Commit 74d24c0f authored by Elias Ojala's avatar Elias Ojala

Import from legacy wiki

<!-- TITLE: Android Captiveportal Server -->
<!-- SUBTITLE: Set custom captive portal check server to your Android. -->
By default, Android uses Google's servers for its captive portal check.
## Afwall custom script
```bash
# captive portal
su
settings put global captive_portal_detection_enabled 1
settings put global captive_portal_mode 1
settings put global captive_portal_use_https 1
settings put global captive_portal_server captivecheck.theel0ja.info
settings put global captive_portal_http_url http://captivecheck.theel0ja.info
settings put global captive_portal_https_url https://captivecheck.theel0ja.info
```
Replace `captivecheck.theel0ja.info` with your own server if you want.
The server must answer a request for the root path (`/`) with HTTP 204 No Content.
Example with PHP:
```php
<?php
// Answer every request with 204 No Content and an empty body, which is
// what Android's captive portal check expects from a non-captive network.
http_response_code(204);
```
# Installation
[link to gist](https://gist.github.com/theel0ja/1dc59681efdd94ecb1e3446ad9a5137d)
<!-- TITLE: Certbot -->
<!-- SUBTITLE: My certbot stuff -->
### Required packages (Debian 9)
* [certbot](https://packages.debian.org/stretch-backports/certbot) (stretch-backports)
* [python3-certbot-dns-cloudflare](https://packages.debian.org/stretch-backports/python3-certbot-dns-cloudflare) (stretch-backports)
`sudo apt install certbot python3-certbot-dns-cloudflare -t stretch-backports`
### Required packages (CentOS 7)
* python2-certbot
* python2-certbot-dns-cloudflare
## Wildcard certificate (DNS, Cloudflare)
```bash
# quote the wildcard so the shell does not try to expand it
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory \
  --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini \
  -d '*.example.com' -d example.com certonly
```
## Wildcard (DNS, Manual)
```bash
# quote the wildcard so the shell does not try to expand it
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory \
  --manual \
  --preferred-challenges dns \
  -d '*.example.com' -d example.com certonly
```
## DH params
```bash
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
```
## Cloudflare Credentials
```bash
# the directory normally exists already once certbot is installed
sudo mkdir -p /etc/letsencrypt
# this file holds your Cloudflare API credentials: keep it root-only (0600),
# certbot warns about unsafe permissions on it
sudo touch /etc/letsencrypt/dnscloudflare.ini
sudo chmod 600 /etc/letsencrypt/dnscloudflare.ini
sudo nano /etc/letsencrypt/dnscloudflare.ini
```
## Nginx Sites-available
```nginx
server {
    # SSL configuration
    #
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;
    include snippets/ssl-params.conf;
    include snippets/ssl/example.com.conf;
    root /var/www/example.com;
    # Add index.php to the list if you are using PHP
    index index.php index.html;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}
```
## nginx
```bash
sudo mkdir -p /etc/nginx/snippets/ssl/
sudo mkdir -p /etc/nginx/sites-available/_utilities
sudo nano /etc/nginx/snippets/ssl-params.conf
sudo nano /etc/nginx/sites-available/_utilities/http-redirect
sudo ln -s /etc/nginx/sites-available/_utilities/http-redirect /etc/nginx/sites-enabled/
# the default site is only a symlink, so -f is enough
sudo rm -f /etc/nginx/sites-enabled/default
```
## http redirect
filename: `/etc/nginx/sites-available/_utilities/http-redirect`
```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    location / {
        return 301 https://$host$request_uri;
    }
}
```
## nginx per-cert config
filename: `/etc/nginx/snippets/ssl/example.com.conf`
```nginx
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
```
## SSL params
filename: `/etc/nginx/snippets/ssl-params.conf`
```nginx
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0f&hsts=yes&profile=modern
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000";
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
```
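As an added check that is not part of this wiki, the POSIX shell lint below reads an `ssl-params.conf` snippet like the one above and fails on legacy protocols, on session tickets left on, and on a missing or short HSTS `max-age`. The directive parser, the one-year HSTS threshold and the sample snippet are my own assumptions, not anything nginx or the page provides.

```shell
#!/bin/sh
# Added example, not from the wiki: lint an nginx ssl-params snippet for the
# settings that matter most. Thresholds and parsing are assumptions.

# nginx_directive FILE NAME -> arguments of the first NAME directive
# (comments and the trailing ';' stripped); prints nothing if absent.
nginx_directive() {
    sed 's/#.*$//' "$1" | awk -v name="$2" '
        $1 == name { sub(/;[ \t]*$/, ""); $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# hsts_max_age FILE -> the max-age of the Strict-Transport-Security header,
# or 0 when the header is missing.
hsts_max_age() {
    age=$(sed 's/#.*$//' "$1" \
        | grep -i 'add_header.*Strict-Transport-Security' \
        | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    echo "${age:-0}"
}

# check_tls_params FILE -> 0 if the snippet passes, 1 otherwise
# (each failed check is reported on stderr)
check_tls_params() {
    rc=0
    protos=$(nginx_directive "$1" ssl_protocols)
    [ -n "$protos" ] || { echo "FAIL: ssl_protocols not set explicitly" >&2; rc=1; }
    for proto in $protos; do
        case "$proto" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "FAIL: legacy protocol $proto enabled" >&2; rc=1 ;;
        esac
    done
    # nginx does not rotate its ticket key by default, which weakens forward secrecy
    [ "$(nginx_directive "$1" ssl_session_tickets)" = "off" ] \
        || { echo "FAIL: ssl_session_tickets should be off" >&2; rc=1; }
    [ "$(hsts_max_age "$1")" -ge 31536000 ] \
        || { echo "FAIL: HSTS header missing or max-age under one year" >&2; rc=1; }
    return $rc
}

# Stand-alone demo on a constructed snippet (constructed sample, not a real host)
demo=$(mktemp)
printf 'ssl_protocols TLSv1.2 TLSv1.3;\nssl_session_tickets off;\nadd_header Strict-Transport-Security "max-age=63072000";\n' > "$demo"
check_tls_params "$demo" && echo "ssl-params: OK"
rm -f "$demo"
```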
<!-- TITLE: Initial Server Setup Debian 9 -->
# Prevent login without pubkey
Change this in `/etc/ssh/sshd_config`:
```
PermitRootLogin yes
```
to:
```
PermitRootLogin no
```
and this:
```
#PasswordAuthentication yes
```
to this:
```
PasswordAuthentication no
```
## SSH tweaks
Comment out the line `AcceptEnv LANG LC_*`.
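The three `sshd_config` edits above are easy to get wrong because sshd takes the first uncommented value of a keyword, not the last. The POSIX shell check below, an added example that is not part of the wiki, follows that rule (and stops at the first `Match` block) to confirm the effective settings; the function names and the sample configs are my own.

```shell
#!/bin/sh
# Added example, not part of the wiki page: verify that an sshd_config
# carries the three changes above. sshd uses the FIRST uncommented value
# of each keyword, and directives below a "Match" line only apply inside
# that block, so a stray "PermitRootLogin yes" higher up silently wins.
# This check follows the same rules instead of grepping for the last hit.

# sshd_effective FILE KEYWORD -> the global value sshd would use
# (keywords are case-insensitive), or "default" if it is never set.
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); found = 0 }
        /^[ \t]*#/ || NF < 2 { next }          # comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "default" }' "$1"
}

# check_sshd_hardening FILE -> 0 when root login and password logins are
# off and AcceptEnv is not set; 1 otherwise, with each failure on stderr.
check_sshd_hardening() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        case "$(sshd_effective "$1" "$kw")" in
            [Nn][Oo]) ;;
            *) echo "FAIL: $kw must be 'no' (first uncommented value wins)" >&2
               rc=1 ;;
        esac
    done
    [ "$(sshd_effective "$1" AcceptEnv)" = "default" ] \
        || { echo "FAIL: AcceptEnv is still set; comment it out" >&2; rc=1; }
    return $rc
}

# Stand-alone demo on a constructed config (constructed sample, not a real host)
demo=$(mktemp)
printf 'Port 22\n#PermitRootLogin yes\nPermitRootLogin no\nPasswordAuthentication no\n#AcceptEnv LANG LC_*\n' > "$demo"
check_sshd_hardening "$demo" && echo "sshd_config hardening: OK"
rm -f "$demo"
```

Run it against the real file with `check_sshd_hardening /etc/ssh/sshd_config` before restarting sshd; `sshd -T` on the host remains the authoritative view of the effective configuration.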
# Create new user
```
adduser eliaso
```
## sudo
```
apt update
apt install sudo -y
# add your user to sudo group
usermod -aG sudo eliaso
```
# setup firewall
```
sudo apt install ufw -y
```
Then, proceed here: https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04#step-4-%E2%80%94-setting-up-a-basic-firewall
# enable login for your new user
```
sudo apt install rsync -y
rsync --archive --chown=eliaso:eliaso ~/.ssh /home/eliaso
```
<!-- this needs sudo -->
Then, restart sshd with the following command:
```
sudo service sshd restart
```
Then log in as the new user and run `sudo whoami`; it should print `root`.
<!-- TITLE: MySQL -->
This is my notebook for MySQL related stuff.
```sql
-- Create a database and a user that may only connect from localhost.
CREATE DATABASE database_name;
CREATE USER 'user_name'@'localhost' IDENTIFIED BY 'password';
-- The password is already set by CREATE USER; the "GRANT ... IDENTIFIED BY"
-- form was removed in MySQL 8.0, so only grant privileges here.
GRANT ALL ON database_name.* TO 'user_name'@'localhost';
```
## Code generator
TODO: Make one
<!-- TITLE: Phusion Passenger -->
<!-- SUBTITLE: Phusion Passenger configuration -->
## Create new user
```bash
# service account for the app: no home directory, no shell login, no password
sudo adduser --no-create-home --disabled-login --disabled-password kouluruoka-turku-api
```
<!-- TITLE: Solus Wireguard -->
<!-- SUBTITLE: Guide for building Wireguard on Solus -->
## Dependencies
```bash
sudo eopkg it -c system.devel
sudo eopkg install libmnl-devel
sudo eopkg it -c kernel.devel
sudo eopkg install libelf-devel
sudo eopkg install jq # for azirevpn script
```
## Download repo
```bash
cd ~
git clone --depth=1 https://git.zx2c4.com/WireGuard
```
## Add this to your .bashrc or .zshrc
```bash
alias wg-rebuild='cd ~/WireGuard/ && git pull https://git.zx2c4.com/WireGuard && cd src && make -j8 && sudo make install && make clean'
```
Then, run `wg-rebuild`.
## Thanks
* [@As4fN1v](https://twitter.com/As4fN1v) ([github](https://github.com/asafniv))
<!-- TITLE: Useful Tools -->
<!-- SUBTITLE: Useful Tools for Server Administration -->
* [rpl](https://packages.debian.org/stretch/rpl) - intelligent recursive search/replace utility ([guide on StackExchange](https://unix.stackexchange.com/a/251742/237994))
* [dnsutils](https://packages.debian.org/stretch/dnsutils) - provides `dig`, among others; not installed by default on Debian, so a useful package to add.
## commands to remember
`sudo named-checkconf` - check the BIND (`named`) configuration for syntax errors