From 71283c58c9188b2056642a014289aa6c467dc12e Mon Sep 17 00:00:00 2001 From: dcastelaosua Date: Tue, 22 Feb 2022 05:49:26 +0100 Subject: [PATCH 01/18] set credentials for Munin and Glowroot set credentials for Munin and Glowroot --- setup/configs/glowroot-admin.json | 3 ++- setup/containers/munin_monitor_postsetup | 19 +++++++++++++-- setup/create_containers.sh | 2 +- setup/delete_all.sh | 5 ++++ setup/etc/.credentials.json | 3 +++ setup/parse_config.sh | 2 ++ setup/service/dhis2-create-instance | 6 +++++ setup/service/dhis2-delete-instance | 4 ++++ setup/service/dhis2-setCredential | 30 ++++++++++++++++++++++++ 9 files changed, 70 insertions(+), 4 deletions(-) create mode 100644 setup/etc/.credentials.json create mode 100644 setup/service/dhis2-setCredential diff --git a/setup/configs/glowroot-admin.json b/setup/configs/glowroot-admin.json index 0bd6e9f..920509e 100644 --- a/setup/configs/glowroot-admin.json +++ b/setup/configs/glowroot-admin.json @@ -1,7 +1,8 @@ { "users": [ { - "username": "anonymous", + "username": "admin", + "password": "PASSWORD", "roles": [ "Administrator" ] diff --git a/setup/containers/munin_monitor_postsetup b/setup/containers/munin_monitor_postsetup index b62f9fd..d46d62c 100755 --- a/setup/containers/munin_monitor_postsetup +++ b/setup/containers/munin_monitor_postsetup @@ -1,5 +1,12 @@ source parse_config.sh +#Set Credentials for Munin +dhis2-setCredential munin admin + +MUNIN_PASSWD=$(cat ${CREDENTIALS_FILE} | jq -r '.credentials[] | select(.name=="munin") | .password') +MUNIN_USERNAME==$(cat ${CREDENTIALS_FILE} | jq -r '.credentials[] | select(.name=="munin") | .username') +htpasswd -b -c /tmp/.htpasswd ${MUNIN_USERNAME} ${MUNIN_PASSWD} + if [[ $PROXY == "nginx" ]]; then #if proxy is nginx ; @@ -7,6 +14,8 @@ then # Proxy pass to servlet container location /munin { + auth_basic "Basic Auth"; + auth_basic_user_file "/etc/nginx/.htpasswd"; proxy_pass http://${MUNIN_IP}/munin; proxy_redirect off; proxy_set_header Host \$host; 
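Review bot: `MUNIN_USERNAME==$(...)` in the munin_monitor_postsetup hunk assigns the literal value `=admin` (the second `=` becomes part of the string), so the htpasswd entry is created for a user named `=admin`; the same typo appears as `GLOWROOT_USERNAME==` in the dhis2-create-instance hunk further down. Drop the extra `=`: `MUNIN_USERNAME=$(jq -r '.credentials[] | select(.name=="munin") | .username' "${CREDENTIALS_FILE}")`. `htpasswd -b` also places the clear-text password on the command line, where it is visible to every local user through the process list; where apache2-utils supports it, `printf '%s' "${MUNIN_PASSWD}" | htpasswd -i -c /tmp/.htpasswd "${MUNIN_USERNAME}"` reads it from stdin instead. `/tmp/.htpasswd` is a fixed name in a shared directory; a file from `mktemp` would avoid clobbering whatever is already there.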
@@ -30,7 +39,8 @@ then } EOF lxc file push /tmp/munin.conf proxy/etc/nginx/upstream/munin.conf - rm /tmp/munin.conf + lxc file push /tmp/.htpasswd proxy/etc/nginx/.htpasswd + rm /tmp/munin.conf /tmp/.htpasswd lxc exec proxy -- service nginx reload elif [[ $PROXY == "apache2" ]]; @@ -38,12 +48,17 @@ then #if proxy is apache2 ; cat < /tmp/munin - Require all granted + AuthType Basic + AuthName "Restricted Content" + AuthUserFile /etc/apache2/.htpasswd + Require ${MUNIN_USERNAME} ProxyPass "http://${MUNIN_IP}/munin" ProxyPassReverse "http://${MUNIN_IP}/munin" EOF lxc file push /tmp/munin proxy/etc/apache2/upstream/munin + lxc file push /tmp/.htpasswd proxy/etc/apache2/.htpasswd + rm /tmp/munin /tmp/.htpasswd lxc exec proxy -- service apache2 reload else echo "Error: Proxy type not supported" diff --git a/setup/create_containers.sh b/setup/create_containers.sh index 88b6218..f283ff6 100755 --- a/setup/create_containers.sh +++ b/setup/create_containers.sh @@ -26,7 +26,7 @@ fi ufw allow in on lxdbr0 sudo ufw allow out on lxdbr0 -apt-get -y install unzip auditd jq +apt-get -y install unzip auditd jq apache2-utils # Parse json config file source parse_config.sh diff --git a/setup/delete_all.sh b/setup/delete_all.sh index b438b28..a6bd035 100755 --- a/setup/delete_all.sh +++ b/setup/delete_all.sh @@ -1,5 +1,7 @@ #!/usr/bin/env bash +CREDENTIALS_FILE=/usr/local/etc/dhis/.credentials.json + echo "Are you really sure you want to delete all containers" select yn in "Yes" "No"; do case $yn in @@ -8,6 +10,9 @@ select yn in "Yes" "No"; do esac done +#Remove all credentials +jq 'del(.credentials[])' ${CREDENTIALS_FILE} > ${CREDENTIALS_FILE}.tmp && mv ${CREDENTIALS_FILE}.tmp ${CREDENTIALS_FILE} + for c in $( sudo lxc list --format csv -c n); do echo "Deleting $c" lxc delete --force $c diff --git a/setup/etc/.credentials.json b/setup/etc/.credentials.json new file mode 100644 index 0000000..3566b5b --- /dev/null +++ b/setup/etc/.credentials.json 
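Review bot: `Require ${MUNIN_USERNAME}` in the apache2 branch is not a valid authorization directive — `Require` needs a provider keyword, so it has to be `Require user ${MUNIN_USERNAME}` (or `Require valid-user`); as written the config test behind `service apache2 reload` most likely fails and the previous proxy config stays active. With the `==` typo from the first hunk the value would also be `=admin`. Because `/tmp/.htpasswd` is created before the `if [[ $PROXY == ... ]]` chain, it is left behind on the "Proxy type not supported" path; move the `rm` out of the branches so the file is removed on every exit.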
@@ -0,0 +1,3 @@ +{ + "credentials": [] +} \ No newline at end of file diff --git a/setup/parse_config.sh b/setup/parse_config.sh index 83ab6d1..0ac8054 100755 --- a/setup/parse_config.sh +++ b/setup/parse_config.sh @@ -16,6 +16,8 @@ PROXY_IP=$(echo $CONFIG | jq -r '.containers[] | select(.name=="proxy") | .ip') MUNIN_IP=$(echo $CONFIG | jq -r '.containers[] | select(.name=="monitor") | .ip') ENCDEVICE=$(echo $CONFIG | jq -r .encrypted_device) ENVIRONMENT=$(echo $CONFIG |jq ".environment") +CREDENTIALS_FILE="/usr/local/etc/dhis/.credentials.json" + if [[ ! $ENVIRONMENT == "null" ]]; then ENVVARS=$(echo $ENVIRONMENT | jq -c "to_entries[]") fi diff --git a/setup/service/dhis2-create-instance b/setup/service/dhis2-create-instance index 6910f21..cd022a5 100755 --- a/setup/service/dhis2-create-instance +++ b/setup/service/dhis2-create-instance @@ -11,6 +11,7 @@ PROG=`basename $0` CREATEDB=true TOMCAT_SETUP=/usr/local/etc/dhis/tomcat_setup GLOWROOT_SETUP=/usr/local/etc/dhis/glowroot-admin.json +CREDENTIALS_FILE=/usr/local/etc/dhis/.credentials.json APM=$(cat /usr/local/etc/dhis/containers.json| jq -r .apm) PROXY=$(cat /usr/local/etc/dhis/containers.json| jq -r .proxy) 
@@ -164,11 +165,16 @@ fi if [[ $APM == "glowroot" ]]; then + #Set credentials for glowroot + dhis2-setCredential ${NAME}-glowroot admin + GLOWROOT_PASSWD=$(cat ${CREDENTIALS_FILE} | jq -r --arg name $NAME-glowroot '.credentials[] | select(.name==$name) | .password') + GLOWROOT_USERNAME==$(cat ${CREDENTIALS_FILE} | jq -r --arg name $NAME-glowroot '.credentials[] | select(.name==$name) | .username') sed -r '/glowroot.jar/ s/..(.*)/\1/' /usr/local/etc/dhis/tomcat_default > /tmp/tomcat9 lxc file push /tmp/tomcat9 $NAME/etc/default/tomcat9 lxc exec $NAME -- wget -P /opt https://github.com/glowroot/glowroot/releases/download/v0.13.6/glowroot-0.13.6-dist.zip lxc exec $NAME -- unzip -o /opt/glowroot-0.13.6-dist.zip -d /opt sed "s/XXXX/${NAME}/" $GLOWROOT_SETUP > /tmp/glowroot-admin.json + sed -i "s/PASSWORD/${GLOWROOT_PASSWD}/" /tmp/glowroot-admin.json lxc file push /tmp/glowroot-admin.json $NAME/opt/glowroot/admin.json lxc exec $NAME -- chown -R tomcat.tomcat /opt/ lxc exec $NAME ufw allow proto tcp from $PROXY_IP to any port 4000 diff --git a/setup/service/dhis2-delete-instance b/setup/service/dhis2-delete-instance index 7ba657f..3e146b9 100755 --- a/setup/service/dhis2-delete-instance +++ b/setup/service/dhis2-delete-instance @@ -11,6 +11,7 @@ PROG=`basename $0` APM=$(cat /usr/local/etc/dhis/containers.json| jq -r .apm) PROXY=$(cat /usr/local/etc/dhis/containers.json| jq -r .proxy) +CREDENTIALS_FILE="/usr/local/etc/dhis/.credentials.json" ############################################################### usage() { @@ -66,5 +67,8 @@ lxc delete $NAME lxc exec ${DBCONTAINER} -- dropdb $NAME lxc exec ${DBCONTAINER} -- dropuser $NAME +#Remove glowroot credentials +jq --arg name $NAME-glowroot 'del(.credentials[] | select(.name == $name))' ${CREDENTIALS_FILE} > ${CREDENTIALS_FILE}.tmp && mv ${CREDENTIALS_FILE}.tmp ${CREDENTIALS_FILE} + sudo sed -i "/.* $N$/d" /etc/hosts 
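Review bot: `sed -i "s/PASSWORD/${GLOWROOT_PASSWD}/"` interpolates the generated password into a sed expression; dhis2-setCredential produces it with `openssl rand -base64 12`, whose alphabet includes `/` (the sed delimiter) and `+`/`&`, so roughly one run in five yields a malformed expression or a mangled password. Do the substitution with jq instead, `jq --arg p "$GLOWROOT_PASSWD" '.users[].password=$p' /tmp/glowroot-admin.json > /tmp/glowroot-admin.json.new`, which also avoids interpreting the value. `GLOWROOT_USERNAME==$(...)` carries the extra `=` already noted on the munin hunk, none of the `$NAME`/`$GLOWROOT_PASSWD` expansions are quoted, and the password lands in clear text in admin.json (the `password` vs `passwordHash` key Glowroot expects should be confirmed against its docs). The enclosing `if [[ $APM == "glowroot" ]]` block ends outside the hunk.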
diff --git a/setup/service/dhis2-setCredential b/setup/service/dhis2-setCredential new file mode 100644 index 0000000..be1773c --- /dev/null +++ b/setup/service/dhis2-setCredential @@ -0,0 +1,30 @@ +#!/bin/env bash + +CREDENTIALS_FILE=/usr/local/etc/dhis/.credentials.json +SERVICE=$1 +USERNAME=$2 + +echo "SET ${SERVICE} CREDENTIALS" +echo "==============================" +echo "Do you want to add the password for the user ${USERNAME} in the service ${SERVICE}? (If not, password will be generated randomly)" +select yn in "Yes" "No"; do + case $yn in + Yes ) + echo + echo "Please insert a password:" + read PASSWD + #echo $PASSWD + break;; + No ) + PASSWD=$(openssl rand -base64 12) + #echo "Password: ${PASSWD}" + break;; + esac +done + +#Save credentials +jq --arg service $SERVICE --arg username $USERNAME --arg password $PASSWD '.credentials[.credentials | length] |= . + {"name": $service,"username": $username,"password": $password}' ${CREDENTIALS_FILE} > ${CREDENTIALS_FILE}.tmp && mv ${CREDENTIALS_FILE}.tmp ${CREDENTIALS_FILE} +echo "Credentials saved to ${CREDENTIALS_FILE}" +echo "Service: ${SERVICE}" +echo "Username: ${USERNAME}" +echo "Password: ${PASSWD}" From fab52bf80bff58d057ed479b12f62a9e484cf881 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 22 Feb 2022 04:52:10 +0000 Subject: [PATCH 02/18] set credentials for Munin and Glowroot --- setup/service/dhis2-setCredential | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 setup/service/dhis2-setCredential diff --git a/setup/service/dhis2-setCredential b/setup/service/dhis2-setCredential old mode 100644 new mode 100755 From ff16a136d77a2bda7f620f0a0e8d678ae2098e8a Mon Sep 17 00:00:00 2001 From: root Date: Tue, 22 Feb 2022 05:09:32 +0000 Subject: [PATCH 03/18] set credentials for Munin and Glowroot --- setup/configs/containers.json | 29 +++++++++++++++++++++++++++++ setup/install_scripts.sh | 3 +++ 2 files changed, 32 insertions(+) create mode 100755 setup/configs/containers.json 
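Review bot: `read PASSWD` in the new dhis2-setCredential echoes the typed password to the terminal and interprets backslashes; use `read -rs PASSWD` (and `echo` a newline afterwards). The password is then stored in clear text in `${CREDENTIALS_FILE}` and printed again with `echo "Password: ${PASSWD}"`, so it ends up in scrollback and any captured session log; the file is written with the caller's umask and nothing restricts it, so at minimum add `chmod 600 "${CREDENTIALS_FILE}"` after the `mv`. `#!/bin/env bash` does not exist on systems without merged `/usr`; the portable form is `#!/usr/bin/env bash`. If the user ends the `select` with EOF, `PASSWD` is never set and `--arg password $PASSWD` makes jq fail with a missing argument.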
diff --git a/setup/configs/containers.json b/setup/configs/containers.json new file mode 100755 index 0000000..9057cc9 --- /dev/null +++ b/setup/configs/containers.json @@ -0,0 +1,29 @@ +{ + "fqdn":"dhis2tools.solidlines.io", + "email": "daniel.castelao@solidlines.io", + "environment": { + "TZ": "Africa/Accra" + }, + "network": "192.168.0.1/24", + "monitoring": "munin", + "apm": "glowroot", + "proxy": "nginx", + "containers": [ + { + "name": "proxy", + "ip": "192.168.0.2", + "type": "nginx_proxy" + }, + { + "name": "postgres", + "ip": "192.168.0.20", + "type": "postgres" + }, + { + "name": "monitor", + "ip": "192.168.0.30", + "type": "munin_monitor" + } + ] +} + diff --git a/setup/install_scripts.sh b/setup/install_scripts.sh index d7c5d82..07e8e8d 100755 --- a/setup/install_scripts.sh +++ b/setup/install_scripts.sh @@ -31,6 +31,9 @@ for FILE in $(find etc/*); do fi done +# copy credentials file +cp etc/.credentials.json /usr/local/etc/dhis/ + # copy glowroot-admin.json to /usr/local/etc/dhis/ if [ -f configs/glowroot-admin.json ]; then From 4dc31b03e3b5f65df56b2fe933828d70a67d3785 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 22 Feb 2022 05:10:33 +0000 Subject: [PATCH 04/18] set credentials for Munin and Glowroot --- setup/configs/containers.json | 29 ----------------------------- 1 file changed, 29 deletions(-) delete mode 100755 setup/configs/containers.json diff --git a/setup/configs/containers.json b/setup/configs/containers.json deleted file mode 100755 index 9057cc9..0000000 --- a/setup/configs/containers.json +++ /dev/null 
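Review bot: `cp etc/.credentials.json /usr/local/etc/dhis/` in install_scripts.sh unconditionally overwrites the installed file with the empty template, so re-running the installer discards every credential stored by dhis2-setCredential while the services keep the old passwords. Guard it, `[ -f /usr/local/etc/dhis/.credentials.json ] || cp etc/.credentials.json /usr/local/etc/dhis/`, and since the file will hold clear-text passwords set its mode here rather than inheriting the checkout's: `chmod 600 /usr/local/etc/dhis/.credentials.json`. The `for FILE in $(find etc/*)` loop above is context; from what is visible I cannot tell whether it already handles dotfiles.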
@@ -1,29 +0,0 @@ -{ - "fqdn":"dhis2tools.solidlines.io", - "email": "daniel.castelao@solidlines.io", - "environment": { - "TZ": "Africa/Accra" - }, - "network": "192.168.0.1/24", - "monitoring": "munin", - "apm": "glowroot", - "proxy": "nginx", - "containers": [ - { - "name": "proxy", - "ip": "192.168.0.2", - "type": "nginx_proxy" - }, - { - "name": "postgres", - "ip": "192.168.0.20", - "type": "postgres" - }, - { - "name": "monitor", - "ip": "192.168.0.30", - "type": "munin_monitor" - } - ] -} - From 7f643fb158ff01f9ba652bbe8ea1f9f099f91836 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 22 Feb 2022 12:47:51 +0000 Subject: [PATCH 05/18] set credentials for Munin and Glowroot --- setup/configs/glowroot-admin.json | 2 +- setup/containers/munin_monitor | 3 ++- setup/containers/munin_monitor_postsetup | 30 ++++++++++++------------ setup/service/dhis2-create-instance | 10 +++++--- setup/service/dhis2-setCredential | 1 + 5 files changed, 26 insertions(+), 20 deletions(-) diff --git a/setup/configs/glowroot-admin.json b/setup/configs/glowroot-admin.json index 920509e..c331498 100644 --- a/setup/configs/glowroot-admin.json +++ b/setup/configs/glowroot-admin.json @@ -2,7 +2,7 @@ "users": [ { "username": "admin", - "password": "PASSWORD", + "passwordHash": "PASSWORD", "roles": [ "Administrator" ] diff --git a/setup/containers/munin_monitor b/setup/containers/munin_monitor index 0f13c8f..75e65d4 100755 --- a/setup/containers/munin_monitor +++ b/setup/containers/munin_monitor @@ -34,7 +34,8 @@ fi sed -i '/tmpldir/s/^#//' $MUNINCONF # Fix up Apache2 - perl -pi -e "s|Require local|Require all granted|sig" $MUNINA2CONF + #perl -pi -e "s|Require local|Require all granted|sig" $MUNINA2CONF + perl -pi -e "s|Require local|AuthUserFile /etc/munin/.htpasswd\n Authtype Basic\n AuthName \"Munin\"\n Require valid-user\n Options FollowSymLinks SymLinksIfOwnerMatch|sig" $MUNINA2CONF ln -s $MUNINA2CONF /etc/apache2/conf-available/munin.conf > /dev/null 2>&1 a2enconf munin.conf 
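Review bot: the munin_monitor hunk keeps the old `perl -pi -e "s|Require local|Require all granted|sig"` line as a comment; remove it rather than leave dead code next to its replacement. The new directives point at `/etc/munin/.htpasswd`, which nothing in this script creates — until a later step pushes it, every request to Munin is answered with a 500 because mod_authn_file cannot open the password file, so the container is effectively closed rather than open in the meantime; a comment saying so, `# .htpasswd is pushed by munin_monitor_postsetup / dhis2-set-credential`, would help the next reader. The `g` flag rewrites every `Require local` in the file, which looks intended for the cgi locations too but is worth confirming.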
diff --git a/setup/containers/munin_monitor_postsetup b/setup/containers/munin_monitor_postsetup index d46d62c..d1283ad 100755 --- a/setup/containers/munin_monitor_postsetup +++ b/setup/containers/munin_monitor_postsetup @@ -1,11 +1,18 @@ source parse_config.sh -#Set Credentials for Munin -dhis2-setCredential munin admin +if [[ $(cat ${CREDENTIALS_FILE} | jq -r '.credentials[] | select(.name=="munin")') == "" ]]; +then + #Set Credentials for Munin if does not exist + dhis2-setCredential munin admin -MUNIN_PASSWD=$(cat ${CREDENTIALS_FILE} | jq -r '.credentials[] | select(.name=="munin") | .password') -MUNIN_USERNAME==$(cat ${CREDENTIALS_FILE} | jq -r '.credentials[] | select(.name=="munin") | .username') -htpasswd -b -c /tmp/.htpasswd ${MUNIN_USERNAME} ${MUNIN_PASSWD} + MUNIN_PASSWD=$(cat ${CREDENTIALS_FILE} | jq -r '.credentials[] | select(.name=="munin") | .password') + MUNIN_USERNAME=$(cat ${CREDENTIALS_FILE} | jq -r '.credentials[] | select(.name=="munin") | .username') + htpasswd -b -c /tmp/.htpasswd ${MUNIN_USERNAME} ${MUNIN_PASSWD} + lxc file push /tmp/.htpasswd monitor/etc/munin/.htpasswd + lxc exec monitor -- chmod 644 /etc/munin/.htpasswd + lxc exec monitor -- service apache2 restart + rm /tmp/.htpasswd +fi if [[ $PROXY == "nginx" ]]; then @@ -14,8 +21,6 @@ then # Proxy pass to servlet container location /munin { - auth_basic "Basic Auth"; - auth_basic_user_file "/etc/nginx/.htpasswd"; proxy_pass http://${MUNIN_IP}/munin; proxy_redirect off; proxy_set_header Host \$host; @@ -39,8 +44,7 @@ then } EOF lxc file push /tmp/munin.conf proxy/etc/nginx/upstream/munin.conf - lxc file push /tmp/.htpasswd proxy/etc/nginx/.htpasswd - rm /tmp/munin.conf /tmp/.htpasswd + rm /tmp/munin.conf lxc exec proxy -- service nginx reload elif [[ $PROXY == "apache2" ]]; 
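Review bot: `lxc exec monitor -- chmod 644 /etc/munin/.htpasswd` makes the password-hash file readable by every account in the monitor container; `chmod 640` plus group ownership by the Apache group (www-data on Debian-derived images — confirm for this container) is all mod_authn_file needs. The `htpasswd -b` call still exposes the password in the host's process list; `-i` from stdin avoids that. Because the whole block is skipped once a `munin` entry exists in `${CREDENTIALS_FILE}`, re-running postsetup after the monitor container is rebuilt without delete_all.sh never restores `/etc/munin/.htpasswd`; checking for the file inside the container instead of the credentials entry would cover that case.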
@@ -48,20 +52,16 @@ then #if proxy is apache2 ; cat < /tmp/munin - AuthType Basic - AuthName "Restricted Content" - AuthUserFile /etc/apache2/.htpasswd - Require ${MUNIN_USERNAME} ProxyPass "http://${MUNIN_IP}/munin" ProxyPassReverse "http://${MUNIN_IP}/munin" EOF lxc file push /tmp/munin proxy/etc/apache2/upstream/munin - lxc file push /tmp/.htpasswd proxy/etc/apache2/.htpasswd - rm /tmp/munin /tmp/.htpasswd + rm /tmp/munin lxc exec proxy -- service apache2 reload else echo "Error: Proxy type not supported" exit 1 fi + diff --git a/setup/service/dhis2-create-instance b/setup/service/dhis2-create-instance index cd022a5..568464d 100755 --- a/setup/service/dhis2-create-instance +++ b/setup/service/dhis2-create-instance 
@@ -173,14 +173,18 @@ then lxc file push /tmp/tomcat9 $NAME/etc/default/tomcat9 lxc exec $NAME -- wget -P /opt https://github.com/glowroot/glowroot/releases/download/v0.13.6/glowroot-0.13.6-dist.zip lxc exec $NAME -- unzip -o /opt/glowroot-0.13.6-dist.zip -d /opt - sed "s/XXXX/${NAME}/" $GLOWROOT_SETUP > /tmp/glowroot-admin.json - sed -i "s/PASSWORD/${GLOWROOT_PASSWD}/" /tmp/glowroot-admin.json + #Encrypt glowroot password + wget -P /tmp https://github.com/glowroot/glowroot/releases/download/v0.13.6/glowroot-central-0.13.6-dist.zip + unzip -o /tmp/glowroot-central-0.13.6-dist.zip -d /tmp + GLOWROOT_PASSWD_ENC=$(java -jar /tmp/glowroot-central/glowroot-central.jar hash-password $GLOWROOT_PASSWD) + jq --arg context /${NAME}-glowroot '.web.contextPath=$context' $GLOWROOT_SETUP > /tmp/glowroot-admin.json.tmp + jq --arg passwordHash $GLOWROOT_PASSWD_ENC '.users[].passwordHash=$passwordHash' /tmp/glowroot-admin.json.tmp > /tmp/glowroot-admin.json lxc file push /tmp/glowroot-admin.json $NAME/opt/glowroot/admin.json lxc exec $NAME -- chown -R tomcat.tomcat /opt/ lxc exec $NAME ufw allow proto tcp from $PROXY_IP to any port 4000 rm /tmp/tomcat9 - rm /tmp/glowroot-admin.json + rm -rf /tmp/glowroot* else lxc file push /usr/local/etc/dhis/tomcat_default $NAME/etc/default/tomcat9 fi diff --git a/setup/service/dhis2-setCredential b/setup/service/dhis2-setCredential index be1773c..ef531b6 100755 --- a/setup/service/dhis2-setCredential +++ b/setup/service/dhis2-setCredential @@ -28,3 +28,4 @@ echo "Credentials saved to ${CREDENTIALS_FILE}" echo "Service: ${SERVICE}" echo "Username: ${USERNAME}" echo "Password: ${PASSWD}" +sleep 15 From 1cbd7005d0950b2edfd7b215a4a608cdedebf198 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 22 Feb 2022 13:49:40 +0000 Subject: [PATCH 06/18] fixed issue when deploying a war file with option f --- setup/service/dhis2-deploy-war | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
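Review bot: the glowroot-central zip is downloaded and its jar executed on the host with no integrity check; pin the release digest next to the version and verify before `unzip`, e.g. `echo "<EXPECTED_SHA256>  /tmp/glowroot-central-0.13.6-dist.zip" | sha256sum -c -` (placeholder — take the value from the upstream release). `java -jar ... hash-password $GLOWROOT_PASSWD` passes the clear-text password as an argument, visible in the process list while the JVM runs; I cannot see from the hunk whether the tool accepts it on stdin, so at least quote it. `rm -rf /tmp/glowroot*` is a glob over a shared directory and removes anything else under that prefix; unpack into a `mktemp -d` directory and delete only that. `$GLOWROOT_PASSWD_ENC` passed to `jq --arg` is also unquoted.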
diff --git a/setup/service/dhis2-deploy-war b/setup/service/dhis2-deploy-war index 88ae7ac..248d6f9 100755 --- a/setup/service/dhis2-deploy-war +++ b/setup/service/dhis2-deploy-war @@ -21,7 +21,7 @@ usage() { echo " -h, --help Display this help message" } -while getopts :l:fh opt; +while getopts :l:f:h opt; do case $opt in f) From 2e80cccc036db183816b41d9a688f5b5fb0354a2 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 2 Mar 2022 13:00:43 +0000 Subject: [PATCH 07/18] dhis2-set-credential service --- setup/configs/opt | 29 ++++++++ setup/containers/munin_monitor_postsetup | 14 +--- setup/service/dhis2-create-instance | 18 +---- setup/service/dhis2-deploy-war | 4 +- setup/service/dhis2-set-credential | 95 ++++++++++++++++++++++++ setup/service/dhis2-setCredential | 31 -------- 6 files changed, 133 insertions(+), 58 deletions(-) create mode 100755 setup/configs/opt create mode 100755 setup/service/dhis2-set-credential delete mode 100755 setup/service/dhis2-setCredential diff --git a/setup/configs/opt b/setup/configs/opt new file mode 100755 index 0000000..8a7853e --- /dev/null +++ b/setup/configs/opt @@ -0,0 +1,29 @@ +{ + "fqdn":"dhis2tools.solidlines.io", + "email": "daniel.castelao@solidlines.io", + "environment": { + "TZ": "Africa/Accra" + }, + "network": "192.168.0.1/24", + "monitoring": "munin", + "apm": "glowroot", + "proxy": "apache2", + "containers": [ + { + "name": "proxy", + "ip": "192.168.0.2", + "type": "apache_proxy" + }, + { + "name": "postgres", + "ip": "192.168.0.20", + "type": "postgres" + }, + { + "name": "monitor", + "ip": "192.168.0.30", + "type": "munin_monitor" + } + ] +} + diff --git a/setup/containers/munin_monitor_postsetup b/setup/containers/munin_monitor_postsetup index d1283ad..9266867 100755 --- a/setup/containers/munin_monitor_postsetup +++ b/setup/containers/munin_monitor_postsetup 
@@ -1,17 +1,9 @@ source parse_config.sh -if [[ $(cat ${CREDENTIALS_FILE} | jq -r '.credentials[] | select(.name=="munin")') == "" ]]; +# Check if monitor container already exists +if [[ ! $(lxc list -c n -f csv | grep 'monitor') ]]; then - #Set Credentials for Munin if does not exist - dhis2-setCredential munin admin - - MUNIN_PASSWD=$(cat ${CREDENTIALS_FILE} | jq -r '.credentials[] | select(.name=="munin") | .password') - MUNIN_USERNAME=$(cat ${CREDENTIALS_FILE} | jq -r '.credentials[] | select(.name=="munin") | .username') - htpasswd -b -c /tmp/.htpasswd ${MUNIN_USERNAME} ${MUNIN_PASSWD} - lxc file push /tmp/.htpasswd monitor/etc/munin/.htpasswd - lxc exec monitor -- chmod 644 /etc/munin/.htpasswd - lxc exec monitor -- service apache2 restart - rm /tmp/.htpasswd + dhis2-set-credential monitor fi if [[ $PROXY == "nginx" ]]; diff --git a/setup/service/dhis2-create-instance b/setup/service/dhis2-create-instance index 568464d..3e2cc38 100755 --- a/setup/service/dhis2-create-instance +++ b/setup/service/dhis2-create-instance @@ -10,8 +10,6 @@ PROG=`basename $0` CREATEDB=true TOMCAT_SETUP=/usr/local/etc/dhis/tomcat_setup -GLOWROOT_SETUP=/usr/local/etc/dhis/glowroot-admin.json -CREDENTIALS_FILE=/usr/local/etc/dhis/.credentials.json APM=$(cat /usr/local/etc/dhis/containers.json| jq -r .apm) PROXY=$(cat /usr/local/etc/dhis/containers.json| jq -r .proxy) 
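Review bot: `if [[ ! $(lxc list -c n -f csv | grep 'monitor') ]]` runs `dhis2-set-credential monitor` only when no container name contains `monitor`, the opposite of the comment above it, and dhis2-set-credential itself pushes the htpasswd into the `monitor` container, so on that path it can only fail. If the intent is "set credentials once the container is up", drop the `!`; if it is "only on first creation", the signal has to be something else, such as the presence of `/etc/munin/.htpasswd` inside the container. `grep 'monitor'` is a substring match as well — an instance named `monitoring-test` satisfies it — so use `grep -qx monitor`.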
@@ -165,26 +163,18 @@ fi if [[ $APM == "glowroot" ]]; then - #Set credentials for glowroot - dhis2-setCredential ${NAME}-glowroot admin - GLOWROOT_PASSWD=$(cat ${CREDENTIALS_FILE} | jq -r --arg name $NAME-glowroot '.credentials[] | select(.name==$name) | .password') - GLOWROOT_USERNAME==$(cat ${CREDENTIALS_FILE} | jq -r --arg name $NAME-glowroot '.credentials[] | select(.name==$name) | .username') sed -r '/glowroot.jar/ s/..(.*)/\1/' /usr/local/etc/dhis/tomcat_default > /tmp/tomcat9 lxc file push /tmp/tomcat9 $NAME/etc/default/tomcat9 lxc exec $NAME -- wget -P /opt https://github.com/glowroot/glowroot/releases/download/v0.13.6/glowroot-0.13.6-dist.zip lxc exec $NAME -- unzip -o /opt/glowroot-0.13.6-dist.zip -d /opt - #Encrypt glowroot password - wget -P /tmp https://github.com/glowroot/glowroot/releases/download/v0.13.6/glowroot-central-0.13.6-dist.zip - unzip -o /tmp/glowroot-central-0.13.6-dist.zip -d /tmp - GLOWROOT_PASSWD_ENC=$(java -jar /tmp/glowroot-central/glowroot-central.jar hash-password $GLOWROOT_PASSWD) - jq --arg context /${NAME}-glowroot '.web.contextPath=$context' $GLOWROOT_SETUP > /tmp/glowroot-admin.json.tmp - jq --arg passwordHash $GLOWROOT_PASSWD_ENC '.users[].passwordHash=$passwordHash' /tmp/glowroot-admin.json.tmp > /tmp/glowroot-admin.json - lxc file push /tmp/glowroot-admin.json $NAME/opt/glowroot/admin.json lxc exec $NAME -- chown -R tomcat.tomcat /opt/ + + #Set credentials for glowroot + dhis2-set-credential ${NAME} + lxc exec $NAME ufw allow proto tcp from $PROXY_IP to any port 4000 rm /tmp/tomcat9 - rm -rf /tmp/glowroot* else lxc file push /usr/local/etc/dhis/tomcat_default $NAME/etc/default/tomcat9 fi diff --git a/setup/service/dhis2-deploy-war b/setup/service/dhis2-deploy-war index 248d6f9..0f614ba 100755 --- a/setup/service/dhis2-deploy-war +++ b/setup/service/dhis2-deploy-war 
@@ -52,8 +52,8 @@ fi INSTANCE=$1 # download war file if we don't have it -test -f $TEMPWAR || wget -O $TEMPWAR $SOURCE || exit 1 -unzip -t -q $TEMPWAR || { echo "Corrupt war file: $TEMPWAR"; exit 1; } +test -f $TEMPWAR || wget -O $TEMPWAR $SOURCE || { rm $TEMPWAR; exit 1; } +unzip -t -q $TEMPWAR || { echo "Corrupt war file: $TEMPWAR"; rm $TEMPWAR; exit 1; } lxc exec $1 -- service tomcat9 stop # give it a chance to shutdown diff --git a/setup/service/dhis2-set-credential b/setup/service/dhis2-set-credential new file mode 100755 index 0000000..9c2dd93 --- /dev/null +++ b/setup/service/dhis2-set-credential 
@@ -0,0 +1,95 @@ +#!/bin/env bash + +SERVICE=$1 +PARENT=$(ps -o command= -p "$PPID" | awk '{print $2}') +VALID_SERVICES=$(lxc list -c n -f csv | grep -v 'postgres\|proxy' | tr '\n' ' ') + +# Help text for this script +function usage { + echo "Set credential for munin or glowroot" + echo + echo "usage: dhis2-set-credential " + echo " Valid services are: ${VALID_SERVICES}" + echo +} + +# Check Service +if [[ $SERVICE == "" ]]; +then + usage + exit 1 +fi + +SERVICES=$(lxc list -c n -f csv) +IS_VALID_SERVICE=$(echo ${SERVICES} | grep ${SERVICE}) + +if [[ $IS_VALID_SERVICE == "" ]]; +then + echo "[ERROR] Service ${SERVICE} not found!" + echo "Valid services are: ${VALID_SERVICES}" + exit 1 +else + echo "[INFO] Service ${SERVICE} found" + echo "SET ${SERVICE} CREDENTIALS" + echo "==============================" + echo "Do you want to add the password manually for the user admin in the service ${SERVICE}? (If not, password will be generated randomly)" + select yn in "Yes" "No"; do + case $yn in + Yes ) + echo + echo "Please insert a password:" + read PASSWD + break;; + No ) + PASSWD=$(openssl rand -hex 12) + break;; + esac + done + + if [[ $SERVICE == "monitor" ]]; + then + htpasswd -b -c /tmp/.htpasswd admin ${PASSWD} + lxc file push /tmp/.htpasswd monitor/etc/munin/.htpasswd + lxc exec monitor -- chmod 644 /etc/munin/.htpasswd + lxc exec monitor -- service apache2 restart + rm /tmp/.htpasswd + echo "Credentials have been set" + echo "=========================" + echo "Service: monitor (munin)" + echo "Username: admin" + echo "Password: ${PASSWD}" + else + echo "Instance ${SERVICE} will be restarted. Are you sure do you want to continue?" 
+ select yn in "Yes" "No"; do + case $yn in + Yes ) + break;; + No ) + exit 1;; + esac + done + #Hash glowroot password + GLOWROOT_SETUP=/usr/local/etc/dhis/glowroot-admin.json + wget -P /tmp https://github.com/glowroot/glowroot/releases/download/v0.13.6/glowroot-central-0.13.6-dist.zip + unzip -q -o /tmp/glowroot-central-0.13.6-dist.zip -d /tmp + GLOWROOT_PASSWD_ENC=$(java -jar /tmp/glowroot-central/glowroot-central.jar hash-password $PASSWD) + jq --arg context /${SERVICE}-glowroot '.web.contextPath=$context' $GLOWROOT_SETUP > /tmp/glowroot-admin.json.tmp + jq --arg passwordHash $GLOWROOT_PASSWD_ENC '.users[].passwordHash=$passwordHash' /tmp/glowroot-admin.json.tmp > /tmp/glowroot-admin.json + lxc file push /tmp/glowroot-admin.json $SERVICE/opt/glowroot/admin.json + lxc exec $SERVICE -- chown -R tomcat.tomcat /opt/ + rm -rf /tmp/glowroot-central* /tmp/glowroot-admin.json* + + # Check if user wants to set credential + if [[ $PARENT == "" ]]; + then + lxc exec $SERVICE -- service tomcat9 restart + fi + echo "Credentials have been set:" + echo "=========================" + echo "Instance: ${SERVICE}" + echo "Service: ${SERVICE}-glowroot" + echo "Username: admin" + echo "Password: ${PASSWD}" + fi +fi + diff --git a/setup/service/dhis2-setCredential b/setup/service/dhis2-setCredential deleted file mode 100755 index ef531b6..0000000 --- a/setup/service/dhis2-setCredential +++ /dev/null 
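Review bot: the validity check `IS_VALID_SERVICE=$(echo ${SERVICES} | grep ${SERVICE})` tests against the unfiltered container list and as an unanchored regex, so `dhis2-set-credential proxy` (or `postgres`, or a partial name such as `hm`) passes and falls through to the glowroot branch, which pushes an admin.json into that container, runs `chown -R tomcat.tomcat /opt/` there and may restart tomcat9. Match exactly against the filtered list: `lxc list -c n -f csv | grep -v 'postgres\|proxy' | grep -qx -- "$SERVICE" || { echo "[ERROR] Service ${SERVICE} not found!"; exit 1; }`. As in the earlier hunks, `read PASSWD` should be `read -rs`, `chmod 644 /etc/munin/.htpasswd` is wider than needed, the glowroot-central jar is downloaded and run unverified, and `$PASSWD` reaches `hash-password` on the command line. Detecting the caller through `ps -o command= -p "$PPID" | awk '{print $2}'` depends on how the parent was invoked; an explicit option such as `--no-restart` passed by dhis2-create-instance would be robust.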
@@ -1,31 +0,0 @@ -#!/bin/env bash - -CREDENTIALS_FILE=/usr/local/etc/dhis/.credentials.json -SERVICE=$1 -USERNAME=$2 - -echo "SET ${SERVICE} CREDENTIALS" -echo "==============================" -echo "Do you want to add the password for the user ${USERNAME} in the service ${SERVICE}? (If not, password will be generated randomly)" -select yn in "Yes" "No"; do - case $yn in - Yes ) - echo - echo "Please insert a password:" - read PASSWD - #echo $PASSWD - break;; - No ) - PASSWD=$(openssl rand -base64 12) - #echo "Password: ${PASSWD}" - break;; - esac -done - -#Save credentials -jq --arg service $SERVICE --arg username $USERNAME --arg password $PASSWD '.credentials[.credentials | length] |= . + {"name": $service,"username": $username,"password": $password}' ${CREDENTIALS_FILE} > ${CREDENTIALS_FILE}.tmp && mv ${CREDENTIALS_FILE}.tmp ${CREDENTIALS_FILE} -echo "Credentials saved to ${CREDENTIALS_FILE}" -echo "Service: ${SERVICE}" -echo "Username: ${USERNAME}" -echo "Password: ${PASSWD}" -sleep 15 From 150435c4985526541b86f7f7ca8778099e6ec498 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 2 Mar 2022 13:01:43 +0000 Subject: [PATCH 08/18] dhis2-set-credential service --- setup/configs/opt | 29 ----------------------------- 1 file changed, 29 deletions(-) delete mode 100755 setup/configs/opt diff --git a/setup/configs/opt b/setup/configs/opt deleted file mode 100755 index 8a7853e..0000000 --- a/setup/configs/opt +++ /dev/null @@ -1,29 +0,0 @@ -{ - "fqdn":"dhis2tools.solidlines.io", - "email": "daniel.castelao@solidlines.io", - "environment": { - "TZ": "Africa/Accra" - }, - "network": "192.168.0.1/24", - "monitoring": "munin", - "apm": "glowroot", - "proxy": "apache2", - "containers": [ - { - "name": "proxy", - "ip": "192.168.0.2", - "type": "apache_proxy" - }, - { - "name": "postgres", - "ip": "192.168.0.20", - "type": "postgres" - }, - { - "name": "monitor", - "ip": "192.168.0.30", - "type": "munin_monitor" - } - ] -} - 
From 01b18e69feee64c3cb32ac8ec392cc90558121cd Mon Sep 17 00:00:00 2001 From: root Date: Wed, 2 Mar 2022 17:30:08 +0000 Subject: [PATCH 09/18] dhis2-set-credential service --- setup/service/dhis2-create-instance | 2 ++ setup/service/dhis2-set-credential | 33 +++++++++++++++++------------ 2 files changed, 21 insertions(+), 14 deletions(-) diff --git a/setup/service/dhis2-create-instance b/setup/service/dhis2-create-instance index 3e2cc38..aca7d30 100755 --- a/setup/service/dhis2-create-instance +++ b/setup/service/dhis2-create-instance @@ -10,6 +10,7 @@ PROG=`basename $0` CREATEDB=true TOMCAT_SETUP=/usr/local/etc/dhis/tomcat_setup +GLOWROOT_SETUP=/usr/local/etc/dhis/glowroot-admin.json APM=$(cat /usr/local/etc/dhis/containers.json| jq -r .apm) PROXY=$(cat /usr/local/etc/dhis/containers.json| jq -r .proxy) @@ -167,6 +168,7 @@ then lxc file push /tmp/tomcat9 $NAME/etc/default/tomcat9 lxc exec $NAME -- wget -P /opt https://github.com/glowroot/glowroot/releases/download/v0.13.6/glowroot-0.13.6-dist.zip lxc exec $NAME -- unzip -o /opt/glowroot-0.13.6-dist.zip -d /opt + lxc file push $GLOWROOT_SETUP $NAME/opt/glowroot/admin.json lxc exec $NAME -- chown -R tomcat.tomcat /opt/ #Set credentials for glowroot diff --git a/setup/service/dhis2-set-credential b/setup/service/dhis2-set-credential index 9c2dd93..bc5ec27 100755 --- a/setup/service/dhis2-set-credential +++ b/setup/service/dhis2-set-credential 
@@ -59,25 +59,30 @@ else echo "Username: admin" echo "Password: ${PASSWD}" else - echo "Instance ${SERVICE} will be restarted. Are you sure do you want to continue?" - select yn in "Yes" "No"; do - case $yn in - Yes ) - break;; - No ) - exit 1;; - esac - done + # Check if user wants to set credential + if [[ $PARENT == "" ]]; + then + echo "Instance ${SERVICE} will be restarted. Are you sure do you want to continue?" + select yn in "Yes" "No"; do + case $yn in + Yes ) + break;; + No ) + exit 1;; + esac + done + fi + #Hash glowroot password - GLOWROOT_SETUP=/usr/local/etc/dhis/glowroot-admin.json wget -P /tmp https://github.com/glowroot/glowroot/releases/download/v0.13.6/glowroot-central-0.13.6-dist.zip unzip -q -o /tmp/glowroot-central-0.13.6-dist.zip -d /tmp + lxc file pull $SERVICE/opt/glowroot/admin.json /tmp/admin.json GLOWROOT_PASSWD_ENC=$(java -jar /tmp/glowroot-central/glowroot-central.jar hash-password $PASSWD) - jq --arg context /${SERVICE}-glowroot '.web.contextPath=$context' $GLOWROOT_SETUP > /tmp/glowroot-admin.json.tmp - jq --arg passwordHash $GLOWROOT_PASSWD_ENC '.users[].passwordHash=$passwordHash' /tmp/glowroot-admin.json.tmp > /tmp/glowroot-admin.json - lxc file push /tmp/glowroot-admin.json $SERVICE/opt/glowroot/admin.json + jq --arg context /${SERVICE}-glowroot '.web.contextPath=$context' /tmp/admin.json > /tmp/admin.json.tmp + jq --arg passwordHash $GLOWROOT_PASSWD_ENC '.users |= map(if .username=="admin" then .passwordHash=$passwordHash else . end)' /tmp/admin.json.tmp > /tmp/admin.json + lxc file push /tmp/admin.json $SERVICE/opt/glowroot/admin.json lxc exec $SERVICE -- chown -R tomcat.tomcat /opt/ - rm -rf /tmp/glowroot-central* /tmp/glowroot-admin.json* + rm -rf /tmp/glowroot-central* /tmp/admin.json* # Check if user wants to set credential if [[ $PARENT == "" ]]; From 368b982734d4ae4fe6daf29baee1332fa1513890 Mon Sep 17 00:00:00 2001 
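Review bot: `lxc file pull $SERVICE/opt/glowroot/admin.json /tmp/admin.json` and the two jq rewrites use fixed names in the shared `/tmp`, created with the caller's umask, so the file carrying the new password hash is readable by other local users until `rm -rf /tmp/admin.json*` runs, and any pre-existing `/tmp/admin.json` is overwritten and then deleted. Create one private work directory, `WORK=$(mktemp -d)` with `trap 'rm -rf -- "$WORK"' EXIT`, and use `$WORK/admin.json` for the pull, the jq output and the push; the glowroot-central unpack can live there too. `jq --arg passwordHash $GLOWROOT_PASSWD_ENC` is unquoted and the hash format is not visible here, so quote it. The `if [[ $PARENT == "" ]]` that follows continues past the hunk.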
From: root Date: Thu, 3 Mar 2022 18:35:03 +0000 Subject: [PATCH 10/18] dhis2-set-credential --- docs/dhis2-set-credential.md | 56 ++++++++++++++++++++++++++++++ setup/service/dhis2-set-credential | 2 ++ 2 files changed, 58 insertions(+) create mode 100755 docs/dhis2-set-credential.md diff --git a/docs/dhis2-set-credential.md b/docs/dhis2-set-credential.md new file mode 100755 index 0000000..1630622 --- /dev/null +++ b/docs/dhis2-set-credential.md 
@@ -0,0 +1,56 @@ +#dhis2-set-credential +Security of the servers and services is a priority. We need to set username and password credentials for the munin monitoring service and the Glowroot APM tool on each instance we have created to prevent unwanted users from accessing sensitive or critical data. +Credentials will be set once we install the monitor container or a DHIS2 instance with Glowroot APM or can be reset by the user later. + +##Automatic execution +The dhis2-set-credential service will run once the monitor container is installed or when a DHIS2 instance with Glowroot APM is created. The user will be prompted to type in the desired password and otherwise it will be randomly generated. +``` +SET CREDENTIALS +==================== +Do you want to add the password manually for the user admin in the service ? (If not, password will be generated randomly) +1) Yes +2) No +``` + +Password will be shown to the user +``` +Credentials have been set +================= +Service: monitor (munin) +Username: admin +Password: XXXXX +``` + +##Manual execution +The user will be able to reset the password of a service by running the service script dhis2-set-credentials. +``` +usage: dhis2-set-credential + Valid services are: +``` + +The user will be prompted to type in the desired password and otherwise it will be randomly generated and password will be shown to the user. +``` +SET CREDENTIALS +==================== +Do you want to add the password manually for the user admin in the service ? (If not, password will be generated randomly) +1) Yes +2) No +``` + +``` +Credentials have been set +================= +Instance: hmis +Service: hmis-glowroot +Username: admin +Password: XXXXX +``` + +If the user wants to reset a Glowroot APM password, he will be notified that in order to set the password, the instance will be restarted and he will be prompted for confirmation. Otherwise, the password will not be set. +``` +Instance hmis will be restarted. 
Are you sure do you want to continue? +1) Yes +2) No +``` + +This procedure will only change the admin password. The rest of roles or users created will remain. diff --git a/setup/service/dhis2-set-credential b/setup/service/dhis2-set-credential index bc5ec27..0c53353 100755 --- a/setup/service/dhis2-set-credential +++ b/setup/service/dhis2-set-credential @@ -68,6 +68,8 @@ else Yes ) break;; No ) + echo + echo "Password has not been set" exit 1;; esac done From aebcd9e7607054abd32005e3d7102ea8557ef3eb Mon Sep 17 00:00:00 2001 From: root Date: Fri, 4 Mar 2022 15:47:43 +0000 Subject: [PATCH 11/18] dhis2-set-credential service --- docs/dhis2-set-credential.md | 6 +++--- setup/containers/munin_monitor | 1 + setup/containers/munin_monitor_postsetup | 8 ++++++-- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/docs/dhis2-set-credential.md b/docs/dhis2-set-credential.md index 1630622..e862d88 100755 --- a/docs/dhis2-set-credential.md +++ b/docs/dhis2-set-credential.md @@ -1,8 +1,8 @@ -#dhis2-set-credential +# dhis2-set-credential Security of the servers and services is a priority. We need to set username and password credentials for the munin monitoring service and the Glowroot APM tool on each instance we have created to prevent unwanted users from accessing sensitive or critical data. Credentials will be set once we install the monitor container or a DHIS2 instance with Glowroot APM or can be reset by the user later. -##Automatic execution +## Automatic execution The dhis2-set-credential service will run once the monitor container is installed or when a DHIS2 instance with Glowroot APM is created. The user will be prompted to type in the desired password and otherwise it will be randomly generated. ``` SET CREDENTIALS @@ -21,7 +21,7 @@ Username: admin Password: XXXXX ``` -##Manual execution +## Manual execution The user will be able to reset the password of a service by running the service script dhis2-set-credentials. ``` usage: dhis2-set-credential 
diff --git a/setup/containers/munin_monitor b/setup/containers/munin_monitor index 75e65d4..ec2889f 100755 --- a/setup/containers/munin_monitor +++ b/setup/containers/munin_monitor @@ -37,6 +37,7 @@ fi #perl -pi -e "s|Require local|Require all granted|sig" $MUNINA2CONF perl -pi -e "s|Require local|AuthUserFile /etc/munin/.htpasswd\n Authtype Basic\n AuthName \"Munin\"\n Require valid-user\n Options FollowSymLinks SymLinksIfOwnerMatch|sig" $MUNINA2CONF ln -s $MUNINA2CONF /etc/apache2/conf-available/munin.conf > /dev/null 2>&1 + touch /etc/munin/.htpasswd a2enconf munin.conf #Also add hosts as required to the config file diff --git a/setup/containers/munin_monitor_postsetup b/setup/containers/munin_monitor_postsetup index 9266867..2ed0f6e 100755 --- a/setup/containers/munin_monitor_postsetup +++ b/setup/containers/munin_monitor_postsetup @@ -1,9 +1,13 @@ source parse_config.sh # Check if monitor container already exists -if [[ ! $(lxc list -c n -f csv | grep 'monitor') ]]; +lxc file pull monitor/etc/munin/.htpasswd /tmp/.htpasswd +CHECK_HTPASSWD=$(cat /tmp/.htpasswd) +if [[ $CHECK_HTPASSWD == "" ]]; then dhis2-set-credential monitor +else + rm /tmp/.htpasswd fi if [[ $PROXY == "nginx" ]]; @@ -46,7 +50,7 @@ then ProxyPass "http://${MUNIN_IP}/munin" ProxyPassReverse "http://${MUNIN_IP}/munin" - + EOF lxc file push /tmp/munin proxy/etc/apache2/upstream/munin rm /tmp/munin From 77e677ccea647bb98b2676b0e4beb75b38644385 Mon Sep 17 00:00:00 2001 From: root Date: Fri, 4 Mar 2022 16:11:54 +0000 Subject: [PATCH 12/18] dhis2-set-credential service --- docs/dhis2-set-credential.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/dhis2-set-credential.md b/docs/dhis2-set-credential.md index e862d88..6d9a5b4 100755 --- a/docs/dhis2-set-credential.md +++ b/docs/dhis2-set-credential.md 
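Review bot: `touch /etc/munin/.htpasswd` creates the credential file with the process umask, which on a default Ubuntu guest leaves it world-readable, while the `AuthUserFile /etc/munin/.htpasswd` inserted by the `perl -pi -e` line above only needs the web server to read it. Create it with an explicit mode and group instead, e.g. `install -m 640 -o root -g www-data /dev/null /etc/munin/.htpasswd` (confirm the Apache group for the guest image), so the bcrypt/MD5 hashes written by `htpasswd` are not exposed to every process in the container. The surrounding `munin_monitor` script continues on both sides of the hunk.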
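Review bot: The new existence check copies the monitor's credential file to the host as `/tmp/.htpasswd`, a predictable world-readable path, and removes it only in the `else` branch — when the file is empty the copy stays behind, and when the `monitor` container does not exist yet (the case the removed `lxc list | grep 'monitor'` guarded) `lxc file pull` fails, `cat` fails, `CHECK_HTPASSWD` is empty and `dhis2-set-credential monitor` runs anyway. Test the file inside the container instead of pulling it: `if ! lxc exec monitor -- test -s /etc/munin/.htpasswd; then dhis2-set-credential monitor; fi`. That keeps the hashes off the host filesystem, drops the `rm`, and fails loudly rather than silently when the container is missing. The `$PROXY` branches that follow are outside this hunk.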
@@ -11,7 +11,6 @@ Do you want to add the password manually for the user admin in the service Valid services are: ``` +For example, to change the Glowroot APM admin password for the *hmis* DHIS2 instance, the user has to run the command +``` +sudo dhis2-set-credential hmis +``` + The user will be prompted to type in the desired password and otherwise it will be randomly generated and password will be shown to the user. ``` -SET CREDENTIALS +SET hmis CREDENTIALS ==================== -Do you want to add the password manually for the user admin in the service ? (If not, password will be generated randomly) +Do you want to add the password manually for the user admin in the service hmis? (If not, password will be generated randomly) 1) Yes 2) No ``` From 6ee947ffbab39a9ec79f1f77ef16623c3efb7ad0 Mon Sep 17 00:00:00 2001 From: root Date: Fri, 17 Jun 2022 05:59:51 +0000 Subject: [PATCH 13/18] Fix dhis2-set-credential when java is not installed --- setup/service/dhis2-set-credential | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/service/dhis2-set-credential b/setup/service/dhis2-set-credential index 0c53353..c0bd195 100755 --- a/setup/service/dhis2-set-credential +++ b/setup/service/dhis2-set-credential 
@@ -76,17 +76,17 @@ else fi #Hash glowroot password - wget -P /tmp https://github.com/glowroot/glowroot/releases/download/v0.13.6/glowroot-central-0.13.6-dist.zip - unzip -q -o /tmp/glowroot-central-0.13.6-dist.zip -d /tmp + lxc exec $SERVICE -- wget -P /tmp https://github.com/glowroot/glowroot/releases/download/v0.13.6/glowroot-central-0.13.6-dist.zip + lxc exec $SERVICE -- unzip -q -o /tmp/glowroot-central-0.13.6-dist.zip -d /tmp + GLOWROOT_PASSWD_ENC=$(lxc exec $SERVICE -- java -jar /tmp/glowroot-central/glowroot-central.jar hash-password $PASSWD) lxc file pull $SERVICE/opt/glowroot/admin.json /tmp/admin.json - GLOWROOT_PASSWD_ENC=$(java -jar /tmp/glowroot-central/glowroot-central.jar hash-password $PASSWD) jq --arg context /${SERVICE}-glowroot '.web.contextPath=$context' /tmp/admin.json > /tmp/admin.json.tmp jq --arg passwordHash $GLOWROOT_PASSWD_ENC '.users |= map(if .username=="admin" then .passwordHash=$passwordHash else . end)' /tmp/admin.json.tmp > /tmp/admin.json lxc file push /tmp/admin.json $SERVICE/opt/glowroot/admin.json lxc exec $SERVICE -- chown -R tomcat.tomcat /opt/ - rm -rf /tmp/glowroot-central* /tmp/admin.json* + lxc exec $SERVICE -- rm -rf /tmp/glowroot-central* + rm -rf /tmp/admin.json* - # Check if user wants to set credential if [[ $PARENT == "" ]]; then lxc exec $SERVICE -- service tomcat9 restart From dc5e26969e830136e6dd4313863bc8a7dd8affec Mon Sep 17 00:00:00 2001 From: root Date: Fri, 17 Jun 2022 08:10:14 +0000 Subject: [PATCH 14/18] Fix nginx configuration --- setup/containers/nginx_proxy_postsetup | 31 +++------------------- setup/service/dhis2-create-instance | 36 +++++++++++++++++--------- 2 files changed, 28 insertions(+), 39 deletions(-) diff --git a/setup/containers/nginx_proxy_postsetup b/setup/containers/nginx_proxy_postsetup index dc04365..ceb8a5c 100755 --- a/setup/containers/nginx_proxy_postsetup +++ b/setup/containers/nginx_proxy_postsetup 
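Review bot: Moving the hashing into the instance does not take the plaintext password off the command line — `lxc exec $SERVICE -- java -jar ... hash-password $PASSWD` now exposes it in the process lists of both the host and the container, and `$PASSWD` is still unquoted. Nothing checks that the download and the hashing succeeded: if the instance has no outbound network or `wget` fails, `GLOWROOT_PASSWD_ENC` is empty and the following `jq` pushes an empty `passwordHash` into `/opt/glowroot/admin.json` before tomcat is restarted (unless the script runs under `set -e`, which is not visible here). Add `[[ -n "$GLOWROOT_PASSWD_ENC" ]] || { echo "Failed to hash Glowroot password" >&2; exit 1; }` right after the `GLOWROOT_PASSWD_ENC=` line, and consider verifying a pinned checksum of `glowroot-central-0.13.6-dist.zip` since the archive is fetched from the internet and run as a jar inside the instance. The `else` branch containing this hunk begins outside it.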
@@ -15,14 +15,16 @@ echo "nginx setup running" # performance.conf #### cat < /tmp/performance.conf +server_tokens off; +large_client_header_buffers 2 1k; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 10; -send_timeout 10; +send_timeout 10; types_hash_max_size 2048; client_max_body_size 20M; -client_body_timeout 10; +client_body_timeout 10; client_header_timeout 10; EOF @@ -67,37 +69,12 @@ resolver 8.8.4.4 8.8.8.8 valid=300s ipv6=off; resolver_timeout 10s; EOF -#### -# security.conf -#### -cat < /tmp/security.conf -# Referrer Policy -add_header Referrer-Policy "no-referrer"; - -# Avoid clickjacking attack -add_header X-Frame-Options "SAMEORIGIN" always; - -# Enable Strict Transport Security (HSTS) for https; -add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - -# Hide nginx server version -server_tokens off; - -# Protect against MIME sniffing vulnerabilities -add_header X-Content-Type-Options "nosniff" always; - -# X-XSS Protection -add_header X-XSS-Protection "1; mode=block" always; -EOF - lxc file push /tmp/performance.conf $NAME/etc/nginx/conf.d/performance.conf rm /tmp/performance.conf lxc file push /tmp/gzip.conf $NAME/etc/nginx/conf.d/gzip.conf rm /tmp/gzip.conf lxc file push /tmp/ssl.conf $NAME/etc/nginx/conf.d/ssl.conf rm /tmp/ssl.conf -lxc file push /tmp/security.conf $NAME/etc/nginx/conf.d/security.conf -rm /tmp/security.conf # Remove nginx references lxc exec $NAME -- sed -i "s/nginx/webserver/g" /usr/share/nginx/html/index.html diff --git a/setup/service/dhis2-create-instance b/setup/service/dhis2-create-instance index aca7d30..42eda45 100755 --- a/setup/service/dhis2-create-instance +++ b/setup/service/dhis2-create-instance 
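Review bot: Deleting `security.conf` removes the `add_header` response headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, X-XSS-Protection) from every response the proxy serves — `/munin`, the default server and nginx error pages included — not only the DHIS2 locations; the `proxy_set_header` directives added to `dhis2-create-instance` in the same commit set headers on the request forwarded to tomcat and do not replace what is removed here. Keep a proxy-wide `add_header ... always;` set in `conf.d` (remembering that nginx discards inherited `add_header` directives in any block that declares its own), with `server_tokens off;` moved alongside as done here. Separately, `large_client_header_buffers 2 1k;` is very small for an application with session cookies and long query strings and would likely trigger 400 "Request Header Or Cookie Too Large" — confirm against real traffic before shipping. The heredoc writing `performance.conf` starts outside the hunk.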
@@ -204,12 +204,18 @@ then proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; - proxy_hide_header X-Frame-Options; - proxy_hide_header Strict-Transport-Security; - proxy_hide_header X-Content-Type-Options; - proxy_hide_header X-XSS-protection; - proxy_hide_header X-Powered-By; - proxy_hide_header Server; + + # Enable Strict Transport Security (HSTS) for https + proxy_set_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + # To mitigate the risk of clickjacking attacks + proxy_set_header X-Frame-Options "SAMEORIGIN"; + # To prevent drive-by download attacks where a user agent is sniffing content types in responses + proxy_set_header X-Content-Type-Options "nosniff"; + # To leverage browser-based protections against cross-site scripting + proxy_set_header X-Xss-Protection "1; mode=block"; + + proxy_hide_header X-Powered-By; + proxy_hide_header Server; proxy_connect_timeout 480s; proxy_read_timeout 480s; 
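Review bot: `proxy_set_header` only modifies the request nginx sends upstream to tomcat; it never adds anything to the response returned to the browser, so none of the four headers added here (`Strict-Transport-Security`, `X-Frame-Options`, `X-Content-Type-Options`, `X-Xss-Protection`) will reach the client, and with the `proxy_hide_header` lines removed this location now relies entirely on what DHIS2 emits. Use `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` and the same form for the other three; keep `proxy_hide_header X-Frame-Options;` etc. if the proxy is meant to be authoritative, otherwise the backend's values are passed through alongside and the client may see duplicate headers. `X-Xss-Protection` is widely regarded as obsolete and can be dropped. The enclosing `location` block and heredoc continue outside the hunk.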
@@ -236,12 +242,18 @@ EOF proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; - proxy_hide_header X-Frame-Options; - proxy_hide_header Strict-Transport-Security; - proxy_hide_header X-Content-Type-Options; - proxy_hide_header X-XSS-protection; - proxy_hide_header X-Powered-By; - proxy_hide_header Server; + + # Enable Strict Transport Security (HSTS) for https + proxy_set_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + # To mitigate the risk of clickjacking attacks + proxy_set_header X-Frame-Options "SAMEORIGIN"; + # To prevent drive-by download attacks where a user agent is sniffing content types in responses + proxy_set_header X-Content-Type-Options "nosniff"; + # To leverage browser-based protections against cross-site scripting + proxy_set_header X-Xss-Protection "1; mode=block"; + + proxy_hide_header X-Powered-By; + proxy_hide_header Server; proxy_connect_timeout 480s; proxy_read_timeout 480s; From 6794bf1df1062630f9c3fb1a954a66ab2c1d1284 Mon Sep 17 00:00:00 2001 From: Davide Barbato Date: Thu, 4 Aug 2022 12:15:43 +0200 Subject: [PATCH 15/18] Add sudo to commands --- setup/create_containers.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/create_containers.sh b/setup/create_containers.sh index f283ff6..ad183f0 100755 --- a/setup/create_containers.sh +++ b/setup/create_containers.sh @@ -23,10 +23,10 @@ if [[ $UFW_STATUS == "inactive" ]]; then fi # Make sure ufw is not blocking the lxd traffic -ufw allow in on lxdbr0 +sudo ufw allow in on lxdbr0 sudo ufw allow out on lxdbr0 -apt-get -y install unzip auditd jq apache2-utils +sudo apt-get -y install unzip auditd jq apache2-utils # Parse json config file source parse_config.sh From 2f5604eb3d971600e634965c882b967a8818529f Mon Sep 17 00:00:00 2001 
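Review bot: Same defect as the first `location` hunk: `proxy_set_header` writes request headers to the upstream, so these four security headers never appear in the response and the removal of `proxy_hide_header X-Frame-Options` and friends leaves the client with whatever tomcat sends. Replace each with `add_header <Name> "<value>" always;`. Since this block is now an exact copy of the one in the other proxy branch, moving the header set into one file pushed to the proxy and pulling it in with `include snippets/security-headers.conf;` would keep the two from drifting apart. The `location` block and the heredoc it lives in start and end outside the hunk.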
From: Davide Barbato Date: Thu, 4 Aug 2022 12:16:29 +0200 Subject: [PATCH 16/18] Fix typo in comment --- setup/create_containers.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/create_containers.sh b/setup/create_containers.sh index ad183f0..fe83931 100755 --- a/setup/create_containers.sh +++ b/setup/create_containers.sh @@ -17,7 +17,7 @@ if [[ $UFW_STATUS == "inactive" ]]; then echo "It is required to NAT connections to the proxy container." echo "You just need to have a rule to allow ssh access. eg:" echo " sudo ufw limit 22/tcp" - echo "then, 'sudo enable ufw'" + echo "then, 'sudo ufw enable'" echo "Then you can try to run ./create_containers again" exit 1 fi From b02ed13747ac8e4c557164a68031d8ea249cdaf5 Mon Sep 17 00:00:00 2001 From: Davide Barbato Date: Thu, 4 Aug 2022 13:19:16 +0200 Subject: [PATCH 17/18] Add checks and better output on dhis2-restoredb --- setup/service/dhis2-restoredb | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/setup/service/dhis2-restoredb b/setup/service/dhis2-restoredb index 694fce0..9efe7f3 100755 --- a/setup/service/dhis2-restoredb +++ b/setup/service/dhis2-restoredb @@ -9,9 +9,9 @@ set -e -PROG=`basename $0` -BACKUPFILE=$1 -DB=$2 +PROG=$(basename "$0") +BACKUPFILE="$1" +DB="$2" usage() { echo "Usage: $PROG " 
@@ -21,10 +21,27 @@ usage() { echo " -h, --help Display this help message" } +[ -z "${BACKUPFILE}" ] || [ -z "${DB}" ] && usage && exit 1 -sudo lxc exec postgres dropdb $DB -sudo lxc exec postgres -- createdb -O $DB $DB -zcat $BACKUPFILE | grep -v 'ALTER .* OWNER' | sudo lxc exec postgres -- psql $DB -echo "REASSIGN OWNED BY root TO $DB" | sudo lxc exec postgres -- psql $DB +if [ `lxc exec "$DB" -- systemctl is-active tomcat9` = "active" ]; then + echo "Cannot restore database while tomcat is running." + echo "First stop it by running lxc exec $DB -- service tomcat9 stop" + exit 1 +fi + +echo "Dropping database $DB..." +sudo lxc exec postgres dropdb "$DB" + +echo "Recreating database..." +sudo lxc exec postgres -- createdb -O "$DB" "$DB" + +echo "Restoring data to database..." +zcat "${BACKUPFILE}" | grep -v 'ALTER .* OWNER' | sudo lxc exec postgres -- psql "$DB" +echo "REASSIGN OWNED BY root TO $DB" | sudo lxc exec postgres -- psql "$DB" + +if [ "$?" -eq 0 ]; then + echo "Done!" + echo "You can now restart tomcat by running lxc exec $DB -- service tomcat9 start" +fi From 770b0390c05025134cdd0fe8388f50f596fede8a Mon Sep 17 00:00:00 2001 From: Davide Barbato Date: Wed, 17 Aug 2022 19:09:11 +0200 Subject: [PATCH 18/18] Add a check for skipping creation of existing containers --- setup/create_containers.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/setup/create_containers.sh b/setup/create_containers.sh index fe83931..96f7889 100755 --- a/setup/create_containers.sh +++ b/setup/create_containers.sh @@ -45,6 +45,12 @@ for CONTAINER in $CONTAINERS; do IP=$(echo $CONTAINER | jq -r .ip) TYPE=$(echo $CONTAINER | jq -r .type) + container_exist=$(lxc list -c n | grep $NAME) + if ! [ -z "$container_exist" ]; then + echo "Container $NAME already exist, skipping" + continue + fi + echo "Creating $NAME of type $TYPE" lxc init ubuntu:$GUESTOS $NAME lxc network attach $LXDBR $NAME eth0 eth0
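Review bot: `dropdb "$DB"` runs before anything verifies that `$BACKUPFILE` exists and is readable, and the `set -e` shown in the previous hunk's header does not cover non-final pipeline stages, so a missing or truncated backup makes `zcat` fail while `psql` exits 0 — the database is already gone and "Done!" is printed. Add `[ -r "$BACKUPFILE" ] || { echo "Cannot read backup file $BACKUPFILE" >&2; exit 1; }` before the tomcat check and `set -o pipefail` next to `set -e`. The `if [ "$?" -eq 0 ]` only reflects the `REASSIGN OWNED` statement, not the restore, and under `set -e` it is always true by the time it is reached. The tomcat check uses unquoted backticks, so if the `$DB` container does not exist the test degenerates to `[ = "active" ]` and the script dies with a shell syntax error instead of a message; `if [ "$(lxc exec "$DB" -- systemctl is-active tomcat9)" = "active" ]; then` fixes that, and a preceding `lxc info "$DB" >/dev/null 2>&1 || { echo "No container $DB" >&2; exit 1; }` gives a clear failure.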
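Review bot: `lxc list -c n | grep $NAME` is an unanchored regex search over the table output, so a container named `proxy` is reported as existing when only `proxy-old` or `monitor-proxy` exists, and an unquoted `$NAME` containing regex metacharacters changes the match. Use the CSV output with a fixed, whole-line match — `container_exist=$(lxc list -c n -f csv | grep -Fx -- "$NAME")` — or simply `if lxc info "$NAME" >/dev/null 2>&1; then`. Because `continue` skips `lxc init`, `lxc network attach` and whatever follows the hunk, an existing container is left untouched; if that is intended, the echo should say so: `echo "Container $NAME already exists, skipping creation and configuration"`. The `for CONTAINER in $CONTAINERS` loop starts outside the hunk.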