Finish the end of the workshop lab sheet
All checks were successful
continuous-integration/laminar-elessar Build 55 succeeded in 1 minute .
All checks were successful
continuous-integration/laminar-elessar Build 55 succeeded in 1 minute .
This commit is contained in:
parent
fef33c0f60
commit
20d11afcc6
2 changed files with 266 additions and 22 deletions
|
@ -3,12 +3,12 @@
|
|||
## Introduction
|
||||
|
||||
- Goals
|
||||
- Understand the process of setting up a web server
|
||||
- Understand why security is important when setting a web server.
|
||||
- Understand the process of setting up a web server
|
||||
- Understand why security is important when setting a web server.
|
||||
- Setup a basic web server to serve static files
|
||||
|
||||
- Non-goals - links to useful tutorials will be provided at the end of this lab sheet
|
||||
- Setting up HTTPS - This requires a domain name
|
||||
- Setting up HTTPS - This requires a domain name
|
||||
-
|
||||
|
||||
## Things to mention in the slide deck
|
||||
|
@ -26,22 +26,22 @@ This is because root can be used, even accidentally to damage or destory the sys
|
|||
|
||||
```adduser "yourusername" ```
|
||||
|
||||
We should create the new user as root.
|
||||
We should create the new user as root.
|
||||
|
||||
Execute the command as above, replacing ```"yourusername"``` with a desired username.
|
||||
Execute the command as above, replacing ```"yourusername"``` with a desired username.
|
||||
|
||||
During the setup, you may be asked for a password along with other information. You may customise this information as you wish.
|
||||
During the setup, you may be asked for a password along with other information. You may customise this information as you wish.
|
||||
|
||||
```usermod -aG sudo yourusername```
|
||||
|
||||
Now that the user has been created, we should ensure that that user can execute commands with escalated permissions. These are called ```sudo``` permissons.
|
||||
Now that the user has been created, we should ensure that that user can execute commands with escalated permissions. These are called ```sudo``` permissons.
|
||||
|
||||
Execute the command as above, replacing ```"yourusername"``` with the user created in the previous step.
|
||||
Execute the command as above, replacing ```"yourusername"``` with the user created in the previous step.
|
||||
|
||||
- The Linux security model: Knowing why you're typing your password
|
||||
- The Linux security model: Knowing why you're typing your password
|
||||
- SSH
|
||||
- Disable root login
|
||||
- SSH Keys
|
||||
- SSH Keys
|
||||
|
||||
|
||||
### Securing SSH
|
||||
|
@ -90,7 +90,7 @@ It will ask you a few questions, such as a password to encrypt the private key o
|
|||
|
||||
```config
|
||||
Host {bobsrockets.com}
|
||||
Hostname {ip_address}
|
||||
Hostname {ip_address}
|
||||
Port 22
|
||||
IdentityFile {path/to/private/keyfile}
|
||||
```
|
||||
|
@ -230,21 +230,265 @@ sudo ufw allow imap
|
|||
|
||||
|
||||
## Installing a Web Server
|
||||
With our server secured, we can now install our web server. In this tutorial, we'll be using _[Nginx](https://nginx.org)_.
|
||||
With our server secured, we can now install our web server. In this tutorial, we'll be using _[Nginx](https://nginx.org)_. Nginx is very powerful and [much more efficient](https://www.nginx.com/blog/nginx-vs-apache-our-view/) than Apache. This is done with `apt`, Ubuntu's package manager:
|
||||
|
||||
- systemd services
|
||||
- Nginx is a service
|
||||
-
|
||||
- Installing Nginx
|
||||
- `sudo apt install nginx`
|
||||
```bash
|
||||
sudo apt install nginx
|
||||
```
|
||||
|
||||
The `apt` package manager manages the software and libraries installed on a Linux computer. Other package managers exist too, which are used in other distributions of Linux (such as _Arch Linux_, _Alpine Linux_, and _Fedora_). The concept is broadly similar to a package manager you might use to manage the dependencies of a program you're writing, such as [NuGet](https://www.nuget.org/) (for .NET) and [NPM](https://www.npmjs.com/) (for Javascript).
