Difference between revisions of "Charity admin"

From ProgClub
Jump to: navigation, search
m (moved Charity Admin to Charity admin: Lowercase name)
Line 1: Line 1:
 
This page chronicles the administrative changes to [[Charity|charity.progclub.org]]. If you make an administrative change you should document the change here. Changes are logged he in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is less than a time-stamp later in the page, put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the [[Administrative Reference]] for other information.
 
This page chronicles the administrative changes to [[Charity|charity.progclub.org]]. If you make an administrative change you should document the change here. Changes are logged he in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is less than a time-stamp later in the page, put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the [[Administrative Reference]] for other information.
 +
 +
= [[User:John|John]] 2011-07-30 17:15 =
 +
 +
== Configuring IPSec ==
 +
 +
jj5@charity:~$ sudo -s
 +
[sudo] password for jj5:
 +
root@charity:~# apt-get install racoon
 +
Reading package lists... Done
 +
Building dependency tree
 +
Reading state information... Done
 +
The following NEW packages will be installed:
 +
  racoon
 +
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
 +
Need to get 0B/433kB of archives.
 +
After this operation, 1,217kB of additional disk space will be used.
 +
Committing to: /etc/
 +
modified ipsec-tools.conf
 +
modified iptables.up.rules
 +
Committed revision 22.
 +
Preconfiguring packages ...
 +
Selecting previously deselected package racoon.
 +
(Reading database ... 17754 files and directories currently installed.)
 +
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
 +
Processing triggers for man-db ...
 +
Processing triggers for ureadahead ...
 +
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
 +
Starting IKE (ISAKMP/Oakley) server: racoon.
 +
 +
Processing triggers for libc-bin ...
 +
ldconfig deferred processing now taking place
 +
 +
root@charity:~# cd /etc/network/if-pre-up.d/
 +
root@charity:/etc/network/if-pre-up.d# ll
 +
total 16
 +
drwxr-xr-x 2 root root 4096 2011-07-26 17:49 ./
 +
drwxr-xr-x 6 root root 4096 2010-04-22 19:09 ../
 +
-rwxr-xr-x 1 root root  344 2011-05-17 07:41 ethtool*
 +
-rwxr-xr-x 1 root root  58 2011-07-26 17:49 iptables*
 +
root@charity:/etc/network/if-pre-up.d# cat iptables
 +
#!/bin/sh
 +
/sbin/iptables-restore < /etc/iptables.up.rules
 +
root@charity:/etc/network/if-pre-up.d# vim ip
 +
 +
#!/bin/sh
 +
# Hope
 +
ip route add 67.207.130.204 dev eth0 advmss 200
 +
# Honesty
 +
ip route add 67.207.129.103 dev eth0 advmss 200
 +
 +
root@charity:/etc/network/if-pre-up.d# chmod +x ip
 +
root@charity:/etc/network/if-pre-up.d# cd /etc/
 +
root@charity:/etc# vim iptables.up.rules
 +
 +
*filter
 +
#  Allow all loopback (lo0) traffic
 +
-A INPUT -i lo -j ACCEPT
 +
# Drop all traffic to 127/8 that does use lo0
 +
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 +
#  Accept all established inbound connections
 +
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
#  Allow all outbound traffic
 +
-A OUTPUT -j ACCEPT
 +
# Allow HTTP and HTTPS connections from anywhere
 +
-A INPUT -p tcp --dport 80 -j ACCEPT
 +
-A INPUT -p tcp --dport 443 -j ACCEPT
 +
#  Allow SSH connections
 +
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
 +
# Accept anything from hope
 +
-A INPUT -s 67.207.130.204 -j ACCEPT
 +
# Accept anything from honesty
 +
-A INPUT -s 67.207.129.103 -j ACCEPT
 +
# Allow MySQL connections from John's house
 +
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
 +
# Allow MySQL connections from localhost
 +
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
 +
# Allow IPSec traffic
 +
#-A INPUT -p 50 -j ACCEPT
 +
#-A INPUT -p 51 -j ACCEPT
 +
# Allow ping
 +
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 +
# log iptables denied calls
 +
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
 +
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
 +
# Reject all other inbound - default deny unless explicitly allowed policy
 +
-A INPUT -j REJECT
 +
-A FORWARD -j REJECT
 +
COMMIT
 +
 +
root@charity:/etc# vim ipsec-tools.conf
 +
 +
#!/usr/sbin/setkey -f
 +
# Charity/Hope security policy
 +
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec
 +
        esp/transport//require
 +
        ah/transport//require;
 +
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec
 +
        esp/transport//require
 +
        ah/transport//require;
 +
# Charity/Honesty security policy
 +
spdadd 67.207.128.184 67.207.129.103 any -P out ipsec
 +
        esp/transport//require
 +
        ah/transport//require;
 +
spdadd 67.207.129.103 67.207.128.184 any -P in ipsec
 +
        esp/transport//require
 +
        ah/transport//require;
 +
 +
root@charity:/etc# vim racoon/psk.txt
 +
 +
# Hope
 +
67.207.130.204 <secret>
 +
# Honesty
 +
67.207.129.103 <secret>
 +
 +
root@charity:/etc# vim racoon/racoon.conf
 +
 +
path pre_shared_key "/etc/racoon/psk.txt";
 +
path certificate "/etc/racoon/certs";
 +
  
 
= [[User:John|John]] 2011-07-30 09:38 =
 
= [[User:John|John]] 2011-07-30 09:38 =

Revision as of 18:44, 30 July 2011

This page chronicles the administrative changes to charity.progclub.org. If you make an administrative change you should document the change here. Changes are logged he in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is less than a time-stamp later in the page, put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the Administrative Reference for other information.

