OVH8 VPS ovh vps526361 debian 9 nginx php7.2 mariadb tlsv1.3 static site (xoyize.xyz)
Debian Stretch cinay.pw + nginx + php7 + mariadb + postfix + dovecot + rspamd + nextcloud + gitlab
OVH8 VPS ovh vps526361 debian 9 nginx php7.2 mariadb tlsv1.3 static site (xoyize.xyz)
vps526361-debian9-xoyize.xyz
VPS ovh vps526361 debian 9 préinstallé avec clé ssh (ovh-ssh-ed25519.pub)
Connexion ssh avec clé
1
ssh -i .ssh/ovh-ssh-ed25519 root@193.70.43.101
Modifier le fichier de configuration /etc/ssh/sshd_config
1
2
3
Port 55027 # 22 par défaut
PermitRootLogin no # interdire accès ssh par root
PasswordAuthentication no # pas de mot de passe, uniquement les clés ed25519
Créer un utilisateur debian
1
adduser xouser # création du home et saisie mot de passe
Visudo pour les accès root via utilisateur xouser (sudo installé par défaut sur le vps)
1
echo "xouser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
Ajout de l’utilisateur courant au groupe systemd-journal
1
gpasswd -a xouser systemd-journal
Accès utilisateur aux fichiers log
1
gpasswd -a xouser adm
Modification du réseau, ajout IPV6
Sur le VPS OVH il faut désactiver l’initialisation réseau par le cloud
1
2
3
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
Création du fichier /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg en mode su
1
echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
Modifier le fichier /etc/network/interfaces
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
auto ens3
iface ens3 inet dhcp
iface ens3 inet6 static
address 2001:41d0:0302:2200:0000:0000:0000:1d0f
netmask 128
post-up /sbin/ip -6 route add 2001:41d0:0302:2200:0:0:0:1 dev ens3
post-up /sbin/ip -6 route add default via 2001:41d0:0302:2200:0:0:0:1 dev ens3
pre-down /sbin/ip -6 route del default via 2001:41d0:0302:2200:0:0:0:1 dev ens3
pre-down /sbin/ip -6 route del 2001:41d0:0302:2200:0:0:0:1 dev ens3
Mise à jour de la distribution debian stretch
1
apt update && apt upgrade -y
Redémarrer la machine “reboot” pour la prise en compte des modifications du réseau
Connexion SSH sur “VPS 2018 SSD 3 (2 vCores/8GoRam/80GoSSD)”
1
ssh -p 55027 -i .ssh/ovh-ssh-ed25519xouser@193.70.43.101
Vérifier le réseau ip addr
1
2
3
4
5
6
7
8
9
10
11
12
13
14
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether fa:16:3e:ee:49:1f brd ff:ff:ff:ff:ff:ff
inet 193.70.43.101/32 brd 193.70.43.101 scope global ens3
valid_lft forever preferred_lft forever
inet6 2001:41d0:302:2200::1d0f/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:feee:491f/64 scope link
valid_lft forever preferred_lft forever
locale fr_FR.UTF-8
Lors de la demande de réinstallation de la VPS OVH en debian 9 , il est possible de choisir la langue
Mais, à priori ,le paramétrage des “locales” n’est pas fait…
1
2
3
4
5
6
7
8
9
10
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "fr_FR.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
Pour supprimer le “warning”, générer la locale fr_FR.UTF-8
1
2
sudo -s
locale-gen fr_FR.UTF-8
1
2
3
4
Generating locales (this might take a while)...
en_US.UTF-8... done
fr_FR.UTF-8... done
Generation complete.
Activer la locale fr
1
sudo dpkg-reconfigure locales
DNS OVH
1
2
3
4
5
6
7
$TTL 3600
@ IN SOA dns106.ovh.net. tech.ovh.net. (2018102303 86400 3600 3600000 300)
3600 IN NS dns106.ovh.net.
3600 IN NS ns106.ovh.net.
3600 IN A 193.70.43.101
3600 IN AAAA 2001:41d0:302:2200::1d0f
* 3600 IN CNAME xoyize.xyz.
Certificats Letsencrypt
Serveur , installer et renouveler les certificats SSL Let’s encrypt
Prérequis
1
sudo apt install netcat git -y
Installation client acme.sh
1
2
3
4
5
6
7
cd ~
sudo -s # en mode super utilisateur
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install # --nocron
cd ..
rm -rf acme.sh/
Les clés de l’api OVH OVH_AK et OVH_AS
Génération des certificats
1
/root/.acme.sh/acme.sh --dns dns_ovh --issue --keylength 4096 -d xoyize.xyz -d *.xoyize.xyz
1
[Tue Oct 23 10:20:43 CEST 2018] Please open this link to do authentication: https://eu.api.ovh.com/auth/?credentialToken=op3eQxvOjEBvg7Y0P1bQIfnxdKYWtoWfWywmX
Valider l’api en ouvrant le lien demandé, puis relancer la commande précédente.
