| Next revision | Previous revision |
| navody:uzivatele:stepan_schejbal [2015/04/06 21:41]  – created by admin | navody:uzivatele:stepan_schejbal [2015/04/08 06:52] (current)  –  stepanschebal |
|---|
| <html><head><META http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body> | ====== vps====== | 
|  |  | 
| <div><div title="vps"><div><div><div><h2><a></a>vps</h2></div></div><hr></div><div><div>Table of Contents</div><dl><dt><span><a href="#0.1_idp656">1. Info</a></span></dt><dt><span><a href="#0.1_idp42944">2. Basics</a></span></dt><dd><dl><dt><span><a href="#0.1_idp43584">2.1. System update</a></span></dt><dt><span><a href="#0.1_idp44864">2.2. Basic packages and settings</a></span></dt><dt><span><a href="#0.1_idp51728">2.3. Firewall</a></span></dt><dt><span><a href="#0.1_idp67296">2.4. OpenVPN</a></span></dt><dt><span><a href="#0.1_idp90288">2.5. sendmail interface for the SMTP server</a></span></dt></dl></dd><dt><span><a href="#0.1_idp100384">3. web server</a></span></dt><dd><dl><dt><span><a href="#0.1_idp101056">3.1. Nginx</a></span></dt><dt><span><a href="#0.1_idp108528">3.2. Tomcat</a></span></dt><dt><span><a href="#0.1_idp33040">3.3. Apache + PHP</a></span></dt></dl></dd><dt><span><a href="#0.1_idp37024">4. Git</a></span></dt><dt><span><a href="#0.1_idp139840">5. Mysql</a></span></dt><dt><span><a href="#0.1_idp142304">6. Redmine</a></span></dt><dd><dl><dt><span><a href="#0.1_idp156304">6.1. Passenger in nginx</a></span></dt><dt><span><a href="#0.1_idp160720">6.2. Thin in nginx (a primitive alternative to Passenger)</a></span></dt></dl></dd><dt><span><a href="#0.1_idp168544">7. nexus (maven repository)</a></span></dt></dl></div><div title="1. Info"><div><div><div><h2 style="clear:both"><a></a>1. Info</h2></div></div></div><p>The installed system is <span><strong>debian 7 | =====Info===== |
| (wheezy)</strong></span>. I originally tried debian 6, but shorewall |  |
| didn't work in it. Then it ran on arch linux, but that isn't very well |  |
| supported by vpsfree and it also has rolling updates, so they include really big changes |  |
| (glibc upgrade, the init system etc.), which can easily screw everything up to |  |
| the point where it has to be completely reinstalled.</p></div><div title="2. Basics"><div><div><div><h2 style="clear:both"><a></a>2. Basics</h2></div></div></div><div title="2.1. System update"><div><div><div><h3><a></a>2.1. System update</h3></div></div></div><div>apt-get update        # fetches info about the current versions |  |
| apt-get upgrade       # upgrades packages to the newest versions</div></div><div title="2.2. Basic packages and settings"><div><div><div><h3><a></a>2.2. Basic packages and settings</h3></div></div></div><div>apt-get install rsyslog man bzip2 wget sudo htop cron-apt |  |
|  |  | 
| # Oracle Java: | The server runs public services (web for java applications) and private services over vpn (ssh, redmine, git, maven repository). Security is built on the firewall, which blocks everything except the public services and the vpn. |
| # java-package 0.50+ is needed for server-jre support; this is better than enabling the backports repository |  |
| wget <a href="http://ftp.cz.debian.org/debian/pool/contrib/j/java-package/java-package_0.53~bpo70+1_all.deb" target="_blank">http://ftp.cz.debian.org/debian/pool/contrib/j/java-package/java-package_0.53~bpo70+1_all.deb</a> |  |
| dpkg -i java-package_0.53~bpo70+1_all.deb |  |
| wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \ |  |
| <a href="http://download.oracle.com/otn-pub/java/jdk/7u55-b13/server-jre-7u55-linux-x64.tar.gz" target="_blank">http://download.oracle.com/otn-pub/java/jdk/7u55-b13/server-jre-7u55-linux-x64.tar.gz</a> |  |
| make-jpkg server-jre-7u55-linux-x64.tar.gz |  |
| dpkg -i oracle-java7-jre_7u55_amd64.deb</div><div><a></a><div>Example 1. /etc/ssh/sshd_config</div><div><p>Copy the login key, e.g. ssh-copy-id |  |
| <a href="mailto:root@example.com" target="_blank">root@example.com</a>, check that it works, then disable login with |  |
| a password:</p><div>PasswordAuthentication no</div></div></div><br><div><a></a><div>Example 2. /etc/vim/vimrc</div><div><div>set mouse-=a |  |
| colorscheme elflord |  | 
| syntax on</div></div></div><br><div><a></a><div>Example 3. /etc/cron-apt/config</div><div><div>MAILON="upgrade" |  |
| MAILTO="<span><strong><a href="mailto:user@example.com" target="_blank">user@example.com</a></strong></span>"</div></div></div><br></div><div title="2.3. Firewall"><div><div><div><h3><a></a>2.3. Firewall</h3></div></div></div><p>The firewall is configured using the |  |
| <code>shorewall</code> package; for details see <a href="#0.1_">http://shorewall.net/standalone.htm</a>, <a href="#0.1_">https://wiki.debian.org/HowTo/shorewall</a>.</p><div>apt-get install shorewall |  |
| cd /etc/shorewall |  |
| # the directory should be empty except for shorewall.conf</div><div><a></a><div>Example 4. /etc/shorewall/zones</div><div><p>Zone setup ($FW in the other files is automatically |  |
| replaced by "fw").</p><div>#ZONE   TYPE            OPTIONS         IN                      OUT |  |
| #                                       OPTIONS                 OPTIONS |  | 
| fw      firewall |  | 
| net     ipv4 |  | 
| vpn     ipv4</div></div></div><br><div><a></a><div>Example 5. /etc/shorewall/policy</div><div><p>These are the default actions (evaluated in the given |  |
| order!).</p><div>#SOURCE         DEST            POLICY          LOG     LIMIT:    CONNLIMIT: |  |
| #                                               LEVEL   BURST           MASK |  | 
|  |  | 
| # allow connections "from the server to the internet" | The installed system is **debian 7 (wheezy)**. I originally tried debian 6, but shorewall didn't work in it. Then it ran on arch linux, but that isn't very well supported by vpsfree and it also has rolling updates, so they include really big changes (glibc upgrade, the init system etc.), which can easily screw everything up to the point where it has to be completely reinstalled. |
| $FW             net             ACCEPT |  | 
|  |  | 
| # drop everything "from the internet to the server" |  |
| net             all             DROP            info |  | 
|  |  | 
| # reject everything "from the vpn to the internet" (so vpn clients don't browse through the server) | =====Basics===== |
| vpn             net             REJECT          info |  | 
|  |  | 
| # allow everything else "from the vpn" |  |
| vpn             all             ACCEPT |  | 
|  |  | 
| # The FOLLOWING POLICY MUST BE LAST | ====System update==== |
| all             all             REJECT          info</div></div></div><br><div><a></a><div>Example 6. /etc/shorewall/interfaces</div><div><div>FORMAT 2 |  |
| ############################################################################### |  |
| #ZONE           INTERFACE               OPTIONS |  | 
| net             venet0                  tcpflags,logmartians,nosmurfs |  | 
| vpn             tun0</div></div></div><br><div><a></a><div>Example 7. /etc/shorewall/rules</div><div><div>#ACTION   SOURCE            DEST         PROTO  DEST    SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME    HEADERS     SWITCH |  |
| #                                               PORT    PORT(S)   DEST       LIMIT   GROUP |  | 
| #SECTION ALL |  | 
| #SECTION ESTABLISHED |  | 
| #SECTION RELATED |  | 
| SECTION NEW |  | 
|  |  | 
| # allowing the SSH service for clients from the internet (DON'T, in an emergency you can connect to the terminal via the VPS administration) | apt-get update        # fetches info about the current versions |
| # - for everyone | apt-get upgrade       # upgrades packages to the newest versions |
| #ACCEPT    net               $FW          tcp    ssh |  | 
| # - for a specific IP address |  |
| #ACCEPT    net:78.80.8.27    $FW          tcp    ssh |  |
| # - for a group of IP addresses (subnet) |  |
| #ACCEPT    net:81.25.21.0/24 $FW          tcp    ssh |  |
|  |  | 
| # OpenVPN |  | 
| ACCEPT    net               $FW          udp    1194 |  | 
| ACCEPT    $FW               net          udp    -       1194 |  | 
|  |  | 
| # WEB |  | 
| ACCEPT    all               all          tcp    80 |  | 
| ACCEPT    all               all          tcp    443</div></div></div><br><div><a></a><div>Example 8. /etc/shorewall/shorewall.conf</div><div><div>STARTUP_ENABLED=Yes</div></div></div><br><div><a></a><div>Example 9. /etc/default/shorewall</div><div><div>startup=1</div></div></div><br><p>A few useful commands:</p><div>/etc/init.d/shorewall start\|stop\|restart\|... |  |
| shorewall status |  | 
| shorewall show |  | 
| shorewall safe-start |  |
| shorewall safe-restart</div></div><div title="2.4. OpenVPN"><div><div><div><h3><a></a>2.4. OpenVPN</h3></div></div></div><div>apt-get install openvpn |  | 
| cp -a /usr/share/openvpn/easy-rsa /etc/openvpn |  | 
| cd /etc/openvpn/easy-rsa</div><div><a></a><div>Example 10. /etc/openvpn/easy-rsa/vars</div><div><div>export KEY_SIZE=2048 |  |
| export KEY_COUNTRY="<span><strong>CZ</strong></span>" |  | 
| export KEY_PROVINCE="<span><strong>Czech Republic</strong></span>" |  | 
| export KEY_CITY="<span><strong>Prague</strong></span>" |  | 
| export KEY_ORG="<span><strong>MOJE FIRMA s.r.o.</strong></span>" |  | 
| export KEY_EMAIL="<span><strong><a href="mailto:support@example.com" target="_blank">support@example.com</a></strong></span>" |  |
| export KEY_OU=""</div></div></div><br><div>source vars |  | 
| ./clean-all |  | 
| ./build-ca   # enter e.g. openvpn-ca as the Common Name/Name |  |
| ./build-key-server <span><strong>mujserver</strong></span> |  | 
| ./build-key <span><strong>tonda</strong></span>   # or build-key-pass to password-protect the private keys |  |
| ./build-key <span><strong>cenda</strong></span> |  | 
| ... |  | 
| ./build-dh |  | 
| cd keys |  | 
| openvpn --genkey --secret ta.key |  | 
| cp {ca.crt,dh2048.pem,ta.key,inter.{crt,key}} /etc/openvpn |  |
| chmod 600 /etc/openvpn/{ta.key,inter.key}</div><div><a></a><div>Example 11. /etc/openvpn/server.conf</div><div><div>dev tun |  |
| port 1194 |  | 
| ;proto tcp |  | 
| proto udp |  | 
| # VPN subnet - pick something random from <a href="http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces" target="_blank">http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces</a> |  |
| # definitely not 10.0.0.0, 10.1.1.0, 192.168.0.0, 192.168.1.0 - most "home" networks use those |  |
| server <span><strong>10.134.75</strong></span>.0 255.255.255.0 |  | 
| ifconfig-pool-persist ipp.txt |  | 
| ca ca.crt |  | 
| crl-verify crl.pem   # see certificate revocation |  |
| cert inter.crt |  | 
| key inter.key |  | 
| dh dh2048.pem |  | 
| tls-auth ta.key 0 |  | 
| cipher AES-256-CBC |  | 
| comp-lzo yes</div></div></div><br><div><a></a><div>Example 12. client.conf</div><div><div>dev tun |  | 
| port 1194 |  | 
| proto udp |  | 
| client |  | 
| remote <span><strong><a href="http://mujserver.example.com" target="_blank">mujserver.example.com</a></strong></span> |  | 
| ca ca.crt |  | 
| cert <span><strong>tonda.crt</strong></span> |  | 
| key <span><strong>tonda.key</strong></span> |  | 
| tls-auth ta.key 1 |  | 
| remote-cert-tls server |  | 
| cipher AES-256-CBC |  | 
| comp-lzo yes</div></div></div><br><p>Now all that's left is to send each client |  |
| <code>client.conf</code>, <code>ta.key</code> and |  |
| the matching <code>crt</code> and <code>key</code> file. |  |
| <span><strong>It is recommended to move |  |
| <code>ca.key</code> to offline storage and delete the |  |
| <code>key</code> files of all clients.</strong></span></p><div># assumes sendmail is set up (later in this guide) |  |
| cd keys |  | 
| key="<span><strong>tonda</strong></span>" email="<span><strong><a href="mailto:tonda@example.com" target="_blank">tonda@example.com</a></strong></span>" |  | 
| zippwd=$(dd if=/dev/urandom bs=1 count=10 2>/dev/null | base64 | head -c 8) |  | 
| rm -v $key.7z; 7z a -p $zippwd ca.crt $key.{crt,key} ta.key && mailx -s "openvpn keys" -a $key.7z $email <<<"heslo k archivu dodam"; rm -v $key.7z |  | 
| echo "heslo na rozbaleni $key.7z: $zippwd"</div><div title="2.4.1. Certificate revocation"><div><div><div><h4><a></a>2.4.1. Certificate revocation</h4></div></div></div><div>cd /etc/openvpn/easy-rsa |  |
| source vars |  | 
| ./revoke-full <span><strong>jmeno_certifikátu</strong></span> |  | 
| cp -v crl.pem /etc/openvpn</div></div></div><div title="2.5. sendmail interface for the SMTP server"><div><div><div><h3><a></a>2.5. sendmail interface for the SMTP server</h3></div></div></div><p>Some components (e.g. redmine) need to send emails through the |  |
| sendmail interface (e.g. their SMTP client doesn't work with the SMTP |  |
| server for some reason). So a better SMTP client that supports the |  |
| sendmail interface can be installed. For details see <a href="#0.1_">http://msmtp.sourceforge.net/doc/msmtp.html</a>.</p><div>apt-get purge exim4-config exim4 exim4-base exim4-daemon-light |  |
| apt-get install msmtp-mta |  | 
| ls -l /usr/sbin/sendmail |  | 
| # must point to /usr/msmtp</div><div><a></a><div>Example 13. /etc/msmtprc</div><div><div># Accounts will inherit settings from this section |  |
| defaults |  | 
| auth             on |  | 
| tls              on |  | 
| tls_certcheck    off |  | 
| #tls_trust_file   /usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt |  |
|  |  | 
| account        <span><strong>blackhole</strong></span> | ====Basic packages and settings==== |
| host           <span><strong><a href="http://smtp.example.com" target="_blank">smtp.example.com</a></strong></span> |  | 
| port           <span><strong>465</strong></span> |  | 
| from           <span><strong><a href="mailto:blackhole@example.com" target="_blank">blackhole@example.com</a></strong></span> |  | 
| user           <span><strong><a href="mailto:blackhole@example.com" target="_blank">blackhole@example.com</a></strong></span> |  | 
| password       <span><strong>my_password</strong></span> |  | 
| tls_starttls   <span><strong>off</strong></span> |  | 
|  |  | 
| account default : <span><strong>blackhole</strong></span></div></div></div><br></div></div><div title="3. web server"><div><div><div><h2 style="clear:both"><a></a>3. web server</h2></div></div></div><div title="3.1. Nginx"><div><div><div><h3><a></a>3.1. Nginx</h3></div></div></div><p>Among other things, Nginx makes it possible to run several different web servers on | apt-get install rsyslog man bzip2 wget sudo htop cron-apt |
| the same port (e.g. tomcat for java web applications + apache for php + |  |
| passenger for ruby applications).</p><p>Because we need <span><em>passenger</em></span> for | # Oracle Java: |
| <span><em>ruby</em></span> applications (e.g. <span><em>redmine</em></span>), | # java-package 0.50+ is needed for server-jre support; this is better than enabling the backports repository |
| it can't be installed from the debian packages.</p><div>apt-key adv --keyserver <a href="http://keyserver.ubuntu.com" target="_blank">keyserver.ubuntu.com</a> --recv-keys 561F9B9CAC40B2F7 | wget http://ftp.cz.debian.org/debian/pool/contrib/j/java-package/java-package_0.53~bpo70+1_all.deb |
| apt-get install apt-transport-https ca-certificates | dpkg -i java-package_0.53~bpo70+1_all.deb | 
| echo "deb <a href="https://oss-binaries.phusionpassenger.com/apt/passenger" target="_blank">https://oss-binaries.phusionpassenger.com/apt/passenger</a> wheezy main" > /etc/apt/sources.list.d/passenger.list | wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \ |
| chmod 600 /etc/apt/sources.list.d/passenger.list | http://download.oracle.com/otn-pub/java/jdk/7u55-b13/server-jre-7u55-linux-x64.tar.gz |
| apt-get update | make-jpkg server-jre-7u55-linux-x64.tar.gz | 
| apt-get install nginx-extras passenger</div><p>If SSL is going to be used, a certificate needs to be | dpkg -i oracle-java7-jre_7u55_amd64.deb |
| generated:</p><div>openssl req -new -x509 -nodes -out /etc/nginx/server.crt -keyout /etc/nginx/server.key</div><div><a></a><div>Example 14. /etc/nginx/conf/nginx.conf</div><div><div>#user  nobody; |  |
| worker_processes  1; |  | 
|  |  | 
| error_log  /var/log/nginx/error.log; |  | 
| pid /var/run/nginx.pid; |  | 
|  |  | 
| #error_log  logs/error.log  notice; | **/etc/ssh/sshd_config** | 
| #error_log  logs/error.log  info; |  | 
|  |  | 
| #pid        logs/nginx.pid; | Copy the login key, e.g. ssh-copy-id root@example.com, check that it works, then disable login with a password: |
|  |  | 
|  | PasswordAuthentication no | 
|  |  | 
| events { |  | 
| worker_connections  128; # maximum number of connections - <a href="http://wiki.nginx.org/EventsModule#worker_connections" target="_blank">http://wiki.nginx.org/EventsModule#worker_connections</a> |  |
| } |  | 
|  |  | 
|  |  | 
| http { |  | 
| passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini; |  |
| passenger_ruby /usr/bin/ruby; |  | 
|  |  | 
| include       mime.types; | **/etc/vim/vimrc** | 
| default_type  application/octet-stream; |  | 
|  |  | 
| #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ' | set mouse-=a | 
| #                  '$status $body_bytes_sent "$http_referer" ' | colorscheme elflord | 
| #                  '"$http_user_agent" "$http_x_forwarded_for"'; | syntax on | 
|  |  | 
| #access_log  logs/access.log  main; |  | 
|  |  | 
| sendfile        on; |  | 
| #tcp_nopush     on; |  | 
|  |  | 
| #keepalive_timeout  0; |  | 
| keepalive_timeout  65; |  | 
|  |  | 
| #gzip  on; | **/etc/cron-apt/config** | 
|  |  | 
| ssl_certificate server.crt; | MAILON="upgrade" | 
| ssl_certificate_key server.key; | MAILTO="user@example.com" | 
|  |  | 
| proxy_set_header X-Real-IP $remote_addr; |  | 
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |  | 
| proxy_set_header Host $http_host; |  | 
| }</div></div></div><br></div><div title="3.2. Tomcat"><div><div><div><h3><a></a>3.2. Tomcat</h3></div></div></div><p>The web server is tomcat 7, because we want to run simple |  |
| java web applications in it (i.e. we need something in java, but we don't need |  |
| a super-duper application server).</p><div>apt-get install tomcat7</div><div><a></a><div>Example 15. conf/server.xml</div><div><div><Server port="8005" shutdown="SHUTDOWN"> |  |
| <Service name="Catalina"> |  | 
| <Connector port="<span><strong>8081</strong></span>" protocol="org.apache.coyote.http11.Http11NioProtocol" |  |
| connectionTimeout="20000" |  | 
| redirectPort="<span><strong>443</strong></span>" |  | 
| minSpareThreads="2" maxThreads="10" /> |  | 
| <Engine name="Catalina" defaultHost="<span><strong><a href="http://www.example.com" target="_blank">www.example.com</a></strong></span>"> |  | 
| <Host name="<span><strong><a href="http://www.example.com" target="_blank">www.example.com</a></strong></span>"  appBase="<span><strong>webapps-moje</strong></span>" |  | 
| unpackWARs="true" autoDeploy="true"> |  | 
| <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" |  |
| prefix="access_log." suffix=".log" |  | 
| pattern="%h %l %u %t &quot;%r&quot; %s %b" /> |  | 
| </Host> |  | 
| </Engine> |  | 
| </Service> |  | 
| </Server></div><p><code>appBase</code> is changed because a tomcat upgrade |  |
| could overwrite the applications in |  |
| <code>/var/lib/tomcat7/webapps</code> (at least some |  |
| distributions did that).</p></div></div><br><div><a></a><div>Example 16. /etc/default/tomcat7</div><div><div>JAVA_HOME=/usr/lib/jvm/jre-7-oracle-x64 |  |
| CATALINA_OPTS="-Djava.awt.headless=true -Xmx80m -XX:+UseConcMarkSweepGC" |  |
| # enable for remote management (e.g. jconsole or jvisualvm) |  |
| #JAVA_OPTS="${JAVA_OPTS} -Djava.rmi.server.hostname=<span><strong><a href="http://mujserver.example.com" target="_blank">mujserver.example.com</a></strong></span> -Djava.net.preferIPv4Stack=true -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=5000 -Dcom.sun.management.jmxremote.authenticate=false"</div></div></div><br><p>Configure nginx to forward requests to tomcat:</p><div><a></a><div>Example 17. /etc/nginx/conf/nginx.conf</div><div><div>    server { |  |
| # JAVA web server - e.g. Tomcat |  |
| listen *:80 default_server; |  | 
| listen *:443 ssl; |  | 
|  |  | 
| proxy_set_header X-Real-IP $remote_addr; |  | 
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |  | 
| proxy_set_header Host $http_host; |  | 
|  |  | 
| location / { |  | 
| proxy_pass  <a href="http://127.0.0.1:8081" target="_blank">http://127.0.0.1:8081</a>; |  | 
| } |  | 
| }</div></div></div><br></div><div title="3.3. Apache + PHP"><div><div><div><h3><a></a>3.3. Apache + PHP</h3></div></div></div><p>For PHP experiments:</p><div><a></a><div>Example 18. /etc/nginx/conf/nginx.conf</div><div><div>    server { |  |
| # PHP + phpmyadmin |  | 
| listen *:80; |  | 
| listen *:443 ssl; |  | 
| server_name <span><strong><a href="http://php.example.com" target="_blank">php.example.com</a></strong></span>; # this is another DNS name for the public address of the vps server |  |
|  |  | 
| proxy_set_header X-Real-IP $remote_addr; |  | 
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |  | 
| proxy_set_header Host $http_host; |  | 
|  |  | 
| location / { | ====Firewall==== | 
| proxy_pass  <a href="http://127.0.0.1:8082" target="_blank">http://127.0.0.1:8082</a>; |  | 
| } |  | 
|  |  | 
| # PHPmyadmin only over SSL | The firewall is configured using the //shorewall// package; for details see [[http://shorewall.net/standalone.htm]], [[https://wiki.debian.org/HowTo/shorewall]]. |
| location /phpmyadmin { |  | 
| if ($scheme = "http") { |  | 
| rewrite ^ https://$http_host$request_uri permanent; |  | 
| } |  | 
| if ($scheme = "https") { |  | 
| proxy_pass  <a href="http://127.0.0.1:8082" target="_blank">http://127.0.0.1:8082</a>; |  | 
| } |  | 
| } |  | 
| }</div></div></div><br></div></div><div title="4. Git"><div><div><div><h2 style="clear:both"><a></a>4. Git</h2></div></div></div><p>Access to the git repositories is managed by |  |
| <span><em>gitolite</em></span>.</p><div># copy the git admin's id_rsa.pub to /root/spravcegitu.pub |  |
| apt-get install gitolite |  | 
| dpkg-reconfigure gitolite |  | 
| # change the user to <span><strong>git</strong></span></div><div><a></a><div>Example 19. /var/lib/gitolite/.gitolite.rc</div><div><div>$REPO_UMASK = 0027; # sets files g+rx so that e.g. redmine can access them</div></div></div><br><div><a></a><div>Example 20. /etc/ssh/sshd_config</div><div><p>Password authentication is disabled (everything runs only via |  |
| certificates):</p><div>Match User git |  |
| PasswordAuthentication no</div></div></div><br></div><div title="5. Mysql"><div><div><div><h2 style="clear:both"><a></a>5. Mysql</h2></div></div></div><p>Mysql is needed e.g. for redmine (see below). More at <a href="#0.1_">https://wiki.archlinux.org/index.php/MySQL</a>.</p><div>apt-get install mysql-server |  |
| mysql_secure_installation</div></div><div title="6. Redmine"><div><div><div><h2 style="clear:both"><a></a>6. Redmine</h2></div></div></div><p>For details see <a href="#0.1_">http://www.redmine.org/projects/redmine/wiki/RedmineInstall</a>.</p><div>apt-get install ruby ruby-dev make imagemagick libmagickcore-dev libmagickwand-dev libmysqlclient-dev |  |
| cd |  | 
| VER=2.5.1 |  | 
| wget <a href="http://www.redmine.org/releases/redmine-$VER.tar.gz" target="_blank">http://www.redmine.org/releases/redmine-$VER.tar.gz</a> |  |
| tar xzf redmine-$VER.tar.gz -C /opt |  | 
| chown -R root:root /opt/redmine-$VER</div><div>mysql -p    # asks for the password (see the mysql installation) |  |
| create database redmine character set utf8; |  | 
| create user 'redmine'@'localhost' identified by '<span><strong>my_password</strong></span>'; |  | 
| grant all privileges on redmine.* to 'redmine'@'localhost';</div><div><a></a><div>Example 21. config/database.yml</div><div><div>production: |  |
| adapter: mysql2 |  | 
| database: redmine |  | 
| host: localhost |  | 
| username: redmine |  | 
| password: <span><strong>my_password</strong></span> |  | 
| encoding: utf8</div></div></div><br><div><a></a><div>Example 22. config/configuration.yml</div><div><div>production: |  |
| email_delivery: |  |
| delivery_method: :sendmail</div></div></div><br><p>This has to be done only after |  |
| <code>config/database.yml</code>, so that it loads all the required |  |
| add-ons (mainly the ones for database access).</p><div>cd /opt/redmine-$VER |  |
| gem install --no-user-install bundler |  | 
| bundle install --system --without development test postgresql sqlite |  | 
| rake generate_secret_token |  | 
| useradd -m --home-dir /var/lib/redmine-$VER --shell /bin/bash --system redmine |  | 
| usermod -a -G git redmine |  | 
| mkdir -p /var/lib/redmine-$VER/{tmp,public/plugin_assets} |  |
| tar c files log tmp public/plugin_assets | tar xv -C /var/lib/redmine-$VER |  | 
| for i in files log tmp public/plugin_assets; do rm -Rf $i; ln -nfs /var/lib/redmine-$VER/$i $i; done |  | 
| chown -R redmine:redmine /var/lib/redmine-$VER |  | 
| chmod -R ugo+r /var/lib/redmine-$VER</div><p>Copy the data over from the old server:</p><div><span><strong># somehow get the data from <code>files</code> into <code>/var/lib/redmine-1.4/files</code></strong></span> |  |
| mysql -u redmine -p redmine < dump_redmine_default_2012-05-28.sql \| tee restore.log |  |
| RAILS_ENV=production rake db:migrate</div><div title="Note" style="margin-left:0.5in;margin-right:0.5in"><h3>Note</h3><p>A new database can be created with:</p><div>RAILS_ENV=production rake db:migrate |  |
| RAILS_ENV=production rake redmine:load_default_data</div></div><p>The installation can be tested by starting a simple web server (look |  |
| at the projects and check whether git integration and sending |  |
| emails work):</p><div>su - -s /bin/bash redmine |  |
| ruby script/rails server webrick -e production</div><div title="6.1. Passenger in nginx"><div><div><div><h3><a></a>6.1. Passenger in nginx</h3></div></div></div><p>For details see <a href="#0.1_">http://www.modrails.com/documentation/Users%20guide%20Nginx.html#install_on_debian_ubuntu</a>.</p><div>apt-get install ruby-passenger</div><div><a></a><div>Example 23. /etc/nginx/conf/nginx.conf</div><div><div>http { |  |
| # NOTE: passenger must be enabled (see the nginx installation) |  |
|  |  | 
| server { | apt-get install shorewall | 
| listen 8080 default_server; | cd /etc/shorewall | 
| root /opt/redmine-2.5.1/public; | # the directory should be empty except for shorewall.conf |
| passenger_enabled on; |  | 
| # by default the current owner/group of the <code>config/environment.rb</code> file is used |  |
| passenger_user redmine; | **/etc/shorewall/zones** | 
| passenger_group redmine; |  | 
| client_max_body_size 100M; # some uploads to redmine will be larger than the default limit | Zone setup ($FW in the other files is automatically replaced by "fw"). |
|  |  | 
|  | #ZONE   TYPE            OPTIONS         IN                      OUT | 
|  | #                                       OPTIONS                 OPTIONS | 
|  | fw      firewall | 
|  | net     ipv4 | 
|  | vpn     ipv4 | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | **/etc/shorewall/policy** | 
|  |  | 
|  | These are the default actions (evaluated in the given order!). |
|  |  | 
|  | #SOURCE         DEST            POLICY          LOG     LIMIT:    CONNLIMIT: | 
|  | #                                               LEVEL   BURST           MASK | 
|  |  | 
|  | # allow connections "from the server to the internet" |
|  | $FW             net             ACCEPT | 
|  |  | 
|  | # drop everything "from the internet to the server" |
|  | net             all             DROP            info | 
|  |  | 
|  | # reject everything "from the vpn to the internet" (so vpn clients don't browse through the server) |
|  | vpn             net             REJECT          info | 
|  |  | 
|  | # allow everything else "from the vpn" |
|  | vpn             all             ACCEPT | 
|  |  | 
|  | # The FOLLOWING POLICY MUST BE LAST | 
|  | all             all             REJECT          info | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | **/etc/shorewall/interfaces** | 
|  |  | 
|  | FORMAT 2 | 
|  | ############################################################################### | 
|  | #ZONE           INTERFACE               OPTIONS | 
|  | net             venet0                  tcpflags,logmartians,nosmurfs | 
|  | vpn             tun0 | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | **/etc/shorewall/rules** |
|  |  | 
|  | #ACTION   SOURCE            DEST         PROTO  DEST    SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME    HEADERS     SWITCH | 
|  | #                                               PORT    PORT(S)   DEST       LIMIT   GROUP | 
|  | #SECTION ALL | 
|  | #SECTION ESTABLISHED | 
|  | #SECTION RELATED | 
|  | SECTION NEW | 
|  |  | 
|  | # allowing the SSH service for clients from the internet (DON'T, in an emergency you can connect to the terminal via the VPS administration) |
|  | # - for everyone |
|  | #ACCEPT    net               $FW          tcp    ssh |
|  | # - for a specific IP address |
|  | #ACCEPT    net:78.80.8.27    $FW          tcp    ssh |
|  | # - for a group of IP addresses (subnet) |
|  | #ACCEPT    net:81.25.21.0/24 $FW          tcp    ssh | 
|  |  | 
|  | # OpenVPN | 
|  | ACCEPT    net               $FW          udp    1194 | 
|  | ACCEPT    $FW               net          udp    -       1194 | 
|  |  | 
|  | # WEB | 
|  | ACCEPT    all               all          tcp    80 | 
|  | ACCEPT    all               all          tcp    443 | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | **/etc/shorewall/shorewall.conf** | 
|  |  | 
|  | STARTUP_ENABLED=Yes | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | **/etc/default/shorewall** | 
|  |  | 
|  | startup=1 | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | A few useful commands: |
|  |  |
|  | /etc/init.d/shorewall start\|stop\|restart\|... |
|  | shorewall status |
|  | shorewall show |
|  | shorewall safe-start |
|  | shorewall safe-restart |
|  |  | 
|  |  | 
|  |  | 
|  | ====OpenVPN==== | 
|  |  | 
|  | apt-get install openvpn | 
|  | cp -a /usr/share/openvpn/easy-rsa /etc/openvpn | 
|  | cd /etc/openvpn/easy-rsa | 
|  |  | 
|  |  | 
|  | **/etc/openvpn/easy-rsa/vars** | 
|  |  | 
|  | export KEY_SIZE=2048 | 
|  | export KEY_COUNTRY="CZ" | 
|  | export KEY_PROVINCE="Czech Republic" | 
|  | export KEY_CITY="Prague" | 
|  | export KEY_ORG="MOJE FIRMA s.r.o." | 
|  | export KEY_EMAIL="support@example.com" | 
|  | export KEY_OU="" | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | source vars | 
|  | ./clean-all | 
|  | ./build-ca   # enter e.g. openvpn-ca as the Common Name/Name |
|  | ./build-key-server mujserver | 
|  | ./build-key tonda   # or build-key-pass to password-protect the private keys |
|  | ./build-key cenda | 
|  | ... | 
|  | ./build-dh | 
|  | cd keys | 
|  | openvpn --genkey --secret ta.key | 
|  | cp {ca.crt,dh2048.pem,ta.key,inter.{crt,key}} /etc/openvpn | 
|  | chmod 600 /etc/openvpn/{ta.key,inter.key} | 
|  |  | 
|  |  | 
|  | **/etc/openvpn/server.conf** | 
|  |  | 
|  | dev tun | 
|  | port 1194 | 
|  | ;proto tcp | 
|  | proto udp | 
|  | # VPN subnet - pick something random from http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces |
|  | # definitely not 10.0.0.0, 10.1.1.0, 192.168.0.0, 192.168.1.0 - most "home" networks use those |
|  | server 10.134.75.0 255.255.255.0 | 
|  | ifconfig-pool-persist ipp.txt | 
|  | ca ca.crt | 
|  | crl-verify crl.pem   # see certificate revocation |
|  | cert inter.crt | 
|  | key inter.key | 
|  | dh dh2048.pem | 
|  | tls-auth ta.key 0 | 
|  | cipher AES-256-CBC | 
|  | comp-lzo yes | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | **client.conf** | 
|  |  | 
|  | dev tun | 
|  | port 1194 | 
|  | proto udp | 
|  | client | 
|  | remote mujserver.example.com | 
|  | ca ca.crt | 
|  | cert tonda.crt | 
|  | key tonda.key | 
|  | tls-auth ta.key 1 | 
|  | remote-cert-tls server | 
|  | cipher AES-256-CBC | 
|  | comp-lzo yes | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | Now all that is left is to send each client ''client.conf'', ''ta.key'' and the matching ''crt'' and ''key'' files. **It is recommended to move ''ca.key'' to offline storage and to delete the ''key'' files of all clients from the server once they have been delivered.** | 
|  |  | 
|  | # assumes sendmail is set up (see further down) and heirloom-mailx, where -a attaches a file | 
|  | cd keys | 
|  | key="tonda" email="tonda@example.com" | 
|  | zippwd=$(dd if=/dev/urandom bs=1 count=10 2>/dev/null | base64 | head -c 8) | 
|  | # 7z wants the password glued to -p (a bare -p prompts for it), -mhe=on also encrypts the file names; note the password is visible in "ps" while 7z runs | 
|  | rm -f "$key.7z"; 7z a -p"$zippwd" -mhe=on "$key.7z" ca.crt "$key.crt" "$key.key" ta.key && mailx -s "openvpn keys" -a "$key.7z" "$email" <<<"I will send the archive password separately"; rm -v "$key.7z" | 
|  | # hand the password over out of band (phone, in person), never in the same mail as the archive | 
|  | echo "password to unpack $key.7z: $zippwd" | 
|  |  | 
|  |  | 
|  |  | 
|  | ===Revokace certifikátů=== | 
|  |  | 
|  | cd /etc/openvpn/easy-rsa | 
|  | source vars | 
|  | ./revoke-full certificate_name   # e.g. tonda; writes keys/crl.pem | 
|  | cp -v keys/crl.pem /etc/openvpn   # openvpn re-reads the CRL on every new connection, no restart needed | 
|  |  | 
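Before a client bundle leaves the server it is worth checking that the pieces actually fit together: that the certificate was issued by this CA, that it has not been revoked by the steps above, and that the private key being mailed belongs to that certificate (easy-rsa does not stop you from mixing up ''tonda.key'' and ''cenda.crt''). The following is an added example of mine, not code from the page or from easy-rsa/OpenVPN; it assumes the easy-rsa ''keys'' directory layout used above (''ca.crt'', ''<name>.crt'', ''<name>.key'', optionally ''crl.pem'') and needs only the ''openssl'' command line tool.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check a client bundle built with
# easy-rsa before mailing it out. Assumed layout (the easy-rsa "keys" directory above):
# <dir>/ca.crt, <dir>/<name>.crt, <dir>/<name>.key and, once something has been
# revoked, <dir>/crl.pem.

# check_client_bundle <dir> <name>
# returns 0 when <name>.crt chains to ca.crt, is not listed in crl.pem (if present)
# and belongs to <name>.key; prints the reason and returns 1 otherwise.
check_client_bundle() {
    dir=$1 name=$2
    ca="$dir/ca.crt" crt="$dir/$name.crt" key="$dir/$name.key" crl="$dir/crl.pem"
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing: $f"; return 1; }
    done

    # 1. chain check, with revocation when a CRL exists (what crl-verify does on the server)
    if [ -r "$crl" ]; then
        openssl verify -crl_check -CAfile "$ca" -CRLfile "$crl" "$crt" >/dev/null 2>&1 \
            || { echo "$name.crt: not valid under ca.crt (expired, foreign CA or revoked)"; return 1; }
    else
        openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
            || { echo "$name.crt: does not chain to ca.crt"; return 1; }
    fi

    # 2. the private key must belong to the certificate: compare the public keys
    pub_from_crt=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$pub_from_key" ] && [ "$pub_from_crt" = "$pub_from_key" ] \
        || { echo "$name.key: does not match $name.crt"; return 1; }

    # 3. a client certificate should not double as a server certificate; otherwise a
    #    leaked client key could impersonate the VPN server despite remote-cert-tls server
    if openssl x509 -in "$crt" -noout -purpose | grep -q '^SSL server : Yes'; then
        echo "warning: $name.crt is also usable as a TLS server certificate"
    fi
    echo "ok: $name"
}

# usage on the server: check_client_bundle /etc/openvpn/easy-rsa/keys tonda
```

Run it in the ''keys'' directory right before the ''7z'' step; a non-zero exit means the bundle should not be sent. The third check only warns, because easy-rsa's ''build-key'' already sets ''nsCertType=client'', but it catches certificates produced with ''build-key-server'' by mistake.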
|  |  | 
|  |  | 
|  | ====sendmail interface pro SMTP server==== | 
|  |  | 
|  | Some components (e.g. redmine) need to send mail through the sendmail interface (e.g. their built-in SMTP client does not work with the SMTP server for some reason). So instead of a full MTA a better SMTP client that provides the sendmail interface can be installed. Details: [[http://msmtp.sourceforge.net/doc/msmtp.html]] . | 
|  |  | 
|  | apt-get purge exim4-config exim4 exim4-base exim4-daemon-light | 
|  | apt-get install msmtp-mta | 
|  | ls -l /usr/sbin/sendmail | 
|  | # must be a symlink to /usr/bin/msmtp (the msmtp-mta package provides it) | 
|  |  | 
|  |  | 
|  | **/etc/msmtprc** (contains the SMTP password in clear: owned by root, group of the accounts that send mail, mode 640, never world-readable) | 
|  |  | 
|  | # Accounts will inherit settings from this section | 
|  | defaults | 
|  | auth             on | 
|  | tls              on | 
|  | # tls_certcheck off accepts any certificate, so a MITM on the way to smtp.example.com gets the password; keep it on and point tls_trust_file at the system CA bundle | 
|  | tls_certcheck    on | 
|  | tls_trust_file   /etc/ssl/certs/ca-certificates.crt | 
|  |  | 
|  | account        blackhole | 
|  | host           smtp.example.com | 
|  | port           465 | 
|  | from           blackhole@example.com | 
|  | user           blackhole@example.com | 
|  | password       my_password | 
|  | tls_starttls   off | 
|  |  | 
|  | account default : blackhole | 
|  |  | 
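The msmtp config is the one file on this VPS that carries a reusable credential for an external service, so it is worth having a small check that it has not drifted back to "tls_certcheck off" or to world-readable permissions. The block below is an added example of mine, not from the page or from msmtp: ''write_msmtprc'' writes the hardened variant of the page's config and ''audit_msmtprc'' flags the settings that would let someone on the path read the password. Assumptions: Debian's CA bundle lives at ''/etc/ssl/certs/ca-certificates.crt'' (package ''ca-certificates''), and the file is shared with the sending accounts through its group, so only the "other" permission bits have to be zero.

```shell
#!/bin/sh
# Added example, not part of the original page: write a hardened variant of the
# /etc/msmtprc above and audit an existing one for settings that expose the password.

# write_msmtprc <path>: same account as on the page, with certificate checking on
write_msmtprc() {
    cat > "$1" <<'EOF'
# Accounts inherit settings from this section
defaults
auth             on
tls              on
tls_certcheck    on
tls_trust_file   /etc/ssl/certs/ca-certificates.crt
logfile          /var/log/msmtp.log

account        blackhole
host           smtp.example.com
port           465
tls_starttls   off
from           blackhole@example.com
user           blackhole@example.com
password       my_password

account default : blackhole
EOF
    chmod 640 "$1"    # root plus the group of the sending users; nobody else
}

# audit_msmtprc <path>: prints one line per finding, returns 1 if there is any
audit_msmtprc() {
    f=$1 rc=0
    # "other" permission bits must be zero: the file carries a plaintext password
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case $mode in
        *[1-7]) echo "$f: mode $mode is world-readable"; rc=1 ;;
    esac
    if grep -Eq '^[[:space:]]*tls[[:space:]]+off' "$f"; then
        echo "$f: tls off, the password goes over the wire in clear"; rc=1
    fi
    if grep -Eq '^[[:space:]]*tls_certcheck[[:space:]]+off' "$f"; then
        echo "$f: tls_certcheck off, anyone who can redirect smtp.example.com can present their own certificate and collect the password"; rc=1
    fi
    if grep -Eq '^[[:space:]]*tls[[:space:]]+on' "$f" \
       && ! grep -Eq '^[[:space:]]*(tls_trust_file|tls_fingerprint)[[:space:]]' "$f"; then
        echo "$f: tls on but no tls_trust_file or tls_fingerprint, so the server certificate cannot be verified"; rc=1
    fi
    return $rc
}

# usage: audit_msmtprc /etc/msmtprc || echo "fix /etc/msmtprc before relying on it"
```

''tls_fingerprint'' is accepted as an alternative to a trust file because pinning the server certificate is the usual workaround for a self-signed SMTP server; what the audit rejects is the combination the page had, TLS on with nothing to verify the peer against.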
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | =====web server===== | 
|  |  | 
|  |  | 
|  | ====Nginx==== | 
|  |  | 
|  | Nginx, among other things, makes it possible to run several different web servers behind the same port (e.g. tomcat for java web applications + apache for php + passenger for ruby applications). | 
|  |  | 
|  | Because we need **passenger** for **ruby** applications (e.g. **redmine**), this cannot be installed from the Debian packages; the Phusion repository is used instead. | 
|  |  | 
|  | apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 561F9B9CAC40B2F7 | 
|  | apt-get install apt-transport-https ca-certificates | 
|  | echo "deb https://oss-binaries.phusionpassenger.com/apt/passenger wheezy main" > /etc/apt/sources.list.d/passenger.list | 
|  | chmod 600 /etc/apt/sources.list.d/passenger.list | 
|  | apt-get update | 
|  | apt-get install nginx-extras passenger | 
|  |  | 
|  |  | 
|  | If SSL is going to be used, a certificate is needed (here a self-signed one, which browsers will warn about; for a public site get one from a CA). Without ''-days'' openssl issues it for only 30 days, and the key must not be readable by anyone but root: | 
|  |  | 
|  | openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 -out /etc/nginx/server.crt -keyout /etc/nginx/server.key && chmod 600 /etc/nginx/server.key | 
|  |  | 
|  |  | 
|  | **/etc/nginx/conf/nginx.conf** | 
|  |  | 
|  | #user  nobody; | 
|  | worker_processes  1; | 
|  |  | 
|  | error_log  /var/log/nginx/error.log; | 
|  | pid /var/run/nginx.pid; | 
|  |  | 
|  | #error_log  logs/error.log  notice; | 
|  | #error_log  logs/error.log  info; | 
|  |  | 
|  | #pid        logs/nginx.pid; | 
|  |  | 
|  |  | 
|  | events { | 
|  | worker_connections  128; # maximum number of connections - http://wiki.nginx.org/EventsModule#worker_connections | 
|  | } | 
|  |  | 
|  |  | 
|  | http { | 
|  | passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini; | 
|  | passenger_ruby /usr/bin/ruby; | 
|  |  | 
|  | include       mime.types; | 
|  | default_type  application/octet-stream; | 
|  |  | 
|  | #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ' | 
|  | #                  '$status $body_bytes_sent "$http_referer" ' | 
|  | #                  '"$http_user_agent" "$http_x_forwarded_for"'; | 
|  |  | 
|  | #access_log  logs/access.log  main; | 
|  |  | 
|  | sendfile        on; | 
|  | #tcp_nopush     on; | 
|  |  | 
|  | #keepalive_timeout  0; | 
|  | keepalive_timeout  65; | 
|  |  | 
|  | #gzip  on; | 
|  |  | 
|  | ssl_certificate server.crt; | 
|  | ssl_certificate_key server.key; | 
|  |  | 
|  | proxy_set_header X-Real-IP $remote_addr; | 
|  | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | 
|  | proxy_set_header Host $http_host; | 
| } | } | 
| (old version: the "6.2. Thin v nginx" section in its original HTML form, identical in content to the Thin section of the current version below) |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | ====Tomcat==== | 
|  |  | 
|  | The web server is tomcat 7, because we want to run simple java web applications in it (i.e. we need something in java, but not a full-blown application server). | 
|  |  | 
|  | apt-get install tomcat7 | 
|  |  | 
|  |  | 
|  | **conf/server.xml** | 
|  |  | 
|  | <Server port="8005" shutdown="SHUTDOWN"> | 
|  | <Service name="Catalina"> | 
|  | <!-- address="127.0.0.1": only nginx on this box talks to tomcat, so do not listen on the public interface --> | 
|  | <Connector port="8081" address="127.0.0.1" protocol="org.apache.coyote.http11.Http11NioProtocol" | 
|  | connectionTimeout="20000" | 
|  | redirectPort="443" | 
|  | minSpareThreads="2" maxThreads="10" /> | 
|  | <Engine name="Catalina" defaultHost="www.example.com"> | 
|  | <Host name="www.example.com"  appBase="webapps-moje" | 
|  | unpackWARs="true" autoDeploy="true"> | 
|  | <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" | 
|  | prefix="access_log." suffix=".log" | 
|  | pattern="%h %l %u %t &quot;%r&quot; %s %b" /> | 
|  | </Host> | 
|  | </Engine> | 
|  | </Service> | 
|  | </Server> | 
|  |  | 
|  |  | 
|  | ''appBase'' is changed because a tomcat upgrade could overwrite the applications in ''/var/lib/tomcat7/webapps'' (at least some distributions did that). | 
|  |  | 
|  |  | 
|  |  | 
|  | **/etc/default/tomcat7** | 
|  |  | 
|  | JAVA_HOME=/usr/lib/jvm/jre-7-oracle-x64 | 
|  | CATALINA_OPTS="-Djava.awt.headless=true -Xmx80m -XX:+UseConcMarkSweepGC" | 
|  | # enable for remote management (e.g. jconsole or jvisualvm); as written this is JMX with no authentication and no TLS on port 5000, | 
|  | # which amounts to code execution for anyone who can reach the port: keep it commented out, or restrict 5000 to the VPN in shorewall and turn authenticate/ssl back on | 
|  | #JAVA_OPTS="${JAVA_OPTS} -Djava.rmi.server.hostname=mujserver.example.com -Djava.net.preferIPv4Stack=true -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=5000 -Dcom.sun.management.jmxremote.authenticate=false" | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | Configure nginx to forward requests to tomcat: | 
|  |  | 
|  | **/etc/nginx/conf/nginx.conf** | 
|  |  | 
|  | server { | 
|  | # JAVA web server - e.g. Tomcat | 
|  | listen *:80 default_server; | 
|  | listen *:443 ssl; | 
|  |  | 
|  | proxy_set_header X-Real-IP $remote_addr; | 
|  | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | 
|  | proxy_set_header Host $http_host; | 
|  |  | 
|  | location / { | 
|  | proxy_pass  http://127.0.0.1:8081; | 
|  | } | 
|  | } | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | ====Apache + PHP==== | 
|  |  | 
|  | For PHP experiments: | 
|  |  | 
|  | **/etc/nginx/conf/nginx.conf** | 
|  |  | 
|  | server { | 
|  | # PHP + phpmyadmin | 
|  | listen *:80; | 
|  | listen *:443 ssl; | 
|  | server_name php.example.com; # another DNS name pointing at the public address of the VPS | 
|  |  | 
|  | proxy_set_header X-Real-IP $remote_addr; | 
|  | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | 
|  | proxy_set_header Host $http_host; | 
|  |  | 
|  | location / { | 
|  | proxy_pass  http://127.0.0.1:8082; | 
|  | } | 
|  |  | 
|  | # phpmyadmin only over SSL: plain http gets a permanent redirect, everything else is proxied | 
|  | location /phpmyadmin { | 
|  | if ($scheme = "http") { | 
|  | return 301 https://$http_host$request_uri; | 
|  | } | 
|  | proxy_pass  http://127.0.0.1:8082; | 
|  | } | 
|  | } | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | =====Git===== | 
|  |  | 
|  | Access to the git repositories is controlled by **gitolite** . | 
|  |  | 
|  | # copy the git administrator's id_rsa.pub to /root/spravcegitu.pub | 
|  | apt-get install gitolite | 
|  | dpkg-reconfigure gitolite | 
|  | # change the user to git | 
|  |  | 
|  |  | 
|  | **/var/lib/gitolite/.gitolite.rc** | 
|  |  | 
|  | $REPO_UMASK = 0027; # makes files g+rx so that e.g. redmine (a member of the git group) can read the repositories; "other" gets nothing | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | **/etc/ssh/sshd_config** | 
|  |  | 
|  | Password authentication is disabled for the git user (everything goes through SSH keys, which gitolite manages in its authorized_keys). ''Match'' blocks have to go at the end of ''sshd_config'': every directive after a ''Match'' line belongs to that block. | 
|  |  | 
|  | Match User git | 
|  | PasswordAuthentication no | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | =====Mysql===== | 
|  |  | 
|  | Mysql is needed e.g. for redmine (see below). More at [[https://wiki.archlinux.org/index.php/MySQL]] . ''mysql_secure_installation'' sets the root password and removes the anonymous users and the test database; do not skip it. | 
|  |  | 
|  | apt-get install mysql-server | 
|  | mysql_secure_installation | 
|  |  | 
|  |  | 
|  |  | 
|  | =====Redmine===== | 
|  |  | 
|  | Details: [[http://www.redmine.org/projects/redmine/wiki/RedmineInstall]] . | 
|  |  | 
|  | apt-get install ruby ruby-dev make imagemagick libmagickcore-dev libmagickwand-dev libmysqlclient-dev | 
|  | cd | 
|  | VER=2.5.1 | 
|  | wget http://www.redmine.org/releases/redmine-$VER.tar.gz | 
|  | tar xzf redmine-$VER.tar.gz -C /opt | 
|  | chown -R root:root /opt/redmine-$VER | 
|  |  | 
|  |  | 
|  | mysql -p    # asks for the root password (see the mysql installation) | 
|  | create database redmine character set utf8; | 
|  | create user 'redmine'@'localhost' identified by 'my_password';   # use a real password here, it ends up in config/database.yml | 
|  | grant all privileges on redmine.* to 'redmine'@'localhost'; | 
|  |  | 
|  |  | 
|  | **config/database.yml** (holds the database password: keep it readable only by root and the redmine user) | 
|  |  | 
|  | production: | 
|  | adapter: mysql2 | 
|  | database: redmine | 
|  | host: localhost | 
|  | username: redmine | 
|  | password: my_password | 
|  | encoding: utf8 | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | **config/configuration.yml** | 
|  |  | 
|  | production: | 
|  | email_delivery: | 
|  | delivery_method: :sendmail | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | This has to be done only after ''config/database.yml'' exists, so that all the needed gems get installed (mainly the ones for database access). | 
|  |  | 
|  | cd /opt/redmine-$VER | 
|  | gem install --no-user-install bundler | 
|  | bundle install --system --without development test postgresql sqlite | 
|  | rake generate_secret_token | 
|  | useradd -m --home-dir /var/lib/redmine-$VER --shell /bin/bash --system redmine | 
|  | usermod -a -G git redmine | 
|  | mkdir -p /var/lib/redmine-$VER/{tmp,public/plugin_assets} | 
|  | tar c files log tmp public/plugin_assets | tar xv -C /var/lib/redmine-$VER | 
|  | for i in files log tmp public/plugin_assets; do rm -Rf $i; ln -nfs /var/lib/redmine-$VER/$i $i; done | 
|  | chown -R redmine:redmine /var/lib/redmine-$VER | 
|  | chmod -R ugo+r /var/lib/redmine-$VER   # only public/plugin_assets needs to be world-readable (nginx serves it directly); files/ holds the uploaded attachments, so tighten that one to the redmine user and group | 
|  |  | 
|  |  | 
|  | The data is copied over from the old server: | 
|  |  | 
|  | # get the contents of files onto /var/lib/redmine-1.4/files somehow | 
|  | mysql -u redmine -p redmine < dump_redmine_default_2012-05-28.sql | tee restore.log | 
|  | RAILS_ENV=production rake db:migrate | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | :!: **NOTE:** A fresh (empty) database can be created with: | 
|  |  | 
|  | RAILS_ENV=production rake db:migrate | 
|  | RAILS_ENV=production rake redmine:load_default_data | 
|  |  | 
|  | The installation can be tested by starting the simple built-in web server (look at the projects and check that the git integration and mail sending work). Bind it to localhost only: by default webrick listens on all interfaces on port 3000 with nothing in front of it, so reach it through an ssh tunnel instead: | 
|  |  | 
|  | su - -s /bin/bash redmine | 
|  | ruby script/rails server webrick -e production -b 127.0.0.1 | 
|  |  | 
|  |  | 
|  |  | 
|  | ====Passenger v nginx==== | 
|  |  | 
|  | Details: [[http://www.modrails.com/documentation/Users%20guide%20Nginx.html#install_on_debian_ubuntu]] . | 
|  |  | 
|  | apt-get install ruby-passenger | 
|  |  | 
|  |  | 
|  | **/etc/nginx/conf/nginx.conf** | 
|  |  | 
|  | http { | 
|  | # NOTE: passenger must be enabled (see the nginx installation) | 
|  |  | 
| server { | server { | 
| listen *:8080 default_server; | listen 8080 default_server; | 
| client_max_body_size 100M; | root /opt/redmine-2.5.1/public; | 
|  | passenger_enabled on; | 
|  | # by default the owner/group of config/environment.rb would be used; pin it so the app never runs as the file owner by accident | 
|  | passenger_user redmine; | 
|  | passenger_group redmine; | 
|  | client_max_body_size 100M; # some uploads to redmine are larger than the default limit | 
|  | } | 
|  | } | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | ====Thin v nginx (primitivni alternativa k passengeru)==== | 
|  |  | 
|  | gem install --no-user-install thin | 
|  | thin install | 
|  |  | 
|  |  | 
|  | Add the following: | 
|  |  | 
|  | **/opt/redmine-1.4/Gemfile** | 
|  |  | 
|  | gem 'thin' | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | **/etc/thin/redmine.yml** | 
|  |  | 
|  | # comment | 
|  | --- | 
|  | chdir: /opt/redmine-1.4 | 
|  | environment: production | 
|  | timeout: 30 | 
|  | log: /var/log/thin/redmine.log | 
|  | pid: /var/lib/redmine-1.4/thin.pid  # must be writable by the redmine user | 
|  | max_conns: 1024 | 
|  | max_persistent_conns: 100 | 
|  | require: [] | 
|  | wait: 30 | 
|  | socket: /var/lib/redmine-1.4/thin.sock  # must be writable by the redmine user | 
|  | daemonize: true | 
|  | user: redmine | 
|  | group: redmine | 
|  | servers: 1 | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | Finally, on Arch Linux, add //thin// to //DAEMONS// in ''/etc/rc.conf'' (this is a leftover from the Arch installation; on Debian ''thin install'' drops an init script into ''/etc/init.d/thin'', so enable it with ''update-rc.d thin defaults'' instead). | 
|  |  | 
|  | **/etc/nginx/conf/nginx.conf** | 
|  |  | 
|  | upstream redmine { | 
|  | server unix:/var/lib/redmine-1.4/thin.0.sock; | 
|  | } | 
|  |  | 
|  | server { | 
|  | listen *:8080 default_server; | 
|  | client_max_body_size 100M; | 
|  |  | 
|  | location / { | 
|  | proxy_pass http://redmine; | 
|  | } | 
|  | } | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | =====nexus (maven repository)===== | 
|  |  | 
|  |  | 
|  |  | 
|  | :!: **NOTE:** It might be worth just dropping the war into tomcat so that two JVMs are not running needlessly. But careful, tomcat is reachable from the internet and we want nexus only on the VPN (restrict port 8083 to the VPN zone in shorewall, or bind nexus to the VPN address with ''application-host'' in nexus.properties). | 
|  |  | 
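Every backend on this page (tomcat 8081, apache 8082, nexus 8083, passenger 8080) is meant to be reached only through nginx or over the VPN, but unless it is told otherwise each of them listens on all interfaces and only the shorewall rules stand between it and the internet. The block below is an added example of mine, not from the page or from any of those projects: it runs over ''ss -ltn'' output and lists the listeners that are neither loopback-only nor on the public allow-list. The allow-list is an assumption (the ports the shorewall rules above open to the net), and the sample lines are constructed to mirror the ports used on this page, not a capture from a real server.

```shell
#!/bin/sh
# Added example, not part of the original page: find backend ports that listen on every
# interface although only nginx on the same box (or VPN clients) should reach them.
# Input is the output of "ss -ltn" (state, Recv-Q, Send-Q, local address:port, peer).
PUBLIC_PORTS="22 80 443 1194"    # assumption: what the shorewall rules open to the internet

# exposed_listeners: reads "ss -ltn" lines on stdin, prints "<port> <addr>" for every
# listener that is neither loopback-only nor on the public allow-list
exposed_listeners() {
    while read -r state _recvq _sendq laddr _peer _rest; do
        [ "$state" = "LISTEN" ] || continue       # also skips the header line
        addr=${laddr%:*} port=${laddr##*:}        # "*:8080" -> "*" 8080, ":::8081" -> "::" 8081
        case $addr in
            127.*|'[::1]'|::1) continue ;;        # loopback: only local processes (nginx) get there
        esac
        case " $PUBLIC_PORTS " in
            *" $port "*) continue ;;              # deliberately public
        esac
        echo "$port $addr"
    done
}

# constructed sample, roughly what this page's services would show (openvpn is UDP
# and therefore absent from a TCP listing)
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22                *:*
LISTEN 0      128    *:80                *:*
LISTEN 0      128    *:443               *:*
LISTEN 0      128    *:8080              *:*
LISTEN 0      100    :::8081             :::*
LISTEN 0      128    127.0.0.1:8082      *:*
LISTEN 0      50     *:8083              *:*
LISTEN 0      80     127.0.0.1:3306      *:*
EOF
}

# usage on a live host: ss -ltn | exposed_listeners
```

On the sample this reports 8080, 8081 and 8083. A port showing up here is not automatically an incident (shorewall may well drop it), but it is a backend whose safety depends entirely on the firewall, and ''address="127.0.0.1"'' on the tomcat connector or ''application-host'' for nexus removes that dependency.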
|  | useradd --system --shell /bin/bash --home-dir /var/lib/nexus -m nexus | 
|  | wget http://www.sonatype.org/downloads/nexus-latest-bundle.tar.gz   # plain http and no signature: compare the archive against the checksum Sonatype publishes for the release before unpacking it | 
|  | tar xzf nexus-latest-bundle.tar.gz -C /opt | 
|  | ln -nfsv /opt/nexus-2.7.0-05 /opt/nexus | 
|  | mkdir /var/run/nexus | 
|  | chown nexus:nexus /var/run/nexus | 
|  | mkdir /var/lib/nexus/{logs,tmp} | 
|  | chown nexus:nexus /var/lib/nexus/{logs,tmp} | 
|  | rm -rfv /opt/nexus/{logs,tmp} | 
|  | ln -fsv /var/lib/nexus/logs /opt/nexus | 
|  | ln -fsv /var/lib/nexus/tmp /opt/nexus | 
|  | cp /opt/nexus/bin/nexus /etc/init.d | 
|  | chmod ugo+x /etc/init.d/nexus | 
|  | update-rc.d nexus defaults | 
|  |  | 
|  |  | 
|  | **/etc/init.d/nexus** | 
|  |  | 
|  | NEXUS_HOME="/opt/nexus" | 
|  | #JAVA_HOME="/opt/jdk-7" | 
|  | RUN_AS_USER="nexus" | 
|  | PIDDIR="/var/lib/nexus" # must be writable by the nexus user | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | **/opt/nexus/conf/nexus.properties** | 
|  |  | 
|  | application-port=8083 | 
|  | nexus-work=/var/lib/nexus | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | **/opt/nexus/bin/jsw/conf/wrapper.conf** | 
|  |  | 
|  | wrapper.java.maxmemory=80 | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | For the rest see [[http://books.sonatype.com/nexus-book/reference/install-sect-repoman-post-install.html]] | 
|  |  | 
| (old version: the tail of the Thin nginx config and the "7. nexus (maven repository)" section in their original HTML form, with the same commands and settings as the current version above) |  | 