freeradiantbunny

How to install freeradiantbunny.

      version 3 (2019-12-29)
      version 4 (2021-06-16)
      version 5 (2022-01-28)
      version 6 (2022-07-11)
      version 7 (2022-07-20)
      version 8 (2023-11-07)

Note 1 of 2: We are building a webserver on a hosted operating system in a datacenter. So, note that the whole process is based up the hosting service (Digital Ocean) and note their "droplet" creation instructions: docs.digitalocean.com/products/droplets/how-to/

Note 2 of 2: Before starting this How-To, have your domain registered and ready. The How-To below will ask you for 5 pieces of information:

1. a hostname for your droplet ([hostname]) such as "ubuntu-amd-nyc3-01" or "mydroplet"
2. a domain name ([domain-name]) such as freeradiantbunny.org,
3. a three-letter identifier ([domain-tli]) as an alias for the domain,
4. a username ( [username]) to be created on the new server,
5. a database username ( [database-username]) to be created on the database management system, and
6. a database name ( [database-name]) to be created on the database management system.
7. a password for the database name ([database-password]) to be created on the database management system.
8. a port number ([port-number]) this is the data channel between nginx webserver and the freeradiantbunny application in rust (i.e., the executable file with the file name of freeradiantbunny).

Here we go. This presumes you have logged-in to digitalocean.com and have read the documentation on how to create a droplet. Now, let's create a droplet and install a webserver on it.

Part 1. Create the droplet.

Here we create a virtual server using the on-demand services of the hosting provider digialocean.com. A "droplet" is just a fancy name for a Linux server that will host our webserver.

Go to digitalocean.com website and login. You may need your phone for authentication.
  

Click on "Create" button and (from the dropdown menu) select "Droplets".
  

Then on the webpage select the details of the droplet, using the following to guide your choices.
  

YMMV. The technology changes frequment, so choose according to your needs. In general, select:
  

* select Ubuntu version
  

* select plan: (such as Basic)
  

* select the CPU (such as 1 GB size / 1 cpu / 25 GB NVMe SSDs / 1000 GB transfer)
  

* select datacenter (such as New York 3)
  

* VPC network will have a default (such as (default-nyc3 DEFAULT)
  

* select Authentication "SSH Keys" and do checkboxes (or upload a new SSH key)
  

* optionally select monitoring
  

* input a hostname: example: "[hostname]"
  

* add a tag: such as  "droplet"
  

* if necessary, select a project
  

Then when the selections are done and double-checked, click "Create droplet" button.
  

Go the "Droplets" section of the digitalocean.com website and wait for you droplet to be created. Once it is completed, you will see the IP address of the newly-created droplet.
    

Well, Part 1 is completed. Below, are the main information technology topics that were covered in this part. The infotech is listed in light-blue boxes, and will be at the end of each section, for reference and further study.

Part 2. Login to droplet using ssh.

Welcome to Part 2, where we use a command=line interface (a shell, like the Bash Shell) to login and interact with our droplet's Linux server.

After the droplet is created, navigate on the digitalocean.com webpage that lists your droplets and copy the [ip-address] of the droplet you just created.


Use ssh to login into the website. Open a Terminal and ssh to root@[ip-address] using command below:
$ssh root@[ip-address]
At this point you should have a connection via ssh to your new droplet.

This part may have been quick. Hopefully it was quick.

Part 3. Set up the [username] that will run the webserver.

The webserver needs a user account on the Linux system, so that the person maintaining the server can login and set-up and maintain the webserver. This implies a security system for the sysadmin.

The [username] string serves as the name of the user' account on the server.

This will be the one and only time that the root account is directly accessed via the login. From now on, the server that will host the webserver should be accessed by this user account being created.

Use the following sysadmin commands.

Next, you will use the root user to create a new user that will be the user account used for the droplet. (And the root user will be disabled.)
  

Create the user with the following set of commands:
  

#adduser [username]
  

Next, check to see if the new user account is exists:
  

$id [username]
  

Next, add to sudo group (so the new user has access to sudo command):
  

#usermod -aG sudo [username]
  

Next, check that the user is a member of the sudo group:
  

#id [username]
  

Next, login to the user account to test it:
  

#su - [username]
  

Next, confirm that you are logged in a user:
  

$whoami
  

Next, set up ssh (secure shell) so that you can login into the droplet without a password.
  

First, create a directory with correct permissions:
  

$mkdir .ssh
  

$chmod 700 .ssh
  

Then: use sudo command to cp (copy) root's .ssh/authorized_keys to the new user's .ssh/authoried_keys. Afterward, you may have to change the owner and group of the file with chown command. Finally, fix the permissions.
  

Do the following sysadmin-type commands:
  

$sudo cp /root/.ssh/authorized_keys /home/[username]/.ssh/
  

$sudo chown [username].[username] .ssh/authorized_keys
  

$chmod 600 .ssh/authorized_keys
  

Next, restart the ssh service to enable changes:
  

$sudo service ssh restart
  

Next, everything should be set up for how, so exit the username account and then exit the root account, which effectively logging off the virtual server.
  

