Následující verze | Předchozí verze |
navody:uzivatele:stepan_schejbal [2015/04/06 21:41] – vytvořeno admin | navody:uzivatele:stepan_schejbal [2015/04/08 06:52] (aktuální) – stepanschebal |
---|
<html><head><META http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body> | ====== vps====== |
| |
<div><div title="vps"><div><div><div><h2><a></a>vps</h2></div></div><hr></div><div><div>Table of Contents</div><dl><dt><span><a href="#0.1_idp656">1. Info</a></span></dt><dt><span><a href="#0.1_idp42944">2. Základ</a></span></dt><dd><dl><dt><span><a href="#0.1_idp43584">2.1. Auktualizace systému</a></span></dt><dt><span><a href="#0.1_idp44864">2.2. Základní balíky a nastavení</a></span></dt><dt><span><a href="#0.1_idp51728">2.3. Firewall</a></span></dt><dt><span><a href="#0.1_idp67296">2.4. OpenVPN</a></span></dt><dt><span><a href="#0.1_idp90288">2.5. sendmail interface pro SMTP server</a></span></dt></dl></dd><dt><span><a href="#0.1_idp100384">3. web server</a></span></dt><dd><dl><dt><span><a href="#0.1_idp101056">3.1. Nginx</a></span></dt><dt><span><a href="#0.1_idp108528">3.2. Tomcat</a></span></dt><dt><span><a href="#0.1_idp33040">3.3. Apache + PHP</a></span></dt></dl></dd><dt><span><a href="#0.1_idp37024">4. Git</a></span></dt><dt><span><a href="#0.1_idp139840">5. Mysql</a></span></dt><dt><span><a href="#0.1_idp142304">6. Redmine</a></span></dt><dd><dl><dt><span><a href="#0.1_idp156304">6.1. Passenger v nginx</a></span></dt><dt><span><a href="#0.1_idp160720">6.2. Thin v nginx (primitivni alternativa k passengeru)</a></span></dt></dl></dd><dt><span><a href="#0.1_idp168544">7. nexus (maven repository)</a></span></dt></dl></div><div title="1. Info"><div><div><div><h2 style="clear:both"><a></a>1. Info</h2></div></div></div><p>Nainstalovaný systém je <span><strong>debian 7 | =====Info===== |
(wheezy)</strong></span>. Původně jsem zkoušel debian 6, ale nefungoval v něm | |
shorewall. Pak to běželo na arch linuxu, ale ten není od vpsfree moc | |
podporovaný a navíc má rolling-updates, takže obsahují i hodně velký změny | |
(upgrade glibc, init systému apod.), což může lehce všechno rozjebat do | |
stavu, kdy se to musí komplet přeinstalovat.</p></div><div title="2. Základ"><div><div><div><h2 style="clear:both"><a></a>2. Základ</h2></div></div></div><div title="2.1. Auktualizace systému"><div><div><div><h3><a></a>2.1. Auktualizace systému</h3></div></div></div><div>apt-get update # nahraje info o aktualnich verzich | |
apt-get upgrade # upgraduje baliky na nejnovejsi verze</div></div><div title="2.2. Základní balíky a nastavení"><div><div><div><h3><a></a>2.2. Základní balíky a nastavení</h3></div></div></div><div>apt-get install rsyslog man bzip2 wget sudo htop cron-apt | |
| |
# Oracle Java: | Na serveru běží veřejné služby (web pro java aplikace) a privátní služby přes vpn (ssh, redmine, git, maven repozitář). Zabezpečení je postaveno na firewalu, který blokuje všechno kromě veřejných služeb a vpn. |
# je potreba java-package 0.50+ kuli podpore server-jre, tohle je lepsi nez povolovat backports repozitar | |
wget <a href="http://ftp.cz.debian.org/debian/pool/contrib/j/java-package/java-package_0.53~bpo70+1_all.deb" target="_blank">http://ftp.cz.debian.org/<WBR>debian/pool/contrib/j/java-<WBR>package/java-package_0.53~<WBR>bpo70+1_all.deb</a> | |
dpkg -i java-package_0.53~bpo70+1_all.<WBR>deb | |
wget --no-check-certificate --no-cookies - --header "Cookie: oraclelicense=accept-<WBR>securebackup-cookie" \ | |
<a href="http://download.oracle.com/otn-pub/java/jdk/7u55-b13/server-jre-7u55-linux-x64.tar.gzmake-jpkg" target="_blank">http://download.oracle.com/<WBR>otn-pub/java/jdk/7u55-b13/<WBR>server-jre-7u55-linux-x64.tar.<WBR>gz | |
make-jpkg</a> server-jre-7u55-linux-x64.tar.<WBR>gz | |
dpkg -i oracle-java7-jre_7u55_amd64.<WBR>deb</div><div><a></a><div>Example 1. /etc/ssh/sshd_<WBR>config</div><div><p>Zkopirovat klic na prihlaseni napr. ssh-copy-id | |
<a href="mailto:root@example.com" target="_blank">root@example.com</a>, zkontrolovat, ze to funguje, pak zakazat login s | |
heslem:</p><div>PasswordAuthentication no</div></div></div><br><div><a></a><div>Example 2. /etc/vim/vimrc</div><div><div>set mouse-=a | |
colorscheme elflord | |
syntax on</div></div></div><br><div><a></a><div>Example 3. /etc/cron-apt/<WBR>config</div><div><div>MAILON="upgrade" | |
MAILTO="<span><strong><a href="mailto:user@example.com" target="_blank">user@example.com</a></strong></span>"</div></div></div><br></div><div title="2.3. Firewall"><div><div><div><h3><a></a>2.3. Firewall</h3></div></div></div><p>Nastavení firewallu se dělá pomocí balíku | |
<code>shorewall</code>, detaily viz. <a href="#0.1_">http://shorewall.net/<WBR>standalone.htm</a>, <a href="#0.1_">https://wiki.debian.org/HowTo/<WBR>shorewall</a>.</p><div>apt-get install shorewall | |
cd /etc/shorewall | |
# adresar by mel byt prazdny, krome shorewall.conf</div><div><a></a><div>Example 4. /etc/shorewall/<WBR>zones</div><div><p>Nastavení zón ($FW v ostatních souborech se automaticky | |
nahrazuje "fw").</p><div>#ZONE TYPE OPTIONS IN OUT | |
# OPTIONS OPTIONS | |
fw firewall | |
net ipv4 | |
vpn ipv4</div></div></div><br><div><a></a><div>Example 5. /etc/shorewall/<WBR>policy</div><div><p>Tohle je nastaveni implicitních akcí (vyhodnocuje se v zadaném | |
pořadí!).</p><div>#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: | |
# LEVEL BURST MASK | |
| |
