Posted :
This
article will show how to install
nginx ,
how to enable
ssl
and http2 for nginx ,
and for the web frameworks for which nginx
serves as a reverse proxy .
It will use the IPFW
firewall
to block all incoming traffic beside
http , https , and
ssh .
It will install
php ,
mariadb
,
Wordpress ,
and it will also install
Postgresql
,
mongodb
and
adminer
. It will
also install nodejs and a wiki web application
for nodejs , and it will install java and the
tomcat server for which it will serve
two web applications .
Before
starting the installation of these
software , we will install the nano editor
to edit configuration files .
- [root]$ pkg install nano
- # install nano on FreeBsd
Configure
the
IPFW
firewall to disable all incoming traffic to the server besides :
http , https and ssh .
- [root]$ sysrc firewall_enable="YES"
- # Make ipfw firewall starts , when
- # freebsd starts .
- [root]$ sysrc firewall_quiet="YES"
- # Be quite executing commands .
- [root]$ sysrc firewall_type="workstation"
- # protect the machine using stateful rules .
- [root]$ sysrc firewall_myservices="22/tcp 80/tcp 443/tcp"
- # allow ssh http and https only
- [root]$ sysrc firewall_allowservices="any"
- # any ip can access the allowed services.
- [root]$ sysrc firewall_logdeny="YES"
- # Log only the denied requests.
- [root]$ service ipfw start
- # Load the firewall rules
To install nginx , you can use :
- [root]$ pkg install nginx-full
- # install nginx freebsd
Nginx default www directory is
located under /usr/local/www/nginx/ ,
the error logs can be found
under /var/log/nginx/error.log ,
the access logs can be found
under /var/log/nginx/access.log ,
the pid is found under /var/run/nginx.pid and
the configuration file is found
under /usr/local/etc/nginx/nginx.conf .
Make
a backup of nginx.conf :
- [root]$ cd /usr/local/etc/nginx
- [root:/usr/local/etc/nginx/]$ mv nginx.conf nginx.conf.bk
Create
a new nginx.conf file :
- [root:/usr/local/etc/nginx/]$ nano nginx.conf
- # paste the following content .
- worker_processes auto;
- events {
- worker_connections 1024;
- }
- http {
- server_tokens off;
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- include mime.types;
- default_type application/octet-stream;
- gzip on;
- gzip_proxied any;
- gzip_vary on;
- gzip_http_version 1.1;
- gzip_comp_level 6;
- gzip_min_length 96;
- gzip_types text/plain;
- gzip_types text/css;
- gzip_types text/xml;
- gzip_types application/javascript;
- gzip_types application/json;
- gzip_types font/woff;
- gzip_types font/woff2;
- gzip_types font/opentype;
- gzip_types image/svg+xml;
- gzip_types image/x-icon;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:nginx_SSL:1m;
- ssl_session_timeout 1440m;
- ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
- map $sent_http_content_type $expires {
- default off;
- application/atom+xml max;
- application/javascript max;
- application/rss+xml max;
- application/vnd.ms-fontobject max;
- audio/ogg max;
- font/woff max;
- font/woff2 max;
- font/opentype max;
- image/gif max;
- image/jpeg max;
- image/png max;
- image/svg+xml max;
- image/x-icon max;
- text/css max;
- text/html epoch;
- video/mp4 max;
- }
- include servers.conf.d/*.conf;
- }
Now create a directory in /usr/local/etc/nginx/ ,
named servers.conf.d :
- [root:/usr/local/etc/nginx/]$ mkdir servers.conf.d
and create a configuration file for you website :
- [root:/usr/local/etc/nginx/servers.conf.d/]$ nano dev-freebsd.difyel.com.conf
- # create a configuration file ,
- # name it as you like , the important
- # is that it ends with .conf
- # paste the following content
- server {
- listen 80;
- listen [::]:80;
- server_name dev-freebsd.difyel.com;
- root /usr/local/www/nginx/;
- client_max_body_size 512M;
- # blog
- location /blog {
- expires $expires;
- index index.php index.html index.htm;
- try_files $uri $uri/ /blog/index.php?$args;
- }
- location ~* ^/blog/.*.php$ {
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-74-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- }
- # blog
- }
Test the configurations for any errors using :
- [root]$ nginx -t
- # output
- nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
- nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Make nginx starts when freebsd starts :
- [root]$ sysrc nginx_enable="YES"
Start nginx using :
- [root]$ service nginx start
You can check if nginx is running , stop it , restart it , and reload its configuration using :
- [root]$ service nginx status
- # Check ig nginx is running .
