Differences

This shows you the differences between two versions of the page.

--- computer:server:stratoserver [2024/01/17 13:35] – removed - external edit (Unknown date) 127.0.0.1
+++ computer:server:stratoserver [2024/01/17 13:35] (current) – ↷ Page moved from computer:stratoserver to computer:server:stratoserver spring
@@ Line 1: / Line 1: @@
+====== Strato-Server ======
+Der Strato-Vserver ersetzt das shared-Webhosting bei webgo
+Kunden-Login: https://www.strato.de/apps/CustomerService?identifier=76914820
+===== Allgemeine Links =====
+* https://www.gooksu.com/2021/12/linux-basic-install-migrated-to-a-new-server-1-of-4/ und ff.
+===== Zusätzliche Ubuntu-Pakete =====
+  rcs
+===== Dienstprogramme =====
+<file bash /usr/local/bin/dockerip.sh>
+#!/bin/bash
+docker inspect $1 | grep -i ipad | tail -1 | perl -pe 's/(.*"(?=\d)|",\n)//g'
+</file>
+Lazydocker von https://github.com/jesseduffield/lazydocker installiert in /usr/local/bin
+===== docker =====
+==== Installation ====
+Neueste Version installiert entsprechend https://docs.docker.com/engine/install/ubuntu/
+Alte Versionen deinstallieren
+  sudo apt-get remove docker docker-engine docker.io containerd runc
+Neues Repository einrichten, utilities und docker installieren
+  sudo apt-get install \
+     ca-certificates \
+     curl \
+     gnupg \
+     lsb-release
+  sudo mkdir -p /etc/apt/keyrings
+  curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+  sudo apt-get update
+  sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
+==== Task-Limit erhöhen ====
+   systemctl show --property=DefaultTasksMax
+Initialer Wert ist 105, das ist für Docker zu niedrig
+Ändern in der Datei ''/etc/systemd/system.conf'' derzeit auf 1024
+Neu laden des Limits mit
+  sudo systemctl daemon-reload
+Siehe auch https://www.strato.de/faq/server/prozesse-vs-threads-bei-linux-v-servern/
+==== /proc/user_beancount ====
+  sudo cat /proc/user_beancounters | grep numproc
+            numproc                       682                  682                  700                  700
+Problem! strato setzt den Grenzwert so niedrig, dass man die theoretische Serverleistung nicht ausschöpfen kann
+==== somaxconn erhöhen ====
+Der mailserver beschwert sich sonst über einen zu niedrigen Wert. Abhilfe
+  echo 1024 > /proc/sys/net/core/somaxconn
+Permanent setzen
+  sudo vim /etc/sysctl.conf
+'''net.core.somaxconn=65535'''
+FIXME Testen, ob der Wert nach dem Boot bleibt
+===== Domainübersicht =====
+^ Domain      ^ Nameserver ^ Registrar       ^ aufgeschaltet ^ 1blu? ^ kündigen? ^
+| markus-spring.info   | cloudflare  | -.-    | webgo        |       | ja        |
+| markus-spring.de     | cloudflare  | **strato**  | **strato**       |     |           |
+| aberdoch.de          | cloudflare  | webgo  | webgo        | ja    |           |
+| georg-ritter.info    | cloudflare  | -.-    | webgo        |       |           |
+| babaoskar.info       | -.-         | -.-    | webgo        |       |           |
+| roswithaschmitt.de   | webgo       | webgo  | webgo        | ja    |           |
+| constance-spring.de  | -.-         | -.-    | webgo        |       |           |
+| lebenswertes-bad-reichenhall.de | -.- | netcup | webgo        |       |           |
+| tauber-spring.de     | -.-         | netcup    | webgo        | ja    |           |
+| bürgerliste-reichenhall.de | webgo | webgo | webgo         | ja    |           |
+| buergerliste-reichenhall.de | -.-  | netcup   | webgo         |       |           |
+Registrar-Abfrage: https://www.eurodns.com/de/whois-suche/de-domain
+===== Backup durch hermes =====
+  - Public-Key des Backup-docker-Images in /root installiert
+===== UFW =====
+  apt install ufw
+  vim /etc/default/ufw
+  ufw default deny incoming
+  ufw default allow outgoing
+  ufw allow ssh
+  ufw allow http
+  ufw allow https
+  ufw enable
+Test mit ''sudo nmap strato.markus-spring.info''
+Ergebnis:
+  Nmap scan report for strato.markus-spring.info (81.169.136.167)
+  Host is up (0.034s latency).
