Autorarchive: André P.

Über André P.

Seit einigen Jahren in der IT unterwegs, teile ich nun auch meine Gedanken und Ideen in Form dieses Blogs.

Snippet: GoCryptFS kompilieren (für HW-beschleunigtes AES) und Systemd Dienst einrichten

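Wichtig: Den bei der Initialisierung (Schritt 4) einmalig angezeigten Master-Key sicher und getrennt von den verschlüsselten Daten aufbewahren! Er ist die einzige Möglichkeit, die Daten wiederherzustellen, falls das Passwort vergessen wird oder die gocryptfs.conf beschädigt ist.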

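# Builds gocryptfs from source, initialises /data/crypted and installs a
# systemd unit that mounts it on /data/decrypted. The commands write to
# /usr/local/bin and /etc/systemd/system, so they presumably run as root.

# 1. Build and runtime prerequisites: OpenSSL headers and FUSE.
yum install openssl-devel fuse

# 2. Fetch and build gocryptfs.
# NOTE(review): this builds whatever the repository's default branch currently
# holds. Consider checking out a release tag and verifying it before running
# build.bash, since the resulting binary will handle the encryption passphrase.
# The steps are chained with && so that a failed download, cd or build cannot
# end up installing a stale or unrelated file named "gocryptfs".
go get -d github.com/rfjakob/gocryptfs &&
  cd "$(go env GOPATH)/src/github.com/rfjakob/gocryptfs" &&
  ./build.bash &&
  install -m 0755 gocryptfs /usr/local/bin/

# 3. Ciphertext directory and mount point.
mkdir -p /data/{crypted,decrypted}

# 4. Initialise the ciphertext directory once. gocryptfs.conf marks a directory
# that is already initialised; re-running -init on it is skipped.
# The master key is shown by -init only at this point: store it offline.
if [ -f /data/crypted/gocryptfs.conf ]; then
  echo "/data/crypted is an initialized gocryptfs directory"
elif ! gocryptfs -init /data/crypted; then
  # Diagnostics go to stderr. The script deliberately continues, but step 7
  # cannot succeed until the directory has been initialised.
  echo "cannot init /data/crypted directory, skipping" >&2
fi

# 5. Stop a previously installed instance before its unit file is rewritten.
# On a first run the unit does not exist yet and this fails harmlessly.
systemctl stop gocryptfs

# 6. Write the unit file. The quoted 'EOF' delimiter keeps the shell from
# expanding anything inside the here-document.
# -extpass obtains the passphrase from systemd-ask-password at start time, so
#   it is not stored in the unit file or anywhere on disk.
# -allow_other makes the decrypted mount reachable by local users other than
#   the one that mounted it. NOTE(review): drop the flag if only the mounting
#   user needs the plaintext; otherwise rely on strict file permissions
#   inside /data/decrypted.
cat << 'EOF' > /etc/systemd/system/gocryptfs.service
[Unit]
Description=gocryptfs Mount Unit
Requires=network.target local-fs.target
After=network.target local-fs.target
[Service]
Type=forking
ExecStart=/usr/local/bin/gocryptfs -extpass "systemd-ask-password GoCryptFS:" -allow_other /data/crypted/ /data/decrypted/
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
# Do not start on boot: the passphrase has to be entered by an operator.
systemctl disable gocryptfs

# 7. Start the mount, retrying once per second until it succeeds (for example
# after a mistyped passphrase). The loop has no upper bound: if the failure is
# permanent, interrupt it and inspect `journalctl -u gocryptfs`.
until systemctl start gocryptfs; do
  sleep 1
done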

Template Zammad Reverse Proxy mit Apache

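<VirtualHost *:80>
  ServerName ticket.domain.tld
  # Redirect every plain-HTTP request to the HTTPS vhost. The target uses the
  # fixed ServerName instead of %{HTTP_HOST}, so a client-supplied Host header
  # cannot influence where the redirect points.
  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://ticket.domain.tld/$1 [R=301,L]
  # NOTE(review): the rewrite above matches every request on this vhost, so the
  # proxy directives below should never be reached. If they ever are (e.g.
  # mod_rewrite not loaded), Zammad sessions would be served over plaintext;
  # consider removing them from the port-80 vhost.
  ProxyPass / http://127.0.0.1:8090/
  ProxyPassReverse / http://127.0.0.1:8090/
  ProxyPreserveHost On
  ProxyAddHeaders On
  RequestHeader set X-Forwarded-Proto "http"
</VirtualHost>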
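<VirtualHost *:443>
  ServerName ticket.domain.tld
  # The more specific /ws mapping must come before the catch-all "/" mapping,
  # because ProxyPass rules are checked in configuration order.
  # Proxying to ws:// needs mod_proxy_wstunnel in addition to mod_proxy_http.
  ProxyPass /ws ws://127.0.0.1:8090/ws
  ProxyPassReverse /ws ws://127.0.0.1:8090/ws
  ProxyPass / http://127.0.0.1:8090/
  ProxyPassReverse / http://127.0.0.1:8090/
  ProxyPreserveHost On
  ProxyAddHeaders On
  # "set" replaces any X-Forwarded-Proto / X-Forwarded-Ssl value sent by the
  # client, so the backend only sees what this proxy asserts. That holds only
  # while the backend listens on 127.0.0.1 and cannot be reached directly.
  # A space is required between the header value and the env= condition.
  RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
  RequestHeader set X-Forwarded-Ssl on
  # The private key should be readable by root only.
  SSLCertificateFile /etc/letsencrypt/live/ticket.domain.tld/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/ticket.domain.tld/privkey.pem
  # NOTE(review): this vhost has no SSLEngine directive of its own; TLS is
  # presumably enabled by the included certbot options file. Confirm it is.
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>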