====== freebsd + nginx + backuppc ======

My current installation is inside a jail on FreeNAS.\\
Setting up the jail is not covered here; this page focuses on a quick installation once your jail is set up.

Note: For a RHEL-based Linux installation, look ([[https://wiki.k2patel.in/doku.php?id=centos_nginx_backuppc4.x | here ]]).

===== Installation =====

Install the required packages.\\

<code>
pkg install nginx
pkg install rrdtool
pkg install fcgiwrap
</code>

I've built backuppc4 because I needed to choose more options than the default.\\
You can install it using these commands:

<code>
cd /usr/ports/sysutils/backuppc4/
make config # Select options you want to install
make -j4
make install
</code>

===== Configuration =====

==== Backuppc ====

Enable the backuppc daemon.

<code>
sysrc backuppc_enable=YES
</code>

Configure backuppc for the first time.

<code>
/usr/local/etc/backuppc/update.sh
</code>

==== FCGI ====

Nginx uses the fcgiwrap package to run the BackupPC CGI script. Enable the wrapper in rc.conf.

<code>
fcgiwrap_enable="YES"
fcgiwrap_profiles="main"
fcgiwrap_socket_owner="www"
fcgiwrap_main_socket="unix:/var/run/fcgiwrap/fcgiwrap.socket"
fcgiwrap_main_user="backuppc"
</code>

==== NGINX ====

Enable nginx so that it starts after a system reboot.

<code>
sysrc nginx_enable=YES
</code>

Configure nginx to work with fcgiwrap.

<code>
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    gzip  on;

    server {
        listen       80;
        server_name  ;
        return 302 https://$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name ;

        ssl_certificate /usr/local/etc/nginx/ssl/.crt;
        ssl_certificate_key /usr/local/etc/nginx/ssl/.key;
        ssl_trusted_certificate /usr/local/etc/nginx/ssl/.int.ca;

        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;

        # OCSP Stapling ---
        # fetch OCSP records from URL in ssl_certificate and cache them
        ssl_stapling on;
        ssl_stapling_verify off;

        # modern configuration. tweak to your needs.
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_prefer_server_ciphers on;

        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        add_header Strict-Transport-Security max-age=63072000;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }

        access_log  /var/log/nginx/backuppc.access.log;
        error_log  /var/log/nginx/backuppc.error.log;

        location / {
            auth_basic "Backup";
            auth_basic_user_file /usr/local/etc/nginx/backuppc.users;
            root /usr/local/www;
            return 302 http:///cgi-bin/BackupPC_Admin;
            index BackupPC.html;
        }

        location /backuppc {
            alias /usr/local/www/backuppc;
            index BackupPC.html;
        }

        #location ~\.cgi$ {
        location ~ ^/cgi-bin/BackupPC_Admin(/|$) {
            auth_basic "Backup";
            auth_basic_user_file /usr/local/etc/nginx/backuppc.users;
            gzip off;
            include /usr/local/etc/nginx/fastcgi_params;
            fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.socket;
            fastcgi_param REMOTE_ADDR     $remote_addr;
            fastcgi_param REMOTE_USER     $remote_user;
            fastcgi_param SCRIPT_FILENAME /usr/local/www/cgi-bin/BackupPC_Admin;
        }

        location ~ /\.ht {
            deny  all;
        }
    }
}
</code>

===== Outgoing Mail =====

In order to send notices and mail from backuppc I configured the send-only mailer 'ssmtp'.\\

**Installation:**

<code>
pkg install ssmtp
</code>

**Configuration:**

This is simple, but there are a few points to remember:

  - It does not use /etc/aliases
  - change your mail configuration
  - You have to configure your aliases in `/usr/local/etc/ssmtp/revaliases`
  - mail command does not read these aliases

<code>
# An alias looks like this
root:k2patel@hotmail.com:smtp.k2patel.in
</code>

<code>
# This is a simplified version of my configuration
root=k2patel@hotmail.com
mailhub=smtp.k2patel.in
rewriteDomain=backup.k2patel.in
hostname=_HOSTNAME_
</code>

<code>
# This is what my mailer.conf file looks like
sendmail        /usr/local/sbin/ssmtp
send-mail       /usr/local/sbin/ssmtp
mailq           /usr/local/sbin/ssmtp
newaliases      /usr/local/sbin/ssmtp
hoststat        /usr/bin/true
purgestat       /usr/bin/true
</code>

<code>
# This change is not required unless you want to send email using the mail command and want aliases to work
set append dot save ask crt
ignore Received Message-Id Resent-Message-Id Status Mail-From Return-Path Via
alias root backup@k2patel.in
</code>

===== Troubleshooting =====

  - If there is any issue related to fcgiwrap
    - Check the permissions of '/var/run/fcgiwrap/fcgiwrap.socket'; it should be owned by 'www'.
  - Creating a user for nginx in '/usr/local/etc/nginx/backuppc.users'
    - openssl passwd -apr1
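
The two troubleshooting checks above as a small sh script. This is an added example, not part of the original page: the function names are hypothetical, while the paths and the 'www' owner are the ones used on this page. The password is read from stdin and hashed with `openssl passwd -apr1`.

```sh
#!/bin/sh
# Added example; function names are hypothetical, paths are the page's.
SOCKET=/var/run/fcgiwrap/fcgiwrap.socket
USERS_FILE=/usr/local/etc/nginx/backuppc.users

# Print the owning user of a path (third field of ls -l on FreeBSD and Linux).
path_owner() {
    ls -ld -- "$1" 2>/dev/null | awk '{print $3}'
}

# Succeed only if $1 is a UNIX socket owned by user $2.
check_socket() {
    if [ ! -S "$1" ]; then
        echo "FAIL: $1 is missing or not a socket" >&2
        return 1
    fi
    owner=$(path_owner "$1")
    if [ "$owner" != "$2" ]; then
        echo "FAIL: $1 is owned by '$owner', expected '$2'" >&2
        return 1
    fi
    echo "OK: $1 is a socket owned by $2"
}

# Add or replace user $2 in htpasswd-style file $1. The password is read
# from stdin, so it never appears in the process list.
add_user() {
    case "$2" in
        ''|*[!A-Za-z0-9._-]*) echo "FAIL: invalid user name '$2'" >&2; return 1 ;;
    esac
    hash=$(openssl passwd -apr1 -stdin) || return 1
    [ -n "$hash" ] || return 1
    (
        umask 027                      # new file is not world-readable
        tmp="$1.tmp.$$"
        # Keep every existing entry except the one being replaced.
        if [ -f "$1" ]; then awk -F: -v u="$2" '$1 != u' "$1"; fi > "$tmp"
        printf '%s:%s\n' "$2" "$hash" >> "$tmp"
        mv "$tmp" "$1"
    )
}

# Usage, as root inside the jail (password-file is a placeholder):
#   check_socket "$SOCKET" www
#   add_user "$USERS_FILE" admin < password-file
```

The users file is written with mode 640, so the nginx worker needs group access to it (for example `chgrp www`, assuming the worker runs as the same 'www' user that owns the socket).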