author: buckE <buckE@disroot.org> 2020-04-03 01:39:21 +0000
committer: buckE <buckE@disroot.org> 2020-04-03 01:39:21 +0000
commit: 82ba69fca3ebebf2a5d85779cd4605df76a787d8 (patch)
tree: 6daa7307dcfe7d9b83f22ae8f0b8b86cdd95813a
parent: b2ec169dc3ca72f1c32efb605e221c2b8b451098 (diff)
download: woocommerce-taler-82ba69fca3ebebf2a5d85779cd4605df76a787d8.tar.gz
download: woocommerce-taler-82ba69fca3ebebf2a5d85779cd4605df76a787d8.tar.bz2
download: woocommerce-taler-82ba69fca3ebebf2a5d85779cd4605df76a787d8.zip
Renamed README.md to Server-Build-Instructions.md ; updated that file after testing up to WP installation; created /scripts/ssl-create-selfsigned.sh
-rw-r--r--  README.md                                        6
-rw-r--r--  server-build/Server-Build-Instructions.md      212
-rw-r--r--  server-build/assets/wordpress.conf              25
-rw-r--r--  server-build/scripts/ssl-create-selfsigned.sh   27
-rw-r--r--  server-build/scripts/ufw-setup.sh               57
5 files changed, 327 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..41fdfb1
--- /dev/null
+++ b/README.md
@@ -0,0 +1,6 @@
+# Repository for Taler plugin for Woocommerce
+
+## Subdirectories:
+
+`/plugin` - Plugin directory
+`/server-build` - Guide and scripts for building a full WooCommerce server including the Taler plugin
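Review bot: the two subdirectory lines under `## Subdirectories:` carry no list markers and no blank line between them, so Markdown renders them as one run-on paragraph; prefix each with `- ` (or `* `). The `/plugin` directory is described here but is not part of this commit, so a reader checking out this revision finds only `server-build/`; either say the plugin directory is forthcoming or add it in the same change.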
diff --git a/server-build/Server-Build-Instructions.md b/server-build/Server-Build-Instructions.md
new file mode 100644
index 0000000..eb9ec0f
--- /dev/null
+++ b/server-build/Server-Build-Instructions.md
@@ -0,0 +1,212 @@
+# Purpose of this document
+
+This document is an instruction manual to install WordPress, WooCommerce, and the Taler WooComerce plugin on a bare system and have it serve a Taler-enabled WordPress/WooCommerce site using HTTPS withi a LetsEncrypt SSL certificate.
+
+## Assumptions
+
+* The target system for this build is a Debian 10 stable system.
+
+* You have root-level access to this system.
+
+* Apache2 will be the default web server.
+
+* Your server will have a domain name such as _domain.com_. This is necessary for the LetsEncrypt SSL certificate. If you will use this server locally or using the raw IP address, you may choose to configure a self-signed certificate instead.
+
+## Configure firewall
+
+You may use the file in `scripts/ufw-setup.sh` to install ufw (uncomplicated firewall) and automatically open ports 80 and 443 (needed for LetsEncrypt and for access to the WordPress/WooComerce site.)
+
+Alternatively, configure your firewall of choice to accept requests on ports 80 and 443 (and whatever port(s) you may be using to access your server, ex: SSH port 22.)
+
+## Software from Debian Repositories
+
+Please note that all software can be installed at one time. The separations are only to make the instructions more clear.
+
+### Install Apache2
+
+`$ sudo apt install apache2`
+
+### Install PHP and Supporting Packages for Wordpress
+
+`$ sudo apt install php-pear php-fpm php-dev php-zip php-curl php-xmlrpc php-gd php-mysql php-mbstring php-xml libapache2-mod-php
+
+### Install Certbot for LetsEncrypt
+
+`$ sudo apt install certbot`
+
+### mariaDB
+
+`sudo apt install mariadb-server`
+
+
+## Configure SSLEngine
+
+### Using LetsEncrypt
+
+#### Get the certificate:
+
+You must have ports 80 and 443 open on your firewall before running this command:
+
+`$ sudo certbot certonly -d _domain.com_`
+
+LetsEncrypt will save the certificate and key as:
+
+`/etc/letsencrypt/live/_domain.com_/fullchain.pem` and
+`/etc/letsencrypt/live/_domain.com_/privkey.pem`
+
+#### Set the certificate to auto-renew:
+
+Become `root`:
+
+`$ su`
+
+(Now enter the root user's password)
+
+`# crontab -e`
+
+Add these lines to the crontab (please note you can change the date by adjusting this command. Look up _cron_ jobs for details):
+
+```
+# Weekly Certbot Renewal Check
+25 11 4 * * certbot renew --rsa-key-size 4096 --pre-hook "service apache2 stop" --post-hook "service apache2 start"
+```
+
+### Using a self-signed certificate
+
+If you prefer to use a self-signed SSL certificate (for example, if your server does not have a public IP address), you may use the script in `/scripts/ssl-create-selfsigned.sh`. You can also do this manually as follows:
+
+`$ openssl req -x509 -newkey rsa:4096 -keyout selfsigned-key.pem -out selfsigned-cert.pem -days 365 -nodes -subj '/CN=localhost'`
+
+Leave off the `-subj '/CN=localhost'` flag if you prefer to add identifying information to the certificate.
+
+The output will look something like this:
+
+```
+Generating a RSA private key
+.................................................................................++++
+..............................................................................................................................................................................................................................................................................................................................................++++
+writing new private key to 'key.pem'
+Enter PEM pass phrase:
+123976305214592:error:28078065:UI routines:UI_set_result_ex:result too small:../crypto/ui/ui_lib.c:905:You must type in 4 to 1024 characters
+123976305214592:error:2807106B:UI routines:UI_process:processing error:../crypto/ui/ui_lib.c:545:while reading strings
+123976305214592:error:0906406D:PEM routines:PEM_def_callback:problems getting password:../crypto/pem/pem_lib.c:59:
+123976305214592:error:0907E06F:PEM routines:do_pk8pkey:read key:../crypto/pem/pem_pk8.c:83:
+```
+
+Next, copy the certificate and key to a location where you will keep them permanently:
+
+`$ sudo mv selfsigned-key.pem selfsigned-cert.pem /etc/ssl/certs/``
+
+Remember this location for inclusion in your web server configuration files.
+
+
+## Configure Apache2
+
+### Apache2 modules
+
+#### Enable modules for Apache2 to support PHP
+
+`$ sudo a2enmod actions fastcgi alias proxy_fcgi php7.2 a2enmod proxy_fcgi setenvif php7.2-fpm`
+
+Please note that you may need to change the version from php7.2, depending on your system.
+
+#### Install modules for HTTP -> HTTPS, and SSL
+
+`$ sudo a2enmod rewrite ssl`
+
+#### Restart Apache2
+
+`$ sudo systemctl restart apache2`
+
+### .conf file
+
+Copy the `wordpress.conf` file in `/tools/wordpress.conf` and customize for your system.
+
+Save this file as _wordpress.conf_ and put it in `/etc/apache2/sites-available`. To make it active, issue this command:
+
+`$ sudo a2ensite wordpress && sudo systemctl reload apache2`
+
+You may also wish to remove the default `000-default.conf` apache2 configuration with this:
+
+`$ sudo a2dissite 000-default`
+
+Now reload apache2:
+
+`$ sudo systemctl reload apache2`
+
+
+## Install WordPress
+
+You are recommended to follow the official Wordpress instructions at https://wordpress.org/support/article/how-to-install-wordpress/
+
+Alternatively, instructions follow:
+
+### Download the latest Wordpress version:
+
+`$ wget https://wordpress.org/latest.tar.gz`
+
+### Unpack to /var/www/wordpress
+
+Untar WordPress to this directory (all files should be in `wordpress/` subdirectory):
+
+`$ sudo tar -xf latest.tar.gz -C /var/www`
+
+Set permissions and ownership:
+
+`$ sudo chmod -R 755 /var/www/wordpress`
+
+`$ sudo chown -R www-data:www-data /var/www/wordpress`
+
+### Create mariaDB database and password
+
+1. (Optional but highly recommended:) Secure the mariaDB installation:
+
+`$ sudo mysql_secure_installation`
+
+You will be prompted to accept some security defaults, and to set the root password. Make sure to write this down.
+
+2. Create the WordPress database and user
+
+a. Log into the mySQL/mariaDB command line interface
+
+`$ sudo mysql -u root -p`
+
+Enter your password. You should now be at the `MariaDB [(none)]>` prompt.
+
+b. Create the database:
+
+`MariaDB [(none)]> CREATE DATABASE wordpress;`
+
+c. Create the user to use the _wordpress_ database:
+
+`MariaDB [(none)]> GRANT ALL PRIVILEGES ON wordpress.* TO "wordpress"@"localhost" IDENTIFIED BY "somepassword";`
+
+Please note that you should choose a secure password instead of "somepassword". You will need to remember this password later when installing WordPress.
+
+d. Flush Privileges
+
+`MariaDB [(none)]> FLUSH PRIVILEGES;`
+
+e. quit
+
+`MariaDB [(none)]> quit`
+
+### Configure WordPress to use the database
+
+`$ sudo cp /var/www/wordpress/wp-config-sample.php /var/www/wordpress/wp-config.php`
+
+Now open your favorite text editor and edit `/var/www/wordpress/wp-config.php`. Change the values for the `database_name_here`, `username_here`, and `password_here` to match the values you created in mariaDB.
+
+Save this file and exit.
+
+## Test the WordPress installation
+
+At this point, you should have an Apache2 web server, using a LetsEncrypt certificate, pointing to a WordPress installation on your server.
+
+If everything is correct, you should be able to open a web browser to _domain.com_ (or a local IP address if you are not using a public IP) and see a default WordPress site. If you do not see this, please troubleshoot by looking back over the instructions above. They have been tested on a Debian 10 system.
+
+If you do see Wordpress, please configure your Wordpress site and proceed to the next step when complete.
+
+## Install WooCommerce plugin
+
+You can install the WooCommerce plugin using the admin interface at `https://_domain.com_/wp-admin`
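Review bot: the self-signed path moves the private key into the public certificate directory (`$ sudo mv selfsigned-key.pem selfsigned-cert.pem /etc/ssl/certs/`, a line that also ends in a stray second backtick); the key belongs in `/etc/ssl/private/` with `chmod 600` and root ownership, and the text should say so because the same path is then pasted into `wordpress.conf`. The same concern applies to `$ sudo chmod -R 755 /var/www/wordpress`: once `wp-config.php` holds the database password it is world-readable under that mode, so the "Configure WordPress to use the database" step should tighten it (for example `chmod 640 /var/www/wordpress/wp-config.php`) after editing. Two commands as written will not run: the PHP `apt install` line is missing its closing backtick, and the `a2enmod` line repeats `a2enmod` in the middle of its argument list and names `php7.2-fpm`, which is a package rather than an Apache module. Paths also disagree with this commit: the `.conf` section points at `/tools/wordpress.conf` while the file is added at `server-build/assets/wordpress.conf`, and the self-signed section points at `/scripts/` rather than `server-build/scripts/`. The cron entry commented as a "Weekly Certbot Renewal Check" (`25 11 4 * *`) actually fires once a month on the 4th; because `certbot renew` only acts inside the final weeks before expiry, a daily or twice-daily check leaves far more room to retry a failed renewal, and the Debian certbot package may already install its own timer, which is worth checking before adding a second one. Finally, the sample openssl output does not come from the command shown above it: it prompts for a PEM pass phrase and writes to `key.pem`, neither of which can happen with `-nodes -keyout selfsigned-key.pem`; replace it with output from the documented command or drop it, since as shown it suggests the command fails.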
diff --git a/server-build/assets/wordpress.conf b/server-build/assets/wordpress.conf
new file mode 100644
index 0000000..983cedf
--- /dev/null
+++ b/server-build/assets/wordpress.conf
@@ -0,0 +1,25 @@
+# wordpress.conf
+# The following Apache2 .conf file will accept connections on ports 80 (http) or 443 (https).
+#
+# Connections on port 80 will be redirected to 443. Please make sure to change the path to your
+# SSL certificate and key. If you are using LetsEncrypt, this probably means changing
+# _domain.com_ in the path only. Also change the _ServerName_ directive to match your domain name.
+
+<VirtualHost *:80>
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+ SSLEngine on
+ # Edit the path to your SSL certificate and key here:
+ SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
+ <Directory /var/www/wordpress/>
+ AllowOverride All
+ </Directory>
+ DocumentRoot /var/www/wordpress/
+ # Add your server name here:
+ ServerName domain.com
+</VirtualHost>
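Review bot: in VirtualHost context the rewrite pattern `(.*)` matches the request path including its leading slash, so `RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]` redirects to `https://domain.com//path`, and the bare `R` flag sends a temporary 302; use `RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]` or, more simply, `Redirect permanent / https://domain.com/`, and give the :80 block its own `ServerName` so the redirect target does not depend on the client-supplied Host header. The 443 block relies on the distribution defaults for `SSLProtocol` and `SSLCipherSuite` and sets no `Strict-Transport-Security` header; since the purpose of the redirect is to keep the site on HTTPS, add an explicit `SSLProtocol -all +TLSv1.2 +TLSv1.3` and, with mod_headers enabled, `Header always set Strict-Transport-Security "max-age=63072000"`. The placeholders in the directives are `domain.com` while the header comment refers to `_domain.com_`; use one spelling so a single search-and-replace catches every occurrence.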
diff --git a/server-build/scripts/ssl-create-selfsigned.sh b/server-build/scripts/ssl-create-selfsigned.sh
new file mode 100644
index 0000000..e8b4e01
--- /dev/null
+++ b/server-build/scripts/ssl-create-selfsigned.sh
@@ -0,0 +1,27 @@
+# This script will create a self-signed certificate with blank identity information (localhost)
+# on a Debian 10 system for use by apache2 or nginx
+
+echo 'This script will create a self-signed certificate with blank identity information (localhost) on a Debian 10 system for use by apache2 or nginx'
+echo '(Run as root or sudo)'
+echo
+echo 'Hit CTRL-C now if this is not what you wish to do.'
+echo 'Waiting 8 seconds...'
+sleep 8
+echo
+echo 'Continuing...'
+
+# Create the certificate:
+openssl req -x509 -newkey rsa:4096 -keyout selfsigned-key.pem -out selfsigned-cert.pem -days 365 -nodes -subj '/CN=localhost'
+
+# Move the .pem files to /etc/ssl/certs
+mv selfsigned-key.pem selfsigned-cert.pem /etc/ssl/certs/
+
+echo
+echo 'Your files are now located in:'
+echo
+echo 'Cert: /etc/ssl/certs/selfsigned-cert.pem'
+echo 'Key: /etc/ssl/certs/selfsigned-key.pem'
+echo
+echo 'To use this cert/key, you must give the correct paths to your program(s).'
+echo
+echo 'Goodbye'
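Review bot: the script has no shebang (`#!/bin/sh`) and no `set -e`, so a failed `openssl req` is followed by an `mv` of files that do not exist, and the banner's "(Run as root or sudo)" is never enforced; add `[ "$(id -u)" -eq 0 ] || { echo 'run as root'; exit 1; }` before any work. More importantly, `mv selfsigned-key.pem selfsigned-cert.pem /etc/ssl/certs/` places the private key in the world-readable certificate directory with whatever mode it was created under; move the key to `/etc/ssl/private/`, `chmod 600` it and keep it root-owned (Apache reads the key before dropping privileges), and update the two `echo 'Key: ...'` / `echo 'Cert: ...'` lines to match. The files are also created in whatever directory the script happens to be run from; writing them under absolute paths, or `cd`ing to a private temporary directory first, avoids leaving a key behind if the move fails.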
diff --git a/server-build/scripts/ufw-setup.sh b/server-build/scripts/ufw-setup.sh
new file mode 100644
index 0000000..914a0ce
--- /dev/null
+++ b/server-build/scripts/ufw-setup.sh
@@ -0,0 +1,57 @@
+#/bin/bash
+## This script will set up ufw (uncomplicated firewall) on a Debian 10 system and open ports 443 and 80 for LetsEncrypt
+echo 'This script will set up ufw (uncomplicated firewall) on a Debian 10 system and open ports 443 and 80 for LetsEncrypt.'
+echo '(Run as root)'
+echo
+echo 'Hit CTRL-C now if this is not what you wish to do.'
+echo 'Waiting 8 seconds...'
+sleep 8
+echo
+echo 'Continuing...'
+
+## Due to Debian 10's migration from iptables to nftables (which is not supported by ufw) it is necessary to revert to iptables-legacy first.
+# Note that if ufw supports nftables in the future you may switch back to nftables with these commands:
+# # update-alternatives --set iptables /usr/sbin/iptables-legacy
+# # update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+# # update-alternatives --set ebtables /usr/sbin/ebtables-legacy
+# # update-alternatives --set arptables /usr/sbin/arptables-legacy
+echo
+echo
+echo 'To use ufw, it is necessary to revert to iptables-legacy on Debian 10, which may result in removing any current firewall rules.'
+echo 'Hit CTRL-C now if this is not what you wish to do.'
+echo 'Waiting 8 seconds...'
+sleep 8
+echo
+echo 'Continuing...'
+
+# Revert to iptables-legacy
+echo
+echo 'Reverting to iptables-legacy for compatibility with ufw'
+echo
+update-alternatives --set iptables /usr/sbin/iptables-legacy
+update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+update-alternatives --set arptables /usr/sbin/arptables-legacy
+update-alternatives --set ebtables /usr/sbin/ebtables-legacy
+
+# Install ufw
+echo
+echo 'Installing ufw from Debian Repositories'
+echo
+apt update && apt -y install ufw
+
+## Opening ports 443 and 80
+echo
+echo 'Opening ports 80 and 443'
+ufw allow 80
+ufw allow 443
+
+# Final notes:
+echo
+echo Done.
+echo 'ufw is installed but is not active.'
+echo
+echo 'To enable ufw, type (as root) "ufw enable"'
+echo
+echo 'IMPORTANT: If you are connected to this server remotely, do not activate ufw until you open the port you use to connect (ex: "sudo ufw allow ssh")'
+echo
+echo 'Goodbye'
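Review bot: the first line reads `#/bin/bash`, missing the `!`, so the file has no valid shebang and runs under whatever shell invokes it; change it to `#!/bin/bash` and add `set -e` so a failed `apt -y install ufw` does not fall through to the `ufw allow` calls. The comment block that says you "may switch back to nftables with these commands" then lists exactly the same `update-alternatives --set ... -legacy` commands as the revert step that follows, so it cannot switch anything back; the switch-back targets are the `-nft` alternatives (`/usr/sbin/iptables-nft` and so on). `ufw allow 80` and `ufw allow 443` open both TCP and UDP; limit them to `80/tcp` and `443/tcp`, and state `ufw default deny incoming` explicitly rather than relying on the package default, since the final echo lines describe the resulting policy to the reader. Like the TLS script, it announces "(Run as root)" but never checks `id -u`, so the `update-alternatives` calls fail silently for an unprivileged user while the script keeps going.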