# povol spojeni "ze serveru na internet" | Nainstalovaný systém je **debian 7 (wheezy)** . Původně jsem zkoušel debian 6, ale nefungoval v něm shorewall. Pak to běželo na arch linuxu, ale ten není od vpsfree moc podporovaný a navíc má rolling-updates, takže obsahují i hodně velký změny (upgrade glibc, init systému apod.), což může lehce všechno rozjebat do stavu, kdy se to musí komplet přeinstalovat. |
$FW net ACCEPT | |
| |
# zahod vsechno "z internetu na server" | |
net all DROP info | |
| |
# odmitni vsechno "z vpn na internet" (aby si vpn klienti nebrouzdali pres server) | =====Základ===== |
vpn net REJECT info | |
| |
# povol vsechno ostatni "z vpn" | |
vpn all ACCEPT | |
| |
# The FOLLOWING POLICY MUST BE LAST | ====Auktualizace systému==== |
all all REJECT info</div></div></div><br><div><a></a><div>Example 6. /etc/shorewall/<WBR>interfaces</div><div><div>FORMAT 2 | |
##############################<WBR>##############################<WBR>################### | |
#ZONE INTERFACE OPTIONS | |
net venet0 tcpflags,logmartians,nosmurfs | |
vpn tun0</div></div></div><br><div><a></a><div>Example 7. /ets/shorewall/<WBR>rules</div><div><div>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH | |
# PORT PORT(S) DEST LIMIT GROUP | |
#SECTION ALL | |
#SECTION ESTABLISHED | |
#SECTION RELATED | |
SECTION NEW | |
| |
# povoleni SSH sluzby pro klienty z internetu (NEDELAT, v pripade nouze se lze pripojit k terminalu pres administraci VPS) | apt-get update # nahraje info o aktualnich verzich |
# - pro vsechny | apt-get upgrade # upgraduje baliky na nejnovejsi verze |
#ACCEPT net $FW tcp ssh | |
# - pro urcitou IP adresu | |
#ACCEPT net:78.80.8.27 $FW tcp ssh | |
# - pro skupinu IP adres (subnet) | |
#ACCEPT net:<a href="http://81.25.21.0/24" target="_blank">81.25.21.0/24</a> $FW tcp ssh | |
| |
# OpenVPN | |
ACCEPT net $FW udp 1194 | |
ACCEPT $FW net udp - 1194 | |
| |
# WEB | |
ACCEPT all all tcp 80 | |
ACCEPT all all tcp 443</div></div></div><br><div><a></a><div>Example 8. /etc/shorewall/<WBR>shorewall.conf</div><div><div>STARTUP_ENABLED=Yes</div></div></div><br><div><a></a><div>Example 9. /etc/default/<WBR>shorewall</div><div><div>startup=1</div></div></div><br><p>Pár užitečných příkazů:</p><div>/etc/init.d/shorewall start|stop|restart|... | |
shorewall status | |
shorewall show | |
shorevall safe-start | |
shorewall safe-restart</div></div><div title="2.4. OpenVPN"><div><div><div><h3><a></a>2.4. OpenVPN</h3></div></div></div><div>apt-get install openvpn | |
cp -a /usr/share/openvpn/easy-rsa /etc/openvpn | |
cd /etc/openvpn/easy-rsa</div><div><a></a><div>Example 10. /etc/openvpn/easy-<WBR>rsa/vars</div><div><div>export KEY_SIZE=2048 | |
export KEY_COUNTRY="<span><strong>CZ</strong></span>" | |
export KEY_PROVINCE="<span><strong>Czech Republic</strong></span>" | |
export KEY_CITY="<span><strong>Prague</strong></span>" | |
export KEY_ORG="<span><strong>MOJE FIRMA s.r.o.</strong></span>" | |
export KEY_EMAIL="<span><strong><a href="mailto:support@example.com" target="_blank">support@example.com</a></strong></span><WBR>" | |
export KEY_OU=""</div></div></div><br><div>source vars | |
./clean-all | |
./build-ca # zadat např. openvpn-ca jako Common Name/Name | |
./build-key-server <span><strong>mujserver</strong></span> | |
./build-key <span><strong>tonda</strong></span> # nebo build-key-pass pro zaheslovani privatnich klicu | |
./build-key <span><strong>cenda</strong></span> | |
... | |
./build-dh | |
cd keys | |
openvpn --genkey --secret ta.key | |
cp {ca.crt,dh2048.pem,ta.key,<WBR>inter.{crt,key}} /etc/openvpn | |
chmod 600 /etc/openvpn/{ta.key,inter.<WBR>key}</div><div><a></a><div>Example 11. /etc/openvpn/<WBR>server.conf</div><div><div>dev tun | |
port 1194 | |
;proto tcp | |
proto udp | |
# VPN subnet - vybrat neco nahodnyho z <a href="http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces" target="_blank">http://en.wikipedia.org/wiki/<WBR>Private_network#Private_IPv4_<WBR>address_spaces</a> | |
# urcite ne 10.0.0.0, 10.1.1.0, 192.168.0.0, 192.168.1.0 - to pouziva vetsina "domacich" siti | |
server <span><strong>10.134.75</strong></span>.0 255.255.255.0 | |
ifconfig-pool-persist ipp.txt | |
ca ca.crt | |
crl-verify crl.pem # viz. revokace certifikatu | |
cert inter.crt | |
key inter.key | |
dh dh2048.pem | |
tls-auth ta.key 0 | |
cipher AES-256-CBC | |
comp-lzo yes</div></div></div><br><div><a></a><div>Example 12. client.conf</div><div><div>dev tun | |
port 1194 | |
proto udp | |
client | |
remote <span><strong><a href="http://mujserver.example.com" target="_blank">mujserver.example.com</a></strong></span> | |
ca ca.crt | |
cert <span><strong>tonda.crt</strong></span> | |
key <span><strong>tonda.key</strong></span> | |
tls-auth ta.key 1 | |
remote-cert-tls server | |
cipher AES-256-CBC | |
comp-lzo yes</div></div></div><br><p>Teď už je třeba jenom poslat každému klientovi | |
<code>client.conf</code>, <code>ta.key</code> a | |
odpovídající <code>crt</code> a <code>key</code> soubor. | |
<span><strong>Doporučuje se přesunout | |
<code>ca.key</code> na offline úložiště a odstranit | |
<code>key</code> soubory všech klientů.</strong></span></p><div># predpoklada nastaveni sendmailu (dale v navodu) | |
cd keys | |
key="<span><strong>tonda</strong></span>" email="<span><strong><a href="mailto:tonda@example.com" target="_blank">tonda@example.com</a></strong></span>" | |
zippwd=$(dd if=/dev/urandom bs=1 count=10 2>/dev/null | base64 | head -c 8) | |
rm -v $key.7z; 7z a -p $zippwd ca.crt $key.{crt,key} ta.key && mailx -s "openvpn keys" -a $key.7z $email <<<"heslo k archivu dodam"; rm -v $key.7z | |
echo "heslo na rozbaleni $key.7z: $zippwd"</div><div title="2.4.1. Revokace certifikátů"><div><div><div><h4><a></a>2.4.1. Revokace certifikátů</h4></div></div></div><div>cd /etc/openvpn/easy-rsa | |
