Nginx/Installation Notes

From Segfault

Nginx

We'll install the Backports version of Nginx:

$ grep back /etc/apt/sources.list
deb http://http.debian.net/debian/  jessie-backports main

$ cat /etc/apt/preferences.d/backports.pref
Package: nginx-full nginx-common
Pin: release a=jessie-backports
Pin-Priority: 1000

$ sudo apt-get -V install nginx-full php5-fpm
$ sudo systemctl enable nginx.service php5-fpm.service

Configure Nginx:

$ cat /etc/nginx/sites-enabled/jessie0

upstream php-handler {
	server unix:/var/run/php5-fpm.sock;
}

server {
	listen 80;
	listen [::]:80;
	server_name jessie0;
	return 301 https://$server_name$request_uri;
}

server {
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;
	include snippets/snakeoil.conf;

	server_name jessie0;
	root /var/www/;

	index index.html index.php;

	# mod_userdir
	location ~ ^/~(.+?)(/.*)?$ {
		alias /home/$1/www$2;
		autoindex on;
	}

	# PHP
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass php-handler;
	}

	# deny access to VCS directories and .htaccess/.htpasswd files
	# (the dot must be escaped, otherwise "." matches any character)
	location ~ /\.(svn|git|htaccess|htpasswd)(/|$) {
		deny all;
	}
}

Owncloud

Install Owncloud:

$ cat /etc/apt/sources.list.d/owncloud.list
deb http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /

$ wget https://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key -qO- | sudo apt-key add -
$ sudo apt-get -V install owncloud curl php5-apcu

Configure Nginx:

	# http://sabre.io/dav/service-discovery/
	location = /.well-known/carddav { return 301 $scheme://$host/owncloud/remote.php/dav; }
	location = /.well-known/caldav  { return 301 $scheme://$host/owncloud/remote.php/dav; }
	location   /.well-known/acme-challenge { }

	location ^~ /owncloud {
		# set max upload size
		client_max_body_size 512M;
		fastcgi_buffers 64 4K;

		# Disable gzip to avoid the removal of the ETag header
		gzip off;

		error_page 403 /owncloud/core/templates/403.php;
		error_page 404 /owncloud/core/templates/404.php;

		location /owncloud {
			rewrite ^ /owncloud/index.php$uri;
		}

		location ~ ^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
			deny all;
		}

		location ~ ^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console) {
			deny all;
		}

		location ~ ^/owncloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
			include fastcgi_params;
			fastcgi_split_path_info ^(.+\.php)(/.+)$;
			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
			fastcgi_param PATH_INFO $fastcgi_path_info;
			fastcgi_param HTTPS on;
			# Avoid sending the security headers twice
			fastcgi_param modHeadersAvailable true;
			fastcgi_param front_controller_active true;
			fastcgi_pass php-handler;
			fastcgi_intercept_errors on;
		#	fastcgi_request_buffering off;
		}

		location ~ ^/owncloud/(?:updater|ocs-provider)(?:$|/) {
			try_files $uri/ =404;
			index index.php;
		}

		# Adding the cache control header for js and css files
		# Make sure it is BELOW the PHP block
		location ~* \.(?:css|js)$ {
			try_files $uri /owncloud/index.php$uri$is_args$args;
			add_header Cache-Control "public, max-age=7200";
			# Add headers to serve security related headers  (It is intended
			# to have those duplicated to the ones above)
			# Before enabling Strict-Transport-Security headers please read
			# into this topic first.
			# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
			add_header X-Content-Type-Options nosniff;
			add_header X-Frame-Options "SAMEORIGIN";
			add_header X-XSS-Protection "1; mode=block";
			add_header X-Robots-Tag none;
			add_header X-Download-Options noopen;
			add_header X-Permitted-Cross-Domain-Policies none;
			# Optional: Don't log access to assets
			access_log off;
		}

		location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
			try_files $uri /owncloud/index.php$uri$is_args$args;
			# Optional: Don't log access to other assets
			access_log off;
		}
	}
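
An offline check of the Owncloud deny rules above, added here as an example (it is not from the page or from the ownCloud project): it feeds constructed request paths through an approximation of nginx's URI normalisation and first-match regex location order using Python's `re`, so a change to the deny list can be tested before `nginx -s reload`. It models only the regex locations of that block, not the prefix location, the rewrite or try_files.

```python
import posixpath
import re
from urllib.parse import unquote

# Regex deny rules copied from the Owncloud location block, in the order
# nginx evaluates them (the first matching regex location wins).
DENY_RULES = [
    r"^/owncloud/(?:build|tests|config|lib|3rdparty|templates|data)/",
    r"^/owncloud/(?:\.|autotest|occ|issue|indie|db_|console)",
]

# The front-controller regex from the same block; anything reaching it is
# handed to php-fpm instead of being served as a static file.
PHP_RULE = (r"^/owncloud/(?:index|remote|public|cron|core/ajax/update|status"
            r"|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])"
            r"\.php(?:$|/)")


def normalize_uri(request_target: str) -> str:
    """Approximate what nginx puts in $uri before location matching:
    strip the query string, percent-decode, merge repeated slashes and
    resolve '.' and '..' segments."""
    raw_path = request_target.split("?", 1)[0]
    path = posixpath.normpath(unquote(raw_path))
    if path.startswith("//"):          # normpath keeps a POSIX "//" prefix
        path = path[1:]
    # normpath drops a trailing slash; nginx keeps it, and the directory
    # rules ("config/") rely on it, so restore it.
    if raw_path.endswith("/") and not path.endswith("/"):
        path += "/"
    return path


def classify(request_target: str) -> str:
    """Return 'deny', 'php' or 'static' for a constructed request target."""
    uri = normalize_uri(request_target)
    for rule in DENY_RULES:
        if re.search(rule, uri):
            return "deny"
    if re.search(PHP_RULE, uri):
        return "php"
    return "static"


if __name__ == "__main__":
    # Constructed sample requests, including an encoded dot-segment variant
    for target in ("/owncloud/config/config.php", "/owncloud/.htaccess",
                   "/owncloud/core/js/%2e%2e/../config/config.php",
                   "/owncloud/remote.php/dav", "/owncloud/core/css/styles.css?v=1"):
        print(f"{classify(target):6}  {target}")
```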

phpMyAdmin

sudo apt-get install mysql-server phpmyadmin
sudo ln -s /usr/share/phpmyadmin /var/www/

Configure Nginx

	# phpMyAdmin
	location ~ ^/phpmyadmin/libraries/ {
		deny all;
	}
	location ~ ^/phpmyadmin/setup/lib/ {
		deny all;
	}


Roundcube

sudo apt-get install roundcube roundcube-sqlite3 roundcube-plugins php-tcpdf php5-pspell
sudo ln -s /var/lib/roundcube /var/www/

Be sure to configure /var/www/roundcube/config/config.inc.php too!

Configure Nginx:

	# Roundcube
	location ~ ^/roundcube/(config|temp|logs)/ {
		deny all;
	}

Mediawiki

As Mediawiki has been removed[1] from Debian, we'll use their official packages for now. We tried the Git installation[2][3] before, but it was just too messy and broke way too often. We may revisit that option at a later date.

wget https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.tar.gz{,.sig}
wget https://www.mediawiki.org/keys/keys.txt -qO- | gpg --import
gpg --verify mediawiki*.tar.gz.sig
sudo tar -C /opt/ -xzf mediawiki*.tar.gz
sudo ln -s /opt/mediawiki* /var/www/w

sudo mkdir -m0750 /var/lib/mediawiki
sudo chown www-data:www-data /var/lib/mediawiki

Install the Lockdown Extension:

wget https://github.com/wikimedia/mediawiki-extensions-Lockdown/archive/master.tar.gz
tar -xzf master.tar.gz
mv mediawiki-extensions-Lockdown-master Lockdown && sudo mv Lockdown /opt/mediawiki*/extensions/

Adjust /var/www/w/LocalSettings.php as needed:

$wgScriptPath  = "/w";
$wgArticlePath = "/wiki/$1";
$wgUsePathInfo = true;

[...]

# https://www.mediawiki.org/wiki/Extension:Lockdown
require_once "$IP/extensions/Lockdown/Lockdown.php";

# Restrict certain actions
# https://www.mediawiki.org/wiki/Manual:Parameters_to_index.php#Actions
$wgSpecialPageLockdown['Export'] = array('root');
$wgSpecialPageLockdown['Randompage'] = array('root');
$wgSpecialPageLockdown['Recentchanges'] = array('root');
$wgActionLockdown['history'] = array('sysop');
$wgActionLockdown['historysubmit'] = array('sysop');                    # DOES NOT WORK!
$wgActionLockdown['edit'] = array('sysop');
$wgActionLockdown['raw'] = array('sysop');
$wgActionLockdown['render'] = array('sysop');
$wgActionLockdown['purge'] = array('sysop');
$wgActionLockdown['submit'] = array('sysop');
$wgActionLockdown['credits'] = array('sysop');
$wgActionLockdown['info'] = array('sysop');

# Restrict all permissions, but allow reading for everyone
$wgNamespacePermissionLockdown[NS_MAIN]['*'] = array('sysop');
$wgNamespacePermissionLockdown[NS_MAIN]['read'] = array('*');

# Private namespace
define('NS_PRIVATE', 100);
define('NS_PRIVATE_TALK', 101);

$wgExtraNamespaces[NS_PRIVATE] = 'Private';
$wgExtraNamespaces[NS_PRIVATE_TALK] = 'Private_talk';

# Restrict "read" permission to logged in users
$wgNamespacePermissionLockdown[NS_PRIVATE]['read'] = array('user');
$wgNamespacePermissionLockdown[NS_PRIVATE_TALK]['read'] = array('user');

# Prevent inclusion of pages from that namespace
$wgNonincludableNamespaces[] = NS_PRIVATE;
$wgNonincludableNamespaces[] = NS_PRIVATE_TALK;

Configure Nginx:

	# Mediawiki
	location /w {
		try_files $uri $uri/ /w/index.php?$query_string;
	#	location ~ \.php$ {
	#	try_files $uri $uri/ =404;
	#	include snippets/fastcgi-php.conf;
	#	fastcgi_pass php-handler;
	#	}
	#	location /w/images {
	#		# foo
	#	}

	#	location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
	#		try_files $uri /index.php;
	#		expires max;
	#		access_log off;
	#	}

	#	location ~ ^/(w|wiki)/(Special|Blafasel) {
	#		try_files $uri $uri/ /w/index.php?$query_string;
	#		auth_basic		"Restricted";
	#		auth_basic_user_file	/etc/nginx/htpasswd;
	#	}

	#	if ( $args ~ title=Blafasel ) {
	#		deny all;
	#		auth_basic		"BLOCK";
	#		auth_basic_user_file	/etc/nginx/htpasswd;
	#	}
	}

	location /w/images/deleted  { deny all; }
	location /w/cache           { deny all; }
	location /w/languages       { deny all; }
	location /w/maintenance     { deny all; }
	location /w/serialized      { deny all; }
	location /w/mw-config       { deny all; }

Simplevault

Install Simplevault:

wget http://downloads.sourceforge.net/project/simplevault/simplevault/simplevault-1.9.tgz

Since we cannot use PHP in UserDir locations[4], we'll install Simplevault in each user's directory. We'll try to use symbolic links later on to save space:

sudo mkdir -p /var/www/sv/{dummy,joe,alice}
tar -xzf simplevault-1.9.tgz
for u in dummy joe alice; do
  echo $u; tar -C simplevault-1.9 -cf - . | sudo tar -C /var/www/sv/$u/ -xf -
done

sudo mkdir /var/lib/simplevault/
sudo touch /var/lib/simplevault/simplevault_{dummy,joe,alice}.txt
sudo chown -R www-data:www-data /var/lib/simplevault/

Be sure to configure all these /var/www/sv/*/simplevault-1.9/svconfig.php files!

Configure Nginx:

	# SimpleVault
	location ~ ^/sv/dummy {
		auth_basic		"SV";
		auth_basic_user_file	/etc/nginx/htpasswd.dummy;
	}

	location ~ ^/sv/joe {
		auth_basic		"SV";
		auth_basic_user_file	/etc/nginx/htpasswd.joe;
	}

	location ~ ^/sv/alice {
		auth_basic		"SV";
		auth_basic_user_file	/etc/nginx/htpasswd.alice;
	}

Since we can't use ngx_http_auth_digest yet and have no Apache-like require option (Require user ...), we'll need to generate[5] a separate htpasswd[6] file per user:

$ ./htpasswd.sh joe | sudo tee /etc/nginx/htpasswd.joe                     # htpasswd.sh Gist
Password: *****
joe:{SSHA}fqV+Y15QSK7a7pSawNr0HjxYjBEzUWJF

$ sudo chmod 0640 /etc/nginx/htpasswd* && sudo chgrp -c www-data /etc/nginx/htpasswd*

Naemon

$ cat /etc/apt/sources.list.d/labs-consol.list
deb http://labs.consol.de/repo/stable/debian jessie main

$ sudo apt-get install naemon uwsgi-plugin-psgi monitoring-plugins-basic pnp4nagios
$ sudo chown -R www-data:www-data /var/lib/pnp4nagios/ /var/spool/pnp4nagios/
$ sudo ln -s /usr/share/pnp4nagios/html /var/www/pnp4nagios
$ sudo ln -s /usr/share/thruk/root /var/www/thruk                                     # If it's not already in place!

Configure /etc/naemon/naemon.cfg:

service_check_timeout=120
process_performance_data=1
date_format=iso8601
use_regexp_matching=1
debug_level=-1

#
# Bulk Mode
# http://docs.pnp4nagios.org/pnp-0.6/config
#
service_perfdata_file=/var/lib/pnp4nagios/service-perfdata
service_perfdata_file_template=DATATYPE::SERVICEPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$HOSTNAME$\tSERVICEDESC::$SERVICEDESC$\tSERVICEPERFDATA::$SERVICEPERFDATA$\tSERVICECHECKCOMMAND::$SERVICECHECKCOMMAND$\tHOSTSTATE::$HOSTSTATE$\tHOSTSTATETYPE::$HOSTSTATETYPE$\tSERVICESTATE::$SERVICESTATE$\tSERVICESTATETYPE::$SERVICESTATETYPE$
service_perfdata_file_mode=a
service_perfdata_file_processing_interval=15
service_perfdata_file_processing_command=process-service-perfdata

host_perfdata_file=/var/lib/pnp4nagios/host-perfdata
host_perfdata_file_template=DATATYPE::HOSTPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$HOSTNAME$\tHOSTPERFDATA::$HOSTPERFDATA$\tHOSTCHECKCOMMAND::$HOSTCHECKCOMMAND$\tHOSTSTATE::$HOSTSTATE$\tHOSTSTATETYPE::$HOSTSTATETYPE$
host_perfdata_file_mode=a
host_perfdata_file_processing_interval=15
host_perfdata_file_processing_command=process-host-perfdata

Configure /etc/naemon/conf.d/commands_perfdata.cfg:

define command {
        command_name    process-service-perfdata
        command_line    /usr/lib/pnp4nagios/libexec/process_perfdata.pl --bulk=/var/lib/pnp4nagios/service-perfdata
}

define command {
        command_name    process-host-perfdata
        command_line    /usr/lib/pnp4nagios/libexec/process_perfdata.pl --bulk=/var/lib/pnp4nagios/host-perfdata
}

Configure /etc/pnp4nagios/config.php:

$conf['nagios_base'] = "/thruk";
LOG_LEVEL = 2

Configure Nginx:

	# Thruk
	location @thruk {
		uwsgi_pass	127.0.0.1:4040;
		uwsgi_param	REMOTE_USER $remote_user;
		uwsgi_modifier1	5;
		include		uwsgi_params;
	}

	location ^~ /thruk {
		auth_basic		"Thruk";
		auth_basic_user_file	/etc/thruk/htpasswd;
		try_files $uri @thruk;
	}

	location /thruk/javascript/ {
		alias /usr/share/thruk/root/thruk/javascript/;
	}

	location /thruk/documentation.html {
		alias /usr/share/thruk/root/thruk/documentation.html;
	}

	location /thruk/startup.html {
		alias /usr/share/thruk/root/thruk/startup.html;
	}

	location ~ ^/thruk/plugins/(.*?)/(.*)$ {
		alias /etc/thruk/plugins/plugins-enabled/$1/root/$2;
	}

	location /thruk/themes/ {
		alias /etc/thruk/themes/themes-enabled/;
	}

	location /pnp4nagios {
		alias /usr/share/pnp4nagios/html;
	}

	# Symlink needed:
	# ln -s /usr/share/pnp4nagios/html /var/www/pnp4nagios
	location ~ ^(/pnp4nagios.*\.php)(.*)$ {
		root /usr/share/pnp4nagios/html;
		include fastcgi_params;
		fastcgi_split_path_info ^(.+\.php)(.*)$;
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_param SCRIPT_FILENAME $document_root/index.php;
		fastcgi_pass php-handler;
	}
}

References

  1. Debian #810290 - ITP: mediawiki -- website engine for collaborative work
  2. Download from Git
  3. MediaWiki Git Installation
  4. Nginx & UserDir & PHP
  5. How do I generate an .htpasswd file without having Apache tools installed?
  6. Module ngx_http_auth_basic_module