https://wiki.castanedo.es/api.php?action=feedcontributions&feedformat=atom&user=GuzmanWiki Castanedo.es - Contribuciones del usuario [es]2026-05-10T14:16:30ZContribuciones del usuarioMediaWiki 1.39.8https://wiki.castanedo.es/index.php?title=OS_limpio&diff=219OS limpio2026-04-19T21:17:17Z<p>Guzman: </p>
<hr />
<div>== Arrancar OS limpio en Docker ==<br />
Arrancar contenedores con diferentes OS limpios (para debuging o crear otras imágenes).<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
<br />
== Debian ==<br />
Debian es imagen muy popular (glibc y coreutils).<br />
<br />
=== Descargar imagen de debian-slim ===<br />
Vamos a usar la imagen estable y mínima.<br />
<syntaxhighlight lang="Bash"><br />
docker pull debian:stable-slim<br />
</syntaxhighlight><br />
<br />
=== Ejecutar contenedor de debian-slim ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d -it \<br />
--name debian \<br />
-v test-vol:/mnt/test-vol \<br />
debian:stable-slim<br />
</syntaxhighlight><br />
<br />
Nota: ejemplo con volumen asociado.<br />
<br />
== Alpine ==<br />
Alpine es imagen hiper reducida (musl libc y BusyBox).<br />
<br />
=== Descargar imagen de alpine ===<br />
Vamos a usar la imagen más reciente.<br />
<syntaxhighlight lang="Bash"><br />
docker pull alpine:latest<br />
</syntaxhighlight><br />
<br />
Nota 1: es una imagen de un OS de solo 13 MB (en comparación con 120 MB de debian-slim).<br />
<br />
Nota 2: presenta menor superficie de ataque.<br />
<br />
Nota 3: puede presentar problemas de falta de herramientas de debug (ni tiene bash).<br />
<br />
Nota 4: puede presentar problemas de con software no preparado para musl.<br />
<br />
=== Ejecutar contenedor de alpine ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d -it \<br />
--name alpine \<br />
-v test-vol:/mnt/test-vol \<br />
alpine:latest<br />
</syntaxhighlight><br />
<br />
Nota: ejemplo con volumen asociado.<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/_/debian?xk=ShowRecommendedBadge&xt=Disabled https://hub.docker.com/_/debian?xk=ShowRecommendedBadge&xt=Disabled]<br />
* [https://oneuptime.com/blog/post/2026-02-08-how-to-choose-between-alpine-and-debian-slim-base-images/view https://oneuptime.com/blog/post/2026-02-08-how-to-choose-between-alpine-and-debian-slim-base-images/view]<br />
* [https://cr0x.net/es/docker-alpine-vs-debian-slim/ https://cr0x.net/es/docker-alpine-vs-debian-slim/]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=OS_limpio&diff=218OS limpio2026-04-19T21:12:05Z<p>Guzman: </p>
<hr />
<div>== Arrancar OS limpio en Docker ==<br />
Arrancar contenedores con diferentes OS limpios (para debuging o crear otras imágenes).<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
<br />
== Debian ==<br />
Debian es imagen muy popular (glibc y coreutils).<br />
<br />
=== Descargar imagen de debian-slim ===<br />
Vamos a usar la imagen estable y mínima.<br />
<syntaxhighlight lang="Bash"><br />
docker pull debian:stable-slim<br />
</syntaxhighlight><br />
<br />
=== Ejecutar contenedor de debian-slim ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d -it \<br />
--name debian \<br />
-v test-vol:/mnt/test-vol \<br />
debian:stable-slim<br />
</syntaxhighlight><br />
<br />
Nota: ejemplo con volumen asociado.<br />
<br />
== Alpine ==<br />
Alpine es imagen hiper reducida (musl libc y BusyBox).<br />
<br />
=== Descargar imagen de alpine ===<br />
Vamos a usar la imagen más reciente.<br />
<syntaxhighlight lang="Bash"><br />
docker pull alpine:latest<br />
</syntaxhighlight><br />
<br />
Nota 1: es una imagen de un OS de solo 13 MB (en comparación con 120 MB de debian-slim).<br />
<br />
Nota 2: presenta menor superficie de ataque.<br />
<br />
Nota 3: puede presentar problemas de falta de herramientas de debug.<br />
<br />
Nota 4: puede presentar problemas de con software no preparado para musl.<br />
<br />
=== Ejecutar contenedor de alpine ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d -it \<br />
--name alpine \<br />
-v test-vol:/mnt/test-vol \<br />
alpine:latest<br />
</syntaxhighlight><br />
<br />
Nota: ejemplo con volumen asociado.<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/_/debian?xk=ShowRecommendedBadge&xt=Disabled https://hub.docker.com/_/debian?xk=ShowRecommendedBadge&xt=Disabled]<br />
* [https://oneuptime.com/blog/post/2026-02-08-how-to-choose-between-alpine-and-debian-slim-base-images/view https://oneuptime.com/blog/post/2026-02-08-how-to-choose-between-alpine-and-debian-slim-base-images/view]<br />
* [https://cr0x.net/es/docker-alpine-vs-debian-slim/ https://cr0x.net/es/docker-alpine-vs-debian-slim/]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=OS_limpio&diff=217OS limpio2026-04-19T21:10:40Z<p>Guzman: Página creada con «== Arrancar OS limpio en Docker == Arrancar contenedores con diferentes OS limpios (para debuging o crear otras imágenes). == Requisitos == Para poder realizar esta configuración se necesita: * Docker Engine (ver Docker Engine) ** Módulo: Docker Compose (para PRO) == Debian == Debian es imagen muy popular (glibc y coreutils). === Descargar imagen de debian-slim === Vamos a usar la imagen estable y mínima. <syntaxhighlight lang="Bash"> docker pull debian:sta…»</p>
<hr />
<div>== Arrancar OS limpio en Docker ==<br />
Arrancar contenedores con diferentes OS limpios (para debuging o crear otras imágenes).<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
<br />
== Debian ==<br />
Debian es imagen muy popular (glibc y coreutils).<br />
<br />
=== Descargar imagen de debian-slim ===<br />
Vamos a usar la imagen estable y mínima.<br />
<syntaxhighlight lang="Bash"><br />
docker pull debian:stable-slim<br />
</syntaxhighlight><br />
<br />
=== Ejecutar contenedor de debian-slim ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d -it \<br />
--name debian \<br />
-v test-vol:/mnt/test-vol \<br />
debian:stable-slim<br />
</syntaxhighlight><br />
<br />
Nota: ejemplo con volumen asociado.<br />
<br />
== Alpine ==<br />
Alpine es imagen hiper reducida (musl libc y BusyBox).<br />
<br />
=== Descargar imagen de debian-slim ===<br />
Vamos a usar la imagen más reciente.<br />
<syntaxhighlight lang="Bash"><br />
docker pull alpine:latest<br />
</syntaxhighlight><br />
<br />
Nota 1: es una imagen de un OS de solo 13 MB (en comparación con 120 MB de debian-slim).<br />
<br />
Nota 2: presenta menor superficie de ataque.<br />
<br />
Nota 3: puede presentar problemas de falta de herramientas de debug.<br />
<br />
Nota 4: puede presentar problemas de con software no preparado para musl.<br />
<br />
=== Ejecutar contenedor de debian-slim ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d -it \<br />
--name alpine \<br />
-v nextcloud_aio_backupdir:/mnt/backup \<br />
alpine:latest<br />
</syntaxhighlight><br />
<br />
Nota: ejemplo con volumen asociado.<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/_/debian?xk=ShowRecommendedBadge&xt=Disabled https://hub.docker.com/_/debian?xk=ShowRecommendedBadge&xt=Disabled]<br />
* [https://oneuptime.com/blog/post/2026-02-08-how-to-choose-between-alpine-and-debian-slim-base-images/view https://oneuptime.com/blog/post/2026-02-08-how-to-choose-between-alpine-and-debian-slim-base-images/view]<br />
* [https://cr0x.net/es/docker-alpine-vs-debian-slim/ https://cr0x.net/es/docker-alpine-vs-debian-slim/]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=P%C3%A1gina_principal&diff=216Página principal2026-04-19T20:45:58Z<p>Guzman: </p>
<hr />
<div>__NOTOC__<br />
<br />
== Bienvenidos a Wiki Castanedo.es ==<br />
<br />
=== ¿Qué es esto? ===<br />
<br />
Mi Wiki personal. No sobre mi persona, sino sobre mis cosas.<br />
<br />
Antes tenía diferentes páginas en las que publicaba artículos y notas sobre temas, principalmente relacionados con el mundo [https://es.wikipedia.org/wiki/GNU/Linux GNU/Linux] y la administración de servidores, pero se hallaban dispersos y en diferentes formatos.<br />
<br />
Este proyecto busca en primer lugar unificarlo todo en un solo sitio y por otro retomar la publicación de las notas que voy tomando.<br />
<br />
=== Contenido ===<br />
<br />
Me gusta tomar notas de las cosas que voy haciendo, sobre todo en el mundo de la informática.<br />
<br />
Durante mucho tiempo estas notas me las he guardado para mi mismo, pero a partir de ahora las comparto con el que le interesen. Muchas son cosas sencillas y muy conocidas, otras sin embargo contienen información que me han llevado mucha documentación que leer y algunas, incluso, contienen información difícil de encontrar.<br />
<br />
Desde aquí se compartirá tres tipos de contenidos diferenciados: notas, código y ayuda.<br />
<br />
==== Notas ====<br />
<br />
Son las notas que he ido habiendo sobre administración de sistemas:<br />
* '''Máquinas virtuales:'''<br />
** [[Securizar Ubuntu Server]]<br />
** Instalar y configurar un Servidor [[LEMP]] en Ubuntu Server (Linux + Nginx + MySQL + PHP).<br />
** Instalar y configurar un [[Servidor de Correo]] (Postfix + Dovecot + SSL + SPF + OpenDKIM + OpenDMARC + Amavis + SpamAssassin).<br />
** [[Administración servidor de correo]].<br />
** Instalar y configurar [[GOGS]] (Repositorio Git).<br />
** Instalar y configurar [[TeamSpeak 3]].<br />
** Instalar y configurar un [[Servidor Minecraft]].<br />
** Instalar y configurar [[Etherpad]] en Ubuntu Server.<br />
** Notas sobre [[OpenSSL]].<br />
** Notas de configuración de [[Drupal 7]] y [[Drupal 8]].<br />
** Notas de configuración de [[WordPress]].<br />
** Notas de configuración de [[MediaWiki]].<br />
* '''Contenedores:'''<br />
** Instalar y configurar [[Docker Engine]] en Ubuntu Server.<br />
** Instalar y configurar [[OpenSSH]] en Docker.<br />
** Instalar y configurar [[OpenLDAP]] en Docker.<br />
** Instalar y configurar [[MariaDB]] en Docker.<br />
** Instalar y configurar [[Keycloak]] en Docker.<br />
** Instalar y configurar [[Nextcloud AIO]] en Docker.<br />
** Instalar y configurar de servidor de correo [[Docker-Mailserver]].<br />
** Arrancar [[OS limpio]] en Docker.<br />
<br />
Pulse en el siguiente enlace para consultar la '''lista completa: [[:Categoría:Notas]]'''.<br />
<br />
==== Código ====<br />
<br />
Las notas aquí descritas pueden tener referencias a código fuente escrito por mi.<br />
<br />
Está disponible en [https://code.castanedo.es code.castanedo.es].<br />
<br />
Todo este software está disponible con licencia [https://www.gnu.org/licenses/gpl.html GPLv3].<br />
<br />
==== Ayuda ====<br />
<br />
Además es esta Wiki hay una [[:Categoría:Ayuda]] en las que se encuentran pequeñas guías de uso de servicios disponibles en mis servidores.<br />
<br />
Su función es que sirvan de ayuda para las personas que están usando estos servicios, aunque, por supuesto, son de libre consulta para cualquiera que los encuentre útiles.<br />
<br />
=== Espíritu ===<br />
<br />
El espíritu de esta wiki es el carácter libre y abierto.<br />
<br />
Todo el material que se aloje aquí será bajo licencia '''Creative Commons Attribution-ShareAlike 4.0''' ([https://creativecommons.org/licenses/by-sa/4.0/ CC BY-SA]) a menos que se exprese lo contrario.<br />
<br />
Para más detalles leer [[Wiki_Castanedo.es:Descargo_general]].<br />
<br />
=== Gracias ===<br />
<br />
'''Muchas gracias''' por visitar este sitio.<br />
<br />
Cualquier duda, consulta o corrección contacta en [mailto:guzman@castanedo.es guzman@castanedo.es].</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Nextcloud_AIO&diff=215Nextcloud AIO2026-04-19T20:05:47Z<p>Guzman: </p>
<hr />
<div>== Instalación Nextcloud AIO en Docker ==<br />
Instalación de [https://hub.docker.com/r/nextcloud/all-in-one nextcloud/all-in-one] en Docker.<br />
Vamos a usar la imagen oficial de [https://github.com/nextcloud/all-in-one Nextcloud AIO].<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
** NextCloud AIO sólo soporta Docker (para podman hay que generar ficheros compose manualmente)<br />
* Nginx (ver [[LEMP]])<br />
** Usado como proxy inverso.<br />
<br />
== ¿Qué contiene Nextcloud AIO? ==<br />
Nextcloud All In One (AIO) es la forma más sencilla de instalar Nextcloud de forma que ya venga con todo el middleware instalado y configurado.<br />
Contiene los siguientes componentes:<br />
* Nextcloud<br />
* Base ded datos: PostgreSQL<br />
** Nextcloud soporta otras bases de datos, pero no en AIO.<br />
* Servidor web: Apache HTTP Server<br />
** Podría usarse directamente para conectar, pero para poder tener más servicios en el mismo servidor usaremos Nginx como proxy inverso con Virtual Hosts para cada aplicación.<br />
* Servicios:<br />
** Nextcloud Files (Client Push)<br />
** Cachés Redis & APCU<br />
** Nextcloud Office (opcional)<br />
** Nextcloud Talk y servidor TURN para Talk (opcional)<br />
** Nextcloud Talk servidor de grabación (opcional)<br />
** BorgBackup para backups (opcional)<br />
** Antivirus ClamAV (opcional)<br />
** Más<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
docker pull ghcr.io/nextcloud-releases/all-in-one:latest<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Crear volumen para backup ===<br />
Para guardar los backups de Borg Backup vamos a crear un volumen.<br />
<syntaxhighlight lang="Bash"><br />
docker volume create \<br />
--driver local \<br />
--name nextcloud_aio_backupdir \<br />
-o device="//mnt/host/c/Users/<user>/Documents/Docker/nextcloud-aio/backups" \<br />
-o type="none" \<br />
-o o="bind"<br />
</syntaxhighlight><br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d \<br />
--init \<br />
--sig-proxy=false \<br />
--name nextcloud-aio-mastercontainer \<br />
--restart unless-stopped \<br />
--publish 127.0.0.1:8443:8080 \<br />
--env APACHE_PORT=8081 \<br />
--env APACHE_IP_BINDING=0.0.0.0 \<br />
--env APACHE_ADDITIONAL_NETWORK="" \<br />
--env SKIP_DOMAIN_VALIDATION=true \<br />
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \<br />
--volume //var/run/docker.sock:/var/run/docker.sock:ro \<br />
ghcr.io/nextcloud-releases/all-in-one:latest<br />
</syntaxhighlight><br />
<br />
Nota 1: no se puede cambiar las siguientes configuraciones<br />
<syntaxhighlight lang="Bash"><br />
--name nextcloud-aio-mastercontainer \<br />
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \<br />
</syntaxhighlight><br />
<br />
Nota 2: para cambiar el puerto de la consola administrativa "--publish 127.0.0.1:8081:8080".<br />
<br />
Nota 3: para cambiar el puerto de acceso a Nextcloud "--env APACHE_PORT=9081 \".<br />
<br />
Nota 4: para entornos locales de prueba hay que indicar "--env SKIP_DOMAIN_VALIDATION=true". En PRO no nos hará falta.<br />
<br />
=== Pruebas ===<br />
* Acceso a la consola administrativa: [https://localhost:8443/ https://localhost:8443/].<br />
<br />
* Acceso a la Nextcloud: [http://localhost:8081/ http://localhost:8081/]<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.<br />
<br />
=== Configurar Virtual Host para Keycloak ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
* Crear carpeta para VirtualHost:<br />
<syntaxhighlight lang="Bash">mkdir /var/www/nube.culturetas.net</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/nube.culturetas.net /etc/nginx/sites-enabled/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar certificados Let's Encrypt ===<br />
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
=== Crear carpetas para Keycloak ===<br />
<syntaxhighlight lang="Bash">mkdir -p /opt/nextcloud-aio/data</syntaxhighlight><br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Generar fichero Compose YAML ===<br />
<syntaxhighlight lang="Bash">vi /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod 640 /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose up -d</syntaxhighlight><br />
<br />
=== Parar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose down</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (con SystemD) ===<br />
* Crear fichero SystemD<br />
<syntaxhighlight lang="Bash">vi /etc/systemd/system/nextcloud-aio.service</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[Unit]<br />
Description=Nextcloud AIO(Docker Compose)<br />
After=docker.service network-online.target<br />
Requires=docker.service<br />
Wants=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
WorkingDirectory=/opt/nextcloud-aio<br />
ExecStart=/usr/bin/docker compose up --detach --remove-orphans --quiet-pull<br />
ExecStop=/usr/bin/docker compose down --remove-orphans --volumes --timeout 30<br />
TimeoutStartSec=180<br />
TimeoutStopSec=120<br />
Restart=on-failure<br />
RestartSec=7<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</syntaxhighlight><br />
<br />
* Arrancar y habilitar<br />
<syntaxhighlight lang="Bash">systemctl daemon-reload</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable nextcloud-aio</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/r/nextcloud/all-in-one/tags https://hub.docker.com/r/nextcloud/all-in-one/tags]<br />
* [https://github.com/nextcloud/all-in-one https://github.com/nextcloud/all-in-one]<br />
* [https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md]<br />
* [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged]<br />
* [https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Nextcloud_AIO&diff=214Nextcloud AIO2026-04-19T19:54:15Z<p>Guzman: </p>
<hr />
<div>== Instalación Nextcloud AIO en Docker ==<br />
Instalación de [https://hub.docker.com/r/nextcloud/all-in-one nextcloud/all-in-one] en Docker.<br />
Vamos a usar la imagen oficial de [https://github.com/nextcloud/all-in-one Nextcloud AIO].<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
** NextCloud AIO sólo soporta Docker (para podman hay que generar ficheros compose manualmente)<br />
* Nginx (ver [[LEMP]])<br />
** Usado como proxy inverso.<br />
<br />
== ¿Qué contiene Nextcloud AIO? ==<br />
Nextcloud All In One (AIO) es la forma más sencilla de instalar Nextcloud de forma que ya venga con todo el middleware instalado y configurado.<br />
Contiene los siguientes componentes:<br />
* Nextcloud<br />
* Base ded datos: PostgreSQL<br />
** Nextcloud soporta otras bases de datos, pero no en AIO.<br />
* Servidor web: Apache HTTP Server<br />
** Podría usarse directamente para conectar, pero para poder tener más servicios en el mismo servidor usaremos Nginx como proxy inverso con Virtual Hosts para cada aplicación.<br />
* Servicios:<br />
** Nextcloud Files (Client Push)<br />
** Cachés Redis & APCU<br />
** Nextcloud Office (opcional)<br />
** Nextcloud Talk y servidor TURN para Talk (opcional)<br />
** Nextcloud Talk servidor de grabación (opcional)<br />
** BorgBackup para backups (opcional)<br />
** Antivirus ClamAV (opcional)<br />
** Más<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
docker pull ghcr.io/nextcloud-releases/all-in-one:latest<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Crear volumen para backup ===<br />
Para guardar los backups de Borg Backup vamos a crear un volumen.<br />
<syntaxhighlight lang="Bash"><br />
docker volume create \<br />
--driver local \<br />
--name nextcloud_aio_backupdir \<br />
-o device="//mnt/host/c/Users/<user>/Documents/Docker/nextcloud-aio/backups" \<br />
-o type="none" \<br />
-o o="bind"<br />
</syntaxhighlight><br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d \<br />
--init \<br />
--sig-proxy=false \<br />
--name nextcloud-aio-mastercontainer \<br />
--restart unless-stopped \<br />
--publish 127.0.0.1:8443:8080 \<br />
--env APACHE_PORT=8081 \<br />
--env APACHE_IP_BINDING=0.0.0.0 \<br />
--env APACHE_ADDITIONAL_NETWORK="" \<br />
--env SKIP_DOMAIN_VALIDATION=true \<br />
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \<br />
--volume //var/run/docker.sock:/var/run/docker.sock:ro \<br />
ghcr.io/nextcloud-releases/all-in-one:latest<br />
</syntaxhighlight><br />
<br />
Nota 1: no se puede cambiar las siguientes configuraciones<br />
<syntaxhighlight lang="Bash"><br />
--name nextcloud-aio-mastercontainer \<br />
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \<br />
</syntaxhighlight><br />
<br />
Nota 2: para cambiar el puerto de la consola administrativa "--publish 127.0.0.1:8081:8080".<br />
<br />
Nota 3: para cambiar el puerto de acceso a Nextcloud "--env APACHE_PORT=9081 \".<br />
<br />
Nota 4: para entornos locales de prueba hay que indicar "--env SKIP_DOMAIN_VALIDATION=true". En PRO no nos hará falta.<br />
<br />
=== Pruebas ===<br />
* Acceso a la consola administrativa: [https://localhost:8443/ https://localhost:8443/].<br />
<br />
* Acceso a la Nextcloud: [http://localhost:8081/ http://localhost:8081/]<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.<br />
<br />
=== Configurar Virtual Host para Keycloak ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
* Crear carpeta para VirtualHost:<br />
<syntaxhighlight lang="Bash">mkdir /var/www/nube.culturetas.net</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/nube.culturetas.net /etc/nginx/sites-enabled/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar certificados Let's Encrypt ===<br />
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
=== Crear carpetas para Keycloak ===<br />
<syntaxhighlight lang="Bash">mkdir -p /opt/nextcloud-aio/data</syntaxhighlight><br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Generar fichero Compose YAML ===<br />
<syntaxhighlight lang="Bash">vi /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod 640 /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose up -d</syntaxhighlight><br />
<br />
=== Parar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose down</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (con SystemD) ===<br />
* Crear fichero SystemD<br />
<syntaxhighlight lang="Bash">vi /etc/systemd/system/nextcloud-aio.service</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[Unit]<br />
Description=Nextcloud AIO(Docker Compose)<br />
After=docker.service network-online.target<br />
Requires=docker.service<br />
Wants=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
WorkingDirectory=/opt/nextcloud-aio<br />
ExecStart=/usr/bin/docker compose up --detach --remove-orphans --quiet-pull<br />
ExecStop=/usr/bin/docker compose down --remove-orphans --volumes --timeout 30<br />
TimeoutStartSec=180<br />
TimeoutStopSec=120<br />
Restart=on-failure<br />
RestartSec=7<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</syntaxhighlight><br />
<br />
* Arrancar y habilitar<br />
<syntaxhighlight lang="Bash">systemctl daemon-reload</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable nextcloud-aio</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/r/nextcloud/all-in-one/tags https://hub.docker.com/r/nextcloud/all-in-one/tags]<br />
* [https://github.com/nextcloud/all-in-one https://github.com/nextcloud/all-in-one]<br />
* [https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md]<br />
* [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=OpenSSH&diff=213OpenSSH2026-04-19T18:27:33Z<p>Guzman: </p>
<hr />
<div>== Instalación OpenSSH SFTP en Docker ==<br />
Instalación de [https://hub.docker.com/r/atmoz/sftp atmoz/sftp] en Docker.<br />
Esta imagen se usa principalmente para funciones de debug.<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
<br />
== Descargar imagen ==<br />
Vamos a usar la imagen que es la latest a día de hoy.<br />
<syntaxhighlight lang="Bash"><br />
docker pull atmoz/sftp:latest<br />
</syntaxhighlight><br />
<br />
== Ejecutar SFTP con usuario/contraseña ==<br />
<syntaxhighlight lang="Bash"><br />
docker run -d \<br />
--name openssh-sftp \<br />
-p 2222:22 \<br />
-v //mnt/host/c/Users/foo/Desktop/temp://home/foo/upload \<br />
atmoz/sftp \<br />
foo:1234:::upload<br />
</syntaxhighlight><br />
<br />
Nota: se usa un volumen para guardar los datos persistentemente.<br />
<br />
== Ejecutar SFTP con clave RSA ==<br />
<syntaxhighlight lang="Bash"><br />
docker run -d \<br />
--name openssh-sftp \<br />
-p 2222:22 \<br />
-v //mnt/host/c/Users/foo/Desktop/temp://home/foo/upload \<br />
-v //mnt/host/c/Users/foo/.ssh/foo.key.pub://home/foo/.ssh/keys/foo.key.pub:ro \<br />
atmoz/sftp \<br />
foo:1234:::upload<br />
</syntaxhighlight><br />
<br />
Nota: se usa un volumen para pasar las claves dentro de el directorio "/home/foo/.ssh/keys" (no se puede pasar directamente el fichero authorized_keys por temas de permisos).<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/r/atmoz/sftp https://hub.docker.com/r/atmoz/sftp]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=OpenSSH&diff=212OpenSSH2026-04-19T18:19:19Z<p>Guzman: Página creada con «== Instalación OpenSSH SFTP en Docker == Instalación de [https://hub.docker.com/r/atmoz/sftp atmoz/sftp] en Docker. Esta imagen se usa principalmente para funciones de debug. == Requisitos == Para poder realizar esta configuración se necesita: * Docker Engine (ver Docker Engine) ** Módulo: Docker Compose (para PRO) == Descargar imagen == Vamos a usar la imagen que es la latest a día de hoy. <syntaxhighlight lang="Bash"> docker pull atmoz/sftp:latest </synta…»</p>
<hr />
<div>== Instalación OpenSSH SFTP en Docker ==<br />
Instalación de [https://hub.docker.com/r/atmoz/sftp atmoz/sftp] en Docker.<br />
Esta imagen se usa principalmente para funciones de debug.<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
<br />
== Descargar imagen ==<br />
Vamos a usar la imagen que es la latest a día de hoy.<br />
<syntaxhighlight lang="Bash"><br />
docker pull atmoz/sftp:latest<br />
</syntaxhighlight><br />
<br />
== Ejecutar SFTP con usuario/contraseña ==<br />
<syntaxhighlight lang="Bash"><br />
docker run -d \<br />
--name openssh-sftp \<br />
-p 2222:22 \<br />
-v //mnt/host/c/Users/foo/Desktop/temp://home/foo/upload \<br />
atmoz/sftp \<br />
foo:1234:::upload<br />
</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/r/atmoz/sftp https://hub.docker.com/r/atmoz/sftp]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=P%C3%A1gina_principal&diff=211Página principal2026-04-19T18:14:39Z<p>Guzman: </p>
<hr />
<div>__NOTOC__<br />
<br />
== Bienvenidos a Wiki Castanedo.es ==<br />
<br />
=== ¿Qué es esto? ===<br />
<br />
Mi Wiki personal. No sobre mi persona, sino sobre mis cosas.<br />
<br />
Antes tenía diferentes páginas en las que publicaba artículos y notas sobre temas, principalmente relacionados con el mundo [https://es.wikipedia.org/wiki/GNU/Linux GNU/Linux] y la administración de servidores, pero se hallaban dispersos y en diferentes formatos.<br />
<br />
Este proyecto busca en primer lugar unificarlo todo en un solo sitio y por otro retomar la publicación de las notas que voy tomando.<br />
<br />
=== Contenido ===<br />
<br />
Me gusta tomar notas de las cosas que voy haciendo, sobre todo en el mundo de la informática.<br />
<br />
Durante mucho tiempo estas notas me las he guardado para mi mismo, pero a partir de ahora las comparto con el que le interesen. Muchas son cosas sencillas y muy conocidas, otras sin embargo contienen información que me han llevado mucha documentación que leer y algunas, incluso, contienen información difícil de encontrar.<br />
<br />
Desde aquí se compartirá tres tipos de contenidos diferenciados: notas, código y ayuda.<br />
<br />
==== Notas ====<br />
<br />
Son las notas que he ido habiendo sobre administración de sistemas:<br />
* '''Máquinas virtuales:'''<br />
** [[Securizar Ubuntu Server]]<br />
** Instalar y configurar un Servidor [[LEMP]] en Ubuntu Server (Linux + Nginx + MySQL + PHP).<br />
** Instalar y configurar un [[Servidor de Correo]] (Postfix + Dovecot + SSL + SPF + OpenDKIM + OpenDMARC + Amavis + SpamAssassin).<br />
** [[Administración servidor de correo]].<br />
** Instalar y configurar [[GOGS]] (Repositorio Git).<br />
** Instalar y configurar [[TeamSpeak 3]].<br />
** Instalar y configurar un [[Servidor Minecraft]].<br />
** Instalar y configurar [[Etherpad]] en Ubuntu Server.<br />
** Notas sobre [[OpenSSL]].<br />
** Notas de configuración de [[Drupal 7]] y [[Drupal 8]].<br />
** Notas de configuración de [[WordPress]].<br />
** Notas de configuración de [[MediaWiki]].<br />
* '''Contenedores:'''<br />
** Instalar y configurar [[Docker Engine]] en Ubuntu Server.<br />
** Instalar y configurar [[OpenSSH]] en Docker.<br />
** Instalar y configurar [[OpenLDAP]] en Docker.<br />
** Instalar y configurar [[MariaDB]] en Docker.<br />
** Instalar y configurar [[Keycloak]] en Docker.<br />
** Instalar y configurar [[Nextcloud AIO]] en Docker.<br />
** Instalar y configurar de servidor de correo [[Docker-Mailserver]].<br />
<br />
Pulse en el siguiente enlace para consultar la '''lista completa: [[:Categoría:Notas]]'''.<br />
<br />
==== Código ====<br />
<br />
Las notas aquí descritas pueden tener referencias a código fuente escrito por mi.<br />
<br />
Está disponible en [https://code.castanedo.es code.castanedo.es].<br />
<br />
Todo este software está disponible con licencia [https://www.gnu.org/licenses/gpl.html GPLv3].<br />
<br />
==== Ayuda ====<br />
<br />
Además es esta Wiki hay una [[:Categoría:Ayuda]] en las que se encuentran pequeñas guías de uso de servicios disponibles en mis servidores.<br />
<br />
Su función es que sirvan de ayuda para las personas que están usando estos servicios, aunque, por supuesto, son de libre consulta para cualquiera que los encuentre útiles.<br />
<br />
=== Espíritu ===<br />
<br />
El espíritu de esta wiki es el carácter libre y abierto.<br />
<br />
Todo el material que se aloje aquí será bajo licencia '''Creative Commons Attribution-ShareAlike 4.0''' ([https://creativecommons.org/licenses/by-sa/4.0/ CC BY-SA]) a menos que se exprese lo contrario.<br />
<br />
Para más detalles leer [[Wiki_Castanedo.es:Descargo_general]].<br />
<br />
=== Gracias ===<br />
<br />
'''Muchas gracias''' por visitar este sitio.<br />
<br />
Cualquier duda, consulta o corrección contacta en [mailto:guzman@castanedo.es guzman@castanedo.es].</div>Guzmanhttps://wiki.castanedo.es/index.php?title=P%C3%A1gina_principal&diff=210Página principal2026-04-19T18:14:22Z<p>Guzman: </p>
<hr />
<div>__NOTOC__<br />
<br />
== Bienvenidos a Wiki Castanedo.es ==<br />
<br />
=== ¿Qué es esto? ===<br />
<br />
Mi Wiki personal. No sobre mi persona, sino sobre mis cosas.<br />
<br />
Antes tenía diferentes páginas en las que publicaba artículos y notas sobre temas, principalmente relacionados con el mundo [https://es.wikipedia.org/wiki/GNU/Linux GNU/Linux] y la administración de servidores, pero se hallaban dispersos y en diferentes formatos.<br />
<br />
Este proyecto busca en primer lugar unificarlo todo en un solo sitio y por otro retomar la publicación de las notas que voy tomando.<br />
<br />
=== Contenido ===<br />
<br />
Me gusta tomar notas de las cosas que voy haciendo, sobre todo en el mundo de la informática.<br />
<br />
Durante mucho tiempo estas notas me las he guardado para mi mismo, pero a partir de ahora las comparto con el que le interesen. Muchas son cosas sencillas y muy conocidas, otras sin embargo contienen información que me han llevado mucha documentación que leer y algunas, incluso, contienen información difícil de encontrar.<br />
<br />
Desde aquí se compartirá tres tipos de contenidos diferenciados: notas, código y ayuda.<br />
<br />
==== Notas ====<br />
<br />
Son las notas que he ido habiendo sobre administración de sistemas:<br />
* '''Máquinas virtuales:'''<br />
** [[Securizar Ubuntu Server]]<br />
** Instalar y configurar un Servidor [[LEMP]] en Ubuntu Server (Linux + Nginx + MySQL + PHP).<br />
** Instalar y configurar un [[Servidor de Correo]] (Postfix + Dovecot + SSL + SPF + OpenDKIM + OpenDMARC + Amavis + SpamAssassin).<br />
** [[Administración servidor de correo]].<br />
** Instalar y configurar [[GOGS]] (Repositorio Git).<br />
** Instalar y configurar [[TeamSpeak 3]].<br />
** Instalar y configurar un [[Servidor Minecraft]].<br />
** Instalar y configurar [[Etherpad]] en Ubuntu Server.<br />
** Notas sobre [[OpenSSL]].<br />
** Notas de configuración de [[Drupal 7]] y [[Drupal 8]].<br />
** Notas de configuración de [[WordPress]].<br />
** Notas de configuración de [[MediaWiki]].<br />
* '''Contenedores:'''<br />
** Instalar y configurar [[Docker Engine]] en Ubuntu Server.<br />
** Instalar y configurar [[OpenLDAP]] en Docker.<br />
** Instalar y configurar [[OpenSSH]] en Docker.<br />
** Instalar y configurar [[MariaDB]] en Docker.<br />
** Instalar y configurar [[Keycloak]] en Docker.<br />
** Instalar y configurar [[Nextcloud AIO]] en Docker.<br />
** Instalar y configurar de servidor de correo [[Docker-Mailserver]].<br />
<br />
Pulse en el siguiente enlace para consultar la '''lista completa: [[:Categoría:Notas]]'''.<br />
<br />
==== Código ====<br />
<br />
Las notas aquí descritas pueden tener referencias a código fuente escrito por mi.<br />
<br />
Está disponible en [https://code.castanedo.es code.castanedo.es].<br />
<br />
Todo este software está disponible con licencia [https://www.gnu.org/licenses/gpl.html GPLv3].<br />
<br />
==== Ayuda ====<br />
<br />
Además es esta Wiki hay una [[:Categoría:Ayuda]] en las que se encuentran pequeñas guías de uso de servicios disponibles en mis servidores.<br />
<br />
Su función es que sirvan de ayuda para las personas que están usando estos servicios, aunque, por supuesto, son de libre consulta para cualquiera que los encuentre útiles.<br />
<br />
=== Espíritu ===<br />
<br />
El espíritu de esta wiki es el carácter libre y abierto.<br />
<br />
Todo el material que se aloje aquí será bajo licencia '''Creative Commons Attribution-ShareAlike 4.0''' ([https://creativecommons.org/licenses/by-sa/4.0/ CC BY-SA]) a menos que se exprese lo contrario.<br />
<br />
Para más detalles leer [[Wiki_Castanedo.es:Descargo_general]].<br />
<br />
=== Gracias ===<br />
<br />
'''Muchas gracias''' por visitar este sitio.<br />
<br />
Cualquier duda, consulta o corrección contacta en [mailto:guzman@castanedo.es guzman@castanedo.es].</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Nextcloud_AIO&diff=209Nextcloud AIO2026-04-19T17:27:13Z<p>Guzman: </p>
<hr />
<div>== Instalación Nextcloud AIO en Docker ==<br />
Instalación de [https://hub.docker.com/r/nextcloud/all-in-one nextcloud/all-in-one] en Docker.<br />
Vamos a usar la imagen oficial de [https://github.com/nextcloud/all-in-one Nextcloud AIO].<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
** NextCloud AIO sólo soporta Docker (para podman hay que generar ficheros compose manualmente)<br />
* Nginx (ver [[LEMP]])<br />
** Usado como proxy inverso.<br />
<br />
== ¿Qué contiene Nextcloud AIO? ==<br />
Nextcloud All In One (AIO) es la forma más sencilla de instalar Nextcloud de forma que ya venga con todo el middleware instalado y configurado.<br />
Contiene los siguientes componentes:<br />
