This shows you the differences between two versions of the page.
freebsd_nginx_backuppc [2017/07/11 15:58] k2patel [FCGI] |
freebsd_nginx_backuppc [2018/04/04 02:39] k2patel [Backuppc] |
||
---|---|---|---|
Line 4: | Line 4: | ||
Not going to discuss on setting up jail etc., this topic mainly focused on quick installation once your JAIL is setup. | Not going to discuss on setting up jail etc., this topic mainly focused on quick installation once your JAIL is setup. | ||
- | ==== Installation ==== | + | Note: For Linux RHEL Based installation look ([[https://wiki.k2patel.in/doku.php?id=centos_nginx_backuppc4.x | here ]]) |
+ | ===== Installation ===== | ||
Installing packages required.\\ | Installing packages required.\\ | ||
Line 13: | Line 14: | ||
</code> | </code> | ||
- | I've built backuppc4, because i needed to choose more options than default. | + | I've built backuppc4, because i needed to choose more options than default.\\ |
+ | But you can install using command | ||
<code bash> | <code bash> | ||
cd /usr/ports/sysutils/backuppc4/ | cd /usr/ports/sysutils/backuppc4/ | ||
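Review bot: The added sentence "But you can install using command" ends without naming a command, and the code block that follows it is the ports build under `/usr/ports/sysutils/backuppc4/`, so it reads as though the port build is the package install. Finish the sentence with the package command in its own code block, or move it below the ports block so the two install paths are clearly separate.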
Line 21: | Line 23: | ||
</code> | </code> | ||
- | ==== Configuration ==== | + | ===== Configuration ===== |
- | ===== Backuppc ===== | + | ==== Backuppc ==== |
Enable backuppc daemon | Enable backuppc daemon | ||
<code bash> | <code bash> | ||
Line 28: | Line 30: | ||
</code> | </code> | ||
- | ===== FCGI ===== | + | Configure backuppc for first time |
+ | <code bash> | ||
+ | /usr/local/etc/backuppc/update.sh | ||
+ | </code> | ||
+ | ==== FCGI ==== | ||
Running Nginx going to use fcgiwrap package instead of CGI. | Running Nginx going to use fcgiwrap package instead of CGI. | ||
Enable wrapper in rc.conf. | Enable wrapper in rc.conf. | ||
Line 38: | Line 44: | ||
fcgiwrap_main_user="backuppc" | fcgiwrap_main_user="backuppc" | ||
</code> | </code> | ||
+ | |||
+ | ==== NGINX ==== | ||
+ | Enable nginx after system reboot and allow it to run. | ||
+ | <code bash> | ||
+ | sysrc nginx_enable=YES | ||
+ | </code> | ||
+ | |||
+ | Configuring nginx to work with fcgiwrap. | ||
+ | <WRAP prewrap> | ||
+ | <code bash /usr/local/etc/nginx/nginx.conf> | ||
+ | worker_processes 1; | ||
+ | |||
+ | events { | ||
+ | worker_connections 1024; | ||
+ | } | ||
+ | |||
+ | http { | ||
+ | include mime.types; | ||
+ | default_type application/octet-stream; | ||
+ | |||
+ | sendfile on; | ||
+ | |||
+ | keepalive_timeout 65; | ||
+ | |||
+ | gzip on; | ||
+ | |||
+ | server { | ||
+ | listen 80; | ||
+ | server_name <hostname>; | ||
+ | |||
+ | return 302 https://<hostname>$request_uri; | ||
+ | |||
+ | } | ||
+ | |||
+ | server { | ||
+ | listen 443 ssl http2; | ||
+ | server_name <hostname>; | ||
+ | |||
+ | ssl on; | ||
+ | ssl_certificate /usr/local/etc/nginx/ssl/<domain>.crt; | ||
+ | ssl_certificate_key /usr/local/etc/nginx/ssl/<domain>.key; | ||
+ | ssl_trusted_certificate /usr/local/etc/nginx/ssl/<domain>.ca; | ||
+ | |||
+ | # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) | ||
+ | add_header Strict-Transport-Security max-age=15768000; | ||
+ | |||
+ | # OCSP Stapling --- | ||
+ | # fetch OCSP records from URL in ssl_certificate and cache them | ||
+ | ssl_stapling on; | ||
+ | ssl_stapling_verify off; | ||
+ | |||
+ | # modern configuration. tweak to your needs. | ||
+ | ssl_protocols TLSv1.2; | ||
+ | ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | ||
+ | ssl_prefer_server_ciphers on; | ||
+ | |||
+ | ssl_session_timeout 1d; | ||
+ | ssl_session_cache shared:SSL:50m; | ||
+ | ssl_session_tickets off; | ||
+ | |||
+ | add_header Strict-Transport-Security max-age=63072000; | ||
+ | add_header X-Frame-Options DENY; | ||
+ | add_header X-Content-Type-Options nosniff; | ||
+ | |||
+ | error_page 500 502 503 504 /50x.html; | ||
+ | location = /50x.html { | ||
+ | root /usr/local/www/nginx-dist; | ||
+ | } | ||
+ | |||
+ | access_log /var/log/nginx/backuppc.access.log; | ||
+ | error_log /var/log/nginx/backuppc.error.log; | ||
+ | |||
+ | location / { | ||
+ | auth_basic "Backup"; | ||
+ | auth_basic_user_file /usr/local/etc/nginx/backuppc.users; | ||
+ | root /usr/local/www; | ||
+ | return 302 http://<hostname>/cgi-bin/BackupPC_Admin; | ||
+ | index BackupPC.html; | ||
+ | } | ||
+ | |||
+ | location /backuppc { | ||
+ | alias /usr/local/www/backuppc; | ||
+ | index BackupPC.html; | ||
+ | } | ||
+ | |||
+ | #location ~\.cgi$ { | ||
+ | location ~ ^/cgi-bin/BackupPC_Admin(/|$) { | ||
+ | auth_basic "Backup"; | ||
+ | auth_basic_user_file /usr/local/etc/nginx/backuppc.users; | ||
+ | gzip off; | ||
+ | include /usr/local/etc/nginx/fastcgi_params; | ||
+ | fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.socket; | ||
+ | |||
+ | fastcgi_param REMOTE_ADDR $remote_addr; | ||
+ | fastcgi_param REMOTE_USER $remote_user; | ||
+ | fastcgi_param SCRIPT_FILENAME /usr/local/www/cgi-bin/BackupPC_Admin; | ||
+ | } | ||
+ | |||
+ | location ~ /\.ht { | ||
+ | deny all; | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | </code> | ||
+ | </WRAP> | ||
+ | |||
+ | ===== Outgoing Mail ===== | ||
+ | In order to send notice and mail from backuppc i configured sendonly mail 'ssmtp'.\\ | ||
+ | |||
+ | **installation:** | ||
+ | <code bash> | ||
+ | pkg install ssmtp | ||
+ | </code> | ||
+ | |||
+ | **Configuration:** | ||
+ | This is simple but few points to remember: | ||
+ | - It does not use /etc/aliases | ||
+ | - change your mail configuration | ||
+ | - You have to configure your aliases in `/usr/local/etc/ssmtp/revaliases` | ||
+ | - mail command does not read these aliases | ||
+ | |||
+ | <code bash /usr/local/etc/ssmtp/revaliases (optional)> | ||
+ | # Alias look like this | ||
+ | root:k2patel@hotmail.com:smtp.k2patel.in | ||
+ | </code> | ||
+ | |||
+ | <code bash /usr/local/etc/ssmtp/ssmtp.conf> | ||
+ | # This is simplified version of my configuraiton | ||
+ | root=k2patel@hotmail.com | ||
+ | mailhub=smtp.k2patel.in | ||
+ | rewriteDomain=backup.k2patel.in | ||
+ | hostname=_HOSTNAME_ | ||
+ | </code> | ||
+ | |||
+ | <code bash /etc/mail/mailer.conf> | ||
+ | # this is what my mailer.conf file looks like | ||
+ | sendmail /usr/local/sbin/ssmtp | ||
+ | send-mail /usr/local/sbin/ssmtp | ||
+ | mailq /usr/local/sbin/ssmtp | ||
+ | newaliases /usr/local/sbin/ssmtp | ||
+ | hoststat /usr/bin/true | ||
+ | purgestat /usr/bin/true | ||
+ | </code> | ||
+ | |||
+ | <code bash /etc/mail.rc> | ||
+ | # this change does not require, unless you want to send email using mail command and want aliases to work | ||
+ | set append dot save ask crt | ||
+ | ignore Received Message-Id Resent-Message-Id Status Mail-From Return-Path Via | ||
+ | alias root backup@k2patel.in | ||
+ | </code> | ||
+ | ===== Troubleshooting ===== | ||
+ | - If there is any issue related to fcgiwrap | ||
+ | - Check permission of '/var/run/fcgiwrap/fcgiwrap.socket', it should be owned by 'www'. | ||
+ | - Creating user for nginx '/usr/local/etc/nginx/backuppc.users' | ||
+ | - openssl passwd -apr1 | ||
+ |
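Review bot: In the 443 server's `location /`, `return 302 http://<hostname>/cgi-bin/BackupPC_Admin;` sends a client that is already on HTTPS to plain HTTP, where the port 80 server bounces it back to HTTPS; point the redirect at `https://<hostname>/cgi-bin/BackupPC_Admin` so no request leaves TLS. The `index BackupPC.html;` after that `return` is never reached and can be dropped. `add_header Strict-Transport-Security` appears twice in the same server block (`max-age=15768000` and `max-age=63072000`), so both headers are emitted with conflicting lifetimes; keep one and make the comment match its value. `ssl on;` repeats what `listen 443 ssl http2;` already sets. In ssmtp.conf no TLS option (`UseSTARTTLS` or `UseTLS`) is set for `mailhub=smtp.k2patel.in`, so state whether notification mail is meant to reach the hub unencrypted. In Troubleshooting, `openssl passwd -apr1` only prints a hash; show the `user:hash` line that goes into `/usr/local/etc/nginx/backuppc.users` and the file's intended owner and mode.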