$exit
  

#exit
  

Now, test that you can ssh into the new account on the droplet (virtual server).
  

$ssh [username]@[ip-address]
  

That concludes the steps of Part 3. Here are the subjects of knowledge from this part that are up for to study sessions.

Part 4. Update the system software.

Our Linux system yearns for the most updated software packages, so let's go through the steps of updating the software on our virtual server.

    
Login to the droplet, to prepare to update and upgrade the system software.
  

$ssh [username]@[ip-address]
  

Use the apt-get package manager to install software on the droplet Linux system.
  

$sudo apt-get update
  

$sudo apt-get upgrade	

End of Part 4 without much fanfare. But, do not let the wonder of managing the versions of the software on the system with such ease. Perhaps, we choose our Linux distribution according to the merits of the package manager.

Part 5. Install text editor.

You might skip this lesson. Your favorite text editor may already be installed. I happen to enjoy emacs. Here is an optional next step. If you already have a text editor installed, you can skip this part.

Install a text editor.
  

$sudo apt-get install emacs

End of Part 5. We finish by asking: Do you know your editor shortcuts?

Part 6. Install the static website.

Next, add public_[domain-tli] files. These are the files that are the static webpages of the site.

Note, hopefully there is a backup of the file. In this example the directory was named public_[domain-tli]. If this is a new website, a public_[domain-tli] site will have to be created with html, css, and images.

Next, change the ownerships so that the nginx has permission to access the directory. Use the following command:


$ls public_[domain-tli]


$ls public_[domain-tli]/index.html

Part 7. Set up the nginx webserver for static webpages.

It is time to install the webserver. Use nginx for this example.

$sudo apt-get install nginx

Here are some helpful nginx commands. The first set sets up a new nginx config file. Or, you might have a backup nginx config file that you want to install (which is not described here).

Create a new nginx config file.


$sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/[domain-name]


Modify the newly created config file. Edit the file and specify the root directive to the path to the static website in the [user-name] account. For example, /home/[user-name]/public_[domain-tli].


$sudo emacs /etc/nginx/sites-avilable/[domain-name]


Linking the config file.


$cd /etc/nginx/sites-enabled


$sudo ln -s ../site-available/[domain-name] [domain-name]


$sudo rm /etc/nginx/sites-enabled/default


Test the config file.


$sudo nginx -t


Load the updated config file into the running nginx system.


$sudo systemctl reload nginx


Set-up the system so that it starts the nginx system at boot.


$sudo systemctl enable nginx


$sudo systemctl status nginx


The log files for nginx may be useful.


tail /var/log/nginx/access.log


tail /var/log/nginx/error.log

In Part 6, a static website was installed as the default website for the nginx to serve up upon requests.

Open a browser and input the [ip-address] and see if you can see nginx serve up a file.

Setting up a webserver is good fun. That is Part 7. Set some time aside to study nginx.

Part 8. Set up the firewall using ufw.

$sudo ufw allow OpenSSH


$sudo ufw allow http


$sudo ufw allow https


$sudo ufw enable


$sudo ufw status

Part 9. Edit DNS records.

Back on your account with digitalocean.com, the hosting service being used in this example, find the control panel of the droplet, and navigate your droplet's webpage until you locate the DNS records for [domain-name] and edit your DNS records so that the DNS resolves the [domain-name] to point to the [ip-address] of the droplet.

Here are some more detailed instructions, described in the lines below.

Use the browser to see if the http://[domain-name] will find the webserver.

Go to digitalocean.com control panel. Navigate to the "Networking" webpage.

Click on the given droplet and then under DNS records find the "A" record and use the "More" dropdown menu to select "Edit record".

Then, on the DNS records page, change "A" records value to the the droplet.

[If there are no DNS records, the records will have to be creatd. See page that shows the working DNS stuff for digitalocean.]

Next, make sure the digitalocean DNS records for this domain have an A record that points to the correct IP Address.

Part 10. Set up the domain's nameservers.

Deal with the registrar of the [domain-name] and make sure the domain's nameservers point to the nameservers of the droplet.

Note: There may be situations where you need to go to the registrar of the domain_name and change where the nameservers point and make sure that the nameservers point to digitalocean nameservers.

That was the end of Part 10. The World Wide Web and the Internet are modern marvels.

Part 11. Install the SSL Certification so that the website has https.

There may not be an easy way to deal with SSL Certificates, but the technology has become standard. This is a new easy way to create and install SSL Certificate.

Go to letsencrypt and find the certbot. See: https://certbot.eff.org/.

Select server and system in dropdowns and use the following instructions:

Select from dropdowns about webserver (nginx) and system (Ubuntu 20).
  

This document assumes that snapd is already installed.
  

$sudo snap install core;
  

$sudo snap refresh core;
  

$sudo snap install --classic certbot
  

Prepare certbot command:
  

$sudo ln -s /snap/bin/certbot /usr/bin/certbot
  

Get certificate and edit nginx config:
  

$sudo certbot --nginx
  

Now, configure system to automatically renew certificate:
  

$sudo certbot renew --dry-run
  

Use a browser and confirm that it worked by identifying the ssl certification padlock and display.