|
||||
|
||||
Anyway, with Nginx installed, we should be able to test it out - just as soon as we allow it through our firewall:
|
||||
|
||||
```bash
|
||||
sudo ufw allow http
|
||||
```
|
||||
|
||||
### Testing it out
|
||||
At this point you should bee able to type the IP address of your server into your web browser and see the default configuration page. You can inspect the network interfaces and ask them for their IP addresses. This is done like so:
|
||||
|
||||
```bash
|
||||
ip addr
|
||||
```
|
||||
|
||||
This will produce a lot of output, so let's decode it. For an IPv4 address, we want to look at the bit directly after the word `inet` in the output from the command above for our server's ethernet network interface.
|
||||
|
||||
You may notice that the output follows a pattern, in which the unindented lines follow the pattern `number: interface_id blah blah blah......`. To identify the ethernet network interface, look for the entry in the output list that has an id that looks something like any of these:
|
||||
|
||||
- `eth0`
|
||||
- `enp3s0`
|
||||
- `enp2s5`
|
||||
|
||||
Note that you do **not** want any that look like this:
|
||||
|
||||
- `lo` (the local loopback interface - i.e. `127.0.0.1`)
|
||||
- `wlan0` (WiFi)
|
||||
|
||||
Once identified, look for the `inet` keyword directly after the network interface id and before the next network interface id further down. The IP address will directly follow it. For example, if I had the following output:
|
||||
|
||||
```bash
|
||||
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
|
||||
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
|
||||
inet 127.0.0.1/8 scope host lo
|
||||
valid_lft forever preferred_lft forever
|
||||
inet6 ::1/128 scope host
|
||||
valid_lft forever preferred_lft forever
|
||||
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
|
||||
link/ether 00:22:4d:ae:00:5a brd ff:ff:ff:ff:ff:ff
|
||||
inet 1.2.3.4/24 brd 1.2.3.255 scope global eth0
|
||||
valid_lft forever preferred_lft forever
|
||||
inet6 67b0:daac:98ee:7951::1/128 scope global
|
||||
valid_lft forever preferred_lft forever
|
||||
inet6 fe80::f89:3729:c223:86da/64 scope link
|
||||
valid_lft forever preferred_lft forever
|
||||
```
|
||||
|
||||
....I could identify that my server's IP address is `1.2.3.4`, as `1.2.3.4` appears directly after the word `inet`, which appears a line or two below the line that starts with `2: eth0`.
|
||||
|
||||
Another, but less reliable, way of finding your IP address is to use an online service. Such services report back to you your external IP address. If your server is located on a complex network, the IP address such a service reports may not be the local IP address of your server, however. You can utilise a service like this as follows:
|
||||
|
||||
```bash
|
||||
curl https://icanhazip.com/
|
||||
```
|
||||
|
||||
You might need to install `curl` with `sudo apt install curl`.
|
||||
|
||||
Once you have determined your server's IP address, enter it into your web browser like so: `http://1.2.3.4/`
|
||||
|
||||
You should see a page like this:
|
||||
|
||||
![The default web page that Nginx should serve.](images/nginx-default.png)
|
||||
|
||||
If you don't see something like the above, please ask for help.
|
||||
|
||||
### Customisation
|
||||
Now that we've got our web server installed, we can customise it to our liking. This is quite easy to do. On Linux, almost everything is driven by configuration files. These are stored in the `/etc` directory - and Nginx is no exception. Nginx stores its configuration files in `/etc/nginx`. There a few important files and directories here:
|
||||
|
||||
|
||||
File | Purpose
|
||||
--------------------------------|---------------------------------
|
||||
`/etc/nginx/nginx.conf` | The main configuration file. Global settings are defined here.
|
||||
`/etc/nginx/sites-available/` | The virtual host configuration files. Put website configuration files here.
|
||||
`/etc/nginx/sites-enabled/` | The enabled virtual hosts. This directory contains [symbolic links](https://linuxhandbook.com/symbolic-link-linux/) to the `sites-enabled` directory.
|
||||
|
||||
Nginx, like most web servers, can service multiple web servers at the same time. This is done by using a variety of techniques to determine what domain name you have entered into your address bar (namely the `Host` HTTP header and, in the case, of HTTPS, [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication)). To this end, it supports multiple _virtual hosts_ - which are basically configuration files that tell it which website to serve under which circumstances.
|
||||
|
||||
Try looking at some of the different configuration files in the `/etc/nginx` directory to get a feel for how it works - particularly `/etc/nginx/nginx.conf`.
