
    Fedora 31 Server Edition filesystem permissions changed to 777

    • W
      Woti
      last edited by

      Thanks for your reply. It is scary.

      1 Reply Last reply Reply Quote 0
      • W
        Woti @scottalanmiller
        last edited by

        @scottalanmiller What does the line with IP 217.131.28.231 mean?

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @Woti
          last edited by

          @Woti said in Fedora 31 Server Edition filesystem permissions changed to 777:

          @scottalanmiller What does the line with IP 217.131.28.231 mean?

          That field, the first one, is the IP address of the browser making a request. Try accessing your own site from a public IP that you know, and then look for that IP in the log to see how it works. But that first field is just the requesting public IP field.

          1 Reply Last reply Reply Quote 0
          • W
            Woti
            last edited by Woti

            Is it safe to remove Let's Encrypt certificates by deleting the certificate files and running

            dnf remove certbot httpd php-fpm mariadb

            and then trying to reinstall? Or are certificate files stored on Let's Encrypt servers and synced the next time a certificate is generated for the same email address and domain? 🤔

            scottalanmillerS 1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @Woti
              last edited by

              @Woti said in Fedora 31 Server Edition filesystem permissions changed to 777:

              Is it safe to remove Let's Encrypt certificates by deleting the certificate files and running

              dnf remove certbot httpd php-fpm mariadb

              and then trying to reinstall? Or are certificate files stored on Let's Encrypt servers and synced the next time a certificate is generated for the same email address and domain? 🤔

              It's pretty safe, but better if you make a copy, just in case.

              JaredBuschJ 1 Reply Last reply Reply Quote 1
              • JaredBuschJ
                JaredBusch @scottalanmiller
                last edited by

                @scottalanmiller said in Fedora 31 Server Edition filesystem permissions changed to 777:

                @Woti said in Fedora 31 Server Edition filesystem permissions changed to 777:

                Is it safe to remove Let's Encrypt certificates by deleting the certificate files and running

                dnf remove certbot httpd php-fpm mariadb

                and then trying to reinstall? Or are certificate files stored on Let's Encrypt servers and synced the next time a certificate is generated for the same email address and domain? 🤔

                It's pretty safe, but better if you make a copy, just in case.

                If you request a new cert in the same name, you will simply get a new cert.
                Nothing is saved by Let's Encrypt. Now obviously, they have the old record, and you will get a renewal notice at 30 days out. But you just ignore it.

                1 Reply Last reply Reply Quote 1
                • W
                  Woti
                  last edited by

                  Any thoughts about using Nginx rather than Apache?

                  JaredBuschJ scottalanmillerS 2 Replies Last reply Reply Quote 0
                  • JaredBuschJ
                    JaredBusch @Woti
                    last edited by

                    @Woti said in Fedora 31 Server Edition filesystem permissions changed to 777:

                    Any thoughts about using Nginx rather than Apache?

                    Nextcloud still defaults their builds to Apache, so I use Apache.

                    That said, all of my instances are sitting behind a separate Nginx Reverse Proxy.

                    scottalanmillerS W 2 Replies Last reply Reply Quote 1
                    • scottalanmillerS
                      scottalanmiller @Woti
                      last edited by

                      @Woti said in Fedora 31 Server Edition filesystem permissions changed to 777:

                      Any thoughts about using Nginx rather than Apache?

                      I would stick to Apache. Use what the devs use. Nginx is great for the reverse proxy in front of it all, if you want.

                      1 Reply Last reply Reply Quote 1
                      • scottalanmillerS
                        scottalanmiller @JaredBusch
                        last edited by

                        @JaredBusch said in Fedora 31 Server Edition filesystem permissions changed to 777:

                        @Woti said in Fedora 31 Server Edition filesystem permissions changed to 777:

                        Any thoughts about using Nginx rather than Apache?

                        Nextcloud still defaults their builds to Apache, so I use Apache.

                        That said, all of my instances are sitting behind a separate Nginx Reverse Proxy.

                        Same here.

                        1 Reply Last reply Reply Quote 1
                        • W
                          Woti
                          last edited by

                          Is it possible that Nextcloud has to be installed before creating certificates?
                          Because when I installed Nextcloud 11(?) on Fedora Server 26, I first installed everything (Apache, php-fpm, MySQL, Nextcloud) and then created self-signed certificates. After that, I created certificates from Let's Encrypt with certbot, but that did not happen on Fedora Server 26. It happened later.
                          Fedora Server 31 is the first release for which I have had to reinstall (I just upgraded between all the earlier releases), and the one and only thing I did differently was the order of creating certificates and installing Nextcloud. I created the certificates before installing Nextcloud.

                          1 Reply Last reply Reply Quote 0
                          • W
                            Woti @JaredBusch
                            last edited by

                            @JaredBusch I never understood why to use Nginx as a reverse proxy 😞 What's the point of it?

                            DashrenderD 1 Reply Last reply Reply Quote 0
                            • DashrenderD
                              Dashrender @Woti
                              last edited by

                              @Woti said in Fedora 31 Server Edition filesystem permissions changed to 777:

                              @JaredBusch I never understood why to use Nginx as a reverse proxy 😞 What's the point of it?

                              A reverse proxy allows you to have multiple websites on the same port behind 1 IP address. This also generally means multiple servers behind the proxy as well - as if all websites were on a single http service, that service could likely determine itself which webservice to give the packets to.

                              JaredBuschJ 1 Reply Last reply Reply Quote 1
                              • JaredBuschJ
                                JaredBusch @Dashrender
                                last edited by JaredBusch

                                @Dashrender said in Fedora 31 Server Edition filesystem permissions changed to 777:

                                @Woti said in Fedora 31 Server Edition filesystem permissions changed to 777:

                                @JaredBusch I never understood why to use Nginx as a reverse proxy 😞 What's the point of it?

                                A reverse proxy allows you to have multiple websites on the same port behind 1 IP address. This also generally means multiple servers behind the proxy as well - as if all websites were on a single http service, that service could likely determine itself which webservice to give the packets to.

                                This is correct. Specifically, I have a server in a colo. I have a single IP available to me.

                                So ports 80/443 on that IP are directed to the Nginx Reverse Proxy. Nginx handles sending the inbound FQDN to the right backend servers.

                                https://domain.com = 12.45.67.89
                                https://nc.domain.com = 12.45.67.89
                                https://blog.domain.com = 12.45.67.89
                                

                                How do you make all of that work? With a Reverse Proxy. Nginx is much better at that than Apache.

                                Nginx is listening on 12.45.67.89:80 and 12.45.67.89:443
                                When something comes in, it reads the FQDN out of the HTTP headers and sends it on to the correct backend IP.

                                domain.com = 10.1.2.3
                                nc.domain.com = 10.1.2.4
                                blog.domain.com = 10.1.2.5
                                
                                1 Reply Last reply Reply Quote 1
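
The routing described in the post above, written out as an Nginx configuration. This is an added example, not JaredBusch's actual config: the names and addresses are the ones in his post, while terminating TLS at the proxy, the certbot-style certificate paths and the plain-HTTP hop to the backends are assumptions.

```nginx
# Added example (assumed file: /etc/nginx/conf.d/proxy.conf, loaded in the http context).
# Pass the original Host and client address on to every backend.
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

# Catch-all: a request whose Host/SNI is none of the names below is dropped
# instead of falling through to whichever site is defined first.
server {
    listen 12.45.67.89:80  default_server;
    listen 12.45.67.89:443 ssl default_server;
    ssl_reject_handshake on;   # nginx 1.19.4+, so no certificate is needed here
    return 444;                # close the connection without a response
}

# Plain HTTP for the known names is only redirected to HTTPS.
server {
    listen 12.45.67.89:80;
    server_name domain.com nc.domain.com blog.domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 12.45.67.89:443 ssl;
    server_name domain.com;
    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;       # assumed path
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;         # assumed path
    location / { proxy_pass http://10.1.2.3; }
}

server {
    listen 12.45.67.89:443 ssl;
    server_name nc.domain.com;
    ssl_certificate     /etc/letsencrypt/live/nc.domain.com/fullchain.pem;    # assumed path
    ssl_certificate_key /etc/letsencrypt/live/nc.domain.com/privkey.pem;      # assumed path
    location / { proxy_pass http://10.1.2.4; }
}

server {
    listen 12.45.67.89:443 ssl;
    server_name blog.domain.com;
    ssl_certificate     /etc/letsencrypt/live/blog.domain.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/blog.domain.com/privkey.pem;    # assumed path
    location / { proxy_pass http://10.1.2.5; }
}
```

With this in place the backends see every connection as coming from the proxy, so Apache's access log shows the proxy's address in the first field unless mod_remoteip is set to take the client from X-Forwarded-For, and Nextcloud needs the proxy listed in trusted_proxies in config.php.
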
                                • W
                                  Woti
                                  last edited by Woti

                                  THANK YOU @JaredBusch and @Dashrender for this good explanation. That was the most easily understandable explanation I have heard in a long time. 😄

                                  I'll try my luck again. Thanks again guys.

                                  1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller
                                    last edited by

                                    Don't know if it was said, but a reverse proxy is also a front end that handles your SSL in many cases.

                                    1 Reply Last reply Reply Quote 1
                                    • W
                                      Woti
                                      last edited by

                                      Finally, I got it! Nextcloud is up and running. It was a bit of a mess.

                                      1st of all, the error "[ssl:warn] AH01909: woti.dedyn.io:443:0 server certificate does NOT include an ID which matches the server name" was hard to figure out, but finally I found it in a .json file from Let's Encrypt and also in the localhost.crt.
                                      When I installed Fedora I chose woti as the hostname. But just woti does not work as a hostname when creating Let's Encrypt certs. It has to be woti.domain.xxx. So I used my domain, but I did not change my hostname while creating my Let's Encrypt certs. That's why I got an ID which did not match the server name.
                                      I needed to create new certs.

                                      2nd, an SELinux error suddenly came up about no access to /nextcloud/data. I needed to "Allow httpd to unified"

                                      3rd, the tutorial I followed, https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-centos-8/, just gave me redirection errors. I do not know why. I had to use my old config files from c-rieger.com. I'll try again later.
                                      Maybe I can post my conf files here and you guys can take a look?

                                      4th, I used APCu as memcache before. Now I had installed Redis, but I did not change it in the Nextcloud config file. That was the reason for the internal server error. Redis gives me some warnings in the redis.log. I need to check this.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 2
                                      • scottalanmillerS
                                        scottalanmiller @Woti
                                        last edited by

                                        @Woti said in Fedora 31 Server Edition filesystem permissions changed to 777:

                                        Finally, I got it! Nextcloud is up and running. It was a bit of a mess.

                                        NC 18 just released.

                                        1 Reply Last reply Reply Quote 2
                                        • W
                                          Woti
                                          last edited by

                                          Yeah I know. Next step 🙂

                                          Btw. @scottalanmiller I saw you are using fail2ban in your script.
                                          But is no configuration necessary?
                                          You're just using "systemctl enable fail2ban" and "systemctl start fail2ban", or is it obsolete to use fail2ban?

                                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @Woti
                                            last edited by

                                            @Woti said in Fedora 31 Server Edition filesystem permissions changed to 777:

                                            But is no configuration necessary?
                                            You're just using "systemctl enable fail2ban" and "systemctl start fail2ban", or is it obsolete to use fail2ban?

                                            For basic SSH protection, yes, that simple.

                                            W 1 Reply Last reply Reply Quote 0