Lazy admin notes ;)

Hi there! After long time without any post i’ve come back to you with new experience and few new posts. So today we gonna do install Prosody jabber server to our Linux VPS.

Few month ago a’ve installed Prosody in my server and i was surprised: the setup was really quickly, i edited all configs during 5-10 minutes since i started to do it and afterwards it is really fast and not eating all memory like ejabberd likes do. No more words, let’s begin, guys!

Like everytime, i’ve used CentOS. Let’s install it:

# yum install prosody

We should say “yes” to all packages, that will ask you to install. It is depends packages that necessary for normal Prosody work. Install from repo will fast, so i think we can go to config edit step. I’ve skiped all coments inside config for your comfort and put my own. I described only important things. If you want lern more about Prosody config – just read config’s content. My guide – is for fast install.

admins = { "system@yourdomain.com"  }

modules_enabled = {

-- Generally required

"roster"; -- Allow users to have a roster. Recommended ;)

"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.

"tls"; -- Add support for secure TLS on c2s/s2s connections

"dialback"; -- s2s dialback support

"disco"; -- Service discovery

-- Not essential, but recommended

"private"; -- Private XML storage (for room bookmarks, etc.)

"vcard"; -- Allow users to set vCards

-- These are commented by default as they have a performance impact

--"privacy"; -- Support privacy lists

--"compression"; -- Stream compression (Note: Requires installed lua-zlib RPM package)

-- Nice to have

"version"; -- Replies to server version requests

"uptime"; -- Report how long server has been running

"time"; -- Let others know the time here on this server

"ping"; -- Replies to XMPP pings with pongs

"pep"; -- Enables users to publish their mood, activity, playing music and more

"register"; -- Allow users to register on this server using a client and change passwords

-- Admin interfaces

"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands

--"admin_telnet"; -- Opens telnet console interface on localhost port 5582

-- HTTP modules

--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"

--"http_files"; -- Serve static files from a directory over HTTP

-- Other specific functionality

"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.

"groups"; -- Shared roster support

--"announce"; -- Send announcement to all online users

--"welcome"; -- Welcome users who register accounts

--"watchregistrations"; -- Alert admins of registrations

--"motd"; -- Send a message to users when they log in

--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.

};

modules_disabled = {

-- "offline"; -- Store offline messages

-- "c2s"; -- Handle client connections

-- "s2s"; -- Handle server-to-server connections

};

allow_registration = true;

min_seconds_between_registrations = 300;

ssl = {

key = "/etc/prosody/sert/yourdomain.com.key";

certificate = "/etc/prosody/sert/fullchain.cer";

}

c2s_require_encryption = false

s2s_secure_auth = false

authentication = "internal_plain"

storage = "sql" -- Default is "internal" (Note: "sql" requires installed

sql = { driver = "MySQL", database = "databasename", username = "databaseuser", password = "databasepwd", host = "localhost" }

log = {

info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging

error = "/var/log/prosody/prosody.err"; -- Log errors also to file

}

pidfile = "/var/run/prosody/prosody.pid";

Include "conf.d/*.cfg.lua"

It is not finish. You also should create virtualhost for your domain in Prosody. You can edit an exist example.com.cfg.lua or create own one. I just edited an exist example.com.cfg.lua:

VirtualHost "example.com"
ssl = {
        key = "/etc/prosody/sert/example.com.key";
        certificate = "/etc/prosody/sert/fullchain.cer";
}
Component "conference.example.com" "muc"

So as you can see, i implemented 2 things in there. The first is i used mysql database, the second – i wrought path for SSL sertificate. I think that is big deal, because Jabber servers sometimes cant to connect to each other if one of them without SSL-sertificate. So i just used Let’s encrypt. How you can generate it too read in my previously topic. Lets make MySQL data base for our server:

# mysql - root -p
mysql> create database jabber;
mysql> grant usage on *.* to jabber@localhost identified by 'jabberpassword';
mysql> grant all privileges on jabber.* to jabber@localhost ;

So, we just created user and database for MySQL. After that you need to put this data to the Prosody config. You did it, right? Ok, go to the next step. Put Prosody service to autostart:

# systemctl enable prosody

We forgot something. Yes, we definatley forgot something, i see it, but i don’t know what. Oh, i see! Ofcource we forgot to put rules into firewall:

# nano /etc/sysconfig/iptables

Put this rules to file:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5269 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5223 -j ACCEPT

Yes, that’s so much better! Let’s start this beauty:

# systemctl start prosody

That’s it. You can connect to your new Jabber server and register from client.

