466 lines
47 KiB
XML
466 lines
47 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
|
|
<title> - self-hosting</title>
|
|
<link href="https://librepages.org/tags/self-hosting/atom.xml" rel="self" type="application/atom+xml"/>
|
|
<link href="https://librepages.org"/>
|
|
<generator uri="https://www.getzola.org/">Zola</generator>
|
|
<updated>2022-12-31T00:00:00+00:00</updated>
|
|
<id>https://librepages.org/tags/self-hosting/atom.xml</id>
|
|
<entry xml:lang="en">
|
|
<title>December 2022 Monthly Report</title>
|
|
<published>2022-12-31T00:00:00+00:00</published>
|
|
<updated>2022-12-31T00:00:00+00:00</updated>
|
|
<link href="https://librepages.org/blog/december-2022-monthly-report/" type="text/html"/>
|
|
<id>https://librepages.org/blog/december-2022-monthly-report/</id>
|
|
<content type="html"><p>These past couple of months have been very busy interesting, LibrePages
|
|
went from being a simple <code>git pull</code> webhook to fully-fledged platform
|
|
that can deploy static sites from <em>any</em> Git forge.</p>
|
|
<p>This month, the following things were accomplished:</p>
|
|
<h2 id="1-deploy-site-from-dashboard">1. Deploy site from dashboard<a class="zola-anchor" href="#1-deploy-site-from-dashboard" aria-label="Anchor link for: 1-deploy-site-from-dashboard"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h2>
|
|
<p>It is now possible to deploy and manage websites with log inspection
|
|
right from the dashboard. LibrePages will automatically assign a
|
|
randomly generated, but friendly-sounding subdomain on a domain that the
|
|
LibrePages system manages. It is also possible to inspect deployment
|
|
events, like site updates, to troubleshoot errors in the deployment
|
|
pipelines.</p>
|
|
<p>Custom domain support isn't available at the moment but will be
|
|
implemented soon.</p>
|
|
<h2 id="2-forms-support">2. Forms support<a class="zola-anchor" href="#2-forms-support" aria-label="Anchor link for: 2-forms-support"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h2>
|
|
<p>Forms are useful but creating a separate backed or relying on
|
|
privacy-invasive tech like Google Forms is very inconvenient. Popular
|
|
JAMStack platforms like Netlify provide forms support, so we thought
|
|
implementing forms support will be useful.</p>
|
|
<p>LibrePages Forms is a <a href="https://git.batsense.net/LibrePages/forms">separate
|
|
service</a> that can be
|
|
integrated into the system. It accepts form submissions in both JSON and
|
|
<code>application/x-www-form-urlencode</code>. Adding it to your
|
|
LibrePages-deployed website is very simple, please see
|
|
<a href="https://docs.librepages.org/forms/add/">here</a> for instructions.</p>
|
|
<h2 id="3-forgejo-and-gitea-integration">3. Forgejo and Gitea integration<a class="zola-anchor" href="#3-forgejo-and-gitea-integration" aria-label="Anchor link for: 3-forgejo-and-gitea-integration"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h2>
|
|
<p>LibrePages exposes an endpoint which users can call to update their
|
|
deployments. This allows us to support all types of Git-based forges. In
|
|
addition to the endpoint, we now expose a webhook that is compatible
|
|
with Forgejo and Gitea. This way, the deployment will automatically be
|
|
updated when a push event is received at the deployed branch, without the
|
|
user (or their CI) requiring to call the endpoint.</p>
|
|
<h2 id="4-sysadmin-logging-and-debugging">4. Sysadmin: logging and debugging<a class="zola-anchor" href="#4-sysadmin-logging-and-debugging" aria-label="Anchor link for: 4-sysadmin-logging-and-debugging"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h2>
|
|
<p>LibrePages is complicated system made of multiple services. It also uses
|
|
several third-party applications, like Nginx, to serve websites.