|
||||
|
||||
In our case, we already have a default virtual host created for us. It's located in `/etc/nginx/sites-available/default`. Open it for editing now:
|
||||
|
||||
```bash
|
||||
sudo nano /etc/nginx/sites-available/default
|
||||
# or, if you're a `vim` user:
|
||||
sudo vim /etc/nginx/sites-available/default
|
||||
```
|
||||
|
||||
`nano` is usually best for beginners, as it's easier to use. You might see something like this:
|
||||
|
||||
```bash
|
||||
##
|
||||
# You should look at the following URL's in order to grasp a solid understanding
|
||||
# of Nginx configuration files in order to fully unleash the power of Nginx.
|
||||
# https://www.nginx.com/resources/wiki/start/
|
||||
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
|
||||
# https://wiki.debian.org/Nginx/DirectoryStructure
|
||||
#
|
||||
# In most cases, administrators will remove this file from sites-enabled/ and
|
||||
# leave it as reference inside of sites-available where it will continue to be
|
||||
# updated by the nginx packaging team.
|
||||
#
|
||||
# This file will automatically load configuration files provided by other
|
||||
# applications, such as Drupal or Wordpress. These applications will be made
|
||||
# available underneath a path with that package name, such as /drupal8.
|
||||
#
|
||||
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
|
||||
##
|
||||
|
||||
# Default server configuration
|
||||
#
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
# SSL configuration
|
||||
#
|
||||
# listen 443 ssl default_server;
|
||||
# listen [::]:443 ssl default_server;
|
||||
#
|
||||
# Note: You should disable gzip for SSL traffic.
|
||||
# See: https://bugs.debian.org/773332
|
||||
#
|
||||
# Read up on ssl_ciphers to ensure a secure configuration.
|
||||
# See: https://bugs.debian.org/765782
|
||||
#
|
||||
# Self signed certs generated by the ssl-cert package
|
||||
# Don't use them in a production server!
|
||||
#
|
||||
# include snippets/snakeoil.conf;
|
||||
|
||||
root /var/www/html;
|
||||
|
||||
# Add index.php to the list if you are using PHP
|
||||
index index.html index.htm index.nginx-debian.html;
|
||||
|
||||
server_name _;
|
||||
|
||||
location / {
|
||||
# First attempt to serve request as file, then
|
||||
# as directory, then fall back to displaying a 404.
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
# pass PHP scripts to FastCGI server
|
||||
#
|
||||
#location ~ \.php$ {
|
||||
# include snippets/fastcgi-php.conf;
|
||||
#
|
||||
# # With php-fpm (or other unix sockets):
|
||||
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
|
||||
# # With php-cgi (or other tcp sockets):
|
||||
# fastcgi_pass 127.0.0.1:9000;
|
||||
#}
|
||||
|
||||
# deny access to .htaccess files, if Apache's document root
|
||||
# concurs with nginx's one
|
||||
#
|
||||
#location ~ /\.ht {
|
||||
# deny all;
|
||||
#}
|
||||
}
|
||||
|
||||
|
||||
# Virtual Host configuration for example.com
|
||||
#
|
||||
# You can move that to a different file under sites-available/ and symlink that
|
||||
# to sites-enabled/ to enable it.
|
||||
#
|
||||
#server {
|
||||
# listen 80;
|
||||
# listen [::]:80;
|
||||
#
|
||||
# server_name example.com;
|
||||
#
|
||||
# root /var/www/example.com;
|
||||
# index index.html;
|
||||
#
|
||||
# location / {
|
||||
# try_files $uri $uri/ =404;
|
||||
# }
|
||||
#}
|
||||
```
|
||||
|
||||
There's a lot of 'stuff' here, so let's break it down. Nginx works on the concept of servers. Each virtual host has it's own `server { }` block in a configuration file inside `/etc/nginx/sites-available`. Lines that start with a hash `#` are comments - and are ignored by Nginx (just like Python and Bash comments).
|
||||
|
||||
The `listen` directives tell Nginx to listen on Ipv4 and IPv6 for requests.
|
||||
|
||||
The `root /var/www/html;` directive tells Nginx where to find the files that it should serve. For our example, let's change this from `/var/www/html` to `/srv/www`.
|
||||
|
||||
The `location { }` blocks allow us to tell Nginx to do specific things for specific subdirectories. They are quite complex, and are out-of-scope of this workshop. However, the default configuration file contains some links that you can use to find out more - and you can always ask on the [Freeside Discord](http://discord.freeside.co.uk/) too.