John 2011-07-30 17:15

Configuring IPSec

jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 0B/433kB of archives.
After this operation, 1,217kB of additional disk space will be used.
Committing to: /etc/
modified ipsec-tools.conf
modified iptables.up.rules
Committed revision 22.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 17754 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@charity:~# cd /etc/network/if-pre-up.d/
root@charity:/etc/network/if-pre-up.d# ll
total 16
drwxr-xr-x 2 root root 4096 2011-07-26 17:49 ./
drwxr-xr-x 6 root root 4096 2010-04-22 19:09 ../
-rwxr-xr-x 1 root root  344 2011-05-17 07:41 ethtool*
-rwxr-xr-x 1 root root   58 2011-07-26 17:49 iptables*
root@charity:/etc/network/if-pre-up.d# cat iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
root@charity:/etc/network/if-pre-up.d# vim ip
#!/bin/sh
# Hope
ip route add 67.207.130.204 dev eth0 advmss 200
# Honesty
ip route add 67.207.129.103 dev eth0 advmss 200
root@charity:/etc/network/if-pre-up.d# chmod +x ip
root@charity:/etc/network/if-pre-up.d# cd /etc/
root@charity:/etc# vim iptables.up.rules
*filter
#  Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that does use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#  Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#  Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Accept anything from hope
-A INPUT -s 67.207.130.204 -j ACCEPT
# Accept anything from honesty
-A INPUT -s 67.207.129.103 -j ACCEPT
# Allow MySQL connections from John's house
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow IPSec traffic
#-A INPUT -p 50 -j ACCEPT
#-A INPUT -p 51 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
root@charity:/etc# vim ipsec-tools.conf
#!/usr/sbin/setkey -f
# Charity/Hope security policy
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec
       esp/transport//require
       ah/transport//require;
# Charity/Honesty security policy
spdadd 67.207.128.184 67.207.129.103 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.129.103 67.207.128.184 any -P in ipsec
       esp/transport//require
       ah/transport//require;
root@charity:/etc# vim racoon/psk.txt
# Hope
67.207.130.204 <secret>
# Honesty
67.207.129.103 <secret>
root@charity:/etc# vim racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";


John 2011-07-30 09:38

Configuring racoon

See this article for a run-down.

# vim /etc/racoon/psk.txt
# Hope
67.207.130.204  <secret>
# vim /etc/racoon/racoon.conf
remote 67.207.130.204 {
       exchange_mode main,aggressive;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
       generate_policy off;
}
sainfo address 67.207.130.204[any] any address 67.207.130.204/32[any] any {
       pfs_group modp768;
       encryption_algorithm 3des;
       authentication_algorithm hmac_md5;
       compression_algorithm deflate;
}
# vim /etc/ipsec-tools.conf
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec
       esp/transport//require
       ah/transport//require;
root@charity:/etc/racoon# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@charity:/etc/racoon# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@charity:/etc/racoon# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.

Still no dice... :(

John 2011-07-29 23:59

Installing racoon

Having trouble getting IPSec to work, gonna try installing racoon and giving that a go.

root@charity:/etc# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 433kB of archives.
After this operation, 1,217kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main racoon 1:0.7.1-1.6ubuntu1 [433kB]
Fetched 433kB in 1s (329kB/s)
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
added ipsec-tools.conf.bak
Committed revision 19.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 17749 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Generating /etc/default/racoon...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added racoon
added default/racoon
added init.d/racoon
added racoon/psk.txt
added racoon/racoon-tool.conf
added racoon/racoon.conf
added rc1.d/K89racoon
added rcS.d/S40racoon
Committed revision 20.

The install promped for Package configuration information, and I choose the 'direct' configuration method (the default) over 'racoon-tool', the other option.

 ┌──────────────────────────┤ Configuring racoon ├──────────────────────────┐
 │ Racoon can be configured two ways, either by directly editing            │
 │ /etc/racoon/racoon.conf or using the racoon-tool administrative front    │
 │ end. racoon-tool is now deprecated and is only available for backward    │
 │ compatibility. New installations should always use the "direct" method.  │
 │                                                                          │
 │ Configuration mode for racoon IKE daemon.                                │
 │                                                                          │
 │                               direct                                     │
 │                               racoon-tool                                │
 │                                                                          │
 │                                                                          │
 │                                  <Ok>                                    │
 │                                                                          │
 └──────────────────────────────────────────────────────────────────────────┘


John 2011-07-28 11:32

Firstly some house-keeping

$ cd /etc
$ sudo bzr status
[sudo] password for jj5:
modified:
  shadow
$ sudo etckeeper commit "Changed password for jj5"
Committing to: /etc/
modified shadow
Committed revision 13.

Installing IPSec

See this article for instructions.

$ sudo apt-get install ipsec-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ipsec-tools
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 111kB of archives.
After this operation, 274kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB]
Fetched 111kB in 0s (116kB/s)
Selecting previously deselected package ipsec-tools.
(Reading database ... 17714 files and directories currently installed.)
Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added ipsec-tools.conf
added default/setkey
added init.d/setkey
added rcS.d/S37setkey
Committed revision 14.

To generate two 128-bit 'ah' keys:

$ dd if=/dev/random count=16 bs=1| xxd -ps
$ dd if=/dev/random count=16 bs=1| xxd -ps

To generate two 192-bit 'esp' keys:

$ dd if=/dev/random count=24 bs=1| xxd -ps
$ dd if=/dev/random count=24 bs=1| xxd -ps

Then edit the ipsec-tools.conf file,

$ sudo vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#
# Flush the SAD and SPD
flush;
spdflush;
# AH SAs using 128 bit long keys
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5
        0x<ah_1>;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5
        0x<ah_2>;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc
        0x<esp_1>;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc
        0x<esp_2>;
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec
        esp/transport//require
        ah/transport//require;

Make sure the ipsec-tools.conf file is not world-readable:

$ sudo chmod 750 ipsec-tools.conf

Now I'll go and setup the other side of the connection...

Then,

$ sudo /etc/init.d/setkey start
* Loading IPsec SA/SP database from /etc/ipsec-tools.conf:              [ OK ]
$ sudo etckeeper commit "Configured IPSec between charity and hope"
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
Committed revision 15.

Done!

...or, not-so-done. After testing discovered that IPTables was getting in the way of IPSec traffic.

