Nginx + MariaDB + MyAAC

1 - Installation - Nginx:

Nginx

sudo apt update && sudo apt upgrade -y
sudo apt install -y nginx
sudo systemctl enable nginx
sudo systemctl start nginx
sudo systemctl status nginx

How to test: http://server-ip

2 - Installation - MariaDB:

MariaDB

sudo apt install -y mariadb-server mariadb-client
sudo systemctl enable mariadb
sudo systemctl start mariadb
sudo systemctl status mariadb

sudo mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] n
 ... skipping.

You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n]
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

When you're done, test if you can log into the MariaDB console by typing: 

sudo mariadb
 
This will connect to the MariaDB server as the database root administrative user, which is assumed by using sudo when running this command.

You should see a result like this: 

"Output
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 32
Server version: 10.6.12-MariaDB-0Ubuntu0.22.04.1 Ubuntu 22.04

Copyright (c) 2000, 2018, Oracle, MariaDb Corporation and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

To exit the MariaDB console, type:  exit

MariaDB [(none)]> exit

3 - Configuration - MariaDB User:

Configuration - MariaDB User

If you have root user-enabled password authentication, you will need to run the following command and enter your password when prompted to be able to connect:

sudo mariadb -u root -p

From there, create a new user and give them a strong password:

CREATE USER 'your_user'@'localhost' IDENTIFIED BY 'your_password';

Then grant your new user the appropriate privileges. For example, you can grant user privileges to all tables within the database, in addition to the power to add, change, and remove user privileges, with this command:

GRANT ALL PRIVILEGES ON *.* TO 'your_user'@'localhost' WITH GRANT OPTION;

After that, exit the MariaDB shell:

exit

4 - Installation - PHP:

PHP

sudo apt remove php*
sudo apt update && sudo apt upgrade -y
sudo apt install python3-launchpadlib
sudo apt install software-properties-common apt-transport-https -y
sudo add-apt-repository ppa:ondrej/php -y
sudo apt update
sudo apt install php8.2 php8.2-cli php8.2-curl php8.2-fpm php8.2-gd php8.2-mysql php8.2-xml php8.2-zip php8.2-bcmath php8.2-mbstring php8.2-calendar -y
php8.2 -v
sudo systemctl start php8.2-fpm
sudo systemctl enable php8.2-fpm
sudo systemctl status php8.2-fpm

sudo apt purge apache2*
sudo apt autoremove -y
cd /
cd etc
sudo rm -r apache2

5 - Installation - phpMyAdmin:

phpMyAdmin

cd /var/www
sudo rm -r html && sudo mkdir html
cd ~
sudo apt install -y wget 
sudo wget https://files.phpmyadmin.net/phpMyAdmin/5.2.1/phpMyAdmin-5.2.1-all-languages.zip -O phpmyadmin.zip 
sudo unzip phpmyadmin.zip 
sudo mv phpMyAdmin-*-all-languages /var/www/html/phpmyadmin 
sudo rm phpmyadmin.zip 
sudo chown -R www-data:www-data /var/www/html/phpmyadmin 
sudo chmod -R 775 /var/www/html/phpmyadmin 

blowfish_secret=$(openssl rand -base64 24 | sed 's/[\/&]/\\&/g')
sudo cp /var/www/html/phpmyadmin/config.sample.inc.php /var/www/html/phpmyadmin/config.inc.php
sudo sed -i "s#\$cfg\['blowfish_secret'\] = '';#\$cfg\['blowfish_secret'\] = '$blowfish_secret';#" /var/www/html/phpmyadmin/config.inc.php

How to test: http://server-ip/phpmyadmin
How to restrict phpMyAdmin access:

sudo mv /var/www/html/phpmyadmin /var/www/html/any_combination_youwant

• Change any_combination_youwant for a word that only you know.

