Installing Riot on a Debian 10 CT behind an Apache proxy

adduser ugit
  • Update the system
apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade
apt-get check && apt-get install -fy && apt-get autoremove && apt-get autoclean && apt-get clean
  • Create the public and internal domains
riot.siua.ac.cr
chat.siua.ac.cr
matrix.siua.ac.cr

Proxy

  • Request the certificates (done with certbot below, once the sites are enabled)
  • Create
nano /etc/apache2/sites-available/chat.siua.ac.cr.conf
  • Contents:
NameVirtualHost 181.193.87.6:80

<VirtualHost 181.193.87.6:80>

        #************************************************************************
        #******************* WEBSITE DATA ***************************************
        #************************************************************************
        ServerName chat.siua.ac.cr
        ServerAlias www.chat.siua.ac.cr
        ErrorLog /var/log/apache2/chat_80.siua.ac.cr-error.log
        CustomLog /var/log/apache2/chat_80.siua.ac.cr-access.log common

        #************************************************************************
        #********************** WEBMASTER DATA **********************************
        #************************************************************************
        ServerAdmin interuniversitariadealajuela@gmail.com
        Header add Author "Unidad de Gestion e Innovacion Tecnologica"

        #************************************************************************
        #************************** REDIRECTION DATA ****************************
        #************************************************************************

</VirtualHost>
  • Create
nano /etc/apache2/sites-available/riot.siua.ac.cr.conf
  • Contents
NameVirtualHost 181.193.87.6:80

<VirtualHost 181.193.87.6:80>

        #************************************************************************
        #******************* WEBSITE DATA ***************************************
        #************************************************************************
        ServerName riot.siua.ac.cr
        ServerAlias www.riot.siua.ac.cr
        ErrorLog /var/log/apache2/riot_80.siua.ac.cr-error.log
        CustomLog /var/log/apache2/riot_80.siua.ac.cr-access.log common

        #************************************************************************
        #********************** WEBMASTER DATA **********************************
        #************************************************************************
        ServerAdmin interuniversitariadealajuela@gmail.com
        Header add Author "Unidad de Gestion e Innovacion Tecnologica"

        #************************************************************************
        #************************** REDIRECTION DATA ****************************
        #************************************************************************

</VirtualHost>
  • Create
nano /etc/apache2/sites-available/matrix.siua.ac.cr.conf
  • Contents
NameVirtualHost 181.193.87.6:80

<VirtualHost 181.193.87.6:80>

        #************************************************************************
        #******************* WEBSITE DATA ***************************************
        #************************************************************************
        ServerName matrix.siua.ac.cr
        ServerAlias www.matrix.siua.ac.cr
        ErrorLog /var/log/apache2/matrix_80.siua.ac.cr-error.log
        CustomLog /var/log/apache2/matrix_80.siua.ac.cr-access.log common

        #************************************************************************
        #********************** WEBMASTER DATA **********************************
        #************************************************************************
        ServerAdmin interuniversitariadealajuela@gmail.com
        Header add Author "Unidad de Gestion e Innovacion Tecnologica"

        #************************************************************************
        #************************** REDIRECTION DATA ****************************
        #************************************************************************

</VirtualHost>
  • Enable the sites
a2ensite chat.siua.ac.cr.conf
a2ensite riot.siua.ac.cr.conf
a2ensite matrix.siua.ac.cr.conf
systemctl reload apache2
  • Request the certificates
certbot --installer apache
  • All in a single certificate (select every listed domain)
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 24 25 71 72 106 107
  • Now edit the generated files to add the proxy pass
  • Open
nano /etc/apache2/sites-available/chat.siua.ac.cr-le-ssl.conf
  • Edit
<IfModule mod_ssl.c>
	<VirtualHost 181.193.87.6:443>

		#************************************************************************
		#******************* WEBSITE DATA ***************************************
		#************************************************************************
		ServerName chat.siua.ac.cr
		ServerAlias www.chat.siua.ac.cr
		ErrorLog /var/log/apache2/chat_443.siua.ac.cr-error.log
		CustomLog /var/log/apache2/chat_443.siua.ac.cr-access.log common

		#************************************************************************
		#********************** WEBMASTER DATA **********************************
		#************************************************************************
		ServerAdmin interuniversitariadealajuela@gmail.com
		Header add Author "Unidad de Gestion e Innovacion Tecnologica"

		#************************************************************************
		#********************* REDIRECTION DATA *********************************
		#************************************************************************
		ProxyPreserveHost On
		ProxyRequests off
		SSLProxyEngine on
		ProxyPass / https://10.20.200.77/
		ProxyPassReverse / https://10.20.200.77/


		#************************************************************************
		#********************** CERTIFICATE DATA ********************************
		#************************************************************************
		Include /etc/letsencrypt/options-ssl-apache.conf
		SSLCertificateFile /etc/letsencrypt/live/matrix.siua.ac.cr/fullchain.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/matrix.siua.ac.cr/privkey.pem
	</VirtualHost>
</IfModule>
  • Open
nano /etc/apache2/sites-available/riot.siua.ac.cr-le-ssl.conf
  • Edit
<IfModule mod_ssl.c>
	<VirtualHost 181.193.87.6:443>

		#************************************************************************
		#******************* WEBSITE DATA ***************************************
		#************************************************************************
		ServerName riot.siua.ac.cr
		ServerAlias www.riot.siua.ac.cr
		ErrorLog /var/log/apache2/riot_443.siua.ac.cr-error.log
		CustomLog /var/log/apache2/riot_443.siua.ac.cr-access.log common

		#************************************************************************
		#********************** WEBMASTER DATA **********************************
		#************************************************************************
		ServerAdmin interuniversitariadealajuela@gmail.com
		Header add Author "Unidad de Gestion e Innovacion Tecnologica"

		#************************************************************************
		#********************* REDIRECTION DATA *********************************
		#************************************************************************
		ProxyPreserveHost On
		ProxyRequests off
		SSLProxyEngine on
		ProxyPass / https://10.20.200.77/
		ProxyPassReverse / https://10.20.200.77/


		#************************************************************************
		#********************** CERTIFICATE DATA ********************************
		#************************************************************************
		Include /etc/letsencrypt/options-ssl-apache.conf
		SSLCertificateFile /etc/letsencrypt/live/matrix.siua.ac.cr/fullchain.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/matrix.siua.ac.cr/privkey.pem
	</VirtualHost>
</IfModule>
  • Open
nano /etc/apache2/sites-available/matrix.siua.ac.cr-le-ssl.conf
  • Edit
<IfModule mod_ssl.c>
	<VirtualHost 181.193.87.6:443>

		#************************************************************************
		#******************* WEBSITE DATA ***************************************
		#************************************************************************
		ServerName matrix.siua.ac.cr
		ServerAlias www.matrix.siua.ac.cr
		ErrorLog /var/log/apache2/matrix_443.siua.ac.cr-error.log
		CustomLog /var/log/apache2/matrix_443.siua.ac.cr-access.log common

		#************************************************************************
		#********************** WEBMASTER DATA **********************************
		#************************************************************************
		ServerAdmin interuniversitariadealajuela@gmail.com
		Header add Author "Unidad de Gestion e Innovacion Tecnologica"

		#************************************************************************
		#********************* REDIRECTION DATA *********************************
		#************************************************************************
		ProxyPreserveHost On
		ProxyRequests off
		SSLProxyEngine on
		ProxyPass / https://10.20.200.77/
		ProxyPassReverse / https://10.20.200.77/


		#************************************************************************
		#********************** CERTIFICATE DATA ********************************
		#************************************************************************
		Include /etc/letsencrypt/options-ssl-apache.conf
		SSLCertificateFile /etc/letsencrypt/live/matrix.siua.ac.cr/fullchain.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/matrix.siua.ac.cr/privkey.pem
	</VirtualHost>
</IfModule>
  • Reload the service
systemctl reload apache2

Riot server

  • Create a directory to hold the certificates and set its permissions
mkdir /certificados
mkdir /certificados/matrix.siua.ac.cr
chmod 777 -R /certificados/
  • Check that root login over SSH to the web1 server is enabled
  • Open
nano /etc/ssh/sshd_config
  • Edit (each line above an X is replaced by the line below it)
---------------------
#Port 22
X
Port 44
---------------------
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes

PROXY

  • And check that we can log in
ssh root@riot.siua.ac.cr -p 44
  • Copy the certificates across
scp -P 44 -r /etc/letsencrypt/live/matrix.siua.ac.cr/fullchain.pem root@10.20.200.77:/certificados/matrix.siua.ac.cr/fullchain.pem

scp -P 44 -r /etc/letsencrypt/live/matrix.siua.ac.cr/privkey.pem root@10.20.200.77:/certificados/matrix.siua.ac.cr/privkey.pem
  • Open the file
nano /root/ssh-renew.sh
  • And add
#******************************************************************************************************************************
#***********************************               RIOT            ************************************************************
#******************************************************************************************************************************


printf "******************************************\n"
printf "**********         RIOT           ********\n"
printf "******************************************\n"
scp -P 44 -r /etc/letsencrypt/live/matrix.siua.ac.cr/fullchain.pem root@10.20.200.77:/certificados/matrix.siua.ac.cr/fullchain.pem 
scp -P 44 -r /etc/letsencrypt/live/matrix.siua.ac.cr/privkey.pem root@10.20.200.77:/certificados/matrix.siua.ac.cr/privkey.pem

# Reload the web server
ssh root@10.20.200.75 -p 44  /etc/init.d/apache2 reload

RIOT

  • Install dependencies
sudo apt install sudo curl gpg gnupg
  • Install the nginx web server
apt install nginx -y
  • Create the file
nano /etc/nginx/sites-available/chat.siua.ac.cr
  • Contents (redirect from 80 to 443 and inclusion of the certificates)
server {
    listen 80;
    server_name chat.siua.ac.cr;
    return 301 https://$host$request_uri;
}
server{
    listen 443 ssl;
    server_name chat.siua.ac.cr;

    root /var/www/chat.siua.ac.cr;
    index index.html;
    location / {
               try_files $uri $uri/ =404;
    }
    ssl on;
    ssl_certificate /certificados/matrix.siua.ac.cr/fullchain.pem;
    ssl_certificate_key /certificados/matrix.siua.ac.cr/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
}
  • Create the file
nano /etc/nginx/sites-available/matrix.siua.ac.cr
  • Contents
server {
    listen 80;
    server_name matrix.siua.ac.cr;
    return 301 https://$host$request_uri;
}
server{
    listen 443 ssl;
    server_name matrix.siua.ac.cr;

    root /var/www/chat.siua.ac.cr;
    index index.html;
    location / {
               proxy_pass http://localhost:8008;
    }
    ssl on;
    ssl_certificate /certificados/matrix.siua.ac.cr/fullchain.pem;
    ssl_certificate_key /certificados/matrix.siua.ac.cr/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
}

  • Create the file
nano /etc/nginx/sites-available/riot.siua.ac.cr
  • Contents
server {
    listen 80;
    server_name riot.siua.ac.cr;
    return 301 https://$host$request_uri;
}
server{
    listen 443 ssl;
    server_name riot.siua.ac.cr;

    root /var/www/riot.siua.ac.cr/riot;
    index index.html;
    location / {
               try_files $uri $uri/ =404;
    }
    ssl on;
    ssl_certificate /certificados/matrix.siua.ac.cr/fullchain.pem;
    ssl_certificate_key /certificados/matrix.siua.ac.cr/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
}
  • Now, to activate the sites, create a symbolic link to each one in sites-enabled
ln -s /etc/nginx/sites-available/chat.siua.ac.cr /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/matrix.siua.ac.cr /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/riot.siua.ac.cr /etc/nginx/sites-enabled/
/etc/init.d/nginx reload
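The three server blocks above share the same TLS settings, and those settings enable TLS 1.0 and 1.1 plus a cipher string that explicitly adds RC4, LOW, SSLv3 and EXP suites; `ssl on;` is also deprecated once `listen 443 ssl;` is used. As an added example that is not part of the original guide, the following Python script parses those directives from a constructed copy of one server block, flags the weak ones, and shows a hardened block (my suggestion, not the guide's) that passes the same audit. Whether the weak suites are actually negotiable depends on how the local OpenSSL was built, which is exactly why the safe configuration lists only the suites it wants.

```python
import re

# Constructed sample: the TLS directives used by the three nginx server blocks
# above, copied here as a string (nothing is read from the live server).
CURRENT_SERVER_BLOCK = """\
server {
    listen 443 ssl;
    server_name chat.siua.ac.cr;
    ssl on;
    ssl_certificate /certificados/matrix.siua.ac.cr/fullchain.pem;
    ssl_certificate_key /certificados/matrix.siua.ac.cr/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
}
"""

# Hardened replacement for the same block (my suggestion, not from the guide):
# TLS 1.2/1.3 only and an explicit list of forward-secret AEAD suites.
HARDENED_SERVER_BLOCK = """\
server {
    listen 443 ssl;
    server_name chat.siua.ac.cr;
    ssl_certificate /certificados/matrix.siua.ac.cr/fullchain.pem;
    ssl_certificate_key /certificados/matrix.siua.ac.cr/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-list keywords that enable export-grade, RC4, DES, MD5,
# anonymous or unencrypted suites.
WEAK_CIPHER_KEYWORDS = {"RC4", "LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
                        "SSLv3", "DES", "MD5", "NULL", "aNULL", "eNULL", "ADH", "AECDH"}

# Only the directives we audit; 'ssl' alone must be followed by whitespace so
# ssl_certificate / ssl_session_timeout do not match.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers|ssl)\s+([^;]+);", re.M)


def parse_ssl_directives(server_block: str) -> dict:
    """Map each TLS-relevant directive in one server block to its value."""
    return {m.group(1): m.group(2).strip() for m in DIRECTIVE_RE.finditer(server_block)}


def enabled_cipher_keywords(cipher_list: str) -> set:
    """Keywords an OpenSSL cipher string adds (or keeps, via '+').
    Entries prefixed with '!' or '-' remove suites and are ignored here;
    'RC4+RSA' contributes both 'RC4' and 'RSA'."""
    keywords = set()
    for entry in cipher_list.split(":"):
        if entry.startswith(("!", "-")):
            continue
        keywords.update(entry.lstrip("+").split("+"))
    return keywords


def audit_tls(server_block: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    directives = parse_ssl_directives(server_block)
    findings = []
    if directives.get("ssl") == "on":
        findings.append("'ssl on;' is deprecated; 'listen 443 ssl;' already enables TLS")
    protocols = set(directives.get("ssl_protocols", "").split())
    for proto in sorted(protocols & WEAK_PROTOCOLS):
        findings.append(f"weak protocol enabled: {proto}")
    weak = enabled_cipher_keywords(directives.get("ssl_ciphers", "")) & WEAK_CIPHER_KEYWORDS
    for keyword in sorted(weak):
        findings.append(f"weak cipher keyword enabled: {keyword}")
    return findings


if __name__ == "__main__":
    for finding in audit_tls(CURRENT_SERVER_BLOCK):
        print("current:", finding)
    print("hardened:", audit_tls(HARDENED_SERVER_BLOCK) or "no findings")
```

Run it against any server block pasted into the string, then `nginx -t` and `systemctl reload nginx` after applying the hardened directives; TLS 1.3 suites are not governed by `ssl_ciphers`, so the list only shapes the TLS 1.2 handshake.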
  • Now install Synapse
sudo apt install -y lsb-release wget apt-transport-https
sudo wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" |
    sudo tee /etc/apt/sources.list.d/matrix-org.list
sudo apt update
sudo apt install matrix-synapse-py3
  • When asked for the server name
  • Send report
  • Now if we run
ps axuwf | grep -i python
  • We can see the service is running
root     20345  0.0  0.0   3080   884 pts/2    S+   18:12   0:00          \_ grep -i python
root     18382  0.0  1.9 248076 20228 ?        Ssl  16:56   0:01 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
matrix-+ 20213  0.0  7.8 124404 82104 ?        Ds   18:11   0:01 /opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse
  • Now go to www
cd /var/www
  • Create a directory
mkdir chat.siua.ac.cr
  • Enter the directory
cd chat.siua.ac.cr
  • Create the directory
mkdir -p /var/www/chat.siua.ac.cr/.well-known/matrix
  • Enter the directory
cd /var/www/chat.siua.ac.cr/.well-known/matrix
  • Now create the file
echo '{ "m.server": "matrix.siua.ac.cr.:443" }' > server
  • Now test that it is served
curl -L https://chat.siua.ac.cr/.well-known/matrix/server
  • Returns
{ "m.server": "matrix.siua.ac.cr.:443" }

Riot installation

  • Create the installation directory, enter it and download the release
mkdir -p /var/www/riot.siua.ac.cr
cd /var/www/riot.siua.ac.cr
wget https://github.com/vector-im/riot-web/releases/download/v1.6.0/riot-v1.6.0.tar.gz
  • Also fetch the detached signature
wget https://github.com/vector-im/riot-web/releases/download/v1.6.0/riot-v1.6.0.tar.gz.asc
  • Now verify the signature
gpg --verify riot-v1.6.0.tar.gz.asc
  • Result (it tells us it cannot be verified)
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: assuming signed data in 'riot-v1.6.0.tar.gz'
gpg: Signature made Tue May  5 10:37:32 2020 UTC
gpg:                using RSA key 5EA7E0F70461A3BCBEBE4D5EF6151806032026F9
gpg:                issuer "releases@riot.im"
gpg: Can't check signature: No public key
  • So we run
# grab the signing key for the riot releases repository, ideally from a keyserver...
gpg --keyserver keyserver.ubuntu.com --search-keys releases@riot.im
  • Result
gpg: data source: http://162.213.33.8:11371
(1)	Riot Releases <releases@riot.im>
	  4096 bit RSA key 74692659BDA3D940, created: 2019-04-15
Keys 1-1 of 1 for "releases@riot.im".  Enter number(s), N)ext, or Q)uit > 1
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 74692659BDA3D940: public key "Riot Releases <releases@riot.im>" imported
gpg: Total number processed: 1
gpg:               imported: 1
  • Now fetch the key
# ...and/or you can grab or cross-check the signing key from packages.riot.im
wget https://packages.riot.im/riot-release-key.asc
gpg --import riot-release-key.asc
  • Now verify again
gpg --verify riot-v1.6.0.tar.gz.asc
  • Result
gpg: assuming signed data in 'riot-v1.6.0.tar.gz'
gpg: Signature made Tue May  5 10:37:32 2020 UTC
gpg:                using RSA key 5EA7E0F70461A3BCBEBE4D5EF6151806032026F9
gpg:                issuer "releases@riot.im"
gpg: Good signature from "Riot Releases <releases@riot.im>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A878 CDF6 6CF4 A9B4 807C  EBE5 7469 2659 BDA3 D940
     Subkey fingerprint: 5EA7 E0F7 0461 A3BC BEBE  4D5E F615 1806 0320 26F9
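A "Good signature" line on its own is not enough: gpg also prints "[unknown]" because nothing in our keyring vouches for the key, and any key that was searched by e-mail address could carry that name. The check that matters is whether the primary key fingerprint is the one the project publishes. As an added example that is not part of the original guide, the following Python script reads the text `gpg --verify` prints (run it with `2>&1`, since gpg writes to stderr) and accepts the archive only when the signature is good and the primary fingerprint equals the pinned value taken from the output above:

```python
import re

# Fingerprint of the "Riot Releases" primary key, taken from the gpg output
# above and pinned here so that a different key with the same e-mail address
# is rejected.
PINNED_PRIMARY_FINGERPRINT = "A878 CDF6 6CF4 A9B4 807C  EBE5 7469 2659 BDA3 D940"

# Constructed copy of the output printed by the second `gpg --verify` above.
SAMPLE_GPG_OUTPUT = """\
gpg: assuming signed data in 'riot-v1.6.0.tar.gz'
gpg: Signature made Tue May  5 10:37:32 2020 UTC
gpg:                using RSA key 5EA7E0F70461A3BCBEBE4D5EF6151806032026F9
gpg:                issuer "releases@riot.im"
gpg: Good signature from "Riot Releases <releases@riot.im>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A878 CDF6 6CF4 A9B4 807C  EBE5 7469 2659 BDA3 D940
     Subkey fingerprint: 5EA7 E0F7 0461 A3BC BEBE  4D5E F615 1806 0320 26F9
"""

PRIMARY_FPR_RE = re.compile(r"^\s*Primary key fingerprint:\s*([0-9A-Fa-f ]+)$", re.M)


def normalise_fingerprint(text: str) -> str:
    """Strip gpg's display spacing so fingerprints compare as 40 hex digits."""
    return re.sub(r"\s+", "", text).upper()


def check_release_signature(gpg_output: str, pinned_fingerprint: str):
    """Return (ok, detail). ok is True only when gpg reported a good signature
    AND the primary key fingerprint equals the pinned one."""
    if "gpg: BAD signature" in gpg_output:
        return False, "bad signature"
    if "gpg: Good signature from" not in gpg_output:
        return False, "no good signature reported (missing key or unsigned data?)"
    match = PRIMARY_FPR_RE.search(gpg_output)
    if match is None:
        return False, "no primary key fingerprint in output"
    seen = normalise_fingerprint(match.group(1))
    if seen != normalise_fingerprint(pinned_fingerprint):
        return False, f"fingerprint mismatch: got {seen}"
    return True, seen


if __name__ == "__main__":
    print(check_release_signature(SAMPLE_GPG_OUTPUT, PINNED_PRIMARY_FINGERPRINT))
```

For unattended use, `gpg --status-fd 1 --verify` additionally emits machine-readable `[GNUPG:] VALIDSIG` lines whose last field is the primary key fingerprint; parsing the human-readable output as above is fine for this guide but depends on gpg's English messages.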
  • Now unpack the program
tar -xzvf riot-v1.6.0.tar.gz
  • Create a symbolic link
ln -s riot-v1.6.0 riot
  • Change the owner
chown www-data:www-data -R riot
  • Enter the directory
cd riot
  • Copy the sample configuration
cp config.sample.json config.json
  • Open it
nano config.json
  • Edit
------------------------
"base_url": "https://matrix-client.matrix.org",
X
"base_url": "https://matrix.siua.ac.cr",
------------------------
"server_name": "matrix.org"
X
"server_name": "chat.siua.ac.cr"
------------------------
  • Now go to
cd /etc/matrix-synapse/
  • Open the file
nano homeserver.yaml
  • Edit
#enable_registration: false
X
enable_registration: true
  • Restart the service
systemctl restart matrix-synapse

Customization

  • Open
sftp://root@riot.siua.ac.cr:44/var/www/riot.siua.ac.cr/riot/index.html
  • Edit
<html lang="en"
X
<html lang="es"

<title>Riot</title>
X
<title>RIOT-SIUA</title>
  • Open
sftp://root@riot.siua.ac.cr:44/var/www/riot.siua.ac.cr/riot/i18n/es.c364303.json
  • Edit
"Welcome to Riot.im": "Bienvenido a Riot.im",
X
"Welcome to Riot.im": "Bienvenido a RIOT-SIUA",

"Decentralised, encrypted chat &amp; collaboration powered by [matrix]": "Conversaciones cifradas y descentralizadas y colaboración con el poder de [matrix]",
X
"Decentralised, encrypted chat &amp; collaboration powered by [matrix]": "Servicio de chat cifrado ofrecido por la Sede Interuniversitaria de Alajuela y mantenido por la UGIT (Unidad de Gestión e Innovación Tecnológica)",

Jitsi integration

  • Open
nano /var/www/riot.siua.ac.cr/riot/config.json
  • Edit
"preferredDomain": "jitsi.riot.im"
X
"preferredDomain": "conferencias.siua.ac.cr"

COTURN

  • To configure the SIUA coturn, open
nano /etc/matrix-synapse/homeserver.yaml
  • Configure
turn_uris: ["turn:coturn.siua.ac.cr:5349?transport=udp","turn:coturn.siua.ac.cr:5349?transport=tcp"]

# The shared secret used to compute passwords for the TURN server
#
turn_shared_secret: "8015f59d3f538060abcfef564d6dabfe379a6d12be76723df3b5b87ac4b4569e"

# The Username and password if the TURN server needs them and
# does not use a token
#
#turn_username: "TURNSERVER_USERNAME"
#turn_password: "TURNSERVER_PASSWORD"

# How long generated TURN credentials last
#
turn_user_lifetime: 86400000

# Whether guests should be allowed to use the TURN server.
# This defaults to True, otherwise VoIP will be unreliable for guests.
# However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA).
#
turn_allow_guests: true
  • Restart the service
systemctl restart matrix-synapse
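turn_shared_secret and turn_user_lifetime are never sent to clients as such: Synapse derives a short-lived username/password pair from them, the TURN REST API scheme that coturn implements with use-auth-secret and static-auth-secret, and the TURN server recomputes the same HMAC from its own copy of the secret. As an added example, not from the guide and not Synapse's own code, the following Python script reproduces that derivation with a constructed placeholder secret and shows the check the TURN server performs. It also makes the risk described in the YAML comment concrete: anyone who can obtain a credential (guests included, while turn_allow_guests is true) can relay through the server until that credential expires, which is what turn_user_lifetime bounds.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder: the real value is the turn_shared_secret from
# homeserver.yaml, which must equal coturn's static-auth-secret.
TURN_SHARED_SECRET = "REPLACE-WITH-THE-REAL-SHARED-SECRET"
TURN_USER_LIFETIME_MS = 86400000  # turn_user_lifetime above: 24 hours in milliseconds


def issue_turn_credentials(user_id: str, shared_secret: str,
                           lifetime_ms: int = TURN_USER_LIFETIME_MS,
                           now_ms=None):
    """Derive the time-limited TURN credentials the homeserver hands to a client.

    username = "<expiry unix seconds>:<matrix user id>"
    password = base64(HMAC-SHA1(shared_secret, username))
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    expiry = (now_ms + lifetime_ms) // 1000
    username = f"{expiry}:{user_id}"
    mac = hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1)
    password = base64.b64encode(mac.digest()).decode("ascii")
    return username, password


def turn_server_accepts(username: str, password: str, shared_secret: str,
                        now_ms: int) -> bool:
    """What the TURN server does with a credential: parse the expiry out of the
    username, refuse anything already expired, and compare the recomputed
    HMAC in constant time."""
    expiry_text, sep, _ = username.partition(":")
    if not sep or not expiry_text.isdigit():
        return False
    if int(expiry_text) * 1000 <= now_ms:
        return False
    expected = base64.b64encode(
        hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode("ascii")
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    user, pwd = issue_turn_credentials("@alice:chat.siua.ac.cr", TURN_SHARED_SECRET)
    print(user, pwd)
    print(turn_server_accepts(user, pwd, TURN_SHARED_SECRET, int(time.time() * 1000)))
```

Because the password is a pure function of the secret and the username, rotating turn_shared_secret (and static-auth-secret on coturn) invalidates every outstanding credential at once; shortening turn_user_lifetime limits how long a leaked credential stays usable.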

Ubuntu/Debian client installation

sudo apt install -y wget apt-transport-https
sudo wget -O /usr/share/keyrings/riot-im-archive-keyring.gpg https://packages.riot.im/debian/riot-im-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/riot-im-archive-keyring.gpg] https://packages.riot.im/debian/ default main" |
    sudo tee /etc/apt/sources.list.d/riot-im.list
sudo apt update
sudo apt install riot-desktop

Database

  • To log in to the database
sudo -u matrix-synapse sqlite3 /var/lib/matrix-synapse/homeserver.db
  • To exit
.quit
  • Query users
SELECT * FROM users;
  • List tables
.tables
  • Make myself an administrator
UPDATE users SET admin = 1 WHERE name = '@gmatamor:chat.siua.ac.cr';