John 2011-07-27 12:01

Public read-only svn access via HTTPS and HTTP

See this article for the general idea.

# cd /etc/apache2/
# vim dav_svn.ro.authz
[/]
* = r
# vim dav_svn.rw.authz
[/]
jj5 = rw
# vim sites-available/default-ssl
<Location /svn>
  DAV svn
  SVNParentPath /var/svn
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  AuthzSVNAccessFile /etc/apache2/dav_svn.rw.authz
  Require valid-user
</Location>
<Location /svnro>
  DAV svn
  SVNParentPath /var/svn
  AuthzSVNAccessFile /etc/apache2/dav_svn.ro.authz
</Location>
# vim sites-available/default
<Location /svnro>
  DAV svn
  SVNParentPath /var/svn
  AuthzSVNAccessFile /etc/apache2/dav_svn.ro.authz
</Location>
# apache2ctl graceful
# etckeeper commit "Public read-only svn access"
Committing to: /etc/
added apache2/dav_svn.ro.authz
added apache2/dav_svn.rw.authz
modified apache2/sites-available/default
modified apache2/sites-available/default-ssl
Committed revision 12.

John 2011-07-27 06:12

Installing Subversion with HTTPS support

See this article for a primer.

# apt-get install subversion libapache2-svn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libneon27-gnutls libsvn1
Suggested packages:
  db4.8-util subversion-tools
The following NEW packages will be installed:
  libapache2-svn libneon27-gnutls libsvn1 subversion
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,595kB of archives.
After this operation, 7,250kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libneon27-gnutls 0.29.0-1 [136kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libsvn1 1.6.6dfsg-2ubuntu1.3 [906kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe libapache2-svn 1.6.6dfsg-2ubuntu1.3 [168kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main subversion 1.6.6dfsg-2ubuntu1.3 [385kB]
Fetched 1,595kB in 1s (866kB/s)
Selecting previously deselected package libneon27-gnutls.
(Reading database ... 17613 files and directories currently installed.)
Unpacking libneon27-gnutls (from .../libneon27-gnutls_0.29.0-1_amd64.deb) ...
Selecting previously deselected package libsvn1.
Unpacking libsvn1 (from .../libsvn1_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Selecting previously deselected package libapache2-svn.
Unpacking libapache2-svn (from .../libapache2-svn_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Selecting previously deselected package subversion.
Unpacking subversion (from .../subversion_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Processing triggers for man-db ...
Setting up libneon27-gnutls (0.29.0-1) ...
Setting up libsvn1 (1.6.6dfsg-2ubuntu1.3) ...
Setting up libapache2-svn (1.6.6dfsg-2ubuntu1.3) ...
Considering dependency dav for dav_svn:
Enabling module dav.
Enabling module dav_svn.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Setting up subversion (1.6.6dfsg-2ubuntu1.3) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added emacs
added subversion
added apache2/mods-available/dav_svn.conf
added apache2/mods-available/dav_svn.load
added apache2/mods-enabled/dav.load
added apache2/mods-enabled/dav_svn.conf
added apache2/mods-enabled/dav_svn.load
added bash_completion.d/subversion
added emacs/site-start.d
added emacs/site-start.d/50psvn.el
added subversion/config
added subversion/servers
Committed revision 9.
# apache2ctl graceful
# cd /var
# ls
backups  cache  crash  lib  local  lock  log  mail  opt  run  spool  tmp  www
# mkdir svn
# cd svn
# svnadmin create pcrepo
# ls
pcrepo
# chown -R www-data:www-data pcrepo/
# chmod -R g+ws pcrepo/
# htpasswd -c /etc/apache2/dav_svn.passwd jj5
New password:
Re-type new password:
Adding password for user jj5
# vim /etc/apache2/sites-enabled/000-default-ssl

Add the following,

<Location /svn>
  DAV svn
  SVNParentPath /var/svn
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  Require valid-user
</Location>
# apache2ctl graceful
$ pwd
/home/jj5
$ mkdir test
$ cd test
$ svn co https://www.progclub.org/svn/pcrepo .
Authentication realm: <https://www.progclub.org> Subversion Repository
Password for 'jj5':
Checked out revision 0.

Works!

Migrating mediawiki-1.17.0 to pcwiki, and checking into svn

$ cd ..
$ mv test pcrepo
$ ls
bin  pcrepo
$ cd pcrepo/
$ mkdir pcwiki
$ cd pcwiki/
$ mkdir trunk
$ mkdir branches
$ mkdir tags
$ cp -R /var/www/www.progclub.org/mediawiki-1.17.0/* trunk/
$ ls
branches  tags  trunk
$ cd trunk/
$ ls
api.php     images             maintenance           RELEASE-NOTES
api.php5    img_auth.php       math                  resources
bin         img_auth.php5      mw-config             serialized
cache       includes           opensearch_desc.php   skins
config      index.php          opensearch_desc.php5  StartProfiler.sample
COPYING     index.php5         php5.php5             thumb.php
CREDITS     INSTALL            profileinfo.php       thumb.php5
docs        languages          README                trackback.php
extensions  load.php           redirect.php          trackback.php5
FAQ         load.php5          redirect.php5         UPGRADE
HISTORY     LocalSettings.php  redirect.phtml        wiki.phtml
$ rm LocalSettings.php
$ cd ../..
$ svn add pcwiki/
$ svn ci -m "Checking in original mediawiki files"
$ sudo etckeeper commit "Subversion HTTPS"
[sudo] password for jj5:
Committing to: /etc/
added apache2/dav_svn.passwd
modified apache2/sites-available/default-ssl
Committed revision 10.

Then using TortoiseSVN on my workstation I checked out,

https://www.progclub.org/svn/pcrepo/pcwiki/trunk

into

C:\Inetpub\wwwroot\pcwiki

Copied in LocalSettings.php, added it to the ignore list, and checked in.

