How To Secure Website using free SSL with Let’s Encrypt

Introduction

This tutorial shows how to set up a TLS/SSL certificate on a Debian 8 server that runs Nginx as a forwarding (reverse-proxy) web server. It also explains how to automate certificate renewal with a cron job.

A TLS certificate lets the web server encrypt the traffic between server and client, which protects the users of the application. This article shows an easy way to obtain and install a trusted certificate for free.

Prerequisites

To complete this guide you will need:

  • A Debian 8 server with a non-root sudo user
  • Nginx as the proxy/forwarding server
  • Apache as the web server behind it
  • WordPress as the CMS application

Step 1 — Install Let’s Encrypt Client

Let's Encrypt can be installed in several ways; this article uses the simplest one, cloning the Let's Encrypt client repository:

$ sudo apt-get install git
$ cd /opt
$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto certonly --manual -d widianto.org -d www.widianto.org

The last command runs an interactive --manual validation and produces two things, in this order:

  1. A validation token. Let's Encrypt fetches it from http://widianto.org/.well-known/acme-challenge/<token> to prove that you control widianto.org; the client waits until you have published it and then continues.
  2. Once validation passes, the certificate files under /etc/letsencrypt/live/widianto.org/. Of the files there, nginx needs only two: fullchain.pem and privkey.pem.

Step 2 — Configure Vhost Nginx

Two things are configured in the nginx vhost:

[1] The validation token. You get it when you run the command above; the output looks roughly like this:

=========================================================================

Make sure your web server displays the following content at
http://widianto.org/.well-known/acme-challenge/0yrmsg00ZoTN4-sif0ahtNmEs85nAEw4Eu6P9r79lZk before continuing:

0yrmsg00ZoTN4-sif0ahtNmEs85nAEw4Eu6P9r79lZk.4c6Dt_ds9cv8qL-8Vs47I8zsNjtU4JhyQeQV_zuxzmw

If you don’t have HTTP server configured, you can run the following
command on the target server (as root):

========================================================================

What matters is the line that starts with the token (0yrmsg00...): that string is exactly what Let's Encrypt fetches. Add a location for it to the port-80 server block of the vhost, because validation happens over plain HTTP and before the certificate exists:

    location /.well-known/acme-challenge/0yrmsg00ZoTN4-sif0ahtNmEs85nAEw4Eu6P9r79lZk {
        default_type text/plain;
        return 200 "0yrmsg00ZoTN4-sif0ahtNmEs85nAEw4Eu6P9r79lZk.4c6Dt_ds9cv8qL-8Vs47I8zsNjtU4JhyQeQV_zuxzmw";
    }

[2] The certificate files, stored under /etc/letsencrypt/live/widianto.org/. Of the files there, nginx needs only fullchain.pem and privkey.pem:

listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/widianto.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/widianto.org/privkey.pem;

The complete vhost looks like this:

upstream www.widianto.org {
    server 172.16.10.11;
}

# Plain HTTP: serve the ACME challenge here (validation happens over port 80,
# before any certificate exists) and redirect everything else to HTTPS.
server {
    listen      80;
    server_name widianto.org www.widianto.org;

    location /.well-known/acme-challenge/0yrmsg00ZoTN4-sif0ahtNmEs85nAEw4Eu6P9r79lZk {
        default_type text/plain;
        return 200 "0yrmsg00ZoTN4-sif0ahtNmEs85nAEw4Eu6P9r79lZk.4c6Dt_ds9cv8qL-8Vs47I8zsNjtU4JhyQeQV_zuxzmw";
    }
    # For unattended --webroot renewals, replace the hard-coded token above with
    #   location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    # (any directory) and pass the same directory to letsencrypt-auto with -w.

    location / {
        return 301 https://widianto.org$request_uri;
    }
}

# www over HTTPS: present the certificate (it covers both names), then redirect
# to the bare domain.
server {
    listen      443 ssl;
    server_name www.widianto.org;
    ssl_certificate     /etc/letsencrypt/live/widianto.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/widianto.org/privkey.pem;
    return 301 https://widianto.org$request_uri;
}

server {
    listen      443 ssl;
    server_name widianto.org;
    access_log  /var/log/nginx/widian.top/access.log;
    error_log   /var/log/nginx/widian.top/error.log;
    ssl_certificate     /etc/letsencrypt/live/widianto.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/widianto.org/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000";

    # nginx status page: internal only, never reachable from the Internet.
    location /stats {
        stub_status on;
        access_log  off;
        allow 127.0.0.1;
        deny  all;
    }

    location / {
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto https;
        # the upstream block above is named after the public host, so this
        # resolves to the Apache backend at 172.16.10.11, not through DNS
        proxy_pass  http://www.widianto.org;
    }
}

Then test the configuration and reload nginx so the changes take effect:

$ sudo nginx -t
$ sudo service nginx reload

The vhost above leaves nginx's default TLS protocol and cipher settings in place; on a production host restrict them with ssl_protocols and ssl_ciphers, and keep privkey.pem readable by root only.

Step 3 — Setup Auto renewal

Let's Encrypt certificates are valid for 90 days; renewing every 60 days leaves a margin for error. The client ships a renew command that checks every certificate it manages and renews those with less than 30 days left.

So the check should run automatically every week. The client needs root to write to /etc/letsencrypt, so edit root's crontab:

$ sudo crontab -e

Then add this line:

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log 2>&1 && /usr/sbin/service nginx reload

Save and exit. This cron job runs letsencrypt-auto renew every Monday at 02:30 and appends its output to /var/log/le-renew.log; the reload afterwards is needed because nginx keeps serving the old certificate until it re-reads the files (the full path to service is used because cron's PATH does not include /usr/sbin). One caveat: a certificate obtained with --manual, as in Step 1, cannot be renewed unattended, because renew has no way to publish the new validation token. Obtain it with --webroot -w <directory> instead, where <directory> is the one nginx serves /.well-known/acme-challenge/ from in the port-80 server block.
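A renewal job that closes the loop, added here as an example (this is not from the original post and not part of the Let's Encrypt client): it runs renew, reloads nginx only when the certificate file really changed and only if the config test still passes, and logs the days left until expiry so a silently failing renewal is noticed before the site goes down. It assumes the certificate was issued with --webroot so renew can run unattended, and the paths in the variables below; the log format is my own.

```sh
#!/bin/sh
# Added example (not from the original post): cron wrapper around
# "letsencrypt-auto renew". Assumes the cert was issued with --webroot so renew
# can run unattended, and the paths below (override via environment if not).
set -u

LE_BIN="${LE_BIN:-/opt/letsencrypt/letsencrypt-auto}"
CERT="${CERT:-/etc/letsencrypt/live/widianto.org/fullchain.pem}"
LOG="${LOG:-/var/log/le-renew.log}"
WARN_DAYS="${WARN_DAYS:-15}"

# sha256 of a file, or "" if it does not exist yet.
file_fingerprint() {
    [ -f "$1" ] || { echo ""; return 0; }
    sha256sum "$1" | cut -d' ' -f1
}

# True when two fingerprints differ, i.e. the certificate was replaced.
cert_changed() {
    [ "$1" != "$2" ]
}

# Days until expiry, from the "notAfter=..." line printed by
# "openssl x509 -noout -enddate"; takes the line as an argument so it can be
# exercised without a certificate on disk (GNU date is assumed).
days_left_from_notafter() {
    exp_epoch=$(date -u -d "${1#notAfter=}" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (exp_epoch - now_epoch) / 86400 ))
}

log() { echo "$(date -u +%FT%TZ) $*" >>"$LOG"; }

main() {
    before=$(file_fingerprint "$CERT")
    "$LE_BIN" renew --quiet >>"$LOG" 2>&1
    rc=$?
    after=$(file_fingerprint "$CERT")
    if [ "$rc" -eq 0 ] && cert_changed "$before" "$after"; then
        # nginx keeps serving the old cert until it re-reads the files;
        # full paths because cron's PATH does not include /usr/sbin.
        if /usr/sbin/nginx -t >>"$LOG" 2>&1; then
            /usr/sbin/service nginx reload >>"$LOG" 2>&1 && log "certificate changed, nginx reloaded"
        else
            log "certificate changed but nginx config test failed, NOT reloaded"
        fi
    fi
    if [ -f "$CERT" ]; then
        left=$(days_left_from_notafter "$(openssl x509 -in "$CERT" -noout -enddate)")
        log "renew rc=$rc days_left=$left"
        [ "$left" -ge "$WARN_DAYS" ] || log "WARNING: certificate expires in $left days"
    else
        log "renew rc=$rc, no certificate at $CERT"
    fi
    return "$rc"
}

# Only act when invoked as "le-renew.sh run", so the functions can be sourced.
case "${1:-}" in
    run) main ;;
esac
```

Install it as /usr/local/sbin/le-renew.sh (mode 0755, owned by root) and replace the crontab line with `30 2 * * 1 /usr/local/sbin/le-renew.sh run`; the WARNING line in the log is what a log monitor should alert on.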

Show database, table and indexes size on PostgreSQL

I have often needed to see how disk space is used by my databases, tables and indexes. Here I will try to explain, concisely and simply, how to get this useful information.

Show database size

The simplest way to show a database's size is to run this query:

SELECT pg_size_pretty(pg_database_size('dbname'));

pg_database_size returns the size in bytes, and pg_size_pretty turns that value into a more human-readable form.

A possible result of this query:

dbname=> SELECT pg_size_pretty(pg_database_size('dbname'));
 pg_size_pretty
----------------
 76 MB
(1 row)

Show relation size

There are two ways to view a relation's size. A relation, in PostgreSQL terms, is a table or an index.

Table size without its indexes (and without its TOAST data):

dbname=> select pg_size_pretty(pg_relation_size('cities_region'));
 pg_size_pretty
----------------
 4224 kB
(1 row)

Table size including its indexes (and TOAST data):

dbname=> select pg_size_pretty(pg_total_relation_size('cities_region'));
 pg_size_pretty
----------------
 18 MB
(1 row)

In the same way, you can show an index's size:

dbname=> select pg_size_pretty(pg_relation_size('cities_region_name'));
 pg_size_pretty
----------------
 1688 kB
(1 row)

Show list of biggest relations on your database

This query shows the ten largest relations with their size:

SELECT relname AS "relation", pg_size_pretty(pg_relation_size(C.oid)) AS "size"
  FROM pg_class C LEFT JOIN pg_namespace N ON (N.oid = C.relnamespace)
  WHERE nspname NOT IN ('pg_catalog', 'information_schema')
  ORDER BY pg_relation_size(C.oid) DESC
  LIMIT 10;

The output includes both indexes and tables.

Example output:

dbname=> SELECT relname AS "relation", pg_size_pretty(pg_relation_size(C.oid)) AS "size"
dbname->   FROM pg_class C LEFT JOIN pg_namespace N ON (N.oid = C.relnamespace)
dbname->   WHERE nspname NOT IN ('pg_catalog', 'information_schema')
dbname->   ORDER BY pg_relation_size(C.oid) DESC
dbname->   LIMIT 10;
                   relation                   |  size
----------------------------------------------+---------
 cities_region                                | 4224 kB
 cities_city                                  | 3848 kB
 cities_city_region_id_name_key               | 1888 kB
 cities_region_name_like                      | 1768 kB
 cities_region_slug_like                      | 1760 kB
 cities_region_slug                           | 1744 kB
 django_session                               | 1736 kB
 cities_region_name                           | 1688 kB
 cities_city_country_id_401060b88e5285df_uniq | 1432 kB
 cities_region_geoname_id_key                 | 1384 kB
(10 rows)

Similarly, this query shows the five largest tables with their size including indexes (it skips indexes themselves and the pg_toast schema, so each table is counted once):

SELECT relname AS "relation",
    pg_size_pretty(pg_total_relation_size(C.oid)) AS "total_size"
  FROM pg_class C
  LEFT JOIN pg_namespace N ON (N.oid = C.relnamespace)
  WHERE nspname NOT IN ('pg_catalog', 'information_schema')
    AND C.relkind <> 'i'
    AND nspname !~ '^pg_toast'
  ORDER BY pg_total_relation_size(C.oid) DESC
  LIMIT 5;

A possible output:

dbname=> SELECT relname AS "relation",
dbname->     pg_size_pretty(pg_total_relation_size(C.oid)) AS "total_size"
dbname->   FROM pg_class C
dbname->   LEFT JOIN pg_namespace N ON (N.oid = C.relnamespace)
dbname->   WHERE nspname NOT IN ('pg_catalog', 'information_schema')
dbname->     AND C.relkind <> 'i'
dbname->     AND nspname !~ '^pg_toast'
dbname->   ORDER BY pg_total_relation_size(C.oid) DESC
dbname->   LIMIT 5;
    relation     | total_size
-----------------+------------
 cities_region   | 18 MB
 cities_city     | 17 MB
 auth_user       | 3048 kB
 django_session  | 3024 kB
 profile_profile | 3016 kB
(5 rows)

Source:
https://www.niwi.nz/2013/02/17/postgresql-database-table-indexes-size/

RancherOs Installation

To install RancherOS on an ESXi server, first download the RancherOS ISO image from its website.

1. Create new Virtual Machine for RancherOS

On ESXi, create a new virtual machine with at least 1 GB of memory. After creating it, upload rancheros.iso to your ESXi datastore and set the VM's CD/DVD drive to use it.

2. Start rancheros

Once you click Start, the OS boots quickly and prompts for a login. RancherOS is now running from RAM; log in with the credentials rancher/rancher. Nothing you change now survives a reboot. What we want is a Docker-ready OS on disk, so the next step is installing RancherOS to the disk.

3. Prepare your cloud-config.yml

Before installing RancherOS to the hard disk, you need to prepare a cloud-config.

You also need to generate a new SSH key pair for the cloud-config.yml file (ssh-keygen does this).

Add your public key to cloud-config.yml as shown below.

This is applied on the first boot after installation; you then connect to the host with the matching private key.

Next, configure the network before installation. The following is an example; you need to set the DNS server, the interface's IP address and the default gateway.

#cloud-config
ssh_authorized_keys:
 - ssh-rsa AAAAB3NzaCURHZlGvtcq4bZXxkl wid@voxteneo.asia
hostname: rancheros-cd01
rancher:
  network:
    dns:
      nameservers:
      - 202.150.128.65
    interfaces:
      eth*:
        dhcp: false
      eth0:
        address: 202.150.132.121/28
        gateway: 202.150.132.113
        mtu: 1500

Make sure you have only one Ethernet interface; the current RancherOS installer has problems configuring multiple NICs.

Finally, you need to get cloud-config.yml onto RancherOS. After logging in, configure a reachable temporary IP address and default gateway on eth0, then scp cloud-config.yml to it.

For example:

On RancherOS, configure IP and default gateway

$ sudo ip addr add 10.138.103.63/24 dev eth0
$ sudo route add default gw 10.138.103.254

On your local machine, copy cloud-config.yml to RancherOS with scp or another method.

4. Install

If the previous steps went well, you can now run the installer:

$ ros install -c cloud-config.yml -d /dev/sda --append "rancher.password=rancher"

The installer downloads the rancher/os image to your system and formats /dev/sda.

Finally the installer prompts for a reboot; after rebooting manually, your installed RancherOS is ready to configure. One caveat about the command above: --append "rancher.password=rancher" puts a well-known password for the rancher user on the kernel command line, where it stays readable from /proc/cmdline on the running host. Treat it as a temporary fallback until key-based SSH login works, and leave it out on an exposed host.
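Before running ros install, it is worth checking the cloud-config for the one mistake that cannot be undone afterwards: a public key that was mangled on its way into the file, which leaves no way into the freshly formatted host (the key line in the example above is visibly truncated, which is exactly what this catches). The check below is an added example, not from the original post and not a RancherOS tool; it needs only sh, sed and base64, and the two configs it tests are constructed here with a stub ssh-rsa blob rather than a real key.

```sh
#!/bin/sh
# Added example, not part of the original post: check cloud-config.yml before
# "ros install" formats the disk. A mangled public key here means the only way
# into the installed host is gone. Key material below is constructed.
set -u

# Constructed good config: one well-formed ssh-rsa blob (a stub, not a real key).
GOOD_CONFIG='#cloud-config
ssh_authorized_keys:
 - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQM= wid@example
hostname: rancheros-cd01
'

# Constructed bad config: the second key lost characters when it was pasted.
BAD_CONFIG='#cloud-config
ssh_authorized_keys:
 - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQM= wid@example
 - ssh-rsa AAAAB3NzaCURHZlGvtcq4bZXxkl wid@example
hostname: rancheros-cd01
'

# A key line is usable only if the base64 blob decodes cleanly and the decoded
# bytes start with the same type string as the first word: OpenSSH's wire
# format puts the length-prefixed type name at the beginning of the blob.
pubkey_ok() {
    line=$1
    ktype=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    [ "$rest" != "$line" ] && [ -n "$blob" ] || return 1
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 1
    decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tr -cd '[:print:]' | head -c 32)
    case "$decoded" in
        "$ktype"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Validate a whole cloud-config given as a string: header line present, at
# least one ssh_authorized_keys entry, and every entry passes pubkey_ok.
check_cloud_config() {
    cfg=$1
    [ "$(printf '%s\n' "$cfg" | head -n 1)" = "#cloud-config" ] || { echo "missing #cloud-config header"; return 1; }
    keys=$(printf '%s\n' "$cfg" | sed -n 's/^[[:space:]]*-[[:space:]]*\(ssh-[a-z0-9-]* .*\)$/\1/p')
    [ -n "$keys" ] || { echo "no ssh_authorized_keys entries"; return 1; }
    bad=0
    while IFS= read -r line; do
        if pubkey_ok "$line"; then
            echo "ok:  $line"
        else
            echo "BAD: $line"
            bad=$((bad + 1))
        fi
    done <<EOF
$keys
EOF
    [ "$bad" -eq 0 ]
}

check_cloud_config "$GOOD_CONFIG"
check_cloud_config "$BAD_CONFIG" || echo "refusing to install with this cloud-config"
```

To use it on a real file, replace the constructed strings with `check_cloud_config "$(cat cloud-config.yml)"` and only run ros install when it exits 0. The type cross-check also rejects a line whose first word says ssh-ed25519 but whose blob is an RSA key, a common result of editing the wrong field by hand.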

 

Source :
http://drinkey.github.io/docker/2015/07/05/rancheros-installation-guide/

How to add DKIM record on zimbra 8.7

Step 1. Modify the DKIM generator

a. Edit (as root) the script /opt/zimbra/libexec/zmdkimkeyutil and replace every occurrence of '2048' with '1024'.
This makes the tool generate 1024-bit DKIM keys and sets that as the default. Be aware that this is a downgrade: 2048 bits is what the tool ships with and what RFC 8301 recommends, and 1024 bits is the smallest key verifiers still accept. The usual reason for shrinking the key is a DNS provider that refuses a TXT string longer than 255 characters (a 2048-bit p= value is roughly 400 characters). Before changing the script, check whether the provider lets you enter the record as several quoted strings of up to 255 characters each; DKIM verifiers concatenate those (RFC 6376, section 3.6.2.2), and the key can then stay at 2048 bits.

nano /opt/zimbra/libexec/zmdkimkeyutil

Replace all three occurrences of '2048' with '1024', then save and exit.

Step 2. Generate a new DKIM key, replacing example.com with your domain. Note that you need a separate key for each domain.

Switch to the zimbra user: su - zimbra

/opt/zimbra/libexec/zmdkimkeyutil -a -d example.com

Step 3. Retrieve the stored DKIM data for your domain (replace example.com with your domain); run the command below as the zimbra user:

/opt/zimbra/libexec/zmdkimkeyutil -q -d example.com

The record looks like this (this is what the -a command in step 2 printed when it created the key; note that the p= value wraps onto a second line):

zimbra@example.com:~$ /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com
DKIM Data added to LDAP for domain example.com with selector 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB
Public key to enter into DNS:
0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey IN TXT "v=DKIM1; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ
/6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB" ; ----- DKIM 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB for example.com

Step 4.
Highlight and copy: 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey

Highlight and copy: v=DKIM1; k=rsa;

Highlight and copy the whole p= value, including the part that wrapped onto the second line, with no whitespace between the two halves:

p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ/6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB

Step 5. verify DKIM key using this link http://dkimcore.org/tools/keycheck.html

Step 6.

– Log in to your DNS web portal
– Create a new TXT record

– Put 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey in the hostname field

– Put the public DKIM key in the destination / target field. The tag must be a lowercase p= (DKIM tag names are case-sensitive, so P= is an unknown tag and the record carries no key), and the value must be the complete, unwrapped string:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ/6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB
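The two ways this procedure goes wrong are pasting a wrapped p= value and shrinking the key because one TXT string cannot hold it. The script below, an added example that is not from the original post and not a Zimbra tool, takes the record exactly as zmdkimkeyutil printed it above (selector, domain and key are the ones from that output), joins the wrapped key, reports the key size from the length of the decoded public key, and emits the zone-file line with the value split into 255-character quoted strings so that a 2048-bit key can be published unchanged. It needs only sh, base64 and coreutils.

```sh
#!/bin/sh
# Added example, not part of the original post or of Zimbra: turn the record
# zmdkimkeyutil printed into publishable TXT rdata and check the key size
# before deciding whether the 1024-bit downgrade is needed at all. Selector,
# domain and public key below are the ones shown in the post's output.
set -u

SELECTOR="0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB"
DOMAIN="example.com"

# The p= value exactly as it was printed, wrapped across two lines. Copying
# only the first line is a broken key; the whitespace must be stripped first.
PUBKEY_RAW='MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ
/6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB'
PUBKEY=$(printf '%s' "$PUBKEY_RAW" | tr -d ' \n\r')

# RSA modulus size from the decoded SubjectPublicKeyInfo length: the DER
# encoding has a fixed size for each common key size, so no ASN.1 parser is
# needed. Anything else is reported as "unknown", not guessed.
dkim_key_bits() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    case "$n" in
        162) echo 1024 ;;
        294) echo 2048 ;;
        550) echo 4096 ;;
        *)   echo unknown; return 1 ;;
    esac
}

# Split a TXT value into quoted strings of at most 255 characters (the DNS
# limit per string). Verifiers concatenate the strings (RFC 6376, section
# 3.6.2.2), so a 2048-bit key fits without shrinking it.
dkim_txt_rdata() {
    value=$1
    out=""
    while [ ${#value} -gt 255 ]; do
        chunk=$(printf '%s' "$value" | cut -c1-255)
        value=$(printf '%s' "$value" | cut -c256-)
        out="$out\"$chunk\" "
    done
    printf '%s"%s"\n' "$out" "$value"
}

# Zone-file line for the selector record.
dkim_zone_line() {
    printf '%s._domainkey.%s. IN TXT %s\n' "$SELECTOR" "$DOMAIN" \
        "$(dkim_txt_rdata "v=DKIM1; k=rsa; p=$1")"
}

dkim_zone_line "$PUBKEY"
echo "key size: $(dkim_key_bits "$PUBKEY") bits"
```

If the portal only offers a single value field, paste the quoted strings as printed; if it joins them back into one string longer than 255 characters and rejects it, that, and not the key size, is the provider limitation to fix before touching zmdkimkeyutil.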