diff --git a/docs/guides/cms/cloud_server_using_nextcloud.md b/docs/guides/cms/cloud_server_using_nextcloud.md
index 5d78f5ce72..3eb2980dd9 100644
--- a/docs/guides/cms/cloud_server_using_nextcloud.md
+++ b/docs/guides/cms/cloud_server_using_nextcloud.md
@@ -2,7 +2,10 @@
title: Cloud Server Using Nextcloud
author: Steven Spencer
contributors: Ezequiel Bruni
-update: Jan-16-2022
+tested with: 8.5
+tags:
+ - cloud
+ - nextcloud
---
# Cloud Server Using Nextcloud
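Review bot: the `update: Jan-16-2022` field is dropped here rather than replaced, so the page loses its last-revised date; keep it (or a `date:` equivalent) alongside the new `tested with: 8.5` line. Also note that this patch writes the key as `tested with:` in this and the other new front-matter blocks but micro.md already uses `tested version: 8.5`; pick one spelling across the repo so the front-matter schema stays consistent.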
@@ -32,7 +35,7 @@ There are several steps here that are the same regardless of which install metho
## Nextcloud - Module Method
-Why use the Nextcloud module? After enabling the module we can then install Nextcloud, which will download nearly all of the dependencies for you. You will still have to install your database of choice (mariadb, postgresql, or sqlite) but your web platform will be handled by the Nextcloud packages, as well as any back-end scripts. The downside to this particular method is that you lose control over where you want Nextcloud to install.
+Why use the Nextcloud module? After enabling the module we can then install Nextcloud, which will download nearly all of the dependencies for you. You will still have to install your database of choice (mariadb, postgresql, or sqlite) but your web platform will be handled by the Nextcloud packages, as well as any back-end scripts. The downside to this particular method is that you lose control over where you want Nextcloud to install.
When operating a bunch of servers or containers with web applications on them, a Systems Administrator would prefer to look for things in the same spot, not try to keep up with where package 'A' installed itself as opposed to package 'B'.
@@ -149,7 +152,7 @@ We also need a special empty file so that we can install Nextcloud. This file re
#### Configuring PHP
-We need to set the timezone for PHP. To do this, open up php.ini with your test editor of choice:
+We need to set the timezone for PHP. To do this, open up php.ini with your text editor of choice:
`vi /etc/php.ini`
@@ -219,7 +222,7 @@ Once you have all this, click `Finish Setup` and you should be up and running.
### Notes for the Systems Administrator
-As noted earlier, if using the module install for Nextcloud, Nextcloud is going to put things where it thinks they should be, not where the Systems Administrator might go looking for them. For this reason, as part of the setup steps, I recommend that a README.txt file be created in each location where the Systems Administrator would logically look.
+As noted earlier, if using the module install for Nextcloud, Nextcloud is going to put things where it thinks they should be, not where the Systems Administrator might go looking for them. For this reason, as part of the setup steps, I recommend that a README.txt file be created in each location where the Systems Administrator would logically look.
I came from an environment where we used `/etc/httpd/sites-enabled` for configuration files (see the alternate install steps for more) and put our web files in `/var/www/sub-domains/[site_name]/html`. If I were to use the module install of Nextcloud, then, I would want to put a README.txt file in both locations.
@@ -374,7 +377,7 @@ There are a couple of things that we want to do differently than the defaults th
Now cross your fingers and click "Finish Setup".
-The browser window will refresh for a bit and then usually not reload the site. Enter your URL in the browser window again and you should be confronted with the default first pages.
+The browser window will refresh for a bit and then usually not reload the site. Enter your URL in the browser window again and you should be confronted with the default first pages.
Your administrative user is already (or should be) logged in at this point, and there are several informational pages designed to get you up to speed. The "Dashboard" is what users will see when they first login. The administrative user can now create other users, install other applications and many other tasks.
diff --git a/docs/guides/cms/dokuwiki_server.md b/docs/guides/cms/dokuwiki_server.md
index 85527a71f1..e19018b3f1 100644
--- a/docs/guides/cms/dokuwiki_server.md
+++ b/docs/guides/cms/dokuwiki_server.md
@@ -1,8 +1,18 @@
+---
+title: DokuWiki
+author: Steven Spencer
+contributors: Ezequiel Bruni
+tested with: 8.5
+tags:
+ - wiki
+ - documentation
+---
+
# DokuWiki Server
-# Prerequisites And Assumptions
+## Prerequisites And Assumptions
-* A Rocky Linux instance installed on a server, container, or virtual machine.
+* A Rocky Linux instance installed on a server, container, or virtual machine.
* Comfort with modifying configuration files from the command line with an editor (our examples here will use _vi_, but you can substitute your favorite editor)
* Some knowledge about web applications and setup.
* Our example will use the [Apache Sites Enabled](../web/apache-sites-enabled.md) for setup, so it is a good idea to review that routine if you plan on following along.
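Review bot: the new front matter sets `title: DokuWiki` while the H1 directly below remains `# DokuWiki Server`; align the two so the navigation entry and the page heading match (the other files in this patch keep them identical, e.g. `Cloud Server Using Nextcloud`).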
@@ -10,16 +20,14 @@
* We will assume throughout this document that you are the root user or can get there with _sudo_.
* We are assuming a fresh install of the OS, however that is **NOT** a requirement.
-# Introduction
+## Introduction
-Documentation can take many forms in an organization. Having a repository that you can reference for that documentation is invaluable. A wiki (which means _quick_ in Hawaiian), is a way to keep documentation, process notes, corporate knowledge bases, and even code examples, in a centralized location. IT professionals who maintain a wiki, even secretly, have a built-in insurance policy against forgetting an obscure routine.
+Documentation can take many forms in an organization. Having a repository that you can reference for that documentation is invaluable. A wiki (which means _quick_ in Hawaiian), is a way to keep documentation, process notes, corporate knowledge bases, and even code examples, in a centralized location. IT professionals who maintain a wiki, even secretly, have a built-in insurance policy against forgetting an obscure routine.
-DokuWiki is a mature, fast, wiki that runs without a database, has built in security features, and is relatively easy to deploy. For more information on what DokuWiki can do, check out their [web page](https://www.dokuwiki.org/dokuwiki).
+DokuWiki is a mature, fast, wiki that runs without a database, has built in security features, and is relatively easy to deploy. For more information on what DokuWiki can do, check out their [web page](https://www.dokuwiki.org/dokuwiki).
DokuWiki is just one of many wiki's available, though it's a pretty good one. One big pro is that DokuWiki is relatively lightweight and can run on a server that is already running other services, provided you have space and memory available.
-# Installation
-
## Installing Dependencies
The minimum PHP version for DokuWiki is now 7.2, which is exactly what Rocky Linux 8 comes with. We are specifying packages here that may already be installed:
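Review bot: the `# Installation` heading is deleted outright instead of being demoted, so `## Installing Dependencies` and the install steps that follow it become top-level siblings of `## Introduction` and lose their grouping. This is inconsistent with the later hunk in this file, where `# Securing DokuWiki` is demoted to `##` and its children (`Your Firewall`, `SSL`) to `###`. Suggest keeping `## Installation` and demoting its subsections to `###`, or at least treating both sections the same way.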
@@ -77,7 +85,7 @@ That configuration file should look something like this:
Note that the "AllowOverride All" above, allows the .htaccess (directory specific security) file to work.
-Go ahead an link the configuration file into sites-enabled, but don't start web services as yet:
+Go ahead and link the configuration file into sites-enabled, but don't start web services as yet:
`ln -s /etc/httpd/sites-available/com.yourdomain.wiki-doc /etc/httpd/sites-enabled/`
@@ -93,7 +101,7 @@ In your server, change to the root directory.
`cd /root`
-Now that we have our environment ready to go, let's get the latest stable version of DokuWiki. You can find this by going to [the download page](https://download.dokuwiki.org/) and on the left-hand side of the page under "Version" you will see "Stable (Recommended) (direct link)."
+Now that we have our environment ready to go, let's get the latest stable version of DokuWiki. You can find this by going to [the download page](https://download.dokuwiki.org/) and on the left-hand side of the page under "Version" you will see "Stable (Recommended) (direct link)."
Right-click on the "(direct link)" portion of this and copy the link address. In the console of your DokuWiki server, type "wget" and a space and then paste in your copied link in the terminal. You should get something like this:
@@ -112,7 +120,7 @@ dokuwiki-2020-07-29/inc/lang/fr/draft.txt
dokuwiki-2020-07-29/inc/lang/fr/recent.txt
... (more below)
```
-We don't want that leading named directory when we decompress the archive, so we are going to use some options with tar to exclude it. The first option is the "--strip-components=1" which removes that leading directory.
+We don't want that leading named directory when we decompress the archive, so we are going to use some options with tar to exclude it. The first option is the "--strip-components=1" which removes that leading directory.
The second option is the "-C" option, and that tells tar where we want the archive to be decompressed to. So decompress the archive with this command:
@@ -120,7 +128,7 @@ The second option is the "-C" option, and that tells tar where we want the archi
Once we have executed this command, all of DokuWiki should be in our _DocumentRoot_.
-We need to make a copy of the _.htaccess.dist_ file that came with DokuWiki and keep the old one there too, in case we need to revert to the original in the future.
+We need to make a copy of the _.htaccess.dist_ file that came with DokuWiki and keep the old one there too, in case we need to revert to the original in the future.
In the process, we will be changing the name of this file to simply _.htaccess_ which is what _apache_ will be looking for. To do this:
@@ -132,7 +140,7 @@ Now we need to change ownership of the new directory and its files to the _apach
## Setting Up DNS Or /etc/hosts
-Before you'll be able to access the DokuWiki interface, you'll need to set name resolution for this site. For testing purposes, you can use your _/etc/hosts_ file.
+Before you'll be able to access the DokuWiki interface, you'll need to set name resolution for this site. For testing purposes, you can use your _/etc/hosts_ file.
In this example, let's assume that DokuWiki will be running on a private IPv4 address of 10.56.233.179. Let's also assume that you are modifying the _/etc/hosts_ file on a Linux workstation. To do this, run:
@@ -198,15 +206,15 @@ Either should work if you set your hosts file as above. This will bring you to t
Your wiki is now ready for you to add content.
-# Securing DokuWiki
+## Securing DokuWiki
Besides the ACL policy that you just created, consider:
-## Your Firewall
+### Your Firewall
-Before you call everything done, you need to think about security. First, you should be running a firewall on the server. We will assume that you are using _iptables_ and have [Enabled _iptables_](../security/enabling_iptables_firewall.md), but if you want to use _firewalld_ instead, simply modify your _firewalld_ rules accordingly.
+Before you call everything done, you need to think about security. First, you should be running a firewall on the server. We will assume that you are using _iptables_ and have [Enabled _iptables_](../security/enabling_iptables_firewall.md), but if you want to use _firewalld_ instead, simply modify your _firewalld_ rules accordingly.
-Instead of everyone having access to the wiki, we are going to assume that anyone on the 10.0.0.0/8 network is on your private Local Area Network, and that those are the only people who need access to the site. A simple _iptables_ firewall script for this is down below.
+Instead of everyone having access to the wiki, we are going to assume that anyone on the 10.0.0.0/8 network is on your private Local Area Network, and that those are the only people who need access to the site. A simple _iptables_ firewall script for this is down below.
Please note that you may need other rules for other services on this server, and that this example only takes into account the web services.
@@ -244,11 +252,10 @@ Then execute the script:
This will execute the rules and save them so that they will be reloaded on the next start of _iptables_ or on boot.
-## SSL
+### SSL
For the best security, you should consider using an SSL so that all web traffic is encrypted. You can purchase an SSL from an SSL provider or use [Let's Encrypt](../security/generating_ssl_keys_lets_encrypt.md)
-# Conclusion
+## Conclusion
Whether you need to document processes, company policies, program code, or something else, a wiki is a great way to get that done. DokuWiki is a product that is secure, flexible, easy to use, relatively easy to install and deploy, and is a stable project that has been around for many years.
-
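Review bot: while the SSL heading is being touched, the sentence `For the best security, you should consider using an SSL so that all web traffic is encrypted.` is missing its closing period after the Let's Encrypt link, and "an SSL" is shorthand for a TLS/SSL certificate; "a TLS certificate" would be clearer and matches the linked guide's subject (generating certificates).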
diff --git a/docs/guides/desktop/mate_installation.md b/docs/guides/desktop/mate_installation.md
index da3637a526..58dc2d626c 100644
--- a/docs/guides/desktop/mate_installation.md
+++ b/docs/guides/desktop/mate_installation.md
@@ -1,3 +1,13 @@
+---
+title: MATE Desktop
+author: unknown
+contributors: Steven Spencer
+tested with: 8.5
+tags:
+ - mate
+ - desktop
+---
+
# MATE Desktop Environment
The MATE desktop environment was created to fork and continue GNOME2 in the wake of the somewhat negative reception that GNOME3 received when introduced. MATE has a loyal set of followers, who immediately install it on their OS of choice. MATE can be installed on many flavors of Linux, including Rocky Linux.
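Review bot: `author: unknown` is a placeholder, not an attribution. The original author can usually be recovered from the file's git history; if not, omit the `author:` key rather than shipping `unknown` in rendered metadata (the same applies to basic_network_configuration.md in this patch).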
@@ -77,4 +87,4 @@ You should end up with a login prompt in the MATE GUI, and when you login, you w
## Conclusion
-Some people are not satisfied with the newer GNOME implementations or are a lot of users who simply prefer the older MATE GNOME 2 look and feel. For those people, getting MATE installed in Rocky Linux will provide a nice, stable alternative.
+Some people are not satisfied with the newer GNOME implementations or simply prefer the older MATE GNOME 2 look and feel. For those people, getting MATE installed in Rocky Linux will provide a nice, stable alternative.
diff --git a/docs/guides/dns/private_dns_server_using_bind.md b/docs/guides/dns/private_dns_server_using_bind.md
index 10b05cd999..da71edab55 100644
--- a/docs/guides/dns/private_dns_server_using_bind.md
+++ b/docs/guides/dns/private_dns_server_using_bind.md
@@ -1,5 +1,11 @@
---
title: Bind Private DNS Server
+author: Steven Spencer
+contributors: Ezequiel Bruni
+tested with: 8.5
+tags:
+ - dns
+ - bind
---
# Private DNS Server Using Bind
@@ -136,7 +142,7 @@ devel IN A 192.168.1.15
Add as many hosts as you need to the bottom of the file along with their IP addresses and then save your changes.
-Next, we need a reverse file to map our hostname to the IP address, In this case, the only part of the IP that you need is the last octet (in an IPv4 address each number separated by a comma, is an octet) of the host and then the PTR and hostname.
+Next, we need a reverse file to map our hostname to the IP address, In this case, the only part of the IP that you need is the last octet (in an IPv4 address each number separated by a period, is an octet) of the host and then the PTR and hostname.
`vi /var/named/ourdomain.lan.rev`
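Review bot: the comma-to-period fix is correct, but the rewritten line still has two punctuation problems: `IP address, In this case` is a comma splice (use a period before `In`), and the comma in `separated by a period, is an octet` is spurious. Suggested reading: `...map our hostname to the IP address. In this case, the only part of the IP that you need is the last octet (in an IPv4 address each number separated by a period is an octet) of the host...`.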
@@ -244,7 +250,7 @@ TYPE=Ethernet
MTU=
```
-We want to substitute in our new DNS server for the primary (DNS1) and then move each of the other DNS servers down one so that it like this:
+We want to substitute in our new DNS server for the primary (DNS1) and then move each of the other DNS servers down one so that it is like this:
```
DEVICE=eth0
diff --git a/docs/guides/editors/micro.md b/docs/guides/editors/micro.md
index ae29bca170..cee54e565d 100644
--- a/docs/guides/editors/micro.md
+++ b/docs/guides/editors/micro.md
@@ -3,6 +3,10 @@ title: micro
author: Ezequiel Bruni
contributors: Steven Spencer
tested version: 8.5
+tags:
+ - editor
+ - editors
+ - micro
---
# Install micro on Rocky Linux
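Review bot: the tag list contains both `editor` and `editors`, which is redundant; keep a single form (the repo's other new tag sets use singular nouns such as `dns`, `wiki`). This file also keeps `tested version: 8.5` while the other files in this patch introduce `tested with: 8.5`; normalise the key name in one direction.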
@@ -46,7 +50,7 @@ Next, you’ll need the installer from *micro*’s website. The following comman
curl https://getmic.ro | bash
```
-To install the app system-wide (and so you can just type “micro” to open up the app), you can run the script as root inside of `/usr/bin/`. However, if you want to check the it out first and be careful about it, you can install the *micro* to any folder you want, and then move the app later with:
+To install the app system-wide (and so you can just type “micro” to open up the app), you can run the script as root inside of `/usr/bin/`. However, if you want to check it out first and be careful about it, you can install the *micro* to any folder you want, and then move the app later with:
```bash
sudo mv micro /usr/bin/
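Review bot: the fix is fine, but the sentence still reads `install the *micro* to any folder`; drop the stray `the`. More importantly, this is the paragraph that tells readers to run the `curl https://getmic.ro | bash` installer as root inside `/usr/bin/`. The "check it out first" alternative should be spelled out: download the script to a file, read it, and only then execute it, so the guide does not steer readers toward piping an unreviewed remote script straight into a root shell.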
diff --git a/docs/guides/file_sharing/secure_ftp_server_vsftpd.md b/docs/guides/file_sharing/secure_ftp_server_vsftpd.md
index be062faba4..9cc680f033 100644
--- a/docs/guides/file_sharing/secure_ftp_server_vsftpd.md
+++ b/docs/guides/file_sharing/secure_ftp_server_vsftpd.md
@@ -1,3 +1,14 @@
+---
+title: Secure FTP Server - vsftpd
+author: Steven Spencer
+contributors: Ezequiel Bruni
+tested with: 8.5
+tags:
+ - security
+ - ftp
+ - vsftpd
+---
+
# Secure FTP Server - vsftpd
## Prerequisites
@@ -7,11 +18,11 @@
* An understanding of PAM, as well as _openssl_ commands is helpful.
* All commands are run as the root user or sudo
-## Introduction
+## Introduction
-_vsftpd_ is the Very Secure FTP Daemon (FTP being the file transfer protocol). It has been available for many years now, and is actually the default FTP daemon in Rocky Linux, as well as many other Linux distributions.
+_vsftpd_ is the Very Secure FTP Daemon (FTP being the file transfer protocol). It has been available for many years now, and is actually the default FTP daemon in Rocky Linux, as well as many other Linux distributions.
-_vsftpd_ allows for the use of virtual users with pluggable authentication modules (PAM). These virtual users don't exist in the system, and have no other permissions except to use FTP. This means that if a virtual user gets compromised, the person with those credentials would have no other permissions once they gained access. Using this setup is very secure indeed, but does require a bit of extra work.
+_vsftpd_ allows for the use of virtual users with pluggable authentication modules (PAM). These virtual users don't exist in the system, and have no other permissions except to use FTP. This means that if a virtual user gets compromised, the person with those credentials would have no other permissions once they gained access. Using this setup is very secure indeed, but does require a bit of extra work.
## Installing vsftpd
@@ -21,7 +32,7 @@ We also need to make sure _openssl_ is installed. If you are running a web serve
You will also want to enable the vsftpd service:
-`systemctl enable vsftpd`
+`systemctl enable vsftpd`
But _don't start the service just yet._
@@ -69,7 +80,7 @@ nopriv_user=vsftpd
guest_username=vsftpd
```
-We need to add a section near the bottom of the file to force passwords sent over the internet to be encrypted. We need _openssl_ installed and we will need to create the certificate file for this as well.
+We need to add a section near the bottom of the file to force passwords sent over the internet to be encrypted. We need _openssl_ installed and we will need to create the certificate file for this as well.
Start by adding these lines at the bottom of the file:
@@ -92,19 +103,19 @@ Now save your configuration. (That's `SHIFT:wq` if using _vi_.)
## Setting Up The RSA Certificate
-We need to create the _vsftpd_ RSA certificate file. The author generally figures that a server is good for 4 or 5 years, so set the number of days for this certificate based on the number of years you believe you'll have the server up and running on this hardware.
+We need to create the _vsftpd_ RSA certificate file. The author generally figures that a server is good for 4 or 5 years, so set the number of days for this certificate based on the number of years you believe you'll have the server up and running on this hardware.
Edit the number of days as you see fit, and then use the below format of the command to create the certificate and private key files:
`openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.key -out /etc/vsftpd/vsftpd.pem`
-Like all certificate creation processes, this will start a script that will ask you for some information. This is not a difficult process. Many fields can be left blank.
+Like all certificate creation processes, this will start a script that will ask you for some information. This is not a difficult process. Many fields can be left blank.
The first field is the country code field, fill this one in with your country two letter code:
`Country Name (2 letter code) [XX]:`
-Next comes the state or province, fill this in by typing the whole name, not the abbreviation:
+Next comes the state or province, fill this in by typing the whole name, not the abbreviation:
`State or Province Name (full name) []:`
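Review bot: the `openssl req -x509 -nodes ... -keyout /etc/vsftpd/vsftpd.key -out /etc/vsftpd/vsftpd.pem` command writes the private key unencrypted (`-nodes`), and the text never restricts who can read it. Since this section is being edited, add a step such as `chmod 600 /etc/vsftpd/vsftpd.key` (owned by root) right after generation so the key is not world-readable. A 1825-day self-signed certificate is also a long lifetime; a sentence noting that clients will have to re-approve the certificate when it is regenerated would help readers plan renewal.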
@@ -147,7 +158,7 @@ Now navigate to the configuration directory for _vsftpd_:
`cd /etc/vsftpd`
-We need to create a new password database that will be used to authenticate our virtual users. We need to create a file to read the virtual users and passwords from that will create the database.
+We need to create a new password database that will be used to authenticate our virtual users. We need to create a file to read the virtual users and passwords from. This will create the database.
In the future, when adding new users, we will want to duplicate this process as well:
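Review bot: splitting the sentence leaves `This will create the database.` with an unclear referent, since creating a text file does not create the database. Suggested wording: `We need to create a file to read the virtual users and passwords from; that file is then used to build the database.` Because that file holds plaintext passwords, the section should also tell readers to delete it or restrict it to root once the `.db` has been generated.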
@@ -191,7 +202,7 @@ When adding new users, simply use _vi_ to create a new vusers.txt file, and re-r
## Setting Up PAM
-_vsftpd_ installs a default pam file when you install the package. We are going to replace this with our own content, so **always** make a backup copy of the old file first.
+_vsftpd_ installs a default pam file when you install the package. We are going to replace this with our own content, so **always** make a backup copy of the old file first.
Make a directory for your backup file in /root:
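Review bot: style nit in the edited line: `pam file` should be `PAM file`, matching the `## Setting Up PAM` heading and the `(PAM)` expansion used in the introduction.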
@@ -219,7 +230,7 @@ This will enable login for your virtual users defined in `vsftpd-virtual-user.db
## Setting Up The Virtual User's Configuration
-Each virtual user has their own configuration file, which specifies their own local_root directory. This local root must be owned by the user "vsftpd" and the group "nogroup".
+Each virtual user has their own configuration file, which specifies their own local_root directory. This local root must be owned by the user "vsftpd" and the group "nogroup".
Remember that this was set up in the [Setting Up Virtual Users section above.](#virtualusers) To change the ownership for the directory, simply type this at the command line:
@@ -243,14 +254,14 @@ Once all of this is completed, start the _vsftpd_ service and then test your use
### Testing vsftpd
-You can test your setup using the command line on a machine and test access to the machine using FTP. That said, the easiest way to test is to test with an FTP client, such as [FileZilla](https://filezilla-project.org/).
+You can test your setup using the command line on a machine and test access to the machine using FTP. That said, the easiest way to test is to test with an FTP client, such as [FileZilla](https://filezilla-project.org/).
-When you test with a virtual user to the server running _vsftpd_, you should get an SSL certificate trust message. This trust message is saying to the person using the FTP client that the server uses a certificate and asks them to approve the certificate before continuing. Once connected as a virtual user, you should be able to place files in the "local_root" folder that we setup for that user.
+When you test with a virtual user to the server running _vsftpd_, you should get an SSL certificate trust message. This trust message is saying to the person using the FTP client that the server uses a certificate and asks them to approve the certificate before continuing. Once connected as a virtual user, you should be able to place files in the "local_root" folder that we setup for that user.
If you are unable to upload a file, then you may need to go back and make sure that each of the above steps is completed. For instance, it could be that the ownership permissions for the "local_root" have not been set to the "vsftpd" user and the "nogroup" group.
## Conclusion
-_vsftpd_ is a popular and common ftp server and can be set up as a stand alone server, or as part of an [Apache Hardened Web Server](../web/apache_hardened_webserver/index.md). If set up to use virtual users and a certificate, it is quite secure.
+_vsftpd_ is a popular and common ftp server and can be set up as a stand alone server, or as part of an [Apache Hardened Web Server](../web/apache_hardened_webserver/index.md). If set up to use virtual users and a certificate, it is quite secure.
While there are quite a number of steps to setting up _vsftpd_ as outlined in this document, taking the extra time to set it up correctly will ensure that your server is as secure as it can be.
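Review bot: these lines only trim whitespace, but while they are being touched: `the "local_root" folder that we setup for that user` should be `set up` (verb), `stand alone server` should be `standalone server`, and `ftp server` should be `FTP server` for consistency with the rest of the page.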
diff --git a/docs/guides/network/basic_network_configuration.md b/docs/guides/network/basic_network_configuration.md
index 5203fae4ec..f0f8ead7bf 100644
--- a/docs/guides/network/basic_network_configuration.md
+++ b/docs/guides/network/basic_network_configuration.md
@@ -1,5 +1,12 @@
---
title: Networking Configuration
+author: unknown
+contributors: Steven Spencer
+tested with: 8.5
+tags:
+ - networking
+ - configuration
+ - network
---
# Networking configuration
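Review bot: as in mate_installation.md, `author: unknown` is a placeholder; recover the author from git history or omit the key. Separately, the front-matter `title: Networking Configuration` and the H1 `# Networking configuration` differ only in capitalisation; make them identical.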
@@ -7,10 +14,10 @@ title: Networking Configuration
## Prerequisites
* A certain amount of comfort operating from the command line
-* Elevated or administrative privileges on the system (For example root, sudo and so on)
+* Elevated or administrative privileges on the system (For example root, `sudo` and so on)
* Optional: familiarity with networking concepts
-# Introduction
+## Introduction
Nowadays a computer without network connectivity is almost useless by itself. Whether you need to update the packages on a server or simply browse external Websites from your laptop - you will need network access!
@@ -20,39 +27,44 @@ This guide aims to provide Rocky Linux users the basic knowledge on how to setup
At the user level, the networking stack is managed by *NetworkManager*. This tool runs as a service, and you can check its state with the following command:
- systemctl status NetworkManager
+```
+systemctl status NetworkManager
+```
### Configuration files
NetworkManager simply applies a configuration read from the files found in `/etc/sysconfig/network-scripts/ifcfg-`.
-Each network interface has its configuration file. The following example in the default configuration for a server:
-
- TYPE=Ethernet
- PROXY_METHOD=none
- BROWSER_ONLY=no
- BOOTPROTO=none
- DEFROUTE=yes
- IPV4_FAILURE_FATAL=no
- IPV6INIT=no
- NAME=ens18
- UUID=74c5ccee-c1f4-4f45-883f-fc4f765a8477
- DEVICE=ens18
- ONBOOT=yes
- IPADDR=192.168.0.1
- PREFIX=24
- GATEWAY=192.168.0.254
- DNS1=192.168.0.254
- DNS2=1.1.1.1
- IPV6_DISABLED=yes
+Each network interface has its configuration file. The following shows an example for the default configuration of a server:
+
+```bash
+TYPE=Ethernet
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=none
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=no
+NAME=ens18
+UUID=74c5ccee-c1f4-4f45-883f-fc4f765a8477
+DEVICE=ens18
+ONBOOT=yes
+IPADDR=192.168.0.1
+PREFIX=24
+GATEWAY=192.168.0.254
+DNS1=192.168.0.254
+DNS2=1.1.1.1
+IPV6_DISABLED=yes
+```
The interface's name is **ens18** so this file's name will be `/etc/sysconfig/network-scripts/ifcfg-ens18`.
-**Tips:**
-There are a few ways or mechanisms by which systems can be assigned their IP configuration information. The 2 most common methods are - **Static IP configuration** scheme and **Dynamic IP configuration** scheme.
+!!! hint "**Tips:**"
-The static IP configuration scheme is very popular on server class systems or networks.
+ There are a few ways or mechanisms by which systems can be assigned their IP configuration information. The two most common methods are - **Static IP configuration** scheme and **Dynamic IP configuration** scheme.
-The dynamic IP approach is popular on home and office networks - or workstation and desktop class systems. The dynamic scheme usually needs _something_ extra that is locally available that can supply proper IP configuration information to requesting workstations and desktops. This _something_ is called the Dynamic Host Configuration Protocol (DHCP).
+ The static IP configuration scheme is very popular on server class systems or networks.
+
+ The dynamic IP approach is popular on home and office networks - or workstation and desktop class systems. The dynamic scheme usually needs _something_ extra that is locally available that can supply proper IP configuration information to requesting workstations and desktops. This _something_ is called the Dynamic Host Configuration Protocol (DHCP).
Very often, home/office users don't have to worry or know about DHCP. This is because the somebody or something else is automagically taking care of that in the background. The only thing that the end user needs to do is to physically or wirelessly connect to the right network (and of course make sure that their systems are powered on)!
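Review bot: the new fences are inconsistent in their language tags: the `systemctl status NetworkManager` command block is untagged, while the `ifcfg-ens18` contents are tagged `bash` even though that file is a sysconfig key=value file, not a shell script (tag it `ini` or leave it untagged, and tag command blocks `bash`). In the admonition, `!!! hint "**Tips:**"` puts Markdown bold inside a title that is already rendered bold; plain `!!! hint "Tips"` suffices. Finally, the paragraph beginning `Very often, home/office users don't have to worry...` continues the DHCP explanation but is left outside the indented admonition; check whether it was meant to be inside it.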
@@ -82,40 +94,50 @@ To get proper name resolution, the following parameters must be set:
To apply the network configuration, the `nmcli` command can be used:
- nmcli connection up ens18
+```
+nmcli connection up ens18
+```
To get the connection state, simply use:
- nmcli connection show
+```
+nmcli connection show
+```
You can also use the `ifup` and `ifdown` commands to bring the interface up and down (they are simple wrappers around `nmcli`):
- ifup ens18
- ifdown ens18
+```
+ifup ens18
+ifdown ens18
+```
### Checking configuration
You can check that the configuration has been correctly applied with the following `nmcli` command:
- nmcli device show ens18
+```
+nmcli device show ens18
+```
which should give you the following output:
- GENERAL.DEVICE: ens18
- GENERAL.TYPE: ethernet
- GENERAL.HWADDR: 6E:86:C0:4E:15:DB
- GENERAL.MTU: 1500
- GENERAL.STATE: 100 (connecté)
- GENERAL.CONNECTION: ens18
- GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1
- WIRED-PROPERTIES.CARRIER: marche
- IP4.ADDRESS[1]: 192.168.0.1/24
- IP4.GATEWAY: 192.168.0.254
- IP4.ROUTE[1]: dst = 192.168.0.0/24, nh = 0.0.0.0, mt = 100
- IP4.ROUTE[2]: dst = 0.0.0.0/0, nh = 192.168.0.254, mt = 100
- IP4.DNS[1]: 192.168.0.254
- IP4.DNS[2]: 1.1.1.1
- IP6.GATEWAY: --
+```
+GENERAL.DEVICE: ens18
+GENERAL.TYPE: ethernet
+GENERAL.HWADDR: 6E:86:C0:4E:15:DB
+GENERAL.MTU: 1500
+GENERAL.STATE: 100 (connecté)
+GENERAL.CONNECTION: ens18
+GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1
+WIRED-PROPERTIES.CARRIER: marche
+IP4.ADDRESS[1]: 192.168.0.1/24
+IP4.GATEWAY: 192.168.0.254
+IP4.ROUTE[1]: dst = 192.168.0.0/24, nh = 0.0.0.0, mt = 100
+IP4.ROUTE[2]: dst = 0.0.0.0/0, nh = 192.168.0.254, mt = 100
+IP4.DNS[1]: 192.168.0.254
+IP4.DNS[2]: 1.1.1.1
+IP6.GATEWAY: --
+```
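Review bot: the sample `nmcli device show ens18` output still contains localised strings (`GENERAL.STATE: 100 (connecté)`, `WIRED-PROPERTIES.CARRIER: marche`). Since the block is being re-fenced anyway, regenerate it with `LANG=C nmcli device show ens18` so readers see the English `connected` / `on` values they will get on a default install. The fence should also be tagged (`bash` for the command, untagged or `text` for the output) to match the rest of the file.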
## Using ip utility
@@ -132,11 +154,14 @@ In this example, we will assume the following parameters:
To see the detailed state of all interfaces, use
- ip a
+```
+ip a
+```
+
+!!! hint "**Pro tips:**"
-**Pro tips:**
-* use the `-c` flag to get a more readable coloured output: `ip -c a`.
-* `ip` accepts abbreviation so `ip a`, `ip addr` and `ip address` are equivalent
+ * use the `-c` flag to get a more readable coloured output: `ip -c a`.
+ * `ip` accepts abbreviation so `ip a`, `ip addr` and `ip address` are equivalent
### Bring interface up or down
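Review bot: same admonition-title nit as above (`!!! hint "**Pro tips:**"`). In the list, `ip accepts abbreviation so ip a, ip addr and ip address are equivalent` should read `accepts abbreviations` and end with a period.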
@@ -146,22 +171,30 @@ To bring the *ens19* interface up, simply use `ip link set ens19 up` and to brin
The command to be used is of the form:
- ip addr add dev
+```
+ip addr add dev
+```
To assign the above example parameters, we will use:
- ip a add 192.168.20.10/24 dev ens19
+```
+ip a add 192.168.20.10/24 dev ens19
+```
Then, checking the result with:
- ip a show dev ens19
+```
+ip a show dev ens19
+```
will output:
+```
3: ens19: mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 4a:f2:f5:b6:aa:9f brd ff:ff:ff:ff:ff:ff
inet 192.168.20.10/24 scope global ens19
valid_lft forever preferred_lft forever
+```
Our interface is up and configured, but is still lacking something!
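Review bot: the command template now fenced as `ip addr add dev` has lost its placeholders, almost certainly because the original angle-bracketed `<address>` and `<interface>` were swallowed as HTML before fencing; inside a fence they are literal, so restore the line as `ip addr add <address>/<prefix> dev <interface>`. The same loss shows in the sample `ip a show dev ens19` output, where the interface flags that normally sit between `3: ens19:` and `mtu 1500` (`<BROADCAST,MULTICAST,UP,LOWER_UP>`) are missing; paste the real output back now that the block is fenced.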
@@ -169,27 +202,35 @@ Our interface is up and configured, but is still lacking something!
To add the *ens19* interface our new example IP address, use the following command:
- ifcfg ens19 add 192.168.20.10/24
+```
+ifcfg ens19 add 192.168.20.10/24
+```
To remove the address:
- ifcfg ens19 del 192.168.20.10/24
-
+```
+ifcfg ens19 del 192.168.20.10/24
+```
To completely disable IP addressing on this interface:
- ifcfg ens19 stop
-
+```
+ifcfg ens19 stop
+```
*Note that this does not bring the interface down, it simply unassigns all IP addresses from the interface.*
### Gateway configuration
Now that the interface has an address, we have to set its default route, this can be done with:
- ip route add default via 192.168.20.254 dev ens19
+```
+ip route add default via 192.168.20.254 dev ens19
+```
The kernel routing table can be displayed with
+```
ip route
+```
or `ip r` for short.
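Review bot: the new fences in this hunk (`ifcfg ens19 add 192.168.20.10/24`, `ifcfg ens19 stop`, `ip route add default via 192.168.20.254 dev ens19`) carry no language tag, while the Let's Encrypt guide in this PR uses `bash`; tag them consistently so command blocks and output blocks are distinguishable. Near the `ip route add default` line it is also worth stating that `ip` and `ifcfg` changes are runtime only and do not survive a reboot, which is the reason the guide also covers NetworkManager.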
@@ -199,10 +240,13 @@ At this point, you should have your network interface up and properly configured
By *pinging* another IP address in the same network (we will use `192.168.20.42` as an example):
- ping -c3 192.168.20.42
+```
+ping -c3 192.168.20.42
+```
This command will issue 3 *pings* (known as ICMP request) and wait for a reply. If everything went fine, you should get this output:
+```
PING 192.168.20.42 (192.168.20.42) 56(84) bytes of data.
64 bytes from 192.168.20.42: icmp_seq=1 ttl=64 time=1.07 ms
64 bytes from 192.168.20.42: icmp_seq=2 ttl=64 time=0.915 ms
@@ -211,21 +255,30 @@ This command will issue 3 *pings* (known as ICMP request) and wait for a reply.
--- 192.168.20.42 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 0.850/0.946/1.074/0.097 ms
+```
Then, to make sure your routing configuration is fine, try to *ping* a external host, such as this well known public DNS resolver:
- ping -c3 8.8.8.8
+```
+ping -c3 8.8.8.8
+```
If your machine has several network interface and you want to make ICMP request via a specific interface, you can use the `-I` flag:
- ping -I ens19 -c3 192.168.20.42
+```
+ping -I ens19 -c3 192.168.20.42
+```
It is now time to make sure that DNS resolution is working correctly. As a reminder, DNS resolution is a mechanism used to convert human friendly machine names into their IP addresses and the other way round (reverse DNS).
If the `/etc/resolv.conf` file indicates a reachable DNS server, then the following should work:
- host rockylinux.org
+```
+host rockylinux.org
+```
The result should be:
- rockylinux.org has address 76.76.21.21
+```
+rockylinux.org has address 76.76.21.21
+```
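Review bot: the expected output `rockylinux.org has address 76.76.21.21` hard-codes an address that will drift as the site's hosting changes, leaving a reader who sees a different value unsure whether resolution failed; present it as an example (`rockylinux.org has address <some IPv4 address>`) or say the address may differ. While touching these lines, fix the context typos `a external host` (an external host) and `several network interface` (interfaces), and note that the `host` command comes from `bind-utils`, which a minimal install does not include.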
diff --git a/docs/guides/security/generating_ssl_keys_lets_encrypt.md b/docs/guides/security/generating_ssl_keys_lets_encrypt.md
index e2ea752044..6895b5e588 100644
--- a/docs/guides/security/generating_ssl_keys_lets_encrypt.md
+++ b/docs/guides/security/generating_ssl_keys_lets_encrypt.md
@@ -2,7 +2,11 @@
title: Generating SSL Keys - Let's Encrypt
author: Steven Spencer
contributors: wsoyinka, Antoine Le Morvan, Ezequiel Bruni
-update: 28-Feb-2022
+tested with: 8.5
+tags:
+ - security
+ - ssl
+ - cerbot
---
# Generating SSL Keys - Let's Encrypt
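Review bot: the new front-matter tag `cerbot` is a typo for `certbot`; as written it creates a separate tag page that nothing else shares. Dropping the `update:` date in favour of `tested with: 8.5` matches the other guides in this PR and is fine.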
@@ -16,13 +20,13 @@ update: 28-Feb-2022
* Familiarity with _ssh_ (secure shell) and the ability to access your server with _ssh_
* All commands assume that you are either the root user or that you have used _sudo_ to gain root access.
-# Introduction
+## Introduction
-One of the most popular ways to secure a web site, currently, is using Let's Encrypt SSL certificates, which are also free.
+One of the most popular ways to secure a web site, currently, is using Let's Encrypt SSL certificates, which are also free.
These are actual certificates, not self-signed or snake oil, etc., so they are great for a low-budget security solution. This document will walk you through the process of installing and using Let's Encrypt certificates on a Rocky Linux web server.
-## Installation
+## Installation
To do the next steps, use _ssh_ to log into your server. If your server's fully qualified DNS name was www.myhost.com, then you would use:
@@ -71,9 +75,9 @@ You can always install both server modules if necessary, of course.
## Getting The Let's Encrypt Certificate for the Apache Server
-There are two ways to retrieve your Let's Encrypt certificate, either using the command to modify the http configuration file for you, or to just retrieve the certificate. If you are using the procedure for a multi-site setup suggested for one or more sites in the procedure [Apache Web Server Multi-Site Setup](../web/apache-sites-enabled.md), then you will only want to retrieve your certificate.
+There are two ways to retrieve your Let's Encrypt certificate, either using the command to modify the http configuration file for you, or to just retrieve the certificate. If you are using the procedure for a multi-site setup suggested for one or more sites in the procedure [Apache Web Server Multi-Site Setup](../web/apache-sites-enabled.md), then you will only want to retrieve your certificate.
-We are assuming that you **are** using this procedure so we will only retrieve the certificate. If you are running a standalone web server using the default configuration, you can retrieve the certificate and modify the configuration file in one step using:
+We are assuming that you **are** using this procedure so we will only retrieve the certificate. If you are running a standalone web server using the default configuration, you can retrieve the certificate and modify the configuration file in one step using:
```bash
certbot --apache
@@ -102,7 +106,7 @@ Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-(Y)es/(N)o:
+(Y)es/(N)o:
```
The next is a request to share your email with the Electronic Frontier Foundation. Answer 'Y' or 'N' as is your preference:
@@ -115,7 +119,7 @@ partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-(Y)es/(N)o:
+(Y)es/(N)o:
```
The next prompt asks you which domain you want the certificate for. It should display a domain in the listing based on your running web server. If so, enter the number next to the domain that you are getting the certificate for. In this case there is only one option ('1'):
@@ -126,7 +130,7 @@ Which names would you like to activate HTTPS for?
1: yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
-blank to select all options shown (Enter 'c' to cancel):
+blank to select all options shown (Enter 'c' to cancel):
```
If all goes well, you should receive the following message:
@@ -156,18 +160,18 @@ IMPORTANT NOTES:
## The Site Configuration - https
-Applying the configuration file to our site is slightly different than if we were using a purchased SSL certificate from another provider (and if we didn't let certbot do it automatically).
+Applying the configuration file to our site is slightly different than if we were using a purchased SSL certificate from another provider (and if we didn't let certbot do it automatically).
The certificate and chain file are included in a single PEM (Privacy Enhanced Mail) file. This is a common format for all certificate files now, so even though it has "Mail" in the reference, it is just a type of certificate file. To illustrate the configuration file, we will show it in it's entirety and then describe what is happening:
```
- ServerName www.yourdomain.com
+ ServerName www.yourdomain.com
ServerAdmin username@rockylinux.org
Redirect / https://www.yourdomain.com/
- ServerName www.yourdomain.com
+ ServerName www.yourdomain.com
ServerAdmin username@rockylinux.org
DocumentRoot /var/www/sub-domains/com.yourdomain.www/html
DirectoryIndex index.php index.htm index.html
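Review bot: the Apache snippet around the `ServerName www.yourdomain.com` lines shows no `<VirtualHost *:80>` / `<VirtualHost *:443>` openers or their closing tags, yet the prose below ("Even though port 80 ... we are redirecting all traffic to port 443") depends on them; check whether the source file still has them or whether they were lost as raw HTML, and restore them inside the fence, where angle brackets are literal. The fence also has no language tag; `apacheconf` is the lexer name the highlighter expects.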
@@ -205,7 +209,7 @@ Here's what's happening above. You may want to review the [Apache Web Server Mul
* Even though port 80 (standard http) is listening, we are redirecting all traffic to port 443 (https)
* SSLEngine on - simply says to use SSL
* SSLProtocol all -SSLv2 -SSLv3 -TLSv1 - says to use all available protocols, except those that have been found to have vulnerabilities. You should research periodically which protocols are currently acceptable for use.
-* SSLHonorCipherOrder on - this deals with the next line that regarding the cipher suites, and says to deal with them in the order that they are given. This is another area where you should review the cipher suites that you want to include periodically
+* SSLHonorCipherOrder on - this deals with the next line regarding the cipher suites, and says to deal with them in the order that they are given. This is another area where you should review the cipher suites that you want to include periodically
* SSLCertificateFile - this is the PEM file, that contains the site certificate **AND** the intermediate certificate. We still need the 'SSLCertificateChainFile' line in our configuration, but it will simply specify the same PEM file again.
* SSLCertificateKeyFile - the PEM file for the private key, generated with the _certbot_ request.
* SSLCertificateChainFile - the certificate from your certificate provider, often called the intermediate certificate, in this case exactly like the 'SSLCertificateFile' location above.
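Review bot: the bullet directly after the edited `SSLHonorCipherOrder` line still says "We still need the 'SSLCertificateChainFile' line", which has not been true since Apache httpd 2.4.8: `SSLCertificateFile` reads the intermediate certificates from the same PEM and `SSLCertificateChainFile` is documented as obsolete, so with `fullchain.pem` the chain line can simply be dropped (Rocky 8 ships httpd 2.4.37). Also, `SSLProtocol all -SSLv2 -SSLv3 -TLSv1` leaves TLS 1.1 enabled, which mainstream browsers disabled in 2020; add `-TLSv1.1`, or better write `SSLProtocol -all +TLSv1.2 +TLSv1.3`.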
@@ -236,7 +240,7 @@ The rest of the text you'll see is awful similar to what's above. The results wi
```
server {
server_name yourwebsite.com;
-
+
listen 80;
listen [::]:80;
@@ -260,7 +264,7 @@ server {
ssl_certificate_key /etc/letsencrypt/live/yourwebsite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
+
location / {
root /usr/share/nginx/html;
index index.html index.htm;
@@ -314,7 +318,7 @@ new certificate deployed with reload of apache server; fullchain is
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-Congratulations, all simulated renewals succeeded:
+Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
@@ -331,8 +335,8 @@ Which gives you a list of processes, one of which will be for _certbot_:
Sat 2021-04-03 07:12:00 UTC 14h left n/a n/a snap.certbot.renew.timer snap.certbot.renew.service
```
-# Conclusions
+## Conclusions
-Let's Encrypt SSL certificates are yet another option for securing your web site with an SSL. Once installed, the system provides automatic renewal of certificates and will encrypt traffic to your web site.
+Let's Encrypt SSL certificates are yet another option for securing your web site with an SSL. Once installed, the system provides automatic renewal of certificates and will encrypt traffic to your web site.
-It should be noted that Let's Encrypt certificates are used for standard DV (Domain Validation) certificates. They cannot be used for OV (Organization Validation) or EV (Extended Validation) certificates.
+It should be noted that Let's Encrypt certificates are used for standard DV (Domain Validation) certificates. They cannot be used for OV (Organization Validation) or EV (Extended Validation) certificates.
diff --git a/docs/guides/security/ssh_public_private_keys.md b/docs/guides/security/ssh_public_private_keys.md
index 3fadad3f57..e87505acde 100644
--- a/docs/guides/security/ssh_public_private_keys.md
+++ b/docs/guides/security/ssh_public_private_keys.md
@@ -1,25 +1,38 @@
+---
+title: SSH Public and Private Key
+author: Steven Spencer
+contributors: Ezequiel Bruni
+tested with: 8.5
+tags:
+ - security
+ - ssh
+ - keygen
+---
+
# SSH Public and Private Key
## Prerequisites
* A certain amount of comfort operating from the command line
* Rocky Linux servers and/or workstations with *openssh* installed
- * Okay technically, this process whould work on any Linux system with openssh installed
-* Optional: familiarity with linux file and directory permissions
+ * Okay technically, this process should work on any Linux system with openssh installed
+* Optional: familiarity with Linux file and directory permissions
# Introduction
SSH is a protocol used to access one machine from another, usually via the command line. With SSH, you can run commands on remote computers and servers, send files, and generally manage everything you do from one place.
-When you are working with multiple Rocky Linux servers in multiple locations, or if you are just trying to save some time accessing these servers, you'll want to use an SSH public and private key pair. Key pairs basically make logging into remote machines and running commands easier.
+When you are working with multiple Rocky Linux servers in multiple locations, or if you are just trying to save some time accessing these servers, you'll want to use an SSH public and private key pair. Key pairs basically make logging into remote machines and running commands easier.
-This document will guide you through the process of creating the keys and setting up your servers for easy access, with said keys.
+This document will guide you through the process of creating the keys and setting up your servers for easy access with those keys.
-### Process For Generating Keys
+## Process For Generating Keys
The following commands are all executed from the command line on your Rocky Linux workstation:
-`ssh-keygen -t rsa`
+```
+ssh-keygen -t rsa
+```
Which will display the following:
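Review bot: this hunk demotes `### Process For Generating Keys` to `##` but leaves `# Introduction` a few lines above as a second H1 beside the page title, breaking the heading hierarchy the rest of the PR normalizes; make it `## Introduction`. The new `ssh-keygen -t rsa` fence has no language tag (the Let's Encrypt guide uses `bash`), and since the page is about choosing a key pair it should recommend `ssh-keygen -t ed25519` as the default on current OpenSSH, with `ssh-keygen -t rsa -b 4096` only for hosts that cannot accept Ed25519 keys.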
@@ -45,27 +58,29 @@ ls -a .ssh/
. .. id_rsa id_rsa.pub
```
-Now we need to send the public key (id_rsa.pub) to every machine that we are going to be accessing... but before we do that, we need to make sure that we can SSH into the servers that we will be sending the key to. For our example, we are going to be using just three servers.
+Now we need to send the public key (id_rsa.pub) to every machine that we are going to be accessing... but before we do that, we need to make sure that we can SSH into the servers that we will be sending the key to. For our example, we are going to be using just three servers.
You can either access them via SSH by a DNS name or IP address, but for our example we are going to be using the DNS name. Our example servers are web, mail, and portal. For each server, we will attempt to SSH in (nerds love using SSH as a verb) and leave a terminal window open for each machine:
-`ssh -l root web.ourourdomain.com`
+`ssh -l root web.ourourdomain.com`
Assuming that we can login without trouble on all three machines, then the next step is to send our public key over to each server:
-`scp .ssh/id_rsa.pub root@web.ourourdomain.com:/root/`
+`scp .ssh/id_rsa.pub root@web.ourourdomain.com:/root/`
-Repeat this step with each of our three machines.
+Repeat this step with each of our three machines.
In each of the open terminal windows, you should now be able to see *id_rsa.pub* when you enter the following command:
-`ls -a | grep id_rsa.pub`
+`ls -a | grep id_rsa.pub`
If so, we are now ready to either create or append the *authorized_keys* file in each server's *.ssh* directory. On each of the servers, enter this command:
-`ls -a .ssh`
+`ls -a .ssh`
+
+!!! attention "Important!"
-**Important! Make sure you read everything below carefully. If you are not sure if you will break something, then make a backup copy of authorized_keys (if it exists) on each of the machines before continuing.**
+ Make sure you read everything below carefully. If you are not sure if you will break something, then make a backup copy of authorized_keys (if it exists) on each of the machines before continuing.
If there is no *authorized_keys* file listed, then we will create it by entering this command while in our _/root_ directory:
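Review bot: the procedure copies `id_rsa.pub` into `/root/` with `scp` and then has the reader hand-edit `authorized_keys`, which is exactly the step the new "Important!" admonition warns can break things; `ssh-copy-id root@web.ourourdomain.com` appends the key, creates `~/.ssh` with mode 700 and `authorized_keys` with mode 600, and leaves no stray copy of the key in `/root`. If the manual route stays for teaching purposes, mention `ssh-copy-id` as the alternative. Two smaller points: the example host `web.ourourdomain.com` (used three times) reads like a typo for `web.ourdomain.com`, and the admonition body `Make sure you read everything below carefully` appears indented by one space where the Material admonition needs four.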
@@ -77,16 +92,13 @@ If _authorized_keys_ does exist, then we simply want to append our new public ke
Once the key has been either added to _authorized_keys_, or the _authorized_keys_ file has been created, try to SSH from your Rocky Linux workstation to the server again. You should not be prompted for a password.
-Once you have verified that you can SSH in without a password, remove the id_rsa.pub file from the _/root_ directory on each machine.
+Once you have verified that you can SSH in without a password, remove the id_rsa.pub file from the _/root_ directory on each machine.
`rm id_rsa.pub`
-### SSH Directory and authorized_keys Security
+## SSH Directory and authorized_keys Security
On each of your target machines, make sure that the following permissions are applied:
`chmod 700 .ssh/`
`chmod 600 .ssh/authorized_keys`
-
-
-
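Review bot: the permissions section is correct but incomplete for sshd's default `StrictModes yes`, which also rejects the key when the home directory itself is group- or world-writable; add that `/root` (or the user's home) must be mode 755 or stricter and owned by that user, and that the private key `~/.ssh/id_rsa` on the workstation must be mode 600 as well. Stylistically, `chmod 700 .ssh/` and `chmod 600 .ssh/authorized_keys` remain inline code on separate lines while this PR moves commands into fences elsewhere in the same file.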
diff --git a/docs/guides/security/ssl_keys_https.md b/docs/guides/security/ssl_keys_https.md
index a0293c775c..2160523458 100644
--- a/docs/guides/security/ssl_keys_https.md
+++ b/docs/guides/security/ssl_keys_https.md
@@ -1,6 +1,17 @@
+---
+title: Generating SSL Keys
+author: Steven Spencer
+contributors: Ezequiel Bruni
+tested with: 8.5
+tags:
+ - security
+ - ssl
+ - openssl
+---
+
# Generating SSL Keys
-# Prerequisites
+## Prerequisites
* A workstation and a server running Rocky Linux (OK, Linux, but really, you want Rocky Linux, right?)
* _OpenSSL_ installed on the machine that you are going to be generating the private key and CSR, as well as on the server where you will eventually be installing your key and certificates
@@ -8,15 +19,15 @@
* Helpful: knowledge of SSL and OpenSSL commands
-# Introduction
+## Introduction
-Nearly every web site today _should_ be running with an SSL (secure socket layer) certificate. This procedure will guide you through generating the private key for your web site and then from this, generating the CSR (certificate signing request) that you will use to purchase your new certificate.
+Nearly every web site today _should_ be running with an SSL (secure socket layer) certificate. This procedure will guide you through generating the private key for your web site and then from this, generating the CSR (certificate signing request) that you will use to purchase your new certificate.
## Generate The Private Key
For the uninitiated, SSL private keys can have different sizes, measured in bits, which basically determines how hard they are to crack.
-As of 2021, the recommended private key size for a web site is still 2048 bits. You can go higher, but doubling the key size from 2048 bits to 4096 bits is only about 16% more secure, takes more space to store the key, causes higher CPU loads when the key is processed.
+As of 2021, the recommended private key size for a web site is still 2048 bits. You can go higher, but doubling the key size from 2048 bits to 4096 bits is only about 16% more secure, takes more space to store the key, and causes higher CPU loads when the key is processed.
This slows down your web site performance without gaining any significant security. Stick with the 2048 key size for now and always keep tabs on what is currently recommended.
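Review bot: the edited sentence keeps the claim that moving from 2048 to 4096 bits is "only about 16% more secure", a percentage with no stated basis; NIST SP 800-57 rates RSA-2048 at about 112 bits of security and RSA-3072 at 128 bits, so any comparison should be in those terms, with the practical advice (2048 is still acceptable, CPU cost grows much faster than strength) left as is. The expansion "SSL (secure socket layer)" also names a protocol that TLS replaced long ago; a one-line note that these are X.509 certificates used for TLS would prevent confusion.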
@@ -24,9 +35,9 @@ To start with, let's make sure that OpenSSL is installed on both your workstatio
`dnf install openssl`
-If it is not installed, your system will install it and any needed dependencies.
+If it is not installed, your system will install it and any needed dependencies.
-Our example domain is ourownwiki.com. Keep in mind that you would need to purchase and register your domain ahead of time. You can purchase domains through a number of "Registrars".
+Our example domain is ourownwiki.com. Keep in mind that you would need to purchase and register your domain ahead of time. You can purchase domains through a number of "Registrars".
If you are not running your own DNS (Domain Name System), you can often use the same providers for DNS hosting. DNS translates your named domain, to numbers (IP addresses, either IPv4 or IPv6) that the Internet can understand. These IP addresses will be where the web site is actually hosted.
@@ -41,7 +52,7 @@ Enter pass phrase for ourownwiki.com.key.pass:
Verifying - Enter pass phrase for ourownwiki.com.key.pass:
```
-Next, let's remove that passphrase. The reason for this is that if you don't remove it, each time your web server restarts and loads up your key, you will need to enter that passphrase.
+Next, let's remove that passphrase. The reason for this is that if you don't remove it, each time your web server restarts and loads up your key, you will need to enter that passphrase.
You might not even be around to enter it, or worse, might not have a console at the ready to enter it. Remove it now to avoid all of that:
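Review bot: the paragraph on removing the passphrase leaves the reader with an unencrypted private key and says nothing about protecting it; immediately after the removal step, tell them to `chmod 600` the key, keep it owned by root, and store it outside the web document root (for example under `/etc/pki/tls/private/`, where Rocky's httpd expects keys) so it is never served and is unreadable by the web server's unprivileged user.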
@@ -55,9 +66,9 @@ Now that you have entered the passphrase a third time, it has been removed from
## Generate the CSR
-Next, we need to generate the CSR (certificate signing request) that we will use to purchase our certificate.
+Next, we need to generate the CSR (certificate signing request) that we will use to purchase our certificate.
-During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate.
+During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate.
One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://www.ourownwiki.com, then enter www.ourownwiki.com at this prompt:
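Review bot: the Common Name guidance in the unchanged line after this hunk's edits is out of date: browsers have ignored the CN for hostname matching since Chrome 58 (2017) and rely solely on the subjectAltName extension. Most commercial CAs copy the CN into the SAN for you, but the guide should say so and, for the `openssl req` invocation it describes, suggest adding `-addext "subjectAltName = DNS:www.ourownwiki.com,DNS:ourownwiki.com"` (supported by the OpenSSL 1.1.1 that Rocky 8 ships) so the CSR covers both the bare and `www` names.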
@@ -66,11 +77,17 @@ One of the prompts will be for "Common Name (e.g., YOUR name)". It is important
This opens up a dialog:
`Country Name (2 letter code) [XX]:` enter the two character country code where your site resides, example "US"
+
`State or Province Name (full name) []:` enter the full official name of your state or province, example "Nebraska"
+
`Locality Name (eg, city) [Default City]:` enter the full city name, example "Omaha"
+
`Organization Name (eg, company) [Default Company Ltd]:` If you want, you can enter an organization that this domain is a part of, or just hit 'Enter' to skip.
+
`Organizational Unit Name (eg, section) []:` This would describe the division of the organization that your domain falls under. Again, you can just hit 'Enter' to skip.
+
`Common Name (eg, your name or your server's hostname) []:` Here, we have to enter our site hostname, example "www.ourownwiki.com"
+
`Email Address []:` This field is optional, you can decide to fill it out or just hit 'Enter' to skip.
Next, you will be asked to enter extra attributes which can be skipped by hitting 'Enter' through both:
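Review bot: the `Organization Name (eg, company) [Default Company Ltd]:` line tells the reader to "just hit 'Enter' to skip", but Enter accepts the bracketed default, so the CSR would carry `O=Default Company Ltd`; the same applies to `Locality Name (eg, city) [Default City]:` if left blank. OpenSSL uses a single `.` to leave a field empty, so the optional-field instructions should say "enter a single period to leave it blank", or point the reader at changing the defaults in `/etc/pki/tls/openssl.cnf`.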
@@ -82,11 +99,11 @@ A challenge password []:
An optional company name []:
```
-Now you should have generated your CSR.
+Now you should have generated your CSR.
## Purchasing The Certificate
-Each certificate vendor will have basically the same procedure. You purchase the SSL and term (1 or 2 years, etc.) and then you submit your CSR. To do this, you will need to use the `more` command, and then copy the contents of your CSR file.
+Each certificate vendor will have basically the same procedure. You purchase the SSL and term (1 or 2 years, etc.) and then you submit your CSR. To do this, you will need to use the `more` command, and then copy the contents of your CSR file.
`more ourownwiki.com.csr`
@@ -112,11 +129,10 @@ HFOltYOnfvz6tOEP39T/wMo=
-----END CERTIFICATE REQUEST-----
```
-You want to copy everything including the "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" lines. Then paste these into the CSR field on the web site where you are purchasing the certificate.
+You want to copy everything including the "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" lines. Then paste these into the CSR field on the web site where you are purchasing the certificate.
You may have to perform other verification steps, depending on ownership of the domain, the registrar you are using, etc., before your certificate is issued. When it is issued, it should be issued along with an intermediate certificate from the provider, which you will use in the configuration as well.
-# Conclusion
+## Conclusion
Generating all of the bits and pieces for the purchase of a web site certificate is not terribly difficult and can be performed by the systems administrator or web site administrator using the above procedure.
-
diff --git a/docs/guides/web/nginx-mainline.md b/docs/guides/web/nginx-mainline.md
index fc2ccfbf33..29bdde1192 100644
--- a/docs/guides/web/nginx-mainline.md
+++ b/docs/guides/web/nginx-mainline.md
@@ -3,7 +3,11 @@ title: Nginx
author: Ezequiel Bruni
contributors: Antoine Le Morvan, Steven Spencer
tested with: 8.5
+tags:
+ - nginx
+ - web
---
+
# How to Install the Latest Nginx on Rocky Linux
## Introduction
@@ -97,7 +101,7 @@ From there, you could just start dropping HTML files into the `/usr/share/nginx/
If you try to view a web page at your machine’s IP address or domain name from another computer, you’re probably going to get a big fat nothing. Well, that’ll be the case as long as you have a firewall up and running.
-Now to open up the necessary ports to actually see your web pages with `firewalld`, Rocky Linux’s default firewall with the `firewall-cmd` command. There are two ways to do it: the official way, and the manual way. *In this instance, the official way is best,* but you should know both for future reference.
+To open up the necessary ports so that you can actually "see" your web pages, we will use Rocky Linux's build-in firewall, `firewalld`. The `firewalld` command for doing this is `firewall-cmd`. There are two ways to do it: the official way, and the manual way. *In this instance, the official way is best,* but you should know both for future reference.
The official way opens up the firewall to the `http` service, which is of course the service that handles web pages. Just run this:
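Review bot: the rewritten sentence introduces a typo, `Rocky Linux's build-in firewall` should read `built-in`. The rest of the rewording is clearer than the original.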
@@ -266,7 +270,7 @@ First, make sure that all files in the root folder are owned by the server user
sudo chown -R www:www /usr/share/nginx/html/www
```
-And then, to make sure that users who want to actually browse your website can actually see the pages, you should make you can run these commands (and yes, those semicolons matter):
+And then, to make sure that users who want to actually browse your website can actually see the pages, you should run these commands (and yes, those semicolons matter):
```bash
sudo find /usr/share/nginx/html/www -type d -exec chmod 555 "{}" \;
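Review bot: the grammar fix is fine, but the surrounding steps, `sudo chown -R www:www /usr/share/nginx/html/www` followed by `chmod 555` on directories, are at odds with least privilege: making the nginx worker user own the document root means any flaw in a served application can rewrite the site, and the 555 mode only protects until something chowns or re-chmods. Suggest owning the content as a separate deploy user (or root) and giving `www` read access through group or world permissions, with a sentence on why.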
@@ -279,7 +283,7 @@ That basically gives everyone the right to look at files on the server, but not
As of now, our [guide to getting SSL certificates with certbot](../security/generating_ssl_keys_lets_encrypt.md) has been updated with some basic instructions for `nginx`. Go give that a look, as it has full instructions for installing certbot, as well as generating the certificates.
-The time is coming when browsers maight even just stop letting people see sites without certificates at all, so make sure you get one for every site.
+The time is coming when browsers might just stop letting people see sites without certificates at all, so make sure you get one for every site.
## Additional Configuration Options and Guides