+  rDNS record for 81.169.136.167: h2973155.stratoserver.net
+  Not shown: 994 filtered ports
+  PORT     STATE  SERVICE
+/tcp   open   ssh
+/tcp   open   http
+/tcp  open   https
+/tcp open   http-alt
+/tcp open   http-proxy
+/tcp closed abyss
+===== fail2ban =====
+''apt install fail2ban ipset''
+Siehe auch https://debacher.de/wiki/Strato-Server_mit_Ubuntu_20.04#Blacklist_mit_fail2ban und https://www.the-lazy-dev.com/en/install-fail2ban-with-docker/
+==== sshd ====
+Hierfür reicht die Standardeinstellung in /etc/fail2ban/jail.local
+==== postfix ====
+Der interne fail2ban des Docker-Mailservers wird disabled
+Seine Aufgabe übernimmt der Host-fail2ban. Damit die Anfragen nicht mehr an die Docker-Container weitergeleitet werden, wird der Ban von der action ''docker-action'' ausgeführt.
+<file bash /etc/fail2ban/jail.local>
+  [sasl-mws]
+  enabled = true
+  port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
+  filter = postfix-mws
+  # You might consider monitoring /var/log/mail.warn instead if you are
+  # running postfix since it would provide the same log lines at the
+  # "warn" level but overall at the smaller filesize.
+  logpath = /home/springm/docker/mailserver/docker-data/dms/mail-logs/mail.warn
+  datepattern = ^%%b %%d %%H:%%M:%%S
+  banaction   = docker-action
+</file>
+<file bash /etc/fail2ban/action.d/docker-action.conf>
+  [Definition]
+  actionstart = iptables -N f2b-docker
+              iptables -A f2b-docker -j RETURN
+              iptables -I FORWARD -p tcp -m multiport --dports 25,80,443,465,993,4190 -j f2b-docker
+  actionstop = iptables -D FORWARD -p tcp -m multiport --dports 25,80,443,465,993,4190 -j f2b-docker
+             iptables -F f2b-docker
+             iptables -X f2b-docker
+  actioncheck = iptables -n -L FORWARD | grep -q 'f2b-docker[ \t]'
+  actionban = iptables -I f2b-docker 1 -s <ip> -j DROP
+  actionunban = iptables -D f2b-docker -s <ip> -j DROP
+</file>
+===== logrotate =====
+===== logwatch =====
+===== traefik2 =====
+Installiert auf der Basis einer Kopie von hermes, Domain markus-spring.de. Dashboard: https://traefik.markus-spring.de
+Siehe auch: https://williamhayes.medium.com/traefik-letsencrypt-and-acme-json-configuration-problems-5780c914351d
+<code yml docker-compose.yml>
+# $Header: /home/springm/docker/traefik2/RCS/docker-compose.yml,v 1.2 2022/03/19 07:57:25 springm Exp springm $
+# https://medium.com/@containeroo/traefik-2-0-docker-a-simple-step-by-step-guide-e0be0c17cfa5
+# https://medium.com/@containeroo/traefik-2-0-docker-an-advanced-guide-d098b9e9be96
+version: '3'
+services:
+  traefik:
+    image: traefik:latest
+    container_name: traefik
+    restart: always
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - proxy
+    ports:
+      - 80:80
+      #- 993:993
+      - 8080:8080
+      - 443:443
+      - 9999:9999
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik.yml:/traefik.yml:ro
+      - ./shared/acme.json:/etc/traefik/acme/acme.json
+      - ./config.yml:/config.yml:ro
+      #- ./traefik-provider.toml:/traefik-provider.toml
+      # extra Konfigurationen (für z. B. Middlewares)
+      - ./providers:/providers
+      - ./log:/var/log
+    command:
+      - --certresolv.myresolver.acme.storage=./shared/acme.json
+    environment:
+      - CLOUDFLARE_EMAIL=m.spring@gmx.de
+      - CLOUDFLARE_API_KEY=8199b6b1054ca9d95f18df5a4e7a1abf0b232
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.entrypoints=http"
+      - "traefik.http.routers.traefik.rule=Host(`traefik.markus-spring.de`)"
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=.......:$$............................"
