Differences
This page shows the differences between two versions of the page.
dienste:bytecluster0001 [05.06.2017 18:39] – [Matrix IRC Bridge] mkzero | dienste:bytecluster0001 [03.05.2020 17:51] (current) – Limit raised to 20MB mape2k | ||
Zeile 1: | Zeile 1: | ||
- | ====== bytecluster0001 ====== | + | ======= bytecluster0001 |
- | bytecluster0001 ist ein virtueller Server, der Kommunikationsdienste für den Verein bereitstellt. Der Server wurde von der Firma Hetzner Online GmbH dankenswerter Weise zur Verfügung gestellt. | + | bytecluster0001 ist ein virtueller Server, der Kommunikationsdienste für den Verein bereitstellt. |
- | ===== Administratoren ===== | + | ====== Administratoren |
* [[user: | * [[user: | ||
* [[user: | * [[user: | ||
* [[user: | * [[user: | ||
+ | * [[user: | ||
- | ===== Benutzer ===== | + | ====== Benutzer |
* Bernd (Webseiten) | * Bernd (Webseiten) | ||
- | ===== IPs /DNS ===== | + | ====== IPs /DNS ====== |
* bytecluster0001.bytespeicher.org | * bytecluster0001.bytespeicher.org | ||
Zeile 19: | Zeile 20: | ||
* 2a01: | * 2a01: | ||
- | ===== Installation ===== | + | ====== Installation |
* Debian 8.2 minimal | * Debian 8.2 minimal | ||
- | ==== User / Gruppen ==== | + | ===== User / Gruppen |
* mkzero -> sudo | * mkzero -> sudo | ||
* marcel -> sudo | * marcel -> sudo | ||
+ | * maddi -> sudo | ||
* stephan -> sudo | * stephan -> sudo | ||
* bernd -> sudo für www-data | * bernd -> sudo für www-data | ||
Zeile 36: | Zeile 38: | ||
* ffapi | * ffapi | ||
* synapse | * synapse | ||
- | ==== Pakete ==== | + | ===== Pakete |
* zsh | * zsh | ||
Zeile 46: | Zeile 48: | ||
* debian-goodies | * debian-goodies | ||
- | ==== Netzwerk ==== | + | ===== Netzwerk |
- | === Skript für IPv6-Adressen (benötigt für Matrix-IRC-Bridge) === | + | ==== Skript für IPv6-Adressen (benötigt für Matrix-IRC-Bridge) |
< | < | ||
#!/bin/bash | #!/bin/bash | ||
Zeile 64: | Zeile 66: | ||
* //**chmod +x / | * //**chmod +x / | ||
- | === Konfiguration === | + | ==== Konfiguration |
< | < | ||
Zeile 84: | Zeile 86: | ||
</ | </ | ||
- | ==== Konfiguration SSH ==== | + | ===== Konfiguration SSH ===== |
* HostKey DSA entfernt | * HostKey DSA entfernt | ||
Zeile 101: | Zeile 103: | ||
</ | </ | ||
- | ==== SUDO ==== | + | ===== SUDO ===== |
* Administrative Benutzer sind Mitglied der Gruppe " | * Administrative Benutzer sind Mitglied der Gruppe " | ||
- | ==== IPTABLES ==== | + | ===== IPTABLES |
* iptables-persistent | * iptables-persistent | ||
Zeile 126: | Zeile 128: | ||
# Localhorst | # Localhorst | ||
-A INPUT -s 127.0.0.0/8 -j ACCEPT | -A INPUT -s 127.0.0.0/8 -j ACCEPT | ||
+ | |||
+ | # Turnserver | ||
+ | -A INPUT -p udp -m udp --dport 3478 -j ACCEPT | ||
+ | -A INPUT -p udp -m udp --dport 5349 -j ACCEPT | ||
+ | -A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT | ||
# SSH / mosh | # SSH / mosh | ||
Zeile 146: | Zeile 153: | ||
-A INPUT -p tcp --dport 4190 -j ACCEPT | -A INPUT -p tcp --dport 4190 -j ACCEPT | ||
+ | # Matrix | ||
+ | -A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT | ||
+ | -A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT | ||
COMMIT | COMMIT | ||
</ | </ | ||
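Review bot: the new `-A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT` rule opens Synapse's plain-HTTP client listener to the outside, although the erfurt.chat vhost in this same revision already proxies `location /_matrix` behind nginx and TLS. The homeserver.yaml hunk further down changes `bind_addresses` to `'::'` (which, per the adjacent comment, also covers all IPv4 addresses) and touches `x_forwarded:` on the listener (value cut off here); if forwarding headers are trusted on a listener that is reachable directly, a client can supply its own X-Forwarded-For and Synapse will log and rate-limit on that address. Keep 8008 on loopback and leave only 8448 in the firewall, and apply the same to the ip6tables copy of this rule below. The TURN rules (UDP 3478, 5349, 49152:59999) line up with `min-port=49152` / `max-port=59999` and the `no-tcp` setting in the turnserver.conf hunk.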
Zeile 165: | Zeile 175: | ||
# Garbage | # Garbage | ||
-A INPUT -m state --state INVALID -j DROP | -A INPUT -m state --state INVALID -j DROP | ||
+ | |||
+ | # Turnserver | ||
+ | -A INPUT -p udp -m udp --dport 3478 -j ACCEPT | ||
+ | -A INPUT -p udp -m udp --dport 5349 -j ACCEPT | ||
+ | -A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT | ||
# SSH / mosh | # SSH / mosh | ||
Zeile 185: | Zeile 200: | ||
-A INPUT -p tcp --dport 4190 -j ACCEPT | -A INPUT -p tcp --dport 4190 -j ACCEPT | ||
+ | # Matrix | ||
+ | -A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT | ||
+ | -A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT | ||
COMMIT | COMMIT | ||
</ | </ | ||
- | ==== MySQL/ | + | ===== MySQL/ |
* mariadb-server | * mariadb-server | ||
Zeile 230: | Zeile 248: | ||
</ | </ | ||
- | ==== NGINX ==== | + | ===== NGINX ===== |
* nginx | * nginx | ||
+ | < | ||
+ | ssl_protocols TLSv1.2; | ||
+ | ssl_prefer_server_ciphers on; | ||
+ | |||
+ | ssl_ciphers " | ||
+ | ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 | ||
+ | |||
+ | ssl_session_cache shared: | ||
+ | ssl_session_timeout 10m; | ||
+ | |||
+ | ssl_session_tickets off; # Requires nginx >= 1.5.9 | ||
+ | ssl_stapling on; # Requires nginx >= 1.3.7 | ||
+ | ssl_stapling_verify on; # Requires nginx => 1.3.7 | ||
+ | |||
+ | #add_header Strict-Transport-Security " | ||
+ | add_header X-Frame-Options DENY; | ||
+ | add_header X-Content-Type-Options nosniff; | ||
+ | |||
+ | resolver 213.133.98.98 213.133.99.99 valid=300s; | ||
+ | resolver_timeout 5s; | ||
+ | </ | ||
< | < | ||
- | diff -Naur / | ||
- | --- / | ||
- | +++ / | ||
- | @@ -0,0 +1,12 @@ | ||
- | +ssl_ciphers " | ||
- | +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | +ssl_prefer_server_ciphers on; | ||
- | +ssl_session_cache shared: | ||
- | +add_header Strict-Transport-Security " | ||
- | +add_header X-Frame-Options DENY; | ||
- | +add_header X-Content-Type-Options nosniff; | ||
- | +ssl_session_tickets off; # Requires nginx >= 1.5.9 | ||
- | +ssl_stapling on; # Requires nginx >= 1.3.7 | ||
- | +ssl_stapling_verify on; # Requires nginx => 1.3.7 | ||
- | +resolver 213.133.98.98 213.133.99.99 valid=300s; | ||
- | +resolver_timeout 5s; | ||
diff -Naur / | diff -Naur / | ||
--- / | --- / | ||
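Review bot: `#add_header Strict-Transport-Security` is commented out in the new shared snippet while the snippet being deleted in the same hunk (`+add_header Strict-Transport-Security ...`) set it unconditionally, so HSTS now depends on every server block adding it itself; the vhosts below do, but any new vhost that forgets will silently lose it, so either uncomment it here or note the convention next to the snippet. Dropping `TLSv1 TLSv1.1` from `ssl_protocols` and setting `ssl_session_tickets off` are the right changes. `ssl_stapling_verify on` only works together with `ssl_trusted_certificate`, which the snippet does not carry, so that directive has to stay in each site block (as it does below).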
Zeile 276: | Zeile 299: | ||
</ | </ | ||
- | ==== Let's Encrypt (SSL-Zertifikate) ==== | + | ===== Let's Encrypt (SSL-Zertifikate) |
=== Installation === | === Installation === | ||
Zeile 320: | Zeile 343: | ||
# Reload NGINX | # Reload NGINX | ||
sudo / | sudo / | ||
+ | |||
+ | # Copy erfurt.chat-Certificate/ | ||
+ | if [ ${DOMAIN} = " | ||
+ | cp -L ${KEYFILE} / | ||
+ | cp -L ${CERTFILE} / | ||
+ | cp -L ${FULLCHAINFILE} / | ||
+ | chgrp synapse / | ||
+ | chmod 640 / | ||
+ | fi | ||
# Restart Postfix/ | # Restart Postfix/ | ||
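Review bot: `if [ ${DOMAIN} = "..." ]` should quote the variable (`[ "${DOMAIN}" = ... ]`); with DOMAIN empty or unset the test becomes a syntax error and the hook aborts before the Postfix restart that follows it. The `cp -L ${KEYFILE}` / `${CERTFILE}` / `${FULLCHAINFILE}` arguments want the same quoting. `cp -L` itself is the right choice, since it follows the Let's Encrypt live/ symlinks into the real files, and the `chgrp synapse` plus `chmod 640` pair keeps the copied private key readable by the synapse group only.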
Zeile 345: | Zeile 377: | ||
23 4 * * * | 23 4 * * * | ||
</ | </ | ||
- | === Verwendung des Let' | + | === Verwendung des LetsEncrypt |
Pro Zertifikat können mehrere Domains/ | Pro Zertifikat können mehrere Domains/ | ||
Zeile 371: | Zeile 403: | ||
... | ... | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
add_header X-Frame-Options SAMEORIGIN; | add_header X-Frame-Options SAMEORIGIN; | ||
- | add_header X-Content-Type-Options nosniff; | ||
ssl_certificate / | ssl_certificate / | ||
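Review bot: removing `add_header X-Content-Type-Options nosniff;` from this server block does not hand it over to the shared snippet: nginx inherits `add_header` from the enclosing level only when the current level defines none, and this block still defines `add_header Strict-Transport-Security` and `add_header X-Frame-Options SAMEORIGIN;`, so the snippet's nosniff header will not be sent for this site. Either keep the nosniff line here or move all three headers into the snippet and delete them from the vhosts. The same removal recurs in several of the server blocks further down (Freifunk-API, bytespeicher.org, status, makerspace, Roundcube, Matrix).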
Zeile 387: | Zeile 411: | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
... | ... | ||
Zeile 396: | Zeile 418: | ||
* **// | * **// | ||
- | ==== PHP ==== | + | ===== User-Agent-Filter ===== |
+ | < | ||
+ | ### Block Mastodon | ||
+ | if ($http_user_agent ~* (Mastodon)) { | ||
+ | return 403; | ||
+ | } | ||
+ | </ | ||
+ | ===== PHP ===== | ||
* php5-fpm | * php5-fpm | ||
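Review bot: the User-Agent filter `if ($http_user_agent ~* (Mastodon)) { return 403; }` is a courtesy block, not an access control: the header is chosen by the client, so it keeps well-behaved Mastodon fetchers out but should not be relied on to protect anything. The construct itself is fine, `return` being one of the directives that is safe inside nginx `if`; just note in the page which vhosts are meant to include the snippet, since it only applies where it is included.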
Zeile 417: | Zeile 446: | ||
post_max_size = 64M | post_max_size = 64M | ||
</ | </ | ||
- | ==== Ruby ==== | + | ===== Ruby ===== |
* ruby | * ruby | ||
- | ==== Bytebot ==== | + | ===== Bytebot |
Pakete: | Pakete: | ||
Zeile 465: | Zeile 494: | ||
* // | * // | ||
- | ==== Twitterstatus / Twitterstatus Makerspace ==== | + | ===== Twitterstatus / Twitterstatus Makerspace |
Die Anleitung ist für " | Die Anleitung ist für " | ||
Zeile 529: | Zeile 558: | ||
</ | </ | ||
- | ==== Freifunk-API ==== | + | ===== Freifunk-API |
=== Pakete === | === Pakete === | ||
Zeile 581: | Zeile 610: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
add_header X-Frame-Options SAMEORIGIN; | add_header X-Frame-Options SAMEORIGIN; | ||
- | add_header X-Content-Type-Options nosniff; | ||
ssl_certificate / | ssl_certificate / | ||
Zeile 597: | Zeile 618: | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
Zeile 635: | Zeile 654: | ||
* // | * // | ||
- | ==== paste.bytespeicher.org ==== | + | ===== paste.bytespeicher.org |
* Datenbank: bs_paste | * Datenbank: bs_paste | ||
Zeile 656: | Zeile 675: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
Zeile 670: | Zeile 682: | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
Zeile 700: | Zeile 710: | ||
</ | </ | ||
- | ==== bytespeicher.org ==== | + | ===== bytespeicher.org |
* Datenbank: wp_bs | * Datenbank: wp_bs | ||
Zeile 712: | Zeile 722: | ||
| | ||
+ | | ||
| | ||
Zeile 729: | Zeile 740: | ||
| | ||
+ | |||
+ | | ||
ssl on; | ssl on; | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
| | ||
| | ||
- | | ||
| | ||
Zeile 747: | Zeile 752: | ||
| | ||
- | | ||
- | | ||
| | ||
Zeile 764: | Zeile 767: | ||
ssl on; | ssl on; | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
| | ||
| | ||
- | add_header X-Content-Type-Options nosniff; | + | |
| | ||
| | ||
| | ||
- | | ||
- | | ||
| | ||
Zeile 837: | Zeile 830: | ||
</ | </ | ||
- | ==== status.bytespeicher.org ==== | + | ===== status.bytespeicher.org |
* **//useradd spacestatus -m -G www-data// | * **//useradd spacestatus -m -G www-data// | ||
* **//sudo -u spacestatus / | * **//sudo -u spacestatus / | ||
* **//cd ~//** | * **//cd ~//** | ||
- | * **//git clone https:/ / | + | * **//< |
* **//mkdir www//** | * **//mkdir www//** | ||
* **// | * **// | ||
Zeile 901: | Zeile 894: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
add_header X-Frame-Options SAMEORIGIN; | add_header X-Frame-Options SAMEORIGIN; | ||
- | add_header | + | add_header |
+ | |||
ssl_certificate / | ssl_certificate / | ||
ssl_certificate_key / | ssl_certificate_key / | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
} | } | ||
</ | </ | ||
- | ==== makerspace-erfurt.de / fablab-erfurt.de ==== | + | ===== makerspace-erfurt.de / fablab-erfurt.de |
* Datenbank: makerspace_wp | * Datenbank: makerspace_wp | ||
Zeile 946: | Zeile 930: | ||
ssl on; | ssl on; | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
| | ||
| | ||
- | add_header X-Content-Type-Options nosniff; | + | |
| | ||
| | ||
| | ||
- | | ||
- | | ||
| | ||
Zeile 1004: | Zeile 978: | ||
</ | </ | ||
- | ==== cloud.technikkultur-erfurt.de (Owncloud) ==== | + | ===== cloud.technikkultur-erfurt.de (Nextcloud) ===== |
* Datenbank: makerspace_oc | * Datenbank: makerspace_oc | ||
Zeile 1025: | Zeile 999: | ||
ssl on; | ssl on; | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
| | ||
Zeile 1037: | Zeile 1004: | ||
| | ||
- | | ||
- | | ||
| | ||
Zeile 1147: | Zeile 1112: | ||
</ | </ | ||
- | ==== Redmine ==== | + | ===== Redmine |
* Datenbank: redmine | * Datenbank: redmine | ||
Zeile 1268: | Zeile 1233: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
Zeile 1282: | Zeile 1240: | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
Zeile 1302: | Zeile 1258: | ||
</ | </ | ||
- | ==== Dokuwiki ==== | + | ===== Dokuwiki |
* DocumentRoot: | * DocumentRoot: | ||
Zeile 1315: | Zeile 1271: | ||
listen [::]:443 ssl; | listen [::]:443 ssl; | ||
+ | include snippets/ | ||
include snippets/ | include snippets/ | ||
Zeile 1328: | Zeile 1285: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
Zeile 1342: | Zeile 1292: | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
- | # Maximum file upload size is 4MB - change accordingly if needed | + | # Maximum file upload size is 20MB - change accordingly if needed |
- | client_max_body_size | + | client_max_body_size |
client_body_buffer_size 128k; | client_body_buffer_size 128k; | ||
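Review bot: raising `client_max_body_size` to 20MB (matching the "Limit raised to 20MB" edit summary) also needs PHP to agree; the php5-fpm hunk earlier on this page shows `post_max_size = 64M`, which is enough for the request body, but check that `upload_max_filesize` (not shown in this diff) is at least 20M as well, since `post_max_size` alone does not raise the per-file limit. Updating the comment and the value in the same change, as done here, is good.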
Zeile 1378: | Zeile 1326: | ||
</ | </ | ||
- | ==== Pad ==== | + | ===== Pad ===== |
* Software: Etherpad-lite | * Software: Etherpad-lite | ||
Zeile 1423: | Zeile 1371: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
Zeile 1437: | Zeile 1378: | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
Zeile 1502: | Zeile 1441: | ||
* https:// | * https:// | ||
- | ==== wall.technikkultur-erfurt.de ==== | + | ===== wall.technikkultur-erfurt.de |
* Config: / | * Config: / | ||
Zeile 1525: | Zeile 1464: | ||
</ | </ | ||
- | ==== Piwik ==== | + | ===== opendata.bytespeicher.org ===== |
+ | |||
+ | * Webspace: / | ||
+ | |||
+ | < | ||
+ | server { | ||
+ | listen 80; | ||
+ | listen [::]:80; | ||
+ | |||
+ | listen 443 ssl; | ||
+ | listen [::]:443 ssl; | ||
+ | |||
+ | include snippets/ | ||
+ | |||
+ | root / | ||
+ | |||
+ | index index.html; | ||
+ | |||
+ | server_name opendata.bytespeicher.org; | ||
+ | |||
+ | location / { | ||
+ | try_files $uri $uri/ =404; | ||
+ | } | ||
+ | |||
+ | # PHP | ||
+ | location ~ \.php$ { | ||
+ | fastcgi_pass | ||
+ | include | ||
+ | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | ||
+ | fastcgi_param REDIRECT_STATUS 200; | ||
+ | } | ||
+ | |||
+ | ssl on; | ||
+ | |||
+ | # Use SSL as default | ||
+ | # if ($scheme != " | ||
+ | # | ||
+ | # } | ||
+ | # add_header Strict-Transport-Security " | ||
+ | |||
+ | ssl_certificate / | ||
+ | ssl_certificate_key / | ||
+ | |||
+ | ssl_dhparam / | ||
+ | |||
+ | ssl_stapling on; | ||
+ | ssl_stapling_verify on; | ||
+ | ssl_trusted_certificate / | ||
+ | |||
+ | # Security options | ||
+ | add_header X-Frame-Options SAMEORIGIN; | ||
+ | add_header X-Content-Type-Options nosniff; | ||
+ | add_header Access-Control-Allow-Origin *; | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ===== Piwik ===== | ||
* Datenbank: bs_piwik | * Datenbank: bs_piwik | ||
Zeile 1549: | Zeile 1544: | ||
</ | </ | ||
- | ==== Roundcube ==== | + | ===== Roundcube |
* Datenbank: roundcubemail | * Datenbank: roundcubemail | ||
Zeile 1607: | Zeile 1602: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
add_header Strict-Transport-Security " | add_header Strict-Transport-Security " | ||
add_header X-Frame-Options SAMEORIGIN; | add_header X-Frame-Options SAMEORIGIN; | ||
- | | + | |
ssl_certificate / | ssl_certificate / | ||
ssl_certificate_key / | ssl_certificate_key / | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
root / | root / | ||
+ | |||
+ | client_max_body_size 64m; | ||
index index.php index.html; | index index.php index.html; | ||
Zeile 1674: | Zeile 1661: | ||
* //**rm -rf / | * //**rm -rf / | ||
- | ==== Matrix/ | + | ===== Matrix/ |
* useradd -m synapse | * useradd -m synapse | ||
* apt-get install build-essential python2.7-dev libffi-dev python-pip python-setuptools sqlite3 libssl-dev python-virtualenv libjpeg-dev libxslt1-dev coturn | * apt-get install build-essential python2.7-dev libffi-dev python-pip python-setuptools sqlite3 libssl-dev python-virtualenv libjpeg-dev libxslt1-dev coturn | ||
+ | |||
+ | * mkdir / | ||
+ | * chown synapse: | ||
+ | * chmod 770 / | ||
+ | * usermod -G synapse letsencrypt | ||
< | < | ||
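Review bot: `usermod -G synapse letsencrypt` replaces the letsencrypt user's whole supplementary group list rather than adding to it; use `usermod -aG synapse letsencrypt` so that any group the user already belongs to survives. The `chown synapse:` / `chmod 770` on the certificate directory, together with the `chgrp synapse` / `chmod 640` in the Let's Encrypt hook above, gives Synapse group-read access to the key without making it world-readable, which is the right shape.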
Zeile 1697: | Zeile 1689: | ||
} | } | ||
root / | root / | ||
+ | |||
+ | client_max_body_size 32m; | ||
location /_matrix { | location /_matrix { | ||
Zeile 1704: | Zeile 1698: | ||
ssl on; | ssl on; | ||
- | |||
- | ssl_session_cache shared: | ||
- | ssl_session_timeout 10m; | ||
- | |||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
- | ssl_ciphers " | ||
# add_header Strict-Transport-Security " | # add_header Strict-Transport-Security " | ||
add_header X-Frame-Options SAMEORIGIN; | add_header X-Frame-Options SAMEORIGIN; | ||
- | | + | |
ssl_certificate / | ssl_certificate / | ||
ssl_certificate_key / | ssl_certificate_key / | ||
ssl_dhparam / | ssl_dhparam / | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
Zeile 1735: | Zeile 1719: | ||
< | < | ||
external-ip=88.198.111.196 | external-ip=88.198.111.196 | ||
+ | min-port=49152 | ||
+ | max-port=59999 | ||
lt-cred-mech | lt-cred-mech | ||
use-auth-secret | use-auth-secret | ||
static-auth-secret=[your secret key here] | static-auth-secret=[your secret key here] | ||
realm=erfurt.chat | realm=erfurt.chat | ||
+ | no-tcp | ||
+ | no-tls | ||
no-tcp-relay | no-tcp-relay | ||
+ | cert=/ | ||
+ | pkey=/ | ||
+ | cipher-list=" | ||
+ | syslog | ||
denied-peer-ip=10.0.0.0-10.255.255.255 | denied-peer-ip=10.0.0.0-10.255.255.255 | ||
denied-peer-ip=192.168.0.0-192.168.255.255 | denied-peer-ip=192.168.0.0-192.168.255.255 | ||
denied-peer-ip=172.16.0.0-172.31.255.255 | denied-peer-ip=172.16.0.0-172.31.255.255 | ||
allowed-peer-ip=172.31.1.100 | allowed-peer-ip=172.31.1.100 | ||
- | syslog | ||
no-sslv2 | no-sslv2 | ||
no-sslv3 | no-sslv3 | ||
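Review bot: with `no-tcp` and `no-tls` added, coturn serves UDP only, which matches the firewall rules in this revision (UDP 3478, 5349 and 49152:59999, no TCP) and the new `min-port` / `max-port` pair; the `cert=`, `pkey=` and `cipher-list=` lines are then only used for DTLS on 5349, so if DTLS is not wanted either, add `no-dtls` and the key material can leave the TURN config. The `denied-peer-ip` list covers the three RFC 1918 ranges but not loopback (`127.0.0.0-127.255.255.255`) or the server's own `external-ip`; adding those keeps the relay from reaching services that listen only on the host itself. `allowed-peer-ip=172.31.1.100` deliberately punches a hole in the 172.16/12 deny; worth a comment saying what that host is.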
Zeile 1763: | Zeile 1754: | ||
< | < | ||
--- homeserver.yaml.orig 2017-06-05 12: | --- homeserver.yaml.orig 2017-06-05 12: | ||
- | +++ homeserver.yaml 2017-06-05 14:00:36.981444634 | + | +++ homeserver.yaml 2018-04-17 13:40:25.760622831 |
- | @@ -120,7 +120,7 @@ | + | @@ -4,10 +4,10 @@ |
- | | + | # autogenerates on launch with your own SSL certificate + key pair |
- | | + | # if you like. Any required intermediary certificates can be |
- | tls: false | + | # appended after the primary certificate in hierarchical order. |
- | - bind_addresses: | + | -tls_certificate_path: |
- | + | + | +tls_certificate_path: |
+ | |||
+ | # PEM encoded private key for TLS | ||
+ | -tls_private_key_path: | ||
+ | +tls_private_key_path: | ||
+ | |||
+ | # PEM dh parameters for ephemeral keys | ||
+ | | ||
+ | @@ -50,7 +50,7 @@ | ||
+ | pid_file: / | ||
+ | |||
+ | # Whether to serve a web client from the HTTP/HTTPS root resource. | ||
+ | -web_client: | ||
+ | +web_client: | ||
+ | |||
+ | # The root directory to server for the above web client. | ||
+ | # If left undefined, synapse will serve the matrix-angular-sdk web client. | ||
+ | @@ -59,7 +59,7 @@ | ||
+ | # web_client_location: "/ | ||
+ | |||
+ | # The public-facing base URL for the client API (not including _matrix/ | ||
+ | -# public_baseurl: https:// | ||
+ | +public_baseurl: | ||
+ | |||
+ | # Set the soft limit on the number of file descriptors synapse can use | ||
+ | # Zero is used to indicate synapse should set the soft limit to the | ||
+ | @@ -71,7 +71,9 @@ | ||
+ | |||
+ | # Set the limit on the returned events in the timeline in the get | ||
+ | # and sync operations. The default value is -1, means no upper limit. | ||
+ | -# filter_timeline_limit: | ||
+ | + | ||
+ | +## activated by maddi | ||
+ | +filter_timeline_limit: | ||
+ | |||
+ | # List of ports that Synapse should listen on, their purpose and their | ||
+ | # configuration. | ||
+ | @@ -85,11 +87,11 @@ | ||
+ | # Local addresses to listen on. | ||
+ | # This will listen on all IPv4 addresses by default. | ||
+ | bind_addresses: | ||
+ | - - ' | ||
+ | + # | ||
+ | # Uncomment to listen on all IPv6 interfaces | ||
+ | # N.B: On at least Linux this will also listen on all IPv4 | ||
+ | # addresses, so you will need to comment out the line above. | ||
+ | - # - '::' | ||
+ | + - '::' | ||
+ | |||
+ | # This is a ' | ||
type: http | type: http | ||
- | + | @@ -123,7 +125,7 @@ | |
- | | + | bind_addresses: |
- | @@ -231,7 +231,7 @@ | + | type: http |
+ | |||
+ | - | ||
+ | + x_forwarded: | ||
+ | |||
+ | | ||
+ | - names: [client, webclient] | ||
+ | @@ -141,14 +143,18 @@ | ||
+ | # Database configuration | ||
+ | | ||
+ | # The database engine name | ||
+ | - name: " | ||
+ | + name: " | ||
+ | # Arguments to pass to the engine | ||
+ | | ||
+ | - # Path to the database | ||
+ | - database: "/ | ||
+ | + #user: synapse | ||
+ | + database: synapse | ||
+ | + #host: localhost | ||
+ | + # | ||
+ | + cp_min: 5 | ||
+ | + cp_max: 25 | ||
+ | |||
+ | # Number of events to cache in memory. | ||
+ | -event_cache_size: | ||
+ | +event_cache_size: | ||
+ | |||
+ | |||
+ | |||
+ | @@ -156,7 +162,7 @@ | ||
+ | | ||
+ | |||
+ | # File to write logging to. Ignored if log_config is specified. | ||
+ | -log_file: "/ | ||
+ | +log_file: "/ | ||
+ | |||
+ | # A yaml python logging config file | ||
+ | | ||
+ | @@ -171,7 +177,9 @@ | ||
+ | | ||
+ | |||
+ | # The federation window size in milliseconds | ||
+ | -federation_rc_window_size: | ||
+ | +## edit by maddi | ||
+ | +# federation_rc_window_size: | ||
+ | +federation_rc_window_size: | ||
+ | |||
+ | # The number of federation requests from a single server in a window | ||
+ | # before the server will delay processing the request. | ||
+ | @@ -183,14 +191,19 @@ | ||
+ | |||
+ | # The maximum number of concurrent federation requests allowed | ||
+ | # from a single server | ||
+ | -federation_rc_reject_limit: | ||
+ | +## edit by maddi | ||
+ | +# federation_rc_reject_limit: | ||
+ | +federation_rc_reject_limit: | ||
+ | |||
+ | # The number of federation requests to concurrently process from a | ||
+ | # single server | ||
+ | -federation_rc_concurrent: | ||
+ | - | ||
+ | - | ||
+ | - | ||
+ | +# | ||
+ | +## edit by maddi | ||
+ | +federation_rc_concurrent: | ||
+ | + | ||
+ | +## add by maddi | ||
+ | +federation_domain_whitelist: | ||
+ | + | ||
+ | # Directory where uploaded images and attachments are stored. | ||
+ | | ||
+ | |||
+ | @@ -231,7 +244,7 @@ | ||
# Is the preview URL API enabled? | # Is the preview URL API enabled? | ||
# an explicit url_preview_ip_range_blacklist of IPs that the spider is | # an explicit url_preview_ip_range_blacklist of IPs that the spider is | ||
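Review bot: the previous `app_service_config_files:` line is replaced under `## deactivated by maddi`, yet the Matrix IRC Bridge section further down still registers `ircbridge_registration.yaml` with `matrix-appservice-irc -r`; if the registration file is no longer listed here Synapse will not load the bridge, so the page should state whether the bridge is intentionally off or this hunk drops it by accident. Two smaller things: the comment line `# to sign new messages. dE.g. it has lost its private key` picked up a stray `d`, and the `@@ -85,11 +87,11 @@` listener hunk switches `bind_addresses` to `'::'`, which per the adjacent comment listens on all IPv4 addresses too, so that listener is reachable from outside wherever the firewall accepts it (see the 8008 rule above).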
Zeile 1779: | Zeile 1894: | ||
-url_preview_enabled: | -url_preview_enabled: | ||
+url_preview_enabled: | +url_preview_enabled: | ||
- | + | ||
# List of IP address CIDR ranges that the URL preview spider is denied | # List of IP address CIDR ranges that the URL preview spider is denied | ||
# from accessing. | # from accessing. | ||
- | @@ -241,14 +241,14 @@ | + | @@ -241,14 +254,14 @@ |
# synapse to issue arbitrary GET requests to your internal services, | # synapse to issue arbitrary GET requests to your internal services, | ||
# causing serious security issues. | # causing serious security issues. | ||
Zeile 1805: | Zeile 1920: | ||
# to access even if they are specified in url_preview_ip_range_blacklist. | # to access even if they are specified in url_preview_ip_range_blacklist. | ||
# This is useful for specifying exceptions to wide-ranging blacklisted | # This is useful for specifying exceptions to wide-ranging blacklisted | ||
- | @@ -322,10 +322,10 @@ | + | @@ -322,10 +335,10 @@ |
## Turn ## | ## Turn ## | ||
- | + | ||
# The public URIs of the TURN server to give to clients | # The public URIs of the TURN server to give to clients | ||
-turn_uris: [] | -turn_uris: [] | ||
+turn_uris: [ " | +turn_uris: [ " | ||
- | + | ||
# The shared secret used to compute passwords for the TURN server | # The shared secret used to compute passwords for the TURN server | ||
-turn_shared_secret: | -turn_shared_secret: | ||
- | +turn_shared_secret: | + | +turn_shared_secret: |
- | + | ||
# The Username and password if the TURN server needs them and | # The Username and password if the TURN server needs them and | ||
# does not use a token | # does not use a token | ||
- | @@ -346,7 +346,7 @@ | + | @@ -346,7 +359,7 @@ |
## Registration ## | ## Registration ## | ||
- | + | ||
# Enable registration for new users. | # Enable registration for new users. | ||
-enable_registration: | -enable_registration: | ||
+enable_registration: | +enable_registration: | ||
- | + | ||
# If set, allows registration by anyone who also has the shared | # If set, allows registration by anyone who also has the shared | ||
# secret, even if registration is otherwise disabled. | # secret, even if registration is otherwise disabled. | ||
- | @@ -360,7 +360,7 @@ | + | @@ -360,7 +373,7 @@ |
# Allows users to register as guests without a password/ | # Allows users to register as guests without a password/ | ||
# participate in rooms hosted on this server which have been made | # participate in rooms hosted on this server which have been made | ||
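Review bot: `turn_shared_secret` here has to be identical to `static-auth-secret` in the turnserver.conf hunk above (which on this page still shows the `[your secret key here]` placeholder); with `use-auth-secret` set, a mismatch does not produce a configuration error but makes every TURN allocation fail with 401, so note on the page that the two values are kept in sync. Leaving the real secret out of the wiki, as done, is correct.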
Zeile 1833: | Zeile 1948: | ||
-allow_guest_access: | -allow_guest_access: | ||
+allow_guest_access: | +allow_guest_access: | ||
- | + | ||
# The list of identity servers trusted to verify third party | # The list of identity servers trusted to verify third party | ||
# identifiers by this server. | # identifiers by this server. | ||
- | @@ -461,7 +461,8 @@ | + | @@ -388,7 +401,9 @@ |
+ | |||
+ | |||
+ | # A list of application service config file to use | ||
+ | -app_service_config_files: | ||
+ | +# | ||
+ | +## deactivated by maddi | ||
+ | +app_service_config_files: | ||
+ | |||
+ | |||
+ | | ||
+ | @@ -402,7 +417,7 @@ | ||
+ | | ||
+ | |||
+ | # The keys that the server used to sign messages with but won't use | ||
+ | -# to sign new messages. E.g. it has lost its private key | ||
+ | +# to sign new messages. dE.g. it has lost its private key | ||
+ | | ||
+ | # | ||
+ | # | ||
+ | @@ -461,7 +476,8 @@ | ||
enabled: true | enabled: true | ||
# Uncomment and change to a secret random string for extra security. | # Uncomment and change to a secret random string for extra security. | ||
# DO NOT CHANGE THIS AFTER INITIAL SETUP! | # DO NOT CHANGE THIS AFTER INITIAL SETUP! | ||
- # | - # | ||
- | + | + | + |
- | + | + | |
- | + | ||
- | + | ||
- | @@ -473,20 +474,20 @@ | + | |
+ | @@ -473,20 +489,20 @@ | ||
# If your SMTP server requires authentication, | # If your SMTP server requires authentication, | ||
# smtp_pass variables should be used | # smtp_pass variables should be used | ||
Zeile 1868: | Zeile 2004: | ||
+ | + | ||
+ | + | ||
- | + | + | + |
+ | + | ||
+ | + | ||
+ | + | ||
- | + | + | + |
+ | + | ||
+ | + | ||
Zeile 1878: | Zeile 2014: | ||
+ | + | ||
+ | |||
+ | # password_providers: | ||
</ | </ | ||
+ | < | ||
+ | |||
+ | version: 1 | ||
+ | |||
+ | formatters: | ||
+ | precise: | ||
+ | | ||
+ | |||
+ | filters: | ||
+ | context: | ||
+ | (): synapse.util.logcontext.LoggingContextFilter | ||
+ | request: "" | ||
+ | |||
+ | handlers: | ||
+ | file: | ||
+ | class: logging.handlers.RotatingFileHandler | ||
+ | formatter: precise | ||
+ | filename: / | ||
+ | maxBytes: 104857600 | ||
+ | backupCount: | ||
+ | filters: [context] | ||
+ | console: | ||
+ | class: logging.StreamHandler | ||
+ | formatter: precise | ||
+ | filters: [context] | ||
+ | |||
+ | loggers: | ||
+ | synapse: | ||
+ | level: INFO | ||
+ | |||
+ | synapse.storage.SQL: | ||
+ | # beware: increasing this to DEBUG will make synapse log sensitive | ||
+ | # information such as access tokens. | ||
+ | level: INFO | ||
+ | |||
+ | root: | ||
+ | level: INFO | ||
+ | handlers: [file] | ||
+ | # handlers: [file, console] | ||
+ | </ | ||
< | < | ||
[Unit] | [Unit] | ||
Zeile 1920: | Zeile 2098: | ||
</ | </ | ||
- | === Matrix IRC Bridge === | + | ==== Matrix IRC Bridge |
* curl -sL https:// | * curl -sL https:// | ||
Zeile 2298: | Zeile 2476: | ||
</ | </ | ||
+ | * matrix-appservice-irc -r -f ircbridge_registration.yaml -u " | ||
* systemctl enable matrix-irc-bridge.service | * systemctl enable matrix-irc-bridge.service | ||
* systemctl start matrix-irc-bridge.service | * systemctl start matrix-irc-bridge.service | ||
- | === Externe Synapse Dokumentation === | + | ==== Upgrade zu Postgres ==== |
+ | * wget -q https:// | ||
+ | * echo deb http:// | ||
+ | * apt update | ||
+ | * apt install postgresql-10 postgresql-client-10 libpq-dev | ||
+ | * sudo -u postgres createuser -e synapse | ||
+ | * sudo -u postgres psql -c " | ||
+ | * service synapse stop | ||
+ | * cp -a / | ||
+ | * cp -a / | ||
+ | |||
+ | < | ||
+ | [...] | ||
+ | |||
+ | # Database configuration | ||
+ | database: | ||
+ | # The database engine name | ||
+ | name: " | ||
+ | # Arguments to pass to the engine | ||
+ | args: | ||
+ | database: synapse | ||
+ | cp_min: 5 | ||
+ | cp_max: 25 | ||
+ | |||
+ | [...] | ||
+ | </ | ||
+ | |||
+ | * service synapse start | ||
+ | * sudo -u synapse bash | ||
+ | * source ~/ | ||
+ | * pip install psycopg2 | ||
+ | * cd ~/ | ||
+ | * synapse_port_db --sqlite-database homeserver.db.snapshot --postgres-config homeserver-postgres.yaml | ||
+ | * (as root) service synapse stop | ||
+ | * synapse_port_db --sqlite-database homeserver.db --postgres-config homeserver-postgres.yaml | ||
+ | * mv homeserver.yaml{, | ||
+ | * mv homeserver{-postgres, | ||
+ | * mv homeserver.db{, | ||
+ | * exit | ||
+ | * service synapse start | ||
+ | |||
+ | |||
+ | Es wurde https:// | ||
+ | |||
+ | ==== Externe Synapse Dokumentation | ||
* https:// | * https:// | ||
* https:// | * https:// | ||
* https:// | * https:// | ||
- | ==== users.bytespeicher.org ==== | + | ===== users.bytespeicher.org |
< | < | ||
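Review bot: the PostgreSQL repository is added with `echo deb http://...` while the signing key is fetched with `wget -q https://...`; apt's signature check protects integrity either way, but the repository line should use https as well. The `sudo -u postgres psql -c "..."` that creates the database is cut off here; Synapse requires the database to be created with `LC_COLLATE='C'` and `LC_CTYPE='C'`, so that should be visible in the command. The two-pass `synapse_port_db` sequence (port the snapshot while Synapse runs, stop, port the live `homeserver.db`, swap the yaml files) is the documented approach and looks complete.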
Zeile 2328: | Zeile 2551: | ||
</ | </ | ||
- | ===== Datensicherung ===== | + | ====== Datensicherung |
Die Datensicherung erfolgt verschlüsselt auf einen Server von [[user: | Die Datensicherung erfolgt verschlüsselt auf einen Server von [[user: | ||
Zeile 2454: | Zeile 2677: | ||
30 2 * * * | 30 2 * * * | ||
</ | </ | ||
+ | |||
+ | ====== Postfächer und Forward-Konten ====== | ||
+ | |||
+ | Als Mailserver wird Postfix eingesetzt. | ||
+ | Aliase für Forwarding-Postfächer werden in der Datei ''/ | ||
+ | |||
+ | [mehr Dokumentation nötig…] | ||
+ | |||
+ | |||
+ | ===== Postfach anlegen ==== | ||
+ | |||
+ | mit '' | ||
+ | |||
+ | Passwort-Hash mit FQDN-Mail in / | ||
+ | |||
+ | |||
+ | in den mail-ordner Wechsel und Postfach-Ordner anlegen und Besitzer sowie Rechte anpassen | ||
+ | |||
+ | |||
+ | '' | ||
+ | |||
+ | '' | ||
+ | |||
+ | '' | ||
+ | |||
+ | |||
+ | |||
+ |
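Review bot: the heading `===== Postfach anlegen ====` has five `=` on the left and four on the right; DokuWiki takes the level from the opening run, so it still renders at level 2, but the mismatch is easy to miscount later and should be made `=====` on both sides like the other subsection headings in this revision. The section also still carries the `[mehr Dokumentation nötig…]` placeholder; at minimum the tool used for the password hash and the alias file path should be stated so the procedure can be reproduced.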