Rodeo Four Production Server: Difference between revisions
Jump to navigation
Jump to search
Peterstevens (talk | contribs) Added security section about SSL standby and password authentication. |
Kyle.Madsen (talk | contribs) No edit summary |
||
| (16 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
{| class=infobox style="float:right; border:1px solid #BBB;margin:.46em 0 0 .2em;font-size:86%;background-color:#f8f9fa" | {| class="infobox" style="float:right; border:1px solid #BBB;margin:.46em 0 0 .2em;font-size:86%;background-color:#f8f9fa" | ||
|- | |- | ||
| style="font-size:125%;text-align:center;" | | colspan="2" style="font-size:125%;text-align:center;" |'''Web Production Server''' | ||
|- | |- | ||
| '''IP Address''' || 45.55.45.195 | |'''IP Address'''||45.55.45.195 | ||
|- | |- | ||
| '''Domain Name''' || ces.fas.harvard.edu | |'''Domain Name'''||ces.fas.harvard.edu | ||
|- | |- | ||
| '''Droplet Name ''' || ces.fas.harvard.edu-production | |'''Droplet Name '''||ces.fas.harvard.edu-production | ||
|- | |- | ||
| ''' | |'''Operating System'''||Ubuntu 16.04 x64 | ||
|- | |- | ||
| ''' | |'''Host'''||DigitalOcean | ||
|- | |- | ||
| ''' | |'''Region'''||NYC3 | ||
|- | |- | ||
|'''Public Launch Date'''||July 13, 2016 | |||
| '''Public Launch Date''' || July 13, 2016 | |||
|} | |} | ||
The ''' | The '''Rodeo Four''' '''production server''' is a public-facing web application and database server that hosts the [[website]]. It was designed and developed by [[Mildly Geeky]], with additional features and bug fixes performed by [[Shotgun Flat]]. The server was provisioned by [[Peter Stevens]] using a DigitalOcean droplet. It features directory information for Center affiliates, a calendar of events, information about opportunities provided by the Center, news relating to the Center and its affiliates, and publications. | ||
==Website | ==Website updates== | ||
In July 2017, [[Gila Naderi]] began conversations with [[Mike McKenna]] on the [[2018 Website Update Pilot Project]]. | In July 2017, [[Gila Naderi]] began conversations with [[Mike McKenna]] on the [[2018 Website Update Pilot Project]]. | ||
== | ==Configurations== | ||
===Web Root=== | |||
*<code>/srv/users/serverpilot/apps/cesproduction/craft/public</code> | |||
===Logs=== | |||
*<code>/srv/users/serverpilot/apps/cesproduction/craft/storage/runtime/logs/</code> | |||
===Cron jobs=== | |||
*Every Sunday at 8am, the server will execute <code>/etc/cron.d/certrenewal</code>. Note: the Let's Encrypt certificates may not be used by the web engine. They are stored as a standby in case of certificate lapses. | |||
===Database root=== | |||
ServerPilot automatically generates a root account with a random password. The password is located in <code>/root/.my.cnf</code>. | |||
===Password authentication=== | ===Password authentication=== | ||
Password authentication is temporarily turned on due to permission denied error messages. | Password authentication is temporarily turned on due to permission denied error messages. | ||
===SSL=== | ===SSL=== | ||
The certificate is issued by Harvard InCommon, and is set to expire June of 2023. | |||
The following code blocks are old information, currently being kept as records. | |||
<code>The expired InCommon certificate and key are located at the following paths respectively: | |||
/etc/nginx-sp/certs/ces.fas.harvard.edu/ces1.unix.fas.harvard.edu.crt | |||
/etc/nginx-sp/certs/ces.fas.harvard.edu/ces1.unix.fas.harvard.edu.key | |||