# cd /var/www/www.progclub.org/
# svn co https://www.progclub.org/svn/pcrepo/pcwiki/trunk pcwiki
# cp mediawiki-1.17.0/LocalSettings.php pcwiki/
# cd /etc/apache2/sites-enabled/
# vim 000-default

Changed alias on line 17,

Alias /pc /var/www/www.progclub.org/pcwiki/index.php
# vim 000-default-ssl

Changed alias on line 17,

Alias /pc /var/www/www.progclub.org/pcwiki/index.php
# apache2ctl graceful
# etckeeper commit "pcwiki web"
Committing to: /etc/
modified apache2/sites-available/default
modified apache2/sites-available/default-ssl
Committed revision 11.

Reloaded a page from the web-site, and everything seems to be working well.

Copied in changes for mediawiki skin oldskool on my workstation and checked in to svn. There seems to be a new-line thing going on whereby every file got updated with different line-feed sequence (I'm guessing \r\n rather than just \n) -- it changed nearly every file, but I just checked it in anyway.

# cd /var/www/www.progclub.org/pcwiki
# svn update

Reloaded a page from the web-site, and everything seems to be in order.

# cd /var/www/www.progclub.org/
# svn co https://www.progclub.org/svn/pcrepo/pcwiki/trunk pcwiki-dev
# cp pcwiki/LocalSettings.php pcwiki-dev/
# cd pcwiki-dev/
# vim LocalSettings.php
(reconfigured style and script path)
# svn update

John 2011-07-27 04:44

Configuring MySQL for (not too) public access

# cd /etc/mysql
# vim my.cnf

Changed from line 52,

#bind-address           = 127.0.0.1
bind-address            = 67.207.128.184
# service mysql restart
mysql start/running, process 2598
# etckeeper commit "Bound MySQL to public IP address"
Committing to: /etc/
modified mysql/my.cnf
Committed revision 7.
# vim /etc/iptables.up.rules
# Allows MySQL connections from John's house
-A INPUT -s <John's IP>/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allows MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# iptables -F
# iptables-restore < /etc/iptables.up.rules
# etckeeper commit "Updated firewall rules -- MySQL from John's house"
Committing to: /etc/
modified iptables.up.rules
Committed revision 8.
# mysql -uroot -p
mysql> use mysql;
mysql> select host, user from user
mysql> create user 'pcwiki'@'<John's house>' identified by '<password>';
mysql> grant all privileges on pcwiki.* to 'pcwiki'@'<John's house>' with grant option;
mysql> flush privileges;

My development version of MediaWiki can now connect to the production database!

John 2011-07-27 04:09

Installing fail2ban

See Fail2ban for information about installing and configuring the program.

# apt-get install fail2ban
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  whois
Suggested packages:
  python-gamin mailx
The following NEW packages will be installed:
  fail2ban whois
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 129kB of archives.
After this operation, 1032kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe fail2ban 0.8.4-1ubuntu1 [96.0kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main whois 5.0.0ubuntu3 [32.6kB]
Fetched 129kB in 1s (123kB/s)
Selecting previously deselected package fail2ban.
(Reading database ... 17493 files and directories currently installed.)
Unpacking fail2ban (from .../fail2ban_0.8.4-1ubuntu1_all.deb) ...
Selecting previously deselected package whois.
Unpacking whois (from .../whois_5.0.0ubuntu3_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up fail2ban (0.8.4-1ubuntu1) ... 
Setting up whois (5.0.0ubuntu3) ...
Processing triggers for python-central ...
Committing to: /etc/
added fail2ban
added default/fail2ban
added fail2ban/action.d
added fail2ban/fail2ban.conf
added fail2ban/filter.d
added fail2ban/jail.conf
added fail2ban/action.d/complain.conf
added fail2ban/action.d/dshield.conf
added fail2ban/action.d/hostsdeny.conf
added fail2ban/action.d/ipfilter.conf
added fail2ban/action.d/ipfw.conf
added fail2ban/action.d/iptables-allports.conf
added fail2ban/action.d/iptables-multiport-log.conf
added fail2ban/action.d/iptables-multiport.conf
added fail2ban/action.d/iptables-new.conf
added fail2ban/action.d/iptables.conf
added fail2ban/action.d/mail-buffered.conf
added fail2ban/action.d/mail-whois-lines.conf
added fail2ban/action.d/mail-whois.conf
added fail2ban/action.d/mail.conf
added fail2ban/action.d/mynetwatchman.conf
added fail2ban/action.d/sendmail-buffered.conf
added fail2ban/action.d/sendmail-whois-lines.conf
added fail2ban/action.d/sendmail-whois.conf
added fail2ban/action.d/sendmail.conf
added fail2ban/action.d/shorewall.conf
added fail2ban/filter.d/apache-auth.conf
added fail2ban/filter.d/apache-badbots.conf
added fail2ban/filter.d/apache-nohome.conf
added fail2ban/filter.d/apache-noscript.conf
added fail2ban/filter.d/apache-overflows.conf
added fail2ban/filter.d/common.conf
added fail2ban/filter.d/courierlogin.conf
added fail2ban/filter.d/couriersmtp.conf
added fail2ban/filter.d/cyrus-imap.conf
added fail2ban/filter.d/exim.conf
added fail2ban/filter.d/gssftpd.conf
added fail2ban/filter.d/lighttpd-fastcgi.conf
added fail2ban/filter.d/named-refused.conf
added fail2ban/filter.d/pam-generic.conf
added fail2ban/filter.d/php-url-fopen.conf
added fail2ban/filter.d/postfix.conf
added fail2ban/filter.d/proftpd.conf
added fail2ban/filter.d/pure-ftpd.conf
added fail2ban/filter.d/qmail.conf
added fail2ban/filter.d/sasl.conf
added fail2ban/filter.d/sieve.conf
added fail2ban/filter.d/sshd-ddos.conf
added fail2ban/filter.d/sshd.conf
added fail2ban/filter.d/vsftpd.conf
added fail2ban/filter.d/webmin-auth.conf
added fail2ban/filter.d/wuftpd.conf
added fail2ban/filter.d/xinetd-fail.conf
added init.d/fail2ban
added logrotate.d/fail2ban
added rc0.d/K99fail2ban
added rc1.d/K99fail2ban
added rc2.d/S99fail2ban
added rc3.d/S99fail2ban
added rc4.d/S99fail2ban
added rc5.d/S99fail2ban
added rc6.d/K99fail2ban
Committed revision 6.
# iptables -L
...
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Then I tried dud logins from loki.progsoc.uts.edu.au, and

# iptables -L
...
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  loki.progsoc.uts.edu.au  anywhere
RETURN     all  --  anywhere             anywhere

Which is what we wanted to see.

