Installation Guide: Rio-Dossier-Server

Version   Status                Date         Author                 URL
0.1       First draft           26.08.2020   Silvan Dux
0.2       Additions             DD.MM.YYYY   First name Last name
1.0       Review and approval   DD.MM.YYYY   First name Last name

1. Summary

Installation guide for the modules of the Rio-Dossier-Server "dossier-zh-ruga-01" on a standard Ubuntu 20.04 LTS installation.

2. Installation PHP 7.4

Installation PHP 7.4
		Installing PHP 7.4
			<sudo apt install php7.4>
			<sudo apt-get install php7.4-mbstring>
			<sudo apt-get install php7.4-gd>

3. Installation MongoDB

Installation
		<sudo apt install -y mongodb>

4. Installation MySQL

Installation
		<sudo apt install -y mysql-server>

5.1 Installation Nginx

Installation Nginx
		Installing Nginx
			<sudo apt install nginx>

		Adjusting Firewall
			<sudo ufw app list>
			<sudo ufw allow 'Nginx HTTP'>
			<sudo ufw status>

		Checking Webserver
			<systemctl status nginx>
			Open "http://192.168.3.35" in a browser

		Nginx Server Block
			<sudo mkdir -p /var/www/dossier.rafisa.net/html>
			<sudo chown -R $USER:$USER /var/www/dossier.rafisa.net/html>
			<sudo chmod -R 755 /var/www/dossier.rafisa.net>
			<sudo nano /var/www/dossier.rafisa.net/html/index.html>
				[nano
					<html>
    						<head>
        						<title>Welcome to dossier.rafisa.net!</title>
    						</head>
    						<body>
        						<h1>Success!  The dossier.rafisa.net server block is working!</h1>
    						</body>
					</html>
				]
			<sudo nano /etc/nginx/sites-available/dossier.rafisa.net>
				[nano
					server {
        					listen 80;
       						listen [::]:80;

        					root /var/www/dossier.rafisa.net/html;
        					index index.html index.htm index.nginx-debian.html;

        					server_name dossier.rafisa.net www.dossier.rafisa.net;

        					location / {
                					try_files $uri $uri/ =404;
        					}
					}
				]
			<sudo ln -s /etc/nginx/sites-available/dossier.rafisa.net /etc/nginx/sites-enabled/>
			<sudo nano /etc/nginx/nginx.conf>
				[nano
					...
					http {
    					    ...
    					    server_names_hash_bucket_size 64;
    					    ...
					}
					...
				]
			<sudo nginx -t>
			<sudo systemctl restart nginx>

5.2 Installation Nginx SSL

Creating SSL Certificate
		<sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt>
		<sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096>
		<sudo nano /etc/nginx/snippets/self-signed.conf>
			[nano
				ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
				ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
			]
		<sudo nano /etc/nginx/snippets/ssl-params.conf>
			[nano
				ssl_protocols TLSv1.2;
				ssl_prefer_server_ciphers on;
				ssl_dhparam /etc/nginx/dhparam.pem;
				# OpenSSL defines no ...-GCM-SHA512 suites; the first two names match nothing and are ignored.
				ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
				ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
				ssl_session_timeout  10m;
				ssl_session_cache shared:SSL:10m;
				ssl_session_tickets off; # Requires nginx >= 1.5.9
				# With the self-signed certificate, nginx -t warns that ssl_stapling is ignored; this is expected.
				ssl_stapling on; # Requires nginx >= 1.3.7
				ssl_stapling_verify on; # Requires nginx >= 1.3.7
				resolver 8.8.8.8 8.8.4.4 valid=300s;
				resolver_timeout 5s;
				# Disable strict transport security for now. You can uncomment the following
				# line if you understand the implications.
				# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
				add_header X-Frame-Options DENY;
				add_header X-Content-Type-Options nosniff;
				add_header X-XSS-Protection "1; mode=block";
			]
		<sudo cp /etc/nginx/sites-available/dossier.rafisa.net /etc/nginx/sites-available/dossier.rafisa.net.bak>
		<sudo nano /etc/nginx/sites-available/dossier.rafisa.net>
			[nano
				server {
    					listen 80;
    					listen [::]:80;

    					server_name dossier.rafisa.net www.dossier.rafisa.net;

    					return 302 https://$server_name$request_uri;
				}

				server {

        				# SSL configuration

        				listen 443 ssl http2 default_server;
        				listen [::]:443 ssl http2 default_server;
        				include snippets/self-signed.conf;
        				include snippets/ssl-params.conf;

        				server_name dossier.rafisa.net www.dossier.rafisa.net;

        				root /var/www/dossier.rafisa.net/html;
        				index index.html index.htm index.nginx-debian.html;
				}
			]
		<sudo ufw app list>
		<sudo ufw allow 'Nginx Full'>
		<sudo ufw delete allow 'Nginx HTTP'>
		<sudo nginx -t>
		<sudo systemctl restart nginx>
		<sudo nano /etc/nginx/sites-available/dossier.rafisa.net>
			[nano
				# In the port-80 server block, replace the "return 302 ..." line with:
				return 301 https://$server_name$request_uri;
			]
		<sudo nginx -t>
		<sudo systemctl restart nginx>
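
An added example, not part of the original guide: two shell functions that check response headers for the redirect from section 5.2 (temporary 302 first, permanent 301 after the last edit) and for the three headers set in ssl-params.conf. The function names and the sample responses are constructed for illustration; live use assumes curl is installed.

```shell
#!/bin/sh
# Added example (not from the original guide): check captured response headers.
# Live use, assuming curl is installed (-k accepts the self-signed certificate):
#   curl -sI  http://dossier.rafisa.net/  | redirect_check
#   curl -skI https://dossier.rafisa.net/ | missing_headers

# Reads a port-80 response header block on stdin, prints "<status> <location>",
# and succeeds only for a permanent (301) redirect to an https:// URL.
redirect_check() {
    tr -d '\r' | awk '
        NR == 1                    { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        END {
            print status, loc
            exit !(status == "301" && loc ~ /^https:\/\//)
        }'
}

# Reads an HTTPS response header block on stdin and prints, one per line,
# each header set in ssl-params.conf that the response does not carry.
missing_headers() {
    tr -d '\r' | awk -F: '
        BEGIN { n = split("x-frame-options x-content-type-options x-xss-protection", want, " ") }
        NR > 1 { seen[tolower($1)] = 1 }
        END { for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i] }'
}

# Constructed sample responses (not captured from the real server).
sample_302() { printf 'HTTP/1.1 302 Moved Temporarily\r\nLocation: https://dossier.rafisa.net/\r\n\r\n'; }
sample_301() { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://dossier.rafisa.net/\r\n\r\n'; }
sample_tls() { printf 'HTTP/2 200\r\nx-frame-options: DENY\r\nX-Content-Type-Options: nosniff\r\n\r\n'; }

sample_302 | redirect_check || echo "redirect is not permanent yet"
sample_301 | redirect_check && echo "permanent redirect to HTTPS"
echo "missing: $(sample_tls | missing_headers)"
```

Because the add_header lines in ssl-params.conf carry no "always" parameter, nginx attaches them only to success and redirect responses, so run the header check against a URL that returns 200.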

5.3 Installation Nginx HTTP2

HTTP2 Nginx
		Prerequisites
			TLS/SSL certificate for the server
		Adding SSL Certificate
			<sudo mkdir /etc/nginx/ssl>
			<sudo cp /etc/ssl/certs/nginx-selfsigned.crt /etc/nginx/ssl/dossier.rafisa.net.crt>
			<sudo cp /etc/ssl/private/nginx-selfsigned.key /etc/nginx/ssl/dossier.rafisa.net.key>
		Config	
			<sudo nano /etc/nginx/sites-available/dossier.rafisa.net>
				[nano
					server {
        					listen 80;
        					listen [::]:80;
		
        					server_name dossier.rafisa.net www.dossier.rafisa.net;
		
        					return 301 https://$server_name$request_uri;
					}
	
					server {
	
        					# SSL configuration
	
        					listen 443 ssl http2 default_server;
        					listen [::]:443 ssl http2 default_server;
        					include snippets/self-signed.conf;
        					include snippets/ssl-params.conf;
		
        					server_name dossier.rafisa.net www.dossier.rafisa.net;
	
        					root /var/www/dossier.rafisa.net/html;
        					index index.html index.htm index.nginx-debian.html;
	
        					ssl_certificate /etc/nginx/ssl/dossier.rafisa.net.crt;
        					ssl_certificate_key /etc/nginx/ssl/dossier.rafisa.net.key;
					}
				]
			<sudo nano /etc/nginx/nginx.conf>
				[#Add line after ssl_prefer_server_ciphers on;
					ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
				]
			<sudo nginx -t>
			<sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048>
			<sudo nano /etc/nginx/sites-available/dossier.rafisa.net>
				[nano
					server {
        					listen 443 ssl http2 default_server;
       						listen [::]:443 ssl http2 default_server;

        					root /var/www/dossier.rafisa.net/html;

        					index index.html index.htm index.nginx-debian.html;

        					server_name 192.168.3.35;

        					location / {
                					try_files $uri $uri/ =404;
        					}

        					ssl_certificate /etc/nginx/ssl/dossier.rafisa.net.crt;
        					ssl_certificate_key /etc/nginx/ssl/dossier.rafisa.net.key;
        					ssl_dhparam /etc/nginx/ssl/dhparam.pem;
					}


					server {
       						listen         80;
       						listen    [::]:80;
      						server_name    192.168.3.35;
       						return         301 https://$server_name$request_uri;
					}

				]
			<sudo nginx -t>
			<sudo nano /etc/nginx/nginx.conf>
				[#Add to http block
					ssl_session_cache shared:SSL:5m;
					ssl_session_timeout 1h;
					add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
				]
			<sudo nginx -t>
			<sudo systemctl restart nginx>
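
An added example, not part of the original guide: a shell audit of the ssl_ciphers value that section 5.3 adds to nginx.conf. It reports every enabling token that requests 3DES (64-bit block cipher) or static RSA key exchange (no forward secrecy). The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): flag weak ssl_ciphers tokens.
# Live use: sudo nginx -T 2>/dev/null | audit_conf

# Prints "<token> <reason>" for each enabling token in the cipher string $1
# that requests 3DES or static RSA key exchange ("RSA" is an alias for kRSA).
# Tokens starting with "!" or "-" remove ciphers and are skipped.
weak_cipher_tokens() {
    printf '%s\n' "$1" | tr -d "\"'" | tr ':' '\n' | awk '
        /^[!-]/ || /^$/                    { next }
        /(^|[+])3DES($|[+])/ || /DES-CBC3/ { print $0, "3des" }
        /(^|[+])k?RSA($|[+])/              { print $0, "static-rsa-kx" }'
}

# Reads nginx configuration text on stdin and audits the value of every
# active (not commented out) ssl_ciphers directive.
audit_conf() {
    sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]][[:space:]]*\([^;]*\);.*$/\1/p' |
    while IFS= read -r value; do
        weak_cipher_tokens "$value"
    done
}

# Constructed sample: the ssl_ciphers line this guide adds to nginx.conf.
sample_conf() {
    cat <<'EOF'
http {
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    # ssl_ciphers RSA+3DES;
}
EOF
}

sample_conf | audit_conf
```

An empty result means no flagged token is enabled; explicit suite names such as ECDHE-RSA-AES256-GCM-SHA384 pass because RSA there is the authentication method, not the key exchange.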

6. References

- Installation Nginx Ubuntu 20.04 (https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-20-04)
- Installation Nginx Self-Signed SSL Ubuntu 18.04 (https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04)
- Installation Nginx HTTP2 Ubuntu 18.04 (https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-with-http-2-support-on-ubuntu-18-04)