|
|
Debugging an issue that affecting multiple services used be complicated
|
|
but LibrePages now includes instrumentation to monitor with
|
|
<a href="https://prometheus.io">Prometheus</a> and provides distributed tracing via
|
|
OpenTelemetry-based based utilities like <a href="https://www.jaegertracing.io/">Jagger</a>.</p>
|
|
<h2 id="5-nginx-bind-and-let-s-encrypt">5. Nginx, bind and Let's Encrypt<a class="zola-anchor" href="#5-nginx-bind-and-let-s-encrypt" aria-label="Anchor link for: 5-nginx-bind-and-let-s-encrypt"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h2>
|
|
<p>LibrePages is modular, it can be integrated into any existing system,
|
|
like <a href="https://gna.org">Gna!</a> and <a href="https://enough.community/">Enough
|
|
Community</a> to provide static site hosting. We
|
|
do this using
|
|
<a href="https://git.batsense.net/LibrePages/conductor">Conductor</a>, which allows
|
|
LibrePages to integrate with multiple DNS servers/providers, reverse
|
|
proxies and other third-party applications that LibrePages would depend
|
|
on.</p>
|
|
<p>Currently, we are working on supporting a system based on Nginx, Bind9 and Let's Encrypt.</p>
|
|
<h2 id="6-infrastructure-as-code">6. Infrastructure-as-Code<a class="zola-anchor" href="#6-infrastructure-as-code" aria-label="Anchor link for: 6-infrastructure-as-code"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h2>
|
|
<p><a href="https://git.batsense.net/LibrePages/Infrastructure-as-Code">Infrastructure as code to deploy the full
|
|
system</a> is
|
|
being worked on. So far, we've implemented deploying a Debian server
|
|
using Terraform and libvirt. Installing and and configuring LibrePages
|
|
is being worked on.</p>
|
|
<h2 id="thanks">Thanks<a class="zola-anchor" href="#thanks" aria-label="Anchor link for: thanks"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h2>
|
|
<p>I would like to thank the <a href="https://www.easter-eggs.com/">Easter-eggs</a>
|
|
for funding team for funding <a href="https://forum.gna.org/t/5-000-contract-aravinth-manivannan-easter-eggs/58">my work on
|
|
LibrePages</a> &lt;3</p>
|
|
</content>
|
|
</entry>
|
|
<entry xml:lang="en">
|
|
<title>How to deploy a website WITHOUT LibrePages</title>
|
|
<published>2022-09-10T00:00:00+00:00</published>
|
|
<updated>2022-09-10T00:00:00+00:00</updated>
|
|
<link href="https://librepages.org/blog/2022-09-10-how-to-publish-website-without-librepages/" type="text/html"/>
|
|
<id>https://librepages.org/blog/2022-09-10-how-to-publish-website-without-librepages/</id>
|
|
<content type="html"><p>In this <del>blog post</del> tutorial, I'll show you how to deploy a personal
|
|
website. LibrePages automates everything that is discussed in this
|
|
tutorial and lets you focus on creating content. Automation is good
|
|
but knowing how to do it manually using industry standard
|
|
technologies always helps!</p>
|
|
<p>We will be using the following technologies to deploy our website:</p>
|
|
<ol>
|
|
<li><a href="https://debian.org">GNU/Linux server(Debian)</a></li>
|
|
<li><a href="https://www.nginx.com/">Nginx</a> (webs server)</li>
|
|
<li><a href="https://letsencrypt.org/">Let's Encrypt</a> (for HTTPS)</li>
|
|
</ol>
|
|
<p>Let's get started!</p>
|
|
<h2 id="1-setup-debian-gnu-linux">1. Setup Debian GNU/Linux<a class="zola-anchor" href="#1-setup-debian-gnu-linux" aria-label="Anchor link for: 1-setup-debian-gnu-linux"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h2>
|
|
<p>We are going to start with a fresh GNU/Linux installation, you could get
|
|
one from a cloud provider like <a href="https://www.digitalocean.com">Digital
|
|
Ocean</a> (not affiliated).</p>
|
|
<h3 id="1-1-give-your-account-sudo-privileges">1.1) Give your account <code>sudo</code> privileges<a class="zola-anchor" href="#1-1-give-your-account-sudo-privileges" aria-label="Anchor link for: 1-1-give-your-account-sudo-privileges"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h3>
|
|
<p>On GNU/Linux systems, the <code>root</code> account is the most powerful user account.