- nginx is running as pid 7218.
- [root]$ service nginx stop
- # Stop nginx .
- Stopping nginx.
- Waiting for PIDS: 7218.
- [root]$ service nginx start
- # Start nginx .
- Performing sanity check on nginx configuration:
- nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
- nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
- Starting nginx.
- [root]$ service nginx restart
- # restart nginx .
- Performing sanity check on nginx configuration:
- nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
- nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
- Stopping nginx.
- Waiting for PIDS: 7280.
- Performing sanity check on nginx configuration:
- nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
- nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
- Starting nginx.
- [root]$ service nginx reload
- # reload nginx configuration
- root@freebsd:/usr/local/etc/nginx/servers.conf.d # service nginx reload
- Performing sanity check on nginx configuration:
- nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
- nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
If you are running you website locally , make your server name resolve locally
by adding the following line to /etc/hosts :
- [root]$ echo '127.0.0.1 dev-freebsd.difyel.com' >> /etc/hosts
- # Replace dev-freebsd.difyel.com with your servername
To
install php on freebsd , use :
- [root]$ pkg install php74
- # Install php version 7.4
- # you can install other versions
- # for example php73 php72 ...
- [root]$ pkg search "^php74.*" | less
- # Search for extensions to use with php
- # replace 74 with your installed php version
- # for example , 73 72 .
- [root]$ pkg install php74-bcmath php74-bz2 php74-curl php74-dom php74-exif php74-fileinfo php74-filter php74-gd php74-gettext php74-intl php74-json php74-mbstring php74-session php74-soap php74-pecl-mcrypt php74-openssl php74-xmlrpc php74-zip php74-zlib php74-pdo_mysql php74-pdo_pgsql php74-pdo_sqlite php74-pdo_firebird php74-sqlite3 php74-pgsql php74-mysqli php74-pecl-mongodb-1.7.4
- # install extensions to be used with
- # php .
Php configuration files are located under /usr/local/etc/php.ini
and /usr/local/etc/php/ . php-fpm configuration files
are located under /usr/local/etc/php-fpm.conf
and /usr/local/etc/php-fpm.d/ . php-fpm pid is
located under /var/run/php-fpm.pid.
To
configure php on freebsd , first create a php.ini link :
- # For production , create this link .
- [root]$ ln -s /usr/local/etc/php.ini-production /usr/local/etc/php.ini
- # For development , create this link
- [root]$ ln -s /usr/local/etc/php.ini-development /usr/local/etc/php.ini
Next edit /usr/local/etc/php-fpm.d/www.conf :
- [root]$ nano /usr/local/etc/php-fpm.d/www.conf
- # Open www.conf for editing .
- # search using ctrl-w for
- listen = 127.0.0.1:9000
- # and replace it with :
- listen = /var/run/php-74-fpm.sock
- # If you have installed another version
- # of php , replace 74 with your version
- # for example 73 or 72 ...
- # Uncomment the following three
- # lines by removing the semicolon.
- listen.owner = www
- listen.group = www
- listen.mode = 0660
Create a secure-php.ini file :
- [root]$ nano /usr/local/etc/php/secure-phi.ini
- max_execution_time = 30
- max_input_time = 30
- cgi.force_redirect = 1
- expose_php = Off
- display_errors = Off
- display_startup_errors = Off
- log_errors = On
- allow_url_fopen = Off
- allow_url_include = Off
- disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
- session.use_strict_mode = 1
- session.cookie_secure = 1
Make the php-fpm service starts when FreeBSD boots ,
by issuing the following command :
- [root]$ sysrc php_fpm_enable="YES"
Start the php-fpm service using :
- [root]$ service php-fpm start
You can use service stop php-fpm to stop php-fpm .
Test
if php is working correctly , create a blog directory under :
/usr/local/www/
- [root:/usr/local/www/]$ mkdir blog
- # create a blog directory under /usr/local/www/
and create a test.php file under /usr/local/www/nginx/blog/ :
- [root:/usr/local/www/nginx/blog/]$ echo '<?php phpinfo();?>' > test.php
Visit http://yourdomain.com/blog/test.php ,
and you should have the following page .
Remove the test.php file
- [root:/usr/local/www/nginx/blog/]$ rm test.php
Install certbot :
- [root$] pkg install py37-certbot
- # Install certbot under freebsd
- # you can search for the certbot package
- # using pkg search certbot .
If
you are running your server locally ,
you must manually create and add
ssl
certificate using certbot .
- [root]$ certbot certonly --manual --preferred-challenges dns -d dev-freebsd.difyel.com
- # replace dev-freebsd.difyel.com with your server name .
