Saturday, 6 June 2015

Raspberry and Arch Linux

I got a Raspberry Pi B+ and decided to turn it into a web server for the moment. I installed Arch Linux and have to say that it pretty much reminds me of Slackware, although they are not the same.

By the way you can build your own case:
http://sixes.net/rdcHQ/rdchq-extra-credit-raspi-b/
However, my own experience is that it wasn't quite what it should be ... if you really want something that lasts, buy a case.

The first thing you have to do after you log in is to update the package repository:
pacman -Syu
pacman-db-upgrade

After this we can start installing packages:
pacman -S mc
pacman -S iptraf-ng
pacman -S nginx
pacman -S php php-fpm
pacman -S whois 
pacman -S dnsutils
pacman -S screen

To remove a package and its dependencies which are not required by any other installed package use:
pacman -Rs package_name

Let us enable nginx and php on boot:
systemctl enable nginx php-fpm

Then you might get the following error:
May 24 06:47:55 alarmpi systemd[1]: Starting A high performance web server .....
May 24 06:47:55 alarmpi nginx[19638]: 2015/05/24 06:47:55 [emerg] 19638#0: ...m)
May 24 06:47:55 alarmpi systemd[1]: nginx.service: control process exited, ...=1
May 24 06:47:55 alarmpi systemd[1]: Failed to start A high performance web ...r.
May 24 06:47:55 alarmpi systemd[1]: Unit nginx.service entered failed state.
May 24 06:47:55 alarmpi systemd[1]: nginx.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@alarmpi ~]# systemctl status nginx -l
* nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2015-05-24 06:47:55 MDT; 26s ago
  Process: 19638 ExecStart=/usr/bin/nginx -g pid /run/nginx.pid; error_log stderr; (code=exited, status=1/FAILURE)

The solution to this is:
In /boot/cmdline.txt, add rw just before rootwait. You might also consider enabling IPv6 with ipv6.disable=0, because ufw will need it later.

Let's have a look at the web server configuration:
/etc/nginx/nginx.conf

#user html;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        #error_page   500 502 503 504  /50x.html;
        #location = /50x.html {
        #    root   /usr/share/nginx/html;
        #}

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            root           /usr/share/nginx/html;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

And now about the final touches. It seems that I had some issue with Arch running PHP, so after some research I found that it was the "open_basedir" option in php.ini. You should point that parameter to your document root directory. It should be the same as the "root" option in the nginx configuration above. The relevant php.ini section:

cat /etc/php/php.ini
; open_basedir, if set, limits all file operations to the defined directory
; http://php.net/open-basedir
open_basedir =  /usr/share/nginx/html
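
The rule above (open_basedir must match the nginx "root") can be checked mechanically. The script below is an added example, not part of the original post; the function names are hypothetical, and it assumes each "root" directive sits on its own line and uses an absolute path.

```shell
#!/bin/sh
# Added example: check that php.ini open_basedir covers every active nginx root.

# Print each uncommented "root" path found in an nginx config file.
nginx_roots() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "root" { sub(/;$/, "", $2); print $2 }' | sort -u
}

# Print the open_basedir entries of a php.ini, one per line (":"-separated list).
php_basedirs() {
    sed -e 's/;.*//' "$1" |
        awk -F= '$1 ~ /^[ \t]*open_basedir[ \t]*$/ { gsub(/[ \t"]/, "", $2); print $2 }' |
        tr ':' '\n' | sed -e '/^$/d'
}

# Return 0 if every nginx root equals, or lies below, an open_basedir entry.
check_basedir() {
    rc=0
    dirs=$(php_basedirs "$2")
    [ -n "$dirs" ] || { echo "open_basedir is not set in $2"; return 2; }
    for root in $(nginx_roots "$1"); do
        covered=no
        for d in $dirs; do
            case "$root/" in "${d%/}"/*) covered=yes ;; esac
        done
        [ "$covered" = yes ] || { echo "root $root is outside open_basedir"; rc=1; }
    done
    return "$rc"
}

# Constructed sample files standing in for nginx.conf and php.ini.
tmp=$(mktemp -d)
cat > "$tmp/nginx.conf" <<'EOF'
server {
    location / {
        root   /usr/share/nginx/html;
    }
    #    root   html;
    location ~ \.php$ {
        root           /usr/share/nginx/html;
    }
}
EOF
printf '; constructed\nopen_basedir =  /usr/share/nginx/html\n' > "$tmp/good.ini"
printf 'open_basedir = /srv/http:/tmp/\n' > "$tmp/bad.ini"
check_basedir "$tmp/nginx.conf" "$tmp/good.ini" && echo "good.ini: roots covered"
check_basedir "$tmp/nginx.conf" "$tmp/bad.ini" || echo "bad.ini: mismatch"
```

On the Pi itself the call would be check_basedir /etc/nginx/nginx.conf /etc/php/php.ini; a return code of 2 means open_basedir is still commented out, so PHP file access is not restricted at all.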

After some analysis I found that there was some interest ;) in my Raspberry so I secured it with ufw:

ufw allow from <ip> to any port <port number>
ufw status
systemctl enable ufw

The numbers of your firewall rules can be listed using:

ufw status numbered

To delete rules:
ufw delete ####
where #### is the number of your firewall rule.
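
When several rules have to go, the order matters: ufw renumbers the remaining rules after each delete, so the numbers must be worked through from highest to lowest. The script below is an added example, not part of the original post; the function names are hypothetical and the status output is a constructed sample using documentation addresses.

```shell
#!/bin/sh
# Added example: pick rule numbers out of `ufw status numbered` output and
# delete them highest-first, because ufw renumbers after every delete.

# Read `ufw status numbered` output on stdin; print the numbers of the rules
# whose From column is exactly $1, in descending order.
rules_from() {
    awk -v src="$1" '
        /^\[ *[0-9]+\]/ {
            num = $0
            sub(/^\[ */, "", num)      # drop "[" and padding
            sub(/\].*/, "", num)       # drop "]" and the rest of the line
            if ($NF == src) print num
        }' | sort -rn
}

# Print one "ufw delete N" command per matching rule, safe to run in order.
delete_cmds() {
    rules_from "$1" | while read -r n; do
        echo "ufw delete $n"
    done
}

# Constructed sample of `ufw status numbered` output (documentation addresses).
sample='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    203.0.113.5
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 8080                       ALLOW IN    203.0.113.5
[ 4] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

printf '%s\n' "$sample" | delete_cmds 203.0.113.5
```

On a live system the input would come from ufw status numbered piped into delete_cmds. Deleting rule 1 first would turn rule 3 into rule 2, and a following "ufw delete 3" would then remove the IPv6 web rule instead.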



Changing the local time:
ln -s /usr/share/zoneinfo/Europe/Minsk /etc/localtime


For other nice ideas, please see the references. Cheers!

References: 
http://blog.tersmitten.nl/ufw-delete-firewall-rules-by-number.html
http://guides.webbynode.com/articles/security/ubuntu-ufw.html