From 1aebf76c85ecadda9241bdf515750caa8164213c Mon Sep 17 00:00:00 2001
From: David Luevano Alvarado
My setup is exposed to the public, and as always is heavily based on previous entries as described in Prerequisites. Descriptions on setting up MariaDB (preferred MySQL replacement for Arch) and PHP are written in this entry as this is the first time I’ve needed them.
+Everything here is performed in arch btw and all commands should be run as root unless stated otherwise.
+If you want to expose to a (sub)domain, then similar to my early tutorial entries (specially the website for the reverse proxy plus certificates):
+nginx
for the reverse proxy.certbot
for the SSL certificates.yay
to install AUR packages.privatebin
and yourls
(or whatever you want to call them).MariaDB is a drop-in replacement of MySQL.
+Install the mariadb
package:
pacman -S mariadb
+
+Before starting/enabling the systemd service run:
+mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
+
+start
/enable
the mariadb.service
:
systemctl start mariadb.service
+systemctl enable mariadb.service
+
+Run and follow the secure installation script before proceding any further:
+mariadb-secure-installation
+
+Change the binding address so the service listens on localhost
only by modifying /etc/my.cnf.d/server.cnf
:
[mariadb]
+bind-address = localhost
+
+To use mariadb
simply run the command and it will try to login with the corresponding linux user running it. The general login command is:
mariadb -u <username> -p <database_name>
+
+The database_name
is optional. It will prompt a password input field.
Using mariadb
as root, create users with their respective database if needed with the following queries:
MariaDB> CREATE USER '<username>'@'localhost' IDENTIFIED BY '<password>';
+MariaDB> CREATE DATABASE <database_name>;
+MariaDB> GRANT ALL PRIVILEGES ON <database_name>.* TO '<username>'@'localhost';
+MariaDB> quit
+
+The database_name
will depend on how YOURLS and PrivateBin are configured, that is if the services use a separate database and/or table prefixes are used.
PHP is a general-purpose scripting language that is usually used for web development, which was supposed to be ass for a long time but it seems to be a misconseption from the old times.
+Install the php
, php-fpm
, php-gd
packages:
pacman -S php php-fpm php-gd
+
+start
/enable
the php-fpm.service
:
systemctl start php-fpm.service
+systemctl enable php-fpm.service
+
+Only showing changes needed, main config file is located at /etc/php/php.ini
, or drop-in files can be placed at /etc/php/conf.d/
instead.
Set timezone (list of timezones):
+date.timezone = Europe/Berlin
+
+Enable the gd
and mysql
extensions:
extension=gd
+extension=pdo_mysql
+extension=mysqli
+
+Create a PHP specific config that can be reusable at /etc/nginx/php_fastcgi.conf
:
location ~ \.php$ {
+ # required for yourls
+ add_header Access-Control-Allow-Origin $http_origin;
+
+ # 404
+ try_files $fastcgi_script_name =404;
+
+ # default fastcgi_params
+ include fastcgi_params;
+
+ # fastcgi settings
+ fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
+ fastcgi_index index.php;
+ fastcgi_buffers 8 16k;
+ fastcgi_buffer_size 32k;
+
+ # fastcgi params
+ fastcgi_param DOCUMENT_ROOT $realpath_root;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ #fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
+}
+
+This then can be imported by any server
directive that needs it.
YOURLS is a self-hosted URL shortener that is supported by PrivateBin.
+Install from the AUR with yay
:
yay -S yourls
+
+Create a new user and database as described in MariaDB: Create users/databases.
+The default configuration file is self explanatory, it is located at /etc/webapps/yourls/config.php
.
Set the user/database YOURLS will use and either create a cookie or get one from URL provided. It is important to change the $yours_user_passwords
variable, YOURLS will hash the passwords on login so it is not stored in plaintext. Password hashing can be disabled with:
define( 'YOURLS_NO_HASH_PASSWORD', true );
+
+I also changed the “shortening method” to 62
to include more characters:
define( 'YOURLS_URL_CONVERT', 62 );
+
+Lastly, the $yourls_reserved_URL
variable will need more blacklisted words depending on the use-case. YOURLS_SITE
needs to match whatever is set in nginx
.
Create a yourls.conf
at the usual sites-<available/enabled>
path for nginx
:
server {
+ listen 80;
+ root /usr/share/webapps/yourls/;
+ server_name short.yourdomain.com;
+ index index.php;
+
+ location / {
+ try_files $uri $uri/ /yourls-loader.php$is_args$args;
+ }
+
+ include /etc/nginx/php_fastcgi.conf;
+}
+
+Make sure the following header is included in the php
‘s nginx
location block described in YOURLS: Nginx:
add_header Access-Control-Allow-Origin $http_origin;
+
+Create/extend the certificate by running:
+certbot --nginx
+
+Restart the nginx
service for changes to take effect:
systemctl restart nginx.service
+
+PrivateBin is a minimalist self-hosted alternative to pastebin.
+Install from the AUR with yay
:
yay -S privatebin
+
+Create a new user and database as described in MariaDB: Create users/databases.
+This heavily depends on personal preference, all defaults are fine. Make a copy of the sample config template:
+cp /etc/webapps/privatebin/conf.sample.php /etc/webapps/privatebin/conf.php
+
+The most important changes needed are basepath
according to the privatebin
URL and the [model]
and [model_options]
to use MySQL instead of plain filesystem files:
[model]
+; example of DB configuration for MySQL
+class = Database
+[model_options]
+dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
+tbl = "privatebin_" ; table prefix
+usr = "privatebin"
+pwd = "<password>"
+opt[12] = true ; PDO::ATTR_PERSISTENT
+
+Any other [model]
or [model_options]
needs to be commented out (for example, the default filesystem setting).
I recommend creating a separate user for privatebin
in yourls
by modifying the $yours_user_passwords
variable in yourls
config file. Then login with this user and get the signature
from the “Tools” section in the admin page, for more: YOURLS: Passwordless API.
For a “private” yourls
installation (that needs username/pasword), set urlshortener
:
urlshortener = "https://short.example.com/yourls-api.php?signature=xxxxxxxxxx&action=shorturl&format=json&url="
+
+Note that this will expose the signature
in the HTTP requests and anybody with the signature can use it to shorten external URLs.
To deny access to some bots/crawlers, PrivateBin provides a sample .htaccess
, which is used in Apache. We need an Nginx version, which I found here.
Add the following at the beginning of the http
block of the /etc/nginx/nginx.conf
file:
http {
+ map $http_user_agent $pastebin_badagent {
+ ~*bot 1;
+ ~*spider 1;
+ ~*crawl 1;
+ ~https?:// 1;
+ WhatsApp 1;
+ SkypeUriPreview 1;
+ facebookexternalhit 1;
+ }
+
+ #...
+}
+
+Create a privatebin.conf
at the usual sites-<available/enabled>
path for nginx
:
server {
+ listen 80;
+ root //usr/share/webapps/privatebin/;
+ server_name bin.yourdomain.com;
+ index index.php;
+
+ if ($pastebin_badagent) {
+ return 403;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ include /etc/nginx/php_fastcgi.conf;
+}
+
+Create/extend the certificate by running:
+certbot --nginx
+
+Restart the nginx
service for changes to take effect:
systemctl restart nginx.service
+
]]>
+