• Then you will access phpMyAdmin by: http://server-ip/any_combination_youwant

6 - Configuration - Nginx:

Configuration - Nginx

In the terminal type the following command:

sudo apt install nano

Once installed we will configure Nginx, then in the terminal enter the following command:

sudo rm /etc/nginx/sites-enabled/default
sudo nano /etc/nginx/conf.d/default.conf

Configure leaving it this way:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    root /var/www/html;
    index index.php;

    # Allow larger uploads
    client_max_body_size 10M;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # PHP execution
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_read_timeout 240;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Deny access to internal/system folders
    location ~ ^/(system|vendor|storage|tests|\.env) {
        deny all;
    }

    # Deny access to dotfiles and version control
    location ~* /\.(?:ht|git|svn|env)\$ {
        deny all;
    }

    # Deny access to backups, docs, dumps, etc.
    location ~* \.(?:md|json|dist|sql|bak|old|backup|tpl|twig|log)\$ {
        deny all;
    }

    # Additional security headers
    add_header X-Frame-Options        "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection       "1; mode=block";
}

sudo nginx -t
sudo systemctl reload nginx

7 - Database:

Go to phpMyAdmin.
On the left side click +New and create a database (e.g. canary)
Import the schema.sql that is in the server folder.

8 - Config.lua:

For data-canary

-- Core settings
-- Note: If you want to use datapack folder canary (custom), put only "data-canary"
-- If you want to use the global datapack folder, put "data-otservbr-global"
-- If "useAnyDatapackFolder" is set to true then you can choose any datapack folder for your server
useAnyDatapackFolder = false
dataPackDirectory = "data-canary"
-- Don't change this unless you know what you're doing
coreDirectory = "data"

-- Map
-- NOTE: set mapName WITHOUT .otbm at the end
-- NOTE: If toggleDownloadMap if false, then the mapDownloadUrl will not be used
-- NOTE: If a map with the name already exists in the world folder, the map will not be downloaded even if the toggleDownloadMap is true
toggleDownloadMap = false
mapName = "canary"

-- Custom Map
-- NOTE: toggleMapCustom set to true will load all maps in custom map folder
toggleMapCustom = false

-- Connection Config
ip = "your-ip-or-domain"
serverName = "Canary"

-- MySQL
mysqlHost = "127.0.0.1"
mysqlUser = "your-user"                      
mysqlPass = "your-password"                       
mysqlDatabase = "your-database-name"        
mysqlPort = 3306
mysqlSock = "/var/run/mysqld/mysqld.sock"
passwordType = "sha1"

For data-otservbr-global

-- Core settings
-- Note: If you want to use datapack folder canary (custom), put only "data-canary"
-- If you want to use the global datapack folder, put "data-otservbr-global"
-- If "useAnyDatapackFolder" is set to true then you can choose any datapack folder for your server
useAnyDatapackFolder = false
dataPackDirectory = "data-otservbr-global"
-- Don't change this unless you know what you're doing
coreDirectory = "data"

-- Map
-- NOTE: set mapName WITHOUT .otbm at the end
-- NOTE: If toggleDownloadMap if false, then the mapDownloadUrl will not be used
-- NOTE: If a map with the name already exists in the world folder, the map will not be downloaded even if the toggleDownloadMap is true
toggleDownloadMap = true
mapName = "otservbr"

-- Custom Map
-- NOTE: toggleMapCustom set to true will load all maps in custom map folder
toggleMapCustom = true

-- Connection Config
ip = "your-ip-or-domain"
serverName = "OTServBR-Global"

-- MySQL
mysqlHost = "127.0.0.1"
mysqlUser = "your-user"                      
mysqlPass = "your-password"                       
mysqlDatabase = "your-database-name"        
mysqlPort = 3306
mysqlSock = "/var/run/mysqld/mysqld.sock"
passwordType = "sha1"

9 - Installation - MyAAC:

