(Modifié le 01/11/2018)

vps526361-debian9-xoyize.xyz

VPS ovh vps526361 debian 9 préinstallé avec clé ssh (ovh-ssh-ed25519.pub)

Connexion ssh avec clé

ssh -i .ssh/ovh-ssh-ed25519 root@193.70.43.101

Modifier le fichier de configuration /etc/ssh/sshd_config

Port 55027                # 22 par défaut
PermitRootLogin no        # interdire accès ssh par root
PasswordAuthentication no # pas de mot de passe, uniquement les clés ed25519

Créer un utilisateur debian

adduser xouser # création du home et saisie mot de passe

Visudo pour les accès root via utilisateur xouser (sudo installé par défaut sur le vps)

echo "xouser     ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

Ajout de l’utilisateur courant au groupe systemd-journal

gpasswd -a xouser systemd-journal

Accès utilisateur aux fichiers log

gpasswd -a xouser adm

Modification du réseau, ajout IPV6

Sur le VPS OVH il faut désactiver l’initialisation réseau par le cloud

# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}

Création du fichier /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg en mode su

echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg

Modifier le fichier /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

auto ens3
iface ens3 inet dhcp
iface ens3 inet6 static
 address 2001:41d0:0302:2200:0000:0000:0000:1d0f
 netmask 128
 post-up /sbin/ip -6 route add 2001:41d0:0302:2200:0:0:0:1 dev ens3
 post-up /sbin/ip -6 route add default via 2001:41d0:0302:2200:0:0:0:1 dev ens3
 pre-down /sbin/ip -6 route del default via 2001:41d0:0302:2200:0:0:0:1 dev ens3
 pre-down /sbin/ip -6 route del 2001:41d0:0302:2200:0:0:0:1 dev ens3

Mise à jour de la distribution debian stretch

apt update && apt upgrade -y

Redémarrer la machine “reboot” pour la prise en compte des modifications du réseau

Connexion SSH sur “VPS 2018 SSD 3 (2 vCores/8GoRam/80GoSSD)”

ssh -p 55027 -i .ssh/ovh-ssh-ed25519xouser@193.70.43.101

Vérifier le réseau ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:ee:49:1f brd ff:ff:ff:ff:ff:ff
    inet 193.70.43.101/32 brd 193.70.43.101 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 2001:41d0:302:2200::1d0f/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:feee:491f/64 scope link 
       valid_lft forever preferred_lft forever

locale fr_FR.UTF-8

Lors de la demande de réinstallation de la VPS OVH en debian 9 , il est possible de choisir la langue
Mais, à priori ,le paramétrage des “locales” n’est pas fait…

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LANG = "fr_FR.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory

Pour supprimer le “warning”, générer la locale fr_FR.UTF-8

sudo -s
locale-gen fr_FR.UTF-8
Generating locales (this might take a while)...
  en_US.UTF-8... done
  fr_FR.UTF-8... done
Generation complete.

Activer la locale fr

sudo dpkg-reconfigure locales

DNS OVH

$TTL 3600
@	IN SOA dns106.ovh.net. tech.ovh.net. (2018102303 86400 3600 3600000 300)
    3600 IN NS     dns106.ovh.net.
    3600 IN NS     ns106.ovh.net.
    3600 IN A      193.70.43.101
    3600 IN AAAA   2001:41d0:302:2200::1d0f
*   3600 IN CNAME  xoyize.xyz.

Certificats Letsencrypt

Serveur , installer et renouveler les certificats SSL Let’s encrypt

Prérequis

sudo apt install netcat git -y 

Installation client acme.sh

cd ~
sudo -s  # en mode super utilisateur
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install # --nocron 
cd ..
rm -rf acme.sh/

Les clés de l’api OVH OVH_AK et OVH_AS
Génération des certificats

/root/.acme.sh/acme.sh --dns dns_ovh --issue --keylength 4096 -d xoyize.xyz -d *.xoyize.xyz
[Tue Oct 23 10:20:43 CEST 2018] Please open this link to do authentication: https://eu.api.ovh.com/auth/?credentialToken=op3eQxvOjEBvg7Y0P1bQIfnxdKYWtoWfWywmX

Valider l’api en ouvrant le lien demandé, puis relancer la commande précédente.

