Granting Read-Only Home Directory Access to a Flatpak Application
flatpak --user override --filesystem=/home/$USER/:ro
References
https://www.reddit.com/r/flatpak/comments/10wuajo/how_to_make_flatpak_applications_respect_my_fonts/
nano /etc/ssh/sshd_config
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
systemctl restart sshd
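To confirm that the three directives above are the values sshd will actually use, the following added example (not from the original page) reads a config file the way sshd does: the first occurrence of a keyword wins, so an earlier line can silently override the hardened one. The function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# effective_sshd_opt FILE KEYWORD
# Print the value sshd takes for KEYWORD from the global section of FILE.
# Keywords are case-insensitive and the first occurrence wins; parsing stops
# at the first Match block. Assumes "Keyword value" lines; Include files are
# not followed.
effective_sshd_opt() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match" { exit }       # end of the global section
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd FILE
# Return 0 only if all three settings are set explicitly to the hardened
# values; an unset keyword is reported rather than trusted to its default.
audit_sshd() {
    rc=0
    for want in permitrootlogin:prohibit-password \
                passwordauthentication:no pubkeyauthentication:yes; do
        key=${want%%:*}
        expected=${want#*:}
        got=$(effective_sshd_opt "$1" "$key")
        if [ "$got" != "$expected" ]; then
            echo "FAIL $key: effective '$got', expected '$expected'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not taken from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' 'PermitRootLogin prohibit-password' \
    'PasswordAuthentication no' 'pubkeyauthentication yes' \
    > "$demo_dir/good.conf"
# The earlier "yes" shadows the later "no".
printf '%s\n' '# leftover default' 'PasswordAuthentication yes' \
    'PermitRootLogin prohibit-password' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' > "$demo_dir/shadowed.conf"

audit_sshd "$demo_dir/good.conf" && echo "good.conf: hardened"
audit_sshd "$demo_dir/shadowed.conf" || echo "shadowed.conf: not hardened"
```

On a live host, `sshd -T` prints the effective configuration with Include files resolved.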
Add your public key to the authorized keys file on the remote server. To add your key to the file, you can use the following command:
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
If the file ~/.ssh/authorized_keys does not exist yet, you can create it with the following commands:
mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys
References
https://medium.com/@williamkwao/how-to-add-ssh-keys-to-an-ubuntu-server-6a3a5b1bee26
server {
    # IPv4, HTTP
    listen 80 reuseport;
    # IPv6, HTTP
    listen [::]:80 reuseport;
    server_name example.com www.example.com;
    ...
}

server {
    # IPv4, HTTPS
    listen 443 ssl reuseport;
    # IPv6, HTTPS
    listen [::]:443 ssl reuseport;
    server_name example.com www.example.com;
    ...
}
nginx -t
sudo systemctl restart nginx
References
https://www.linuxcapable.com/how-to-enable-reuseport-in-nginx/
Wrong
location = /robots.txt { allow all; log_not_found off; access_log off; }
Correct
location = /robots.txt { try_files $uri $uri/ /index.php?$args; access_log off; log_not_found off; }
References
https://medium.com/@oktay.acikalin/wordpress-nginx-virtual-robots-txt-and-404-bd5cc082725d
fallocate -l 100M yourfile
sudo mkdir -p /var/www/html/wordpress
Navigate to /etc/nginx/sites-available. There, create a file with the name example.com. The name should be the same as your domain.
# Redirect HTTP -> HTTPS
server {
    listen 80;
    server_name www.example.com example.com;
    return 301 https://example.com$request_uri;
}

# Redirect WWW -> NON-WWW
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    root /var/www/html/wordpress;
    index index.php;

    # SSL parameters
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 30s;

    # log files
    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires max;
        log_not_found off;
    }
}
Then create a symbolic link to the sites-enabled directory.
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com
sudo nginx -t
sudo nginx -s reload
References
https://www.hostinger.com/tutorials/how-to-install-wordpress-with-nginx-on-ubuntu/
https://www.nginx.com/resources/wiki/start/topics/recipes/wordpress/
https://wordpress.org/documentation/article/nginx/
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
References
https://linuxize.com/post/secure-nginx-with-let-s-encrypt-on-ubuntu-20-04/
sudo apt install redis-server
sudo nano /etc/redis/redis.conf
Inside the file, find the supervised directive. This directive allows you to declare an init system to manage Redis as a service, providing you with more control over its operation. The supervised directive is set to no by default. Since you are running Ubuntu, which uses the systemd init system, change this to systemd:
. . .
# If you run Redis from upstart or systemd, Redis can interact with your
# supervision tree. Options:
#   supervised no      - no supervision interaction
#   supervised upstart - signal upstart by putting Redis into SIGSTOP mode
#   supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
#   supervised auto    - detect upstart or systemd method based on
#                        UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
#       They do not enable continuous liveness pings back to your supervisor.
supervised systemd
. . .
sudo systemctl restart redis.service
References
https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-22-04
sudo nano /etc/mongod.conf
Find the network interfaces section, then the bindIp value:
. . .
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
. . .
Append a comma to this line followed by your MongoDB server’s public IP address:
. . .
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,mongodb_server_ip
. . .
Please note that this should be the IP address of the server on which you’ve installed MongoDB, not the IP address of your trusted remote machine.
sudo systemctl restart mongod