====== Strato-Server ======

The Strato vServer replaces the shared web hosting at webgo.

Customer login: https://www.strato.de/apps/CustomerService?identifier=76914820

===== General links =====

  * https://www.gooksu.com/2021/12/linux-basic-install-migrated-to-a-new-server-1-of-4/ and the following parts

===== Additional Ubuntu packages =====

rcs

===== Utilities =====

<file bash /usr/local/bin/dockerip.sh>
#!/bin/bash
# Print the IP address of the container named in $1.
# "docker inspect" lists IPAddress once per network; the last one is kept
# and the surrounding JSON quoting and trailing comma are stripped.
docker inspect "$1" | grep -i ipad | tail -1 | perl -pe 's/(.*"(?=\d)|",\n)//g'
</file>

Lazydocker from https://github.com/jesseduffield/lazydocker installed in /usr/local/bin

===== docker =====

==== Installation ====

Latest version installed according to https://docs.docker.com/engine/install/ubuntu/

Remove old versions:
<code bash>
sudo apt-get remove docker docker-engine docker.io containerd runc
</code>

Set up the new repository, install the utilities and docker:
<code bash>
sudo apt-get install \
    ca-certificates \
    curl \
    gnupg \
    lsb-release
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
# Register the repository (step from the linked Docker docs; without it the install below fails)
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
</code>

==== Raising the task limit ====

<code bash>
systemctl show --property=DefaultTasksMax
</code>

The initial value is 105, which is too low for Docker.

Changed in the file ''/etc/systemd/system.conf'' (''DefaultTasksMax''), currently to 1024. Reload the limit with
<code bash>
sudo systemctl daemon-reload
</code>

See also https://www.strato.de/faq/server/prozesse-vs-threads-bei-linux-v-servern/

==== /proc/user_beancounters ====

<code bash>
sudo cat /proc/user_beancounters | grep numproc
</code>
<code>
numproc    682    682    700    700
</code>
(columns: held, maxheld, barrier, limit)

Problem: strato sets the limit so low that the theoretical server capacity cannot be used.

==== Raising somaxconn ====

Otherwise the mail server complains about a value that is too low.
Workaround:
<code bash>
echo 1024 > /proc/sys/net/core/somaxconn
</code>

Set permanently (''sudo vim /etc/sysctl.conf''):
<code>
net.core.somaxconn=65535
</code>

FIXME Test whether the value survives a reboot.

===== Domain overview =====

^ Domain ^ Nameserver ^ Registrar ^ live on ^ 1blu? ^ cancel? ^
| markus-spring.info | cloudflare | -.- | webgo | | yes |
| markus-spring.de | cloudflare | **strato** | **strato** | | |
| aberdoch.de | cloudflare | webgo | webgo | yes | |
| georg-ritter.info | cloudflare | -.- | webgo | | |
| babaoskar.info | -.- | -.- | webgo | | |
| roswithaschmitt.de | webgo | webgo | webgo | yes | |
| constance-spring.de | -.- | -.- | webgo | | |
| lebenswertes-bad-reichenhall.de | -.- | netcup | webgo | | |
| tauber-spring.de | -.- | netcup | webgo | yes | |
| bürgerliste-reichenhall.de | webgo | webgo | webgo | yes | |
| buergerliste-reichenhall.de | -.- | netcup | webgo | | |

Registrar lookup: https://www.eurodns.com/de/whois-suche/de-domain

===== Backup via hermes =====

  - Public key of the backup docker image installed in /root

===== UFW =====

<code bash>
apt install ufw
vim /etc/default/ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw allow https
ufw enable
</code>

Test with ''sudo nmap strato.markus-spring.info''. Result:
<code>
Nmap scan report for strato.markus-spring.info (81.169.136.167)
Host is up (0.034s latency).
rDNS record for 81.169.136.167: h2973155.stratoserver.net
Not shown: 994 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
8000/tcp open   http-alt
8080/tcp open   http-proxy
9999/tcp closed abyss
</code>

Note that 8000 and 8080 show as open although UFW only allows ssh, http and https: ports published by Docker (the ''ports:'' entries in docker-compose) are inserted into Docker's own iptables chains ahead of the UFW rules and are not filtered by them.

===== fail2ban =====

''apt install fail2ban ipset''

See also https://debacher.de/wiki/Strato-Server_mit_Ubuntu_20.04#Blacklist_mit_fail2ban and https://www.the-lazy-dev.com/en/install-fail2ban-with-docker/

==== sshd ====

The default settings in /etc/fail2ban/jail.local are sufficient for this.

==== postfix ====

The internal fail2ban of the Docker mailserver is disabled. Its job is taken over by the host fail2ban.
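As an added example (not code from this page or from docker-mailserver), the detection logic such a SASL jail relies on, run over a few constructed mail.warn lines in the standard Postfix syslog format: failures are counted per client IP the way fail2ban's maxretry/findtime does, and for each offender the ''actionban'' rule of the ''docker-action'' configured below is produced. The addresses are from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Postfix/smtpd SASL failure lines in syslog format (standard Postfix format,
# assumed here); the timestamp matches the jail's datepattern "%b %d %H:%M:%S".
SASL_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)

# Constructed sample of a mail.warn log (not a real capture).
SAMPLE_LOG = """\
Mar 19 07:57:25 mail postfix/smtpd[2451]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 19 07:57:31 mail postfix/smtpd[2451]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 19 07:57:40 mail postfix/smtpd[2458]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar 19 08:10:02 mail postfix/smtpd[2460]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 19 08:12:14 mail postfix/smtpd[2461]: connect from mail.example.org[192.0.2.5]
Mar 19 12:30:00 mail postfix/smtpd[2470]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
""".splitlines()


def find_offenders(lines, maxretry=3, findtime=600, year=2024):
    """Return {ip: total_failures} for every client IP with at least `maxretry`
    SASL failures inside some `findtime`-second window, i.e. the condition under
    which fail2ban fires actionban. Syslog timestamps carry no year, so one is
    supplied (hypothetical default)."""
    failures = defaultdict(list)
    for line in lines:
        m = SASL_FAIL.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures[m["ip"]].append(ts)
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            # sliding window: the maxretry-th failure still within findtime of the i-th
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                offenders[ip] = len(times)
                break
    return offenders


def ban_command(ip):
    """The rule docker-action's actionban inserts for a banned client."""
    return f"iptables -I f2b-docker 1 -s {ip} -j DROP"


for banned_ip in find_offenders(SAMPLE_LOG):
    print(ban_command(banned_ip))
```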
So that requests from banned clients are no longer forwarded to the Docker containers, the ban is carried out by the action ''docker-action'', which drops in the FORWARD chain instead of INPUT.

<file ini /etc/fail2ban/jail.local>
[sasl-mws]
enabled  = true
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = postfix-mws
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /home/springm/docker/mailserver/docker-data/dms/mail-logs/mail.warn
datepattern = ^%%b %%d %%H:%%M:%%S
banaction = docker-action
</file>

<file ini /etc/fail2ban/action.d/docker-action.conf>
[Definition]
# Dedicated chain hooked into FORWARD: traffic to published container ports
# is forwarded by Docker and never traverses the host's INPUT chain.
actionstart = iptables -N f2b-docker
              iptables -A f2b-docker -j RETURN
              iptables -I FORWARD -p tcp -m multiport --dports 25,80,443,465,993,4190 -j f2b-docker
actionstop  = iptables -D FORWARD -p tcp -m multiport --dports 25,80,443,465,993,4190 -j f2b-docker
              iptables -F f2b-docker
              iptables -X f2b-docker
actioncheck = iptables -n -L FORWARD | grep -q 'f2b-docker[ \t]'
actionban   = iptables -I f2b-docker 1 -s <ip> -j DROP
actionunban = iptables -D f2b-docker -s <ip> -j DROP
</file>

===== logrotate =====

===== logwatch =====

===== traefik2 =====

Installed on the basis of a copy from hermes, domain markus-spring.de.
Dashboard: https://traefik.markus-spring.de

See also: https://williamhayes.medium.com/traefik-letsencrypt-and-acme-json-configuration-problems-5780c914351d

<code yml docker-compose.yml>
# $Header: /home/springm/docker/traefik2/RCS/docker-compose.yml,v 1.2 2022/03/19 07:57:25 springm Exp springm $
# https://medium.com/@containeroo/traefik-2-0-docker-a-simple-step-by-step-guide-e0be0c17cfa5
# https://medium.com/@containeroo/traefik-2-0-docker-an-advanced-guide-d098b9e9be96
version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      #- 993:993
      - 8080:8080
      - 443:443
      - 9999:9999
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./shared/acme.json:/etc/traefik/acme/acme.json
      - ./config.yml:/config.yml:ro
      #- ./traefik-provider.toml:/traefik-provider.toml
      # extra configuration (e.g. for middlewares)
      - ./providers:/providers
      - ./log:/var/log
    command:
      # Traefik v2 flag name; the storage path is the container-side mount from volumes above.
      # The routers below use the resolver "cloudflare", assumed to be defined in traefik.yml.
      - --certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme/acme.json
    environment:
      - CLOUDFLARE_EMAIL=m.spring@gmx.de
      # The real key was removed from the wiki page; keep it in the .env file, not here.
      - CLOUDFLARE_API_KEY=<cloudflare-api-key>
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.markus-spring.de`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=.......:$$............................"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.markus-spring.de`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=markus-spring.de"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.markus-spring.de"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true
</code>

==== Links ====

===== Portainer =====

Installed according to https://deployn.de/blog/portainer-mit-traefik/

Interface: https://portainer.markus-spring.de/

===== Wordpress / MariaDB / Redis / Matomo =====

  - Done:
    - markus-spring.info moved from webgo to markus-spring.de
    - georg-ritter.info moved from webgo
    - user table moved
    - notizbuch.aberdoch.de moved: <code>cat ~/mysql-workshop/web27_db8/sswp_4/* | mysql -h $(dockerip.sh wp-mariadb) -u wp_DqC3 -p<password> wordpress_multisite</code>
    - vhs-fotogruppe-reichenhall.aberdoch.de moved; its id changed from 8 to 5, so the table prefix is rewritten on the way in: <code>cat ~/mysql-workshop/web27_db8/sswp_8/* | perl -pe 's/\bsswp_8_/sswp_5_/g' | mysql -h $(dockerip.sh wp-mariadb) -u wp_DqC3 -p<password> wordpress_multisite</code>
  - Disable wp-cron: https://rschu.me/wordpress-wp-cron-mit-cronjob-ersetzen-cf8beaecf181

==== Moving users ====

Caution: for this the keys from webgo must be moved as well, otherwise the salt of the passwords in the WordPress users table is evidently wrong.
==== Redis ====

See also https://www.saotn.org/automatically-flush-redis-cache-after-publishing-a-wordpress-post/

==== phpmyadmin ====

Log in with ''MYSQL_USER'' and ''MYSQL_PASSWORD'' from the .env file.

==== Links ====

  * Simple: https://github.com/nezhar/wordpress-docker-compose
  * Complex: https://kentakodashima.medium.com/wordpress-wordpress-development-with-docker-compose-and-wordmove-cf720d2618d ({{ :computer:wordpress_wordpress_development_with_docker-compose_and_wordmove_by_kenta_kodashima_medium.pdf | pdf}})
  * https://welaika.github.io/wordmove/
  * https://entwickler.de/php/wordmove-einfaches-deployment-von-wordpress-projekten
  * -
  * https://www.hostinger.com/tutorials/wordpress/how-to-change-wordpress-urls-in-mysql-database-using-phpmyadmin
  * https://www.wpbeginner.com/wp-tutorials/how-to-properly-move-wordpress-to-a-new-domain-without-losing-seo/

==== Archiving with cron ====

''crontab -e''
<file bash>
# Every 12 hours: run the Matomo archiver, but only while the container is running.
# "docker inspect" prints true/false; the string comparison is required because
# a bare [ false ] would also succeed (any non-empty string is true).
5 */12 * * * if [ "$(docker inspect -f '{{.State.Running}}' matomo-matomo-app-1 2>/dev/null)" = "true" ]; then docker exec -t matomo-matomo-app-1 su -s "/bin/sh" -c "/usr/local/bin/php /var/www/html/console core:archive --url=https://matomo.markus-spring.de" www-data; fi
</file>

==== Backup ====

<code bash>
mysqldump -h $(dockerip.sh matomo-matomo-db-1) -u root -p<mysql root password> matomo > dump.sql
</code>

==== Pitfalls ====

<code>
mysqldump: Got error: 1045: "Plugin caching_sha2_password could not be loaded
</code>

Solution, see https://stackoverflow.com/questions/49194719/authentication-plugin-caching-sha2-password-cannot-be-loaded

<code bash>
docker exec -it CONTAINER_ID bash
</code>
then log into mysql as root
<code bash>
mysql --user=root --password
</code>
Enter the password for root (default is 'root'). Finally run:
<code sql>
ALTER USER 'username' IDENTIFIED WITH mysql_native_password BY 'password';
</code>

==== Outsmarting ublock ====

New approach: https://github.com/simonfrey/matomo_circumvent_adblock

Configures random script and variable names.
Deployed on markus-spring.info with the following code:
<code html>
<script>
  var _paq = window._paq = window._paq || [];
  _paq.push(["setDomains", ["*.markus-spring.info"]]);
  _paq.push(["disableCookies"]);
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    _paq.push(["setTrackerUrl", "//stats.markus-spring.de/hfjdalp.php"]);
    _paq.push(['setSiteId', '1']);
    var a = document, r = a.createElement("script"), s = a.getElementsByTagName("script")[0];
    r.async = !0, r.defer = !0, r.src = "//stats.markus-spring.de/sqjrgrm.php", s.parentNode.insertBefore(r, s)
  })();
</script>
<noscript><img src="//stats.markus-spring.de/hfjdalp.php?cyo=[1]&ahg=1" /></noscript>
</code>

<del>
https://wordpress.org/support/topic/way-to-avoid-being-blocked-by-ad-blocker/

Step 1: On your matomo server, create a copy of matomo.js and matomo.php and call them m.js and m.php or whatever you prefer.

Step 2: In the m.js file, find and replace the following strings:
  * "action_name" = "the_action_name" (since "action_name=" is on a blocklist)
  * "idsite" = "siteid" (since "idsite=" is on a blocklist)

Step 3: In the m.php file, add the following, right after the opening comment:
  if(isset($_GET['the_action_name'])) { $_GET['action_name'] = $_GET['the_action_name']; }
  if(isset($_GET['siteid'])) { $_GET['idsite'] = $_GET['siteid']; }

Step 4: In the WP Matomo plugin, switch to manual editing the tracking code and replace matomo.js and matomo.php with your new file names respectively.
</del>

===== Mail with docker-mailserver =====

https://github.com/docker-mailserver/docker-mailserver

Sendmail must be disabled, otherwise port 587 is blocked: ''sudo service sendmail stop'', ''update-rc.d sendmail disable''

UFW must open the following ports: ''sudo ufw allow proto tcp from any to any port 25,80,443,110,143,465,587,993,995''

IMAP must allow unencrypted login, otherwise Postie does not work (https://github.com/docker-mailserver/docker-mailserver/issues/519)

See also
  * https://blog.raphaelpiccolo.com/post/852
  * https://www.ifthenel.se/self-hosted-mail-server/
  * https://andycallaghan.com/posts/deploy-a-gmail-like-email-server-in-30-minutes/ and https://www.libe.net/docker-mailserver

==== Testing ====

  * https://www.mail-tester.com/
  * https://de.ssl-tools.net/mailservers/markus-spring.de
  * https://dnschecker.org/mx-lookup.php?query=mail.markus-spring.de&dns=quad9
  * PTR record check: https://mxtoolbox.com/SuperTool.aspx?action=ptr%3a81.169.136.167&run=toolpage

==== Sending mail from the host system ====

Configure postfix to send mail

We installed postfix during our basic setup. We will need to configure it so that it does not start smtpd on port 25, since it is already being used by our mailserver container, and we want to configure it for relayhost only so that it only forwards mail to our MTA.
To disable smtpd from starting with postfix, edit /etc/postfix/master.cf line 11 and comment it out:
<code>
#smtp      inet  n       -       n       -       -       smtpd
</code>

To configure relayhost, edit /etc/postfix/main.cf and set the following - please fill in the items in { }:
<code>
mydestination = $myhostname, localhost.$mydomain, localhost, {FQDN}, {HOSTNAME}
relayhost = {mail.domain.name}
</code>

Enable and start postfix:
<code bash>
sudo systemctl enable postfix
sudo systemctl start postfix
</code>

===== Owntracks =====

==== Mosquitto ====

mqtt.markus-spring.de

Secure port added in ''traefik.yml'' (under ''entryPoints''):
<code yml>
entryPoints:
  mqtt:
    address: ":8883"
</code>

Port 8883 must also be opened in UFW:
<code bash>
sudo ufw allow 8883/tcp
</code>

===== LizMap =====

==== Links ====

===== Wireguard =====

==== Links ====

computer/server/stratoserver.txt · Last modified: 2024/01/17 13:35 by spring