====== Installationsanleitung Rio-Dossier-Server======

^ Version ^ Status ^ Datum ^ Author ^ URL ^
| 0.1| Erster Entwurf| 26.08.2020| Silvan Dux| |
| 0.2| Ergänzungen| TT.MM.JJJJ| Vorname Nachname| |
| 1.0| Review und Freigabe| TT.MM.JJJJ| Vorname Nachname| |

===== 1. Kurzfassung  =====

//Installationsanleitung für die Module des Rio-Dossier-Servers "dossier-zh-ruga-01" auf einer Ubunutu 20.054 LTS Standardinstallation.//



===== 2. Installation PHP 7.4 =====
<code>
Installation PHP 7.4
		Installing PHP 7.4
			<sudo apt install php7.4>
			<sudo apt-get install php7.4-mbstring>
			<sudo apt-get install php5-gd>
</code>

===== 3. Installation MongoDB =====
<code>
Installation
		<sudo apt install -y mongodb>
</code>

===== 4. Installation MySQL =====
<code>
Installtion
		<sudo apt install -y mysql-server>
</code>

===== 5.1 Installation Nginx =====
<code>
Installation Nginx
		Installing Nginx
			<sudo apt install nginx>

		Adjusting Firewall
			<sudo ufw app list>
			<sudo ufw allow 'Nginx HTTP'>
			<sudo ufw status>

		Checking Webserver
			<systemctl status nginx>
			In Browser "http://192.168.3.35" aufrufen

		Nginx Server Block
			<sudo mkdir -p /var/www/dossier.rafisa.net/html>
			<sudo chown -R $USER:$USER /var/www/dossier.rafisa.net/html>
			<sudo chmod -R 755 /var/www/dossier.rafisa.net>
			<sudo nano /var/www/dossier.rafisa.net/html/index.html>
				[nano
					<html>
    						<head>
        						<title>Welcome to dossier.rafisa.net!</title>
    						</head>
    						<body>
        						<h1>Success!  The dossier.rafisa.net server block is working!</h1>
    						</body>
					</html>
				[
			<sudo nano /etc/nginx/sites-available/dossier.rafisa.net>
				[nano
					server {
        					listen 80;
       						listen [::]:80;

        					root /var/www/dossier.rafisa.net/html;
        					index index.html index.htm index.nginx-debian.html;

        					server_name dossier.rafisa.net www.dossier.rafisa.net;

        					location / {
                					try_files $uri $uri/ =404;
        					}
					}
				]
			<sudo ln -s /etc/nginx/sites-available/dossier.rafisa.net /etc/nginx/sites-enabled/>
			<sudo nano /etc/nginx/nginx.conf>
				[nano
					...
					http {
    					    ...
    					    server_names_hash_bucket_size 64;
    					    ...
					}
					...
				]
			<sudo nginx -t>
			<sudo systemctl restart nginx>

</code>

===== 5.2 Installation Nginx SSL =====
<code>
Creating SSL Certificate
		<sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt>
		<sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096>
		<sudo nano /etc/nginx/snippets/self-signed.conf>
			[nano
				ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
				ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
			]
		<sudo nano /etc/nginx/snippets/ssl-params.conf>
			[nano
				ssl_protocols TLSv1.2;
				ssl_prefer_server_ciphers on;
				ssl_dhparam /etc/nginx/dhparam.pem;
				ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
				ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
				ssl_session_timeout  10m;
				ssl_session_cache shared:SSL:10m;
				ssl_session_tickets off; # Requires nginx >= 1.5.9
				ssl_stapling on; # Requires nginx >= 1.3.7
				ssl_stapling_verify on; # Requires nginx => 1.3.7
				resolver 8.8.8.8 8.8.4.4 valid=300s;
				resolver_timeout 5s;
				# Disable strict transport security for now. You can uncomment the following
				# line if you understand the implications.
				# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
				add_header X-Frame-Options DENY;
				add_header X-Content-Type-Options nosniff;
				add_header X-XSS-Protection "1; mode=block";
			]
		<sudo cp /etc/nginx/sites-available/dossier.rafisa.net /etc/nginx/sites-available/dossier.rafisa.net.bak>
		<sudo nano /etc/nginx/sites-available/dossier.rafisa.net>
			[nano
				server {
    					listen 80;
    					listen [::]:80;

