wiki:WebDienste

Version 3 (modified by Johannes Lode, 5 years ago)


Web Services

Apache

Creating a new vhost with SSL cert and getssl

Configuring Apache and the data directory

  1. log in on Laubfrosch, become root
  2. in the directory /var/www
    1. for a web service:
      create a new directory named after the hostname: mkdir twiki.mtronig.de
    2. for a non-web server (e.g. IMAP, murmur, ...):
      create a symlink to localhost: ln -s localhost murmur.vpn21.net
  3. create the SSL directory
    1. with its own SSL cert, or as the central location for a shared cert:
      create a subdirectory ssl: mkdir -p twiki.mtronig.de/ssl
    2. to join a shared cert:
      create a symlink to the ssl directory of the shared cert's holder: ln -s ../usvn/ssl twiki.mtronig.de/ssl
    3. for a non-web server (e.g. IMAP, murmur, ...) this is handled in localhost.
    The ssl directory (link or physical) must contain the following files for the configuration below; they are created by getssl.sh:
    • ca-bundle.pem
    • server.crt
    • server.key_decrypted
  4. put the web data into the host directory; for a forwarder to another web service via http or https no data goes in here.
    The web data here should belong to the apache user: chown -R apache:apache twiki.mtronig.de.
  5. in the configuration directory /etc/apache2/vhosts.d create a new host configuration following the naming pattern nn-hostname.with.domain.tld.conf. Each vhost gets its own number, which sorts before 99 and also before 78, normally the next free number counting up from 21. The configuration file depends on the properties of the web service, but must in any case contain the SSL configuration parts:
    ### Section 3: Virtual Hosts
    #
    # VirtualHost: If you want to maintain multiple domains/hostnames on your
    # machine you can setup VirtualHost containers for them. Most configurations
    # use only name-based virtual hosts so the server doesn't need to worry about
    # IP addresses. This is indicated by the asterisks in the directives below.
    #
    # Please see the documentation at 
    # <URL:http://httpd.apache.org/docs-2.0/vhosts/>
    # for further details before you try to setup virtual hosts.
    #
    # You may use the command line option '-S' to verify your virtual host
    # configuration.
    
    #
    # Use name-based virtual hosting.
    #
    #NameVirtualHost *:80
    
    #
    # Almost any Apache directive may go into a VirtualHost container.
    # The first VirtualHost section is used for requests without a known
    # server name.
    #
    <VirtualHost *:80>
        ServerName wrp.vpn21.net
        RedirectMatch permanent "^(/(?!.well-known/acme-challenge?).*)" https://wrp.vpn21.net$1
    </VirtualHost>
    
    <VirtualHost *:443>
            ServerName wrp.vpn21.net
    #        SSLProxyEngine On
    #        RequestHeader set Front-End-Https "On"
    
            RequestHeader edit Destination https://wrp.vpn21.net/ http://172.18.2.3:8080/
            ProxyRequests Off
            ProxyPass /.well-known !
            ProxyPass / http://172.18.2.3:8080/
            ProxyPassReverse / http://172.18.2.3:8080/
    
        SSLEngine on
        
        ## Server Certificate:
        # Point SSLCertificateFile at a PEM encoded certificate. If the certificate
        # is encrypted, then you will be prompted for a pass phrase. Note that a 
        # kill -HUP will prompt again. Keep in mind that if you have both an RSA
        # and a DSA certificate you can configure both in parallel (to also allow
        # the use of DSA ciphers, etc.)
        SSLCertificateFile /var/www/wrp.vpn21.net/ssl/server.crt
    
        ## Server Private Key:
        # If the key is not combined with the certificate, use this directive to
        # point at the key file. Keep in mind that if you've both a RSA and a DSA
        # private key you can configure both in parallel (to also allow the use of
        # DSA ciphers, etc.)
        SSLCertificateKeyFile /var/www/wrp.vpn21.net/ssl/server.key_decrypted
    
        ## Server Certificate Chain:
        # Point SSLCertificateChainFile at a file containing the concatenation of 
        # PEM encoded CA certificates which form the certificate chain for the
        # server certificate. Alternatively the referenced file can be the same as
        # SSLCertificateFile when the CA certificates are directly appended to the
        # server certificate for convenience.
        SSLCertificateChainFile /var/www/wrp.vpn21.net/ssl/ca-bundle.pem
    
        Header always add Strict-Transport-Security "max-age=15768000"
    </VirtualHost>
    
  6. restart/reload Apache to apply the configuration
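As an added example (not part of the wiki page), the directory layout from steps 2 and 3, the number choice from step 5 and the file check before step 5 as shell functions. WWW_ROOT and VHOST_DIR are variables introduced here; they default to the paths used above, so the functions can first be tried in a scratch directory and then run as root on the server without any variable set.

```shell
#!/bin/sh
# Added example (not from the wiki page): script the directory layout from steps 2-3,
# pick the next free vhost number from step 5 and check the three files step 3 requires.
# WWW_ROOT and VHOST_DIR default to the paths used on this page; point them at a
# scratch directory to try the functions without touching the server.

# $1 = hostname, $2 = "web" (own content, step 2.1) or "local" (non-web service, step 2.2)
make_vhost_dir() {
  root="${WWW_ROOT:-/var/www}"
  case "$2" in
    web)   mkdir -p "$root/$1" ;;
    local) ln -s localhost "$root/$1" ;;
    *)     echo "usage: make_vhost_dir <host> web|local" >&2; return 1 ;;
  esac
}

# $1 = hostname, $2 = holder of a shared cert (e.g. usvn) or empty for an own ssl directory
make_ssl_dir() {
  root="${WWW_ROOT:-/var/www}"
  if [ -n "$2" ]; then
    ln -s "../$2/ssl" "$root/$1/ssl"      # join the holder's certificate (step 3.2)
  else
    mkdir -p "$root/$1/ssl"               # own or central ssl directory (step 3.1)
  fi
}

# $1 = hostname. Returns 0 only when getssl has delivered all three files Apache needs;
# the -s test follows the symlink of a shared ssl directory.
check_ssl_files() {
  root="${WWW_ROOT:-/var/www}"
  rc=0
  for f in ca-bundle.pem server.crt server.key_decrypted; do
    if [ ! -s "$root/$1/ssl/$f" ]; then
      echo "$1: missing or empty $f" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Print the next free two-digit prefix for a new nn-hostname.conf file:
# counts up from 21 and stops before 78, the first reserved number (step 5).
next_vhost_number() {
  dir="${VHOST_DIR:-/etc/apache2/vhosts.d}"
  n=21
  while [ "$n" -lt 78 ]; do
    nn=$(printf '%02d' "$n")
    set -- "$dir"/"$nn"-*.conf       # glob stays literal when nothing matches
    if [ ! -e "$1" ]; then
      echo "$nn"
      return 0
    fi
    n=$((n + 1))
  done
  echo "no free vhost number below 78 in $dir" >&2
  return 1
}
```

Run check_ssl_files after getssl has delivered and before step 6; a reload with a missing key file takes the whole Apache down, not just the one vhost. The -S option mentioned in the configuration comments lists the vhosts in their final order, which shows whether the chosen number really sorts where it should.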

Setting up getssl

  1. for a web host with its own SSL cert:
    1. change into the directory ~root/.getssl
    2. create the host/domain directory: mkdir twiki.mtronig.de
    3. create the configuration file twiki.mtronig.de/getssl.cfg:
      # Uncomment and modify any variables you need
      # see https://github.com/srvrco/getssl/wiki/Config-variables for details
      # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
      #
      # The staging server is best for testing
      CA="https://acme-staging-v02.api.letsencrypt.org/directory"
      # This server issues full certificates, however has rate limits
      #CA="https://acme-v02.api.letsencrypt.org"
      
      #PRIVATE_KEY_ALG="rsa"
      
      # Additional domains - this could be multiple domains / subdomains in a comma separated list
      # Note: this is Additional domains - so should not include the primary domain.
      #SANS="trac.mtronig.de"
      
      # Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
      # If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
      # An ssh key will be needed to provide you with access to the remote server.
      # Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
      # If left blank, the username on the local server will be used to authenticate against the remote server.
      # If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
      # These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
      # where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
      #ACL=('/var/www/twiki.mtronig.de/web/.well-known/acme-challenge'
      #     'ssh:server5:/var/www/usvn.vpn21.net/web/.well-known/acme-challenge'
      #     'ssh:sshuserid@server5:/var/www/usvn.vpn21.net/web/.well-known/acme-challenge'
      #     'ftp:ftpuserid:ftppassword:usvn.vpn21.net:/web/.well-known/acme-challenge')
      
      #Set USE_SINGLE_ACL="true" to use a single ACL for all checks
      #USE_SINGLE_ACL="false"
      
      # Location for all your certs, these can either be on the server (full path name)
      # or using ssh /sftp as for the ACL
      DOMAIN_CERT_LOCATION="/var/www/twiki.mtronig.de/ssl/server.crt"
      DOMAIN_KEY_LOCATION="/var/www/twiki.mtronig.de/ssl/server.key_decrypted"
      CA_CERT_LOCATION="/var/www/twiki.mtronig.de/ssl/ca-bundle.pem"
      #DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
      #DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
      
      # The command needed to reload apache / nginx or whatever you use
      #RELOAD_CMD=""
      
      # Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
      # smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
      # will be checked for certificate expiry and also will be checked after
      # an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
      #SERVER_TYPE="https"
      #CHECK_REMOTE="true"
      
    4. test the getssl configuration:
      getssl twiki.mtronig.de
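As an added example (not part of the wiki page and not getssl's own code), a check of the three files getssl writes into the ssl directory before Apache is reloaded with them: key and certificate belong together, the certificate chains to the stored ca-bundle.pem, it stays valid for a while, and the decrypted key is not readable by other users. DAYS_LEFT is a variable introduced here. Because openssl verify also consults the system trust store, a certificate from the staging CA set in the getssl.cfg above fails the chain check (its root is in no trust store), which is exactly what browsers would say about it; the check passes once CA points at the production directory.

```shell
#!/bin/sh
# Added example (not from the wiki page or from getssl): check the three files getssl
# writes into the ssl directory before Apache is reloaded with them.
# DAYS_LEFT (default 10) is the remaining validity the check insists on.

# $1 = ssl directory of the host. Returns 0 only if cert, key and chain are consistent.
verify_ssl_dir() {
  d="$1"
  crt="$d/server.crt"; key="$d/server.key_decrypted"; ca="$d/ca-bundle.pem"
  days="${DAYS_LEFT:-10}"
  for f in "$crt" "$key" "$ca"; do
    if [ ! -s "$f" ]; then echo "missing or empty: $f" >&2; return 1; fi
  done

  # 1. the private key must belong to the certificate: compare the public keys
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "server.crt and server.key_decrypted do not belong together" >&2; return 1
  fi

  # 2. the certificate must chain to the CA bundle stored next to it (plus the
  #    system trust store, which openssl verify consults as well)
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "chain verification against ca-bundle.pem failed" >&2; return 1
  fi

  # 3. the certificate must stay valid for at least DAYS_LEFT more days
  if ! openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null; then
    echo "certificate expires within $days days" >&2; return 1
  fi

  # 4. the decrypted key must not be readable by group or others
  #    (-L follows a symlink so the real file's mode is inspected)
  if [ "$(ls -ldL "$key" | cut -c5-10)" != "------" ]; then
    echo "$key is readable by group or others" >&2; return 1
  fi
  return 0
}
```

Typical call on the server: verify_ssl_dir /var/www/twiki.mtronig.de/ssl && /etc/init.d/apache2 reload (or whatever the reload command is); the same function can be wired into RELOAD_CMD in getssl.cfg so a renewal never reloads Apache with a broken file set.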

Trac

tracd runs in a Docker container, in a Docker network lf-net with the IP 172.18.1.2.

SSL is terminated by Apache, which then forwards the requests. The SSL cert is obtained from Let's Encrypt via getssl.

The project data and the SVN repos are mounted as volumes.

Docker command:

$ docker run --restart unless-stopped --name trac -d --net lf-net --ip 172.18.1.2 -v /var/www/trac.vpn21.net/files:/trac -v /var/www/usvn/public_html/files/svn:/trac/repos:ro joluxer/trac:1.2-babel-svn-scratch

Adding a new project

$ docker exec -it trac /bin/bash -il
# trac-admin /trac/projects/P21-GLT initenv --inherit=/trac/projects/Mtronig/conf/trac.ini
Creating a new Trac environment at /trac/projects/P21-GLT

Trac will first ask a few questions about your environment
in order to initialize and prepare the project database.

 Please enter the name of your project.
 This name will be used in page titles and descriptions.

Project Name [My Project]> P21 GLT

 Please specify the connection string for the database to use.
 By default, a local SQLite database is created in the environment
 directory. It is also possible to use an existing MySQL or
 PostgreSQL database (check the Trac documentation for the exact
 connection string syntax).

Database connection string [sqlite:db/trac.db]> 

Creating and Initializing Project
Initenv for '/trac/projects/P21-GLT' failed. 
Failed to create environment.
'Environment' object has no attribute 'get_db_cnx'
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/trac/admin/console.py", line 497, in do_initenv
    options=options)
  File "/usr/lib/python2.7/dist-packages/trac/core.py", line 128, in __call__
    self.__init__(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/trac/env.py", line 301, in __init__
    setup_participant.environment_created()
  File "/usr/lib/python2.7/dist-packages/mastertickets/api.py", line 25, in environment_created
    self.upgrade_environment(self.env.get_db_cnx())
AttributeError: 'Environment' object has no attribute 'get_db_cnx'
# _

This now apparently goes wrong because the process aborts (very late) with an error, but the setup is essentially already complete. The DB and the wiki still have to be upgraded and one or more admins have to be appointed.

# trac-admin /trac/projects/P21-GLT upgrade
# trac-admin /trac/projects/P21-GLT wiki upgrade
# trac-admin /trac/projects/P21-GLT permission add Admin TRAC_ADMIN
# trac-admin /trac/projects/P21-GLT permission add lode TRAC_ADMIN
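As an added example (not part of the wiki page), the steps above as one shell function that copes with the late initenv failure instead of relying on someone reading the traceback: the non-zero exit of initenv is reported but only treated as fatal if the environment directory does not exist afterwards, and TRAC_ADMIN is granted only to the accounts named on the command line. The project title and the database string are passed to initenv as arguments instead of answering its prompts (assumption: trac-admin on this image accepts them that way, as documented for Trac 1.2). TRAC_RUN is a variable introduced here: the command prefix that reaches trac-admin inside the container.

```shell
#!/bin/sh
# Added example (not from the wiki page): the "new project" steps as one function that
# copes with the late initenv failure shown above. Assumption: trac-admin accepts the
# project title and db string as initenv arguments (documented for Trac 1.2).
# TRAC_RUN is the command prefix that reaches trac-admin inside the container; it is a
# variable so the function can be exercised against a stub.

# $1 = environment name (directory under /trac/projects), $2 = project title,
# remaining args = users to be granted TRAC_ADMIN
trac_add_project() {
  if [ $# -lt 2 ]; then
    echo "usage: trac_add_project <envname> <title> [admin ...]" >&2; return 1
  fi
  name="$1"; title="$2"; shift 2
  env="/trac/projects/$name"
  run="${TRAC_RUN:-docker exec -i trac}"

  # initenv: on this image the mastertickets plugin aborts it after the environment
  # has been written, so a non-zero exit is reported but not treated as fatal ...
  if ! $run trac-admin "$env" initenv "$title" sqlite:db/trac.db \
        --inherit=/trac/projects/Mtronig/conf/trac.ini </dev/null; then
    echo "initenv for $env exited non-zero (known plugin failure), checking the result" >&2
  fi
  # ... provided the environment directory really exists; otherwise stop here
  if ! $run test -d "$env"; then
    echo "environment $env was not created, aborting" >&2
    return 1
  fi

  # finish what initenv did not get to do
  $run trac-admin "$env" upgrade || return 1
  $run trac-admin "$env" wiki upgrade || return 1

  # grant TRAC_ADMIN only to the accounts named on the command line
  for user in "$@"; do
    $run trac-admin "$env" permission add "$user" TRAC_ADMIN || return 1
  done
  echo "$env ready; admins: $*"
}
```

Call for the project above: trac_add_project P21-GLT "P21 GLT" Admin lode. Running it from the host with the default TRAC_RUN avoids the interactive shell in the container entirely.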

Project configuration

tbd.

SVN

tbd.

Next-Cloud

tbd.

Etherpad text editor

tbd.

Tracks

tbd.