source vars | |
./revoke-full <span><strong>jmeno_certifikátu</strong></span> | |
cp -v crl.pem /etc/openvpn</div></div></div><div title="2.5. sendmail interface pro SMTP server"><div><div><div><h3><a></a>2.5. sendmail interface pro SMTP server</h3></div></div></div><p>Některé komponenty (např. redmine) potřebují posílat emaily přes | |
sendmail interface (např. jejich SMTP klient z nějakého důvodu nefunguje | |
se SMTP serverem). Proto se dá nainstalovat lepší SMTP klient, který | |
podporuje sendmail interface. Detaily viz. <a href="#0.1_">http://msmtp.sourceforge.net/<WBR>doc/msmtp.html</a>.</p><div>apt-get purge exim4-config exim4 exim4-base exim4-daemon-light | |
apt-get install msmtp-mta | |
ls -l /usr/sbin/sendmail | |
# musi ukazovat na /usr/msmtp</div><div><a></a><div>Example 13. /etc/msmtprc</div><div><div># Accounts will inherit settings from this section | |
defaults | |
auth on | |
tls on | |
tls_certcheck off | |
#tls_trust_file /usr/share/ca-certificates/<WBR>mozilla/Thawte_Premium_Server_<WBR>CA.crt | |
| |
account <span><strong>blackhole</strong></span> | ====Základní balíky a nastavení==== |
host <span><strong><a href="http://smtp.example.com" target="_blank">smtp.example.com</a></strong></span> | |
port <span><strong>465</strong></span> | |
from <span><strong><a href="mailto:blackhole@example.com" target="_blank">blackhole@example.com</a></strong></span> | |
user <span><strong><a href="mailto:blackhole@example.com" target="_blank">blackhole@example.com</a></strong></span> | |
password <span><strong>my_password</strong></span> | |
tls_starttls <span><strong>off</strong></span> | |
| |
account default : <span><strong>blackhole</strong></span></div></div></div><br></div></div><div title="3. web server"><div><div><div><h2 style="clear:both"><a></a>3. web server</h2></div></div></div><div title="3.1. Nginx"><div><div><div><h3><a></a>3.1. Nginx</h3></div></div></div><p>Nginx krom jiného umožňuje provozovat více různých web serverů na | apt-get install rsyslog man bzip2 wget sudo htop cron-apt |
stejném portu (např. tomcat pro java web aplikace + apache pro php + | |
passenger pro ruby aplikace).</p><p>Protoze potrebujem <span><em>passenger</em></span> pro | # Oracle Java: |
<span><em>ruby</em></span> aplikace (napr. <span><em>redmine</em></span>), | # je potreba java-package 0.50+ kuli podpore server-jre, tohle je lepsi nez povolovat backports repozitar |
neda se to instalovat z debianich balicku.</p><div>apt-key adv --keyserver <a href="http://keyserver.ubuntu.com" target="_blank">keyserver.ubuntu.com</a> --recv-keys 561F9B9CAC40B2F7 | wget http://ftp.cz.debian.org/debian/pool/contrib/j/java-package/java-package_0.53~bpo70+1_all.deb |
apt-get install apt-transport-https ca-certificates | dpkg -i java-package_0.53~bpo70+1_all.deb |
echo "deb <a href="https://oss-binaries.phusionpassenger.com/apt/passenger" target="_blank">https://oss-binaries.<WBR>phusionpassenger.com/apt/<WBR>passenger</a> wheezy main" > /etc/apt/sources.list.d/<WBR>passenger.list | wget --no-check-certificate --no-cookies - --header "Cookie: oraclelicense=accept-securebackup-cookie" \ |
chmod 600 /etc/apt/sources.list.d/<WBR>passenger.list | http://download.oracle.com/otn-pub/java/jdk/7u55-b13/server-jre-7u55-linux-x64.tar.gz |
apt-get update | make-jpkg server-jre-7u55-linux-x64.tar.gz |
apt-get install nginx-extras passenger</div><p>Pokud se bude pouzivat SSL, tak je potreba vygenerovat | dpkg -i oracle-java7-jre_7u55_amd64.deb |
certifikat:</p><div>openssl req -new -x509 -nodes -out /etc/nginx/server.crt -keyout /etc/nginx/server.key</div><div><a></a><div>Example 14. /etc/nginx/conf/<WBR>nginx.conf</div><div><div>#user nobody; | |
worker_processes 1; | |
| |
error_log /var/log/nginx/error.log; | |
pid /var/run/nginx.pid; | |
| |
#error_log logs/error.log notice; | **/etc/ssh/sshd_config** |
#error_log logs/error.log info; | |
| |
#pid logs/nginx.pid; | Zkopirovat klic na prihlaseni napr. ssh-copy-id root@example.com, zkontrolovat, ze to funguje, pak zakazat login s heslem: |
| |
| PasswordAuthentication no |
| |
events { | |
worker_connections 128; # maximalni pocet spojeni - <a href="http://wiki.nginx.org/EventsModule#worker_connections" target="_blank">http://wiki.nginx.org/<WBR>EventsModule#worker_<WBR>connections</a> | |
} | |
| |
| |
http { | |
passenger_root /usr/lib/ruby/vendor_ruby/<WBR>phusion_passenger/locations.<WBR>ini; | |
passenger_ruby /usr/bin/ruby; | |
| |
include mime.types; | **/etc/vim/vimrc** |
default_type application/octet-stream; | |
| |
#log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | set mouse-=a |
# '$status $body_bytes_sent "$http_referer" ' | colorscheme elflord |
# '"$http_user_agent" "$http_x_forwarded_for"'; | syntax on |
| |
#access_log logs/access.log main; | |
| |
sendfile on; | |
#tcp_nopush on; | |
| |
#keepalive_timeout 0; | |
keepalive_timeout 65; | |
| |
#gzip on; | **/etc/cron-apt/config** |
| |
ssl_certificate server.crt; | MAILON="upgrade" |
ssl_certificate_key server.key; | MAILTO="user@example.com" |
| |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header Host $http_host; | |
}</div></div></div><br></div><div title="3.2. Tomcat"><div><div><div><h3><a></a>3.2. Tomcat</h3></div></div></div><p>Web server je tomcat 7, protožev něm chceme provozovat jednoduchý | |
javovský web aplikace (tzn. potřebujeme něco v javě, ale nepotřebujeme | |
super-druper aplikační server).</p><div>apt-get install tomcat7</div><div><a></a><div>Example 15. conf/server.xml</div><div><div><Server port="8005" shutdown="SHUTDOWN"> | |