Let’s encrypt – is a free service from google, who allows issue SSL certificates for web projects. Letsencrypt has its own API, through which easily automate the process of re-issue of certificates at the end of their period of validity. Each certificate issued Letsencrypt valid for three months. After that you need issue it again. However, this may occur automatically. Letsencrypt has many implementations to access its API. There is clients written on perl, python, C, bash and also browser clients. I decided use the most simple solution – shell-script called acme.sh. He is able to do all the required things, and does not require installation of additional software system, which is often quite difficult for older systems like FreeBSD.

As described above, we will use acme.sh script. It is compatible with FreeBSD and all popular distributions of Linux. No need to install additional software, libraries and interpreters.

Download and install

Using curl

curl https://get.acme.sh | sh

Or

wget -O - https://get.acme.sh | sh

Or using git

git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install

–install command adding to actual user cron task, which will run few times per week for update sertificates and itself. lets’encrypt ssl sertificates valid 3 months, so cron task is a really important one thing here. I’d recoment do it from user, which can use web-server. For example www-data, or www. or nginx. It depends from your server settings. Anyway it must have write acces to your website directory.

Request sertificate

Below – few fays to get sertificates for domain, and ways to authorise your domain in acme servers.

web-request method

First method – most useful and simple, it allows to get a valid one sertificate for your website immideatley. In two words it is script which sends request to get sertificate for domain, and in the same moment generates csr-request. The server acme answers and give to our script some code, that must be seen from our server and domain. Finally acme server  will connect to your domain, find there html-file with code that was sended to script and make auth succeful. After that, you will receive ssl-serteficate.
So, let’s begin practice. If you use nginx, you have to add one location to your web-site config:

location /.well-known/acme-challenge {
default_type "text/html";
}

Explaination. While authorisation, script for a few seconds puts file with path  /your-site.com/www/.well-known/acme-challenge , and after that acme check it – if file available from web-server then acme will give serteficate to you. So now, if all terms was completed, we can do serteficate request:

acme.sh --issue -d erdees.ru -w /usr/local/www/erdees.ru/

As you can see from command above, we ask script request with –issue key, for domain with -d key, -w declare our project folder. And because of that really important to make sure, that user, from which you ran script can write to website folder. After success authorisation, this file will be deleted by script automaticly. So. i’d like to say that it apears in website folder just for a few seconds.

After command run, in script folder, you will see sertificates: fullchain.cer – serteficate, а erdees.ru.key – key for that. Our serteficate have all needed intermediate and root serteficates, and works without password. So no necessary to do somethinf more – just add it to ypur web server an enjoy your ssl.

DNS authorisation method

This can be useful in few cases. First one – when serteficate needed be added to domain in internal network. For example, i can make DNS-A record to any domain, but with ip 192.168.15.25 . So in that case this method will be very useful. In this case first method will not work because internal ip cannot be listen by acme servers. If you want use this method, you should add some A-record in DNS for your domain with authorisation key. Authorization key you can receive from acme.sh script. Make request:

acme.sh --issue --dns -d erdees.ru --dnssleep 2400

After that command, script print next information (i’ve changed it special for this article):

You should get the output like below:

Add the following txt record:
Domain:_acme-challenge.ssltest.db0.ru
Txt value:9ihDbjYfTExAYeDBHTrecgvrve5o18KBzwvTEjUnSwd32-c

Please add those txt records to the domains. Waiting for the dns to take effect.