- Saving debug log to /var/log/letsencrypt/letsencrypt.log
- Plugins selected: Authenticator manual, Installer None
- Enter email address (used for urgent renewal and security notices)
- (Enter 'c' to cancel): uremail@address.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Please read the Terms of Service at
- https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
- agree in order to register with the ACME server at
- https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Would you be willing, once your first certificate is successfully issued, to
- share your email address with the Electronic Frontier Foundation, a founding
- partner of the Let's Encrypt project and the non-profit organization that
- develops Certbot? We'd like to send you email about our work encrypting the web,
- EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (Y)es/(N)o: y
- Obtaining a new certificate
- Performing the following challenges:
- dns-01 challenge for dev-freebsd.difyel.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- NOTE: The IP of this machine will be publicly logged as having requested this
- certificate. If you're running certbot in manual mode on a machine that is not
- your server, please ensure you're okay with that.
- Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Please deploy a DNS TXT record under the name
- _acme-challenge.dev-freebsd.difyel.com with the following value:
- qf67JA2BjjUdUsJEqjXCmTsKWHZ_KR4HZRTiNTBU33o
- Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Press Enter to Continue
If you are using namecheap you can add the text record to your domain , by going to Domain list , then select manage under your domain , and advanced .
Select add new record , for type select text ,
for host select _acme-challenge.dev-freebsd if you
have a subdomain you are configuring like
dev-freebsd.difyel.com ,
or _acme-challenge if this is
your root domain like difyel.com .
You can check if the record has been updated by name cheap using the command :
- #replace .dev-freebsd.difyel.com with your server name
- [root]$ host -t txt _acme-challenge.dev-freebsd.difyel.com
- Host _acme-challenge.dev-freebsd.difyel.com not found: 3(NXDOMAIN)
- # In this case , the record has not been updated .
- [root]$ host -t txt _acme-challenge.dev-freebsd.difyel.com
- _acme-challenge.dev-freebsd.difyel.com descriptive text "qf67JA2BjjUdUsJEqjXCmTsKWHZ_KR4HZRTiNTBU33o"
- # In this case , the record has been updated .
Once the record has been updated , press enter to continue verification .
- Waiting for verification...
- Cleaning up challenges
- Subscribe to the EFF mailing list (email: uremail@address.com).
- IMPORTANT NOTES:
- - Congratulations! Your certificate and chain have been saved at:
- /usr/local/etc/letsencrypt/live/dev-freebsd.difyel.com/fullchain.pem
- Your key file has been saved at:
- /usr/local/etc/letsencrypt/live/dev-freebsd.difyel.com/privkey.pem
- Your cert will expire on 2021-01-14. To obtain a new or tweaked
- version of this certificate in the future, simply run certbot
- again. To non-interactively renew *all* of your certificates, run
- "certbot renew"
- - Your account credentials have been saved in your Certbot
- configuration directory at /usr/local/etc/letsencrypt. You should
- make a secure backup of this folder now. This configuration
- directory will also contain certificates and private keys obtained
- by Certbot so making regular backups of this folder is ideal.
- - If you like Certbot, please consider supporting our work by:
- Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
- Donating to EFF: https://eff.org/donate-le
Now you must add the ssl configuration for your local domain ,
so replace your website configuration
/usr/local/etc/nginx/servers.conf.d/dev-freebsd.difyel.com.conf
with the following :
- [root]$ nano /usr/local/etc/nginx/servers.conf.d/dev-freebsd.difyel.com.conf
- # edit your website configuration , replace
- # dev-freebsd.difyel.com.conf with your conf
- # file name . and past the following code
- server {
- listen [::]:443 ssl http2 ; # Certbot
- listen 443 ssl http2 ; # Certbot
- ssl_certificate /usr/local/etc/letsencrypt/live/dev-freebsd.difyel.com/fullchain.pem; # Certbot
- ssl_certificate_key /usr/local/etc/letsencrypt/live/dev-freebsd.difyel.com/privkey.pem; # Certbot
- server_name dev-freebsd.difyel.com;
- root /usr/local/www/nginx/;
- client_max_body_size 512M;
- # blog
- location /blog {
- expires $expires;
- index index.php index.html index.htm;
- try_files $uri $uri/ /blog/index.php?$args;
- }
- location ~* ^/blog/.*.php$ {
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-74-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- }
- # blog
- }
- server {
- listen 80;
- listen [::]:80;
- server_name dev-freebsd.difyel.com;
- return 301 https://$host$request_uri;
- }
Test the configuration and restart nginx :
- [root]$ nginx -t
- [root]$ service nginx restart
If you are not running your website locally , so like on a vps and can be accessed from the outside world , you can issue the following command in order to install ssl certificate .
