Install Ghost Blog with Nginx and ModSecurity or Naxsi

howardsl2

New Member
Hello all, I have created two Github Gists for detailed step-by-step instructions on installing the latest Ghost Blog with Nginx and ModSecurity or Naxsi. Blogging is a good way to utilize any idle VPS you have! The instructions have been successfully tested on Ubuntu 12.04 LTS Server (freshly installed). However, use at your own risk. To configure extra features, see my blog articles here and here.

Instructions for Ghost Blog w/ Nginx & Naxsi    
Instructions for Ghost Blog w/ Nginx & ModSecurity     

Enjoy! Feel free to leave a comment if you have any questions.
 

Raymii

New Member
And this is why I hate fscking hipsters apps like nodejs and shit, they don't even have a regular init/upstart/systemd script but require a module like forever or god (I'm looking at you Ruby). Why do you think these things exist? Because it is not in a hipster language? Because it "just works"? And of course, let's compile everything from source, why even would we think of using packages or the package management system the distro provides?

This is what happens when you let some stoned hipsters with a CS degree get loose and make software...

Now, end rant. The tutorial has some issues as well, and some of the steps could use a bit more explanation.

Why would you run ssh on a different port and then also install fail2ban, but still allow password login via ssh? ssh+fail2ban with keys on port 22 is fine as well; a simple nmap scan finds your super secret port. The only thing a different ssh port does is keep your logs more clean, but since root login and password login are enabled by default on Ubuntu, it won't help you much. My botnet will try it happily from every IP it got, only 2 times per hour so it won't get caught by fail2ban.

This:  "if [ $(ps aux | grep node | grep -v grep | wc -l | tr -s "\n") -eq 0 ]; then" - is also what a normal init system is for. By the way, you could just use pgrep for this.

Also, explain why the specific ModSecurity rules should be "relaxed". And, you don't relax them, you just disable them. You can override a ModSecurity rule by undefining it and redefining it, changing the action or regex. I use this to "relax" rules that should be on, but cannot be because of the software. Disabling them is just wrong unless there is a good reason for it.

The init script for NGINX does not require the expect fork if you specify daemon off in the nginx config file.
 
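The two SSH points in the post above (a bot that tries twice an hour never reaches fail2ban's threshold, and a non-default port buys nothing while password and root logins stay on) can be checked rather than argued. The script below is an added example, not part of the guide and not fail2ban's own code: it replays fail2ban's maxretry/findtime sliding window over a constructed auth.log and flags the two sshd_config settings that matter. The IP addresses, timestamps and the sample sshd_config are made up for the demonstration, and only "Failed password" lines are counted (fail2ban's real sshd filter matches more than that).

```shell
#!/bin/bash
# Added example (not from the guide or from fail2ban): replay fail2ban's
# maxretry/findtime logic over auth.log lines and audit sshd_config.

# Print each IP that would be banned: maxretry failures within findtime seconds.
# Timestamps are syslog-style ("Jan 12 10:00:01"); the year is assumed constant,
# which is all a sliding window needs.
fail2ban_bans() {   # usage: fail2ban_bans <maxretry> <findtime-seconds> <auth.log>
    awk -v maxretry="$1" -v findtime="$2" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
            for (i = 1; i <= 12; i++) daysbefore[m[i]] = cum[i]
        }
        /sshd\[[0-9]+\]: Failed password/ {
            split($3, t, ":")
            ts = (daysbefore[$1] + $2 - 1) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n = ++count[ip]; when[ip, n] = ts
            # failures from this IP inside the window that ends at this line
            k = 0
            for (j = n; j >= 1 && ts - when[ip, j] <= findtime; j--) k++
            if (k >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }' "$3"
}

# Report sshd_config settings that undo the benefit of a non-default port.
# sshd honours the first occurrence of a keyword and keywords are
# case-insensitive. A missing keyword means the compiled-in default, which
# for OpenSSH on Ubuntu 12.04 is "yes" for both of these. Match blocks are
# not evaluated here.
sshd_weak_settings() {   # usage: sshd_weak_settings <sshd_config>
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        { k = tolower($1); if (k == "match") exit; if (!(k in v)) v[k] = tolower($2) }
        END {
            if (v["passwordauthentication"] != "no") print "PasswordAuthentication should be no"
            if (v["permitrootlogin"] != "no")        print "PermitRootLogin should be no"
        }' "$1"
}

# Constructed log: a fast bot (six tries in two minutes) and the slow bot from
# the post (two tries per hour). Addresses are from documentation ranges.
write_sample_authlog() {   # usage: write_sample_authlog <file>
    cat > "$1" <<'EOF'
Jan 12 10:00:01 vps sshd[2201]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan 12 10:00:20 vps sshd[2203]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jan 12 10:00:41 vps sshd[2205]: Failed password for admin from 203.0.113.7 port 40003 ssh2
Jan 12 10:01:02 vps sshd[2207]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jan 12 10:01:25 vps sshd[2209]: Failed password for root from 203.0.113.7 port 40005 ssh2
Jan 12 10:01:50 vps sshd[2211]: Failed password for root from 203.0.113.7 port 40006 ssh2
Jan 12 10:05:00 vps sshd[2220]: Failed password for root from 198.51.100.9 port 51001 ssh2
Jan 12 10:35:00 vps sshd[2240]: Failed password for root from 198.51.100.9 port 51002 ssh2
Jan 12 11:05:00 vps sshd[2260]: Failed password for root from 198.51.100.9 port 51003 ssh2
Jan 12 11:35:00 vps sshd[2280]: Failed password for root from 198.51.100.9 port 51004 ssh2
Jan 12 12:05:00 vps sshd[2300]: Failed password for root from 198.51.100.9 port 51005 ssh2
Jan 12 12:35:00 vps sshd[2320]: Failed password for root from 198.51.100.9 port 51006 ssh2
Jan 12 13:05:00 vps sshd[2340]: Failed password for root from 198.51.100.9 port 51007 ssh2
Jan 12 13:35:00 vps sshd[2360]: Failed password for root from 198.51.100.9 port 51008 ssh2
EOF
}

# Constructed sshd_config mirroring the guide's "move the port" change.
write_sample_sshd_config() {   # usage: write_sample_sshd_config <file>
    cat > "$1" <<'EOF'
# sshd_config (constructed sample)
Port 2222
Protocol 2
PermitRootLogin yes
# PasswordAuthentication left unset: default is yes
UsePAM yes
EOF
}

tmp=$(mktemp -d)
write_sample_authlog "$tmp/auth.log"
write_sample_sshd_config "$tmp/sshd_config"
echo "would be banned (maxretry=5, findtime=600):"
fail2ban_bans 5 600 "$tmp/auth.log"          # prints 203.0.113.7 only
echo "sshd_config findings:"
sshd_weak_settings "$tmp/sshd_config"
rm -rf "$tmp"
```

With the defaults from jail.conf (maxretry 5, findtime 600) only the fast bot is banned; the slow one never has more than one failure inside any ten-minute window, so the ban never triggers no matter how long it runs. Raising findtime to an hour would catch it, at the cost of banning anyone who mistypes a password twice in that hour, which is why the real fix is the second function's output: keys only, no root login.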

howardsl2

New Member
Thank you @Raymii for the helpful suggestions. I have implemented some of them with credit to you on top of the guide.

Regarding the ModSecurity rules, I just copied them from Mr. Stevens' post. I am no expert in this, so I'd appreciate it if you could point me in the right direction on how to override a rule.

The NGINX documentation says "Do not use the daemon or master_process directives in a production mode":

http://wiki.nginx.org/CoreModule#daemon
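The "undefine and redefine" approach Raymii describes has a direct equivalent in ModSecurity 2.x: the SecRuleUpdateTargetById and SecRuleUpdateActionById directives modify one rule after the Core Rule Set has been loaded, without copying its regex, and SecRuleRemoveById is the switch-off the guide uses. The script below is an added example, not code from the guide, from Mr. Stevens' post or from the CRS project. It assumes CRS 2.x-style rule files; rule id 981173 and the parameter name markdown stand in for whichever rule and Ghost form field you actually hit, and the sample rule the script writes is a constructed approximation used only to exercise the lookup.

```shell
#!/bin/bash
# Added example (not from the guide, Mr. Stevens' post or the CRS project):
# look up what a CRS rule does before touching it, then override it in place
# instead of removing it. Rule id 981173 and the parameter name "markdown"
# are placeholders for the rule and the Ghost form field you actually hit.

# Print the msg: of the rule with the given id. CRS 2.x writes one SecRule
# across several backslash-continued lines, so lines are joined first.
crs_rule_msg() {   # usage: crs_rule_msg <rule-id> <rules-file>...
    local id=$1
    shift
    awk -v id="$id" -v q="'" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }    # join continuation lines
        {
            rec = buf $0; buf = ""
            if (rec ~ ("id:" q "?" id "[" q ",\"]") &&
                match(rec, "msg:" q "[^" q "]*" q))
                print substr(rec, RSTART + 5, RLENGTH - 6)
        }' "$@"
}

# Overrides only affect rules that are already loaded, so this file must be
# included after the CRS rules (CRS 2.2 convention: a modsecurity_crs_60_*
# file). Options from least to most invasive:
write_overrides() {   # usage: write_overrides <out-file>
    cat > "$1" <<'EOF'
# 1. Exclude only the field that trips the rule; everything else stays inspected.
SecRuleUpdateTargetById 981173 !ARGS:markdown
# 2. Keep the rule firing and logging, but change its disruptive action so it no longer blocks.
#SecRuleUpdateActionById 981173 "pass"
# 3. What the guide does. Only with a reason you can write down.
#SecRuleRemoveById 981173
EOF
}

# Constructed, CRS-style sample used for the demo; not a real CRS file.
write_sample_rules() {   # usage: write_sample_rules <file>
    cat > "$1" <<'EOF'
SecRule ARGS|ARGS_NAMES "\W{4,}" \
    "phase:2,rev:'2',ver:'constructed',id:'981173',t:none,t:urlDecodeUni,block, \
    msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded', \
    logdata:'%{MATCHED_VAR}',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
EOF
}

tmp=$(mktemp -d)
write_sample_rules "$tmp/modsecurity_crs_41_sql_injection_attacks.conf"
echo "rule 981173: $(crs_rule_msg 981173 "$tmp"/*.conf)"
write_overrides "$tmp/modsecurity_crs_60_ghost_overrides.conf"
cat "$tmp/modsecurity_crs_60_ghost_overrides.conf"
rm -rf "$tmp"
```

Before writing an override, read the audit log entry for the blocked request: it names the rule id and the variable that matched (for a post editor it is typically one body parameter), and that variable is what goes after the `!` in SecRuleUpdateTargetById. Run crs_rule_msg against your real CRS directory (`crs_rule_msg 981173 /etc/nginx/modsecurity/*.conf`, path assumed) so the reason for the exception ends up in the commit message rather than being lost.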
 

manacit

New Member
And this is why I hate fscking hipsters apps like nodejs and shit, they don't even have a regular init/upstart/systemd script but require a module like forever or god (I'm looking at you Ruby). Why do you think these things exist? Because it is not in a hipster language? Because it "just works"? And of course, let's compile everything from source, why even would we think of using packages or the package management system the distro provides?
You hate node because there's no init script for it? You realize that it's just another interpreter like anything else on a unix system - php-fcgi uses a handler to keep it alive, just like perl fcgi and anything else. 

You can create a systemd conf for ghost or any node app in approximately 2.5 seconds that will work perfectly - don't blame the language for people not using unix tools right. 

As for source compilation versus package managers, I guarantee if you did `apt-get install nodejs nginx nodejs-dev; npm install forever` you would have a working system in another 30 seconds, put the systemd script in and configure your blog and you're done.

You're what happens when people refuse to accept new things because they're afraid of them, and instead just complain about it. What would you use to run a blog? Use a static site generator? Create your own CMS? Installing node isn't some sort of curse, it's just a fucking javascript interpreter that people use. 
 
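What the unit file manacit mentions looks like, together with the pgrep replacement for the ps|grep pipeline Raymii quoted earlier in the thread: an added example, not the guide's script and not anything shipped by Ghost or Node. It assumes a systemd host as manacit describes (Ubuntu 12.04 ships Upstart, so the same settings would go into an Upstart job there), Ghost unpacked in /var/www/ghost, an unprivileged ghost user and node at /usr/bin/node; all of these are assumptions and can be overridden through the environment variables at the top.

```shell
#!/bin/bash
# Added example: a systemd unit for Ghost and a pgrep-based liveness check.
# Paths, user name and the node binary location are assumptions.

GHOST_DIR=${GHOST_DIR:-/var/www/ghost}
GHOST_USER=${GHOST_USER:-ghost}
NODE_BIN=${NODE_BIN:-/usr/bin/node}

# Print the unit file. systemd then owns start, stop, logging (journalctl -u
# ghost) and restart policy, which is what the guide's watchdog loop re-implements.
render_ghost_unit() {   # usage: render_ghost_unit > /etc/systemd/system/ghost.service
    cat <<EOF
[Unit]
Description=Ghost blog
After=network.target

[Service]
Type=simple
User=$GHOST_USER
Group=$GHOST_USER
WorkingDirectory=$GHOST_DIR
Environment=NODE_ENV=production
ExecStart=$NODE_BIN $GHOST_DIR/index.js
# Ghost needs nothing outside its own directory and the port nginx proxies to:
# drop the ability to gain privileges and give it a private /tmp.
NoNewPrivileges=yes
PrivateTmp=yes
# Automatic restarts hide crashes. Keep a delay and watch the journal so a
# crash loop stays a visible event; drop these two lines to make a crash stop the service.
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# Replacement for: ps aux | grep node | grep -v grep | wc -l
# pgrep excludes itself, and -f matches the full command line, so this finds
# Ghost's node process and not some other node program on the box.
ghost_running() {   # exit 0 if a Ghost node process exists
    pgrep -f -- "$NODE_BIN $GHOST_DIR/index.js" >/dev/null
}

# Install and enable the unit (needs root; not run by the demo below).
install_ghost_unit() {
    render_ghost_unit > /etc/systemd/system/ghost.service
    systemctl daemon-reload
    systemctl enable ghost.service
    systemctl start ghost.service
}

# Demo: show the unit and run the check without touching the system.
render_ghost_unit
if ghost_running; then echo "ghost: running"; else echo "ghost: not running"; fi
```

With the unit in place the guide's cron-driven "is node still there" script goes away entirely: `systemctl status ghost` answers the question, and `journalctl -u ghost` holds the stdout/stderr that the watchdog loop threw away.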

Raymii

New Member
You hate node because there's no init script for it? You realize that it's just another interpreter like anything else on a unix system - php-fcgi uses a handler to keep it alive, just like perl fcgi and anything else. 

You can create a systemd conf for ghost or any node app in approximately 2.5 seconds that will work perfectly - don't blame the language for people not using unix tools right. 

As for source compilation versus package managers, I guarantee if you did `apt-get install nodejs nginx nodejs-dev; npm install forever` you would have a working system in another 30 seconds, put the systemd script in and configure your blog and you're done.

You're what happens when people refuse to accept new things because they're afraid of them, and instead just complain about it. What would you use to run a blog? Use a static site generator? Create your own CMS? Installing node isn't some sort of curse, it's just a fucking javascript interpreter that people use. 
If they target a unix/linux system, the creators of the language should be using standard unix tools. They are there for a reason. Well tested, considered stable, documented, and the people who admin the server should be familiar with them.

The whole point of automatically restarting a service is mostly bollocks as well; if something crashes there is a problem that needs to be researched and fixed before the service just goes on and maybe goes haywire on the data or the users. That a process requires automatic respawning should be a red flag for people: the code is bad and you should feel bad.

Sometimes packaged software is older than the latest hip version. You can still compile it from source then, but just make it into a package. There are plenty of tools that do that, for example fpm, checkinstall and maybe even alien. That way, you keep your system clean and it makes upgrading and removing the software easier. Why do you think Arch, Gentoo and most of the BSDs compile the source code of software into a package and then install that package?

I'm absolutely not afraid of new things. I like change, because most of the time change means progress. Change also helps with the natural selection part, bad software dies and good software evolves.

What I don't like is stupid code or ignoring best practices. Don't get me wrong, the ghost software looks very nice and works well. NodeJS however is a big fscking while true loop with some javascript, just because the creators of node find C or C++ too low-level a language. That mentality is what I don't like.

Plus, as I already said, the complete ignoring of best practices and standard tools and the "not invented here" syndrome. That results in a lot of people setting up servers that become insecure and/or unmanageable in the long run. As with this tutorial for example, what should the beginner that followed it do when there is a new release of nginx? Should he just compile over it? He doesn't know. And because he did not follow best practices, the people he will consult for support will tell him that what he did was stupid, while he just followed a tutorial. It just spreads the bad...

And what I would use for running a blog? For myself a self written static site generator. For "regular people" something like MT, Wordpress or whatever they find working best. However, the server / backend part would be very clean and managable.
 

Raymii

New Member
Most other tutorials use checkinstall to first build a package from the compiled source (https://raymii.org/s/tutorials/Install_nmap_6_on_Ubuntu_12.04.html for example), however, the nagios installation requires 6 makes which checkinstall does not support. In that specific tutorial the only thing that can be checkinstalled is the NRPE plugin, the rest borks with both fpm and checkinstall.
 
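The problem above (a build that spreads its install over six make targets, and checkinstall breaking on some of them) has a second route besides running checkinstall once per target: stage every target into one DESTDIR tree and let fpm turn that tree into a single .deb. The script is an added example, not from Raymii's tutorial, from Nagios or from fpm; it assumes the source's Makefile honours DESTDIR (Nagios Core's install targets do) and that fpm (gem install fpm) is on the PATH. The check after each target is there because a target that ignores DESTDIR installs straight into the live root of the build host, which is exactly what packaging is supposed to prevent; the check cannot prove DESTDIR was honoured, but it does make a target that staged nothing impossible to miss.

```shell
#!/bin/bash
# Added example: build one .deb from several make targets via DESTDIR + fpm.
# Assumes the Makefile honours DESTDIR and that fpm is installed.

# List everything in the staging tree as the path it will occupy on the
# target system. This is the package's manifest; read it before building.
stage_manifest() {   # usage: stage_manifest <stage-dir>
    ( cd "$1" 2>/dev/null && find . -mindepth 1 | sed 's|^\.||' | sort )
}

# Run each make target with DESTDIR pointed at the staging tree and warn when
# a target added nothing to it: either it only changes modes on existing
# paths, or it ignored DESTDIR and wrote into / on the build host. Look.
stage_targets() {   # usage: stage_targets <source-dir> <stage-dir> <target>...
    local src=$1 stage=$2 target before after
    shift 2
    mkdir -p "$stage"
    for target in "$@"; do
        before=$(stage_manifest "$stage" | wc -l)
        make -C "$src" DESTDIR="$stage" "$target" >/dev/null || return 1
        after=$(stage_manifest "$stage" | wc -l)
        if [ $after -le $before ]; then
            echo "warning: target '$target' added nothing to $stage;" \
                 "check it honours DESTDIR and did not write into /" >&2
        fi
    done
}

# Turn the staging tree into a .deb that dpkg can install, upgrade and remove.
# Each extra argument becomes a runtime dependency (-d) of the package.
build_deb() {   # usage: build_deb <stage-dir> <name> <version> [dep]...
    local stage=$1 name=$2 version=$3 deps="" d
    shift 3
    for d in "$@"; do deps="$deps -d $d"; done
    # $deps is intentionally word-split into repeated -d options
    fpm -s dir -t deb -n "$name" -v "$version" $deps -C "$stage" .
}

# Nagios Core invocation (not run here; the dependency is illustrative):
#   ./configure --with-command-group=nagcmd && make all
#   stage_targets . /tmp/nagios-stage install install-init install-config \
#                 install-commandmode install-webconf install-exfoliation
#   stage_manifest /tmp/nagios-stage | less
#   build_deb /tmp/nagios-stage nagios 4.0.4 libgd2-xpm

# Demo on a constructed tree, so it runs without make or fpm:
demo=$(mktemp -d)
mkdir -p "$demo/etc/init.d" && touch "$demo/etc/init.d/nagios"
stage_manifest "$demo"          # prints /etc, /etc/init.d, /etc/init.d/nagios
rm -rf "$demo"
```

The resulting package carries the same file list dpkg would show for a distro package (`dpkg -L nagios`), so the upgrade question Raymii raises earlier in the thread has an answer: build the new version into a new stage, bump the version, `dpkg -i` the new .deb, and dpkg removes whatever the old version installed and the new one no longer ships.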

tchen

New Member
the nagios installation requires 6 makes which checkinstall does not support. In that specific tutorial the only thing that can be checkinstalled is the NRPE plugin, the rest borks with both fpm and checkinstall.
Have you tried:

checkinstall
checkinstall --pkgname=nagios-init make install-init
checkinstall --pkgname=nagios-config make install-config
checkinstall --pkgname=nagios-commandmode make install-commandmode
checkinstall --pkgname=nagios-webconf make install-webconf
checkinstall --pkgname=nagios-exfoliation make install-exfoliation

That used to work in nagios 3.x
 

manacit

New Member
You've successfully managed to write a lot of stuff that refutes absolutely nothing that I've said and demonstrates how little you know about the node ecosystem outside of this shell script. 

Node *does* use system tools and packages - they distribute prebuilt binaries on their website, and you can find their packages in practically every repo in existence. I'm still not sure why you think they haven't. Perhaps you're criticizing this tutorial? It's certainly not indicative of the entire node ecosystem. You're conflating the two and getting angry at the entire node community because of some random shell script some dude wrote on a website that gets a few hundred uniques a month. 

Furthermore, you seem to hate node because it's "a big while loop of javascript" - that's what every fucking web server is: it sits there and waits for a request, processes it, and continues sitting there waiting for another. You don't seem to have a single coherent answer for why that's bad, besides it being javascript. That's not a real argument. Maybe you should read your own damn words - paypal and walmart have embraced using node as part of their infrastructure, it's got to have at least a few merits. Or maybe they should write everything in C because that's the only respectable language? Have you heard of python? That's as high level as node. 

Not only does your complete lack of knowledge about what you're critiquing shine through, but you top it all off and recommend Wordpress, a shining example of everything a web app shouldn't be. It's slow by default, extremely insecure and generally pretty shit. 
 

Raymii

New Member
Have you tried:

checkinstall
checkinstall --pkgname=nagios-init make install-init
checkinstall --pkgname=nagios-config make install-config
checkinstall --pkgname=nagios-commandmode make install-commandmode
checkinstall --pkgname=nagios-webconf make install-webconf
checkinstall --pkgname=nagios-exfoliation make install-exfoliation

That used to work in nagios 3.x
It now requires a few override options, but it still works. I've updated the tutorial for Nagios 4.0.4 which was just released, now with checkinstall included. The last time I tried it borked on the last two makes, however, now it seems to work...

https://raymii.org/s/tutorials/Nagios_Core_4_Installation_on_Ubuntu_12.04.html

You've successfully managed to write a lot of stuff that refutes absolutely nothing that I've said and demonstrates how little you know about the node ecosystem outside of this shell script. 

Node *does* use system tools and packages - they distribute prebuilt binaries on their website, and you can find their packages in practically every repo in existence. I'm still not sure why you think they haven't. Perhaps you're criticizing this tutorial? It's certainly not indicative of the entire node ecosystem. You're conflating the two and getting angry at the entire node community because of some random shell script some dude wrote on a website that gets a few hundred uniques a month. 

Furthermore, you seem to hate node because it's "a big while loop of javascript" - that's what every fucking web server is: it sits there and waits for a request, processes it, and continues sitting there waiting for another. You don't seem to have a single coherent answer for why that's bad, besides it being javascript. That's not a real argument. Maybe you should read your own damn words - paypal and walmart have embraced using node as part of their infrastructure, it's got to have at least a few merits. Or maybe they should write everything in C because that's the only respectable language? Have you heard of python? That's as high level as node. 

Not only does your complete lack of knowledge about what you're critiquing shine through, but you top it all off and recommend Wordpress, a shining example of everything a web app shouldn't be. It's slow by default, extremely insecure and generally pretty shit. 
It was nice discussing, however, this seems to be going in a direction that seems to be rather useless.
 