<Service name="Catalina"> | |
<Connector port="<span><strong>8081</strong></span>" protocol="org.apache.coyote.<WBR>http11.Http11NioProtocol" | |
connectionTimeout="20000" | |
redirectPort="<span><strong>443</strong></span>" | |
minSpareThreads="2" maxThreads="10" /> | |
<Engine name="Catalina" defaultHost="<span><strong><a href="http://www.example.com" target="_blank">www.example.com</a></strong></span>"> | |
<Host name="<span><strong><a href="http://www.example.com" target="_blank">www.example.com</a></strong></span>" appBase="<span><strong>webapps-moje</strong></span>" | |
unpackWARs="true" autoDeploy="true"> | |
<Valve className="org.apache.<WBR>catalina.valves.<WBR>AccessLogValve" directory="logs" | |
prefix="access_log." suffix=".log" | |
pattern="%h %l %u %t &quot;%r&quot; %s %b" /> | |
</Host> | |
</Engine> | |
</Service> | |
</Server></div><p><code>appBase</code> je zmenena, protoze upgrade tomcatu | |
by mohl prepsat aplikace ve | |
<code>/var/lib/tomcat7/webapps</code> (minimalne nektery | |
distribuce to delaly).</p></div></div><br><div><a></a><div>Example 16. /etc/default/<WBR>tomcat7</div><div><div>JAVA_HOME=/usr/lib/jvm/jre-7-<WBR>oracle-x64 | |
CATALINA_OPTS=-Djava.awt.<WBR>headless=true -Xmx80m -XX:+UseConcMarkSweepGC | |
# povolit pro remote management (napr. jconsole nebo jvisualvm) | |
#JAVA_OPTS="${JAVA_OPTS} -Djava.rmi.server.hostname=<span><strong><a href="http://mujserver.example.com" target="_blank">muj<WBR>server.example.com</a></strong></span> -Djava.net.preferIPv4Stack=<WBR>true -Dcom.sun.management.<WBR>jmxremote.ssl=false -Dcom.sun.management.<WBR>jmxremote.port=5000 -Dcom.sun.management.<WBR>jmxremote.authenticate=false"</div></div></div><br><p>Nastavit nginx, aby pozadavky preposilal na tomcat:</p><div><a></a><div>Example 17. /etc/nginx/conf/<WBR>nginx.conf</div><div><div> server { | |
# JAVA web server - treba Tomcat | |
listen *:80 default_server; | |
listen *:443 ssl; | |
| |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header Host $http_host; | |
| |
location / { | |
proxy_pass <a href="http://127.0.0.1:8081" target="_blank">http://127.0.0.1:8081</a>; | |
} | |
}</div></div></div><br></div><div title="3.3. Apache + PHP"><div><div><div><h3><a></a>3.3. Apache + PHP</h3></div></div></div><p>Pro PHP experimenty:</p><div><a></a><div>Example 18. /etc/nginx/conf/<WBR>nginx.conf</div><div><div> server { | |
# PHP + phpmyadmin | |
listen *:80; | |
listen *:443 ssl; | |
server_name <span><strong><a href="http://php.example.com" target="_blank">php.example.com</a></strong></span>; # tohle je dalsi DNS jmeno pro verrejnou adresu vps serveru | |
| |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header Host $http_host; | |
| |
location / { | ====Firewall==== |
proxy_pass <a href="http://127.0.0.1:8082" target="_blank">http://127.0.0.1:8082</a>; | |
} | |
| |
# PHPmyadmin jenom pres SSL | Nastavení firewallu se dělá pomocí balíku //shorewall// , detaily viz. [[http:// | http://shorewall.net/standalone.htm]] , [[http:// | https://wiki.debian.org/HowTo/shorewall]] . |
location /phpmyadmin { | |
if ($scheme = "http") { | |
rewrite ^ https://$http_host$request_uri permanent; | |
} | |
if ($scheme = "https") { | |
proxy_pass <a href="http://127.0.0.1:8082" target="_blank">http://127.0.0.1:8082</a>; | |
} | |
} | |
}</div></div></div><br></div></div><div title="4. Git"><div><div><div><h2 style="clear:both"><a></a>4. Git</h2></div></div></div><p>Přístup k repozitářům gitu řídí | |
<span><em>gitolite</em></span>.</p><div># zkopirovat id_rsa.pub spravce gitu do /root/spravcegitu.pub | |
apt-get install gitolite | |
dpkg-reconfigure gitolite | |
# zmenit user na <span><strong>git</strong></span></div><div><a></a><div>Example 19. /var/lib/gitolite/<WBR>.gitolite.rc</div><div><div>$REPO_UMASK = 0027; # nastavi soubory g+rx, aby k tomu mel pristup napr. redmine</div></div></div><br><div><a></a><div>Example 20. /etc/ssh/sshd_<WBR>config</div><div><p>Zakáže se autentikace heslem (všechno běží pouze přes | |
certifikáty):</p><div>Match User git | |
PasswordAuthentication no</div></div></div><br></div><div title="5. Mysql"><div><div><div><h2 style="clear:both"><a></a>5. Mysql</h2></div></div></div><p>Mysql je potřeba např. pro redmine (viz. níže). Více na <a href="#0.1_">https://wiki.archlinux.org/<WBR>index.php/MySQL</a>.</p><div>apt-get install mysql-server | |
mysql_secure_installation</div></div><div title="6. Redmine"><div><div><div><h2 style="clear:both"><a></a>6. Redmine</h2></div></div></div><p>Podrobnosti viz. <a href="#0.1_">http://www.redmine.org/<WBR>projects/redmine/wiki/<WBR>RedmineInstall</a>.</p><div>apt-get install ruby ruby-dev make imagemagick libmagickcore-dev libmagickwand-dev libmysqlclient-dev | |
cd | |
VER=2.5.1 | |
wget <a href="http://www.redmine.org/releases/redmine-$VER.tar.gz" target="_blank">http://www.redmine.org/<WBR>releases/redmine-$VER.tar.gz</a> | |
tar xzf redmine-$VER.tar.gz -C /opt | |
chown -R root:root /opt/redmine-$VER</div><div>mysql -p # zepta se na heslo (viz. instalace mysql) | |
create database redmine character set utf8; | |
create user 'redmine'@'localhost' identified by '<span><strong>my_password</strong></span>'; | |
grant all privileges on redmine.* to 'redmine'@'localhost';</div><div><a></a><div>Example 21. config/database.<WBR>yml</div><div><div>production: | |
adapter: mysql2 | |
database: redmine | |
host: localhost | |
username: redmine | |
password: <span><strong>my_password</strong></span> | |
encoding: utf8</div></div></div><br><div><a></a><div>Example 22. config/<WBR>configuration.yml</div><div><div>production: | |
