Nginx + bind9 + letsencrypt #1

Open
opened 2022-12-06 06:39:51 +05:30 by realaravinth · 3 comments
No description provided.
realaravinth (Author, Owner) commented:

Diff: https://git.batsense.net/LibrePages/conductor/compare/ccb9f0f0464ef1314578d9cedd73897bf3c43a29...0507baf9647164b2c5ff1bb45c85076d62683887

Summary:

  1. Deploy new site: generates a configuration file, stores it in `/etc/librepages/nginx/sites-available` and symlinks it into `/etc/librepages/nginx/sites-enabled`. Nginx's configuration must be modified to include `/etc/librepages/nginx/sites-enabled`, and the above directories must be created during installation:

  ```bash
  mkdir -p /etc/librepages/nginx/sites-available
  mkdir -p /etc/librepages/nginx/sites-enabled/
  sed -i "s%include \/etc\/nginx\/sites-enabled%include \/etc\/librepages\/nginx\/sites-enabled%" /etc/nginx/nginx.conf
  ```

  2. Configuration change event now includes the default hostname assigned by the LibrePages system. Please see [here](https://git.batsense.net/LibrePages/conductor/commit/10c50969ba97214bbba921bf8e8771289015fa80) for more info.

  3. Set up nginx in CI to run integration tests

  4. Delete site
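As an added example (not conductor's code and not from the issue author), the install-time setup plus the deploy and delete steps listed in the comment above, written as bash functions. Assumptions are mine: `LP_PREFIX` lets the functions run against a scratch root instead of the real `/etc`, the site document root is passed as a second argument, and the shape of the generated `server` block is a placeholder since the issue does not show conductor's own. The hostname check is the caveat a reviewer would want here: the hostname becomes a filename under `sites-available`, so anything that is not a plain lowercase DNS name is refused before any path is built.

```bash
#!/usr/bin/env bash
# Added example, not LibrePages/conductor code: install-time setup plus
# deploy/delete of one site's nginx config in the layout described above.
# LP_PREFIX is an assumed knob so the functions can be exercised against a
# scratch directory instead of the real /etc (empty prefix = real system).
set -euo pipefail

lp_paths() {
  LP_AVAILABLE="${LP_PREFIX:-}/etc/librepages/nginx/sites-available"
  LP_ENABLED="${LP_PREFIX:-}/etc/librepages/nginx/sites-enabled"
  NGINX_CONF="${LP_PREFIX:-}/etc/nginx/nginx.conf"
}

# The hostname becomes a filename under sites-available, so it must be a
# plain lowercase DNS name (RFC 1123 labels, <= 253 chars): no '/', no
# '..', no uppercase. Rejecting here closes the path-traversal hole.
lp_valid_hostname() {
  local h="$1"
  [ "${#h}" -le 253 ] || return 1
  printf '%s' "$h" |
    grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Test the config before reloading so a broken generated file cannot take
# the other sites down; skipped when LP_PREFIX points at a scratch root.
lp_reload() {
  [ -z "${LP_PREFIX:-}" ] && command -v nginx >/dev/null 2>&1 || return 0
  nginx -t && nginx -s reload
}

# Installation step: create the directories and repoint nginx.conf's
# include from /etc/nginx/sites-enabled to the LibrePages directory
# (same edit as the issue's sed, but idempotent and written via a temp file).
lp_install() {
  lp_paths
  mkdir -p "$LP_AVAILABLE" "$LP_ENABLED"
  if grep -q 'include /etc/nginx/sites-enabled' "$NGINX_CONF"; then
    sed 's%include /etc/nginx/sites-enabled%include /etc/librepages/nginx/sites-enabled%' \
      "$NGINX_CONF" >"$NGINX_CONF.tmp"
    mv -f "$NGINX_CONF.tmp" "$NGINX_CONF"
  fi
}

# Deploy: write the server block to a temp file in the same directory,
# rename it into place (atomic), then symlink it into sites-enabled.
# The server block shape is assumed; conductor's own is not shown in the issue.
lp_deploy_site() {
  local host="$1" root="$2" tmp
  lp_paths
  lp_valid_hostname "$host" || { echo "refusing hostname: $host" >&2; return 1; }
  mkdir -p "$LP_AVAILABLE" "$LP_ENABLED"
  tmp="$(mktemp "${LP_AVAILABLE}/.${host}.XXXXXX")"
  cat >"$tmp" <<EOF
server {
    listen 80;
    server_name ${host};
    root ${root};
    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
  mv -f "$tmp" "${LP_AVAILABLE}/${host}"
  ln -sfn "${LP_AVAILABLE}/${host}" "${LP_ENABLED}/${host}"
  lp_reload
}

# Delete: remove the symlink and the config, with the same hostname check first.
lp_delete_site() {
  local host="$1"
  lp_paths
  lp_valid_hostname "$host" || { echo "refusing hostname: $host" >&2; return 1; }
  rm -f "${LP_ENABLED}/${host}" "${LP_AVAILABLE}/${host}"
  lp_reload
}

# Usage (as root, against the real system):
#   lp_install
#   lp_deploy_site example.librepages.test /var/www/example
#   lp_delete_site example.librepages.test
```

Writing the config via `mktemp` plus `mv` in the same directory means nginx never sees a half-written file on reload, and `ln -sfn` keeps the deploy step safe to re-run for an existing site.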
realaravinth added spent time 2022-12-12 21:34:35 +05:30
8 hours
realaravinth (Author, Owner) commented:

Evaluate self-hosted ACME certificate authorities for development.

  1. [letsencrypt/boulder](https://github.com/letsencrypt/boulder/): the certificate authority that LE uses. Difficult to use for testing.
  2. [smallstep/certificates](https://github.com/smallstep/certificates): seems popular and fully functional, but doesn't support a custom DNS server, which is essential to test the `nginx+bind+LE` setup.
  3. [letsencrypt/pebble](https://github.com/letsencrypt/pebble): supports custom DNS; built for testing purposes only.

More implementations are available [here](https://github.com/topics/certificate-authority), but for now I'll try to set up pebble and see how it goes.
realaravinth added spent time 2022-12-12 21:58:47 +05:30
1 hour
realaravinth (Author, Owner) commented:

Taught myself bind9 and a bit of Ansible.

## Resources:

  1. [Bind9 official documentation](https://bind9.readthedocs.io/en/latest/)
  2. [Debian Wiki: Bind9 page](https://wiki.debian.org/Bind9)
  3. [TSIG](http://www.grok.org.uk/docs/tsig.html)
  4. Bind hardening guides:
     1. https://www.debian.org/doc/manuals/securing-debian-manual/sec-bind.en.html
     2. https://security-24-7.com/hardening-guide-for-bind9-debian-platform/
     3. https://kb.isc.org/docs/bind-best-practices-authoritative

I also explored PowerDNS a bit. It supports updates through a web interface. I'll switch to PowerDNS if Bind9 is difficult to work with.

LibrePages will need GeoIP and DDNS. I'm not sure how GeoIP updates can be made with DDNS.
realaravinth added spent time 2022-12-13 20:57:47 +05:30
9 hours
realaravinth added spent time 2022-12-15 00:24:09 +05:30
4 hours
Total time spent: 22 hours
Reference: LibrePages/conductor#1