Linux Tutorials & Things howto

Basic Nginx and php Configuration

STEP1

Install Nginx and php5 packages;

sudo apt-get install nginx-full

sudo apt-get install php5-apcu php5-fpm php5-curl php5-cli php5-tidy php5-sqlite

STEP2

Configure nginx.conf file with the following example;
nginx.conf file - https://gist.github.com/altan-me/e184f8af116da94be264

Quick one-liner to install the nginx.conf file, replacing the default;

sudo wget -O /etc/nginx/nginx.conf https://gist.githubusercontent.com/altan-me/e184f8af116da94be264/raw/1369aca3bc197eb4f62f03fa68e5c059affd4f50/nginx.conf


Example config;

user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_priority 15; 
worker_rlimit_nofile 1024;

events {
        worker_connections 512;
        multi_accept on;
        accept_mutex_delay 500ms; 
        use epoll;
}

http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        server_tokens off;

        # Log Errors
        error_log /var/log/nginx/error.log;

        # Timeouts, do not keep connections open longer than necessary to reduce
        # resource usage and deny Slowloris type attacks.
        keepalive_timeout 20;
        client_header_timeout 20;
        client_body_timeout 20;
        reset_timedout_connection on;
        send_timeout 20;

        #Limit for Fail2ban
        #limit_req_zone  $binary_remote_addr  zone=app:10m   rate=2r/s;

        # Max Allowed Connections per IP
        limit_conn_zone $binary_remote_addr zone=addr:5m;
        limit_conn addr 100;

        include /etc/nginx/mime.types;
        default_type text/html;
        charset UTF-8;

        # Gzip Settings
        gzip on;
        gzip_proxied any;
        gzip_min_length 256;
        gzip_comp_level 6;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        # Cache information about file descriptors, frequently accessed files
        open_file_cache max=100000 inactive=20s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors on;

        # Virtual Host Configs
        include /etc/nginx/sites-enabled/*;
}

STEP3

Remove example/default pre-installed Virtual-host file;

sudo rm /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default

Create new Virtual-host file;
Run the following command replacing YOURDOMAINNAME, e.g. altan.me

sudo nano /etc/nginx/sites-available/YOURDOMAINNAME

EXAMPLE Virtual host Files;

When editing the virtual-hosts file be sure to edit in sites-available;
The following command soft links the sites-available and sites-enabled locations;

sudo ln -s /etc/nginx/sites-available/YOURDOMAINNAME /etc/nginx/sites-enabled/YOURDOMAINNAME

    (Soft links: original >> link)
    (this is an important step)

STEP4

Configure php;

Using nano edit the following line in php.ini;

sudo nano /etc/php5/fpm/php.ini

    cgi.fix_pathinfo=1
Change to:
    cgi.fix_pathinfo=0

Using nano edit the following line in www.conf;

sudo nano /etc/php5/fpm/pool.d/www.conf

    ;listen = /var/run/php5-fpm.sock
Change to:
    listen = 127.0.0.1:9000

Restart php to enable changes;

sudo service php5-fpm restart

STEP5

Creating default web directory;

sudo mkdir /var/www
sudo mkdir /var/www/YOURDOMAIN

Run configtest;

sudo service nginx configtest

All config modifications only take effect after restarting nginx or running the reload command;

sudo service nginx restart

or

sudo service nginx reload
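The following check script is an added example, not part of the original tutorial: it verifies the settings the five steps above configure (fix_pathinfo, the php-fpm listen address, server_tokens and the sites-enabled symlink), using the tutorial's paths by default; YOURDOMAIN is a placeholder.

```shell
# Added example: verify the nginx + php5-fpm settings made in STEP2 to STEP5.
# Paths default to the ones the tutorial uses; override NGINX_DIR, PHP_INI
# or POOL_CONF to check against copies (e.g. PHP_INI=/tmp/php.ini).
NGINX_DIR="${NGINX_DIR:-/etc/nginx}"
NGINX_CONF="${NGINX_CONF:-$NGINX_DIR/nginx.conf}"
PHP_INI="${PHP_INI:-/etc/php5/fpm/php.ini}"
POOL_CONF="${POOL_CONF:-/etc/php5/fpm/pool.d/www.conf}"

# Print the value of the first active "key = value" line for key $2 in ini
# file $1; lines commented out with ';' or '#' do not match.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*[;#].*$//; s/[[:space:]]*$//' | head -n 1
}

# STEP4: cgi.fix_pathinfo must be 0. With 1, a request for /uploads/pic.jpg/x.php
# makes PHP fall back to executing pic.jpg, so any uploaded file becomes code.
check_fix_pathinfo() {
    [ "$(conf_value "$PHP_INI" 'cgi\.fix_pathinfo')" = "0" ]
}

# STEP4: php-fpm must listen where the vhost's fastcgi_pass points.
check_fpm_listen() {
    [ "$(conf_value "$POOL_CONF" 'listen')" = "127.0.0.1:9000" ]
}

# STEP2: server_tokens off keeps the nginx version out of headers/errors.
check_server_tokens() {
    grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$NGINX_CONF"
}

# STEP3: sites-enabled/<domain> must be a symlink into sites-available.
check_vhost_link() {
    target=$(readlink "$NGINX_DIR/sites-enabled/$1") || return 1
    [ "$target" = "$NGINX_DIR/sites-available/$1" ]
}

# Run every check for domain $1; one PASS/FAIL line each, returns 1 on failure.
run_checks() {
    rc=0
    for c in check_fix_pathinfo check_fpm_listen check_server_tokens; do
        if "$c"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    if check_vhost_link "$1"; then echo "PASS vhost link"; else echo "FAIL vhost link"; rc=1; fi
    return "$rc"
}

# Usage: sh check-nginx-php.sh YOURDOMAIN  (then run 'sudo service nginx configtest')
if [ -n "${1:-}" ]; then run_checks "$1"; fi
```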

Install and Configure Exim4 for send-only email [Debian]

Set VPS Time

sudo dpkg-reconfigure tzdata

Check system FQDN

hostname -f

Set system IP & hostname

sudo nano /etc/hosts

        ...
        IPADDRESS   HOSTNAME.DOMAINNAME HOSTNAME
        ...

Install exim4 and mailutils

sudo apt-get install exim4-daemon-light mailutils

If exim4 config does not run or exim4 is already installed run;

sudo dpkg-reconfigure exim4-config

Config screen screenshots: any option not shown should be left blank or at its default. Change HOSTNAME to your system's hostname and set your own domain name.

After configuration restart exim;

sudo service exim4 restart

Send a test email;

echo "This is a test." | mail -s "Testing" someone@somedomain.com

If errors occur or the email is not received, check the log;

sudo nano /var/log/exim4/mainlog

Errors encountered

Error (-53): retry time not reached for any host; clear the retry, reject and wait-remote_smtp hint databases (Debian's exim4 spool directory is /var/spool/exim4):

sudo /usr/sbin/exim_tidydb -t 1d /var/spool/exim4 retry > /dev/null
sudo /usr/sbin/exim_tidydb -t 1d /var/spool/exim4 reject > /dev/null
sudo /usr/sbin/exim_tidydb -t 1d /var/spool/exim4 wait-remote_smtp > /dev/null

Error Permission Denied fix;

sudo chown -R Debian-exim /var/spool/exim4/
sudo chown -R Debian-exim /var/log/exim4

Check out the Exim4 Cheat Sheet

How to generate a Free SSL cert using Lets encrypt [nginx]

STEP1

Clone letsencrypt git repo;

git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt

sudo ./letsencrypt-auto --help  

Ensure your webserver is not running
For my case - Nginx

sudo service nginx stop

STEP2

Run the script - change YOUR_DOMAIN.com to your own domain before running. Also make sure to include the www. subdomain as one of the entries, as shown;

./letsencrypt-auto certonly --standalone --standalone-supported-challenges http-01 -d www.YOUR_DOMAIN.com,YOUR_DOMAIN.com --renew-by-default

If successful, the cert files will be stored in the following directory (named after the first domain given to -d);

sudo ls /etc/letsencrypt/live/www.YOUR_DOMAIN.com

Check if files have been created


FIX PERMISSIONS

sudo chown root:www-data /etc/letsencrypt/live /etc/letsencrypt/archive/
sudo chmod 750 /etc/letsencrypt/live/ /etc/letsencrypt/archive/

How to Install Baikal CalDav/CardDav Server on Debian [nginx]

This tutorial assumes you have configured NGINX and php as explained Here.

What is Baikal?

Baïkal offers ubiquitous and synchronized access to your calendars and address books over CalDAV and CardDAV. Baïkal implements the current IETF recommendation drafts of these industry standards for centralized calendar and address book collections.1

Baikal Admin Page

STEP1

Generate SSL Cert for new subdomain:
If you followed my Letsencrypt guide, simply run the following;
Substitute YOURDOMAIN with the domain you will be using.

cd ~/letsencrypt/
sudo ./letsencrypt-auto certonly --standalone --standalone-supported-challenges http-01 -d dav.YOURDOMAIN --renew-by-default

STEP2

Install Dependencies;

sudo apt-get install sqlite3 sqlite php5-sqlite

STEP3

Configure Nginx Virtual-hosts file

sudo nano /etc/nginx/sites-available/dav.YOURDOMAINNAME

Check out my example file here

Link Virtual-hosts files;

sudo ln -s /etc/nginx/sites-available/dav.YOURDOMAINNAME /etc/nginx/sites-enabled/dav.YOURDOMAINNAME

STEP4

Make the directory and generate a new dhparam (for improved SSL/TLS security);

sudo mkdir -p /etc/nginx/ssl/dav.YOURDOMAIN

sudo openssl dhparam -out /etc/nginx/ssl/dav.YOURDOMAIN/dhparam.pem 2048

Test Nginx Config for errors;

sudo service nginx configtest

STEP5

Make Directory ready for installing Baikal files;

sudo mkdir /var/www/dav.YOURDOMAIN

cd /var/www/dav.YOURDOMAIN

Download latest Baikal regular package;

sudo wget http://baikal-server.com/get/baikal-regular-0.2.7.tgz

sudo tar -xvzf baikal-regular-0.2.7.tgz

sudo mv baikal-regular/* .

sudo rm -rf baikal-regular

STEP6

Restart Nginx;

sudo service nginx restart

Navigate to https://dav.YOURDOMAIN/admin and complete setup;


Errors

Official Troubleshooting Document

If you get 403 permission errors;

    sudo chmod -R 770 /var/www/dav.YOURDOMAIN
    sudo chown www-data:www-data /var/www/dav.YOURDOMAIN -Rf

Generate SSH Key file and Configure OpenSSH

STEP 1:

Tip: Replace USERNAME with your system's user name.

Generate an Ed25519 key, and save the file as USERNAME_ssh;

ssh-keygen -t ed25519 -f USERNAME_ssh

ssh keygeneration example

Alternative - Generate an 8192-bit RSA key;

ssh-keygen -t rsa -b 8192 -f USERNAME_ssh

STEP 2:

USERNAME_ssh = private key (keep it secret, keep it safe)

USERNAME_ssh.pub = public key (is seen by all)

Make a hidden directory in user home folder;

mkdir /home/USERNAME/.ssh

Move Public key file into the .ssh directory and name it as authorized_keys;

mv USERNAME_ssh.pub /home/USERNAME/.ssh/authorized_keys

Copy the private key from its current location to the user's home folder, ready for download;

cp USERNAME_ssh /home/USERNAME

Set owner permissions for the private key file;

chown USERNAME:USERNAME /home/USERNAME/USERNAME_ssh

Download private key file to your local machine;

SFTP COPY (run on local Linux Machine)

Copy private key to local machine;

sftp USERNAME@DOMAIN

get USERNAME_ssh

sftp login and get keyfile example

Note - Delete the private key file from the server after download;


SSH SERVER CONFIG:

We will disable root SSH logins, disable password-only SSH access and define an alternative port number. Please change the port number to a random number between 20000 - 50000;

sudo nano /etc/ssh/sshd_config
  • Port XXXX
  • Protocol 2
  • RSAAuthentication yes
  • PubkeyAuthentication yes
  • PasswordAuthentication no
  • PermitRootLogin no
  • AllowUsers USERNAME
  • X11Forwarding no
  • PrintMotd yes
  • UsePAM no

These settings will not take effect until the sshd service is restarted.
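To make those edits repeatably and validate them before the restart, here is an added script (not from the original post) that applies the directives listed above to a copy of sshd_config, runs sshd's own syntax check, and only then installs it; the port and USERNAME are passed as arguments, and it assumes the file contains no Match blocks.

```shell
# Added example: apply the sshd_config directives listed above to a copy of
# the file, validate it with sshd's own syntax check, and only then install
# it. Assumes the file has no Match blocks (directives after a Match line
# would otherwise be edited in place or appended into that block).
# Set directive $2 to value $3 in $1. sshd honours the FIRST occurrence of a
# directive, so every active copy is rewritten; commented-out copies stay.
set_directive() {
    file=$1; key=$2; val=$3
    if grep -Eq "^[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -E "s|^[[:space:]]*$key([[:space:]].*)?$|$key $val|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

# Print the effective value of directive $2 in $1 (first active match, as
# sshd reads it); prints nothing if the directive is not set.
get_directive() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]+//p" "$1" | head -n 1
}

# Apply the settings from the list above: $1 = sshd_config path,
# $2 = new port (pick one between 20000 and 50000), $3 = the allowed user.
harden_sshd_config() {
    set_directive "$1" Port "$2"
    set_directive "$1" Protocol 2
    set_directive "$1" RSAAuthentication yes
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" PermitRootLogin no
    set_directive "$1" AllowUsers "$3"
    set_directive "$1" X11Forwarding no
    set_directive "$1" PrintMotd yes
    set_directive "$1" UsePAM no
}

# Edit a copy, let sshd check it, then install it with a .bak of the original.
# Keep your current session open; restart sshd only after the test login succeeds.
install_hardened() {
    src=$1; port=$2; user=$3
    cp -p "$src" "$src.new" && harden_sshd_config "$src.new" "$port" "$user" || return 1
    if [ -x /usr/sbin/sshd ]; then
        /usr/sbin/sshd -t -f "$src.new" || { echo "sshd rejected $src.new; not installed" >&2; return 1; }
    fi
    cp -p "$src" "$src.bak" && mv "$src.new" "$src"
}

# Usage: sudo sh harden-sshd.sh /etc/ssh/sshd_config PORT USERNAME
if [ $# -eq 3 ]; then install_hardened "$1" "$2" "$3"; fi
```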

TEST SSH LOGON (run on local Linux Machine)

SSH Successful Login example

ssh -i PATHTOKEY USERNAME@DOMAIN -p PORTNUMBER

If logon is successful, run;

service sshd restart