|
|
It is good practice to avoid working as <code>root</code> since a careless mistake
|
|
could wipe the entire system out.</p>
|
|
<p><code>sudo</code> give the ability to execute commands with <code>root</code> capabilities
|
|
from a lower-privileged account. Let's make our account sudo capable:</p>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">su </span><span style="color:#65737e;"># become root
|
|
</span><span>
|
|
</span><span style="color:#65737e;"># add `realaravinth`, my account` to `sudo` group to be able to use `sudo`
|
|
</span><span style="color:#bf616a;">usermod -aG</span><span> sudo realaravinth </span><span style="color:#65737e;"># my account is called `realaravinth`, replace it with yours
|
|
</span><span style="color:#96b5b4;">exit
|
|
</span><span style="color:#bf616a;">$</span><span> exit
|
|
</span></code></pre>
|
|
<p>Log out and log back in.</p>
|
|
<h3 id="1-2-install-and-setup-firewall-ufw">1.2) Install and setup firewall(<code>ufw</code>)<a class="zola-anchor" href="#1-2-install-and-setup-firewall-ufw" aria-label="Anchor link for: 1-2-install-and-setup-firewall-ufw"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h3>
|
|
<p><a href="https://wiki.ubuntu.com/UncomplicatedFirewall">Uncomplicated
|
|
Firewall(<code>ufw</code>)</a> is a
|
|
popular firewall that is easy to set up and maintain. For most
|
|
installations, this should be enough. System administrators use
|
|
firewalls to open only the ports that they think should receive traffic
|
|
from external networks. Without it, all ports will be open, causing a
|
|
security nightmare.</p>
|
|
<p>We will require standard SSH (22), and the standard web ports (80 and
|
|
443). A comprehensive list of services and the list of ports the listen
|
|
on is available at <code>/etc/services</code>.</p>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo apt update &amp;&amp; </span><span style="color:#bf616a;">apt</span><span> upgrade </span><span style="color:#65737e;"># update system
|
|
</span><span style="color:#bf616a;">$</span><span> sudo apt install ufw </span><span style="color:#65737e;"># we are using `ufw` for the firewall
|
|
</span><span style="color:#bf616a;">$</span><span> sudo ufw allow ssh </span><span style="color:#65737e;"># allow SSH traffic on port 22, required to log into the server
|
|
</span><span style="color:#bf616a;">$</span><span> sudo ufw enable </span><span style="color:#65737e;"># deploy firewall
|
|
</span></code></pre>
|
|
<h3 id="1-3-secure-ssh">1.3) Secure SSH<a class="zola-anchor" href="#1-3-secure-ssh" aria-label="Anchor link for: 1-3-secure-ssh"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h3>
|
|
<p>SSH allows remote access to our servers over secure, encrypted channels.
|
|
By default, users can log in with their password using SSH. But password
|
|
authentication <a href="https://wiki.archlinux.org/title/OpenSSH#Protecting_against_brute_force_attacks">is susceptible to brute force
|
|
attacks</a>,
|
|
so we should <a href="https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication">disable password logins on our server and only allow
|
|
public-key authentication
|
|
only</a>.</p>
|
|
<h3 id="1-3-1-generate-key-pair">1.3.1) Generate key pair<a class="zola-anchor" href="#1-3-1-generate-key-pair" aria-label="Anchor link for: 1-3-1-generate-key-pair"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h3>
|
|
<p>On your local computer, generate an SSH key pair:</p>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> ssh-keygen
|
|
</span><span style="color:#bf616a;">Generating</span><span> public/private rsa key pair.