Les certificats

[Tue Oct 23 10:25:28 CEST 2018] Your cert is in  /root/.acme.sh/xoyize.xyz/xoyize.xyz.cer 
[Tue Oct 23 10:25:28 CEST 2018] Your cert key is in  /root/.acme.sh/xoyize.xyz/xoyize.xyz.key 
[Tue Oct 23 10:25:28 CEST 2018] The intermediate CA cert is in  /root/.acme.sh/xoyize.xyz/ca.cer 
[Tue Oct 23 10:25:28 CEST 2018] And the full chain certs is there:  /root/.acme.sh/xoyize.xyz/fullchain.cer 

nginx php7.2 mariadb

Debian Stretch compilation nginx avec modules dynamiques et TLSv1.3 + PHP7.2 + MariaDB

Tester http://193.70.43.101/info.php

Configuration nginx avec certificats

sudo -s  # en mode super utilisateur

Les liens avec certificats

ln -s /root/.acme.sh/xoyize.xyz/fullchain.cer /etc/ssl/private/xoyize.xyz.fullchain.cer.pem
ln -s /root/.acme.sh/xoyize.xyz/xoyize.xyz.key /etc/ssl/private/xoyize.xyz.key.pem

Fichier de configuration nginx

rm /etc/nginx/conf.d/default.conf
nano /etc/nginx/conf.d/default.conf
server {
    listen 80;
    listen [::]:80;

    ## redirect http to https ##
    server_name xoyize.xyz;
    return  301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name xoyize.xyz;
    root /var/www/ ;

    ssl_certificate /etc/ssl/private/xoyize.xyz.fullchain.cer.pem;
    ssl_certificate_key /etc/ssl/private/xoyize.xyz.key.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;

    # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519
    # (this doesn't work on jessie though ...?)
    # ssl_ecdh_curve secp521r1:secp384r1:prime256v1;

    # As suggested by https://cipherli.st/
    ssl_ecdh_curve secp384r1;

    ssl_prefer_server_ciphers on;

    # Ciphers with modern compatibility
    #---------------------------------
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
    # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AESGCM:EECDH+CHACHA20:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

    # Uncomment the following directive after DH generation
    # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
    #ssl_dhparam /etc/ssl/private/dh2048.pem;

    # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
    # https://observatory.mozilla.org/ 
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 
    add_header Content-Security-Policy "upgrade-insecure-requests";
    add_header Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Frame-Options "SAMEORIGIN";

    index index.php;
        location ~ \.php$ {
           fastcgi_split_path_info ^(.+\.php)(/.+)$;
           fastcgi_pass unix:/run/php/php7.2-fpm.sock;    # PHP7.2 
           fastcgi_index index.php;
           include fastcgi_params;
           fastcgi_param SCRIPT_FILENAME $request_filename;
        }
}

Rechargement nginx

systemctl reload nginx

Lien https://xoyize.xyz/info.php

Vérifier TLS

ssl tls

Parefeu

Parefeu (firewall) iptables IPV4/IPV6 bureau/serveur

wikistatic

Ruby via compilation ou RVM + serveur statique Jekyll sur Debian

  • Installation ruby par compilation
  • Installation jekyll thème “minima”
  • Installation dépendances et wikistatic

Jekyll/Nginx SANS Proxy

Fichier de configuration nginx

sudo nano /etc/nginx/conf.d/static.xoyize.xyz.conf
server {
    listen 80;
    listen [::]:80;

    ## redirect http to https ##
    server_name static.xoyize.xyz;
    return  301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name static.xoyize.xyz;
    root /srv/wikistatic/_site/ ;

    ssl_certificate /etc/ssl/private/xoyize.xyz.fullchain.cer.pem;
    ssl_certificate_key /etc/ssl/private/xoyize.xyz.key.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;

    # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519
    # (this doesn't work on jessie though ...?)
    # ssl_ecdh_curve secp521r1:secp384r1:prime256v1;

    # As suggested by https://cipherli.st/
    ssl_ecdh_curve secp384r1;

    ssl_prefer_server_ciphers on;

    # Ciphers with modern compatibility
    #---------------------------------
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
    # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AESGCM:EECDH+CHACHA20:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

    # Uncomment the following directive after DH generation
    # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
    #ssl_dhparam /etc/ssl/private/dh2048.pem;

    # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
    # https://observatory.mozilla.org/ 
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 
    add_header Content-Security-Policy "upgrade-insecure-requests";
    add_header Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Frame-Options "SAMEORIGIN";

    access_log /var/log/nginx/static.xoyize.xyz-access.log;
    error_log /var/log/nginx/static.xoyize.xyz-error.log;

}

Vérifier et relancer le serveur

sudo nginx -t
sudo systemctl reload nginx

Accès https://static.xoyize.xyz