Obsidian-MBPM4
26ce03c6bc
Affected files: .obsidian/plugins/text-extractor/cache/e43841d46b66e6b5f5c8c4667078b649.json .obsidian/workspace.json 99 Work/0 OneSec/OneSecNotes/10 Projects/OneSecServer/OneSec Server.md Attachments/Pasted image 20250922115441.png
25 KiB
25 KiB
We host the server at netcup - Germany, a company that offers VPS. The IP address of our server is 37.120.177.0.
Organisation
Access
The following is the access data to access the server through ssh (part of my ~/.ssh/config file):
Host netcup
HostName v2202204173997187481.hotsrv.de
User root
IdentityFile ~/.ssh/netcup_osd_claudio
Setup
Vinnie, Dannick's Friend, helped me with the setup. I leave the bash history and the zsh history files here as a reference. !bash_history_netcup
I have installed zsh and oh-my-zsh to make the interaction easier
in the cli-history files above you can see how the project got updated, but basically update the project files on a local machine, test everything, push it to gitlab. Then access the server, pull the changes, checkout to the correct version and restart the docker container:
docker compose -f docker-compose.dev.yml down docker compose -f docker-compose.dev.yml up -d --build --force-recreate
Structure
The main folder is called osd_apps, which hosts the web-apps that we're running. We use nginx as a reverse proxy to serve the different web-apps and Docker to run the apps in an appropriate container.
We also use certbot (installed through snap) to keep the certifiates up to date.
The OneSec - FlightReview is hosted at the website testlogs.onesec.com. The authentication is done through a nginx configuration. The credentials can be found on the specified article.
6tunnel
6Tunnel is used to create a translation service for Dannicks NAS. Basically the server (which has a static IPV4 address) forwards requests to a IPV6-address (Dannicks NAS). See history files above for the commands. And make sure that the firewall (ufw) allows the correct ports (32400 in Dannicks case).
Nginx
Nginx is used as a reverse proxy server, that checks incoming traffic and routes it to the correct interface on the server. We can configure it, such that any traffic coming from a certain URI (e.g. testlogs.onesec.com) is rerouted to the localhost:5006. And on this interface we are running a docker container, which hosts the web-app. This means that any traffic coming from testlogs.onesec.com is directed towards the web-app and any other traffic (from the IP for instance) is routed to /var/www/http and a static content is served (default nginx stuff). If another app is added we can have an additional port for that as explained in this article.
Certbot
Certbot is a tool that manages certificates for our webserver. It has a really good integration with nginx. Some more info can be found here. Especially the cron-job for the autorenewal is handy. But cerbot also has a automated way of handling this, as can be seen in the instruction set by digital ocean. Compared to the instructions on the blog article, on our server we've used the following command:
sudo certbot --nginx -d testlogs.onesec.com
Docker
Docker is used to isolate multiple web-apps that are running. A few important things are listed here:
- use the
-dor--detachoption to let it run in the background even if the terminal is disconnected. This ensures that the webapp is running when the setup process is finished.
WebApps
PX4 - Flight Review
A customized version of the official PX4 flight review app is hosted there.
How to add a new WebApp?
- Go to namecheap.com, login and add a new A-record.!
you can see that for the subdomain foxglove and testlogs we have an A-Record 1 to forward to our VPS server (37.120.177.0). Once this is done all traffic gets forwarded to our VPS server where we need to handle it. - Access the servers command line through SSH (see instructions above).
Migrate from Nginx to Caddy
[!Info] Nginx Config
❯ sudo nginx -T | tee ~/nginx-full.conf
grep -R "server_name" /etc/nginx/sites-enabled -n || true
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
load_module modules/ngx_http_auth_pam_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
load_module modules/ngx_http_dav_ext_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
load_module modules/ngx_http_echo_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
load_module modules/ngx_http_subs_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
load_module modules/ngx_http_upstream_fair_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
#root /var/www/html;
# Add index.php to the list if you are using PHP
#index index.html index.htm index.nginx-debian.html;
server_name _;
# auth_basic "Restricted Content";
# auth_basic_user_file /etc/nginx/.htpasswd;
#location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
#}
#
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.3-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
return 444;
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
#server {
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
#root /var/www/html;
# Add index.php to the list if you are using PHP
#index index.html index.htm index.nginx-debian.html;
# server_name flightlogs.onesec.com; # managed by Certbot
# auth_basic "Restricted Content";
# auth_basic_user_file /etc/nginx/.htpasswd;
#location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
#}
#
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.3-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