Les certificats
1
2
3
4
[Tue Oct 23 10:25:28 CEST 2018] Your cert is in /root/.acme.sh/xoyize.xyz/xoyize.xyz.cer
[Tue Oct 23 10:25:28 CEST 2018] Your cert key is in /root/.acme.sh/xoyize.xyz/xoyize.xyz.key
[Tue Oct 23 10:25:28 CEST 2018] The intermediate CA cert is in /root/.acme.sh/xoyize.xyz/ca.cer
[Tue Oct 23 10:25:28 CEST 2018] And the full chain certs is there: /root/.acme.sh/xoyize.xyz/fullchain.cer
nginx php7.2 mariadb
Debian Stretch compilation nginx avec modules dynamiques et TLSv1.3 + PHP7.2 + MariaDB
Tester http://193.70.43.101/info.php
Configuration nginx avec certificats
1
sudo -s # en mode super utilisateur
Les liens avec certificats
1
2
ln -s /root/.acme.sh/xoyize.xyz/fullchain.cer /etc/ssl/private/xoyize.xyz.fullchain.cer.pem
ln -s /root/.acme.sh/xoyize.xyz/xoyize.xyz.key /etc/ssl/private/xoyize.xyz.key.pem
Fichier de configuration nginx
1
2
rm /etc/nginx/conf.d/default.conf
nano /etc/nginx/conf.d/default.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
server {
listen 80;
listen [::]:80;
## redirect http to https ##
server_name xoyize.xyz;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name xoyize.xyz;
root /var/www/ ;
ssl_certificate /etc/ssl/private/xoyize.xyz.fullchain.cer.pem;
ssl_certificate_key /etc/ssl/private/xoyize.xyz.key.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
# As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519
# (this doesn't work on jessie though ...?)
# ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
# As suggested by https://cipherli.st/
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
# Ciphers with modern compatibility
#---------------------------------
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
# Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AESGCM:EECDH+CHACHA20:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# Uncomment the following directive after DH generation
# > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
#ssl_dhparam /etc/ssl/private/dh2048.pem;
# Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
# https://wiki.mozilla.org/Security/Guidelines/Web_Security
# https://observatory.mozilla.org/
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header Content-Security-Policy "upgrade-insecure-requests";
add_header Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options "SAMEORIGIN";
index index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php7.2-fpm.sock; # PHP7.2
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
Rechargement nginx
1
systemctl reload nginx
Lien https://xoyize.xyz/info.php
Vérifier TLS
Parefeu
Parefeu (firewall) iptables IPV4/IPV6 bureau/serveur
wikistatic
Ruby via compilation ou RVM + serveur statique Jekyll sur Debian
- Installation ruby par compilation
- Installation jekyll thème “minima”
- Installation dépendances et wikistatic
Jekyll/Nginx SANS Proxy
Fichier de configuration nginx
1
sudo nano /etc/nginx/conf.d/static.xoyize.xyz.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
server {
listen 80;
listen [::]:80;
## redirect http to https ##
server_name static.xoyize.xyz;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name static.xoyize.xyz;
root /srv/wikistatic/_site/ ;
ssl_certificate /etc/ssl/private/xoyize.xyz.fullchain.cer.pem;
ssl_certificate_key /etc/ssl/private/xoyize.xyz.key.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
# As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519
# (this doesn't work on jessie though ...?)
# ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
# As suggested by https://cipherli.st/
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
# Ciphers with modern compatibility
#---------------------------------
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
# Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AESGCM:EECDH+CHACHA20:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# Uncomment the following directive after DH generation
# > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
#ssl_dhparam /etc/ssl/private/dh2048.pem;
# Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
# https://wiki.mozilla.org/Security/Guidelines/Web_Security
# https://observatory.mozilla.org/
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header Content-Security-Policy "upgrade-insecure-requests";
add_header Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options "SAMEORIGIN";
access_log /var/log/nginx/static.xoyize.xyz-access.log;
error_log /var/log/nginx/static.xoyize.xyz-error.log;
}
Vérifier et relancer le serveur
1
2
sudo nginx -t
sudo systemctl reload nginx
Accès https://static.xoyize.xyz
Cet article est sous licence
CC BY 4.0
par l'auteur.