__TOC__

== Basic Setup ==

=== NGINX ===

<p>Install required packages</p>

<syntaxhighlight lang="console">apt install dirmngr nginx ffmpeg</syntaxhighlight>

<p>Install NGINX and NGINX-Extras</p>

<syntaxhighlight lang="console">apt install nginx nginx-extras</syntaxhighlight>

<p>Deactivate the default site (no web server content is served directly)</p>

<syntaxhighlight lang="console">unlink /etc/nginx/sites-enabled/default</syntaxhighlight>

<p>Create and paste [[reverse-proxy.conf]]</p>

<syntaxhighlight lang="console" line>cd /etc/nginx/sites-available
nano reverse-proxy.conf</syntaxhighlight>

<p>Activate configuration</p>

<syntaxhighlight lang="console">ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf</syntaxhighlight>

<p>Check that the configuration is valid</p>

<syntaxhighlight lang="console">nginx -t</syntaxhighlight>

<p>Reload configuration</p>

<syntaxhighlight lang="console">nginx -s reload</syntaxhighlight>

=== PHP7.4 ===

<p>Install required packages</p>

<syntaxhighlight lang="console">apt -y install lsb-release apt-transport-https ca-certificates</syntaxhighlight>

<p>Add repository</p>

<syntaxhighlight lang="console" line>
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
</syntaxhighlight>

<p>Update packages</p>

<syntaxhighlight lang="console">apt update && apt upgrade</syntaxhighlight>

<p>Install PHP7.4</p>

<syntaxhighlight lang="console">apt install php7.4-{cli,fpm,json,common,mysql,zip,gd,mbstring,curl,xml,bcmath,tokenizer} openssl</syntaxhighlight>

<p>Check that everything is running correctly</p>

<syntaxhighlight lang="console">systemctl status php7.4-fpm nginx</syntaxhighlight>

<p>Edit php.ini</p>

<syntaxhighlight lang="console">nano /etc/php/7.4/fpm/php.ini</syntaxhighlight>

=== certbot ===

<p>Install Certbot</p>

<syntaxhighlight lang="console">apt install certbot</syntaxhighlight>

<p>Download the [https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py acme-dns-auth.py] script</p>

<syntaxhighlight lang="console">wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py</syntaxhighlight>

<p>Change the first line of the script from <code>#!/usr/bin/env python</code> to</p>

<syntaxhighlight lang="python">#!/usr/bin/env python3</syntaxhighlight>

<p>Move the file to <code>/etc/letsencrypt/</code></p>

<syntaxhighlight lang="console">mv acme-dns-auth.py /etc/letsencrypt/</syntaxhighlight>

<p>Set permissions so the script can run (it now lives in <code>/etc/letsencrypt/</code>, so use the full path)</p>

<syntaxhighlight lang="console">chmod +x /etc/letsencrypt/acme-dns-auth.py</syntaxhighlight>

<p><strong>Generate certificate manually</strong></p>

<p>Wildcard certificate</p>

<syntaxhighlight lang="console">certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d '*.flowerhouse.at'</syntaxhighlight>

<p>Sub-domain certificate</p>

<syntaxhighlight lang="console">certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d subdomain.flowerhouse.at</syntaxhighlight>

<p>Follow the prompts of the script and create the CNAME record it asks for.</p>

<p>Path to all certificates:</p>

<syntaxhighlight lang="console">cd /etc/letsencrypt/live/</syntaxhighlight>

<p>Test manually whether certificate renewal works</p>

<syntaxhighlight lang="console">certbot renew --dry-run</syntaxhighlight>

<p>Check that auto-renewal is activated</p>

<syntaxhighlight lang="console">systemctl list-timers</syntaxhighlight>

== Authelia ==

For security reasons and convenience, the login portal Authelia will be installed.

=== Redis-Server ===

<p>Install Redis with the following command:</p>

<syntaxhighlight lang="console">apt install redis-server</syntaxhighlight>

<p>After installing Redis, start the redis service and enable it to start after a system reboot with the following commands:</p>

<syntaxhighlight lang="console" line>
systemctl start redis-server
systemctl enable redis-server
</syntaxhighlight>

<p>Verify the status of the Redis server:</p>

<syntaxhighlight lang="console">systemctl status redis-server</syntaxhighlight>

<p>By default, Redis listens on localhost, port 6379. You can check it with the following command:</p>

<syntaxhighlight lang="console">ps -ef | grep redis</syntaxhighlight>
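Two steps above leave state that is worth re-checking once the installation is done: the acme-dns-auth.py hook (the shebang must now read python3, the file must be executable, and because the published hook stores the acme-dns account it registers in a JSON file next to itself, nothing under <code>/etc/letsencrypt/</code> should be readable by other users) and the Redis bind address (loopback only, which the text above states is the default). The script below is an added example written for this page, not a command from the wiki and not code from the certbot, acme-dns or Redis projects. It takes the file paths as parameters and runs against constructed sample files, so the same two functions can be pointed at <code>/etc/letsencrypt/acme-dns-auth.py</code> and <code>/etc/redis/redis.conf</code> on the real host; <code>stat -c</code> is the GNU coreutils form used on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example for this wiki page (not the page's own commands and not part of
# certbot, acme-dns or Redis). Post-install checks for two steps above:
#  - the acme-dns-auth.py hook: python3 shebang, executable, not world-accessible
#    (the published hook keeps the acme-dns account it registers in a JSON file
#    beside itself, so that directory holds credentials);
#  - redis.conf: the active "bind" directive lists loopback addresses only.
# Paths are parameters; stat -c is GNU coreutils (Debian/Ubuntu, as on this page).

check_acme_hook() {
    hook="$1"
    [ -f "$hook" ] || { echo "missing: $hook"; return 1; }
    first=$(head -n 1 "$hook")
    [ "$first" = "#!/usr/bin/env python3" ] || { echo "shebang is '$first', expected python3"; return 1; }
    [ -x "$hook" ] || { echo "not executable: $hook"; return 1; }
    mode=$(stat -c %a "$hook")
    # The last octal digit is the "other" class; anything but 0 lets other users read or run it.
    case "$mode" in
        *0) return 0 ;;
        *)  echo "mode $mode on $hook is accessible to other users"; return 1 ;;
    esac
}

redis_bind_is_local() {
    conf="$1"
    # Redis applies the last uncommented bind directive, so only that one counts.
    bind_line=$(grep -E '^[[:space:]]*bind[[:space:]]' "$conf" | tail -n 1)
    if [ -z "$bind_line" ]; then
        echo "no bind directive in $conf: Redis would listen on every interface"
        return 1
    fi
    for addr in $(printf '%s\n' "$bind_line" | sed -E 's/^[[:space:]]*bind[[:space:]]+//'); do
        case "$addr" in
            127.0.0.1|::1|-::1|localhost) ;;   # loopback forms; "-" marks an address Redis may skip if absent
            *) echo "non-loopback bind address in $conf: $addr"; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample files (not copied from any real system) so the checks run stand-alone.
make_samples() {
    dir=$(mktemp -d)
    printf '#!/usr/bin/env python\nprint("stub")\n'  > "$dir/hook_unpatched.py"; chmod 755 "$dir/hook_unpatched.py"
    printf '#!/usr/bin/env python3\nprint("stub")\n' > "$dir/hook_loose.py";     chmod 755 "$dir/hook_loose.py"
    printf '#!/usr/bin/env python3\nprint("stub")\n' > "$dir/hook_patched.py";   chmod 700 "$dir/hook_patched.py"
    printf '# bind 0.0.0.0\nbind 127.0.0.1 ::1\nport 6379\n' > "$dir/redis_local.conf"
    printf 'bind 127.0.0.1\nbind 0.0.0.0\nport 6379\n'       > "$dir/redis_exposed.conf"
    printf 'port 6379\n'                                      > "$dir/redis_nobind.conf"
    printf '%s' "$dir"
}

# Stand-alone run against the samples; on a real host pass the production paths instead.
samples=$(make_samples)
for f in hook_patched.py hook_unpatched.py hook_loose.py; do
    if check_acme_hook "$samples/$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
for f in redis_local.conf redis_exposed.conf redis_nobind.conf; do
    if redis_bind_is_local "$samples/$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
rm -rf "$samples"
```

The Redis check deliberately honours only the last <code>bind</code> line and treats a missing directive as a failure, because that is how Redis itself resolves the setting; a commented-out <code>bind 0.0.0.0</code> left in the file is ignored, as in the first sample.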
=== SMTP-Server ===

<p>Install <syntaxhighlight lang="console" inline>mailutils</syntaxhighlight> and <syntaxhighlight lang="console" inline>postfix</syntaxhighlight>:</p>

<syntaxhighlight lang="console">apt install mailutils postfix</syntaxhighlight>

<p>Test whether the SMTP server is working:</p>

<syntaxhighlight lang="console">echo "This is the body of the email" | mail -s "This is the subject line" your_email_address</syntaxhighlight>
=== Installation ===

<p>Download, unpack and rename the latest Authelia archive:</p>

<syntaxhighlight lang="console" line>
cd /usr/bin
wget https://github.com/authelia/authelia/releases/download/v4.26.2/authelia-linux-amd64.tar.gz
tar -xzf authelia-linux-amd64.tar.gz
rm authelia-linux-amd64.tar.gz
mv ./authelia-linux-amd64 ./authelia
</syntaxhighlight>

<p>After unpacking, the service file <syntaxhighlight lang="console" inline>authelia.service</syntaxhighlight> has to be moved:</p>

<syntaxhighlight lang="console">mv authelia.service /etc/systemd/system/</syntaxhighlight>

<p>Create the folder for the Authelia configuration file:</p>

<syntaxhighlight lang="console" line>
mkdir /etc/authelia
cd /etc/authelia
</syntaxhighlight>

<p>Move the unpacked file <syntaxhighlight lang="console" inline>config.template.yml</syntaxhighlight> (still in <code>/usr/bin</code>) to the created folder:</p>

<syntaxhighlight lang="console">mv /usr/bin/config.template.yml /etc/authelia/</syntaxhighlight>
==== [[users_database.yml]] ====

<p>Create ''[[users_database.yml]]'' in the folder <syntaxhighlight lang="console" inline>/etc/authelia/</syntaxhighlight>:</p>

<syntaxhighlight lang="console">nano users_database.yml</syntaxhighlight>

<p>A user entry looks like this:</p>

<syntaxhighlight lang="yaml" line>
john:
  displayname: "John Doe"
  password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM"
  email: john.doe@authelia.com
  groups:
    - admins
    - dev
</syntaxhighlight>

<p>The password is not stored in plain text but as a hash, so we have to generate the hash value with:</p>

<syntaxhighlight lang="console">authelia hash-password 'yourpassword'</syntaxhighlight>
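Before Authelia is started, the users file is worth auditing: every <code>password:</code> value should be a hash of the kind produced above, and the file should be readable by its owner only, since it is the credential store for the whole login portal. The script below is an added example written for this page, not text from the wiki and not code from the Authelia project. It uses only grep, awk and stat, assumes the one-entry-per-user YAML layout shown above, and accepts the argon2id format that <code>authelia hash-password</code> emits; it also accepts sha512-crypt (<code>$6$</code>) values, which is an assumption about Authelia's file backend based on its documentation rather than anything stated on this page. The sample files are constructed inline; the hash in the good sample is the one from the example entry above.

```shell
#!/bin/sh
# Added example for this wiki page (not the page's own text and not Authelia code).
# Audits a users_database.yml before Authelia is started:
#  - every password value must be a hash: argon2id as produced by
#    'authelia hash-password', or sha512-crypt ($6$), which the file backend
#    also accepts (assumption based on Authelia's documentation);
#  - the file must be owner-only (mode 600 or 400), since it is the credential store.
# Only grep/awk/stat are used; the layout is the one-entry-per-user YAML shown above.

# Print one password value per line, surrounding quotes removed.
extract_passwords() {
    awk -v q="'" '
        /^[ \t]*password:/ {
            sub(/^[ \t]*password:[ \t]*/, "")
            gsub("^[\"" q "]|[\"" q "][ \t]*$", "")
            print
        }' "$1"
}

audit_users_db() {
    db="$1"; rc=0; total=0; bad=0
    mode=$(stat -c %a "$db")   # GNU stat (Debian/Ubuntu)
    [ "$mode" = 600 ] || [ "$mode" = 400 ] || { echo "mode $mode on $db, expected 600"; rc=1; }
    while IFS= read -r pw; do
        [ -n "$pw" ] || continue
        total=$((total + 1))
        case "$pw" in
            '$argon2id$v=19$'*) ;;   # what 'authelia hash-password' emits
            '$6$'*) ;;               # sha512-crypt
            *) bad=$((bad + 1)) ;;   # never echo the value: it may be a plaintext password
        esac
    done <<EOF
$(extract_passwords "$db")
EOF
    [ "$bad" -eq 0 ] || { echo "$bad of $total password entries in $db are not supported hashes"; rc=1; }
    return $rc
}

# Constructed sample files (not real users); the hash is the one from the entry above.
make_sample_dbs() {
    dir=$(mktemp -d)
    cat > "$dir/good.yml" <<'EOF'
john:
  displayname: "John Doe"
  password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM"
  email: john.doe@authelia.com
  groups:
    - admins
    - dev
EOF
    cat > "$dir/plaintext.yml" <<'EOF'
jane:
  displayname: "Jane Doe"
  password: 'Summer2021!'
  email: jane.doe@example.com
  groups:
    - dev
EOF
    cp "$dir/good.yml" "$dir/loose.yml"
    chmod 600 "$dir/good.yml" "$dir/plaintext.yml"
    chmod 644 "$dir/loose.yml"
    printf '%s' "$dir"
}

# Stand-alone run against the samples; on the real host: audit_users_db /etc/authelia/users_database.yml
samples=$(make_sample_dbs)
for f in good.yml plaintext.yml loose.yml; do
    if audit_users_db "$samples/$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
rm -rf "$samples"
```

The audit reports how many entries are not hashes but never prints the offending value, so running it on a real file cannot copy a plaintext password into a terminal log.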
==== [[configuration.yml]] ====

<p>Create ''[[configuration.yml]]'' in the same folder:</p>

<syntaxhighlight lang="console">nano configuration.yml</syntaxhighlight>

<p>Start Authelia and check its status:</p>

<syntaxhighlight lang="console" line>
systemctl start authelia
systemctl status authelia
</syntaxhighlight>

Latest state:

* https://www.authelia.com/docs/configuration/access-control.html
* https://www.authelia.com/docs/configuration/authentication/file.html
== Sources ==

* [https://www.nginx.com/ NGINX] (ReverseProxy)