    					server_name dossier.rafisa.net www.dossier.rafisa.net;

    					return 302 https://$server_name$request_uri;
				}

				server {

        				# SSL configuration

        				listen 443 ssl http2 default_server;
        				listen [::]:443 ssl http2 default_server;
        				include snippets/self-signed.conf;
        				include snippets/ssl-params.conf;

        				server_name dossier.rafisa.net www.dossier.rafisa.net;

        				root /var/www/dossier.rafisa.net/html;
        				index index.html index.htm index.nginx-debian.html;
				}
			]
		<sudo ufw app list>
		<sudo ufw allow 'Nginx Full'>
		<sudo ufw delete allow 'Nginx HTTP'>
		<sudo nginx -t>
		<sudo systemctl restart nginx>
		<sudo nano /etc/nginx/sites-available/dossier.rafisa.net>
			[nano
				 return 301 https://$server_name$request_uri;
			]
		<sudo nginx -t>
		<sudo systemctl restart nginx>
</code>

===== 5.3 Installation Nginx HTTP2 ====
<code>
HTTP2 Nginx
		Prerequisites
			TLS/SSL Certificate für den Server
		Adding SSL Certificate
			<sudo mkdir /etc/nginx/ssl>
			<sudo cp /etc/ssl/certs/nginx-selfsigned.crt /etc/nginx/ssl/dossier.rafisa.net.crt>
			<sudo cp /etc/ssl/private/nginx-selfsigned.key /etc/nginx/ssl/dossier.rafisa.net.key>
		Config	
			<sudo nano /etc/nginx/sites-available/dossier.rafisa.net>
				[nano
					server {
        					listen 80;
        					listen [::]:80;
		
        					server_name dossier.rafisa.net www.dossier.rafisa.net;
		
        					return 301 https://$server_name$request_uri;
					}
	
					server {
	
        					# SSL configuration
	
        					listen 443 ssl http2 default_server;
        					listen [::]:443 ssl http2 default_server;
        					include snippets/self-signed.conf;
        					include snippets/ssl-params.conf;
		
        					server_name dossier.rafisa.net www.dossier.rafisa.net;
	
        					root /var/www/dossier.rafisa.net/html;
        					index index.html index.htm index.nginx-debian.html;
	
        					ssl_certificate /etc/nginx/ssl/dossier.rafisa.net.crt;
        					ssl_certificate_key /etc/nginx/ssl/dossier.rafisa.net.key;
					}
				]
			<sudo nano /etc/nginx/nginx.conf>
				[#Add line after ssl_prefer_server_ciphers on;
					ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
				]
			<sudo nginx -t>
			<sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048>
			<sudo nano /etc/nginx/sites-available/dossier.rafisa.net>
				[nano
					server {
        					listen 443 ssl http2 default_server;
       						listen [::]:443 ssl http2 default_server;

        					root /var/www/dossier.rafisa.net/html;

        					index index.html index.htm index.nginx-debian.html;

        					server_name 192.168.3.35;

        					location / {
                					try_files $uri $uri/ =404;
        					}

        					ssl_certificate /etc/nginx/ssl/dossier.rafisa.net.crt;
        					ssl_certificate_key /etc/nginx/ssl/dossier.rafisa.net.key;
        					ssl_dhparam /etc/nginx/ssl/dhparam.pem;
					}


					server {
       						listen         80;
       						listen    [::]:80;
      						server_name    192.168.3.35;
       						return         301 https://$server_name$request_uri;
					}

				]
			<sudo nginx -t>
			<sudo nano /etc/nginx/nginx.conf
				[#Add to hhtp Block
					ssl_session_cache shared:SSL:5m;
        				ssl_session_timeout 1h;
        				add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
				]
			<sudo nginx -t>
			<sudo systemctl restart nginx>
</code>





===== 6. Quellenverzeichnis =====
-Installation Ngnix Ubunutu 20.04 (https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-20-04) 
-Installation Nginx Self-Signed SSL Ubuntu 18.04(https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04)
-Installation Nginx HTTP2 Ubuntu 18.04 (https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-with-http-2-support-on-ubuntu-18-04)