Friday 11 November 2016

How to Install and Setup Samba4 DC in a FreeNAS 9.10 Jail

In the name of God, the Most Gracious, the Most Merciful.



Abstract 


  • A tutorial to install Samba 4.3 as an Active Directory Domain Controller in a FreeNAS 9.10 Jail.
  • Configure and enable SSL for Samba's LDAP backend.


Assumptions and Prerequisites


  • Domain: example.com
  • Hostname: dc.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: dc
  • Private IP: 10.0.0.58
  • Subnet Mask: 255.255.255.0/24
  • Main Router IP: 10.0.0.1
  • DNS Forwarder IP: 10.0.0.1 (main router)
  • Service: Samba 4.3.11
  • DNS: Internal Samba DNS 
  • NTP Host IP: 10.0.0.1 (main router)
  • CA Certificate File: /usr/local/etc/ssl/certs/ca.pem
  • SSL Certificate File: /usr/local/etc/ssl/certs/dc.example.com.crt
  • SSL Key File: /usr/local/etc/ssl/private/dc.example.com.key


Instructions


Pre-installation setup

- Edit file /etc/rc.conf and change hostname to dc.example.com.
# vi /etc/rc.conf
  (7)    hostname="dc.example.com"

- Edit /etc/hosts and add the entry 10.0.0.58 -> dc.example.com dc
# vi /etc/hosts
  (14)   127.0.0.1               localhost localhost.localdomain dc
  (15)   10.0.0.58       dc.example.com dc

Installation 

- Install samba43. Do not install samba44 or any newer Samba release, because newer versions no longer ship the NTVFS file server, i.e. the --use-ntvfs option needed on ZFS is gone.
# pkg install samba43

- Provision Samba as an Active Directory Domain Controller
# samba-tool domain provision --use-ntvfs --use-rfc2307 --interactive
Realm [EXAMPLE.COM]: (press Enter)
Domain [EXAMPLE]: (press Enter)
Server Role (dc, member, standalone) [dc]: (press Enter)
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (press Enter)
DNS forwarder IP address (write 'none' to disable forwarding) [10.0.0.1]: (press Enter)
Administrator password: (enter password)
Retype password: (re-enter password)

Query Result:    
Looking up IPv4 addresses 
Looking up IPv6 addresses  
No IPv6 address will be assigned 
Setting up share.ldb 
Setting up secrets.ldb  
Setting up the registry 
Setting up the privileges database 
Setting up idmap db  
Setting up SAM db      
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema 
Adding DomainDN: DC=example,DC=com 
Adding configuration container  
Setting up sam.ldb schema  
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers 
Adding users container 
Modifying users container 
Adding computers container
Modifying computers container 
Setting up sam.ldb data  
Setting up well known security principals 
Setting up sam.ldb users and groups 
Setting up self join 
Adding DNS accounts 
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions 
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized 
Fixing provision GUIDs 
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use  
Server Role:           active directory domain controller   
Hostname:              dc
NetBIOS Domain:        EXAMPLE
DNS Domain:            example.com
DOMAIN SID:            S-1-5-21-458877043-2880298934-1173284452

- Edit /etc/resolv.conf so that the host's resolver points at Samba's internal DNS.
# vi /etc/resolv.conf
  (1)   search example.com
  (2)   domain example.com
  (3)   nameserver 127.0.0.1

- Create symbolic links to the Kerberos config and keytab files in the /usr/local/etc directory.
# ln -s /var/db/samba4/private/krb5.conf /usr/local/etc/krb5.conf
# ln -s /var/db/samba4/private/dns.keytab /usr/local/etc/krb5.keytab

- Enable the Samba server so that it also starts at boot
# sysrc samba_server_enable="YES"

- Start samba server
# service samba_server start

Test Samba Server

- Verify LDAP Service DNS Record
# host -t SRV _ldap._tcp.example.com
Query Result: _ldap._tcp.example.com has SRV record 0 100 389 dc.example.com.

- Verify Kerberos Service DNS Record
# host -t SRV _kerberos._udp.example.com
Query Result: _kerberos._udp.example.com has SRV record 0 100 88 dc.example.com.

- Verify Domain Controller DNS Record
# host -t A dc.example.com
Query Result: dc.example.com has address 10.0.0.58

- Test Kerberos Authentication
# kinit administrator@EXAMPLE.COM
# klist
Query Result:
Credentials cache: FILE:/tmp/krb5cc_0 
        Principal: administrator@EXAMPLE.COM  
                      
  Issued                Expires               Principal 
Nov  6 21:16:46 2016  Nov  7 07:16:46 2016  krbtgt/EXAMPLE.COM@EXAMPLE.COM 

- Test Samba File Server
# smbclient -L localhost -U%
Query Result:
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.3.11]   
                      
        Sharename       Type      Comment 
        ---------       ----      -------  
        netlogon        Disk                
        sysvol          Disk               
        IPC$            IPC       IPC Service 
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.3.11]                                                                                     
        Server               Comment  
        ---------            -------   
                      
        Workgroup            Master  
        ---------            -------

- Test Samba User Logon
# smbclient //localhost/netlogon -Uadministrator
Query Result:
Enter administrator's password:   
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.3.11] 
smb: \>    

- List Domain Users
# wbinfo -u | sort

- List Domain Groups
# wbinfo -g | sort  

Enable SSL for LDAP Backend

- Generate Self-Signed Certificate Authority, Server Certificate and Key.

- Edit file /usr/local/etc/smb4.conf to configure SSL certs
# vi /usr/local/etc/smb4.conf
  (13)   tls enabled  = yes
  (14)   tls cafile   = /usr/local/etc/ssl/certs/ca.pem
  (15)   tls certfile = /usr/local/etc/ssl/certs/dc.example.com.crt
  (16)   tls keyfile  = /usr/local/etc/ssl/private/dc.example.com.key

- Restart samba server
# service samba_server restart

Samba Administration

- Download and install Remote Server Administration Tools (RSAT) on a Windows workstation to administer the domain.

Sunday 30 October 2016

How to install and configure Certbot in a FreeNAS Jail

In the name of God, the Most Gracious, the Most Merciful.



Abstract



  • A tutorial to install and configure certbot within a FreeNAS Jail.
  • Certbot is the Electronic Frontier Foundation's client for obtaining free, automatically issued SSL certificates (from Let's Encrypt) that are trusted by popular web browsers.


Assumptions and Prerequisites


  • Domain: example.com
  • Hostname: www.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0/24
  • Certbot Version: 0.9.3
  • Apache has already been installed.
  • Apache Version: 2.4.23
  • Apache Webroot directory: /usr/local/www/apache24/data
  • SSL Certificate File: /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem
  • SSL Key File: /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem 
  • Apache is bound to port 80 and 443.
  • Port 80 and 443 forwarding is enabled on the router to allow access to Apache webserver from the Internet.
  • Email: info@example.com (required to recover lost account details from certbot).



Instructions


- Install certbot
# pkg install py27-certbot

- Configure domain
# certbot certonly
Follow the installer prompts and supply:
    domain: www.example.com
    webroot: /usr/local/www/apache24/data
    email: info@example.com

- Test certs renewal
# certbot renew --dry-run 

- Renew certs (renewal runs over port 80 and each new cert is valid for 90 days; a cert is only renewed once it is within 30 days of expiry).
# certbot renew --quiet

- Force cert renewal with the current issue date
# certbot renew --quiet --force-renewal

- Renew cert with a larger 4096-bit RSA key
# certbot renew --quiet --rsa-key-size 4096 

- Force cert renewal over HTTPS port 443 with a larger 4096-bit RSA key
# certbot renew --quiet --rsa-key-size 4096 --force-renewal --tls-sni-01-port 443

- Change SSL Cert file paths in Apache to point to the new location of certbot's certificates
# vi /usr/local/etc/apache24/extra/httpd-ssl.conf
   (144)  SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem"
   (154)  SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.example.com/privkey.pem"
   (175)  #SSLCACertificateFile "/usr/local/etc/ssl/certs/ca.pem"

- Reload Apache config after certs renewal
# apachectl -k graceful

- Setup a cron job in FreeNAS to auto renew certs and reload the new apache settings with the following command.
# jexec www certbot renew --quiet --rsa-key-size 4096 && jexec www apachectl -k graceful

- Test the new SSL certs at the SSL Labs website. This should give you an A+ on the SSL report.



Friday 28 October 2016

How to install a secure Wordpress CMS in a FreeNAS Jail

In the name of God, the Most Gracious, the Most Merciful.




Abstract 


A tutorial to install a secure Wordpress CMS on a FreeNAS 9.10.1 Jail.


Assumptions and Prerequisites



  • Domain: example.com
  • Hostname: www.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0/24
  • Database Server Name: db.example.com
  • Database Type and Version: MariaDB v10.1.18
  • Database Server IP: 10.0.0.57
  • Database Username: n7if835 (randomly generated)
  • Database Password: TunTeR3MPzqHy1KD (should be randomly generated)
  • Database Name: n7if835 (randomly generated)
  • Database Table Prefix: 24686nj9po7_ (should be randomly generated)
  • Database Server has SSL configured and enabled.
  • Apache has already been installed.
  • php56 and the necessary extensions are already installed.
  • Apache Webroot directory: /usr/local/www/apache24/data/
  • Apache 'AllowOverride' set to 'All'
  • Wordpress Version: 4.6.1


Instructions


Environment Setup

- Create a database 'n7if835' with username 'n7if835' with all privileges (Data, Structure, and Administration) and password 'TunTeR3MPzqHy1KD'

- Enable mod_rewrite module in apache by editing the file /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (177)   LoadModule rewrite_module libexec/apache24/mod_rewrite.so

- Install package wget to download wordpress archive
# pkg install wget

Install and Configure Wordpress

- Download wordpress from http://wordpress.org/latest.tar.gz
# cd /tmp
# wget http://wordpress.org/latest.tar.gz

- Extract the archive /tmp/latest.tar.gz
# tar xvf latest.tar.gz

- Copy /tmp/wordpress/ contents to webroot directory /usr/local/www/apache24/data/
# cp -Rfv /tmp/wordpress/* /usr/local/www/apache24/data/

- Go to https://www.example.com/ in a web browser and follow the installation instructions.

- Enter the following Database details:
        Database Name: n7if835
        Username: n7if835
        Password: TunTeR3MPzqHy1KD
        Database Host: db.example.com
        Table Prefix: 24686nj9po7_

- Copy the code generated by the WordPress installer into the file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php

- Click on the 'Run the Install' button and that will create the necessary database tables.

- Enter the following Site details:
        Site Title: www.example.com
        Username: webmin2001 (for security reasons don't use anything like 'admin')
        Password: (Enter strong password)
        Your Email: (your email address for this wordpress admin account)

- Enable Direct File System access by wordpress
# chmod -Rv 775 /usr/local/www/apache24/data/wp-content
- Edit file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (40)    /** If you don't want to use FTP to add/delete/update plugins/themes then define this option. **/
   (41)    define('FS_METHOD','direct');

- Test by deleting and adding a plugin or theme.

Securing Wordpress

- Enable DB SSL Connection by Wordpress
Edit File /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (43)    /** Force Wordpress to use SSL connection to Database **/
   (44)    define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL);

- Go to https://www.example.com/phpmyadmin in a web browser and change the following for user n7if835:
           SSL setting from 'REQUIRE NONE' to 'REQUIRE SSL'.
           Remove the Administration privileges of user n7if835.

- Disable in-browser editing of plugin and theme files.
Edit file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (46)    /** Disable File Editing **/
   (47)    define('DISALLOW_FILE_EDIT', true);

- Force SSL Logins and SSL Admin Access
# vi /usr/local/www/apache24/data/wp-config.php
   (49)    /** Force SSL Logins **/
   (50)    define('FORCE_SSL_LOGIN', true);
   (51)
   (52)    /** Force SSL Admin Access **/
   (53)    define('FORCE_SSL_ADMIN', true);

- Delete files 'license.txt' and 'readme.html' in the wordpress root directory and also 'install.php' in wp-admin directory because they are possible site security holes.
# rm -v /usr/local/www/apache24/data/license.txt 
# rm -v /usr/local/www/apache24/data/readme.html
# rm -v /usr/local/www/apache24/data/wp-admin/install.php

- Make the file /usr/local/www/apache24/data/wp-config.php only readable by user and group
# chmod 440 /usr/local/www/apache24/data/wp-config.php

- Move the file /usr/local/www/apache24/data/wp-config.php up one directory to prevent web users access.
# mv /usr/local/www/apache24/data/wp-config.php /usr/local/www/apache24/wp-config.php

- Disable php functions that are not needed (good practice if website is on a shared host).
# vi /usr/local/etc/php.ini
    (303)  disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

- Turn off expose_php in php.ini
# vi /usr/local/etc/php.ini
    (363)  expose_php = Off

- Disable opening URLs as files
# vi /usr/local/etc/php.ini
    (831)  allow_url_fopen = Off

- Create a .htaccess file in the WordPress root directory with the following contents to prevent web directory browsing, user enumeration, includes directory access, hotlinking of images, and web users from reading the wp-config file.
# vi /usr/local/www/apache24/data/.htaccess
    (1)    Options -Indexes +FollowSymLinks
    (2)  
    (3)    <IfModule mod_rewrite.c>
    (4)    RewriteEngine On
    (5)    RewriteBase /
    (6)
    (7)    # Enable Permalinks to work
    (8)    RewriteRule ^index\.php$ - [L]
    (9)    RewriteCond %{REQUEST_FILENAME} !-f
    (10)   RewriteCond %{REQUEST_FILENAME} !-d
    (11)   RewriteRule . /index.php [L]
    (12)
    (14)   # Prevent user enumeration
    (15)   RewriteCond %{QUERY_STRING} ^author=([0-9]*)
    (16)   RewriteRule .* https://www.example.com/? [L,R=302]
    (17)   RewriteRule ^wp-admin/includes/ - [F,L]
    (18)
    (19)   # Prevent includes directory access
    (20)   RewriteRule !^wp-includes/ - [S=3]
    (21)   RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    (22)   RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    (23)   RewriteRule ^wp-includes/theme-compat/ - [F,L]
    (24)
    (25)   # Disable hotlinking of images with forbidden or custom image option
    (26)   RewriteCond %{HTTP_REFERER} !^$
    (27)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com [NC]
    (28)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
    (29)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds2.feedburner.com/example [NC]
    (30)   RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
    (31)
    (32)   # Disable XMLRPC
    (33)   RewriteRule ^xmlrpc.php$ "http://0.0.0.0/" [R=301,L]
    (34)
    (35)   # Restrict access to plugins and themes php files from unauthorised users
    (36)   RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
    (37)   RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
    (38)   RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
    (39)   RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
    (40)   RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
    (41)   RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
    (42)
    (43)   # Prevent Script injections
    (44)   RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    (45)   RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
    (46)   RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
    (47)   RewriteRule ^(.*)$ index.php [F,L]
    (48)   </IfModule>
    (49)
    (50)   # Protect wp-config.php from user access
    (51)   <files wp-config.php>
    (52)   Require all denied
    (53)   </files>

- Prevent execution of php scripts in the uploads directory
# vi /usr/local/www/apache24/data/wp-content/uploads/.htaccess
    (1)    # Disable php file execution
    (2)    <files *.php>
    (3)    Require all denied
    (4)    </files>
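As an added example (not part of the original post), the following script replays the blocking rules of the two .htaccess files above against Apache "common" log lines, so you can see which requests those rules refuse and audit an existing access log for the same probes. The log lines are constructed for the example; the Referer-based hotlink rule is left out because the common log format records no Referer.

```shell
#!/bin/sh
# Added example: replay the blocking rules from the .htaccess files above
# against Apache "common" log lines and report which requests they refuse.
# The log lines below are constructed for this example, not real traffic.
set -eu

SAMPLE_LOG='10.0.0.5 - - [28/Oct/2016:10:00:01 +1100] "GET /index.php HTTP/1.1" 200 5120
10.0.0.9 - - [28/Oct/2016:10:00:02 +1100] "GET /?author=1 HTTP/1.1" 302 0
10.0.0.9 - - [28/Oct/2016:10:00:03 +1100] "POST /xmlrpc.php HTTP/1.1" 301 0
10.0.0.5 - - [28/Oct/2016:10:00:04 +1100] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 200 1045
10.0.0.9 - - [28/Oct/2016:10:00:05 +1100] "GET /wp-includes/rss-functions.php HTTP/1.1" 403 0
10.0.0.9 - - [28/Oct/2016:10:00:06 +1100] "GET /wp-content/plugins/foo/bar.php HTTP/1.1" 404 0
10.0.0.9 - - [28/Oct/2016:10:00:07 +1100] "GET /wp-content/uploads/2016/10/x.php HTTP/1.1" 403 0
10.0.0.9 - - [28/Oct/2016:10:00:08 +1100] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 403 0
10.0.0.9 - - [28/Oct/2016:10:00:09 +1100] "GET /?x=GLOBALS[foo]=1 HTTP/1.1" 403 0
10.0.0.5 - - [28/Oct/2016:10:00:10 +1100] "GET /wp-content/uploads/2016/10/photo.jpg HTTP/1.1" 200 84212'

# Print the name of the rule a request target trips, or nothing if allowed.
# $1 = request target as logged, e.g. "/wp-login.php" or "/?author=1".
# The .htaccess patterns match paths without the leading "/", so it is
# included here explicitly.
classify_request() {
    path=${1%%\?*}
    qs=${1#*\?}
    if [ "$qs" = "$1" ]; then qs=""; fi
    if printf '%s' "$qs" | grep -Eq '^author=[0-9]*'; then
        echo user-enumeration                 # RewriteCond ^author=([0-9]*)
    elif printf '%s' "$path" | grep -Eq '^/xmlrpc\.php$'; then
        echo xmlrpc                           # RewriteRule ^xmlrpc.php$
    elif printf '%s' "$path" | grep -Eq '^/wp-admin/includes/'; then
        echo wp-admin-includes                # RewriteRule ^wp-admin/includes/
    elif printf '%s' "$path" | grep -Eq '^/wp-includes/([^/]+\.php$|js/tinymce/langs/.+\.php|theme-compat/)'; then
        echo wp-includes                      # the three rules guarded by [S=3]
    elif printf '%s' "$path" | grep -Eq '^/wp-content/uploads/.*\.php$'; then
        echo uploads-php                      # <files *.php> in uploads/.htaccess
    elif printf '%s' "$path" | grep -Eq '^/wp-content/(plugins|themes)/.*\.php$'; then
        echo plugin-theme-php                 # the two R=404 rules
    elif printf '%s' "$qs" | grep -Eiq '(<|%3C).*script.*(>|%3E)'; then
        echo script-injection                 # first "Prevent Script injections" cond
    elif printf '%s' "$qs" | grep -Eq '(GLOBALS|_REQUEST)(=|\[|%[0-9A-Z]{0,2})'; then
        echo globals-injection                # GLOBALS / _REQUEST conds
    fi
}

# Read "common" log lines on stdin; print "<rule> <client> <target>" for each
# request the rules would refuse.
scan_log() {
    while IFS= read -r line; do
        client=${line%% *}
        target=$(printf '%s\n' "$line" | awk -F'"' '{ split($2, r, " "); print r[2] }')
        rule=$(classify_request "$target")
        if [ -n "$rule" ]; then
            printf '%s %s %s\n' "$rule" "$client" "$target"
        fi
    done
}

# Number of refused requests in the log read on stdin.
count_blocked() {
    scan_log | awk 'END { print NR }'
}

# Example run against the constructed log (replace with /var/log/httpd-access.log):
# printf '%s\n' "$SAMPLE_LOG" | scan_log
```

A client that trips several of these rules in a short window is a good candidate for a firewall block at the jail or router level.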

Thursday 27 October 2016

How to install phpMyAdmin on a FreeNAS Jail

In the name of God, the Most Gracious, the Most Merciful.


Abstract


A tutorial to install phpMyAdmin on a FreeNAS Jail. 

Assumptions and Prerequisites


  • Domain: example.com
  • Hostname: www.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0/24
  • Apache has already been installed.
  • php56 is already installed.
  • Restrict Access only to local LAN (10.0.0.0/24).

Instructions


- First install php extensions required for phpMyAdmin.    
# pkg install php56-session php56-json php56-mbstring php56-zip php56-gd php56-openssl php56-curl php56-ctype php56-bz2 php56-mcrypt php56-zlib

- Install and Configure phpMyAdmin for Database Web Administration
# pkg install phpmyadmin
- Create phpMyAdmin configuration file /usr/local/etc/apache24/Includes/phpmyadmin.conf
# vi /usr/local/etc/apache24/Includes/phpmyadmin.conf
   (1)      Alias /phpmyadmin "/usr/local/www/phpMyAdmin/"
   (2)       
   (3)      <Directory "/usr/local/www/phpMyAdmin/">                  
   (4)          Options None
   (5)          AllowOverride Limit
   (6)
   (7)          Require local
   (8)          Require ip 10.0.0.0/24
   (9)      </Directory>

- Reload Apache Configurations
# service apache24 graceful

- Configure phpMyAdmin to connect with Database
Go to http://10.0.0.56/phpmyadmin/setup in a web browser.
Click the 'New server' button and enter the settings for the database server.
After configuring settings for the database server connection, click the 'Display' button.

- Copy the php code generated into the file /usr/local/www/phpMyAdmin/config.inc.php
# vi /usr/local/www/phpMyAdmin/config.inc.php

- Go to http://10.0.0.56/phpmyadmin in a web browser and log in to phpMyAdmin with your database username and password.

How to Install Apache webserver in a FreeNAS Jail

In the name of God, the Most Gracious, the Most Merciful.


Abstract


  • A tutorial to install the Apache webserver in a FreeNAS 9.10 Jail.
  • Configure and enable SSL on Apache.
  • Enable Virtual Hosts.
  • Enable and configure Apache Server Pool Management.
  • Configure Apache to run CGI and Perl scripts. 
  • Install and configure php56. 


Assumptions and Prerequisites



  • Domain: example.com
  • Hostname: www.example.com
  • System Notification Email: info@example.com 
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0/24
  • Server Location: Melbourne, Australia
  • Webserver and Version: Apache v2.4.23_1
  • Apache Document Root Directory: /usr/local/www/apache24/data
  • Apache MPM: Prefork Module
  • Disable Directory Browsing.
  • AllowOverride All for .htaccess files.
  • CA Certificate File: /usr/local/etc/ssl/certs/ca.pem
  • SSL Certificate File: /usr/local/etc/ssl/certs/www.example.com.crt
  • SSL Key File: /usr/local/etc/ssl/private/www.example.com.key


Instructions


- Install Apache2.4
# pkg install apache24

- Configure Apache settings
Edit file /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (214) ServerAdmin info@example.com
   (222) ServerName www.example.com
   (260) Options -Indexes +FollowSymLinks
   (267) AllowOverride All

- Set Server Defaults for Production Server
Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (505) Include etc/apache24/extra/httpd-default.conf
Edit /usr/local/etc/apache24/extra/httpd-default.conf
# vi /usr/local/etc/apache24/extra/httpd-default.conf
   (55)  ServerTokens Prod

Enable apache to run and start on boot.
# sysrc apache24_enable="yes"
Start Apache Server
# service apache24 start

- Generate Self-Signed Certificate Authority, Server Certificate and Key.
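The posts assume the CA certificate, server certificate and key already exist but give no commands for creating them. The script below is an added example, not part of the original posts: it builds a private CA (once) and signs a server certificate for one host with openssl(1), writing the files in the layout the Samba, Apache and MariaDB posts expect (certs/ca.pem, certs/<fqdn>.crt, private/<fqdn>.key). The function names, the CA name "Example Internal CA", the key sizes and the 825-day default validity are this example's own choices.

```shell
#!/bin/sh
# Added example: create a private CA (once) and sign a server certificate for
# one host with openssl(1). Output layout matches the tutorials' assumptions:
#   $out/certs/ca.pem, $out/certs/<fqdn>.crt, $out/private/<fqdn>.key
# Names, key sizes and the 825-day default validity are this example's choices.
set -eu

# Minimal openssl req config so the script does not depend on the system
# openssl.cnf. $1 = subject CN, $2 = extension section for -x509 (or empty).
req_cnf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    if [ -n "${2:-}" ]; then printf 'x509_extensions = %s\n' "$2"; fi
    printf '[dn]\nCN = %s\n' "$1"
    printf '[v3_ca]\nbasicConstraints = critical, CA:TRUE\n'
    printf 'keyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n'
}

# $1 = output directory, $2 = server FQDN, $3 = validity in days (default 825).
make_ca_and_cert() {
    out=$1; fqdn=$2; days=${3:-825}
    mkdir -p "$out/certs" "$out/private"
    chmod 700 "$out/private"
    cnf=$(mktemp); ext=$(mktemp)

    # 1. CA key and self-signed CA certificate, created only if missing so the
    #    same CA can sign dc., www. and db.example.com in turn.
    if [ ! -f "$out/certs/ca.pem" ]; then
        req_cnf "Example Internal CA" v3_ca > "$cnf"
        openssl genrsa -out "$out/private/ca.key" 4096 2>/dev/null
        openssl req -x509 -new -sha256 -days "$days" -config "$cnf" \
            -key "$out/private/ca.key" -out "$out/certs/ca.pem"
    fi

    # 2. Server key and certificate signing request for the host name.
    req_cnf "$fqdn" "" > "$cnf"
    openssl genrsa -out "$out/private/$fqdn.key" 2048 2>/dev/null
    openssl req -new -config "$cnf" -key "$out/private/$fqdn.key" -out "$out/$fqdn.csr"

    # 3. The CA signs the CSR. The extfile adds the SAN that modern LDAP and
    #    HTTPS clients require and restricts the leaf to server authentication.
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$fqdn" > "$ext"
    printf 'extendedKeyUsage = serverAuth\nkeyUsage = digitalSignature, keyEncipherment\n' >> "$ext"
    openssl x509 -req -sha256 -days "$days" -in "$out/$fqdn.csr" \
        -CA "$out/certs/ca.pem" -CAkey "$out/private/ca.key" -CAcreateserial \
        -extfile "$ext" -out "$out/certs/$fqdn.crt" 2>/dev/null

    rm -f "$cnf" "$ext" "$out/$fqdn.csr"
    chmod 600 "$out/private/"*.key
}

# Returns 0 only if the leaf chains to ca.pem and carries DNS:<fqdn> in its
# SAN; run it before pointing smb4.conf, httpd-ssl.conf or my.cnf at the files.
verify_cert() {
    out=$1; fqdn=$2
    openssl verify -CAfile "$out/certs/ca.pem" "$out/certs/$fqdn.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$out/certs/$fqdn.crt" -noout -text | grep -q "DNS:$fqdn"
}

# Example run under /tmp (use /usr/local/etc/ssl on the jail):
# make_ca_and_cert /tmp/ssl-example www.example.com && verify_cert /tmp/ssl-example www.example.com && echo OK
```

Keep ca.key off the web, database and domain controller jails once the certificates are issued; only ca.pem needs to be distributed, and clients that should trust the servers import that file alone.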

Enable SSL 

Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (89)   LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
   (144)  LoadModule ssl_module libexec/apache24/mod_ssl.so
   (513)  Include etc/apache24/extra/httpd-ssl.conf
Edit /usr/local/etc/apache24/extra/httpd-ssl.conf
# vi /usr/local/etc/apache24/extra/httpd-ssl.conf
   (52)   #SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
   (53)   #SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
   (65)   SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
   (66)   SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
   (124)  DocumentRoot "/usr/local/www/apache24/data"
   (125)  ServerName www.example.com:443
   (126)  ServerAdmin info@example.com
   (127)  ErrorLog "/var/log/httpd-error.log"
   (128)  TransferLog "/var/log/httpd-access.log"
   (144)  SSLCertificateFile "/usr/local/etc/ssl/certs/www.example.com.crt"
   (154)  SSLCertificateKeyFile "/usr/local/etc/ssl/private/www.example.com.key"
   (175)  SSLCACertificateFile "/usr/local/etc/ssl/certs/ca.pem"
Reload new settings for Apache
# service apache24 graceful

Enable Virtual Hosts

- Enable virtual hosts to redirect traffic from the unencrypted port (80) to the encrypted port (443).
Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (496)  Include etc/apache24/extra/httpd-vhosts.conf
Edit /usr/local/etc/apache24/extra/httpd-vhosts.conf
# vi /usr/local/etc/apache24/extra/httpd-vhosts.conf
   (23)  <VirtualHost *:80>
   (24)       ServerAdmin info@example.com
   (25)       DocumentRoot "/usr/local/www/apache24/data"
   (26)       ServerName www.example.com
   (27)       ServerAlias www.example.com
   (28)       ErrorLog "/var/log/www.example.com-error_log"
   (29)       CustomLog "/var/log/www.example.com-access_log" common
   (30)       Redirect "/" "https://www.example.com"
   (31)  </VirtualHost>
Reload new settings for Apache
# service apache24 graceful


Enable Server Pool Management

Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (478)  Include etc/apache24/extra/httpd-mpm.conf
Change the number of concurrent connections for the server from 250 to 50 by editing the /usr/local/etc/apache24/extra/httpd-mpm.conf file
# vi /usr/local/etc/apache24/extra/httpd-mpm.conf
   (32)    MaxRequestWorkers      50
Reload new settings for Apache
# service apache24 graceful

Enable CGI and Perl Scripts


Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (162)   LoadModule cgid_module libexec/apache24/mod_cgid.so
   (165)   LoadModule cgi_module libexec/apache24/mod_cgi.so
   (260)   Options -Indexes +FollowSymLinks +ExecCGI
   (418)   AddHandler cgi-script .cgi .pl
Reload new settings for Apache
# service apache24 graceful

- Create CGI Script to test on Server
Create file /usr/local/www/apache24/data/index.cgi
# vi /usr/local/www/apache24/data/index.cgi
   (1)     #!/usr/local/bin/perl
   (2)     print "Content-type: text/html\n\n";
   (3)     print "<html>\n<body>\n";
   (4)     print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n";
   (5)     print "CGI Test Page";
   (6)     print "\n</div>\n";
   (7)     print "</body>\n</html>\n";
- Change permissions of the file
# chmod 705 /usr/local/www/apache24/data/index.cgi
- Test Script in Browser

- Create Perl Script to test on Server
Create file /usr/local/www/apache24/data/index.pl
# vi /usr/local/www/apache24/data/index.pl
   (1)     #!/usr/local/bin/perl
   (2)     print "Content-type: text/html\n\n";
   (3)     print "<html>\n<body>\n";
   (4)     print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n";
   (5)     print "Perl Test Page";
   (6)     print "\n</div>\n";
   (7)     print "</body>\n</html>\n";
- Change permissions of the file
# chmod 705 /usr/local/www/apache24/data/index.pl
- Test Script in Browser

Install and Enable php56

# pkg install -y php56 mod_php56 php56-mysql php56-mysqli php56-extensions
Create the php56 configuration file /usr/local/etc/apache24/Includes/php56.conf
# vi /usr/local/etc/apache24/Includes/php56.conf
   (1)     <FilesMatch "\.php$">
   (2)         SetHandler application/x-httpd-php
   (3)     </FilesMatch>
   (4)     <FilesMatch "\.phps$">
   (5)         SetHandler application/x-httpd-php-source
   (6)     </FilesMatch>
Reload new settings for Apache
# service apache24 graceful

- Change script preference to execute index.php over index.html
Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (281)  DirectoryIndex index.php index.html
- Copy php.ini-production to php.ini
# cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
- Edit file /usr/local/etc/php.ini
# vi /usr/local/etc/php.ini
   (936)   date.timezone = "Australia/Melbourne"
Reload new settings for Apache
# service apache24 graceful

- Create php Script to test on Server
Create file /usr/local/www/apache24/data/index.php
# vi /usr/local/www/apache24/data/index.php
   (1)       <html>
   (2)       <body>
   (3)       <div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
   (4)       <?php
   (5)            print Date("Y/m/d");
   (6)       ?>
   (7)       </div>
   (8)       </body>
   (9)       </html>
- Test Script in Browser


How to install MariaDB Server in a FreeNAS Jail

In the name of God, the Most Gracious, the Most Merciful.



Description



A tutorial to install MariaDB Server v10.1.18 on a FreeNAS 9.10.1 Jail.


Assumptions and Prerequisites 




  • Domain: example.com
  • Hostname: db.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: db
  • Private IP: 10.0.0.57
  • Subnet Mask: 255.255.255.0/24
  • Database Version: MariaDB v10.1.18
  • Database Server Type: Medium
  • SSL Certificates have been generated 
  • CA Certificate File: /usr/local/etc/ssl/certs/ca.pem
  • SSL Certificate File: /usr/local/etc/ssl/certs/db.example.com.crt
  • SSL Key File: /usr/local/etc/ssl/private/db.example.com.key


Instructions


Install MariaDB
# pkg install mariadb101-server

Configure Settings
Choose Configuration file for Database server: my-small.cnf, my-medium.cnf, my-large.cnf, or my-huge.cnf
# cp /usr/local/share/mysql/my-medium.cnf /usr/local/etc/my.cnf 

Enable MariaDB Server to run and start on boot
# sysrc mysql_enable=yes

Start MariaDB Server
# service mysql-server start

Configure secure setup for production
# mysql_secure_installation
   Set root password? [Y/n]: y
   Remove anonymous users? [Y/n]: y
   Disallow root login remotely? [Y/n]: y
   Remove test database and access to it? [Y/n]: y
   Reload privilege tables now? [Y/n]: y

Test root Login
# mysql -u root -p

Test sql queries
# select user,host,password from mysql.user;
# show databases; 
# exit;

Enable SSL on MariaDB Server
# vi /usr/local/etc/my.cnf
   (27)  # The MariaDB server
   (28)  [mysqld]
   (29)  ssl-ca=/usr/local/etc/ssl/certs/ca.pem
   (30)  ssl-cert=/usr/local/etc/ssl/certs/db.example.com.crt
   (31)  ssl-key=/usr/local/etc/ssl/private/db.example.com.key 
   (32)  bind-address    = 10.0.0.57 
   (33)  port = 3306

Monday 3 October 2016

How to install Webmin in a FreeNAS Jail

In the name of God, the Most Gracious, the Most Merciful.


Description


This is a tutorial on how to install Webmin 1.810 inside a FreeNAS 9.10.1-U1 warden jail.

Assumptions and Prerequisites 


  • OS: FreeNAS 9.10.1-U1
  • Webmin Version: 1.810
  • Jail Name: zen
  • DNS Name: zen.houseofjaleel.com
  • Domain: houseofjaleel.com
  • Private IP Address: 10.0.0.10
  • Jail has been updated to the latest packages with the command # pkg update && pkg upgrade -y

Instructions


1. Install Webmin 
# pkg install -y webmin

2. Run the Webmin setup script
# /usr/local/lib/webmin/setup.sh
Log file directory [/var/log/webmin]: press Enter to accept default
Full path to perl (default /usr/local/bin/perl): press Enter to accept default
Web server port (default 10000): press Enter to accept default
Login name (default admin): press Enter to accept default
Login password: (set your password here)
Password again: (set your password here)
Use SSL (y/n): y

3. Enable Webmin so that it also starts at boot
# sysrc webmin_enable="YES"

4. Start Webmin service
# service webmin start

Conclusion


Log in to Webmin via the browser with the username admin and the password you set with the setup script earlier.

If DNS is configured for the jail then you can access Webmin through any of the three URLs below, or just the IP.
  1. https://10.0.0.10:10000
  2. https://zen:10000
  3. https://zen.houseofjaleel.com:10000