Skip to content

Latest commit

 

History

History
412 lines (316 loc) · 11.4 KB

README.md

File metadata and controls

412 lines (316 loc) · 11.4 KB

Domain Registry

Maintainability Test Coverage Documentation Status

Full stack top-level domain (TLD) management.

Documentation

Installation

Registry app

Registry based on Rails 4 installation (rbenv install is under Debian build doc)

Manual demo install and database setup:

cd /home/registry
git clone [email protected]:internetee/registry.git demo-registry
cd demo-registry
rbenv local 2.2.2
bundle
cp config/application.yml.sample config/application.yml # and edit it
cp config/database.yml.sample config/database.yml # and edit it
bundle exec rake db:setup:all # for production, please follow deployment howto
bundle exec rake bootstrap
bundle exec rake assets:precompile

Apache (Debian 7/Ubuntu 14.04 LTS)

sudo apt-get install apache2

Enable ssl:

sudo a2enmod proxy_http
sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
sudo a2enmod ssl
sudo nano /etc/apache2/sites-enabled/epp_ssl.conf

For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-enabled/registry.conf short example:

<VirtualHost *:443>
  ServerName your-domain
  ServerAdmin [email protected]

  PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
  PassengerRuby /home/registry/.rbenv/shims/ruby
  PassengerEnabled on
  PassengerMinInstances 10
  PassengerMaxPoolSize 10
  PassengerPoolIdleTime 0
  PassengerMaxRequests 1000

  RailsEnv production # or staging
  DocumentRoot /home/registry/registry/current/public

  # Possible values include: debug, info, notice, warn, error, crit,
  LogLevel info
  ErrorLog /var/log/apache2/registry.error.log
  CustomLog /var/log/apache2/registry.access.log combined

  SSLEngine On
  SSLCertificateFile    /etc/ssl/certs/your.crt
  SSLCertificateKeyFile /etc/ssl/private/your.key
  SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem
  SSLCACertificateFile /etc/ssl/certs/ca.pem

  SSLProtocol -all +TLSv1.2
  SSLHonorCipherOrder On
  SSLCompression off
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

  RewriteEnginriteEngine on
  RedirectMatch ^/$ /admin
  RedirectMatch ^/login$ /admin/login

  <Directory /app/registry/registry/current/public>
      # for Apache older than version 2.4
      Allow from all

      # for Apache verison 2.4 or newer
      # Require all granted
      Options -MultiViews
  </Directory>

  <Location />
      Allow from none
      Deny from all
  </Location>

  <Location /admin>
      Allow from all
  </Location>

  <Location /assets>
      Allow from all
  </Location>
</VirtualHost>

Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follows:

<VirtualHost *:443>
  ServerName your-registrar-domain
  ServerAdmin [email protected]

  PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
  PassengerRuby /home/registry/.rbenv/shims/ruby
  PassengerEnabled on
  PassengerMinInstances 10
  PassengerMaxPoolSize 10
  PassengerPoolIdleTime 0
  PassengerMaxRequests 1000

  RailsEnv production # or staging
  DocumentRoot /home/registry/registrar/current/public

  # Possible values include: debug, info, notice, warn, error, crit,
  LogLevel info
  ErrorLog /var/log/apache2/registrar.error.log
  CustomLog /var/log/apache2/registrar.access.log combined

  SSLEngine On
  SSLCertificateFile    /etc/ssl/certs/your.crt
  SSLCertificateKeyFile /etc/ssl/private/your.key
  SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem
  SSLCACertificateFile /etc/ssl/certs/ca.pem

  SSLProtocol -all +TLSv1.2
  SSLHonorCipherOrder On
  SSLCompression off
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

  RewriteEngine on
  RedirectMatch ^/$ /registrar
  RedirectMatch ^/login$ /registrar/login

  <Directory /app/registry/registrar/current/public>
      # for Apache older than version 2.4
      Allow from all

      # for Apache verison 2.4 or newer
      # Require all granted

      Options -MultiViews
  </Directory>

  <Location />
      Allow from none
      Deny from all
  </Location>

  <Location /registrar>
      Allow from all
  </Location>

  <Location /assets>
      Allow from all
  </Location>

  SSLVerifyClient none
  SSLVerifyDepth 1
  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
  SSLCARevocationPath /home/registry/registry/shared/ca/crl
  # Uncomment in Apache 2.4
  # SSLCARevocationCheck chain

  RequestHeader set SSL_CLIENT_S_DN_CN ""
  RequestHeader set SSL_CLIENT_CERT ""
  <Location /registrar/sessions>
      SSLVerifyClient require
      RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
      RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  </Location>

  <Location /registrar/id>
      SSLVerifyClient require
      Options Indexes FollowSymLinks MultiViews
      SSLVerifyDepth 2
      SSLOptions +StdEnvVars +ExportCertData
  </Location>
</VirtualHost>

Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as follows:

