Computer System Administration
HW4&5 - Web Service & Firewall
The first step is to download and unpack the NGINX source code. Note that the HTTP/3 module (`--with-http_v3_module`) only exists in mainline releases from 1.25.0 onward, so an older tarball will not work:

```sh
curl -O https://nginx.org/download/nginx-1.25.0.tar.gz
tar xzvf nginx-1.25.0.tar.gz
```
As well as quiche, Cloudflare's implementation of HTTP/3 and QUIC. We only need the BoringSSL fork that quiche pins as a submodule: nginx 1.25.0 has its own QUIC stack and just needs a TLS library with a QUIC API, which stock OpenSSL does not provide.

```sh
git clone --recursive https://github.com/cloudflare/quiche
```

Cloning BoringSSL takes some time, please be patient. Move `boringssl` out of `quiche` (quiche itself is not used from now on):

```sh
mv quiche/quiche/deps/boringssl .
```

BoringSSL has to be compiled (with CMake, into `boringssl/build`) before nginx is configured; otherwise the `build/ssl` and `build/crypto` directories that the linker flags below point to do not exist and `make` fails at link time. An example view of the tree at this point:

```
---build_nginx
|-nginx-1.25.0
|-quiche
|-boringssl
```
Build NGINX with HTTP/3 support enabled (run this from inside `nginx-1.25.0`, so that the `../boringssl` paths resolve):

```sh
./configure --with-debug \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_v3_module \
    --with-cc-opt=-I../boringssl/include \
    --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
```

After configuration, just do the same as for any build from source:

```sh
make
sudo make install
```

Check the version and configure arguments of your nginx (`-V` prints to stderr; the `configure arguments:` line must list `--with-http_v3_module`, and the `built with` line should name BoringSSL rather than the system OpenSSL):

```sh
sudo nginx -V
```
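As an added example (not the page's own commands, and not part of nginx or quiche), the whole procedure above as one script, including the BoringSSL compile step that has to happen between the `mv` and `./configure`, plus a `check_nginx_v` function that scans the `nginx -V` dump for the three modules the configuration further down relies on. The `build|check` subcommands, the `JOBS`, `BUILD_ROOT` and `NGINX_BIN` variables are assumptions of this example; the source layout is the one shown above.

```sh
#!/bin/sh
# Added example: build nginx 1.25.0 against BoringSSL for HTTP/3 and verify the result.
# Assumptions: curl, git, cmake, make and a C/C++ toolchain are installed (BoringSSL's
# CMake build may additionally need Go and Perl depending on the pinned revision), and
# the layout is build_nginx/{nginx-1.25.0,quiche,boringssl} as on the page.
set -eu

NGINX_VER=${NGINX_VER:-1.25.0}
BUILD_ROOT=${BUILD_ROOT:-$PWD/build_nginx}
NGINX_BIN=${NGINX_BIN:-/usr/local/nginx/sbin/nginx}   # default install prefix
JOBS=${JOBS:-4}

# Download nginx, clone quiche only for its pinned BoringSSL, then move boringssl out.
fetch_sources() {
  mkdir -p "$BUILD_ROOT"
  cd "$BUILD_ROOT"
  curl -fsSLO "https://nginx.org/download/nginx-$NGINX_VER.tar.gz"
  tar xzf "nginx-$NGINX_VER.tar.gz"
  git clone --recursive https://github.com/cloudflare/quiche
  mv quiche/quiche/deps/boringssl .
}

# BoringSSL must be compiled first: nginx's configure only records the -L paths, and
# `make` fails at link time if build/ssl and build/crypto do not contain the libraries.
build_boringssl() {
  cd "$BUILD_ROOT/boringssl"
  mkdir -p build
  cd build
  cmake -DCMAKE_BUILD_TYPE=Release ..
  make -j"$JOBS"
}

build_nginx() {
  cd "$BUILD_ROOT/nginx-$NGINX_VER"
  ./configure --with-debug \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_v3_module \
    --with-cc-opt=-I../boringssl/include \
    --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
  make -j"$JOBS"
  sudo make install
}

# Take the text of `nginx -V` (a single argument; nginx writes it to stderr) and report
# which of the three required modules are missing. Returns 0 only when all are present.
check_nginx_v() {
  args=$(printf '%s' "$1" | tr '\n' ' ')
  missing=""
  for flag in --with-http_ssl_module --with-http_v2_module --with-http_v3_module; do
    case " $args " in
      *" $flag "*) ;;                      # exact token match, padded with spaces
      *) missing="$missing $flag" ;;
    esac
  done
  if [ -z "$missing" ]; then
    echo "all required modules present"
    return 0
  fi
  echo "missing:$missing"
  return 1
}

case ${1:-} in
  build) fetch_sources; build_boringssl; build_nginx; check_nginx_v "$("$NGINX_BIN" -V 2>&1)" ;;
  check) check_nginx_v "$("$NGINX_BIN" -V 2>&1)" ;;
  *) echo "usage: $0 build|check" >&2 ;;
esac
```

Run `sh build-nginx-h3.sh build` once; `check` on its own is useful after an upgrade, to confirm that the binary in `/usr/local/nginx/sbin` is still the one built with `--with-http_v3_module` and not a distribution package that lacks it.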
Add these lines to `/etc/hosts`:

```
10.113.{ID}.11 {ID}.cs.nycu # Virtual Hosts
10.113.200.1 ca.nasa.nycu # HTTPS & HTTP/2
```
In your nginx configuration file (`/usr/local/nginx/conf/nginx.conf` if you did not change the prefix during configuration):

```nginx
http {
    log_format agent_info '$remote_addr | $request | $http_user_agent is my Agent Info.';

    server {
        listen 80;
        server_name 115.cs.nycu;
        access_log /home/judge/log/access.log combined;
        # without the gzip flag nginx writes plain text into a file that merely ends in .gz
        access_log /home/judge/log/compressed.log.gz agent_info gzip;
        # browsers ignore HSTS received over plain HTTP; the header only takes effect in the 443 server below
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        server_tokens off;
        server_name_in_redirect off;
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
        # redirect every plain-HTTP request to HTTPS. $host echoes the client's Host header, so a
        # request with a bogus Host that lands on this (default) server is redirected there too;
        # $server_name would pin the redirect to 115.cs.nycu
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2; # HTTP/2 with HTTPS
        server_name 115.cs.nycu;
        ssl_certificate /root/.acme.sh/115.cs.nycu/fullchain.cer;
        ssl_certificate_key /root/.acme.sh/115.cs.nycu/115.cs.nycu.key;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # HSTS
        server_tokens off;
        server_name_in_redirect off;
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
        location / {
            root /home/judge/www/115.cs.nycu;
            index index.html;
        }
        access_log /home/judge/log/access.log combined;
        access_log /home/judge/log/compressed.log.gz agent_info gzip;
    }

    server {
        listen 3443 quic reuseport; # HTTP/3 over UDP
        listen 3443 ssl http2;      # same port over TCP for clients that do not speak QUIC
        server_name 115.cs.nycu;
        ssl_certificate /home/judge/certificate/certificate.crt; # http3
        ssl_certificate_key /home/judge/certificate/certificate.key; # http3
        # QUIC requires TLS 1.3; TLSv1 and TLSv1.1 are deprecated and would only weaken the TCP listener
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;
        # note: browsers only switch to HTTP/3 after seeing an Alt-Svc header that advertises h3 on
        # this port; `curl --http3` can exercise the QUIC listener directly
        location / {
            root /home/judge/www/115.cs.nycu;
            index index.html;
        }
        access_log /home/judge/log/access.log combined;
        access_log /home/judge/log/compressed.log.gz agent_info gzip;
    }

    server {
        listen 80;
        server_name 10.113.115.11;
        location /private/ {
            # reachable only through the IP literal, never through a hostname
            if ($host !~* ^\d+\.\d+\.\d+\.\d+$) {
                return 403;
            }
            # the client must pass BOTH the allow-list and basic auth ("satisfy all" is the default)
            allow 10.113.115.254;
            allow 10.0.2.15;
            allow 127.0.0.1;
            deny all;
            auth_basic "Authorized access only"; # Access Control
            auth_basic_user_file /home/judge/allowed_users/htpasswd;
            root /home/judge/www/10.113.115.11;
            index private.html;
        }
        location / {
            root /home/judge/www/10.113.115.11;
            index index.html;
            try_files $uri $uri/ =404;
        }
        access_log /home/judge/log/access.log combined;
        access_log /usr/local/nginx/logs/access.log combined;
        access_log /home/judge/log/compressed.log.gz agent_info gzip;
    }

    access_log /home/judge/log/access.log combined;
    access_log /home/judge/log/compressed.log.gz agent_info gzip;
    # ... the rest of the original content
}
```
In `index.html`, just put the content from the slides.
The cron entry (system-crontab format with a user field, so it runs as `judge`) and the logrotate config it points to, `/home/judge/log/judge-rotate.conf`:

```
@every_second judge logrotate /home/judge/log/judge-rotate.conf >/dev/null 2>&1
```

```
/home/judge/log/access.log {
    # a bare number is bytes: rotate as soon as the log grows past 150 bytes
    size 150
    rotate 3
    compress
    notifempty
    nomail
    missingok
    create 0640 judge judge
    sharedscripts
    postrotate
        # killall matches process names, not PIDs, so `killall -HUP <pid>` does not signal nginx;
        # kill(1) by PID makes the master reopen its log files (SIGUSR1 would reopen them
        # without also reloading the configuration)
        kill -HUP $(cat /usr/local/nginx/logs/nginx.pid)
    endscript
}
```
Download `rootca.pem` from the drive link in the PDF. In `/etc/ssl/certs` there should already be several certificate files named like `xxxxxxxx.0`: OpenSSL looks a CA up in a CApath directory by the hash of its subject name, so the root CA has to be linked there under the same naming scheme. The `.pem` file here is at `/home/judge` (the suffix is a zero, not the letter O):

```sh
sudo ln -s /home/judge/rootca.pem /etc/ssl/certs/$(openssl x509 -hash -noout -in /home/judge/rootca.pem).0
openssl verify -CApath /etc/ssl/certs /home/judge/rootca.pem
```

The `verify` should print `/home/judge/rootca.pem: OK`; if it reports an error instead, the link did not land in the right directory or under the right name.
Now you have to install an ACME client (e.g. certbot or step ca). (I ended up using acme.sh, but I also had step ca installed; I am not sure whether that is necessary.)

You can install acme.sh directly or use the standalone script:

```sh
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install
sudo acme.sh --issue --server https://ca.nasa.nycu:9000/acme/acme/directory -d 115.cs.nycu --standalone --force
```

`--standalone` makes acme.sh bind port 80 itself to answer the HTTP-01 challenge, so nginx must not be listening on port 80 at that moment (otherwise use acme.sh's webroot mode and let nginx serve the challenge).
Append `rootca.pem` to the end of `fullchain.cer`, then use the method above to make the machine trust these certificates (`fullchain.cer`); only after I uploaded that did the judge pass.

💡 Once the certificate check passes, the later requirements should already be covered by the config written above, so they should all pass too (I did nothing for the PHP part, but since the judge passed I did not fix it)!
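The two certificate steps above (linking `rootca.pem` into `/etc/ssl/certs` under its subject hash, and getting a `fullchain.cer` accepted) can be reproduced offline. The following script is an added example, not part of the original page, of acme.sh or of step-ca: it creates a throw-away root, intermediate and leaf certificate with the `openssl` CLI, installs the root into a private CApath directory using the same `$(openssl x509 -hash ...).0` naming rule, and verifies the fullchain against it, including the negative cases (root missing from the store, wrong hostname). The CA names and temporary directories are assumptions; `115.cs.nycu` is the hostname from this page.

```sh
#!/bin/sh
# Added example: demo PKI -> CApath trust anchor -> fullchain verification with openssl only.
# Assumptions: the openssl CLI (1.1.1 or 3.x) is installed; all names below are illustrative.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }

WORK=$(mktemp -d)

# Self-contained req/extension config so nothing depends on the distro's openssl.cnf.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:115.cs.nycu
EOF
}

# issue_cert DIR NAME SUBJECT EXT_SECTION [ISSUER_CERT ISSUER_KEY]; with 4 args it self-signs.
issue_cert() {
  dir=$1; name=$2; subj=$3; ext=$4
  if [ $# -eq 4 ]; then
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$dir/$name.key" -out "$dir/$name.pem" -days 2 \
      -config "$dir/req.cnf" -extensions "$ext" -subj "$subj"
  else
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" -config "$dir/req.cnf" -subj "$subj"
    openssl x509 -req -in "$dir/$name.csr" -CA "$5" -CAkey "$6" -CAcreateserial \
      -out "$dir/$name.pem" -days 2 -extfile "$dir/req.cnf" -extensions "$ext"
  fi
}

make_demo_pki() {
  pki=$1
  write_cnf "$pki/req.cnf"
  issue_cert "$pki" root  "/CN=Demo Root CA"         v3_ca
  issue_cert "$pki" inter "/CN=Demo Intermediate CA" v3_inter "$pki/root.pem"  "$pki/root.key"
  issue_cert "$pki" leaf  "/CN=115.cs.nycu"          v3_leaf  "$pki/inter.pem" "$pki/inter.key"
  # The layout of a fullchain file: leaf first, then the issuing chain. The root belongs in
  # the client's trust store (this is what the /etc/ssl/certs link is for), not in the chain.
  cat "$pki/leaf.pem" "$pki/inter.pem" > "$pki/fullchain.cer"
}

# Link a CA cert into a CApath directory as <subject hash>.0, the name OpenSSL's hash-dir
# lookup expects (the page's `openssl x509 -hash` + `.0` trick). A second CA with the same
# hash would get .1, .2, ...; `openssl rehash DIR` automates the whole directory.
install_trust_anchor() {
  ca=$1; capath=$2
  mkdir -p "$capath"
  link="$capath/$(openssl x509 -hash -noout -in "$ca").0"
  ln -sf "$ca" "$link"
  echo "$link"
}

# Verify a fullchain file for a hostname against a CApath. `openssl verify` only treats the
# first certificate of its positional argument as the target, so the same file is passed
# again with -untrusted to supply the intermediate. Prints OK or FAIL.
verify_fullchain() {
  capath=$1; chain=$2; host=$3
  if openssl verify -CApath "$capath" -untrusted "$chain" -verify_hostname "$host" "$chain" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

make_demo_pki "$WORK"
mkdir -p "$WORK/empty-capath"
LINK=$(install_trust_anchor "$WORK/root.pem" "$WORK/capath")
echo "trust anchor installed as: $LINK"
echo "chain vs. CApath with root:   $(verify_fullchain "$WORK/capath" "$WORK/fullchain.cer" 115.cs.nycu)"
echo "chain vs. empty CApath:       $(verify_fullchain "$WORK/empty-capath" "$WORK/fullchain.cer" 115.cs.nycu)"
echo "chain for the wrong hostname: $(verify_fullchain "$WORK/capath" "$WORK/fullchain.cer" other.cs.nycu)"
```

Serving the root inside `fullchain.cer` is harmless but does not make any client trust it; trust comes from the client's store, which is why the hash-named link in `/etc/ssl/certs` is the step that matters. Against the live server the equivalent check is `openssl s_client -connect 115.cs.nycu:443 -servername 115.cs.nycu -CApath /etc/ssl/certs`, whose `Verify return code` line should read `0 (ok)`.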
In the conf file, the commented lines satisfy these requirements.
Handled at the line: `proxy_hide_header`
To generate a `user:password` entry, use this command (`htpasswd` ships with the Apache utilities, e.g. the `apache2-utils` package on Ubuntu):

```sh
htpasswd -c /path/to/htpasswd sa-admin
```

This prompts you to enter a new password for the specified user. `-c` creates the file and overwrites it if it already exists, so leave it out when adding further users. The file is read by the nginx worker processes on every request, so it must be readable by the user they run as and should not be readable by anyone else.
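Because `htpasswd -c` truncates the file and the Apache utilities are not always installed on a bare server, here is an added example (not from the page, and not how htpasswd or nginx are implemented) that maintains the same file format with only the `openssl` CLI and shows how an `$apr1$` entry is checked: the candidate password is re-hashed with the salt stored in the entry and compared. The user names and passwords are constructed for the demonstration; `/home/judge/allowed_users/htpasswd` from the config above would be the real target.

```sh
#!/bin/sh
# Added example: manage an nginx auth_basic password file and verify passwords with openssl only.
# Assumptions: the openssl CLI is installed; user names contain no regex metacharacters.
set -eu

# Add or replace one user. Unlike `htpasswd -c`, this never truncates an existing file.
# The password is fed over stdin so it does not show up in `ps` output.
htpasswd_set() {
  file=$1; user=$2; password=$3
  salt=$(openssl rand -hex 4)                     # apr1 salts are at most 8 characters
  hash=$(printf '%s\n' "$password" | openssl passwd -apr1 -salt "$salt" -stdin)
  touch "$file"
  { grep -v "^$user:" "$file" || true; printf '%s:%s\n' "$user" "$hash"; } > "$file.tmp"
  mv "$file.tmp" "$file"
  # nginx workers read this file on every request: it must be readable by their user
  # (nobody/www-data) and, since it holds password hashes, by nobody else.
}

# Look the user up, re-hash the submitted password with the stored salt and compare,
# which is how an $apr1$ entry is validated. Prints ok or denied; returns 1 when denied.
htpasswd_check() {
  file=$1; user=$2; password=$3
  stored=$(grep "^$user:" "$file" 2>/dev/null | head -n 1 | cut -d: -f2- || true)
  [ -n "$stored" ] || { echo denied; return 1; }
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)   # "$apr1$<salt>$<hash>" -> field 3
  if [ "$(printf '%s\n' "$password" | openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]; then
    echo ok
  else
    echo denied
    return 1
  fi
}

# Demo on a temporary file with constructed users and passwords.
DEMO=$(mktemp)
htpasswd_set "$DEMO" sa-admin 'correct horse battery staple'
htpasswd_set "$DEMO" judge 'first-password'
htpasswd_set "$DEMO" judge 'second-password'     # replaces judge's line instead of appending
echo "--- $DEMO"
cat "$DEMO"
echo "sa-admin, right password: $(htpasswd_check "$DEMO" sa-admin 'correct horse battery staple' || true)"
echo "judge, old password:      $(htpasswd_check "$DEMO" judge 'first-password' || true)"
echo "unknown user:             $(htpasswd_check "$DEMO" nobody 'x' || true)"
```

The interactive `htpasswd` remains the simpler tool when it is available; the point of `htpasswd_set` is the update semantics (replace the user's line, never truncate the file), which is what `-c` gets wrong on the second run.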