# return 444;
# listen [::]:443 ssl; # managed by Certbot
# listen 443 ssl; # managed by Certbot
# ssl_certificate /etc/letsencrypt/live/flightlogs.onesec.com/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/flightlogs.onesec.com/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#}
#server {
# if ($host = flightlogs.onesec.com) {
# return 301 https://$host$request_uri;
# } # managed by Certbot
# listen 80 ;
# listen [::]:80 ;
# server_name flightlogs.onesec.com;
# return 404; # managed by Certbot
#}
# configuration file /etc/nginx/sites-enabled/dev.onesecdelivery.com:
server {
server_name dev.onesecdelivery.com;
root /var/www/dev;
index index.html;
location / {
try_files $uri $uri/ =404;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/dev.onesecdelivery.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dev.onesecdelivery.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = dev.onesecdelivery.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name dev.onesecdelivery.com;
listen 80;
return 404; # managed by Certbot
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
# configuration file /etc/nginx/sites-enabled/flight_review:
#server {
# listen 80 default_server;
# return 403;
#}
#server {
# listen 443 default_server;
# return 403;
#}
server {
server_name testlogs.onesec.com;
proxy_connect_timeout 180s;
proxy_read_timeout 180s;
proxy_send_timeout 180s;
charset utf-8;
client_max_body_size 100M;
location / {
proxy_request_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; #:$server_port;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:5006;
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/testlogs.onesec.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/testlogs.onesec.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = testlogs.onesec.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name testlogs.onesec.com;
return 404; # managed by Certbot
}
#server {
# if ($host = testlogs.onesec.com) {
# return 301 https://$host$request_uri;
# } # managed by Certbot
# listen 80;
# listen [::]:80;
# server_name 37.120.177.0;
# return 404; # managed by Certbot
#}
# server { listen 37.120.177.0:5006; return 301 https://testlogs.onesec.com; }
# server { listen 37.120.177.0:5006; return 301 https://testlogs.onesec.com; }
# server {
# listen 5006 default_server;
# listen [::]:5006 default_server;
#
# return 444;
# }
# configuration file /etc/nginx/sites-enabled/flight_review_test:
server {
server_name flightlogs.onesec.com;
proxy_connect_timeout 180s;
proxy_read_timeout 180s;
proxy_send_timeout 180s;
charset utf-8;
client_max_body_size 150M;
location / {
proxy_pass http://localhost:5007/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/flightlogs.onesec.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/flightlogs.onesec.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = flightlogs.onesec.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name flightlogs.onesec.com;
listen 80;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/foxglove:
server {
server_name foxglove.onesec.com;
location / {
proxy_pass http://localhost:8080/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/foxglove.onesec.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/foxglove.onesec.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = foxglove.onesec.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name foxglove.onesec.com;
listen 80;
return 404; # managed by Certbot
}
/etc/nginx/sites-enabled/flight_review_test:3: server_name flightlogs.onesec.com;
/etc/nginx/sites-enabled/flight_review_test:43: server_name flightlogs.onesec.com;
/etc/nginx/sites-enabled/flight_review:13: server_name testlogs.onesec.com;
/etc/nginx/sites-enabled/flight_review:52: server_name testlogs.onesec.com;
/etc/nginx/sites-enabled/flight_review:67:# server_name 37.120.177.0;
/etc/nginx/sites-enabled/dev.onesecdelivery.com:3: server_name dev.onesecdelivery.com;
/etc/nginx/sites-enabled/dev.onesecdelivery.com:30: server_name dev.onesecdelivery.com;
/etc/nginx/sites-enabled/foxglove:3: server_name foxglove.onesec.com;
/etc/nginx/sites-enabled/foxglove:36: server_name foxglove.onesec.com;
/etc/nginx/sites-enabled/default:46: server_name _;
/etc/nginx/sites-enabled/default:89:# server_name example.com;
/etc/nginx/sites-enabled/default:121: # server_name flightlogs.onesec.com; # managed by Certbot
/etc/nginx/sites-enabled/default:170: # server_name flightlogs.onesec.com;
Configuration file '/etc/systemd/resolved.conf'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** resolved.conf (Y/I/N/O/D/Z) [default=N] ? d
--- /etc/systemd/resolved.conf 2022-04-19 08:55:09.981114632 +0200
+++ /etc/systemd/resolved.conf.dpkg-new 2025-06-26 02:44:53.000000000 +0200
@@ -12,13 +12,19 @@
# See resolved.conf(5) for details
[Resolve]
-DNS=46.38.225.230 46.38.252.230 2a03:4000:8000::fce6 2a03:4000:0:1::e1e6
+# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
+# Cloudflare: 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
+# Google: 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
+# Quad9: 9.9.9.9 2620:fe::fe
+#DNS=
#FallbackDNS=
#Domains=
-LLMNR=no
-MulticastDNS=no
-DNSSEC=allow-downgrade
-DNSOverTLS=no
-Cache=yes
-DNSStubListener=yes
-ReadEtcHosts=yes
+#DNSSEC=no
+#DNSOverTLS=no
+#MulticastDNS=yes
+#LLMNR=yes
+#Cache=yes
+#DNSStubListener=yes
+#DNSStubListenerExtra=
+#ReadEtcHosts=yes
+#ResolveUnicastSingleLabel=no
Configuration file '/etc/systemd/resolved.conf'
!
Footnotes
-
An A record maps a domain name to the IP address (Version 4) of the computer hosting the domain. An A record uses a domain name to find the IP address of a computer connected to the internet. The A in A record stands for Address. ↩︎