Changelog

Infrastructure

WHMCS module

WHMCS v8+ required. Simplified install and configuration, support for premium domains and DNSSEC.

Prerequisites - Updated September 2024

  • Ubuntu Server 24.04.X LTS (basic server install, no GUI or other options), 16GB RAM, 8 cores, 120GB HDD
  • Latest postgreSQL 17, JDK 1.8 (8.0.432+6), Resin 4.0.67
  • Tips

Basics:

  • sudo apt update && sudo apt upgrade -y
  • sudo apt install zip unzip
  • sudo touch /etc/cloud/cloud-init.disabled
  • sudo apt purge cloud-init -y
  • sudo rm -Rf /etc/cloud
  • sudo systemctl disable --now unattended-upgrades
  • sudo apt remove unattended-upgrades
  • sudo apt install bind9 bind9utils bind9-doc -y
  • sudo apt install dnsutils
  • sudo apt install whois
  • sudo apt install yamllint
  • sudo apt-get install ttf-mscorefonts-installer
  • sudo apt-get install fontconfig
  • sudo fc-cache -f -v
  • sudo apt install build-essential checkinstall zlib1g-dev -y
  • sudo apt-get install libssl-dev
  • sudo timedatectl set-timezone UTC
  • sudo timedatectl set-ntp on
  • sudo apt update && sudo apt upgrade -y
  • sudo apt autoremove
  • sudo sed -i 's/# set linenumbers/set linenumbers/g' /etc/nanorc

Java

Install Java JDK 1.8

sudo mkdir /usr/lib/jvm
cd /usr/lib/jvm
Direct from Adoptium https://adoptium.net
sudo wget --inet4-only https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u462-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u462b08.tar.gz --no-check-certificate
Extract download
sudo tar -xvzf OpenJDK8U-jdk_x64_linux_hotspot_8u462b08.tar.gz

Open the environment variables file and append the following line.

sudo nano /etc/environment
JAVA_HOME="/usr/lib/jvm/jdk8u462-b08"

Run from command line.

sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk8u462-b08/bin/java" 0
sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk8u462-b08/bin/javac" 0
sudo update-alternatives --set java /usr/lib/jvm/jdk8u462-b08/bin/java
sudo update-alternatives --set javac /usr/lib/jvm/jdk8u462-b08/bin/javac

Check Version

java -version
sudo update-alternatives --config java
sudo update-alternatives --display java


Basic Security

Ubuntu firewall basic configuration, handy commands:

  • sudo ufw enable | disable
  • sudo ufw status numbered ( see rules )
  • sudo ufw delete X ( delete a rule by number )
  • sudo ufw reload ( after rule changes )
sudo ufw allow from [trusted IP] to any port 22 ( if sshd is on non-standard port use that port )
sudo ufw allow 53/tcp comment 'Open port DNS tcp port 53'
sudo ufw allow 53/udp comment 'Open port DNS udp port 53'
sudo ufw allow from any to any port 80
sudo ufw allow from any to any port 443
sudo ufw allow from [trusted IP] to any port 700

Use fail2ban to protect against brute-force/dictionary ssh attacks and malformed http requests (tutorial).

sudo apt install fail2ban

Basic sshd refinements (we recommend using ssh keys; see tutorial):

sudo nano /etc/ssh/sshd_config

Protocol 2
Port XXX ( change port, config ufw to allow the selected port )
ListenAddress x.x.x.x ( if multiple IP, bind to one IP )
LogLevel VERBOSE
AllowUsers user_1 user_2 ( list logins that are allowed to ssh )
LoginGraceTime 30
PermitRootLogin no
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 0
MaxStartups 2

sudo systemctl restart ssh

Java Security file

sudo nano /usr/lib/jvm/jdk8u462-b08/jre/lib/security/java.security

In the jdk security file - section "jdk.tls.disabledAlgorithms" change the "DH Key Size < 1024" to "DH Key Size < 2048"

PostgreSQL

Installation Instructions: https://www.postgresql.org/download/linux/ubuntu/

Create the file repository configuration:

sudo apt install -y postgresql-common
sudo /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh

Update the package lists:

sudo apt-get update

sudo apt-get -y install postgresql-17
Tune postgresql: https://pgtune.leopard.in.ua/

File to edit when tuning PG:

sudo nano /etc/postgresql/17/main/postgresql.conf

Set password for user "postgres" and create empty db to import backup.

sudo -u postgres psql postgres
\password postgres ( enter desired password when prompted )
CREATE database registry;
\q ( to exit the PostgreSQL command interface )

Edit pg_hba.conf to force password confirmation for postgres commands
Look for --- "Database administrative login by Unix domain socket", replace "peer" with "md5"

sudo nano /etc/postgresql/17/main/pg_hba.conf

Restart PG for changes to take effect:

sudo pg_ctlcluster 17 main restart

Import CoCCA database from a pg binary backup:

pg_restore -U postgres -Fc -d registry < CoCCA-Backup.dump


Resin

The http server used with CoCCA https://caucho.com

Before installing resin, install the JDK.

Recommended: create a host name for your instance with an A record that matches the server IP.

cd /opt
sudo wget --inet4-only http://caucho.com/download/resin-4.0.67.tar.gz --no-check-certificate
sudo tar -vzxf resin-4.0.67.tar.gz
cd resin-4.0.67
sudo ./configure --enable-64bit --prefix=/opt/resin/ --with-resin-root=/opt/resin --with-resin-log=/opt/resin/log --with-resin-conf=/opt/resin/conf
sudo make && sudo make install

Post Install Configuration:
Download the CoCCA lab jks from CoCCA ( needed for EPP and https ).

cd /opt/resin/conf/keys/
Contact CoCCA

Download the latest CoCCA ROOT.war file

cd /opt/resin/webapps/
Contact CoCCA

Get postgreSQL jdbc driver

cd /opt/resin/lib/
wget --inet4-only https://jdbc.postgresql.org/download/postgresql-42.7.7.jar --no-check-certificate

Rename default resin.xml and download resin config file for CoCCA:

cd /opt/resin/conf
mv resin.xml resin.backup

Edit default resin config file:

  • replace default IPs with 127.0.0.1, or with the server's private IPs if you use NAT ( lines 28 and 42 )
  • replace the default host registry.example.tld with your host name ( lines 75 and 83 )
  • insert the PostgreSQL password you created in the PostgreSQL section above ( line 92 )
sudo nano /opt/resin/conf/resin.xml

Start ( or restart ) resin and login to portal. If restart does not work, try stop then start.

/etc/init.d/resin stop | start | restart

Go to your host name URL: https://registry.example.tld ( or https://ipaddress; the first load takes about 15-20 seconds )


letsencrypt

Optional: the CoCCA lab jks downloaded above will enable https connections, but with a browser warning. If you want a free https certificate that matches your host name, we suggest https://letsencrypt.org

sudo apt install certbot

Stop resin webserver to release port 80 and 443 temporarily.

/etc/init.d/resin stop

Request a new certificate

sudo certbot certonly --standalone

Create p12 (one long string/command):

openssl pkcs12 -export -name sslcertificate -in /etc/letsencrypt/live/registry.example.tld/fullchain.pem -inkey /etc/letsencrypt/live/registry.example.tld/privkey.pem -out registry.example.tld.p12

Create Java keystore and import p12 (one long string/command):

/usr/lib/jvm/jdk8u462-b08/bin/keytool -importkeystore -destkeystore registry.example.tld.jks -srckeystore registry.example.tld.p12 -srcstoretype pkcs12 -alias sslcertificate

Move newly created jks to the resin keys folder

mv registry.example.tld.jks /opt/resin/conf/keys/registry.example.tld.jks

Edit resin config file to enable new http certificate:

sudo nano /opt/resin/conf/resin.xml

Add the path, jks file name and password for the custom jks created above (lines 45 & 46)

Start ( or restart ) resin and login to portal. If restart does not work, try stop then start.

/etc/init.d/resin stop | start | restart
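Let's Encrypt certificates expire after 90 days, so the p12/jks steps above have to be repeated at every renewal. As an added example (not CoCCA's own code), a certbot deploy hook that redoes them automatically; the hook file name, the password file /etc/letsencrypt/resin-jks.pass and the use of RENEWED_LINEAGE (which certbot exports to deploy hooks) are assumptions, while the keytool and keys paths follow this page.

```shell
#!/bin/sh
# Added example, not from the CoCCA documentation: a certbot deploy hook that
# repeats the pkcs12 -> JKS steps above on every renewal, so Resin does not
# keep serving an expired certificate. Install it (mode 0755) as
# /etc/letsencrypt/renewal-hooks/deploy/resin-jks.sh; certbot runs it with
# RENEWED_LINEAGE set to the live directory of the renewed certificate.
# Assumptions: keytool path and keys folder as on this page, and the keystore
# password stored in a root-only file rather than typed at a prompt.
set -eu

KEYTOOL=/usr/lib/jvm/jdk8u462-b08/bin/keytool
RESIN_KEYS=/opt/resin/conf/keys
PASS_FILE=/etc/letsencrypt/resin-jks.pass   # assumed: root:root, mode 0600

# Accept only a plain host name (at least two labels) so the lineage name
# can never become a path component like "../" when run as root.
valid_hostname() {
    printf '%s' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Build <host>.jks from the renewed lineage in a temp dir inside the keys
# folder, then rename it into place so Resin never reads a half-written file.
build_jks() {
    lineage=$1
    host=$(basename "$lineage")
    valid_hostname "$host" || { echo "refusing lineage name: $host" >&2; return 1; }
    tmp=$(mktemp -d "$RESIN_KEYS/.tmp.XXXXXX")
    trap 'rm -rf "$tmp"' EXIT
    openssl pkcs12 -export -name sslcertificate \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -out "$tmp/$host.p12" -passout "file:$PASS_FILE"
    "$KEYTOOL" -importkeystore -noprompt \
        -srckeystore "$tmp/$host.p12" -srcstoretype pkcs12 \
        -srcstorepass:file "$PASS_FILE" -srcalias sslcertificate \
        -destkeystore "$tmp/$host.jks" -deststorepass:file "$PASS_FILE" \
        -destalias sslcertificate
    chmod 640 "$tmp/$host.jks"
    mv "$tmp/$host.jks" "$RESIN_KEYS/$host.jks"
    /etc/init.d/resin restart
}

# certbot sets RENEWED_LINEAGE for deploy hooks; do nothing when run by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_jks "$RENEWED_LINEAGE"
fi
```

The keystore password in the file must be the same one entered in resin.xml (lines 45 and 46 above), and certbot renew --dry-run exercises the hook without touching the real certificate.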


NGINX proxy

To improve security install nginx as a reverse proxy.

sudo apt update
sudo apt install nginx
systemctl status nginx

sudo nano /etc/nginx/sites-available/registry.nic.tld

When creating or editing the config files, replace "registry.nic.tld" with whatever host name is appropriate for your registry. Paste and then edit the content below.

# HTTP redirect
server {
    listen 80;
    # listen [::]:80;
    server_name registry.nic.tld;
    location / {
        return 301 https://registry.nic.tld$request_uri;
    }
}

# HTTPS
server {
    listen 443 ssl;
    #listen [::]:443 ssl;
    keepalive_timeout 300s;
    proxy_read_timeout 300s;
    send_timeout 300s;

    ssl_certificate /etc/letsencrypt/live/registry.nic.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/registry.nic.tld/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    server_name registry.nic.tld;
    location / {
        proxy_pass https://127.0.0.1:8443;
        include proxy_params;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header Permissions-Policy "interest-cohort=()" always;

        # . files
        location ~ /\.(?!well-known) {
            deny all;
        }
    }
}

Save and exit, with nano you can do this by hitting CTRL+O then CTRL+X.

Next, enable this configuration file by creating a link from it to the sites-enabled directory that Nginx reads at startup:

sudo ln -s /etc/nginx/sites-available/registry.nic.tld /etc/nginx/sites-enabled/

NGINX uses the default linked configuration file. Creating a reverse proxy requires creating and linking a custom file. To avoid any potential conflicts, use the following command:

sudo unlink /etc/nginx/sites-enabled/default

To configure NGINX to launch on reboot automatically, enable the service with:

sudo systemctl enable nginx

Create a non-root user

sudo useradd -m -d /opt/nginxuser -U -s /bin/false nginxuser

Grant nginxuser Necessary Permissions

sudo chown -R nginxuser:nginxuser /var/log/nginx
sudo chown -R nginxuser:nginxuser /var/lib/nginx

Now, open the Nginx configuration file in a text editor.

sudo nano /etc/nginx/nginx.conf

Within the configuration file, locate the user directive (top of the conf file), and set it to the non-root user you created.

  • user nginxuser;
  • worker_connections 1024;
  • uncomment server_tokens off;

Save and exit, with nano you can do this by hitting CTRL+O then CTRL+X.

Test the Configuration

sudo nginx -t

Edit resin.xml config file /opt/resin/conf/resin.xml

Change listen IPs to 127.0.0.1 and ::1 ( if you use IPv6 )

Change ports from 80 and 443 to 8080 and 8443

sudo nano /opt/resin/conf/resin.xml
/etc/init.d/resin stop | start
sudo systemctl stop | start nginx

Check the process using the following command to ensure that Nginx is running with the non-root user.

ps aux | grep nginx
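The proxy only improves security if Resin's 8080/8443 are no longer reachable from outside. As an added example (not from the CoCCA documentation), a POSIX sh check over ss -ltn output that flags backend sockets not bound to loopback and a missing 443 listener; the file name backend_check.sh and the embedded ss sample are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the CoCCA documentation: verify that after the
# change above Resin's 8080/8443 are bound to loopback only, so the backend
# is reachable through nginx and not directly from the network.

# Reads `ss -ltn` output on stdin, prints every backend socket (8080/8443)
# whose local address is not 127.0.0.1 or [::1], and returns 1 if any exist
# or if nothing listens on 443 (i.e. nginx is not up).
check_backend_listeners() {
    awk '
    $1 == "LISTEN" {
        addr = $4
        n = split(addr, p, ":")               # last field is the port,
        port = p[n]                           # the rest is the address
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port == "443") front = 1
        if ((port == "8080" || port == "8443") && host != "127.0.0.1" && host != "[::1]") {
            print "backend exposed: " addr; bad = 1
        }
    }
    END { if (!front) { print "nothing listening on 443"; bad = 1 }; exit bad + 0 }'
}

# Constructed `ss -ltn` sample: 8443 correctly on loopback, 8080 still on all
# interfaces (the mistake the check is meant to catch), nginx on 80/443.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      4096   127.0.0.1:8443      0.0.0.0:*
LISTEN 0      4096   [::1]:8443          [::]:*
LISTEN 0      4096   *:8080              *:*'

# Real use:  ss -ltn | sh backend_check.sh --live   (no args: run the sample)
case "${1:-}" in
    --live) check_backend_listeners ;;
    *)      printf '%s\n' "$SAMPLE_SS" | check_backend_listeners || echo "sample fails the check" ;;
esac
```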