- [root]$ sudo certbot certonly --webroot -d difyel.com www.difyel.com
- # generate and install certificate for difyel.com and
- # www.difyel.com
- [root]$ echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
- # automatically renew the certificates
For local website you must renew your certificates manually .
To install mariadb , issue the following command :
- [root]$ pkg install mariadb105-server
- # Install mariadb server , you can
- # install other versions by replacing
- # 105 by the version number , for example
- # 104 or 103
Configuration files for mariadb are
found under /usr/local/etc/mysql/ .
After installation , make mariadb starts when freeBSD stars , by issuing the command :
- [root]$ sysrc mysql_enable="YES"
- # make mariadb starts when
- # freeBSD starts .
Start the mariadb server :
- [root]$ service mysql-server start
You can stop the mariadb server by running
service mysql-server stop .
Secure mariadb by running :
- [root]$ mysql_secure_installation
You can choose a password for the root user , or you can use socket authentication , you can remove anonymous account , disallow root from logging remotely , remove the test database , and reload the privileges tables .
- [root]$ mysql_secure_installation
- NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
- SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
- In order to log into MariaDB to secure it, we ll need the current
- password for the root user. If you ve just installed MariaDB, and
- haven t set the root password yet, you should just press enter here.
- Enter current password for root (enter for none):
- OK, successfully used password, moving on...
- Setting the root password or using the unix_socket ensures that nobody
- can log into the MariaDB root user without the proper authorisation.
- You already have your root account protected, so you can safely answer 'n'.
- Switch to unix_socket authentication [Y/n] n
- ... skipping.
- You already have your root account protected, so you can safely answer 'n'.
- Change the root password? [Y/n] n
- ... skipping.
- By default, a MariaDB installation has an anonymous user, allowing anyone
- to log into MariaDB without having to have a user account created for
- them. This is intended only for testing, and to make the installation
- go a bit smoother. You should remove them before moving into a
- production environment.
- Remove anonymous users? [Y/n] y
- ... Success!
- Normally, root should only be allowed to connect from 'localhost'. This
- ensures that someone cannot guess at the root password from the network.
- Disallow root login remotely? [Y/n] y
- ... Success!
- By default, MariaDB comes with a database named 'test' that anyone can
- access. This is also intended only for testing, and should be removed
- before moving into a production environment.
- Remove test database and access to it? [Y/n] y
- - Dropping test database...
- ... Success!
- - Removing privileges on test database...
- ... Success!
- Reloading the privilege tables will ensure that all changes made so far
- will take effect immediately.
- Reload privilege tables now? [Y/n] y
- ... Success!
- Cleaning up...
- All done! If you've completed all of the above steps, your MariaDB
- installation should now be secure.
- Thanks for using MariaDB!
Restart mariadb server using :
- [root]$ service mysql-server restart
To install postgresql issue the command :
- [root]$ pkg install postgresql12-server
- # You can install other versions of postgresql
- # by changing the version number for example
- # 11 or 13
Make Postgresql start , when freebsd start by issuing :
- [root]$ sysrc postgresql_enable="YES"
Initialize the database by running :
- [root]$ service postgresql initdb
Start postgresql by running :
- [root]$ service postgresql start
- # start the postgresql server .
You can stop the postgresql server by
running service postgresql stop
To install mongodb issue the following command :
- [root]$ pkg install mongodb44
- # Install mongoldb version 4.4 ,
- # You can install other versions
- # like 42 36 ..
Make monogdb starts when freeBSD starts by issuing the following command :
- [root]$ sysrc mongod_enable="YES"
You can start and stop mongodb by using the service command . Start mongodb by issuing :
- [root]$ service mongod start
To install adminer issue the commands :
- [root:/usr/local/www/nginx/]$ pkg install adminer
- # install adminer
- [root:/usr/local/www/nginx/]$ ln -s /usr/local/www/adminer/index.php /usr/local/www/nginx/adminer.php
- # create a symbolic link for
- # adminer inside nginx where
- # we are serving our website .
Set up basic authentication on nginx , start by generating a username and a password to protect adminer.php :
- [root:/usr/local/etc/nginx/]$ echo "username:`openssl passwd -apr1 password`" >> .htpasswd
- # replace username by your username , and password with
- # your password .
