====== VPS Notes ======
GM4SLV.ORG.UK VPS : New VPS created 6th March 2025
* To separate my personal wiki site from yaddnet.org server
* Wiki backed-up and moved from yaddnet.org to new gm4slv.org.uk VPS
* SSL Certificate replaced to enable HTTPS
GM4SLV.ORG.UK VPS : CANCELLED AND DELETED 9th October 2024
* Wiki functionality easily provided by yaddnet.org VPS
* wiki pages & data transferred to yaddnet.org
* Fasthosts deleted VPS following telephone confirmation
* deletion/cancellation not possible via Control Panel
* telephone call-back needed to confirm
===== Information below is kept for historical reference =====
OS : Debian 10 (Buster)
RAM : 0.5GB
Network : 400MB
SSD : 10GB
IP Address : 213.171.209.127
Hostname : gm4slv.org.uk
Open Ports : ssh, http, https
Domain Name : gm4slv.org.uk
Renewal date : 3/4/2024
==== Access via FastHosts ====
* browse to [[https://admin.fasthosts.co.uk/Servers/VPS/1116040162]] and login with credentials (email : g...@..p.....)
===== Installing SSL for HTTPS =====
==== Create Certificates ====
++++ First : obtain SSL Certificates |
* generate CSR on the server itself:
* ''openssl req -new -newkey rsa:2048 -nodes -keyout gm4slv.org.uk.key -out gm4slv.org.uk.csr''
* Use "gm4slv.org.uk" as CN (NOT www.gm4slv.org.uk)
* on Fasthosts control panel - apply for SSL certificate and get to the page where the CSR is pasted into a box
* paste the CSR file contents into the box and click ""
* fill in the rest of the form with email/name/phone number etc.
* add file to root of www as verification, as directed at Fasthosts site....
{{:server:screenshot_2022-05-04_21.02.56.png?direct&400|}}
* download **both** certificate files from Fasthosts Control Panel
++++
==== Configure APACHE ====
++++ Second : configure Apache to use HTTPS |
* copy self generated gm4slv.org.uk.key from the "openssl" command to ''/usr/local/ssl/''
* copy the newly obtained //signed// *.crt file, renamed as signed.crt, to ''/usr/local/ssl/''
* copy the "intermediate" file to ''/usr/local/ssl/'' (renamed as ca.pem)
* edit apache config... looks like ''/etc/apache2/sites-available/default-ssl.conf''
* SSLCertificateFile /usr/local/ssl/signed.crt
* SSLCertificateKeyFile /usr/local/ssl/gm4slv.org.uk.key
* SSLCertificateChainFile /usr/local/ssl/ca.pem
* make symlink ''sites-enabled/default-ssl.conf'' pointing to ''sites-available/default-ssl.conf''
* ''a2enmod ssl''
* restart apache2
* will it be listening on port 443? yes
* open firewall port 443 on Fasthosts control panel
* Can I reach it with ''https://gm4slv.org.uk''? yes
* Can I still reach it with ''http://gm4slv.org.uk''? yes
* force redirect of plain HTTP:// to HTTPS://
* add to ''000-default.conf'':
<code>
<VirtualHost *:80>
    ServerName gm4slv.org.uk
    ServerAlias www.gm4slv.org.uk
    Redirect permanent / https://gm4slv.org.uk/
</VirtualHost>
</code>
* taken from [[https://linuxize.com/post/redirect-http-to-https-in-apache/]]
* restart apache2
* verify SSL access ok - yes
* verify non-SSL is redirected to SSL - yes
++++
==== Confirm proper security ====
Browse to [[https://gm4slv.org.uk]]
{{:server:screenshot_2022-05-04_22.00.14.png?direct&400|}}
===== 20/04/23 Renew SSL Certificate =====
* new Signed and CA (intermediate) certificates obtained and installed in /usr/local/ssl
===== Hardware Upgrade 20/4/23 =====
* Original configuration VPS XS : 500MB RAM and 10GB SSD @ £1 per month (plus VAT)
* Upgrade to VPS S : 1GB RAM and 20GB SSD @ £3 per month (plus VAT)
* VPS rebooted for upgrade
* RAM seems to have increased to 1GB, but ''df -h'' still reports 7.5GB total for / and 1.9GB for swap. That adds up to only 10GB.
* Perhaps more time is needed for VM to catch up and expand the Virtual Hard Drive?
* Gotcha.... the Virtual Drive was increased to 20GB, but not the partition or the filesystem... the only way to get a full 20GB was to "rebuild" the VPS....
* took a backup of the dokuwiki files (rsync mirrored them to shack PC). Hit "Rebuild" and built a new VPS. Applied for replacement SSL keys (had to make a new CSR/KEY first)...
* Used rsync to send back the dokuwiki files (from the shack PC mirror)
* set up Apache2 to use the new SSL certificates...
* VPS is now rebuilt and all wiki files restored & Apache2 uses HTTPS.
===== Debian Upgrade 15/2/24 =====
* Upgraded from Buster (10) -> Bullseye (11)
* Upgraded Dokuwiki (this needed PHP7.4 from Buster, which is why the Debian upgrade was necessary) to the newest version (Release 2024-02-06a "Kaos")
* Upgraded from Bullseye (11) -> Bookworm (12) - might as well get to ''STABLE''
===== Debian Upgrade 16/2/24 =====
* Upgraded to Trixie (testing)
<code>
gm4slv@gm4slv:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux trixie/sid
Release: n/a
Codename: trixie
</code>
<code>
deb http://deb.debian.org/debian trixie main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian trixie main contrib non-free non-free-firmware
#deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
#deb-src http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
deb http://deb.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
</code>
* Dokuwiki still working correctly with latest versions of Apache and PHP
<code>
gm4slv@gm4slv:~$ php --version
PHP 8.2.12 (cli) (built: Jan 8 2024 06:21:20) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.12, Copyright (c) Zend Technologies
with Zend OPcache v8.2.12, Copyright (c), by Zend Technologies
</code>
===== 2024 gm4slv.org.uk domain renewed =====
* 03/04/24 Domain Name auto-renewed for 2 years until April 2026
* 04/04/24 SSL Certificate auto-renewed for 1 year until May 2025
===== 04/04/24 : Install Renewed SSL Certificate =====
* SSL Certificates **Auto Renewed** by Fasthosts
* download new certificates from Fasthosts control panel:
* New "Certificate" downloaded and renamed "signed.crt"
* New "Intermediate Certificate" downloaded and renamed "ca.pem"
* copied both -> VPS $HOME dir via SCP
* On VPS ->
* copied current **/usr/local/ssl/ca.pem** -> **ca_old.pem**
* copied current **/usr/local/ssl/signed.crt** -> **signed_old.crt**
* copied new ca.pem from $HOME to **/usr/local/ssl/ca.pem**
* copied new signed.crt from $HOME to **/usr/local/ssl/signed.crt**
* restarted apache ''sudo service apache2 restart''
* check new valid certificate now in use in web browser
* {{:public:linux:screenshot_2024-04-04_07.24.16.png?400|}}
* Validity Issued on & Expires on dates now show new certificate is in use
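
A pre-flight check for the renewal steps above, as an added example that is not part of the original notes: before Apache is restarted it confirms that the new ''signed.crt'' matches the existing private key, verifies against ''ca.pem'', and is not about to expire. The function names and the 30-day threshold are assumptions; the file paths are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original notes. Paths follow this page's layout.
SSL_DIR="${SSL_DIR:-/usr/local/ssl}"

# True when the certificate ($1) carries the public key of the private key ($2).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate ($1) verifies against the issuer certificate ($2).
# -partial_chain lets the intermediate act as the trust anchor for this check.
signed_by() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# True when the certificate ($1) is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all three checks on the files this page installs (30 days is an assumed threshold).
preflight() {
    cert="$SSL_DIR/signed.crt"
    key="$SSL_DIR/gm4slv.org.uk.key"
    ca="$SSL_DIR/ca.pem"
    cert_matches_key "$cert" "$key" || { echo "FAIL: signed.crt does not match the key"; return 1; }
    signed_by "$cert" "$ca"         || { echo "FAIL: signed.crt does not verify against ca.pem"; return 1; }
    valid_for_days "$cert" 30       || { echo "FAIL: signed.crt expires within 30 days"; return 1; }
    openssl x509 -in "$cert" -noout -subject -enddate
}

# Usage on the server:
#   preflight && sudo apachectl configtest && sudo service apache2 restart
```

A key mismatch is the failure worth catching here: after a rebuild with a new CSR, an old ''signed.crt'' paired with the new key stops Apache from starting.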
===== New VPS : March 2025 =====
* New VPS 1 obtained at Fasthosts
<code>
Type: Virtual Machine
Size: vps 1 2 60
Cpu: 1 vCore
RAM: 2 GB
Disk: 60 GB NVMe SSD
</code>
<code>
Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Codename: noble
</code>
* Installed PHP and Apache2
<code>
gm4slv@gm4slv:~ $ php --version
PHP 8.3.6 (cli) (built: Dec 2 2024 12:36:18) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.6, Copyright (c) Zend Technologies
with Zend OPcache v8.3.6, Copyright (c), by Zend Technologies
</code>
* configured SSL per previous method [[public:computers:ssl_install_vsp|]]
* changed SSH port from default 22 to a //new// port, changed VPS firewall to suit new SSH port
* Ubuntu OS brought up to date: ''sudo apt-get update'' and ''sudo apt-get upgrade'' and ''sudo apt-get dist-upgrade''
===== Dokuwiki Security =====
* previous installations used .htaccess to prevent web access to data/conf/lib/bin etc. directories
* this time I decided not to use .htaccess but to follow the alternative instructions in [[https://www.dokuwiki.org/security]] to use **LocationMatch**
==== LocationMatch method ====
Apache is told which directories (data, conf, bin, inc, vendor) to make private. The downside is that this configuration might need altering if new directories are added during ''dokuwiki'' upgrades.
add to ''/etc/apache2/apache2.conf''
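<code>
# Order/Deny/Satisfy are Apache 2.2-style directives (mod_access_compat on Apache 2.4)
<LocationMatch "/(data|conf|bin|inc|vendor)/">
    Order allow,deny
    Deny from all
    Satisfy All
</LocationMatch>
</code>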
''sudo service apache2 restart''
==== .htaccess method ====
The secured directories in ''dokuwiki'' already have suitable .htaccess files. Apache needs to be told to allow them to alter its behaviour, using ''AllowOverride All''.
add to ''/etc/apache2/apache2.conf''
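<code>
# /path/to/dokuwiki is a placeholder for the DokuWiki install directory
<Directory /path/to/dokuwiki>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>
</code>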
''sudo service apache2 restart''
===== SSH Security =====
* Configured ''sshd'' to disallow password-logins and only accept public-key authentication
* be careful to check the files in ''/etc/ssh/sshd_config.d'' for hidden config options!
* uploaded public keys from
* Puttygen for [[https://www.putty.org/ | putty]] on laptop
* [[https://connectbot.org/ | ConnectBot ]] app on phone
* saved both in ''~/.ssh/authorized_keys''
* now only logins with a valid public key will succeed.
* In the event of a loss of the public keys it's still possible to gain access via Fasthosts account dashboard
* -> then reconfigure sshd to accept password logins again until new keys can be uploaded.
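
One way to find the "hidden" options mentioned above, as an added example that is not part of the original notes: sshd keeps the first value it reads for each keyword, so a drop-in file pulled in by an ''Include'' line near the top of ''sshd_config'' takes precedence over a later setting in the main file. The function names are assumptions, ''Match'' blocks are skipped, and ''sudo sshd -T'' remains the authoritative view of the running configuration.

```shell
#!/bin/sh
# Added example, not from the original notes: show which file supplies the
# effective global value of an sshd keyword.

# Print "value<TAB>file" for each global occurrence of keyword $1 (lowercase)
# in the order sshd reads them, expanding Include globs in place.
scan_sshd() {
    [ -r "$2" ] || return 0
    while read -r name value || [ -n "$name" ]; do
        case $(printf '%s' "$name" | tr '[:upper:]' '[:lower:]') in
            match)   break ;;      # conditional section: not a global setting
            include)
                for f in $value; do
                    case $f in /*) ;; *) f="/etc/ssh/$f" ;; esac   # relative to /etc/ssh
                    scan_sshd "$1" "$f"
                done ;;
            "$1")    printf '%s\t%s\n' "$value" "$2" ;;
        esac
    done < "$2"
}

# First occurrence wins, so the first line of the scan is the effective setting.
effective_sshd() {   # $1 = keyword, $2 = main config file
    kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    scan_sshd "$kw" "${2:-/etc/ssh/sshd_config}" | head -n 1
}

# Succeeds only when both password-style login methods are explicitly "no".
password_logins_disabled() {
    for k in PasswordAuthentication KbdInteractiveAuthentication; do
        v=$(effective_sshd "$k" "$1" | cut -f1)
        [ "$v" = "no" ] || { echo "$k is '${v:-unset, sshd default applies}'"; return 1; }
    done
}

# Usage on the server:
#   effective_sshd PasswordAuthentication /etc/ssh/sshd_config
#   password_logins_disabled /etc/ssh/sshd_config && echo "key-only logins"
```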
Page Updated : ~~LASTMOD~~
{{tag>vps linux ssl}}