|
|
</span><span style="color:#bf616a;">Enter</span><span> file in which to save the key (/home/realaravinth/.ssh/id_rsa)</span><span style="color:#96b5b4;">:
|
|
</span><span style="color:#bf616a;">Enter</span><span> passphrase (empty for no passphrase)</span><span style="color:#96b5b4;">:
|
|
</span><span style="color:#bf616a;">Enter</span><span> same passphrase again:
|
|
</span><span style="color:#bf616a;">Your</span><span> identification has been saved in /home/realaravinth/.ssh/id_rsa
|
|
</span><span style="color:#bf616a;">Your</span><span> public key has been saved in /home/realaravinth/.ssh/id_rsa.pub
|
|
</span><span style="color:#bf616a;">The</span><span> key fingerprint is:
|
|
</span><span style="color:#bf616a;">SHA256:i2DE1b9BQb9DqV0r6O9MfPeVqUwfww1/T8wIXL2Xqdo</span><span> realaravinth@myserver.com
|
|
</span><span style="color:#bf616a;">The</span><span> key&#39;</span><span style="color:#a3be8c;">s random art image is:
|
|
</span><span style="color:#a3be8c;">+---[RSA 3072]----+
|
|
</span><span style="color:#a3be8c;">| .. .o. |
|
|
</span><span style="color:#a3be8c;">| . . . .. . . |
|
|
</span><span style="color:#a3be8c;">| o o + o .|
|
|
</span><span style="color:#a3be8c;">| . o* + .+|
|
|
</span><span style="color:#a3be8c;">| o S ooB o+.|
|
|
</span><span style="color:#a3be8c;">| . . . o.. +o*=|
|
|
</span><span style="color:#a3be8c;">| . . . ooo*X|
|
|
</span><span style="color:#a3be8c;">| +=.ooB|
|
|
</span><span style="color:#a3be8c;">| o+E .o|
|
|
</span><span style="color:#a3be8c;">+----[SHA256]-----+
|
|
</span></code></pre>
|
|
<p>Set a strong password the program prompts for one and save it somewhere
|
|
safe. Your public key will be at <code>~/.ssh/id_rsa.pub</code> and your private key at
|
|
<code>~/.ssh/id_rsa</code>. <strong>Never share the private key with anyone</strong>.</p>
|
|
<h3 id="1-3-2-setup-public-key-authentication">1.3.2) Setup public-key authentication<a class="zola-anchor" href="#1-3-2-setup-public-key-authentication" aria-label="Anchor link for: 1-3-2-setup-public-key-authentication"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h3>
|
|
<p>We have to copy the public key that we generated in the previous setup
|
|
onto our server:</p>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> ssh-copy-id</span><span style="color:#bf616a;"> -i ~</span><span>/.ssh/id_rsa.pub myserver.com
|
|
</span><span style="color:#bf616a;">/usr/bin/ssh-copy-id:</span><span> INFO: Source of key(s) </span><span style="color:#bf616a;">to</span><span> be installed: &quot;</span><span style="color:#a3be8c;">/home/realaravinth/.ssh/id_rsa.pub</span><span>&quot;
|
|
</span><span style="color:#bf616a;">/usr/bin/ssh-copy-id:</span><span> INFO: attempting to log in with the new key(s)</span><span style="color:#bf616a;">,</span><span> to filter out any that are already installed
|
|
</span><span style="color:#bf616a;">/usr/bin/ssh-copy-id:</span><span> INFO: 1 key(s) </span><span style="color:#bf616a;">remain</span><span> to be installed -- if you are prompted now it is to install the new keys
|
|
</span><span style="color:#bf616a;">realaravinth@myserver.com</span><span>&#39;</span><span style="color:#a3be8c;">s password:
|
|
</span><span style="color:#a3be8c;">
|
|
</span><span style="color:#a3be8c;">Number of key(s) added: 1
|
|
</span><span style="color:#a3be8c;">
|
|
</span><span style="color:#a3be8c;">Now try logging into the machine, with: &quot;ssh </span><span>&#39;</span><span style="color:#bf616a;">myserver.com</span><span>&#39;</span><span style="color:#a3be8c;">&quot;
|
|
</span><span style="color:#a3be8c;">and check to make sure that only the key(s) you wanted were added.