John 2011-07-27 03:41

Configuring IPTables

See this article for information on configuring IPTables.

# vim /etc/iptables.up.rules
*filter
#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#  Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
# iptables-restore < /etc/iptables.up.rules
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8         reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:30000
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
# vim /etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
# chmod +x /etc/network/if-pre-up.d/iptables
# etckeeper commit "Configured IPTables"
Committing to: /etc/
added iptables.up.rules
added network/if-pre-up.d/iptables
Committed revision 4.

The commands for modifying IPTables firewall rules are now:

# vim /etc/iptables.up.rules
# /sbin/iptables -F
# /sbin/iptables-restore < /etc/iptables.up.rules
# etckeeper commit "Updated firewall rules"

John 2011-07-27 03:33

Disabling root SSH login

Per the instructions Disabling Direct Root Login (SSH),

$ sudo -s
# cd /etc/ssh
# vim sshd_config

Changed line 26 to,

PermitRootLogin no

Then,

$ sudo service ssh restart
$ sudo etckeeper commit "Disabled root logins"

John 2011-07-27 03:27

Configuring the system locale

Per the instructions,

$ sudo /usr/sbin/locale-gen en_AU.UTF-8
Generating locales...
  en_AU.UTF-8... done
Generation complete.
$ sudo /usr/sbin/update-locale LANG=en_AU.UTF-8
$ sudo etckeeper commit "Set system locale"

John 2011-07-27 03:20

Configuring jj5's environment

Per the instructions about configuring the Environment, I added,

# JE 2011-07-27 03:16
export EDITOR=/usr/bin/vim

to end of /home/jj5/.profile

and ran,

$ sudo update-alternatives --config editor
There are 3 choices for the alternative editor (providing /usr/bin/editor).
  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/nano            40        manual mode
  2            /usr/bin/vim.basic   30        manual mode
  3            /usr/bin/vim.tiny    10        manual mode
Press enter to keep the current choice[*], or type selection number: 2
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/editor (editor) in manual mode.

to configure the visudo editor. (Forgot to commit with etckeeper!)

John 2011-07-27 01:20

Creating a favicon.ico

MediaWiki is configured to use one, and web-browsers are requesting it, and it's 404ing, so best if I put a file there. Used iconj to generate a favicon.ico file, and used WinSCP to copy it to /var/www/www.progclub.org/favicon.ico on Charity.

Was having a problem with the favicon.ico loading in firefox, so I generated a new one with favicon.cc. I don't actually think the favicon.ico file was the problem though. But the change has been made now, and there's no point reverting it, because it's all working.

John 2011-07-27 01:01

Configuring robots.txt

Having some trouble with search engine looking for URLs from the previous domain owners. Going to setup a robots.txt file to try and fix up what I can there. Found 6 methods to control what and how your content appears in search engines to help guide me.

# cd /var/www/www.progclub.org/
# vim robots.txt
User-agent: *
Disallow: /stories/
Disallow: /story/
Disallow: /members/
Disallow: /vehicles/

Will expand on this as other URLs that need addressing become apparent in the logs.

Watching the Apache web-logs

Created /home/jj5/bin/spy to setup a window to watch the web-logs.

#!/bin/bash
sudo tail -f /var/log/apache2/access.log /var/log/apache2/ssl_access.log

John 2011-07-26 22:25

Adding user key720

# adduser key720
Adding user `key720' ...
Adding new group `key720' (1003) ...
Adding new user `key720' (1003) with group `key720' ...
Creating home directory `/home/key720' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for key720
Enter the new value, or press ENTER for the default
        Full Name []: <name>
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]

Also added Key to the wiki.

Tasaio 2011-07-26 21:39

Setting up Etckeeper

$ sudo apt-get install etckeeper

That's really all there is to it. There's an auto commit every day, an autocommit whenever you apt-get install something and you can manually commit your changes using:

$ sudo etckeeper commit "Changed foo to achieve bar"

See the commit log for a file with:

$ sudo bzr log /etc/passwd

This means we should be able to see with reasonable accuracy what changed when, and as long as people commit their changes (and use sudo rather than abusing sudo su or the like), we'll even know who did it. Useful for quickly rolling back silly changes and catching those changes people forget to log on the wiki.

John 2011-07-26 09:55

Adding user sanguinev

# adduser sanguinev
Adding user `sanguinev' ...
Adding new group `sanguinev' (1002) ...
Adding new user `sanguinev' (1002) with group `sanguinev' ...
Creating home directory `/home/sanguinev' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for sanguinev
Enter the new value, or press ENTER for the default
        Full Name []: Thomas
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
# gpasswd -a sanguinev sudo
Adding user sanguinev to group sudo

Added a wiki user too.

John 2011-07-26 09:13

Adding user jj5

root@charity:~# adduser jj5
Adding user `jj5' ...
Adding new group `jj5' (1000) ...
Adding new user `jj5' (1000) with group `jj5' ...
Creating home directory `/home/jj5' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jj5
Enter the new value, or press ENTER for the default
        Full Name []: John Elliot
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
root@charity:~# gpasswd -a jj5 sudo
Adding user jj5 to group sudo

That was easy. PuTTY says it works!

Adding user tasaio

root@charity:~# adduser tasaio
Adding user `tasaio' ...
Adding new group `tasaio' (1001) ...
Adding new user `tasaio' (1001) with group `tasaio' ...
Creating home directory `/home/tasaio' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for tasaio
Enter the new value, or press ENTER for the default
        Full Name []: Justin
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
root@charity:~# gpasswd -a tasaio sudo
Adding user tasaio to group sudo

That was easy too! Will create a wiki user for him too.