Edit nginx.conf and define a rate limiting zone , to protect from brute force attack :
- [root:/usr/local/etc/nginx/]$ nano nginx.conf
- # edit nginx.conf and add
- limit_req_zone $binary_remote_addr zone=shared:brute_force_protect:10m rate=1r/s;
- # Create a zone named : brute_force_protect
- # which will limit remote ip addresses
- # to only one http request per second .
Your nginx.conf should look like this as such :
- worker_processes auto;
- events {
- worker_connections 1024;
- }
- http {
- server_tokens off;
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- include mime.types;
- default_type application/octet-stream;
- gzip on;
- gzip_proxied any;
- gzip_vary on;
- gzip_http_version 1.1;
- gzip_comp_level 6;
- gzip_min_length 96;
- gzip_types text/plain;
- gzip_types text/css;
- gzip_types text/xml;
- gzip_types application/javascript;
- gzip_types application/json;
- gzip_types font/woff;
- gzip_types font/woff2;
- gzip_types font/opentype;
- gzip_types image/svg+xml;
- gzip_types image/x-icon;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:nginx_SSL:1m;
- ssl_session_timeout 1440m;
- ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
- map $sent_http_content_type $expires {
- default off;
- application/atom+xml max;
- application/javascript max;
- application/rss+xml max;
- application/vnd.ms-fontobject max;
- audio/ogg max;
- font/woff max;
- font/woff2 max;
- font/opentype max;
- image/gif max;
- image/jpeg max;
- image/png max;
- image/svg+xml max;
- image/x-icon max;
- text/css max;
- text/html epoch;
- video/mp4 max;
- }
- limit_req_zone $binary_remote_addr zone=brute_force_protect:10m rate=1r/s;
- include servers.conf.d/*.conf;
- }
Edit your website configuration file , in my case it is dev-freebsd.difyel.com.conf , and add :
- [root:/usr/local/etc/nginx/servers.conf.d/]$ nano dev-freebsd.difyel.com.conf
- #adminer
- location =/adminer.php{
- limit_req zone=brute_force_protect burst=20 nodelay;
- auth_basic "Adminer Admin Area";
- auth_basic_user_file .htpasswd;
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-74-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- }
- #adminer
So your website configuration file will look like this :
- server {
- listen [::]:443 ssl http2 ; # Certbot
- listen 443 ssl http2 ; # Certbot
- ssl_certificate /usr/local/etc/letsencrypt/live/dev-freebsd.difyel.com/fullchain.pem; # Certbot
- ssl_certificate_key /usr/local/etc/letsencrypt/live/dev-freebsd.difyel.com/privkey.pem; # Certbot
- server_name dev-freebsd.difyel.com;
- root /usr/local/www/nginx/;
- client_max_body_size 512M;
- # blog
- location /blog {
- expires $expires;
- index index.php index.html index.htm;
- try_files $uri $uri/ /blog/index.php?$args;
- }
- location ~* ^/blog/.*.php$ {
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-74-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- }
- # blog
- #adminer
- location =/adminer.php{
- limit_req zone=brute_force_protect burst=20 nodelay;
- auth_basic "Adminer Admin Area";
- auth_basic_user_file .htpasswd;
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-74-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- }
- #adminer
- }
- server {
- listen 80;
- listen [::]:80;
- server_name dev-freebsd.difyel.com;
- return 301 https://$host$request_uri;
- }
Test nginx configuration files using nginx -t and
restart nginx using service nginx restart
Now when you try to access adminer you will be asked for a username and a password .
To be able to
connect to mariadb using adminer , create the user adminer and grant all privileges .
- [root]$ mysql --user=root
- # connect to mysql
- CREATE USER 'adminer'@'localhost' IDENTIFIED BY 'password';
- # replace adminer and password , by your username and password .
- GRANT ALL PRIVILEGES ON *.* TO 'adminer'@'localhost' WITH GRANT OPTION;
- # replace adminer with your username
- FLUSH PRIVILEGES;
Now you can use adminer to connect to mysql :
To
be able to connect to postgresql using adminer , create the user adminer .
- [root]$ su - postgres
- $ createuser --interactive --pwprompt
- Enter name of role to add: adminer
- Enter password for new role:
- Enter it again:
- Shall the new role be a superuser? (y/n) y
Now you can use adminer to connect to postgresql :
Download
Wordpress to the blog
directory on your website :
- [root:/usr/local/www/nginx/blog/]$ wget https://wordpress.org/latest.tar.gz
- # Download the latest version of
- # wordpress using wget .
