admin/rockfish
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Browse Source
This commit is contained in:
John Cardinal
2023-01-04 01:51:06 +00:00
parent b2934649f1
commit 687424391a
1 changed files with 196 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

227
docs/docs/howto.md
View File

@@ -22,10 +22,175 @@ The same format can be used to expand the set of domains a certificate contains,
certbot certonly --cert-name example.com -d example.org,www.example.org certbot certonly --cert-name example.com -d example.org,www.example.org
``` ```
SO FOR EXAMPLE for HelloAyaNova.com SO FOR EXAMPLE for a test adding sockeye to onayanova.com on devops
- Added subdomain sockeye.onayanova.com to onayanova.com domain record and pointed to Devops server.
- Edited /etc/nginx/sites-available/default file and added sockeye.onayanova.com to server block only, didn't add it to any other part:
i.e. went from this:
```yml
server {
server_name test.onayanova.com;
location / {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin" always;
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_http_version 1.1;
gzip_types application/javascript text/css application/json text/plain;
proxy_pass http://127.0.0.1:7575;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
send_timeout 3600;
# Note: the client_max_body_size setting controls the maximum upload size for attachments in AyaNova
# it is a good security precaution to set this value only as high as absolutely needed by your staff for
# file attachment uploads
# AyaNova can handle up to 10GB maximum so the highest setting allowed here would be:
# client_max_body_size 10GB;
client_max_body_size 25M;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/test.onayanova.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/test.onayanova.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = test.onayanova.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name test.onayanova.com;
return 404; # managed by Certbot
}
```
to this:
```yml
server {
server_name test.onayanova.com sockeye.onayanova.com;
location / {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin" always;
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_http_version 1.1;
gzip_types application/javascript text/css application/json text/plain;
proxy_pass http://127.0.0.1:7575;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
send_timeout 3600;
# Note: the client_max_body_size setting controls the maximum upload size for attachments in AyaNova
# it is a good security precaution to set this value only as high as absolutely needed by your staff for
# file attachment uploads
# AyaNova can handle up to 10GB maximum so the highest setting allowed here would be:
# client_max_body_size 10GB;
client_max_body_size 25M;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/test.onayanova.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/test.onayanova.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = test.onayanova.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name test.onayanova.com;
return 404; # managed by Certbot
}
```
Test and reload nginx the request new certificate:
(note no spaces in subdomain names or it balks)
```bash ```bash
certbot --nginx --cert-name helloayanova.com -d test.helloayanova.com,helloayanova.com,www.helloayanova.com,1665.helloayanova.com,7331.helloayanova.com,8888.helloayanova.com,a261.helloayanova.com
root@devops:/etc/nginx/sites-available# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@devops:/etc/nginx/sites-available# nginx -s reload
root@devops:/etc/nginx/sites-available# certbot --nginx --cert-name test.onayanova.com -d test.onayanova.com,sockeye.onayanova.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate test.onayanova.com to include new domain(s):
+ sockeye.onayanova.com
You are also removing previously included domain(s):
(None)
Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate certificate/(C)ancel: u
Renewing an existing certificate for test.onayanova.com and 1 more domains
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/test.onayanova.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/test.onayanova.com/privkey.pem
This certificate expires on 2023-04-04.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for test.onayanova.com to /etc/nginx/sites-enabled/default
Successfully deployed certificate for sockeye.onayanova.com to /etc/nginx/sites-enabled/default
Your existing certificate has been successfully renewed, and the new certificate has been installed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
``` ```
## NGINX ## NGINX
@@ -133,16 +298,16 @@ select * from alicense;
#### Restore AyaNova from backup #### Restore AyaNova from backup
- Ensure have the db-xxxxxx.backup database backup and the at-xxxxx.zip attachments file - Ensure have the db-xxxxxx.backup database backup and the at-xxxxx.zip attachments file
