v3.8

Linux deployment

Hideez Enterprise Server on CentOS or Ubuntu Server

System Requirements

  • Can be installed on a bare metal or virtual server

  • 8GB drive

  • 2GB RAM

  • Option 1: Clean installation of CentOS Linux x86_64 7.6, select "minimal install" option during installation

  • Option 2: Clean installation of CentOS Linux x86_64 8.2, select "minimal install" option during installation

  • Option 3: Clean installation of Ubuntu Server LTS 18.04

  • Option 4: Clean installation of Ubuntu Server LTS 20.04

Before you start

1. Preparation

1.1 System Update

CentOS 7

  $ sudo yum update -y

CentOS 8

  $ sudo dnf update -y

Ubuntu

  $ sudo apt update
  $ sudo apt upgrade -y

Reboot system

  $ sudo reboot

1.2 Disable SELinux (CentOS only)

  $ sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
  $ sudo reboot

To verify that SELinux is disabled, you can type:

  $ sudo sestatus
SELinux status:                 disabled

Note: on production servers, usually after installation and verification, you need to re-enable SELinux and configure it accordingly.

1.3 Firewall Configuration (optional)

To access the server from the network, ports 80 and 443 and port 22 (default port for connection via ssh) should be opened:

CentOS:

$ sudo firewall-cmd --zone=public --permanent --add-port=22/tcp
$ sudo firewall-cmd --zone=public --permanent --add-port=80/tcp
$ sudo firewall-cmd --zone=public --permanent --add-port=443/tcp
$ sudo firewall-cmd --reload

Ubuntu:

$ sudo ufw allow 22
$ sudo ufw allow 80
$ sudo ufw allow 443
$ sudo ufw enable

2. Installing Prerequisites

2.1 Install MySQL version 8

CentOS 7:

  $ sudo rpm -Uvh https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm
  $ sudo yum install mysql-server -y

CentOS 8:

  $ sudo dnf install mysql-server -y

Ubuntu 18.04:

  $ wget -c  https://dev.mysql.com/get/mysql-apt-config_0.8.16-1_all.deb
  $ sudo dpkg -i mysql-apt-config_0.8.16-1_all.deb

note: click "ok" to confirm the server installation

  $ sudo apt update
  $ sudo apt install mysql-server -y

during the installation you will be prompted to enter the mysql user password. Remember this password for future use.

Ubuntu 20.04:

  $ sudo apt install mysql-server -y

2.2 Install Nginx

CentOS 7:

  $ sudo yum install epel-release -y
  $ sudo yum install nginx -y
  $ sudo systemctl enable nginx

CentOS 8:

  $ sudo dnf install nginx -y
  $ sudo systemctl enable nginx

Ubuntu:

  $ sudo apt install nginx -y

3. Configuring MySQL Server and Database

3.1 Enable and start MySQL service (CentOS only):

CentOS:

  $ sudo systemctl restart mysqld.service
  $ sudo systemctl enable mysqld.service

3.2 Verification of the Server availability

Run the following command to check that the server is running and has the correct version:

  $ mysql -V
mysql  Ver 8.0.26 for Linux on x86_64 (MySQL Community Server - GPL)

3.3 Setting a permanent root password and MySQL security settings

MySQL expects that your new password should consist of at least 8 characters, contain uppercase and lowercase letters, numbers and special characters (do not forget the password you set, it will come in handy later). After a successful password change, the following questions are recommended to answer "Y":

[Note]:

  • In CentOS 7, the default root password can be found using sudo grep "A temporary password" /var/log/mysqld.log

  • In CentOS 8, the root password is empty by default

  • In Ubuntu 18.04 the password was entered during installation of MySQL

  • In ubuntu 20.04 the password is empty after installation

  $ sudo mysql_secure_installation

Depending on the version of linux, the output of commands may differ slightly. The following is an example for CentOs 7:

Enter password for user root:

  The existing password for the user account root has expired. Please set a new password.

  New password:
  Re-enter new password:

  Remove anonymous users? (Press y|Y for Yes, any other key for No) : y

  Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y

  Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y

  Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y

To verify that everything is correct, you can run

  $ sudo mysql -h localhost -u root -p

After entering password, you will see MySQL console with a prompt:

  Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 8.0.22 MySQL Community Server - GPL

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

3.4 Creating a MySQL user and database for Hideez Enterprise Server

The following lines create a database db, the user user with the password <user_password>. Сhange <user_password> to a strong password, otherwise you may get a password validator error.

