Sephtan Installation Guide
This is my first guide written for other people; mainly I do such things only for myself in my personal DokuWiki. As English isn't my first language, please be lenient with me when some of the writing here reads unusually to you.
If anyone finds parts of this guide misleading or incomprehensible, I would suggest opening a new discussion about this guide so that I am able to get feedback and make improvements.
My personal server experience started around 2009/2010 with a project from the German magazine c't explaining the setup of a home server with Xen virtualisation and IPCop as a firewall appliance in a virtual host sitting between your home network (green), the internet (red) and a possibly existing virtual machine in a DMZ (orange).
My first server was set up following that guide, using an Atom D525.
Around 01/2014 I updated my setup to an Intel Atom C2550 board from Supermicro with three 3TB WD Red drives as a RAID5 array for data storage.
Currently I am looking for an upgrade; the drives are getting old and the chance that they die is increasing.
The next setup will be with an EPYC 3202 board, again from Supermicro, but that is the future.
This setup is for Debian 10 Buster, so anyone with a different distribution will have to take into account that there may be more or less significant differences in where configuration files reside, or that some packages might not be available.
I am not going to explain the general installation process for any of the parts needed in this guide.
The intention is only to give as complete and comprehensive an explanation as possible of how to configure the parts needed.
Intention of my setup:
- separate vHosts from each other using PHP-FPM with one user per vHost (security)
- include the ModSecurity WAF against attackers
My setup is pretty much automated through a script I use to set up everything that is needed for a vHost using PHP-FPM. I will provide the script I use for automation at the end of this guide; it's helpful if you regularly set up different vHosts with PHP-FPM.
Though the setup it generates is functional, it is somewhat basic. Some web applications have special needs that can't be taken into account in a basic setup. That is also not the intention of the script, and the resulting vHost and PHP-FPM pool configuration have to be adjusted for the individual use case.
To understand the configuration it generates, knowledge of the directory structure is needed:
/var/www
├── [ampache ampache ] ampache
│   ├── [ampache ampache ] conf         # folder for the php-fpm socket
│   ├── [ampache ampache ] logs         # your logs can go here
│   ├── [ampache ampache ] public_html  # your document root
│   ├── [ampache ampache ] sessions     # session folder
│   └── [ampache ampache ] tmp          # folder for temp files
├── [clan clan ] clan
│   ├── [clan clan ] conf               # folder for the php-fpm socket
│   ├── [clan clan ] logs               # your logs can go here
│   ├── [clan clan ] public_html        # your document root
│   ├── [clan clan ] sessions           # session folder
│   └── [clan clan ] tmp                # folder for temp files
├── [www-data www-data] nginx
│   └── [www-data www-data] html
└── [wiki wiki ] wiki
    ├── [wiki wiki ] conf               # folder for the php-fpm socket
    ├── [wiki wiki ] logs               # your logs can go here
    ├── [wiki wiki ] public_html        # your document root
    ├── [wiki wiki ] sessions           # session folder
    └── [wiki wiki ] tmp                # folder for temp files
This is my working virtual host definition for Apache2, generated by my script and adjusted to the needs of Ampache:
<VirtualHost 192.168.3.8:80>
    # IP:Port when running multiple instances; normally *:80
    # put your ampache domain here
    ServerName ampache.sandmann.dd-dns.de
    # put your ampache domain here
    Redirect permanent / https://ampache.sandmann.dd-dns.de/
</VirtualHost>
<VirtualHost 192.168.3.8:443>
    # IP:Port when running multiple instances; normally *:443
    # put your ampache domain here
    ServerName newampache.sandmann.dd-dns.de
    # same for your e-mail address
    ServerAdmin webmaster@sandmann.dd-dns.de
    # the SSL part depends on the certificates you supply
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ampache2.crt
    SSLCertificateKeyFile /etc/ssl/private/ampache2.key
    # pass the Authorization header through to PHP-FPM
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    Alias /ampache /var/www/ampache/public_html/public
    DocumentRoot /var/www/ampache/public_html/public
    <Directory /var/www/ampache/public_html/public/>
        # Indexes enables directory listings; drop it if you do not need them
        Options Indexes FollowSymLinks
        AllowOverride all
        Require all granted
        # hand .php files to this vHost's own PHP-FPM pool over its unix socket
        <FilesMatch "\.(php)$">
            SetHandler "proxy:unix:/var/www/ampache/conf/ampache-fpm74.sock|fcgi://newampache/"
            ProxyErrorOverride on
        </FilesMatch>
    </Directory>
    <Location "/server-info">
        SetHandler server-info
        ProxyErrorOverride on
        # allowing access only for your home network
        Require all denied
        Require ip 192.168.1
    </Location>
    <Location "/server-status">
        SetHandler server-status
        ProxyErrorOverride on
        # allowing access only for your home network
        Require all denied
        Require ip 192.168.1
    </Location>
    <Location /error/>
        # here you can define an error handler
        SetHandler none
    </Location>
    # The complete LocationMatch is only for ModSecurity;
    # it can be commented out if you feel safe.
    # Maybe there will be a chapter of its own regarding ModSecurity in this guide.
    # The SecRuleRemoveById entries also have to be adapted:
    # best is to comment them out, check error.log and
    # put only the needed rules here.
    # Apache does not allow a comment after a directive, so the reason
    # for each removed rule is on the line above it.
    <LocationMatch .*>
        <IfModule mod_security2.c>
            SecRuleEngine On
            # allow SQL
            SecRuleRemoveById 950007
            # allow Multiple URL Encoding
            SecRuleRemoveById 950109
            # Allow: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
            SecRuleRemoveById 950120
            # Allow: Range: field exists and begins with 0
            SecRuleRemoveById 958291
            # Allow: Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
            SecRuleRemoveById 960024
            # Allow: Request Missing an Accept Header
            SecRuleRemoveById 960015
            # Allow: Matched Data: 500 found within RESPONSE_STATUS: 500
            SecRuleRemoveById 970901
            # Allow: Outbound ASP/JSP
            SecRuleRemoveById 970903
            # Allow: Invalid SessionID Submitted
            SecRuleRemoveById 981054
            # Allow: Warning - Sticky SessionID Data Changed - IP Address Mismatch
            SecRuleRemoveById 981059
            # Allow: Warning - Sticky SessionID Data Changed - User-Agent Mismatch
            SecRuleRemoveById 981060
            # Allow: Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0)
            SecRuleRemoveById 981203
            # Allow: Possibly malicious iframe tag in output
            SecRuleRemoveById 981001
            # Allow: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded
            SecRuleRemoveById 981173
            # Allow: AppDefect: Missing HttpOnly Cookie Flag for ampache_user
            SecRuleRemoveById 981184
            # Allow: Detects classic SQL injection probings
            SecRuleRemoveById 981242
            # Allow: Detects classic SQL injection probings
            SecRuleRemoveById 981243
            # Allow: Detects basic SQL authentication bypass attempts
            SecRuleRemoveById 981245
            # Allow: Detects basic SQL authentication bypass attempts
            SecRuleRemoveById 981246
            # Allow: MySQL comment-/space-obfuscated injections and backtick termination
            SecRuleRemoveById 981257
            # Allow: Response Header is Missing or not set to Deny
            SecRuleRemoveById 981405
            # Allow: Content-Type Response Header is Missing or Empty
            SecRuleRemoveById 981401
            # Allow: Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to 'nosniff'
            SecRuleRemoveById 981407
        </IfModule>
    </LocationMatch>
    ServerSignature Off
    ErrorLog /var/www/ampache/logs/error.log
    LogLevel warn
    CustomLog /var/www/ampache/logs/access.log combined
</VirtualHost>
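The comments in the vHost say to disable a rule only after checking error.log. As an added example that is not part of the guide, the shell functions below tally ModSecurity 2 hits from an Apache error.log per rule and URI, and count distinct client addresses per rule, so that a SecRuleRemoveById list stays limited to rules that really misfire on normal traffic. The log lines are constructed samples in the ModSecurity 2 error-log format, not real traffic.

```shell
#!/bin/sh
# Added example (not from the guide): tally ModSecurity 2 hits in an Apache error.log
# so that SecRuleRemoveById is limited to rules that really produce false positives.
set -eu

# Write constructed sample lines in the ModSecurity 2 error-log format (not real traffic).
write_sample_log() {
    cat > "$1" <<'EOF'
[Thu Mar 05 10:00:01.000000 2020] [:error] [pid 1001] [client 192.168.1.10:50001] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:rule. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "ampache.example"] [uri "/ampache/search.php"] [unique_id "constructed-1"]
[Thu Mar 05 10:00:02.000000 2020] [:error] [pid 1001] [client 192.168.1.10:50002] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:rule. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "ampache.example"] [uri "/ampache/search.php"] [unique_id "constructed-2"]
[Thu Mar 05 10:00:03.000000 2020] [:error] [pid 1002] [client 192.168.1.11:50003] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:rule. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "ampache.example"] [uri "/ampache/search.php"] [unique_id "constructed-3"]
[Thu Mar 05 10:00:04.000000 2020] [:error] [pid 1002] [client 192.168.1.10:50004] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "ampache.example"] [uri "/ampache/server/xml.server.php"] [unique_id "constructed-4"]
[Thu Mar 05 10:00:05.000000 2020] [:error] [pid 1003] [client 192.168.1.12:50005] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:username. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "81"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "ampache.example"] [uri "/ampache/login.php"] [unique_id "constructed-5"]
EOF
}

# Print "count id<TAB>uri<TAB>msg", most frequent first: which rule fires on which page.
modsec_rule_summary() {
    awk '/ModSecurity:/ {
        id = $0;  sub(/.*\[id "/, "", id);   sub(/".*/, "", id)
        msg = $0; sub(/.*\[msg "/, "", msg); sub(/".*/, "", msg)
        uri = $0; sub(/.*\[uri "/, "", uri); sub(/".*/, "", uri)
        print id "\t" uri "\t" msg }' "$1" \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Print "count id": number of distinct client addresses per rule (the port after the
# last colon is dropped, so IPv6 clients work too). A rule hit by many clients on normal
# pages is a likely false positive; one client tripping many rules looks like a scanner.
modsec_clients_per_rule() {
    awk '/ModSecurity:/ {
        ip = $0; sub(/.*\[client /, "", ip); sub(/:[0-9]*\].*/, "", ip)
        id = $0; sub(/.*\[id "/, "", id);   sub(/".*/, "", id)
        print id "\t" ip }' "$1" \
    | sort -u | cut -f1 | uniq -c | sed 's/^ *//'
}
```

Run against the real /var/www/ampache/logs/error.log configured above instead of the sample file; the two views together show whether a rule misfires on an application page for everyone or only flags one client's probing.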
to be continued