MediaWiki Backup And Restore: Difference between revisions
(41 intermediate revisions by the same user not shown) | |||
Line 233: | Line 233: | ||
Alias /nst-webgl-globe "/var/nst/mediawiki/nst-webgl-globe" | Alias /nst-webgl-globe "/var/nst/mediawiki/nst-webgl-globe" | ||
# | |||
# Provide server status information | |||
# | |||
#<Location /server-status> | |||
# SetHandler server-status | |||
# | |||
# AuthType Basic | |||
# AuthName "NST WUI: System Management" | |||
# AuthUserFile "/etc/nst/httpd/conf/htuser.nst" | |||
# require valid-user | |||
#</Location> | |||
# | |||
# Provide server information | |||
# | |||
#<Location /server-info> | |||
# SetHandler server-info | |||
# | |||
# AuthType Basic | |||
# AuthName "NST WUI: System Management" | |||
# AuthUserFile "/etc/nst/httpd/conf/htuser.nst" | |||
# require valid-user | |||
#</Location> | |||
* Start these services and then check the NST Wiki. | * Start these services and then check the NST Wiki. | ||
[root@probe-p3p1 ~]# systemctl start httpd.service | [root@probe-p3p1 ~]# systemctl start httpd.service | ||
[root@probe-p3p1 ~]# systemctl restart php-fpm.service | [root@probe-p3p1 ~]# systemctl restart php-fpm.service | ||
[root@probe-p3p1 ~]# | |||
[root@probe-p3p1 ~]# firefox http://127.0.0.1/nstwiki | [root@probe-p3p1 ~]# firefox http://127.0.0.1/nstwiki | ||
[root@probe-p3p1 ~]# | [root@probe-p3p1 ~]# | ||
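Review bot: The commented-out /server-status and /server-info blocks added to nstwiki.conf carry no note on why they are disabled or when they may be enabled, and both rely on "AuthType Basic". Basic credentials are only base64-encoded on the wire, so a one-line comment saying to enable these handlers only on the HTTPS virtual host would help. Writing the directive as "Require valid-user" would also match the capitalisation Apache documents.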
Line 248: | Line 273: | ||
* Review the ''/etc/httpd/conf/httpd.conf'' file. | * Review the ''/etc/httpd/conf/httpd.conf'' file. | ||
* Review your mediawiki configuration file under the ''/etc/httpd/conf.d'' directory (''nstwiki.conf''). | * Review your mediawiki configuration file under the ''/etc/httpd/conf.d'' directory (''nstwiki.conf''). | ||
=== Default Font Size === | |||
To change the global font size for all NST Wiki pages do the following. | |||
* Search for "'''MediaWiki:Common.css'''" | |||
* Add the following CSS entry: | |||
body { font-size: 9pt; } | |||
== No Logging: NST Wiki == | |||
The Apache Web server can produce copious amounts of logging. Use these steps to disable "'''httpd'''" logging: Stop the web service, comment out the following lines in these configuration files, remove the log files and restart the web service. | |||
* Stop the Apache Web server: | |||
systemctl stop httpd.service; | |||
* In file: "'''/etc/httpd/conf/http.conf'''" comment out line: | |||
# CustomLog "logs/access_log" combined | |||
* In file: "'''/etc/httpd/conf.d/nstwiki.conf'''" comment out line: | |||
#CustomLog logs/deflate_log deflate | |||
* Location of "'''httpd'''" logs: | |||
[root@nst-wiki40 conf.d]# ls -al /var/log/httpd/; | |||
total 2896604 | |||
drwx------. 1 root root 144 Jul 18 20:00 . | |||
drwxr-xr-x. 1 root root 862 Jul 29 18:20 .. | |||
-rw-r--r-- 1 root root 2072902834 Aug 13 10:46 access_log | |||
-rw-r--r-- 1 root root 889980229 Aug 13 10:46 deflate_log | |||
-rw-r--r-- 1 root root 402944 Aug 13 10:46 error_log | |||
-rw-r--r-- 1 root root 1291618 Jul 4 10:57 ssl_access_log | |||
-rw-r--r-- 1 root root 48143 Jul 3 18:52 ssl_error_log | |||
-rw-r--r-- 1 root root 1486615 Jul 4 10:57 ssl_request_log | |||
* Remove the "'''access_log'''" and "'''deflate_log'''" log files: | |||
rm "/var/log/httpd/access_log"; | |||
rm "/var/log/httpd/deflate_log"; | |||
* Restart the Apache Web server: | |||
systemctl start httpd.service; | |||
== Certbot - HTTPS TLS Certificates == | |||
=== Certbot Overview === | |||
[https://github.com/certbot/certbot Certbot] is part of [https://www.eff.org/ EFF]'s effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server. | |||
=== Certbot Installation On NST Wiki - Tips & Modifications === | |||
This section goes through various steps to install certbot on an NST system for the NST Wiki web service ([https://en.wikipedia.org/wiki/Apache_HTTP_Server Apache - HTTPD]). It can be a bit tricky. | |||
==== DNF Install Required Packages ==== | |||
dnf install certbot python3-certbot python3-certbot-apache; | |||
==== Fedora Python Code Modification (NST 40) ==== | |||
Insert this hack into the python code: "'''/usr/lib/python3.12/site-packages/certbot_apache/_internal/entrypoint.py'''" for Fedora OS identification. Verify if it has been fixed in a newer version before using the hack. | |||
Before hack: | |||
os_name, os_version = util.get_os_info() | |||
os_name = os_name.lower() | |||
override_class = None | |||
# Special case for older Fedora versions | |||
After hack: | |||
os_name, os_version = util.get_os_info() | |||
os_name = os_name.lower() | |||
override_class = None | |||
> os_name = 'fedora' | |||
> os_version = '40' | |||
# Special case for older Fedora versions | |||
==== Create an Apache VirtualHost Configuration File ==== | |||
Certbot requires an Apache VirtualHost configuration file using port: 80. Add this file: "'''certbot.conf'''" to the Apache configuration directory: "'''/etc/httpd/conf.d'''" | |||
[root@nst-wiki40 conf.d]# cat /etc/httpd/conf.d/certbot.conf; | |||
<VirtualHost *:80> | |||
ServerName wiki.networksecuritytoolkit.org | |||
ServerAlias *.networksecuritytoolkit.org | |||
DocumentRoot /var/nst/mediawiki | |||
RewriteEngine on | |||
RewriteCond %{SERVER_NAME} =*.networksecuritytoolkit.org [OR] | |||
RewriteCond %{SERVER_NAME} =wiki.networksecuritytoolkit.org | |||
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] | |||
</VirtualHost> | |||
==== Restart the Apache Web Service ==== | |||
Make sure the Apache Web services is restarted: | |||
[root@nst-wiki40 scripts]# systemctl restart httpd.service php-fpm.service; | |||
==== Certbot Configuration ==== | |||
This section will list the certbot apache plugin options used for configuration on and NST system. | |||
* Certbot apache plugin options: | |||
[root@nst-wiki40 ~]# certbot --help apache | |||
usage: | |||
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ... | |||
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, | |||
it will attempt to use a webserver both for obtaining and installing the | |||
certificate. | |||
options: | |||
-h, --help show this help message and exit | |||
-c CONFIG_FILE, --config CONFIG_FILE | |||
path to config file (default: /etc/letsencrypt/cli.ini and ~/.config/letsencrypt/cli.ini) | |||
apache: | |||
Apache Web Server plugin | |||
--apache-enmod APACHE_ENMOD | |||
Path to the Apache 'a2enmod' binary (default: None) | |||
--apache-dismod APACHE_DISMOD | |||
Path to the Apache 'a2dismod' binary (default: None) | |||
--apache-le-vhost-ext APACHE_LE_VHOST_EXT | |||
SSL vhost configuration extension (default: -le-ssl.conf) | |||
--apache-server-root APACHE_SERVER_ROOT | |||
Apache server root directory (default: /etc/httpd) | |||
--apache-vhost-root APACHE_VHOST_ROOT | |||
Apache server VirtualHost configuration root (default: None) | |||
--apache-logs-root APACHE_LOGS_ROOT | |||
Apache server logs directory (default: /var/log/httpd) | |||
--apache-challenge-location APACHE_CHALLENGE_LOCATION | |||
Directory path for challenge configuration (default: /etc/httpd/conf.d) | |||
--apache-handle-modules APACHE_HANDLE_MODULES | |||
Let installer handle enabling required modules for you (Only Ubuntu/Debian currently) (default: False) | |||
--apache-handle-sites APACHE_HANDLE_SITES | |||
Let installer handle enabling sites for you (Only Ubuntu/Debian currently) (default: False) | |||
--apache-ctl APACHE_CTL | |||
Full path to Apache control script (default: httpd) | |||
--apache-bin APACHE_BIN | |||
Full path to apache2/httpd binary (default: None) | |||
* Run Certbot configuration using the apache plugin: | |||
certbot --apache --apache-server-root /etc/httpd --apache-bin /usr/sbin/apachectl; | |||
Saving debug log to /var/log/letsencrypt/letsencrypt.log | |||
Which names would you like to activate HTTPS for? | |||
We recommend selecting either all domains, or all domains in a VirtualHost/server block. | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
1: wiki.networksecuritytoolkit.org | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
Select the appropriate numbers separated by commas and/or spaces, or leave input | |||
blank to select all options shown (Enter 'c' to cancel): 1 | |||
==== Crontab - Certificate Updates ==== | |||
Add the following line to the crontab file: "'''/etc/crontab'''" for '''certbot''' to attempt to renew the NST Wiki certificate ('''***Note''': Both ports 80 and 443 must be accessible from the Internet for renewal to properly update.): | |||
[root@nst-wiki40 ~]# cat /etc/crontab | |||
SHELL=/bin/bash | |||
PATH=/sbin:/bin:/usr/sbin:/usr/bin | |||
MAILTO=root | |||
# For details see man 4 crontabs | |||
# Example of job definition: | |||
# .---------------- minute (0 - 59) | |||
# | .------------- hour (0 - 23) | |||
# | | .---------- day of month (1 - 31) | |||
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ... | |||
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat | |||
# | | | | | | |||
# * * * * * user-name command to be executed | |||
0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q | |||
=== Backup Scripts === | |||
Listing of NST Wiki backup scripts: | |||
[root@nst-wiki40 scripts]# ls -al /var/nst/backup/scripts | |||
total 224 | |||
drwxr-xr-x 1 root root 398 Jul 5 15:36 . | |||
drwxr-xr-x 1 root root 32 Oct 25 2011 .. | |||
-rw-r--r-- 1 root root 0 Feb 28 2007 backup_exclude | |||
-rwxr-xr-x 1 root root 1177 Jul 5 15:36 backup_nstwiki_configs | |||
-rwxr-xr-x 1 root root 2217 Nov 7 2016 create_nstwiki_archive | |||
-rw-r----- 1 root root 36 Feb 28 2007 credentials.cifs | |||
-rwxr-xr-x 1 root root 552 Aug 21 2019 cron_run_nstwiki_archive | |||
-rwxr-xr-x 1 root root 1672 Oct 21 2009 nstwiki_mysql_backup | |||
-rw------- 1 root root 185200 Aug 21 2019 restore-notes.pdf | |||
-rwxr-xr-x 1 root root 2066 Jul 3 14:35 run_nstwiki_archive | |||
-rw-r--r-- 1 root root 1480 Aug 28 2006 time.bash | |||
-rwxr-xr-x 1 root root 2110 Nov 29 2014 transfer_nstwiki_archive | |||
-rw-r--r-- 1 root root 5568 Mar 3 2007 verbose.bash | |||
=== Cron: NST Wiki Daily Backups === | |||
Add the following links for NST Wiki daily backups: | |||
[root@nst-wiki40 scripts]# ls -al /etc/cron.daily/ | |||
total 48 | |||
drwxr-xr-x. 1 root root 158 Jul 5 12:42 . | |||
drwxr-xr-x. 1 root root 7814 Jul 4 11:05 .. | |||
lrwxrwxrwx 1 root root 48 Jul 5 12:40 cron_run_nstwiki_arche -> /var/nst/backup/scripts/cron_run_nstwiki_archive | |||
-rwxr-xr-x 1 root root 25571 Jun 19 22:42 google-chrome-beta | |||
-rwxr-xr-x. 1 root root 1749 Jan 25 19:00 rkhunter | |||
lrwxrwxrwx 1 root root 27 Jul 5 12:42 run_nstwiki_stats -> /root/bin/run_nstwiki_stats | |||
-rwxr-xr-x. 1 root root 536 Jan 26 19:00 tripwire-check |
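Review bot: In the new "No Logging" steps, the first comment-out step names "/etc/httpd/conf/http.conf", while the review step at the top of this hunk uses /etc/httpd/conf/httpd.conf; the path should be corrected so the edit lands in the real file. The same section turns off CustomLog and deletes access_log outright, which leaves no request record for later incident review. The listing shows the underlying problem is unrotated growth (access_log at 2072902834 bytes), so a rotation policy with short retention would be a safer recommendation. In certbot.conf, the condition "RewriteCond %{SERVER_NAME} =*.networksecuritytoolkit.org [OR]" uses the "=" string-equality form, so the "*" is compared literally and only the wiki.networksecuritytoolkit.org condition can ever trigger the redirect. The entrypoint.py edit lives under site-packages and will be replaced by the next package update, which the text should say.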
Latest revision as of 10:25, 7 October 2024
Backup
The system which contains the NST WIKI performs nightly backups. The compressed backup files are stored under the /var/nst/nstwiki_archive directory.
The /var/nst/nstwiki_archive directory is then mirrored at external locations.
The following items are backed up:
- The SQL database associated with the Wiki.
- The configuration files associated with the Wiki.
- The media files (images) associated with the Wiki.
Here is an example of using rsync to download a copy of the back up files:
    [nst@nst30-repo ~]$ rsync -avhP nstwiki:/var/nst/nstwiki_archive backup/nst30-repo
    receiving incremental file list
    nstwiki_archive/
    nstwiki_archive/nstwiki_conf_archive0.tgz
            117.14M 100%    3.94MB/s    0:00:28 (xfr#1, to-chk=1/3)
    nstwiki_archive/nstwiki_media_archive0.tgz
            694.91M 100%    3.99MB/s    0:02:46 (xfr#2, to-chk=0/3)

    sent 66 bytes  received 812.24M bytes  4.13M bytes/sec
    total size is 812.05M  speedup is 1.00
    [nst@nst30-repo ~]$ ls -l backup/nst30-repo/nstwiki_archive
    total 793020
    -rw-r--r-- 1 nst nst 117138773 Aug 21 05:34 nstwiki_conf_archive0.tgz
    -rw-r--r-- 1 nst nst 694906230 Aug 21 05:34 nstwiki_media_archive0.tgz
    [nst@nst30-repo ~]$
Restore/Move
If you need to restore the NST Wiki or need to relocate the NST Wiki to another machine, use the following strategy:
- Set up MediaWiki on the other machine by following the instructions on the MediaWiki page.
- Stop the httpd service.
- Stop the mysqld service.
- Transfer and install from the back up archives.
- Start the mysqld service.
- Run any new MediaWiki database upgrade scripts (if you are moving to a newer version of MediaWiki).
- Update your LocalSettings.php file.
- Start the httpd service.
Set Up MediaWiki
If you are moving the NST Wiki to a new machine, you will need to set up MediaWiki on the new machine:
- Before setting up MediaWiki, review the LocalSettings.php file as you will likely want to match some of the settings (if you don't it's not the end of the world - but if you take the time now it might save you some tweaks later).
- See the MediaWiki page for details on setting up MediaWiki on a NST system.
- Install the EmbedVideo media extension.
Stop Services
Stop the httpd and mysqld services as shown below (use service instead of systemctl if you are on an older system):
    [root@probe-p3p1 ~]# systemctl stop httpd.service
    [root@probe-p3p1 ~]# systemctl stop mysqld.service
    [root@probe-p3p1 ~]#
Transfer And Extract The Backup Archives
Get a copy of the NST Wiki backup files from the /var/nst/nstwiki_archive directory and transfer them to your /tmp directory:
    [root@probe-p3p1 ~]# rsync -rp nstwiki:/tmp/nstwiki_archive /tmp/
    root@nstwiki's password:
    [root@probe-p3p1 ~]# ls -l /tmp/nstwiki_archive
    total 198476
    -rw-r--r-- 1 root root  66375294 Oct 22 18:32 nstwiki_conf_archive0.tgz
    -rw-r--r-- 1 root root 126201929 Oct 22 18:32 nstwiki_media_archive0.tgz
    [root@probe-p3p1 ~]#
Extract the contents of the nstwiki_conf_archive0.tgz file to the /var/nst/backup directory:
    [root@probe-p3p1 ~]# install -d /var/nst/backup
    [root@probe-p3p1 ~]# tar xzf /tmp/nstwiki_archive/nstwiki_conf_archive0.tgz -C /var/nst/backup/ .
    [root@probe-p3p1 ~]#
Create and initialize the /var/nst/mediawiki directory:
    [root@probe-p3p1 ~]# install -d /var/nst/mediawiki
    [root@probe-p3p1 ~]# mw-createinstance /var/nst/mediawiki
    [root@probe-p3p1 ~]#
Extract the contents of the nstwiki_media_archive0.tgz file to the directory where your MediaWiki files live.
    [root@probe-p3p1 ~]# tar xzf /tmp/nstwiki_archive/nstwiki_media_archive0.tgz -C /var/nst/mediawiki
    [root@probe-p3p1 ~]#
Add a sym-link to the images directory under /usr/share/mediawiki (still not sure why this is required). Also, you may need to edit/save each NST WIKI page if thumbnails are not being created automatically.
    [root@probe-p3p1 ~]# mv /usr/share/mediawiki/images /usr/share/mediawiki/images.orig
    [root@probe-p3p1 ~]# ln -s /var/nst/mediawiki/images /usr/share/mediawiki/images
    [root@probe-p3p1 ~]#
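A pre-extraction check for the archives transferred above, as an added example (not part of the original page or of the NST backup scripts): it confirms the gzip stream is intact and that no member name or symlink target is absolute or climbs out of the extraction directory with "..". The function names are hypothetical and the listing format of GNU tar is assumed.

```sh
#!/bin/sh
# Added example: checks to run on a backup archive before unpacking it as root.
# Function names are hypothetical; `tar tvzf` output in GNU tar format is assumed.

# check_member_names: read member names (or link targets) on stdin, one per
# line, and report any that would land outside the extraction directory.
# Returns 1 if at least one unsafe name was seen, 0 otherwise.
check_member_names() {
    _unsafe=0
    while IFS= read -r name; do
        case "$name" in
            /*)
                printf 'absolute path: %s\n' "$name"; _unsafe=1 ;;
            ..|../*|*/..|*/../*)
                printf 'parent-directory traversal: %s\n' "$name"; _unsafe=1 ;;
        esac
    done
    return "$_unsafe"
}

# verify_archive ARCHIVE: 0 = safe to extract, 2 = missing file,
# 3 = damaged archive, 4 = unsafe member name, 5 = unsafe symlink target.
verify_archive() {
    archive=$1
    [ -f "$archive" ] || { printf 'missing: %s\n' "$archive"; return 2; }

    # A truncated or interrupted transfer shows up as a broken gzip stream.
    gzip -t "$archive" 2>/dev/null || { printf 'corrupt gzip: %s\n' "$archive"; return 3; }

    # The tar structure must be readable end to end.
    tar tzf "$archive" >/dev/null 2>&1 || { printf 'unreadable tar: %s\n' "$archive"; return 3; }

    # No member may be written outside the directory given to `tar -C`.
    tar tzf "$archive" | check_member_names || return 4

    # A symlink member pointing outside the tree redirects later writes,
    # so its target is held to the same rule as member names.
    tar tvzf "$archive" | sed -n 's/^l.* -> //p' | check_member_names || return 5

    printf 'ok: %s\n' "$archive"
}

# Usage: sh verify_archive.sh /tmp/nstwiki_archive/nstwiki_conf_archive0.tgz
if [ "$#" -gt 0 ]; then
    verify_archive "$1"
fi
```

Run it on each .tgz before the tar xzf steps; a non-zero status means the archive should not be unpacked as root.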
Restore The NST Wiki Database
At this point you can start up the mysqld service and restore the most recent version of the NST Wiki backup. However, before you can restore using the SQL file you will need to drop the wikidb (or whatever you named your database) if it exists:
    [root@probe-p3p1 ~]# systemctl start mysqld.service
    [root@probe-p3p1 ~]# mysql -h 127.0.0.1 --user=root --password
    Enter password:
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 2
    Server version: 5.5.14 MySQL Community Server (GPL)

    Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql> drop database wikidb;
    Query OK, 45 rows affected (0.15 sec)

    mysql> \q
    Bye
    [root@probe-p3p1 ~]#
At this point you can restore the NST Wiki database:
    [root@probe-p3p1 ~]# gzip -dc < /var/nst/backup/db/nstwikidb.sql.gz | mysql -h 127.0.0.1 --user=root --password
    Enter password:
    [root@probe-p3p1 ~]#
Update The NST Wiki Database
If the location you are restoring the database to uses a newer version of MediaWiki, you will likely need to run the MediaWiki upgrade commands. Review the /usr/share/doc/mediawiki/UPGRADE file. Most likely you will need to run the following commands:
    [root@probe-p3p1 ~]# cd /usr/share/mediawiki/maintenance/
    [root@probe-p3p1 maintenance]# php update.php
    A copy of your installation's LocalSettings.php
    must exist and be readable in the source directory.
    [root@probe-p3p1 maintenance]# php update.php --conf /var/nst/mediawiki/LocalSettings.php
    MediaWiki 1.16.5 Updater

    Going to run database updates for wikidb
    Depending on the size of your database this may take a while!
    ... Lots of output as database is updated ...
    Purging caches...done.
    Done.
    [root@probe-p3p1 maintenance]# cd
    [root@probe-p3p1 ~]#
Update LocalSettings.php
Before starting up the web server, you will want to review your LocalSettings.php file:
- Compare it with the back up you made earlier (/root/LocalSettings.php.working).
- Initially disable any extensions currently configured (you may need to install the extension modules before enabling).
- Review the contents of /usr/share/mediawiki/includes/DefaultSettings.php to see if there are any new settings you need to add.
    [root@probe-p3p1 ~]# emacs -nw /var/nst/mediawiki/LocalSettings.php LocalSettings.php.working
    [root@probe-p3p1 ~]#
Also, for some reason a copy of the LocalSettings.php file needs to be under the /usr/share/mediawiki directory (at least for MediaWiki 1.33 and Fedora 30 packaging).
    [root@probe-p3p1 ~]# ln /var/nst/mediawiki/LocalSettings.php /usr/share/mediawiki/LocalSettings.php
    [root@probe-p3p1 ~]#
Restart The Web Service And Test
At this point you should be able to restart the web service and PHP engine and test your installation.
Notes:
- Make sure a php-fpm configuration file exists for the systemd httpd.service unit: "/etc/php-fpm.d/www.conf"
- NST Wiki uses an httpd configuration file: "/etc/httpd/conf.d/nstwiki.conf"
    #
    # This is for the NST Wiki
    #DocumentRoot "/var/nst/mediawiki"
    #ServerName wiki.networksecuritytoolkit.org
    #LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
    #TransferLog logs/wiki_access_log
    #ErrorLog logs/wiki_error_log
    #LogLevel warn
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE # !no-gzip !gzip-only-text/html
    DeflateFilterNote Input input_info
    DeflateFilterNote Output output_info
    DeflateFilterNote Ratio ratio_info
    LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
    CustomLog logs/deflate_log deflate
    #
    # NST Wiki entry point...
    <Directory "/var/nst/mediawiki">
      DirectoryIndex index.php
      Options FollowSymLinks ExecCGI
      Require all granted
      AddOutputFilterByType DEFLATE text/html
    </Directory>
    #
    # IP tools areas (fetch public IP address via SHTML - requires Includes directive)
    <Directory "/var/nst/mediawiki/tools">
      Options Includes
      Require all granted
    </Directory>
    Alias /nstwiki "/var/nst/mediawiki"
    #
    # NST Repo...
    <Directory "/var/nst/repo">
      Options Indexes
      Require all granted
    </Directory>
    Alias /repo "/var/nst/repo"
    #
    # Icons for NST Repo dir listing...
    <Directory "/var/nst/mediawiki/icons">
      Options Indexes MultiViews
      AllowOverride None
    </Directory>
    Alias /icons/ "/var/nst/mediawiki/icons/"
    <Directory "/usr/share/nst-webgl-globe">
      Options -Indexes
      Require all granted
    </Directory>
    Alias /nst-webgl-globe "/var/nst/mediawiki/nst-webgl-globe"
    #
    # Provide server status information
    #
    #<Location /server-status>
    #  SetHandler server-status
    #
    #  AuthType Basic
    #  AuthName "NST WUI: System Management"
    #  AuthUserFile "/etc/nst/httpd/conf/htuser.nst"
    #  require valid-user
    #</Location>
    #
    # Provide server information
    #
    #<Location /server-info>
    #  SetHandler server-info
    #
    #  AuthType Basic
    #  AuthName "NST WUI: System Management"
    #  AuthUserFile "/etc/nst/httpd/conf/htuser.nst"
    #  require valid-user
    #</Location>
- Start these services and then check the NST Wiki.
    [root@probe-p3p1 ~]# systemctl start httpd.service
    [root@probe-p3p1 ~]# systemctl restart php-fpm.service
    [root@probe-p3p1 ~]#
    [root@probe-p3p1 ~]# firefox http://127.0.0.1/nstwiki
    [root@probe-p3p1 ~]#
At this point you should be able to review the contents of the Wiki and determine what is broken (not working). To work out what needs fixing, check the following:
- Examine log files under the /var/log/httpd directory - they will often provide useful clues.
- The /var/nst/mediawiki/LocalSettings.php file (look for new values you might need to override in /usr/share/mediawiki/includes/DefaultSettings.php). Also, consider temporarily enabling the debug logging feature with:
    # Uncomment to enable debug log file when trouble shooting
    $wgDebugLogFile = "/var/log/httpd/debug-wikidb.log";
- Review the /etc/httpd/conf/httpd.conf file.
- Review your mediawiki configuration file under the /etc/httpd/conf.d directory (nstwiki.conf).
Default Font Size
To change the global font size for all NST Wiki pages do the following.
- Search for "MediaWiki:Common.css"
- Add the following CSS entry:
body { font-size: 9pt; }
No Logging: NST Wiki
The Apache Web server can produce copious amounts of logging. Use these steps to disable "httpd" logging: Stop the web service, comment out the following lines in these configuration files, remove the log files and restart the web service.
- Stop the Apache Web server:
systemctl stop httpd.service;
- In file: "/etc/httpd/conf/httpd.conf" comment out line:
# CustomLog "logs/access_log" combined
- In file: "/etc/httpd/conf.d/nstwiki.conf" comment out line:
#CustomLog logs/deflate_log deflate
- Location of "httpd" logs:
    [root@nst-wiki40 conf.d]# ls -al /var/log/httpd/;
    total 2896604
    drwx------. 1 root root        144 Jul 18 20:00 .
    drwxr-xr-x. 1 root root        862 Jul 29 18:20 ..
    -rw-r--r--  1 root root 2072902834 Aug 13 10:46 access_log
    -rw-r--r--  1 root root  889980229 Aug 13 10:46 deflate_log
    -rw-r--r--  1 root root     402944 Aug 13 10:46 error_log
    -rw-r--r--  1 root root    1291618 Jul  4 10:57 ssl_access_log
    -rw-r--r--  1 root root      48143 Jul  3 18:52 ssl_error_log
    -rw-r--r--  1 root root    1486615 Jul  4 10:57 ssl_request_log
- Remove the "access_log" and "deflate_log" log files:
    rm "/var/log/httpd/access_log";
    rm "/var/log/httpd/deflate_log";
- Restart the Apache Web server:
systemctl start httpd.service;
Certbot - HTTPS TLS Certificates
Certbot Overview
Certbot is part of EFF's effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.
Certbot Installation On NST Wiki - Tips & Modifications
This section goes through various steps to install certbot on an NST system for the NST Wiki web service (Apache - HTTPD). It can be a bit tricky.
DNF Install Required Packages
dnf install certbot python3-certbot python3-certbot-apache;
Fedora Python Code Modification (NST 40)
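Insert this hack into the python code: "/usr/lib/python3.12/site-packages/certbot_apache/_internal/entrypoint.py" for Fedora OS identification. Verify whether it has been fixed in a newer version before using the hack. The file is installed by the python3-certbot-apache package, so a package update replaces it and the edit has to be checked again afterwards.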
Before hack:
    os_name, os_version = util.get_os_info()
    os_name = os_name.lower()
    override_class = None
    # Special case for older Fedora versions
After hack:
    os_name, os_version = util.get_os_info()
    os_name = os_name.lower()
    override_class = None
    > os_name = 'fedora'
    > os_version = '40'
    # Special case for older Fedora versions
Create an Apache VirtualHost Configuration File
Certbot requires an Apache VirtualHost configuration file using port: 80. Add this file: "certbot.conf" to the Apache configuration directory: "/etc/httpd/conf.d"
    [root@nst-wiki40 conf.d]# cat /etc/httpd/conf.d/certbot.conf;
    <VirtualHost *:80>
      ServerName wiki.networksecuritytoolkit.org
      ServerAlias *.networksecuritytoolkit.org
      DocumentRoot /var/nst/mediawiki
      RewriteEngine on
      RewriteCond %{SERVER_NAME} =*.networksecuritytoolkit.org [OR]
      RewriteCond %{SERVER_NAME} =wiki.networksecuritytoolkit.org
      RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>
Restart the Apache Web Service
Make sure the Apache Web service is restarted:
    [root@nst-wiki40 scripts]# systemctl restart httpd.service php-fpm.service;
Certbot Configuration
This section lists the certbot apache plugin options used for configuration on an NST system.
- Certbot apache plugin options:
    [root@nst-wiki40 ~]# certbot --help apache
    usage:
      certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

    Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
    it will attempt to use a webserver both for obtaining and installing the
    certificate.

    options:
      -h, --help            show this help message and exit
      -c CONFIG_FILE, --config CONFIG_FILE
                            path to config file (default: /etc/letsencrypt/cli.ini and ~/.config/letsencrypt/cli.ini)

    apache:
      Apache Web Server plugin

      --apache-enmod APACHE_ENMOD
                            Path to the Apache 'a2enmod' binary (default: None)
      --apache-dismod APACHE_DISMOD
                            Path to the Apache 'a2dismod' binary (default: None)
      --apache-le-vhost-ext APACHE_LE_VHOST_EXT
                            SSL vhost configuration extension (default: -le-ssl.conf)
      --apache-server-root APACHE_SERVER_ROOT
                            Apache server root directory (default: /etc/httpd)
      --apache-vhost-root APACHE_VHOST_ROOT
                            Apache server VirtualHost configuration root (default: None)
      --apache-logs-root APACHE_LOGS_ROOT
                            Apache server logs directory (default: /var/log/httpd)
      --apache-challenge-location APACHE_CHALLENGE_LOCATION
                            Directory path for challenge configuration (default: /etc/httpd/conf.d)
      --apache-handle-modules APACHE_HANDLE_MODULES
                            Let installer handle enabling required modules for you (Only Ubuntu/Debian currently) (default: False)
      --apache-handle-sites APACHE_HANDLE_SITES
                            Let installer handle enabling sites for you (Only Ubuntu/Debian currently) (default: False)
      --apache-ctl APACHE_CTL
                            Full path to Apache control script (default: httpd)
      --apache-bin APACHE_BIN
                            Full path to apache2/httpd binary (default: None)
- Run Certbot configuration using the apache plugin:
    certbot --apache --apache-server-root /etc/httpd --apache-bin /usr/sbin/apachectl;
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    Which names would you like to activate HTTPS for?
    We recommend selecting either all domains, or all domains in a VirtualHost/server block.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: wiki.networksecuritytoolkit.org
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel): 1
Crontab - Certificate Updates
Add the following line to the crontab file: "/etc/crontab" for certbot to attempt to renew the NST Wiki certificate (***Note: Both ports 80 and 443 must be accessible from the Internet for renewal to properly update.):
    [root@nst-wiki40 ~]# cat /etc/crontab
    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root

    # For details see man 4 crontabs

    # Example of job definition:
    # .---------------- minute (0 - 59)
    # |  .------------- hour (0 - 23)
    # |  |  .---------- day of month (1 - 31)
    # |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
    # |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
    # |  |  |  |  |
    # *  *  *  *  * user-name  command to be executed
    0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q
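Renewal depends on ports 80 and 443 staying reachable, so it is worth checking independently that certificates are actually being renewed. The following added example (not from the original page or from certbot) reports every certificate that is closer to expiry than a chosen number of days. The function names and the 20-day threshold are assumptions, and the <live-dir>/<name>/cert.pem layout is the one certbot keeps under /etc/letsencrypt/live.

```sh
#!/bin/sh
# Added example: detect certbot lineages whose renewal has stalled.
# Function names and the default threshold are hypothetical choices.

# cert_expires_within CERT DAYS
# Succeeds (0) when CERT expires within DAYS days. A file that openssl cannot
# parse is also treated as expiring, so a damaged certificate is reported.
cert_expires_within() {
    if openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1; then
        return 1    # still valid beyond the window
    fi
    return 0
}

# check_lineages LIVE_DIR MIN_DAYS
# Prints one line per certificate inside the window.
# Returns 0 = all fine, 1 = at least one overdue, 2 = no certificate found.
check_lineages() {
    live_dir=$1
    min_days=$2
    seen=0
    overdue=0
    for cert in "$live_dir"/*/cert.pem; do
        [ -f "$cert" ] || continue
        seen=$(( seen + 1 ))
        if cert_expires_within "$cert" "$min_days"; then
            end=$(openssl x509 -enddate -noout -in "$cert" 2>/dev/null || true)
            printf 'RENEWAL OVERDUE: %s (%s)\n' "$cert" "${end:-unreadable}"
            overdue=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        printf 'no certificates found under %s\n' "$live_dir"
        return 2
    fi
    return "$overdue"
}

# certbot renews once fewer than 30 days remain by default, so a certificate
# with under 20 days left means repeated renewal attempts have failed.
# Usage: sh check_certs.sh /etc/letsencrypt/live 20
if [ "$#" -gt 0 ]; then
    check_lineages "$1" "${2:-20}"
fi
```

Run from cron with the MAILTO=root setting shown above, any overdue line it prints is mailed to root.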
Backup Scripts
Listing of NST Wiki backup scripts:
    [root@nst-wiki40 scripts]# ls -al /var/nst/backup/scripts
    total 224
    drwxr-xr-x 1 root root    398 Jul  5 15:36 .
    drwxr-xr-x 1 root root     32 Oct 25  2011 ..
    -rw-r--r-- 1 root root      0 Feb 28  2007 backup_exclude
    -rwxr-xr-x 1 root root   1177 Jul  5 15:36 backup_nstwiki_configs
    -rwxr-xr-x 1 root root   2217 Nov  7  2016 create_nstwiki_archive
    -rw-r----- 1 root root     36 Feb 28  2007 credentials.cifs
    -rwxr-xr-x 1 root root    552 Aug 21  2019 cron_run_nstwiki_archive
    -rwxr-xr-x 1 root root   1672 Oct 21  2009 nstwiki_mysql_backup
    -rw------- 1 root root 185200 Aug 21  2019 restore-notes.pdf
    -rwxr-xr-x 1 root root   2066 Jul  3 14:35 run_nstwiki_archive
    -rw-r--r-- 1 root root   1480 Aug 28  2006 time.bash
    -rwxr-xr-x 1 root root   2110 Nov 29  2014 transfer_nstwiki_archive
    -rw-r--r-- 1 root root   5568 Mar  3  2007 verbose.bash
Cron: NST Wiki Daily Backups
Add the following links for NST Wiki daily backups:
    [root@nst-wiki40 scripts]# ls -al /etc/cron.daily/
    total 48
    drwxr-xr-x. 1 root root   158 Jul  5 12:42 .
    drwxr-xr-x. 1 root root  7814 Jul  4 11:05 ..
    lrwxrwxrwx  1 root root    48 Jul  5 12:40 cron_run_nstwiki_arche -> /var/nst/backup/scripts/cron_run_nstwiki_archive
    -rwxr-xr-x  1 root root 25571 Jun 19 22:42 google-chrome-beta
    -rwxr-xr-x. 1 root root  1749 Jan 25 19:00 rkhunter
    lrwxrwxrwx  1 root root    27 Jul  5 12:42 run_nstwiki_stats -> /root/bin/run_nstwiki_stats
    -rwxr-xr-x. 1 root root   536 Jan 26 19:00 tripwire-check