Secure Moodle on Raspberry Pi Model 2, Gentoo Linux and Nginx server

From MoodleDocs

Hi,

I want to share my experiences when I installed Moodle on a Raspberry Pi Model 2 hardware, on which is running Gentoo Linux operating system and the Nginx web server. It can reach here: [1]

First I installed Gentoo Linux on my Raspberry Pi Model 2 hardware by following this guide: [2]

Then I installed and did setup Nginx web server by following these guids: [3] [4]

My nginx.config file is: user nginx nginx; worker_processes 1;

error_log /var/log/nginx/error_log info;

events {

       worker_connections 1024;
       use epoll;

}

http {

       include /etc/nginx/mime.types;
       default_type application/octet-stream;
       log_format main
       '$remote_addr - $remote_user [$time_local] '
       '"$request" $status $bytes_sent '
       '"$http_referer" "$http_user_agent" '
       '"$gzip_ratio"';
       client_max_body_size 15m;
       client_header_timeout 10m;
       client_body_timeout 10m;
       send_timeout 10m;
       connection_pool_size 256;
       client_header_buffer_size 1k;
       large_client_header_buffers 4 2k;
       request_pool_size 4k;
       gzip off;
       output_buffers 1 32k;
       postpone_output 1460;
       sendfile on;
       tcp_nopush on;
       tcp_nodelay on;
       keepalive_timeout 75 20;
       ignore_invalid_headers on;
       index index.html index.php;
       add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
       server {
               listen 443 ssl http2;
               listen [::]:443 ssl http2;
               server_name www.cspl.hu;
               root /var/www/localhost/htdocs;
               location = /KisTechTavOktKulcsosPicike.ico {
               log_not_found off;
               access_log off;
               }
               ssl_certificate /etc/ssl/certs/chained.pem;
               ssl_certificate_key /etc/ssl/private/domain.key;
               ssl_session_timeout 5m;
               ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
               ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-S

HA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA- AES256-SHA:DHE-RSA-AES128-SHA:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES: RSA+3DES:!MD5;

               ssl_session_cache shared:SSL:50m;
               ssl_dhparam /etc/ssl/certs/dhparam.pem;
               ssl_prefer_server_ciphers on;
               access_log /var/log/nginx/localhost.access_log main;
               error_log /var/log/nginx/localhost.error_log info;
               access_log /var/log/nginx/localhost.ssl_access_log main;
               error_log /var/log/nginx/localhost.ssl_error_log info;
               location ~ [^/]\.php(/|$) {
               fastcgi_split_path_info ^(.+?\.php)(/.*)$;
               if (!-f $document_root$fastcgi_script_name) {
               return 404;
               }
               
               fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
               fastcgi_index index.php;
               include fastcgi_params;
               include fastcgi.conf;
               }


               location /dataroot/ {
               internal;
               alias /var/www/localhost/moodle/; # ensure the path ends with /
               }
               
               location /moodlelib/ {
               internal;
               alias /var/www/localhost/htdocs/moodle/lib/; # ensure the path ends with /
               }
               
               location /moodlepix/ {
               internal;
               alias /var/www/localhost/htdocs/moodle/pix/; # ensure the path ends with /
               }
               location /moodletheme/ {
               internal;
               alias /var/www/localhost/htdocs/moodle/theme/; # ensure the path ends with /
               }
       }
               server {
                       listen          80;
                       listen          [::]:80;
                       server_name     www.cspl.hu;
                       return          301 https://$server_name$request_uri;
               }

}

My fastcgi.config file is: fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param REQUEST_URI $request_uri; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_ROOT $document_root; fastcgi_param SERVER_PROTOCOL $server_protocol; fastcgi_param REQUEST_SCHEME $scheme; fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_PORT $remote_port; fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name;

  1. PHP only, required if PHP was built with --enable-force-cgi-redirect

fastcgi_param REDIRECT_STATUS 200;

