-rw-r--r-- | tech/set up debian droplet basics + nginx.txt | 248 |
1 files changed, 0 insertions, 248 deletions
diff --git a/tech/set up debian droplet basics + nginx.txt b/tech/set up debian droplet basics + nginx.txt
deleted file mode 100644
index 727a90f..0000000
--- a/tech/set up debian droplet basics + nginx.txt
+++ /dev/null
@@ -1,248 +0,0 @@ -Set Up Debian Droplet - Basics + Nginx - -[refernces: -<http://www.howtoforge.com/building-nginx-from-source-on-debian-squeeze> -<http://www.rosehosting.com/blog/how-to-compile-and-install-nginx-from-source-in-debian-7-wheezy/> -<https://www.digitalocean.com/community/articles/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server> -<https://www.digitalocean.com/community/articles/initial-server-setup-with-debian-7> -<https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-debian-7>] - -First login as root and set new root password: - - passwd - -Then create new user: - - adduser whatever - -Then add user to suders list: - - visudo - whatever ALL=(ALL:ALL) ALL - -test by sshing as new user. - -vultr specific: - -sudo vi /etc/hosts -sudo vi /etc/hostname - -##Secure the server - - vi /etc/ssh/sshd_config - -Add these lines: - -Port 25009 -Protocol 2 -PermitRootLogin no -UseDNS no - -Add this line to the bottom of the document, replacing demo with your username: - - AllowUsers whatever - -reload ssh: - - sudo systemctl restart sshd - -test before you log out: - - ssh -p 25009 whatever@123.45.67.890 - -Add ssh keys - - cat ~/.ssh/id_rsa4096.pub | ssh -p 25034 lxf@63.135.175.3 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" - ---- - -###Install Zsh/Tmux - -(because doing only one thing at a time sucks) - - sudo apt-get update - sudo apt-get install tmux zsh - curl -L https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh | sh - chsh -s /bin/zsh whatever - -###Set up fail2ban and UFW - - sudo apt-get install fail2ban - sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local - sudo vi /etc/fail2ban/jail.local #(add IP to exclusions, up ban time) - sudo systemctl restart fail2ban - - apt-get install ufw - sudo ufw default deny incoming - sudo ufw default deny outgoing - sudo ufw allow 25978/tcp - sudo ufw allow 80/tcp - sudo ufw allow 443/tcp - sudo ufw allow out http - sudo ufw allow out 
https - sudo ufw allow out 53 - sudo ufw enable - sudo ufw status verbose - ---- - -###Vim - - apt-get install vim - #I point to these in my vimrc, skip if you don't need them - mkdir -p ~/.vim/bundle/ - git clone https://github.com/VundleVim/Vundle.vim.git ~/.vim/bundle/Vundle.vim - -##Setup Nginx - - # check http://nginx.org/en/download.html for the latest version of nginx - # check https://developers.google.com/speed/pagespeed/module/build_ngx_pagespeed_from_source for latest version of ngx_pagespeed and psol - # latest headers more https://github.com/openresty/headers-more-nginx-module/tags - # naxsi: https://github.com/nbs-system/naxsi/releases - -prereqs for building stuff: - - apt-get -y install build-essential zlib1g-dev libpcre3 libpcre3-dev libbz2-dev libssl-dev tar unzip - -prereqs for geo and ssl: - - apt-get install libgeoip1 libgeoip-dev openssl libssl-dev - # then grab the libraries: - sudo mkdir -p /etc/nginx/geoip - cd /etc/nginx/geoip - sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz - sudo gunzip GeoIP.dat.gz - sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz - sudo gunzip GeoLiteCity.dat.gz - - #install the GeoIP C library. 
- cd /tmp - wget geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz - tar -zxvf GeoIP.tar.gz - cd GeoIP-* - ./configure - make - sudo make install - - # That's all the pre-reqs, now cd in to nginx and compile: - cd nginx-* - - -config script for nginx source (debian paths): - - ./configure \ - --prefix=/usr/share/nginx \ - --sbin-path=/usr/sbin/nginx \ - --conf-path=/etc/nginx/nginx.conf \ - --pid-path=/var/run/nginx.pid \ - --lock-path=/var/lock/nginx.lock \ - --error-log-path=/var/log/nginx/error.log \ - --http-log-path=/var/log/access.log \ - --user=www-data \ - --group=www-data \ - --without-mail_pop3_module \ - --without-mail_imap_module \ - --without-mail_smtp_module \ - --with-http_stub_status_module \ - --with-http_ssl_module \ - --with-http_v2_module \ - --with-http_gzip_static_module \ - --with-pcre \ - --with-file-aio \ - - -./configure \ ---user=http \ ---group=http \ ---prefix=/etc/nginx \ ---sbin-path=/usr/sbin/nginx \ ---conf-path=/etc/nginx/nginx.conf \ ---pid-path=/var/run/nginx.pid \ ---lock-path=/var/run/nginx.lock \ ---error-log-path=/var/log/nginx/error.log \ ---http-log-path=/var/log/nginx/access.log \ ---with-http_gzip_static_module \ ---with-http_stub_status_module \ ---with-http_ssl_module \ ---with-pcre \ ---with-file-aio \ ---with-http_v2_module \ ---with-http_realip_module \ ---without-http_scgi_module \ ---without-mail_pop3_module \ ---without-mail_imap_module \ ---without-mail_smtp_module \ ---add-module=$HOME/ngx_pagespeed-${NPS_VERSION} ${PS_NGX_EXTRA_FLAGS} - - make - sudo make install - -The next thing is to enable autostart: - - sudo vim /lib/systemd/system/nginx.service - -# Stop dance for nginx -# ======================= -# -# ExecStop sends SIGSTOP (graceful stop) to the nginx process. -# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control -# and sends SIGTERM (fast shutdown) to the main process. 
-# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends -# SIGKILL to all the remaining processes in the process group (KillMode=mixed). -# -# nginx signals reference doc: -# http://nginx.org/en/docs/control.html -# -[Unit] -Description=A high performance web server and a reverse proxy server -After=network.target - -[Service] -Type=forking -PIDFile=/run/nginx.pid -ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;' -ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;' -ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload -ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid -TimeoutStopSec=5 -KillMode=mixed - -[Install] -WantedBy=multi-user.target - - -sudo systemctl enable nginx.service -sudo systemctl start nginx.service -sudo systemctl status nginx.service - -sudo vim /etc/nginx/nginx.conf - - -user www-data; -events { - worker_connections 1024; -} -http { - include mime.types; - include /etc/nginx/naxsi_core.rules; - default_type application/octet-stream; - types_hash_bucket_size 64; - server_names_hash_bucket_size 128; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - #access_log logs/access.log main; - more_set_headers "Server: Graf Industries Custom Server"; - sendfile on; - keepalive_timeout 65; - gzip on; - pagespeed on; - pagespeed FileCachePath /var/ngx_pagespeed_cache; - limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; - include /etc/nginx/sites-enabled/*.conf; -} - - - sudo cp naxsi-0.53-2/naxci_config/naxsi_core.rule /etc/nginx - |