freebsd + nginx + backuppc

My current installation runs inside a jail on FreeNAS.
Setting up the jail itself is not covered here; this page focuses on a quick installation once your jail is set up.

Installation

Install the required packages.

pkg install nginx
pkg install rrdtool
pkg install fcgiwrap

I built backuppc4 from ports, because I needed to choose more options than the default.
You can install it using these commands:

cd /usr/ports/sysutils/backuppc4/
make config # Select options you want to install
make -j4
make install

Configuration

Backuppc

Enable backuppc daemon

sysrc backuppc_enable=YES

FCGI

Nginx uses the fcgiwrap package to run the BackupPC CGI script instead of plain CGI. Enable the wrapper in rc.conf.

/etc/rc.conf
fcgiwrap_enable="YES"
fcgiwrap_profiles="main"
fcgiwrap_socket_owner="www"
fcgiwrap_main_socket="unix:/var/run/fcgiwrap/fcgiwrap.socket"
fcgiwrap_main_user="backuppc"

NGINX

Enable nginx so that it is allowed to run and starts after a system reboot.

sysrc nginx_enable=YES

Configuring nginx to work with fcgiwrap.

/usr/local/etc/nginx/nginx.conf
worker_processes  1;
 
events {
    worker_connections  1024;
}
 
http {
    include       mime.types;
    default_type  application/octet-stream;
 
    sendfile        on;
 
    keepalive_timeout  65;
 
    gzip  on;
 
    server {
        listen       80;
        server_name  <hostname>;
 
        return 302 https://<hostname>$request_uri;
 
    }
 
    server {
        listen       443 ssl http2;  
        server_name  <hostname>;
 
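        # TLS is already enabled by the "ssl" parameter on the listen line; the obsolete "ssl on;" directive is dropped.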
        ssl_certificate      /usr/local/etc/nginx/ssl/<domain>.crt;
        ssl_certificate_key  /usr/local/etc/nginx/ssl/<domain>.key;
        ssl_trusted_certificate /usr/local/etc/nginx/ssl/<domain>.ca;
 
        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;
 
        # OCSP Stapling ---
        # fetch OCSP records from URL in ssl_certificate and cache them
        ssl_stapling on;
        ssl_stapling_verify off;
 
        # modern configuration. tweak to your needs.
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_prefer_server_ciphers on;
 
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
 
        # Strict-Transport-Security is already set above; a second copy with a different max-age is not sent.
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
 
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }
 
        access_log  /var/log/nginx/backuppc.access.log;
        error_log   /var/log/nginx/backuppc.error.log;
 
        location / {
          auth_basic "Backup";
          auth_basic_user_file /usr/local/etc/nginx/backuppc.users;
          root /usr/local/www;
          return 302 https://<hostname>/cgi-bin/BackupPC_Admin;
          index BackupPC.html;
        }
 
        location /backuppc {
           alias /usr/local/www/backuppc;
           index BackupPC.html;
        }
 
        #location ~\.cgi$ {
        location ~ ^/cgi-bin/BackupPC_Admin(/|$) {
          auth_basic "Backup";
          auth_basic_user_file /usr/local/etc/nginx/backuppc.users;
          gzip off;
          include /usr/local/etc/nginx/fastcgi_params;
          fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.socket;
 
          fastcgi_param REMOTE_ADDR     $remote_addr;
          fastcgi_param REMOTE_USER     $remote_user;
          fastcgi_param SCRIPT_FILENAME /usr/local/www/cgi-bin/BackupPC_Admin;
        }
 
        location ~ /\.ht {
            deny  all;
        }
    }
}
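
A quick audit for a configuration like the one above, as an added example that is not part of the original page: it flags any location that hands requests to fcgiwrap without `auth_basic_user_file`, and any redirect to plain `http://` inside a server block that listens with `ssl`. It assumes one directive per line and no nested blocks inside a location, as in the config shown; `audit_nginx`, `sample_conf` and the sample host name are constructed for illustration.

```shell
#!/bin/sh
# Added example: heuristic audit for an nginx.conf written one directive per line.
# audit_nginx and sample_conf are names made up for this example.

audit_nginx() {
    awk '
        /^[ \t]*#/ { next }                           # ignore comment lines
        /^[ \t]*server[ \t]*[{]/ { tls = 0 }          # a new server block starts
        /^[ \t]*listen[ \t].*[ \t]ssl/ { tls = 1 }    # this server terminates TLS
        /^[ \t]*location[ \t]/ {                      # remember the location name
            name = $0
            sub(/^[ \t]*location[ \t]+/, "", name)
            sub(/[ \t]*[{].*$/, "", name)
            inloc = 1; auth = 0; cgi = 0
            next
        }
        tls && /^[ \t]*return[ \t]+30[0-9][ \t]+http:/ {
            print "line " NR ": redirect to plain http inside a TLS server"
        }
        inloc && /^[ \t]*auth_basic_user_file[ \t]/ { auth = 1 }
        inloc && /^[ \t]*fastcgi_pass[ \t]/ { cgi = 1 }
        inloc && /^[ \t]*[}]/ {                       # location closes: report
            if (cgi && !auth)
                print "location " name ": fastcgi_pass without auth_basic_user_file"
            inloc = 0
        }
    ' "$1"
}

# Constructed sample: one unauthenticated CGI location and one http:// redirect.
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    location / {
        return 302 http://backup.example.org/cgi-bin/BackupPC_Admin;
    }
    location /cgi-bin/open {
        fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.socket;
    }
    location /cgi-bin/BackupPC_Admin {
        auth_basic "Backup";
        auth_basic_user_file /usr/local/etc/nginx/backuppc.users;
        fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.socket;
    }
}
EOF
}
```

After sourcing the file, `audit_nginx /usr/local/etc/nginx/nginx.conf` prints one line per finding and nothing when both checks pass; run `nginx -t` separately for syntax.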

Outgoing Mail

To send notices and mail from BackupPC, I configured the send-only mailer 'ssmtp'.

Installation:

pkg install ssmtp

Configuration: this is simple, but there are a few points to remember:

  1. It does not use /etc/aliases
  2. Change your mail configuration
  3. You have to configure your aliases in `/usr/local/etc/ssmtp/revaliases`
  4. The mail command does not read these aliases

/usr/local/etc/ssmtp/revaliases
# Aliases look like this
root:k2patel@hotmail.com:smtp.k2patel.in

/usr/local/etc/ssmtp/ssmtp.conf
# This is a simplified version of my configuration
root=k2patel@hotmail.com
mailhub=smtp.k2patel.in
rewriteDomain=backup.k2patel.in
hostname=_HOSTNAME_

/etc/mail/mailer.conf
# This is what my mailer.conf file looks like
sendmail	/usr/local/sbin/ssmtp
send-mail	/usr/local/sbin/ssmtp
mailq		/usr/local/sbin/ssmtp
newaliases	/usr/local/sbin/ssmtp
hoststat	/usr/bin/true
purgestat	/usr/bin/true

/etc/mail.rc
# This change is not required unless you want to send email using the mail command and want aliases to work
set append dot save ask crt
ignore Received Message-Id Resent-Message-Id Status Mail-From Return-Path Via
alias root backup@k2patel.in

Troubleshooting

  1. If there is any issue related to fcgiwrap
    1. Check the permissions of '/var/run/fcgiwrap/fcgiwrap.socket'; it should be owned by 'www'.
  2. Creating a user for nginx in '/usr/local/etc/nginx/backuppc.users'
    1. openssl passwd -apr1
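
The user-creation step above as a small helper, added here as an example and not part of the original page: it writes `user:hash` lines in the format `auth_basic_user_file` expects, using the same `openssl passwd -apr1` call, and can check a password against the stored hash. `add_user` and `check_user` are hypothetical names.

```shell
#!/bin/sh
# Added example: maintain the file named in auth_basic_user_file.
# add_user and check_user are names made up for this example.

# add_user FILE USER PASSWORD: add USER, or replace the existing entry.
add_user() {
    file=$1; user=$2; pass=$3
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "invalid user name" >&2; return 2 ;;
    esac
    # -stdin keeps the password out of the process list (unlike an argument).
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin) || return 1
    # Create the file without world access; existing permissions are kept.
    [ -e "$file" ] || ( umask 027; : > "$file" )
    tmp=$(mktemp) || return 1
    awk -F: -v u="$user" '$1 != u' "$file" > "$tmp"
    printf '%s:%s\n' "$user" "$hash" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# check_user FILE USER PASSWORD: succeed only if PASSWORD matches the stored hash.
check_user() {
    stored=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    case $stored in
        '$apr1$'*) ;;
        *) return 1 ;;
    esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)   # $apr1$<salt>$<digest>
    calc=$(printf '%s\n' "$3" | openssl passwd -apr1 -salt "$salt" -stdin) || return 1
    [ "$calc" = "$stored" ]
}
```

Point it at `/usr/local/etc/nginx/backuppc.users` and keep that file readable only by root and the nginx worker user (assumed here to be `www`, matching the socket owner set in rc.conf).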
freebsd_nginx_backuppc.txt · Last modified: 2017/07/21 16:28 by k2patel