MyAAC

cd ~
sudo git clone https://github.com/slawkens/myaac.git
sudo mv myaac/* /var/www/html
sudo rm -rf myaac
sudo chown -R www-data:www-data /var/www/html
sudo usermod -aG www-data $(whoami)
cd /var/www/html
sudo chmod -R 775 . && sudo chmod -R 775 system/ images/ plugins/ tools/
sudo curl -Ss https://getcomposer.org/installer | php
sudo php composer.phar install
sudo curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.2/install.sh | bash
command -v nvm
sudo nvm install node # "node" is an alias for the latest version
sudo npm install -g npm
sudo npm install

Install MyAAC: http://domain-or-ip/install;
Follow the installation steps;

10 - Firewall:

Firewall

sudo apt install ufw
sudo ufw app list
sudo ufw allow in "Nginx Full"

sudo ufw status
sudo ufw enable
sudo ufw allow 22/tcp
sudo ufw allow 7171/tcp
sudo ufw allow 7172/tcp
sudo ufw allow 8245/tcp
sudo ufw reload

11 - Releasing Ports - Google Cloud / Oracle:

Releasing Ports - Google Cloud / Oracle

sudo cp /etc/iptables/rules.v4 /etc/iptables/rules.v4.bak
sudo truncate -s 0 /etc/iptables/rules.v4

iptables -A INPUT -p tcp --dport 7171 -j ACCEPT
iptables -A INPUT -p tcp --dport 7172 -j ACCEPT
iptables -A INPUT -p tcp --dport 8245 -j ACCEPT

gcloud compute firewall-rules create allow-sete --description "Incoming seteum allowed." \
         --allow tcp:7171 --format json     
   
gcloud compute firewall-rules create allow-dois --description "Incoming setedois allowed." \
         --allow tcp:7172 --format json 

gcloud compute firewall-rules create allow-dois --description "Incoming quatrocinco allowed." \
         --allow tcp:8245 --format json

12 - Starting the Server:

Starting the Server

You will need the installed screen:

sudo apt install screen

12.1 - Basic screen commands:

Open a screen:

screen

Exit a screen:

CTRL + A, D

Back to the last open screen:

screen -r

Close a screen:

CTRL + K, Y/N

Info:

With the screen open use ./canary in the project root directory to start the server.

13 - Connecting to the Server:

To connect to the server according to the indicated version, you can use:
Normal Client
OTClient Redemption

If you changed the port to 8080 or 8090, remember to add it in the normal client or otclient redemption.

14 - Useful Tips:

Use this example nginx file with security checks to protect your configurations.

Nginx

server {
    listen       80;
    listen       [::]:80;
#   listen       443 ssl http2;
#   listen       [::]:443 ssl http2;

    server_name _;
#   server_name example.com  www.example.com;
    
    root   /var/www/html/;
    index index.php index.html index.htm;

#   if ($host !~ ^(exemple.com|www.example.com)$){
#       return 400;
#   }

    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 444;
    }
    
    location ~ /system {
        deny all;
        return 404;
    }

    location ~ /\.ht {
        deny all;
    }

    location ~ /\.git {
        return 403;
    }

    location ~* \.(pl|cgi|py|sh|lua)\$ {
        return 403;
    }

    location ~* ^/wp-content/uploads/.*.(asp|cgi|htm|html|js|jsp|php|pl|py|sh|shtml|swf)$ {
        return 403;
    }

    location ~* ^/(readme|license|schema|password|passwords).*.(txt|html)$ {
        return 403;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
#       try_files $uri $uri/ /index.php;
    }

    location ~ ^/(conf|doc|sql|setup)/ {
        deny all;
        return 403;
    }

#   Pass PHP Scripts To FastCGI Server
    location ~ \.php$ {
#       root /var/www/html/;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

15 - Credits:

Beats, Majesty (Tutorial)
OpenTibiaBR (https://github.com/opentibiabr/canary)
Slawkens (https://github.com/slawkens/myaac)

Last updated 2 months ago