- Make a backup of the data folders first for insurance - Make a backup of the data folders first for insurance
- restart ayanova with permanently erase database set, this will erase the db adn also all attachments - restart ayanova with permanently erase database set, this will erase the db adn also all attachments
- Stop the AyaNova server `systemctl stop ayanova.service` - Stop the AyaNova server `systemctl stop ayanova.service`
- Upload the attachments to the root home folder - Upload the attachments to the root home folder
- Upload the database backup to `/var/lib/postgresql` - Upload the database backup to `/var/lib/postgresql`
- Unzip attachments: from ayanova data attachments folder run `unzip ~/at-20220920220001750` - Unzip attachments: from ayanova data attachments folder run `unzip ~/at-20220920220001750`
- Restore the database from anywhere with this command: `sudo -u postgres pg_restore -U postgres -c -d AyaNova /var/lib/postgresql/db-20220920220000302.backup` - Restore the database from anywhere with this command: `sudo -u postgres pg_restore -U postgres -c -d AyaNova /var/lib/postgresql/db-20220920220000302.backup`
- Start the AyaNova server `systemctl start ayanova.service` - Start the AyaNova server `systemctl start ayanova.service`
- confirm can login all is well - confirm can login all is well
#### List all dbs #### List all dbs
@@ -243,17 +408,17 @@ In a pinch the keys could be moved / removed to another computer but this is mos
How to generate a key and upload to digitalocean for using with droplet and saving to keepass How to generate a key and upload to digitalocean for using with droplet and saving to keepass
- open puttygen - open puttygen
- keep RSA change bits from 2048 to 4096 - keep RSA change bits from 2048 to 4096
- click generate - click generate
- mouse around - mouse around
- change key comment to serversubdomainname.onayanova.com (or whatever the actual subdomain / domain is for this key) - change key comment to serversubdomainname.onayanova.com (or whatever the actual subdomain / domain is for this key)
- save the private key temporarily to a folder (it will end up in keepass as an attachment) - save the private key temporarily to a folder (it will end up in keepass as an attachment)
- DO NOT SET A PASSWORD HERE, keepass will secure the key, there's no need for the extra password and this is all about saving time - DO NOT SET A PASSWORD HERE, keepass will secure the key, there's no need for the extra password and this is all about saving time
- copy the public key box text and go to digitalocean Settings -> Security SSH keys section and add it as a new saved public key named same subdomina.onayanova.com or as appropriate - copy the public key box text and go to digitalocean Settings -> Security SSH keys section and add it as a new saved public key named same subdomina.onayanova.com or as appropriate
- can close puttygen at this point if ever need it can get teh public key from the private key file again in future - can close puttygen at this point if ever need it can get teh public key from the private key file again in future
- Use this when creating a droplet, OR you can manually add it later via text editor: https://docs.digitalocean.com/products/droplets/how-to/add-ssh-keys/to-existing-droplet/ - Use this when creating a droplet, OR you can manually add it later via text editor: https://docs.digitalocean.com/products/droplets/how-to/add-ssh-keys/to-existing-droplet/
(note, the public key format displayed in puttygen when you open or generate the private key in the public key box is the only one that works with ssh, not the format used when it's saved to a file from puttygen ) (note, the public key format displayed in puttygen when you open or generate the private key in the public key box is the only one that works with ssh, not the format used when it's saved to a file from puttygen )
### KeePass / KeeAgent ### KeePass / KeeAgent
@@ -417,14 +582,14 @@ Updates done outside the hours of 8am to 6pm in each data centers location
4:00pm our local Courtenay time is good for almost everyone except san francisco data center 4:00pm our local Courtenay time is good for almost everyone except san francisco data center
- New York, USA 7:00 pm EDT - New York, USA 7:00 pm EDT
- Amsterdam, Netherlands 1:00 am CEST - Amsterdam, Netherlands 1:00 am CEST
- Victoria, Canada 4:00 pm PDT - Victoria, Canada 4:00 pm PDT
- Singapore, Singapore 7:00 am SGT - Singapore, Singapore 7:00 am SGT
- London, United Kingdom 12:00 midn BST - London, United Kingdom 12:00 midn BST
- Frankfurt, Germany 1:00 am CEST - Frankfurt, Germany 1:00 am CEST
- Bengaluru, India 4:30 am IST - Bengaluru, India 4:30 am IST
- San Francisco 7am - San Francisco 7am
## Website general ## Website general