  ### CREATE DATABASE
  mysql> CREATE DATABASE db;

  ### CREATE USER ACCOUNT
  mysql> CREATE USER 'user'@'127.0.0.1' IDENTIFIED BY '<user_password>';

  ### GRANT PERMISSIONS ON DATABASE
  mysql> GRANT ALL ON db.* TO 'user'@'127.0.0.1';
 
  ###  RELOAD PRIVILEGES
  mysql> FLUSH PRIVILEGES;

You should remember the user password, it will come in handy later.

To exit from the MySql console, press Ctrl+D.

4. Installing the HES server

4.1 Download HES server

$ cd ~
$ curl -O https://update.hideez.com/hes/linux_x64_latest.tar.gz

4.2 Extracting files and moving to the /opt directory

$ tar -xvf linux_x64_latest.tar.gz
$ sudo mv HES /opt/

4.3 Configuring the HES

Copy appsettings.json to appsettings.Production.json

  $ sudo cp /opt/HES/appsettings.json /opt/HES/appsettings.Production.json

Edit the file /opt/HES/appsettings.Production.json

  {
   "ConnectionStrings": {
    "DefaultConnection": "server=127.0.0.1;port=3306;database=db;uid=user;pwd=<user_password>"
  },

  "EmailSender": {
    "Host": "<smtp_host>",
    "Port": "<smtp_port>",
    "EnableSSL": true,
    "UserName": "<email_address>",
    "Password": "<email_password>"
  },

  "Fido2": {
    "ServerDomain":"<your_domain_name>",
    "ServerName": "HES",
    "Origin": "https://<your_domain_name>",
    "TimestampDriftTolerance": 300000,
    "MDSAccessKey": null
  },

  "ServerSettings": {
    "Name": "HES",
    "Url": "https://<your_domain_name>"
  },
  
  ...

Replace the following settings in this file with your own:

  • <user_password> - Password for the user on MySQL server

  • <smtp_host> - Host name of your SMTP server (example: smtp.example.com)

  • <smtp_port> - Port number of your SMTP server (example: 123)

  • <email_address> - Your email adress (example: user@example.com)

  • <email_password> - Password to access the SMTP server (example: password)

  • <you_domain_name> - you fully qualified domain name (FQDN) of your HES site (example: hideez.example.com)

Important note: by default, .Net Core uses ports 5000 and 5001. Therefore, if only one domain is running on the server, port numbers can be skipped. But if it is supposed to run a few sites on one computer, then it is necessary to specify different ports for each site in json file. For example, for a site to listen to ports 6000 and 6001, after "AllowedHosts": "*" add the following (via comma) :

,
 "Kestrel": {
    "Endpoints": {
      "Http": {
        "Url": "http://localhost:6000"
      },
      "Https": {
        "Url": "https://localhost:6001"
      }
    }
  }

The basic format of a connection string includes a series of keyword/value pairs separated by semicolons. The equal sign (=) connects each keyword and its value. To include values that contain a semicolon, single-quote character, or double-quote character, the value must be enclosed in double quotation marks. If the value contains both a semicolon and a double-quote character, the value can be enclosed in single quotation marks. The single quotation mark is also useful if the value starts with a double-quote character. Conversely, the double quotation mark can be used if the value starts with a single quotation mark. If the value contains both single-quote and double-quote characters, the quotation mark character used to enclose the value must be doubled every time it occurs within the value.

4.4 Daemonizing of the Enterprise Server

We prepared file for to start and manage the HES server in the /opt/HES/Deploy directory

Copy file HES.service to the /lib/systemd/system/:

  $ sudo cp /opt/HES/Deploy/HES.service /lib/systemd/system/HES.service

Enabling autostart:

  $ sudo systemctl enable HES.service
  $ sudo systemctl restart HES.service

You can verify that HES server is running with the command:

  $ sudo systemctl status HES

The output of the command should be something like this:

● HES.service - Hideez Enterprise Service
   Loaded: loaded (/usr/lib/systemd/system/HES.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-03-25 09:05:04 UTC; 34s ago
 Main PID: 2964 (HES.Web)
   CGroup: /system.slice/HES.service
           └─2964 /opt/HES/HES.Web

Mar 25 09:05:04 hesservertest systemd[1]: Started Hideez Enterprise Service.

5. Configuring Reverse Proxy Server

To access your server from the local network as well as from the Internet, you have to configure a reverse proxy. We will use the Nginx server for this.

