# Package setup for a fresh server. The commands carry no sudo, so they are
# meant to be typed as root; apt-get may ask for confirmation because -y is
# not passed.
# NOTE(review): the php5-* packages belong to the Ubuntu 14.04 era this page
# was tested on. PHP 5 no longer receives upstream security fixes, so on a
# current release use the distribution's supported PHP packages instead.
# Update the package index and upgrade the installed packages
apt-get update
apt-get upgrade
# Install additional packages
apt-get install language-pack-es-base
apt-get install git
# NOTE(review): after installing MySQL, review the root password, anonymous
# accounts and remote root login (mysql_secure_installation covers these).
apt-get install mysql-server
# (option A) Install Apache with mod_php and mpm-itk
# (mpm-itk provides the AssignUserId directive used in the site config below)
apt-get install apache2
apt-get install libapache2-mod-php5
apt-get install libapache2-mpm-itk
# (option B) Or install nginx with PHP-FPM instead
apt-get install nginx
apt-get install php5-fpm
# Install the remaining PHP modules
apt-get install php5-cli
apt-get install php5-imagick
apt-get install php5-curl
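# Edit the SSH daemon configuration (the required values are listed below).
vi /etc/ssh/sshd_config
# Check the edited file for syntax errors and reload only if it is valid:
# a broken sshd_config can leave the server without a working SSH daemon.
# Keep the current session open and confirm that key-based login works from a
# second session before closing it, because password logins are being disabled.
sshd -t && service ssh reload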
Valores necesarios en sshd_config
# NOTE(review): a public key must already be installed for the account you log
# in with before these values are applied, otherwise the reload locks you out.
# This page does not set PermitRootLogin; decide explicitly whether root may
# log in over SSH.
# Disable password logins.
PasswordAuthentication no
# Allow login with the keys listed in each user's authorized_keys file.
PubkeyAuthentication yes
# Disable challenge-response (keyboard-interactive) authentication, which can
# otherwise still prompt for a password (for example through PAM).
ChallengeResponseAuthentication no
Probado en Ubuntu 14.04. Non facer en servidores con SSD se non é necesario:
# Create the 1 GB file /swapfile
fallocate -l 1G /swapfile
# Restrict it to its owner before enabling it: swap can hold memory pages of
# any process, including secrets.
chmod 600 /swapfile
# Format it as swap and enable it immediately
mkswap /swapfile
swapon /swapfile
# Configure it to be used every time the system boots.
# NOTE(review): this appends unconditionally, so running it twice leaves a
# duplicate line in /etc/fstab.
echo "/swapfile none swap sw 0 0" >> /etc/fstab
# Tune swapping on the running system. A low swappiness (10) makes the kernel
# prefer keeping application memory in RAM, and vfs_cache_pressure=50 makes it
# hold on to directory and inode caches longer than the default of 100.
# Both are relative weights, not a percentage of free RAM.
sysctl vm.swappiness=10
sysctl vm.vfs_cache_pressure=50
# Edit the configuration so the settings persist across reboots
vi /etc/sysctl.conf
# put these values inside: vm.swappiness=10 / vm.vfs_cache_pressure = 50
# Create the site user with its own group and /var/www/example.com as its home
# directory (adduser asks for the password interactively).
sudo adduser --home /var/www/example.com example
# Add it to the sudo group (Ubuntu 16.04)
# NOTE(review): this same account runs the site's PHP code (AssignUserId in
# the Apache vhost, user= in the PHP-FPM pool), so a compromised site would be
# running as a sudo-capable user. Consider a separate admin account for sudo
# and leaving the site user unprivileged.
usermod -aG sudo example
# Switch to the new user; the commands below run in its home directory.
# Create the .ssh directory (owner-only) and add the public key, deploy key, etc.
su - example
mkdir .ssh
chmod 700 .ssh
# Generate a key pair for this user (presumably the deploy key mentioned above).
ssh-keygen
# Add the public keys allowed to log in as this user. The file must not be
# writable by group or others, or sshd's default StrictModes check rejects it.
vi .ssh/authorized_keys
# Create the required directories (web root and logs)
mkdir www
mkdir logs
-- Create a MySQL account for the site that can only connect from localhost.
-- NOTE(review): replace the 'example' after IDENTIFIED BY with a long random
-- password; as written the password equals the account name.
CREATE USER 'example'@'localhost' IDENTIFIED BY 'example';
-- Grant the account full rights on the example database only (example.*).
GRANT ALL PRIVILEGES ON example.* TO 'example'@'localhost';
-- Reload the grant tables.
FLUSH PRIVILEGES;
Para ubuntu 14.04, temos que instalalo manualmente:
# Download the certbot-auto wrapper script.
# NOTE(review): the script is fetched over HTTPS but not otherwise verified
# before it is installed system-wide and run with the privileges used on this
# page; check it against a signature or checksum published by the project
# where one is available. certbot-auto has since been deprecated upstream, so
# prefer a packaged certbot on current systems.
wget https://dl.eff.org/certbot-auto
# Make it executable for all users
chmod a+x certbot-auto
# Move it onto the PATH
mv certbot-auto /usr/local/bin/
En ubuntu 16.04 pódese instalar con apt-get:
# Install the letsencrypt client from the distribution's repositories.
apt-get install letsencrypt
Agora instalamos o certificado usando `letsencrypt` ou `certbot-auto`, dependendo do que instalaramos:
# Request a certificate for example.com without changing any web server
# configuration (certonly). --standalone makes the client run its own temporary
# web server for the domain validation, so nothing else may be listening on the
# port it needs: stop apache/nginx first. --agree-tos accepts the CA's terms.
# The Apache vhost on this page reads the result from
# /etc/letsencrypt/live/example.com/.
# NOTE(review): Let's Encrypt certificates are short-lived and this page shows
# no renewal step; schedule one.
certbot-auto certonly --standalone --agree-tos -d example.com
# Enable the modules (rewrite for the redirect rule, ssl for the HTTPS vhost)
a2enmod rewrite
a2enmod ssl
# Configure the http => https redirect (see below)
vi /etc/apache2/sites-available/000-default.conf
# Configure the new site (see below)
vi /etc/apache2/sites-available/001-example.com.conf
# Enable the new site by linking it into sites-enabled
ln -s /etc/apache2/sites-available/001-example.com.conf /etc/apache2/sites-enabled/001-example.com.conf
Configuración de 000-default.conf
# Global server name
ServerName localhost
# Plain-HTTP vhost: its only job is to send every request to HTTPS.
<VirtualHost *:80>
# Permanent redirect of every path to the canonical HTTPS host.
Redirect 301 / https://example.com/
# NOTE(review): the rewrite rule below also redirects every request, so the two
# directives overlap. Unlike the Redirect above, it builds the target from
# %{SERVER_NAME}, which with the default UseCanonicalName Off is taken from the
# Host header sent by the client; keep only the form you intend.
RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
Configuración de 001-example.com.conf
# HTTPS virtual host for the site
<VirtualHost *:443>
# Server name
ServerName example.com
ServerAdmin webmaster@localhost
# Document root
DocumentRoot /var/www/example.com/www
# Logs
# NOTE(review): this directory is created by the unprivileged user "example"
# (mkdir logs after su - example). Apache opens its log files with the
# privileges it is started with, and the Apache security tips advise against
# log directories that other users can write to; a root-owned log directory
# is safer.
ErrorLog /var/www/example.com/logs/apache.error
CustomLog /var/www/example.com/logs/apache.log combined
# Directory
<Directory /var/www/example.com/www>
# AllowOverride All lets .htaccess files under the web root change every
# overridable setting; narrow it if the application needs less.
AllowOverride All
Require all granted
</Directory>
# Run requests for this vhost as user "example" and group "www-data"
# (directive provided by mpm-itk)
AssignUserId example www-data
# SSL certificate
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
# NOTE(review): this vhost has no SSLEngine directive of its own, so it
# presumably relies on the included file to turn TLS on. That file is normally
# written by certbot's Apache plugin, while this page obtains the certificate
# with certonly --standalone; confirm the file exists before restarting Apache.
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
E finalmente reiniciar apache:
# Restart Apache so the newly enabled modules and sites take effect
# (apache2ctl configtest checks the configuration syntax beforehand).
service apache2 restart
Se escollemos o servidor de NGINX, debemos crear un novo pool onde se execute php.
# Create the pool definition for the site; a dedicated pool lets its PHP code
# run under the site's own user instead of a shared one.
sudo vi /etc/php5/fpm/pool.d/example.conf
Nese arquivo metemos o seguinte (cambiando "example" polos nosos valores):
; Pool name
[example]
; PHP for this site runs as the site's own user and group
user = example
group = example
; Unix socket for this pool, owned by www-data (presumably the account nginx
; runs as, so the web server can connect to it)
listen = /var/run/php5-fpm-example.sock
listen.owner = www-data
listen.group = www-data
; php_admin_* settings cannot be overridden from PHP code with ini_set().
; NOTE(review): this list blocks four command-execution functions but not
; others such as proc_open and popen; treat disable_functions as one hardening
; layer, not as a sandbox.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
; Disable URL wrappers for file functions such as fopen() and file_get_contents()
php_admin_flag[allow_url_fopen] = off
; Process manager: the number of workers varies within the limits below
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; Working directory the pool changes to at start
chdir = /
Reiniciamos php-fpm e comprobamos que todo está ok:
# Restart PHP-FPM so the new pool is loaded. `php5-fpm -t` checks the pool
# configuration beforehand; afterwards the pool's socket should exist at
# /var/run/php5-fpm-example.sock.
service php5-fpm restart
- https://www.digitalocean.com/community/tutorials/additional-recommended-steps-for-new-ubuntu-14-04-servers
- https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04
- https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04
- https://www.digitalocean.com/community/tutorials/how-to-create-a-new-user-and-grant-permissions-in-mysql
- https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04
- https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04
- https://www.inversoft.com/guides/2016-guide-to-user-data-security
- https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-16-04
- https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-on-ubuntu-16-04
- https://www.exratione.com/2016/05/a-mailserver-on-ubuntu-16-04-postfix-dovecot-mysql/