LibrePages
/
conductor
3
0
Fork 0
Code Issues 3 Pull Requests Packages Projects Releases Wiki Activity

Nginx + bind9 + letsencrypt #1

New Issue
Open
opened 2022-12-06 06:39:51 +05:30 by realaravinth · 3 comments
realaravinth commented 2022-12-06 06:39:51 +05:30
Owner
Copy Link
No description provided.
realaravinth commented 2022-12-12 21:33:48 +05:30
Author
Owner
Copy Link

Diff: ccb9f0f046...0507baf964

Summary:

  1. Deploy new site: generate configuration file and stores it in /etc/librepages/nginx/sites-available and symlinks to /etc/librepages/nginx/sites-enabled. Nginx's configuration must be modified to include /etc/librepages/nginx/sites-enabled and the above directories must be created during installation:
  mkdir -p  /etc/librepages/nginx/sites-available
  mkdir -p  /etc/librepages/nginx/sites-enabled/
  - sed -i "s%include \/etc\/nginx\/sites-enabled%include \/etc\/librepages\/nginx\/sites-enabled%" /etc/nginx/nginx.conf

  1. Configuration change event now includes default hostname assigned by LibrePages system. Please see here for more info.

  2. Setup nginx in CI to run integration tests

  3. Delete site

Diff: https://git.batsense.net/LibrePages/conductor/compare/ccb9f0f0464ef1314578d9cedd73897bf3c43a29...0507baf9647164b2c5ff1bb45c85076d62683887 ## Summary: 1. Deploy new site: generate configuration file and stores it in `/etc/librepages/nginx/sites-available` and symlinks to `/etc/librepages/nginx/sites-enabled`. Nginx's configuration must be modified to include `/etc/librepages/nginx/sites-enabled` and the above directories must be created during installation: ```bash mkdir -p /etc/librepages/nginx/sites-available mkdir -p /etc/librepages/nginx/sites-enabled/ - sed -i "s%include \/etc\/nginx\/sites-enabled%include \/etc\/librepages\/nginx\/sites-enabled%" /etc/nginx/nginx.conf ``` 2. Configuration change event now includes default hostname assigned by LibrePages system. Please see [here](https://git.batsense.net/LibrePages/conductor/commit/10c50969ba97214bbba921bf8e8771289015fa80) for more info. 3. Setup nginx in CI to run integration tests 4. Delete site
realaravinth added spent time 2022-12-12 21:34:35 +05:30
8 hours
realaravinth commented 2022-12-12 21:58:42 +05:30
Author
Owner
Copy Link

Evaluate self-hosted acme certificate authorities for development.

  1. letsencrypt/boulder: the certificate authority that LE uses. Difficult to use for testing.
  2. smallstep/certificates: seems popular and fully functional but doesn't support custom DNS server, which is essential to test nginx+bind+LE setup
  3. letsencrypt/pebble: supports custom DNS, built for testing purposes only.

More implementations are available here but for now, I'll try to set up pebble and see how it goes

Evaluate self-hosted acme certificate authorities for development. 1. [letsencrypt/boulder](https://github.com/letsencrypt/boulder/): the certificate authority that LE uses. Difficult to use for testing. 2. [smallstep/certificates](https://github.com/smallstep/certificates): seems popular and fully functional but doesn't support custom DNS server, which is essential to test `nginx+bind+LE` setup 3. [letsencrypt/pebble](https://github.com/letsencrypt/pebble): supports custom DNS, built for testing purposes only. More implementations are available [here](https://github.com/topics/certificate-authority) but for now, I'll try to set up pebble and see how it goes
realaravinth added spent time 2022-12-12 21:58:47 +05:30
1 hour
realaravinth commented 2022-12-13 20:57:40 +05:30
Author
Owner
Copy Link

Taught myself bind9 and a bit of Ansible:

Resources:

  1. Bind9 official documentation
  2. Debian Wiki: Bind9 page
  3. TSIG
  4. Bind Hardening guides:
    1. https://www.debian.org/doc/manuals/securing-debian-manual/sec-bind.en.html
    2. https://security-24-7.com/hardening-guide-for-bind9-debian-platform/
    3. https://kb.isc.org/docs/bind-best-practices-authoritative

I also explored PowerDNS a bit. It supports updates through a web
interface. I'll switch to PowerDNS if Bind9 is difficult to work with.

LibrePages will need GeoIP and DDNS. I'm not sure how GeoIP updates can
be made with DDNS.

Taught myself bind9 and a bit of Ansible: ## Resources: 1. [Bind9 official documentation](https://bind9.readthedocs.io/en/latest/) 2. [Debian Wiki: Bind9 page](https://wiki.debian.org/Bind9) 3. [TSIG](http://www.grok.org.uk/docs/tsig.html) 4. Bind Hardening guides: 1. https://www.debian.org/doc/manuals/securing-debian-manual/sec-bind.en.html 2. https://security-24-7.com/hardening-guide-for-bind9-debian-platform/ 3. https://kb.isc.org/docs/bind-best-practices-authoritative I also explored PowerDNS a bit. It supports updates through a web interface. I'll switch to PowerDNS if Bind9 is difficult to work with. LibrePages will need GeoIP and DDNS. I'm not sure how GeoIP updates can be made with DDNS.
realaravinth added spent time 2022-12-13 20:57:47 +05:30
9 hours
realaravinth added spent time 2022-12-15 00:24:09 +05:30
4 hours
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
bearer-auth
tracing
feat-nginx
feat-publish-bins
http-auth
min-libconductor
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Total Time Spent: 22 hours
realaravinth
22 hours
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: LibrePages/conductor#1
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?