Install Nginx, MySQL, PHP LEMP Stack on Debian 8

Update, upgrade Debian and install Nginx

#sudo apt-get update && sudo apt-get dist-upgrade
#sudo apt-get install nginx

Configure the UFW firewall to allow the Nginx services

#sudo apt-get install ufw
#sudo ufw enable
#sudo ufw allow 'Nginx HTTP'
#sudo ufw allow ssh
#sudo ufw status

You should see the allowed services (Nginx, SSH, etc.) in the displayed output:

Output
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx HTTP ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx HTTP (v6) ALLOW Anywhere (v6)

Test the Nginx web server by opening http://server_domain_or_IP in a browser.

Install MySQL, then run mysql_secure_installation and answer Y to its prompts:

#sudo apt-get install mysql-server
#sudo mysql_secure_installation

Install PHP for Processing

Since Nginx does not have native PHP processing like some other web servers, we need to install php-fpm, the “FastCGI process manager”, and tell Nginx to pass PHP requests to it for processing. Open /etc/apt/sources.list in your text editor:

#sudo vim /etc/apt/sources.list

Add the contrib and non-free components to the jessie entries in /etc/apt/sources.list:

deb http://cloudfront.debian.net/debian jessie main contrib non-free
deb http://security.debian.org/ jessie/updates main contrib non-free
deb http://cloudfront.debian.net/debian jessie-updates main contrib non-free

Then update the package lists and install php-fpm with the MySQL extension:

#sudo apt-get update
#sudo apt-get install php5-fpm php5-mysql

Optionally install additional PHP extensions:

#apt-get -y install php5-mysqlnd php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-intl php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Secure PHP components

#sudo vim /etc/php5/fpm/php.ini

Uncomment cgi.fix_pathinfo and set it to 0. With the default of 1, PHP tries to guess which file to execute when the requested path does not match a file exactly, which is what lets a stray upload be run as PHP; with 0, PHP only executes the exact file that was requested:

cgi.fix_pathinfo=0

Restart the PHP processor (either command works):

#sudo systemctl restart php5-fpm
#/etc/init.d/php5-fpm restart

Configure Nginx to Use the PHP Processor

Open the default Nginx server block configuration file by typing:

#sudo vim /etc/nginx/sites-available/default

Currently, with the comments removed, the Nginx default server block file looks like this:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }
}

We need to make some changes to this file for our site:

  • First, add index.php as the first value of the index directive so that files named index.php are served, if available, when a directory is requested.
  • Change the server_name directive to point to the server’s domain name or public IP address.
  • For the actual PHP processing, uncomment the segment of the file that handles PHP requests: the location ~ \.php$ block, the included fastcgi-php.conf snippet, and the socket associated with php-fpm.
  • Also uncomment the location block dealing with .htaccess files. Nginx does not process these files, and if any of them find their way into the document root they must not be served to visitors.

The edited file looks like this:
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name your_server_ip;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}

Test your configuration file for syntax errors by typing:

#sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If any errors are reported, go back and recheck your file before continuing.

When ready, reload Nginx to make the necessary changes:

#sudo systemctl reload nginx
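The two hardening steps above (cgi.fix_pathinfo=0 in php.ini, and the .ht* deny block plus the php-fpm unix socket in the Nginx server block) are easy to lose in an editor. The following script is an added example, not code from the original page: it checks a php.ini and a server-block file for those settings and runs against constructed sample files so it can be tried offline. On a real server, point the functions at /etc/php5/fpm/php.ini and /etc/nginx/sites-available/default.

```shell
#!/bin/sh
# Added example (not from the original page): verify that the hardening edits
# above actually landed, before reloading services. The functions take a
# php.ini and an nginx server-block file; sample files are constructed below
# so the script runs offline against them.

# 0 when the last uncommented cgi.fix_pathinfo line sets it to 0 (later
# settings override earlier ones in php.ini, so only the last one counts).
php_fix_pathinfo_ok() {
    last=$(sed -e 's/[;#].*$//' -e 's/[[:space:]]//g' "$1" \
           | grep '^cgi\.fix_pathinfo=' | tail -n 1)
    [ "$last" = "cgi.fix_pathinfo=0" ]
}

# 0 when the file has a "location ~ /\.ht" block containing "deny all;".
nginx_denies_htaccess() {
    awk '
        /location[[:space:]]*~[[:space:]]*\/\\\.ht/ { inblk = 1 }
        inblk && /deny[[:space:]]+all;/            { found = 1 }
        inblk && /}/                                { inblk = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# 0 when PHP requests go to the php-fpm unix socket rather than a TCP
# port (a TCP listener could be reachable from other hosts).
nginx_php_uses_unix_socket() {
    grep -Eq '^[[:space:]]*fastcgi_pass[[:space:]]+unix:' "$1"
}

# audit PHP_INI NGINX_SITE -> one line per check; 0 only if all pass
audit() {
    rc=0
    php_fix_pathinfo_ok "$1"        && echo "ok   cgi.fix_pathinfo=0"  || { echo "FAIL cgi.fix_pathinfo"; rc=1; }
    nginx_denies_htaccess "$2"      && echo "ok   .ht* files denied"   || { echo "FAIL .ht* not denied";  rc=1; }
    nginx_php_uses_unix_socket "$2" && echo "ok   php-fpm unix socket" || { echo "FAIL fastcgi_pass";     rc=1; }
    return $rc
}

# --- constructed samples: a hardened pair and an unhardened pair ---
SAMPLES=$(mktemp -d)
printf ';cgi.fix_pathinfo=1\ncgi.fix_pathinfo=0\n' > "$SAMPLES/php.ini"
printf ';cgi.fix_pathinfo=1\n'                     > "$SAMPLES/php-default.ini"
cat > "$SAMPLES/default" <<'EOF'
server {
    listen 80 default_server;
    root /var/www/html;
    index index.php index.html;
    location / { try_files $uri $uri/ =404; }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }
}
EOF
cat > "$SAMPLES/default-unhardened" <<'EOF'
server {
    listen 80 default_server;
    root /var/www/html;
    location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; }
}
EOF

echo "== hardened =="
audit "$SAMPLES/php.ini" "$SAMPLES/default"
echo "== unhardened =="
audit "$SAMPLES/php-default.ini" "$SAMPLES/default-unhardened" || true
```

Run it before `nginx -t` and the reload; each FAIL line names the setting that still needs attention.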

Create a PHP file that calls phpinfo() to test the configuration

#vim /var/www/html/info.php

Open http://server_domain_or_IP/info.php in a browser. Remove the file once the test succeeds; it exposes the server’s PHP configuration to anyone who can reach it.

Install WordPress on Apache Server

Update, Upgrade the System

#apt-get update -y && apt-get upgrade -y

Install ZIP and UNZIP

#apt-get install zip -y && apt-get install unzip -y

Enable VIM Copy Paste

#apt-get install vim -y

Please create the following file: /etc/vim/vimrc.local

#vim /etc/vim/vimrc.local
" This file loads the default vim options at the beginning and prevents
" them from being loaded again later. All other options set below are
" added to, or overwrite, the default settings. Add as many options as you
" wish at the end of this file.

" Load the defaults
source $VIMRUNTIME/defaults.vim

" Prevent the defaults from being loaded again later, if the user doesn't
" have a local vimrc (~/.vimrc)
let skip_defaults_vim = 1
" Set more options (overwrites settings from /usr/share/vim/vim80/defaults.vim)
" Add as many options as you wish

" Set the mouse mode to 'r'
if has('mouse')
set mouse=r
endif

" Toggle paste/nopaste automatically when copy/paste with right click in insert mode:
let &t_SI .= "\<Esc>[?2004h"
let &t_EI .= "\<Esc>[?2004l"

inoremap <special> <expr> <Esc>[200~ XTermPasteBegin()

function! XTermPasteBegin()
set pastetoggle=<Esc>[201~
set paste
return ""
endfunction

INSTALL APACHE2

#apt-get install apache2 -y

Replace “AllowOverride None” with “AllowOverride All”:

#vim /etc/apache2/apache2.conf

Activate the rewrite, headers and expires modules:

#a2enmod rewrite
#a2enmod headers
#a2enmod expires

Install MariaDB

#apt install mariadb-server -y
#mysql_secure_installation

CREATE DATABASE wordpress

#mysql -u root -p
MariaDB [(none)]> CREATE DATABASE wordpress DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
Query OK, 1 row affected (0.002 sec)

Create the wordpress user and grant it privileges on the database (replace 'password' with a strong password of your own):

MariaDB [(none)]> GRANT ALL ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.000 sec)

Installing Additional PHP Extensions

#apt install php libapache2-mod-php php-mysql -y
#apt install php-curl php-gd php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip -y

Download the WordPress files to /var/www/html or /var/www/, depending on the Debian release (Debian 8 uses /var/www/html, Debian 7 uses /var/www). Either curl or wget is enough; both are shown. Keep certificate verification on when downloading (the --no-check-certificate option would disable it):

#cd /var/www/html
#apt install curl
#apt install wget
#curl -O https://wordpress.org/latest.tar.gz
#wget https://wordpress.org/latest.zip

Extract the WordPress archive in /var/www/html (tar for the .tar.gz, unzip for the .zip):

#tar xzvf latest.tar.gz
#unzip latest.zip

Move the extracted files from the wordpress folder up into /var/www/html/ and remove the empty folder:

#cd /var/www/html/
#mv /var/www/html/wordpress/* /var/www/html/
#rm -rf /var/www/html/wordpress/

Create the upgrade and uploads directories so that WordPress does not run into permission problems when it updates itself or stores uploads:

#mkdir -p /var/www/html/wp-content/upgrade
#mkdir -p /var/www/html/wp-content/uploads

Set the user, group ownership and permissions for the directory:

#chown -R www-data:www-data /var/www/html

Next, run two find commands to set the correct permissions on the WordPress directories and files:

#find /var/www/html/ -type d -exec chmod 750 {} \;
#find /var/www/html/ -type f -exec chmod 640 {} \;
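As an added example (not from the original page), the following script applies the chown/chmod scheme above to a document root and then verifies the result, which is worth doing because a single file left world-readable (for instance wp-config.php with the database password) undoes the rest. chown is skipped unless the script runs as root on a system with a www-data user, so it can be tried on the constructed scratch tree it builds; the 600 mode for wp-config.php is an addition beyond the page’s 640.

```shell
#!/bin/sh
# Added example, not from the original page: apply the ownership and 750/640
# scheme above and then verify that nothing in the document root grants any
# permission to "other". chown is skipped when not root (or when www-data
# does not exist) so the script can be tried as a normal user on a scratch
# copy. wp-config.php holds the database password and is tightened to 600.

# apply_wp_perms DOCROOT
apply_wp_perms() {
    docroot=$1
    if [ "$(id -u)" -eq 0 ] && id www-data >/dev/null 2>&1; then
        chown -R www-data:www-data "$docroot"
    fi
    find "$docroot" -type d -exec chmod 750 {} \;
    find "$docroot" -type f -exec chmod 640 {} \;
    if [ -f "$docroot/wp-config.php" ]; then
        chmod 600 "$docroot/wp-config.php"
    fi
}

# world_accessible DOCROOT -> prints every path readable, writable or
# executable by "other" (any of the low three permission bits set)
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# wp_perms_ok DOCROOT -> 0 when no path is world-accessible
wp_perms_ok() {
    [ -z "$(world_accessible "$1")" ]
}

# has_mode PATH OCTAL -> 0 when PATH has exactly that mode (e.g. 640)
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# --- constructed scratch tree standing in for /var/www/html ---
SCRATCH=$(mktemp -d)
mkdir -p "$SCRATCH/wp-content/uploads" "$SCRATCH/wp-content/upgrade"
printf '<?php // constructed placeholder\n' > "$SCRATCH/index.php"
printf '<?php // constructed placeholder\n' > "$SCRATCH/wp-config.php"
# typical state right after unpacking: directories 755, files 644
chmod 755 "$SCRATCH" "$SCRATCH/wp-content" "$SCRATCH/wp-content/uploads" "$SCRATCH/wp-content/upgrade"
chmod 644 "$SCRATCH/index.php" "$SCRATCH/wp-config.php"

echo "world-accessible before:"; world_accessible "$SCRATCH" | sed "s|$SCRATCH|<docroot>|"
apply_wp_perms "$SCRATCH"
echo "world-accessible after:";  world_accessible "$SCRATCH" | sed "s|$SCRATCH|<docroot>|"
wp_perms_ok "$SCRATCH" && echo "permissions OK"
```

Because the web server runs as www-data and owns the tree, 750/640 still lets it read everything and write into uploads and upgrade, while other local accounts get nothing.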

Finish the installation in a browser at http://ipaddress and follow the instructions.

Google webmaster sitemap xml namespace error

Change the opening <urlset> tag to look like the following:

<urlset xmlns="https://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://www.google.com/schemas/sitemap/0.9 https://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd" xmlns:image="https://www.google.com/schemas/sitemap-image/1.1">

Force non www and https and vice-versa with .htaccess

Redirect from www to non-www and from HTTP to HTTPS with .htaccess, so that

http://example.com
http://www.example.com

redirect to

https://example.com

Insert the following at the top of .htaccess:

# pass the default character set
AddDefaultCharset utf-8

Options All -Indexes
Options +FollowSymlinks
RewriteEngine On
# NOW WWW HTTPS
#RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

If the canonical URL should be www.example.com instead, the host condition must be negated (!^www\.), otherwise a request that already uses www over HTTPS would be redirected to itself in a loop:

# pass the default character set
AddDefaultCharset utf-8

Options All -Indexes
Options +FollowSymlinks
RewriteEngine On
# WWW + HTTPS
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]

How it works

RewriteEngine On

The first line enables the Apache runtime rewriting engine, required to perform the redirect. You may have already enabled it in a previous config in the same file. If that’s the case, you can skip that line.

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]

These two lines are the redirect conditions, they are used to determine if the request should be redirected. Because the conditions are joined with an [OR], if any of those two conditions returns true, Apache will execute the rewrite rule (the redirect).

The first condition determines if the request is using a non-HTTPS URL. The second condition determines if the request is using the www URL. Notice that I used www\. and not www., because the pattern is a regular expression and the . dot has a special meaning here, hence it must be escaped.

RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]

The fourth line is a convenient line I used to avoid referencing the hostname directly in the URL. It matches the HOST of the incoming request, and decomposes it into www part (if any), and rest of the hostname. We’ll reference it later with %1 in the RewriteRule.

If you know the host name in advance, you may improve the rule by inlining the URL and skipping this condition (see later).

RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]

The RewriteRule is the heart of the redirect. With this line we tell Apache to redirect any request to a new URL, composed of:

https://www.
%1: the reference to the non-www part of the host
%{REQUEST_URI}: the URI of the request, without the hostname

All these tokens are joined together, and represent the final redirect URI. Finally, we append 3 flags:

NE to not escape special characters
R=301 to use the HTTP 301 redirect status

L to stop processing other rules, and redirect immediately

Remarks

As I’ve already mentioned, my example uses an extra RewriteCond line to extract the host name, and avoid inlining the hostname in the rule. If you feel this is a performance penalty for you, you can inline the host directly in the rule:

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,NE,R=301]

Original article: https://simonecarletti.com/blog/2016/08/redirect-domain-http-https-www-apache/
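The two rule sets above differ only in the host condition and the target, and the “How it works” section explains why; what it does not show is how to tell, before deploying, whether a variant loops. The following is an added example, not from the original page or the linked article: a small shell simulator of those conditions that follows the redirects a request would receive until they stop, with a hop limit that reports a loop. The third variant, www_loop, is the www-preferring target combined with the un-negated ^www\. condition, to show why the negated form is required for that case.

```shell
#!/bin/sh
# Added example, not part of the original page: a small simulator of the
# RewriteCond/RewriteRule logic shown above, to check that a rule set settles
# on the canonical URL instead of redirecting forever. It reproduces only the
# decisions the conditions make (HTTPS on/off, host starts with "www." or not,
# the %1 capture of the bare host); it is not mod_rewrite.

# redirect_target SCHEME HOST URI VARIANT -> prints the redirect Location, or
# nothing when no condition matches. VARIANT selects the rule set:
#   nonwww   : %{HTTPS} off [OR] %{HTTP_HOST} ^www\.  -> https://%1...
#   www      : %{HTTPS} off [OR] %{HTTP_HOST} !^www\. -> https://www.%1...
#   www_loop : %{HTTPS} off [OR] %{HTTP_HOST} ^www\.  -> https://www.%1...
#              (www target with the un-negated host condition)
redirect_target() {
    scheme=$1 host=$2 uri=$3 variant=$4
    https_off=0; [ "$scheme" = "https" ] || https_off=1
    has_www=0;   case "$host" in www.*) has_www=1 ;; esac
    bare=${host#www.}        # what ^(?:www\.)?(.+)$ captures as %1
    case "$variant" in
        nonwww)   [ $https_off -eq 1 ] || [ $has_www -eq 1 ] && echo "https://$bare$uri" ;;
        www)      [ $https_off -eq 1 ] || [ $has_www -eq 0 ] && echo "https://www.$bare$uri" ;;
        www_loop) [ $https_off -eq 1 ] || [ $has_www -eq 1 ] && echo "https://www.$bare$uri" ;;
    esac
    return 0
}

# follow SCHEME HOST URI VARIANT -> prints the final URL a client ends up at,
# or LOOP (exit 1) when more than 5 redirects are issued
follow() {
    scheme=$1 host=$2 uri=$3 variant=$4 hops=0
    while :; do
        next=$(redirect_target "$scheme" "$host" "$uri" "$variant")
        if [ -z "$next" ]; then
            echo "$scheme://$host$uri"; return 0
        fi
        hops=$((hops + 1))
        if [ "$hops" -gt 5 ]; then
            echo "LOOP"; return 1
        fi
        # split the Location into scheme, host and URI for the next hop
        rest=${next#*://}; scheme=${next%%://*}
        host=${rest%%/*};  uri=/${rest#*/}
    done
}

# table of requests against each variant
for variant in nonwww www www_loop; do
    for req in "http example.com /" "http www.example.com /wp-admin/" "https www.example.com /"; do
        set -- $req
        printf '%-9s %s://%s%s -> %s\n' "$variant" "$1" "$2" "$3" "$(follow "$1" "$2" "$3" "$variant")"
    done
done
```

The table shows nonwww and www each settling after at most one hop, while www_loop keeps redirecting https://www.example.com/ to itself, which is exactly what a browser reports as “too many redirects”.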

Admin Prestashop cannot login after migration

Unable to log in to the PrestaShop admin after migrating to another server.

The following steps (from https://stackoverflow.com/questions/11335073/prestashop-cant-login-in-admin) were tried without success:

  • Clear your browser cache and your cookies
  • Try using Firefox instead of Chrome (which seems to have some unexpected problems)
  • Check PS_SHOP_DOMAIN and PS_SHOP_DOMAIN_SSL in the ps_configuration table
  • Manually clear the Smarty cache: remove all files from tools/smarty/compile and tools/smarty/cache
  • Disable the IP check in classes/Cookie.php (this can cause many issues with dynamic IPs): in isLoggedBack(), remove or comment out the fourth condition:

AND (!isset($this->_content['remote_addr']) OR $this->_content['remote_addr'] == ip2long(Tools::getRemoteAddr()) OR !Configuration::get('PS_COOKIE_CHECKIP'))

  • Make the expiry time shorter for cookies (IE can have issues with long-lived cookies): in the classes/Cookie.php constructor, set

$this->_expire = isset($expire) ? (int)($expire) : (time() + 3600);

instead of

$this->_expire = isset($expire) ? (int)($expire) : (time() + 1728000);

Another solution

Check the latest entries in the Apache error log:

#tail -f /var/log/apache2/error.log
.............................
[Tue Dec 26 06:46:40.753880 2017] [:error] [pid 3816] [client 100.1.10.22:43351] PHP Fatal error: Call to undefined function mcrypt_encrypt() in /var/www/html/classes/Rijndael.php on line 50
..............................

Solution: install the PHP mcrypt extension

On Windows

In php.ini, change ;extension=php_mcrypt.dll to extension=php_mcrypt.dll, then restart your Apache server.

On Red Hat

#yum install php55-mcrypt          (PHP 5.5)
#yum install php-mcrypt            (PHP older than 5.4)
#service httpd restart             (Apache 2.4)
#/etc/init.d/httpd restart         (Apache 2.2 or older)

On Ubuntu

#apt-get install php5-mcrypt
#service apache2 restart

Install SSL Certificate Apache Debian 7

The Apache server, the Apache2 mod_rewrite module and OpenSSL are installed by default on Debian 7.

Check the OpenSSL version:

#openssl version

OpenSSL 1.0.1t  3 May 2016

Create SSL directory

#mkdir -p /etc/apache2/ssl
#cd /etc/apache2/ssl

Generate a private key and a Certificate Signing Request (CSR) for its public key:

#openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out myserver.csr

*** replace myserver with the domain name (e.g. example.com)

This creates two files, myserver.key and myserver.csr. Enter your details at the CSR prompts and leave the challenge password empty:

Generating a 2048 bit RSA private key
.......................+++
.........+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:New South Wales
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Pty Ltd
Organizational Unit Name (eg, section) []:Web SSL Security
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

done!

#ls -la /etc/apache2/ssl
-rw-r--r-- 1 root root 1123 Nov 18 18:23 example.com.csr
-rw-r--r-- 1 root root 1704 Nov 18 18:23 example.com.key

Note that the private key above was created world-readable (mode 644); restrict it to root (mode 600) before going on, since anyone able to read it can impersonate the site.
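The CSR step above is interactive and, as the listing shows, leaves the private key world-readable. The script below is an added example, not code from the original page: it produces the same key and CSR non-interactively with -subj, creates the key readable only by its owner, and checks the CSR’s own signature and that its modulus matches the key before the CSR is pasted into the vendor’s form. It assumes openssl is on PATH; the subject values are the placeholders used on this page.

```shell
#!/bin/sh
# Added example, not from the original page: the key and CSR generation from
# above, done non-interactively, with the private key written readable by its
# owner only, and with the CSR verified before it is sent to the CA.
# Assumes openssl on PATH; subject fields are this page's placeholder values.

# make_csr OUTDIR NAME CN -> OUTDIR/NAME.key (mode 600) and OUTDIR/NAME.csr
make_csr() {
    outdir=$1 name=$2 cn=$3
    (   # subshell so the umask change does not leak into the caller
        umask 077
        openssl req -nodes -newkey rsa:2048 \
            -keyout "$outdir/$name.key" -out "$outdir/$name.csr" \
            -subj "/C=AU/ST=New South Wales/L=Sydney/O=Example Pty Ltd/OU=Web SSL Security/CN=$cn" \
            2>/dev/null
    )
}

# csr_cn CSRFILE -> prints the Common Name after checking the CSR's own
# signature; fails if the file is corrupt or was edited after signing
csr_cn() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1 || return 1
    # subject prints as "/C=AU/.../CN=host" (OpenSSL 1.0) or
    # "C = AU, ..., CN = host" (1.1 and later); handle both
    openssl req -noout -subject -in "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# key_matches_csr KEYFILE CSRFILE -> 0 when both carry the same RSA modulus,
# i.e. the CSR really was produced from this key
key_matches_csr() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl req -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_private KEYFILE -> 0 when neither group nor other can read the key
key_private() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

if command -v openssl >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_csr "$dir" example.com example.com
    echo "CN in CSR:     $(csr_cn "$dir/example.com.csr")"
    key_matches_csr "$dir/example.com.key" "$dir/example.com.csr" && echo "key/CSR match: yes"
    key_private "$dir/example.com.key" && echo "key private:   yes"
    ls -l "$dir"
fi
```

The CN check catches a typo in the domain before the vendor issues a certificate for the wrong name; the modulus check catches the case where the key on disk is not the one the CSR was made from, which otherwise only shows up when Apache refuses to start with the issued certificate.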

To obtain the certificate (CRT) and CA bundle, open example.com.csr and paste its contents into the form of the vendor you bought the certificate from. Follow their steps, then wait around 5 minutes for activation; an email from Comodo Security Services arrives with the certificate and CA files attached. Download them and upload all the Cert and CA files to /etc/apache2/ssl on the server:

#cd /etc/apache2/ssl

Replace every “AllowOverride None” with “AllowOverride all”, then insert the SSL configuration into default-ssl.

The settings below are outdated: skip them and use the configuration from the Qualys SSL Labs rating A page instead.

#vim /etc/apache2/sites-available/default-ssl
SSLEngine on

# taken from https://www.apachelounge.com/viewtopic.php?t=7474

SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
SSLHonorCipherOrder On

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA25$

SSLProxyProtocol +TLSv1.2 -SSLv2 -SSLv3

SSLCertificateFile /etc/apache2/ssl/example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
SSLCertificateChainFile /etc/apache2/ssl/example.com.ca-bundle

Enable SSL Module

Ensure that the Apache SSL module is enabled, and enable the default-ssl site configuration. ‘default-ssl’ can be replaced by the name of the site you set up in /etc/apache2/sites-available/.

#cd /etc/apache2/ssl

Enable the SSL module:

#a2enmod ssl

Disable the SSL module:

#a2dismod ssl

Enable the SSL site:

#a2ensite default-ssl

Disable the SSL site:

#a2dissite default-ssl

To activate the new configuration, you need to run:

#service apache2 reload

 

Debian 8 Install PHP5 Mariadb-Server Apache

Update and upgrade the system; the following error may occur:

#apt update -y && apt dist-upgrade -y
E: Release file for http://cloudfront.debian.net/debian/dists/jessie-backports/InRelease is expired (invalid since 487d 11h 2min 2s). Updates for this repository will not be applied

Solution: add -o Acquire::Check-Valid-Until=false to the command. This makes apt ignore the Release file’s Valid-Until date, a check that exists so that a stale copy of the repository index is not accepted as current, so use it only for archived repositories that no longer receive updates.

#sudo apt-get -o Acquire::Check-Valid-Until=false update
#sudo apt-get -o Acquire::Check-Valid-Until=false dist-upgrade
#apt-get install -y software-properties-common

Then reboot.

Install the Apache2, Mariadb-Server, PHP5

#apt-get install apache2

Enable and load mod_rewrite Apache2 on Debian 8

#a2enmod rewrite

Then open /etc/apache2/apache2.conf, find the block for the document root and replace “AllowOverride None” with “AllowOverride All” so that it reads:

Options Indexes FollowSymLinks
AllowOverride All
Require all granted

Enable Apache2 mod_headers & mod_expires on

To increase PageSpeed: Leverage browser caching.

enable mod_headers:

#a2enmod headers

enable mod_expires:

#a2enmod expires

Then restart Apache to make these changes effective:

#service apache2 restart

Install PHP 5

#apt-get install php5 php-pear php5-mysql php5-gd

If that succeeds, go on to install MariaDB. If the error below occurs instead, follow the instructions after it:

Package php5 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'php5' has no installation candidate

Install the required packages, import the package signing key, then add the sury.org repository for the PHP packages:

#apt install ca-certificates apt-transport-https
#wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
#echo "deb https://packages.sury.org/php/ stretch main" | tee /etc/apt/sources.list.d/php.list

Installing PHP 5.6

Execute the following commands for installing PHP 5.6

#apt update
#apt install php5.6
#apt-get install php5.6-cli php5.6-common php5.6-curl php5.6-mbstring php5.6-mysql php5.6-xml php5.6-gd

Finish up by restarting apache:

#service apache2 restart

Test whether PHP works

Create a new PHP file in /var/www/html

#vim info.php

with the content

<?php phpinfo(); ?>

Open http://localhost/info.php in a browser. Remove the file after the test; it exposes the PHP configuration to anyone who can reach the server.

Install Mariadb-Server

#apt-get install mariadb-server
#mysql_secure_installation

Install OpenVPN Server on Debian 8

Requirements to install OpenVPN on Debian 8

  • Update and upgrade Debian 8: #apt-get update -y && apt-get upgrade -y
  • TUN/TAP must be enabled in the VPS control panel/client area
  • Do not reboot until the OpenVPN clients have been added and the server has started successfully, otherwise you have to start from the beginning
  • Install and configure the iptables firewall as described below
  • Check that the Universal TUN/TAP device driver exists in the kernel:

#grep tun /var/log/kern.log
May  1 03:42:53 ubuntu16 kernel: [    1.147941] tun: Universal TUN/TAP device driver, 1.6
May  1 03:42:53 ubuntu16 kernel: [    1.149404] tun: (C) 1999-2004 Max Krasnyansky <[email protected]>

First find the public network interface (eth0, venet0, wlp11s0, etc.):

#ifconfig
eth0      Link encap:Ethernet  HWaddr 05:54:51:9f:cd:5a
          inet addr:120.x.x.x  Bcast:120.x.x.x  Mask:255.255.255.0

The public interface is “eth0”. Then run the following IPv4 iptables rules:

/sbin/iptables -F && /sbin/iptables -X \
&& /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP \
&& /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP \
&& /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP \
&& /sbin/iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT \
&& /sbin/iptables -A INPUT -i lo -j ACCEPT && /sbin/iptables -A OUTPUT -o lo -j ACCEPT \
&& /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT \
&& /sbin/iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT \
&& /sbin/iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT \
&& /sbin/iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT \
&& /sbin/iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT \
&& /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT \
&& /sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT \
&& /sbin/iptables -A INPUT -i tun0 -j ACCEPT \
&& /sbin/iptables -A FORWARD -i tun0 -j ACCEPT \
&& /sbin/iptables -A OUTPUT -o tun0 -j ACCEPT \
&& /sbin/iptables -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT \
&& /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT \
&& /sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE \
&& /sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT \
&& /sbin/iptables -P OUTPUT ACCEPT \
&& /sbin/iptables -P INPUT DROP

Install iptables-persistent so the rules are restored at boot:

#apt-get install iptables-persistent

Add the NAT rules to iptables and make them permanent by adding them to rc.local:

#nano /etc/rc.local

Insert the iptables rules below (above exit 0):

/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
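The rule list above is applied with a long chain of iptables calls and then re-added from rc.local on every boot, which appends duplicate rules each time. The following function is an added example, not from the original page: it renders the same policy (default-drop input, SSH and the VPN port open, tun0 accepted, forwarding and masquerading for the VPN subnet) as an iptables-restore ruleset, the format iptables-persistent loads atomically from /etc/iptables/rules.v4. The interface, subnet, port and protocol are parameters. It uses -m conntrack in place of the older -m state, a FORWARD policy of DROP in place of the trailing REJECT rule, and leaves out the page’s extra ports (53, 80, 443), which can be added the same way as the SSH line.

```shell
#!/bin/sh
# Added example, not from the original page: render the firewall above as an
# iptables-restore ruleset, the format iptables-persistent loads at boot from
# /etc/iptables/rules.v4. Loading one complete ruleset atomically avoids the
# duplicates that appending rules from rc.local creates on every boot.
# Parameters default to the page's values (eth0, 10.8.0.0/24, 1194/tcp).

# render_rules WAN_IF VPN_NET VPN_PORT VPN_PROTO -> ruleset on stdout
render_rules() {
    wan=${1:-eth0} net=${2:-10.8.0.0/24} port=${3:-1194} proto=${4:-tcp}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# VPN clients leave through the public interface using its address
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# malformed TCP: no flags, all flags, new connection without SYN
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p $proto --dport $port -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
# forward only VPN traffic, plus the replies to it
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun0 -o $wan -s $net -j ACCEPT
COMMIT
EOF
}

# rule_present RULESET LINE -> 0 when LINE occurs verbatim in RULESET
rule_present() {
    printf '%s\n' "$1" | grep -Fqx -- "$2"
}

# Print the ruleset with the page's values. To install it on the server:
#   render_rules eth0 10.8.0.0/24 1194 tcp > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
render_rules eth0 10.8.0.0/24 1194 tcp
```

Because iptables-restore replaces each table as a whole, the file can be regenerated and reloaded any number of times without the rule count growing, and `iptables-restore --test` can check it for syntax errors before it is loaded.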

Enable Packet Forwarding

Tell the server to forward traffic from clients out to the internet: edit /etc/sysctl.conf, uncomment net.ipv4.ip_forward, then restart networking

#vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
#/etc/init.d/networking restart

Install the OpenVPN server and easy-rsa for the certificates

#apt-get install openvpn easy-rsa

Configure the OpenVPN server

Extract the sample configuration to /etc/openvpn/server.conf (keep the name server.conf):

#gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
#vim /etc/openvpn/server.conf

Use the stronger 2048-bit Diffie-Hellman parameters, dh2048.pem, instead of dh1024.pem:

# dh dh1024.pem
dh dh2048.pem

Adjust the port and protocol

By default the port is 1194 over UDP. Change the protocol to TCP and change the explicit-exit-notify directive’s value from 1 to 0: that option is only valid with UDP and causes errors with TCP.

#vim /etc/openvpn/server.conf
port 1194
proto tcp
explicit-exit-notify 0

Route all client traffic through the VPN: uncomment push “redirect-gateway def1 bypass-dhcp” so the server passes on the clients’ web traffic

push "redirect-gateway def1 bypass-dhcp"

Set the server to push OpenDNS for DNS resolution, so that DNS requests do not leak outside the VPN connection: uncomment push “dhcp-option DNS 208.67.222.222” and push “dhcp-option DNS 208.67.220.220”.

# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Set the user and group the server runs as in server.conf to nobody and nogroup:

# non-Windows systems.
user nobody
group nogroup

Configure and Build the Certificate Authority

OpenVPN uses certificates to encrypt traffic, so we set up and generate our own Certificate Authority (CA). OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established. We will use Easy-RSA’s scripts to do this.

First copy over the Easy-RSA generation scripts.

#cp -r /usr/share/easy-rsa/ /etc/openvpn

Then, create a directory to house the key.

#mkdir /etc/openvpn/easy-rsa/keys

Next, we will set parameters for our certificate.

#vim /etc/openvpn/easy-rsa/vars

The variables can be changed according to your preference.

export KEY_COUNTRY="US"
export KEY_PROVINCE="TX"
export KEY_CITY="Dallas"
export KEY_ORG="My Company Name"
export KEY_EMAIL="[email protected]"
export KEY_OU="MYOrganizationalUnit"

In the same vars file, also edit the line shown below, right after the block just modified. For simplicity, we will use server as the key name; if you want a different name, you would also need to update the OpenVPN configuration files that reference server.key and server.crt. Change the default value of export KEY_NAME to your desired server name; this tutorial uses “server”:

# X509 Subject Field
export KEY_NAME="server"

Next, we will generate the Diffie-Hellman parameters using a built-in OpenSSL tool called dhparam. The -out flag specifies where to save the new parameters.

#openssl dhparam -out /etc/openvpn/dh2048.pem 2048

The Diffie-Hellman parameters are now generated, and it’s time to build the CA and generate the keys.

First, we will switch into the easy-rsa directory.

#cd /etc/openvpn/easy-rsa

Now, we can begin setting up the CA itself. First, initialize the Public Key Infrastructure (PKI). Pay attention to the dot (.) and space in front of ./vars: that leading dot is the shell’s source command, which runs the script in the current shell so its exported variables stay set.

#. ./vars

The following warning will be printed. Do not worry, as the directory named in the warning is empty:

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

Next, we’ll clear all other keys that may interfere with our installation.

#./clean-all

Finally, we will build the CA using an OpenSSL command. This command will prompt you for a confirmation of “Distinguished Name” variables that were entered earlier. Press ENTER to accept existing values.

#./build-ca

Press ENTER at each prompt (all values have been set in the vars file).

The Certificate Authority is now set up.

Error on Debian 9 when running ./build-ca

grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x

Solution: link the versioned config to the name the script expects, in /etc/openvpn/easy-rsa:

#ln -s openssl-1.0.0.cnf openssl.cnf

Generate a Certificate and Key for the Server

Still working from /etc/openvpn/easy-rsa, build your key with the server name specified earlier as KEY_NAME in your configuration file.

#cd /etc/openvpn/easy-rsa
#./build-key-server server

Again, the output will ask for confirmation of the Distinguished Name. Hit ENTER to accept the defined default values. This time, there will be two additional prompts:

A challenge password []:
An optional company name []:

Both should be left blank, so just press ENTER to pass through.

Two additional queries at the end require a positive (y) response:

Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]

You will then be prompted with the following, indicating success:

Write out database with 1 new entries
Data Base Updated

Move the Server Certificates and Keys

We will now copy the certificate and key to /etc/openvpn, as OpenVPN will search in that directory for the server’s CA, certificate, and key.

#cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

You can verify the copy was successful with:

#ls -la /etc/openvpn

You should see the certificate and key files (server.crt, server.key, ca.crt).

At this point, the OpenVPN server is ready to go. Start it and check the status:

#service openvpn start

Check that OpenVPN started successfully: ifconfig should now show a tun0 interface

#ifconfig
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Error on Debian 9: WARNING: cannot stat file ‘ta.key’: No such file or directory (errno=2)

#systemctl status openvpn@server
Jun 30 19:43:38 debian-s-1vcpu-1gb-sgp1-01 systemd[1]: Starting OpenVPN connection to server...
Jun 30 19:43:38 debian-s-1vcpu-1gb-sgp1-01 ovpn-server[2595]: WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)

Solution: edit /etc/openvpn/server.conf and comment out “tls-auth ta.key 0”, then restart the service. Commenting it out removes the tls-auth HMAC that protects the TLS control channel; generating a shared ta.key with OpenVPN’s --genkey option and giving it to every client keeps that protection.

#vim /etc/openvpn/server.conf
# The second parameter should be '0'
# on the server and '1' on the clients.
#tls-auth ta.key 0 # This file is secret

#systemctl restart openvpn@server
#systemctl status openvpn@server
Generate Certificates and Keys for Clients

In this step, we use the server’s CA to generate certificates and keys for each client device which will be connecting to the VPN.

Client Key and Certificate Building

It’s ideal for each client connecting to the VPN to have its own unique certificate and key. Note: By default, OpenVPN does not allow simultaneous connections to the server from clients using the same certificate and key. (See duplicate-cn in /etc/openvpn/server.conf.).

To create separate authentication credentials for each device, repeat this step for each one, changing the name client1 to client2, and so on:

#cd /etc/openvpn/easy-rsa
#./build-key client1

You’ll be asked to change or confirm the Distinguished Name variables, which should be left blank, just press ENTER to accept the defaults.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

As before, these two confirmations at the end of the build process require a (y) response:

Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]

You will then receive the following output, confirming successful key build.

Write out database with 1 new entries.
Data Base Updated

Then, copy the sample client configuration into the Easy-RSA keys directory we created earlier, as client1.ovpn. Note that the extension changes from .conf to .ovpn, to match convention.

#cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client1.ovpn

You can repeat this section again for each client, replacing client1 with the appropriate client name throughout.

Note: The name of your duplicated client1.ovpn doesn’t need to be related to the client device. The client-side OpenVPN application will use the filename as an identifier for the VPN connection itself. Instead, you should duplicate client1.ovpn to whatever you want the VPN’s name tag to be in your operating system. For example: work.ovpn will be identified as work, school.ovpn as school, etc.

We need to modify each client file to include the IP address of the OpenVPN server so it knows what to connect to. Open client1.ovpn and change “remote your_server_ip 1194” to the server’s address, here “remote 192.168.0.1 1194”:

#vim /etc/openvpn/easy-rsa/keys/client1.ovpn
# to load balance between the servers.
remote 192.168.0.1 1194

Next, uncomment “user nobody” and “group nogroup” by deleting the leading #. Note: this doesn’t apply to Windows clients, so you can skip it there.

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

Protocol

Match the port and protocol set on the server:

port 1194
proto tcp
explicit-exit-notify 0

Comment out tls-auth ta.key 1, since the server has no ta.key in this setup:

# If a tls-auth key is used on the server
# then every client must also have the key.
# tls-auth ta.key 1

Creating a Unified OpenVPN Profile for Client Devices

There are several methods for managing the client files but the easiest uses a unified profile. This is created by modifying the client1.ovpn template file to include the server’s Certificate Authority, and the client’s certificate and its key. Once merged, only the single client1.ovpn profile needs to be imported into the client’s OpenVPN application.

The area given below needs the three lines shown to be commented out so we can instead include the certificate and key directly in the client1.ovpn file. It should look like this when done:

#vim /etc/openvpn/easy-rsa/keys/client1.ovpn
# SSL/TLS parms.
# . . .
;ca ca.crt
;cert client.crt
;key client.key

Save the changes and exit. We will append the certificates and the key with shell commands.

First, add the Certificate Authority.

#echo '' >> /etc/openvpn/easy-rsa/keys/client1.ovpn
#cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/client1.ovpn
#echo '' >> /etc/openvpn/easy-rsa/keys/client1.ovpn

Second, add the certificate.

#echo '' >> /etc/openvpn/easy-rsa/keys/client1.ovpn
#cat /etc/openvpn/easy-rsa/keys/client1.crt >> /etc/openvpn/easy-rsa/keys/client1.ovpn
#echo '' >> /etc/openvpn/easy-rsa/keys/client1.ovpn

Third and finally, add the key.

#echo '' >> /etc/openvpn/easy-rsa/keys/client1.ovpn
#cat /etc/openvpn/easy-rsa/keys/client1.key >> /etc/openvpn/easy-rsa/keys/client1.ovpn
#echo '' >> /etc/openvpn/easy-rsa/keys/client1.ovpn

We now have a unified client profile. Using scp, you can then copy the client1.ovpn file to your second system.

Open client1.ovpn in a text editor and wrap each appended block in the inline tags OpenVPN expects: the CA certificate between <ca> and </ca>, the client certificate between <cert> and </cert>, and the private key between <key> and </key> (the three blocks sit at the bottom of the file, in that order).

Copy client1.ovpn to the client device, import it into the OpenVPN client application, and connect. The file now contains the client’s private key, so transfer it only over an encrypted channel such as scp and delete copies you no longer need.
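The append-and-tag steps above can be done in one go. The script below is an added example, not part of the original page or of OpenVPN: it strips the file-based ca/cert/key/tls-auth lines from the edited template, inlines only the PEM part of each file (easy-rsa .crt files carry a readable dump before the BEGIN line), optionally inlines ta.key with key-direction 1 for servers that use tls-auth, and makes the result owner-readable only. The demo inputs are constructed placeholders, not real keys; the paths under /etc/openvpn/easy-rsa/keys are the ones used on this page.

```shell
#!/bin/sh
# Build a unified .ovpn profile with <ca>/<cert>/<key> (and optionally
# <tls-auth>) blocks inlined. Added example for this page; it assumes the
# easy-rsa 2 layout used above (/etc/openvpn/easy-rsa/keys).
set -eu

# Keep only the PEM block(s). easy-rsa .crt files carry a human-readable
# dump before "-----BEGIN CERTIFICATE-----"; OpenVPN tolerates it, but a
# profile holding only the PEM is easier to review.
pem_only() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# build_profile TEMPLATE CA CERT KEY OUT [TA]
#   TEMPLATE  the edited client.conf copy (remote, proto, port already set)
#   TA        optional ta.key; the client side uses key-direction 1 when the
#             server uses "tls-auth ta.key 0"
build_profile() {
    template=$1 ca=$2 cert=$3 key=$4 out=$5 ta=${6:-}
    # Drop file-based ca/cert/key/tls-auth lines, commented or not: the
    # material is inlined below and a file reference would conflict with it.
    grep -Ev '^[;#]*[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$template" > "$out"
    {
        printf '<ca>\n';   pem_only "$ca";   printf '</ca>\n'
        printf '<cert>\n'; pem_only "$cert"; printf '</cert>\n'
        printf '<key>\n';  pem_only "$key";  printf '</key>\n'
        if [ -n "$ta" ]; then
            printf 'key-direction 1\n<tls-auth>\n'
            pem_only "$ta"
            printf '</tls-auth>\n'
        fi
    } >> "$out"
    chmod 600 "$out"   # the profile now contains a private key
}

# Constructed placeholder inputs so the script runs offline; the PEM bodies
# are NOT real certificates or keys.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'client' 'dev tun' 'proto tcp' 'remote 192.168.0.1 1194' \
        ';ca ca.crt' ';cert client.crt' ';key client.key' '# tls-auth ta.key 1' \
        > "$dir/client1.ovpn.in"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0EgUExBQ0VIT0xERVI=' \
        '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n' 'Certificate:' '    Data:' '-----BEGIN CERTIFICATE-----' \
        'Q0xJRU5UIFBMQUNFSE9MREVS' '-----END CERTIFICATE-----' > "$dir/client1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'S0VZIFBMQUNFSE9MREVS' \
        '-----END PRIVATE KEY-----' > "$dir/client1.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
        '-----BEGIN OpenVPN Static key V1-----' '0123456789abcdef' \
        '-----END OpenVPN Static key V1-----' > "$dir/ta.key"
    build_profile "$dir/client1.ovpn.in" "$dir/ca.crt" "$dir/client1.crt" \
        "$dir/client1.key" "$dir/client1.ovpn" "$dir/ta.key"
    echo "$dir/client1.ovpn"
}

# On the real server you would run, for example:
# build_profile /etc/openvpn/easy-rsa/keys/client1.ovpn /etc/openvpn/ca.crt \
#   /etc/openvpn/easy-rsa/keys/client1.crt /etc/openvpn/easy-rsa/keys/client1.key \
#   /root/client1-unified.ovpn
profile=$(demo)
echo "built $profile"
```

Pass ta.key as the sixth argument only when the server.conf has a tls-auth line; otherwise the client would send an HMAC the server does not expect and the handshake would fail.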

Adding another OpenVPN client

Every client gets its own certificate and key. Do not hand a copy of client1.ovpn to a second device: by default the server allows only one connection per certificate common name, and a key shared between devices cannot be revoked for one of them alone.

#cd /etc/openvpn/easy-rsa
#./build-key newclient
#cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/newclient.ovpn

Then follow the same steps as for client1 (remote, user/group, port and protocol, tls-auth, and appending ca.crt, newclient.crt and newclient.key), open newclient.ovpn, and wrap the three blocks at the bottom of the file in <ca></ca>, <cert></cert> and <key></key>.

Another way: transferring the certificates and keys to client devices as separate files

Recall from the steps above that we created the client certificates and keys, and that they are stored on the OpenVPN server in the /etc/openvpn/easy-rsa/keys directory.

For each client we need to transfer the client certificate, key, and profile template files to a folder on our local computer or another client device.

In this example, our client1 device requires its certificate and key, located on the server in:

  • /etc/openvpn/easy-rsa/keys/client1.crt
  • /etc/openvpn/easy-rsa/keys/client1.key

The ca.crt file is the same for all clients, and client1.ovpn serves as the profile. With this method the ;ca ca.crt, ;cert client.crt and ;key client.key lines in the profile must be uncommented and pointed at the downloaded file names instead of being inlined. Download these two files as well; note that ca.crt is in a different directory than the others.

  • /etc/openvpn/easy-rsa/keys/client1.ovpn
  • /etc/openvpn/ca.crt

While the exact applications used to accomplish this transfer will depend on your choice and device’s operating system, you want the application to use SFTP (SSH file transfer protocol) or SCP (Secure Copy) on the backend. This will transport your client’s VPN authentication files over an encrypted connection.

Here is an example SCP command using our client1 example. It places the file client1.key into the Downloads directory on the local computer; repeat it for the other three files, and keep the key file readable only by your own user.

scp root@your-server-ip:/etc/openvpn/easy-rsa/keys/client1.key Downloads/

At the end of this section, make sure you have these four files on your client device:

  • client1.crt
  • client1.key
  • client1.ovpn
  • ca.crt

Errors seen during testing

After installation, the first test connection from the client succeeded but the client could not browse the Internet. Try restarting the server, then connect the client again.

The client can ping an IP address but cannot ping a name such as google.com <- check that the NAT rules are really correct. Because plain IP traffic works, this is a name-resolution problem rather than a routing one: the server must push a DNS server the client can reach through the tunnel (push "dhcp-option DNS ..." in server.conf), and the NAT rules must also let that DNS traffic out.

Error in the client log: MANAGEMENT: >STATE:1540202737,WAIT,,,,,, (the client is waiting for the server’s first reply and never receives one)

Check the firewall to see whether port 1194 has actually been opened.

The port (1194) in the OpenVPN server.conf MUST BE THE SAME as in client1.ovpn.

The choice of TCP or UDP in the OpenVPN server.conf MUST BE THE SAME as in client1.ovpn.
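The last three checks can be scripted so the mismatch is found before anyone stares at a WAIT state. The script below is an added example, not part of the original page: it reads the effective protocol and port from a server.conf and a client .ovpn (the client’s remote line wins over port/proto lines, and OpenVPN’s defaults of UDP and 1194 apply when nothing is set), compares them, and offers a listening check to run on the server. The two configs in the demo are constructed fragments; the paths in the comments are the ones used on this page.

```shell
#!/bin/sh
# Check that server.conf and a client .ovpn agree on protocol and port.
# Added example for this page; file paths are placeholders.
set -eu

# Print "proto port" as a config file would apply it.
endpoint_of() {
    awk '
        $1 == "port"   { port = $2 }
        $1 == "proto"  { proto = $2 }
        $1 == "remote" { if (NF >= 3) port = $3; if (NF >= 4) proto = $4 }
        END {
            if (port == "")  port = "1194"   # OpenVPN default
            if (proto == "") proto = "udp"   # OpenVPN default
            # Fold udp4/tcp6/tcp-client/tcp-server spellings to udp or tcp
            sub(/[46]?(-client|-server)?$/, "", proto)
            print proto, port
        }' "$1"
}

# check_endpoints SERVER_CONF CLIENT_OVPN -> 0 when they match, 1 otherwise
check_endpoints() {
    server=$(endpoint_of "$1")
    client=$(endpoint_of "$2")
    if [ "$server" = "$client" ]; then
        echo "OK: server and client both use $server"
        return 0
    fi
    echo "MISMATCH: server uses '$server' but client uses '$client'" >&2
    return 1
}

# listening PROTO PORT -> 0 when something on this host listens there.
# Run on the server; needs iproute2 (ss). If this passes but the client still
# sits in WAIT, the packet is being dropped by a firewall in between.
listening() {
    proto=$1 port=$2
    if [ "$proto" = "udp" ]; then flag=u; else flag=t; fi
    ss -ln"$flag" | grep -q ":$port "
}

# Constructed configs: the server from this page (TCP on 1194) and a client
# profile left on the sample file's default of UDP.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'port 1194' 'proto tcp' 'dev tun' > "$dir/server.conf"
    printf '%s\n' 'client' 'remote 192.168.0.1 1194' 'proto udp' > "$dir/bad.ovpn"
    printf '%s\n' 'client' 'remote 192.168.0.1 1194' 'proto tcp' > "$dir/good.ovpn"
    echo "$dir"
}

# Real use:
# check_endpoints /etc/openvpn/server.conf /etc/openvpn/easy-rsa/keys/client1.ovpn
d=$(demo)
check_endpoints "$d/server.conf" "$d/good.ovpn"
check_endpoints "$d/server.conf" "$d/bad.ovpn" || true
```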

Fix PrestaShop search module not working

Symptom: the front-office search returns nothing, even for products that exist.

Search
No results found for your search “Product ABC”

Check the PHP error log from a terminal:

#tail -f /var/log/apache2/error.log
..........................................................
[Sun Jun 04 05:19:28 2017] [error] [client 192.168.1.10] PHP Warning: preg_replace(): Compilation failed: disallowed Unicode code point (>= 0xd800 && <= 0xdfff) at offset 1829 in /var/www/classes/Search.php on line 84, referer: http://myprestashopweb.com/admin55/index.php?tab=AdminSearchConf&token=a20b3bdcb31d9a2bdcc064e53eb8487d&conf=4
..........................................................

Solution:

In UTF mode, PCRE (and therefore preg_replace) refuses to compile a character class that includes the UTF-16 surrogate code points U+D800 to U+DFFF, because those values are not valid Unicode scalar values and cannot occur in well-formed UTF-8. The range in Search.php starts at \x{d800}, so the whole pattern fails to compile, preg_replace returns NULL, and the indexer stores empty text, which is why every search comes back empty.

Open and edit the file Search.php (classes/Search.php):

vim /var/www/classes/Search.php

Find line 56:

'\x{a806}\x{a80b}\x{a823}-\x{a82b}\x{d800}-\x{f8ff}\x{fb1e}\x{fb29}\x{fd3e}'

Solve it by replacing the line with:

'\x{a806}\x{a80b}\x{a823}-\x{a82b}\x{e000}-\x{f8ff}\x{fb1e}\x{fb29}\x{fd3e}'

or, equivalently, change only d800 to e000. U+E000 is the first Private Use code point, so the new range excludes exactly the surrogates and still matches the same real characters as before.

Save the file and restart Apache so the changed code is loaded (if a PHP opcode cache is enabled, the restart is what clears it).

Then go to Administration -> Preferences -> Search and click:
-> Add missing products to index, and
-> Re-build entire index.
Save.
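Since classes/Search.php is shipped by PrestaShop, the edit should be repeatable and reversible. The script below is an added example, not part of the page or of PrestaShop: it applies exactly the d800-to-e000 change from above with a backup, refuses to touch a file that does not contain the offending range, verifies the result, and restores the backup if the replacement did not land. It assumes GNU sed (Debian) and works on a constructed copy of the relevant line; the path /var/www/classes/Search.php is the one used on this page.

```shell
#!/bin/sh
# Patch the surrogate range out of PrestaShop's classes/Search.php.
# Added example for this page; assumes GNU sed for "sed -i".
set -eu

# 0 when the file still contains the range that PCRE rejects.
needs_patch() {
    grep -qF '\x{d800}-\x{f8ff}' "$1"
}

# patch_search_php FILE -> 0 on success or when already patched, 1 on failure
patch_search_php() {
    file=$1
    if ! needs_patch "$file"; then
        echo "nothing to do: $file already patched"
        return 0
    fi
    cp -p "$file" "$file.bak"
    # Surrogates never occur in valid UTF-8, so starting the range at U+E000
    # (first Private Use code point) removes nothing that could have matched.
    sed -i 's/\\x{d800}-\\x{f8ff}/\\x{e000}-\\x{f8ff}/' "$file"
    if needs_patch "$file" || ! grep -qF '\x{e000}-\x{f8ff}' "$file"; then
        echo "patch failed, restoring backup" >&2
        cp -p "$file.bak" "$file"
        return 1
    fi
    echo "patched $file (backup in $file.bak)"
}

# Constructed stand-in for line 56 of Search.php, so this runs offline.
demo() {
    f=$(mktemp)
    printf '%s\n' '<?php' \
        "'\\x{a806}\\x{a80b}\\x{a823}-\\x{a82b}\\x{d800}-\\x{f8ff}\\x{fb1e}\\x{fb29}\\x{fd3e}'" > "$f"
    patch_search_php "$f" > /dev/null
    echo "$f"
}

# Real use: patch_search_php /var/www/classes/Search.php
f=$(demo)
echo "patched copy:"; cat "$f"
```

A PrestaShop upgrade overwrites classes/, so keep the backup and re-run the script after upgrading; PrestaShop also supports placing such changes in override/classes/Search.php, which survives upgrades.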

Enable Apache2 mod_headers and mod_expires on Debian 7

Purpose: raise the PageSpeed “Leverage browser caching” score by letting Apache set Expires and Cache-Control headers for static files (mod_expires) and adjust response headers directly (mod_headers).

enable mod_headers:

#a2enmod headers
Enabling module headers
To activate the new configuration, you need to run:
service apache2 restart

enable mod_expires:

#a2enmod expires
Enabling module expires
To activate the new configuration, you need to run:
service apache2 restart

Then restart the Apache server to make these changes effective:

#service apache2 restart
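Enabling the modules does nothing by itself; they need a policy. The script below is an added example, not part of the page or of Debian’s Apache packaging: it writes a caching policy that gives static assets a one-week lifetime while keeping HTML and PHP output (shop pages, carts, admin) out of shared caches, then enables the modules and syntax-checks before reloading so a typo cannot take the site down. The file name caching.conf and the lifetimes are choices; on Debian 7 (Apache 2.2) the file goes in /etc/apache2/conf.d/, whereas Apache 2.4 uses conf-available/ with a2enconf.

```shell
#!/bin/sh
# Browser-caching policy for mod_expires + mod_headers.
# Added example for this page; not PrestaShop or Debian configuration.
set -eu

# write_cache_conf PATH: write the policy to PATH.
write_cache_conf() {
    cat > "$1" <<'EOF'
<IfModule mod_expires.c>
    ExpiresActive On
    # Static assets: long lifetime (a changed file should get a new name or query string)
    ExpiresByType image/png               "access plus 1 week"
    ExpiresByType image/jpeg              "access plus 1 week"
    ExpiresByType image/gif               "access plus 1 week"
    ExpiresByType text/css                "access plus 1 week"
    ExpiresByType application/javascript  "access plus 1 week"
    # HTML may carry per-user content: never let it age in a cache
    ExpiresByType text/html               "access plus 0 seconds"
</IfModule>
<IfModule mod_headers.c>
    # Static files may be stored by shared proxies; max-age matches the week above
    <FilesMatch "\.(png|jpe?g|gif|css|js)$">
        Header set Cache-Control "public, max-age=604800"
    </FilesMatch>
    # Anything generated by PHP stays out of shared caches
    <FilesMatch "\.php$">
        Header set Cache-Control "private, no-store"
    </FilesMatch>
</IfModule>
EOF
}

# install_caching: apply on the server (run as root). Debian 7 / Apache 2.2
# includes /etc/apache2/conf.d/*; on Apache 2.4 write to conf-available/
# and run "a2enconf caching" instead.
install_caching() {
    conf=/etc/apache2/conf.d/caching.conf
    a2enmod headers expires
    write_cache_conf "$conf"
    apache2ctl configtest          # refuse to reload a broken config
    service apache2 restart
}

# Offline demonstration: write the policy to a temporary file and show it.
tmp=$(mktemp)
write_cache_conf "$tmp"
cat "$tmp"
```

After restarting, confirm the headers with curl -I against one image and one page: the image should carry Expires and Cache-Control: public, max-age=604800, the page Cache-Control: private, no-store.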