The Let's Encrypt certificate and key are located at the following paths respectively: | The Let's Encrypt certificate and key are located at the following paths respectively: | ||
/etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem | |||
/etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem | |||
The renewed InCommon certificate and key are inactive and located at the following paths respectively: | |||
/etc/ssl/certs/ces.fas.harvard.edu.cer | |||
/etc/ssl/private/ces.fas.harvard.edu.key</code> | |||
<code>====Cold standby==== | |||
In case of certificate lapse, uncomment the lines located in /etc/nginx-sp/vhosts.d/ssl.conf which point to the Let's Encrypt certificate and key.</code> | |||
====Updating certificate==== | |||
[[Renew website certificate]] | |||
The following code blocks are old information, currently being kept as records. | |||
<code>See [https://www.robertwent.com/blog/using-letsencrypt-serverpilot/ here] for full instructions.</code> | |||
<code> Backup</code> | |||
mkdir ~/Backups/YYYY-MM-DD_certificates | |||
mkdir ~/Backups/YYYY-MM-DD_vhosts | |||
sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/chain.pem ~/Backups/YYYY-MM-DD_certificates/chain.pem | |||
sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem ~/Backups/YYYY-MM-DD_certificates/fullchain.pem | |||
sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem ~/Backups/YYYY-MM-DD_certificates/privkey.pem | |||
sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/README ~/Backups/YYYY-MM-DD_certificates/README | |||
sudo cp /etc/nginx-sp/vhosts.d/cesproduction.conf ~/Backups/YYYY-MM-DD_vhosts/cesproduction.conf | |||
sudo cp /etc/nginx-sp/vhosts.d/cesproduction.d/main.conf ~/Backups/YYYY-MM-DD_vhosts/main.conf | |||
sudo cp /etc/nginx-sp/vhosts.d/ssl.conf ~/Backups/YYYY-MM-DD_vhosts/ssl.conf | |||
cd /opt/certbot | |||
./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/cesproduction/public -d ces.fas.harvard.edu | |||
sudo service nginx-sp restart</code> | |||
<code> Rollback</code> | |||
sudo cp ~/Backups/YYYY-MM-DD_certificates/cert.pem /etc/letsencrypt/live/ces.fas.harvard.edu/cert.pem | |||
sudo cp ~/Backups/YYYY-MM-DD_certificates/chain.pem /etc/letsencrypt/live/ces.fas.harvard.edu/chain.pem | |||
sudo cp ~/Backups/YYYY-MM-DD_certificates/fullchain.pem /etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem | |||
sudo cp ~/Backups/YYYY-MM-DD_certificates/privkey.pem /etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem | |||
sudo cp ~/Backups/YYYY-MM-DD_certificates/README /etc/letsencrypt/live/ces.fas.harvard.edu/README | |||
sudo cp ~/Backups/YYYY-MM-DD_vhosts/cesproduction.conf /etc/nginx-sp/vhosts.d/cesproduction.conf | |||
sudo cp ~/Backups/YYYY-MM-DD_vhosts/main.conf /etc/nginx-sp/vhosts.d/cesproduction.d/main.conf | |||
sudo cp ~/Backups/YYYY-MM-DD_vhosts/ssl.conf /etc/nginx-sp/vhosts.d/ssl.conf</code> | |||
<code>This will update the certificate without modifying any configuration files. Server Pilot is touchy about modified configurations. This is what happens behind the scenes: | |||
Lets Encrypt gives certbot a challenge. | |||
Certbot places a resource with the challenge in a subdirectory of the web root, making it publicly visible. | |||
Let's Encrypt verifies the resource. | |||
Certbot removes the resource. | |||
Let's encrypt issues the certificate.</code> | |||
==Installed software== | |||
*Apache 2.4.34 | |||
*MySQL 14.14 Distrib 5.7.23 | |||
*nginx 1.15.2 | |||
*PHP 7.0.31 | |||
*ServerPilot | |||
*certbot | |||
===Web applications=== | |||
*Craft CMS 2.6.2911 | |||
===PHP modules=== | |||
*bcmath | |||
*bz2 | |||
*calendar | |||
*Core | |||