My fastcgi_params file is: fastcgi_param PATH_INFO $fastcgi_path_info;

fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param REQUEST_URI $request_uri; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_ROOT $document_root; fastcgi_param SERVER_PROTOCOL $server_protocol; fastcgi_param REQUEST_SCHEME $scheme; fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_PORT $remote_port; fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name;

  1. PHP only, required if PHP was built with --enable-force-cgi-redirect

fastcgi_param REDIRECT_STATUS 200;

I obtain a certificate from here: [5]

Finally I did followings, in that order:

  1. remove previous moodle installation with help of webapp-config:
    1. webapp-config -C moodle 3.2.3
    2. ( I had installed 3.2.3 version of moodle prior to move my Moodle site from HTTP to HTTPS )
  2. remove the Gentoo moodle package with emerge
    1. emerge --depclean www-apps/moodle
  3. uninstall, then install again webapp-config package because of ghost installs ( look here for this: [6]
    1. emerge --unmerge app-admin/webapp-config
    2. rm -rf /var/db/webapps/
    3. emerge -a app-admin/webapp-config
    4. dispatch-conf
      1. here I choose 'u' but then must to edit /etc/vhosts/webapp-config
      2. vhost_server="nginx"
  4. install moodle package again ( but this one is a newer 3.3.1 version )
    1. emerge -a www-apps/moodle
    2. webapp-config -I moodle 3.3.1
    3. after installation I get message 'POST-INSTALL INSTRUCTIONS' in which is a guid how to proceed with Moodle site installation, eg. about mysql and postgresql databases, commands to run, etc.
  5. set up config.php file:

My config.php file is: <?php unset($CFG); // Ignore this line global $CFG; // This is necessary here for PHPUnit execution $CFG = new stdClass();

$CFG->dbtype = 'pgsql'; // 'pgsql', 'mariadb', 'mysqli', 'mssql', 'sqlsrv' or 'oci' $CFG->dblibrary = 'native'; // 'native' only at the moment $CFG->dbhost = 'localhost'; // eg 'localhost' or 'db.isp.com' or IP $CFG->dbname = 'moodle'; // database name, eg moodle $CFG->dbuser = 'postgres'; // your database username $CFG->dbpass = 'secret_password'; // your database password $CFG->prefix = 'mdl_'; // prefix to use for all table names $CFG->dboptions = array(

   'dbpersist' => false,       // should persistent database connections be
                               //  used? set to 'false' for the most stable
                               //  setting, 'true' can improve performance
                               //  sometimes
   'dbsocket'  => '/var/run/postgresql/',       // should connection via UNIX socket be used?
                               //  if you set it to 'true' or custom path
                               //  here set dbhost to 'localhost',
                               //  (please note mysql is always using socket
                               //  if dbhost is 'localhost' - if you need
                               //  local port connection use '127.0.0.1')
   'dbport'    => ,          // the TCP port number to use when connecting
                               //  to the server. keep empty string for the
                               //  default port

);

$CFG->wwwroot = 'https://www.cspl.hu/moodle'; $CFG->dataroot = '/var/www/localhost/moodle'; $CFG->directorypermissions = 02777;

$CFG->admin = 'admin';

$CFG->slasharguments = true;

$CFG->xsendfile = 'X-Accel-Redirect'; $CFG->xsendfilealiases = array( '/dataroot/' => $CFG->dataroot, '/moodlelib/' => '/var/www/localhost/htdocs/moodle/lib', '/moodlepix/' => '/var/www/localhost/htdocs/moodle/pix', '/moodletheme/' => '/var/www/localhost/htdocs/moodle/theme' );

require_once(dirname(__FILE__) . '/lib/setup.php'); // Do not edit ?>

Finally, I would like to thank those people who helped me: Matteo Scaramuccia, Ken Task, and many others too.

--Pál Csányi (talk) 04:01, 22 July 2017 (AWST)