Installing Rocket.Chat

I/ Gandi IaaS server: hacklab.

Distribution: Debian 9
CPU: 1
RAM: 1 GB

System disk name: sysdiskhl01
Size: 15 GB
Hostname: serverhl01
Administrator login: admin

II/ Configuration.

1/ Connect to the server.

util01@station02:~$ ssh admin@217.70.191.106
admin@217.70.191.106's password: 
Linux serverhl01 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64
...
admin@serverhl01:~$ 

2/ Switch to the administrative user (root).

admin@serverhl01:~$ su
Password: 
root@serverhl01:/home/admin# 

3/ Update the system.

root@serverhl01:/home/admin# apt-get update && apt-get upgrade

4/ Install the base packages.

root@serverhl01:/home/admin# apt-get install mc vim htop screen 

5/ Install the locales.

Open:

/etc/locale.gen

Find and uncomment:

# fr_FR ISO-8859-1
# fr_FR.UTF-8 UTF-8

Actions:

root@serverhl01:/home/admin# locale-gen
root@serverhl01:/home/admin# export LANGUAGE=fr_FR.UTF-8
root@serverhl01:/home/admin# export LANG=fr_FR.UTF-8
root@serverhl01:/home/admin# export LC_ALL=fr_FR.UTF-8

6/ Install LXC.

root@serverhl01:/home/admin# apt install lxc xz-utils bridge-utils dnsmasq-base iptables debootstrap

7/ Configure the bridge.

Open:

/etc/lxc/default.conf

Find:

lxc.network.type = empty

Replace with:

lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx

Create:

/etc/default/lxc-net

Add:

USE_LXC_BRIDGE="true"

8/ Restart the ‘lxc-net’ service.

root@serverhl01:/home/admin# systemctl restart lxc-net

9/ Show the status of the LXC network service.

root@serverhl01:/home/admin# systemctl status lxc-net
● lxc-net.service - LXC network bridge setup
   Loaded: loaded (/lib/systemd/system/lxc-net.service; enabled; vendor preset: enabled)
   Active: active (exited) since Tue 2019-08-13 21:37:20 CEST; 27s ago
  Process: 20296 ExecStart=/usr/lib/x86_64-linux-gnu/lxc/lxc-net start (code=exited, status=0
 Main PID: 20296 (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 4915)
   Memory: 820.0K
      CPU: 67ms
   CGroup: /system.slice/lxc-net.service
           └─20354 dnsmasq -u dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dn

Aug 13 21:37:20 serverhl01 dnsmasq[20354]: started, version 2.76 cachesize 150
Aug 13 21:37:20 serverhl01 dnsmasq[20354]: compile time options: IPv6 GNU-getopt DBus i18n ID
Aug 13 21:37:20 serverhl01 dnsmasq-dhcp[20354]: DHCP, IP range 10.0.3.2 -- 10.0.3.254, lease 
Aug 13 21:37:20 serverhl01 dnsmasq-dhcp[20354]: DHCP, sockets bound exclusively to interface 
Aug 13 21:37:20 serverhl01 dnsmasq[20354]: reading /etc/resolv.conf
Aug 13 21:37:20 serverhl01 dnsmasq[20354]: using nameserver 155.133.136.131#53
Aug 13 21:37:20 serverhl01 dnsmasq[20354]: using nameserver 155.133.136.130#53
Aug 13 21:37:20 serverhl01 dnsmasq[20354]: using nameserver 2001:4b98:dc5:255::129#53
Aug 13 21:37:20 serverhl01 dnsmasq[20354]: read /etc/hosts - 5 addresses
Aug 13 21:37:20 serverhl01 systemd[1]: Started LXC network bridge setup.
root@serverhl01:/home/admin# 

10/ Check.

root@serverhl01:/home/admin# ip -4 -o a show lxcbr0
3: lxcbr0    inet 10.0.3.1/24 scope global lxcbr0\       valid_lft forever preferred_lft forever
root@serverhl01:/home/admin# 

11/ Create a Debian 9 virtual machine (LXC container).

root@serverhl01:/home/admin# lxc-create -n rocketchat -t debian -- -r stretch
debootstrap is /usr/sbin/debootstrap
Checking cache download in /var/cache/lxc/debian/rootfs-stretch-amd64 ... 
Downloading debian minimal ...
I: Retrieving InRelease 
I: Retrieving Release 
...
libseccomp2 libssl1.0.2 libstdc++6 libwrap0 openssh-client openssh-sftp-server procps systemd systemd-sysv ucf 
I: Checking component main on http://httpredir.debian.org/debian...
I: Retrieving libacl1 2.2.52-3+b1
...
Current default time zone: 'Etc/UTC'
Local time is now:      Tue Aug 13 19:49:08 UTC 2019.
Universal Time is now:  Tue Aug 13 19:49:08 UTC 2019.

root@serverhl01:/home/admin# 

12/ Start the ‘rocketchat‘ virtual machine.

root@serverhl01:/home/admin# lxc-start -n rocketchat

13/ Check.

root@serverhl01:/home/admin# lxc-ls --fancy
NAME       STATE   AUTOSTART GROUPS IPV4       IPV6 
rocketchat RUNNING 0         -      10.0.3.245 -    
root@serverhl01:/home/admin# 

14/ Attach to the ‘rocketchat‘ container.

root@serverhl01:/home/admin# lxc-attach -n rocketchat
root@rocketchat:/# 

15/ Test.

root@rocketchat:/# apt install iputils-ping
root@rocketchat:/# ping -c 1 google.fr
PING google.fr (172.217.19.195) 56(84) bytes of data.
64 bytes from ams16s31-in-f3.1e100.net (172.217.19.195): icmp_seq=1 ttl=55 time=14.0 ms

--- google.fr ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 14.060/14.060/14.060/0.000 ms
root@rocketchat:/# 

16/ Leave the virtual machine.

root@rocketchat:/# exit
exit
root@serverhl01:/home/admin# 

17/ Give the virtual machine a static address.

Create:

/etc/lxc/dhcp.conf

Add:

dhcp-host=rocketchat,10.0.3.11

Open:

/etc/default/lxc-net

Add at the end:

LXC_DHCP_CONFILE=/etc/lxc/dhcp.conf

18/ Restart the LXC network service.

root@serverhl01:/home/admin# systemctl restart lxc-net

19/ Restart the ‘rocketchat‘ container.

root@serverhl01:/home/admin# lxc-stop -n rocketchat && lxc-start -n rocketchat

20/ Check.

root@serverhl01:/home/admin# lxc-ls --fancy
NAME       STATE   AUTOSTART GROUPS IPV4      IPV6 
rocketchat RUNNING 0         -      10.0.3.11 -    
root@serverhl01:/home/admin# 
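Added example (not part of the original page): a small POSIX sh script that applies steps 17 to 19 in a re-runnable way. The page's "add at the end" instructions append a new line on every run, so this version replaces an existing dhcp-host or LXC_DHCP_CONFILE entry instead of duplicating it. File paths are function parameters so the edits can be rehearsed on copies before touching /etc; the paths, container name and address in the comments are the page's own, the function names are mine.

```shell
#!/bin/sh
# Added example: idempotent version of steps 17-19 (not code from the original page).
# Each function takes the file to edit as its first argument so it can be run on a copy.
set -eu

# set_dhcp_host FILE NAME IP
# Ensure FILE contains exactly one "dhcp-host=NAME,IP" line for NAME (replace or append).
set_dhcp_host() {
    file=$1 name=$2 ip=$3
    [ -f "$file" ] || : > "$file"
    # drop any previous reservation for this container name, then append the current one
    grep -v "^dhcp-host=${name}," "$file" > "$file.tmp" || true
    printf 'dhcp-host=%s,%s\n' "$name" "$ip" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# set_default_var FILE VAR VALUE
# Ensure FILE (a shell-style defaults file such as /etc/default/lxc-net) has VAR=VALUE once.
set_default_var() {
    file=$1 var=$2 value=$3
    [ -f "$file" ] || : > "$file"
    grep -v "^${var}=" "$file" > "$file.tmp" || true
    printf '%s=%s\n' "$var" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# lease_for FILE NAME -> prints the address reserved for NAME, or nothing
lease_for() {
    sed -n "s/^dhcp-host=$2,\(.*\)$/\1/p" "$1"
}

# count_lines FILE PATTERN -> number of lines matching PATTERN (used to prove idempotence)
count_lines() {
    grep -c "$2" "$1" || true
}

# Real run on the host, as root, mirroring the page's steps 17-19 (hypothetical usage):
#   set_dhcp_host   /etc/lxc/dhcp.conf   rocketchat 10.0.3.11
#   set_default_var /etc/default/lxc-net LXC_DHCP_CONFILE /etc/lxc/dhcp.conf
#   systemctl restart lxc-net
#   lxc-stop -n rocketchat && lxc-start -n rocketchat
#   lxc-ls --fancy        # the IPV4 column should now read 10.0.3.11
```

Running the functions a second time leaves the files unchanged, which matters because dnsmasq reads every dhcp-host line and a stale duplicate with an old address is an easy way to end up with the container on an address that no NAT rule points at.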

21/ Attach to the ‘rocketchat‘ container.

root@serverhl01:/home/admin# lxc-attach -n rocketchat
root@rocketchat:/# 

22/ Install the base packages.

root@rocketchat:/# apt-get install mc vim htop screen 

23/ Configure the locales.

Open:

/etc/locale.gen

Find and uncomment:

# fr_FR ISO-8859-1
# fr_FR.UTF-8 UTF-8

Actions:

root@rocketchat:/# locale-gen
root@rocketchat:/# export LANGUAGE=fr_FR.UTF-8
root@rocketchat:/# export LANG=fr_FR.UTF-8
root@rocketchat:/# export LC_ALL=fr_FR.UTF-8

24/ Leave the container.

root@rocketchat:/# exit
exit
root@serverhl01:/home/admin# 

25/ Take a snapshot.

root@serverhl01:/home/admin# lxc-stop -n rocketchat

root@serverhl01:/home/admin# lxc-snapshot -n rocketchat
lxc-snapshot: lxccontainer.c: do_lxcapi_snapshot: 3407 Snapshot of directory-backed container requested.
lxc-snapshot: lxccontainer.c: do_lxcapi_snapshot: 3408 Making a copy-clone.  If you do want snapshots, then
lxc-snapshot: lxccontainer.c: do_lxcapi_snapshot: 3409 please create an aufs or overlayfs clone first, snapshot that
lxc-snapshot: lxccontainer.c: do_lxcapi_snapshot: 3410 and keep the original container pristine.
root@serverhl01:/home/admin# lxc-start -n rocketchat
root@serverhl01:/home/admin# lxc-snapshot -L -n rocketchat
snap0 (/var/lib/lxc/rocketchat/snaps) 2019:08:13 22:16:33
root@serverhl01:/home/admin# 

III/ Installing Rocket.Chat.

1/ Attach to the ‘rocketchat’ container.

root@serverhl01:/home/admin# lxc-attach -n rocketchat

2/ Configure the MongoDB and NodeSource repositories.

root@rocketchat:/# apt-get install -y dirmngr && apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
root@rocketchat:/# echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/4.0 main" | tee /etc/apt/sources.list.d/mongodb-org-4.0.list
root@rocketchat:/# apt-get -y update && apt-get install -y curl && curl -sL https://deb.nodesource.com/setup_8.x | bash -

3/ Install the MongoDB database, Node.js and the build dependencies.

root@rocketchat:/# apt-get install -y build-essential mongodb-org nodejs graphicsmagick

4/ Install the Node.js modules and pin Node.js 8.11.4 with ‘n’.

root@rocketchat:/# npm install -g inherits n && n 8.11.4

5/ Download the Rocket.Chat source archive.

root@rocketchat:/# curl -L https://releases.rocket.chat/latest/download -o /tmp/rocket.chat.tgz

6/ Extract the Rocket.Chat archive.

root@rocketchat:/# tar -xzf /tmp/rocket.chat.tgz -C /tmp
root@rocketchat:/# cd /tmp/
root@rocketchat:/tmp# mv bundle Rocket.Chat
root@rocketchat:/tmp# cd Rocket.Chat/
root@rocketchat:/tmp/Rocket.Chat# cd programs/server/

7/ Install Rocket.Chat.

root@rocketchat:/tmp/Rocket.Chat/programs/server# npm install

8/ Create the service user and set the permissions.

root@rocketchat:/tmp/Rocket.Chat/programs/server# cd
root@rocketchat:~# useradd -M rocketchat && usermod -L rocketchat
root@rocketchat:~# mv /tmp/Rocket.Chat/ /opt/Rocket.Chat
root@rocketchat:~# chown -R rocketchat:rocketchat /opt/Rocket.Chat

9/ Configure the Rocket.Chat service.

root@rocketchat:~# cat << EOF | tee -a /lib/systemd/system/rocketchat.service
[Unit]
Description=The Rocket.Chat server
After=network.target remote-fs.target nss-lookup.target nginx.target mongod.target
[Service]
ExecStart=/usr/local/bin/node /opt/Rocket.Chat/main.js
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=rocketchat
User=rocketchat
Environment=MONGO_URL=mongodb://localhost:27017/rocketchat?replicaSet=rs01 MONGO_OPLOG_URL=mongodb://localhost:27017/local?replicaSet=rs01 ROOT_URL=http://localhost:3000/ PORT=3000
[Install]
WantedBy=multi-user.target
EOF

Open:

/lib/systemd/system/rocketchat.service

Find:

ROOT_URL=http://localhost:3000/

Replace with:

ROOT_URL=http://rocketchat.hacklab.fr:3000/

10/ MongoDB post-configuration (storage engine and replica set).

root@rocketchat:~# sed -i "s/^#  engine:/  engine: mmapv1/"  /etc/mongod.conf
root@rocketchat:~# sed -i "s/^#replication:/replication:\n  replSetName: rs01/" /etc/mongod.conf
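Added example (not part of the original page): a re-runnable version of step 10. The page's two sed commands only match the commented-out defaults ("#  engine:" and "#replication:"), so on a second run, or on a file someone has already edited by hand, they silently change nothing and mongod starts without a replica set name, which Rocket.Chat needs for the oplog URL in the service file. The function below handles the commented, absent and already-set cases; the file path is a parameter so it can be tried on a copy first. Function names are mine; the keys, values and the replica set name rs01 are the page's own.

```shell
#!/bin/sh
# Added example: idempotent version of step 10 (not code from the original page).
set -eu

# configure_mongod FILE REPLSET
# Sets "engine: mmapv1" under storage: and "replSetName: REPLSET" under replication:,
# whether those keys are commented out, absent, or already present with another value.
configure_mongod() {
    file=$1 rs=$2

    # 1. storage engine: rewrite an existing value, uncomment the default, or add the key
    if grep -q '^  engine:' "$file"; then
        sed -i 's/^  engine:.*/  engine: mmapv1/' "$file"
    elif grep -q '^#  engine:' "$file"; then
        sed -i 's/^#  engine:.*/  engine: mmapv1/' "$file"
    else
        # no engine key at all: add it right after the storage: section header
        sed -i 's/^storage:$/storage:\n  engine: mmapv1/' "$file"
    fi

    # 2. replica set name: same three cases, plus an uncommented but empty replication: block
    if grep -q '^  replSetName:' "$file"; then
        sed -i "s/^  replSetName:.*/  replSetName: $rs/" "$file"
    elif grep -q '^#replication:' "$file"; then
        sed -i "s/^#replication:.*/replication:\n  replSetName: $rs/" "$file"
    elif grep -q '^replication:' "$file"; then
        sed -i "s/^replication:.*/replication:\n  replSetName: $rs/" "$file"
    else
        printf 'replication:\n  replSetName: %s\n' "$rs" >> "$file"
    fi
}

# mongod_setting FILE KEY -> prints the value of the indented KEY (e.g. "mmapv1"), or nothing
mongod_setting() {
    sed -n "s/^ *$2: *//p" "$1" | head -n 1
}

# Real run inside the container, as root (hypothetical usage):
#   cp /etc/mongod.conf /etc/mongod.conf.bak
#   configure_mongod /etc/mongod.conf rs01
#   mongod_setting /etc/mongod.conf replSetName    # expected: rs01
#   systemctl restart mongod
```

The check function is worth keeping around: `mongod_setting /etc/mongod.conf replSetName` printing nothing is the quickest explanation for a Rocket.Chat service that starts and then exits because the oplog URL in rocketchat.service points at a replica set that does not exist.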

11/ Enable the MongoDB service.

root@rocketchat:~# systemctl enable mongod
Created symlink /etc/systemd/system/multi-user.target.wants/mongod.service → /lib/systemd/system/mongod.service.
root@rocketchat:~#

12/ Start the MongoDB service.

root@rocketchat:~# systemctl start mongod

13/ Initialise the replica set (the shell also prints the MongoDB version).

root@rocketchat:~# mongo --eval "printjson(rs.initiate())"
MongoDB shell version v4.0.12
...
root@rocketchat:~# 

14/ Enable the Rocket.Chat service.

root@rocketchat:~# systemctl enable rocketchat 
Created symlink /etc/systemd/system/multi-user.target.wants/rocketchat.service → /lib/systemd/system/rocketchat.service.
root@rocketchat:~# 

15/ Start the Rocket.Chat service.

root@rocketchat:~# systemctl start rocketchat

16/ Check.

root@rocketchat:~# ps -aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
...
mongodb   6694  2.8  8.9 4112032 91068 ?       Ssl  20:43   0:03 /usr/bin/mongod --config /etc/mongod.conf
rocketc+  6761 74.6 52.8 1835192 535744 ?      Ssl  20:44   0:30 /usr/local/bin/node /opt/Rocket.Chat/main.js
root@rocketchat:~# 

17/ Leave the container.

root@rocketchat:~# exit
exit
root@serverhl01:/home/admin# 

18/ Add the iptables NAT rule for port 3000.

root@serverhl01:/home/admin# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3000 -j DNAT --to-destination 10.0.3.11:3000

19/ Update the DNS zone of the 'hacklab.fr' domain.

rocketchat.hacklab.fr.	10671	IN	A	217.70.191.106

20/ Test.

http://rocketchat.hacklab.fr:3000/

21/ Links.

https://rockstarninja.laboratoire-bidouille.dev/gandi-serveur-iaas-installation-de-lxc/
https://rocket.chat/docs/installation/manual-installation/debian/

IV/ Installing a reverse proxy.

1/ Forward ports 80 and 443.

root@serverhl01:/home/admin# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.3.11:80
root@serverhl01:/home/admin# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.3.11:443

2/ Attach to the 'rocketchat' container.

root@serverhl01:/home/admin# lxc-attach -n rocketchat
root@rocketchat:/# 

3/ Install the 'nginx' web server.

root@rocketchat:/# apt-get install nginx links 

4/ Test.

root@rocketchat:/# links http://localhost/

5/ Configure the repositories for Let's Encrypt.

Open:

/etc/apt/sources.list

Add at the end:

deb http://deb.debian.org/debian stretch-backports main contrib non-free
deb-src http://deb.debian.org/debian stretch-backports main contrib non-free

Action:

root@rocketchat:/# apt update

6/ Install the Let's Encrypt certificate generator.

root@rocketchat:/# apt-get install certbot python-certbot-nginx -t stretch-backports

7/ Generate a Let's Encrypt certificate.

root@rocketchat:/# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: rocketchat.hacklab.fr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
...
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default
...
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=rocketchat.hacklab.fr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

...
root@rocketchat:/# 

8/ Test.

https://rocketchat.hacklab.fr/

9/ Links.

https://www.howtoforge.com/tutorial/install-letsencrypt-and-secure-nginx-in-debian-9/
https://linuxize.com/post/secure-nginx-with-let-s-encrypt-on-debian-9/
https://certbot.eff.org/lets-encrypt/debianstretch-nginx.html

V/ Configuring Nginx.

1/ Back up the Nginx configuration file.

root@rocketchat:/# cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak

2/ Reconfigure Nginx.

Open:

/etc/nginx/sites-available/default

Replace everything with:

upstream rocketchat_backend {
  server 127.0.0.1:3000;
}

# plain HTTP: nothing is served here, every request is sent to HTTPS
server {
    listen 80;
    server_name rocketchat.hacklab.fr;

    return 301 https://rocketchat.hacklab.fr$request_uri;
}

server {
    listen 443 ssl http2;
    server_name rocketchat.hacklab.fr;

    ssl_certificate /etc/letsencrypt/live/rocketchat.hacklab.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rocketchat.hacklab.fr/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/rocketchat.hacklab.fr/chain.pem;

    access_log /var/log/nginx/rocketchat.hacklab.fr-access.log;
    error_log /var/log/nginx/rocketchat.hacklab.fr-error.log;

    location / {
        proxy_pass http://rocketchat_backend/;
        # HTTP/1.1 and the Upgrade/Connection headers are required for WebSockets,
        # which Rocket.Chat uses for its live connection
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        # client address and scheme as seen by the proxy; the header names are
        # X-Forwarded-* and this block is only reached over TLS, so the scheme is https
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
}

3/ Restart Nginx.

root@rocketchat:/# service nginx restart

4/ Remove the NAT rule for port 3000.

root@serverhl01:/home/admin# iptables -t nat --line-numbers -L
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    DNAT       tcp  --  anywhere             anywhere             tcp dpt:3000 to:10.0.3.11:3000
2    DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:10.0.3.11:80
3    DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:10.0.3.11:443
...
root@serverhl01:/home/admin# iptables -t nat -D PREROUTING 1
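Added example (not part of the original page): a POSIX sh version of the port-forwarding steps in III/18, IV/1 and this step. The page's `iptables -A` appends a second copy of a rule every time it is run, and `-D PREROUTING 1` deletes whatever rule happens to be first, so this version checks with `-C` before adding and deletes every copy of exactly the rule it was asked to remove. The IPTABLES variable lets the same functions be pointed at a wrapper for a dry run; the interface, ports and container address are the page's, the function names are mine. Rules added this way are still lost at reboot unless saved (iptables-save), which the page does not cover either.

```shell
#!/bin/sh
# Added example: idempotent DNAT forwards for the container (not code from the original page).
set -eu
IPTABLES=${IPTABLES:-iptables}   # override with a wrapper for dry runs

# nat_rule OP IFACE PORT DEST   (OP is -C to check, -A to append, -D to delete)
# One definition of the rule so that check, add and delete can never drift apart.
nat_rule() {
    "$IPTABLES" -t nat "$1" PREROUTING -i "$2" -p tcp --dport "$3" \
        -j DNAT --to-destination "$4"
}

# ensure_dnat IFACE PORT DEST: add the forward only if it is not already present
ensure_dnat() {
    if nat_rule -C "$@" 2>/dev/null; then
        echo "present: $2 -> $3"
    else
        nat_rule -A "$@"
        echo "added: $2 -> $3"
    fi
}

# remove_dnat IFACE PORT DEST: delete every copy of the forward (earlier plain -A runs
# may have left duplicates, and a single -D would leave the port still exposed)
remove_dnat() {
    n=0
    while nat_rule -C "$@" 2>/dev/null; do
        nat_rule -D "$@"
        n=$((n + 1))
    done
    echo "removed $n rule(s) for port $2"
}

# Final state from the page, run on the host as root (hypothetical usage):
#   ensure_dnat eth0 80   10.0.3.11:80
#   ensure_dnat eth0 443  10.0.3.11:443
#   remove_dnat eth0 3000 10.0.3.11:3000
#   iptables -t nat -L PREROUTING --line-numbers    # only dpt:http and dpt:https remain
```

After `remove_dnat` the only way into the container from the Internet is through nginx on 80 and 443; port 3000 is still open inside the 10.0.3.0/24 bridge network, which is what the nginx upstream on the same host uses.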

5/ The Rocket.Chat server is now reachable from the Internet only at:

https://rocketchat.hacklab.fr/

6/ Links.

https://technologyrss.com/how-to-setup-rocket-chat-ssl-configuration-using-letsencrypt-for-nginx/
https://rocket.chat/docs/installation/manual-installation/configuring-ssl-reverse-proxy/

September 18, 2019