
How to set up Let’s Encrypt on Ubuntu

First, it is necessary to add the certbot repository and install the letsencrypt package from it:

sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt upgrade
sudo apt install letsencrypt

It is possible to edit the command which will be executed every time after the certificates have been renewed. Here:

sudo mcedit /etc/letsencrypt/cli.ini

Change post-hook to whatever you need:

...
post-hook = service nginx reload
...

Next, you need to register a Let’s Encrypt account:

certbot register --email mainfunction@ya.ru

Create a .well-known directory in the public root directory of your website. Let’s Encrypt will save the temporary data it needs in the directory stated above:

mkdir -p /var/www/your_web_site.localhost/public/.well-known

Check whether this directory works:

echo '1234' > /var/www/your_web_site.localhost/public/.well-known/test.txt

Open http://your_web_site.localhost/.well-known/test.txt in your browser, then:

rm /var/www/your_web_site.localhost/public/.well-known/test.txt

The .well-known directory has to be clean before you go on to the next step!

So, let’s try to create a temporary SSL certificate for testing.

letsencrypt certonly --dry-run -d your_web_site.localhost -d www.your_web_site.localhost

When it asks for the “webroot”, enter:

/var/www/your_web_site.localhost/

If the check completes well, then create the real SSL certificate:

letsencrypt certonly -d your_web_site.localhost -d www.your_web_site.localhost

Check whether the new SSL certificate really works:

openssl x509 -text -in /etc/letsencrypt/live/your_web_site.localhost/cert.pem
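An added example (not from the original post) that turns the openssl check above into pass/fail checks: whether the certificate will still be valid a given number of days from now, and whether every name you passed with -d is present as a subjectAltName. It assumes openssl 1.1.1 or newer and takes the path to cert.pem as its first argument.

```shell
# Added example, not part of the original post. Assumes openssl >= 1.1.1
# (needed for "x509 -ext") and a certificate path such as
# /etc/letsencrypt/live/your_web_site.localhost/cert.pem as $1.

# Succeeds only if the certificate is still valid $2 days from now.
# Useful as a renewal sanity check: Let's Encrypt certificates are short-lived.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Print the DNS subjectAltNames of the certificate, one per line.
cert_sans() {
    openssl x509 -noout -ext subjectAltName -in "$1" \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Succeed only if every hostname given after the file is covered by a SAN
# (the names you passed with -d must all appear, or the browser will warn).
cert_covers() {
    cert="$1"; shift
    sans=$(cert_sans "$cert")
    for host in "$@"; do
        printf '%s\n' "$sans" | grep -qx "$host" || return 1
    done
    return 0
}
```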

Now it is necessary to configure the web server.

Configuring webserver

nginx

Add the next lines to your host configuration section:

ssl_certificate /etc/letsencrypt/live/your_web_site.localhost/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_web_site.localhost/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/your_web_site.localhost/chain.pem;
ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4;

To fix OCSP stapling, use the next command:

tee /etc/nginx/conf.d/ssl_stapling.conf <<EOF
resolver 127.0.0.1;
ssl_stapling on;
ssl_stapling_verify on;
EOF

BUT if you don’t have a local DNS cache server, then use this:

nameserver=$(grep nameserver /etc/resolv.conf | head -1 | cut -f2 -d" ")
sed -i s/127.0.0.1/$nameserver/ /etc/nginx/conf.d/ssl_stapling.conf
grep resolver /etc/nginx/conf.d/ssl_stapling.conf

Apache2

Example of a host:

# Notice the port of the SSL host
<VirtualHost *:443>

    # <!-- SSL certificate
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/your_web_site.localhost/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your_web_site.localhost/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/your_web_site.localhost/chain.pem
    # -->

    ServerAdmin admin@localhost
    ServerName your_web_site.localhost
    DocumentRoot /var/www/your_web_site.localhost/
    <Directory /var/www/your_web_site.localhost/>
        Options Indexes FollowSymLinks
        php_admin_value open_basedir /var/www/your_web_site.localhost/
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog /var/www/logs/your_web_site.localhost-error.log
    LogLevel warn
    CustomLog /var/www/logs/your_web_site.localhost-access.log combined
</VirtualHost>

How to set up server monitoring with the Munin project

If you want monitoring with the Munin project, you have to install the munin server on one server and a munin node on every server which you want to monitor. For example:

The first server has the munin server and a munin node together;
The second server has only munin-node;
The third server has only munin-node too, etc.

The munin server will collect states from the nodes every few minutes and show them as graphs in a useful web interface.
Munin nodes only collect the state of the servers on which they are installed.

Installing

If you want to install the munin server:

sudo apt install munin

Or if you want to install munin-node:

sudo apt install munin-node

Common commands which you have to enter in any case:

sudo apt install munin-plugins-extra

And:

sudo apt install libwww-perl

Or if the command above fails:

sudo apt install libio-all-lwp-perl

Configuring munin nodes

For the next step you need to allow the munin server access to the munin nodes. Open the munin node configuration file on every monitored server:

sudo mcedit /etc/munin/munin-node.conf

And find this line:

allow ^127\.0\.0\.1$

Append the munin server IP address on a new line. This is needed only for nodes installed on servers other than the one where the munin server is installed.

Check the node port:

...
# And which port
port 4949

You can change the port and/or open it in the server firewall if it is blocked.

To apply the changes, restart the node:

sudo service munin-node restart
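An added example (not from the original post) for the node step above: it writes the munin server address into munin-node.conf as the anchored regex the allow directive expects, escaping the dots and skipping the line when it is already present, so re-running it never duplicates entries. The configuration file path and the server IP are passed as arguments (the real file is /etc/munin/munin-node.conf).

```shell
# Added example, not part of the original post. Assumes the munin-node.conf
# path is $1 and the munin server IP is $2; 10.0.0.5 below is a constructed
# sample address.

# Turn 10.0.0.5 into ^10\.0\.0\.5$ (a literal dot in a regex must be escaped,
# otherwise "allow ^10.0.0.5$" would also match 10x0y0z5-style hosts).
allow_regex_for_ip() {
    printf '^%s$\n' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# Append "allow <regex>" to the node config unless that exact line exists.
# Returns 0 when the file ends up containing the line.
allow_munin_server() {
    conf="$1"; ip="$2"
    line="allow $(allow_regex_for_ip "$ip")"
    if grep -qxF "$line" "$conf"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$conf"
}

# Number of allow lines the node will consult (handy to eyeball after edits).
count_allow_lines() {
    grep -c '^allow ' "$1"
}
```

Restart munin-node afterwards, as in the step above, for the new allow line to take effect.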

Configuring munin server

Now, you need to open munin server configuration file:

mcedit /etc/munin/munin.conf

And append all nodes, including the local node, to this file. For example:

[ratchet]
    address 127.0.0.1
    use_node_name yes
    port 4949

[serverN]
    address 255.255.255.255
    use_node_name yes
    port 4949

[serverN+1]
    address 255.255.255.255
    use_node_name yes
    port 4949
...

Perhaps you already have the local node in this file, so check that you did not add several local nodes.

Configuring web interface

Apache2

If you use Apache as a front web server, then:

sudo apt install apache2-utils libapache2-mod-fcgid libcgi-fast-perl
sudo a2enmod rewrite
sudo a2enmod fcgid
sudo service apache2 reload

And create an admin account for the web interface:

htpasswd -c /etc/munin/munin-htpasswd admin

You can change username “admin” to what you want.

After these steps, open the munin host configuration file for editing:

mcedit /etc/apache2/conf-enabled/munin.conf

You can use my typical configuration:

# Enable this for template generation
Alias /munin /var/cache/munin/www

# Enable this for cgi-based templates
#Alias /munin-cgi/static /var/cache/munin/www/static
#ScriptAlias /munin-cgi /usr/lib/munin/cgi/munin-cgi-html
#<Location /munin-cgi>
#       Order allow,deny
#       Allow from localhost 127.0.0.0/8 ::1
#       AuthUserFile /etc/munin/munin-htpasswd
#       AuthName "Munin"
#       AuthType Basic
#       require valid-user
#</Location>

<Directory /var/cache/munin/www>
        Order allow,deny
        # Apache does not support inline comments; to restrict access use
        # "Allow from localhost 127.0.0.0/8 ::1" instead of "all"
        Allow from all
        Options None

        # This file can be used as a .htaccess file, or a part of your apache
        # config file.
        #
        # For the .htaccess file option to work the munin www directory
        # (/var/cache/munin/www) must have "AllowOverride all" or something 
        # close to that set.
        #

        AuthUserFile /etc/munin/munin-htpasswd
        AuthName "Munin"
        AuthType Basic
        require valid-user

        # This next part requires mod_expires to be enabled.
        #

        # Set the default expiration time for files to 5 minutes 10 seconds from
        # their creation (modification) time.  There are probably new files by
        # that time. 
        #

    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresDefault M310
    </IfModule>

</Directory> 

# Enables fastcgi for munin-cgi-html if present
#<Location /munin-cgi>
#    <IfModule mod_fastcgi.c>
#        SetHandler fastcgi-script
#    </IfModule>
#</Location>

#<Location /munin-cgi/static>
#       SetHandler None
#</Location>

# Enables fastcgi for munin-cgi-graph if present
ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
<Location /munin-cgi/munin-cgi-graph>
        Order allow,deny
        # Use "Allow from localhost 127.0.0.0/8 ::1" here to restrict access
        Allow from all
        AuthUserFile /etc/munin/munin-htpasswd
        AuthName "Munin"
        AuthType Basic
        require valid-user
        <IfModule mod_fcgid.c>
            SetHandler fcgid-script
        </IfModule>
        <IfModule !mod_fcgid.c>
            SetHandler cgi-script
        </IfModule>
</Location>

ScriptAlias /munin-cgi/munin-cgi-html /usr/lib/munin/cgi/munin-cgi-html
<Location /munin-cgi/munin-cgi-html>
        Order allow,deny
        # Use "Allow from localhost 127.0.0.0/8 ::1" here to restrict access
        Allow from all
        AuthUserFile /etc/munin/munin-htpasswd
        AuthName "Munin"
        AuthType Basic
        require valid-user
        <IfModule mod_fcgid.c>
            SetHandler fcgid-script
        </IfModule>
        <IfModule !mod_fcgid.c>
            SetHandler cgi-script
        </IfModule>
</Location>

Reload web server:

sudo service apache2 reload

nginx

If you use the nginx web server, then open the config file:

sudo mcedit /etc/nginx/sites-available/localhost.conf

And add the next lines:

location ^~ /munin {
    alias /var/cache/munin/www;
    auth_basic "Admin Zone";
    auth_basic_user_file /etc/munin/munin-htpasswd;
}

Reload web server:

sudo service nginx reload

Plugins

Apache monitoring

To activate Apache monitoring, enter this on the node servers:

ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/apache_accesses
ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/apache_processes
ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/apache_volume
mcedit /etc/munin/plugin-conf.d/munin-node

Find/add apache configuration:

[apache_*]
env.url http://127.0.0.1:%d/server-status?auto
env.ports 8070

Reload node:

sudo service munin-node restart

Check that it works:

sudo apt install lynx
lynx http://127.0.0.1:8070/server-status?auto
munin-node-configure --suggest | grep apache

The output has to be only “yes | yes”.

nginx monitoring

ln -s /usr/share/munin/plugins/nginx_request /etc/munin/plugins/nginx_request
ln -s /usr/share/munin/plugins/nginx_status /etc/munin/plugins/nginx_status
mcedit /etc/munin/plugin-conf.d/munin-node

Find/add next lines:

[nginx*] 
env.url http://localhost/nginx-status

Reload node:

sudo service munin-node restart

And check that it works:

sudo apt install lynx
lynx http://127.0.0.1/nginx-status
munin-node-configure --suggest | grep nginx

MySQL monitoring

ln -s /usr/share/munin/plugins/mysql_innodb /etc/munin/plugins/mysql_innodb
ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries
ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries
ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads
ln -s /usr/share/munin/plugins/mysql_ /etc/munin/plugins/mysql_
ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes
sudo apt install libdbi-perl
sudo apt install libcache-cache-perl
sudo service munin-node restart
munin-node-configure --suggest | grep mysql

How to turn off tracking and saving of file modes (CHMOD) in Git

Main command:

git config --global core.fileMode false

Unfortunately, it will only work for newly cloned repositories. Why? Because when you cloned repositories earlier, Git placed the setting “fileMode = true” in their configuration files. So now you need to use this command in every previously cloned repository to fully fix the CHMOD issue:

cd your_first_repository/
git config --unset core.fileMode
cd your_second_repository/
git config --unset core.fileMode
... and so on

Now the earlier cloned repositories will use the global configuration from the beginning of this instruction.
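An added example (not from the original post) that generalizes the per-repository step above: it walks every Git repository below a base directory, drops the per-repository core.fileMode override (tolerating repositories that never had one), and reports the setting Git will actually use. It assumes git is installed and that the base directory is passed as the argument.

```shell
# Added example, not part of the original post. Assumes git is installed and
# that the global "git config --global core.fileMode false" from the start of
# the instruction has already been run.

# Remove the repository-local core.fileMode entry so the global value applies.
# "git config --unset" exits with 5 when the key does not exist; that is fine.
unset_filemode_in_repo() {
    git -C "$1" config --unset core.fileMode || [ $? -eq 5 ]
}

# Apply the above to every repository found up to three levels below $1.
unset_filemode_below() {
    find "$1" -maxdepth 3 -type d -name .git | while read -r gitdir; do
        unset_filemode_in_repo "$(dirname "$gitdir")"
    done
}

# Print the value Git will use for this repository after the local override is
# gone: "false" once the global setting is in place.
effective_filemode() {
    git -C "$1" config --get core.fileMode
}
```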
