type: webserver, testing, drupal, flask
maintainers: jayd, carl.simpao, dolf
hostname: test.nightowl.foundationu.com

This machine is not managed by Ansible on purpose. It is used for testing applications only. It is hosted in Proxmox by ITOPS and snapshots can be used to go back to older (working) configurations in case of problems.

DO NOT USE THIS SERVER FOR PRODUCTION! Data can be deleted at any time without prior notice!

Applications on this server can be installed for evaluation purposes. If they are deemed useful for real-world application, migrate them to a production server in cooperation with ITOPS. nightowl.foundationu.com can possibly be used for production applications.

test.nightowl.foundationu.com points to this machine, and all subdomains of that domain name point to it as well through a wildcard DNS record. So we can just set up drupal7.test.nightowl.foundationu.com or phpmyadmin.test.nightowl.foundationu.com without any further DNS changes.

First we need to add our public SSH keys to the authorized keys file on the server, so we can log in safely with key authentication.

Then see: Webservers, nginx, flask, drupal, etc

Since this is not a production server and it is only reachable from inside the FU network, we are not as concerned with security as we would be with a shared webhosting server or a mail server. Nonetheless we don't want to run any unnecessary risks. We therefore don't allow password authentication through SSH (passwords are easily stolen or cracked and people often choose bad ones) but only allow public-key authentication. Secondly, we want to use SSL encryption for all web traffic (so HTTPS). Especially services like phpmyadmin should not be reachable without HTTPS, but the login of web applications like drupal should be encrypted too. Normally we use Let's Encrypt to generate SSL certificates, but we can't use it here because this server is not publicly visible. We therefore create a self-signed certificate manually, which we install in apache.

See for docs:

We're making a wildcard certificate for *.test.nightowl.foundationu.com plus test.nightowl.foundationu.com, so it matches every site on test.nightowl.foundationu.com and its subdomains. This is a bit tricky with openssl. The default values and most configuration parameters for the certificate have already been specified in /etc/ssl/openssl.cnf, so we're using that. With that in place and correct, you can create the certificate with the commands below (while you are in the /etc/ssl/certs/ directory).

To do this, we create our own certificate authority (CA) first. This is used to sign all other certificates. If we then tell our browser to trust our CA, the browser will also trust all certificates signed by it. We use the openssl helper scripts to do the heavy lifting. The CA only needs to be generated once; after the first time this step can be skipped and you can continue directly with a new certificate signing request for each new webserver certificate. To generate our own CA, use

/usr/lib/ssl/misc/CA.sh -newca

Make sure you fill in all the info for the certificate, like a proper CN (ca.test.nightowl.foundationu.com), city, country, province, email address, etc. Set a secure password on the CA key.

For the certificate to work correctly, we need to set some configuration variables in /etc/ssl/openssl.cnf. I actually did it by having two versions of the file: the original, which was present when generating the CA, and a modified one, present when generating CSRs and signing them. Make sure the modified one contains the following. In the v3_req section:

subjectAltName=DNS:*.test.nightowl.foundationu.com,DNS:test.nightowl.foundationu.com

Also make sure the following line is not commented:

copy_extensions = copy

And also this line should not be commented:

req_extensions = v3_req

Next you create a new certificate signing request. It asks for a password on the new key. Set one now, but you only need to remember it briefly, as we'll remove it later.

/usr/lib/ssl/misc/CA.sh -newreq

Again fill in all the right info. Make sure the Common Name is *.test.nightowl.foundationu.com. Then we sign the certificate signing request (CSR) with:

/usr/lib/ssl/misc/CA.sh -sign

The script makes a newkey.pem and a newcert.pem file in the /etc/ssl/ directory. We need to move those. The newcert.pem needs to be moved to /etc/ssl/certs and renamed to a file name that corresponds to the domain name it will be used for. I renamed it to wc.test.nightowl.foundationu.com.crt (wc as in wildcard). The key first needs to be decrypted (password removed) so the webserver can open it without asking for a password. You do this with:

openssl rsa -in newkey.pem -out private/wc.test.nightowl.foundationu.com.key

This writes the decrypted key to a new file, so you can remove newkey.pem afterwards. We don't need it anymore.

To install the CA certificate in your browser (so it trusts all certificates signed by it), you can copy /etc/ssl/demoCA/cacert.pem to your computer and import it in your browser certificates as trusted CA certificate (for identifying websites).

  • Apache
  • PHP
  • MySQL
  • Drupal 7
  • Drupal 8
  • Python 3.4
  • apache2-mod-wsgi-py3
  • certbot