Installing rTorrent/rutorrent under nginx

Start with a fresh and updated install of Debian Jessie.

# apt-get update && apt-get dist-upgrade

Then install some packages:

# apt-get install nginx rtorrent php5-fpm php5-cli curl git-core

Then create a new user, so that you don’t act silly and run everything under root.
(I use a dedicated vm, so I already had a user created during the install phase.)

Nginx-config:
# editor /etc/nginx/sites-enabled/default

upstream php-handler {
    server unix:/var/run/php5-fpm.sock;
}

server {
    listen 80;
    server_name download.internal.local;
    fastcgi_buffers 64 4K;
    root /var/www/html;
    index index.html;
    error_page 404 /index.html;

    location /RPC2 {
        include scgi_params;
        scgi_pass unix:/tmp/rpc.socket;
    }

    location ~ ^/(conf|share|\.ht|db_structure\.xml|README) {
        deny all;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_pass php-handler;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_intercept_errors on;
        fastcgi_ignore_client_abort off;
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 180;
        fastcgi_read_timeout 180;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }

    location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf|svg)$ {
        expires 30d;
        access_log off;
    }
}

Save the file; don’t bother restarting nginx yet.

Now to autostart rTorrent on each boot:

# editor /lib/systemd/system/rtorrent.service

[Unit]
Description=rTorrent
After=network.target

[Service]
User=CHANGEME
Group=users
Type=forking
KillMode=none
Restart=always
ExecStart=/usr/bin/screen -d -m -fa -S rtorrent /usr/bin/rtorrent
ExecStop=/usr/bin/killall -w -s 2 /usr/bin/rtorrent
WorkingDirectory=%h

[Install]
WantedBy=multi-user.target

Change User to the username you allocated, save and close the file, and enable the service:
# systemctl enable rtorrent

Change context to the defined user:
# su -l <username>

Create the session directory:
$ mkdir .session

Create the config for rTorrent:
$ editor .rtorrent.rc

download_rate = 1248
upload_rate = 256
directory = /mnt/
session = /home/CHANGEME/.session
port_range = 9500-9500
port_random = yes
encryption = allow_incoming,try_outgoing,enable_retry
dht = disable
set_dht_port = 9501
peer_exchange = yes
scgi_local = /tmp/rpc.socket
schedule = chmod,0,0,"execute=chmod,777,/tmp/rpc.socket"
encoding_list = UTF-8
system.method.set_key =
execute = {sh,-c,/usr/bin/php /var/www/html/php/initplugins.php &}

Consider changing directory, port-ranges and rates to your needs.
Save and close the file.

Change to the web directory and check out ruTorrent.

# cd /var/www/html/

# git clone https://github.com/Novik/ruTorrent .
(if this complains that the dir is not empty, do “# rm index.nginx-debian.html” first.)

When done, reconfigure ruTorrent for socket-communication:
# editor conf/config.php

Comment out $scgi_port and $scgi_host.
Add:

$scgi_port = 0;
$scgi_host = "unix:///tmp/rpc.socket";

Also fill in the path to curl (/usr/bin/curl).
I also change topDirectory to the directory my downloads go to, which makes for easier browsing (remember the trailing /).

Fix some permission issues:
# chown -R www-data share/

Save and close the file. Technically ruTorrent/rTorrent works now, but all plugins are enabled, which will generate some errors, and they are technically not needed.

# sed 's/ user-defined/ no/g' conf/plugins.ini -i

# editor conf/plugins.ini
Enable the plugins you want by typing in the following:

[loadavg]
enabled = yes

This enables the loadavg-plugin. (remove the ‘\’, for some reason wordpress

Reboot the box, and remember to open the firewall (following this guide, that will be tcp/80, tcp/9500 and tcp/9501).
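To check that the socket wiring above actually works, here is an added example (my own code, not part of ruTorrent or this post) that speaks SCGI to rtorrent the way nginx’s scgi_pass and ruTorrent’s unix:///tmp/rpc.socket setting do. It assumes rtorrent is running with the scgi_local line from .rtorrent.rc above; note that anything able to open that socket, which the chmod 777 schedule makes everyone on the box, can drive rtorrent the same way.

```python
"""Talk XML-RPC to rtorrent over its SCGI unix socket (added example)."""
import socket
import xmlrpc.client

SOCKET_PATH = "/tmp/rpc.socket"  # scgi_local from .rtorrent.rc

def build_scgi_request(body: bytes, uri: str = "/RPC2") -> bytes:
    """Frame a request as SCGI: a netstring of NUL-separated headers
    (CONTENT_LENGTH must come first and SCGI must be 1), then the raw body."""
    headers = [("CONTENT_LENGTH", str(len(body))), ("SCGI", "1"),
               ("REQUEST_METHOD", "POST"), ("REQUEST_URI", uri)]
    hdr = b"".join(k.encode() + b"\0" + v.encode() + b"\0" for k, v in headers)
    return str(len(hdr)).encode() + b":" + hdr + b"," + body

def parse_scgi_response(raw: bytes):
    """rtorrent answers with CGI-style headers, a blank line, then the XML body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete SCGI response")
    headers = {}
    for line in head.decode("latin-1").split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def decode_xmlrpc(body: bytes):
    """Return the single XML-RPC result; raises xmlrpc.client.Fault on error."""
    (result,), _ = xmlrpc.client.loads(body.decode("utf-8"))
    return result

def rtorrent_call(method: str, *params, path: str = SOCKET_PATH):
    """Issue one XML-RPC call over the socket; rtorrent closes it after replying."""
    request = build_scgi_request(xmlrpc.client.dumps(params, methodname=method).encode())
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(10)
        sock.connect(path)
        sock.sendall(request)
        chunks = []
        while chunk := sock.recv(65536):
            chunks.append(chunk)
    _, body = parse_scgi_response(b"".join(chunks))
    return decode_xmlrpc(body)

if __name__ == "__main__":
    # Smoke test of a fresh install: version string and number of exposed methods.
    print("rtorrent", rtorrent_call("system.client_version"))
    print(len(rtorrent_call("system.listMethods")), "XML-RPC methods exposed")
```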

Running ot-recorder (OwnTracks) from systemd

# editor /lib/systemd/system/ot-recorder.service

[Unit]
Description=OwnTracks-Recorder
After=network.target

[Service]
EnvironmentFile=/etc/mosquitto/environment
ExecStart=/usr/local/sbin/ot-recorder -H localhost -p 8883 --norec --http-host <localip> --clientid <username> "owntracks/#"
Restart=always
KillMode=process

[Install]
WantedBy=multi-user.target

# editor /etc/mosquitto/environment

OTR_CAFILE="/etc/ca.crt"
OTR_PASS="<Password>"

Zabbix 3.0 under Debian Jessie, with nginx

I wanted to try Zabbix after reading some posts about it being good. I’m starting to get tired of Nagios, and I really don’t like that they don’t have native Debian packages, not even from their own repo.

However, installing Zabbix is not very well documented, and especially not with nginx!
This post is now updated with instructions for Zabbix 3.0.

Here goes, my first draft:
https://www.zabbix.com/documentation/3.0/manual/installation/install_from_packages#debianubuntu

Copy the link for Jessie, then do:

# wget <paste>

# dpkg -i zabbix-release*.deb

# apt-get install zabbix-frontend-php nginx-light php5-fpm zabbix-server-mysql php5-mysql

# mysql_secure_installation

# mysql -u root -p
Create database, then setup user and passwords:
CREATE DATABASE zabbix character set utf8 collate utf8_bin;
CREATE USER 'zabbix'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON zabbix.* TO 'zabbix'@'localhost' IDENTIFIED BY 'password';
QUIT;

Create the tables and stuff in SQL:
# zcat /usr/share/doc/zabbix-server-mysql/create.sql.gz | mysql -uzabbix -p zabbix

Nginx-config:
# cp /etc/nginx/sites-available/default /etc/nginx/sites-available/orig.default
# echo "" > /etc/nginx/sites-enabled/default
# editor /etc/nginx/sites-enabled/default

upstream php-handler {
    server unix:/var/run/php5-fpm.sock;
}

server {
    location / {
        root /usr/share/zabbix;
        index index.php index.html index.htm;
    }
    location ~ \.php$ {
        root /usr/share/zabbix;
        fastcgi_pass php-handler;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name;
        include fastcgi_params;
    }
}

# editor /etc/php5/fpm/php.ini
Search for and replace the values the Zabbix frontend’s setup page prompts for, then restart PHP:
post_max_size = 16M
max_execution_time = 300
max_input_time = 300
date.timezone = Europe/Copenhagen
always_populate_raw_post_data = -1

# systemctl restart php5-fpm
# systemctl restart nginx

Open up tcp/10051 and tcp/80, and connect to tcp/80 using a standard web-browser.
Default username/password is Admin/zabbix.
(that’s a capital A.)

Enjoy and stuff.

Using systemd with Domoticz

I wanted to switch from old sysvinit to systemd, I’m starting to like systemd more and more, and I had some issues with Domoticz segfault’ing on me. (I’m always running latest git, so I can hardly blame them.)

What I had to do follows:

Remove the old sysvinit-scripts:
:~# update-rc.d domoticz remove

Move the old init-script away, just in case.
:~# mv /etc/init.d/domoticz ./domoticzinit

Create the new systemd.service, adjust as needed.

:~# editor /lib/systemd/system/domoticz.service

[Unit]
Description=Domoticz Home Automation
After=network.target

[Service]
ExecStart=/home/domo/domoticz/domoticz -daemon -www 8080 -sslwww 443
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target

Enable the new service

:~# systemctl enable domoticz.service

Reboot to verify, or do what makes you confident that this works as intended.

:~# systemctl status domoticz.service

Rejoice, and delete the old init-script.

:~# rm ./domoticzinit

MotionPie Cam in Domoticz with Motion detection

I wanted to try setting up my Raspberry Pi-camera, and I wanted to integrate it with Domoticz.

I did some manual labor for setting up a dedicated IP-cam from scratch, but after searching around I found MotionPie ( https://github.com/ccrisan/motionPie ).
No point re-inventing the wheel, so I loaded it up according to the installation manual, and got it up network-wise.

The following needs to be configured in Domoticz for the camera to work:
IP Address: <ipaddress>
Port: <default-is-80>
Username: <blank>
Password: <blank>
ImageURL: picture/1/current/

If you create a dummy switch in Domoticz, you can have MotionPie activate that switch using Motion Notifications:
Enable running of commands, and insert the following command:
curl 'http://<IP-to-domoticz>:8080/json.htm?type=command&param=switchlight&idx=<IDX>&switchcmd=On'
Where <IP-to-domoticz> is self-explanatory, and <IDX> is the ID number of the switch.
Don’t forget to edit the switch so it’s a motion sensor, and set a custom off-delay.
MotionPie won’t trigger it “off” for you.

Restore MySQLdump –all-databases to other Debian-install

A backup made with, for example:

:~# /usr/bin/mysqldump --defaults-file=/etc/mysql/debian.cnf --events --all-databases > all.sql

can be restored easily on a new install using these commands:

:~# scp all.sql user@newserver: # To copy the backup to the new server.

On the new server:
:~# mysql -u root -p < all.sql

Exim4 LAN-relay on Debian Jessie with external smarthost

As part of a restructure at home I wanted to set up my router to be able to send email for all the servers on my LAN.
I tested it using Fastmail, but I know this will also work with Gmail. (I used the same setup when I had a gmail-account)

I did it like so:
:~# apt-get install exim4

:~# dpkg-reconfigure exim4-config

“Mail sent by smarthost; no local mail”

“System mail name: Home.Local”

IP-Address to listen on: Type in the LAN-IP of your router, or 0.0.0.0 if it’s entirely on a private/trusted LAN. (for example a standalone raspberry PI.)

“Other destinations for which mail is accepted: <leave blank>”

“Visible Domain name for local users: Home.Local”

IP-address or host name of the outgoing smarthost: This one depends on YOUR smarthost. Fastmail uses “mail.messagingengine.com::587”.

If you are lucky, you will get a prompt for “Domains to relay mail for:” here; if that’s the case, enter “*” and continue, otherwise we have to do something more.

Number-of-DNS-queries minimal, No.

Split configuration into small files, No.

If you were lucky, skip to configuring passwd.client, otherwise:

:~# editor /etc/exim4/update-exim4.conf.conf
Find the line dc_relay_domains='' and put a * between the quotes, so that it reads dc_relay_domains='*'.
Note that Debian’s exim4 accepts mail for every domain in this list from any host that can connect, so the listen address you chose above is what limits who can relay through it.
Save the file, re-run the configuration to verify, then go ahead.

:~# editor /etc/exim4/passwd.client

Add a line in the following format:
<servername>:<username>:<password>

For Fastmail this equals:
mail.messagingengine.com:leetuser@fastmail.com:leethax0rpassword
Save and restart exim using:

:~# systemctl restart exim4.service

Send a test-mail using:

:~# echo "testmail!" | mailx testmail@example.com

It should arrive!

Now for the clients in your LAN, the following should be done:

:~# apt-get install exim4

:~# dpkg-reconfigure exim4-config

“Mail sent by smarthost; no local mail”

“System mail name:” Leave as-is, should contain hostname+domain.

“IP-addresses to listen on for incoming SMTP connections:” Leave to something loopback-ish. (127.0.0.1, ::1)

“Other destinations for which mail is accepted:” Leave as-is.

“Visible domain name for local users:” Leave as-is.

“IP address or host name of the outgoing smarthost:” Enter the hostname/IP of the host created during the first part.

Number-of-DNS-queries minimal, No.

Split configuration into small files, No.

And then send a test-mail using the following command:

:~# echo "Testing mail via relay at <clock>" | mailx receiver@example.com

It can also be a good idea to update the mail-alias on the client.

:~# editor /etc/aliases

Replace the entry after root with a valid (and monitored) email, for example:
root: user+fileserver@example.com

Save the file, and you’re done.

Nginx, Jessie, StartSSL, and the quest for A+

CURRENTLY THIS ONLY GIVES A, NOT A+.
I don’t have time at the moment to fix it.

I like to keep things as secure as I can, and I also have my own webserver running at home.
I’m too cheap to actually pay for my SSL-certificate, so therefore I use StartSSL which offers one for free.
The signup-process is well documented elsewhere, note that they do require a phone number, but I have yet to be called or otherwise contacted by them.

So, without further intro:
:~# mkdir -p /etc/nginx/ssl/csr && cd /etc/nginx/ssl/csr

:~# openssl genrsa -out private.key 4096

Remember that the common name (CN) needs to be the hostname of the website you will use it for.
:~# openssl req -new -key private.key -out request.csr

Go to startssl.com, select the control panel, select authenticate, verify certificate if needed.
If you have verified your domain, go straight to “Certificates Wizard”, otherwise choose “Validations Wizard”, select “Domain Name Validation” and follow the wizard. When done, go back here and select “Certificates Wizard”.

Choose “Web Server SSL/TLS Certificate”, click Continue.

Under “Generate Private Key”, choose Skip, we are going to use the certificate we already created.

:/etc/nginx/ssl/csr# editor request.csr

Mark all the text, from the line containing BEGIN CERTIFICATE REQUEST to the line containing END CERTIFICATE REQUEST.
Paste the output into the field on Startssl-page, and press Continue.

Under “Certificate Request Received”, press Continue.

Under “Add Domains”, select the top domain you want to use with your ssl-certificate.
Note that you can only select domains validated the last 30 days, and that you select the top-domain even if you are going to use a sub-domain, press continue.
On the next screen you input the desired subdomain, you have to enter something.
You can for example input www here, the top-domain will be in the Alternate name anyway, so they will both validate. Press Continue.

Under “Ready Processing Certificate”, verify your settings and press Continue.

If you get an “Additional Check Required!”, it’s just a matter of waiting for an email.

When you get an email, go to your control panel on StartSSL, select “Tool Box” and press “Retrieve Certificate”.
Select the correct Certificate, and double check the expiry date, then press Continue.
Copy everything in the box.

:/etc/nginx/ssl/csr# editor signed.crt

Paste the contents from the box, and save the file.

:/etc/nginx/ssl/csr# wget https://www.startssl.com/certs/ca-sha2.pem
:/etc/nginx/ssl/csr# wget https://www.startssl.com/certs/sub.class1.server.ca.pem
:/etc/nginx/ssl/csr# cat sub.class1.server.ca.pem >> ca-sha2.pem
:/etc/nginx/ssl/csr# cat signed.crt ca-sha2.pem > hostname.crt
:/etc/nginx/ssl/csr# cp hostname.crt ../
:/etc/nginx/ssl/csr# cp private.key ../
:/etc/nginx/ssl/csr# cd ..
:/etc/nginx/ssl# chmod -R 400 csr/
:/etc/nginx/ssl# chmod 400 private.key
:/etc/nginx/ssl# openssl dhparam -out dhparams.pem 4096

That takes care of your certificate, and the generated dhparams protect against the Logjam attack.
But the nginx configuration still needs doing, so here it is:

:/etc/nginx/ssl# editor /etc/nginx/sites-available/default

Make sure the following is configured:

listen 443 ssl spdy;  # Spdy is not mandatory, but it speeds up clients who support it.
server_name hostname;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/hostname.crt;
resolver 208.67.222.222 208.67.220.220 valid=300s;  # OpenDNS DNS IPs; substitute the server's local DNS servers, or simply comment it out to let the server handle it itself. (It's the server that does the requests, not the client.)
resolver_timeout 10s;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_certificate /etc/nginx/ssl/hostname.crt;
ssl_certificate_key /etc/nginx/ssl/private.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 24h;
ssl_buffer_size 1400;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';  # This will sacrifice some old clients, I don't mind.
add_header Strict-Transport-Security max-age=15768000;
add_header X-Content-Type-Options nosniff;

Save the file, test config with:
:/etc/nginx/ssl# nginx -t
And if all is well, restart with:
:/etc/nginx/ssl# service nginx restart (I’m guessing a reload would also do though…)

Now go here and test:
https://www.ssllabs.com/ssltest/

As of 2015-07-08 this gave me A+.
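Before restarting it is worth linting the server block for the settings that actually decide the grade. The checker below is an added example, not from this post; SAMPLE_CONF is a constructed copy of the directives above, and the rules are my reading of the SSL Labs criteria of the time (no SSLv3, TLS 1.2 on, server cipher order, explicit DH params, session tickets off, HSTS of at least six months).

```python
"""Flag nginx TLS settings that cost a grade on the SSL Labs test (added example)."""
import re

# Constructed excerpt of the directives the post asks for, with quotes straightened.
SAMPLE_CONF = """
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';  # sacrifices some old clients
add_header Strict-Transport-Security max-age=15768000;
"""

def parse_directives(text):
    """Yield (name, args) per 'name arg ...;' line; '#' comments and quotes are dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(";"):
            parts = line[:-1].replace("'", "").replace('"', "").split()
            if parts:
                yield parts[0], parts[1:]

def check_tls_config(text):
    """Return a list of findings; an empty list means the block passes every check."""
    directives, headers = {}, {}
    for name, args in parse_directives(text):
        directives[name] = args
        if name == "add_header" and args:
            headers[args[0].lower()] = " ".join(args[1:])
    findings = []
    protos = set(directives.get("ssl_protocols", []))
    if protos & {"SSLv2", "SSLv3"}:
        findings.append("ssl_protocols still allows SSLv2/SSLv3 (POODLE)")
    if "TLSv1.2" not in protos:
        findings.append("ssl_protocols does not include TLSv1.2")
    if directives.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    if "ssl_dhparam" not in directives:
        findings.append("no ssl_dhparam, so nginx's weak default DH group is used (Logjam)")
    if directives.get("ssl_session_tickets") != ["off"]:
        findings.append("ssl_session_tickets on: the ticket key only changes on restart")
    match = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if not match:
        findings.append("no Strict-Transport-Security header (A at most, never A+)")
    elif int(match.group(1)) < 15768000:  # six months, the A+ threshold at the time
        findings.append("HSTS max-age shorter than six months")
    return findings
```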

Sources:
https://www.linode.com/docs/websites/nginx/startssl-wth-latest-nginx-debian-7
https://sethvargo.com/getting-an-a-plus-on-qualys-ssl-labs-tester/
https://scotthelme.co.uk/a-plus-rating-qualys-ssl-test/