email_delivery: | |
delivery_method: :sendmail</div></div></div><br><p>Tohle je potreba udelat az po | |
<code>config/database.yml</code>, aby to nahralo vsechny potrebny | |
doplnky (hlavne teda ty na pristup k databazi).</p><div>cd /opt/redmine-$VER | |
gem install --no-user-install bundler | |
bundle install --system --without development test postgresql sqlite | |
rake generate_secret_token | |
useradd -m --home-dir /var/lib/redmine-$VER --shell /bin/bash --system redmine | |
usermod -a -G git redmine | |
mkdir -p /var/lib/redmine-$VER/{tmp,<WBR>public/plugin_assets} | |
tar c files log tmp public/plugin_assets | tar xv -C /var/lib/redmine-$VER | |
for i in files log tmp public/plugin_assets; do rm -Rf $i; ln -nfs /var/lib/redmine-$VER/$i $i; done | |
chown -R redmine:redmine /var/lib/redmine-$VER | |
chmod -R ugo+r /var/lib/redmine-$VER</div><p>Zkopírují se data ze starého serveru:</p><div><span><strong># nejak dostat data z <code>files</code> do <code>/var/lib/redmine-1.4/files</code></strong></span> | |
mysql -u redmine -p redmine < dump_redmine_default_2012-05-<WBR>28.sql | tee restore.log | |
RAILS_ENV=production rake db:migrate</div><div title="Note" style="margin-left:0.5in;margin-right:0.5in"><h3>Note</h3><p>Novou databázi lze vytvořit pomocí:</p><div>RAILS_ENV=production rake db:migrate | |
RAILS_ENV=production rake redmine:load_default_data</div></div><p>Instalaci lze otestovat spuštěním jednoduchého web serveru (podívat | |
se na projekty a jestli funguje integrace s gitem a posílání | |
emailů):</p><div>su - -s /bin/bash redmine | |
ruby script/rails server webrick -e production</div><div title="6.1. Passenger v nginx"><div><div><div><h3><a></a>6.1. Passenger v nginx</h3></div></div></div><p>Detaily viz. <a href="#0.1_">http://www.modrails.com/<WBR>documentation/Users%20guide%<WBR>20Nginx.html#install_on_<WBR>debian_ubuntu</a>.</p><div>apt-get install ruby-passenger</div><div><a></a><div>Example 23. /etc/nginx/conf/<WBR>nginx.conf</div><div><div>http { | |
# POZOR: musi byt zapnuty passenger (viz. instalace nginx) | |
| |
server { | apt-get install shorewall |
listen 8080 default_server; | cd /etc/shorewall |
root /opt/redmine-2.5.1/public; | # adresar by mel byt prazdny, krome shorewall.conf |
passenger_enabled on; | |
# implicitne se pouzije aktualni owner/group souboru <code>config/environment.rb</code> | |
passenger_user redmine; | **/etc/shorewall/zones** |
passenger_group redmine; | |
client_max_body_size 100M; # nektere uploady do redmine budou vetsi nez default limit | Nastavení zón ($FW v ostatních souborech se automaticky nahrazuje "fw"). |
| |
| #ZONE TYPE OPTIONS IN OUT |
| # OPTIONS OPTIONS |
| fw firewall |
| net ipv4 |
| vpn ipv4 |
| |
| |
| |
| |
| **/etc/shorewall/policy** |
| |
| Tohle je nastaveni implicitních akcí (vyhodnocuje se v zadaném pořadí!). |
| |
| #SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: |
| # LEVEL BURST MASK |
| |
| # povol spojeni "ze serveru na internet" |
| $FW net ACCEPT |
| |
| # zahod vsechno "z internetu na server" |
| net all DROP info |
| |
| # odmitni vsechno "z vpn na internet" (aby si vpn klienti nebrouzdali pres server) |
| vpn net REJECT info |
| |
| # povol vsechno ostatni "z vpn" |
| vpn all ACCEPT |
| |
| # The FOLLOWING POLICY MUST BE LAST |
| all all REJECT info |
| |
| |
| |
| |
| **/etc/shorewall/interfaces** |
| |
| FORMAT 2 |
| ############################################################################### |
| #ZONE INTERFACE OPTIONS |
| net venet0 tcpflags,logmartians,nosmurfs |
| vpn tun0 |
| |
| |
| |
| |
| **/ets/shorewall/rules** |
| |
| #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH |
| # PORT PORT(S) DEST LIMIT GROUP |
| #SECTION ALL |
| #SECTION ESTABLISHED |
| #SECTION RELATED |
| SECTION NEW |
| |
| # povoleni SSH sluzby pro klienty z internetu (NEDELAT, v pripade nouze se lze pripojit k terminalu pres administraci VPS) |
| # - pro vsechny |
| #ACCEPT net $FW tcp ssh |
| # - pro urcitou IP adresu |
| #ACCEPT net:78.80.8.27 $FW tcp ssh |
| # - pro skupinu IP adres (subnet) |
| #ACCEPT net:81.25.21.0/24 $FW tcp ssh |
| |
| # OpenVPN |
| ACCEPT net $FW udp 1194 |
| ACCEPT $FW net udp - 1194 |
| |
| # WEB |
| ACCEPT all all tcp 80 |
| ACCEPT all all tcp 443 |
| |
| |
| |
| |
| **/etc/shorewall/shorewall.conf** |
| |
| STARTUP_ENABLED=Yes |
| |
| |
| |
| |
| **/etc/default/shorewall** |
| |
| startup=1 |
| |
| |
| |
| |
| Pár užitečných příkazů: |
| |
| /etc/init.d/shorewall start|stop|restart|... |
| shorewall status |
| shorewall show |
| shorevall safe-start |
| shorewall safe-restart |
| |
| |
| |
| ====OpenVPN==== |
| |
| apt-get install openvpn |
| cp -a /usr/share/openvpn/easy-rsa /etc/openvpn |
| cd /etc/openvpn/easy-rsa |
| |
| |
| **/etc/openvpn/easy-rsa/vars** |
| |
| export KEY_SIZE=2048 |
| export KEY_COUNTRY="CZ" |
| export KEY_PROVINCE="Czech Republic" |
| export KEY_CITY="Prague" |
| export KEY_ORG="MOJE FIRMA s.r.o." |
| export KEY_EMAIL="support@example.com" |
| export KEY_OU="" |
| |
| |
| |
| |
| source vars |
| ./clean-all |
| ./build-ca # zadat např. openvpn-ca jako Common Name/Name |
| ./build-key-server mujserver |
| ./build-key tonda # nebo build-key-pass pro zaheslovani privatnich klicu |
| ./build-key cenda |
| ... |
| ./build-dh |
| cd keys |
| openvpn --genkey --secret ta.key |
| cp {ca.crt,dh2048.pem,ta.key,inter.{crt,key}} /etc/openvpn |
| chmod 600 /etc/openvpn/{ta.key,inter.key} |
| |
| |
| **/etc/openvpn/server.conf** |
| |
| dev tun |
| port 1194 |
| ;proto tcp |
| proto udp |