John 2011-07-26 08:47

I could be accused of ignorance. When I created my key file for the CSR request I nominated a pass-phrase. This phrase is required to be entered every time you restart Apache. Gah! Until I can figure out a way to fix it I've created a script in /sbin called restart-apache which enters the key's pass-phrase automatically.

# cd /sbin
# vim restart-apache
#!/bin/bash
echo <the pass phrase> | apache2ctl graceful
# chmod u+x restart-apache
# restart-apache

Works swimmingly. Will reboot to see what happens when apache tries to load from a boot.

Apache chokes on boot. Found this article, which suggests,

# cd ~
# cp progclub.key progclub.key.pass-phrase
# openssl rsa -in progclub.key.pass-phrase -out progclub.key
# chmod 400 progclub.*
# reboot

Hopefully Apache comes back up this time... yep!

Will keep the restart-apache script in sbin, but will remove the part that specified the key pass-phrase.

John 2011-07-26 06:20

Getting an HTTPS certificate

Searched for certificate sni cheap, found Go Daddy SSL Certificate. Decided on the Multiple Domains UCC - A$82.93/yr setup, which looks like it will suit us. Picked up to 5 domains for 3 years. It offered me free .mobi registration, so I added progclub.mobi. I then also added progclub.biz and progclub.co, I'm a sucker. Registration information recorded in Blackbrick Account Manager. Setup the nameservers for the new domains to point to ns*.slicehost.net via My Account.

Had to generate a Certificate Signing Request (CSR) per these instructions (for Apache 2.x).

# cd ~
# openssl genrsa -des3 -out progclub.key 2048
# openssl req -new -key progclub.key -out progclub.csr

See Blackbrick Account Manager for full details.

Certificate Type

  • Hosting: Third Party Hosting
  • Domain Name: www.progclub.org
  • Certificate Issuing Organization: Go Daddy
  • Subject Alt Names: www.progclub.net www.progclub.mobi www.progclub.info www.progclub.co
You're through!
Your certificate will be issued shortly.
You can monitor the progress of your certificate application by going to the
Pending Requests folder and clicking your Common Name. When we are through
verifying your application, you will receive an email with further instructions.

Downloaded the progclub.org.zip that was eventually generated, and used WinSCP to copy it to root's home directory on charity. Found info about Installing an SSL Certificate in Apache.

# cd /etc/apache2/sites-available/
# vim default-ssl

Set,

ServerAdmin jj5@jj5.net
DocumentRoot /var/www/www.progclub.org
# cd ~
# ls
progclub.csr  progclub.key  progclub.org.zip
# unzip progclub.org.zip
-bash: unzip: command not found
# apt-get install unzip
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  zip
The following NEW packages will be installed:
  unzip
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 189kB of archives.
After this operation, 406kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main unzip 6.0-1build1 [189kB]
Fetched 189kB in 0s (195kB/s)
Selecting previously deselected package unzip.
(Reading database ... 15343 files and directories currently installed.)
Unpacking unzip (from .../unzip_6.0-1build1_amd64.deb) ...
Processing triggers for man-db ...
Setting up unzip (6.0-1build1) ...
# unzip progclub.org.zip
Archive:  progclub.org.zip
  inflating: gd_bundle.crt
  inflating: progclub.org.crt
# ls
gd_bundle.crt  progclub.csr  progclub.key  progclub.org.crt  progclub.org.zip
# cd /etc/apache2/sites-available/
# vim default-ssl
#SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateFile /root/progclub.org.crt
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateKeyFile /root/progclub.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
SSLCertificateChainFile /root/gd_bundle.crt

Saved changes.

# a2ensite default-ssl
# /etc/init.d/apache2 reload
 * Reloading web server config apache2                                   [ OK ]
# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
# /etc/init.d/apache2 restart

Navigated to https://www.progclub.org/, and it worked!

# cd /etc/apache2/sites-enabled/
# vim 000-default-ssl
Alias /pc /var/www/www.progclub.org/mediawiki-1.17.0/index.php

The secure wiki is now working!

John 2011-07-25 17:53

Installing MediaWiki

Found the MediaWiki download page, which references mediawiki-1.17.0.tar.gz.

# cd /var/www/www.progclub.org/
# wget http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.tar.gz
# ls
index.html  mediawiki-1.17.0.tar.gz  test.php
# tar xzf mediawiki-1.17.0.tar.gz
# ls
index.html  mediawiki-1.17.0  mediawiki-1.17.0.tar.gz  test.php
# rm mediawiki-1.17.0.tar.gz
# cd mediawiki-1.17.0/
# ls
COPYING               bin            languages             redirect.php5
CREDITS               cache          load.php              redirect.phtml
FAQ                   config         load.php5             resources
HISTORY               docs           maintenance           serialized
INSTALL               extensions     math                  skins
README                images         mw-config             thumb.php
RELEASE-NOTES         img_auth.php   opensearch_desc.php   thumb.php5
StartProfiler.sample  img_auth.php5  opensearch_desc.php5  trackback.php
UPGRADE               includes       php5.php5             trackback.php5
api.php               index.php      profileinfo.php       wiki.phtml
api.php5              index.php5     redirect.php

Didn't find a LocalSettings.php, which is what I was expecting, so reading INSTALL.

# less INSTALL

It told me to navigate to the setup page. The setup page complained about a missing LocalSettings.php, so they haven't changed that after all. Clicked on setup the wiki.

Specified,

* Your language: en - English
* Wiki language: en - English

Clicked continue, and amoung it's checks was a complaint:

Could not find a suitable database driver! You need to install a database driver for PHP. The following
database types are supported: MySQL, PostgreSQL, Oracle, SQLite.
If you are on shared hosting, ask your hosting provider to install a suitable database driver. If you compiled
PHP yourself, reconfigure it with a database client enabled, for example using ./configure --with-mysql. 
If you installed PHP from a Debian or Ubuntu package, then you also need install the php5-mysql module.

