Configure Nginx for WordPress on Ubuntu

sudo mkdir -p /var/www/html/wordpress

Navigate to /etc/nginx/sites-available. There, create a file with the name example.com. The name should be the same as your domain.

# Redirect HTTP -> HTTPS
server {
    listen 80;
    server_name www.example.com example.com;

    return 301 https://example.com$request_uri;
}

# Redirect WWW -> NON-WWW
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    root /var/www/html/wordpress;
    index index.php;

    # SSL parameters
    ssl_protocols         TLSv1.2 TLSv1.3;
    ssl_ciphers           HIGH:!aNULL:!MD5;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 30s;

    # log files
    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires max;
        log_not_found off;
    }
}

Then create a symbolic link to the file in the sites-enabled directory, test the configuration, and reload Nginx.

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com
sudo nginx -t
sudo nginx -s reload

References
https://www.hostinger.com/tutorials/how-to-install-wordpress-with-nginx-on-ubuntu/
https://www.nginx.com/resources/wiki/start/topics/recipes/wordpress/
https://wordpress.org/documentation/article/nginx/

Add More Security to Nginx Configuration

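Generate a Diffie-Hellman parameter file for the DHE cipher suites:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Then add the following directives to the HTTPS server block, replacing the equivalent lines already present there rather than repeating them:

ssl_dhparam /etc/ssl/certs/dhparam.pem;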

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
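
A static check for the settings above, as an added example that is not part of the original page: without the always parameter, nginx attaches add_header headers only to successful and redirect responses, so the script flags those lines along with legacy ssl_protocols values and TLS server blocks that lack Strict-Transport-Security. The function name lint_nginx_tls and the sample vhost are constructed for illustration, and the script assumes a sites-available style file whose server blocks sit at the top level.

```shell
#!/bin/sh
# Added example: lint the TLS server blocks of an nginx vhost file.
# Prints one finding per line and returns 1 when anything is found.
lint_nginx_tls() {
    awk '
        function flag(msg) { printf "%s: %s\n", name, msg; bad++ }
        { sub(/#.*/, "") }                                   # strip comments
        depth == 0 && /^[ \t]*server[ \t]*[{]/ { tls = hsts = 0; name = "(unnamed)" }
        depth >= 1 && $1 == "listen" && /[ \t]ssl[ \t;]/ { tls = 1 }
        depth >= 1 && $1 == "server_name" { name = $2; sub(/;$/, "", name) }
        depth >= 1 && $1 == "ssl_protocols" && /(SSLv3|TLSv1|TLSv1\.1)[ \t;]/ {
            flag("legacy protocol enabled in ssl_protocols")
        }
        depth >= 1 && $1 == "add_header" {
            if ($2 == "Strict-Transport-Security") hsts = 1
            if ($NF != "always;") flag($2 " lacks \"always\", so it is not sent on error responses")
        }
        {
            was = depth                                      # track brace nesting
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (was > 0 && depth == 0 && tls && !hsts) flag("no Strict-Transport-Security header")
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: the main server block from this page, abbreviated, with
# two of the hardening headers pasted in and the HSTS line forgotten.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
EOF
lint_nginx_tls "$demo_conf" || echo "findings listed above"
rm -f "$demo_conf"
```

Run it against /etc/nginx/sites-available/example.com before sudo nginx -t; a clean file prints nothing and returns 0.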

References
https://linuxize.com/post/secure-nginx-with-let-s-encrypt-on-ubuntu-20-04/

Install Redis on Ubuntu 22.04

sudo apt install redis-server
sudo nano /etc/redis/redis.conf

Inside the file, find the supervised directive. This directive allows you to declare an init system to manage Redis as a service, providing you with more control over its operation. The supervised directive is set to no by default. Since you are running Ubuntu, which uses the systemd init system, change this to systemd.

. . .

# If you run Redis from upstart or systemd, Redis can interact with your
# supervision tree. Options:
#   supervised no      - no supervision interaction
#   supervised upstart - signal upstart by putting Redis into SIGSTOP mode
#   supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
#   supervised auto    - detect upstart or systemd method based on
#                        UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
#       They do not enable continuous liveness pings back to your supervisor.
supervised systemd

. . .

sudo systemctl restart redis.service

References
https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-22-04

Configure Remote Access for MongoDB on Ubuntu

sudo nano /etc/mongod.conf

Find the network interfaces section, then the bindIp value:

. . .
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1

. . .

Append a comma to this line followed by your MongoDB server’s public IP address:

. . .
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,mongodb_server_ip

. . .

Please note that this should be the IP address of the server on which you’ve installed MongoDB, not the IP address of your trusted remote machine.

sudo systemctl restart mongod
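
One way to check the result of this change, as an added example that is not part of the original page: once bindIp includes a non-loopback address, mongod accepts connections from the network, so the script reports whether security.authorization is enabled in the same file. The function names and the sample address 203.0.113.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a mongod.conf that listens on a non-loopback address
# while access control is off.

# yaml_get SECTION KEY FILE: value of KEY directly under top-level SECTION.
yaml_get() {
    awk -v section="$1" -v key="$2" '
        /^[^ \t#]/ { in_section = ($1 == (section ":")) }    # new top-level key
        in_section && $1 == (key ":") {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]*(#.*)?$/, ""); gsub(/"/, "")
            print; exit
        }' "$3"
}

# audit_mongod_conf FILE: print a verdict; return 1 when a remote bind lacks auth.
audit_mongod_conf() {
    bind=$(yaml_get net bindIp "$1")
    if [ "$(yaml_get net bindIpAll "$1")" = "true" ]; then bind="0.0.0.0"; fi
    auth=$(yaml_get security authorization "$1")
    exposed=""
    for addr in $(printf '%s' "$bind" | tr ',' ' '); do
        case "$addr" in
            127.*|::1|localhost|/*) ;;                       # loopback or Unix socket
            *) exposed="$exposed $addr" ;;
        esac
    done
    if [ -z "$exposed" ]; then
        echo "OK: loopback only"
    elif [ "$auth" = "enabled" ]; then
        echo "OK: listening on$exposed with authorization enabled"
    else
        echo "WARN: listening on$exposed but security.authorization is not enabled"
        return 1
    fi
}

# Constructed sample: the edited file from this page with a placeholder public IP.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,203.0.113.10
#security:
#  authorization: enabled
EOF
audit_mongod_conf "$demo" || true
rm -f "$demo"
```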

References
https://www.digitalocean.com/community/tutorials/how-to-configure-remote-access-for-mongodb-on-ubuntu-20-04

Install .NET 8 on Ubuntu 22.04 using Microsoft package feed

Remove the existing .NET packages from your distribution. You want to start over and ensure that you don’t install them from the wrong repository.

sudo apt remove 'dotnet*' 'aspnet*' 'netstandard*'

Configure your package manager to ignore the .NET packages from the distribution’s repository. It’s possible that you’ve installed .NET from both repositories, so you want to choose one or the other.

sudo touch /etc/apt/preferences
sudo nano /etc/apt/preferences

Add the following to the file:

Package: dotnet* aspnet* netstandard*
Pin: origin "<your-package-source>"
Pin-Priority: -10

Make sure to replace <your-package-source> with your distribution’s package source, for example, on Ubuntu you may use archive.ubuntu.com in the US.

Use the apt-cache policy command to find the source:

apt-cache policy '~ndotnet.*' | grep -v microsoft | grep '/ubuntu' | cut -d"/" -f3 | sort -u

Then add the Microsoft package repository and install the SDK:

# Get Ubuntu version
declare repo_version=$(if command -v lsb_release &> /dev/null; then lsb_release -r -s; else grep -oP '(?<=^VERSION_ID=).+' /etc/os-release | tr -d '"'; fi)

# Download Microsoft signing key and repository
wget https://packages.microsoft.com/config/ubuntu/$repo_version/packages-microsoft-prod.deb -O packages-microsoft-prod.deb

# Install Microsoft signing key and repository
sudo dpkg -i packages-microsoft-prod.deb

# Clean up
rm packages-microsoft-prod.deb

# Update packages
sudo apt update
sudo apt-get update && \
  sudo apt-get install -y dotnet-sdk-8.0

References
https://learn.microsoft.com/en-us/dotnet/core/install/linux-ubuntu-2204
https://learn.microsoft.com/en-us/dotnet/core/install/linux-ubuntu
https://learn.microsoft.com/en-us/dotnet/core/install/linux-package-mixup?pivots=os-linux-redhat

Install NVIDIA Driver and sign the Kernel module on Fedora 39

sudo dnf install kmodtool akmods mokutil openssl

sudo kmodgenca -a
sudo mokutil --import /etc/pki/akmods/certs/public_key.der

You will be asked to enter a password. It doesn’t have to be very strong; just make sure to remember it. You’ll only need it once during these steps.

sudo reboot

After the reboot you will see the MOK Manager interface and will be asked to enroll the key.
First select “Enroll MOK”.
Then “Continue”.
Hit “Yes” and enter the password.
Then select “OK” and your device will reboot again.

sudo dnf install kernel-devel-$(uname -r)
sudo dnf install gcc kernel-headers kernel-devel akmod-nvidia xorg-x11-drv-nvidia xorg-x11-drv-nvidia-libs xorg-x11-drv-nvidia-libs.i686
sudo akmods --force
sudo dracut --force
sudo reboot
lsmod | grep -i nvidia

References
https://blog.monosoul.dev/2022/05/17/automatically-sign-nvidia-kernel-module-in-fedora-36/
https://rpmfusion.org/Howto/NVIDIA#Current_GeForce.2FQuadro.2FTesla

Setting Up Apache2 with Advanced Features on Ubuntu

In the modern world of web development, Apache2 stands as one of the most robust, reliable, and widely used web servers. This blog post aims to guide you through the installation and configuration of Apache2 on an Ubuntu system, enabling a range of advanced features to maximize its capabilities.

Prerequisites

  • Ubuntu Server (18.04/20.04/22.04 LTS recommended)
  • Terminal access (SSH or direct)
  • Sudo privileges

Step 1: Installing Apache2

Open your terminal and run the following command to install Apache2:

sudo apt-get -y install apache2

The -y flag automatically confirms the installation, saving you from having to do so manually.

Step 2: Enabling Modules

Apache2 is highly modular, allowing you to enable or disable various features according to your needs. To enable a range of advanced modules, execute the following commands:

sudo a2enmod proxy
sudo a2enmod ssl
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo a2enmod rewrite
sudo a2enmod deflate
sudo a2enmod headers
sudo a2enmod proxy_balancer
sudo a2enmod proxy_connect
sudo a2enmod proxy_html
sudo a2enmod remoteip
sudo a2enmod proxy_fcgi
sudo a2enmod proxy_wstunnel
sudo a2enmod expires

Important: Remember to restart the Apache server after enabling new modules for the changes to take effect.

Step 3: Editing Configuration File

To apply custom configurations to Apache2, you’ll need to edit its main configuration file. Use the nano editor to open it:

sudo nano /etc/apache2/apache2.conf

Here you can add or modify directives according to your specific needs. After making the desired changes, save and exit the file.

Step 4: Managing the Apache2 Service

After making all the changes, it’s important to restart the Apache2 service for the new configurations to take effect:

sudo systemctl restart apache2

Additionally, you can stop or start Apache2 using the following commands:

  • To stop the service:
    sudo systemctl stop apache2
  • To start the service:
    sudo systemctl start apache2

Conclusion

You’ve successfully installed Apache2 and enabled a host of advanced features, setting a solid foundation for whatever web-based projects you plan to host. This flexible, modular setup ensures you have all the tools you need to build a robust, high-performance web server.

Install the .NET SDK on Fedora

In the ever-evolving world of web development, security is paramount. Here we provide a step-by-step guide to not only installing the .NET Software Development Kit (SDK) on Fedora, but also generating an SSL Certificate for your .NET apps, thus ensuring secure connections between client and server.

Part 1: Installing the .NET SDK on Fedora

Our first step is to install the .NET SDK. The .NET SDK is a set of libraries and tools that allow developers to create .NET apps and libraries. It is the foundation for building applications and libraries with .NET Core.

Here’s how you can install the .NET SDK on your Fedora system:

  1. Open a terminal window.
  2. Input the following command:
    sudo dnf install dotnet-sdk-7.0
  3. Press Enter. You might be asked for your password; if so, provide it and press Enter again.
  4. Let the installation process finish.

After the completion of the above steps, the .NET SDK should be installed successfully on your Fedora system.

Part 2: Creating an SSL Certificate for Your .NET Apps

Creating an SSL certificate for your .NET applications can enhance the security of your applications. Here’s how you can generate an SSL certificate:

  1. First, we need to install Easy-RSA, a CLI utility to build and manage a PKI CA. Run this command:
    sudo dnf install easy-rsa
  2. Now, navigate to the home directory and create a new directory .easyrsa with permissions set to 700:
    cd ~
    mkdir .easyrsa
    chmod 700 .easyrsa
  3. Copy the Easy-RSA scripts to our newly created directory:
    cd .easyrsa
    cp -r /usr/share/easy-rsa/3/* ./
  4. Initialize the Public Key Infrastructure:
    ./easyrsa init-pki
  5. We need to set some variables for our certificate. Create a new file called vars and add the following details in it (You can modify these details according to your requirement):
    cat << EOF > vars
    set_var EASYRSA_REQ_COUNTRY "US"
    set_var EASYRSA_REQ_PROVINCE "Texas"
    set_var EASYRSA_REQ_CITY "Houston"
    set_var EASYRSA_REQ_ORG "Development"
    set_var EASYRSA_REQ_EMAIL "[email protected]"
    set_var EASYRSA_REQ_OU "LocalDevelopment"
    set_var EASYRSA_ALGO "ec"
    set_var EASYRSA_DIGEST "sha512"
    EOF
  6. Now build the CA with nopass option to not secure the CA key with a passphrase:
    ./easyrsa build-ca nopass
    
  7. Copy the generated certificate to the trusted CA directory and update the CA trust on your system:
    sudo cp ./pki/ca.crt /etc/pki/ca-trust/source/anchors/easyrsaca.crt
    sudo update-ca-trust
  8. Generate a new key and a certificate signing request for localhost:
    mkdir req
    cd req
    openssl genrsa -out localhost.key
    openssl req -new -key localhost.key -out localhost.req -subj /C=US/ST=Texas/L=Houston/O=Development/OU=LocalDevelopment/CN=localhost
    cd ..
  9. Import the certificate signing request and sign it:
    ./easyrsa import-req ./req/localhost.req localhost
    ./easyrsa sign-req server localhost
  10. Now, move the server certificate and key to a new directory .certs and convert the certificate to PKCS#12 format:
    cd ~
    mkdir .certs
    cp .easyrsa/pki/issued/localhost.crt .certs/localhost.crt
    cp .easyrsa/req/localhost.key .certs/localhost.key
    cd .certs
    openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
  11. Lastly, add the path and the password for the certificate in the .bashrc file so the .NET Core Kestrel server can find it (replace YOUR_USERNAME with your actual username and PASSWORD with the password you want to use for your certificate):
    cat << EOF >> ~/.bashrc
    # .NET
    export ASPNETCORE_Kestrel__Certificates__Default__Password="PASSWORD"
    export ASPNETCORE_Kestrel__Certificates__Default__Path="/home/YOUR_USERNAME/.certs/localhost.pfx"
    EOF
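
A way to verify the files produced by steps 6 to 10 before pointing Kestrel at them, as an added example that is not part of the original page: it checks that the certificate chains to the CA, that the private key belongs to the certificate, and that the certificate matches the hostname. The function names are made up for this example, and the demo builds a throwaway CA and certificate with plain openssl rather than Easy-RSA.

```shell
#!/bin/sh
# Added example: sanity-check a server certificate, its key and its CA.
# With the files from the steps above:
#   check_server_cert ~/.easyrsa/pki/ca.crt ~/.certs/localhost.crt ~/.certs/localhost.key localhost

# check_server_cert CA_CRT LEAF_CRT LEAF_KEY HOSTNAME
# Prints one PASS/FAIL line per check; returns 1 if any check fails.
check_server_cert() {
    rc=0
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "PASS chain: $2 is signed by $1"
    else
        echo "FAIL chain: $2 does not verify against $1"; rc=1
    fi
    # Compare the public key inside the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "PASS key: private key matches certificate"
    else
        echo "FAIL key: private key does not match certificate"; rc=1
    fi
    # -checkhost reports its result in text, so match on the message.
    if openssl x509 -in "$2" -noout -checkhost "$4" | grep -q "does match"; then
        echo "PASS host: certificate is valid for $4"
    else
        echo "FAIL host: certificate is not valid for $4"; rc=1
    fi
    return "$rc"
}

# Constructed demo input: a throwaway CA and localhost certificate in a temp dir.
make_demo_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$d/localhost.key" -out "$d/localhost.req" 2>/dev/null
    printf 'subjectAltName=DNS:localhost\n' > "$d/ext.cnf"
    openssl x509 -req -in "$d/localhost.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/localhost.crt" 2>/dev/null
    echo "$d"
}
dir=$(make_demo_pki)
check_server_cert "$dir/ca.crt" "$dir/localhost.crt" "$dir/localhost.key" localhost
rm -rf "$dir"
```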

And that’s it! You’ve now installed the .NET SDK and generated an SSL certificate for your .NET apps. Your applications are not only more secure but also more professional, creating trust with users who value their data privacy and security.