5.1 Creating a Self-Signed SSL Certificate for Nginx

Note 1:

In production, you should take care of acquiring a certificate from a certificate authority. For a self-signed certificate, the browser will alert you that site has security issues.

Note 2:

When generating a certificate, answer a few simple questions, of which Common Name (CN) will be important - here be the name of your site, in our example it is hideez.example.com

 $ sudo mkdir /etc/nginx/certs
 $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/certs/hes.key -out /etc/nginx/certs/hes.crt
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:hideez.example.com
Email Address []:.

5.2 Updating Nginx config

We prepared some Nginx configurations for different versions of Linux and placed them in the /opt/HES/Deploy directory. You may just copy the corresponding file or you can review and edit it for your needs.

CentOS 7:

  $ sudo cp /opt/HES/Deploy/CentOS7/nginx.conf /etc/nginx/nginx.conf

CentOS 8:

  $ sudo cp /opt/HES/Deploy/CentOS8/nginx.conf /etc/nginx/nginx.conf

Ubuntu 18:

  $ sudo cp /opt/HES/Deploy/Ubuntu18/nginx.conf /etc/nginx/nginx.conf

Ubuntu 20:

  $ sudo cp /opt/HES/Deploy/Ubuntu20/nginx.conf /etc/nginx/nginx.conf

After copying the file, it is recommended to verify nginx settings:

  $ sudo nginx -t

The output should be something like this:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Otherwise, you should carefully review the settings and correct the errors.

5.3 Restart nginx

  $ sudo systemctl restart nginx

5.4 Check that nginx service is installed and started

  $ sudo systemctl status nginx

The output would be something like this:

* nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-01-25 08:22:56 UTC; 8min ago
  Process: 1702 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 1700 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 1699 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 1704 (nginx)
   CGroup: /system.slice/nginx.service
           +-1704 nginx: master process /usr/sbin/nginx
           +-1705 nginx: worker process

6. Final Verification

After these steps, your server should be up and running. Go to the https://<you_domain_name> in the browser and verify if the site is available.

Note: for a self-signed certificate, it should be a warning that your connection isn't private. Press Advanced/Proceed to ignore the warning.

Updating HES

Option 1 (using a script)

To update the server, you can use the update.sh script, which is located in the HES directory (/opt/HES default). You can run it either manually or through the web interface (by clicking on the server version). If an update is available, you will be prompted to update the server using a script. If you have changed the location of the server, the name of the service to run, you can manually specify the necessary parameters in the script.

Option 2 (without using a script)

2.1 Stopping HES Service

  $ sudo systemctl stop HES

2.2 Back up the HES binaries and the configuration file

  $ sudo mv /opt/HES /opt/HES.old

2.3 Back up the MySQL Database

The following command will create a copy (dump) of the database in file db.sql in /opt/HES.old directory:

  $ sudo mysqldump -uroot -p<MySQL_root_password>  db > /opt/HES.old/db.sql

change <MySQL_root_password> with your real password

2.4 Download a new version of the HES

$ cd ~
$ curl -O https://update.hideez.com/hes/linux_x64_latest.tar.gz
$ tar -xvf linux_x64_latest.tar.gz
$ sudo mv HES /opt/

2.5 Restore the configuration file

  $ sudo cp /opt/HES.old/appsettings.Production.json /opt/HES/appsettings.Production.json

2.6 Restart the HES and check its status

  $ sudo systemctl restart HES
  $ sudo systemctl status HES

  
  ● HES-hideez.example.com.service - Hideez Enterprise Service
   Loaded: loaded (/usr/lib/systemd/system/HES-hideez.example.com.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-03-25 10:48:12 UTC; 16s ago
 Main PID: 4657 (HES.Web)
   CGroup: /system.slice/HES.service
           └─4657 /opt/HES/HES.Web

Mar 25 10:48:12 hesservertest systemd[1]: Started Hideez Enterprise Service.

If something goes wrong, you can restore the HES server using the following commands

$ sudo systemctl stop HES
$ sudo mv /opt/HES.old /opt/HES
$ sudo mysql -uroot -p<MySQL_root_password> db < /opt/HES.old/db.sql
$ sudo systemctl start HES

change <MySQL_root_password> with your real password

After checking that the update was successful and everything works fine, you can delete copies of the database and server:

$ sudo rm -rf /opt/HES.old

Last updated