Linux Tutorials & Things tls

Basic Nginx and php Configuration

STEP1

Install Nginx and php5 packages;

sudo apt-get install nginx-full

sudo apt-get install php5-apcu php5-fpm php5-curl php5-cli php5-tidy php5-sqlite

STEP2

Configure nginx.conf file with the following example;
nginx.conf file - https://gist.github.com/altan-me/e184f8af116da94be264

Quick one-line Install nginx.conf file replacing the default;

sudo wget -O /etc/nginx/nginx.conf https://gist.githubusercontent.com/altan-me/e184f8af116da94be264/raw/1369aca3bc197eb4f62f03fa68e5c059affd4f50/nginx.conf


Example config;

user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_priority 15; 
worker_rlimit_nofile 1024;

events {
        worker_connections 512;
        multi_accept on;
        accept_mutex_delay 500ms; 
        use epoll;
}

http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        server_tokens off;

        # Log Errors
        error_log /var/log/nginx/error.log;

        # Timeouts, do not keep connections open longer than necessary to reduce
        # resource usage and deny Slowloris type attacks.
        keepalive_timeout 20;
        client_header_timeout 20;
        client_body_timeout 20;
        reset_timedout_connection on;
        send_timeout 20;

        #Limit for Fail2ban
        #limit_req_zone  $binary_remote_addr  zone=app:10m   rate=2r/s;

        # Max Allowed Connections per IP
        limit_conn_zone $binary_remote_addr zone=addr:5m;
        limit_conn addr 100;

        include /etc/nginx/mime.types;
        default_type text/html;
        charset UTF-8;

        # Gzip Settings
        gzip on;
        gzip_proxied any;
        gzip_min_length 256;
        gzip_comp_level 6;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        # Cache information about file descriptors, frequently accessed files
        open_file_cache max=100000 inactive=20s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors on;

        # Virtual Host Configs
        include /etc/nginx/sites-enabled/*;
}

STEP3

Remove example/default pre-installed Virtual-host file;

sudo rm /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default

Create new Virtual-host file;
Run the following command, replacing YOURDOMAINNAME with your own domain, e.g. altan.me;

sudo nano /etc/nginx/sites-available/YOURDOMAINNAME

EXAMPLE Virtual host Files;

When editing the virtual-hosts file be sure to edit in sites-available;
The following command soft links the sites-available and sites-enabled locations;

sudo ln -s /etc/nginx/sites-available/YOURDOMAINNAME /etc/nginx/sites-enabled/YOURDOMAINNAME

    (Soft links: original >> link)
    (this is an important step)

STEP4

Configure php;

Using nano edit the following line in php.ini;

sudo nano /etc/php5/fpm/php.ini

    cgi.fix_pathinfo=1
Change to:
    cgi.fix_pathinfo=0

Using nano edit the following line in www.conf;

sudo nano /etc/php5/fpm/pool.d/www.conf

    ;listen = /var/run/php5-fpm.sock
Change to:
    listen = 127.0.0.1:9000

Restart php to enable changes;

sudo service php5-fpm restart
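
An added check for the two STEP4 edits (example code, not part of the original tutorial): it reads the effective values of cgi.fix_pathinfo and listen, treating a line that still starts with ';' as unset, since PHP then falls back to its default of 1. The function names ini_value and audit_php_fpm and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example: audit the two PHP-FPM settings that STEP4 changes.

# ini_value FILE KEY: print the last active (uncommented) value of KEY, nothing if unset.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                      # ";listen = ..." is a comment, not a setting
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k)
            sub(/[ \t]*;.*$/, "", v)             # strip a trailing inline comment
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# audit_php_fpm PHP_INI POOL_CONF: print one FAIL line per finding, return the count.
audit_php_fpm() {
    findings=0
    fix=$(ini_value "$1" cgi.fix_pathinfo)
    # PHP defaults to 1, so a missing or still-commented line counts as 1.
    if [ "${fix:-1}" != "0" ]; then
        echo "FAIL cgi.fix_pathinfo is ${fix:-unset (default 1)}, expected 0"
        findings=$((findings + 1))
    fi
    listen=$(ini_value "$2" listen)
    case "$listen" in
        127.0.0.1:*|/*) ;;                       # loopback TCP as in STEP4, or a unix socket
        *)  echo "FAIL listen is '${listen:-unset}', expected 127.0.0.1:9000"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample files (not from the page): the edit was made but the ';' was left in place,
# and the pool listens on a bare port, which binds every address instead of loopback only.
demo=$(mktemp -d)
printf '[PHP]\n;cgi.fix_pathinfo=0\n' > "$demo/php.ini"
printf '[www]\n;listen = /var/run/php5-fpm.sock\nlisten = 9000\n' > "$demo/www.conf"
audit_php_fpm "$demo/php.ini" "$demo/www.conf" || echo "findings: $?"
rm -rf "$demo"
```

On a real host, point it at /etc/php5/fpm/php.ini and /etc/php5/fpm/pool.d/www.conf after the restart.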

STEP5

Creating default web directory;

sudo mkdir /var/www
sudo mkdir /var/www/YOURDOMAIN

Run configtest;

sudo service nginx configtest

All config modifications only take effect after restarting nginx or running the reload command;

sudo service nginx restart

or

sudo service nginx reload

How to generate a Free SSL cert using Let's Encrypt [nginx]

STEP1

Clone letsencrypt git repo;

git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt

sudo ./letsencrypt-auto --help  

Ensure your web server (Nginx in my case) is not running, because the --standalone mode used in STEP2 needs to bind the HTTP port itself;

sudo service nginx stop

STEP2

Run the script, replacing YOUR_DOMAIN.com with your own domain before running. Also make sure to include the www. subdomain for one of the entries as shown;

./letsencrypt-auto certonly --standalone --standalone-supported-challenges http-01 -d www.YOUR_DOMAIN.com,YOUR_DOMAIN.com --renew-by-default

If successful, the cert files will be stored in the following directory;

sudo ls /etc/letsencrypt/live/www.DOMAINNAME.com

Check if files have been created


FIX PERMISSIONS

sudo chown root:www-data /etc/letsencrypt/live /etc/letsencrypt/archive/
sudo chmod 750 /etc/letsencrypt/live/ /etc/letsencrypt/archive/

How to Install Baikal CalDav/CardDav Server on Debian [nginx]

This tutorial assumes you have configured NGINX and php as explained Here.

What is Baikal?

Baïkal offers ubiquitous and synchronized access to your calendars and address books over CalDAV and CardDAV. Baïkal implements the current IETF recommendation drafts of these industry standards for centralized calendar and address book collections.

Baikal Admin Page

STEP1

Generate SSL Cert for new subdomain:
If you followed my Letsencrypt guide simply run;
Substitute YOURDOMAIN for the domain you will be using.

cd ~/letsencrypt/
sudo ./letsencrypt-auto certonly --standalone --standalone-supported-challenges http-01 -d dav.YOURDOMAIN --renew-by-default

STEP2

Install Dependencies;

sudo apt-get install sqlite3 sqlite php5-sqlite

STEP3

Configure Nginx Virtual-hosts file

sudo nano /etc/nginx/sites-available/dav.YOURDOMAINNAME

Check out my example file here

Link Virtual-hosts files;

sudo ln -s /etc/nginx/sites-available/dav.YOURDOMAINNAME /etc/nginx/sites-enabled/dav.YOURDOMAINNAME

STEP4

Make Dir and generate new dhparam (for improved SSL/TLS Security);

sudo mkdir -p /etc/nginx/ssl/dav.YOURDOMAIN

sudo openssl dhparam -out /etc/nginx/ssl/dav.YOURDOMAIN/dhparam.pem 2048

Test Nginx Config for errors;

sudo service nginx configtest

STEP5

Make Directory ready for installing Baikal files;

sudo mkdir /var/www/dav.YOURDOMAIN

cd /var/www/dav.YOURDOMAIN

Download latest Baikal regular package;

sudo wget http://baikal-server.com/get/baikal-regular-0.2.7.tgz

sudo tar -xvzf baikal-regular-0.2.7.tgz

sudo mv baikal-regular/* .

sudo rm -rf baikal-regular

STEP6

Restart Nginx;

sudo service nginx restart

Navigate to https://dav.YOURDOMAIN/admin and complete setup;


Errors

Official Troubleshooting Document

If 403 permission errors;

    sudo chmod -R 770 /var/www/dav.YOURDOMAIN
    sudo chown www-data:www-data /var/www/dav.YOURDOMAIN -Rf