- # If you don't have wget installed ,
- # you can install it using
- # pkg install wget
Extract and move the extracted files to blog :
- [root:/usr/local/www/nginx/blog/]$ tar -xzf latest.tar.gz
- # extract Wordpress
- [root:/usr/local/www/nginx/blog/]$ mv wordpress/* .
- # move the content of the wordpress
- # folder to blog
- [root:/usr/local/www/nginx/blog/]$ # rm -r wordpress/
- # remove the Wordpress directory
- [root:/usr/local/www/nginx/blog/]$ # rm latest.tar.gz
- # remove the latest.tar.gz file .
Create a database using adminer , go to
your http://your.web.site/adminer.php ,
and make a connection to mysql , next choose create database ,
select a name for your database and a collation ,
it is recommended to set the collation
to utf8mb4_general_ci if you don't find you language .
Then click save .
On the next page click on privileges , and then click on create user , and choose a username and a password , and tick the all privileges box , then click on save .
Next copy wp-config-sample.php into wp-config.php :
- [root:/usr/local/www/nginx/blog/]$ cp wp-config-sample.php wp-config.php
And edit it to set up the database name ,
username and password as set earlier on ,
and to enable FS_METHOD direct ,
to enable the download of plugins ,
themes and updates without having an ftp server .
- [root:/usr/local/www/nginx/blog/]$ nano wp-config.php
- define( 'DB_NAME', 'wordpress_blog' );
- define( 'DB_USER', 'wordpress_blog' );
- define( 'DB_PASSWORD', 'password' );
- define( 'DB_HOST', '127.0.0.1' );
- define( 'FS_METHOD', 'direct' );
- # save and exit
Change the ownership of wp-content/ to www :
- [root:/usr/local/www/nginx/blog/]$ chown -R www wp-content/
- # Change the ownership of wp-content to
- # www
Visit http://your.web.site/blog/wp-admin/install.php to finish installing Wordpress .
To install java , issue the following commands :
- [root]$ pkg install openjdk11
- # install jdk under Freebsd
- # You can choose to install another
- # version by substituting 11 ,
- # for the version number you want
- # to install . For example
- # openjdk8 , or openjdk13 .
- root$ mount -t fdescfs fdesc /dev/fd
- # mount fdesc on /dev/fd
- root$ mount -t procfs proc /proc
- # mount proc on /proc
- root$ echo 'fdesc /dev/fd fdescfs rw 0 0' >> /etc/fstab
- root$ echo 'proc /proc procfs rw 0 0' >> /etc/fstab
- # auto mount fdesc and proc on boot
- [root$] pkg install tomcat9
- # Install tomcat under FreeBSD
- # you can substitute 9 , for the version
- # of tomcat you want to install ,
- # for example tomcat8 .
Tomcat will be installed to /usr/local/apache-tomcat-9.0/ .
Make tomcat starts when freebsd starts by issuing the following command :
- [root]$ sysrc tomcat9_enable="YES"
Edit your website configuration file , in my case it is dev-freebsd.difyel.com.conf , and add :
- [root:/usr/local/etc/nginx/servers.conf.d/]$ nano dev-freebsd.difyel.com.conf
- # Edit website configuration , and add two locations ,
- # for tomcat manager and host manager applications .
- #tomcat webapps
- location /manager {
- limit_req zone=brute_force_protect burst=20 nodelay;
- expires $expires;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://127.0.0.1:8080/manager;
- }
- location /host-manager {
- limit_req zone=brute_force_protect burst=20 nodelay;
- expires $expires;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://127.0.0.1:8080/host-manager;
- }
- #tomcat webapps
Your website configuration file will look like this :
- root:/usr/local/etc/nginx/servers.conf.d/]$ cat nano dev-freebsd.difyel.com.conf
- # cat the content of dev-freebsd.difyel.com.conf
- server {
- listen [::]:443 ssl http2 ; # Certbot
- listen 443 ssl http2 ; # Certbot
- ssl_certificate /usr/local/etc/letsencrypt/live/dev-freebsd.difyel.com/fullchain.pem; # Certbot
- ssl_certificate_key /usr/local/etc/letsencrypt/live/dev-freebsd.difyel.com/privkey.pem; # Certbot
- server_name dev-freebsd.difyel.com;
- root /usr/local/www/nginx/;
- client_max_body_size 512M;
- # blog
- location /blog {
- expires $expires;
- index index.php index.html index.htm;
- try_files $uri $uri/ /blog/index.php?$args;
- }
- location ~* ^/blog/.*.php$ {
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-74-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- }
- # blog
- #adminer
- location =/adminer.php{
- limit_req zone=brute_force_protect burst=20 nodelay;
- auth_basic "Adminer Admin Area";
- auth_basic_user_file .htpasswd;
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-74-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- }
- #adminer
- #tomcat webapps
- location /manager {
- limit_req zone=brute_force_protect burst=20 nodelay;
- expires $expires;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://127.0.0.1:8080/manager;
- }
- location /host-manager {
- limit_req zone=brute_force_protect burst=20 nodelay;
- expires $expires;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://127.0.0.1:8080/host-manager;
- }
- #tomcat webapps
- }
- server {
- listen 80;
- listen [::]:80;
- server_name dev-freebsd.difyel.com;
- return 301 https://$host$request_uri;
- }
For each tomcat web app you would like to access using nginx , you must add a location block .