|
|
</span></code></pre>
|
|
<h3 id="1-3-3-disable-ssh-password-authentication">1.3.3) Disable SSH password authentication<a class="zola-anchor" href="#1-3-3-disable-ssh-password-authentication" aria-label="Anchor link for: 1-3-3-disable-ssh-password-authentication"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h3>
|
|
<blockquote>
|
|
<p><strong>NOTE: Verify you can log into your account before proceeding</strong></p>
|
|
</blockquote>
|
|
<p>Now that we have a private-key authentication setup on both the client and
|
|
the server, let's disable password authentication on the server:</p>
|
|
<p>Open <code>/etc/ssh/sshd_config</code> and add the following lines:</p>
|
|
<pre style="background-color:#2b303b;color:#c0c5ce;"><code><span>PubkeyAuthentication yes
|
|
</span><span>PasswordAuthentication no
|
|
</span></code></pre>
|
|
<p>And restart the SSH server:</p>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo systemctl restart sshd
|
|
</span></code></pre>
|
|
<h3 id="1-3-install-and-setup-fail2ban">1.3) Install and setup <code>fail2ban</code><a class="zola-anchor" href="#1-3-install-and-setup-fail2ban" aria-label="Anchor link for: 1-3-install-and-setup-fail2ban"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h3>
|
|
<p>We will be using
|
|
<a href="https://www.fail2ban.org/wiki/index.php/Main_Page"><code>fail2ban</code></a> for
|
|
intrusion prevention by blacklisting entities (users, bots, etc.) based
|
|
on failed login attempts.</p>
|
|
<h4 id="1-3-1-install-fail2ban">1.3.1) Install <code>fail2ban</code><a class="zola-anchor" href="#1-3-1-install-fail2ban" aria-label="Anchor link for: 1-3-1-install-fail2ban"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h4>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo apt install fail2ban
|
|
</span></code></pre>
|
|
<h4 id="1-3-2-enable-fail2ban-for-sshd">1.3.2) Enable <code>fail2ban</code> for <code>sshd</code><a class="zola-anchor" href="#1-3-2-enable-fail2ban-for-sshd" aria-label="Anchor link for: 1-3-2-enable-fail2ban-for-sshd"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h4>
|
|
<p>Open <code>fail2ban</code> configuration at <code>/etc/fail2ban/jail.conf</code> and add the following lines:</p>
|
|
<pre data-lang="yml" style="background-color:#2b303b;color:#c0c5ce;" class="language-yml "><code class="language-yml" data-lang="yml"><span>[</span><span style="color:#a3be8c;">sshd</span><span>]
|
|
</span><span style="color:#a3be8c;">enabled = true
|
|
</span></code></pre>
|
|
<h4 id="1-3-3-configure-fail2ban-to-start-on-boot">1.3.3) Configure <code>fail2ban</code> to start on boot<a class="zola-anchor" href="#1-3-3-configure-fail2ban-to-start-on-boot" aria-label="Anchor link for: 1-3-3-configure-fail2ban-to-start-on-boot"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h4>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo systemctl enable fail2ban
|
|
</span><span style="color:#bf616a;">$</span><span> sudo systemctl start fail2ban
|
|
</span></code></pre>
|
|
<h3 id="1-4-install-and-setup-nginx">1.4) Install and setup <code>nginx</code><a class="zola-anchor" href="#1-4-install-and-setup-nginx" aria-label="Anchor link for: 1-4-install-and-setup-nginx"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h3>
|
|
<p><code>nginx</code> is a popular web server that can be used to serve static sites.
|
|
It is fast, stable, and easy to set up.</p>
|
|
<p>To install, run the following command:</p>
|
|
<h4 id="1-4-1-install-nginx">1.4.1) Install <code>nginx</code>:<a class="zola-anchor" href="#1-4-1-install-nginx" aria-label="Anchor link for: 1-4-1-install-nginx"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h4>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo apt install nginx
|
|
</span></code></pre>
|
|
<h4 id="1-4-2-allow-web-traffic-open-ports-80-and-443">1.4.2) Allow web traffic: open ports <code>80</code> and <code>443</code><a class="zola-anchor" href="#1-4-2-allow-web-traffic-open-ports-80-and-443" aria-label="Anchor link for: 1-4-2-allow-web-traffic-open-ports-80-and-443"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h4>
|
|
<p>Ports <code>80</code> is the default for HTTP and <code>443</code> for HTTPS. To serve
|
|
