Advanced Configuration on Ubuntu

Johannes Wilm edited this page Nov 12, 2018 · 11 revisions

(Tested with Ubuntu 16.04/18.04)

To start, follow the simple install instructions. This lets you run Fidus Writer for testing purposes on port 8000. To make this setup more stable, follow the instructions below.

We assume here that you install everything as the user ubuntu and that you put the fiduswriter folder in your home folder (so the path is /home/ubuntu/fiduswriter). Adjust these instructions as needed.

Automatic restart of server

  1. To get Fidus Writer to start automatically, install supervisor:

    sudo apt-get install supervisor

  2. Create a bash script to automatically start Fidus Writer in its virtual environment:

    /home/ubuntu/run_fiduswriter.sh:

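     #!/bin/bash
     # Activate the virtual environment, then replace this shell with the server
     # process so that supervisor supervises (and signals) Fidus Writer directly.
     source /home/ubuntu/venv/bin/activate
     exec /home/ubuntu/fiduswriter/manage.py runserver "$1"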
    
  3. Make the script executable:

    chmod +x /home/ubuntu/run_fiduswriter.sh

  4. Create a supervisor configuration file for Fidus Writer:

    /etc/supervisor/conf.d/fidus.conf:

     [program:tornado-80]
     command=/home/ubuntu/run_fiduswriter.sh 8000
     stderr_logfile = /home/ubuntu/tornado-stderr.log
     stdout_logfile = /home/ubuntu/tornado-stdout.log
    
  5. Restart supervisor:

    sudo service supervisor restart

Now Fidus Writer should always run on port 8000. You can try to kill it and see whether supervisor starts a new instance by running:

    sudo killall python

Proxy Fidus Writer on port 80 using nginx

  1. Install nginx:

    sudo apt-get install nginx

  2. Add a configuration file for fidus, where [SERVER_ADDRESS] is the address of your server:

    /etc/nginx/sites-available/fidus:

     server {
         listen 80;
         server_name [SERVER_ADDRESS];
         location / {
             proxy_pass http://127.0.0.1:8000;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header Host $host;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
             # WebSocket support (nginx 1.4)
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "upgrade";
         }
    
     }
    
  3. Create a link inside of /etc/nginx/sites-enabled/:

    sudo ln -s /etc/nginx/sites-available/fidus /etc/nginx/sites-enabled/fidus

  4. Restart nginx:

    sudo service nginx restart

Serve static files with never-expire headers on NGINX.

  1. In the configuration.py file in your fiduswriter folder, specify where static files are to be collected:

     STATIC_ROOT = '/home/fidus/django-static/'
    
  2. Run this every time you update the sources after transpiling them:

    ./manage.py collectstatic

  3. In /etc/nginx/sites-available/fidus, add directives to serve the static files directly with a never-expire header:

     location /static/ {
         alias /home/fidus/django-static/;
         expires max;
     }
    
  4. Restart NGINX:

    sudo service nginx restart

Proxy over HTTPS using a free certificate from letsencrypt

  1. Install letsencrypt:

    sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

  2. Create a dir for letsencrypt:

    mkdir /home/ubuntu/letsencrypt

  3. Change your nginx configuration to be able to receive letsencrypt requests:

    /etc/nginx/sites-available/fidus:

     server {
         listen 80;
         server_name [SERVER_ADDRESS];
    
         location /.well-known/acme-challenge {
             root /home/ubuntu/letsencrypt;
         }
    
         location / {
             proxy_pass http://127.0.0.1:8000;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header Host $host;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
    
             # WebSocket support (nginx 1.4)
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "upgrade";
         }
    
     }
    
  4. Restart nginx:

    sudo service nginx restart

  5. Set a locale temporarily (due to a bug in Ubuntu 16.04):

    export LC_ALL="C"

  6. Initiate certification process/installation:

    sudo /opt/letsencrypt/letsencrypt-auto certonly

    Choose: Place files in webroot directory (webroot) -> [SERVER_ADDRESS] -> Enter a new web root -> /home/ubuntu/letsencrypt

  7. Start crontab editor:

    sudo crontab -e

  8. In the editor, add lines for getting a new certificate and reloading nginx:

     30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew --webroot-path /home/ubuntu/letsencrypt >> /var/log/le-renew.log
     35 2 * * 1 /etc/init.d/nginx reload
    
  9. Change nginx configuration file:

    /etc/nginx/sites-available/fidus:

     server {
         # "listen ... ssl" replaces the deprecated "ssl on;" directive
         listen 443 ssl;
         server_name [SERVER_ADDRESS];
    
         ssl_certificate /etc/letsencrypt/live/[SERVER_ADDRESS]/fullchain.pem;
         ssl_certificate_key /etc/letsencrypt/live/[SERVER_ADDRESS]/privkey.pem;
    
         location /.well-known/acme-challenge {
             root /home/ubuntu/letsencrypt;
         }
    
         location / {
             proxy_pass http://127.0.0.1:8000;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header Host $host;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
    
             # WebSocket support (nginx 1.4)
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "upgrade";
         }
    
     }
    
     server {
         listen 80;
         server_name [SERVER_ADDRESS];
         return 301 https://$host$request_uri;
     }
    
  10. Restart nginx:

    sudo service nginx restart

Adding two-factor authentication to the admin page

  1. Within the virtualenv, add the relevant Python packages:

    pip install django-otp
    pip install qrcode

  2. In configuration.py, add this to INSTALLED_APPS:

     'django_otp',
     'django_otp.plugins.otp_totp',

  3. Also add this code to configuration.py:

     # Make sure MIDDLEWARE exists before extending it
     try:
         MIDDLEWARE
     except NameError:
         MIDDLEWARE = ()

     MIDDLEWARE += (
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django_otp.middleware.OTPMiddleware'
     )

     OTP_TOTP_ISSUER = 'Fidus Writer' # Add your own organization here

  4. Create a file local_settings.py and add this content to it:

     from django.contrib.admin.apps import AdminConfig

     class FidusConfig(AdminConfig):
         default_site = 'django_otp.admin.OTPAdminSite'

  5. Run:

    ./manage.py migrate

  6. Restart Fidus Writer.

  7. Log into the admin interface. Under "TOTP devices" click add and create an entry for your Google Authenticator.

  8. Scan the qrcode that appears on the screen with your phone.

  9. In configuration.py, add to INSTALLED_APPS:

     'local_settings.FidusConfig',

  10. Below the INSTALLED_APPS section, add this in configuration.py:

     INSTALLED_APPS.remove('django.contrib.admin')

  11. Restart Fidus Writer.