*ctype | |||
*curl | |||
*date | |||
*dom | |||
*exif | |||
*fileinfo | |||
*filter | |||
*ftp | |||
*gd | |||
*gettext | |||
*gmp | |||
*hash | |||
*iconv | |||
*imagick | |||
*imap | |||
*intl | |||
*json | |||
*ldap | |||
*libxml | |||
*mbstring | |||
*mcrypt | |||
*mysqli | |||
*mysqlnd | |||
*odbc | |||
*openssl | |||
*pcntl | |||
*pcre | |||
*PDO | |||
*pdo_dblib | |||
*pdo_mysql | |||
*PDO_ODBC | |||
*pdo_pgsql | |||
*pdo_sqlite | |||
*pgsql | |||
*Phar | |||
*posix | |||
*readline | |||
*Reflection | |||
*session | |||
*shmop | |||
*SimpleXML | |||
*snmp | |||
*soap | |||
*sockets | |||
*SPL | |||
*sqlite3 | |||
*standard | |||
*tidy | |||
*tokenizer | |||
*xml | |||
*xmlreader | |||
*xmlrpc | |||
*xmlwriter | |||
*xsl | |||
*Zend OPcache | |||
*zip | |||
*zlib | |||
Latest revision as of 15:46, 26 October 2021
| Web Production Server | |
| IP Address | 45.55.45.195 |
| Domain Name | ces.fas.harvard.edu |
| Droplet Name | ces.fas.harvard.edu-production |
| Operating System | Ubuntu 16.04 x64 |
| Host | DigitalOcean |
| Region | NYC3 |
| Public Launch Date | July 13, 2016 |
The Rodeo Four production server is a public-facing web application and database server that hosts the website. It was designed and developed by Mildly Geeky, with additional features and bug fixes performed by Shotgun Flat. The server was provisioned by Peter Stevens using a DigitalOcean droplet. It features directory information for Center affiliates, a calendar of events, information about opportunities provided by the Center, news relating to the Center and its affiliates, and publications.
Website updates
[edit | edit source]In July 2017, Gila Naderi began conversations with Mike McKenna on the 2018 Website Update Pilot Project.
Configurations
[edit | edit source]Web Root
[edit | edit source]/srv/users/serverpilot/apps/cesproduction/craft/public
Logs
[edit | edit source]/srv/users/serverpilot/apps/cesproduction/craft/storage/runtime/logs/
Cron jobs
[edit | edit source]- Every Sunday at 8am, the server will execute
/etc/cron.d/certrenewal. Note: the Let's Encrypt certificates may not be used by the web engine. They are stored as a standby in case of certificate lapses.
Database root
[edit | edit source]ServerPilot automatically generates a root account with a random password. The password is located in /root/.my.cnf.
Password authentication
[edit | edit source]Password authentication is temporarily turned on due to permission denied error messages.
SSL
[edit | edit source]The certificate is issued by Harvard InCommon, and is set to expire June of 2023.
The following code blocks are old information, currently being kept as records.
The expired InCommon certificate and key are located at the following paths respectively:
/etc/nginx-sp/certs/ces.fas.harvard.edu/ces1.unix.fas.harvard.edu.crt
/etc/nginx-sp/certs/ces.fas.harvard.edu/ces1.unix.fas.harvard.edu.key
The Let's Encrypt certificate and key are located at the following paths respectively:
/etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem
/etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem
The renewed InCommon certificate and key are inactive and located at the following paths respectively:
/etc/ssl/certs/ces.fas.harvard.edu.cer
/etc/ssl/private/ces.fas.harvard.edu.key
====Cold standby====
In case of certificate lapse, uncomment the lines located in /etc/nginx-sp/vhosts.d/ssl.conf which point to the Let's Encrypt certificate and key.
Updating certificate
[edit | edit source]The following code blocks are old information, currently being kept as records.
See here for full instructions.
Backup
mkdir ~/Backups/YYYY-MM-DD_certificates mkdir ~/Backups/YYYY-MM-DD_vhosts sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/chain.pem ~/Backups/YYYY-MM-DD_certificates/chain.pem sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem ~/Backups/YYYY-MM-DD_certificates/fullchain.pem sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem ~/Backups/YYYY-MM-DD_certificates/privkey.pem sudo cp /etc/letsencrypt/live/ces.fas.harvard.edu/README ~/Backups/YYYY-MM-DD_certificates/README sudo cp /etc/nginx-sp/vhosts.d/cesproduction.conf ~/Backups/YYYY-MM-DD_vhosts/cesproduction.conf sudo cp /etc/nginx-sp/vhosts.d/cesproduction.d/main.conf ~/Backups/YYYY-MM-DD_vhosts/main.conf sudo cp /etc/nginx-sp/vhosts.d/ssl.conf ~/Backups/YYYY-MM-DD_vhosts/ssl.conf cd /opt/certbot ./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/cesproduction/public -d ces.fas.harvard.edu sudo service nginx-sp restart
Rollback
sudo cp ~/Backups/YYYY-MM-DD_certificates/cert.pem /etc/letsencrypt/live/ces.fas.harvard.edu/cert.pem sudo cp ~/Backups/YYYY-MM-DD_certificates/chain.pem /etc/letsencrypt/live/ces.fas.harvard.edu/chain.pem sudo cp ~/Backups/YYYY-MM-DD_certificates/fullchain.pem /etc/letsencrypt/live/ces.fas.harvard.edu/fullchain.pem sudo cp ~/Backups/YYYY-MM-DD_certificates/privkey.pem /etc/letsencrypt/live/ces.fas.harvard.edu/privkey.pem sudo cp ~/Backups/YYYY-MM-DD_certificates/README /etc/letsencrypt/live/ces.fas.harvard.edu/README sudo cp ~/Backups/YYYY-MM-DD_vhosts/cesproduction.conf /etc/nginx-sp/vhosts.d/cesproduction.conf sudo cp ~/Backups/YYYY-MM-DD_vhosts/main.conf /etc/nginx-sp/vhosts.d/cesproduction.d/main.conf sudo cp ~/Backups/YYYY-MM-DD_vhosts/ssl.conf /etc/nginx-sp/vhosts.d/ssl.conf
This will update the certificate without modifying any configuration files. Server Pilot is touchy about modified configurations. This is what happens behind the scenes:
Lets Encrypt gives certbot a challenge.
Certbot places a resource with the challenge in a subdirectory of the web root, making it publicly visible.
Let's Encrypt verifies the resource.
Certbot removes the resource.
Let's encrypt issues the certificate.
Installed software
[edit | edit source]- Apache 2.4.34
- MySQL 14.14 Distrib 5.7.23
- nginx 1.15.2
- PHP 7.0.31
- ServerPilot
- certbot
Web applications
[edit | edit source]- Craft CMS 2.6.2911
PHP modules
[edit | edit source]- bcmath
- bz2
- calendar
- Core
- ctype
- curl
- date
- dom
- exif
- fileinfo
- filter
- ftp
- gd
- gettext
- gmp
- hash
- iconv
- imagick
- imap
- intl
- json
- ldap
- libxml
- mbstring
- mcrypt
- mysqli
- mysqlnd
- odbc
- openssl
- pcntl
- pcre
- PDO
- pdo_dblib
- pdo_mysql
- PDO_ODBC
- pdo_pgsql
- pdo_sqlite
- pgsql
- Phar
- posix
- readline
- Reflection
- session
- shmop
- SimpleXML
- snmp
- soap
- sockets
- SPL
- sqlite3
- standard
- tidy
- tokenizer
- xml
- xmlreader
- xmlrpc
- xmlwriter
- xsl
- Zend OPcache
- zip
- zlib