* Nextcloud<br />
* Base ded datos: PostgreSQL<br />
** Nextcloud soporta otras bases de datos, pero no en AIO.<br />
* Servidor web: Apache HTTP Server<br />
** Podría usarse directamente para conectar, pero para poder tener más servicios en el mismo servidor usaremos Nginx como proxy inverso con Virtual Hosts para cada aplicación.<br />
* Servicios:<br />
** Nextcloud Files (Client Push)<br />
** Cachés Redis & APCU<br />
** Nextcloud Office (opcional)<br />
** Nextcloud Talk y servidor TURN para Talk (opcional)<br />
** Nextcloud Talk servidor de grabación (opcional)<br />
** BorgBackup para backups (opcional)<br />
** Antivirus ClamAV (opcional)<br />
** Más<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
docker pull ghcr.io/nextcloud-releases/all-in-one:latest<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d \<br />
--init \<br />
--sig-proxy=false \<br />
--name nextcloud-aio-mastercontainer \<br />
--restart unless-stopped \<br />
--publish 127.0.0.1:8443:8080 \<br />
--env APACHE_PORT=8081 \<br />
--env APACHE_IP_BINDING=0.0.0.0 \<br />
--env APACHE_ADDITIONAL_NETWORK="" \<br />
--env SKIP_DOMAIN_VALIDATION=true \<br />
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \<br />
--volume //var/run/docker.sock:/var/run/docker.sock:ro \<br />
ghcr.io/nextcloud-releases/all-in-one:latest<br />
</syntaxhighlight><br />
<br />
Nota 1: no se puede cambiar las siguientes configuraciones<br />
<syntaxhighlight lang="Bash"><br />
--name nextcloud-aio-mastercontainer \<br />
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \<br />
</syntaxhighlight><br />
<br />
Nota 2: para cambiar el puerto de la consola administrativa "--publish 127.0.0.1:8081:8080".<br />
<br />
Nota 3: para cambiar el puerto de acceso a Nextcloud "--env APACHE_PORT=9081 \".<br />
<br />
Nota 4: para entornos locales de prueba hay que indicar "--env SKIP_DOMAIN_VALIDATION=true". En PRO no nos hará falta.<br />
<br />
=== Pruebas ===<br />
* Acceso a la consola administrativa: [https://localhost:8443/ https://localhost:8443/].<br />
<br />
* Acceso a la Nextcloud: [http://localhost:8081/ http://localhost:8081/]<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.<br />
<br />
=== Configurar Virtual Host para Keycloak ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
* Crear carpeta para VirtualHost:<br />
<syntaxhighlight lang="Bash">mkdir /var/www/nube.culturetas.net</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/nube.culturetas.net /etc/nginx/sites-enabled/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar certificados Let's Encrypt ===<br />
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
=== Crear carpetas para Keycloak ===<br />
<syntaxhighlight lang="Bash">mkdir -p /opt/nextcloud-aio/data</syntaxhighlight><br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Generar fichero Compose YAML ===<br />
<syntaxhighlight lang="Bash">vi /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod 640 /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose up -d</syntaxhighlight><br />
<br />
=== Parar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose down</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (con SystemD) ===<br />
* Crear fichero SystemD<br />
<syntaxhighlight lang="Bash">vi /etc/systemd/system/nextcloud-aio.service</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[Unit]<br />
Description=Nextcloud AIO(Docker Compose)<br />
After=docker.service network-online.target<br />
Requires=docker.service<br />
Wants=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
WorkingDirectory=/opt/nextcloud-aio<br />
ExecStart=/usr/bin/docker compose up --detach --remove-orphans --quiet-pull<br />
ExecStop=/usr/bin/docker compose down --remove-orphans --volumes --timeout 30<br />
TimeoutStartSec=180<br />
TimeoutStopSec=120<br />
Restart=on-failure<br />
RestartSec=7<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</syntaxhighlight><br />
<br />
* Arrancar y habilitar<br />
<syntaxhighlight lang="Bash">systemctl daemon-reload</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable nextcloud-aio</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/r/nextcloud/all-in-one/tags https://hub.docker.com/r/nextcloud/all-in-one/tags]<br />
* [https://github.com/nextcloud/all-in-one https://github.com/nextcloud/all-in-one]<br />
* [https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md]<br />
* [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Nextcloud_AIO&diff=208Nextcloud AIO2026-04-19T16:54:18Z<p>Guzman: </p>
<hr />
<div>== Instalación Nextcloud AIO en Docker ==<br />
Instalación de [https://hub.docker.com/r/nextcloud/all-in-one nextcloud/all-in-one] en Docker.<br />
Vamos a usar la imagen oficial de [https://github.com/nextcloud/all-in-one Nextcloud AIO].<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
** NextCloud AIO sólo soporta Docker (para podman hay que generar ficheros compose manualmente)<br />
* Nginx (ver [[LEMP]])<br />
** Usado como proxy inverso.<br />
<br />
== ¿Qué contiene Nextcloud AIO? ==<br />
Nextcloud All In One (AIO) es la forma más sencilla de instalar Nextcloud de forma que ya venga con todo el middleware instalado y configurado.<br />
Contiene los siguientes componentes:<br />
* Nextcloud<br />
* Base ded datos: PostgreSQL<br />
** Nextcloud soporta otras bases de datos, pero no en AIO.<br />
* Servidor web: Apache HTTP Server<br />
** Podría usarse directamente para conectar, pero para poder tener más servicios en el mismo servidor usaremos Nginx como proxy inverso con Virtual Hosts para cada aplicación.<br />
* Servicios:<br />
** Nextcloud Files (Client Push)<br />
** Cachés Redis & APCU<br />
** Nextcloud Office (opcional)<br />
** Nextcloud Talk y servidor TURN para Talk (opcional)<br />
** Nextcloud Talk servidor de grabación (opcional)<br />
** BorgBackup para backups (opcional)<br />
** Antivirus ClamAV (opcional)<br />
** Más<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
docker pull ghcr.io/nextcloud-releases/all-in-one:latest<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d \<br />
--init \<br />
--sig-proxy=false \<br />
--name nextcloud-aio-mastercontainer \<br />
--restart unless-stopped \<br />
--publish 127.0.0.1:8443:8080 \<br />
--env APACHE_PORT=8081 \<br />
--env APACHE_IP_BINDING=0.0.0.0 \<br />
--env APACHE_ADDITIONAL_NETWORK="" \<br />
--env SKIP_DOMAIN_VALIDATION=true \<br />
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \<br />
--volume //var/run/docker.sock:/var/run/docker.sock:ro \<br />
ghcr.io/nextcloud-releases/all-in-one:latest<br />
</syntaxhighlight><br />
<br />
Nota 1: no se puede cambiar las siguientes configuraciones<br />
<syntaxhighlight lang="Bash"><br />
--name nextcloud-aio-mastercontainer \<br />
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \<br />
</syntaxhighlight><br />
<br />
Nota 2: para cambiar el puerto de la consola administrativa "--publish 127.0.0.1:8081:8080".<br />
<br />
Nota 3: para cambiar el puerto de acceso a Nextcloud "--env APACHE_PORT=9081 \".<br />
<br />
Note 4: para entornos locales de prueba hay que indicar "--env SKIP_DOMAIN_VALIDATION=true". En PRO no nos hará falta.<br />
<br />
=== Pruebas ===<br />
* Acceso a la consola administrativa: [https://localhost:8443/ https://localhost:8443/].<br />
<br />
* Acceso a la Nextcloud: [http://localhost:8081/ http://localhost:8081/]<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.<br />
<br />
=== Configurar Virtual Host para Keycloak ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
* Crear carpeta para VirtualHost:<br />
<syntaxhighlight lang="Bash">mkdir /var/www/nube.culturetas.net</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/nube.culturetas.net /etc/nginx/sites-enabled/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar certificados Let's Encrypt ===<br />
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
=== Crear carpetas para Keycloak ===<br />
<syntaxhighlight lang="Bash">mkdir -p /opt/nextcloud-aio/data</syntaxhighlight><br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Generar fichero Compose YAML ===<br />
<syntaxhighlight lang="Bash">vi /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod 640 /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose up -d</syntaxhighlight><br />
<br />
=== Parar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose down</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (con SystemD) ===<br />
* Crear fichero SystemD<br />
<syntaxhighlight lang="Bash">vi /etc/systemd/system/nextcloud-aio.service</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[Unit]<br />
Description=Nextcloud AIO(Docker Compose)<br />
After=docker.service network-online.target<br />
Requires=docker.service<br />
Wants=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
WorkingDirectory=/opt/nextcloud-aio<br />
ExecStart=/usr/bin/docker compose up --detach --remove-orphans --quiet-pull<br />
ExecStop=/usr/bin/docker compose down --remove-orphans --volumes --timeout 30<br />
TimeoutStartSec=180<br />
TimeoutStopSec=120<br />
Restart=on-failure<br />
RestartSec=7<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</syntaxhighlight><br />
<br />
* Arrancar y habilitar<br />
<syntaxhighlight lang="Bash">systemctl daemon-reload</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable nextcloud-aio</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/r/nextcloud/all-in-one/tags https://hub.docker.com/r/nextcloud/all-in-one/tags]<br />
* [https://github.com/nextcloud/all-in-one https://github.com/nextcloud/all-in-one]<br />
* [https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md]<br />
* [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Nextcloud_AIO&diff=207Nextcloud AIO2026-04-19T16:36:53Z<p>Guzman: </p>
<hr />
<div>== Instalación Nextcloud AIO en Docker ==<br />
Instalación de [https://hub.docker.com/r/nextcloud/all-in-one nextcloud/all-in-one] en Docker.<br />
Vamos a usar la imagen oficial de [https://github.com/nextcloud/all-in-one Nextcloud AIO].<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
** NextCloud AIO sólo soporta Docker (para podman hay que generar ficheros compose manualmente)<br />
* Nginx (ver [[LEMP]])<br />
** Usado como proxy inverso.<br />
<br />
== ¿Qué contiene Nextcloud AIO? ==<br />
Nextcloud All In One (AIO) es la forma más sencilla de instalar Nextcloud de forma que ya venga con todo el middleware instalado y configurado.<br />
Contiene los siguientes componentes:<br />
* Nextcloud<br />
* Base ded datos: PostgreSQL<br />
** Nextcloud soporta otras bases de datos, pero no en AIO.<br />
* Servidor web: Apache HTTP Server<br />
** Podría usarse directamente para conectar, pero para poder tener más servicios en el mismo servidor usaremos Nginx como proxy inverso con Virtual Hosts para cada aplicación.<br />
* Servicios:<br />
** Nextcloud Files (Client Push)<br />
** Cachés Redis & APCU<br />
** Nextcloud Office (opcional)<br />
** Nextcloud Talk y servidor TURN para Talk (opcional)<br />
** Nextcloud Talk servidor de grabación (opcional)<br />
** BorgBackup para backups (opcional)<br />
** Antivirus ClamAV (opcional)<br />
** Más<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
docker pull ghcr.io/nextcloud-releases/all-in-one:latest<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d \<br />
--init \<br />
--sig-proxy=false \<br />
--name nextcloud-aio-mastercontainer \<br />
--restart unless-stopped \<br />
--publish 127.0.0.1:8443:8080 \<br />
--env APACHE_PORT=8081 \<br />
--env APACHE_IP_BINDING=0.0.0.0 \<br />
--env APACHE_ADDITIONAL_NETWORK="" \<br />
--env SKIP_DOMAIN_VALIDATION=false \<br />
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \<br />
--volume //var/run/docker.sock:/var/run/docker.sock:ro \<br />
ghcr.io/nextcloud-releases/all-in-one:latest<br />
</syntaxhighlight><br />
<br />
Nota 1: no se puede cambiar las siguientes configuraciones<br />
<syntaxhighlight lang="Bash"><br />
--name nextcloud-aio-mastercontainer \<br />
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \<br />
</syntaxhighlight><br />
<br />
Nota 2: para cambiar el puerto de la consola administrativa "--publish 127.0.0.1:8081:8080".<br />
<br />
Nota 3: para cambiar el puerto de acceso a Nextcloud "--env APACHE_PORT=9081 \".<br />
<br />
=== Pruebas ===<br />
* Acceso a la consola administrativa: [https://localhost:8443/ https://localhost:8443/].<br />
<br />
* Acceso a la Nextcloud: [http://localhost:8081/ http://localhost:8081/]<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.<br />
<br />
=== Configurar Virtual Host para Keycloak ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
* Crear carpeta para VirtualHost:<br />
<syntaxhighlight lang="Bash">mkdir /var/www/nube.culturetas.net</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/nube.culturetas.net /etc/nginx/sites-enabled/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar certificados Let's Encrypt ===<br />
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
=== Crear carpetas para Keycloak ===<br />
<syntaxhighlight lang="Bash">mkdir -p /opt/nextcloud-aio/data</syntaxhighlight><br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Generar fichero Compose YAML ===<br />
<syntaxhighlight lang="Bash">vi /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod 640 /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose up -d</syntaxhighlight><br />
<br />
=== Parar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose down</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (con SystemD) ===<br />
* Crear fichero SystemD<br />
<syntaxhighlight lang="Bash">vi /etc/systemd/system/nextcloud-aio.service</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[Unit]<br />
Description=Nextcloud AIO(Docker Compose)<br />
After=docker.service network-online.target<br />
Requires=docker.service<br />
Wants=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
WorkingDirectory=/opt/nextcloud-aio<br />
ExecStart=/usr/bin/docker compose up --detach --remove-orphans --quiet-pull<br />
ExecStop=/usr/bin/docker compose down --remove-orphans --volumes --timeout 30<br />
TimeoutStartSec=180<br />
TimeoutStopSec=120<br />
Restart=on-failure<br />
RestartSec=7<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</syntaxhighlight><br />
<br />
* Arrancar y habilitar<br />
<syntaxhighlight lang="Bash">systemctl daemon-reload</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable nextcloud-aio</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/r/nextcloud/all-in-one/tags https://hub.docker.com/r/nextcloud/all-in-one/tags]<br />
* [https://github.com/nextcloud/all-in-one https://github.com/nextcloud/all-in-one]<br />
* [https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md]<br />
* [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Nextcloud_AIO&diff=206Nextcloud AIO2026-04-19T16:27:25Z<p>Guzman: </p>
<hr />
<div>== Instalación Nextcloud AIO en Docker ==<br />
Instalación de [https://hub.docker.com/r/nextcloud/all-in-one nextcloud/all-in-one] en Docker.<br />
Vamos a usar la imagen oficial de [https://github.com/nextcloud/all-in-one Nextcloud AIO].<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
** NextCloud AIO sólo soporta Docker (para podman hay que generar ficheros compose manualmente)<br />
* Nginx (ver [[LEMP]])<br />
** Usado como proxy inverso.<br />
<br />
== ¿Qué contiene Nextcloud AIO? ==<br />
Nextcloud All In One (AIO) es la forma más sencilla de instalar Nextcloud de forma que ya venga con todo el middleware instalado y configurado.<br />
Contiene los siguientes componentes:<br />
* Nextcloud<br />
* Base ded datos: PostgreSQL<br />
** Nextcloud soporta otras bases de datos, pero no en AIO.<br />
* Servidor web: Apache HTTP Server<br />
** Podría usarse directamente para conectar, pero para poder tener más servicios en el mismo servidor usaremos Nginx como proxy inverso con Virtual Hosts para cada aplicación.<br />
* Servicios:<br />
** Nextcloud Files (Client Push)<br />
** Cachés Redis & APCU<br />
** Nextcloud Office (opcional)<br />
** Nextcloud Talk y servidor TURN para Talk (opcional)<br />
** Nextcloud Talk servidor de grabación (opcional)<br />
** BorgBackup para backups (opcional)<br />
** Antivirus ClamAV (opcional)<br />
** Más<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
docker pull ghcr.io/nextcloud-releases/all-in-one:latest<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d \<br />
--init \<br />
--sig-proxy=false \<br />
--name nextcloud-aio-mastercontainer \<br />
--restart unless-stopped \<br />
--publish 127.0.0.1:8080:8080 \<br />
--env APACHE_PORT=8081 \<br />
--env APACHE_IP_BINDING=0.0.0.0 \<br />
--env APACHE_ADDITIONAL_NETWORK="" \<br />
--env SKIP_DOMAIN_VALIDATION=false \<br />
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \<br />
--volume //var/run/docker.sock:/var/run/docker.sock:ro \<br />
ghcr.io/nextcloud-releases/all-in-one:latest<br />
</syntaxhighlight><br />
<br />
Nota 1: no se puede cambiar las siguientes configuraciones<br />
<syntaxhighlight lang="Bash"><br />
--name nextcloud-aio-mastercontainer \<br />
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \<br />
</syntaxhighlight><br />
<br />
Nota 2: para cambiar el puerto de la consola administrativa "--publish 127.0.0.1:9080:8080".<br />
<br />
Nota 3: para cambiar el puerto de acceso a Nextcloud "--env APACHE_PORT=9081 \".<br />
<br />
=== Pruebas ===<br />
Accedemos con un navegador web [https://localhost:9443/ https://localhost:9443/].<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.<br />
<br />
=== Configurar Virtual Host para Keycloak ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
* Crear carpeta para VirtualHost:<br />
<syntaxhighlight lang="Bash">mkdir /var/www/nube.culturetas.net</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/nube.culturetas.net /etc/nginx/sites-enabled/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar certificados Let's Encrypt ===<br />
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
=== Crear carpetas para Keycloak ===<br />
<syntaxhighlight lang="Bash">mkdir -p /opt/nextcloud-aio/data</syntaxhighlight><br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Generar fichero Compose YAML ===<br />
<syntaxhighlight lang="Bash">vi /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod 640 /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose up -d</syntaxhighlight><br />
<br />
=== Parar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose down</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (con SystemD) ===<br />
* Crear fichero SystemD<br />
<syntaxhighlight lang="Bash">vi /etc/systemd/system/nextcloud-aio.service</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[Unit]<br />
Description=Nextcloud AIO(Docker Compose)<br />
After=docker.service network-online.target<br />
Requires=docker.service<br />
Wants=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
WorkingDirectory=/opt/nextcloud-aio<br />
ExecStart=/usr/bin/docker compose up --detach --remove-orphans --quiet-pull<br />
ExecStop=/usr/bin/docker compose down --remove-orphans --volumes --timeout 30<br />
TimeoutStartSec=180<br />
TimeoutStopSec=120<br />
Restart=on-failure<br />
RestartSec=7<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</syntaxhighlight><br />
<br />
* Arrancar y habilitar<br />
<syntaxhighlight lang="Bash">systemctl daemon-reload</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable nextcloud-aio</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/r/nextcloud/all-in-one/tags https://hub.docker.com/r/nextcloud/all-in-one/tags]<br />
* [https://github.com/nextcloud/all-in-one https://github.com/nextcloud/all-in-one]<br />
* [https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md]<br />
* [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Nextcloud_AIO&diff=205Nextcloud AIO2026-04-19T16:12:15Z<p>Guzman: </p>
<hr />
<div>== Instalación Nextcloud AIO en Docker ==<br />
Instalación de [https://hub.docker.com/r/nextcloud/all-in-one nextcloud/all-in-one] en Docker.<br />
Vamos a usar la imagen oficial de [https://github.com/nextcloud/all-in-one Nextcloud AIO].<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
** NextCloud AIO sólo soporta Docker (para podman hay que generar ficheros compose manualmente)<br />
* Nginx (ver [[LEMP]])<br />
** Usado como proxy inverso.<br />
<br />
== ¿Qué contiene Nextcloud AIO? ==<br />
Nextcloud All In One (AIO) es la forma más sencilla de instalar Nextcloud de forma que ya venga con todo el middleware instalado y configurado.<br />
Contiene los siguientes componentes:<br />
* Nextcloud<br />
* Base ded datos: PostgreSQL<br />
** Nextcloud soporta otras bases de datos, pero no en AIO.<br />
* Servidor web: Apache HTTP Server<br />
** Podría usarse directamente para conectar, pero para poder tener más servicios en el mismo servidor usaremos Nginx como proxy inverso con Virtual Hosts para cada aplicación.<br />
* Servicios:<br />
** Nextcloud Files (Client Push)<br />
** Cachés Redis & APCU<br />
** Nextcloud Office (opcional)<br />
** Nextcloud Talk y servidor TURN para Talk (opcional)<br />
** Nextcloud Talk servidor de grabación (opcional)<br />
** BorgBackup para backups (opcional)<br />
** Antivirus ClamAV (opcional)<br />
** Más<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
docker pull ghcr.io/nextcloud-releases/all-in-one:latest<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
<br />
</syntaxhighlight><br />
<br />
=== Pruebas ===<br />
Accedemos con un navegador web [https://localhost:9443/ https://localhost:9443/].<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.<br />
<br />
=== Configurar Virtual Host para Keycloak ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
* Crear carpeta para VirtualHost:<br />
<syntaxhighlight lang="Bash">mkdir /var/www/nube.culturetas.net</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/nube.culturetas.net /etc/nginx/sites-enabled/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar certificados Let's Encrypt ===<br />
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
=== Crear carpetas para Keycloak ===<br />
<syntaxhighlight lang="Bash">mkdir -p /opt/nextcloud-aio/data</syntaxhighlight><br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Generar fichero Compose YAML ===<br />
<syntaxhighlight lang="Bash">vi /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod 640 /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose up -d</syntaxhighlight><br />
<br />
=== Parar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose down</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (con SystemD) ===<br />
* Crear fichero SystemD<br />
<syntaxhighlight lang="Bash">vi /etc/systemd/system/nextcloud-aio.service</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[Unit]<br />
Description=Nextcloud AIO(Docker Compose)<br />
After=docker.service network-online.target<br />
Requires=docker.service<br />
Wants=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
WorkingDirectory=/opt/nextcloud-aio<br />
ExecStart=/usr/bin/docker compose up --detach --remove-orphans --quiet-pull<br />
ExecStop=/usr/bin/docker compose down --remove-orphans --volumes --timeout 30<br />
TimeoutStartSec=180<br />
TimeoutStopSec=120<br />
Restart=on-failure<br />
RestartSec=7<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</syntaxhighlight><br />
<br />
* Arrancar y habilitar<br />
<syntaxhighlight lang="Bash">systemctl daemon-reload</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable nextcloud-aio</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/r/nextcloud/all-in-one/tags https://hub.docker.com/r/nextcloud/all-in-one/tags]<br />
* [https://github.com/nextcloud/all-in-one https://github.com/nextcloud/all-in-one]<br />
* [https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md]<br />
* [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Nextcloud_AIO&diff=204Nextcloud AIO2026-04-19T16:06:37Z<p>Guzman: Página creada con «== Instalación Nextcloud AIO en Docker == Instalación de [https://hub.docker.com/r/nextcloud/all-in-one nextcloud/all-in-one] en Docker. Vamos a usar la imagen oficial de [https://github.com/nextcloud/all-in-one Nextcloud AIO]. == Requisitos == Para poder realizar esta configuración se necesita: * Servidor GNU Linux (ver Securizar Ubuntu Server) ** Cortafuegos FirewallD (UFW tiene problemas con Docker) * Docker Engine (ver Docker Engine) ** Módulo: Docker…»</p>
<hr />
<div>== Instalación Nextcloud AIO en Docker ==<br />
Instalación de [https://hub.docker.com/r/nextcloud/all-in-one nextcloud/all-in-one] en Docker.<br />
Vamos a usar la imagen oficial de [https://github.com/nextcloud/all-in-one Nextcloud AIO].<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
** NextCloud AIO sólo soporta Docker (para podman hay que generar ficheros compose manualmente)<br />
* Nginx (ver [[LEMP]])<br />
** Usado como proxy inverso.<br />
<br />
== ¿Qué contiene Nextcloud AIO? ==<br />
Nextcloud All In One (AIO) es la forma más sencilla de instalar Nextcloud de forma que ya venga con todo el middleware instalado y configurado.<br />
Contiene los siguientes componentes:<br />
* Nextcloud<br />
* Base ded datos: PostgreSQL<br />
** Nextcloud soporta otras bases de datos, pero no en AIO.<br />
* Servidor web: Apache HTTP Server<br />
** Podría usarse directamente para conectar, pero para poder tener más servicios en el mismo servidor usaremos Nginx como proxy inverso con Virtual Hosts para cada aplicación.<br />
* Servicios:<br />
** Nextcloud Files (Client Push)<br />
** Cachés Redis & APCU<br />
** Nextcloud Office (opcional)<br />
** Nextcloud Talk y servidor TURN para Talk (opcional)<br />
** Nextcloud Talk servidor de grabación (opcional)<br />
** BorgBackup para backups (opcional)<br />
** Antivirus ClamAV (opcional)<br />
** Más<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
<br />
</syntaxhighlight><br />
<br />
=== Pruebas ===<br />
Accedemos con un navegador web [https://localhost:9443/ https://localhost:9443/].<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.<br />
<br />
=== Configurar Virtual Host para Keycloak ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
* Crear carpeta para VirtualHost:<br />
<syntaxhighlight lang="Bash">mkdir /var/www/nube.culturetas.net</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/nube.culturetas.net /etc/nginx/sites-enabled/nube.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar certificados Let's Encrypt ===<br />
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<br />
=== Crear carpetas para Keycloak ===<br />
<syntaxhighlight lang="Bash">mkdir -p /opt/nextcloud-aio/data</syntaxhighlight><br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (20260409_094910). Contiene Nexcloud 33.<br />
<syntaxhighlight lang="Bash"><br />
<br />
</syntaxhighlight><br />
<br />
Nota: vamos a usar latest sin fijar versión exacta para tener actualizaciones automáticas. En caso de no querer esto fijar versión de repositorio [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged estable].<br />
<br />
=== Generar fichero Compose YAML ===<br />
<syntaxhighlight lang="Bash">vi /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod 640 /opt/nextcloud-aio/compose.yaml</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose up -d</syntaxhighlight><br />
<br />
=== Parar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose down</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (con SystemD) ===<br />
* Crear fichero SystemD<br />
<syntaxhighlight lang="Bash">vi /etc/systemd/system/nextcloud-aio.service</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[Unit]<br />
Description=Nextcloud AIO(Docker Compose)<br />
After=docker.service network-online.target<br />
Requires=docker.service<br />
Wants=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
WorkingDirectory=/opt/nextcloud-aio<br />
ExecStart=/usr/bin/docker compose up --detach --remove-orphans --quiet-pull<br />
ExecStop=/usr/bin/docker compose down --remove-orphans --volumes --timeout 30<br />
TimeoutStartSec=180<br />
TimeoutStopSec=120<br />
Restart=on-failure<br />
RestartSec=7<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</syntaxhighlight><br />
<br />
* Arrancar y habilitar<br />
<syntaxhighlight lang="Bash">systemctl daemon-reload</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start nextcloud-aio</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable nextcloud-aio</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/r/nextcloud/all-in-one/tags https://hub.docker.com/r/nextcloud/all-in-one/tags]<br />
* [https://github.com/nextcloud/all-in-one https://github.com/nextcloud/all-in-one]<br />
* [https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md]<br />
* [https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged https://github.com/nextcloud-releases/all-in-one/pkgs/container/all-in-one/versions?filters%5Bversion_type%5D=tagged]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Keycloak&diff=203Keycloak2026-04-18T22:46:26Z<p>Guzman: </p>
<hr />
<div>== Instalación Keycloak en Docker ==<br />
Instalación de [https://hub.docker.com/hardened-images/catalog/dhi/keycloak dhi.io/keycloak] en Docker.<br />
Vamos a usar una imagen "Docker Hardened Image" (imágenes seguras, mínimas y listas para producción).<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
* MariaDB (ver [[MariaDB]])<br />
** Usaremos MariaDB para almacenar los datos. [https://www.keycloak.org/server/db Más información].<br />
* Nginx (ver [[LEMP]])<br />
* Cuenta en Docker Hub<br />
** Necesario para acceder a Docker Hardened Image.<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Login en catálogo DHI ===<br />
<syntaxhighlight lang="Bash">docker login dhi.io</syntaxhighlight><br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (26.5.6). <br />
<syntaxhighlight lang="Bash">docker pull dhi.io/keycloak:26.5</syntaxhighlight><br />
<br />
=== Certificados SSL ===<br />
Para poder arrancar la Keycloak hace falta tener certificados SSL/TLS.<br />
Nombres:<br />
* tls.crt: Certificado Fullchain (X.509 PEM)<br />
* tls.key: Clave RSA (PKCS#8)<br />
'''Nota''': en DEV usaremos auto-firmados y en PRO de Let's Encrypt.<br />
<br />
=== Crear volumen para certificados SSL ===<br />
* Crear volumen "keycloak-certs"<br />
<syntaxhighlight lang="Bash">docker volume create keycloak-certs</syntaxhighlight><br />
<br />
* Copiar certificados en el "keycloak-cert":<br />
<syntaxhighlight lang="Bash"><br />
cd /c/Users/guzman/Desktop/temp<br />
docker create --name temp-copia -v keycloak-certs:/data alpine<br />
docker cp entrardev.culturetas.net-fullchain.crt temp-copia:/data/tls.crt<br />
docker cp entrardev.culturetas.net.key temp-copia:/data/tls.key<br />
docker cp culturetas-root-ca.crt temp-copia:/data/ca.crt<br />
docker rm temp-copia<br />
</syntaxhighlight><br />
<br />
=== Crear base de datos para MariaDB ===<br />
Ver [[MariaDB]] para montar la BD necesaria.<br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run -d --name keycloak \<br />
--hostname entrardev.culturetas.net \<br />
--env KC_BOOTSTRAP_ADMIN_USERNAME=admin \<br />
--env KC_BOOTSTRAP_ADMIN_PASSWORD=admin \<br />
--env KC_HTTP_PORT=9080 \<br />
--env KC_HTTPS_PORT=9443 \<br />
--env KC_HTTPS_CERTIFICATE_FILE=//etc/x509/https/tls.crt \<br />
--env KC_HTTPS_CERTIFICATE_KEY_FILE=//etc/x509/https/tls.key \<br />
--env KC_HOSTNAME=https://localhost:9443/ \<br />
--env KC_DB=mariadb \<br />
--env KC_DB_URL=jdbc:mariadb://172.17.0.2:3306/keycloakdb \<br />
--env KC_DB_USERNAME=keycloak \<br />
--env KC_DB_PASSWORD=keycloak \<br />
-p 127.0.0.1:9443:9443 \<br />
-v keycloak-certs:/etc/x509/https:ro \<br />
dhi.io/keycloak:26.5 start<br />
</syntaxhighlight><br />
<br />
Nota: si se desea usar una DB H2 hay que crear un volumen para guardar persistentemente dicha DB. NO RECOMENDADO PARA PRO.<br />
<syntaxhighlight lang="Bash"><br />
-v keycloak-data:/opt/keycloak/data/ \<br />
</syntaxhighlight><br />
<br />
=== Pruebas ===<br />
Accedemos con un navegador web [https://localhost:9443/ https://localhost:9443/].<br />
[[Archivo:Keycloak-DEV-Accesos.png|border|900px|none]]<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.<br />
<br />
=== Configurar Virtual Host para Keycloak ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/entrar.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
###########################<br />
# KEYCLOAK REVERSER PROXY #<br />
###########################<br />
server {<br />
listen 80;<br />
listen [::]:80;<br />
server_name entrar.culturetas.net;<br />
# Redirect HTTP to HTTPS<br />
return 301 https://$host$request_uri;<br />
}<br />
<br />
server {<br />
# SSL configuration<br />
#<br />
listen 443 ssl http2;<br />
listen [::]:443 ssl http2;<br />
ssl_certificate /etc/ssl/certs/selfsigned.crt;<br />
ssl_certificate_key /etc/ssl/private/selfsigned.key;<br />
<br />
# Root directory<br />
root /var/www/entrar.culturetas.net;<br />
<br />
# Add index.php to the list if you are using PHP<br />
index index.php index.html index.htm;<br />
<br />
server_name entrar.culturetas.net;<br />
<br />
access_log /var/log/nginx/entrar.culturetas.net-access.log;<br />
error_log /var/log/nginx/entrar.culturetas.net-error.log;<br />
<br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: reinclude if in a location a header is set<br />
include snippets/hsts.conf;<br />
<br />
# Allow favicon.ico, robots.txt, .well-known/<br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
#include snippets/allowed.conf;<br />
#include snippets/denied.conf;<br />
<br />
location / {<br />
# First attempt to serve request as file, then<br />
# as directory, then fall back to displaying a 404.<br />
#try_files $uri $uri/ =404;<br />
proxy_pass https://127.0.0.1:9443;<br />
}<br />
<br />
location = /robots.txt {<br />
allow all;<br />
}<br />
<br />
location ~* ^/.well-known/ {<br />
allow all;<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
* Crear carpeta para VirtualHost:<br />
<syntaxhighlight lang="Bash">mkdir /var/www/entrar.culturetas.net</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/entrar.culturetas.net /etc/nginx/sites-enabled/entrar.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar certificados Let's Encrypt ===<br />
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
Saving debug log to /var/log/letsencrypt/letsencrypt.log<br />
<br />
Which names would you like to activate HTTPS for?<br />
We recommend selecting either all domains, or all domains in a VirtualHost/server block.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