Test the nginx configuration , and restart nginx .
- [root]$ nginx -t
- [root]$ service nginx restart
Edit the tomcat-users.xml file , and add the line <user username ... , to enable access to the manager and host manager apps .
- [root:/usr/local/apache-tomcat-9.0/conf/]$ nano tomcat-users.xml
- <?xml version="1.0" encoding="UTF-8"?>
- <tomcat-users xmlns="http://tomcat.apache.org/xml"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
- version="1.0">
- <user username="admin" password="password" roles="manager-gui , admin-gui"/>
- </tomcat-users>
Replace username with your username , and password with your password.
Edit both context.xml in
the manager and host-manager web apps
and comment out the valve part to enable remote access
to the manager and host manager apps .
- [root:/usr/local/apache-tomcat-9.0/webapps/manager/META-INF/]$ nano context.xml
- # edit manager context.xml
- <?xml version="1.0" encoding="UTF-8"?>
- <Context antiResourceLocking="false" privileged="true" >
- <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->
- <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
- </Context>
- [root:/usr/local/apache-tomcat-9.0/webapps/host-manager/META-INF/]$ nano context.xml
- # edit host-manager context.xml
- <?xml version="1.0" encoding="UTF-8"?>
- <Context antiResourceLocking="false" privileged="true" >
- <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
- allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> -->
- <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
- </Context>
Edit tomcat server.xmlfile and add a remote ip valve under host localhost , to enable correct passing of remote IP address and host information .
- # Add a remote ip valve under
- # <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
- <Valve
- className="org.apache.catalina.valves.RemoteIpValve"
- internalProxies="127\.0\.0\.1"
- remoteIpHeader="x-forwarded-for"
- protocolHeader="x-forwarded-proto"
- requestAttributesEnabled="true"
- />
So your server.xml file will look like this :
- <?xml version="1.0" encoding="UTF-8"?>
- <Server port="8005" shutdown="SHUTDOWN">
- <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
- <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
- <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
- <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
- <GlobalNamingResources>
- <Resource name="UserDatabase" auth="Container"
- type="org.apache.catalina.UserDatabase"
- description="User database that can be updated and saved"
- factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
- pathname="conf/tomcat-users.xml" />
- </GlobalNamingResources>
- <Service name="Catalina">
- <Connector port="8080" protocol="HTTP/1.1"
- connectionTimeout="20000"
- redirectPort="8443" />
- <Engine name="Catalina" defaultHost="localhost">
- <Realm className="org.apache.catalina.realm.LockOutRealm">
- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
- resourceName="UserDatabase"/>
- </Realm>
- <Host name="localhost" appBase="webapps"
- unpackWARs="true" autoDeploy="true">
- <Valve
- className="org.apache.catalina.valves.RemoteIpValve"
- internalProxies="127\.0\.0\.1"
- remoteIpHeader="x-forwarded-for"
- protocolHeader="x-forwarded-proto"
- requestAttributesEnabled="true"
- />
- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
- prefix="localhost_access_log" suffix=".txt"
- pattern="%h %l %u %t "%r" %s %b" />
- </Host>
- </Engine>
- </Service>
- </Server>
You can start , stop , restart tomcat by using the service command . Start tomcat by issuing the command :
- [root]$ service tomcat9 start
Go to your manager app , by visiting the address http://your.web.site/manager/
To install nodejs and npm issue the following commands :
- [root]$ pkg instal node-14.13.0 npm-6.14.8
- # You can substitute node version
- # number by another one .
To install Raneto wiki issue the following commands :
- [root]$ npm install git
- # install git
- [root]$ npm install pm2 -g
- # install process manager
- # to start stop and daemonize
- # nodejs applications or other
- # applications or scripts .