|
||||
|
||||
You may wish to enable [directory listing](https://nginxlibrary.com/enable-directory-listing/), so that if Nginx does not find an `index.html` file it will list the contents of the directory instead. You can do this by creating a new line directly below the `root` directory like so:
|
||||
|
||||
```nginx
|
||||
autoindex on;
|
||||
```
|
||||
|
||||
Once you've finished editing the file, save and close it with **Ctrl + X**, then **Y**, then **Enter** (if using `nano`), or **Esc** followed by typing `:wq` for `vim`.
|
||||
|
||||
With the configuration file edited, we should restart Nginx. Before we do that though, let's test that configuration file:
|
||||
|
||||
```bash
|
||||
sudo nginx -t
|
||||
```
|
||||
|
||||
If all goes well, Nginx should say something like this:
|
||||
|
||||
```
|
||||
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
|
||||
nginx: configuration file /etc/nginx/nginx.conf test is successful
|
||||
```
|
||||
|
||||
If it doesn't, then go back and check the syntax of the configuration file you edited. You might want to ask for help.
|
||||
|
||||
Before we reload Nginx though, we need to create that new web root directory we decided on earlier. Let's do that now:
|
||||
|
||||
```bash
|
||||
sudo mkdir /srv/www
|
||||
sudo chown -R www-data:www-data /srv/www
|
||||
sudo chmod 0775 /srv/www
|
||||
```
|
||||
|
||||
With that in place, you can now reload Nginx like so:
|
||||
|
||||
```bash
|
||||
sudo systemctl reload nginx
|
||||
```
|
||||
|
||||
This will cause Nginx to reload it's configuration files from disk without restarting. Not all services support this, but if they do it's handy to take advantage of it.
|
||||
|
||||
The final step here is to upload some files to your new web server to serve. To do this, we will need to ensure that our user account has permission to write to the new folder. Do tha like this:
|
||||
|
||||
```bash
|
||||
sudo usermod -a -G www-data YOUR_USERNAME_HERE
|
||||
```
|
||||
|
||||
This adds your user account to the `www-data` group. You will need to log out and log back in again at this stage for the change to take effect.
|
||||
|
||||
Actually uploading files can be done using SFTP. Windows users can use [WinSCP Portable](https://winscp.net/eng/docs/portable), while Linux users can use their native file manager (try entering `sftp://username@1.2.3.4/` into your address bar).
|
||||
|
||||
Once you have uploaded some files to your web server, try refreshing your web browser! You should see your new website appear before your eyes.
|
||||
|
||||
## Conclusion
|
||||
We've looked at setting up a basic Linux web server with Ubuntu Server 18.04 and Nginx. We've done this by first taking some basic steps to secure our server, and then installing and configuring the necessary software.
|
||||
|
||||
This workshop should provide you with a good starting point from which to explore more complex uses for Linux. For example, you could now use your new web server to serve a [personal static website and blog](https://www.staticgen.com/), or you could take your skills further and learn about containerisation technologies such as [LXD](https://linuxcontainers.org/lxd/) and [Docker](https://www.docker.com/). You could even learn how to deploy your own application to a Linux server using a [system service](https://starbeamrainbowlabs.com/blog/article.php?article=posts/326-systemd-service-files.html) and [syslog](https://starbeamrainbowlabs.com/blog/article.php?article=posts/345-logrotate.html) - the possibilities are endless!
|
||||
|
||||
Be sure to join the [Freeside Discord](http://discord.freeside.co.uk/), where you can learn more about Linux and hang out with other Linux users.
|
||||
|
||||
## Configuration
|
||||
- `/etc/nginx/nginx.conf`
|
||||
- `/etc/nginx/sites-available/*`
|
||||
- `/etc/nginx/sites-enabled/*`
|
||||
|
||||
## References and Further Reading
|
||||
- [Nginx](https://www.nginx.com/)
|
||||
- [How to Secure a Linux Server](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/)
|
||||
- [SSL Certificates](https://letsencrypt.org)
|
||||
- [Freeside Discord Invite](http://discord.freeside.co.uk)
|
||||
- [Freeside Discord Invite](http://discord.freeside.co.uk/)
|
||||
- [Static Site Generators Comparison](https://www.staticgen.com/)
|
||||
|
|
BIN
Linux-201/images/nginx-default.png
Normal file
BIN
Linux-201/images/nginx-default.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 32 KiB |
Loading…
Reference in a new issue