1: entrar.culturetas.net<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Select the appropriate numbers separated by commas and/or spaces, or leave input<br />
blank to select all options shown (Enter 'c' to cancel): 1<br />
Requesting a certificate for entrar.culturetas.net<br />
<br />
Successfully received certificate.<br />
Certificate is saved at: /etc/letsencrypt/live/entrar.culturetas.net/fullchain.pem<br />
Key is saved at: /etc/letsencrypt/live/entrar.culturetas.net/privkey.pem<br />
This certificate expires on 2026-07-17.<br />
These files will be updated when the certificate renews.<br />
Certbot has set up a scheduled task to automatically renew this certificate in the background.<br />
<br />
Deploying certificate<br />
Successfully deployed certificate for entrar.culturetas.net to /etc/nginx/sites-enabled/entrar.culturetas.net<br />
Congratulations! You have successfully enabled HTTPS on https://entrar.culturetas.net<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
If you like Certbot, please consider supporting our work by:<br />
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate<br />
* Donating to EFF: https://eff.org/donate-le<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
</syntaxhighlight><br />
<br />
=== Crear BD para keycloak (MariaDB) ===<br />
<br />
==== Conectar a la base de datos ====<br />
Conectamos como root:<br />
<syntaxhighlight lang="Bash"><br />
mariadb<br />
</syntaxhighlight><br />
<br />
==== Crear base de datos ====<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE DATABASE keycloakdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;<br />
</syntaxhighlight><br />
<br />
==== Crear usuario ====<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE USER keycloak IDENTIFIED BY 'keycloak';<br />
</syntaxhighlight><br />
<br />
==== Dar permisos a usuario en BD ====<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
GRANT ALL PRIVILEGES ON keycloakdb.* TO 'keycloak';<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
==== Comprobar permisos ====<br />
<syntaxhighlight lang="Bash"><br />
SHOW GRANTS FOR 'keycloak';<br />
</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
+---------------------------------------------------------------------------------------------------------+<br />
| Grants for keycloak@% |<br />
+---------------------------------------------------------------------------------------------------------+<br />
| GRANT USAGE ON *.* TO `keycloak`@`%` IDENTIFIED BY PASSWORD '*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' |<br />
| GRANT ALL PRIVILEGES ON `keycloakdb`.* TO `keycloak`@`%` |<br />
+---------------------------------------------------------------------------------------------------------+<br />
</syntaxhighlight><br />
<br />
==== Habilitar conexiones remotas ====<br />
El necesario que la BD tenga configurada conexiones remotas (no sólo desde localhost).<br />
Ver documento [[LEMP|Configuración MariaDB]].<br />
<br />
Nota: se recomienda NO exponer la base de datos a Internet. Es decir, sí habilitar las conexiones remotas, pero no abrir el puerto en los firewalls.<br />
<br />
=== Crear carpetas para Keycloak ===<br />
<syntaxhighlight lang="Bash">mkdir -p /opt/keycloak/data</syntaxhighlight><br />
<br />
=== Certificados SSL para el contenedor (auto-firmados) ===<br />
Vamos a usar los unos certificados SSL auto-firmados para usar dentro del contenedor.<br />
Aunque estos sean auto-firmados los finales son los que muestra Nginx (Let's Encrypt).<br />
<br />
<syntaxhighlight lang="Bash"><br />
mkdir -p /opt/keycloak/data/ssl<br />
mv /tmp/entrar.culturetas.net* /opt/keycloak/data/ssl/<br />
chown root:root /opt/keycloak/data/ssl/entrar.culturetas.net*<br />
chmod 644 /opt/keycloak/data/ssl/entrar.culturetas.net*<br />
</syntaxhighlight><br />
<br />
Nota: aunque la key no se recomienda 644 (sino 600). Keycloak no es capaz de leerlo con otros permisos.<br />
<br />
=== Login en catálogo DHI ===<br />
* Acceso a Docker Hub: https://app.docker.com/accounts/<user>/settings/personal-access-tokens<br />
<br />
* Generar nuevo token<br />
[[Archivo:Culturetas-access-token.png|border|900px|none]]<br />
<br />
* Guardar token en lugar seguro<br />
<br />
* Acceder a Docker<br />
<syntaxhighlight lang="Bash">docker login -u <user> dhi.io</syntaxhighlight><br />
Nota: las imágenes Hardened son libres pero bajo registro.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (26.5.6). <br />
<syntaxhighlight lang="Bash">docker pull dhi.io/keycloak:26.5</syntaxhighlight><br />
<br />
=== Generar fichero Compose YAML ===<br />
<syntaxhighlight lang="Bash">vi /opt/keycloak/compose.yaml</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
name: keycloak<br />
services:<br />
keycloak:<br />
container_name: keycloak<br />
hostname: entrar.culturetas.net<br />
restart: unless-stopped<br />
environment:<br />
- KC_BOOTSTRAP_ADMIN_USERNAME=admin<br />
- KC_BOOTSTRAP_ADMIN_PASSWORD=admin<br />
- KC_HTTP_PORT=9080<br />
- KC_HTTPS_PORT=9443<br />
- KC_HTTPS_CERTIFICATE_FILE=/etc/x509/https/tls.crt<br />
- KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/x509/https/tls.key<br />
- KC_HOSTNAME=https://entrar.culturetas.net/<br />
- KC_DB=mariadb<br />
- KC_DB_URL=jdbc:mariadb://135.125.179.32:3306/keycloakdb<br />
- KC_DB_USERNAME=keycloak<br />
- KC_DB_PASSWORD=keycloak<br />
ports:<br />
- 127.0.0.1:9443:9443<br />
volumes:<br />
- /opt/keycloak/data/ssl/entrar.culturetas.net-fullchain.crt:/etc/x509/https/tls.crt:ro<br />
- /opt/keycloak/data/ssl/entrar.culturetas.net.key:/etc/x509/https/tls.key:ro<br />
image: dhi.io/keycloak:26.5<br />
command: start<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod 640 /opt/keycloak/compose.yaml</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/keycloak</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose up -d</syntaxhighlight><br />
<br />
=== Parar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/keycloak</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose down</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (con SystemD) ===<br />
* Crear fichero SystemD<br />
<syntaxhighlight lang="Bash">vi /etc/systemd/system/keycloak.service</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[Unit]<br />
Description=KeyCloak (Docker Compose)<br />
After=docker.service mariadb.service network-online.target<br />
Requires=docker.service mariadb.service<br />
Wants=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
WorkingDirectory=/opt/keycloak<br />
ExecStart=/usr/bin/docker compose up --detach --remove-orphans --quiet-pull<br />
ExecStop=/usr/bin/docker compose down --remove-orphans --volumes --timeout 30<br />
TimeoutStartSec=180<br />
TimeoutStopSec=120<br />
Restart=on-failure<br />
RestartSec=7<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</syntaxhighlight><br />
<br />
* Arrancar y habilitar<br />
<syntaxhighlight lang="Bash">systemctl daemon-reload</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start keycloak</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable keycloak</syntaxhighlight><br />
<br />
== Configuración KeyCloak ==<br />
=== Editar Realm (master) ===<br />
* Acceder a KeyCloak con usuario admin.<br />
* Pulsar en "Realm settings".<br />
* Pulsar en "General".<br />
** Display name: culturetas.net<br />
* Pulsar en "Email".<br />
** From: hola@culturetas.net<br />
** From display name: Hola Cultureta<br />
** Host: smtp.culturetas.net<br />
** Port: 587<br />
** Enable StartTLS: Sí<br />
** Authentication: Sí<br />
** Username: hola@culturetas.net<br />
** Password<br />
<br />
=== Crear usuario ===<br />
* Comprobar que estás en el realm "master".<br />
* Pulsar en "Users" -> "Create new user".<br />
** Username<br />
** Email<br />
** First name<br />
** Last name<br />
* Pulser en "Credentials" -> "Set password".<br />
** Password<br />
** Password confirmation<br />
** Temporary: Off<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/hardened-images/catalog/dhi/keycloak https://hub.docker.com/hardened-images/catalog/dhi/keycloak]<br />
* [https://www.keycloak.org/guides https://www.keycloak.org/guides]<br />
* [https://www.keycloak.org/getting-started/getting-started-docker https://www.keycloak.org/getting-started/getting-started-docker]<br />
* [https://www.keycloak.org/server/db https://www.keycloak.org/server/db]<br />
* [https://www.keycloak.org/server/configuration-production https://www.keycloak.org/server/configuration-production]<br />
* [https://www.keycloak.org/server/hostname https://www.keycloak.org/server/hostname]<br />
* [https://www.keycloak.org/server/reverseproxy https://www.keycloak.org/server/reverseproxy]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=OpenLDAP&diff=201OpenLDAP2026-04-18T21:40:09Z<p>Guzman: </p>
<hr />
<div>== Instalación OpenLDAP en Docker ==<br />
Instalación de [https://hub.docker.com/r/vegardit/openldap vegardit/openldap] en Docker.<br />
Se va a usar los siguientes protocolos:<br />
* LDAP (puerto 389/tcp): sólo en localhost<br />
* LDAPS (puerto 636/tcp): publicado con Nginx como reserve proxy (en PRO)<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
* Nginx (ver [[LEMP]])<br />
** Módulo: Nginx Stream (incluido en Ubuntu)<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (2.6.10).<br />
<syntaxhighlight lang="Bash">docker pull vegardit/openldap:2.6.10</syntaxhighlight><br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
Vamos a usar la imagen sólo con LDAP (389/tcp) solo para localhost.<br />
IMPORTANTE: para añadir SSL/TLS usaremos Nginx.<br />
<syntaxhighlight lang="Bash"><br />
docker run -d --name openldap \<br />
--hostname ldapdev.culturetas.net \<br />
--env LDAP_INIT_ORG_DN="dc=culturetas,dc=net" \<br />
--env LDAP_INIT_ORG_NAME="Culturetas SPQR" \<br />
--env LDAP_INIT_ROOT_USER_DN='uid=admin,dc=culturetas,dc=net' \<br />
--env LDAP_INIT_ROOT_USER_PW="CONTRASEÑA" \<br />
--env LDAP_INIT_PPOLICY_PW_MIN_LENGTH='12' \<br />
--env LDAP_INIT_ADMIN_GROUP_DN='cn=ldap-admins,ou=Groups,dc=culturetas,dc=net' \<br />
--env LDAP_INIT_PASSWORD_RESET_GROUP_DN='cn=ldap-password-reset,ou=Groups,dc=culturetas,dc=net' \<br />
--env LDAP_INIT_RFC2307BIS_SCHEMA=0 \<br />
--env LDAP_INIT_ALLOW_CONFIG_ACCESS='true' \<br />
--env LDAP_TLS_ENABLED=false \<br />
--env LDAP_LDAPS_ENABLED=false \<br />
-p 127.0.0.1:389:389 \<br />
-v ldap-data:/var/lib/ldap -v ldap-config:/etc/ldap/slapd.d \<br />
vegardit/openldap:2.6.10<br />
</syntaxhighlight><br />
'''Nota''': OpenSSL soporta SSL/TLS, pero con vegardit/openldap no funciona correctamente y tras un handshake correcot, no completa siempre la autenticación (usaremos un reverse proxy como alternativa y es más seguro).<br />
<br />
=== Pruebas ===<br />
Vamos a probar a conectar usando [https://directory.apache.org/studio/downloads.html Apache Directory Studio].<br />
* Hostname: 127.0.0.1<br />
* Port: 389<br />
* Encryption: LDAP<br />
* Bind DN: uid=admin,dc=culturetas,dc=net<br />
* Bind password: CONTRASEÑA<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.<br />
<br />
=== Instalar módulo Stream de Nginx ===<br />
Nginx con módulo Stream permite balancear a puertos TCP o UDP (que no sean HTTP).<br />
No viene con el paquete estándar de Nginx, se instala aparte:<br />
<syntaxhighlight lang="Bash">apt install libnginx-mod-stream</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl restart nginx</syntaxhighlight><br />
<br />
=== Configuración módulo Stream ===<br />
* Backup nginx.conf<br />
<syntaxhighlight lang="Bash">cp -a /etc/nginx/nginx.conf /etc/nginx/nginx.conf.20260322</syntaxhighlight><br />
<br />
* Crear carpeta para Stream<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/stream-available</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/stream-enabled</syntaxhighlight><br />
<br />
* Añadir configuración para Stream<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/nginx.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
stream {<br />
# Log format<br />
log_format stream_format '$remote_addr [$time_local] '<br />
'$protocol $status $bytes_sent $bytes_received '<br />
'$session_time "$upstream_addr"';<br />
include /etc/nginx/stream-enabled/*;<br />
}<br />
[...]<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl restart nginx</syntaxhighlight><br />
<br />
=== Configurar Virtual Host para LDAP (para HTTP) ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/ldap.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
##<br />
# You should look at the following URL's in order to grasp a solid understanding<br />
# of Nginx configuration files in order to fully unleash the power of Nginx.<br />
# http://wiki.nginx.org/Pitfalls<br />
# http://wiki.nginx.org/QuickStart<br />
# http://wiki.nginx.org/Configuration<br />
#<br />
# Generally, you will want to move this file somewhere, and start with a clean<br />
# file but keep this around for reference. Or just disable in sites-enabled.<br />
#<br />
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.<br />
##<br />
<br />
# Default server configuration<br />
#<br />
server {<br />
# Redirect HTTP to HTTPS<br />
listen 80;<br />
listen [::]:80;<br />
server_name ldap.culturetas.net;<br />
# Redirect HTTP to HTTPS<br />
return 301 https://$host$request_uri;<br />
}<br />
<br />
server {<br />
# SSL configuration<br />
#<br />
listen 443 ssl http2;<br />
listen [::]:443 ssl http2;<br />
ssl_certificate /etc/letsencrypt/live/culturetas.net/fullchain.pem;<br />
ssl_certificate_key /etc/letsencrypt/live/culturetas.net/privkey.pem;<br />
#<br />
# Note: You should disable gzip for SSL traffic.<br />
# See: https://bugs.debian.org/773332<br />
#<br />
# Read up on ssl_ciphers to ensure a secure configuration.<br />
# See: https://bugs.debian.org/765782<br />
#<br />
# Self signed certs generated by the ssl-cert package<br />
# Don't use them in a production server!<br />
#<br />
# include snippets/snakeoil.conf;<br />
<br />
root /var/www/ldap.culturetas.net;<br />
<br />
# Add index.php to the list if you are using PHP<br />
index index.php index.html index.htm;<br />
<br />
server_name ldap.culturetas.net;<br />
<br />
access_log /var/log/nginx/ldap.culturetas.net-access.log;<br />
error_log /var/log/nginx/ldap.culturetas.net-error.log;<br />
<br />
# # Auth Basic (for developing)<br />
# auth_basic "Pagina Restringida";<br />
# auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net;<br />
<br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: reinclude if in a location a header is set<br />
include snippets/hsts.conf;<br />
<br />
# Allow favicon.ico, robots.txt, .well-known/<br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
include snippets/allowed.conf;<br />
include snippets/denied.conf;<br />
<br />
# Redirect all to Keycloak<br />
return 301 https://entrar.culturetas.net;<br />
}<br />
</syntaxhighlight><br />
<br />
* Crear carpeta para VirtualHost:<br />
<syntaxhighlight lang="Bash">mkdir /var/www/ldap.culturetas.net</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/ldap.culturetas.net /etc/nginx/sites-enabled/ldap.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar certificados Let's Encrypt ===<br />
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
Saving debug log to /var/log/letsencrypt/letsencrypt.log<br />
<br />
Which names would you like to activate HTTPS for?<br />
We recommend selecting either all domains, or all domains in a VirtualHost/server block.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
1: ldap.culturetas.net<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Select the appropriate numbers separated by commas and/or spaces, or leave input<br />
blank to select all options shown (Enter 'c' to cancel): 1<br />
Requesting a certificate for ldap.culturetas.net<br />
<br />
Successfully received certificate.<br />
Certificate is saved at: /etc/letsencrypt/live/ldap.culturetas.net/fullchain.pem<br />
Key is saved at: /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem<br />
This certificate expires on 2026-06-19.<br />
These files will be updated when the certificate renews.<br />
Certbot has set up a scheduled task to automatically renew this certificate in the background.<br />
<br />
Deploying certificate<br />
Successfully deployed certificate for ldap.culturetas.net to /etc/nginx/sites-enabled/ldap.culturetas.net<br />
Congratulations! You have successfully enabled HTTPS on https://ldap.culturetas.net<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
If you like Certbot, please consider supporting our work by:<br />
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate<br />
* Donating to EFF: https://eff.org/donate-le<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
</syntaxhighlight><br />
<br />
=== Configurar Virtual Host para LDAP (para Stream) ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/stream-available/ldap.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
########################<br />
# STREAM REVERSE PROXY #<br />
########################<br />
<br />
# Nginx Stream allow load balancer to TCP or UDP ports (no HTTP).<br />
upstream ldap_backend {<br />
server 127.0.0.1:389 max_fails=3 fail_timeout=30s;<br />
# Opcional: High Availability<br />
# server 192.168.10.45:389 backup;<br />
}<br />
<br />
server {<br />
# LDAPS port (636/tcp)<br />
listen 636 ssl;<br />
<br />
# SSL/TLS Certificates<br />
ssl_certificate /etc/letsencrypt/live/ldap.culturetas.net/fullchain.pem;<br />
ssl_certificate_key /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem;<br />
<br />
# TLS Settings<br />
ssl_protocols TLSv1.2 TLSv1.3;<br />
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;<br />
ssl_prefer_server_ciphers on;<br />
ssl_session_cache shared:SSL:10m;<br />
ssl_session_timeout 10m;<br />
ssl_session_tickets off;<br />
<br />
# Forwarding to plain LDAP (LDAPS -> LDAP)<br />
proxy_pass ldap_backend;<br />
<br />
# LDAP timeouts<br />
proxy_connect_timeout 5s;<br />
proxy_timeout 3m;<br />
<br />
# Logging (stream format)<br />
access_log /var/log/nginx/ldaps.culturetas.net-access.log stream_format;<br />
error_log /var/log/nginx/ldaps.culturetas.net-error.log warn;<br />
}<br />
</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/stream-available/ldap.culturetas.net /etc/nginx/stream-enabled/ldap.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Habilitar LDAPS en FirewallD ===<br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-port=636/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --reload</syntaxhighlight><br />
<br />
=== Crear carpetas para OpenLDAP ===<br />
<syntaxhighlight lang="Bash">mkdir -p /opt/openldap/data</syntaxhighlight><br />
<br />
=== Generar fichero Compose YAML ===<br />
<syntaxhighlight lang="Bash">vi /opt/openldap/compose.yaml</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
name: openldap<br />
services:<br />
openldap:<br />
container_name: openldap<br />
hostname: ldap.culturetas.net<br />
restart: unless-stopped<br />
environment:<br />
- LDAP_INIT_ORG_DN=dc=culturetas,dc=net<br />
- LDAP_INIT_ORG_NAME=Culturetas SPQR<br />
- LDAP_INIT_ROOT_USER_DN=uid=admin,dc=culturetas,dc=net<br />
- LDAP_INIT_ROOT_USER_PW=CONTRASEÑA<br />
- LDAP_INIT_PPOLICY_PW_MIN_LENGTH=12<br />
- LDAP_INIT_ADMIN_GROUP_DN=cn=ldap-admins,ou=Groups,dc=culturetas,dc=net<br />
- LDAP_INIT_PASSWORD_RESET_GROUP_DN=cn=ldap-password-reset,ou=Groups,dc=culturetas,dc=net<br />
- LDAP_INIT_RFC2307BIS_SCHEMA=0<br />
- LDAP_INIT_ALLOW_CONFIG_ACCESS=true<br />
- LDAP_TLS_ENABLED=false<br />
- LDAP_LDAPS_ENABLED=false<br />
ports:<br />
- 127.0.0.1:389:389<br />
volumes:<br />
- /opt/openldap/data/var:/var/lib/ldap<br />
- /opt/openldap/data/etc:/etc/ldap/slapd.d<br />
image: vegardit/openldap:2.6.10<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod 640 /opt/openldap/compose.yaml</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/openldap</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose up -d</syntaxhighlight><br />
<br />
=== Parar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/openldap</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose down</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (con SystemD) ===<br />
* Crear fichero SystemD<br />
<syntaxhighlight lang="Bash">vi /etc/systemd/system/openldap.service</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
[Unit]<br />
Description=OpenLDAP (Docker Compose)<br />
After=docker.service network-online.target<br />
Requires=docker.service<br />
Wants=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
WorkingDirectory=/opt/openldap<br />
ExecStart=/usr/bin/docker compose up --detach --remove-orphans --quiet-pull<br />
ExecStop=/usr/bin/docker compose down --remove-orphans --volumes --timeout 30<br />
TimeoutStartSec=180<br />
TimeoutStopSec=120<br />
Restart=on-failure<br />
RestartSec=7<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</syntaxhighlight><br />
<br />
* Arrancar y habilitar<br />
<syntaxhighlight lang="Bash">systemctl daemon-reload</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start openldap</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enabled openldap</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/r/vegardit/openldap https://hub.docker.com/r/vegardit/openldap]<br />
* [https://github.com/vegardit/docker-openldap https://github.com/vegardit/docker-openldap]<br />
* [https://directory.apache.org/studio/downloads.html https://directory.apache.org/studio/downloads.html]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=LEMP&diff=192LEMP2026-04-18T20:13:46Z<p>Guzman: </p>
<hr />
<div>== Instalación servidor LEMP ==<br />
Instalaremos:<br />
* GNU Linux (Ubuntu Server 24.04)<br />
* eNginx 1.24.0 (APT Ubuntu)<br />
* MariaDB 10.8 (Repo oficiales de MariaDB)<br />
* PHP 8.5 (PPA ondrej/php)<br />
<br />
== Permisos de root ==<br />
Todos los comandos en esta guía se realizarán como root.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<br />
== Instalación Nginx (Stable) ==<br />
* Actualizar repositorio<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalar Nginx<br />
<syntaxhighlight lang="Bash">apt install nginx</syntaxhighlight><br />
<br />
* Instalación Apache Utils<br />
<syntaxhighlight lang="Bash">apt install apache2-utils</syntaxhighlight><br />
<br />
== Instalación MariaDB ==<br />
* Instalar requisitos<br />
<syntaxhighlight lang="Bash">apt install apt-transport-https curl</syntaxhighlight><br />
<br />
* Añadir repositorios MariaDB (oficiales)<br />
<syntaxhighlight lang="Bash">mkdir -p /etc/apt/keyrings</syntaxhighlight><br />
<syntaxhighlight lang="Bash">curl -o /etc/apt/keyrings/mariadb-keyring.pgp 'https://mariadb.org/mariadb_release_signing_key.pgp'</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/apt/sources.list.d/mariadb.sources</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# MariaDB 11.8 repository list - created 2026-02-23 08:31 UTC<br />
# https://mariadb.org/download/<br />
X-Repolib-Name: MariaDB<br />
Types: deb<br />
# deb.mariadb.org is a dynamic mirror if your preferred mirror goes offline. See https://mariadb.org/mirrorbits/ for details.<br />
# URIs: https://deb.mariadb.org/11.8/ubuntu<br />
URIs: https://mirror.raiolanetworks.com/mariadb/repo/11.8/ubuntu<br />
Suites: noble<br />
Components: main main/debug<br />
Signed-By: /etc/apt/keyrings/mariadb-keyring.pgp<br />
</syntaxhighlight><br />
<br />
* Actualizar repositorio<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalación de servidor y cliente<br />
<syntaxhighlight lang="Bash">apt install mariadb-client mariadb-server mariadb-plugin-provider-bzip2 mariadb-plugin-provider-lz4 mariadb-plugin-provider-lzma mariadb-plugin-provider-lzo mariadb-plugin-provider-snappy</syntaxhighlight><br />
<br />
* Inicializar base de datos<br />
<syntaxhighlight lang="Bash">mysql_secure_installation</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB<br />
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!<br />
<br />
In order to log into MariaDB to secure it, we'll need the current<br />
password for the root user. If you've just installed MariaDB, and<br />
haven't set the root password yet, you should just press enter here.<br />
<br />
Enter current password for root (enter for none):<br />
OK, successfully used password, moving on...<br />
<br />
Setting the root password or using the unix_socket ensures that nobody<br />
can log into the MariaDB root user without the proper authorisation.<br />
<br />
You already have your root account protected, so you can safely answer 'n'.<br />
<br />
Switch to unix_socket authentication [Y/n] n<br />
... skipping.<br />
<br />
You already have your root account protected, so you can safely answer 'n'.<br />
<br />
Change the root password? [Y/n] y<br />
New password:<br />
Re-enter new password:<br />
Password updated successfully!<br />
Reloading privilege tables..<br />
... Success!<br />
<br />
<br />
By default, a MariaDB installation has an anonymous user, allowing anyone<br />
to log into MariaDB without having to have a user account created for<br />
them. This is intended only for testing, and to make the installation<br />
go a bit smoother. You should remove them before moving into a<br />
production environment.<br />
<br />
Remove anonymous users? [Y/n] y<br />
... Success!<br />
<br />
Normally, root should only be allowed to connect from 'localhost'. This<br />
ensures that someone cannot guess at the root password from the network.<br />
<br />
Disallow root login remotely? [Y/n] Y<br />
... Success!<br />
<br />
By default, MariaDB comes with a database named 'test' that anyone can<br />
access. This is also intended only for testing, and should be removed<br />
before moving into a production environment.<br />
<br />
Remove test database and access to it? [Y/n] Y<br />
- Dropping test database...<br />
... Success!<br />
- Removing privileges on test database...<br />
... Success!<br />
<br />
Reloading the privilege tables will ensure that all changes made so far<br />
will take effect immediately.<br />
<br />
Reload privilege tables now? [Y/n] Y<br />
... Success!<br />
<br />
Cleaning up...<br />
<br />
All done! If you've completed all of the above steps, your MariaDB<br />
installation should now be secure.<br />
<br />
Thanks for using MariaDB!<br />
</syntaxhighlight><br />
<br />
== Instalación PHP ==<br />
Vamos a usar los repositorios PPA de ondrej/php<br />
<br />
* Instalar repositorio PPA<br />
<syntaxhighlight lang="Bash">add-apt-repository ppa:ondrej/php</syntaxhighlight><br />
<br />
* Actualizar repositorios<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalar PHP 8.5<br />
<syntaxhighlight lang="Bash">apt install php8.5 php8.5-apcu php8.5-common php8.5-fpm php8.5-curl php8.5-gd php8.5-mysql php8.5-xml php8.5-xmlrpc php8.5-bz2 php8.5-imap php8.5-intl php8.5-mbstring php8.5-soap php8.5-gnupg php8.5-imagick php8.5-mcrypt php8.5-zip</syntaxhighlight><br />
<br />
== Instalación Let's Encrypt ==<br />
Vamos a usar Let's Encrypt para generar las claves y certificados usadas para comunicaciones HTTPS.<br />
<br />
* Instalar Snap Core<br />
<syntaxhighlight lang="Bash">snap install core</syntaxhighlight><br />
<br />
* Refrescar Snap Core<br />
<syntaxhighlight lang="Bash">snap refresh core</syntaxhighlight><br />
<br />
* Instalar Certbot<br />
<syntaxhighlight lang="Bash">snap install --classic certbot</syntaxhighlight><br />
<br />
* Crear enlace simbólico<br />
<syntaxhighlight lang="Bash">ln -s /snap/bin/certbot /usr/local/bin/certbot</syntaxhighlight><br />
<br />
* Comprobar que está activada el timer de renovación<br />
<syntaxhighlight lang="Bash"><br />
systemctl list-timers | grep certbot<br />
Mon 2026-02-23 11:47:00 UTC 12h - - snap.certbot.renew.timer snap.certbot.renew.service<br />
</syntaxhighlight><br />
<br />
== Configuración PHP ==<br />
* Configuración php-fpm:<br />
<syntaxhighlight lang="Bash">vi /etc/php/8.5/fpm/php.ini</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
; Maximum amount of memory a script may consume<br />
; https://php.net/memory-limit<br />
memory_limit = 128M<br />
max_memory_limit = -1<br />
[...]<br />
; Maximum size of POST data that PHP will accept.<br />
; Its value may be 0 to disable the limit. It is ignored if POST data reading<br />
; is disabled through enable_post_data_reading.<br />
; https://php.net/post-max-size<br />
post_max_size = 100M<br />
[...]<br />
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's<br />
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok<br />
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting<br />
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting<br />
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts<br />
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.<br />
; https://php.net/cgi.fix-pathinfo<br />
cgi.fix_pathinfo=0<br />
[...]<br />
; Whether to allow HTTP file uploads.<br />
; https://php.net/file-uploads<br />
file_uploads = On<br />
[...]<br />
; Maximum allowed size for uploaded files.<br />
; https://php.net/upload-max-filesize<br />
upload_max_filesize = 100M<br />
[...]<br />
; Maximum number of files that can be uploaded via a single request<br />
max_file_uploads = 20<br />
[...]<br />
[Session]<br />
; Handler used to store/retrieve data.<br />
; https://php.net/session.save-handler<br />
session.save_handler = files<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Configuración php-cli:<br />
<syntaxhighlight lang="Bash">vi /etc/php/8.5/cli/php.ini</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
; Maximum amount of memory a script may consume<br />
; https://php.net/memory-limit<br />
memory_limit = -1<br />
max_memory_limit = -1<br />
[...]<br />
; Maximum size of POST data that PHP will accept.<br />
; Its value may be 0 to disable the limit. It is ignored if POST data reading<br />
; is disabled through enable_post_data_reading.<br />
; https://php.net/post-max-size<br />
post_max_size = 100M<br />
[...]<br />
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's<br />
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok<br />
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting<br />
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting<br />
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts<br />
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.<br />
; https://php.net/cgi.fix-pathinfo<br />
cgi.fix_pathinfo=0<br />
[...]<br />
; Whether to allow HTTP file uploads.<br />
; https://php.net/file-uploads<br />
file_uploads = On<br />
[...]<br />
; Maximum allowed size for uploaded files.<br />
; https://php.net/upload-max-filesize<br />
upload_max_filesize = 100M<br />
[...]<br />
; Maximum number of files that can be uploaded via a single request<br />
max_file_uploads = 20<br />
[...]<br />
[Session]<br />
; Handler used to store/retrieve data.<br />
; https://php.net/session.save-handler<br />
session.save_handler = files<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Reiniciar php-fpm:<br />
<syntaxhighlight lang="Bash">systemctl restart php8.5-fpm.service</syntaxhighlight><br />
<br />
== Configuración Nginx ==<br />
* Backup nginx.conf<br />
<syntaxhighlight lang="Bash">cp -a /etc/nginx/nginx.conf /etc/nginx/nginx.conf.$(date +%Y%m%d)</syntaxhighlight><br />
<br />
* Editar nginx.conf<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/nginx.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
http {<br />
##<br />
# Basic Settings<br />
##<br />
sendfile on;<br />
tcp_nopush on;<br />
types_hash_max_size 2048;<br />
client_max_body_size 100M;<br />
server_tokens off;<br />
[...]<br />
##<br />
# SSL Settings<br />
##<br />
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE<br />
ssl_protocols TLSv1.2 TLSv1.3;<br />
ssl_prefer_server_ciphers on;<br />
ssl_dhparam /etc/nginx/ssl/dhparam.pem;<br />
[...]<br />
}<br />
</syntaxhighlight><br />
<br />
* Generar PHParam:<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/ssl</syntaxhighlight><br />
<syntaxhighlight lang="Bash">openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096</syntaxhighlight><br />
<br />
* Configurar contraseñas:<br />
Si se quiere configurar contraseñas Auth Basic se almacenan en /etc/nginx/passwd.<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/passwd</syntaxhighlight><br />
Por ejemplo:<br />
<syntaxhighlight lang="Bash">htpasswd -c -B /etc/nginx/passwd/test.pw guzman</syntaxhighlight><br />
<br />
* Configurar snippets:<br />
Estos "fragmentos" se pueden usar para permitir que sistemas funcionen si se tiene Auth Basic activo (como robots.txt o validación de Let's Encrypt).<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/allowed.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Allow favicon.ico, robots.txt, .well-known/<br />
location = /favicon.ico {<br />
log_not_found off;<br />
access_log off;<br />
}<br />
<br />
# Allow robots.txt<br />
location = /robots.txt {<br />
allow all;<br />
log_not_found off;<br />
access_log off;<br />
}<br />
<br />
# Allow "Well-Known URIs" as pwe RFC 5785 (e.g. Let's Encrypt)<br />
location ~* ^/.well-known/ {<br />
auth_basic off;<br />
allow all;<br />
}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/denied.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
<br />
# Not allow txt or logs to be downloaded<br />
location ~* \.(txt|log)$ {<br />
deny all;<br />
}<br />
<br />
# Not allow execute php in hidden folders<br />
location ~ \..*/.\.php$ {<br />
return 403;<br />
}<br />
<br />
# Not allow "hidden files"<br />
location ~ (^|/)\. {<br />
return 403;<br />
}<br />
<br />
# Not allow *.json or *.lock<br />
location ~* \.(json|lock)$ {<br />
return 403;<br />
}<br />
<br />
# Deny *.ht<br />
location ~ /\.ht {<br />
deny all;<br />
}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/hsts.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: if we set another header in a location we've to<br />
# rewrite it<br />
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;<br />
</syntaxhighlight><br />
<br />
* Configurar sites-available:<br />
En al carpeta /etc/nginx/sites-available/ se almacenan todos los Virtual Hosts disponibles.<br />
En Nginx hay que personalizar cada uno por cada tipo de aplicación.<br />
Hay que tener en cuenta las diferentes URL's.<br />
<br />
* Configurar sites-enabled:<br />
Se suelen configurar enlaces simbólicos con la carpeta sites-available para activarlos.<br />
Por ejemplo:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default</syntaxhighlight><br />
<br />
* Reiniciar Nginx:<br />
<syntaxhighlight lang="Bash">systemctl restart nginx</syntaxhighlight><br />
<br />
== Configuración MariaDB ==<br />
* Conectar a MariaDB<br />