| # VPN subnet - vybrat neco nahodnyho z http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces |
| # urcite ne 10.0.0.0, 10.1.1.0, 192.168.0.0, 192.168.1.0 - to pouziva vetsina "domacich" siti |
| server 10.134.75.0 255.255.255.0 |
| ifconfig-pool-persist ipp.txt |
| ca ca.crt |
| crl-verify crl.pem # viz. revokace certifikatu |
| cert inter.crt |
| key inter.key |
| dh dh2048.pem |
| tls-auth ta.key 0 |
| cipher AES-256-CBC |
| comp-lzo yes |
| |
| |
| |
| |
| **client.conf** |
| |
| dev tun |
| port 1194 |
| proto udp |
| client |
| remote mujserver.example.com |
| ca ca.crt |
| cert tonda.crt |
| key tonda.key |
| tls-auth ta.key 1 |
| remote-cert-tls server |
| cipher AES-256-CBC |
| comp-lzo yes |
| |
| |
| |
| |
| Teď už je třeba jenom poslat každému klientovi ''client.conf'' , ''ta.key'' a odpovídající ''crt'' a ''key'' soubor. **Doporučuje se přesunout ''ca.key'' na offline úložiště a odstranit ''key'' soubory všech klientů.** |
| |
| # predpoklada nastaveni sendmailu (dale v navodu) |
| cd keys |
| key="tonda" email="tonda@example.com" |
| zippwd=$(dd if=/dev/urandom bs=1 count=10 2>/dev/null | base64 | head -c 8) |
| rm -v $key.7z; 7z a -p $zippwd ca.crt $key.{crt,key} ta.key && mailx -s "openvpn keys" -a $key.7z $email <<<"heslo k archivu dodam"; rm -v $key.7z |
| echo "heslo na rozbaleni $key.7z: $zippwd" |
| |
| |
| |
| ===Revokace certifikátů=== |
| |
| cd /etc/openvpn/easy-rsa |
| source vars |
| ./revoke-full jmeno_certifikátu |
| cp -v crl.pem /etc/openvpn |
| |
| |
| |
| ====sendmail interface pro SMTP server==== |
| |
| Některé komponenty (např. redmine) potřebují posílat emaily přes sendmail interface (např. jejich SMTP klient z nějakého důvodu nefunguje se SMTP serverem). Proto se dá nainstalovat lepší SMTP klient, který podporuje sendmail interface. Detaily viz. [[http:// | http://msmtp.sourceforge.net/doc/msmtp.html]] . |
| |
| apt-get purge exim4-config exim4 exim4-base exim4-daemon-light |
| apt-get install msmtp-mta |
| ls -l /usr/sbin/sendmail |
| # musi ukazovat na /usr/msmtp |
| |
| |
| **/etc/msmtprc** |
| |
| # Accounts will inherit settings from this section |
| defaults |
| auth on |
| tls on |
| tls_certcheck off |
| #tls_trust_file /usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt |
| |
| account blackhole |
| host smtp.example.com |
| port 465 |
| from blackhole@example.com |
| user blackhole@example.com |
| password my_password |
| tls_starttls off |
| |
| account default : blackhole |
| |
| |
| |
| |
| |
| =====web server===== |
| |
| |
| ====Nginx==== |
| |
| Nginx krom jiného umožňuje provozovat více různých web serverů na stejném portu (např. tomcat pro java web aplikace + apache pro php + passenger pro ruby aplikace). |
| |
| Protoze potrebujem **passenger** pro **ruby** aplikace (napr. **redmine** ), neda se to instalovat z debianich balicku. |
| |
| apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 561F9B9CAC40B2F7 |
| apt-get install apt-transport-https ca-certificates |
| echo "deb https://oss-binaries.phusionpassenger.com/apt/passenger wheezy main" > /etc/apt/sources.list.d/passenger.list |
| chmod 600 /etc/apt/sources.list.d/passenger.list |
| apt-get update |
| apt-get install nginx-extras passenger |
| |
| |
| Pokud se bude pouzivat SSL, tak je potreba vygenerovat certifikat: |
| |
| openssl req -new -x509 -nodes -out /etc/nginx/server.crt -keyout /etc/nginx/server.key |
| |
| |
| **/etc/nginx/conf/nginx.conf** |
| |
| #user nobody; |
| worker_processes 1; |
| |
| error_log /var/log/nginx/error.log; |
| pid /var/run/nginx.pid; |
| |
| #error_log logs/error.log notice; |
| #error_log logs/error.log info; |
| |
| #pid logs/nginx.pid; |
| |
| |
| events { |
| worker_connections 128; # maximalni pocet spojeni - http://wiki.nginx.org/EventsModule#worker_connections |
| } |
| |
| |
| http { |
| passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini; |
| passenger_ruby /usr/bin/ruby; |
| |
| include mime.types; |
| default_type application/octet-stream; |
| |
| #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' |
| # '$status $body_bytes_sent "$http_referer" ' |
| # '"$http_user_agent" "$http_x_forwarded_for"'; |
| |
| #access_log logs/access.log main; |
| |
| sendfile on; |
| #tcp_nopush on; |
| |
| #keepalive_timeout 0; |
| keepalive_timeout 65; |
| |
| #gzip on; |
| |
| ssl_certificate server.crt; |
| ssl_certificate_key server.key; |
| |
| proxy_set_header X-Real-IP $remote_addr; |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| proxy_set_header Host $http_host; |
} | } |
}</div></div></div><br></div><div title="6.2. Thin v nginx (primitivni alternativa k passengeru)"><div><div><div><h3><a></a>6.2. Thin v nginx (primitivni alternativa k passengeru)</h3></div></div></div><div>gem install --no-user-install thin | |
thin install</div><p>Pridat nasledujici:</p><div><a></a><div>Example 24. /opt/redmine-1.4/<WBR>Gemfile</div><div><div>gem 'thin'</div></div></div><br><div><a></a><div>Example 25. /etc/thin/redmine.<WBR>yml</div><div><div>--- | |
chdir: /opt/redmine-1.4 | |
environment: production | |
timeout: 30 | |
log: /var/log/thin/redmine.log | |
pid: /var/lib/redmine-1.4/thin.pid # musi byt zapisovatelny userem redmine | |
max_conns: 1024 | |
max_persistent_conns: 100 | |
require: [] | |
wait: 30 | |
socket: /var/lib/redmine-1.4/thin.sock # musi byt zapisovatelny userem redmine | |
daemonize: true | |
user: redmine | |
group: redmine | |
servers: 1</div></div></div><br><p>A nakonec v <code>/etc/rc.conf</code> přidat | |
<code>thin</code> do <code>DAEMONS</code>.</p><div><a></a><div>Example 26. /etc/nginx/conf/<WBR>nginx.conf</div><div><div> upstream redmine { | |
