
July 30, 2020

Oracle Cloud VM setup

Creating a VM instance

Follow the guide "Using a VPS on Oracle Cloud free forever" (오라클 클라우드에서 평생 무료로 VPS 사용하기) and create the instance as described there.

Domain setup

In Compute - Instances, select the instance you created, read off its public IP address, and point the domain's DNS record at it.

Changing the shell

$ sudo apt install zsh
$ sudo chsh -s /bin/zsh ubuntu

Setting up the Docker environment

$ sudo apt install docker-compose
$ sudo usermod -aG docker $USER

The group change only takes effect for new login sessions, so log out and back in. Keep in mind that membership in the docker group is equivalent to root on the host (anyone in it can mount / into a privileged container), so only accounts you would give sudo to anyway belong there.

Issuing a Let's Encrypt certificate

Firewall settings

In Compute - Instances, select the instance, go to Primary VNIC - Subnet - Security Lists, pick the security list in use, and add an ingress rule for port 80 via Add Ingress Rules. The security list is only the cloud side of the firewall: Oracle's Ubuntu images also ship host iptables rules that accept only SSH, so port 80 (and later the HTTPS port you proxy on) has to be opened in the instance's own iptables as well, and the rule saved so it survives a reboot.

Issuing the certificate

$ docker run -it --rm --name certbot -v '/etc/letsencrypt:/etc/letsencrypt' -p 80:80 certbot/certbot certonly --agree-tos --no-eff-email --standalone --preferred-challenges http -d <domain>

The standalone plugin binds port 80 itself, so nothing else may be listening on it while the challenge runs. The issued files end up in /etc/letsencrypt/live/<domain>/ on the host.

Renewing the certificate

Creating and deleting the container by hand every time was a hassle, so I used docker-compose.

Create a docker-compose.yml like the one below.

version: "3"

services:
    certbot:
        container_name: certbot
        image: certbot/certbot
        ports:
            - "80:80/tcp"
        entrypoint: certbot renew
        volumes:
            - '/etc/letsencrypt:/etc/letsencrypt'

Start the container with:

$ docker-compose up

If that works, register it in crontab so it runs on a schedule. Two things to keep in mind: certbot renew only replaces the files when fewer than 30 days of validity remain, so most runs are no-ops, and Caddy reads the certificate files it is given once at startup, so the Caddy containers described below have to be restarted after a real renewal.

0 0 */2 * * docker-compose -f /home/ubuntu/docker/certbot/docker-compose.yml up
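The following wrapper for that cron job is an added example and is not part of the original page. It runs the compose file above, hashes every live certificate chain before and after, and restarts the Caddy containers only when certbot actually wrote a new certificate, because Caddy does not watch the files named in a tls directive. The compose path and the container names caddy-bitwarden and caddy-nextcloud are taken from this page; treat them as placeholders for your own, all overridable through the environment.

```sh
#!/bin/sh
# renew-certs.sh: cron wrapper around the certbot compose job (added example, not from the page).
# Assumptions, all overridable through the environment: the compose file path from the
# crontab line above and the Caddy container names used later on this page.
set -eu

COMPOSE_FILE="${COMPOSE_FILE:-/home/ubuntu/docker/certbot/docker-compose.yml}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
CADDY_CONTAINERS="${CADDY_CONTAINERS:-caddy-bitwarden caddy-nextcloud}"

# cert_fingerprint DIR: a single hash over every fullchain.pem below DIR, so a
# renewed chain, or a newly issued one, changes the result.
cert_fingerprint() {
    find "$1" -name fullchain.pem -exec sha256sum {} + | sort | sha256sum | cut -d' ' -f1
}

# cert_changed BEFORE AFTER: true when the two fingerprints differ.
cert_changed() {
    [ "$1" != "$2" ]
}

# renew: run "certbot renew" through compose. --exit-code-from makes the exit status
# certbot's own, so a failed renewal shows up as a failed cron job instead of success.
renew() {
    before=$(cert_fingerprint "$LIVE_DIR")
    docker-compose -f "$COMPOSE_FILE" up --exit-code-from certbot
    after=$(cert_fingerprint "$LIVE_DIR")
    if cert_changed "$before" "$after"; then
        # Caddy loaded the old files at startup; restart so it serves the new chain and key.
        for c in $CADDY_CONTAINERS; do
            docker restart "$c"
        done
        echo "certificate renewed; restarted: $CADDY_CONTAINERS"
    else
        echo "no certificate changed; nothing to restart"
    fi
}

# Only act when invoked as a command, e.g. from crontab:
#   0 0 */2 * * /home/ubuntu/docker/certbot/renew-certs.sh run
if [ "${1:-}" = run ]; then
    renew
fi
```

Hashing the chain files rather than checking timestamps means a rerun of certbot that rewrites identical content (for example after a --force-renewal that fails validation) does not trigger a needless restart.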

July 20, 2020

Reverse proxy setup with Docker/Caddy

This records a reverse proxy setup using Caddy. The certificates are renewed separately into /etc/letsencrypt (see above), so each Caddyfile points at those files with an explicit tls directive instead of letting Caddy obtain its own through ACME. The stacks below are independent examples that all use 1234 as the public port; running two of them on the same host means the second cannot bind.

bitwarden

https://mydomain.net:1234 -> bitwarden

docker-compose.yml


version: "3"

services:
    bitwarden:
        container_name: bitwarden
        image: bitwardenrs/server:raspberry
        environment:
            - WEBSOCKET_ENABLED=true
        volumes:
            # the data directory is a volume, not an environment variable
            - ./bitwarden_data:/data
        restart: unless-stopped
    caddy-bitwarden:
        container_name: caddy-bitwarden
        image: caddy
        ports:
            - '1234:1234/tcp'
        environment:
            # ACME_AGREE belongs to the Caddy v1 image and is ignored by the caddy (v2) image;
            # automatic HTTPS is not used here anyway because the Caddyfile supplies its own cert.
            - ACME_AGREE=false
            - DOMAIN=mydomain.net
            - CADDY_PORT=1234
            - REDIRECT_URL=bitwarden:80
        volumes:
            - ./Caddyfile:/etc/caddy/Caddyfile:ro
            - /etc/letsencrypt:/etc/letsencrypt:ro
        restart: unless-stopped

Caddyfile

{$DOMAIN}:{$CADDY_PORT} {
	tls /etc/letsencrypt/live/{$DOMAIN}/fullchain.pem /etc/letsencrypt/live/{$DOMAIN}/privkey.pem

	# No path matcher: "header /" would only apply to requests for exactly "/",
	# because Caddy 2 path matchers are exact unless they end in *.
	header {
		Strict-Transport-Security "max-age=15768000"
		# legacy header; current browsers have removed the XSS auditor, harmless to keep
		X-XSS-Protection "1; mode=block"
		X-Frame-Options "DENY"
		X-Robots-Tag "none"
	}

	# The negotiation endpoint is also proxied to Rocket
	reverse_proxy /notifications/hub/negotiate bitwarden:80

	# Notifications redirected to the websockets server
	reverse_proxy /notifications/hub bitwarden:3012

	# Proxy the Root directory to Rocket
	reverse_proxy /* {$REDIRECT_URL}
}

nextcloud

https://mydomain.net:1234 -> php-fpm(nextcloud)

docker-compose.yml

version: '3.1'

services:
    nextcloud:
        image: nextcloud:fpm-alpine
        container_name: nextcloud
        environment:
            - TZ=Asia/Seoul
            # PUID/PGID are linuxserver.io-style variables; the official nextcloud image ignores them
            - PUID=1001
            - PGID=1001
            # credentials in plain text here end up in any copy of this file; an .env file
            # next to the compose file keeps them out of the part you might share or commit
            - MYSQL_DATABASE=<db name>
            - MYSQL_USER=<mysql user>
            - MYSQL_PASSWORD=<mysql password>
            - MYSQL_HOST=<mysql server address>
            - NEXTCLOUD_TRUSTED_DOMAINS=mydomain.net:1234
            - NEXTCLOUD_ADMIN_USER=<nextcloud admin user>
            - NEXTCLOUD_ADMIN_PASSWORD=<nextcloud admin password>
        volumes:
            - ./nextcloud_html:/var/www/html
        restart: unless-stopped
    caddy-nextcloud:
        container_name: caddy-nextcloud
        image: caddy
        ports:
            - '1234:1234/tcp'
        environment:
            # Caddy v1 image variable, ignored by the caddy (v2) image
            - ACME_AGREE=false
            - DOMAIN=mydomain.net
            - CADDY_PORT=1234
        volumes:
            - ./Caddyfile:/etc/caddy/Caddyfile:ro
            # Caddy serves the static files itself, so it needs the same webroot, read-only
            - ./nextcloud_html:/var/www/html:ro
            - /etc/letsencrypt:/etc/letsencrypt:ro
        restart: unless-stopped

Caddyfile

{$DOMAIN}:{$CADDY_PORT} {
	tls /etc/letsencrypt/live/{$DOMAIN}/fullchain.pem /etc/letsencrypt/live/{$DOMAIN}/privkey.pem

	# No path matcher, so the headers go on every response ("header /" matches only "/").
	header {
		# The preload list only accepts max-age >= 31536000 (one year), and includeSubDomains
		# commits every subdomain to HTTPS; drop both unless that is really intended.
		Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
		Referrer-Policy "no-referrer"
		X-Content-Type-Options "nosniff"
		X-Download-Options "noopen"
		X-Frame-Options "SAMEORIGIN"
		X-Permitted-Cross-Domain-Policies "none"
		X-Robots-Tag "none"
		X-XSS-Protection "1; mode=block"
	}

	root * /var/www/html
	file_server

	php_fastcgi nextcloud:9000

	# /core/fonts/* rather than /core/fonts: the matcher has to cover the files below it
	header /core/fonts/* {
		Cache-Control "max-age=604800"
	}

	@phpFiles {
		path_regexp phpfile ^/(remote|public|cron|core/ajax/update|status|ocs/v1|ocs/v2)\.php
	}
	rewrite @phpFiles {http.regexp.phpfile.0}

	# Service discovery via well-known
	redir /.well-known/carddav /remote.php/carddav 301
	redir /.well-known/caldav /remote.php/caldav 301

	# Paths that must never be served directly; answered with 404 so they do not
	# even confirm that the files exist
	@forbidden {
		path	/.htaccess
		path	/data/*
		path	/config/*
		path	/db_structure
		path	/.xml
		path	/README
		path	/3rdparty/*
		path	/lib/*
		path	/templates/*
		path	/occ
		path	/console.php
	}

	respond @forbidden 404
}

Stripping a path prefix

{$DOMAIN}:{$CADDY_PORT}/foo/ -> 172.16.10.5:449/

Caddyfile

{$DOMAIN}:{$CADDY_PORT} {
	tls /etc/letsencrypt/live/{$DOMAIN}/fullchain.pem /etc/letsencrypt/live/{$DOMAIN}/privkey.pem

	# no path matcher: "header /" would only cover requests for exactly "/"
	header {
		# Enable HTTP Strict Transport Security (HSTS)
		Strict-Transport-Security "max-age=15768000"
		X-Frame-Options "DENY"
		X-Robots-Tag "none"
	}

	# /foo/* does not match a bare /foo; the backend receives the path with /foo removed
	route /foo/* {
		uri strip_prefix /foo
		reverse_proxy 172.16.10.5:449
	}
}

Replacing a path prefix

{$DOMAIN}:{$CADDY_PORT}/foo/ -> 172.16.10.5:449/bar/

Caddyfile

{$DOMAIN}:{$CADDY_PORT} {
	tls /etc/letsencrypt/live/{$DOMAIN}/fullchain.pem /etc/letsencrypt/live/{$DOMAIN}/privkey.pem

	# no path matcher: "header /" would only cover requests for exactly "/"
	header {
		# Enable HTTP Strict Transport Security (HSTS)
		Strict-Transport-Security "max-age=15768000"
		X-Frame-Options "DENY"
		X-Robots-Tag "none"
	}

	route /foo/* {
		# "uri replace" is a substring replacement over the whole URI; the limit of 1
		# makes it rewrite only the leading /foo/, not a later /foo/ inside the path
		uri replace /foo/ /bar/ 1
		reverse_proxy 172.16.10.5:449
	}
}
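Every Caddyfile in this section sets its security headers in a header block, and the easiest mistake to make there is a path matcher such as "header /", which in Caddy 2 applies to the root path only. The script below is an added example, not from the original page or from Caddy, and checks that the headers really arrive on every path you care about (bitwarden, nextcloud, and the two prefix-proxy sites above). It assumes curl is installed; the URL and paths on the command line are placeholders, and the minimum max-age matches the value used on this page.

```sh
#!/bin/sh
# check-headers.sh: verify the security headers on every path, not just "/".
# Added example, not part of the original page or of Caddy. Assumes curl is
# installed; the base URL and paths on the command line are placeholders.
set -eu

# Headers every Caddyfile on this page sets, compared case-insensitively.
REQUIRED_HEADERS="strict-transport-security x-frame-options x-robots-tag"
# The smallest max-age used on this page; anything lower means the header is wrong.
MIN_HSTS_AGE=15768000

# fetch_headers URL: response headers only and no redirects followed, so a 301 to
# another path cannot mask a missing header on the path actually requested.
fetch_headers() {
    curl -sSI --max-time 10 "$1"
}

# audit_headers < raw-headers: returns 0 when every required header is present and
# the HSTS max-age is at least MIN_HSTS_AGE; each problem is reported on stderr.
audit_headers() {
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    rc=0
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$h:"; then
            echo "missing header: $h" >&2
            rc=1
        fi
    done
    age=$(printf '%s\n' "$hdrs" | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$age" ] || [ "$age" -lt "$MIN_HSTS_AGE" ]; then
        echo "hsts max-age too low or absent: ${age:-none}" >&2
        rc=1
    fi
    return $rc
}

# audit_site BASE_URL PATH...: audits each path and fails if any path fails.
# A "header /" block passes for "/" and fails for every other path, which is
# exactly the misconfiguration this catches.
audit_site() {
    base="$1"
    shift
    rc_all=0
    for p in "$@"; do
        if fetch_headers "$base$p" | audit_headers; then
            echo "ok   $p"
        else
            echo "FAIL $p"
            rc_all=1
        fi
    done
    return $rc_all
}

# Usage (hostname and port are placeholders):
#   ./check-headers.sh https://mydomain.net:1234 / /api/config /notifications/hub/negotiate
if [ $# -gt 0 ]; then
    audit_site "$@"
fi
```

Run it after every Caddyfile change with at least one deep path per site (a file under /foo/ for the prefix proxies, /remote.php/webdav for nextcloud); a pass on "/" alone proves nothing about the matcher.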

Raspbian/Watchdog setup

The Raspberry Pi has a hardware watchdog timer. Handing it to systemd makes the board reset itself automatically when the kernel or systemd itself hangs. It does not cover a hung application: as long as PID 1 keeps pinging the device the board stays up, so a service that has to be supervised needs its own WatchdogSec= in its unit file.

Check that a watchdog timer is present:

$ dmesg | grep -i watchdog
[    0.399099] bcm2835-wdt bcm2835-wdt: Broadcom BCM2835 watchdog timer

In /etc/systemd/system.conf, set RuntimeWatchdogSec and RebootWatchdogSec. RebootWatchdogSec is the systemd 243+ name for what older versions (Debian/Raspbian Buster ships 241) call ShutdownWatchdogSec; use whichever spelling your system.conf lists. RuntimeWatchdogSec is the hardware timeout: if PID 1 stops pinging the device for that long, the board resets. 15 s is the longest timeout the BCM2835 watchdog accepts.

RuntimeWatchdogSec=15
RebootWatchdogSec=5min

After a reboot, confirm that the watchdog setting was applied:

$ dmesg | grep -i watchdog
[    0.399099] bcm2835-wdt bcm2835-wdt: Broadcom BCM2835 watchdog timer
[    1.364292] systemd[1]: Hardware watchdog 'Broadcom BCM2835 Watchdog timer', version 0
[    1.364350] systemd[1]: Set hardware watchdog to 15s.
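The procedure above as a script, added here as an example and not taken from the page: it edits the two keys in place (turning the commented-out defaults into active lines, and never leaving duplicates on a re-run), refuses a RuntimeWatchdogSec above the 15 s the BCM2835 watchdog supports, picks the ShutdownWatchdogSec spelling when the shipped system.conf shows that is what this systemd knows, and checks the dmesg line from the verification step. The config path is a parameter, so the functions can be tried on a copy before touching /etc/systemd/system.conf; the 15 s limit is an assumption that holds for the bcm2835-wdt driver shown in dmesg.

```sh
#!/bin/sh
# set-watchdog.sh: apply the two system.conf settings above and check the result.
# Added example, not from the page. Assumes the BCM2835 watchdog seen in dmesg,
# whose longest supported timeout is 15 s; the config path is a parameter so the
# functions can be exercised on a copy before touching /etc/systemd/system.conf.
set -eu

BCM2835_MAX_SEC=15

# set_conf_key FILE KEY VALUE: turn an active or commented-out "KEY=" line into
# "KEY=VALUE" in place, or append the line if the key is not in the file at all.
# Running it twice leaves exactly one line, so the script is safe to re-run.
set_conf_key() {
    file="$1" key="$2" value="$3"
    if grep -Eq "^[# ]*$key=" "$file"; then
        sed -i -E "s|^[# ]*$key=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# configure_watchdog FILE RUNTIME_SEC REBOOT_TIMEOUT: validates RUNTIME_SEC
# against the hardware limit before writing anything, then writes both keys.
configure_watchdog() {
    file="$1" runtime="$2" reboot="$3"
    case "$runtime" in
        ''|*[!0-9]*) echo "RuntimeWatchdogSec must be a whole number of seconds" >&2; return 1 ;;
    esac
    if [ "$runtime" -lt 1 ] || [ "$runtime" -gt "$BCM2835_MAX_SEC" ]; then
        echo "RuntimeWatchdogSec must be 1..$BCM2835_MAX_SEC for bcm2835-wdt" >&2
        return 1
    fi
    set_conf_key "$file" RuntimeWatchdogSec "$runtime"
    # systemd renamed ShutdownWatchdogSec to RebootWatchdogSec in v243. The shipped
    # system.conf lists every key commented out, so the spelling present in the file
    # tells us which one this systemd understands.
    if grep -Eq '^[# ]*ShutdownWatchdogSec=' "$file" && ! grep -Eq '^[# ]*RebootWatchdogSec=' "$file"; then
        set_conf_key "$file" ShutdownWatchdogSec "$reboot"
    else
        set_conf_key "$file" RebootWatchdogSec "$reboot"
    fi
}

# watchdog_armed < dmesg-output: true once systemd reports the hardware timeout set,
# i.e. the "systemd[1]: Set hardware watchdog to 15s." line from the check above.
watchdog_armed() {
    grep -q 'systemd\[1\]: Set hardware watchdog to'
}

# Usage as root: ./set-watchdog.sh apply [runtime_sec] [reboot_timeout], then reboot
# and verify with: dmesg | grep -i watchdog
if [ "${1:-}" = apply ]; then
    configure_watchdog /etc/systemd/system.conf "${2:-15}" "${3:-5min}"
    echo "written; reboot to arm the watchdog, then check dmesg"
fi
```

Validating the timeout before writing matters because a value the driver cannot honour does not take effect as written, and the only symptom is the absence of the "Set hardware watchdog" line after reboot.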