<syntaxhighlight lang="Bash">mariadb</syntaxhighlight><br />
<br />
* Opción 1: Permitir conexiones por TCP (sólo desde localhost)<br />
<syntaxhighlight lang="Sql"><br />
grant all privileges on *.* to 'root'@'localhost' identified by 'password' with grant option;<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
* Opción 2: Permitir conexiones por Sockets UNIX (sólo desde localhost)<br />
<syntaxhighlight lang="Sql"><br />
grant all privileges on *.* to 'root'@'localhost' identified via unix_socket with grant option;<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
Nota: esta opción es la que suelo usar yo (no se pueden usar los dos a la vez).<br />
<br />
* Habilitar conexiones remotas<br />
<syntaxhighlight lang="Bash"><br />
vi /etc/mysql/mariadb.conf.d/50-server.cnf<br />
</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
# Instead of skip-networking the default is now to listen only on<br />
# localhost which is more compatible and is not less secure.<br />
#bind-address = 127.0.0.1<br />
bind-address = 0.0.0.0<br />
[...]<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
systemctl restart mariadb.service<br />
</syntaxhighlight><br />
<br />
Nota 1: vamos a necesitar deshabilitar el Bind Address para los contenedores de [[Docker Engine]].<br />
<br />
Nota 2: el puerto 3306/tcp de MariaDB no se va a ver expuesto a Internet, porque no se va a habilitar en el firewall.<br />
<br />
== Habilitar puertos en cortafuegos ==<br />
<syntaxhighlight lang="Bash">ufw allow 80/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">ufw allow 443/tcp</syntaxhighlight><br />
<br />
== Virtual Host de ejemplo ==<br />
=== Generar certificados autofirmados (temporales) ===<br />
Estos certificados los vamos a generar sólo para levantar el Virtual Host y los sustituiremos por unos de Let's Encrypt.<br />
* Generamos clave privada:<br />
<syntaxhighlight lang="Bash">cd /etc/ssl/private</syntaxhighlight><br />
<syntaxhighlight lang="Bash">openssl genrsa -out selfsigned.key</syntaxhighlight><br />
<br />
* Generamos petición de firma (CSR):<br />
<syntaxhighlight lang="Bash"><br />
openssl req -key selfsigned.key -new -out selfsigned.csr<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [AU]:ES<br />
State or Province Name (full name) [Some-State]:Madrid<br />
Locality Name (eg, city) []:Madrid<br />
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GCV<br />
Organizational Unit Name (eg, section) []:GCV<br />
Common Name (e.g. server FQDN or YOUR name) []:www.culturetas.net<br />
Email Address []:<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
</syntaxhighlight><br />
<br />
* Auto-firmamos con la misma firma:<br />
<syntaxhighlight lang="Bash">openssl x509 -signkey selfsigned.key -in selfsigned.csr -req -days 365 -out selfsigned.crt</syntaxhighlight><br />
<br />
* Movemos certificados a las carpetas correctas:<br />
<syntaxhighlight lang="Bash">mv selfsigned.key /etc/ssl/private/</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv selfsigned.crt /etc/ssl/certs/</syntaxhighlight><br />
<syntaxhighlight lang="Bash">rm selfsigned.csr</syntaxhighlight><br />
<br />
* Referencia: [https://www.baeldung.com/openssl-self-signed-cert https://www.baeldung.com/openssl-self-signed-cert]<br />
<br />
=== Dar de alta Virtual Host en Nginx ===<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
##<br />
# You should look at the following URL's in order to grasp a solid understanding<br />
# of Nginx configuration files in order to fully unleash the power of Nginx.<br />
# http://wiki.nginx.org/Pitfalls<br />
# http://wiki.nginx.org/QuickStart<br />
# http://wiki.nginx.org/Configuration<br />
#<br />
# Generally, you will want to move this file somewhere, and start with a clean<br />
# file but keep this around for reference. Or just disable in sites-enabled.<br />
#<br />
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.<br />
##<br />
<br />
# Default server configuration<br />
#<br />
server {<br />
# Redirect HTTP to HTTPS<br />
listen 80 default_server;<br />
listen [::]:80 default_server;<br />
server_name www.culturetas.net culturetas.net;<br />
# Redirect HTTP to HTTPS<br />
return 301 https://$host$request_uri;<br />
}<br />
<br />
server {<br />
# SSL configuration<br />
#<br />
listen 443 ssl http2 default_server;<br />
listen [::]:443 ssl http2 default_server;<br />
ssl_certificate /etc/ssl/certs/selfsigned.crt;<br />
ssl_certificate_key /etc/ssl/private/selfsigned.key;<br />
#<br />
# Note: You should disable gzip for SSL traffic.<br />
# See: https://bugs.debian.org/773332<br />
#<br />
# Read up on ssl_ciphers to ensure a secure configuration.<br />
# See: https://bugs.debian.org/765782<br />
#<br />
# Self signed certs generated by the ssl-cert package<br />
# Don't use them in a production server!<br />
#<br />
# include snippets/snakeoil.conf;<br />
<br />
root /var/www/culturetas.net;<br />
<br />
# Add index.php to the list if you are using PHP<br />
index index.php index.html index.htm;<br />
<br />
server_name www.culturetas.net culturetas.net;<br />
<br />
access_log /var/log/nginx/culturetas.net-access.log;<br />
error_log /var/log/nginx/culturetas.net-error.log;<br />
<br />
# # Auth Basic (for developing)<br />
# auth_basic "Pagina Restringida";<br />
# auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net;<br />
<br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: reinclude if in a location a header is set<br />
include snippets/hsts.conf;<br />
<br />
# Allow favicon.ico, robots.txt, .well-known/<br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
include snippets/allowed.conf;<br />
include snippets/denied.conf;<br />
<br />
location / {<br />
# First attempt to serve request as file, then<br />
# as directory, then fall back to displaying a 404.<br />
#try_files $uri $uri/ =404;<br />
try_files $uri $uri/ /index.php?$args;<br />
}<br />
<br />
# pass the PHP scripts to FastCGI server<br />
#<br />
location ~ \.php$ {<br />
include snippets/fastcgi-php.conf;<br />
<br />
# # With php8.5-cgi alone (TCP Ports):<br />
# fastcgi_pass 127.0.0.1:9000;<br />
# With php8.5-fpm (UNIX Socket):<br />
fastcgi_pass unix:/run/php/php8.5-fpm.sock;<br />
}<br />
<br />
# Disable hidden files<br />
location ~ /\. {<br />
deny all;<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
=== Desactivar Virtual Host por defecto ===<br />
<syntaxhighlight lang="Bash">rm /etc/nginx/sites-enabled/default</syntaxhighlight><br />
<br />
=== Activar Virtual Host nuevo ===<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/culturetas.net /etc/nginx/sites-enabled/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar nuevas claves con Let's Encrypt ===<br />
El certbot de Let's Encrypt ya contiene un plugin que gestiona Nginx.<br />
Usándolo no sólo nos generará automáticamente las claves y certificados, si no que lo aplicará en el servidor por nosotros.<br />
Además, también se encargará de la renovación, por lo que desatiende toda esa parte de gestión de certificados.<br />
<br />
<syntaxhighlight lang="Bash"><br />
certbot --nginx<br />
Saving debug log to /var/log/letsencrypt/letsencrypt.log<br />
Enter email address or hit Enter to skip.<br />
(Enter 'c' to cancel): admin@ejemplo.com<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Please read the Terms of Service at:<br />
https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf<br />
You must agree in order to register with the ACME server. Do you agree?<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
(Y)es/(N)o: Y<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Would you be willing, once your first certificate is successfully issued, to<br />
share your email address with the Electronic Frontier Foundation, a founding<br />
partner of the Let's Encrypt project and the non-profit organization that<br />
develops Certbot? We'd like to send you email about our work encrypting the web,<br />
EFF news, campaigns, and ways to support digital freedom.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
(Y)es/(N)o: N<br />
Account registered.<br />
<br />
Which names would you like to activate HTTPS for?<br />
We recommend selecting either all domains, or all domains in a VirtualHost/server block.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
1: culturetas.net<br />
2: www.culturetas.net<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Select the appropriate numbers separated by commas and/or spaces, or leave input<br />
blank to select all options shown (Enter 'c' to cancel): 1,2<br />
Requesting a certificate for culturetas.net and www.culturetas.net<br />
<br />
Successfully received certificate.<br />
Certificate is saved at: /etc/letsencrypt/live/culturetas.net/fullchain.pem<br />
Key is saved at: /etc/letsencrypt/live/culturetas.net/privkey.pem<br />
This certificate expires on 2026-05-25.<br />
These files will be updated when the certificate renews.<br />
Certbot has set up a scheduled task to automatically renew this certificate in the background.<br />
<br />
Deploying certificate<br />
Successfully deployed certificate for culturetas.net to /etc/nginx/sites-enabled/culturetas.net<br />
Successfully deployed certificate for www.culturetas.net to /etc/nginx/sites-enabled/culturetas.net<br />
Congratulations! You have successfully enabled HTTPS on https://culturetas.net and https://www.culturetas.net<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
If you like Certbot, please consider supporting our work by:<br />
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate<br />
* Donating to EFF: https://eff.org/donate-le<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
</syntaxhighlight><br />
<br />
=== Desplegar página de ejemplo ===<br />
<syntaxhighlight lang="Bash">mkdir /var/www/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /var/www/culturetas.net/index.html</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<!DOCTYPE html><br />
<html lang="es"><br />
<head><br />
<meta charset="UTF-8" /><br />
<meta name="viewport" content="width=device-width, initial-scale=1.0"/><br />
<title>Culturetas.net - En construcción</title><br />
<style><br />
body {<br />
margin: 0;<br />
padding: 0;<br />
height: 100vh;<br />
font-family: system-ui, -apple-system, sans-serif;<br />
background: linear-gradient(135deg, #1e3a8a 0%, #3b82f6 100%);<br />
color: white;<br />
display: flex;<br />
flex-direction: column;<br />
align-items: center;<br />
justify-content: center;<br />
text-align: center;<br />
}<br />
<br />
.container {<br />
max-width: 700px;<br />
padding: 20px;<br />
}<br />
<br />
h1 {<br />
font-size: 4.5rem;<br />
margin: 0.2em 0;<br />
font-weight: 800;<br />
letter-spacing: -1px;<br />
text-shadow: 0 4px 12px rgba(0,0,0,0.3);<br />
}<br />
<br />
.subtitle {<br />
font-size: 1.6rem;<br />
margin: 0.8em 0 1.5em;<br />
opacity: 0.95;<br />
}<br />
<br />
.construction {<br />
font-size: 8rem;<br />
margin: 0.3em 0;<br />
animation: bounce 3s infinite;<br />
}<br />
<br />
p {<br />
font-size: 1.3rem;<br />
line-height: 1.6;<br />
max-width: 600px;<br />
margin: 1.5em auto;<br />
opacity: 0.9;<br />
}<br />
<br />
.soon {<br />
font-size: 2rem;<br />
font-weight: bold;<br />
margin-top: 2rem;<br />
color: #fef08a;<br />
text-shadow: 0 2px 10px rgba(0,0,0,0.4);<br />
}<br />
<br />
@keyframes bounce {<br />
0%, 20%, 50%, 80%, 100% { transform: translateY(0); }<br />
40% { transform: translateY(-25px); }<br />
60% { transform: translateY(-12px); }<br />
}<br />
<br />
@media (max-width: 600px) {<br />
h1 { font-size: 3.2rem; }<br />
.construction { font-size: 6rem; }<br />
.subtitle { font-size: 1.3rem; }<br />
}<br />
</style><br />
</head><br />
<body><br />
<br />
<div class="container"><br />
<div class="construction">🚧</div><br />
<h1>Culturetas.net</h1><br />
<div class="subtitle">Está en construcción</div><br />
<br />
<p>Estamos trabajando para traerte un espacio mucho más bonito, rápido y con mucho más contenido cultural interesante.</p><br />
<br />
<p>¡Vuelve en unos días y te sorprenderás!</p><br />
<br />
<div class="soon">Próximamente... ✨</div><br />
</div><br />
<br />
</body><br />
</html><br />
</syntaxhighlight><br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=LEMP&diff=191LEMP2026-04-18T20:00:55Z<p>Guzman: </p>
<hr />
<div>== Instalación servidor LEMP ==<br />
Instalaremos:<br />
* GNU Linux (Ubuntu Server 24.04)<br />
* eNginx 1.24.0 (APT Ubuntu)<br />
* MariaDB 10.8 (Repo oficiales de MariaDB)<br />
* PHP 8.5 (PPA ondrej/php)<br />
<br />
== Permisos de root ==<br />
Todos los comandos en esta guía se realizarán como root.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<br />
== Instalación Nginx (Stable) ==<br />
* Actualizar repositorio<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalar Nginx<br />
<syntaxhighlight lang="Bash">apt install nginx</syntaxhighlight><br />
<br />
* Instalación Apache Utils<br />
<syntaxhighlight lang="Bash">apt install apache2-utils</syntaxhighlight><br />
<br />
== Instalación MariaDB ==<br />
* Instalar requisitos<br />
<syntaxhighlight lang="Bash">apt install apt-transport-https curl</syntaxhighlight><br />
<br />
* Añadir repositorios MariaDB (oficiales)<br />
<syntaxhighlight lang="Bash">mkdir -p /etc/apt/keyrings</syntaxhighlight><br />
<syntaxhighlight lang="Bash">curl -o /etc/apt/keyrings/mariadb-keyring.pgp 'https://mariadb.org/mariadb_release_signing_key.pgp'</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/apt/sources.list.d/mariadb.sources</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# MariaDB 11.8 repository list - created 2026-02-23 08:31 UTC<br />
# https://mariadb.org/download/<br />
X-Repolib-Name: MariaDB<br />
Types: deb<br />
# deb.mariadb.org is a dynamic mirror if your preferred mirror goes offline. See https://mariadb.org/mirrorbits/ for details.<br />
# URIs: https://deb.mariadb.org/11.8/ubuntu<br />
URIs: https://mirror.raiolanetworks.com/mariadb/repo/11.8/ubuntu<br />
Suites: noble<br />
Components: main main/debug<br />
Signed-By: /etc/apt/keyrings/mariadb-keyring.pgp<br />
</syntaxhighlight><br />
<br />
* Actualizar repositorio<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalación de servidor y cliente<br />
<syntaxhighlight lang="Bash">apt install mariadb-client mariadb-server mariadb-plugin-provider-bzip2 mariadb-plugin-provider-lz4 mariadb-plugin-provider-lzma mariadb-plugin-provider-lzo mariadb-plugin-provider-snappy</syntaxhighlight><br />
<br />
* Inicializar base de datos<br />
<syntaxhighlight lang="Bash">mysql_secure_installation</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB<br />
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!<br />
<br />
In order to log into MariaDB to secure it, we'll need the current<br />
password for the root user. If you've just installed MariaDB, and<br />
haven't set the root password yet, you should just press enter here.<br />
<br />
Enter current password for root (enter for none):<br />
OK, successfully used password, moving on...<br />
<br />
Setting the root password or using the unix_socket ensures that nobody<br />
can log into the MariaDB root user without the proper authorisation.<br />
<br />
You already have your root account protected, so you can safely answer 'n'.<br />
<br />
Switch to unix_socket authentication [Y/n] n<br />
... skipping.<br />
<br />
You already have your root account protected, so you can safely answer 'n'.<br />
<br />
Change the root password? [Y/n] y<br />
New password:<br />
Re-enter new password:<br />
Password updated successfully!<br />
Reloading privilege tables..<br />
... Success!<br />
<br />
<br />
By default, a MariaDB installation has an anonymous user, allowing anyone<br />
to log into MariaDB without having to have a user account created for<br />
them. This is intended only for testing, and to make the installation<br />
go a bit smoother. You should remove them before moving into a<br />
production environment.<br />
<br />
Remove anonymous users? [Y/n] y<br />
... Success!<br />
<br />
Normally, root should only be allowed to connect from 'localhost'. This<br />
ensures that someone cannot guess at the root password from the network.<br />
<br />
Disallow root login remotely? [Y/n] Y<br />
... Success!<br />
<br />
By default, MariaDB comes with a database named 'test' that anyone can<br />
access. This is also intended only for testing, and should be removed<br />
before moving into a production environment.<br />
<br />
Remove test database and access to it? [Y/n] Y<br />
- Dropping test database...<br />
... Success!<br />
- Removing privileges on test database...<br />
... Success!<br />
<br />
Reloading the privilege tables will ensure that all changes made so far<br />
will take effect immediately.<br />
<br />
Reload privilege tables now? [Y/n] Y<br />
... Success!<br />
<br />
Cleaning up...<br />
<br />
All done! If you've completed all of the above steps, your MariaDB<br />
installation should now be secure.<br />
<br />
Thanks for using MariaDB!<br />
</syntaxhighlight><br />
<br />
== Instalación PHP ==<br />
Vamos a usar los repositorios PPA de ondrej/php<br />
<br />
* Instalar repositorio PPA<br />
<syntaxhighlight lang="Bash">add-apt-repository ppa:ondrej/php</syntaxhighlight><br />
<br />
* Actualizar repositorios<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalar PHP 8.5<br />
<syntaxhighlight lang="Bash">apt install php8.5 php8.5-apcu php8.5-common php8.5-fpm php8.5-curl php8.5-gd php8.5-mysql php8.5-xml php8.5-xmlrpc php8.5-bz2 php8.5-imap php8.5-intl php8.5-mbstring php8.5-soap php8.5-gnupg php8.5-imagick php8.5-mcrypt php8.5-zip</syntaxhighlight><br />
<br />
== Instalación Let's Encrypt ==<br />
Vamos a usar Let's Encrypt para generar las claves y certificados usadas para comunicaciones HTTPS.<br />
<br />
* Instalar Snap Core<br />
<syntaxhighlight lang="Bash">snap install core</syntaxhighlight><br />
<br />
* Refrescar Snap Core<br />
<syntaxhighlight lang="Bash">snap refresh core</syntaxhighlight><br />
<br />
* Instalar Certbot<br />
<syntaxhighlight lang="Bash">snap install --classic certbot</syntaxhighlight><br />
<br />
* Crear enlace simbólico<br />
<syntaxhighlight lang="Bash">ln -s /snap/bin/certbot /usr/local/bin/certbot</syntaxhighlight><br />
<br />
* Comprobar que está activada el timer de renovación<br />
<syntaxhighlight lang="Bash"><br />
systemctl list-timers | grep certbot<br />
Mon 2026-02-23 11:47:00 UTC 12h - - snap.certbot.renew.timer snap.certbot.renew.service<br />
</syntaxhighlight><br />
<br />
== Configuración PHP ==<br />
* Configuración php-fpm:<br />
<syntaxhighlight lang="Bash">vi /etc/php/8.5/fpm/php.ini</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
; Maximum amount of memory a script may consume<br />
; https://php.net/memory-limit<br />
memory_limit = 128M<br />
max_memory_limit = -1<br />
[...]<br />
; Maximum size of POST data that PHP will accept.<br />
; Its value may be 0 to disable the limit. It is ignored if POST data reading<br />
; is disabled through enable_post_data_reading.<br />
; https://php.net/post-max-size<br />
post_max_size = 100M<br />
[...]<br />
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's<br />
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok<br />
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting<br />
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting<br />
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts<br />
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.<br />
; https://php.net/cgi.fix-pathinfo<br />
cgi.fix_pathinfo=0<br />
[...]<br />
; Whether to allow HTTP file uploads.<br />
; https://php.net/file-uploads<br />
file_uploads = On<br />
[...]<br />
; Maximum allowed size for uploaded files.<br />
; https://php.net/upload-max-filesize<br />
upload_max_filesize = 100M<br />
[...]<br />
; Maximum number of files that can be uploaded via a single request<br />
max_file_uploads = 20<br />
[...]<br />
[Session]<br />
; Handler used to store/retrieve data.<br />
; https://php.net/session.save-handler<br />
session.save_handler = files<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Configuración php-cli:<br />
<syntaxhighlight lang="Bash">vi /etc/php/8.5/cli/php.ini</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
; Maximum amount of memory a script may consume<br />
; https://php.net/memory-limit<br />
memory_limit = -1<br />
max_memory_limit = -1<br />
[...]<br />
; Maximum size of POST data that PHP will accept.<br />
; Its value may be 0 to disable the limit. It is ignored if POST data reading<br />
; is disabled through enable_post_data_reading.<br />
; https://php.net/post-max-size<br />
post_max_size = 100M<br />
[...]<br />
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's<br />
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok<br />
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting<br />
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting<br />
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts<br />
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.<br />
; https://php.net/cgi.fix-pathinfo<br />
cgi.fix_pathinfo=0<br />
[...]<br />
; Whether to allow HTTP file uploads.<br />
; https://php.net/file-uploads<br />
file_uploads = On<br />
[...]<br />
; Maximum allowed size for uploaded files.<br />
; https://php.net/upload-max-filesize<br />
upload_max_filesize = 100M<br />
[...]<br />
; Maximum number of files that can be uploaded via a single request<br />
max_file_uploads = 20<br />
[...]<br />
[Session]<br />
; Handler used to store/retrieve data.<br />
; https://php.net/session.save-handler<br />
session.save_handler = files<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Reiniciar php-fpm:<br />
<syntaxhighlight lang="Bash">systemctl restart php8.5-fpm.service</syntaxhighlight><br />
<br />
== Configuración Nginx ==<br />
* Backup nginx.conf<br />
<syntaxhighlight lang="Bash">cp -a /etc/nginx/nginx.conf /etc/nginx/nginx.conf.$(date +%Y%m%d)</syntaxhighlight><br />
<br />
* Editar nginx.conf<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/nginx.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
http {<br />
##<br />
# Basic Settings<br />
##<br />
sendfile on;<br />
tcp_nopush on;<br />
types_hash_max_size 2048;<br />
client_max_body_size 100M;<br />
server_tokens off;<br />
[...]<br />
##<br />
# SSL Settings<br />
##<br />
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE<br />
ssl_protocols TLSv1.2 TLSv1.3;<br />
ssl_prefer_server_ciphers on;<br />
ssl_dhparam /etc/nginx/ssl/dhparam.pem;<br />
[...]<br />
}<br />
</syntaxhighlight><br />
<br />
* Generar PHParam:<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/ssl</syntaxhighlight><br />
<syntaxhighlight lang="Bash">openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096</syntaxhighlight><br />
<br />
* Configurar contraseñas:<br />
Si se quiere configurar contraseñas Auth Basic se almacenan en /etc/nginx/passwd.<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/passwd</syntaxhighlight><br />
Por ejemplo:<br />
<syntaxhighlight lang="Bash">htpasswd -c -B /etc/nginx/passwd/test.pw guzman</syntaxhighlight><br />
<br />
* Configurar snippets:<br />
Estos "fragmentos" se pueden usar para permitir que sistemas funcionen si se tiene Auth Basic activo (como robots.txt o validación de Let's Encrypt).<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/allowed.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Allow favicon.ico, robots.txt, .well-known/<br />
location = /favicon.ico {<br />
log_not_found off;<br />
access_log off;<br />
}<br />
<br />
# Allow robots.txt<br />
location = /robots.txt {<br />
allow all;<br />
log_not_found off;<br />
access_log off;<br />
}<br />
<br />
# Allow "Well-Known URIs" as pwe RFC 5785 (e.g. Let's Encrypt)<br />
location ~* ^/.well-known/ {<br />
auth_basic off;<br />
allow all;<br />
}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/denied.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
<br />
# Not allow txt or logs to be downloaded<br />
location ~* \.(txt|log)$ {<br />
deny all;<br />
}<br />
<br />
# Not allow execute php in hidden folders<br />
location ~ \..*/.\.php$ {<br />
return 403;<br />
}<br />
<br />
# Not allow "hidden files"<br />
location ~ (^|/)\. {<br />
return 403;<br />
}<br />
<br />
# Not allow *.json or *.lock<br />
location ~* \.(json|lock)$ {<br />
return 403;<br />
}<br />
<br />
# Deny *.ht<br />
location ~ /\.ht {<br />
deny all;<br />
}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/hsts.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: if we set another header in a location we've to<br />
# rewrite it<br />
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;<br />
</syntaxhighlight><br />
<br />
* Configurar sites-available:<br />
En al carpeta /etc/nginx/sites-available/ se almacenan todos los Virtual Hosts disponibles.<br />
En Nginx hay que personalizar cada uno por cada tipo de aplicación.<br />
Hay que tener en cuenta las diferentes URL's.<br />
<br />
* Configurar sites-enabled:<br />
Se suelen configurar enlaces simbólicos con la carpeta sites-available para activarlos.<br />
Por ejemplo:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default</syntaxhighlight><br />
<br />
* Reiniciar Nginx:<br />
<syntaxhighlight lang="Bash">systemctl restart nginx</syntaxhighlight><br />
<br />
== Configuración MariaDB ==<br />
* Conectar a MariaDB<br />
<syntaxhighlight lang="Bash">mariadb</syntaxhighlight><br />
<br />
* Opción 1: Permitir conexiones por TCP (sólo desde localhost)<br />
<syntaxhighlight lang="Sql"><br />
grant all privileges on *.* to 'root'@'localhost' identified by 'password' with grant option;<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
* Opción 2: Permitir conexiones por Sockets UNIX (sólo desde localhost)<br />
<syntaxhighlight lang="Sql"><br />
grant all privileges on *.* to 'root'@'localhost' identified via unix_socket with grant option;<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
Nota: esta opción es la que suelo usar yo (no se pueden usar los dos a la vez).<br />
<br />
* Habilitar conexiones remotas<br />
<syntaxhighlight lang="Bash"><br />
vi /etc/mysql/mariadb.conf.d/50-server.cnf<br />
</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
# Instead of skip-networking the default is now to listen only on<br />
# localhost which is more compatible and is not less secure.<br />
#bind-address = 127.0.0.1<br />
bind-address = 0.0.0.0<br />
[...]<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
systemctl restart mariadb.service<br />
</syntaxhighlight><br />
<br />
Nota 1: vamos a necesitar deshabilitar el Bind Address para los contenedores de [[Docker Engine]].<br />
<br />
Nota 2: el puerto 3306/tcp de MariaDB no se va a ver expuesto a Internet, porque no se va a habilitar en el firewall.<br />
<br />
== Habilitar puertos en cortafuegos ==<br />
<syntaxhighlight lang="Bash">ufw allow 80/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">ufw allow 443/tcp</syntaxhighlight><br />
<br />
== Virtual Host de ejemplo ==<br />
=== Generar certificados autofirmados (temporales) ===<br />
Estos certificados los vamos a generar sólo para levantar el Virtual Host y los sustituiremos por unos de Let's Encrypt.<br />
* Generamos clave privada:<br />
<syntaxhighlight lang="Bash">cd /etc/ssl/private</syntaxhighlight><br />
<syntaxhighlight lang="Bash">openssl genrsa -out selfsigned.key</syntaxhighlight><br />
<br />
* Generamos petición de firma (CSR):<br />
<syntaxhighlight lang="Bash"><br />
openssl req -key selfsigned.key -new -out selfsigned.csr<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [AU]:ES<br />
State or Province Name (full name) [Some-State]:Madrid<br />
Locality Name (eg, city) []:Madrid<br />
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GCV<br />
Organizational Unit Name (eg, section) []:GCV<br />
Common Name (e.g. server FQDN or YOUR name) []:www.culturetas.net<br />
Email Address []:<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
</syntaxhighlight><br />
<br />
* Auto-firmamos con la misma firma:<br />
<syntaxhighlight lang="Bash">openssl x509 -signkey selfsigned.key -in selfsigned.csr -req -days 365 -out selfsigned.crt</syntaxhighlight><br />
<br />
* Movemos certificados a las carpetas correctas:<br />
<syntaxhighlight lang="Bash">mv selfsigned.key /etc/ssl/private/</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv selfsigned.crt /etc/ssl/certs/</syntaxhighlight><br />
<syntaxhighlight lang="Bash">rm selfsigned.csr</syntaxhighlight><br />
<br />
* Damos permisos a los certificados:<br />
<syntaxhighlight lang="Bash">chmod 644 /etc/ssl/private/selfsigned.key</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod 644 /etc/ssl/certs/selfsigned.crt</syntaxhighlight><br />
<br />
* Referencia: [https://www.baeldung.com/openssl-self-signed-cert https://www.baeldung.com/openssl-self-signed-cert]<br />
<br />
=== Dar de alta Virtual Host en Nginx ===<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
##<br />
# You should look at the following URL's in order to grasp a solid understanding<br />
# of Nginx configuration files in order to fully unleash the power of Nginx.<br />
# http://wiki.nginx.org/Pitfalls<br />
# http://wiki.nginx.org/QuickStart<br />
# http://wiki.nginx.org/Configuration<br />
#<br />
# Generally, you will want to move this file somewhere, and start with a clean<br />
# file but keep this around for reference. Or just disable in sites-enabled.<br />
#<br />
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.<br />
##<br />
<br />
# Default server configuration<br />
#<br />
server {<br />
# Redirect HTTP to HTTPS<br />
listen 80 default_server;<br />
listen [::]:80 default_server;<br />
server_name www.culturetas.net culturetas.net;<br />
# Redirect HTTP to HTTPS<br />
return 301 https://$host$request_uri;<br />
}<br />
<br />
server {<br />
# SSL configuration<br />
#<br />
listen 443 ssl http2 default_server;<br />
listen [::]:443 ssl http2 default_server;<br />
ssl_certificate /etc/ssl/certs/selfsigned.crt;<br />
ssl_certificate_key /etc/ssl/private/selfsigned.key;<br />
#<br />
# Note: You should disable gzip for SSL traffic.<br />
# See: https://bugs.debian.org/773332<br />
#<br />
# Read up on ssl_ciphers to ensure a secure configuration.<br />
# See: https://bugs.debian.org/765782<br />
#<br />
# Self signed certs generated by the ssl-cert package<br />
# Don't use them in a production server!<br />
#<br />
# include snippets/snakeoil.conf;<br />
<br />
root /var/www/culturetas.net;<br />
<br />
# Add index.php to the list if you are using PHP<br />
index index.php index.html index.htm;<br />
<br />
server_name www.culturetas.net culturetas.net;<br />
<br />
access_log /var/log/nginx/culturetas.net-access.log;<br />
error_log /var/log/nginx/culturetas.net-error.log;<br />
<br />
# # Auth Basic (for developing)<br />
# auth_basic "Pagina Restringida";<br />
# auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net;<br />
<br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: reinclude if in a location a header is set<br />
include snippets/hsts.conf;<br />
<br />
# Allow favicon.ico, robots.txt, .well-known/<br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
include snippets/allowed.conf;<br />
include snippets/denied.conf;<br />
<br />
location / {<br />
# First attempt to serve request as file, then<br />
# as directory, then fall back to displaying a 404.<br />
#try_files $uri $uri/ =404;<br />
try_files $uri $uri/ /index.php?$args;<br />
}<br />
<br />
# pass the PHP scripts to FastCGI server<br />
#<br />
location ~ \.php$ {<br />
include snippets/fastcgi-php.conf;<br />
<br />
# # With php8.5-cgi alone (TCP Ports):<br />
# fastcgi_pass 127.0.0.1:9000;<br />
# With php8.5-fpm (UNIX Socket):<br />
fastcgi_pass unix:/run/php/php8.5-fpm.sock;<br />
}<br />
<br />
# Disable hidden files<br />
location ~ /\. {<br />
deny all;<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
=== Desactivar Virtual Host por defecto ===<br />
<syntaxhighlight lang="Bash">rm /etc/nginx/sites-enabled/default</syntaxhighlight><br />
<br />
=== Activar Virtual Host nuevo ===<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/culturetas.net /etc/nginx/sites-enabled/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar nuevas claves con Let's Encrypt ===<br />
El certbot de Let's Encrypt ya contiene un plugin que gestiona Nginx.<br />
Usándolo no sólo nos generará automáticamente las claves y certificados, si no que lo aplicará en el servidor por nosotros.<br />
Además, también se encargará de la renovación, por lo que desatiende toda esa parte de gestión de certificados.<br />
<br />
<syntaxhighlight lang="Bash"><br />
certbot --nginx<br />
Saving debug log to /var/log/letsencrypt/letsencrypt.log<br />
Enter email address or hit Enter to skip.<br />
(Enter 'c' to cancel): admin@ejemplo.com<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Please read the Terms of Service at:<br />
https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf<br />
You must agree in order to register with the ACME server. Do you agree?<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
(Y)es/(N)o: Y<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Would you be willing, once your first certificate is successfully issued, to<br />
share your email address with the Electronic Frontier Foundation, a founding<br />
partner of the Let's Encrypt project and the non-profit organization that<br />
develops Certbot? We'd like to send you email about our work encrypting the web,<br />
EFF news, campaigns, and ways to support digital freedom.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
(Y)es/(N)o: N<br />
Account registered.<br />
<br />
Which names would you like to activate HTTPS for?<br />
We recommend selecting either all domains, or all domains in a VirtualHost/server block.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
1: culturetas.net<br />
2: www.culturetas.net<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Select the appropriate numbers separated by commas and/or spaces, or leave input<br />
blank to select all options shown (Enter 'c' to cancel): 1,2<br />
Requesting a certificate for culturetas.net and www.culturetas.net<br />
<br />
Successfully received certificate.<br />
Certificate is saved at: /etc/letsencrypt/live/culturetas.net/fullchain.pem<br />
Key is saved at: /etc/letsencrypt/live/culturetas.net/privkey.pem<br />
This certificate expires on 2026-05-25.<br />
These files will be updated when the certificate renews.<br />