So,

# apt-get install php5-mysql
# apache2ctl graceful

Then reloaded the config page,

The environment has been checked. You can install MediaWiki.

Clicked continue, and got the Connect to database page. Looks like I'm going to need a database user for the wiki, so

# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create user 'pcwiki'@'localhost' identified by '<password>';
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye

Back on the config page:

* Database type: MySQL
* Database host: localhost
* Database name: pcwiki
* Database table prefix: pcwiki__
* Database username: pcwiki
* Database password: <password>

Clicked continue, and got the Database settings page. Specified,

* Database account for web access: Use the same account as for installation
* Storage engine: InnoDB (the default, other choice was MyISAM)
* Database character set: UTF-8 (not the default, the default choice was Binary)

Clicked continue, and got the Name page. Specified,

* Name of wiki: ProgClub
* Project namespace: Same as the wiki name: ProgClub

Configuration for the Administrator account,

* Your name: John
* Password: <password>
* Password again: <password>
* E-mail address: jj5@jj5.net
You are almost done! You can now skip the remaining configuration and install the wiki right now.

Chose Ask me more questions, and got the Options page. Specified,

* User rights profile: Traditional wiki
* Copyright and license: No license footer
* Enable outbound e-mail: true
* Return e-mail address: wiki@progclub.org
* Enable user-to-user e-mail: true
* Enable user talk page notification: true
* Enable watchlist notification: true
* Enable e-mail authentication: true
* Enable file uploads: true
* Directory for deleted files: /var/www/www.progclub.org/mediawiki-1.17.0/images/deleted
* Logo URL: /res/img/logo.png
* Settings for object caching: No caching

Clicked Continue, and got the confirmation page. Clicked Continue again. Got an error because the database user couldn't create the database. Created the database manually,

# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database `pcwiki`;
Query OK, 1 row affected (0.00 sec)
mysql> exit
Bye

Decided it would be easier to let MediaWiki create the database, so went back and specified the database config details to use the root user. I will change this to be the pcwiki user manually after the database has been created.

Setting up database... done
Creating tables... done
Creating database user... done
Populating default interwiki table... done
Initializing statistics... done
Generating secret keys... done
Creating administrator user account... done
Creating main page with default content... done

Clicked continue,

Congratulations! You have successfully installed MediaWiki.
The installer has generated a LocalSettings.php file. It contains all your configuration.
You will need to download it and put it in the base of your wiki installation (the same
directory as index.php). The download should have started automatically.
If the download was not offered, or if you cancelled it, you can restart the download by
clicking the link below: Download LocalSettings.php
Note: If you do not do this now, this generated configuration file will not be available
to you later if you exit the installation without downloading it.
When that has been done, you can enter your wiki.

Downloaded the LocalSettings.php file and copied it to /var/www/www.progclub.org/mediawiki.1.17.0

Edited LocalSettings.php and changed the database user:

$wgDBuser           = "pcwiki";
$wgDBpassword       = "<password>";

Also added an article path:

$wgArticlePath      = "/pc/$1";

Also need to grant access for pcwiki user:

# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 54
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> grant all privileges on pcwiki.* to pcwiki@localhost;
Query OK, 0 rows affected (0.11 sec)
mysql> exit
Bye

Then need to edit apache conf file to include the pc alias:

# cd /etc/apache2/sites-enabled/
# vim 000-default

added,

Alias /pc /var/www/www.progclub.org/mediawiki-1.17.0/index.php

then,

# apache2ctl graceful

Also,

# cd /var/www/www.progclub.org/
# mkdir res
# mkdir res/img

Then uploaded a logo.png to there with WinSCP. The logo settings hadn't been properly specified in the generated LocalSettings.php file, so,

# cd /var/www/www.progclub.org/mediawiki-1.17.0/
# vim LocalSettings.php

and changed the logo setting,

$wgLogo             = "/res/img/logo.png";

Checked the wiki, and it's all working nicely.

John 2011-07-25 17:12

Preparing WWW hosting

# cd /var/www
# mkdir www.progclub.org
# mv index.html test.php www.progclub.org/
# ls
# cd www.progclub.org/
# ls
index.html  test.php

Everything is in order.

# cd /etc/apache2/sites-enabled/
# ls
000-default
# vim 000-default

Specified ServerAdmin,

ServerAdmin jj5@progclub.org

Changed document root,

DocumentRoot /var/www/www.progclub.org/

Changed the <Directory /var/www/> section to,

<Directory /var/www/www.progclub.org/>

Saved changes and quit vim. Restarted apache,

# apache2ctl graceful

Apache complained,

apache2: Could not reliably determine the server's fully qualified domain name, using charity.progclub.org for ServerName

Searched for "apache2: Could not reliably determine the server's fully qualified domain name, using " and found an answer.

Ran,

# hostname charity.progclub.org

which I guess is a better way to set the hostname than editing /etc/hostname like I did. :P

Ran,

# apache2ctl graceful

again, and got the same error,

apache2: Could not reliably determine the server's fully qualified domain name, using charity.progclub.org for ServerName

Tried a reboot to see if the hostname is updated after that,

# reboot

Still having problems with,

# apache2ctl graceful

So read more of the answer, and then,

# hostname charity
# vim /etc/hosts

Specified the file contents as

127.0.0.1          localhost localhost.localdomain
67.207.128.184     charity charity.progclub.org

Then rebooted,

# reboot

Ran hostname and got,

# hostname
charity.progclub.org

So edited /etc/hostname and specified

charity

Rebooted,

# reboot

Searched for "/etc/hostname", and found an answer. Short name goes in /etc/hostname, so we should be configured correctly now. Apache is still complaining though,

# apache2ctl graceful
apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName

and it's using the IP address rather than charity.progclub.org now. Will manually specify ServerName in /etc/apache2/sites-enabled/000-default

# cd /etc/apache2/sites-enabled/
# vim 000-default

Added,

ServerName  charity.progclub.org

Ran,

# apache2ctl graceful

again, and got the same friggin' error! More web-searching... found a different answer, tried editing /etc/hosts to put the names the other way around,

# vim /etc/hosts
127.0.0.1          localhost.localdomain localhost
67.207.128.184     charity.progclub.org charity

Rebooted,

# reboot

Tried apache2ctl again,

# apache2ctl graceful

And got no error! Yay!

