done?
parent 58d5004f18
commit 2991314b8e
103 README.md
@ -21,26 +21,27 @@ informations on the system setup.
## Install required packages

```bash
# SELinux policy tools
# To download this repo and lighttpd sources.
dnf install git
# SELinux policy tools.
dnf install policycoreutils-python-utils

# Extra Packages for Entreprise Linux 9 repository in which ufw package is.
dnf install epel-release
# Uncomplicated Firewall.
dnf install ufw
# Dependencies for building lighttpd from sources.
dnf groupinstall "Development Tools"
dnf install git pcre2-devel

# MariaDB and PHP for Bonus.
dnf install mariadb-server php-fpm php-mysqlnd

# FTP server for Bonus
# FTP server for Bonus.
dnf install vsftpd
```

Enable services:

```bash
systemctl enable mariadb
systemctl enable php-fpm
systemctl enable ufw
systemctl enable vsftpd@Born2beroot
systemctl enable mariadb php-fpm ufw --now
```

## Configuration
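
Review bot: the rendered view drops the +/- markers, so only the resulting text can be checked, and it carries two near-duplicate comment pairs: `# SELinux policy tools` sits directly above `# To download this repo and lighttpd sources.` while `# SELinux policy tools.` already labels `dnf install policycoreutils-python-utils`, and `# FTP server for Bonus` is followed by `# FTP server for Bonus.`; keep only the version with the trailing period in each pair. `Entreprise` should read `Enterprise` in the EPEL comment. Also, `systemctl enable vsftpd@Born2beroot` appears in this install section before `/etc/vsftpd/Born2beroot.conf` exists (it is copied in the FTP section later in this patch), and the collapsed `systemctl enable mariadb php-fpm ufw --now` line does not include it, so keep the instance enablement only in the FTP section, which already runs `systemctl enable vsftpd@Born2beroot --now` after the config is in place.
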
@ -64,36 +65,26 @@ Disable root SSH login and change listening port adding
configuration file.

You also have to edit SELinux policy to allow `sshd` to listen on the
non-default TCP port 4242:
non-default TCP port 4242 and reload service:

```bash
semanage port --add -t ssh_port_t -p tcp 4242
```

### Firewall

Install and enable the firewall and configure it:

```bash
# Extra Packages for Entreprise Linux 9 repository in which ufw package is.
dnf install epel-release
# Uncomplicated Firewall.
dnf install ufw

ufw enable
# Remove all rules and then add the following one for SSH:
ufw allow in 4242/tcp
systemctl reload sshd
```

### PHP

Allow `php-fpm` to access the web server web root and then restart it:
Copy PHP configuration files
[/etc/php.d/99-lighttpd.ini](rootfs/etc/php.d/99-lighttpd.ini) and
[/etc/php-fpm.d/www.conf].

The allow `php-fpm` to access the web server web root and then restart it:

```bash
semanage boolean --modify --on httpd_unified
semanage fcontext -a -t httpd_sys_content_t /srv/www/htdocs
restorecon -R /srv
systemctl restart php-fpm
mkdir -p /srv/www/htdocs
semanage fcontext -a -t httpd_sys_content_t /srv/www
systemctl reload php-fpm
```

### MariaDB
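
Review bot: `semanage fcontext -a -t httpd_sys_content_t /srv/www` (like the `/srv/www/htdocs` spec it supersedes) is an anchored expression that matches only that one path, so the following `restorecon -R /srv` relabels the directory itself and nothing beneath it; use a spec such as `"/srv/www(/.*)?"` so the whole web root gets `httpd_sys_content_t`. `semanage boolean --modify --on httpd_unified` is also broader than the prose ("allow `php-fpm` to access the web server web root") suggests: it lets the httpd domain read and write every httpd content type, so consider leaving it off and labelling only the directories PHP must write as `httpd_sys_rw_content_t`. Two text problems in the same hunk: `[/etc/php-fpm.d/www.conf].` is a bare bracket with no link target, unlike the `99-lighttpd.ini` entry that links into `rootfs/`, and `The allow \`php-fpm\`` should read `Then allow`; that sentence still says "restart it" while the command is now `systemctl reload php-fpm`.
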
@ -127,14 +118,8 @@ cd lighttpd1.4
make install
```

<!--TODO: Test kickstart setup
Add an user and group for the daemon:

```bash
groupadd -r lighttpd
useradd -md /var/lib/lighttpd -g lighttpd -r -s /bin/false lighttpd
```
-->
Copy systemd unit file
[/etc/systemd/system/lighttpd.service](rootfs/etc/systemd/system/lighttpd.service).

Create log dir:

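
Review bot: wrapping the `groupadd`/`useradd` block in `<!--TODO: Test kickstart setup ... -->` leaves the rendered README with no visible step that creates the `lighttpd` user and group, yet the very next hunk still runs `install -d -o root -g lighttpd -m 770 /var/log/lighttpd`, which fails with an unknown group on a host that was not built from the kickstart; add one sentence saying the account now comes from the kickstart, or keep the commands visible until the kickstart is tested. Small fixes inside the hidden block: "Add an user" should be "Add a user", and `/sbin/nologin` is the conventional no-login shell for a system account on an EL9 system, though `/bin/false` also works.
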
@ -142,14 +127,58 @@ Create log dir:
install -d -o root -g lighttpd -m 770 /var/log/lighttpd
```

And copy config into [/usr/local/etc/lighttpd](rootfs/usr/local/etc/lighttpd).
Finally enable and start it:

```bash
systemctl daemon-reload
systemctl enable lighttpd --now
```

### Wordpress

```bash
cd /srv/www/htdocs
mkdir wp
chmod -R u=rXw,g=rX,o=rX /srv/www
setfacl -dm u:lighttpd:rXw wp
setfacl -m u:lighttpd:rXw wp
git clone --depth 1 --branch 6.0-branch https://github.com/WordPress/WordPress.git wp
restorecon -R /srv/www
```

Download wordpress and unpack it somewhere under `/srv/www/htdocs`. Then, give
`php-fpm` the right to write to it and make sure to have the right SELinux
context set by using `restorecon` on Wordpress directory.

Now it should be accessible by HTTP.

### FTP

Copy configuration into [/etc/vsftpd/Born2beroot.conf](rootfs/etc/vsftpd/Born2beroot.conf),
and then create FTP dir, enable and start daemon:

```bash
mkdir /srv/ftp
echo "Hola, món!" > /srv/ftp/hola.txt
systemctl enable vsftpd@Born2beroot --now
```

### Firewall

Enable the firewall with `ufw enable`, delete all rules with successive calls
to `ufw delete 1` and the add the following ones:

```bash
# SSH:
ufw allow in 4242/tcp
# HTTP
ufw allow in 80/tcp
# FTP
ufw allow in 21/tcp
ufw allow in 21000:21999/tcp
```

### Mandatory Access Control

Make sure all files have the right SELinux context:
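
Review bot: the Firewall section orders `ufw enable` before `ufw allow in 4242/tcp`; with ufw's default deny on incoming traffic, a reader doing this over SSH on port 4242 loses new connections between the two steps, so add the 4242 rule first and enable afterwards (and `ufw delete 1` only removes one rule per call, as the text says, so show the loop or `ufw reset`). In the Wordpress section, `setfacl -dm u:lighttpd:rXw wp` / `setfacl -m u:lighttpd:rXw wp` give write access on the whole tree to the `lighttpd` user, but the prose says the goal is to let `php-fpm` write; that only holds if the copied `/etc/php-fpm.d/www.conf` runs the pool as `lighttpd`, which the README should state, and restricting the writable ACL to `wp-content` is the least-privilege option if automatic core updates are not needed. The paragraph "Download wordpress and unpack it somewhere under `/srv/www/htdocs`..." no longer matches the `git clone --depth 1 --branch 6.0-branch` block above it; rewrite it to describe the clone and ACL steps (and "the add the following ones" should read "then add the following ones"). Finally, the `21000:21999/tcp` rule must match the passive port range configured in `rootfs/etc/vsftpd/Born2beroot.conf`; a one-line note that the two are coupled would help.
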
@ -38,8 +38,6 @@ logvol / --fstype="xfs" --size=10240 --label="root" --name=root --vgname=LV
# We don't want the default firewall.
-firewalld
sudo
# Will need them to build lighttpd
@Development Tools
%end

# Create the user groups requested by subject.
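
Review bot: the rendered view hides which two of these lines the hunk removes (-8 +6), so confirm that `-firewalld` (a kickstart package exclusion, not a diff marker) survives: the README replaces the default firewall with ufw, and an install that still pulls in firewalld would boot with two services managing the same packet filter. If `@Development Tools` is what is being dropped here, that is consistent with the README hunk that now runs `dnf groupinstall "Development Tools"`; if it stays, that README step is redundant and one of the two should say so.
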