Certbot has set up a scheduled task to automatically renew this certificate in the background.<br />
<br />
Deploying certificate<br />
Successfully deployed certificate for culturetas.net to /etc/nginx/sites-enabled/culturetas.net<br />
Successfully deployed certificate for www.culturetas.net to /etc/nginx/sites-enabled/culturetas.net<br />
Congratulations! You have successfully enabled HTTPS on https://culturetas.net and https://www.culturetas.net<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
If you like Certbot, please consider supporting our work by:<br />
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate<br />
* Donating to EFF: https://eff.org/donate-le<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
</syntaxhighlight><br />
<br />
=== Desplegar página de ejemplo ===<br />
<syntaxhighlight lang="Bash">mkdir /var/www/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /var/www/culturetas.net/index.html</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<!DOCTYPE html><br />
<html lang="es"><br />
<head><br />
<meta charset="UTF-8" /><br />
<meta name="viewport" content="width=device-width, initial-scale=1.0"/><br />
<title>Culturetas.net - En construcción</title><br />
<style><br />
body {<br />
margin: 0;<br />
padding: 0;<br />
height: 100vh;<br />
font-family: system-ui, -apple-system, sans-serif;<br />
background: linear-gradient(135deg, #1e3a8a 0%, #3b82f6 100%);<br />
color: white;<br />
display: flex;<br />
flex-direction: column;<br />
align-items: center;<br />
justify-content: center;<br />
text-align: center;<br />
}<br />
<br />
.container {<br />
max-width: 700px;<br />
padding: 20px;<br />
}<br />
<br />
h1 {<br />
font-size: 4.5rem;<br />
margin: 0.2em 0;<br />
font-weight: 800;<br />
letter-spacing: -1px;<br />
text-shadow: 0 4px 12px rgba(0,0,0,0.3);<br />
}<br />
<br />
.subtitle {<br />
font-size: 1.6rem;<br />
margin: 0.8em 0 1.5em;<br />
opacity: 0.95;<br />
}<br />
<br />
.construction {<br />
font-size: 8rem;<br />
margin: 0.3em 0;<br />
animation: bounce 3s infinite;<br />
}<br />
<br />
p {<br />
font-size: 1.3rem;<br />
line-height: 1.6;<br />
max-width: 600px;<br />
margin: 1.5em auto;<br />
opacity: 0.9;<br />
}<br />
<br />
.soon {<br />
font-size: 2rem;<br />
font-weight: bold;<br />
margin-top: 2rem;<br />
color: #fef08a;<br />
text-shadow: 0 2px 10px rgba(0,0,0,0.4);<br />
}<br />
<br />
@keyframes bounce {<br />
0%, 20%, 50%, 80%, 100% { transform: translateY(0); }<br />
40% { transform: translateY(-25px); }<br />
60% { transform: translateY(-12px); }<br />
}<br />
<br />
@media (max-width: 600px) {<br />
h1 { font-size: 3.2rem; }<br />
.construction { font-size: 6rem; }<br />
.subtitle { font-size: 1.3rem; }<br />
}<br />
</style><br />
</head><br />
<body><br />
<br />
<div class="container"><br />
<div class="construction">🚧</div><br />
<h1>Culturetas.net</h1><br />
<div class="subtitle">Está en construcción</div><br />
<br />
<p>Estamos trabajando para traerte un espacio mucho más bonito, rápido y con mucho más contenido cultural interesante.</p><br />
<br />
<p>¡Vuelve en unos días y te sorprenderás!</p><br />
<br />
<div class="soon">Próximamente... ✨</div><br />
</div><br />
<br />
</body><br />
</html><br />
</syntaxhighlight><br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=LEMP&diff=189LEMP2026-04-18T18:57:10Z<p>Guzman: </p>
<hr />
<div>== Instalación servidor LEMP ==<br />
Instalaremos:<br />
* GNU Linux (Ubuntu Server 24.04)<br />
* eNginx 1.24.0 (APT Ubuntu)<br />
* MariaDB 10.8 (Repo oficiales de MariaDB)<br />
* PHP 8.5 (PPA ondrej/php)<br />
<br />
== Permisos de root ==<br />
Todos los comandos en esta guía se realizarán como root.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<br />
== Instalación Nginx (Stable) ==<br />
* Actualizar repositorio<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalar Nginx<br />
<syntaxhighlight lang="Bash">apt install nginx</syntaxhighlight><br />
<br />
* Instalación Apache Utils<br />
<syntaxhighlight lang="Bash">apt install apache2-utils</syntaxhighlight><br />
<br />
== Instalación MariaDB ==<br />
* Instalar requisitos<br />
<syntaxhighlight lang="Bash">apt install apt-transport-https curl</syntaxhighlight><br />
<br />
* Añadir repositorios MariaDB (oficiales)<br />
<syntaxhighlight lang="Bash">mkdir -p /etc/apt/keyrings</syntaxhighlight><br />
<syntaxhighlight lang="Bash">curl -o /etc/apt/keyrings/mariadb-keyring.pgp 'https://mariadb.org/mariadb_release_signing_key.pgp'</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/apt/sources.list.d/mariadb.sources</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# MariaDB 11.8 repository list - created 2026-02-23 08:31 UTC<br />
# https://mariadb.org/download/<br />
X-Repolib-Name: MariaDB<br />
Types: deb<br />
# deb.mariadb.org is a dynamic mirror if your preferred mirror goes offline. See https://mariadb.org/mirrorbits/ for details.<br />
# URIs: https://deb.mariadb.org/11.8/ubuntu<br />
URIs: https://mirror.raiolanetworks.com/mariadb/repo/11.8/ubuntu<br />
Suites: noble<br />
Components: main main/debug<br />
Signed-By: /etc/apt/keyrings/mariadb-keyring.pgp<br />
</syntaxhighlight><br />
<br />
* Actualizar repositorio<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalación de servidor y cliente<br />
<syntaxhighlight lang="Bash">apt install mariadb-client mariadb-server mariadb-plugin-provider-bzip2 mariadb-plugin-provider-lz4 mariadb-plugin-provider-lzma mariadb-plugin-provider-lzo mariadb-plugin-provider-snappy</syntaxhighlight><br />
<br />
* Inicializar base de datos<br />
<syntaxhighlight lang="Bash">mysql_secure_installation</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB<br />
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!<br />
<br />
In order to log into MariaDB to secure it, we'll need the current<br />
password for the root user. If you've just installed MariaDB, and<br />
haven't set the root password yet, you should just press enter here.<br />
<br />
Enter current password for root (enter for none):<br />
OK, successfully used password, moving on...<br />
<br />
Setting the root password or using the unix_socket ensures that nobody<br />
can log into the MariaDB root user without the proper authorisation.<br />
<br />
You already have your root account protected, so you can safely answer 'n'.<br />
<br />
Switch to unix_socket authentication [Y/n] n<br />
... skipping.<br />
<br />
You already have your root account protected, so you can safely answer 'n'.<br />
<br />
Change the root password? [Y/n] y<br />
New password:<br />
Re-enter new password:<br />
Password updated successfully!<br />
Reloading privilege tables..<br />
... Success!<br />
<br />
<br />
By default, a MariaDB installation has an anonymous user, allowing anyone<br />
to log into MariaDB without having to have a user account created for<br />
them. This is intended only for testing, and to make the installation<br />
go a bit smoother. You should remove them before moving into a<br />
production environment.<br />
<br />
Remove anonymous users? [Y/n] y<br />
... Success!<br />
<br />
Normally, root should only be allowed to connect from 'localhost'. This<br />
ensures that someone cannot guess at the root password from the network.<br />
<br />
Disallow root login remotely? [Y/n] Y<br />
... Success!<br />
<br />
By default, MariaDB comes with a database named 'test' that anyone can<br />
access. This is also intended only for testing, and should be removed<br />
before moving into a production environment.<br />
<br />
Remove test database and access to it? [Y/n] Y<br />
- Dropping test database...<br />
... Success!<br />
- Removing privileges on test database...<br />
... Success!<br />
<br />
Reloading the privilege tables will ensure that all changes made so far<br />
will take effect immediately.<br />
<br />
Reload privilege tables now? [Y/n] Y<br />
... Success!<br />
<br />
Cleaning up...<br />
<br />
All done! If you've completed all of the above steps, your MariaDB<br />
installation should now be secure.<br />
<br />
Thanks for using MariaDB!<br />
</syntaxhighlight><br />
<br />
== Instalación PHP ==<br />
Vamos a usar los repositorios PPA de ondrej/php<br />
<br />
* Instalar repositorio PPA<br />
<syntaxhighlight lang="Bash">add-apt-repository ppa:ondrej/php</syntaxhighlight><br />
<br />
* Actualizar repositorios<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalar PHP 8.5<br />
<syntaxhighlight lang="Bash">apt install php8.5 php8.5-apcu php8.5-common php8.5-fpm php8.5-curl php8.5-gd php8.5-mysql php8.5-xml php8.5-xmlrpc php8.5-bz2 php8.5-imap php8.5-intl php8.5-mbstring php8.5-soap php8.5-gnupg php8.5-imagick php8.5-mcrypt php8.5-zip</syntaxhighlight><br />
<br />
== Instalación Let's Encrypt ==<br />
Vamos a usar Let's Encrypt para generar las claves y certificados usadas para comunicaciones HTTPS.<br />
<br />
* Instalar Snap Core<br />
<syntaxhighlight lang="Bash">snap install core</syntaxhighlight><br />
<br />
* Refrescar Snap Core<br />
<syntaxhighlight lang="Bash">snap refresh core</syntaxhighlight><br />
<br />
* Instalar Certbot<br />
<syntaxhighlight lang="Bash">snap install --classic certbot</syntaxhighlight><br />
<br />
* Crear enlace simbólico<br />
<syntaxhighlight lang="Bash">ln -s /snap/bin/certbot /usr/local/bin/certbot</syntaxhighlight><br />
<br />
* Comprobar que está activada el timer de renovación<br />
<syntaxhighlight lang="Bash"><br />
systemctl list-timers | grep certbot<br />
Mon 2026-02-23 11:47:00 UTC 12h - - snap.certbot.renew.timer snap.certbot.renew.service<br />
</syntaxhighlight><br />
<br />
== Configuración PHP ==<br />
* Configuración php-fpm:<br />
<syntaxhighlight lang="Bash">vi /etc/php/8.5/fpm/php.ini</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
; Maximum amount of memory a script may consume<br />
; https://php.net/memory-limit<br />
memory_limit = 128M<br />
max_memory_limit = -1<br />
[...]<br />
; Maximum size of POST data that PHP will accept.<br />
; Its value may be 0 to disable the limit. It is ignored if POST data reading<br />
; is disabled through enable_post_data_reading.<br />
; https://php.net/post-max-size<br />
post_max_size = 100M<br />
[...]<br />
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's<br />
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok<br />
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting<br />
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting<br />
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts<br />
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.<br />
; https://php.net/cgi.fix-pathinfo<br />
cgi.fix_pathinfo=0<br />
[...]<br />
; Whether to allow HTTP file uploads.<br />
; https://php.net/file-uploads<br />
file_uploads = On<br />
[...]<br />
; Maximum allowed size for uploaded files.<br />
; https://php.net/upload-max-filesize<br />
upload_max_filesize = 100M<br />
[...]<br />
; Maximum number of files that can be uploaded via a single request<br />
max_file_uploads = 20<br />
[...]<br />
[Session]<br />
; Handler used to store/retrieve data.<br />
; https://php.net/session.save-handler<br />
session.save_handler = files<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Configuración php-cli:<br />
<syntaxhighlight lang="Bash">vi /etc/php/8.5/cli/php.ini</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
; Maximum amount of memory a script may consume<br />
; https://php.net/memory-limit<br />
memory_limit = -1<br />
max_memory_limit = -1<br />
[...]<br />
; Maximum size of POST data that PHP will accept.<br />
; Its value may be 0 to disable the limit. It is ignored if POST data reading<br />
; is disabled through enable_post_data_reading.<br />
; https://php.net/post-max-size<br />
post_max_size = 100M<br />
[...]<br />
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's<br />
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok<br />
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting<br />
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting<br />
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts<br />
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.<br />
; https://php.net/cgi.fix-pathinfo<br />
cgi.fix_pathinfo=0<br />
[...]<br />
; Whether to allow HTTP file uploads.<br />
; https://php.net/file-uploads<br />
file_uploads = On<br />
[...]<br />
; Maximum allowed size for uploaded files.<br />
; https://php.net/upload-max-filesize<br />
upload_max_filesize = 100M<br />
[...]<br />
; Maximum number of files that can be uploaded via a single request<br />
max_file_uploads = 20<br />
[...]<br />
[Session]<br />
; Handler used to store/retrieve data.<br />
; https://php.net/session.save-handler<br />
session.save_handler = files<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Reiniciar php-fpm:<br />
<syntaxhighlight lang="Bash">systemctl restart php8.5-fpm.service</syntaxhighlight><br />
<br />
== Configuración Nginx ==<br />
* Backup nginx.conf<br />
<syntaxhighlight lang="Bash">cp -a /etc/nginx/nginx.conf /etc/nginx/nginx.conf.$(date +%Y%m%d)</syntaxhighlight><br />
<br />
* Editar nginx.conf<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/nginx.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
http {<br />
##<br />
# Basic Settings<br />
##<br />
sendfile on;<br />
tcp_nopush on;<br />
types_hash_max_size 2048;<br />
client_max_body_size 100M;<br />
server_tokens off;<br />
[...]<br />
##<br />
# SSL Settings<br />
##<br />
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE<br />
ssl_protocols TLSv1.2 TLSv1.3;<br />
ssl_prefer_server_ciphers on;<br />
ssl_dhparam /etc/nginx/ssl/dhparam.pem;<br />
[...]<br />
}<br />
</syntaxhighlight><br />
<br />
* Generar PHParam:<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/ssl</syntaxhighlight><br />
<syntaxhighlight lang="Bash">openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096</syntaxhighlight><br />
<br />
* Configurar contraseñas:<br />
Si se quiere configurar contraseñas Auth Basic se almacenan en /etc/nginx/passwd.<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/passwd</syntaxhighlight><br />
Por ejemplo:<br />
<syntaxhighlight lang="Bash">htpasswd -c -B /etc/nginx/passwd/test.pw guzman</syntaxhighlight><br />
<br />
* Configurar snippets:<br />
Estos "fragmentos" se pueden usar para permitir que sistemas funcionen si se tiene Auth Basic activo (como robots.txt o validación de Let's Encrypt).<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/allowed.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Allow favicon.ico, robots.txt, .well-known/<br />
location = /favicon.ico {<br />
log_not_found off;<br />
access_log off;<br />
}<br />
<br />
# Allow robots.txt<br />
location = /robots.txt {<br />
allow all;<br />
log_not_found off;<br />
access_log off;<br />
}<br />
<br />
# Allow "Well-Known URIs" as pwe RFC 5785 (e.g. Let's Encrypt)<br />
location ~* ^/.well-known/ {<br />
auth_basic off;<br />
allow all;<br />
}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/denied.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
<br />
# Not allow txt or logs to be downloaded<br />
location ~* \.(txt|log)$ {<br />
deny all;<br />
}<br />
<br />
# Not allow execute php in hidden folders<br />
location ~ \..*/.\.php$ {<br />
return 403;<br />
}<br />
<br />
# Not allow "hidden files"<br />
location ~ (^|/)\. {<br />
return 403;<br />
}<br />
<br />
# Not allow *.json or *.lock<br />
location ~* \.(json|lock)$ {<br />
return 403;<br />
}<br />
<br />
# Deny *.ht<br />
location ~ /\.ht {<br />
deny all;<br />
}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/hsts.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: if we set another header in a location we've to<br />
# rewrite it<br />
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;<br />
</syntaxhighlight><br />
<br />
* Configurar sites-available:<br />
En al carpeta /etc/nginx/sites-available/ se almacenan todos los Virtual Hosts disponibles.<br />
En Nginx hay que personalizar cada uno por cada tipo de aplicación.<br />
Hay que tener en cuenta las diferentes URL's.<br />
<br />
* Configurar sites-enabled:<br />
Se suelen configurar enlaces simbólicos con la carpeta sites-available para activarlos.<br />
Por ejemplo:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default</syntaxhighlight><br />
<br />
* Reiniciar Nginx:<br />
<syntaxhighlight lang="Bash">systemctl restart nginx</syntaxhighlight><br />
<br />
== Configuración MariaDB ==<br />
* Conectar a MariaDB<br />
<syntaxhighlight lang="Bash">mariadb</syntaxhighlight><br />
<br />
* Opción 1: Permitir conexiones por TCP (sólo desde localhost)<br />
<syntaxhighlight lang="Sql"><br />
grant all privileges on *.* to 'root'@'localhost' identified by 'password' with grant option;<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
* Opción 2: Permitir conexiones por Sockets UNIX (sólo desde localhost)<br />
<syntaxhighlight lang="Sql"><br />
grant all privileges on *.* to 'root'@'localhost' identified via unix_socket with grant option;<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
Nota: esta opción es la que suelo usar yo (no se pueden usar los dos a la vez).<br />
<br />
* Habilitar conexiones remotas<br />
<syntaxhighlight lang="Bash"><br />
vi /etc/mysql/mariadb.conf.d/50-server.cnf<br />
</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
# Instead of skip-networking the default is now to listen only on<br />
# localhost which is more compatible and is not less secure.<br />
#bind-address = 127.0.0.1<br />
bind-address = 0.0.0.0<br />
[...]<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
systemctl restart mariadb.service<br />
</syntaxhighlight><br />
<br />
Nota 1: vamos a necesitar deshabilitar el Bind Address para los contenedores de [[Docker Engine]].<br />
<br />
Nota 2: el puerto 3306/tcp de MariaDB no se va a ver expuesto a Internet, porque no se va a habilitar en el firewall.<br />
<br />
== Habilitar puertos en cortafuegos ==<br />
<syntaxhighlight lang="Bash">ufw allow 80/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">ufw allow 443/tcp</syntaxhighlight><br />
<br />
== Virtual Host de ejemplo ==<br />
=== Generar certificados autofirmados (temporales) ===<br />
Estos certificados los vamos a generar sólo para levantar el Virtual Host y los sustituiremos por unos de Let's Encrypt.<br />
* Generamos clave privada:<br />
<syntaxhighlight lang="Bash">cd /etc/ssl/private</syntaxhighlight><br />
<syntaxhighlight lang="Bash">openssl genrsa -out selfsigned.key</syntaxhighlight><br />
<br />
* Generamos petición de firma (CSR):<br />
<syntaxhighlight lang="Bash"><br />
openssl req -key selfsigned.key -new -out selfsigned.csr<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [AU]:ES<br />
State or Province Name (full name) [Some-State]:Madrid<br />
Locality Name (eg, city) []:Madrid<br />
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GCV<br />
Organizational Unit Name (eg, section) []:GCV<br />
Common Name (e.g. server FQDN or YOUR name) []:www.culturetas.net<br />
Email Address []:<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
</syntaxhighlight><br />
<br />
* Auto-firmamos con la misma firma:<br />
<syntaxhighlight lang="Bash">openssl x509 -signkey selfsigned.key -in selfsigned.csr -req -days 365 -out selfsigned.crt</syntaxhighlight><br />
<br />
* Movemos certificados a las carpetas correctas:<br />
<syntaxhighlight lang="Bash">mv selfsigned.key /etc/ssl/private/</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv selfsigned.crt /etc/ssl/certs/</syntaxhighlight><br />
<syntaxhighlight lang="Bash">rm selfsigned.csr</syntaxhighlight><br />
<br />
* Referencia: [https://www.baeldung.com/openssl-self-signed-cert https://www.baeldung.com/openssl-self-signed-cert]<br />
<br />
=== Dar de alta Virtual Host en Nginx ===<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
##<br />
# You should look at the following URL's in order to grasp a solid understanding<br />
# of Nginx configuration files in order to fully unleash the power of Nginx.<br />
# http://wiki.nginx.org/Pitfalls<br />
# http://wiki.nginx.org/QuickStart<br />
# http://wiki.nginx.org/Configuration<br />
#<br />
# Generally, you will want to move this file somewhere, and start with a clean<br />
# file but keep this around for reference. Or just disable in sites-enabled.<br />
#<br />
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.<br />
##<br />
<br />
# Default server configuration<br />
#<br />
server {<br />
# Redirect HTTP to HTTPS<br />
listen 80 default_server;<br />
listen [::]:80 default_server;<br />
server_name www.culturetas.net culturetas.net;<br />
# Redirect HTTP to HTTPS<br />
return 301 https://$host$request_uri;<br />
}<br />
<br />
server {<br />
# SSL configuration<br />
#<br />
listen 443 ssl http2 default_server;<br />
listen [::]:443 ssl http2 default_server;<br />
ssl_certificate /etc/ssl/certs/selfsigned.crt;<br />
ssl_certificate_key /etc/ssl/private/selfsigned.key;<br />
#<br />
# Note: You should disable gzip for SSL traffic.<br />
# See: https://bugs.debian.org/773332<br />
#<br />
# Read up on ssl_ciphers to ensure a secure configuration.<br />
# See: https://bugs.debian.org/765782<br />
#<br />
# Self signed certs generated by the ssl-cert package<br />
# Don't use them in a production server!<br />
#<br />
# include snippets/snakeoil.conf;<br />
<br />
root /var/www/culturetas.net;<br />
<br />
# Add index.php to the list if you are using PHP<br />
index index.php index.html index.htm;<br />
<br />
server_name www.culturetas.net culturetas.net;<br />
<br />
access_log /var/log/nginx/culturetas.net-access.log;<br />
error_log /var/log/nginx/culturetas.net-error.log;<br />
<br />
# # Auth Basic (for developing)<br />
# auth_basic "Pagina Restringida";<br />
# auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net;<br />
<br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: reinclude if in a location a header is set<br />
include snippets/hsts.conf;<br />
<br />
# Allow favicon.ico, robots.txt, .well-known/<br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
include snippets/allowed.conf;<br />
include snippets/denied.conf;<br />
<br />
location / {<br />
# First attempt to serve request as file, then<br />
# as directory, then fall back to displaying a 404.<br />
#try_files $uri $uri/ =404;<br />
try_files $uri $uri/ /index.php?$args;<br />
}<br />
<br />
# pass the PHP scripts to FastCGI server<br />
#<br />
location ~ \.php$ {<br />
include snippets/fastcgi-php.conf;<br />
<br />
# # With php8.5-cgi alone (TCP Ports):<br />
# fastcgi_pass 127.0.0.1:9000;<br />
# With php8.5-fpm (UNIX Socket):<br />
fastcgi_pass unix:/run/php/php8.5-fpm.sock;<br />
}<br />
<br />
# Disable hidden files<br />
location ~ /\. {<br />
deny all;<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
=== Desactivar Virtual Host por defecto ===<br />
<syntaxhighlight lang="Bash">rm /etc/nginx/sites-enabled/default</syntaxhighlight><br />
<br />
=== Activar Virtual Host nuevo ===<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/culturetas.net /etc/nginx/sites-enabled/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar nuevas claves con Let's Encrypt ===<br />
El certbot de Let's Encrypt ya contiene un plugin que gestiona Nginx.<br />
Usándolo no sólo nos generará automáticamente las claves y certificados, si no que lo aplicará en el servidor por nosotros.<br />
Además, también se encargará de la renovación, por lo que desatiende toda esa parte de gestión de certificados.<br />
<br />
<syntaxhighlight lang="Bash"><br />
certbot --nginx<br />
Saving debug log to /var/log/letsencrypt/letsencrypt.log<br />
Enter email address or hit Enter to skip.<br />
(Enter 'c' to cancel): admin@ejemplo.com<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Please read the Terms of Service at:<br />
https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf<br />
You must agree in order to register with the ACME server. Do you agree?<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
(Y)es/(N)o: Y<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Would you be willing, once your first certificate is successfully issued, to<br />
share your email address with the Electronic Frontier Foundation, a founding<br />
partner of the Let's Encrypt project and the non-profit organization that<br />
develops Certbot? We'd like to send you email about our work encrypting the web,<br />
EFF news, campaigns, and ways to support digital freedom.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
(Y)es/(N)o: N<br />
Account registered.<br />
<br />
Which names would you like to activate HTTPS for?<br />
We recommend selecting either all domains, or all domains in a VirtualHost/server block.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
1: culturetas.net<br />
2: www.culturetas.net<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Select the appropriate numbers separated by commas and/or spaces, or leave input<br />
blank to select all options shown (Enter 'c' to cancel): 1,2<br />
Requesting a certificate for culturetas.net and www.culturetas.net<br />
<br />
Successfully received certificate.<br />
Certificate is saved at: /etc/letsencrypt/live/culturetas.net/fullchain.pem<br />
Key is saved at: /etc/letsencrypt/live/culturetas.net/privkey.pem<br />
This certificate expires on 2026-05-25.<br />
These files will be updated when the certificate renews.<br />
Certbot has set up a scheduled task to automatically renew this certificate in the background.<br />
<br />
Deploying certificate<br />
Successfully deployed certificate for culturetas.net to /etc/nginx/sites-enabled/culturetas.net<br />
Successfully deployed certificate for www.culturetas.net to /etc/nginx/sites-enabled/culturetas.net<br />
Congratulations! You have successfully enabled HTTPS on https://culturetas.net and https://www.culturetas.net<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
If you like Certbot, please consider supporting our work by:<br />
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate<br />
* Donating to EFF: https://eff.org/donate-le<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
</syntaxhighlight><br />
<br />
=== Desplegar página de ejemplo ===<br />
<syntaxhighlight lang="Bash">mkdir /var/www/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /var/www/culturetas.net/index.html</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<!DOCTYPE html><br />
<html lang="es"><br />
<head><br />
<meta charset="UTF-8" /><br />
<meta name="viewport" content="width=device-width, initial-scale=1.0"/><br />
<title>Culturetas.net - En construcción</title><br />
<style><br />
body {<br />
margin: 0;<br />
padding: 0;<br />
height: 100vh;<br />
font-family: system-ui, -apple-system, sans-serif;<br />
background: linear-gradient(135deg, #1e3a8a 0%, #3b82f6 100%);<br />
color: white;<br />
display: flex;<br />
flex-direction: column;<br />
align-items: center;<br />
justify-content: center;<br />
text-align: center;<br />
}<br />
<br />
.container {<br />
max-width: 700px;<br />
padding: 20px;<br />
}<br />
<br />
h1 {<br />
font-size: 4.5rem;<br />
margin: 0.2em 0;<br />
font-weight: 800;<br />
letter-spacing: -1px;<br />
text-shadow: 0 4px 12px rgba(0,0,0,0.3);<br />
}<br />
<br />
.subtitle {<br />
font-size: 1.6rem;<br />
margin: 0.8em 0 1.5em;<br />
opacity: 0.95;<br />
}<br />
<br />
.construction {<br />
font-size: 8rem;<br />
margin: 0.3em 0;<br />
animation: bounce 3s infinite;<br />
}<br />
<br />
p {<br />
font-size: 1.3rem;<br />
line-height: 1.6;<br />
max-width: 600px;<br />
margin: 1.5em auto;<br />
opacity: 0.9;<br />
}<br />
<br />
.soon {<br />
font-size: 2rem;<br />
font-weight: bold;<br />
margin-top: 2rem;<br />
color: #fef08a;<br />
text-shadow: 0 2px 10px rgba(0,0,0,0.4);<br />
}<br />
<br />
@keyframes bounce {<br />
0%, 20%, 50%, 80%, 100% { transform: translateY(0); }<br />
40% { transform: translateY(-25px); }<br />
60% { transform: translateY(-12px); }<br />
}<br />
<br />
@media (max-width: 600px) {<br />
h1 { font-size: 3.2rem; }<br />
.construction { font-size: 6rem; }<br />
.subtitle { font-size: 1.3rem; }<br />
}<br />
</style><br />
</head><br />
<body><br />
<br />
<div class="container"><br />
<div class="construction">🚧</div><br />
<h1>Culturetas.net</h1><br />
<div class="subtitle">Está en construcción</div><br />
<br />
<p>Estamos trabajando para traerte un espacio mucho más bonito, rápido y con mucho más contenido cultural interesante.</p><br />
<br />
<p>¡Vuelve en unos días y te sorprenderás!</p><br />
<br />
<div class="soon">Próximamente... ✨</div><br />
</div><br />
<br />
</body><br />
</html><br />
</syntaxhighlight><br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=LEMP&diff=188LEMP2026-04-18T18:55:38Z<p>Guzman: </p>
<hr />
<div>== Instalación servidor LEMP ==<br />
Instalaremos:<br />
* GNU Linux (Ubuntu Server 24.04)<br />
* eNginx 1.24.0 (APT Ubuntu)<br />
* MariaDB 10.8 (Repo oficiales de MariaDB)<br />
* PHP 8.5 (PPA ondrej/php)<br />
<br />
== Permisos de root ==<br />
Todos los comandos en esta guía se realizarán como root.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<br />
== Instalación Nginx (Stable) ==<br />
* Actualizar repositorio<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalar Nginx<br />
<syntaxhighlight lang="Bash">apt install nginx</syntaxhighlight><br />
<br />
* Instalación Apache Utils<br />
<syntaxhighlight lang="Bash">apt install apache2-utils</syntaxhighlight><br />
<br />
== Instalación MariaDB ==<br />
* Instalar requisitos<br />
<syntaxhighlight lang="Bash">apt install apt-transport-https curl</syntaxhighlight><br />
<br />
* Añadir repositorios MariaDB (oficiales)<br />
<syntaxhighlight lang="Bash">mkdir -p /etc/apt/keyrings</syntaxhighlight><br />
<syntaxhighlight lang="Bash">curl -o /etc/apt/keyrings/mariadb-keyring.pgp 'https://mariadb.org/mariadb_release_signing_key.pgp'</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/apt/sources.list.d/mariadb.sources</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# MariaDB 11.8 repository list - created 2026-02-23 08:31 UTC<br />
# https://mariadb.org/download/<br />
X-Repolib-Name: MariaDB<br />
Types: deb<br />
# deb.mariadb.org is a dynamic mirror if your preferred mirror goes offline. See https://mariadb.org/mirrorbits/ for details.<br />
# URIs: https://deb.mariadb.org/11.8/ubuntu<br />
URIs: https://mirror.raiolanetworks.com/mariadb/repo/11.8/ubuntu<br />
Suites: noble<br />
Components: main main/debug<br />
Signed-By: /etc/apt/keyrings/mariadb-keyring.pgp<br />
</syntaxhighlight><br />
<br />
* Actualizar repositorio<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalación de servidor y cliente<br />
<syntaxhighlight lang="Bash">apt install mariadb-client mariadb-server mariadb-plugin-provider-bzip2 mariadb-plugin-provider-lz4 mariadb-plugin-provider-lzma mariadb-plugin-provider-lzo mariadb-plugin-provider-snappy</syntaxhighlight><br />
<br />
* Inicializar base de datos<br />
<syntaxhighlight lang="Bash">mysql_secure_installation</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB<br />
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!<br />
<br />
In order to log into MariaDB to secure it, we'll need the current<br />
password for the root user. If you've just installed MariaDB, and<br />
haven't set the root password yet, you should just press enter here.<br />
<br />
Enter current password for root (enter for none):<br />
OK, successfully used password, moving on...<br />
<br />
Setting the root password or using the unix_socket ensures that nobody<br />
can log into the MariaDB root user without the proper authorisation.<br />
<br />
You already have your root account protected, so you can safely answer 'n'.<br />
<br />
Switch to unix_socket authentication [Y/n] n<br />
... skipping.<br />
<br />
You already have your root account protected, so you can safely answer 'n'.<br />
<br />
Change the root password? [Y/n] y<br />
New password:<br />
Re-enter new password:<br />
Password updated successfully!<br />
Reloading privilege tables..<br />
... Success!<br />
<br />
<br />
By default, a MariaDB installation has an anonymous user, allowing anyone<br />
to log into MariaDB without having to have a user account created for<br />
them. This is intended only for testing, and to make the installation<br />
go a bit smoother. You should remove them before moving into a<br />
production environment.<br />
<br />
Remove anonymous users? [Y/n] y<br />
... Success!<br />
<br />
Normally, root should only be allowed to connect from 'localhost'. This<br />
ensures that someone cannot guess at the root password from the network.<br />
<br />
Disallow root login remotely? [Y/n] Y<br />
... Success!<br />
<br />
By default, MariaDB comes with a database named 'test' that anyone can<br />
access. This is also intended only for testing, and should be removed<br />
before moving into a production environment.<br />
<br />
Remove test database and access to it? [Y/n] Y<br />
- Dropping test database...<br />
... Success!<br />
- Removing privileges on test database...<br />
... Success!<br />
<br />
Reloading the privilege tables will ensure that all changes made so far<br />
will take effect immediately.<br />
<br />
Reload privilege tables now? [Y/n] Y<br />
... Success!<br />
<br />
Cleaning up...<br />
<br />
All done! If you've completed all of the above steps, your MariaDB<br />
installation should now be secure.<br />
<br />
Thanks for using MariaDB!<br />
</syntaxhighlight><br />
<br />
== Instalación PHP ==<br />
Vamos a usar los repositorios PPA de ondrej/php<br />
<br />
* Instalar repositorio PPA<br />
<syntaxhighlight lang="Bash">add-apt-repository ppa:ondrej/php</syntaxhighlight><br />
<br />
* Actualizar repositorios<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalar PHP 8.5<br />
<syntaxhighlight lang="Bash">apt install php8.5 php8.5-apcu php8.5-common php8.5-fpm php8.5-curl php8.5-gd php8.5-mysql php8.5-xml php8.5-xmlrpc php8.5-bz2 php8.5-imap php8.5-intl php8.5-mbstring php8.5-soap php8.5-gnupg php8.5-imagick php8.5-mcrypt php8.5-zip</syntaxhighlight><br />
<br />
== Instalación Let's Encrypt ==<br />
Vamos a usar Let's Encrypt para generar las claves y certificados usadas para comunicaciones HTTPS.<br />
<br />
* Instalar Snap Core<br />
<syntaxhighlight lang="Bash">snap install core</syntaxhighlight><br />
<br />
* Refrescar Snap Core<br />
<syntaxhighlight lang="Bash">snap refresh core</syntaxhighlight><br />
<br />
* Instalar Certbot<br />
<syntaxhighlight lang="Bash">snap install --classic certbot</syntaxhighlight><br />
<br />
* Crear enlace simbólico<br />