Checked

* www.progclub.org

and found everything to be working. Web hosting is now configured.

John 2011-07-25 17:11

PHP software installation

I created a test.php file at /var/www/test.php to see if PHP was working out-of-the-box. I navigated to test.php to check, and it tried to download the PHP file, so I guess PHP isn't installed.

The test.php file I used was,

<? phpinfo(); ?>

Searched for PHP installation candidate,

# apt-cache search php5 | less

Found php5, which looks promising.

# apt-get install php5
The following extra packages will be installed:
 apache2-mpm-prefork libapache2-mod-php5 php5-common
Suggested packages:
 php-pear php5-suhosin
The following packages will be REMOVED:
 apache2-mpm-worker
The following NEW packages will be installed:
 apache2-mpm-prefork libapache2-mod-php5 php5 php5-common
0 upgraded, 4 newly installed, 1 to remove and 0 not upgraded.
Need to get 3544kB of archives.
After this operation, 9568kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main apache2-mpm-prefork 2.2.14-5ubuntu8.4 [2420B]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5-common 5.3.2-1ubuntu4.9 [551kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libapache2-mod-php5 5.3.2-1ubuntu4.9 [2990kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5 5.3.2-1ubuntu4.9 [1112B]
Fetched 3544kB in 1s (1913kB/s)
dpkg: apache2-mpm-worker: dependency problems, but removing anyway as you requested:
 apache2 depends on apache2-mpm-worker (= 2.2.14-5ubuntu8.4) | apache2-mpm-prefork (= 2.2.14-5ubuntu8.4) | apache2-mpm-event (= 2.2.14-5ubuntu8.4) | apache2-mpm-itk (= 2.2.14-5ubuntu8.4); however:
 Package apache2-mpm-worker is to be removed.
 Package apache2-mpm-prefork is not installed.
 Package apache2-mpm-event is not installed.
 Package apache2-mpm-itk is not installed.
(Reading database ... 15291 files and directories currently installed.)
Removing apache2-mpm-worker ...
 * Stopping web server apache2                                                  apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
... waiting .                                                           [ OK ]
Selecting previously deselected package apache2-mpm-prefork.
(Reading database ... 15283 files and directories currently installed.)
Unpacking apache2-mpm-prefork (from .../apache2-mpm-prefork_2.2.14-5ubuntu8.4_amd64.deb) ...
Selecting previously deselected package php5-common.
Unpacking php5-common (from .../php5-common_5.3.2-1ubuntu4.9_amd64.deb) ...
Selecting previously deselected package libapache2-mod-php5.
Unpacking libapache2-mod-php5 (from .../libapache2-mod-php5_5.3.2-1ubuntu4.9_amd64.deb) ...
Selecting previously deselected package php5.
Unpacking php5 (from .../php5_5.3.2-1ubuntu4.9_all.deb) ...
Setting up apache2-mpm-prefork (2.2.14-5ubuntu8.4) ...
 * Starting web server apache2                                                  apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
                                                                        [ OK ]
Setting up php5-common (5.3.2-1ubuntu4.9) ...
Setting up libapache2-mod-php5 (5.3.2-1ubuntu4.9) ...
Creating config file /etc/php5/apache2/php.ini with new version
 * Reloading web server config apache2                                          apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
                                                                        [ OK ]
Setting up php5 (5.3.2-1ubuntu4.9) ...

Noticed the complaining about the server's fully qualified domain name, so

# vim /etc/hostname

and changed from

charity

to

charity.progclub.org

Then I rebooted,

# reboot

Logged in again and checked the hostname,

# hostname

which was correctly reported as,

charity.progclub.org

Then I navigated to the test.php page, and got back the phpinfo().

John 2011-07-25 16:40

Apache and MySQL software installation

Searched for MySQL software,

# apt-cache search mysql | less

Found mysql-server, which looks like a good candidate.

Searched for Apache software,

# apt-cache search apache2 | less

Found apache2, which looks like a good candidate.

# apt-get install apache2 mysql-server
The following extra packages will be installed:
 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1
 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libdbd-mysql-perl
 libdbi-perl libexpat1 libhtml-template-perl libmysqlclient16
 libnet-daemon-perl libplrpc-perl mysql-client-5.1 mysql-client-core-5.1
 mysql-common mysql-server-5.1 mysql-server-core-5.1 psmisc ssl-cert
Suggested packages:
 www-browser apache2-doc apache2-suexec apache2-suexec-custom ufw dbishell
 libipc-sharedcache-perl tinyca mailx
The following NEW packages will be installed:
 apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common
 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap
 libdbd-mysql-perl libdbi-perl libexpat1 libhtml-template-perl
 libmysqlclient16 libnet-daemon-perl libplrpc-perl mysql-client-5.1
 mysql-client-core-5.1 mysql-common mysql-server mysql-server-5.1
 mysql-server-core-5.1 psmisc ssl-cert

Configuring mysql-server-5.1

Dpkg showed a configuration screen for configuring the root password. I set one.

Apache and MySQL software installation, continued

I rebooted after installing the above software,

# reboot

I checked the Apache installation by navigating to www.progclub.org and It Works!

John 2011-07-25 16:34

SSH'ed in as root and ran:

# apt-get update
# apt-get dist-upgrade
# reboot

John 2011-07-25 16:00

Had to stuff around with resetting the root password on charity, but remote logins via SSH are working now for root.

John 2011-07-25 15:52

Configured the name server with progclub.org, progclub.net and progclub.info DNS zones on slicehost. The SliceManager should be used to maintain the DNS records for progclub.