server unix:/var/lib/redmine-1.4/<WBR>thin.0.sock; | |
} | |
| |
| |
| |
| |
| |
| ====Tomcat==== |
| |
| Web server je tomcat 7, protožev něm chceme provozovat jednoduchý javovský web aplikace (tzn. potřebujeme něco v javě, ale nepotřebujeme super-druper aplikační server). |
| |
| apt-get install tomcat7 |
| |
| |
| **conf/server.xml** |
| |
| <Server port="8005" shutdown="SHUTDOWN"> |
| <Service name="Catalina"> |
| <Connector port="8081" protocol="org.apache.coyote.http11.Http11NioProtocol" |
| connectionTimeout="20000" |
| redirectPort="443" |
| minSpareThreads="2" maxThreads="10" /> |
| <Engine name="Catalina" defaultHost="www.example.com"> |
| <Host name="www.example.com" appBase="webapps-moje" |
| unpackWARs="true" autoDeploy="true"> |
| <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" |
| prefix="access_log." suffix=".log" |
| pattern="%h %l %u %t "%r" %s %b" /> |
| </Host> |
| </Engine> |
| </Service> |
| </Server> |
| |
| |
| ''appBase'' je zmenena, protoze upgrade tomcatu by mohl prepsat aplikace ve ''/var/lib/tomcat7/webapps'' (minimalne nektery distribuce to delaly). |
| |
| |
| |
| **/etc/default/tomcat7** |
| |
| JAVA_HOME=/usr/lib/jvm/jre-7-oracle-x64 |
| CATALINA_OPTS=-Djava.awt.headless=true -Xmx80m -XX:+UseConcMarkSweepGC |
| # povolit pro remote management (napr. jconsole nebo jvisualvm) |
| #JAVA_OPTS="${JAVA_OPTS} -Djava.rmi.server.hostname=mujserver.example.com -Djava.net.preferIPv4Stack=true -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=5000 -Dcom.sun.management.jmxremote.authenticate=false" |
| |
| |
| |
| |
| Nastavit nginx, aby pozadavky preposilal na tomcat: |
| |
| **/etc/nginx/conf/nginx.conf** |
| |
| server { |
| # JAVA web server - treba Tomcat |
| listen *:80 default_server; |
| listen *:443 ssl; |
| |
| proxy_set_header X-Real-IP $remote_addr; |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| proxy_set_header Host $http_host; |
| |
| location / { |
| proxy_pass http://127.0.0.1:8081; |
| } |
| } |
| |
| |
| |
| |
| |
| ====Apache + PHP==== |
| |
| Pro PHP experimenty: |
| |
| **/etc/nginx/conf/nginx.conf** |
| |
| server { |
| # PHP + phpmyadmin |
| listen *:80; |
| listen *:443 ssl; |
| server_name php.example.com; # tohle je dalsi DNS jmeno pro verrejnou adresu vps serveru |
| |
| proxy_set_header X-Real-IP $remote_addr; |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| proxy_set_header Host $http_host; |
| |
| location / { |
| proxy_pass http://127.0.0.1:8082; |
| } |
| |
| # PHPmyadmin jenom pres SSL |
| location /phpmyadmin { |
| if ($scheme = "http") { |
| rewrite ^ https://$http_host$request_uri permanent; |
| } |
| if ($scheme = "https") { |
| proxy_pass http://127.0.0.1:8082; |
| } |
| } |
| } |
| |
| |
| |
| |
| |
| =====Git===== |
| |
| Přístup k repozitářům gitu řídí **gitolite** . |
| |
| # zkopirovat id_rsa.pub spravce gitu do /root/spravcegitu.pub |
| apt-get install gitolite |
| dpkg-reconfigure gitolite |
| # zmenit user na git |
| |
| |
| **/var/lib/gitolite/.gitolite.rc** |
| |
| $REPO_UMASK = 0027; # nastavi soubory g+rx, aby k tomu mel pristup napr. redmine |
| |
| |
| |
| |
| **/etc/ssh/sshd_config** |
| |
| Zakáže se autentikace heslem (všechno běží pouze přes certifikáty): |
| |
| Match User git |
| PasswordAuthentication no |
| |
| |
| |
| |
| |
| =====Mysql===== |
| |
| Mysql je potřeba např. pro redmine (viz. níže). Více na [[http:// | https://wiki.archlinux.org/index.php/MySQL]] . |
| |
| apt-get install mysql-server |
| mysql_secure_installation |
| |
| |
| |
| =====Redmine===== |
| |
| Podrobnosti viz. [[http:// | http://www.redmine.org/projects/redmine/wiki/RedmineInstall]] . |
| |
| apt-get install ruby ruby-dev make imagemagick libmagickcore-dev libmagickwand-dev libmysqlclient-dev |
| cd |
| VER=2.5.1 |
| wget http://www.redmine.org/releases/redmine-$VER.tar.gz |
| tar xzf redmine-$VER.tar.gz -C /opt |
| chown -R root:root /opt/redmine-$VER |
| |
| |
| mysql -p # zepta se na heslo (viz. instalace mysql) |
| create database redmine character set utf8; |
| create user 'redmine'@'localhost' identified by 'my_password'; |
| grant all privileges on redmine.* to 'redmine'@'localhost'; |
| |
| |
| **config/database.yml** |
| |
| production: |
| adapter: mysql2 |
| database: redmine |
| host: localhost |
| username: redmine |
| password: my_password |
| encoding: utf8 |
| |
| |
| |
| |
| **config/configuration.yml** |
| |
| production: |
| email_delivery: |
| delivery_method: :sendmail |
| |
| |
| |
| |
| Tohle je potreba udelat az po ''config/database.yml'' , aby to nahralo vsechny potrebny doplnky (hlavne teda ty na pristup k databazi). |
| |
| cd /opt/redmine-$VER |
| gem install --no-user-install bundler |
| bundle install --system --without development test postgresql sqlite |
| rake generate_secret_token |
| useradd -m --home-dir /var/lib/redmine-$VER --shell /bin/bash --system redmine |
| usermod -a -G git redmine |
| mkdir -p /var/lib/redmine-$VER/{tmp,public/plugin_assets} |
| tar c files log tmp public/plugin_assets | tar xv -C /var/lib/redmine-$VER |
| for i in files log tmp public/plugin_assets; do rm -Rf $i; ln -nfs /var/lib/redmine-$VER/$i $i; done |
| chown -R redmine:redmine /var/lib/redmine-$VER |
| chmod -R ugo+r /var/lib/redmine-$VER |
| |
| |
| Zkopírují se data ze starého serveru: |
| |
| # nejak dostat data z files do /var/lib/redmine-1.4/files |
| mysql -u redmine -p redmine < dump_redmine_default_2012-05-28.sql | tee restore.log |
| RAILS_ENV=production rake db:migrate |
| |
| |
| |
| |
