Installing Rocket.Chat.
I/ Gandi IaaS server: hacklab.
Distribution: Debian 9
CPU: 1
RAM: 1 GB
System disk name: sysdiskhl01
Size: 15 GB
Hostname: serverhl01
Administrator login: admin
II/ Configuration.
1/ Connecting to the server.
util01@station02:~$ ssh admin@217.70.191.106
admin@217.70.191.106's password:
Linux serverhl01 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64
...
admin@serverhl01:~$
2/ Switching to the administrative user (root).
admin@serverhl01:~$ su
Password:
root@serverhl01:/home/admin#
3/ Updating the system.
root@serverhl01:/home/admin# apt-get update && apt-get upgrade
4/ Installing the base packages.
root@serverhl01:/home/admin# apt-get install mc vim htop screen
5/ Installing the locales.
Open:
/etc/locale.gen
Find and uncomment:
# fr_FR ISO-8859-1
# fr_FR.UTF-8 UTF-8
Actions:
root@serverhl01:/home/admin# locale-gen
root@serverhl01:/home/admin# export LANGUAGE=fr_FR.UTF-8
root@serverhl01:/home/admin# export LANG=fr_FR.UTF-8
root@serverhl01:/home/admin# export LC_ALL=fr_FR.UTF-8
6/ Installing LXC.
root@serverhl01:/home/admin# apt install lxc xz-utils bridge-utils dnsmasq-base iptables debootstrap
7/ Configuring the bridge.
Open:
/etc/lxc/default.conf
Find:
lxc.network.type = empty
Replace with:
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
Create:
/etc/default/lxc-net
Add:
USE_LXC_BRIDGE="true"
8/ Restart the 'lxc-net' service.
root@serverhl01:/home/admin# systemctl restart lxc-net
9/ Display the status of the 'lxc-net' service.
root@serverhl01:/home/admin# systemctl status lxc-net
● lxc-net.service - LXC network bridge setup
   Loaded: loaded (/lib/systemd/system/lxc-net.service; enabled; vendor preset: enabled)
   Active: active (exited) since Tue 2019-08-13 21:37:20 CEST; 27s ago
  Process: 20296 ExecStart=/usr/lib/x86_64-linux-gnu/lxc/lxc-net start (code=exited, status=0
 Main PID: 20296 (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 4915)
   Memory: 820.0K
      CPU: 67ms
   CGroup: /system.slice/lxc-net.service
           └─20354 dnsmasq -u dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dn

Aug 13 21:37:20 serverhl01 dnsmasq[20354]: started, version 2.76 cachesize 150
Aug 13 21:37:20 serverhl01 dnsmasq[20354]: compile time options: IPv6 GNU-getopt DBus i18n ID
Aug 13 21:37:20 serverhl01 dnsmasq-dhcp[20354]: DHCP, IP range 10.0.3.2 -- 10.0.3.254, lease
Aug 13 21:37:20 serverhl01 dnsmasq-dhcp[20354]: DHCP, sockets bound exclusively to interface
Aug 13 21:37:20 serverhl01 dnsmasq[20354]: reading /etc/resolv.conf
Aug 13 21:37:20 serverhl01 dnsmasq[20354]: using nameserver 155.133.136.131#53
Aug 13 21:37:20 serverhl01 dnsmasq[20354]: using nameserver 155.133.136.130#53
Aug 13 21:37:20 serverhl01 dnsmasq[20354]: using nameserver 2001:4b98:dc5:255::129#53
Aug 13 21:37:20 serverhl01 dnsmasq[20354]: read /etc/hosts - 5 addresses
Aug 13 21:37:20 serverhl01 systemd[1]: Started LXC network bridge setup.
root@serverhl01:/home/admin#
10/ Verification.
root@serverhl01:/home/admin# ip -4 -o a show lxcbr0
3: lxcbr0    inet 10.0.3.1/24 scope global lxcbr0\       valid_lft forever preferred_lft forever
root@serverhl01:/home/admin#
11/ Creating a Debian 9 LXC container.
root@serverhl01:/home/admin# lxc-create -n rocketchat -t debian -- -r stretch
debootstrap is /usr/sbin/debootstrap
Checking cache download in /var/cache/lxc/debian/rootfs-stretch-amd64 ...
Downloading debian minimal ...
I: Retrieving InRelease
I: Retrieving Release
...
libseccomp2 libssl1.0.2 libstdc++6 libwrap0 openssh-client openssh-sftp-server procps systemd systemd-sysv ucf
I: Checking component main on http://httpredir.debian.org/debian...
I: Retrieving libacl1 2.2.52-3+b1
...
Current default time zone: 'Etc/UTC'
Local time is now:      Tue Aug 13 19:49:08 UTC 2019.
Universal Time is now:  Tue Aug 13 19:49:08 UTC 2019.
root@serverhl01:/home/admin#
12/ Start the 'rocketchat' container.
root@serverhl01:/home/admin# lxc-start -n rocketchat
13/ Verification.
root@serverhl01:/home/admin# lxc-ls --fancy
NAME       STATE   AUTOSTART GROUPS IPV4       IPV6
rocketchat RUNNING 0         -      10.0.3.245 -
root@serverhl01:/home/admin#
14/ Attach to the 'rocketchat' container.
root@serverhl01:/home/admin# lxc-attach -n rocketchat
root@rocketchat:/#
15/ Test (outbound connectivity from the container).
root@rocketchat:/# apt install iputils-ping
root@rocketchat:/# ping -c 1 google.fr
PING google.fr (172.217.19.195) 56(84) bytes of data.
64 bytes from ams16s31-in-f3.1e100.net (172.217.19.195): icmp_seq=1 ttl=55 time=14.0 ms

--- google.fr ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 14.060/14.060/14.060/0.000 ms
root@rocketchat:/#
16/ Exit the container.
root@rocketchat:/# exit
exit
root@serverhl01:/home/admin#
17/ Assign a static address to the container (dnsmasq static lease).
Create:
/etc/lxc/dhcp.conf
Add:
dhcp-host=rocketchat,10.0.3.11
Open:
/etc/default/lxc-net
Append at the end:
LXC_DHCP_CONFILE=/etc/lxc/dhcp.conf
18/ Restart the 'lxc-net' service.
root@serverhl01:/home/admin# systemctl restart lxc-net
19/ Restart the 'rocketchat' container.
root@serverhl01:/home/admin# lxc-stop -n rocketchat && lxc-start -n rocketchat
20/ Verification (the container now has the static address).
root@serverhl01:/home/admin# lxc-ls --fancy
NAME       STATE   AUTOSTART GROUPS IPV4      IPV6
rocketchat RUNNING 0         -      10.0.3.11 -
root@serverhl01:/home/admin#
21/ Attach to the 'rocketchat' container.
root@serverhl01:/home/admin# lxc-attach -n rocketchat
root@rocketchat:/#
22/ Installing the base packages.
root@rocketchat:/# apt-get install mc vim htop screen
23/ Configuring the locales.
Open:
/etc/locale.gen
Find and uncomment:
# fr_FR ISO-8859-1
# fr_FR.UTF-8 UTF-8
Actions:
root@rocketchat:/# locale-gen
root@rocketchat:/# export LANGUAGE=fr_FR.UTF-8
root@rocketchat:/# export LANG=fr_FR.UTF-8
root@rocketchat:/# export LC_ALL=fr_FR.UTF-8
24/ Exit the container.
root@rocketchat:/# exit
exit
root@serverhl01:/home/admin#
25/ Take a snapshot (the container must be stopped first).
root@serverhl01:/home/admin# lxc-stop -n rocketchat
root@serverhl01:/home/admin# lxc-snapshot -n rocketchat
lxc-snapshot: lxccontainer.c: do_lxcapi_snapshot: 3407 Snapshot of directory-backed container requested.
lxc-snapshot: lxccontainer.c: do_lxcapi_snapshot: 3408 Making a copy-clone. If you do want snapshots, then
lxc-snapshot: lxccontainer.c: do_lxcapi_snapshot: 3409 please create an aufs or overlayfs clone first, snapshot that
lxc-snapshot: lxccontainer.c: do_lxcapi_snapshot: 3410 and keep the original container pristine.
root@serverhl01:/home/admin# lxc-start -n rocketchat
root@serverhl01:/home/admin# lxc-snapshot -L -n rocketchat
snap0 (/var/lib/lxc/rocketchat/snaps) 2019:08:13 22:16:33
root@serverhl01:/home/admin#
III/ Installing Rocket.Chat.
1/ Attach to the 'rocketchat' container.
root@serverhl01:/home/admin# lxc-attach -n rocketchat
2/ Configuring the MongoDB and NodeSource repositories.
root@rocketchat:/# apt-get install -y dirmngr && apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
root@rocketchat:/# echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/4.0 main" | tee /etc/apt/sources.list.d/mongodb-org-4.0.list
root@rocketchat:/# apt-get -y update && apt-get install -y curl && curl -sL https://deb.nodesource.com/setup_8.x | bash -
3/ Installing the MongoDB database, Node.js and the build dependencies.
root@rocketchat:/# apt-get install -y build-essential mongodb-org nodejs graphicsmagick
4/ Installing the Node.js modules and pinning Node.js 8.11.4 with 'n'.
root@rocketchat:/# npm install -g inherits n && n 8.11.4
5/ Downloading the Rocket.Chat source archive.
root@rocketchat:/# curl -L https://releases.rocket.chat/latest/download -o /tmp/rocket.chat.tgz
6/ Extracting the Rocket.Chat archive.
root@rocketchat:/# tar -xzf /tmp/rocket.chat.tgz -C /tmp
root@rocketchat:/# cd /tmp/
root@rocketchat:/tmp# mv bundle Rocket.Chat
root@rocketchat:/tmp# cd Rocket.Chat/programs/server/
7/ Installing Rocket.Chat (server-side npm dependencies).
root@rocketchat:/tmp/Rocket.Chat/programs/server# npm install
8/ Configuring the service account and file ownership (no home directory, locked password).
root@rocketchat:/tmp/Rocket.Chat/programs/server# cd
root@rocketchat:~# useradd -M rocketchat && usermod -L rocketchat
root@rocketchat:~# mv /tmp/Rocket.Chat/ /opt/Rocket.Chat
root@rocketchat:~# chown -R rocketchat:rocketchat /opt/Rocket.Chat
9/ Configuring the Rocket.Chat systemd service.
root@rocketchat:~# cat << EOF | tee -a /lib/systemd/system/rocketchat.service
[Unit]
Description=The Rocket.Chat server
After=network.target remote-fs.target nss-lookup.target nginx.target mongod.target
[Service]
ExecStart=/usr/local/bin/node /opt/Rocket.Chat/main.js
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=rocketchat
User=rocketchat
Environment=MONGO_URL=mongodb://localhost:27017/rocketchat?replicaSet=rs01 MONGO_OPLOG_URL=mongodb://localhost:27017/local?replicaSet=rs01 ROOT_URL=http://localhost:3000/ PORT=3000
[Install]
WantedBy=multi-user.target
EOF
Open:
/lib/systemd/system/rocketchat.service
Find:
ROOT_URL=http://localhost:3000/
Replace with:
ROOT_URL=http://rocketchat.hacklab.fr:3000/
10/ Post-configuration: enable the mmapv1 storage engine and declare the rs01 replica set in /etc/mongod.conf (two-space indentation, as the YAML file requires).
root@rocketchat:~# sed -i "s/^#  engine:/  engine: mmapv1/" /etc/mongod.conf
root@rocketchat:~# sed -i "s/^#replication:/replication:\n  replSetName: rs01/" /etc/mongod.conf
11/ Enable the MongoDB service.
root@rocketchat:~# systemctl enable mongod
Created symlink /etc/systemd/system/multi-user.target.wants/mongod.service → /lib/systemd/system/mongod.service.
root@rocketchat:~#
12/ Start the MongoDB service.
root@rocketchat:~# systemctl start mongod
13/ Initialise the replica set and check the MongoDB version.
root@rocketchat:~# mongo --eval "printjson(rs.initiate())"
MongoDB shell version v4.0.12
...
root@rocketchat:~#
14/ Enable the Rocket.Chat service.
root@rocketchat:~# systemctl enable rocketchat
Created symlink /etc/systemd/system/multi-user.target.wants/rocketchat.service → /lib/systemd/system/rocketchat.service.
root@rocketchat:~#
15/ Start the Rocket.Chat service.
root@rocketchat:~# systemctl start rocketchat
16/ Verification (mongod runs as 'mongodb', the Node.js process as 'rocketchat').
root@rocketchat:~# ps -aux
USER       PID %CPU %MEM     VSZ    RSS TTY      STAT START   TIME COMMAND
...
mongodb   6694  2.8  8.9 4112032  91068 ?        Ssl  20:43   0:03 /usr/bin/mongod --config /etc/mongod.conf
rocketc+  6761 74.6 52.8 1835192 535744 ?        Ssl  20:44   0:30 /usr/local/bin/node /opt/Rocket.Chat/main.js
root@rocketchat:~#
17/ Exit the container.
root@rocketchat:~# exit
exit
root@serverhl01:/home/admin#
18/ Add the iptables DNAT rule for port 3000 (on the host).
root@serverhl01:/home/admin# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3000 -j DNAT --to-destination 10.0.3.11:3000
19/ Update the DNS zone of the 'hacklab.fr' domain.
rocketchat.hacklab.fr. 10671 IN A 217.70.191.106
20/ Test.
http://rocketchat.hacklab.fr:3000/
21/ Links.
https://rockstarninja.laboratoire-bidouille.dev/gandi-serveur-iaas-installation-de-lxc/
https://rocket.chat/docs/installation/manual-installation/debian/
IV/ Installing a reverse proxy.
1/ Forwarding ports 80 and 443 to the container (on the host).
root@serverhl01:/home/admin# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.3.11:80
root@serverhl01:/home/admin# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.3.11:443
2/ Attach to the 'rocketchat' container.
root@serverhl01:/home/admin# lxc-attach -n rocketchat
root@rocketchat:/#
3/ Installing the 'nginx' web server (and the 'links' text browser for testing).
root@rocketchat:/# apt-get install nginx links
4/ Test.
root@rocketchat:/# links http://localhost/
5/ Configuring the repositories for Let's Encrypt (certbot comes from stretch-backports).
Open:
/etc/apt/sources.list
Append at the end:
deb http://deb.debian.org/debian stretch-backports main contrib non-free
deb-src http://deb.debian.org/debian stretch-backports main contrib non-free
Action:
root@rocketchat:/# apt update
6/ Installing the Let's Encrypt certificate tool (certbot with the nginx plugin).
root@rocketchat:/# apt-get install certbot python-certbot-nginx -t stretch-backports
7/ Generating a Let's Encrypt certificate.
root@rocketchat:/# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: rocketchat.hacklab.fr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
...
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default
...
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=rocketchat.hacklab.fr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
...
root@rocketchat:/#
8/ Test.
https://rocketchat.hacklab.fr/
9/ Links.
https://www.howtoforge.com/tutorial/install-letsencrypt-and-secure-nginx-in-debian-9/
https://linuxize.com/post/secure-nginx-with-let-s-encrypt-on-debian-9/
https://certbot.eff.org/lets-encrypt/debianstretch-nginx.html
V/ Configuring Nginx.
1/ Back up the Nginx configuration file.
root@rocketchat:/# cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak
2/ Reconfiguring Nginx as a TLS-terminating reverse proxy.
Open:
/etc/nginx/sites-available/default
Replace everything with:
upstream rocketchat_backend {
    server 127.0.0.1:3000;
}

server {
    listen 80;
    server_name rocketchat.hacklab.fr;
    return 301 https://rocketchat.hacklab.fr$request_uri;
}

server {
    listen 443 ssl http2;
    server_name rocketchat.hacklab.fr;

    ssl_certificate /etc/letsencrypt/live/rocketchat.hacklab.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rocketchat.hacklab.fr/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/rocketchat.hacklab.fr/chain.pem;

    access_log /var/log/nginx/rocketchat.hacklab.fr-access.log;
    error_log /var/log/nginx/rocketchat.hacklab.fr-error.log;

    location / {
        proxy_pass http://rocketchat_backend/;
        # HTTP/1.1 and the Upgrade/Connection headers are needed for the WebSockets Rocket.Chat uses
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # standard header names (X-Forwarded-*); the client connection is HTTPS even though
        # nginx reaches the backend over plain HTTP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}
3/ Restart Nginx.
root@rocketchat:/# service nginx restart
4/ Remove the NAT rule for port 3000 (on the host, after exiting the container), so that Rocket.Chat is only reachable through the TLS proxy.
root@serverhl01:/home/admin# iptables -t nat --line-numbers -L
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             anywhere             tcp dpt:3000 to:10.0.3.11:3000
2    DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:10.0.3.11:80
3    DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:10.0.3.11:443
...
root@serverhl01:/home/admin# iptables -t nat -D PREROUTING 1
5/ The Rocket.Chat server is now reachable only at:
https://rocketchat.hacklab.fr/
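As an added example (not part of the tutorial), a small bash script that checks the end state of sections III to V offline: it compares the ROOT_URL left in the systemd unit with the URL nginx actually serves, verifies that the proxied location sets the standard X-Forwarded-* headers (the non-standard "X-Forward-For"/"X-Forward-Proto http" spelling is flagged), and counts NAT rules that still expose port 3000 and would bypass the TLS proxy. The file names and the sample unit, nginx snippet and iptables listing are constructed assumptions, not taken from the server.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): offline consistency checks for the final
# layout, nginx TLS proxy in front of Rocket.Chat on port 3000. All inputs are
# constructed samples written to temporary files so the checks run anywhere.
set -u
# ROOT_URL from the unit's Environment= line (several KEY=VALUE pairs share it).
root_url_from_unit() {
  sed -n 's/^Environment=.*ROOT_URL=\([^ ]*\).*/\1/p' "$1" | head -n 1
}
# Public URL nginx serves: server_name of the block that listens on 443.
public_url_from_nginx() {
  awk '/listen[ \t]+443/ { tls = 1 }
       tls && /server_name/ { sub(/;$/, "", $2); print "https://" $2 "/"; exit }' "$1"
}
# 0 when the proxied location passes the standard X-Forwarded-* headers
# (the tutorial's "X-Forward-For"/"X-Forward-Proto http" spelling is flagged).
nginx_forward_headers_ok() {
  grep -Eq 'proxy_set_header[[:space:]]+X-Forwarded-For' "$1" &&
  grep -Eq 'proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]+https' "$1"
}
# PREROUTING DNAT rules still forwarding a TCP port straight to the container, counted
# from "iptables -t nat --line-numbers -L" output; port 3000 must be 0 once nginx is in front.
direct_dnat_rules() {
  awk -v p="$2" '/DNAT/ && index($0, "dpt:" p " ") { n++ } END { print n + 0 }' "$1"
}
# Run every check, print findings, return the number of problems (0 = clean).
check_layout() {
  local unit=$1 site=$2 nat=$3 problems=0 root public
  root=$(root_url_from_unit "$unit"); public=$(public_url_from_nginx "$site")
  [ "$root" = "$public" ] || { echo "ROOT_URL=$root but nginx serves $public"; problems=$((problems + 1)); }
  nginx_forward_headers_ok "$site" || { echo "X-Forwarded-For/-Proto https not set"; problems=$((problems + 1)); }
  [ "$(direct_dnat_rules "$nat" 3000)" -eq 0 ] || { echo "port 3000 still DNATed: proxy bypass"; problems=$((problems + 1)); }
  return "$problems"
}
# Constructed samples mirroring the tutorial's end state (ROOT_URL left on :3000,
# port-3000 DNAT rule still present, forwarding headers already corrected).
sample_dir=$(mktemp -d)
printf '%s\n' '[Service]' 'User=rocketchat' \
  'Environment=MONGO_URL=mongodb://localhost:27017/rocketchat?replicaSet=rs01 ROOT_URL=http://rocketchat.hacklab.fr:3000/ PORT=3000' \
  > "$sample_dir/rocketchat.service"
printf '%s\n' 'server { listen 80; server_name rocketchat.hacklab.fr; }' 'server {' \
  '    listen 443 ssl http2;' '    server_name rocketchat.hacklab.fr;' '    location / {' \
  '        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
  '        proxy_set_header X-Forwarded-Proto https;' '    }' '}' > "$sample_dir/default"
printf '%s\n' 'Chain PREROUTING (policy ACCEPT)' \
  '1    DNAT  tcp  --  anywhere  anywhere  tcp dpt:3000 to:10.0.3.11:3000' \
  '2    DNAT  tcp  --  anywhere  anywhere  tcp dpt:http to:10.0.3.11:80' > "$sample_dir/nat.txt"
check_layout "$sample_dir/rocketchat.service" "$sample_dir/default" "$sample_dir/nat.txt" \
  || echo "$? problem(s) found"
```

On a real host, point the three arguments of check_layout at /lib/systemd/system/rocketchat.service, /etc/nginx/sites-available/default and the saved output of iptables -t nat --line-numbers -L; a clean run returns 0.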
6/ Links.
https://technologyrss.com/how-to-setup-rocket-chat-ssl-configuration-using-letsencrypt-for-nginx/
https://rocket.chat/docs/installation/manual-installation/configuring-ssl-reverse-proxy/