web traffic, we'll have to Configure <code>ufw</code> to accept traffic on them:</p>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo ufw allow 80 </span><span style="color:#65737e;"># open ports 80 HTTP traffic
|
|
</span><span style="color:#bf616a;">$</span><span> sudo ufw allow 443 </span><span style="color:#65737e;"># open ports 443 for HTTPS traffic
|
|
</span></code></pre>
|
|
<h4 id="1-4-2-configure-nginx-to-start-on-boot">1.4.2) Configure <code>nginx</code> to start on boot<a class="zola-anchor" href="#1-4-2-configure-nginx-to-start-on-boot" aria-label="Anchor link for: 1-4-2-configure-nginx-to-start-on-boot"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h4>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo systemctl enable nginx </span><span style="color:#65737e;"># automatically start nginx on boot
|
|
</span><span style="color:#bf616a;">$</span><span> sudo systemctl start nginx </span><span style="color:#65737e;"># start nginx server
|
|
</span></code></pre>
|
|
<p>And verify it works:</p>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> curl localhost
|
|
</span><span>&lt;!DOCTYPE </span><span style="color:#bf616a;">html</span><span>&gt;
|
|
</span><span>&lt;html&gt;
|
|
</span><span>&lt;head&gt;
|
|
</span><span>&lt;title&gt;Welcome </span><span style="color:#bf616a;">to</span><span> nginx!&lt;/title&gt;
|
|
</span><span>&lt;style&gt;
|
|
</span><span> </span><span style="color:#bf616a;">body </span><span>{
|
|
</span><span> width: 35em;
|
|
</span><span> margin: 0 auto;
|
|
</span><span> font-family: Tahoma, Verdana, Arial, sans-serif;
|
|
</span><span> }
|
|
</span><span>&lt;/style&gt;
|
|
</span><span>&lt;/head&gt;
|
|
</span><span>&lt;body&gt;
|
|
</span><span>&lt;h1&gt;Welcome </span><span style="color:#bf616a;">to</span><span> nginx!&lt;/h1&gt;
|
|
</span><span>&lt;p&gt;If </span><span style="color:#bf616a;">you</span><span> see this page, the nginx web server is successfully installed and
|
|
</span><span style="color:#bf616a;">working.</span><span> Further configuration is required.&lt;/p&gt;
|
|
</span><span>
|
|
</span><span>&lt;p&gt;For </span><span style="color:#bf616a;">online</span><span> documentation and support please refer to
|
|
</span><span>&lt;a </span><span style="color:#bf616a;">href</span><span>=&quot;</span><span style="color:#a3be8c;">http://nginx.org/</span><span>&quot;&gt;nginx.org&lt;/a&gt;.&lt;br/&gt;
|
|
</span><span style="color:#bf616a;">Commercial</span><span> support is available at
|
|
</span><span>&lt;a </span><span style="color:#bf616a;">href</span><span>=&quot;</span><span style="color:#a3be8c;">http://nginx.com/</span><span>&quot;&gt;nginx.com&lt;/a&gt;.&lt;/p&gt;
|
|
</span><span>
|
|
</span><span>&lt;p&gt;&lt;em&gt;Thank </span><span style="color:#bf616a;">you</span><span> for using nginx.&lt;/em&gt;&lt;/p&gt;
|
|
</span><span>&lt;/body&gt;
|
|
</span><span>&lt;/html&gt;
|
|
</span></code></pre>
|
|
<p><code>nginx</code> is working!</p>
|
|
<h2 id="2-deploy-website">2) Deploy website<a class="zola-anchor" href="#2-deploy-website" aria-label="Anchor link for: 2-deploy-website"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h2>
|
|
<p>For this demo, we'll deploy a single file(<code>index.html</code>)
|
|
HTML website.</p>
|
|
<h3 id="2-1-install-the-webpage-on-the-server">2.1) Install the webpage on the server<a class="zola-anchor" href="#2-1-install-the-webpage-on-the-server" aria-label="Anchor link for: 2-1-install-the-webpage-on-the-server"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h3>
|
|
<p>Edit <code>/var/www/html/index.html</code> and add the following HTML to it:</p>
|
|
<pre data-lang="html" style="background-color:#2b303b;color:#c0c5ce;" class="language-html "><code class="language-html" data-lang="html"><span>&lt;!</span><span style="color:#b48ead;">DOCTYPE </span><span style="color:#d08770;">html</span><span>&gt;
|
|
</span><span>&lt;</span><span style="color:#bf616a;">html</span><span>&gt;
|
|
</span><span> &lt;</span><span style="color:#bf616a;">head</span><span>&gt;
|
|
</span><span> &lt;</span><span style="color:#bf616a;">title</span><span>&gt;My cool website!&lt;/</span><span style="color:#bf616a;">title</span><span>&gt;
|
|
</span><span> &lt;/</span><span style="color:#bf616a;">head</span><span>&gt;
|
|
</span><span> &lt;</span><span style="color:#bf616a;">body</span><span>&gt;