| :!::!::!::!::!::!::!::!::!::!: |
| |
| **NOTE:** Novou databázi lze vytvořit pomocí: |
| |
| RAILS_ENV=production rake db:migrate |
| RAILS_ENV=production rake redmine:load_default_data |
| |
| |
| :!::!::!::!::!::!::!::!::!::!: |
| |
| Instalaci lze otestovat spuštěním jednoduchého web serveru (podívat se na projekty a jestli funguje integrace s gitem a posílání emailů): |
| |
| su - -s /bin/bash redmine |
| ruby script/rails server webrick -e production |
| |
| |
| |
| ====Passenger v nginx==== |
| |
| Detaily viz. [[http:// | http://www.modrails.com/documentation/Users%20guide%20Nginx.html#install_on_debian_ubuntu]] . |
| |
| apt-get install ruby-passenger |
| |
| |
| **/etc/nginx/conf/nginx.conf** |
| |
| http { |
| # POZOR: musi byt zapnuty passenger (viz. instalace nginx) |
| |
server { | server { |
listen *:8080 default_server; | listen 8080 default_server; |
client_max_body_size 100M; | root /opt/redmine-2.5.1/public; |
| passenger_enabled on; |
| # implicitne se pouzije aktualni owner/group souboru config/environment.rb |
| passenger_user redmine; |
| passenger_group redmine; |
| client_max_body_size 100M; # nektere uploady do redmine budou vetsi nez default limit |
| } |
| } |
| |
| |
| |
| |
| |
| ====Thin v nginx (primitivni alternativa k passengeru)==== |
| |
| gem install --no-user-install thin |
| thin install |
| |
| |
| Pridat nasledujici: |
| |
| **/opt/redmine-1.4/Gemfile** |
| |
| gem 'thin' |
| |
| |
| |
| |
| **/etc/thin/redmine.yml** |
| |
| # comment |
| --- |
| chdir: /opt/redmine-1.4 |
| environment: production |
| timeout: 30 |
| log: /var/log/thin/redmine.log |
| pid: /var/lib/redmine-1.4/thin.pid # musi byt zapisovatelny userem redmine |
| max_conns: 1024 |
| max_persistent_conns: 100 |
| require: [] |
| wait: 30 |
| socket: /var/lib/redmine-1.4/thin.sock # musi byt zapisovatelny userem redmine |
| daemonize: true |
| user: redmine |
| group: redmine |
| servers: 1 |
| |
| |
| |
| |
| A nakonec v ''/etc/rc.conf'' přidat //thin// do //DAEMONS// . |
| |
| **/etc/nginx/conf/nginx.conf** |
| |
| upstream redmine { |
| server unix:/var/lib/redmine-1.4/thin.0.sock; |
| } |
| |
| server { |
| listen *:8080 default_server; |
| client_max_body_size 100M; |
| |
| location / { |
| proxy_pass http://redmine; |
| } |
| } |
| |
| |
| |
| |
| |
| =====nexus (maven repository)===== |
| |
| |
| |
| :!::!::!::!::!::!::!::!::!::!: |
| |
| **NOTE:** Mozna by stalo za uvahu jenom hodit war do tomcatu, at tam zbytecne nejede 2x JVM. Ale bacha, tomcat je videt z internetu, my chceme nexus jenom na vpn. |
| |
| :!::!::!::!::!::!::!::!::!::!: |
| |
| useradd --system --shell /bin/bash --home-dir /var/lib/nexus -m nexus |
| wget http://www.sonatype.org/downloads/nexus-latest-bundle.tar.gz |
| tar xzf nexus-latest-bundle.tar.gz -C /opt |
| ln -nfsv /opt/nexus-2.7.0-05 /opt/nexus |
| mkdir /var/run/nexus |
| chown nexus:nexus /var/run/nexus |
| mkdir /var/lib/nexus/{logs,tmp} |
| chown nexus:nexus /var/lib/nexus/{logs,tmp} |
| rm -rfv /opt/nexus/{logs,tmp} |
| ln -fsv /var/lib/nexus/logs /opt/nexus |
| ln -fsv /var/lib/nexus/tmp /opt/nexus |
| cp /opt/nexus/bin/nexus /etc/init.d |
| chmod ugo+x /etc/init.d/nexus |
| update-rc.d nexus defaults |
| |
| |
| **/etc/init.d/nexus** |
| |
| NEXUS_HOME="/opt/nexus" |
| #JAVA_HOME="/opt/jdk-7" |
| RUN_AS_USER="nexus" |
| PIDDIR="/var/lib/nexus" # musi byt writeable uzivatelem nexus |
| |
| |
| |
| |
| **/opt/nexus/conf/nexus.properties** |
| |
| application-port=8083 |
| nexus-work=/var/lib/nexus |
| |
| |
| |
| |
| **/opt/nexus/bin/jsw/conf/wrapper.conf** |
| |
| wrapper.java.maxmemory=80 |
| |
| |
| |
| |
| Zbytek viz. [[http:// | http://books.sonatype.com/nexus-book/reference/install-sect-repoman-post-install.html]] |
| |
location / { | |
proxy_pass <a href="http://redmine" target="_blank">http://redmine</a>; | |
} | |
}</div></div></div><br></div></div><div title="7. nexus (maven repository)"><div><div><div><h2 style="clear:both"><a></a>7. nexus (maven repository)</h2></div></div></div><div title="Note" style="margin-left:0.5in;margin-right:0.5in"><h3>Note</h3><p>Mozna by stalo za uvahu jenom hodit war do tomcatu, at tam | |
zbytecne nejede 2x JVM.</p></div><div>useradd --system --shell /bin/bash --home-dir /var/lib/nexus -m nexus | |
wget <a href="http://www.sonatype.org/downloads/nexus-latest-bundle.tar.gz" target="_blank">http://www.sonatype.org/<WBR>downloads/nexus-latest-bundle.<WBR>tar.gz</a> | |
tar xzf nexus-latest-bundle.tar.gz -C /opt | |
ln -nfsv /opt/nexus-2.7.0-05 /opt/nexus | |
mkdir /var/run/nexus | |
chown nexus:nexus /var/run/nexus | |
mkdir /var/lib/nexus/{logs,tmp} | |
chown nexus:nexus /var/lib/nexus/{logs,tmp} | |
rm -rfv /opt/nexus/{logs,tmp} | |
ln -fsv /var/lib/nexus/logs /opt/nexus | |
ln -fsv /var/lib/nexus/tmp /opt/nexus | |
cp /opt/nexus/bin/nexus /etc/init.d | |
chmod ugo+x /etc/init.d/nexus | |
update-rc.d nexus defaults</div><div><a></a><div>Example 27. /etc/init.d/nexus</div><div><div>NEXUS_HOME="/opt/nexus" | |
#JAVA_HOME="/opt/jdk-7" | |
RUN_AS_USER="nexus" | |
PIDDIR="/var/lib/nexus" # musi byt writeable uzivatelem nexus</div></div></div><br><div><a></a><div>Example 28. /opt/nexus/conf/<WBR>nexus.properties</div><div><div>application-port=8083 | |
nexus-work=/var/lib/nexus</div></div></div><br><div><a></a><div>Example 29. /opt/nexus/bin/<WBR>jsw/conf/wrapper.conf</div><div><div>wrapper.java.maxmemory=80</div></div></div><br><p>Zbytek viz. <a href="#0.1_">http://books.sonatype.com/<WBR>nexus-book/reference/install-<WBR>sect-repoman-post-install.html</a></p></div></div></div> | |
</body></html> | |