<syntaxhighlight lang="Bash">ln -s /snap/bin/certbot /usr/local/bin/certbot</syntaxhighlight><br />
<br />
* Comprobar que está activada el timer de renovación<br />
<syntaxhighlight lang="Bash"><br />
systemctl list-timers | grep certbot<br />
Mon 2026-02-23 11:47:00 UTC 12h - - snap.certbot.renew.timer snap.certbot.renew.service<br />
</syntaxhighlight><br />
<br />
== Configuración PHP ==<br />
* Configuración php-fpm:<br />
<syntaxhighlight lang="Bash">vi /etc/php/8.5/fpm/php.ini</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
; Maximum amount of memory a script may consume<br />
; https://php.net/memory-limit<br />
memory_limit = 128M<br />
max_memory_limit = -1<br />
[...]<br />
; Maximum size of POST data that PHP will accept.<br />
; Its value may be 0 to disable the limit. It is ignored if POST data reading<br />
; is disabled through enable_post_data_reading.<br />
; https://php.net/post-max-size<br />
post_max_size = 100M<br />
[...]<br />
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's<br />
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok<br />
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting<br />
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting<br />
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts<br />
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.<br />
; https://php.net/cgi.fix-pathinfo<br />
cgi.fix_pathinfo=0<br />
[...]<br />
; Whether to allow HTTP file uploads.<br />
; https://php.net/file-uploads<br />
file_uploads = On<br />
[...]<br />
; Maximum allowed size for uploaded files.<br />
; https://php.net/upload-max-filesize<br />
upload_max_filesize = 100M<br />
[...]<br />
; Maximum number of files that can be uploaded via a single request<br />
max_file_uploads = 20<br />
[...]<br />
[Session]<br />
; Handler used to store/retrieve data.<br />
; https://php.net/session.save-handler<br />
session.save_handler = files<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Configuración php-cli:<br />
<syntaxhighlight lang="Bash">vi /etc/php/8.5/cli/php.ini</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
; Maximum amount of memory a script may consume<br />
; https://php.net/memory-limit<br />
memory_limit = -1<br />
max_memory_limit = -1<br />
[...]<br />
; Maximum size of POST data that PHP will accept.<br />
; Its value may be 0 to disable the limit. It is ignored if POST data reading<br />
; is disabled through enable_post_data_reading.<br />
; https://php.net/post-max-size<br />
post_max_size = 100M<br />
[...]<br />
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's<br />
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok<br />
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting<br />
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting<br />
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts<br />
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.<br />
; https://php.net/cgi.fix-pathinfo<br />
cgi.fix_pathinfo=0<br />
[...]<br />
; Whether to allow HTTP file uploads.<br />
; https://php.net/file-uploads<br />
file_uploads = On<br />
[...]<br />
; Maximum allowed size for uploaded files.<br />
; https://php.net/upload-max-filesize<br />
upload_max_filesize = 100M<br />
[...]<br />
; Maximum number of files that can be uploaded via a single request<br />
max_file_uploads = 20<br />
[...]<br />
[Session]<br />
; Handler used to store/retrieve data.<br />
; https://php.net/session.save-handler<br />
session.save_handler = files<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Reiniciar php-fpm:<br />
<syntaxhighlight lang="Bash">systemctl restart php8.5-fpm.service</syntaxhighlight><br />
<br />
== Configuración Nginx ==<br />
* Backup nginx.conf<br />
<syntaxhighlight lang="Bash">cp -a /etc/nginx/nginx.conf /etc/nginx/nginx.conf.$(date +%Y%m%d)</syntaxhighlight><br />
<br />
* Editar nginx.conf<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/nginx.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
http {<br />
##<br />
# Basic Settings<br />
##<br />
sendfile on;<br />
tcp_nopush on;<br />
types_hash_max_size 2048;<br />
client_max_body_size 100M;<br />
server_tokens off;<br />
[...]<br />
##<br />
# SSL Settings<br />
##<br />
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE<br />
ssl_protocols TLSv1.2 TLSv1.3;<br />
ssl_prefer_server_ciphers on;<br />
ssl_dhparam /etc/nginx/ssl/dhparam.pem;<br />
[...]<br />
}<br />
</syntaxhighlight><br />
<br />
* Generar PHParam:<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/ssl</syntaxhighlight><br />
<syntaxhighlight lang="Bash">openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096</syntaxhighlight><br />
<br />
* Configurar contraseñas:<br />
Si se quiere configurar contraseñas Auth Basic se almacenan en /etc/nginx/passwd.<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/passwd</syntaxhighlight><br />
Por ejemplo:<br />
<syntaxhighlight lang="Bash">htpasswd -c -B /etc/nginx/passwd/test.pw guzman</syntaxhighlight><br />
<br />
* Configurar snippets:<br />
Estos "fragmentos" se pueden usar para permitir que sistemas funcionen si se tiene Auth Basic activo (como robots.txt o validación de Let's Encrypt).<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/allowed.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Allow favicon.ico, robots.txt, .well-known/<br />
location = /favicon.ico {<br />
log_not_found off;<br />
access_log off;<br />
}<br />
<br />
# Allow robots.txt<br />
location = /robots.txt {<br />
allow all;<br />
log_not_found off;<br />
access_log off;<br />
}<br />
<br />
# Allow "Well-Known URIs" as pwe RFC 5785 (e.g. Let's Encrypt)<br />
location ~* ^/.well-known/ {<br />
auth_basic off;<br />
allow all;<br />
}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/denied.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
<br />
# Not allow txt or logs to be downloaded<br />
location ~* \.(txt|log)$ {<br />
deny all;<br />
}<br />
<br />
# Not allow execute php in hidden folders<br />
location ~ \..*/.\.php$ {<br />
return 403;<br />
}<br />
<br />
# Not allow "hidden files"<br />
location ~ (^|/)\. {<br />
return 403;<br />
}<br />
<br />
# Not allow *.json or *.lock<br />
location ~* \.(json|lock)$ {<br />
return 403;<br />
}<br />
<br />
# Deny *.ht<br />
location ~ /\.ht {<br />
deny all;<br />
}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/hsts.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: if we set another header in a location we've to<br />
# rewrite it<br />
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;<br />
</syntaxhighlight><br />
<br />
* Configurar sites-available:<br />
En al carpeta /etc/nginx/sites-available/ se almacenan todos los Virtual Hosts disponibles.<br />
En Nginx hay que personalizar cada uno por cada tipo de aplicación.<br />
Hay que tener en cuenta las diferentes URL's.<br />
<br />
* Configurar sites-enabled:<br />
Se suelen configurar enlaces simbólicos con la carpeta sites-available para activarlos.<br />
Por ejemplo:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default</syntaxhighlight><br />
<br />
* Reiniciar Nginx:<br />
<syntaxhighlight lang="Bash">systemctl restart nginx</syntaxhighlight><br />
<br />
== Configuración MariaDB ==<br />
* Conectar a MariaDB<br />
<syntaxhighlight lang="Bash">mariadb</syntaxhighlight><br />
<br />
* Opción 1: Permitir conexiones por TCP (sólo desde localhost)<br />
<syntaxhighlight lang="Sql"><br />
grant all privileges on *.* to 'root'@'localhost' identified by 'password' with grant option;<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
* Opción 2: Permitir conexiones por Sockets UNIX (sólo desde localhost)<br />
<syntaxhighlight lang="Sql"><br />
grant all privileges on *.* to 'root'@'localhost' identified via unix_socket with grant option;<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
Nota: esta opción es la que suelo usar yo (no se pueden usar los dos a la vez).<br />
<br />
* Habilitar conexiones remotas<br />
<syntaxhighlight lang="Bash"><br />
vi /etc/mysql/mariadb.conf.d/50-server.cnf<br />
</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
# Instead of skip-networking the default is now to listen only on<br />
# localhost which is more compatible and is not less secure.<br />
#bind-address = 127.0.0.1<br />
bind-address = 0.0.0.0<br />
[...]<br />
</syntaxhighlight><br />
<br />
Nota 1: vamos a necesitar deshabilitar el Bind Address para los contenedores de [[Docker Engine]].<br />
<br />
Nota 2: el puerto 3306/tcp de MariaDB no se va a ver expuesto a Internet, porque no se va a habilitar en el firewall.<br />
<br />
== Habilitar puertos en cortafuegos ==<br />
<syntaxhighlight lang="Bash">ufw allow 80/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">ufw allow 443/tcp</syntaxhighlight><br />
<br />
== Virtual Host de ejemplo ==<br />
=== Generar certificados autofirmados (temporales) ===<br />
Estos certificados los vamos a generar sólo para levantar el Virtual Host y los sustituiremos por unos de Let's Encrypt.<br />
* Generamos clave privada:<br />
<syntaxhighlight lang="Bash">cd /etc/ssl/private</syntaxhighlight><br />
<syntaxhighlight lang="Bash">openssl genrsa -out selfsigned.key</syntaxhighlight><br />
<br />
* Generamos petición de firma (CSR):<br />
<syntaxhighlight lang="Bash"><br />
openssl req -key selfsigned.key -new -out selfsigned.csr<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [AU]:ES<br />
State or Province Name (full name) [Some-State]:Madrid<br />
Locality Name (eg, city) []:Madrid<br />
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GCV<br />
Organizational Unit Name (eg, section) []:GCV<br />
Common Name (e.g. server FQDN or YOUR name) []:www.culturetas.net<br />
Email Address []:<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
</syntaxhighlight><br />
<br />
* Auto-firmamos con la misma firma:<br />
<syntaxhighlight lang="Bash">openssl x509 -signkey selfsigned.key -in selfsigned.csr -req -days 365 -out selfsigned.crt</syntaxhighlight><br />
<br />
* Movemos certificados a las carpetas correctas:<br />
<syntaxhighlight lang="Bash">mv selfsigned.key /etc/ssl/private/</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv selfsigned.crt /etc/ssl/certs/</syntaxhighlight><br />
<syntaxhighlight lang="Bash">rm selfsigned.csr</syntaxhighlight><br />
<br />
* Referencia: [https://www.baeldung.com/openssl-self-signed-cert https://www.baeldung.com/openssl-self-signed-cert]<br />
<br />
=== Dar de alta Virtual Host en Nginx ===<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
##<br />
# You should look at the following URL's in order to grasp a solid understanding<br />
# of Nginx configuration files in order to fully unleash the power of Nginx.<br />
# http://wiki.nginx.org/Pitfalls<br />
# http://wiki.nginx.org/QuickStart<br />
# http://wiki.nginx.org/Configuration<br />
#<br />
# Generally, you will want to move this file somewhere, and start with a clean<br />
# file but keep this around for reference. Or just disable in sites-enabled.<br />
#<br />
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.<br />
##<br />
<br />
# Default server configuration<br />
#<br />
server {<br />
# Redirect HTTP to HTTPS<br />
listen 80 default_server;<br />
listen [::]:80 default_server;<br />
server_name www.culturetas.net culturetas.net;<br />
# Redirect HTTP to HTTPS<br />
return 301 https://$host$request_uri;<br />
}<br />
<br />
server {<br />
# SSL configuration<br />
#<br />
listen 443 ssl http2 default_server;<br />
listen [::]:443 ssl http2 default_server;<br />
ssl_certificate /etc/ssl/certs/selfsigned.crt;<br />
ssl_certificate_key /etc/ssl/private/selfsigned.key;<br />
#<br />
# Note: You should disable gzip for SSL traffic.<br />
# See: https://bugs.debian.org/773332<br />
#<br />
# Read up on ssl_ciphers to ensure a secure configuration.<br />
# See: https://bugs.debian.org/765782<br />
#<br />
# Self signed certs generated by the ssl-cert package<br />
# Don't use them in a production server!<br />
#<br />
# include snippets/snakeoil.conf;<br />
<br />
root /var/www/culturetas.net;<br />
<br />
# Add index.php to the list if you are using PHP<br />
index index.php index.html index.htm;<br />
<br />
server_name www.culturetas.net culturetas.net;<br />
<br />
access_log /var/log/nginx/culturetas.net-access.log;<br />
error_log /var/log/nginx/culturetas.net-error.log;<br />
<br />
# # Auth Basic (for developing)<br />
# auth_basic "Pagina Restringida";<br />
# auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net;<br />
<br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: reinclude if in a location a header is set<br />
include snippets/hsts.conf;<br />
<br />
# Allow favicon.ico, robots.txt, .well-known/<br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
include snippets/allowed.conf;<br />
include snippets/denied.conf;<br />
<br />
location / {<br />
# First attempt to serve request as file, then<br />
# as directory, then fall back to displaying a 404.<br />
#try_files $uri $uri/ =404;<br />
try_files $uri $uri/ /index.php?$args;<br />
}<br />
<br />
# pass the PHP scripts to FastCGI server<br />
#<br />
location ~ \.php$ {<br />
include snippets/fastcgi-php.conf;<br />
<br />
# # With php8.5-cgi alone (TCP Ports):<br />
# fastcgi_pass 127.0.0.1:9000;<br />
# With php8.5-fpm (UNIX Socket):<br />
fastcgi_pass unix:/run/php/php8.5-fpm.sock;<br />
}<br />
<br />
# Disable hidden files<br />
location ~ /\. {<br />
deny all;<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
=== Desactivar Virtual Host por defecto ===<br />
<syntaxhighlight lang="Bash">rm /etc/nginx/sites-enabled/default</syntaxhighlight><br />
<br />
=== Activar Virtual Host nuevo ===<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/culturetas.net /etc/nginx/sites-enabled/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar nuevas claves con Let's Encrypt ===<br />
El certbot de Let's Encrypt ya contiene un plugin que gestiona Nginx.<br />
Usándolo no sólo nos generará automáticamente las claves y certificados, si no que lo aplicará en el servidor por nosotros.<br />
Además, también se encargará de la renovación, por lo que desatiende toda esa parte de gestión de certificados.<br />
<br />
<syntaxhighlight lang="Bash"><br />
certbot --nginx<br />
Saving debug log to /var/log/letsencrypt/letsencrypt.log<br />
Enter email address or hit Enter to skip.<br />
(Enter 'c' to cancel): admin@ejemplo.com<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Please read the Terms of Service at:<br />
https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf<br />
You must agree in order to register with the ACME server. Do you agree?<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
(Y)es/(N)o: Y<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Would you be willing, once your first certificate is successfully issued, to<br />
share your email address with the Electronic Frontier Foundation, a founding<br />
partner of the Let's Encrypt project and the non-profit organization that<br />
develops Certbot? We'd like to send you email about our work encrypting the web,<br />
EFF news, campaigns, and ways to support digital freedom.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
(Y)es/(N)o: N<br />
Account registered.<br />
<br />
Which names would you like to activate HTTPS for?<br />
We recommend selecting either all domains, or all domains in a VirtualHost/server block.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
1: culturetas.net<br />
2: www.culturetas.net<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Select the appropriate numbers separated by commas and/or spaces, or leave input<br />
blank to select all options shown (Enter 'c' to cancel): 1,2<br />
Requesting a certificate for culturetas.net and www.culturetas.net<br />
<br />
Successfully received certificate.<br />
Certificate is saved at: /etc/letsencrypt/live/culturetas.net/fullchain.pem<br />
Key is saved at: /etc/letsencrypt/live/culturetas.net/privkey.pem<br />
This certificate expires on 2026-05-25.<br />
These files will be updated when the certificate renews.<br />
Certbot has set up a scheduled task to automatically renew this certificate in the background.<br />
<br />
Deploying certificate<br />
Successfully deployed certificate for culturetas.net to /etc/nginx/sites-enabled/culturetas.net<br />
Successfully deployed certificate for www.culturetas.net to /etc/nginx/sites-enabled/culturetas.net<br />
Congratulations! You have successfully enabled HTTPS on https://culturetas.net and https://www.culturetas.net<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
If you like Certbot, please consider supporting our work by:<br />
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate<br />
* Donating to EFF: https://eff.org/donate-le<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
</syntaxhighlight><br />
<br />
=== Desplegar página de ejemplo ===<br />
<syntaxhighlight lang="Bash">mkdir /var/www/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /var/www/culturetas.net/index.html</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<!DOCTYPE html><br />
<html lang="es"><br />
<head><br />
<meta charset="UTF-8" /><br />
<meta name="viewport" content="width=device-width, initial-scale=1.0"/><br />
<title>Culturetas.net - En construcción</title><br />
<style><br />
body {<br />
margin: 0;<br />
padding: 0;<br />
height: 100vh;<br />
font-family: system-ui, -apple-system, sans-serif;<br />
background: linear-gradient(135deg, #1e3a8a 0%, #3b82f6 100%);<br />
color: white;<br />
display: flex;<br />
flex-direction: column;<br />
align-items: center;<br />
justify-content: center;<br />
text-align: center;<br />
}<br />
<br />
.container {<br />
max-width: 700px;<br />
padding: 20px;<br />
}<br />
<br />
h1 {<br />
font-size: 4.5rem;<br />
margin: 0.2em 0;<br />
font-weight: 800;<br />
letter-spacing: -1px;<br />
text-shadow: 0 4px 12px rgba(0,0,0,0.3);<br />
}<br />
<br />
.subtitle {<br />
font-size: 1.6rem;<br />
margin: 0.8em 0 1.5em;<br />
opacity: 0.95;<br />
}<br />
<br />
.construction {<br />
font-size: 8rem;<br />
margin: 0.3em 0;<br />
animation: bounce 3s infinite;<br />
}<br />
<br />
p {<br />
font-size: 1.3rem;<br />
line-height: 1.6;<br />
max-width: 600px;<br />
margin: 1.5em auto;<br />
opacity: 0.9;<br />
}<br />
<br />
.soon {<br />
font-size: 2rem;<br />
font-weight: bold;<br />
margin-top: 2rem;<br />
color: #fef08a;<br />
text-shadow: 0 2px 10px rgba(0,0,0,0.4);<br />
}<br />
<br />
@keyframes bounce {<br />
0%, 20%, 50%, 80%, 100% { transform: translateY(0); }<br />
40% { transform: translateY(-25px); }<br />
60% { transform: translateY(-12px); }<br />
}<br />
<br />
@media (max-width: 600px) {<br />
h1 { font-size: 3.2rem; }<br />
.construction { font-size: 6rem; }<br />
.subtitle { font-size: 1.3rem; }<br />
}<br />
</style><br />
</head><br />
<body><br />
<br />
<div class="container"><br />
<div class="construction">🚧</div><br />
<h1>Culturetas.net</h1><br />
<div class="subtitle">Está en construcción</div><br />
<br />
<p>Estamos trabajando para traerte un espacio mucho más bonito, rápido y con mucho más contenido cultural interesante.</p><br />
<br />
<p>¡Vuelve en unos días y te sorprenderás!</p><br />
<br />
<div class="soon">Próximamente... ✨</div><br />
</div><br />
<br />
</body><br />
</html><br />
</syntaxhighlight><br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Archivo:Culturetas-access-token.png&diff=185Archivo:Culturetas-access-token.png2026-04-18T18:19:51Z<p>Guzman: </p>
<hr />
<div></div>Guzmanhttps://wiki.castanedo.es/index.php?title=MariaDB&diff=176MariaDB2026-04-18T11:48:50Z<p>Guzman: </p>
<hr />
<div>== Instalación MariaDB en Docker ==<br />
Instalación de [https://hub.docker.com/_/mariadb mariadb] en Docker.<br />
Vamos a usar una imagen oficial de Docker.<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
* Nginx (ver [[LEMP]])<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar MariaDB 11.8 que es la versión LTS a día de hoy. <br />
<syntaxhighlight lang="Bash">docker pull mariadb:11.8-noble</syntaxhighlight><br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run --detach --name mariadb-11.8 \<br />
--env MARIADB_ROOT_PASSWORD=root \<br />
-p 127.0.0.1:3306:3306 \<br />
-v mariadb-data:/var/lib/mysql:Z \<br />
-v mariadb-backup:/var/backups/mariadb \<br />
mariadb:11.8-noble<br />
</syntaxhighlight><br />
<br />
=== Conectar a la base de datos ===<br />
Conectamos como root:<br />
<syntaxhighlight lang="Bash"><br />
docker exec -it mariadb-11.8 mariadb --host localhost --user root --password<br />
</syntaxhighlight><br />
<br />
=== Crear base de datos ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE DATABASE keycloakdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;<br />
</syntaxhighlight><br />
<br />
=== Crear usuario ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE USER keycloak IDENTIFIED BY 'keycloak';<br />
</syntaxhighlight><br />
<br />
=== Dar permisos a usuario en BD ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
GRANT ALL PRIVILEGES ON keycloakdb.* TO 'keycloak';<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
=== Comprobar permisos ===<br />
<syntaxhighlight lang="Bash"><br />
SHOW GRANTS FOR 'keycloak';<br />
</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
+---------------------------------------------------------------------------------------------------------+<br />
| Grants for keycloak@% |<br />
+---------------------------------------------------------------------------------------------------------+<br />
| GRANT USAGE ON *.* TO `keycloak`@`%` IDENTIFIED BY PASSWORD '*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' |<br />
| GRANT ALL PRIVILEGES ON `keycloakdb`.* TO `keycloak`@`%` |<br />
+---------------------------------------------------------------------------------------------------------+<br />
</syntaxhighlight><br />
<br />
=== Pruebas ===<br />
Probaremos a conectar a la BBDD mediante el cliente [http://www.squirrelsql.org/ SquirrelSQL].<br />
<br />
== Realizar un Backup ==<br />
=== Crear script de backup ===<br />
<syntaxhighlight lang="Bash"><br />
docker debug mariadb-11.8<br />
</syntaxhighlight><br />
Nota: el contenedor no tiene herramientas de edición como vi.<br />
<br />
<syntaxhighlight lang="Bash"><br />
nano /var/backups/mariadb/make-mariadb-backup.sh<br />
</syntaxhighlight><br />
<br />
<syntaxhighlight lang="Bash"><br />
#!/bin/bash<br />
<br />
export DATE=$(date +%Y%m%d-%H%M%S)<br />
mkdir /var/backups/mariadb/${DATE}<br />
mariadb-backup --backup --target-dir=/var/backups/mariadb/${DATE} --user=root --password=root<br />
</syntaxhighlight><br />
<br />
<syntaxhighlight lang="Bash"><br />
chmod 755 /var/backups/mariadb/make-mariadb-backup.sh<br />
</syntaxhighlight><br />
<br />
<syntaxhighlight lang="Bash"><br />
exit<br />
</syntaxhighlight><br />
<br />
=== Ejecutar backup ===<br />
<syntaxhighlight lang="Bash"><br />
docker exec -it mariadb-11.8 /var/backups/mariadb/make-mariadb-backup.sh<br />
</syntaxhighlight><br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO MariaDB no la vamos a ejecutar en contenedores.<br />
Usaremos un servidor [[LEMP]] dedicado que usará MariaDB como base de datos.<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/_/mariadb https://hub.docker.com/_/mariadb]<br />
* [http://www.squirrelsql.org/ http://www.squirrelsql.org/]<br />
* [https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector]<br />
* [https://phoenixnap.com/kb/how-to-create-mariadb-user-grant-privileges https://phoenixnap.com/kb/how-to-create-mariadb-user-grant-privileges]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=MariaDB&diff=175MariaDB2026-04-18T11:47:16Z<p>Guzman: </p>
<hr />
<div>== Instalación MariaDB en Docker ==<br />
Instalación de [https://hub.docker.com/_/mariadb mariadb] en Docker.<br />
Vamos a usar una imagen oficial de Docker.<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
* Nginx (ver [[LEMP]])<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar MariaDB 11.8 que es la versión LTS a día de hoy. <br />
<syntaxhighlight lang="Bash">docker pull mariadb:11.8-noble</syntaxhighlight><br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run --detach --name mariadb-11.8 \<br />
--env MARIADB_ROOT_PASSWORD=root \<br />
-p 127.0.0.1:3306:3306 \<br />
-v mariadb-data:/var/lib/mysql:Z \<br />
-v mariadb-backup:/var/backups/mariadb \<br />
mariadb:11.8-noble<br />
</syntaxhighlight><br />
<br />
=== Conectar a la base de datos ===<br />
Conectamos como root:<br />
<syntaxhighlight lang="Bash"><br />
docker exec -it mariadb-11.8 mariadb --host localhost --user root --password<br />
</syntaxhighlight><br />
<br />
=== Crear base de datos ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE DATABASE keycloakdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;<br />
</syntaxhighlight><br />
<br />
=== Crear usuario ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE USER keycloak IDENTIFIED BY 'keycloak';<br />
</syntaxhighlight><br />
<br />
=== Dar permisos a usuario en BD ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
GRANT ALL PRIVILEGES ON keycloakdb.* TO 'keycloak';<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
=== Comprobar permisos ===<br />
<syntaxhighlight lang="Bash"><br />
SHOW GRANTS FOR 'keycloak';<br />
</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
+---------------------------------------------------------------------------------------------------------+<br />
| Grants for keycloak@% |<br />
+---------------------------------------------------------------------------------------------------------+<br />
| GRANT USAGE ON *.* TO `keycloak`@`%` IDENTIFIED BY PASSWORD '*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' |<br />
| GRANT ALL PRIVILEGES ON `keycloakdb`.* TO `keycloak`@`%` |<br />
+---------------------------------------------------------------------------------------------------------+<br />
</syntaxhighlight><br />
<br />
=== Pruebas ===<br />
Probaremos a conectar a la BBDD mediante el cliente [http://www.squirrelsql.org/ SquirrelSQL].<br />
<br />
== Realizar un Backup ==<br />
=== Crear script de backup ===<br />
<syntaxhighlight lang="Bash"><br />
docker debug mariadb-11.8<br />
</syntaxhighlight><br />
Nota: el contenedor no tiene herramientas de edición como vi.<br />
<br />
<syntaxhighlight lang="Bash"><br />
nano /var/backups/mariadb/make-mariadb-backup.sh<br />
</syntaxhighlight><br />
<br />
<syntaxhighlight lang="Bash"><br />
#!/bin/bash<br />
<br />
DATE=$(date +%Y%m%d-%H%M%S)<br />
mkdir /var/backups/mariadb/${DATE}<br />
mariadb-backup --backup --target-dir=/var/backups/mariadb/${DATE} --user=root --password=root<br />
</syntaxhighlight><br />
<br />
<syntaxhighlight lang="Bash"><br />
chmod 755 /var/backups/mariadb/make-mariadb-backup.sh<br />
</syntaxhighlight><br />
<br />
<syntaxhighlight lang="Bash"><br />
exit<br />
</syntaxhighlight><br />
<br />
=== Ejecutar backup ===<br />
<syntaxhighlight lang="Bash"><br />
docker exec -it mariadb-11.8 /var/backups/mariadb/make-mariadb-backup.sh<br />
</syntaxhighlight><br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO MariaDB no la vamos a ejecutar en contenedores.<br />
Usaremos un servidor [[LEMP]] dedicado que usará MariaDB como base de datos.<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/_/mariadb https://hub.docker.com/_/mariadb]<br />
* [http://www.squirrelsql.org/ http://www.squirrelsql.org/]<br />
* [https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector]<br />
* [https://phoenixnap.com/kb/how-to-create-mariadb-user-grant-privileges https://phoenixnap.com/kb/how-to-create-mariadb-user-grant-privileges]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=MariaDB&diff=174MariaDB2026-04-18T10:57:47Z<p>Guzman: </p>
<hr />
<div>== Instalación MariaDB en Docker ==<br />
Instalación de [https://hub.docker.com/_/mariadb mariadb] en Docker.<br />
Vamos a usar una imagen oficial de Docker.<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
* Nginx (ver [[LEMP]])<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar MariaDB 11.8 que es la versión LTS a día de hoy. <br />
<syntaxhighlight lang="Bash">docker pull mariadb:11.8-noble</syntaxhighlight><br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run --detach --name mariadb-11.8 \<br />
--env MARIADB_ROOT_PASSWORD=root \<br />
-p 127.0.0.1:3306:3306 \<br />
-v mariadb-data:/var/lib/mysql:Z \<br />
-v mariadb-backup:/var/backups/mariadb \<br />
mariadb:11.8-noble<br />
</syntaxhighlight><br />
<br />
=== Conectar a la base de datos ===<br />
Conectamos como root:<br />
<syntaxhighlight lang="Bash"><br />
docker exec -it mariadb-11.8 mariadb --host localhost --user root --password<br />
</syntaxhighlight><br />
<br />
=== Crear base de datos ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE DATABASE keycloakdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;<br />
</syntaxhighlight><br />
<br />
=== Crear usuario ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE USER keycloak IDENTIFIED BY 'keycloak';<br />
</syntaxhighlight><br />
<br />
=== Dar permisos a usuario en BD ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
GRANT ALL PRIVILEGES ON keycloakdb.* TO 'keycloak';<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
=== Comprobar permisos ===<br />
<syntaxhighlight lang="Bash"><br />
SHOW GRANTS FOR 'keycloak';<br />
</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
+---------------------------------------------------------------------------------------------------------+<br />
| Grants for keycloak@% |<br />
+---------------------------------------------------------------------------------------------------------+<br />
| GRANT USAGE ON *.* TO `keycloak`@`%` IDENTIFIED BY PASSWORD '*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' |<br />
| GRANT ALL PRIVILEGES ON `keycloakdb`.* TO `keycloak`@`%` |<br />
+---------------------------------------------------------------------------------------------------------+<br />
</syntaxhighlight><br />
<br />
=== Pruebas ===<br />
Probaremos a conectar a la BBDD mediante el cliente [http://www.squirrelsql.org/ SquirrelSQL].<br />
<br />
== Realizar un Backup ==<br />
<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO MariaDB no la vamos a ejecutar en contenedores.<br />
Usaremos un servidor [[LEMP]] dedicado que usará MariaDB como base de datos.<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/_/mariadb https://hub.docker.com/_/mariadb]<br />
* [http://www.squirrelsql.org/ http://www.squirrelsql.org/]<br />
* [https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector]<br />
* [https://phoenixnap.com/kb/how-to-create-mariadb-user-grant-privileges https://phoenixnap.com/kb/how-to-create-mariadb-user-grant-privileges]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=MariaDB&diff=173MariaDB2026-04-18T10:53:14Z<p>Guzman: </p>
<hr />
<div>== Instalación MariaDB en Docker ==<br />
Instalación de [https://hub.docker.com/_/mariadb mariadb] en Docker.<br />
Vamos a usar una imagen oficial de Docker.<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
* Nginx (ver [[LEMP]])<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar MariaDB 11.8 que es la versión LTS a día de hoy. <br />
<syntaxhighlight lang="Bash">docker pull mariadb:11.8-noble</syntaxhighlight><br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run --detach --name mariadb-11.8 \<br />
--env MARIADB_ROOT_PASSWORD=root \<br />
-p 127.0.0.1:3306:3306 \<br />
-v mariadb-data:/var/lib/mysql:Z \<br />
mariadb:11.8-noble<br />
</syntaxhighlight><br />
<br />
=== Conectar a la base de datos ===<br />
Conectamos como root:<br />
<syntaxhighlight lang="Bash"><br />
docker exec -it mariadb-11.8 mariadb --host localhost --user root --password<br />
</syntaxhighlight><br />
<br />
=== Crear base de datos ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE DATABASE keycloakdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;<br />
</syntaxhighlight><br />
<br />
=== Crear usuario ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE USER keycloak IDENTIFIED BY 'keycloak';<br />
</syntaxhighlight><br />
<br />
=== Dar permisos a usuario en BD ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
GRANT ALL PRIVILEGES ON keycloakdb.* TO 'keycloak';<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
=== Comprobar permisos ===<br />
<syntaxhighlight lang="Bash"><br />
SHOW GRANTS FOR 'keycloak';<br />
</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
+---------------------------------------------------------------------------------------------------------+<br />
| Grants for keycloak@% |<br />
+---------------------------------------------------------------------------------------------------------+<br />
| GRANT USAGE ON *.* TO `keycloak`@`%` IDENTIFIED BY PASSWORD '*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' |<br />
| GRANT ALL PRIVILEGES ON `keycloakdb`.* TO `keycloak`@`%` |<br />
+---------------------------------------------------------------------------------------------------------+<br />
</syntaxhighlight><br />
<br />
=== Pruebas ===<br />
Probaremos a conectar a la BBDD mediante el cliente [http://www.squirrelsql.org/ SquirrelSQL].<br />
<br />
== Realizar un Backup ==<br />
<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO MariaDB no la vamos a ejecutar en contenedores.<br />
Usaremos un servidor [[LEMP]] dedicado que usará MariaDB como base de datos.<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/_/mariadb https://hub.docker.com/_/mariadb]<br />
* [http://www.squirrelsql.org/ http://www.squirrelsql.org/]<br />
* [https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector]<br />
* [https://phoenixnap.com/kb/how-to-create-mariadb-user-grant-privileges https://phoenixnap.com/kb/how-to-create-mariadb-user-grant-privileges]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=MariaDB&diff=172MariaDB2026-04-18T10:49:34Z<p>Guzman: </p>
<hr />
<div>== Instalación MariaDB en Docker ==<br />
Instalación de [https://hub.docker.com/_/mariadb mariadb] en Docker.<br />
Vamos a usar una imagen oficial de Docker.<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
* Nginx (ver [[LEMP]])<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar MariaDB 11.8 que es la versión LTS a día de hoy. <br />
<syntaxhighlight lang="Bash">docker pull mariadb:11.8-noble</syntaxhighlight><br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run --detach --name mariadb-11.8 \<br />
--env MARIADB_ROOT_PASSWORD=root \<br />
-p 127.0.0.1:3306:3306 \<br />
-v mariadb-data:/var/lib/mysql:Z \<br />
-v mariadb-backup:/var/backups/mariadb \<br />
