dienste:bytecluster0001

dienste:bytecluster0001 [05.06.2017 18:41] – turnserver-config mape2k
dienste:bytecluster0001 [03.05.2020 17:51] (current) – Limit raised to 20MB mape2k
Zeile 1: Zeile 1:
-====== bytecluster0001 ======+======= bytecluster0001 =======
  
-bytecluster0001 ist ein virtueller Server, der Kommunikationsdienste für den Verein bereitstellt. Der Server wurde von der Firma Hetzner Online GmbH dankenswerter Weise zur Verfügung gestellt.+bytecluster0001 ist ein virtueller Server, der Kommunikationsdienste für den Verein bereitstellt.
  
-===== Administratoren =====+====== Administratoren ======
  
   * [[user:mape2k]]   * [[user:mape2k]]
   * [[user:mkzero:]]   * [[user:mkzero:]]
   * [[user:suicider]]   * [[user:suicider]]
 +  * [[user:hipposen:start|hipposen]]
  
-===== Benutzer =====+====== Benutzer ======
  
   * Bernd (Webseiten)   * Bernd (Webseiten)
  
-===== IPs /DNS =====+====== IPs /DNS ======
  
   * bytecluster0001.bytespeicher.org   * bytecluster0001.bytespeicher.org
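Review bot: adding one `=` to every heading promotes each section by one level rather than deepening the hierarchy. DokuWiki's documented range is ====== (H1) down to == (H5), so the former H2 sections such as `====== Administratoren ======` now render as H1 next to the page title, and the title itself with seven signs is outside the documented syntax. If the goal was more room for sub-sections, reduce the signs on the sub-sections instead of adding one everywhere.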
Zeile 19: Zeile 20:
     * 2a01:4f8:c17:1214::2     * 2a01:4f8:c17:1214::2
  
-===== Installation =====+====== Installation ======
  
   * Debian 8.2 minimal   * Debian 8.2 minimal
  
-==== User / Gruppen ====+===== User / Gruppen =====
  
   * mkzero -> sudo   * mkzero -> sudo
   * marcel -> sudo   * marcel -> sudo
 +  * maddi -> sudo
   * stephan -> sudo   * stephan -> sudo
   * bernd -> sudo für www-data   * bernd -> sudo für www-data
Zeile 36: Zeile 38:
   * ffapi   * ffapi
   * synapse   * synapse
-==== Pakete ====+===== Pakete =====
  
   * zsh   * zsh
Zeile 46: Zeile 48:
   * debian-goodies   * debian-goodies
  
-==== Netzwerk ==== +===== Netzwerk ===== 
-=== Skript für IPv6-Adressen (benötigt für Matrix-IRC-Bridge) ===+==== Skript für IPv6-Adressen (benötigt für Matrix-IRC-Bridge) ====
 <file|/usr/local/bin/manage_ipv6_addresses.sh> <file|/usr/local/bin/manage_ipv6_addresses.sh>
 #!/bin/bash #!/bin/bash
Zeile 64: Zeile 66:
   * //**chmod +x /usr/local/bin/manage_ipv6_addresses.sh**//   * //**chmod +x /usr/local/bin/manage_ipv6_addresses.sh**//
  
-=== Konfiguration ===+==== Konfiguration ====
  
 <file|/etc/network/interfaces> <file|/etc/network/interfaces>
Zeile 84: Zeile 86:
 </file> </file>
  
-==== Konfiguration SSH ====+===== Konfiguration SSH =====
  
   * HostKey DSA entfernt   * HostKey DSA entfernt
Zeile 101: Zeile 103:
 </file> </file>
  
-==== SUDO ====+===== SUDO =====
  
   * Administrative Benutzer sind Mitglied der Gruppe "sudo"   * Administrative Benutzer sind Mitglied der Gruppe "sudo"
  
-==== IPTABLES ====+===== IPTABLES =====
  
   * iptables-persistent   * iptables-persistent
Zeile 126: Zeile 128:
 # Localhorst # Localhorst
 -A INPUT -s 127.0.0.0/8 -j ACCEPT -A INPUT -s 127.0.0.0/8 -j ACCEPT
 +
 +# Turnserver
 +-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
 +-A INPUT -p udp -m udp --dport 5349 -j ACCEPT
 +-A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT
  
 # SSH / mosh # SSH / mosh
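Review bot: the three TURN rules open UDP only. coturn also listens on TCP 3478 and, for TURNS on 5349, on TCP unless `no-tcp` is set, so clients that fall back to TURN over TCP (the usual case behind restrictive NATs) cannot reach the relay; either add matching `-A INPUT -p tcp -m tcp --dport 3478 -j ACCEPT` and `--dport 5349` rules or disable TCP in turnserver.conf on purpose. The relay range 49152:59999 also has to agree with `min-port`/`max-port` in turnserver.conf; coturn's default upper bound is 65535, so allocations above 59999 would be silently filtered. The same applies to the ip6tables copy of these rules below.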
Zeile 146: Zeile 153:
 -A INPUT -p tcp --dport 4190 -j ACCEPT -A INPUT -p tcp --dport 4190 -j ACCEPT
  
 +# Matrix
 +-A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT
 +-A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT
 COMMIT COMMIT
 </file> </file>
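Review bot: 8448 (federation) has to be reachable, but 8008 is synapse's plaintext client-server listener, and the erfurt.chat vhost further down already proxies `/_matrix` through nginx on 443. Accepting 8008 from anywhere exposes the unencrypted client API directly; unless a client depends on it, drop `-A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT` (or bind that listener to 127.0.0.1 in homeserver.yaml). Same for the ip6tables rule below.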
Zeile 165: Zeile 175:
 # Garbage # Garbage
 -A INPUT -m state --state INVALID -j DROP -A INPUT -m state --state INVALID -j DROP
 +
 +# Turnserver
 +-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
 +-A INPUT -p udp -m udp --dport 5349 -j ACCEPT
 +-A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT
  
 # SSH / mosh # SSH / mosh
Zeile 185: Zeile 200:
 -A INPUT -p tcp --dport 4190 -j ACCEPT -A INPUT -p tcp --dport 4190 -j ACCEPT
  
 +# Matrix
 +-A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT
 +-A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT
 COMMIT COMMIT
 </file> </file>
  
-==== MySQL/MariaDB ====+===== MySQL/MariaDB =====
  
   * mariadb-server   * mariadb-server
Zeile 230: Zeile 248:
 </file> </file>
  
-==== NGINX ====+===== NGINX =====
  
   * nginx   * nginx
  
 +<file|/etc/nginx/conf.d/ssl.conf>
 +ssl_protocols TLSv1.2;
 +ssl_prefer_server_ciphers on;
 +
 +ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!AES128";
 +ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
 +
 +ssl_session_cache shared:SSL:10m;
 +ssl_session_timeout 10m;
 +
 +ssl_session_tickets off; # Requires nginx >= 1.5.9
 +ssl_stapling on; # Requires nginx >= 1.3.7
 +ssl_stapling_verify on; # Requires nginx => 1.3.7
 +
 +#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
 +add_header X-Frame-Options DENY;
 +add_header X-Content-Type-Options nosniff;
 +
 +resolver 213.133.98.98 213.133.99.99 valid=300s;
 +resolver_timeout 5s;
 +</file>
 <file|/etc/nginx/patch> <file|/etc/nginx/patch>
-diff -Naur /etc/nginx.dist/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf 
---- /etc/nginx.dist/conf.d/ssl.conf 1970-01-01 01:00:00.000000000 +0100 
-+++ /etc/nginx/conf.d/ssl.conf 2015-11-04 22:41:34.269315957 +0100 
-@@ -0,0 +1,12 @@ 
-+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; 
-+ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-+ssl_prefer_server_ciphers on; 
-+ssl_session_cache shared:SSL:10m; 
-+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; 
-+add_header X-Frame-Options DENY; 
-+add_header X-Content-Type-Options nosniff; 
-+ssl_session_tickets off; # Requires nginx >= 1.5.9 
-+ssl_stapling on; # Requires nginx >= 1.3.7 
-+ssl_stapling_verify on; # Requires nginx => 1.3.7 
-+resolver 213.133.98.98 213.133.99.99 valid=300s; 
-+resolver_timeout 5s; 
 diff -Naur /etc/nginx.dist/nginx.conf /etc/nginx/nginx.conf diff -Naur /etc/nginx.dist/nginx.conf /etc/nginx/nginx.conf
 --- /etc/nginx.dist/nginx.conf 2014-12-01 12:12:00.000000000 +0100 --- /etc/nginx.dist/nginx.conf 2014-12-01 12:12:00.000000000 +0100
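Review bot: the `add_header` lines in the new /etc/nginx/conf.d/ssl.conf will not reach the site blocks below. nginx inherits `add_header` from the enclosing level only when the current level defines none, and every server block on this page still sets its own Strict-Transport-Security and X-Frame-Options headers, so `X-Frame-Options DENY` and `X-Content-Type-Options nosniff` from the http context are ignored there; since the same revision also deletes the per-site `add_header X-Content-Type-Options nosniff;` lines, nosniff is effectively gone everywhere. Either keep nosniff in each server block or move all `add_header` directives to the http level and none into the servers. The `ssl_*` directives are fine to centralise this way; they are inherited normally, and the switch to `ssl_protocols TLSv1.2;` is an improvement over the old `TLSv1 TLSv1.1 TLSv1.2`. Minor: `# Requires nginx => 1.3.7` on the `ssl_stapling_verify` line should read `>=`.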
Zeile 276: Zeile 299:
 </file> </file>
  
-==== Let's Encrypt (SSL-Zertifikate) ====+===== Let's Encrypt (SSL-Zertifikate) =====
  
 === Installation === === Installation ===
Zeile 320: Zeile 343:
     # Reload NGINX     # Reload NGINX
     sudo /bin/systemctl reload nginx.service     sudo /bin/systemctl reload nginx.service
 +
 +    # Copy erfurt.chat-Certificate/Key to synapse-directory
 +    if [ ${DOMAIN} = "erfurt.chat" ]; then
 +      cp -L ${KEYFILE} /home/synapse/ssl/
 +      cp -L ${CERTFILE} /home/synapse/ssl/
 +      cp -L ${FULLCHAINFILE} /home/synapse/ssl/
 +      chgrp synapse /home/synapse/ssl/*.pem
 +      chmod 640 /home/synapse/ssl/*.pem
 +    fi
  
     # Restart Postfix/Dovecot     # Restart Postfix/Dovecot
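Review bot: the new erfurt.chat branch uses unquoted variables. `[ ${DOMAIN} = "erfurt.chat" ]` becomes a syntax error if DOMAIN is ever empty, and a path with spaces would split; use `[ "${DOMAIN}" = "erfurt.chat" ]` and `cp -L "${KEYFILE}" /home/synapse/ssl/` (same for CERTFILE and FULLCHAINFILE). The cron entry in the next hunk runs this script as the letsencrypt user, so `chgrp synapse` only succeeds because that user is added to the synapse group in the Matrix/Synapse section; a comment here stating that dependency would keep it from being lost.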
Zeile 345: Zeile 377:
 23 4 * * *     letsencrypt  /home/letsencrypt/letsencrypt.sh/letsencrypt.sh -c > /home/letsencrypt/letsencrypt.log 2>&1 23 4 * * *     letsencrypt  /home/letsencrypt/letsencrypt.sh/letsencrypt.sh -c > /home/letsencrypt/letsencrypt.log 2>&1
 </file> </file>
-=== Verwendung des Let'sEncrypt Client für eine neue Domain ===+=== Verwendung des LetsEncrypt Client für eine neue Domain ===
  
 Pro Zertifikat können mehrere Domains/Subdomains integriert werden. Diese müssen in der domains.txt in einer Zeile stehen. Pro Zertifikat können mehrere Domains/Subdomains integriert werden. Diese müssen in der domains.txt in einer Zeile stehen.
Zeile 371: Zeile 403:
   ...   ...
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;   add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff; 
  
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
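Review bot: this server block drops `add_header X-Content-Type-Options nosniff;` while keeping its own Strict-Transport-Security and X-Frame-Options `add_header` lines. Because nginx does not merge `add_header` across levels when the server defines any of its own, the nosniff header from conf.d/ssl.conf does not apply here and the response loses it; keep the nosniff line in the server block. Removing the `ssl_session_*`, `ssl_protocols` and `ssl_ciphers` lines is fine, those are inherited from the http context.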
Zeile 387: Zeile 411:
   ssl_dhparam /etc/ssl/example.org/dhparam.pem;   ssl_dhparam /etc/ssl/example.org/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
   ...   ...
Zeile 396: Zeile 418:
     * **//systemctl reload nginx.service//**     * **//systemctl reload nginx.service//**
  
-==== PHP ====+===== User-Agent-Filter ===== 
 +<file|/etc/nginx/snippets/filter_useragents.conf> 
 +### Block Mastodon 
 +if ($http_user_agent ~* (Mastodon)) { 
 +    return 403; 
 +
 +</file> 
 +===== PHP =====
  
   * php5-fpm   * php5-fpm
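Review bot: the `if ($http_user_agent ~* (Mastodon)) { return 403;` block has no closing `}` in the snippet as shown, so `nginx -t` would reject every server that includes snippets/filter_useragents.conf; add the brace before `</file>`. `return` inside `if` is one of the safe uses of that directive, so the construct itself is fine. Note that Mastodon's link-preview fetcher identifies itself with "Mastodon" in the user agent as well, so posts linking to these sites will show no preview card; if that is the intent, say so in the comment.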
Zeile 417: Zeile 446:
 post_max_size = 64M post_max_size = 64M
 </file> </file>
-==== Ruby ====+===== Ruby =====
  
   * ruby   * ruby
  
-==== Bytebot ====+===== Bytebot =====
  
 Pakete: Pakete:
Zeile 465: Zeile 494:
   * //**systemctl start bytebot.service**//   * //**systemctl start bytebot.service**//
  
-==== Twitterstatus / Twitterstatus Makerspace ====+===== Twitterstatus / Twitterstatus Makerspace =====
  
 Die Anleitung ist für "twitterstatus". Die Einrichtung von "twitterstatus-ms" erfolgt Die Anleitung ist für "twitterstatus". Die Einrichtung von "twitterstatus-ms" erfolgt
Zeile 529: Zeile 558:
 </code> </code>
  
-==== Freifunk-API ====+===== Freifunk-API =====
  
 === Pakete === === Pakete ===
Zeile 581: Zeile 610:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;   add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff; 
  
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/api.erfurt.freifunk.net/fullchain.pem;   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/api.erfurt.freifunk.net/fullchain.pem;
Zeile 597: Zeile 618:
   ssl_dhparam /etc/ssl/api.erfurt.freifunk.net/dhparam.pem;   ssl_dhparam /etc/ssl/api.erfurt.freifunk.net/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/api.erfurt.freifunk.net/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/api.erfurt.freifunk.net/fullchain.pem;
  
Zeile 635: Zeile 654:
   * //**systemctl reload nginx**//   * //**systemctl reload nginx**//
  
-==== paste.bytespeicher.org ====+===== paste.bytespeicher.org =====
  
   * Datenbank: bs_paste   * Datenbank: bs_paste
Zeile 656: Zeile 675:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
Zeile 670: Zeile 682:
   ssl_dhparam /etc/ssl/paste.bytespeicher.org/dhparam.pem;   ssl_dhparam /etc/ssl/paste.bytespeicher.org/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/paste.bytespeicher.org/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/paste.bytespeicher.org/fullchain.pem;
  
Zeile 700: Zeile 710:
 </file> </file>
  
-==== bytespeicher.org ====+===== bytespeicher.org =====
  
   * Datenbank: wp_bs   * Datenbank: wp_bs
Zeile 712: Zeile 722:
  server_name www.bytespeicher.org staging.bytespeicher.org bytespeicher.org radio.bytespeicher.org;  server_name www.bytespeicher.org staging.bytespeicher.org bytespeicher.org radio.bytespeicher.org;
  
 + include snippets/filter_useragents.conf;
  include snippets/letsencrypt.conf;  include snippets/letsencrypt.conf;
  
Zeile 729: Zeile 740:
  
  server_name www.bytespeicher.org;  server_name www.bytespeicher.org;
 +
 + include snippets/filter_useragents.conf;
  
  ssl on;  ssl on;
- 
- ssl_session_cache shared:SSL:10m; 
- ssl_session_timeout 10m; 
- 
- ssl_prefer_server_ciphers on; 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
  add_header Strict-Transport-Security "max-age=31536000";  add_header Strict-Transport-Security "max-age=31536000";
  add_header X-Frame-Options SAMEORIGIN;  add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff; 
  
  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
Zeile 747: Zeile 752:
  ssl_dhparam /etc/ssl/bytespeicher.org/bytespeicher.org.pem;  ssl_dhparam /etc/ssl/bytespeicher.org/bytespeicher.org.pem;
  
- ssl_stapling on; 
- ssl_stapling_verify on; 
  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
  
Zeile 764: Zeile 767:
  
  ssl on;  ssl on;
- 
- ssl_session_cache shared:SSL:10m; 
- ssl_session_timeout 10m; 
- 
- ssl_prefer_server_ciphers on; 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
  add_header Strict-Transport-Security "max-age=31536000";  add_header Strict-Transport-Security "max-age=31536000";
  add_header X-Frame-Options SAMEORIGIN;  add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff; + 
  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/privkey.pem;  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/privkey.pem;
  ssl_dhparam /etc/ssl/bytespeicher.org/bytespeicher.org.pem;  ssl_dhparam /etc/ssl/bytespeicher.org/bytespeicher.org.pem;
  
- ssl_stapling on; 
- ssl_stapling_verify on; 
  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
  
Zeile 837: Zeile 830:
 </file> </file>
  
-==== status.bytespeicher.org ====+===== status.bytespeicher.org =====
  
   * **//useradd spacestatus -m -G www-data//**   * **//useradd spacestatus -m -G www-data//**
   * **//sudo -u spacestatus /bin/bash//**   * **//sudo -u spacestatus /bin/bash//**
   * **//cd ~//**   * **//cd ~//**
-  * **//git clone https:/ /github.com/Bytespeicher/space-status//**+  * **//<nowiki>git clone https://github.com/Bytespeicher/space-status</nowiki>//**
   * **//mkdir www//**   * **//mkdir www//**
   * **//virtualenv env//**   * **//virtualenv env//**
Zeile 901: Zeile 894:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;   add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff+  add_header Access-Control-Allow-Origin *
 +  
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/fullchain.pem;   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/fullchain.pem;
   ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/privkey.pem;   ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/privkey.pem;
   ssl_dhparam /etc/ssl/status.bytespeicher.org/dhparam.pem;   ssl_dhparam /etc/ssl/status.bytespeicher.org/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/fullchain.pem;
 } }
 </file> </file>
  
-==== makerspace-erfurt.de / fablab-erfurt.de ====+===== makerspace-erfurt.de / fablab-erfurt.de =====
  
   * Datenbank: makerspace_wp   * Datenbank: makerspace_wp
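Review bot: in the status.bytespeicher.org block, `add_header Access-Control-Allow-Origin *` as shown has no terminating `;`, which nginx -t would reject; verify the actual file. A wildcard origin is acceptable for this endpoint because it serves public, read-only status data without credentials, but it replaces the `X-Content-Type-Options nosniff` header instead of being added next to it; keep both lines.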
Zeile 946: Zeile 930:
  
  ssl on;  ssl on;
- 
- ssl_session_cache shared:SSL:10m; 
- ssl_session_timeout 10m; 
- 
- ssl_prefer_server_ciphers on; 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
  add_header Strict-Transport-Security "max-age=31536000";  add_header Strict-Transport-Security "max-age=31536000";
  add_header X-Frame-Options SAMEORIGIN;  add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff; + 
  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/fullchain.pem;  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/fullchain.pem;
  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/privkey.pem;  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/privkey.pem;
  ssl_dhparam /etc/ssl/makerspace-erfurt.de/dhparam.pem;  ssl_dhparam /etc/ssl/makerspace-erfurt.de/dhparam.pem;
  
- ssl_stapling on; 
- ssl_stapling_verify on; 
  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/fullchain.pem;  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/fullchain.pem;
  
Zeile 1004: Zeile 978:
 </file> </file>
  
-==== cloud.technikkultur-erfurt.de (Owncloud) ====+===== cloud.technikkultur-erfurt.de (Nextcloud=====
  
   * Datenbank: makerspace_oc   * Datenbank: makerspace_oc
Zeile 1025: Zeile 999:
  
  ssl on;  ssl on;
- 
- ssl_session_cache shared:SSL:10m; 
- ssl_session_timeout 10m; 
- 
- ssl_prefer_server_ciphers on; 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/cloud.technikkultur-erfurt.de/fullchain.pem;  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/cloud.technikkultur-erfurt.de/fullchain.pem;
Zeile 1037: Zeile 1004:
  ssl_dhparam /etc/ssl/cloud.technikkultur-erfurt.de/dhparam.pem;  ssl_dhparam /etc/ssl/cloud.technikkultur-erfurt.de/dhparam.pem;
  
- ssl_stapling on; 
- ssl_stapling_verify on; 
  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/cloud.technikkultur-erfurt.de/fullchain.pem;  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/cloud.technikkultur-erfurt.de/fullchain.pem;
  
Zeile 1147: Zeile 1112:
 </file> </file>
  
-==== Redmine ====+===== Redmine =====
  
   * Datenbank: redmine   * Datenbank: redmine
Zeile 1268: Zeile 1233:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
Zeile 1282: Zeile 1240:
   ssl_dhparam /etc/ssl/redmine.bytespeicher.org/dhparam.pem;   ssl_dhparam /etc/ssl/redmine.bytespeicher.org/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/redmine.bytespeicher.org/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/redmine.bytespeicher.org/fullchain.pem;
  
Zeile 1302: Zeile 1258:
 </file> </file>
  
-==== Dokuwiki ====+===== Dokuwiki =====
  
   * DocumentRoot: /var/www/technikkultur-erfurt.de/public_html   * DocumentRoot: /var/www/technikkultur-erfurt.de/public_html
Zeile 1315: Zeile 1271:
   listen [::]:443 ssl;   listen [::]:443 ssl;
  
 +  include snippets/filter_useragents.conf;
   include snippets/letsencrypt.conf;   include snippets/letsencrypt.conf;
  
Zeile 1328: Zeile 1285:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
Zeile 1342: Zeile 1292:
   ssl_dhparam /etc/ssl/example.org/dhparam.pem;   ssl_dhparam /etc/ssl/example.org/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
  
-  # Maximum file upload size is 4MB - change accordingly if needed +  # Maximum file upload size is 20MB - change accordingly if needed 
-  client_max_body_size 4M;+  client_max_body_size 20M;
   client_body_buffer_size 128k;   client_body_buffer_size 128k;
    
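Review bot: raising `client_max_body_size` to 20M only lifts the nginx limit. Uploads are also bounded by PHP's `upload_max_filesize` and `post_max_size`; the PHP section shows `post_max_size = 64M`, so that side already allows 20 MB, but `upload_max_filesize` is not shown and should be checked to be at least 20M as well. Keeping the comment in sync with the value (done here) is good practice.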
Zeile 1378: Zeile 1326:
 </file> </file>
  
-==== Pad ====+===== Pad =====
  
   * Software: Etherpad-lite   * Software: Etherpad-lite
Zeile 1423: Zeile 1371:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
Zeile 1437: Zeile 1378:
   ssl_dhparam /etc/ssl/pad.technikkultur-erfurt.de/dhparam.pem;   ssl_dhparam /etc/ssl/pad.technikkultur-erfurt.de/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /etc/ssl/pad.technikkultur-erfurt.de/pad.technikkultur-erfurt.de.pem;   ssl_trusted_certificate /etc/ssl/pad.technikkultur-erfurt.de/pad.technikkultur-erfurt.de.pem;
  
Zeile 1502: Zeile 1441:
   * https://github.com/ether/etherpad-lite/wiki/Manipulating-the-database   * https://github.com/ether/etherpad-lite/wiki/Manipulating-the-database
  
-==== wall.technikkultur-erfurt.de ====+===== wall.technikkultur-erfurt.de =====
  
   * Config: /var/www/wall.technikkultur-erfurt.de/config.php   * Config: /var/www/wall.technikkultur-erfurt.de/config.php
Zeile 1525: Zeile 1464:
 </file> </file>
  
-==== Piwik ====+===== opendata.bytespeicher.org ===== 
 + 
 +  * Webspace: /var/www/opendata.bytepseicher.org/public_html 
 +  
 +<file|/etc/nginx/sites-available/opendata.bytespeicher.org> 
 +server { 
 +  listen 80; 
 +  listen [::]:80; 
 + 
 +  listen 443 ssl; 
 +  listen [::]:443 ssl; 
 + 
 +  include snippets/letsencrypt.conf; 
 + 
 +  root /var/www/opendata.bytespeicher.org/public_html; 
 + 
 +  index index.html; 
 + 
 +  server_name opendata.bytespeicher.org; 
 + 
 +  location / { 
 +    try_files $uri $uri/ =404; 
 +  } 
 + 
 +  # PHP 
 +  location ~ \.php$ { 
 +    fastcgi_pass   unix:/var/run/php5-fpm.sock; 
 +    include         fastcgi_params; 
 +    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
 +    fastcgi_param REDIRECT_STATUS 200; 
 +  } 
 + 
 +  ssl on; 
 + 
 +  # Use SSL as default 
 +  # if ($scheme != "https") { 
 +  #   rewrite ^ https://$host$uri permanent; 
 +  # } 
 +  # add_header Strict-Transport-Security "max-age=31536000"; 
 + 
 +  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/opendata.bytespeicher.org/fullchain.pem; 
 +  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/opendata.bytespeicher.org/privkey.pem; 
 + 
 +  ssl_dhparam /etc/ssl/opendata.bytespeicher.org/dhparam.pem; 
 + 
 +  ssl_stapling on; 
 +  ssl_stapling_verify on; 
 +  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/opendata.bytespeicher.org/fullchain.pem; 
 + 
 +  # Security options 
 +  add_header X-Frame-Options SAMEORIGIN; 
 +  add_header X-Content-Type-Options nosniff; 
 +  add_header Access-Control-Allow-Origin *; 
 +
 +</file> 
 + 
 +===== Piwik =====
  
   * Datenbank: bs_piwik   * Datenbank: bs_piwik
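Review bot: three points on the new opendata.bytespeicher.org vhost. First, the Webspace bullet says `/var/www/opendata.bytepseicher.org/public_html` while `root` says `/var/www/opendata.bytespeicher.org/public_html`; the bullet has a typo. Second, `ssl on;` together with `listen 80;` in the same server is the classic cause of "The plain HTTP request was sent to HTTPS port" on port 80, since `ssl on` applies to every socket this server is the default for, whereas the `ssl` parameter on `listen 443 ssl` already marks only the TLS listener; drop `ssl on;` (obsolete since nginx 1.15.0). Third, the `location ~ \.php$` block hands every `*.php` URI to php-fpm without checking that the file exists; add `try_files $uri =404;` inside it so non-existent paths are answered by nginx rather than passed on.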
Zeile 1549: Zeile 1544:
 </file> </file>
  
-==== Roundcube ====+===== Roundcube =====
  
   * Datenbank: roundcubemail   * Datenbank: roundcubemail
Zeile 1607: Zeile 1602:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;   add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff; +  
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/fullchain.pem;   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/fullchain.pem;
   ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/privkey.pem;   ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/privkey.pem;
   ssl_dhparam /etc/ssl/mail.bytespeicher.org/dhparam.pem;   ssl_dhparam /etc/ssl/mail.bytespeicher.org/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/fullchain.pem;
  
   root /var/www/mail.bytespeicher.org/;   root /var/www/mail.bytespeicher.org/;
 +
 +  client_max_body_size 64m;
  
   index index.php index.html;   index index.php index.html;
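Review bot: `client_max_body_size 64m;` matches `post_max_size = 64M` in the PHP section, but attachment uploads are additionally capped by PHP's `upload_max_filesize`, which is not shown on this page; check it, otherwise the nginx limit is never reached.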
Zeile 1674: Zeile 1661:
   * //**rm -rf /var/www/mail.bytespeicher.org/installer/**//   * //**rm -rf /var/www/mail.bytespeicher.org/installer/**//
  
-==== Matrix/Synapse ====+===== Matrix/Synapse =====
  
   * useradd -m synapse   * useradd -m synapse
   * apt-get install build-essential python2.7-dev libffi-dev python-pip python-setuptools sqlite3 libssl-dev python-virtualenv libjpeg-dev libxslt1-dev coturn   * apt-get install build-essential python2.7-dev libffi-dev python-pip python-setuptools sqlite3 libssl-dev python-virtualenv libjpeg-dev libxslt1-dev coturn
 +
 +  * mkdir /home/synapse/ssl
 +  * chown synapse:synapse /home/synapse/ssl
 +  * chmod 770 /home/synapse/ssl
 +  * usermod -G synapse letsencrypt
  
 <file|/etc/nginx/sites-enabled/erfurt.chat> <file|/etc/nginx/sites-enabled/erfurt.chat>
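Review bot: `usermod -G synapse letsencrypt` without `-a` replaces the letsencrypt user's supplementary groups with exactly `synapse`, dropping any group it was in before; use `usermod -aG synapse letsencrypt`. The 770 directory with group synapse is consistent with the hook's `chgrp synapse` and `chmod 640` on the copied key and certificate.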
Zeile 1697: Zeile 1689:
   }   }
   root /var/www/erfurt.chat;   root /var/www/erfurt.chat;
 +
 +  client_max_body_size 32m;
  
   location /_matrix {   location /_matrix {
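Review bot: `client_max_body_size 32m;` on erfurt.chat differs from the 64m chosen for the mail vhost above and is only the nginx limit for bodies proxied through `location /_matrix`; the homeserver enforces its own media upload size, which the homeserver.yaml diff on this page never sets, so whichever of the two is lower is the one users actually hit. State which limit is meant to be authoritative and align the other with it.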
Zeile 1704: Zeile 1698:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   # add_header Strict-Transport-Security "max-age=31536000";   # add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;   add_header X-Frame-Options SAMEORIGIN;
-  # add_header X-Content-Type-Options nosniff; +  
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/fullchain.pem;   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/fullchain.pem;
   ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/privkey.pem;   ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/privkey.pem;
   ssl_dhparam /etc/ssl/erfurt.chat/dhparam.pem;   ssl_dhparam /etc/ssl/erfurt.chat/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/fullchain.pem;
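Review bot: deleting `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, `ssl_prefer_server_ciphers on;` and the `ssl_ciphers` list from the erfurt.chat vhost is only an improvement if an `http {}`-level policy now supplies them; nothing in this diff shows one, and without it nginx falls back to its built-in defaults. Retiring that list does get rid of the explicitly enabled 3DES suites (`ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and the non-forward-secret plain `AES*-SHA` entries, which is welcome, so reference the global block that replaces it. As on the mail vhost, `ssl_stapling on;` / `ssl_stapling_verify on;` are removed while `ssl_trusted_certificate` is kept, leaving a directive with nothing to do, and dropping `ssl_session_cache shared:SSL:10m;` means session resumption now depends entirely on the global setting.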
  
Zeile 1770: Zeile 1754:
 <file|/home/synapse/.synapse/homeserver.yaml> <file|/home/synapse/.synapse/homeserver.yaml>
 --- homeserver.yaml.orig 2017-06-05 12:56:46.729514635 +0200 --- homeserver.yaml.orig 2017-06-05 12:56:46.729514635 +0200
-+++ homeserver.yaml 2017-06-05 14:00:36.981444634 +0200 ++++ homeserver.yaml 2018-04-17 13:40:25.760622831 +0200 
-@@ -120,7 +120,7 @@ +@@ -4,10 +4,10 @@ 
-   For when matrix traffic passes through loadbalancer that unwraps TLS+ # autogenerates on launch with your own SSL certificate + key pair 
-   port8008 + # if you like.  Any required intermediary certificates can be 
-     tlsfalse + # appended after the primary certificate in hierarchical order. 
-   bind_addresses: ['0.0.0.0'] +-tls_certificate_path: "/home/synapse/.synapse/erfurt.chat.tls.crt" 
-   bind_addresses: ['127.0.0.1']++tls_certificate_path: "/home/synapse/ssl/fullchain.pem" 
 + 
 + # PEM encoded private key for TLS 
 +-tls_private_key_path: "/home/synapse/.synapse/erfurt.chat.tls.key" 
 ++tls_private_key_path: "/home/synapse/ssl/privkey.pem" 
 + 
 + # PEM dh parameters for ephemeral keys 
 + tls_dh_params_path: "/home/synapse/.synapse/erfurt.chat.tls.dh" 
 +@@ -50,7 +50,7 @@ 
 + pid_file: /home/synapse/.synapse/homeserver.pid 
 + 
 + Whether to serve a web client from the HTTP/HTTPS root resource. 
 +-web_client: True 
 ++web_client: False 
 + 
 + # The root directory to server for the above web client. 
 + # If left undefined, synapse will serve the matrix-angular-sdk web client
 +@@ -59,7 +59,7 @@ 
 + # web_client_location"/path/to/web/root" 
 + 
 + # The public-facing base URL for the client API (not including _matrix/...) 
 +-# public_baseurlhttps://example.com:8448/ 
 ++public_baseurl: https://erfurt.chat:8448/ 
 + 
 + # Set the soft limit on the number of file descriptors synapse can use 
 + # Zero is used to indicate synapse should set the soft limit to the 
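Review bot: `public_baseurl: https://erfurt.chat:8448/` advertises the TLS federation listener as the client-facing base URL, but this page fronts the client API with nginx on 443 (`location /_matrix` in the erfurt.chat vhost) and marks the 8008 listener `x_forwarded: True` for exactly that purpose; any link Synapse derives from public_baseurl, for example in the notification e-mails configured further down this diff, will bypass nginx and hit 8448 directly. Unless clients are meant to use 8448, set it to `https://erfurt.chat/`.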
 +@@ -71,7 +71,9 @@ 
 + 
 + # Set the limit on the returned events in the timeline in the get 
 + # and sync operations. The default value is -1, means no upper limit. 
 +-# filter_timeline_limit: 5000 
 +
 ++## activated by maddi 
 ++filter_timeline_limit: 500 
 + 
 + # List of ports that Synapse should listen on, their purpose and their 
 + # configuration. 
 +@@ -85,11 +87,11 @@ 
 +     # Local addresses to listen on. 
 +     # This will listen on all IPv4 addresses by default. 
 +     bind_addresses: 
 +-      - '0.0.0.0' 
 +     #'0.0.0.0' 
 +       # Uncomment to listen on all IPv6 interfaces 
 +       # N.B: On at least Linux this will also listen on all IPv4 
 +       # addresses, so you will need to comment out the line above. 
 +-      # - '::' 
 ++      - '::' 
 + 
 +     # This is a 'http' listener, allows us to specify 'resources'.
      type: http      type: http
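Review bot: keeping `#'0.0.0.0'` as a comment beside the new `- '::'` is consistent with the adjacent note that `::` also covers IPv4 on Linux, but make it explicit that this is the first listener block (the TLS one on 8448; the 8008 listener is the one changed at `@@ -123` below), so federation is now reachable on every address of the host. That is required for federation to work, but it also means the firewall, not this file, is what limits inbound exposure to 8448 and 443.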
-  +@@ -123,7 +125,7 @@ 
-     x_forwarded: false +     bind_addresses: ['0.0.0.0'
-@@ -231,7 +231,7 @@+     type: http 
 + 
 +-    x_forwarded: false 
 ++    x_forwarded: True 
 + 
 +     resources: 
 +       - names: [client, webclient] 
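Review bot: `x_forwarded: True` on a listener whose context line still reads `bind_addresses: ['0.0.0.0']` lets anyone who can reach port 8008 directly supply X-Forwarded-For and choose the client IP Synapse records and rate-limits on; the earlier revision of this page changed this listener to `['127.0.0.1']` and that change is gone. Bind the 8008 listener to loopback (assuming nginx proxies to it on the same host) or firewall it, so only the reverse proxy can talk to it with x_forwarded enabled. Minor: with `web_client: False` set above, `webclient` in `- names: [client, webclient]` is now unused.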
 +@@ -141,14 +143,18 @@ 
 + # Database configuration 
 + database: 
 +   # The database engine name 
 +-  name: "sqlite3" 
 ++  name: "psycopg2" 
 +   # Arguments to pass to the engine 
 +   args: 
 +-    # Path to the database 
 +-    database: "/home/synapse/.synapse/homeserver.db" 
 ++    #user: synapse 
 ++    database: synapse 
 ++    #host: localhost 
 ++    #password: 
 ++    cp_min: 5 
 ++    cp_max: 25 
 + 
 + # Number of events to cache in memory. 
 +-event_cache_size: "10K" 
 ++event_cache_size: "1K" 
 + 
 + 
 + 
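Review bot: with `#user:`, `#host:` and `#password:` commented out, psycopg2 connects over the local Unix socket and Postgres (Debian default `peer` auth) authenticates the connecting OS user, so this only works if a role named exactly `synapse` exists; the `createuser -e synapse` step in the Postgres section later on the page creates that role, but the `CREATE DATABASE ... OWNER synapse_user;` that follows it names a role that is never created and will fail. Use one name in both places. `event_cache_size: "1K"` instead of 10K trades memory for database round trips, acceptable for a small server, but the comment should say that was the intent.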
 +@@ -156,7 +162,7 @@ 
 + verbose:
 + 
 + # File to write logging to. Ignored if log_config is specified. 
 +-log_file: "/home/synapse/.synapse/homeserver.log" 
 ++log_file: "/home/synapse/.synapse/log/homeserver.log" 
 + 
 + # A yaml python logging config file 
 + log_config: "/home/synapse/.synapse/erfurt.chat.log.config" 
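Review bot: the `log_file` change is a no-op: the comment two lines above it reads `# File to write logging to. Ignored if log_config is specified.` and `log_config: "/home/synapse/.synapse/erfurt.chat.log.config"` is set, so the effective path is the `filename:` inside that log config (which, per the new file later in this diff, is the same `/home/synapse/.synapse/log/homeserver.log`). Either drop the change or note that the two are kept in sync deliberately. Either way the `log` directory must exist and be writable by the synapse user before first start, and no mkdir for it appears on the page.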
 +@@ -171,7 +177,9 @@ 
 + rc_message_burst_count: 10.0 
 + 
 + # The federation window size in milliseconds 
 +-federation_rc_window_size: 1000 
 ++## edit by maddi 
 ++# federation_rc_window_size: 2000 
 ++federation_rc_window_size: 2000 
 + 
 + # The number of federation requests from a single server in a window 
 + # before the server will delay processing the request. 
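Review bot: the commented line `# federation_rc_window_size: 2000` directly above the live `federation_rc_window_size: 2000` records the new value, not the replaced one, so it documents nothing; if the `## edit by maddi` lines are meant to preserve the original for reference, comment out the removed `federation_rc_window_size: 1000` instead. The same pattern repeats in the next hunk for `federation_rc_reject_limit` and `federation_rc_concurrent`.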
 +@@ -183,14 +191,19 @@ 
 + 
 + # The maximum number of concurrent federation requests allowed 
 + # from a single server 
 +-federation_rc_reject_limit: 50 
 ++## edit by maddi 
 ++# federation_rc_reject_limit: 50 
 ++federation_rc_reject_limit: 10 
 + 
 + # The number of federation requests to concurrently process from a 
 + # single server 
 +-federation_rc_concurrent:
 +
 +
 +
 ++#federation_rc_concurrent:
 ++## edit by maddi 
 ++federation_rc_concurrent:
 +
 ++## add by maddi 
 ++federation_domain_whitelist: ['erfurt.chat','matrix.ffggrz.de','bau-ha.us','zner0l.de','byteschmeisser.de'
 +
 + # Directory where uploaded images and attachments are stored. 
 + media_store_path: "/home/synapse/.synapse/media_store" 
 + 
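Review bot: `federation_domain_whitelist: ['erfurt.chat','matrix.ffggrz.de','bau-ha.us','zner0l.de','byteschmeisser.de']` is a hard allow-list in both directions: local users cannot join rooms on any other homeserver and no other server can reach rooms here, and listing the server's own name is harmless but unnecessary. That is a product decision and deserves one sentence of rationale in the comment, because it is the kind of setting the next admin will assume is a mistake. Lowering `federation_rc_reject_limit` to 10 and `federation_rc_concurrent` to 5 applies per remote server, so with only four remote peers it mainly throttles those peers during catch-up after downtime; defensible together with the whitelist, but worth stating.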
 +@@ -231,7 +244,7 @@
  # Is the preview URL API enabled?  If enabled, you *must* specify  # Is the preview URL API enabled?  If enabled, you *must* specify
  # an explicit url_preview_ip_range_blacklist of IPs that the spider is  # an explicit url_preview_ip_range_blacklist of IPs that the spider is
Zeile 1786: Zeile 1894:
 -url_preview_enabled: False -url_preview_enabled: False
 +url_preview_enabled: True +url_preview_enabled: True
- +
  # List of IP address CIDR ranges that the URL preview spider is denied  # List of IP address CIDR ranges that the URL preview spider is denied
  # from accessing.  There are no defaults: you must explicitly  # from accessing.  There are no defaults: you must explicitly
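Review bot: `url_preview_enabled: True` turns the homeserver into an HTTP client that fetches arbitrary URLs for any logged-in user, and the comment in this hunk says you *must* then set `url_preview_ip_range_blacklist`; that list lives in the following `@@ -241` hunk but the page elides its body (the `Zeile 1812: Zeile 1920:` marker), so the actual ranges cannot be reviewed here. Confirm it denies at least 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, 169.254.0.0/16, ::1/128, fe80::/64 and fc00::/7, plus this host's own public IPv4 and IPv6 addresses: the server's own listeners (8008 with `x_forwarded: True` in particular) are exactly what an SSRF through the previewer would target, and with open registration enabled later in this diff every self-registered account can use it.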
-@@ -241,14 +241,14 @@+@@ -241,14 +254,14 @@
  # synapse to issue arbitrary GET requests to your internal services,  # synapse to issue arbitrary GET requests to your internal services,
  # causing serious security issues.  # causing serious security issues.
Zeile 1812: Zeile 1920:
  # to access even if they are specified in url_preview_ip_range_blacklist.  # to access even if they are specified in url_preview_ip_range_blacklist.
  # This is useful for specifying exceptions to wide-ranging blacklisted  # This is useful for specifying exceptions to wide-ranging blacklisted
-@@ -322,10 +322,10 @@+@@ -322,10 +335,10 @@
  ## Turn ##  ## Turn ##
- +
  # The public URIs of the TURN server to give to clients  # The public URIs of the TURN server to give to clients
 -turn_uris: [] -turn_uris: []
 +turn_uris: [ "turn:erfurt.chat:3478?transport=udp", "turn:erfurt.chat:3478?transport=tcp" ] +turn_uris: [ "turn:erfurt.chat:3478?transport=udp", "turn:erfurt.chat:3478?transport=tcp" ]
- +
  # The shared secret used to compute passwords for the TURN server  # The shared secret used to compute passwords for the TURN server
 -turn_shared_secret: "YOUR_SHARED_SECRET" -turn_shared_secret: "YOUR_SHARED_SECRET"
-+turn_shared_secret: "$$$$SECRET$$$$" ++turn_shared_secret: "$$$SECRET$$$" 
- +
  # The Username and password if the TURN server needs them and  # The Username and password if the TURN server needs them and
  # does not use a token  # does not use a token
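Review bot: `turn_uris` lists only plain `turn:` on 3478 for udp and tcp with no `turns:` entry, so TURN allocation and control traffic is unencrypted and clients on networks that block 3478 get no relay at all; the credentials are short-lived HMAC tokens derived from the shared secret, so this is not a credential leak, but a `turns:` URI on 443 is the usual companion. The `$$$SECRET$$$` placeholder must equal coturn's static-auth-secret (the coturn configuration is not part of this diff) and should be a generated random value, not a string that ever appeared in the wiki.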
-@@ -346,7 +346,7 @@+@@ -346,7 +359,7 @@
  ## Registration ##  ## Registration ##
- +
  # Enable registration for new users.  # Enable registration for new users.
 -enable_registration: False -enable_registration: False
 +enable_registration: True +enable_registration: True
- +
  # If set, allows registration by anyone who also has the shared  # If set, allows registration by anyone who also has the shared
  # secret, even if registration is otherwise disabled.  # secret, even if registration is otherwise disabled.
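Review bot: `enable_registration: True` with no captcha or shared-secret gate opens account creation to the whole internet, and the same diff enables URL previews and guest access, so the only friction between an anonymous visitor and the previewer is choosing a username. At minimum pair it with Synapse's `enable_registration_captcha` option, or keep registration closed and hand out accounts via `registration_shared_secret` (the mechanism the comment right below this change describes).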
-@@ -360,7 +360,7 @@+@@ -360,7 +373,7 @@
  # Allows users to register as guests without a password/email/etc, and  # Allows users to register as guests without a password/email/etc, and
  # participate in rooms hosted on this server which have been made  # participate in rooms hosted on this server which have been made
Zeile 1840: Zeile 1948:
 -allow_guest_access: False -allow_guest_access: False
 +allow_guest_access: True +allow_guest_access: True
- +
  # The list of identity servers trusted to verify third party  # The list of identity servers trusted to verify third party
  # identifiers by this server.  # identifiers by this server.
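Review bot: `allow_guest_access: True` adds a second, lighter account type on top of already-open registration: guests have no password or e-mail and are intended for rooms explicitly marked joinable by guests, as the comment above this change says. Decide whether erfurt.chat rooms actually want that; if the goal was only "anyone can get in", open registration already achieves it and guest access can stay at the default False.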
-@@ -461,7 +461,8 @@+@@ -388,7 +401,9 @@ 
 + 
 + 
 + # A list of application service config file to use 
 +-app_service_config_files: [] 
 ++#app_service_config_files: [ "ircbridge_registration.yaml"
 ++## deactivated by maddi 
 ++app_service_config_files: [ ] 
 + 
 + 
 + macaroon_secret_key: "$$$SECRET$$$" 
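Review bot: `app_service_config_files: [ ]` (`## deactivated by maddi`) removes the IRC bridge registration from the homeserver, but the `Matrix IRC Bridge` section later on this page still generates `ircbridge_registration.yaml` and enables `matrix-irc-bridge.service`; the bridge will start and every request it makes with its AS token will be rejected by Synapse. Either mark the bridge section as disabled as well or restore the registration here. `macaroon_secret_key: "$$$SECRET$$$"` is context in this hunk, fine, but since the same placeholder appears for TURN, pepper and SMTP, make sure the real file holds four different generated secrets rather than one value pasted four times.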
 +@@ -402,7 +417,7 @@ 
 + signing_key_path: "/home/synapse/.synapse/erfurt.chat.signing.key" 
 + 
 + # The keys that the server used to sign messages with but won't use 
 +-# to sign new messages. E.g. it has lost its private key 
 ++# to sign new messages. dE.g. it has lost its private key 
 + old_signing_keys: {} 
 + #  "ed25519:auto": 
 + #    # Base64 encoded public key 
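Review bot: the only change in the `@@ -402` hunk is a typo inserted into a comment (`# to sign new messages. dE.g. it has lost its private key`); drop the stray `d` so the diff against the generated config stays clean.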
 +@@ -461,7 +476,8 @@
     enabled: true     enabled: true
     # Uncomment and change to a secret random string for extra security.     # Uncomment and change to a secret random string for extra security.
     # DO NOT CHANGE THIS AFTER INITIAL SETUP!     # DO NOT CHANGE THIS AFTER INITIAL SETUP!
 -   #pepper: "" -   #pepper: ""
-+   pepper: "$$$$SECRET$$$$" ++   pepper: "$$$SECRET$$$" 
-  ++ 
-  + 
-  + 
-@@ -473,20 +474,20 @@+ 
 +@@ -473,20 +489,20 @@
  # If your SMTP server requires authentication, the optional smtp_user &  # If your SMTP server requires authentication, the optional smtp_user &
  # smtp_pass variables should be used  # smtp_pass variables should be used
Zeile 1875: Zeile 2004:
 +   smtp_port: 587 +   smtp_port: 587
 +   smtp_user: "synapse@erfurt.chat" +   smtp_user: "synapse@erfurt.chat"
-+   smtp_pass: "$$$$SECRET$$$$"++   smtp_pass: "$$$SECRET$$$"
 +   require_transport_security: True +   require_transport_security: True
 +   notif_from: "Your Friendly %(app)s Home Server <noreply@erfurt.chat>" +   notif_from: "Your Friendly %(app)s Home Server <noreply@erfurt.chat>"
 +   app_name: Matrix +   app_name: Matrix
-+   template_dir: res/templates++   template_dir: /home/synapse/.synapse/res/templates/
 +   notif_template_html: notif_mail.html +   notif_template_html: notif_mail.html
 +   notif_template_text: notif_mail.txt +   notif_template_text: notif_mail.txt
Zeile 1885: Zeile 2014:
 +   riot_base_url: "https://erfurt.chat/riot" +   riot_base_url: "https://erfurt.chat/riot"
  
 +
 + # password_providers:
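Review bot: `smtp_pass: "$$$SECRET$$$"` is a cleartext mailbox password, and homeserver.yaml now carries four secrets (TURN, macaroon, pepper, SMTP), so the file needs mode 0600 owned by synapse; the `usermod -G synapse letsencrypt` step earlier on the page is fine as long as `.synapse` itself is not group-readable. `require_transport_security: True` with `smtp_port: 587` is the right combination. Switching `template_dir` to the absolute `/home/synapse/.synapse/res/templates/` is an improvement, because the relative `res/templates` depended on the working directory that `synapse.service` sets; the templates have to exist at that path before the first notification is sent. The trailing `+ # password_providers:` adds an empty commented key and can be dropped.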
 </file> </file>
  
 +<file|/home/synapse/.synapse/erfurt.chat.log.config>
 +
 +version: 1
 +
 +formatters:
 +  precise:
 +   format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
 +
 +filters:
 +  context:
 +    (): synapse.util.logcontext.LoggingContextFilter
 +    request: ""
 +
 +handlers:
 +  file:
 +    class: logging.handlers.RotatingFileHandler
 +    formatter: precise
 +    filename: /home/synapse/.synapse/log/homeserver.log
 +    maxBytes: 104857600
 +    backupCount: 10
 +    filters: [context]
 +  console:
 +    class: logging.StreamHandler
 +    formatter: precise
 +    filters: [context]
 +
 +loggers:
 +    synapse:
 +        level: INFO
 +
 +    synapse.storage.SQL:
 +        # beware: increasing this to DEBUG will make synapse log sensitive
 +        # information such as access tokens.
 +        level: INFO
 +
 +root:
 +    level: INFO
 +    handlers: [file]
 +#    handlers: [file, console]
 +</file>
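Review bot: `maxBytes: 104857600` with `backupCount: 10` lets `/home/synapse/.synapse/log` grow to roughly 1 GB before rotation discards anything, and at INFO Synapse's access lines include client IPs and user IDs, so this is personal data retained on disk; size it deliberately and make sure the Datensicherung job either covers or explicitly excludes that directory. The `synapse.storage.SQL` logger correctly stays at INFO (the inline comment explains that DEBUG would log access tokens). `handlers: [file]` with the console handler commented out means journald sees nothing from Synapse beyond startup failures of `synapse.service`, which is fine but worth knowing when debugging.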
 <file|/etc/systemd/system/synapse.service> <file|/etc/systemd/system/synapse.service>
 [Unit] [Unit]
Zeile 1927: Zeile 2098:
 </file> </file>
  
-=== Matrix IRC Bridge ===+==== Matrix IRC Bridge ====
  
   * curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -   * curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
Zeile 2305: Zeile 2476:
 </file> </file>
  
 +  * matrix-appservice-irc -r -f ircbridge_registration.yaml -u "http://erfurt.chat:9999" -c ircbridge_config.yaml -l ircbridge
   * systemctl enable matrix-irc-bridge.service   * systemctl enable matrix-irc-bridge.service
   * systemctl start matrix-irc-bridge.service   * systemctl start matrix-irc-bridge.service
  
-=== Externe Synapse Dokumentation ===+==== Upgrade zu Postgres ==== 
 +  * wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add - 
 +  * echo deb http://apt.postgresql.org/pub/repos/apt/ jessie-pgdg main > /etc/apt/sources.list.d/pgdg.list 
 +  * apt update 
 +  * apt install postgresql-10 postgresql-client-10 libpq-dev 
 +  * sudo -u postgres createuser -e  synapse 
 +  * sudo -u postgres psql -c "CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse_user;" 
 +  * service synapse stop 
 +  * cp -a /home/synapse/.synapse/homeserver.db{,.snapshot} 
 +  * cp -a /home/synapse/.synapse/homeserver{,-postgres}.yaml 
 + 
 +<file|/home/synapse/.synapse/homeserver-postgres.yaml> 
 +[...] 
 + 
 +# Database configuration 
 +database: 
 +  # The database engine name 
 +  name: "psycopg2" 
 +  # Arguments to pass to the engine 
 +  args: 
 +    database: synapse 
 +    cp_min: 5  
 +    cp_max: 25 
 +     
 +[...] 
 +</file> 
 + 
 +  * service synapse start 
 +  * sudo -u synapse bash 
 +  * source ~/.synapse/bin/activate 
 +  * pip install psycopg2 
 +  * cd ~/.synapse 
 +  * synapse_port_db --sqlite-database homeserver.db.snapshot --postgres-config homeserver-postgres.yaml 
 +  * (as root) service synapse stop 
 +  * synapse_port_db --sqlite-database homeserver.db --postgres-config homeserver-postgres.yaml 
 +  * mv homeserver.yaml{,.old-sqlite} 
 +  * mv homeserver{-postgres,}.yaml 
 +  * mv homeserver.db{,.unused} 
 +  * exit 
 +  * service synapse start 
 + 
 + 
 +Es wurde https://github.com/matrix-org/synapse/pull/3099 mit eingspielt. 
 + 
 +==== Externe Synapse Dokumentation ====
   * https://github.com/matrix-org/synapse/blob/master/README.rst#synapse-installation   * https://github.com/matrix-org/synapse/blob/master/README.rst#synapse-installation
   * https://github.com/matrix-org/synapse/blob/master/README.rst#setting-up-federation   * https://github.com/matrix-org/synapse/blob/master/README.rst#setting-up-federation
   * https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.rst   * https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.rst
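Review bot: in the `Upgrade zu Postgres` steps, `sudo -u postgres createuser -e synapse` creates a role named `synapse`, but the next line, `CREATE DATABASE synapse ... OWNER synapse_user;`, names a role that was never created and will fail; use `OWNER synapse`, which is also the name `homeserver-postgres.yaml` depends on, since it sets no `user:` or `password:` and therefore authenticates as the OS user over the local socket. The `synapse_port_db` sequence itself is right: a first pass against the `homeserver.db.snapshot` copy while Synapse is still running, then stop it and port the live `homeserver.db` before swapping the yaml files. For the bridge line, `matrix-appservice-irc -r -f ircbridge_registration.yaml -u "http://erfurt.chat:9999" ...` writes the public hostname in plain HTTP into the registration as the URL the homeserver uses to reach the bridge; that should be `http://127.0.0.1:9999` with the bridge bound to loopback, otherwise the appservice endpoint is reachable from the network, and it also contradicts `app_service_config_files: [ ]` in the homeserver.yaml diff above. The reference to `synapse/pull/3099` is useful but should state which Synapse version it was applied on top of, since a cherry-picked patch has to be re-applied on every upgrade.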
-==== users.bytespeicher.org ====+===== users.bytespeicher.org =====
  
 <file|/etc/nginx/sites-available/users.bytespeicher.org> <file|/etc/nginx/sites-available/users.bytespeicher.org>
Zeile 2335: Zeile 2551:
 </file> </file>
  
-===== Datensicherung =====+====== Datensicherung ======
  
 Die Datensicherung erfolgt verschlüsselt auf einen Server von [[user:mape2k]] und einen Server von [[user:mkzero]]: Die Datensicherung erfolgt verschlüsselt auf einen Server von [[user:mape2k]] und einen Server von [[user:mkzero]]:
Zeile 2461: Zeile 2677:
 30 2   * * *   root    HOME=/root && duply mkzero-backup backup 30 2   * * *   root    HOME=/root && duply mkzero-backup backup
 </file> </file>
 +
 +====== Postfächer und Forward-Konten ======
 +
 +Als Mailserver wird Postfix eingesetzt. 
 +Aliase für Forwarding-Postfächer werden in der Datei ''/etc/postfix/virtual gepeichert.'' Änderungen werden erst durch Ausführen von ''postmap /etc/postfix/virtual'' übernommen.
 +
 +[mehr Dokumentation nötig…] 
 +
 +
 +=====  Postfach anlegen ====
 +
 +mit ''doveadm pw -s ssha'' Passwort erzeugen.
 +
 +Passwort-Hash mit FQDN-Mail in /etc/dovecot/users eintragen
 +
 +
 +in den mail-ordner Wechsel und Postfach-Ordner anlegen und Besitzer sowie Rechte anpassen
 +
 +
 +''chown vmail:vmail postfach''
 +
 +''chmod 700 postfach''
 +
 +''systemctl restart dovecot''
 +
 +
 +
 +
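Review bot: `doveadm pw -s ssha` produces a salted single-round SHA-1 hash, which is no longer a good choice for stored mail passwords; `doveadm pw -s SHA512-CRYPT` (or `BLF-CRYPT` where the Dovecot build supports it) is the drop-in replacement and `/etc/dovecot/users` accepts the resulting `{SHA512-CRYPT}`-prefixed value directly. In the same hunk the closing `''` in `''/etc/postfix/virtual gepeichert.''` pulls the verb into the monospace span and should close right after `virtual` (and `gespeichert` is misspelled). The mailbox steps do not say which directory "in den mail-ordner Wechsel" refers to, and the final `systemctl restart dovecot` is not needed for a passwd-file change, since Dovecot re-reads that file when its modification time changes.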
dienste/bytecluster0001.1496680875.txt.gz · Last modified: 05.06.2017 18:41 · by mape2k