Set Up Debian Droplet - Basics + Nginx

[references:
<http://www.howtoforge.com/building-nginx-from-source-on-debian-squeeze>
<http://www.rosehosting.com/blog/how-to-compile-and-install-nginx-from-source-in-debian-7-wheezy/>
<https://www.digitalocean.com/community/articles/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server>
<https://www.digitalocean.com/community/articles/initial-server-setup-with-debian-7>
<https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-debian-7>]

First login as root and set new root password:

    passwd

Then create new user:

    adduser whatever

Then add the user to the sudoers list:

    visudo
    whatever    ALL=(ALL:ALL) ALL
    
Test by SSHing in as the new user (and confirm sudo works) before continuing.

Vultr-specific (set the hostname):

sudo vi /etc/hosts
sudo vi /etc/hostname

## Secure the server

    vi /etc/ssh/sshd_config
     
Add or update these lines:

Port 25009
Protocol 2
PermitRootLogin no
UseDNS no

Add this line to the bottom of the file, replacing whatever with your username:
    
    AllowUsers whatever
    
Restart sshd to apply the changes:

    sudo systemctl restart sshd
    
Test from a second terminal before you log out of the current session, so a broken sshd_config cannot lock you out:

    ssh -p 25009 whatever@123.45.67.890
   
Add SSH keys (append your public key to the new user's authorized_keys):

    cat ~/.ssh/id_rsa4096.pub | ssh -p 25034 lxf@63.135.175.3 "mkdir -p ~/.ssh && cat >>  ~/.ssh/authorized_keys"

---

### Install Zsh/Tmux

(because doing only one thing at a time sucks)

    sudo apt-get update
    sudo apt-get install tmux zsh
    curl -L https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh | sh
    chsh -s /bin/zsh whatever
    
### Set up fail2ban and UFW

The SSH port allowed through ufw below must be the same Port configured in sshd_config above; otherwise enabling the firewall locks you out of SSH.

    sudo apt-get install fail2ban
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    sudo vi /etc/fail2ban/jail.local #(add IP to exclusions, up ban time)
    sudo systemctl restart fail2ban 

    apt-get install ufw
    sudo ufw default deny incoming
    sudo ufw default deny outgoing
    sudo ufw allow 25978/tcp
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp
    sudo ufw allow out http
    sudo ufw allow out https
    sudo ufw allow out 53 
    sudo ufw enable
    sudo ufw status verbose
    
---

### Vim
    
    apt-get install vim
    #I point to these in my vimrc, skip if you don't need them
    mkdir -p ~/.vim/bundle/
    git clone https://github.com/VundleVim/Vundle.vim.git ~/.vim/bundle/Vundle.vim

## Set up Nginx

    # check http://nginx.org/en/download.html for the latest version of nginx
    # check https://developers.google.com/speed/pagespeed/module/build_ngx_pagespeed_from_source for latest version of ngx_pagespeed and psol
    # latest headers more https://github.com/openresty/headers-more-nginx-module/tags
    # naxsi: https://github.com/nbs-system/naxsi/releases

Prerequisites for building from source:

    apt-get -y install build-essential zlib1g-dev libpcre3 libpcre3-dev libbz2-dev libssl-dev tar unzip

Prerequisites for GeoIP and SSL:

    apt-get install libgeoip1 libgeoip-dev  openssl libssl-dev
    # then grab the GeoIP databases:
    sudo mkdir -p /etc/nginx/geoip
    cd /etc/nginx/geoip
    sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
    sudo gunzip GeoIP.dat.gz
    sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
    sudo gunzip GeoLiteCity.dat.gz

    #install the GeoIP C library. 
    cd /tmp
    wget geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
    tar -zxvf GeoIP.tar.gz
    cd GeoIP-*
    ./configure
    make
    sudo make install

    # That's all the pre-reqs; download and unpack the nginx source tarball (see the link above), then cd into it and compile:
    cd nginx-*
    
    
Configure script for the nginx source (Debian paths):

    ./configure \
        --prefix=/usr/share/nginx \
        --sbin-path=/usr/sbin/nginx \
        --conf-path=/etc/nginx/nginx.conf \
        --pid-path=/var/run/nginx.pid \
        --lock-path=/var/lock/nginx.lock \
        --error-log-path=/var/log/nginx/error.log \
        --http-log-path=/var/log/access.log \
        --user=www-data \
        --group=www-data \
        --without-mail_pop3_module \
        --without-mail_imap_module \
        --without-mail_smtp_module \
        --with-http_stub_status_module \
        --with-http_ssl_module \
        --with-http_v2_module \
        --with-http_gzip_static_module \
        --with-pcre \
        --with-file-aio \


./configure \
--user=http \
--group=http \
--prefix=/etc/nginx                   \
--sbin-path=/usr/sbin/nginx           \
--conf-path=/etc/nginx/nginx.conf     \
--pid-path=/var/run/nginx.pid         \
--lock-path=/var/run/nginx.lock       \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-http_gzip_static_module        \
--with-http_stub_status_module        \
--with-http_ssl_module                \
--with-pcre                           \
--with-file-aio                       \
--with-http_v2_module \
--with-http_realip_module             \
--without-http_scgi_module            \
--without-mail_pop3_module \
--without-mail_imap_module \
--without-mail_smtp_module \
--add-module=$HOME/ngx_pagespeed-${NPS_VERSION} ${PS_NGX_EXTRA_FLAGS}

    make
    sudo make install
    
Next, create a systemd unit so nginx starts on boot:

    sudo vim /lib/systemd/system/nginx.service

# Stop dance for nginx
# =======================
#
# ExecStop sends SIGQUIT (graceful stop, via --retry QUIT/5) to the nginx process.
# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
# and sends SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
#
# nginx signals reference doc:
# http://nginx.org/en/docs/control.html
#
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target


sudo systemctl enable nginx.service
sudo systemctl start nginx.service
sudo systemctl status nginx.service

sudo vim /etc/nginx/nginx.conf


user  www-data;
events {
    worker_connections  1024;
}
http {
    include mime.types;
    include /etc/nginx/naxsi_core.rules;
    default_type  application/octet-stream;
    types_hash_bucket_size 64;
    server_names_hash_bucket_size 128;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;
    more_set_headers    "Server: Graf Industries Custom Server";
    sendfile        on;
    keepalive_timeout  65;
    gzip  on;
    pagespeed on;
    pagespeed FileCachePath /var/ngx_pagespeed_cache;
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    include /etc/nginx/sites-enabled/*.conf;
}


    sudo cp naxsi-0.53-2/naxci_config/naxsi_core.rule /etc/nginx