- [root]$ adduser
- # create a user named node_pm2
- # with home directory set to
- # /usr/local/www/node_apps/
- Username: node_pm2
- Full name:
- Uid (Leave empty for default):
- Login group [node_pm2]:
- Login group is node_pm2. Invite node_pm2 into other groups? []:
- Login class [default]:
- Shell (sh csh tcsh bash rbash git-shell nologin) [sh]: bash
- Home directory [/home/node_pm2]: /usr/local/www/node_apps/
- Home directory permissions (Leave empty for default):
- Use password-based authentication? [yes]:
- Use an empty password? (yes/no) [no]:
- Use a random password? (yes/no) [no]:
- Enter password:
- Enter password again:
- Lock out the account after creation? [no]:
- Username : node_pm2
- Password : *****
- Full Name :
- Uid : 1002
- Class :
- Groups : node_pm2
- Home : /usr/local/www/node_apps/
- Home Mode :
- Shell : /usr/local/bin/bash
- Locked : no
- OK? (yes/no): y
- adduser: INFO: Successfully added (node_pm2) to the user database.
- Add another user? (yes/no): n
- Goodbye!
- [root]$ su - node_pm2
- # change to user node_pm2
- [node_pm2:/usr/local/www/]$ git clone https://github.com/gilbitron/Raneto.git && cd Raneto
- # clone Raneto and cd into it
- [node_pm2:/usr/local/www/Raneto/]$ npm install && npm run gulp
- # install the Raneto application
- [node_pm2:/usr/local/www/Raneto/]$ nano example/config.default.js
- # search for base_url: '' , and
- # replace it with :
- # base_url: '/wiki'
- [node_pm2:/usr/local/www/Raneto/]$ pm2 start npm --name "Raneto" -- start
- # start the Raneto application using
- # pm2 , it will be restarted if it
- # crashes .
- [node_pm2:/usr/local/www/Raneto/] exit
- # switch back to the root account
- [root]$ bash
- # change to the bash shell .
- [root]$ env PATH=$PATH:/usr/local/bin pm2 startup rcd -u node_pm2 --hp /usr/local/www/node_apps/
- # execute the following command to make
- # node_pm2 starts when freebsd starts ,
- # and startup any application.
- [root]$ su - node_pm2
- # change to user node_pm2
- [node_pm2:/usr/local/www/]$ pm2 save
- # Save list of applications to
- # be started when freeBSD starts .
- [node_pm2:/usr/local/www/]$ exit
- # exit back to root
Edit nginx website configuration files , to proxy the wiki application just installed by adding the #wiki raneto block :
- [root:/usr/local/etc/nginx/servers.conf.d]$ nano dev-freebsd.difyel.com.conf
- # edit your website configuration
- # file and add the raneto block
- server {
- listen [::]:443 ssl http2 ; # Certbot
- listen 443 ssl http2 ; # Certbot
- ssl_certificate /usr/local/etc/letsencrypt/live/dev-freebsd.difyel.com/fullchain.pem; # Certbot
- ssl_certificate_key /usr/local/etc/letsencrypt/live/dev-freebsd.difyel.com/privkey.pem; # Certbot
- server_name dev-freebsd.difyel.com;
- root /usr/local/www/nginx/;
- client_max_body_size 512M;
- # blog
- location /blog {
- expires $expires;
- index index.php index.html index.htm;
- try_files $uri $uri/ /blog/index.php?$args;
- }
- location ~* ^/blog/.*.php$ {
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-74-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- }
- # blog
- #adminer
- location =/adminer.php{
- limit_req zone=brute_force_protect burst=20 nodelay;
- auth_basic "Adminer Admin Area";
- auth_basic_user_file .htpasswd;
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-74-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- }
- #adminer
- #tomcat webapps
- location /manager {
- limit_req zone=brute_force_protect burst=20 nodelay;
- expires $expires;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://127.0.0.1:8080/manager;
- }
- location /host-manager {
- limit_req zone=brute_force_protect burst=20 nodelay;
- expires $expires;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://127.0.0.1:8080/host-manager;
- }
- #tomcat webapps
- #wiki raneto
- location /wiki {
- expires $expires;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://127.0.0.1:3000/wiki/;
- }
- #wiki raneto
- }
- server {
- listen 80;
- listen [::]:80;
- server_name dev-freebsd.difyel.com;
- return 301 https://$host$request_uri;
- }
Test the configuration and restart nginx :
- [root]$ nginx -t
- # Test the configuration
- [root]$ service nginx restart
- # Restart the nginx server .
Visit the wiki at the address your.website.com/wiki , and you will see the following page .
Can be added using the same method , by using nginx as reverse proxy .
Home