So it means that you should add  RR TXT-record to domain erdees.ru with name  _acme-challenge.erdees.ru and value 9ihDbjYfTExAYeDBHTrecgvrve5o18KBzwvTEjUnSwd32-c (each request has own value, it’s just example). After that, i’ll recommend you wait about 15-20 minutes, and run next command:

acme.sh --renew -d erdees.ru

acme will check dns record of your dns, and if we did al things correctly, script will give you serteficate. Next steps will same as in first recipe.

Standalone method

I’d not recommend this method to use, because you should turn off your website while script works. In many cases it is very uncomfortable and you may lost your site users. Soo if you wan use it anyway, first turn off your web-server which listen 80 and 433 port in internet.  It will not work without . Next, enter command

acme.sh --issue --standalone -d ssltest.db0.ru

You will receive serteficate, so time to turn on web server back.

Another script functions

Script has many useful and good options. You can show all of them – just type  –help. Frome good options script supports update, and also has parameter –sertpath, which allows copy sertificates to nginx folder, for example. While you make request typing command in acme.sh script, you can use -d key and create request to many domains in one time. In 5-10 domains, if you necessary. Script creates to actual user cron task, which will run few times per week for renew sertificates and update itself.

systemd – is initialization system for other demons to Linux, which came to replace the previously used /sbin/init. Its special feature is the intensive parallelization while start services at boot time, which can significantly speed up the launch of the operating system.
The name comes from the Unix suffix «d» to the demon (c) Wikipedia. In this article, we will speak only about CentOS, but of course, this will also be true for other systems.

A problem often encountered in systemd, when even with seemingly correct configuration, the service does not start. Looking through the logs, you can understand that mistakes are usually standard – for the example of httpd he can not listen to the port, or resolve ldap user. After many experiments, we found the optimal configuration scripts that run in servers correctly.
All startup scripts are in the directory /lib/systemd/system

Apache

The file is called httpd.service. The problem is that he did not work until until network subsystem will not loaded and resolving ldap users. For Apache start network-online.target, nss-lookup.target and nss-user-lookup.target must be loaded before Apache. It is easy to understand, if you take a look on config file below:

[Unit]
Description = The Apache HTTP Server
After = network-online.target remote-fs.target nss-lookup.target nss-user-lookup.target
Documentation = man: httpd (8)
Documentation = man: apachectl (8)

[Service]
Type = notify
EnvironmentFile = /etc/sysconfig/httpd
ExecStart = /usr/sbin/httpd $ OPTIONS -DFOREGROUND
ExecReload = /usr/sbin/ httpd $ OPTIONS -k graceful
ExecStop = /bin/kill -WINCH $ {MAINPID}
KillSignal = SIGCONT
PrivateTmp = true

[Install]
WantedBy = multi-user.target

Configuring Apache additional instances in systemd

In order to configure Apache to work on multiple ports at once (additional instances or “profiles”), you need to do a little creative action.

Create Apache configs

Additional Apache will listen to another port, so we need an another config file, which will be described. For example, here is this one.

Listen 192.168.150.214:8001
Include conf/Includes/ *. Conf
Include conf/hosting/ *. Conf
Include conf/vhosts/ *. Conf

CustomLog "/var/log/apache/access1.log" combined env =! Dontlog
ErrorLog "/var/log/apache/error1.log"

User apache
Group apache

PidFile /var/run/httpd/httpd1.pid

You must specify a folder with our configs, by analogy with the standard the httpd.conf, be sure to rename the name of the log, enter the user/group of the web server and the pid-file. In fact nothing more is needed for configuration. Let’s call httpd1.conf file for port 8001, httpd2.conf for port 8002 and then more, by analogy, if you need more.

Edit files with parameters

To get started, copy a file from the folder / etc / sysconfig

# Cp httpd httpd1

If you need to do more profiles, copy as needed.
Next, edit the copied a file. Do not touch the default file. All that should be in it, it’s two lines:

OPTIONS = -f conf / httpd1.conf
LANG = C

More, in fact, do not need anything. As you guessed, conf / httpd1.conf is a workpiece Apache config, which we did in the preceding paragraph.