<VirtualHost *:443>
    ServerName your-registrant-domain
    ServerAdmin [email protected]

    PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
    PassengerRuby /home/registry/.rbenv/shims/ruby
    PassengerEnabled on
    PassengerMinInstances 10
    PassengerMaxPoolSize 10
    PassengerPoolIdleTime 0
    PassengerMaxRequests 1000

    RailsEnv production # or staging
    DocumentRoot /home/registry/registrant/current/public

    # Possible values include: debug, info, notice, warn, error, crit,
    LogLevel info
    ErrorLog /var/log/apache2/registrant.error.log
    CustomLog /var/log/apache2/registrant.access.log combined

    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/your.crt
    SSLCertificateKeyFile /etc/ssl/private/your.key
    SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem
    SSLCACertificateFile /etc/ssl/certs/ca.pem

    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder On
    SSLCompression off
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    RewriteEngine on
    RedirectMatch ^/$ /registrant
    RedirectMatch ^/login$ /registrant/login

    <Directory /app/registry/registrant/current/public>
        # for Apache older than version 2.4
        Allow from all

        # for Apache verison 2.4 or newer
        # Require all granted

        Options -MultiViews
    </Directory>

    <Location />
        Allow from none
        Deny from all
    </Location>

    <Location /registrant>
        Allow from all
    </Location>

    <Location /assets>
        Allow from all
    </Location>

    SSLVerifyClient none
    SSLVerifyDepth 1
    SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
    SSLCARevocationPath /home/registry/registry/shared/ca/crl
    # Uncomment in Apache 2.4
    # SSLCARevocationCheck chain

    RequestHeader set SSL_CLIENT_S_DN_CN ""
    RequestHeader set SSL_CLIENT_CERT ""
    <Location /registrant/sessions>
        SSLVerifyClient require
        RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    </Location>

    <Location /registrant/id>
        SSLVerifyClient require
        Options Indexes FollowSymLinks MultiViews
        SSLVerifyDepth 2
        SSLOptions +StdEnvVars +ExportCertData
    </Location>
</VirtualHost>

For Apache, REPP goes to port 443 in production, /etc/apache2/sites-enabled/repp.conf short example:

<VirtualHost *:443>
    ServerName your-repp-domain
    SSLEngine on
    #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    ProxyPreserveHost on
    RequestHeader set X_FORWARDED_PROTO 'https'

    SSLVerifyClient none
    SSLVerifyDepth 1
    SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
    SSLCARevocationPath /home/registry/registry/shared/ca/crl
    # Uncomment this when upgrading to apache 2.4:
    # SSLCARevocationCheck chain

    RequestHeader set SSL_CLIENT_S_DN_CN ""
    RequestHeader set SSL_CLIENT_CERT ""

    <Location />
        Allow from none
        Deny from all
    </Location>

    <Location /repp>
        Allow from all
        SSLVerifyClient require
        RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    </Location>
</VirtualHost>

For Apache, epp goes to port 700. Be sure to update paths to match your system configuration. /etc/apache2/sites-enabled/epp.conf short example:

<IfModule mod_ssl.c>
    Listen 127.0.0.1:8080
    <VirtualHost 127.0.0.1:8080>
        ServerName your-epp-backend-domain
        ServerAdmin [email protected]

        PassengerEnabled on
        PassengerMinInstances 10
        PassengerMaxPoolSize 10
        PassengerPoolIdleTime 0
        PassengerMaxRequests 1000
        PassengerRoot "/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini"
        PassengerRuby "/home/registry/.rbenv/shims/ruby"

        RailsEnv production # or staging
        DocumentRoot "/home/registry/registry/public"

        # Possible values include: debug, info, notice, warn, error, crit,
        LogLevel info
        ErrorLog "/var/log/apache2/eppback.error.log"
        CustomLog "/var/log/apache2/eppback.access.log" combined

        <Directory />
            Options +FollowSymLinks -Indexes
            AllowOverride None
        </Directory>

        <Directory /home/registry/registry/public>
            Order allow,deny
            Allow from all
            Options -MultiViews -Indexes
            AllowOverride all
        </Directory>
    </VirtualHost>
</IfModule>

Enable epp_ssl and restart apache

sudo a2ensite epp_ssl
sudo service apache2 restart

Now you should see registry admin at https://your-domain

All registry demo data can be found at:

db/seeds.rb

Initially you can use two type of users: admin users and EPP users.

For using EPP we are strongly recommend to install epp_proxy instead of mod_epp. You can get epp_proxy from https://github.com/internetee/epp_proxy

Wkhtmltopdf setup

sudo apt-get install libxext-dev libxrender1 fontconfig

Certificates setup

Deployment

Autotesting

Github Actions CI

  • Github Actions CI is configured to build all the PRs.

EPP web client

Please follow EPP web client readme:

https://github.com/internetee/EPP-web-client

WHOIS server

Please follow WHOIS server readme:

https://github.com/internetee/whois