+      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+      - "traefik.http.routers.traefik-secure.entrypoints=https"
+      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.markus-spring.de`)"
+      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
+      - "traefik.http.routers.traefik-secure.tls=true"
+      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
+      - "traefik.http.routers.traefik-secure.tls.domains[0].main=markus-spring.de"
+      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.markus-spring.de"
+      - "traefik.http.routers.traefik-secure.service=api@internal"
+networks:
+  proxy:
+    external: true
+</code>
+==== Links ====
+===== Portainer =====
+Installiert entsprechend https://deployn.de/blog/portainer-mit-traefik/
+Interface: https://portainer.markus-spring.de/
+===== Wordpress / MariaDB / Redis / Matomo =====
+  - Erledigt:
+    - markus-spring.info von webgo auf markus-spring.de umgezogen
+    - georg-ritter.info von webgo umgezogen
+    - Benutzertabelle umgezogen
+    - notizbuch.aberdoch.de umgezogen <code>cat ~/mysql-workshop/web27_db8/sswp_4/* | mysql -h $(dockerip.sh wp-mariadb) -u wp_DqC3 -p<password> wordpress_multisite</code>
+    - vhs-fotogruppe-reichenhall.aberdoch.de umgezogen. Id von 8 auf 5 gewechselt. <code>cat ~/mysql-workshop/web27_db8/sswp_8/* | perl -pe 's/\bsswp_8_/sswp_5_/g' | mysql -h $(dockerip.sh wp-mariadb) -u wp_DqC3 -p<password> wordpress_multisite</code>
+    - wp-cron disablen https://rschu.me/wordpress-wp-cron-mit-cronjob-ersetzen-cf8beaecf181
+==== Users umziehen ====
+Achtung: dafür müssen die keys von webgo umgezogen werden, sonst ist offensichtlich der salt der Passwörter in der users-Tabelle von Wordpress falsch.
+==== Redis ====
+siehe auch https://www.saotn.org/automatically-flush-redis-cache-after-publishing-a-wordpress-post/
+==== phpmyadmin ====
+Anmelden mit ''MYSQL_USER'' und ''MYSQL_PASSWORD'' aus der .env-Datei
+==== Links ====
+  * Einfach: https://github.com/nezhar/wordpress-docker-compose
+  * Komplex: https://kentakodashima.medium.com/wordpress-wordpress-development-with-docker-compose-and-wordmove-cf720d2618d ({{ :computer:wordpress_wordpress_development_with_docker-compose_and_wordmove_by_kenta_kodashima_medium.pdf | pdf}})
+  * https://welaika.github.io/wordmove/
+  * https://entwickler.de/php/wordmove-einfaches-deployment-von-wordpress-projekten
+  * -
+  * https://www.hostinger.com/tutorials/wordpress/how-to-change-wordpress-urls-in-mysql-database-using-phpmyadmin
+  * https://www.wpbeginner.com/wp-tutorials/how-to-properly-move-wordpress-to-a-new-domain-without-losing-seo/
+==== Archivierung mit Cron ====
+''crontab -e''
+<file bash>
+*/12 * * * if [ $(docker inspect -f '{{.State.Running}}' matomo-matomo-app-1) ]; then docker exec -t matomo-matomo-app-1 su -s "/bin/sh" -c "/usr/local/bin/php /var/www/html/console core:archive --url=https://matomo.markus-spring.de" www-data; fi
+</file>
+==== Backup ====
+  mysqldump -h $(dockerip.sh matomo-matomo-db-1) -u root -p<mysql root password> matomo > dump.sql
+==== Pitfalls ====
+  mysqldump: Got error: 1045: "Plugin caching_sha2_password could not be loaded
+Lösung siehe https://stackoverflow.com/questions/49194719/authentication-plugin-caching-sha2-password-cannot-be-loaded
+  docker exec -it CONTAINER_ID bash
+then log into mysql as root
+  mysql --user=root --password
+Enter the password for root (Default is 'root') Finally Run:
+  ALTER USER 'username' IDENTIFIED WITH mysql_native_password BY 'password';
+==== ublock überlisten ====
+Neuer Ansatz: https://github.com/simonfrey/matomo_circumvent_adblock
+Konfiguriert zufällige Skript- und Variablennamen. Eingesetzt auf markus-spring.info mit folgendem Code:
+  <script>
+  var _paq = window._paq = window._paq || [];
+  _paq.push(["setDomains", ["*.markus-spring.info"]]);
+  _paq.push(["disableCookies"]);
+  _paq.push(['trackPageView']);
+  _paq.push(['enableLinkTracking']);
+  (function() {
+      _paq.push(["setTrackerUrl", "//stats.markus-spring.de/hfjdalp.php"]);
+      _paq.push(['setSiteId', '1']);
+      var a = document, r = a.createElement("script"), s = a.getElementsByTagName("script")[0];
+      r.async = !0, r.defer = !0, r.src = "//stats.markus-spring.de/sqjrgrm.php", s.parentNode.insertBefore(r, s)
+  })();
+  </script>
+  <noscript><img src="//stats.markus-spring.de/hfjdalp.php?cyo=[1]&ahg=1" /></noscript>
+<del>https://wordpress.org/support/topic/way-to-avoid-being-blocked-by-ad-blocker/
+Step 1: On your matomo server, create a copy of matomo.js and matomo.php and call them m.js and m.php or whatever you prefer.
