Documentation for the bugzh.eu.org Network Infrastructure

This documentation covers the elements constituting the architecture implemented on this server, how to install them and how to improve them according to needs.

Table of Contents

• DNS
• Web Server
• HTTPS Certificate
• OpenVPN
• System Administration

_____________________________________________________

DNS with Bind9

Bind9 documentation

Bind9 Installation

On Ubuntu/Debian :

sudo apt update
sudo apt install bind9

Bind9 Configuration

BIND9 configuration is primarily done in the /etc/bind/named.conf file and its associated zone files.

After making changes, the bind9 service needs to be restarted:

sudo systemctl restart bind9.service

You can also verify that it has restarted correctly with:

systemctl status bind9.service

1. Basic Configuration

The /etc/bind/named.conf.options file configures basic options such as allowed IP addresses to query the DNS server. It can also contain the IP addresses of slave DNS servers to which a zone transfer (AXFR) is made.

options {
    directory "/var/cache/bind";

    forwarders {
	 0.0.0.0;
	};

    dnssec-validation auto;

	listen-on-v6 { any; };
	allow-transfer {"none";};
	allow-recursion {"none";};
	recursion no;
};

To check the configuration, you can use:

named-checkconf

2. Zone Configuration

The named.conf.local file contains the list of registered zones on the DNS. Each zone contains the domain name, the type of zone (master/slave), and the location of the file configuring the zone (in our case /etc/bind/db.bugzh.eu.org).

zone "bugzh.eu.org" {
      type master;
      file "/etc/bind/db.bugzh.eu.org";
      allow-query { any; };
};

Now, if we open /etc/bind/db.bugzh.eu.org:

$TTL 86400
@	IN	SOA	ns0.bugzh.eu.org. gurvan.ledireach.bugzh.eu.org. (
			202401172       ; Serial
			3600            ; Refresh
			1800            ; Retry
			1209600         ; Expire
			86400 )         ; Negative Cache TTL

@	IN	NS		ns0
@	IN	A		158.101.174.158

ns0	IN	A		158.101.174.158
www	IN	A		158.101.174.158 ; could have been a CNAME, but not to the SOA.

server	IN	CNAME		ns0

This file contains the current DNS configuration (last updated: 18/01/2024). Simply add records as needed.

Useful Records

Here is a list of possible records:

A Record

An A record is a type of DNS record that associates a domain name with an IPv4 address. A DNS resolver uses A records to find the IPv4 address associated with a domain name, allowing web browsers and other applications to connect to servers on the Internet.

An A record typically consists of the following parts:

• name : the domain name to which the record applies.
• ttl : the time-to-live value for the record, determining how long other DNS servers and clients should cache the record before requesting an update.
• class : the DNS class (usually IN for Internet).
• type : the DNS record type, always A.
• address : the IPv4 address associated with the domain name.

Here is an example A record:

example.com. 3600 IN A 158.101.174.158

AAAA Record

A variation of the A record, it maps an IPv6 address to a hostname.

www    IN    AAAA    ::1

CNAME (Canonical Name) Record

It allows creating an alias pointing to another record within the current domain or an external domain. It is possible to create a CNAME record pointing to another CNAME record, but this practice doubles the number of queries, so it is not recommended.

mail    IN    CNAME  www
ftp     IN    CNAME  ftp.domain.tld.
www     IN    A      158.101.158.174

MX (Mail Exchange) Record

The MX record points to a mail server. This record must point obligatorily to an A or AAAA record and not a CNAME record.

It is also possible to set a priority on each record to specify the email server to query first. If this server is unavailable, the server with the closest priority will be queried instead.

         IN    MX  10  mail1
         IN    MX  50  mail2
mail1    IN    A       158.101.174.158
mail2    IN    A       101.158.158.174

NS (Name Server) Record

It defines the DNS servers of the domain.

      IN    NS    domain.org.
ns    IN    A     158.101.174.158

To check the zone configuration, you can use:

named-checkzone bugzh.eu.org ./db.bugzh.eu.org. 

Slave configuration

First, the master server must be configured to allow zone transfer. You must add the allow-transfer option in the zone definitions of the /etc/bind/named.conf.local file:

zone "bugzh.slave" {
             type master;
             file "/etc/bind/db.bugzh.slave";
             allow-transfer { 132.145.242.13; };
        };

Then, on the slave server, you must install the BIND9 package, in the same way as for the master server. Edit the /etc/bind/named.conf.local file, and add the following lines for the zone:

zone "bugzh.slave" {
             type slave;
             file "/var/cache/bind/db.bugzh.slave";
             masters { 158.101.174.158; };
        };

_____________________________________________________

Web Server with Apache2

Apache Documentation

Apache2 Installation

On Ubuntu/Debian :

sudo apt update
sudo apt install apache2

Start the Apache Service

After installation, start the Apache service and enable it to start automatically on system boot:

sudo systemctl start apache2
sudo systemctl enable apache2

Configure iptables Firewall

Use iptables to allow incoming traffic on port 80 for Apache:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo netfilter-persistent save

Verify the Installation

Open a web browser and navigate to your server’s IP address. You should see the default Apache page, indicating that the server is running correctly.

Make sure to check the official Apache documentation for advanced configurations and customization options: Apache Documentation.

Apache2 Configuration

In /etc/apache2/ we have:

• apache2.conf: contains the general configuration
• ports.conf: indicates the ports used by Apache
• mods-enabled/*.conf: contains the configurations for the different modules
• sites-enabled/*.conf: contains configurations for virtualhosts

The 2 most important folders are /etc/apache2/sites-available/ and /etc/apache2/sites-enable/. sites-available/ contains the configuration files for each web page that we set up and contains, among other things, the path to the code of our site (here: /var/www/bugzh/html). sites-enable/ contains symbolic links to the code of our websites (here /var/www/bugzh/html) These files also contain the Virtualhosts, which allows you to manage several web trees simultaneously if desired.

The sites-available/ files can be modified by hand (with ’nano, ‘vim’, …), but for sites-enable/ you just need to do the command:

sudo a2ensite bugzh

Test and Apply Configuration

Once these modifications have been made, do not forget to reload the Apache configuration.

sudo apache2ctl configtest
sudo systemctl restart apache2

_____________________________________________________

HTTPS Certificate with Certbot

Certbot website The www.bugzh.eu.org certificate is signed by a third-party trusted authority in our case “Let’s Encrypt”.

One domain validation

To validate a single domain for a certificate, you must have already created the site configuration in HTTP. Certbot will take care of requesting the certificate from Let’s Encrypt and creating an identical site configuration in HTTPS, we don’t have to do anything on the Apache side. You will have the option to choose to redirect users from http to https.

To create the certificate, simply do:

certbot --apache

To take the modification into account, we reload Apache:

service apache2 reload

Subsequently, certificate renewals will be done with:

certbot renew

The Let’s Encrypt certificate is only valid for 3 months. It must therefore be renewed every 3 months. A ‘cron’ allows you to do this automatically, we check that it is present /etc/cron.d/certbot:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

Multi-domain validation

To validate a multi-domain certificate, you must specify these domains via certbot arguments. For renewal there is nothing to do, it follows the same procedure as a single domain.

You must manually execute:

certbot-auto --apache -d bugzh.eu.org -d www.bugzh.eu.org -d ...

The first domain is used as the primary domain, all others are used as secondary domains.

Our multi-domain certificate is installed directly in the Apache configuration by Certbot, all you need is a reload of the Apache configuration.

_____________________________________________________

OpenVPN with Nyr

openvpn-install Nyr github page

Installation of the server

The installation of OpenVPN can be quickly tedious. Happily, the Nyr user maintains a very easy-to-use automatic script on GitHub: https://github.com/Nyr/openvpn-install. The https://git.io/vpn URL is a shortcut to its script.

wget https://git.io/vpn -O openvpn-install.sh
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh

At the first launch of the script you can choose to install OpenVPN.

Addition of a user

At the next launches of the script openvpn-install.sh, you can add or delete users. Each user will have his own key and his own customer certificate. A client connection .ovpn file will be generated.

Static IP for VPN clients

By default, customers who will connect will have a dynamic IP. However, it is possible to fix a static ip according to the name of the client. For example, the case of a client called ’laptop-client’ whose IP address is to be set at 10.8.0.100 within the VPN network.

First step, the creation of the configuration folder ccd:

sudo mkdir /etc/openvpn/server/ccd

Then it is necessary to configure the VPN server to use this folder. To do this, we’re going to modify the file. /etc/openvpn/server/server.conf with the control client-config-dir:

...
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/server/ccd
...

Last step, it is necessary to create a configuration file with exactly the name of the client in the folder ccd. This is the contents of the file. /etc/openvpn/server/ccd/laptop-client:

ifconfig-push 10.8.0.100 255.255.255.0

Redirect only VPN traffic

By default, once the client is connected to the VPN: all its traffic (web, mail, etc.) will use our VPN server as an Internet gateway. Depending on the case, this is not desirable.

To disable this gateway focalionality, it is sufficient to comment or delete the following lines in the file: /etc/openvpn/server/server.conf:

# push "redirect-gateway def1 bypass-dhcp"
# push "dhcp-option DNS 1.1.1.1"
# push "dhcp-option DNS 1.0.0.1"

Installation of a Linux client

The installation is done simply via the packet openvpn:

sudo apt install openvpn

It will be necessary to recover on the client machine, the connection file .ovpn, in our desktop-client.ovpn.

Then there are two options:

• Manual connection to VPN
• Automatic connection to the VPN when launching the machine

Manual connection to VPN

sudo openvpn --client --config desktop-client.ovpn

It will be necessary to leave the terminal open so that the VPN connection remains active.

Automatic connection to the VPN

For automatic connection at the start of the service openvpn@clientsimply copy the file .ovpn in the file /etc/openvpn/client.conf.

sudo cp desktop-client.ovpn /etc/openvpn/client.conf

To disable the automatic launch of the service at the launch of the machine:

sudo update-rc.d -f openvpn remove

_____________________________________________________

System Administration with Webmin

Webmin Documentation Webmin is an online tool for administering one (or several via a cluster mechanism) Linux machine. It is used through a web browser.

Installation

For used Webmin various packets are necessary:

sudo apt update
sudo apt install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python libwww-perl liblwp-protocol-https-perl

To get Webmin we can used automatic setup-repos.sh script to configure repositories on your RHEL or Debian derivative systems. It can be done in two easy steps:

curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh
sh setup-repos.sh

Configuration

You can use your current username and password, but if you want to use the webmin “root” account, it will be inaccessible because it is disabled on Ubuntu. You must therefore change it by typing:

sudo /usr/share/webmin/changepass.pl /etc/webmin root your_password

[!] This command does not change the Ubuntu “root” password but only that of Webmin.

Now we restart webmin and we can used the web interface on 10000 port at IPaddress:10000

sudo service webmin restart

This tool is interesting if you do not have your private ssh key available to connect to the server for example because it gives access to a terminal directly from the web interface. It also allows you to see the available updates, have graphs on the state of the system. However, you must ensure that the passwords are strong enough (especially for privileged accounts).