Secure Moodle on Raspberry Pi Model 2, Gentoo Linux and Nginx server
Hi,
I want to share my experiences from installing Moodle on Raspberry Pi Model 2 hardware, which runs the Gentoo Linux operating system and the Nginx web server. It can be reached here: [1]
First I installed Gentoo Linux on my Raspberry Pi Model 2 hardware by following this guide: [2]
Then I installed and set up the Nginx web server by following these guides: [3] [4]
My nginx.conf file is:

    user nginx nginx;
    worker_processes 1;

    error_log /var/log/nginx/error_log info;

    events {
        worker_connections 1024;
        use epoll;
    }

    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        log_format main
            '$remote_addr - $remote_user [$time_local] '
            '"$request" $status $bytes_sent '
            '"$http_referer" "$http_user_agent" '
            '"$gzip_ratio"';

        client_max_body_size 15m;
        client_header_timeout 10m;
        client_body_timeout 10m;
        send_timeout 10m;
        connection_pool_size 256;
        client_header_buffer_size 1k;
        large_client_header_buffers 4 2k;
        request_pool_size 4k;

        gzip off;

        output_buffers 1 32k;
        postpone_output 1460;

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;

        keepalive_timeout 75 20;

        ignore_invalid_headers on;

        index index.html index.php;

        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

        server {
            listen 443 ssl http2;
            listen [::]:443 ssl http2;
            server_name www.cspl.hu;
            root /var/www/localhost/htdocs;

            location = /KisTechTavOktKulcsosPicike.ico {
                log_not_found off;
                access_log off;
            }

            ssl_certificate /etc/ssl/certs/chained.pem;
            ssl_certificate_key /etc/ssl/private/domain.key;
            ssl_session_timeout 5m;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
            ssl_session_cache shared:SSL:50m;
            ssl_dhparam /etc/ssl/certs/dhparam.pem;
            ssl_prefer_server_ciphers on;

            access_log /var/log/nginx/localhost.access_log main;
            error_log /var/log/nginx/localhost.error_log info;
            access_log /var/log/nginx/localhost.ssl_access_log main;
            error_log /var/log/nginx/localhost.ssl_error_log info;

            location ~ [^/]\.php(/|$) {
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                if (!-f $document_root$fastcgi_script_name) {
                    return 404;
                }
                fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                include fastcgi.conf;
            }

            location /dataroot/ {
                internal;
                alias /var/www/localhost/moodle/;   # ensure the path ends with /
            }

            location /moodlelib/ {
                internal;
                alias /var/www/localhost/htdocs/moodle/lib/;   # ensure the path ends with /
            }

            location /moodlepix/ {
                internal;
                alias /var/www/localhost/htdocs/moodle/pix/;   # ensure the path ends with /
            }

            location /moodletheme/ {
                internal;
                alias /var/www/localhost/htdocs/moodle/theme/;   # ensure the path ends with /
            }
        }

        server {
            listen 80;
            listen [::]:80;
            server_name www.cspl.hu;
            return 301 https://$server_name$request_uri;
        }
    }
My fastcgi.conf file is:

    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;

    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT $document_root;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param REQUEST_SCHEME $scheme;
    fastcgi_param HTTPS $https if_not_empty;

    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;

    # PHP only, required if PHP was built with --enable-force-cgi-redirect
    fastcgi_param REDIRECT_STATUS 200;
My fastcgi_params file is:

    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;

    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT $document_root;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param REQUEST_SCHEME $scheme;
    fastcgi_param HTTPS $https if_not_empty;

    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;

    # PHP only, required if PHP was built with --enable-force-cgi-redirect
    fastcgi_param REDIRECT_STATUS 200;
I obtained a certificate from here: [5]
Finally, I did the following, in this order:

- remove the previous moodle installation with the help of webapp-config:

    webapp-config -C moodle 3.2.3

  (I had installed version 3.2.3 of Moodle before moving my Moodle site from HTTP to HTTPS)

- remove the Gentoo moodle package with emerge:

    emerge --depclean www-apps/moodle

- uninstall, then install again the webapp-config package because of ghost installs (look here for this: [6]):

    emerge --unmerge app-admin/webapp-config
    rm -rf /var/db/webapps/
    emerge -a app-admin/webapp-config
    dispatch-conf

  here I chose 'u' but then had to edit /etc/vhosts/webapp-config:

    vhost_server="nginx"

- install the moodle package again (but this one is the newer 3.3.1 version):

    emerge -a www-apps/moodle
    webapp-config -I moodle 3.3.1

  after installation I got the message 'POST-INSTALL INSTRUCTIONS', which is a guide on how to proceed with the Moodle site installation, e.g. about mysql and postgresql databases, commands to run, etc.

- set up the config.php file:
My config.php file is:
    <?php
    unset($CFG);  // Ignore this line
    global $CFG;  // This is necessary here for PHPUnit execution
    $CFG = new stdClass();

    $CFG->dbtype    = 'pgsql';            // 'pgsql', 'mariadb', 'mysqli', 'mssql', 'sqlsrv' or 'oci'
    $CFG->dblibrary = 'native';           // 'native' only at the moment
    $CFG->dbhost    = 'localhost';        // eg 'localhost' or 'db.isp.com' or IP
    $CFG->dbname    = 'moodle';           // database name, eg moodle
    $CFG->dbuser    = 'postgres';         // your database username
    $CFG->dbpass    = 'secret_password';  // your database password
    $CFG->prefix    = 'mdl_';             // prefix to use for all table names
    $CFG->dboptions = array(
        'dbpersist' => false,       // should persistent database connections be
                                    // used? set to 'false' for the most stable
                                    // setting, 'true' can improve performance
                                    // sometimes
        'dbsocket'  => '/var/run/postgresql/',  // should connection via UNIX socket be used?
                                    // if you set it to 'true' or custom path
                                    // here set dbhost to 'localhost',
                                    // (please note mysql is always using socket
                                    // if dbhost is 'localhost' - if you need
                                    // local port connection use '127.0.0.1')
        'dbport'    => '',          // the TCP port number to use when connecting
                                    // to the server. keep empty string for the
                                    // default port
    );

    $CFG->wwwroot  = 'https://www.cspl.hu/moodle';
    $CFG->dataroot = '/var/www/localhost/moodle';
    $CFG->directorypermissions = 02777;
    $CFG->admin    = 'admin';

    $CFG->slasharguments = true;
    $CFG->xsendfile = 'X-Accel-Redirect';
    $CFG->xsendfilealiases = array(
        '/dataroot/'    => $CFG->dataroot,
        '/moodlelib/'   => '/var/www/localhost/htdocs/moodle/lib',
        '/moodlepix/'   => '/var/www/localhost/htdocs/moodle/pix',
        '/moodletheme/' => '/var/www/localhost/htdocs/moodle/theme'
    );

    require_once(dirname(__FILE__) . '/lib/setup.php'); // Do not edit
    ?>
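The X-Accel-Redirect setup only works, and only stays private, when every prefix in $CFG->xsendfilealiases has an nginx location that is marked internal and whose alias ends with / and points at the same directory. The following checker is an added example, not code from the post or from Moodle; the function names parse_nginx, parse_moodle and check are my own, and the sample fragments are constructed (shortened from the post, with /moodlepix/ and /moodletheme/ deliberately wrong so the checker has something to report).

```python
import re

# Constructed sample fragments (shortened from the post); /moodlepix/ lacks
# "internal" and a trailing slash, and /moodletheme/ has no nginx location.
NGINX_CONF = """
location /dataroot/ { internal; alias /var/www/localhost/moodle/; }
location /moodlelib/ { internal; alias /var/www/localhost/htdocs/moodle/lib/; }
location /moodlepix/ { alias /var/www/localhost/htdocs/moodle/pix; }
"""
CONFIG_PHP = """
$CFG->dataroot = '/var/www/localhost/moodle';
$CFG->xsendfilealiases = array(
    '/dataroot/' => $CFG->dataroot,
    '/moodlelib/' => '/var/www/localhost/htdocs/moodle/lib',
    '/moodlepix/' => '/var/www/localhost/htdocs/moodle/pix',
    '/moodletheme/' => '/var/www/localhost/htdocs/moodle/theme'
);
"""
LOC_RE = re.compile(r"location\s+(/\S+/)\s*\{([^}]*)\}")
ALIAS_RE = re.compile(r"'(/[^']+/)'\s*=>\s*(\$CFG->dataroot|'([^']*)')")

def parse_nginx(conf):
    """URI prefix -> (marked internal?, alias path) for each location block."""
    out = {}
    for prefix, body in LOC_RE.findall(conf):
        m = re.search(r"alias\s+(\S+?);", body)
        out[prefix] = ("internal;" in body, m.group(1) if m else None)
    return out

def parse_moodle(php):
    """URI prefix -> filesystem path from $CFG->xsendfilealiases."""
    dataroot = re.search(r"\$CFG->dataroot\s*=\s*'([^']+)'", php).group(1)
    return {p: (dataroot if v.startswith("$CFG") else lit)
            for p, v, lit in ALIAS_RE.findall(php)}

def check(conf, php):
    """List each prefix Moodle may emit in X-Accel-Redirect that nginx would
    not serve privately from the same directory; [] means they agree."""
    problems, nginx = [], parse_nginx(conf)
    for prefix, fs_path in parse_moodle(php).items():
        if prefix not in nginx:
            problems.append(f"{prefix}: no nginx location")
            continue
        internal, alias = nginx[prefix]
        if not internal:  # without it any client can request the files directly
            problems.append(f"{prefix}: location not marked internal")
        if not alias or not alias.endswith("/"):
            problems.append(f"{prefix}: alias missing or not ending with /")
        elif alias.rstrip("/") != fs_path.rstrip("/"):
            problems.append(f"{prefix}: alias {alias} != {fs_path}")
    return problems
```

Run it over the real nginx.conf and config.php (read as strings) after each change to either file; an empty list is the expected result.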
Finally, I would like to thank those people who helped me: Matteo Scaramuccia, Ken Task, and many others too.
--Pál Csányi (talk) 04:01, 22 July 2017 (AWST)