mariadb:11.8-noble<br />
</syntaxhighlight><br />
<br />
=== Conectar a la base de datos ===<br />
Conectamos como root:<br />
<syntaxhighlight lang="Bash"><br />
docker exec -it mariadb-11.8 mariadb --host localhost --user root --password<br />
</syntaxhighlight><br />
<br />
=== Crear base de datos ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE DATABASE keycloakdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;<br />
</syntaxhighlight><br />
<br />
=== Crear usuario ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE USER keycloak IDENTIFIED BY 'keycloak';<br />
</syntaxhighlight><br />
<br />
=== Dar permisos a usuario en BD ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
GRANT ALL PRIVILEGES ON keycloakdb.* TO 'keycloak';<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
=== Comprobar permisos ===<br />
<syntaxhighlight lang="Bash"><br />
SHOW GRANTS FOR 'keycloak';<br />
</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
+---------------------------------------------------------------------------------------------------------+<br />
| Grants for keycloak@% |<br />
+---------------------------------------------------------------------------------------------------------+<br />
| GRANT USAGE ON *.* TO `keycloak`@`%` IDENTIFIED BY PASSWORD '*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' |<br />
| GRANT ALL PRIVILEGES ON `keycloakdb`.* TO `keycloak`@`%` |<br />
+---------------------------------------------------------------------------------------------------------+<br />
</syntaxhighlight><br />
<br />
=== Pruebas ===<br />
Probaremos a conectar a la BBDD mediante el cliente [http://www.squirrelsql.org/ SquirrelSQL].<br />
<br />
== Realizar un Backup ==<br />
<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO MariaDB no la vamos a ejecutar en contenedores.<br />
Usaremos un servidor [[LEMP]] dedicado que usará MariaDB como base de datos.<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/_/mariadb https://hub.docker.com/_/mariadb]<br />
* [http://www.squirrelsql.org/ http://www.squirrelsql.org/]<br />
* [https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector]<br />
* [https://phoenixnap.com/kb/how-to-create-mariadb-user-grant-privileges https://phoenixnap.com/kb/how-to-create-mariadb-user-grant-privileges]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=MariaDB&diff=170MariaDB2026-04-18T10:33:33Z<p>Guzman: </p>
<hr />
<div>== Instalación MariaDB en Docker ==<br />
Instalación de [https://hub.docker.com/_/mariadb mariadb] en Docker.<br />
Vamos a usar una imagen oficial de Docker.<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
* Nginx (ver [[LEMP]])<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar MariaDB 11.8 que es la versión LTS a día de hoy. <br />
<syntaxhighlight lang="Bash">docker pull mariadb:11.8-noble</syntaxhighlight><br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run --detach --name mariadb-11.8 \<br />
--env MARIADB_ROOT_PASSWORD=root \<br />
-p 127.0.0.1:3306:3306 \<br />
-v mariadb-data:/var/lib/mysql:Z \<br />
mariadb:11.8-noble<br />
</syntaxhighlight><br />
<br />
=== Conectar a la base de datos ===<br />
Conectamos como root:<br />
<syntaxhighlight lang="Bash"><br />
docker exec -it mariadb-11.8 mariadb --host localhost --user root --password<br />
</syntaxhighlight><br />
<br />
=== Crear base de datos ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE DATABASE keycloakdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;<br />
</syntaxhighlight><br />
<br />
=== Crear usuario ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
CREATE USER keycloak IDENTIFIED BY 'keycloak';<br />
</syntaxhighlight><br />
<br />
=== Dar permisos a usuario en BD ===<br />
En este ejemplo creamos una BD para keycloak:<br />
<syntaxhighlight lang="Bash"><br />
GRANT ALL PRIVILEGES ON keycloakdb.* TO 'keycloak';<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
=== Comprobar permisos ===<br />
<syntaxhighlight lang="Bash"><br />
SHOW GRANTS FOR 'keycloak';<br />
</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
+---------------------------------------------------------------------------------------------------------+<br />
| Grants for keycloak@% |<br />
+---------------------------------------------------------------------------------------------------------+<br />
| GRANT USAGE ON *.* TO `keycloak`@`%` IDENTIFIED BY PASSWORD '*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' |<br />
| GRANT ALL PRIVILEGES ON `keycloakdb`.* TO `keycloak`@`%` |<br />
+---------------------------------------------------------------------------------------------------------+<br />
</syntaxhighlight><br />
<br />
=== Pruebas ===<br />
Probaremos a conectar a la BBDD mediante el cliente [http://www.squirrelsql.org/ SquirrelSQL].<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO MariaDB no la vamos a ejecutar en contenedores.<br />
Usaremos un servidor [[LEMP]] dedicado que usará MariaDB como base de datos.<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/_/mariadb https://hub.docker.com/_/mariadb]<br />
* [http://www.squirrelsql.org/ http://www.squirrelsql.org/]<br />
* [https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector]<br />
* [https://phoenixnap.com/kb/how-to-create-mariadb-user-grant-privileges https://phoenixnap.com/kb/how-to-create-mariadb-user-grant-privileges]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=MariaDB&diff=169MariaDB2026-04-18T10:18:28Z<p>Guzman: </p>
<hr />
<div>== Instalación MariaDB en Docker ==<br />
Instalación de [https://hub.docker.com/_/mariadb mariadb] en Docker.<br />
Vamos a usar una imagen oficial de Docker.<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
* Nginx (ver [[LEMP]])<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar MariaDB 11.8 que es la versión LTS a día de hoy. <br />
<syntaxhighlight lang="Bash">docker pull mariadb:11.8-noble</syntaxhighlight><br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run --detach --name mariadb-11.8 \<br />
--env MARIADB_ROOT_PASSWORD=root \<br />
-p 127.0.0.1:3306:3306 \<br />
-v mariadb-data:/var/lib/mysql:Z \<br />
mariadb:11.8-noble<br />
</syntaxhighlight><br />
<br />
=== Pruebas ===<br />
Probaremos a conectar a la BBDD mediante el cliente [http://www.squirrelsql.org/ SquirrelSQL].<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO MariaDB no la vamos a ejecutar en contenedores.<br />
Usaremos un servidor [[LEMP]] dedicado que usará MariaDB como base de datos.<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/_/mariadb https://hub.docker.com/_/mariadb]<br />
* [http://www.squirrelsql.org/ http://www.squirrelsql.org/]<br />
* [https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=MariaDB&diff=168MariaDB2026-04-18T09:45:37Z<p>Guzman: Página creada con «== Instalación MariaDB en Docker == Instalación de [https://hub.docker.com/_/mariadb mariadb] en Docker. Vamos a usar una imagen oficial de Docker. == Requisitos == Para poder realizar esta configuración se necesita: * Servidor GNU Linux (ver Securizar Ubuntu Server) ** Cortafuegos FirewallD (UFW tiene problemas con Docker) * Docker Engine (ver Docker Engine) ** Módulo: Docker Compose (para PRO) * Nginx (ver LEMP) == Entorno de DEV == Como entorno de…»</p>
<hr />
<div>== Instalación MariaDB en Docker ==<br />
Instalación de [https://hub.docker.com/_/mariadb mariadb] en Docker.<br />
Vamos a usar una imagen oficial de Docker.<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
* Nginx (ver [[LEMP]])<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar MariaDB 11.8 que es la versión LTS a día de hoy. <br />
<syntaxhighlight lang="Bash">docker pull mariadb:11.8-noble</syntaxhighlight><br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
<syntaxhighlight lang="Bash"><br />
docker run --detach --name mariadb-11.8 \<br />
--env MARIADB_ROOT_PASSWORD=root \<br />
-p 127.0.0.1:3306:3306 \<br />
mariadb:11.8-noble<br />
</syntaxhighlight><br />
<br />
=== Pruebas ===<br />
Probaremos a conectar a la BBDD mediante el cliente [http://www.squirrelsql.org/ SquirrelSQL].<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO MariaDB no la vamos a ejecutar en contenedores.<br />
Usaremos un servidor [[LEMP]] dedicado que usará MariaDB como base de datos.<br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/_/mariadb https://hub.docker.com/_/mariadb]<br />
* [http://www.squirrelsql.org/ http://www.squirrelsql.org/]<br />
* [https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector https://mariadb.com/downloads/connectors/connectors-data-access/java8-connector]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=P%C3%A1gina_principal&diff=167Página principal2026-04-18T09:37:15Z<p>Guzman: </p>
<hr />
<div>__NOTOC__<br />
<br />
== Bienvenidos a Wiki Castanedo.es ==<br />
<br />
=== ¿Qué es esto? ===<br />
<br />
Mi Wiki personal. No sobre mi persona, sino sobre mis cosas.<br />
<br />
Antes tenía diferentes páginas en las que publicaba artículos y notas sobre temas, principalmente relacionados con el mundo [https://es.wikipedia.org/wiki/GNU/Linux GNU/Linux] y la administración de servidores, pero se hallaban dispersos y en diferentes formatos.<br />
<br />
Este proyecto busca en primer lugar unificarlo todo en un solo sitio y por otro retomar la publicación de las notas que voy tomando.<br />
<br />
=== Contenido ===<br />
<br />
Me gusta tomar notas de las cosas que voy haciendo, sobre todo en el mundo de la informática.<br />
<br />
Durante mucho tiempo estas notas me las he guardado para mi mismo, pero a partir de ahora las comparto con el que le interesen. Muchas son cosas sencillas y muy conocidas, otras sin embargo contienen información que me han llevado mucha documentación que leer y algunas, incluso, contienen información difícil de encontrar.<br />
<br />
Desde aquí se compartirá tres tipos de contenidos diferenciados: notas, código y ayuda.<br />
<br />
==== Notas ====<br />
<br />
Son las notas que he ido habiendo sobre administración de sistemas:<br />
* '''Máquinas virtuales:'''<br />
** [[Securizar Ubuntu Server]]<br />
** Instalar y configurar un Servidor [[LEMP]] en Ubuntu Server (Linux + Nginx + MySQL + PHP).<br />
** Instalar y configurar un [[Servidor de Correo]] (Postfix + Dovecot + SSL + SPF + OpenDKIM + OpenDMARC + Amavis + SpamAssassin).<br />
** [[Administración servidor de correo]].<br />
** Instalar y configurar [[GOGS]] (Repositorio Git).<br />
** Instalar y configurar [[TeamSpeak 3]].<br />
** Instalar y configurar un [[Servidor Minecraft]].<br />
** Instalar y configurar [[Etherpad]] en Ubuntu Server.<br />
** Notas sobre [[OpenSSL]].<br />
** Notas de configuración de [[Drupal 7]] y [[Drupal 8]].<br />
** Notas de configuración de [[WordPress]].<br />
** Notas de configuración de [[MediaWiki]].<br />
* '''Contenedores:'''<br />
** Instalar y configurar [[Docker Engine]] en Ubuntu Server.<br />
** Instalar y configurar [[OpenLDAP]] en Docker.<br />
** Instalar y configurar [[MariaDB]] en Docker.<br />
** Instalar y configurar [[Keycloak]] en Docker.<br />
** Instalar y configurar [[Nextcloud AIO]] en Docker.<br />
** Instalar y configurar de servidor de correo [[Docker-Mailserver]].<br />
<br />
Pulse en el siguiente enlace para consultar la '''lista completa: [[:Categoría:Notas]]'''.<br />
<br />
==== Código ====<br />
<br />
Las notas aquí descritas pueden tener referencias a código fuente escrito por mi.<br />
<br />
Está disponible en [https://code.castanedo.es code.castanedo.es].<br />
<br />
Todo este software está disponible con licencia [https://www.gnu.org/licenses/gpl.html GPLv3].<br />
<br />
==== Ayuda ====<br />
<br />
Además es esta Wiki hay una [[:Categoría:Ayuda]] en las que se encuentran pequeñas guías de uso de servicios disponibles en mis servidores.<br />
<br />
Su función es que sirvan de ayuda para las personas que están usando estos servicios, aunque, por supuesto, son de libre consulta para cualquiera que los encuentre útiles.<br />
<br />
=== Espíritu ===<br />
<br />
El espíritu de esta wiki es el carácter libre y abierto.<br />
<br />
Todo el material que se aloje aquí será bajo licencia '''Creative Commons Attribution-ShareAlike 4.0''' ([https://creativecommons.org/licenses/by-sa/4.0/ CC BY-SA]) a menos que se exprese lo contrario.<br />
<br />
Para más detalles leer [[Wiki_Castanedo.es:Descargo_general]].<br />
<br />
=== Gracias ===<br />
<br />
'''Muchas gracias''' por visitar este sitio.<br />
<br />
Cualquier duda, consulta o corrección contacta en [mailto:guzman@castanedo.es guzman@castanedo.es].</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Archivo:Keycloak-DEV-Accesos.png&diff=160Archivo:Keycloak-DEV-Accesos.png2026-03-22T21:21:16Z<p>Guzman: </p>
<hr />
<div>Keycloak-DEV-Accesos</div>Guzmanhttps://wiki.castanedo.es/index.php?title=P%C3%A1gina_principal&diff=154Página principal2026-03-22T19:26:29Z<p>Guzman: </p>
<hr />
<div>__NOTOC__<br />
<br />
== Bienvenidos a Wiki Castanedo.es ==<br />
<br />
=== ¿Qué es esto? ===<br />
<br />
Mi Wiki personal. No sobre mi persona, sino sobre mis cosas.<br />
<br />
Antes tenía diferentes páginas en las que publicaba artículos y notas sobre temas, principalmente relacionados con el mundo [https://es.wikipedia.org/wiki/GNU/Linux GNU/Linux] y la administración de servidores, pero se hallaban dispersos y en diferentes formatos.<br />
<br />
Este proyecto busca en primer lugar unificarlo todo en un solo sitio y por otro retomar la publicación de las notas que voy tomando.<br />
<br />
=== Contenido ===<br />
<br />
Me gusta tomar notas de las cosas que voy haciendo, sobre todo en el mundo de la informática.<br />
<br />
Durante mucho tiempo estas notas me las he guardado para mi mismo, pero a partir de ahora las comparto con el que le interesen. Muchas son cosas sencillas y muy conocidas, otras sin embargo contienen información que me han llevado mucha documentación que leer y algunas, incluso, contienen información difícil de encontrar.<br />
<br />
Desde aquí se compartirá tres tipos de contenidos diferenciados: notas, código y ayuda.<br />
<br />
==== Notas ====<br />
<br />
Son las notas que he ido habiendo sobre administración de sistemas:<br />
* '''Máquinas virtuales:'''<br />
** [[Securizar Ubuntu Server]]<br />
** Instalar y configurar un Servidor [[LEMP]] en Ubuntu Server (Linux + Nginx + MySQL + PHP).<br />
** Instalar y configurar un [[Servidor de Correo]] (Postfix + Dovecot + SSL + SPF + OpenDKIM + OpenDMARC + Amavis + SpamAssassin).<br />
** [[Administración servidor de correo]].<br />
** Instalar y configurar [[GOGS]] (Repositorio Git).<br />
** Instalar y configurar [[TeamSpeak 3]].<br />
** Instalar y configurar un [[Servidor Minecraft]].<br />
** Instalar y configurar [[Etherpad]] en Ubuntu Server.<br />
** Notas sobre [[OpenSSL]].<br />
** Notas de configuración de [[Drupal 7]] y [[Drupal 8]].<br />
** Notas de configuración de [[WordPress]].<br />
** Notas de configuración de [[MediaWiki]].<br />
* '''Contenedores:'''<br />
** Instalar y configurar [[Docker Engine]] en Ubuntu Server.<br />
** Instalar y configurar [[OpenLDAP]] en Docker.<br />
** Instalar y configurar [[Keycloak]] en Docker.<br />
** Instalar y configurar [[Nextcloud AIO]] en Docker.<br />
** Instalar y configurar de servidor de correo [[Docker-Mailserver]].<br />
<br />
Pulse en el siguiente enlace para consultar la '''lista completa: [[:Categoría:Notas]]'''.<br />
<br />
==== Código ====<br />
<br />
Las notas aquí descritas pueden tener referencias a código fuente escrito por mi.<br />
<br />
Está disponible en [https://code.castanedo.es code.castanedo.es].<br />
<br />
Todo este software está disponible con licencia [https://www.gnu.org/licenses/gpl.html GPLv3].<br />
<br />
==== Ayuda ====<br />
<br />
Además es esta Wiki hay una [[:Categoría:Ayuda]] en las que se encuentran pequeñas guías de uso de servicios disponibles en mis servidores.<br />
<br />
Su función es que sirvan de ayuda para las personas que están usando estos servicios, aunque, por supuesto, son de libre consulta para cualquiera que los encuentre útiles.<br />
<br />
=== Espíritu ===<br />
<br />
El espíritu de esta wiki es el carácter libre y abierto.<br />
<br />
Todo el material que se aloje aquí será bajo licencia '''Creative Commons Attribution-ShareAlike 4.0''' ([https://creativecommons.org/licenses/by-sa/4.0/ CC BY-SA]) a menos que se exprese lo contrario.<br />
<br />
Para más detalles leer [[Wiki_Castanedo.es:Descargo_general]].<br />
<br />
=== Gracias ===<br />
<br />
'''Muchas gracias''' por visitar este sitio.<br />
<br />
Cualquier duda, consulta o corrección contacta en [mailto:guzman@castanedo.es guzman@castanedo.es].</div>Guzmanhttps://wiki.castanedo.es/index.php?title=LEMP&diff=142LEMP2026-03-22T15:04:43Z<p>Guzman: </p>
<hr />
<div>== Instalación servidor LEMP ==<br />
Instalaremos:<br />
* GNU Linux (Ubuntu Server 24.04)<br />
* eNginx 1.24.0 (APT Ubuntu)<br />
* MariaDB 10.8 (Repo oficiales de MariaDB)<br />
* PHP 8.5 (PPA ondrej/php)<br />
<br />
== Permisos de root ==<br />
Todos los comandos en esta guía se realizarán como root.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<br />
== Instalación Nginx (Stable) ==<br />
* Actualizar repositorio<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalar Nginx<br />
<syntaxhighlight lang="Bash">apt install nginx</syntaxhighlight><br />
<br />
* Instalación Apache Utils<br />
<syntaxhighlight lang="Bash">apt install apache2-utils</syntaxhighlight><br />
<br />
== Instalación MariaDB ==<br />
* Instalar requisitos<br />
<syntaxhighlight lang="Bash">apt install apt-transport-https curl</syntaxhighlight><br />
<br />
* Añadir repositorios MariaDB (oficiales)<br />
<syntaxhighlight lang="Bash">mkdir -p /etc/apt/keyrings</syntaxhighlight><br />
<syntaxhighlight lang="Bash">curl -o /etc/apt/keyrings/mariadb-keyring.pgp 'https://mariadb.org/mariadb_release_signing_key.pgp'</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/apt/sources.list.d/mariadb.sources</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# MariaDB 11.8 repository list - created 2026-02-23 08:31 UTC<br />
# https://mariadb.org/download/<br />
X-Repolib-Name: MariaDB<br />
Types: deb<br />
# deb.mariadb.org is a dynamic mirror if your preferred mirror goes offline. See https://mariadb.org/mirrorbits/ for details.<br />
# URIs: https://deb.mariadb.org/11.8/ubuntu<br />
URIs: https://mirror.raiolanetworks.com/mariadb/repo/11.8/ubuntu<br />
Suites: noble<br />
Components: main main/debug<br />
Signed-By: /etc/apt/keyrings/mariadb-keyring.pgp<br />
</syntaxhighlight><br />
<br />
* Actualizar repositorio<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalación de servidor y cliente<br />
<syntaxhighlight lang="Bash">apt install mariadb-client mariadb-server mariadb-plugin-provider-bzip2 mariadb-plugin-provider-lz4 mariadb-plugin-provider-lzma mariadb-plugin-provider-lzo mariadb-plugin-provider-snappy</syntaxhighlight><br />
<br />
* Inicializar base de datos<br />
<syntaxhighlight lang="Bash">mysql_secure_installation</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB<br />
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!<br />
<br />
In order to log into MariaDB to secure it, we'll need the current<br />
password for the root user. If you've just installed MariaDB, and<br />
haven't set the root password yet, you should just press enter here.<br />
<br />
Enter current password for root (enter for none):<br />
OK, successfully used password, moving on...<br />
<br />
Setting the root password or using the unix_socket ensures that nobody<br />
can log into the MariaDB root user without the proper authorisation.<br />
<br />
You already have your root account protected, so you can safely answer 'n'.<br />
<br />
Switch to unix_socket authentication [Y/n] n<br />
... skipping.<br />
<br />
You already have your root account protected, so you can safely answer 'n'.<br />
<br />
Change the root password? [Y/n] y<br />
New password:<br />
Re-enter new password:<br />
Password updated successfully!<br />
Reloading privilege tables..<br />
... Success!<br />
<br />
<br />
By default, a MariaDB installation has an anonymous user, allowing anyone<br />
to log into MariaDB without having to have a user account created for<br />
them. This is intended only for testing, and to make the installation<br />
go a bit smoother. You should remove them before moving into a<br />
production environment.<br />
<br />
Remove anonymous users? [Y/n] y<br />
... Success!<br />
<br />
Normally, root should only be allowed to connect from 'localhost'. This<br />
ensures that someone cannot guess at the root password from the network.<br />
<br />
Disallow root login remotely? [Y/n] Y<br />
... Success!<br />
<br />
By default, MariaDB comes with a database named 'test' that anyone can<br />
access. This is also intended only for testing, and should be removed<br />
before moving into a production environment.<br />
<br />
Remove test database and access to it? [Y/n] Y<br />
- Dropping test database...<br />
... Success!<br />
- Removing privileges on test database...<br />
... Success!<br />
<br />
Reloading the privilege tables will ensure that all changes made so far<br />
will take effect immediately.<br />
<br />
Reload privilege tables now? [Y/n] Y<br />
... Success!<br />
<br />
Cleaning up...<br />
<br />
All done! If you've completed all of the above steps, your MariaDB<br />
installation should now be secure.<br />
<br />
Thanks for using MariaDB!<br />
</syntaxhighlight><br />
<br />
== Instalación PHP ==<br />
Vamos a usar los repositorios PPA de ondrej/php<br />
<br />
* Instalar repositorio PPA<br />
<syntaxhighlight lang="Bash">add-apt-repository ppa:ondrej/php</syntaxhighlight><br />
<br />
* Actualizar repositorios<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalar PHP 8.5<br />
<syntaxhighlight lang="Bash">apt install php8.5 php8.5-apcu php8.5-common php8.5-fpm php8.5-curl php8.5-gd php8.5-mysql php8.5-xml php8.5-xmlrpc php8.5-bz2 php8.5-imap php8.5-intl php8.5-mbstring php8.5-soap php8.5-gnupg php8.5-imagick php8.5-mcrypt php8.5-zip</syntaxhighlight><br />
<br />
== Instalación Let's Encrypt ==<br />
Vamos a usar Let's Encrypt para generar las claves y certificados usadas para comunicaciones HTTPS.<br />
<br />
* Instalar Snap Core<br />
<syntaxhighlight lang="Bash">snap install core</syntaxhighlight><br />
<br />
* Refrescar Snap Core<br />
<syntaxhighlight lang="Bash">snap refresh core</syntaxhighlight><br />
<br />
* Instalar Certbot<br />
<syntaxhighlight lang="Bash">snap install --classic certbot</syntaxhighlight><br />
<br />
* Crear enlace simbólico<br />
<syntaxhighlight lang="Bash">ln -s /snap/bin/certbot /usr/local/bin/certbot</syntaxhighlight><br />
<br />
* Comprobar que está activada el timer de renovación<br />
<syntaxhighlight lang="Bash"><br />
systemctl list-timers | grep certbot<br />
Mon 2026-02-23 11:47:00 UTC 12h - - snap.certbot.renew.timer snap.certbot.renew.service<br />
</syntaxhighlight><br />
<br />
== Configuración PHP ==<br />
* Configuración php-fpm:<br />
<syntaxhighlight lang="Bash">vi /etc/php/8.5/fpm/php.ini</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
; Maximum amount of memory a script may consume<br />
; https://php.net/memory-limit<br />
memory_limit = 128M<br />
max_memory_limit = -1<br />
[...]<br />
; Maximum size of POST data that PHP will accept.<br />
; Its value may be 0 to disable the limit. It is ignored if POST data reading<br />
; is disabled through enable_post_data_reading.<br />
; https://php.net/post-max-size<br />
post_max_size = 100M<br />
[...]<br />
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's<br />
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok<br />
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting<br />
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting<br />
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts<br />
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.<br />
; https://php.net/cgi.fix-pathinfo<br />
cgi.fix_pathinfo=0<br />
[...]<br />
; Whether to allow HTTP file uploads.<br />
; https://php.net/file-uploads<br />
file_uploads = On<br />
[...]<br />
; Maximum allowed size for uploaded files.<br />
; https://php.net/upload-max-filesize<br />
upload_max_filesize = 100M<br />
[...]<br />
; Maximum number of files that can be uploaded via a single request<br />
max_file_uploads = 20<br />
[...]<br />
[Session]<br />
; Handler used to store/retrieve data.<br />
; https://php.net/session.save-handler<br />
session.save_handler = files<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Configuración php-cli:<br />
<syntaxhighlight lang="Bash">vi /etc/php/8.5/cli/php.ini</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
; Maximum amount of memory a script may consume<br />
; https://php.net/memory-limit<br />
memory_limit = -1<br />
max_memory_limit = -1<br />
[...]<br />
; Maximum size of POST data that PHP will accept.<br />
; Its value may be 0 to disable the limit. It is ignored if POST data reading<br />
; is disabled through enable_post_data_reading.<br />
; https://php.net/post-max-size<br />
post_max_size = 100M<br />
[...]<br />
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's<br />
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok<br />
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting<br />
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting<br />
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts<br />
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.<br />
; https://php.net/cgi.fix-pathinfo<br />
cgi.fix_pathinfo=0<br />
[...]<br />
; Whether to allow HTTP file uploads.<br />
; https://php.net/file-uploads<br />
file_uploads = On<br />
[...]<br />
; Maximum allowed size for uploaded files.<br />
; https://php.net/upload-max-filesize<br />
upload_max_filesize = 100M<br />
[...]<br />
; Maximum number of files that can be uploaded via a single request<br />
max_file_uploads = 20<br />
[...]<br />
[Session]<br />
; Handler used to store/retrieve data.<br />
; https://php.net/session.save-handler<br />
session.save_handler = files<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Reiniciar php-fpm:<br />
<syntaxhighlight lang="Bash">systemctl restart php8.5-fpm.service</syntaxhighlight><br />
<br />
== Configuración Nginx ==<br />
* Backup nginx.conf<br />
<syntaxhighlight lang="Bash">cp -a /etc/nginx/nginx.conf /etc/nginx/nginx.conf.$(date +%Y%m%d)</syntaxhighlight><br />
<br />
* Editar nginx.conf<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/nginx.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
http {<br />
##<br />
# Basic Settings<br />
##<br />
sendfile on;<br />
tcp_nopush on;<br />
types_hash_max_size 2048;<br />
client_max_body_size 100M;<br />
server_tokens off;<br />
[...]<br />
##<br />
# SSL Settings<br />
##<br />
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE<br />
ssl_protocols TLSv1.2 TLSv1.3;<br />
ssl_prefer_server_ciphers on;<br />
ssl_dhparam /etc/nginx/ssl/dhparam.pem;<br />
[...]<br />
}<br />
</syntaxhighlight><br />
<br />
* Generar PHParam:<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/ssl</syntaxhighlight><br />
<syntaxhighlight lang="Bash">openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096</syntaxhighlight><br />
<br />
* Configurar contraseñas:<br />
Si se quiere configurar contraseñas Auth Basic se almacenan en /etc/nginx/passwd.<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/passwd</syntaxhighlight><br />
Por ejemplo:<br />
<syntaxhighlight lang="Bash">htpasswd -c -B /etc/nginx/passwd/test.pw guzman</syntaxhighlight><br />
<br />
* Configurar snippets:<br />
Estos "fragmentos" se pueden usar para permitir que sistemas funcionen si se tiene Auth Basic activo (como robots.txt o validación de Let's Encrypt).<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/allowed.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Allow favicon.ico, robots.txt, .well-known/<br />
location = /favicon.ico {<br />
log_not_found off;<br />
access_log off;<br />
}<br />
<br />
# Allow robots.txt<br />
location = /robots.txt {<br />
allow all;<br />
log_not_found off;<br />
access_log off;<br />
}<br />
<br />
# Allow "Well-Known URIs" as pwe RFC 5785 (e.g. Let's Encrypt)<br />
location ~* ^/.well-known/ {<br />
auth_basic off;<br />
allow all;<br />
}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/denied.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
<br />
# Not allow txt or logs to be downloaded<br />
location ~* \.(txt|log)$ {<br />
deny all;<br />
}<br />
<br />
# Not allow execute php in hidden folders<br />
location ~ \..*/.\.php$ {<br />
return 403;<br />
}<br />
<br />
# Not allow "hidden files"<br />
location ~ (^|/)\. {<br />
return 403;<br />
}<br />
<br />
# Not allow *.json or *.lock<br />
location ~* \.(json|lock)$ {<br />
return 403;<br />
}<br />
<br />
# Deny *.ht<br />
location ~ /\.ht {<br />
deny all;<br />
}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/hsts.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: if we set another header in a location we've to<br />
# rewrite it<br />
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;<br />
</syntaxhighlight><br />
<br />
* Configurar sites-available:<br />
En al carpeta /etc/nginx/sites-available/ se almacenan todos los Virtual Hosts disponibles.<br />
En Nginx hay que personalizar cada uno por cada tipo de aplicación.<br />
Hay que tener en cuenta las diferentes URL's.<br />
<br />
* Configurar sites-enabled:<br />
Se suelen configurar enlaces simbólicos con la carpeta sites-available para activarlos.<br />
Por ejemplo:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default</syntaxhighlight><br />
<br />
* Reiniciar Nginx:<br />
<syntaxhighlight lang="Bash">systemctl restart nginx</syntaxhighlight><br />
<br />
== Configuración MariaDB ==<br />
* Conectar a MariaDB<br />
<syntaxhighlight lang="Bash">mariadb</syntaxhighlight><br />
<br />
* Opción 1: Permitir conexiones por TCP (sólo desde localhost)<br />
<syntaxhighlight lang="Sql"><br />
grant all privileges on *.* to 'root'@'localhost' identified by 'password' with grant option;<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
* Opción 2: Permitir conexiones por Sockets UNIX (sólo desde localhost)<br />
<syntaxhighlight lang="Sql"><br />
grant all privileges on *.* to 'root'@'localhost' identified via unix_socket with grant option;<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
Nota: esta opción es la que suelo usar yo (no se pueden usar los dos a la vez).<br />
<br />
== Habilitar puertos en cortafuegos ==<br />
<syntaxhighlight lang="Bash">ufw allow 80/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">ufw allow 443/tcp</syntaxhighlight><br />
<br />
== Virtual Host de ejemplo ==<br />
=== Generar certificados autofirmados (temporales) ===<br />
Estos certificados los vamos a generar sólo para levantar el Virtual Host y los sustituiremos por unos de Let's Encrypt.<br />
* Generamos clave privada:<br />
<syntaxhighlight lang="Bash">cd /etc/ssl/private</syntaxhighlight><br />
<syntaxhighlight lang="Bash">openssl genrsa -out selfsigned.key</syntaxhighlight><br />
<br />
* Generamos petición de firma (CSR):<br />
<syntaxhighlight lang="Bash"><br />
openssl req -key selfsigned.key -new -out selfsigned.csr<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [AU]:ES<br />
State or Province Name (full name) [Some-State]:Madrid<br />
Locality Name (eg, city) []:Madrid<br />
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GCV<br />
Organizational Unit Name (eg, section) []:GCV<br />
Common Name (e.g. server FQDN or YOUR name) []:www.culturetas.net<br />
Email Address []:<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
</syntaxhighlight><br />
<br />
* Auto-firmamos con la misma firma:<br />
<syntaxhighlight lang="Bash">openssl x509 -signkey selfsigned.key -in selfsigned.csr -req -days 365 -out selfsigned.crt</syntaxhighlight><br />
<br />
* Movemos certificados a las carpetas correctas:<br />
<syntaxhighlight lang="Bash">mv selfsigned.key /etc/ssl/private/</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv selfsigned.crt /etc/ssl/certs/</syntaxhighlight><br />
<syntaxhighlight lang="Bash">rm selfsigned.csr</syntaxhighlight><br />
<br />
* Referencia: [https://www.baeldung.com/openssl-self-signed-cert https://www.baeldung.com/openssl-self-signed-cert]<br />
<br />
=== Dar de alta Virtual Host en Nginx ===<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
##<br />
# You should look at the following URL's in order to grasp a solid understanding<br />
# of Nginx configuration files in order to fully unleash the power of Nginx.<br />
# http://wiki.nginx.org/Pitfalls<br />
# http://wiki.nginx.org/QuickStart<br />
# http://wiki.nginx.org/Configuration<br />
#<br />
# Generally, you will want to move this file somewhere, and start with a clean<br />
# file but keep this around for reference. Or just disable in sites-enabled.<br />
#<br />
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.<br />
##<br />
<br />
# Default server configuration<br />
#<br />
server {<br />
# Redirect HTTP to HTTPS<br />
listen 80 default_server;<br />
listen [::]:80 default_server;<br />
server_name www.culturetas.net culturetas.net;<br />
# Redirect HTTP to HTTPS<br />
return 301 https://$host$request_uri;<br />
}<br />
<br />
server {<br />
# SSL configuration<br />
#<br />
listen 443 ssl http2 default_server;<br />
listen [::]:443 ssl http2 default_server;<br />
ssl_certificate /etc/ssl/certs/selfsigned.crt;<br />
ssl_certificate_key /etc/ssl/private/selfsigned.key;<br />
#<br />
# Note: You should disable gzip for SSL traffic.<br />
# See: https://bugs.debian.org/773332<br />
#<br />
# Read up on ssl_ciphers to ensure a secure configuration.<br />
# See: https://bugs.debian.org/765782<br />
#<br />
# Self signed certs generated by the ssl-cert package<br />
# Don't use them in a production server!<br />
#<br />
# include snippets/snakeoil.conf;<br />
<br />
root /var/www/culturetas.net;<br />
<br />
# Add index.php to the list if you are using PHP<br />
index index.php index.html index.htm;<br />
<br />
server_name www.culturetas.net culturetas.net;<br />
<br />
access_log /var/log/nginx/culturetas.net-access.log;<br />
error_log /var/log/nginx/culturetas.net-error.log;<br />
<br />
# # Auth Basic (for developing)<br />
# auth_basic "Pagina Restringida";<br />
# auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net;<br />
<br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: reinclude if in a location a header is set<br />
