% Post-configuration du serveur chiffré

# Sécurité

## Installation des mises à jour de sécurité automatiques

```bash
sudo apt-get install unattended-upgrades
```

## Installation de fail2ban

```bash
sudo apt install fail2ban
```

# Docker

## Procédure

Voir cette page : [Install Docker Engine on Debian | Docker Documentation](https://docs.docker.com/engine/install/debian/)

# Installation Moodle

## Préparation

Voir [Tutorial - Moodle installation on Nginx - Step by step](https://techexpert.tips/moodle/moodle-installation-nginx/)

```bash
sudo apt-get install nginx graphviz aspell ghostscript clamav git mlocate mariadb-server mariadb-client php-fpm php-cli php-mysql php-mbstring php-xmlrpc php-zip php-gd php-xml php-bcmath php-ldap php-pspell php-curl php-intl php-soap
sudo updatedb
locate php.ini
sudo nano /etc/php/7.4/fpm/php.ini
sudo cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/www.conf.original
sudo nano /etc/php/7.4/fpm/pool.d/www.conf
```

```bash
```

## Let's Encrypt

```bash
sudo apt install certbot python3-certbot-nginx
sudo ufw allow http
sudo ufw allow https
sudo certbot certonly --nginx -d moodle.aezi.fr
```

## MariaDB

```bash
sudo mysql -u root -p
```

Remplacer `GESTIONNAIRE_MDP` par le mot de passe généré dans le gestionnaire de mots de passe :

```sql
CREATE DATABASE moodle DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'moodle'@'localhost' IDENTIFIED BY 'GESTIONNAIRE_MDP';
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,CREATE TEMPORARY TABLES,DROP,INDEX,ALTER ON moodle.* TO moodle@localhost;
quit;
```

## Installation Moodle

Après la dernière phase d'installation, le site reste bloqué sur le message suivant :

```
Erreur
Ce site est en phase de mise à jour. Veuillez réessayer plus tard
```

Je lance donc depuis le répertoire `/var/www/moodle/moodle` la commande suivante (source : [Moodle en français: Ce site est en phase de mise à jour. Veuillez essayer plus tard.
](https://moodle.org/mod/forum/discuss.php?d=210499)) :

```bash
sudo -u www-data php admin/cli/upgrade.php --non-interactive
```

Fichier `/etc/php/7.4/fpm/php.ini` :

```ini
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
disable_classes =
zend.enable_gc = On
zend.exception_ignore_args = On
expose_php = Off
max_execution_time = 300
max_input_time = 300
max_input_vars = 5000
memory_limit = 256M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 32M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 2M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
date.timezone =Europe/Paris
[Pdo_mysql]
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.cookie_samesite =
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[Assertion]
zend.assertions = -1
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[ldap]
ldap.max_links = -1
```

---aoff

```bash
sudo nano /etc/php/7.4/fpm/php.ini
sudo cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/www.conf.original
sudo nano /etc/php/7.4/fpm/pool.d/www.conf
less /etc/nginx/sites-enabled/default
sudo certbot
sudo apt search certbot
sudo apt install certbot
ping moodle.aezi.fr
sudo systemctl status nginx
less /etc/nginx/sites-enabled/default
sudo nginx -s reload
less /etc/nginx/sites-enabled/default
ll /var/www/html
sudo ufw
sudo iptables -L
sudo su -
sudo ufw allow http
sudo ufw allow https
sudo ufw status
sudo certbot-auto certonly --nginx -d www.aezi.fr
sudo certbot certonly --nginx -d www.aezi.fr
sudo apt install certbot-nginx
sudo apt search certbot
sudo apt install python3-certbot-nginx
sudo certbot certonly --nginx -d 
www.aezi.fr sudo certbot certonly --nginx -d moodle.aezi.fr history sudo nano /etc/nginx/sites-available/moodle.aezi.fr sudo mkdir -p /var/www/moodle/ /var/www/moodle/data/ cd /var/www/moodle/ cd - ll tar xzf moodle-latest-400.tgz -C /var/www/moodle/4.0.4+ sudo mkdir /var/www/moodle/4.0.4+ sudo tar xzf moodle-latest-400.tgz -C /var/www/moodle/4.0.4+ sudo tar xf moodle-latest-400.tgz -C /var/www/moodle/4.0.4+ file moodle-latest-400.tgz sudo apt search file sudo apt install file file moodle-latest-400.tgz rm moodle-latest-400.tgz wget https://download.moodle.org/stable400/moodle-latest-400.tgz sudo tar xf moodle-latest-400.tgz -C /var/www/moodle/4.0.4+ cd /var/www/moodle/ ll sudo ln -s 4.0.4+/ site sudo nano /etc/nginx/sites-available/moodle.aezi.fr ll /etc/letsencrypt/live/aezi.fr/fullchain.pem; sudo ls -ll /etc/letsencrypt/live/aezi.fr/fullchain.pem; sudo ls -ll /etc/letsencrypt/live/ ll /etc/letsencrypt/live/moodle.aezi.fr/fullchain.pem; sudo ls -ll /etc/letsencrypt/live/moodle.aezi.fr/fullchain.pem; sudo nano /etc/nginx/sites-available/moodle.aezi.fr sudo nginx -t cd /etc/nginx/sites-enabled/ sudo ln -s ../sites-available/moodle.aezi.fr sudo nginx -t cd sudo systemctl status sudo systemctl php-fpm restart sudo systemctl restart php-fpm sudo service php-fpm restart sudo service php7.4-fpm restart sudo nginx -s reload sudo systemctl restart nginx sudo apt install acl sudo setfacl -R -m u:www-data:rwX /var/www/moodle/ sudo setfacl -d -R -m u:www-data:rwX /var/www/moodle/ getfacl /var/www/moodle sudo chown www-data:www-data -R /var/www/moodle/ ll /var/www/moodle/ sudo mysql -u root -p sudo nano /etc/nginx/sites-available/moodle.aezi.fr ll /var/www/moodle/site/ ll /var/www/moodle/site/moodle sudo nano /etc/nginx/sites-available/moodle.aezi.fr sudo nginx -s reload cd /var/www/moodle/ ll rm site sudo rm site sudo mv data moodledata sudo rm site ll sudo mv 4.0.4+/ site sudo mv site/moodle/ . 
ll ll site rmdir site sudo rmdir site sudo nano /etc/nginx/sites-available/moodle.aezi.fr ll sudo nano /etc/nginx/sites-available/moodle.aezi.fr sudo nginx -s reload sudo nano /etc/php/7.4/fpm/php.ini sudo service php-fpm restart sudo service php7.4-fpm restart top less /var/log/nginx/access.log sudo less /var/log/nginx/access.log sudo less /var/log/nginx/error.log.log sudo less /var/log/nginx/error.log sudo nano /etc/php/7.4/fpm/php.ini top sudo -u www-data php admin/cli/upgrade.php --non-interactive cd moodle ll sudo -u www-data php admin/cli/upgrade.php --non-interactive top sudo -u www-data php admin/cli/upgrade.php --non-interactive top history | awk '{$1=""; print}' ```