Use the following website to confirm that the above worked: www.ssllabs.com/ssltest.

Part 12. Install postgresql database management server.

Install postgresql database management system.

Create a database on the postgresql database management system.
  

$sudo apt-get install postgresql
    

Create a user on the database management system. To manage the db system intially, the postgres database [user-name] will be used. In this example, the [user-name] is [database-username].

Here are the two commands that I use. The name of the database is [database-username].
  

$sudo su postgres
Note that the command-line prompt changes to "postgres". Enter psql commands.


It is hard to see what happens, so use the following command to see who the user currently are:


postgres$whoami


OUTPUT:


postgres


Enter the psql command:


psql


postgres=#CREATE DATABASE [database-username];


OUTPUT:


CREATE DATABASE


Remember to substitute [database-password] with your actual secret strong password.


CREATE USER [database-username] WITH ENCRYPTED PASSWORD '[database-password]';


OUTPUT:


GRANT


postgres=#GRANT ALL PRIVILEGES ON DATABASE [database-name] TO [database-username];


OUTPUT:


GRANT


Connect to the new database:


postgres=#\c [database-username]


postgres=#GRANT ALL ON SCHEMA public to [database-username];


OUTPUT:


GRANT


Now, check that the database exists by listing the databases.


postgres#\list


Also, test by connecting to the database and listing the tables.


postgres#\connect [database-name]


OUTPUT:


You are now connected to database "[database-name]" as user "postgres".


frb_stable#\d


OUTPUT:


Did not find any relations.


No tables! So, let's install the database schema and create some tables in our database.


This is OK for now, exit psql.


frb_stable#\q


Exit postgres user account.


postgres$exit

Very powerful stuff indeed. Database-backed website rule! Go rational databases!

Part 13. Insert freeradiantbunny tables into the database.

Now that a database management system is installed, it is time to add a database schema to via SQL statements, effectively adding an instance of a database.

Create a directory for database files.
  

$mkdir ~/db
  

$mkdir ~/db/[domain-tli]_db
  

$mkdir ~/db/[domain-tli]_db/backups
  

Edit the sql file so that it knows your database user.
  

Assumes a database schema: db_schema.sql

Note: In the db_schema.sql file, replace the string "YOUR_USERNAME_HERE" with your [database-username].

Install the schema into the [database-name] database as follows:

$psql [database-name] -U [database-username] < db_schema.sql 2> errors.txt
  

When the process is completed, you can read the errors.txt file for any problems that may need to be corrected.
  

$cat errors.txt
  

OUTPUT:
  

sql: error: FATAL:  Peer authentication failed for user "[database-username]"

To fix the "peer authentication" error, edit the postgresql config file and change the authentication protocol.

Note, the postgresql version may change, so if (n the path below) the "/15" directory does not exist, find out the new postgresql version and try that version.

sudo emacs /etc/postgresql/15/main/pg_hba.conf
  

On the given line below, change from 'peer' to 'md5'
  

# old
#local   all             all                   peer
  

# new
local    all             all                   md5
  

Now, restart the server so that the changes are used.
  

sudo systemctl restart postgresql
  

Add the following dot file to the home directory in order to automate the postgresql password.
  

Install ~/.pgpass
  

chmod 600 ~/.pgpass
  

Now, there should be tables to list.
  

$psql [database-name] -U [database-username]
  

List the relations (tables) in the database.
  

[database-name]#\dt
  

OUTPUT:
  

(A list of tables.)
  

For now, exit psql.
  

[database-name]#\q

Part 14. Set up daily database backups using perl scripts and cron scheduler.

Now, set up the system so that the database data is saved to a backup. Do this by installing a perl script that creates database backups.

      db_backup.pl
    

Set up a cron job so that the database is dumped once a day.

      $crontab -e
    

Note: see below for the text to add to the crontab:

0 2 * * * /home/[user-name]/db/[domain-tli]_db/db_backup.pl >> /home/[user-name]/logs/cron_db_backup_log.txt
    

Next: Install the file ~/db/[domain-tli]_db/db_backup.pl.

Next: Create this file with command: touch ~/logs/cron_db_backup_log.txt.

Next: so that the system when using cron is allowed to use a psql command add the following file.

On local system, update the names contained within:
$emacs ~/.pgpass
    

Part 14 helps reduce the risks of losing data, by setting up our system to automatically backup our database.

Part 22. Upload .bash_aliases file.

Find the bash_aliases on local machine (or backup) and upload.

Part 23. Reboot

When testing the system in the browser, it is prudent to test the rebooting of the system. So, reboot the system.

      $sudo poweroff
    

Go to the digitalocean panel for the droplet and power on the server.

Part 24. Test the Stack

Part 24 of the "How To Install freeradiantbunny" process is completed. This is a good time to reflect upon the applications in the stack. Next, is Part 25 where we consider the reverse proxy part of the technology stack.

Part 25: How to Install freeradiantbunny (version in Rust programming language)

last edited 2023-11-08.

[to docs home]