Linux server setup
Before server setup
Before these steps, you need to have a Linux VPS server registered with your provider. After registration, the provider sends the necessary data to work with the server:
- IP address of your server
- Password for root user
These credentials are used to log in to the server over the SSH protocol.
For convenient work with the server over SSH, I recommend the MobaXterm program: it connects to the server quickly, gives easy access to its file system, and lets you edit configuration files.
Here is an example of setting up a server on Ubuntu 22.04.
Java
- Download JDK 8uXXX (tar.gz, x64) from oracle.com (you need an Oracle account). Here and below, "XXX" stands for the actual minor version number of the distribution, for example jdk-8u261-linux-x64.tar.gz (minor version 261).
- cd /usr/lib && mkdir java && cd java
- Upload the JDK distribution file into /usr/lib/java
- tar -zxvf jdk-8uXXX-linux-x64.tar.gz
- Register the JDK binaries with update-alternatives (three separate commands):
update-alternatives --install "/usr/bin/java" "java" "/usr/lib/java/jdk1.8.0_XXX/bin/java" 1
update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/java/jdk1.8.0_XXX/bin/javac" 1
update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/java/jdk1.8.0_XXX/bin/javaws" 1
- At the end of ~/.bashrc (open it with nano ~/.bashrc) insert:
#JAVA HOME directory setup
export JAVA_HOME=/usr/lib/java/jdk1.8.0_XXX
export PATH="$PATH:$JAVA_HOME/bin"
Save the file (in nano press Ctrl+X, Y, Enter).
- Close and reopen the terminal; the commands java, javac, java -version and echo $JAVA_HOME should now work.
- To speed up the launch of Tomcat, replace in the file
$JAVA_HOME/jre/lib/security/java.security
the line
securerandom.source=file:/dev/urandom
with the line
securerandom.source=file:/dev/./urandom
(the JDK treats the plain /dev/urandom URL as /dev/random, which can block at startup when the system is short of entropy; the /dev/./urandom spelling avoids that).
PostgreSQL
- Create the repository configuration file:
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
- Import the repository signing key:
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
- Update the package list:
apt-get update
- To install PostgreSQL 10, run:
apt-get -y install postgresql-10
- At the end of the installation, check that the PostgreSQL server is running:
systemctl status postgresql
(it can be started with the pg_ctlcluster 10 main start command)
- Generate the new locale ru_RU.UTF-8 (do not worry about "ru": it is needed only for the internal date format dd.mm.yyyy, nothing more):
locale-gen ru_RU.UTF-8
- Drop the cluster "10 main":
pg_dropcluster --stop 10 main
- Create a new cluster:
pg_createcluster --locale ru_RU.utf8 --start 10 main
- Reload the service manager:
systemctl daemon-reload
- Run the service:
systemctl start postgresql@10-main
- Run the cluster:
pg_ctlcluster 10 main start
- After installation, you can connect to the PostgreSQL server only as the postgres system user, and without a password. To do this, switch to the postgres user (the account was created automatically in Ubuntu during the PostgreSQL installation):
su - postgres
- Now start psql, the PostgreSQL management console:
psql
- Set a password for the postgres user:
\password postgres
- Now create a database:
CREATE DATABASE dokio WITH OWNER "postgres" ENCODING 'UTF8' LC_COLLATE = 'ru_RU.UTF-8' LC_CTYPE = 'ru_RU.UTF-8' TEMPLATE = template0;
- Grant the privileges to manage the database to our user (the command below assumes a PostgreSQL role named root exists):
grant all privileges on database dokio to root;
- To connect to the database as the postgres user:
psql -d dokio
- \l shows all created databases
- Everything is ready, exit the console:
\q
- To switch back to root, type:
exit
External access and SSL
By default PostgreSQL listens only on the localhost address, so to connect over the network (to manage the DB with pgAdmin, for example) we need to do it securely, with the connection encrypted by SSL.
- Create the directory "1" in /bin for the generated keys:
mkdir /bin/1
cd /bin/1
- Generate the root key and then the root certificate:
openssl genrsa -out rootCA.key 1024
openssl req -x509 -new -key /bin/1/rootCA.key -days 10000 -out /bin/1/rootCA.crt
The second command asks for some certificate details; enter them (the values do not affect anything).
- Next, generate the key and certificate for the server.
Key:
openssl genrsa -out /bin/1/server.key 2048
Certificate request:
openssl req -new -key /bin/1/server.key -out /bin/1/server.csr
- Sign the certificate request with the root certificate:
openssl x509 -req -in /bin/1/server.csr -CA /bin/1/rootCA.crt -CAkey /bin/1/rootCA.key -CAcreateserial -out /bin/1/server.crt -days 10000
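The two-level setup above (a private root CA signing one server certificate) can be scripted so that it is repeatable and checked before anything is copied into the data directory. The following is an added example, not part of the DokioCRM guide: it uses a 4096-bit CA key and a 2048-bit server key, records the server's host name or IP address in a Subject Alternative Name (which libpq's sslmode=verify-full checks), and verifies the chain with openssl verify. The function names, the output directory arguments and the CA name are my own choices.

```shell
#!/bin/sh
# Added example (not from the DokioCRM guide): build a private CA and a server
# certificate that carries a Subject Alternative Name, then verify the chain.
# Assumptions: openssl on PATH; OUT_DIR and SERVER_NAME are values we choose.
set -eu

# make_pg_certs OUT_DIR SERVER_NAME
# Writes rootCA.key, rootCA.crt, server.key and server.crt into OUT_DIR.
make_pg_certs() {
    out_dir="$1"
    server_name="$2"   # hostname or IP that clients put in their connection string
    mkdir -p "$out_dir"

    # Root CA: a long-lived self-signed certificate. Its private key only ever
    # signs server certificates, so it need not live on the database host.
    openssl genrsa -out "$out_dir/rootCA.key" 4096 2>/dev/null
    openssl req -x509 -new -key "$out_dir/rootCA.key" -sha256 -days 3650 \
        -subj "/CN=DokioCRM private CA" -out "$out_dir/rootCA.crt"

    # Server key and certificate signing request.
    openssl genrsa -out "$out_dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$out_dir/server.key" -sha256 \
        -subj "/CN=$server_name" -out "$out_dir/server.csr"

    # libpq's sslmode=verify-full matches the SAN, so record the name (or the
    # IP address) there rather than relying on the CN alone.
    case "$server_name" in
        *[!0-9.]*) san="DNS:$server_name" ;;
        *)         san="IP:$server_name" ;;
    esac
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" \
        > "$out_dir/server.ext"

    openssl x509 -req -in "$out_dir/server.csr" -CA "$out_dir/rootCA.crt" \
        -CAkey "$out_dir/rootCA.key" -CAcreateserial -sha256 -days 825 \
        -extfile "$out_dir/server.ext" -out "$out_dir/server.crt" 2>/dev/null

    # Private keys owner-only, as PostgreSQL itself insists for server.key.
    chmod 600 "$out_dir/rootCA.key" "$out_dir/server.key"
}

# verify_pg_certs OUT_DIR SERVER_NAME
# Returns 0 only if server.crt chains to rootCA.crt and names SERVER_NAME
# in its Subject Alternative Name.
verify_pg_certs() {
    out_dir="$1"
    server_name="$2"
    openssl verify -CAfile "$out_dir/rootCA.crt" "$out_dir/server.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$out_dir/server.crt" -noout -text |
        grep -Eq "(DNS|IP Address):$server_name"
}

# Stand-alone use: ./make_pg_certs.sh run /bin/1 db.example.internal
if [ "${1:-}" = "run" ]; then
    make_pg_certs "$2" "$3"
    verify_pg_certs "$2" "$3" && echo "certificates in $2 verify OK"
fi
```

With a certificate like this, pgAdmin and psql can use SSL mode verify-full instead of Require, which additionally checks that the certificate belongs to the host you typed; distribute rootCA.crt (never rootCA.key) to the clients for that.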
- Copy the root CA certificate, the server key and the server certificate to the DB directory:
cp server.crt /var/lib/postgresql/10/main/
cp server.key /var/lib/postgresql/10/main/
cp rootCA.crt /var/lib/postgresql/10/main/
- Change the ownership and permissions for the postgres user (PostgreSQL refuses to start if server.key is readable by other users):
chown postgres /var/lib/postgresql/10/main/server.crt
chown postgres /var/lib/postgresql/10/main/server.key
chown postgres /var/lib/postgresql/10/main/rootCA.crt
chmod 600 /var/lib/postgresql/10/main/server.crt
chmod 600 /var/lib/postgresql/10/main/server.key
- Now specify that PostgreSQL should listen on all available interfaces. Open the file /etc/postgresql/10/main/postgresql.conf and change the line
#listen_addresses = 'localhost'
to
listen_addresses = '*'
- In the same /etc/postgresql/10/main/postgresql.conf set these variables to the following values:
ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
ssl_cert_file = '/var/lib/postgresql/10/main/server.crt'
ssl_key_file = '/var/lib/postgresql/10/main/server.key'
ssl_ca_file = '/var/lib/postgresql/10/main/rootCA.crt'
- Open /etc/postgresql/10/main/pg_hba.conf, remove all text from the file and, if you will access the server from one place and have a static IP address, put:
# TYPE DATABASE USER ADDRESS METHOD
hostssl dokio postgres 92.248.142.251/32 password # External IP
host all all 127.0.0.1/32 md5 # Java Apps
local all all trust # UNIX users
In the other cases put:
# TYPE DATABASE USER ADDRESS METHOD
hostssl dokio postgres 0.0.0.0/0 password # External IP
host all all 127.0.0.1/32 md5 # Java Apps
local all all trust # UNIX users
- Save this file and restart PostgreSQL:
systemctl restart postgresql
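The rules above are what the guide intends: TLS for the external client, md5 on the loopback, and trust only on the UNIX socket. Editing pg_hba.conf by hand is easy to get wrong, so here is an added audit script (not from the guide) that reads a pg_hba.conf and flags rules looser than that: hostnossl rules, trust on any network rule, and plain host rules open to 0.0.0.0/0 or ::/0, which would accept unencrypted connections from anywhere. It parses the single-column CIDR address form the guide writes; the function name and the messages are mine.

```shell
#!/bin/sh
# Added example (not from the DokioCRM guide): a small audit of pg_hba.conf
# that reports rules looser than the ones the guide installs.
# Assumptions: rules use the single-column ADDRESS form (CIDR), as in the
# guide; the wording of the findings is ours.
set -eu

# audit_pg_hba FILE
# Prints one line per finding; returns 1 if anything was found, 0 otherwise.
audit_pg_hba() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # comments, blank lines
        {
            type = $1; db = $2; user = $3
            if (type == "local") { addr = "";  method = $4 }   # UNIX socket rule
            else                 { addr = $4;  method = $5 }   # network rule
            if (type == "hostnossl") {
                printf "%s:%d: hostnossl permits unencrypted access for %s to %s\n", FILENAME, NR, user, db
                bad = 1
            }
            if (type != "local" && method == "trust") {
                printf "%s:%d: trust on a network rule lets %s in with no password\n", FILENAME, NR, user
                bad = 1
            }
            if (type == "host" && (addr == "0.0.0.0/0" || addr == "::/0")) {
                printf "%s:%d: %s without hostssl does not require TLS from the Internet\n", FILENAME, NR, addr
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Stand-alone use: ./audit_pg_hba.sh run /etc/postgresql/10/main/pg_hba.conf
if [ "${1:-}" = "run" ]; then
    audit_pg_hba "$2" && echo "no findings in $2"
fi
```

Run it before systemctl restart postgresql; a non-zero exit means there is a rule to look at. A separate point the script does not check: on PostgreSQL 10 the scram-sha-256 method is available and, unlike password, never sends the password itself inside the (here TLS-protected) session.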
netstat -pant | grep postgres
If everything is OK, it must display something like this:
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 1492/postgres
tcp6 0 0 :::5432 :::* LISTEN 1492/postgres
Now you should be able to connect to the database from pgAdmin installed on your computer with the following parameters:
- Host name/address: ip_address_of_your_server
- Port: 5432
- Maintenance database: dokio
- Username: postgres
- SSL mode: Require
Tomcat
- Go to the Tomcat site and download the tar.gz file from the Core section.
- Change directory to /opt:
cd /opt
- Upload the tar.gz file into /opt and unpack it:
tar -zxvf apache-tomcat-9.0.63.tar.gz
- Rename the extracted directory to tomcat:
mv /opt/apache-tomcat-9.0.63 /opt/tomcat
- Go to /etc/systemd/system/ and create the file tomcat.service
- Open tomcat.service and paste this text (don't forget to change the line Environment=JAVA_HOME ...):
[Unit]
Description=Tomcat9
After=network.target
[Service]
Type=forking
Environment=CATALINA_PID=/opt/tomcat/tomcat9.pid
Environment=JAVA_HOME={YOUR_JAVA_home} (for example: Environment=JAVA_HOME=/usr/lib/java/jdk1.8.0_261)
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment="CATALINA_OPTS=-Xms512m -Xmx512m"
Environment="JAVA_OPTS=-Dfile.encoding=UTF-8 -Dnet.sf.ehcache.skipUpdateCheck=true -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC"
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
[Install]
WantedBy=multi-user.target
- Save the file and reload the service manager:
systemctl daemon-reload
- Start Tomcat through the service:
service tomcat start
- Check Tomcat status:
service tomcat status
It must show "Active: active (running)"
- Add the service to autostart:
systemctl enable tomcat
- Open /opt/tomcat/conf/tomcat-users.xml and at the end of the file, before the </tomcat-users> tag, add (with your own passwords):
<role rolename="manager-gui" />
<user username="manager" password=" YOUR PWD HERE! " roles="manager-gui" />
<role rolename="admin-gui" />
<user username="admin" password=" YOUR PWD HERE! " roles="manager-gui,admin-gui" />
Nginx
- Installation:
apt install nginx
- Add to startup:
systemctl enable nginx
Now it can be opened in a browser and should already be running on port 80.
At this stage you need to get an SSL certificate for browsers. You can get a free SSL certificate from the "Let's Encrypt" project. Certbot can automatically obtain, download and replace the certificate when it expires.
- Install the snap package installer:
apt install snapd
- Link /var/lib/snapd/snap at the root:
ln -s /var/lib/snapd/snap /snap
- Install and update the snap core:
snap install core
snap refresh core
- Install Certbot:
snap install --classic certbot
- Create a link to Certbot:
ln -s /snap/bin/certbot /usr/bin/certbot
- Automatic installation of the certificate (when asked for the name of the site, enter the name of your site, for example yourdomain.com, or its IP address):
certbot --nginx
On success Certbot prints "Certbot has set up a scheduled task to automatically renew this certificate in the background.", which means renewal of the certificate is handled automatically.
- Go to /etc/nginx/sites-enabled:
cd /etc/nginx/sites-enabled
- Create the file site.conf:
> site.conf
- Check the validity of the configuration files:
nginx -t
- Then restart the server and check the status:
service nginx reload
service nginx restart
Certbot installing
Put this configuration into site.conf and save it (replace yourdomain.com with your site, as in the "certbot --nginx" command):
server {
    if ($host = yourdomain.com) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    client_max_body_size 11m;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name yourdomain.com;
    # use this block when DokioCRM runs under a site subdirectory (e.g. /dss). In that case write base href="/dss/" instead of base href="/" in index.html
    location /dss {
        root /var/www/html/;
        try_files $uri $uri/ /dss/index.html;
    }
    location /assets {
        root /var/www/html/dss/;
    }
    # end of block for running DokioCRM under a site subdirectory
    location /api/auth/ {
        proxy_pass http://127.0.0.1:8080/dokio_war/api/auth/;
    }
    location /api/public/ {
        proxy_pass http://127.0.0.1:8080/dokio_war/api/public/;
    }
    location /manager/ {
        proxy_pass http://127.0.0.1:8080/manager/;
    }
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.html break;
        }
    }
}
Firewall UFW
- Install ufw:
apt-get install ufw
- View status:
ufw status
- Allow SSH connections:
ufw allow ssh
- To enable UFW, type (!!! DO NOT DO THIS WITHOUT THE PREVIOUS COMMAND !!!):
ufw enable
At this stage, all incoming and outgoing connections, except for incoming on port 22, will be blocked.
- To view the current set of rules, type:
ufw status verbose
- Open the ports required for system operation:
ufw allow http
ufw allow 80
ufw allow https
ufw allow 443
ufw allow ftp
ufw allow 20/tcp
ufw allow 21/tcp
ufw allow 25
ufw allow 5432
- Useful commands:
To delete a rule, type:
ufw status numbered
ufw delete {num}
Limit the number of connection attempts (6 in 30 seconds):
ufw limit ssh/tcp
FTP
- Install vsftpd:
apt install vsftpd
- Start vsftpd:
systemctl start vsftpd
- Add to autostart:
systemctl enable vsftpd
- Open the firewall ports:
ufw allow 20/tcp
ufw allow 21/tcp
ufw status
- Make a copy of the original settings file (just in case):
cp /etc/vsftpd.conf /etc/vsftpd.conf.orig
- Create a new user to connect to FTP:
useradd -m -c "FTP User" -s /bin/bash ftpuser
passwd ftpuser
- Create /etc/vsftpd.userlist:
> /etc/vsftpd.userlist
- Open /etc/vsftpd.userlist, enter the username ftpuser, press Enter and save the file
- Create the folder for the user:
mkdir -p /home/ftpuser/ftp/files
- Remove write permission on the ftp directory (vsftpd refuses logins when the chroot directory itself is writable):
chown nobody:nogroup /home/ftpuser/ftp
chmod a-w /home/ftpuser/ftp
- Give write permissions to files:
chown -R ftpuser:ftpuser /home/ftpuser/ftp/files
chmod -R 0770 /home/ftpuser/ftp/files/
- Create the certificate:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
- Open the settings file /etc/vsftpd.conf and enter this information:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
idle_session_timeout=600
pam_service_name=vsftpd
chroot_local_user=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
user_sub_token=$USER
local_root=/home/$USER/ftp
#SSL
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
- Restart vsftpd:
systemctl restart vsftpd
Adding SSL
Automatic backup
- Create a directory where the scripts will be placed:
mkdir /scripts
- Create the script:
> /scripts/postgresql_dump.sh
- Open the created script in the MobaXterm text editor and enter this information:
#!/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
PGPASSWORD=_!!!YOUR PASSWORD!!!_
export PGPASSWORD
pathB=/home/ftpuser/ftp/files/backup
dbUser=postgres
database=dokio_empty
# delete backups older than 10 days
find $pathB -name "*.sql.gz" -ctime +10 -delete
# dump the database in custom format and compress it
pg_dump -F custom -U $dbUser $database | gzip > $pathB/pgsql_$(date "+%Y-%m-%d").sql.gz
unset PGPASSWORD
This script first deletes all backups older than 10 days.
In the MobaXterm text editor menu click Format - Unix (to avoid the /bin/sh^M error), and save the file.
- Files are stored separately from the database, so you need to create a script to back up the files:
> /scripts/files_backup.sh
- Open the created script and enter this information:
#!/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
# delete file backups older than 10 days
find /home/ftpuser/ftp/files/backup -name "*.tar.gz" -ctime +10 -delete
# archive and gzip the files directory (-z is needed for a real .tar.gz)
tar -czvf /home/ftpuser/ftp/files/backup/files_$(date "+%Y-%m-%d").tar.gz /usr/dokio/files
This script also first deletes all backups older than 10 days.
In the MobaXterm text editor menu click Format - Unix (to avoid the /bin/sh^M error), and save the file.
Alternatively, you can remove the carriage return characters with the following command:
sed -i -e 's/\r$//' /_path_/_to_/_file.sh
- Make the scripts executable:
chmod +x /scripts/postgresql_dump.sh
chmod +x /scripts/files_backup.sh
- Create a task in the scheduler:
crontab -e
- In the nano editor that opens, paste at the end of the file:
0 0 * * * /scripts/files_backup.sh
0 0 * * * /scripts/postgresql_dump.sh
- Exit nano and save the file:
Ctrl+X Y Enter
- Check that everything is saved (just in case):
crontab -l
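The dump script above keeps the database password in PGPASSWORD inside the script and pipes pg_dump into gzip, so a failed dump still exits 0 and leaves a tiny, useless .sql.gz behind. The following is an added example, not the guide's script: it reads the password from ~/.pgpass of the user running the cron job, writes the custom-format dump (which is already compressed) under a temporary name and renames it only on success, prunes by modification time, and makes the exit status reflect pg_dump's so cron can report a failure. BACKUP_DIR, DB_NAME, DB_USER and the function names are my own; the defaults point at the guide's backup directory and the dokio database.

```shell
#!/bin/sh
# Added example (not the DokioCRM guide's own script): a PostgreSQL dump
# routine that keeps the password out of the script and fails loudly instead
# of silently leaving an empty archive behind.
# Assumptions: the postgres password is in ~/.pgpass (mode 0600) of the user
# running the job; BACKUP_DIR, DB_NAME and DB_USER are names we chose;
# pg_dump is on PATH.
set -eu
umask 077   # dumps contain customer data: create them owner-readable only

# prune_old_backups DIR DAYS
# Removes DIR/*.dump files whose modification time is older than DAYS days.
prune_old_backups() {
    find "$1" -maxdepth 1 -type f -name '*.dump' -mtime +"$2" -exec rm -f {} +
}

# dump_database DIR DB USER
# Writes DIR/pgsql_<date>.dump via a temporary name so a crash never leaves a
# half-written file under the final name. Prints the path on success and
# returns pg_dump's exit status on failure.
dump_database() {
    dir="$1"; db="$2"; user="$3"
    out="$dir/pgsql_$(date +%Y-%m-%d).dump"
    tmp="$out.part"
    # Custom format is already compressed, so there is no gzip pipe and
    # pg_dump's exit status is not masked by gzip's. -w: never prompt; the
    # password has to come from ~/.pgpass.
    pg_dump -F custom -w -U "$user" -f "$tmp" "$db" || {
        status=$?
        rm -f "$tmp"
        return "$status"
    }
    mv "$tmp" "$out"
    printf '%s\n' "$out"
}

# run_backup: create the directory if needed, prune, then dump. The exit
# status is non-zero if the dump failed, which is what cron reports by mail.
run_backup() {
    dir="${BACKUP_DIR:-/home/ftpuser/ftp/files/backup}"
    mkdir -p "$dir"
    prune_old_backups "$dir" 10
    dump_database "$dir" "${DB_NAME:-dokio}" "${DB_USER:-postgres}"
}

# Stand-alone use from cron: 0 0 * * * /scripts/postgresql_dump.sh run
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Create /root/.pgpass with one line of the form host:port:database:user:password (the real values), chmod 600 it, and schedule /scripts/postgresql_dump.sh run from crontab -e as in the step above. Restore with pg_restore, since the custom format is not plain SQL.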
Mail server
A mail server is an optional but useful component of the DokioCRM server. It is needed to confirm the e-mail address at registration and to recover the password if the user has forgotten it. In this case the mail server works in send-only mode.
Before starting a mail server, go to your domain registrar account and set the A record and MX record for yourdomain.com. If you do not do this, the letters will arrive, but most likely they will end up in the Spam folder.
The Postfix config file is /etc/postfix/main.cf
- To check the hostname (FQDN) of your server, run:
hostname -f
An FQDN is a name assigned to an individual machine; its purpose is to uniquely identify a single machine across the Internet.
- You can change the FQDN with this command:
hostnamectl set-hostname yourdomain.com
- Install mailutils:
apt-get install mailutils
At the question "Please select the mail server configuration type that best meets your needs" choose 2 (Internet Site).
At the question "System mail name" type noreply@yourdomain.com or noreply@dokio
- Send the mail logs to a separate file:
postconf maillog_file=/var/log/postfix.log
- Open the postfix configuration file
nano /etc/postfix/main.cf
and make sure that the parameter mynetworks IS NOT equal to 0.0.0.0/0 (that would turn the server into an open relay);
it must be something like this: mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
- Start postfix:
systemctl start postfix
- Add to autostart:
systemctl enable postfix
- Set the protocol (Google Gmail likes it so much!):
postconf -e "inet_protocols = ipv4"
- Set the Postfix hostname (it must match your FQDN):
postconf -e "myhostname = yourdomain.com"
- Set the $mydomain parameter:
postconf -e "mydomain = yourdomain.com"
- Set the $myorigin parameter:
postconf -e "myorigin = yourdomain.com"
- To check these settings use:
postconf myhostname
postconf mydomain
postconf myorigin
- Restart Postfix:
systemctl restart postfix
- You can test sending mail with the command:
mail your@mailbox
Cc: can be empty; after the mail text press Ctrl+D and the letter will be sent.
- Add a new user "noreply" with the password from the "mail.password" parameter of the backend file application.properties:
adduser noreply
- Useful commands:
View queue: mailq
Clear queue: postsuper -d ALL
Retry delivery of mail in queue: postqueue -f
See log: nano /var/log/postfix.log
Deploy DokioCRM files and database
If the server already hosts a site, DokioCRM must be placed in a subdirectory. All examples are given for a subdirectory called dss, but you can name yours whatever you want (then don't forget to change /etc/nginx/sites-enabled/site.conf according to your subdirectory's name).
To install DokioCRM, go to Downloads and download the following files of the latest DokioCRM version:
- Backend (dokio_war.war): the backend file
- Frontend (dokio.tar): the frontend file
- Empty database (dokio_db_xxx.sql): the dump of the empty database
- Start files (start_files.tar): start files
First, upload dokio.tar, dokio_war.war and start_files.tar into your FTP folder /home/ftpuser/ftp/files via an FTP client (e.g. FileZilla).
- Use pgAdmin to load the dump into the empty DokioCRM database. This may take several minutes or more.
- Copy dokio_war.war to $CATALINA_HOME:
cp /home/ftpuser/ftp/files/dokio_war.war /opt/tomcat/webapps/
Tomcat will find it and deploy it automatically, but it will not run yet (you can check this by opening yourdomain.com/manager; you need the manager's password from /opt/tomcat/conf/tomcat-users.xml), because the settings in the file application.properties still have to be made.
- Unpack the file start_files.tar into the desired directory, for example into /var:
tar -C /var -xvf /home/ftpuser/ftp/files/start_files.tar
- Open your application.properties:
nano /opt/tomcat/webapps/dokio_war/WEB-INF/classes/application.properties
and set the following values:
- spring.datasource.password: password of your postgres user
- mail.password: password of the user "noreply"
- start_files_path = /var/start_files/ : the start files unpacked from start_files.tar
- dokioserver.host: path to the DokioCRM files. If the files are in /var/www/html it must be yourdomain.com; if they are in /var/www/html/dss it must be yourdomain.com/dss. The latter option suits the case where, in addition to Dokio, another site is or will be located on the server.
- activate_account.from_email: this e-mail is displayed as "From" in the registration confirmation and password recovery e-mails
- Save this file and make a backup of it:
mkdir /opt/tomcat/dokio_properties
cp /opt/tomcat/webapps/dokio_war/WEB-INF/classes/application.properties /opt/tomcat/dokio_properties
- Go to yourdomain.com/manager and click the Start button of dokio_war.war. The Running column must show true.
- Create a new subdirectory to run DokioCRM on yourdomain.com/dss:
mkdir /var/www/html/dss
- Unpack the archive with DokioCRM into the folder matching the dokioserver.host property.
For the root directory:
tar -C /var/www/html -xvf /home/ftpuser/ftp/files/dokio.tar
For yourdomain.com/dss:
tar -C /var/www/html/dss -xvf /home/ftpuser/ftp/files/dokio.tar
- Open index.html:
nano /var/www/html/dss/index.html
and change base href="/" to base href="/dss/"
- Now DokioCRM can be opened at yourdomain.com or yourdomain.com/dss
If DokioCRM will run from the root directory of the site, just skip the next step: