Linux-101/Linux-201/Lab-Sheet.md

118 lines
4.3 KiB
Markdown
Raw Normal View History

# Linux 201: Web Server Setup
2019-06-20 15:45:01 +00:00
## Introduction
- Goals
- Understand the process of setting up a web server
- Understand why security is important when setting a web server.
2019-06-20 15:45:01 +00:00
- Setup a basic web server to serve static files
2019-06-20 15:45:01 +00:00
- Non-goals - links to useful tutorials will be provided at the end of this lab sheet
- Setting up HTTPS - This requires a domain name
-
2019-06-20 15:45:01 +00:00
## Things to mention in the slide deck
-
- Apache vs Nginx
- Thread-based vs event-based servers
## Basic Security
- Creating a non-root account
2019-08-15 15:44:16 +00:00
- `adduser` "yourusername"
2019-06-20 16:01:37 +00:00
- `sudo` permissions
2019-08-15 15:44:16 +00:00
-
2019-06-20 16:01:37 +00:00
- The Linux security model: Knowing why you're typing your password
- SSH
- Disable root login
- SSH Keys
2019-08-15 15:42:32 +00:00
### Setting up a firewall
Firewalls control how data is allowed to travel in and out of your computer. In Ubuntu, a firewall called `ufw`, the 'uncomplicated firewall' is already present. It acts as a nice front-end to `iptables`, which I find to be difficult to understand and use. We will be using that as our firewall. If for some reason it is not installed already, install it like so:
```bash
sudo apt install ufw
```
### Activation
Ufw, by default, allows all outgoing connections and denies all incoming connections. This means that if you are using ssh to connect to your server, you will need to open the appropriate ports first *before* enabling ufw. Do that like this:
```bash
sudo ufw allow 22/tcp
```
2019-08-15 15:53:26 +00:00
Ufw will automatically configure `iptables` to allow incoming connections on port 22 that use `tcp`. I will talk more about allowing and denying different connections later.
2019-08-15 15:42:32 +00:00
Just in case ufw blocks your ssh connection and you are unable to get back in, you can use another program called `at` to schedule the disabling of the ufw so that you can get back in again. If you don't have it installed, you can install it with `sudo apt install at`.
```bash
sudo at -vM now +10 minutes
ufw disable
^D
```
Where `^D` stands for `CTRL + D`. Now that you have it set such that ufw will disable itself in 10 minutes time, we go ahead and turn ufw on:
```bash
sudo ufw enable
```
<!-- TODO: check that `yes` is the correct response -->
It will warn you that this may disrupt any existing ssh connections you have open. Reply `yes` to this. Once it have been enabled successfully, you should check that you can still ssh into your server (if that is the method that you are using to control it). If yes, great! If not, ufw will disable itself in 10 minutes and then you can try again.
Now that we have ufw enabled, we can cancel the `at` job we created to disable ufw. Type `sudo atq` to list the jobs you have schedules, and `sudo atrm <number>` to remove it, where `<number>` is the number of the jobs that you want to delete.
You may also want to check the status of ufw to make sure that it is enabled, or to get a list of the rules that are currently in force. You can do that like this:
```bash
sudo ufw status
```
```
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere
```
#### Allowing connections
2019-08-15 15:53:26 +00:00
Since we're going to be setting up a web server, we'll need to allow it through our new firewall. Doing so is easy. Simply do this:
2019-08-15 15:42:32 +00:00
```bash
sudo ufw allow 80/tcp
```
Ufw will automatically configure iptables, in this example, to allow all connections on port 80 that use TCP. It will also configure it appropriately for both ipv4 and ipv6.
If you ever want to incoming connections on another port in the future, replace `80` with the port number you want to allow and `tcp` with `udp` if needed.
Ufw also understands several protocol names, and can configure itself accordingly:
```bash
sudo ufw allow http
sudo ufw allow imap
```
## Installing a Web Server
2019-08-15 15:27:56 +00:00
With our server secured, we can now install our web server. In this tutorial, we'll be using _[Nginx](https://nginx.org)_.
2019-06-20 15:45:01 +00:00
- systemd services
- Nginx is a service
-
- Installing Nginx
- `sudo apt install nginx`
## Configuration
- `/etc/nginx/nginx.conf`
2019-06-20 16:02:03 +00:00
- `/etc/nginx/sites-available/*`
- `/etc/nginx/sites-enabled/*`
## References and Further Reading
- [Nginx](https://www.nginx.com/)
- [How to Secure a Linux Server](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/)
- [SSL Certificates](https://letsencrypt.org)
- [Freeside Discord Invite](http://discord.freeside.co.uk)