This page outlines some of the noteworthy points on setting up Debian Bullseye on a Hetzner Cloud server.
Apache Setup
apt-get install apache2
apt-get install libapache2-mod-php
apt-get install default-mysql-server   # mariadb is now the default
mysql_secure_installation              # see https://tecadmin.net/how-to-install-mariadb-on-debian-11/
apt-get install php-mysql
a2enmod userdir
vi /etc/apache2/mods-enabled/php7.4.conf   # comment out the lines that disable php for userdirs
adduser kartbuilding
cd /home/kartbuilding/
mkdir public_html
vi public_html/index.php   # the test page belongs in public_html, not the home directory
<?php phpinfo(); ?>
# phpinfo() discloses the full PHP and server configuration; replace it once the test page works
That should be the basic LAMP setup.
Virtual Hosts
vi /etc/apache2/sites-available/01-kartbuilding.conf

<VirtualHost *:80>
    ServerAdmin email@domain.net
    ServerName www.kartbuilding.net
    ServerAlias kartbuilding.net
    DocumentRoot /home/kartbuilding/public_html/
    CustomLog /var/log/apache2/access_kart.log combined
    ErrorLog /var/log/apache2/error_kart.log
    LogLevel warn
    # <Directory /> applies to the whole filesystem, not just the DocumentRoot;
    # Indexes lists directory contents wherever no index file exists and
    # AllowOverride All lets any .htaccess change the config, so scope this
    # to /home/kartbuilding/public_html/ unless the wider scope is intended.
    <Directory />
        Options FollowSymLinks Indexes MultiViews
        AllowOverride All
    </Directory>
    UserDir disabled
</VirtualHost>
# Repeat the block for other vhosts on this domain

# Enable the site with:
a2ensite 01-kartbuilding
# or symlink it into /etc/apache2/sites-enabled
Apache authentication htpasswd
Within a vhost, add:
<Location />
    Order Allow,Deny
    Allow from all
    AuthName "Secure"
    AuthType Basic
    AuthUserFile /etc/apache2/secure/htpasswd
    require valid-user
    Allow from 127.0.0.1
</Location>
# Order/Allow are Apache 2.2 directives; Bullseye ships Apache 2.4, which only
# understands them through mod_access_compat (loaded by default on Debian).
# "Allow from 127.0.0.1" adds nothing after "Allow from all": without "Satisfy Any"
# every client, localhost included, still has to pass the htpasswd check.
# Basic auth only base64-encodes the password, so serve this vhost over HTTPS.
To create a htpasswd file:
# the path must match AuthUserFile above (and the directory must exist);
# -c creates the file and overwrites an existing one, so drop it when adding further users
htpasswd -c /etc/apache2/secure/htpasswd username
Apache HTTPS Secure ssl
Self Signed Cert
make-ssl-cert generate-default-snakeoil
# SSLEngine needs "a2enmod ssl"; the snakeoil cert is self-signed, so browsers will warn

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>
Ref: /etc/apache2/sites-available/default-ssl.conf
MySQL migrations
- mysqldump on the original host as per: mysqldump
- Add a new user as per: mysql_users_add_remove
- Log in to mysql and run CREATE DATABASE
- Import the mysql dump as per: importing_a_mysql_dump
Copy across data to new server
# always source -> destination
# on the new server, issue:
rsync -ave ssh user@oldserver:/home/kartbuilding/ /home/kartbuilding/
# the trailing slash on the source copies its contents into the destination directory
Odds and Ends
apt-get install screen
dpkg-reconfigure tzdata
apt-get install fail2ban
apt-get install links
chkrootkit
apt-get install chkrootkit
vi /etc/chkrootkit.conf
# change to:
RUN_DAILY="true"
RUN_DAILY_OPTS="-q"
DIFF_MODE="true"       # only mail the changes since the previous run
vi /etc/aliases
# add:
root: localuser
# then run the following to take effect:
newaliases
Now the user will get nightly emails with the chkrootkit report.
VIM tweaks
Because vi rocks
apt-get install vim
vi /etc/vim/vimrc
# uncomment:
syntax on
# uncomment (allows default vim control, mouse off):
let g:skip_defaults_vim = 1
https://unix.stackexchange.com/questions/551512/disabling-vim-visual-mode-in-etc-vim-vimrc-does-not-work
Website Updates
Wordpress
I had WordPress done via SVN, so it was easy.
cd /home/kartbuilding/public_blog
svn info
svn sw http://core.svn.wordpress.org/tags/6.0.1/ .
php5 -> php7 woes
Where possible, any web apps will have to be updated, as there are a lot of changes between PHP 5 and PHP 7.
# Apache error log showed:
PHP Parse error: syntax error, unexpected 'new' (T_NEW) in...... on line 35
Edit the PHP file and, on line 35, remove the &. It is not needed in PHP 7: assigning the result of new by reference was dropped, so =& new is now a parse error. Example:
Original (PHP 5): $bbdb =& new $bbdb_class( array(
New: $bbdb = new $bbdb_class( array(
mysql woes
PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect()
Edit the PHP script and change mysql_connect() to mysqli_connect(). The whole mysql_* extension was removed in PHP 7, so every other mysql_* call in the script needs the same treatment.
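As an added example (not from the original page), a small POSIX shell scanner that finds both PHP 5 leftovers described above, the removed mysql_* calls and the =& new reference assignment, across a web root in one pass instead of waiting for the error log to report them one file at a time. The sample web root it builds is constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Find the PHP 5 leftovers above before the Apache error log reports them one
# file at a time: mysql_* calls (extension removed in PHP 7) and "=& new".
# Added example, not from the original page; function names are illustrative.

# scan_php5isms DIR: print "file:line:source  [reason]" for every hit
scan_php5isms() {
    dir=$1
    # mysql_<name>( at the start of an identifier; mysqli_<name> contains no
    # "mysql_" substring, so the replacement calls are not reported
    find "$dir" -type f -name '*.php' -exec grep -nHE \
        -e '(^|[^[:alnum:]_])mysql_[[:alnum:]_]+[[:space:]]*\(' {} + </dev/null \
        | sed 's/$/  [mysql_* call: removed in PHP 7, use mysqli_* or PDO]/'
    # "=& new": assigning a new object by reference is a parse error in PHP 7
    find "$dir" -type f -name '*.php' -exec grep -nHE \
        -e '=[[:space:]]*&[[:space:]]*new[[:space:]]' {} + </dev/null \
        | sed 's/$/  [=\& new: parse error in PHP 7, drop the \&]/'
    return 0
}

# count_php5isms DIR: number of offending lines; 0 means ready for PHP 7
count_php5isms() { scan_php5isms "$1" | wc -l | tr -d ' '; }

# make_sample_webroot: constructed PHP files in a temp dir; prints the dir path
make_sample_webroot() {
    root=$(mktemp -d)
    cat > "$root/old.php" <<'EOF'
<?php
$link = mysql_connect('localhost', 'user', 'pass');
$bbdb =& new $bbdb_class( array() );
$r = mysql_query("SELECT 1", $link);
EOF
    cat > "$root/new.php" <<'EOF'
<?php
$link = mysqli_connect('localhost', 'user', 'pass');
$bbdb = new $bbdb_class( array() );
EOF
    printf '%s\n' "$root"
}

webroot=$(make_sample_webroot)
scan_php5isms "$webroot"
echo "hits: $(count_php5isms "$webroot")"
rm -rf "$webroot"
```

Run it against the real web root (for example /home/kartbuilding/public_html) before switching PHP versions; a count of 0 means neither pattern remains.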
Wiki
The Mediawiki instance was so old. I tried to copy it and update the PHP scripts to PHP 7. No joy, I had problems connecting to the database. The latest Mediawiki was nearly 300MB (the previous one was 60MB).
I made the decision to install and migrate to dokuwiki, which doesn't use SQL but flat text files.
dokuwiki
Install was very straightforward. (Info at: https://www.dokuwiki.org/install ) However, for migration purposes, I chose to install an older version of dokuwiki for my PHP 5.
I went for an old stable release at: https://download.dokuwiki.org/archive If it's too new, you'll get errors when running with PHP 5.
chmod 777 and run install.php. Once the installer has finished, tighten the permissions back down and remove install.php: a world-writable tree under the web root can be modified by any local account or any script running on the server.
Migration of mediawiki
Set up a fresh dokuwiki install and user first.
- https://www.dokuwiki.org/tips:mediawiki_to_dokuwiki_converter (for old Mediawiki)
- https://github.com/tetsuo13/MediaWiki-to-DokuWiki-Importer/archive/99b29b645fb7f5bb8c5c03b23d1bfbb4eee642ed.zip Download and extract the zip.
- Browse to and edit public_html/mediatodoc/src/MediaWiki2DokuWiki/settings.php and update the paths.
- Run via browser: /mediatodoc/src/MediaWiki2DokuWiki/index.php (I got an error the first time, and had to add $wgDBtype = "mysql"; to LocalSettings).
- Browse to dokuwiki, go to Site Map, and all pages should be listed.
- Copy the folder to the new server.
- Upgrade as per the dokuwiki info ( https://www.dokuwiki.org/install:upgrade ).
Swap File for VM
The Hetzner cloud server did not come with swap space. While you could console in and resize, creating a swap file was a nice quick solution.
Check for swap
root@sun:~# free
              total        used        free      shared  buff/cache   available
Mem:        1981092      180740      250956       15668     1549396     1596964
Swap:             0           0           0
cat /etc/fstab   # shows no swap
Create swap file
fallocate -l 2G /swapfile
chmod 600 /swapfile    # swap can hold copies of process memory, so keep it readable by root only
mkswap /swapfile
swapon /swapfile
root@sun:~# free
              total        used        free      shared  buff/cache   available
Mem:        1981092      182696      245032       15668     1553364     1594984
Swap:       2097148           0     2097148
Add to fstab for reboot
vi /etc/fstab
# add:
/swapfile swap swap defaults 0 0
swapon --show
Delete Swap file
swapoff -v /swapfile
# remove the /swapfile line from /etc/fstab, then:
rm /swapfile
Mail Server Setup
Followed postfix_smtp, which was mostly OK and still accurate (I updated portions of that page at the same time for Debian Bullseye).
Also followed courier_imaps_server_-_maildir, again mostly OK (I updated that wiki page at the same time for Debian Bullseye).
See final Postfix config → debian_bullseye_config
Secure smtpd using Postfix and sasl
Debian Bullseye has a lot set by default, and much has changed since secure_outgoing_smtp_via_postfix_courier_tls_and_sasl was written.
apt-get install libsasl2-modules postfix sasl2-bin   # postfix and libsasl2-modules will most likely be installed already
vi /etc/postfix/main.cf
# add/check:
smtpd_tls_auth_only = yes     # offer AUTH only after STARTTLS; PLAIN/LOGIN send the password in the clear otherwise
smtpd_sasl_auth_enable = yes
vi /etc/postfix/sasl/smtpd.conf
# enter:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
vi /etc/default/saslauthd
# add/update to the following:
START=yes
MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"   # socket inside the postfix chroot
mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
Error message I saw in mail.log → /etc/courier/shared/index: Permission denied
Fix:
chmod 755 /etc/courier/shared
cd /etc/courier/shared
touch index
chown courier index
smtpd certs
There was a default cert created after installing. The main locations it resides in are:
/etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key
Postfix then reads these via main.cf, with smtpd_tls_cert_file and smtpd_tls_key_file respectively.
It wasn't self-signed, so I decided to use the imapd.pem cert at /etc/courier/imapd.pem.
NOTE: May not be the best way, but worked.
mv /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-cert-snakeoil-orig.pem
mv /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/ssl-cert-snakeoil-orig.key
cp /etc/courier/imapd.pem /etc/ssl/certs/ssl-cert-snakeoil.pem
vi /etc/ssl/certs/ssl-cert-snakeoil.pem
# edit so that only -----BEGIN CERTIFICATE----- .. -----END CERTIFICATE----- remains
# (imapd.pem also holds the private key and /etc/ssl/certs is world-readable,
#  so the key is exposed there until this edit is done; do it straight away)
cp /etc/courier/imapd.pem /etc/ssl/private/ssl-cert-snakeoil.key
vi /etc/ssl/private/ssl-cert-snakeoil.key
# edit so that only -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- remains
# check afterwards that the key file is still mode 0600 (root only)
Restart postfix etc. Note: Thunderbird does NOT like self-signed certs [[courier_imaps_server_-_maildir#testing_imaps_via_a_client_pc_and_problems|See here]]. You can get it working, but it'll take time. If you get errors, most likely it's Thunderbird, so check another mail client also.
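The hand-editing above can be replaced by a script that extracts each PEM block and creates the key file with mode 0600 from its first byte, so the private key never sits in world-readable /etc/ssl/certs. This is an added example, not from the page: the sample imapd.pem it builds is a constructed stand-in with fake base64 bodies, the file names are illustrative, and it goes slightly beyond the page by also accepting the older "RSA PRIVATE KEY" / "EC PRIVATE KEY" labels.

```shell
#!/bin/sh
# Split a combined PEM (private key + certificate, the imapd.pem layout) into a
# certificate file and a key file; the key is created with mode 0600 from its
# first byte, so it never sits in a world-readable path awaiting a hand edit.
# Added example, not from the original page; file names are illustrative.

# pem_extract KIND SRC OUT: copy the first BEGIN/END KIND block of SRC to OUT.
# KIND is CERTIFICATE or PRIVATE KEY (older RSA/EC PRIVATE KEY labels also match).
pem_extract() {
    kind=$1 pem_src=$2 pem_out=$3
    rm -f "$pem_out"        # an existing file would keep its old mode bits
    awk -v kind="$kind" '
        BEGIN { b = "^-----BEGIN (RSA |EC )?" kind "-----$"
                e = "^-----END (RSA |EC )?" kind "-----$" }
        $0 ~ b { p = 1 }
        p      { print }
        $0 ~ e && p { exit }' "$pem_src" > "$pem_out"
    [ -s "$pem_out" ]       # empty output means SRC had no such block
}

# split_pem SRC CERT_OUT KEY_OUT: cert under the normal umask, key as 0600
split_pem() {
    pem_extract "CERTIFICATE" "$1" "$2" || return 1
    ( umask 077; pem_extract "PRIVATE KEY" "$1" "$3" )
}

# file_mode FILE: octal permission bits (GNU stat, BSD stat as fallback)
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# make_sample_pem: constructed stand-in for /etc/courier/imapd.pem, fake bodies
make_sample_pem() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-----BEGIN PRIVATE KEY-----
MIIfakeKEYfakeKEYfakeKEYfakeKEYfakeKEYfakeKEY=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIfakeCERTfakeCERTfakeCERTfakeCERTfakeCERT=
-----END CERTIFICATE-----
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_pem); dest=$(mktemp -d)
split_pem "$sample" "$dest/cert.pem" "$dest/key.pem" && ls -l "$dest"
rm -rf "$sample" "$dest"
```

On the server the call would be split_pem /etc/courier/imapd.pem /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key, after moving the originals aside as above.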