RFC and ICANN Compliance
- CoCCA supports all the RFCs required by the Internet Corporation for Assigned Names and Numbers (ICANN), the peak body for coordination of the Internet naming and numbering system, and is compliant with the standards in Specifications 6 and 10 of the ICANN base Registry Agreement.
- List of supported RFCs
- Anycast DNS using PCH Anycast. Additional Anycast using AfriNIC or LAC TLD is also recommended, depending on region and TLD manager preference.
- Support for WHMCS.
- European GDPR Compliant.
Infrastructure
WHMCS module
WHMCS v8+ required. Simplified install and configuration, support for premium domains and DNSSEC.
Changelog
Prerequisites - Updated September 2024
- Ubuntu Server 24.04.x LTS ( basic server install, no GUI or other options ), 16GB RAM, 8 cores, 120GB disk
- PostgreSQL 17 ( latest ), JDK 1.8 ( 8u432-b06 or later; the steps below install 8u442-b06 ), Resin 4.0.67
- Tips
Basics:
- sudo apt update && sudo apt upgrade -y
- sudo apt install zip unzip
- sudo touch /etc/cloud/cloud-init.disabled
- sudo apt purge cloud-init -y
- sudo rm -Rf /etc/cloud
- sudo systemctl disable --now unattended-upgrades
- sudo apt remove unattended-upgrades ( with automatic updates off, security patches must be applied by hand: schedule a regular apt update && apt upgrade, and reboot for kernel updates )
- sudo apt install bind9 bind9utils bind9-doc -y
- sudo apt install dnsutils
- sudo apt install whois
- sudo apt install yamllint
- sudo apt-get install ttf-mscorefonts-installer
- sudo apt-get install fontconfig
- sudo fc-cache -f -v
- sudo apt install build-essential checkinstall zlib1g-dev -y
- sudo apt-get install libssl-dev
- sudo timedatectl set-timezone UTC
- sudo timedatectl set-ntp on
- sudo apt update && sudo apt upgrade -y
- sudo apt autoremove
- sudo sed -i 's/# set linenumbers/set linenumbers/g' /etc/nanorc ( /etc/nanorc is root-owned, so sudo is required )
Basic Security
Ubuntu firewall ( ufw ) basic configuration, handy commands:
- sudo ufw enable | disable
- sudo ufw status numbered ( see rules )
- sudo ufw delete X ( delete a rule by number )
- sudo ufw reload ( after rule changes )
Add the allow rules below before running "sudo ufw enable", starting with the SSH rule, otherwise enabling the firewall over SSH locks you out. Ports 80/443 are the registry web portal and port 700 is EPP over TLS.
sudo ufw allow from [trusted IP] to any port 22 ( if sshd is on a non-standard port use that port )
sudo ufw allow 53/tcp comment 'Open port DNS tcp port 53'
sudo ufw allow 53/udp comment 'Open port DNS udp port 53'
sudo ufw allow from any to any port 80
sudo ufw allow from any to any port 443
sudo ufw allow from any to any port 700
Use fail2ban to protect against brute-force/dictionary SSH attacks and malformed HTTP requests. - tutorial
sudo apt install fail2ban
The Ubuntu package enables the sshd jail out of the box. Put any changes in /etc/fail2ban/jail.local rather than jail.conf, and if sshd listens on a non-standard port set "port" in the [sshd] jail to match, or the bans never trigger.
Basic sshd refinements ( we recommend using SSH keys - tutorial ). Put these directives before any Match block: sshd applies the first value it sees for each keyword, and Ubuntu's stock file starts with Include /etc/ssh/sshd_config.d/*.conf, so anything set in that directory wins over lines added further down.
sudo nano /etc/ssh/sshd_config
Protocol 2 ( deprecated no-op on current OpenSSH, which only supports protocol 2; can be omitted )
Port XXX ( change port, config ufw to allow the selected port )
ListenAddress x.x.x.x ( if multiple IP, bind to one IP )
LogLevel VERBOSE
AllowUsers user_1 user_2 ( list logins that are allowed to ssh )
LoginGraceTime 30
PermitRootLogin no
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 1 ( OpenSSH 8.2+, as shipped with Ubuntu 24.04, treats 0 as "never disconnect"; 1 drops a client that misses one keepalive )
MaxStartups 2
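As an added example ( not part of the CoCCA documentation or its code ), a small POSIX shell audit of an sshd_config file against the directives listed above. It reads the file the way sshd does: the first occurrence of a keyword wins and anything after a Match line is conditional, so a hardened line appended below an existing "PermitRootLogin yes" changes nothing. The file names and the sample config are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the recommended directives.
# sshd uses the FIRST value of each keyword; directives after "Match" are
# conditional and are not audited here. Include lines are not followed.

# keyword / expected value (values are compared lowercased, as sshd does)
SSHD_WANT='
LogLevel verbose
LoginGraceTime 30
PermitRootLogin no
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 1
MaxStartups 2
'
# site-specific directives: only checked for presence
SSHD_PRESENT='Port ListenAddress AllowUsers'

# first_value FILE KEYWORD -> effective (first, pre-Match) value, lowercased; empty if unset
first_value() {
    awk -v k="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1"
}

# check_sshd_config FILE: prints one line per deviation; returns 1 if any, 0 if clean
check_sshd_config() {
    cfg=$1
    rc=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(first_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            printf '%-24s want %-8s got %s\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done <<EOF
$SSHD_WANT
EOF
    for key in $SSHD_PRESENT; do
        if [ -z "$(first_value "$cfg" "$key")" ]; then
            printf '%-24s not set (site-specific, must be chosen)\n' "$key"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed file: a stock-looking config with one hardened line
# appended too late to take effect (sshd keeps "PermitRootLogin yes").
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PermitRootLogin yes
X11Forwarding yes
PermitRootLogin no
EOF
check_sshd_config "$SAMPLE" || echo "sshd_config needs work"
rm -f "$SAMPLE"
```

Run it against the real file with check_sshd_config /etc/ssh/sshd_config after saving. Because it does not follow the Include line, confirm with sudo sshd -T, which prints the effective configuration, validate syntax with sudo sshd -t, and keep your current session open while restarting ( Ubuntu 24.04 socket-activates sshd, so after changing Port run sudo systemctl daemon-reload before restarting ssh ).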
PostgreSQL
Installation Instructions: https://www.postgresql.org/download/linux/ubuntu/
Create the file repository configuration:
sudo apt install -y postgresql-common
sudo /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh
Update the package lists and install:
sudo apt-get update
sudo apt-get -y install postgresql-17
File to edit when tuning PG:
sudo nano /etc/postgresql/17/main/postgresql.conf
Set a password for user "postgres" and create an empty database to import the backup into:
sudo -u postgres psql postgres
\password postgres ( enter the desired password when prompted )
CREATE DATABASE registry;
\q ( exits the PostgreSQL command interface )
Edit pg_hba.conf so that the local administrative login needs that password instead of OS-level peer authentication. Look for "Database administrative login by Unix domain socket" and replace "peer" with "scram-sha-256" ( "md5", as older guides say, still works because PostgreSQL 17 stores passwords in SCRAM form and an md5 entry then negotiates SCRAM, but scram-sha-256 is the current method ). From now on sudo -u postgres psql prompts for the password.
sudo nano /etc/postgresql/17/main/pg_hba.conf
Restart PG for the changes to take effect:
sudo pg_ctlcluster 17 main restart
Import the CoCCA database from a pg binary ( custom-format ) backup; enter the postgres password when prompted:
pg_restore -U postgres -Fc -d registry < CoCCA-Backup.dump
Java
Install Java JDK 1.8
sudo mkdir -p /usr/lib/jvm
cd /usr/lib/jvm
Download direct from Adoptium ( https://adoptium.net ). Do not add --no-check-certificate: it switches off TLS verification of the download, which is the one check that protects a JDK fetch from tampering. If wget reports a certificate error, fix the CA bundle ( ca-certificates ) or the system clock instead.
sudo wget --inet4-only https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u442-b06/OpenJDK8U-jdk_x64_linux_hotspot_8u442b06.tar.gz
Extract the download:
sudo tar -xvzf OpenJDK8U-jdk_x64_linux_hotspot_8u442b06.tar.gz
Append the following line to the environment variables file:
sudo nano /etc/environment
JAVA_HOME="/usr/lib/jvm/jdk8u442-b06"
Register the JDK with update-alternatives and select it:
sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk8u442-b06/bin/java" 0
sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk8u442-b06/bin/javac" 0
sudo update-alternatives --set java /usr/lib/jvm/jdk8u442-b06/bin/java
sudo update-alternatives --set javac /usr/lib/jvm/jdk8u442-b06/bin/javac
Check the version ( /etc/environment is only read at login, so open a new shell first ):
java -version
sudo update-alternatives --config java
sudo update-alternatives --display java
Resin
The Java web/application server used with CoCCA: https://caucho.com
Before installing Resin, install the JDK.
Recommended: create a host name for your instance with an A record matching the server IP.
cd /opt
sudo wget --inet4-only https://caucho.com/download/resin-4.0.67.tar.gz ( use https and drop --no-check-certificate: a plain-http download is unauthenticated, so anything on the path could swap the tarball you are about to build and install as root )
sudo tar -vzxf resin-4.0.67.tar.gz
cd resin-4.0.67
sudo ./configure --enable-64bit --prefix=/opt/resin/ --with-resin-root=/opt/resin --with-resin-log=/opt/resin/log --with-resin-conf=/opt/resin/conf
sudo make && sudo make install
Post-install configuration: download the CoCCA lab jks from CoCCA ( needed for EPP and https ). This is a shared test keystore: it gives you TLS, but not a certificate browsers will trust, so replace it before going live ( see the letsencrypt section ).
cd /opt/resin/conf/keys/ ( Contact CoCCA )
Download the latest CoCCA ROOT.war file:
cd /opt/resin/webapps/ ( Contact CoCCA )
Get the PostgreSQL JDBC driver ( the directory is root-owned after make install, so sudo is needed; keep TLS verification on ):
cd /opt/resin/lib/
sudo wget --inet4-only https://jdbc.postgresql.org/download/postgresql-42.7.7.jar
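The JDK, Resin and JDBC downloads above are the three supply-chain inputs of this install, so this added example ( not CoCCA's or any vendor's code ) shows how to pin each one to a SHA-256 digest instead of loosening TLS with --no-check-certificate. Adoptium publishes a <tarball>.sha256.txt beside every release asset; where the digest comes from for the other two, and the URL shown in the comment, are assumptions you fill in from the vendor. The demo file at the end is constructed.

```shell
#!/bin/sh
# Added example: verify a downloaded tarball against a known SHA-256 before
# extracting it, with TLS verification left on.

# sha256_of FILE -> hex digest (GNU coreutils, or perl shasum as fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX: 0 if the digest matches, 1 otherwise
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        printf 'CHECKSUM MISMATCH %s\n  expected %s\n  actual   %s\n' "$1" "$2" "$actual" >&2
        return 1
    fi
    return 0
}

# fetch_verified URL EXPECTED_HEX: download (certificate checked by wget as
# normal), keep the file only if its digest matches, otherwise delete it.
fetch_verified() {
    f=$(basename "$1")
    wget --inet4-only -q -O "$f" "$1" || return 1
    verify_sha256 "$f" "$2" || { rm -f "$f"; return 1; }
}

# How this slots into the JDK step (not executed here; needs network).
# Adoptium's "<tarball>.sha256.txt" has the digest as its first field. For
# Resin and the JDBC driver take the digest from the vendor's release page,
# or record the digest of a tarball you have checked once so that later
# rebuilds must fetch an identical file.
#   JDK=https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u442-b06/OpenJDK8U-jdk_x64_linux_hotspot_8u442b06.tar.gz
#   EXPECTED=$(wget -qO- "$JDK.sha256.txt" | awk '{print $1}')
#   fetch_verified "$JDK" "$EXPECTED" && sudo tar -C /usr/lib/jvm -xzf "$(basename "$JDK")"

# Offline demo on a constructed file: verify, then tamper and verify again.
DEMO=$(mktemp)
printf 'abc' > "$DEMO"
verify_sha256 "$DEMO" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad && echo "demo: digest matches"
printf 'abd' > "$DEMO"
verify_sha256 "$DEMO" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad || echo "demo: tampered file rejected"
rm -f "$DEMO"
```

Note that the digest has to come from somewhere other than the download itself ( a second site, a signed release note, or a value you recorded from a build you trust ); a checksum file served next to the tarball by the same host only protects against transfer corruption, not against a compromised host.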
Rename the default resin.xml and download the resin config file for CoCCA:
cd /opt/resin/conf
sudo mv resin.xml resin.backup
Edit the CoCCA resin config file:
- replace the default IPs with 127.0.0.1, or the server's private IPs if you use NAT ( lines 28 and 42 )
- replace the default host registry.example.tld with your host name ( lines 75 and 83 )
- insert the PostgreSQL password you created in the PostgreSQL section above ( line 92 ); resin.xml now holds a database credential, so keep it readable by root only
sudo nano /opt/resin/conf/resin.xml
Start ( or restart ) Resin and log in to the portal. If restart does not work, try stop then start.
sudo /etc/init.d/resin stop | start | restart
Go to your host name URL, https://registry.example.tld ( or https://ipaddress ); the first load takes about 15-20 seconds.
letsencrypt
Optional. The CoCCA lab jks downloaded above enables https connections, but with a browser warning. For a free certificate that matches your host name we suggest https://letsencrypt.org. Let's Encrypt certificates are valid for 90 days: certbot installs a timer that renews the PEM files, but the Java keystore built below is a copy, so the p12/jks steps have to be repeated after every renewal ( a certbot deploy hook is the place to script that ).
sudo apt install certbot
Stop the Resin web server to release ports 80 and 443 temporarily ( ufw must allow port 80 for the standalone challenge ):
sudo /etc/init.d/resin stop
Request a new certificate:
sudo certbot certonly --standalone
Create the p12 ( one long string/command; the files under /etc/letsencrypt/live are root-only, hence sudo; you will be asked for an export password ):
sudo openssl pkcs12 -export -name sslcertificate -in /etc/letsencrypt/live/registry.example.tld/fullchain.pem -inkey /etc/letsencrypt/live/registry.example.tld/privkey.pem -out registry.example.tld.p12
Create the Java keystore and import the p12 ( one long string/command; use the same password for the source and destination store, it is the one that goes into resin.xml ):
sudo /usr/lib/jvm/jdk8u442-b06/bin/keytool -importkeystore -destkeystore registry.example.tld.jks -srckeystore registry.example.tld.p12 -srcstoretype pkcs12 -alias sslcertificate
Move the newly created jks to the Resin keys folder, then delete the p12, which holds the same private key:
sudo mv registry.example.tld.jks /opt/resin/conf/keys/registry.example.tld.jks
Edit the resin config file to enable the new https certificate:
sudo nano /opt/resin/conf/resin.xml
Add the path, jks file name and password for the custom jks created above ( lines 45 & 46 )
Start ( or restart ) Resin and log in to the portal. If restart does not work, try stop then start.
sudo /etc/init.d/resin stop | start | restart
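Added example, not part of the CoCCA documentation: a certbot deploy hook that repeats the p12/jks steps above non-interactively after each renewal and restarts Resin, so the keystore Resin uses for https and EPP does not silently expire. Assumptions: the keystore password is supplied in KS_PASS and equals the one entered in resin.xml, the JDK lives at the path installed above, Resin restarts via /etc/init.d/resin, and the script is installed under /etc/letsencrypt/renewal-hooks/deploy/.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds Resin's JKS from a renewed
# Let's Encrypt lineage and restarts Resin.
# Install as /etc/letsencrypt/renewal-hooks/deploy/resin-jks.sh (mode 700).
# certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<host> when it runs it.
set -eu

KEYS_DIR=/opt/resin/conf/keys                    # keys folder used above
KEYTOOL=/usr/lib/jvm/jdk8u442-b06/bin/keytool    # JDK installed above
KS_PASS=${KS_PASS:-change-me}   # assumption: the keystore password configured in resin.xml

# build_p12 FULLCHAIN PRIVKEY OUT PASSWORD  (non-interactive form of the openssl step)
build_p12() {
    openssl pkcs12 -export -name sslcertificate \
        -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# build_jks P12 OUT PASSWORD  (non-interactive form of the keytool step)
build_jks() {
    rm -f "$2"
    "$KEYTOOL" -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass "$3" -alias sslcertificate \
        -destkeystore "$2" -deststoretype jks -deststorepass "$3"
}

# deploy LINEAGE_DIR: build in a private temp dir, install the jks root-only
# only after both steps succeeded, then restart Resin.
deploy() {
    lineage=$1
    host=$(basename "$lineage")
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    build_p12 "$lineage/fullchain.pem" "$lineage/privkey.pem" "$tmp/$host.p12" "$KS_PASS"
    build_jks "$tmp/$host.p12" "$tmp/$host.jks" "$KS_PASS"
    install -m 600 -o root -g root "$tmp/$host.jks" "$KEYS_DIR/$host.jks"
    /etc/init.d/resin restart
}

# certbot sets RENEWED_LINEAGE; nothing runs when the file is only sourced.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Test it once by hand with sudo certbot renew --dry-run ( dry runs do not call deploy hooks, so follow with RENEWED_LINEAGE=/etc/letsencrypt/live/registry.example.tld sudo -E sh resin-jks.sh ). Because the hook restarts Resin, renewals cause a short outage; certbot's timer runs at random times, so if that matters, replace the restart with a scheduled one.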
NGINX proxy
To improve security, install nginx as a reverse proxy in front of Resin: nginx terminates TLS with the Let's Encrypt PEM files, adds the security headers, and Resin is moved to localhost-only ports ( below ).
sudo apt update
sudo apt install nginx
systemctl status nginx
sudo nano /etc/nginx/sites-available/registry.nic.tld
When creating or editing the config files, replace "registry.nic.tld" with whatever host name is appropriate for your registry. Paste and then edit the content below.
# HTTP redirect
server {
    listen 80;
    # listen [::]:80;
    server_name registry.nic.tld;
    location / {
        return 301 https://registry.nic.tld$request_uri;
    }
}
# HTTPS
server {
    listen 443 ssl;
    #listen [::]:443 ssl;
    keepalive_timeout 300s;
    proxy_read_timeout 300s;
    send_timeout 300s;
    ssl_certificate /etc/letsencrypt/live/registry.nic.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/registry.nic.tld/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    server_name registry.nic.tld;
    location / {
        proxy_pass https://127.0.0.1:8443;
        include proxy_params;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header Permissions-Policy "interest-cohort=()" always;
        # . files
        location ~ /\.(?!well-known) {
            deny all;
        }
    }
}
Notes on this block: nginx only emits add_header lines on 2xx/3xx responses unless they carry "always", so error pages coming back from Resin go out without HSTS; X-XSS-Protection is a legacy header that current browsers ignore; "preload" on HSTS commits every subdomain of the host to https, so leave it off until you intend to submit the domain to the preload list; and nginx answers with its own Server header including the version unless server_tokens is off.
Save and exit, with nano you can do this by hitting CTRL+O then CTRL+X.
Next, enable this configuration file by creating a link from it to the sites-enabled directory that Nginx reads at startup:
sudo ln -s /etc/nginx/sites-available/registry.nic.tld /etc/nginx/sites-enabled/
nginx also loads the package's default site, which listens on port 80 as well and would conflict with the new server block, so unlink it:
sudo unlink /etc/nginx/sites-enabled/default
To have nginx start automatically on reboot, enable the service:
sudo systemctl enable nginx
Create a non-root user for the nginx worker processes
sudo useradd -m -d /opt/nginxuser -U -s /bin/false nginxuser
Grant nginxuser the necessary permissions
sudo chown -R nginxuser:nginxuser /var/log/nginx
sudo chown -R nginxuser:nginxuser /var/lib/nginx
Now open the nginx configuration file in a text editor.
sudo nano /etc/nginx/nginx.conf
Within the configuration file, locate the user directive ( top of the conf file ) and set it to the non-root user you created ( Ubuntu's package defaults to www-data, which is already unprivileged; the change gives nginx an account of its own ):
user nginxuser;
Only the worker processes run as this user. The master process stays root so it can bind ports 80/443 and read the Let's Encrypt private key, which is why privkey.pem does not need to be made readable by nginxuser.
Save and exit, with nano you can do this by hitting CTRL+O then CTRL+X.
Test the configuration
sudo nginx -t
Edit the resin.xml config file /opt/resin/conf/resin.xml
Change the listen IPs to 127.0.0.1 and ::1 ( if you use IPv6 ), so Resin is reachable only through nginx
Change the ports from 80 and 443 to 8080 and 8443 ( no ufw change is needed: 80/443 stay open for nginx, and the loopback-only 8080/8443 are never exposed )
sudo nano /opt/resin/conf/resin.xml
sudo /etc/init.d/resin stop | start
sudo systemctl stop | start nginx
Check the processes to confirm the nginx workers run as the non-root user ( expect one "master process" owned by root and the "worker process" lines owned by nginxuser ):
ps aux | grep nginx
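To confirm the proxy behaves as configured, here is an added example ( not from the CoCCA documentation ) in POSIX shell that audits response headers captured with curl -sI: the security headers added in the config above, a usable HSTS max-age, the port 80 to https redirect, and that nginx does not announce its version. The header dumps in the demo are constructed samples; the host name and file paths are assumptions.

```shell
#!/bin/sh
# Added example: audit captured HTTP response headers from the nginx proxy.

REQUIRED='strict-transport-security x-frame-options x-content-type-options permissions-policy'

# header_value FILE NAME(lowercase) -> value of the first matching header, CR stripped
header_value() {
    awk -v n="$2" '
        {
            i = index($0, ":"); if (i == 0) next
            if (tolower(substr($0, 1, i - 1)) == n) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# audit_headers FILE: one line per finding; returns 1 if anything is wrong
audit_headers() {
    rc=0
    for h in $REQUIRED; do
        if [ -z "$(header_value "$1" "$h")" ]; then
            printf 'MISSING  %s\n' "$h"; rc=1
        fi
    done
    # HSTS that is present but short-lived gives little protection (want >= 6 months)
    age=$(header_value "$1" strict-transport-security | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ "${age:-0}" -lt 15552000 ]; then
        printf 'WEAK     hsts max-age=%s (want >= 15552000)\n' "${age:-0}"; rc=1
    fi
    # "Server: nginx/1.24.0" discloses the version; fix with server_tokens off
    case "$(header_value "$1" server)" in
        */*) printf 'LEAK     server header discloses version\n'; rc=1 ;;
    esac
    return $rc
}

# check_redirect FILE HOST: the port-80 response must be a 301 to https://HOST/...
check_redirect() {
    status=$(head -n 1 "$1" | awk '{print $2}')
    loc=$(header_value "$1" location)
    [ "$status" = 301 ] || { printf 'status %s, expected 301\n' "$status"; return 1; }
    case "$loc" in
        "https://$2/"*) return 0 ;;
    esac
    printf 'redirects to %s, expected https://%s/...\n' "$loc" "$2"
    return 1
}

# Demo on constructed captures (what curl -sI would print)
GOOD=$(mktemp); BAD=$(mktemp); REDIR=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nPermissions-Policy: interest-cohort=()\r\n\r\n' > "$GOOD"
printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n' > "$BAD"
printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://registry.nic.tld/\r\n\r\n' > "$REDIR"
audit_headers "$GOOD" && echo "https headers OK"
audit_headers "$BAD" || echo "unhardened response detected"
check_redirect "$REDIR" registry.nic.tld && echo "http redirect OK"
rm -f "$GOOD" "$BAD" "$REDIR"
```

On the live host: curl -sI https://registry.nic.tld/ > h.txt; audit_headers h.txt, and curl -sI http://registry.nic.tld/ > r.txt; check_redirect r.txt registry.nic.tld. Also capture a page that returns an error status, since nginx omits add_header lines on 4xx/5xx responses unless they carry "always". Finish with sudo ss -ltnp to confirm 8080 and 8443 are bound to 127.0.0.1 only.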