+Step 2: In the m.js file, find and replace the following strings:
+“action_name” = “the_action_name” (since “action_name=” is on a blocklist)
+“idsite” = “siteid” (since “idsite=” is on a blocklist)
+Step 3: In the m.php file, add the following, right after the opening comment:
+  if(isset($_GET['the_action_name'])) { $_GET['action_name'] = $_GET['the_action_name']; }
+  if(isset($_GET['siteid'])) { $_GET['idsite'] = $_GET['siteid']; }
+Step 4: In the WP Matomo plugin, switch to manual editing the tracking code and replace matomo.js and matomo.php with your new file names respectively.
+</del>
+===== Mail mit docker-mailserver =====
+https://github.com/docker-mailserver/docker-mailserver
+Sendmail muss disabled sein, weil sonst port 587 blockiert ist: '''sudo service sendmail stop''', '''update-rc.d sendmail disable'''
+UFW muss folgende Ports öffnen: ''sudo ufw allow proto tcp from any to any port 25,80,443,110,143,465,587,993,995''
+Imap muss unverschlüsseltes Login erlauben, sonst funktioniert Postie nicht (https://github.com/docker-mailserver/docker-mailserver/issues/519)
+Siehe auch
+  * https://blog.raphaelpiccolo.com/post/852
+  * https://www.ifthenel.se/self-hosted-mail-server/
+  * https://andycallaghan.com/posts/deploy-a-gmail-like-email-server-in-30-minutes/ und https://www.libe.net/docker-mailserver
+==== Testen ====
+  * https://www.mail-tester.com/
+  * https://de.ssl-tools.net/mailservers/markus-spring.de
+  * https://dnschecker.org/mx-lookup.php?query=mail.markus-spring.de&dns=quad9
+  * ptr-record check: https://mxtoolbox.com/SuperTool.aspx?action=ptr%3a81.169.136.167&run=toolpage
+==== Host-System mails versenden ====
+Configure postfix to send mail
+We installed postfix during our basic setup. We will need to configure it so that it does not start smtpd on port 25 since it is already being used by our mailserver container and we want to configure it for relayhost only so that it only forwards it to our MTA.
+To disable smtpd from starting with postfix edit /etc/postfix/master.cf line 11 and comment it out
+  #smtp      inet  n       -       n       -       -       smtpd
+To configure relayhost edit /etc/postfix/main.cf and edit the following - please fill in the items in { }
+  mydestination = $myhostname, localhost.$mydomain, localhost, {FQDN}, {HOSTNAME}
+  relayhost = {mail.domain.name}
+Enable and start postfix
+  sudo systemctl enable postfix
+  sudo systemctl start postfix
+===== Owntracks =====
+==== Mosquitto ====
+mqtt.markus-spring.de
+Secure-Port in ''traefik.yml'' hinzugefügt
+  mqtt:
+    address: ":8883"
+Port 8883 muss auch in der UFW geöffnet werden:
+  sudo ufw allow 8883/tcp
+===== LizMap =====
+==== Links ====
+===== Wireguard =====
+==== Links ====