Make and run the service

So, go to the folder with start scripts systemd

# Cd /lib/systemd/system

Copy the current service and a file called names by analogy with configs and files from the sysconfig

# Cp httpd.service httpd1.service.

Edit the config file which we COPIED before, leaving intact a default one

# EnvironmentFile = /etc/sysconfig/httpd

Replace the created us

# EnvironmentFile = /etc/sysconfig/httpd1

Save, switch service on

# Systemctl enable httpd1

Run it

# Systemctl start httpd1.service

Or so – also fulfills

# Systemctl start httpd1

So, you have additional instance Apache.

nginx

nginx.service adjusted by analogy – the main thing that against official documentation in “After” was present network-online.target. Also, it is important (applies also, and apache) remote-fs.target option – any occurred after loading it as a Web server files can take, for example, GlusterFS.

[Unit]
Description = The NGINX HTTP and reverse proxy server
After = syslog.target network-online.target remote-fs.target nss-lookup.target

[Service]
Type = forking
PIDFile = /run/nginx.pid
ExecStartPre = /usr/sbin/nginx -t
ExecStart = /usr/sbin/nginx
ExecReload = /bin/kill -s HUP $ MAINPID
ExecStop = /bin/kill -s QUIT $ MAINPID
PrivateTmp = true

[Install]
WantedBy = multi-user.target

Zabbix

Similarly configs web server, you need to change in the default script

After = network.target
On
After = network-online.target

Commands

For easy management, systemd has a large number of commands. Know all of them is not necessarily, but here is a list of basic and necessary good to know.

List

In the case if you edited boot scripts and other components systemd, you can restart it by command:

systemctl daemon-reload

Generate a report on the boot systemd and put it in a file (by the way, it is very useful for understanding the operation of systemd)

systemd-analyze plot> /home/vtorov/boot.svg

Take a look what services are loaded in systemd, or enabled while system start

systemctl list-units --type service

As above, but more and shows the “Target”

systemctl list-units

Switching on and off, reload/restart the service, or other actions (see them below)

systemctl <action> <object>

That is, for example,

systemctl restart httpd

Where restart is an action, but httpd is an object. The list of actions below.

Actions

reload
restart
enable
disable
stop
start
status

By the way, old chkconfig, redirecting their actions into systemd, but because it will soon be expelled from the CentOS, then to use it is not necessary to devote more time and systemd.

Итак, как же увеличить радиус действия Вашей сети? Конечно же, при помощи dd-wrt и WDS 🙂

Ингредиенты: 2 роутера с dd-wrt, прямые руки, хорошее настроение и конечно же эта инструкция.

У настройки Wi-Fi ретрансляторов существует по крайней мере три-четыре схемы, две из которых мы разберем. Первая – access point (AP) to access point, вторая –  в режиме ретранслятора.

В первом способе появляется несколько сетей, соответственно, при необходимости, клиентам при отдалении от первой точки доступа можно переключиться на вторую. Во втором же случае основным является AP, остальные же играют роль повторителей (Repeater mode). То есть сеть одна, но за счет репитеров она значительно расширяется и клиенты незаметно переключаются между ними.

Read more…

Итак, сегодня я покажу Вм, как же подключиться к VPN в Debian. Данная инструкция актуальна для большинства московских провайдеров: Beeline (Corbina) и прочие. Итак, поехали.
С самого начала скорее всего вы столкнулись с проблемой: VPN подключения в network-manager просто недоступны.

Лечится это установкой некоторых пакетов.

Для начала устанавливаем пакеты:

 aptitude install pptp-linux network-manager-pptp-gnome network-manager-pptp

После мы видим, что кнопка “Добавить” стала доступной.

Жмем “Добавить” и настраиваем соединении в соответствии с рекомендациями провайдера/сети к которой подключаетесь.