Building a Video Streaming Server, Part 4: Setup (apache/certbot/MySQL)

Prepare the environment the application will run in.

  • Install the required tools
  • Copy the AVideo code from its git repository
  • Configure apache
  • Obtain a security certificate
  • Set up MySQL

Since this is a test build, everything here is done as root.

First, update the Ubuntu package lists

apt update

The command below installs the full set of packages AVideo requires; net-tools is added because it is handy for testing.
If you also manage DNS on this server, it is convenient to install dig alongside bind.

apt install apache2 libapache2-mod-php php-mysql php-curl php-gd php-intl php-xml \
git libimage-exiftool-perl curl net-tools libnginx-mod-rtmp nginx \
mysql-server mysql-client ffmpeg php-mbstring

Enable Apache's mod_rewrite.

a2enmod rewrite

Install youtube-dl

curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl
chmod a+rx /usr/local/bin/youtube-dl

Download AVideo from its git repository

cd /var/www/html
git clone https://github.com/WWBN/AVideo.git avideo

Download AVideo-Encoder

cd /var/www/html
git clone https://github.com/WWBN/AVideo-Encoder.git encoder

Change the ownership so the web server user owns both trees.

chown -R www-data:www-data avideo
chown -R www-data:www-data encoder

Apache HTTP Server / PHP configuration
Disable the default site and have Apache load 001-avideo.conf instead.
In the Apache conf file, besides the domain you obtained, specify AllowOverride All for the two application directories, because uploads take place there and AVideo relies on its .htaccess rewrite rules.

a2dissite 000-default
nano /etc/apache2/sites-available/001-avideo.conf
<VirtualHost *:80>
              # replace with your own domain name
              ServerName xxxx.xxxxx.xxxx
              DocumentRoot /var/www/html
              Options Indexes FollowSymLinks
              DirectoryIndex index.html index.php
              <Directory "/var/www/html/avideo">
                            AllowOverride All
                            Require all granted
              </Directory>
              <Directory "/var/www/html/encoder">
                            AllowOverride All
                            Require all granted
              </Directory>
</VirtualHost>
001-avideo.conf

a2ensite 001-avideo

If you want HTTPS connections, set up a certificate.
Here we use free Let's Encrypt certificates through Certbot with its apache plugin.

apt install certbot python3-certbot-apache

Don't forget the firewall settings.
In Part 3 we configured the security settings on the VPS side, but the firewall inside the server also has to let the ports through, so configure the two so that they do not contradict each other.

ufw allow 'Apache Full'
Apache means http only (port 80), Apache Full means http and https (port 443), and Apache Secure means https only.
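The following is an added example, not part of the original article: a small POSIX shell check that expands the ALLOW lines of `ufw status` output into port/protocol entries and reports which ports an Apache profile needs that the host firewall does not yet allow. It assumes the stock ufw application profiles (Apache = 80/tcp, Apache Full = 80/tcp and 443/tcp, Apache Secure = 443/tcp) and rules written as either a profile name or as PORT/PROTO; the status text used in the demo is constructed, not captured from a live host.

```shell
#!/bin/sh
# Added example (not from the article): compare what an Apache ufw profile
# needs against what "ufw status" reports, so the host firewall and the VPS
# firewall configured in Part 3 can be kept in step.

# required_ports PROFILE -> space-separated "port/proto" list (assumed stock profiles)
required_ports() {
    case $1 in
        "Apache")        echo "80/tcp" ;;
        "Apache Full")   echo "80/tcp 443/tcp" ;;
        "Apache Secure") echo "443/tcp" ;;
        *) echo "unknown profile: $1" >&2; return 1 ;;
    esac
}

# allowed_ports UFW_STATUS_TEXT -> sorted unique list of allowed port/proto entries.
# Each ALLOW line is reduced to its "To" column; profile names are expanded,
# "(v6)" duplicates are folded into their IPv4 entry, and plain port numbers
# without a protocol are ignored (assumption: rules were added as PORT/PROTO).
allowed_ports() {
    printf '%s\n' "$1" | grep -E '[[:space:]]ALLOW[[:space:]]' |
    sed -E 's/[[:space:]]+ALLOW.*//; s/ \(v6\)$//' |
    while IFS= read -r to; do
        case $to in
            Apache*)      required_ports "$to" ;;
            */tcp|*/udp)  echo "$to" ;;
            *)            ;;
        esac
    done | tr ' ' '\n' | sort -u
}

# missing_ports UFW_STATUS_TEXT PROFILE -> prints each required port not allowed
missing_ports() {
    allowed=$(allowed_ports "$1")
    for p in $(required_ports "$2"); do
        printf '%s\n' "$allowed" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample: only the "Apache" profile (port 80) was allowed, so a
# site that certbot has just redirected to HTTPS would be unreachable.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Apache                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)'

# Usage: on a real host replace the sample with "$(ufw status)".
missing=$(missing_ports "$SAMPLE_UFW_STATUS" "Apache Full")
if [ -n "$missing" ]; then
    echo "ports required by 'Apache Full' but not allowed: $missing"
else
    echo "host firewall already allows everything 'Apache Full' needs"
fi
```

Run it after `ufw allow 'Apache Full'` and again after certbot has switched the site to redirect to HTTPS; a non-empty result means the host firewall and the VPS firewall from Part 3 disagree on port 443.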

Obtaining the SSL certificate

certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): xxxxx@xxxx.xxx.xxx
 – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
(A)gree/(C)ancel: a
 – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
(Y)es/(N)o: y

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
 
Which names would you like to activate HTTPS for?
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
1: xxxxx.xxxxxx.xxxxxx
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):1
 
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxxx.xxxxxx.xxxxxx
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/001-avideo-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/001-avideo-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/001-avideo-le-ssl.conf
 
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
1: No redirect – Make no further changes to the webserver configuration.
2: Redirect – Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/001-avideo.conf to ssl vhost in /etc/apache2/sites-enabled/001-avideo-le-ssl.conf
 
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Congratulations! You have successfully enabled https://xxxxx.xxxxxx.xxxxxx
 
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=xxxxx.xxxxxx.xxxxxx
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
 
IMPORTANT NOTES:
 – Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/jtsrv01.actry-system.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/jtsrv01.actry-system.net/privkey.pem
   Your cert will expire on 2022-09-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the “certonly” option. To non-interactively renew *all* of
   your certificates, run “certbot renew”
 – If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let’s Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

PHP settings for Apache
The folder location changes with the PHP version, so edit the php.ini file for the version you have installed.

cd /etc/php/7.4/apache2/
sed -i -e 's/max_execution_time = 30/max_execution_time = 7200/g' php.ini
sed -i -e 's/memory_limit = 128M/memory_limit = 512M/g' php.ini
sed -i -e 's/post_max_size = 8M/post_max_size = 5000M/g' php.ini
sed -i -e 's/upload_max_filesize = 2M/upload_max_filesize = 5000M/g' php.ini
/etc/php/7.4/apache2/php.ini

Set the file size and memory limits for encoding according to the sizes you will actually handle.
Here the guide is 5 GB (about 2 hours 30 minutes of HD recording).
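The sed one-liners above only match the stock default values (`max_execution_time = 30`, `memory_limit = 128M`, and so on); on a php.ini that was already edited, or on a PHP version with different defaults, they silently change nothing. The following is an added example, not the article's own commands: a POSIX shell helper that rewrites a directive whatever its current value (including a commented-out `;key = value` line), appends it if it is absent, and reads the result back so the change can be verified. It assumes each directive appears at most once as `key = value`, as in the php.ini Ubuntu ships; the php.ini fragment in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the article): idempotent php.ini editing with verification.

# set_ini_directive FILE KEY VALUE
# Replaces an existing "KEY = ..." line (commented out or not); appends if absent.
set_ini_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_ini_directive FILE KEY -> prints the effective (uncommented) value, if any
get_ini_directive() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$1" | tail -n 1
}

# apply_avideo_php_settings FILE: the four values used in the article
apply_avideo_php_settings() {
    set_ini_directive "$1" max_execution_time 7200
    set_ini_directive "$1" memory_limit 512M
    set_ini_directive "$1" post_max_size 5000M
    set_ini_directive "$1" upload_max_filesize 5000M
}

# Demo on a constructed php.ini fragment in which memory_limit is not at the
# stock default and upload_max_filesize is only present commented out: both
# cases the article's literal sed patterns would leave untouched.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
; constructed sample, not a real php.ini
max_execution_time = 30
memory_limit = 256M
post_max_size = 8M
;upload_max_filesize = 2M
EOF
    apply_avideo_php_settings "$tmp"
    for k in max_execution_time memory_limit post_max_size upload_max_filesize; do
        printf '%s = %s\n' "$k" "$(get_ini_directive "$tmp" "$k")"
    done
    rm -f "$tmp"
}

demo
```

On a real host call `apply_avideo_php_settings /etc/php/<version>/apache2/php.ini` and check the four values with `get_ini_directive` before restarting apache; `php -i | grep -E 'upload_max_filesize|post_max_size'` confirms what the running interpreter actually sees.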

Restart apache

systemctl restart apache2

This time we use MySQL.

systemctl start mysql
mysql -u root -p

I recommend setting the root user's password at this point.
Normally you would set it in the next step, but that often ran into an endless loop of errors, so I think it is better to set it beforehand.

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'xxxxxxxxx';
flush privileges;
exit

MySQL security setup

mysql_secure_installation
Securing the MySQL server deployment.
 
Enter password for user root:
 
VALIDATE PASSWORD COMPONENT can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD component?
 
Press y|Y for Yes, any other key for No: y
 
There are three levels of password validation policy:
 
LOW    Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
 
Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 0
Using existing password for root.
 
Estimated strength of the password: 100
Change the password for root ? ((Press y|Y for Yes, any other key for No) : y
New password:
Re-enter new password:
Estimated strength of the password: 100
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.
Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.
Normally, root should only be allowed to connect from
‘localhost’. This ensures that someone cannot guess at
the root password from the network.
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Success.
By default, MySQL comes with a database named ‘test’ that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
 – Dropping test database…
Success.
 – Removing privileges on test database…
Success.
Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.
All done!
DB security setup

Choose the password policy level and the other security settings to suit your environment.

That completes the infrastructure side of the setup; what follows is the setup of AVideo itself (the application side).