|
|
</span><span> &lt;</span><span style="color:#bf616a;">h1</span><span>&gt;Welcome to my website! o/&lt;/</span><span style="color:#bf616a;">h1</span><span>&gt;
|
|
</span><span> &lt;/</span><span style="color:#bf616a;">body</span><span>&gt;
|
|
</span><span>&lt;/</span><span style="color:#bf616a;">html</span><span>&gt;
|
|
</span></code></pre>
|
|
<p>The webpage should now be available on localhost, and we should see it when we run the following command:</p>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> curl localhost
|
|
</span><span>&lt;!DOCTYPE </span><span style="color:#bf616a;">html</span><span>&gt;
|
|
</span><span>&lt;html&gt;
|
|
</span><span> &lt;head&gt;
|
|
</span><span> &lt;title&gt;My </span><span style="color:#bf616a;">cool</span><span> website!&lt;/title&gt;
|
|
</span><span> &lt;/head&gt;
|
|
</span><span> &lt;body&gt;
|
|
</span><span> &lt;h1&gt;Welcome </span><span style="color:#bf616a;">to</span><span> my website! o/&lt;/h1&gt;
|
|
</span><span> &lt;/body&gt;
|
|
</span><span>&lt;/html&gt;
|
|
</span></code></pre>
|
|
<h3 id="2-2-serve-webpage-on-a-custom-domain">2.2) Serve webpage on a custom domain<a class="zola-anchor" href="#2-2-serve-webpage-on-a-custom-domain" aria-label="Anchor link for: 2-2-serve-webpage-on-a-custom-domain"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h3>
|
|
<h4 id="2-2-1-buy-a-domain-if-you-don-t-own-one-already">2.2.1) Buy a domain if you don't own one already<a class="zola-anchor" href="#2-2-1-buy-a-domain-if-you-don-t-own-one-already" aria-label="Anchor link for: 2-2-1-buy-a-domain-if-you-don-t-own-one-already"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h4>
|
|
<h4 id="2-2-2-go-to-the-domain-s-dns-dashboard-and-add-the-following-record">2.2.2) Go to the domain's DNS dashboard and add the following record<a class="zola-anchor" href="#2-2-2-go-to-the-domain-s-dns-dashboard-and-add-the-following-record" aria-label="Anchor link for: 2-2-2-go-to-the-domain-s-dns-dashboard-and-add-the-following-record"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h4>
|
|
<pre style="background-color:#2b303b;color:#c0c5ce;"><code><span>@ A 300 &lt;your server IP address&gt;
|
|
</span></code></pre>
|
|
<h4 id="2-2-3-setup-nginx-to-serve-the-website-at-http-your-domain">2.2.3) Setup <code>nginx</code> to serve the website at <code>http://&lt;your-domain&gt;</code><a class="zola-anchor" href="#2-2-3-setup-nginx-to-serve-the-website-at-http-your-domain" aria-label="Anchor link for: 2-2-3-setup-nginx-to-serve-the-website-at-http-your-domain"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h4>
|
|
<p>Open <code>/etc/nginx/sites-available/your-domain</code> and add the following:</p>
|
|
<pre style="background-color:#2b303b;color:#c0c5ce;"><code><span>server {
|
|
</span><span> # serve website on port 80
|
|
</span><span> listen [::]:80;
|
|
</span><span> listen 80;
|
|
</span><span>
|
|
</span><span> # write error logs to file
|
|
</span><span> error_log /var/log/nginx/&lt;your-domain&gt;.error.log;
|
|
</span><span> # write access logs to file
|
|
</span><span> access_log /var/log/nginx/&lt;your-domain&gt;.access.log;
|
|
</span><span>
|
|
</span><span> # serve only on this domain:
|
|
</span><span> server_name &lt;your-domain&gt;; # replace me
|
|
</span><span>
|
|
</span><span>
|
|
</span><span> # use files from this directory
|
|
</span><span> root /var/www/html/;
|
|
</span><span>
|
|
</span><span> # remove .html from URL; it is cleaner this way
|
|
</span><span> rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
|
|
</span><span>
|
|
</span><span> # when a request is received, try the index.html in the directory
|
|
</span><span> # or $uri.html
|
|
</span><span> try_files $uri/index.html $uri.html $uri/ $uri =404;
|
|
</span><span>}
|
|
</span></code></pre>
|
|
<p>It is good practice to have all <code>nginx</code> deployment configurations in
|
|
<code>/etc/nginx/sites-available/</code> directory and link production websites to
|
|
`/etc/nginx/sites-enabled directory. Doing so allows you to
|
|
work-in-progress configurations or delete deployments without losing
|
|
the configuration files.</p>
|
|
<p>Let's enable <code>&lt;your-domain&gt;</code></p>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo ln</span><span style="color:#bf616a;"> -s</span><span> /etc/nginx/sites-available/&lt;your-domain&gt; /etc/nginx/sites-enabled/&lt;your-domain&gt;
|
|
</span></code></pre>
|
|
<p>Verify configurations before deploying, <code>nginx</code> has a command
|
|
to do it:</p>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo nginx</span><span style="color:#bf616a;"> -t
|
|
</span></code></pre>
|
|
<p>If there are no errors, reload <code>nginx</code> to deploy the website:</p>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo nginx</span><span style="color:#bf616a;"> -s</span><span> reload
|
|
</span></code></pre>
|
|
<p>Your webpage should now be accessible at <code>http://&lt;your-domain&gt;</code>!</p>
|
|
<h3 id="2-3-install-certbot-to-set-up-https">2.3) Install <code>certbot</code> to set up HTTPS<a class="zola-anchor" href="#2-3-install-certbot-to-set-up-https" aria-label="Anchor link for: 2-3-install-certbot-to-set-up-https"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h3>
|
|
<p>HTTP is insecure. We'll have to set up SSL to serve our website using
|
|
HTTPS. To do that, we will be using <a href="https://letsencrypt.org/">Let's
|
|
Encrypt</a> a popular nonprofit certificate
|
|
authority to get our SSL certificates.</p>
|
|
<p>SSL certificates come with set lifetimes, so we renew them before they expire. The process, when done manually, is demanding: you
|
|
will have to log in every three months and renew the
|
|
certificate. If you fail or forget it, your visitors will see security
|
|
warnings on your website.</p>
|
|
<p>Thankfully, there is a way to automate this process through
|
|
<a href="https://certbot.eff.org/"><code>certbot</code></a></p>
|
|
<h4 id="2-3-1-install-certbot">2.3.1) Install <code>certbot</code><a class="zola-anchor" href="#2-3-1-install-certbot" aria-label="Anchor link for: 2-3-1-install-certbot"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h4>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo apt install certbot python3-certbot-nginx
|
|
</span></code></pre>
|
|
<h4 id="2-3-2-get-a-certificate-for-your-domain">2.3.2) Get a certificate for <code>&lt;your-domain&gt;</code><a class="zola-anchor" href="#2-3-2-get-a-certificate-for-your-domain" aria-label="Anchor link for: 2-3-2-get-a-certificate-for-your-domain"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h4>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo certbot</span><span style="color:#bf616a;"> --nginx -d </span><span>&lt;your-domain&gt;
|
|
</span></code></pre>
|
|
<p><code>certbot</code> will prompt you for an email ID, and ask you to accept their
|
|
terms and conditions, privacy policy, etc. Be sure to read them before
|
|
agreeing to them. It will then try to authenticate your domain ownership
|
|
using the <a href="https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment">ACME
|
|
protocol</a>.
|
|
By configuring the DNS to point to our server and by telling <code>nginx</code> at
|
|
that domain.</p>
|
|
<p>When it has verified ownership, it will automatically issue, deploy the
|
|
certificate on <code>nginx</code> and setup redirects.</p>
|
|
<h4 id="2-3-3-setup-cronjob-to-automate-ssl-certificate-renewals">2.3.3) Setup cronjob to automate SSL certificate renewals<a class="zola-anchor" href="#2-3-3-setup-cronjob-to-automate-ssl-certificate-renewals" aria-label="Anchor link for: 2-3-3-setup-cronjob-to-automate-ssl-certificate-renewals"
|
|
><span class="anchor-icon">#</span></a
|
|
>
|
|
</h4>
|
|
<p>Become root and edit crontab</p>
|
|
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> su
|
|
</span><span style="color:#bf616a;">crontab -e
|
|
</span></code></pre>
|
|
<p>Add the following job and exit:</p>
|
|
<pre style="background-color:#2b303b;color:#c0c5ce;"><code><span>0 */12 * * * certbot -n --nginx renew
|
|
</span></code></pre>
|
|
<p>It will attempt to renew SSL certificates every 12 hours. If a the
|
|
certificate is due for renewal, <code>certbot</code> will go through the ACME
|
|
challenge, get the new certificates and automatically deploy them for
|
|
you.</p>
|
|
<p>Now our GNU/Linux server is configured and ready to serve our website at
|
|
<code>http://&lt;your-website&gt;</code>!</p>
|
|
</content>
|
|
</entry>
|
|
</feed>
|