include snippets/hsts.conf;<br />
<br />
# Allow favicon.ico, robots.txt, .well-known/<br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
include snippets/allowed.conf;<br />
include snippets/denied.conf;<br />
<br />
location / {<br />
# First attempt to serve request as file, then<br />
# as directory, then fall back to displaying a 404.<br />
#try_files $uri $uri/ =404;<br />
try_files $uri $uri/ /index.php?$args;<br />
}<br />
<br />
# pass the PHP scripts to FastCGI server<br />
#<br />
location ~ \.php$ {<br />
include snippets/fastcgi-php.conf;<br />
<br />
# # With php8.5-cgi alone (TCP Ports):<br />
# fastcgi_pass 127.0.0.1:9000;<br />
# With php8.5-fpm (UNIX Socket):<br />
fastcgi_pass unix:/run/php/php8.5-fpm.sock;<br />
}<br />
<br />
# Disable hidden files<br />
location ~ /\. {<br />
deny all;<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
=== Desactivar Virtual Host por defecto ===<br />
<syntaxhighlight lang="Bash">rm /etc/nginx/sites-enabled/default</syntaxhighlight><br />
<br />
=== Activar Virtual Host nuevo ===<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/culturetas.net /etc/nginx/sites-enabled/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar nuevas claves con Let's Encrypt ===<br />
El certbot de Let's Encrypt ya contiene un plugin que gestiona Nginx.<br />
Usándolo no sólo nos generará automáticamente las claves y certificados, si no que lo aplicará en el servidor por nosotros.<br />
Además, también se encargará de la renovación, por lo que desatiende toda esa parte de gestión de certificados.<br />
<br />
<syntaxhighlight lang="Bash"><br />
certbot --nginx<br />
Saving debug log to /var/log/letsencrypt/letsencrypt.log<br />
Enter email address or hit Enter to skip.<br />
(Enter 'c' to cancel): admin@ejemplo.com<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Please read the Terms of Service at:<br />
https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf<br />
You must agree in order to register with the ACME server. Do you agree?<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
(Y)es/(N)o: Y<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Would you be willing, once your first certificate is successfully issued, to<br />
share your email address with the Electronic Frontier Foundation, a founding<br />
partner of the Let's Encrypt project and the non-profit organization that<br />
develops Certbot? We'd like to send you email about our work encrypting the web,<br />
EFF news, campaigns, and ways to support digital freedom.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
(Y)es/(N)o: N<br />
Account registered.<br />
<br />
Which names would you like to activate HTTPS for?<br />
We recommend selecting either all domains, or all domains in a VirtualHost/server block.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
1: culturetas.net<br />
2: www.culturetas.net<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Select the appropriate numbers separated by commas and/or spaces, or leave input<br />
blank to select all options shown (Enter 'c' to cancel): 1,2<br />
Requesting a certificate for culturetas.net and www.culturetas.net<br />
<br />
Successfully received certificate.<br />
Certificate is saved at: /etc/letsencrypt/live/culturetas.net/fullchain.pem<br />
Key is saved at: /etc/letsencrypt/live/culturetas.net/privkey.pem<br />
This certificate expires on 2026-05-25.<br />
These files will be updated when the certificate renews.<br />
Certbot has set up a scheduled task to automatically renew this certificate in the background.<br />
<br />
Deploying certificate<br />
Successfully deployed certificate for culturetas.net to /etc/nginx/sites-enabled/culturetas.net<br />
Successfully deployed certificate for www.culturetas.net to /etc/nginx/sites-enabled/culturetas.net<br />
Congratulations! You have successfully enabled HTTPS on https://culturetas.net and https://www.culturetas.net<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
If you like Certbot, please consider supporting our work by:<br />
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate<br />
* Donating to EFF: https://eff.org/donate-le<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
</syntaxhighlight><br />
<br />
=== Desplegar página de ejemplo ===<br />
<syntaxhighlight lang="Bash">mkdir /var/www/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /var/www/culturetas.net/index.html</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<!DOCTYPE html><br />
<html lang="es"><br />
<head><br />
<meta charset="UTF-8" /><br />
<meta name="viewport" content="width=device-width, initial-scale=1.0"/><br />
<title>Culturetas.net - En construcción</title><br />
<style><br />
body {<br />
margin: 0;<br />
padding: 0;<br />
height: 100vh;<br />
font-family: system-ui, -apple-system, sans-serif;<br />
background: linear-gradient(135deg, #1e3a8a 0%, #3b82f6 100%);<br />
color: white;<br />
display: flex;<br />
flex-direction: column;<br />
align-items: center;<br />
justify-content: center;<br />
text-align: center;<br />
}<br />
<br />
.container {<br />
max-width: 700px;<br />
padding: 20px;<br />
}<br />
<br />
h1 {<br />
font-size: 4.5rem;<br />
margin: 0.2em 0;<br />
font-weight: 800;<br />
letter-spacing: -1px;<br />
text-shadow: 0 4px 12px rgba(0,0,0,0.3);<br />
}<br />
<br />
.subtitle {<br />
font-size: 1.6rem;<br />
margin: 0.8em 0 1.5em;<br />
opacity: 0.95;<br />
}<br />
<br />
.construction {<br />
font-size: 8rem;<br />
margin: 0.3em 0;<br />
animation: bounce 3s infinite;<br />
}<br />
<br />
p {<br />
font-size: 1.3rem;<br />
line-height: 1.6;<br />
max-width: 600px;<br />
margin: 1.5em auto;<br />
opacity: 0.9;<br />
}<br />
<br />
.soon {<br />
font-size: 2rem;<br />
font-weight: bold;<br />
margin-top: 2rem;<br />
color: #fef08a;<br />
text-shadow: 0 2px 10px rgba(0,0,0,0.4);<br />
}<br />
<br />
@keyframes bounce {<br />
0%, 20%, 50%, 80%, 100% { transform: translateY(0); }<br />
40% { transform: translateY(-25px); }<br />
60% { transform: translateY(-12px); }<br />
}<br />
<br />
@media (max-width: 600px) {<br />
h1 { font-size: 3.2rem; }<br />
.construction { font-size: 6rem; }<br />
.subtitle { font-size: 1.3rem; }<br />
}<br />
</style><br />
</head><br />
<body><br />
<br />
<div class="container"><br />
<div class="construction">🚧</div><br />
<h1>Culturetas.net</h1><br />
<div class="subtitle">Está en construcción</div><br />
<br />
<p>Estamos trabajando para traerte un espacio mucho más bonito, rápido y con mucho más contenido cultural interesante.</p><br />
<br />
<p>¡Vuelve en unos días y te sorprenderás!</p><br />
<br />
<div class="soon">Próximamente... ✨</div><br />
</div><br />
<br />
</body><br />
</html><br />
</syntaxhighlight><br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=LEMP&diff=141LEMP2026-03-22T14:59:00Z<p>Guzman: </p>
<hr />
<div>== Instalación servidor LEMP ==<br />
Instalaremos:<br />
* GNU Linux (Ubuntu Server 24.04)<br />
* eNginx 1.24.0 (APT Ubuntu)<br />
* MariaDB 10.8 (Repo oficiales de MariaDB)<br />
* PHP 8.5 (PPA ondrej/php)<br />
<br />
== Permisos de root ==<br />
Todos los comandos en esta guía se realizarán como root.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<br />
== Instalación Nginx (Stable) ==<br />
* Actualizar repositorio<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalar Nginx<br />
<syntaxhighlight lang="Bash">apt install nginx</syntaxhighlight><br />
<br />
* Instalación Apache Utils<br />
<syntaxhighlight lang="Bash">apt install apache2-utils</syntaxhighlight><br />
<br />
* Instalación módulo Nginx Stream (para balancear a puertos TCP o UDP no HTTP)<br />
<syntaxhighlight lang="Bash">apt install libnginx-mod-stream</syntaxhighlight><br />
<br />
== Instalación MariaDB ==<br />
* Instalar requisitos<br />
<syntaxhighlight lang="Bash">apt install apt-transport-https curl</syntaxhighlight><br />
<br />
* Añadir repositorios MariaDB (oficiales)<br />
<syntaxhighlight lang="Bash">mkdir -p /etc/apt/keyrings</syntaxhighlight><br />
<syntaxhighlight lang="Bash">curl -o /etc/apt/keyrings/mariadb-keyring.pgp 'https://mariadb.org/mariadb_release_signing_key.pgp'</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/apt/sources.list.d/mariadb.sources</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# MariaDB 11.8 repository list - created 2026-02-23 08:31 UTC<br />
# https://mariadb.org/download/<br />
X-Repolib-Name: MariaDB<br />
Types: deb<br />
# deb.mariadb.org is a dynamic mirror if your preferred mirror goes offline. See https://mariadb.org/mirrorbits/ for details.<br />
# URIs: https://deb.mariadb.org/11.8/ubuntu<br />
URIs: https://mirror.raiolanetworks.com/mariadb/repo/11.8/ubuntu<br />
Suites: noble<br />
Components: main main/debug<br />
Signed-By: /etc/apt/keyrings/mariadb-keyring.pgp<br />
</syntaxhighlight><br />
<br />
* Actualizar repositorio<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalación de servidor y cliente<br />
<syntaxhighlight lang="Bash">apt install mariadb-client mariadb-server mariadb-plugin-provider-bzip2 mariadb-plugin-provider-lz4 mariadb-plugin-provider-lzma mariadb-plugin-provider-lzo mariadb-plugin-provider-snappy</syntaxhighlight><br />
<br />
* Inicializar base de datos<br />
<syntaxhighlight lang="Bash">mysql_secure_installation</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB<br />
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!<br />
<br />
In order to log into MariaDB to secure it, we'll need the current<br />
password for the root user. If you've just installed MariaDB, and<br />
haven't set the root password yet, you should just press enter here.<br />
<br />
Enter current password for root (enter for none):<br />
OK, successfully used password, moving on...<br />
<br />
Setting the root password or using the unix_socket ensures that nobody<br />
can log into the MariaDB root user without the proper authorisation.<br />
<br />
You already have your root account protected, so you can safely answer 'n'.<br />
<br />
Switch to unix_socket authentication [Y/n] n<br />
... skipping.<br />
<br />
You already have your root account protected, so you can safely answer 'n'.<br />
<br />
Change the root password? [Y/n] y<br />
New password:<br />
Re-enter new password:<br />
Password updated successfully!<br />
Reloading privilege tables..<br />
... Success!<br />
<br />
<br />
By default, a MariaDB installation has an anonymous user, allowing anyone<br />
to log into MariaDB without having to have a user account created for<br />
them. This is intended only for testing, and to make the installation<br />
go a bit smoother. You should remove them before moving into a<br />
production environment.<br />
<br />
Remove anonymous users? [Y/n] y<br />
... Success!<br />
<br />
Normally, root should only be allowed to connect from 'localhost'. This<br />
ensures that someone cannot guess at the root password from the network.<br />
<br />
Disallow root login remotely? [Y/n] Y<br />
... Success!<br />
<br />
By default, MariaDB comes with a database named 'test' that anyone can<br />
access. This is also intended only for testing, and should be removed<br />
before moving into a production environment.<br />
<br />
Remove test database and access to it? [Y/n] Y<br />
- Dropping test database...<br />
... Success!<br />
- Removing privileges on test database...<br />
... Success!<br />
<br />
Reloading the privilege tables will ensure that all changes made so far<br />
will take effect immediately.<br />
<br />
Reload privilege tables now? [Y/n] Y<br />
... Success!<br />
<br />
Cleaning up...<br />
<br />
All done! If you've completed all of the above steps, your MariaDB<br />
installation should now be secure.<br />
<br />
Thanks for using MariaDB!<br />
</syntaxhighlight><br />
<br />
== Instalación PHP ==<br />
Vamos a usar los repositorios PPA de ondrej/php<br />
<br />
* Instalar repositorio PPA<br />
<syntaxhighlight lang="Bash">add-apt-repository ppa:ondrej/php</syntaxhighlight><br />
<br />
* Actualizar repositorios<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<br />
* Instalar PHP 8.5<br />
<syntaxhighlight lang="Bash">apt install php8.5 php8.5-apcu php8.5-common php8.5-fpm php8.5-curl php8.5-gd php8.5-mysql php8.5-xml php8.5-xmlrpc php8.5-bz2 php8.5-imap php8.5-intl php8.5-mbstring php8.5-soap php8.5-gnupg php8.5-imagick php8.5-mcrypt php8.5-zip</syntaxhighlight><br />
<br />
== Instalación Let's Encrypt ==<br />
Vamos a usar Let's Encrypt para generar las claves y certificados usadas para comunicaciones HTTPS.<br />
<br />
* Instalar Snap Core<br />
<syntaxhighlight lang="Bash">snap install core</syntaxhighlight><br />
<br />
* Refrescar Snap Core<br />
<syntaxhighlight lang="Bash">snap refresh core</syntaxhighlight><br />
<br />
* Instalar Certbot<br />
<syntaxhighlight lang="Bash">snap install --classic certbot</syntaxhighlight><br />
<br />
* Crear enlace simbólico<br />
<syntaxhighlight lang="Bash">ln -s /snap/bin/certbot /usr/local/bin/certbot</syntaxhighlight><br />
<br />
* Comprobar que está activada el timer de renovación<br />
<syntaxhighlight lang="Bash"><br />
systemctl list-timers | grep certbot<br />
Mon 2026-02-23 11:47:00 UTC 12h - - snap.certbot.renew.timer snap.certbot.renew.service<br />
</syntaxhighlight><br />
<br />
== Configuración PHP ==<br />
* Configuración php-fpm:<br />
<syntaxhighlight lang="Bash">vi /etc/php/8.5/fpm/php.ini</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
; Maximum amount of memory a script may consume<br />
; https://php.net/memory-limit<br />
memory_limit = 128M<br />
max_memory_limit = -1<br />
[...]<br />
; Maximum size of POST data that PHP will accept.<br />
; Its value may be 0 to disable the limit. It is ignored if POST data reading<br />
; is disabled through enable_post_data_reading.<br />
; https://php.net/post-max-size<br />
post_max_size = 100M<br />
[...]<br />
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's<br />
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok<br />
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting<br />
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting<br />
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts<br />
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.<br />
; https://php.net/cgi.fix-pathinfo<br />
cgi.fix_pathinfo=0<br />
[...]<br />
; Whether to allow HTTP file uploads.<br />
; https://php.net/file-uploads<br />
file_uploads = On<br />
[...]<br />
; Maximum allowed size for uploaded files.<br />
; https://php.net/upload-max-filesize<br />
upload_max_filesize = 100M<br />
[...]<br />
; Maximum number of files that can be uploaded via a single request<br />
max_file_uploads = 20<br />
[...]<br />
[Session]<br />
; Handler used to store/retrieve data.<br />
; https://php.net/session.save-handler<br />
session.save_handler = files<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Configuración php-cli:<br />
<syntaxhighlight lang="Bash">vi /etc/php/8.5/cli/php.ini</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
; Maximum amount of memory a script may consume<br />
; https://php.net/memory-limit<br />
memory_limit = -1<br />
max_memory_limit = -1<br />
[...]<br />
; Maximum size of POST data that PHP will accept.<br />
; Its value may be 0 to disable the limit. It is ignored if POST data reading<br />
; is disabled through enable_post_data_reading.<br />
; https://php.net/post-max-size<br />
post_max_size = 100M<br />
[...]<br />
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's<br />
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok<br />
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting<br />
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting<br />
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts<br />
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.<br />
; https://php.net/cgi.fix-pathinfo<br />
cgi.fix_pathinfo=0<br />
[...]<br />
; Whether to allow HTTP file uploads.<br />
; https://php.net/file-uploads<br />
file_uploads = On<br />
[...]<br />
; Maximum allowed size for uploaded files.<br />
; https://php.net/upload-max-filesize<br />
upload_max_filesize = 100M<br />
[...]<br />
; Maximum number of files that can be uploaded via a single request<br />
max_file_uploads = 20<br />
[...]<br />
[Session]<br />
; Handler used to store/retrieve data.<br />
; https://php.net/session.save-handler<br />
session.save_handler = files<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Reiniciar php-fpm:<br />
<syntaxhighlight lang="Bash">systemctl restart php8.5-fpm.service</syntaxhighlight><br />
<br />
== Configuración Nginx ==<br />
* Backup nginx.conf<br />
<syntaxhighlight lang="Bash">cp -a /etc/nginx/nginx.conf /etc/nginx/nginx.conf.$(date +%Y%m%d)</syntaxhighlight><br />
<br />
* Editar nginx.conf<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/nginx.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
http {<br />
##<br />
# Basic Settings<br />
##<br />
sendfile on;<br />
tcp_nopush on;<br />
types_hash_max_size 2048;<br />
client_max_body_size 100M;<br />
server_tokens off;<br />
[...]<br />
##<br />
# SSL Settings<br />
##<br />
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE<br />
ssl_protocols TLSv1.2 TLSv1.3;<br />
ssl_prefer_server_ciphers on;<br />
ssl_dhparam /etc/nginx/ssl/dhparam.pem;<br />
[...]<br />
}<br />
</syntaxhighlight><br />
<br />
* Generar PHParam:<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/ssl</syntaxhighlight><br />
<syntaxhighlight lang="Bash">openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096</syntaxhighlight><br />
<br />
* Configurar contraseñas:<br />
Si se quiere configurar contraseñas Auth Basic se almacenan en /etc/nginx/passwd.<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/passwd</syntaxhighlight><br />
Por ejemplo:<br />
<syntaxhighlight lang="Bash">htpasswd -c -B /etc/nginx/passwd/test.pw guzman</syntaxhighlight><br />
<br />
* Configurar snippets:<br />
Estos "fragmentos" se pueden usar para permitir que sistemas funcionen si se tiene Auth Basic activo (como robots.txt o validación de Let's Encrypt).<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/allowed.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Allow favicon.ico, robots.txt, .well-known/<br />
location = /favicon.ico {<br />
log_not_found off;<br />
access_log off;<br />
}<br />
<br />
# Allow robots.txt<br />
location = /robots.txt {<br />
allow all;<br />
log_not_found off;<br />
access_log off;<br />
}<br />
<br />
# Allow "Well-Known URIs" as pwe RFC 5785 (e.g. Let's Encrypt)<br />
location ~* ^/.well-known/ {<br />
auth_basic off;<br />
allow all;<br />
}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/denied.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
<br />
# Not allow txt or logs to be downloaded<br />
location ~* \.(txt|log)$ {<br />
deny all;<br />
}<br />
<br />
# Not allow execute php in hidden folders<br />
location ~ \..*/.\.php$ {<br />
return 403;<br />
}<br />
<br />
# Not allow "hidden files"<br />
location ~ (^|/)\. {<br />
return 403;<br />
}<br />
<br />
# Not allow *.json or *.lock<br />
location ~* \.(json|lock)$ {<br />
return 403;<br />
}<br />
<br />
# Deny *.ht<br />
location ~ /\.ht {<br />
deny all;<br />
}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/snippets/hsts.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: if we set another header in a location we've to<br />
# rewrite it<br />
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;<br />
</syntaxhighlight><br />
<br />
* Configurar sites-available:<br />
En al carpeta /etc/nginx/sites-available/ se almacenan todos los Virtual Hosts disponibles.<br />
En Nginx hay que personalizar cada uno por cada tipo de aplicación.<br />
Hay que tener en cuenta las diferentes URL's.<br />
<br />
* Configurar sites-enabled:<br />
Se suelen configurar enlaces simbólicos con la carpeta sites-available para activarlos.<br />
Por ejemplo:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default</syntaxhighlight><br />
<br />
* Reiniciar Nginx:<br />
<syntaxhighlight lang="Bash">systemctl restart nginx</syntaxhighlight><br />
<br />
== Configuración MariaDB ==<br />
* Conectar a MariaDB<br />
<syntaxhighlight lang="Bash">mariadb</syntaxhighlight><br />
<br />
* Opción 1: Permitir conexiones por TCP (sólo desde localhost)<br />
<syntaxhighlight lang="Sql"><br />
grant all privileges on *.* to 'root'@'localhost' identified by 'password' with grant option;<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
<br />
* Opción 2: Permitir conexiones por Sockets UNIX (sólo desde localhost)<br />
<syntaxhighlight lang="Sql"><br />
grant all privileges on *.* to 'root'@'localhost' identified via unix_socket with grant option;<br />
FLUSH PRIVILEGES;<br />
</syntaxhighlight><br />
Nota: esta opción es la que suelo usar yo (no se pueden usar los dos a la vez).<br />
<br />
== Habilitar puertos en cortafuegos ==<br />
<syntaxhighlight lang="Bash">ufw allow 80/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">ufw allow 443/tcp</syntaxhighlight><br />
<br />
== Virtual Host de ejemplo ==<br />
=== Generar certificados autofirmados (temporales) ===<br />
Estos certificados los vamos a generar sólo para levantar el Virtual Host y los sustituiremos por unos de Let's Encrypt.<br />
* Generamos clave privada:<br />
<syntaxhighlight lang="Bash">cd /etc/ssl/private</syntaxhighlight><br />
<syntaxhighlight lang="Bash">openssl genrsa -out selfsigned.key</syntaxhighlight><br />
<br />
* Generamos petición de firma (CSR):<br />
<syntaxhighlight lang="Bash"><br />
openssl req -key selfsigned.key -new -out selfsigned.csr<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [AU]:ES<br />
State or Province Name (full name) [Some-State]:Madrid<br />
Locality Name (eg, city) []:Madrid<br />
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GCV<br />
Organizational Unit Name (eg, section) []:GCV<br />
Common Name (e.g. server FQDN or YOUR name) []:www.culturetas.net<br />
Email Address []:<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
</syntaxhighlight><br />
<br />
* Auto-firmamos con la misma firma:<br />
<syntaxhighlight lang="Bash">openssl x509 -signkey selfsigned.key -in selfsigned.csr -req -days 365 -out selfsigned.crt</syntaxhighlight><br />
<br />
* Movemos certificados a las carpetas correctas:<br />
<syntaxhighlight lang="Bash">mv selfsigned.key /etc/ssl/private/</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv selfsigned.crt /etc/ssl/certs/</syntaxhighlight><br />
<syntaxhighlight lang="Bash">rm selfsigned.csr</syntaxhighlight><br />
<br />
* Referencia: [https://www.baeldung.com/openssl-self-signed-cert https://www.baeldung.com/openssl-self-signed-cert]<br />
<br />
=== Dar de alta Virtual Host en Nginx ===<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
##<br />
# You should look at the following URL's in order to grasp a solid understanding<br />
# of Nginx configuration files in order to fully unleash the power of Nginx.<br />
# http://wiki.nginx.org/Pitfalls<br />
# http://wiki.nginx.org/QuickStart<br />
# http://wiki.nginx.org/Configuration<br />
#<br />
# Generally, you will want to move this file somewhere, and start with a clean<br />
# file but keep this around for reference. Or just disable in sites-enabled.<br />
#<br />
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.<br />
##<br />
<br />
# Default server configuration<br />
#<br />
server {<br />
# Redirect HTTP to HTTPS<br />
listen 80 default_server;<br />
listen [::]:80 default_server;<br />
server_name www.culturetas.net culturetas.net;<br />
# Redirect HTTP to HTTPS<br />
return 301 https://$host$request_uri;<br />
}<br />
<br />
server {<br />
# SSL configuration<br />
#<br />
listen 443 ssl http2 default_server;<br />
listen [::]:443 ssl http2 default_server;<br />
ssl_certificate /etc/ssl/certs/selfsigned.crt;<br />
ssl_certificate_key /etc/ssl/private/selfsigned.key;<br />
#<br />
# Note: You should disable gzip for SSL traffic.<br />
# See: https://bugs.debian.org/773332<br />
#<br />
# Read up on ssl_ciphers to ensure a secure configuration.<br />
# See: https://bugs.debian.org/765782<br />
#<br />
# Self signed certs generated by the ssl-cert package<br />
# Don't use them in a production server!<br />
#<br />
# include snippets/snakeoil.conf;<br />
<br />
root /var/www/culturetas.net;<br />
<br />
# Add index.php to the list if you are using PHP<br />
index index.php index.html index.htm;<br />
<br />
server_name www.culturetas.net culturetas.net;<br />
<br />
access_log /var/log/nginx/culturetas.net-access.log;<br />
error_log /var/log/nginx/culturetas.net-error.log;<br />
<br />
# # Auth Basic (for developing)<br />
# auth_basic "Pagina Restringida";<br />
# auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net;<br />
<br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: reinclude if in a location a header is set<br />
include snippets/hsts.conf;<br />
<br />
# Allow favicon.ico, robots.txt, .well-known/<br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
include snippets/allowed.conf;<br />
include snippets/denied.conf;<br />
<br />
location / {<br />
# First attempt to serve request as file, then<br />
# as directory, then fall back to displaying a 404.<br />
#try_files $uri $uri/ =404;<br />
try_files $uri $uri/ /index.php?$args;<br />
}<br />
<br />
# pass the PHP scripts to FastCGI server<br />
#<br />
location ~ \.php$ {<br />
include snippets/fastcgi-php.conf;<br />
<br />
# # With php8.5-cgi alone (TCP Ports):<br />
# fastcgi_pass 127.0.0.1:9000;<br />
# With php8.5-fpm (UNIX Socket):<br />
fastcgi_pass unix:/run/php/php8.5-fpm.sock;<br />
}<br />
<br />
# Disable hidden files<br />
location ~ /\. {<br />
deny all;<br />
}<br />
}<br />
</syntaxhighlight><br />
<br />
=== Desactivar Virtual Host por defecto ===<br />
<syntaxhighlight lang="Bash">rm /etc/nginx/sites-enabled/default</syntaxhighlight><br />
<br />
=== Activar Virtual Host nuevo ===<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/culturetas.net /etc/nginx/sites-enabled/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar nuevas claves con Let's Encrypt ===<br />
El certbot de Let's Encrypt ya contiene un plugin que gestiona Nginx.<br />
Usándolo no sólo nos generará automáticamente las claves y certificados, si no que lo aplicará en el servidor por nosotros.<br />
Además, también se encargará de la renovación, por lo que desatiende toda esa parte de gestión de certificados.<br />
<br />
<syntaxhighlight lang="Bash"><br />
certbot --nginx<br />
Saving debug log to /var/log/letsencrypt/letsencrypt.log<br />
Enter email address or hit Enter to skip.<br />
(Enter 'c' to cancel): admin@ejemplo.com<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Please read the Terms of Service at:<br />
https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf<br />
You must agree in order to register with the ACME server. Do you agree?<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
(Y)es/(N)o: Y<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Would you be willing, once your first certificate is successfully issued, to<br />
share your email address with the Electronic Frontier Foundation, a founding<br />
partner of the Let's Encrypt project and the non-profit organization that<br />
develops Certbot? We'd like to send you email about our work encrypting the web,<br />
EFF news, campaigns, and ways to support digital freedom.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
(Y)es/(N)o: N<br />
Account registered.<br />
<br />
Which names would you like to activate HTTPS for?<br />
We recommend selecting either all domains, or all domains in a VirtualHost/server block.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
1: culturetas.net<br />
2: www.culturetas.net<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Select the appropriate numbers separated by commas and/or spaces, or leave input<br />
blank to select all options shown (Enter 'c' to cancel): 1,2<br />
Requesting a certificate for culturetas.net and www.culturetas.net<br />
<br />
Successfully received certificate.<br />
Certificate is saved at: /etc/letsencrypt/live/culturetas.net/fullchain.pem<br />
Key is saved at: /etc/letsencrypt/live/culturetas.net/privkey.pem<br />
This certificate expires on 2026-05-25.<br />
These files will be updated when the certificate renews.<br />
Certbot has set up a scheduled task to automatically renew this certificate in the background.<br />
<br />
Deploying certificate<br />
Successfully deployed certificate for culturetas.net to /etc/nginx/sites-enabled/culturetas.net<br />
Successfully deployed certificate for www.culturetas.net to /etc/nginx/sites-enabled/culturetas.net<br />
Congratulations! You have successfully enabled HTTPS on https://culturetas.net and https://www.culturetas.net<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
If you like Certbot, please consider supporting our work by:<br />
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate<br />
* Donating to EFF: https://eff.org/donate-le<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
</syntaxhighlight><br />
<br />
=== Desplegar página de ejemplo ===<br />
<syntaxhighlight lang="Bash">mkdir /var/www/culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /var/www/culturetas.net/index.html</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
<!DOCTYPE html><br />
<html lang="es"><br />
<head><br />
<meta charset="UTF-8" /><br />
<meta name="viewport" content="width=device-width, initial-scale=1.0"/><br />
<title>Culturetas.net - En construcción</title><br />
<style><br />
body {<br />
margin: 0;<br />
padding: 0;<br />
height: 100vh;<br />
font-family: system-ui, -apple-system, sans-serif;<br />
background: linear-gradient(135deg, #1e3a8a 0%, #3b82f6 100%);<br />
color: white;<br />
display: flex;<br />
flex-direction: column;<br />
align-items: center;<br />
justify-content: center;<br />
text-align: center;<br />
}<br />
<br />
.container {<br />
max-width: 700px;<br />
padding: 20px;<br />
}<br />
<br />
h1 {<br />
font-size: 4.5rem;<br />
margin: 0.2em 0;<br />
font-weight: 800;<br />
letter-spacing: -1px;<br />
text-shadow: 0 4px 12px rgba(0,0,0,0.3);<br />
}<br />
<br />
.subtitle {<br />
font-size: 1.6rem;<br />
margin: 0.8em 0 1.5em;<br />
opacity: 0.95;<br />
}<br />
<br />
.construction {<br />
font-size: 8rem;<br />
margin: 0.3em 0;<br />
animation: bounce 3s infinite;<br />
}<br />
<br />
p {<br />
font-size: 1.3rem;<br />
line-height: 1.6;<br />
max-width: 600px;<br />
margin: 1.5em auto;<br />
opacity: 0.9;<br />
}<br />
<br />
.soon {<br />
font-size: 2rem;<br />
font-weight: bold;<br />
margin-top: 2rem;<br />
color: #fef08a;<br />
text-shadow: 0 2px 10px rgba(0,0,0,0.4);<br />
}<br />
<br />
@keyframes bounce {<br />
0%, 20%, 50%, 80%, 100% { transform: translateY(0); }<br />
40% { transform: translateY(-25px); }<br />
60% { transform: translateY(-12px); }<br />
}<br />
<br />
@media (max-width: 600px) {<br />
h1 { font-size: 3.2rem; }<br />
.construction { font-size: 6rem; }<br />
.subtitle { font-size: 1.3rem; }<br />
}<br />
</style><br />
</head><br />
<body><br />
<br />
<div class="container"><br />
<div class="construction">🚧</div><br />
<h1>Culturetas.net</h1><br />
<div class="subtitle">Está en construcción</div><br />
<br />
<p>Estamos trabajando para traerte un espacio mucho más bonito, rápido y con mucho más contenido cultural interesante.</p><br />
<br />
<p>¡Vuelve en unos días y te sorprenderás!</p><br />
<br />
<div class="soon">Próximamente... ✨</div><br />
</div><br />
<br />
</body><br />
</html><br />
</syntaxhighlight><br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Docker_Engine&diff=132Docker Engine2026-03-21T23:06:41Z<p>Guzman: </p>
<hr />
<div>== Instalación de Docker Engine en Ubuntu Server ==<br />
El objetivo de este documento es instalar Docker Engine en Ubuntu Server 24.04.<br />
<br />
== Requisitos ==<br />
Antes de instalar Docker hay que tener en cuenta una serie de consideraciones.<br />
<br />
=== Usuario root ===<br />
Todos los comandos que aquí se ponen, han de ejecutarse como root.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<br />
=== Desinstalar UFW ===<br />
El firewall que viene por defecto en entornos tipo Debian (como Ubuntu) tiene problemas de compatibilidad con Docker Engine.<br />
Debido a que Docker crea reglas directamente con IPTables, se ocasiona que Docker cree reglas que se salten las reglas existentes.<br />
Para evitar que esto pase vamos a sustituir UFW por FirewallD (en modo IPTables), que evita este tipo de problemas.<br />
<syntaxhighlight lang="Bash">ufw disable</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl disable ufw</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl stop ufw</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt remove --purge ufw</syntaxhighlight><br />
<br />
=== Instalar FirewallD ===<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install firewalld</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable firewalld</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start firewalld</syntaxhighlight><br />
<br />
=== Habilitar modo IPTables a FirewallD (opcional) ===<br />
Hay problemas reportados de conexión entre contenedores de Docker cuando FirewallD está en modo nftables, se resuelven cambiando a modo IPTables.<br />
<br />
<syntaxhighlight lang="Bash">vi /etc/firewalld/firewalld.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
# FirewallBackend<br />
# Selects the firewall backend implementation.<br />
# Choices are:<br />
# - nftables (default)<br />
# - iptables (iptables, ip6tables, ebtables and ipset)<br />
# Note: The iptables backend is deprecated. It will be removed in a future<br />
# release.<br />
#FirewallBackend=nftables<br />
FirewallBackend=iptables<br />
[...]<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl restart firewalld</syntaxhighlight><br />
<br />
=== Habilitar reglas anteriores ===<br />
En mi paso prefiero habilitar puertos TCP en vez de servicios (aunque también es posible).<br />
<br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-port=80/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-port=443/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --reload</syntaxhighlight><br />
<br />
=== Habilitar salida a Internet de contenedores ===<br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-masquerade</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --reload</syntaxhighlight><br />
<br />
=== Comprobar estado de FirewallD ===<br />
<syntaxhighlight lang="Bash"><br />
firewall-cmd --list-all<br />
public (default, active)<br />
target: default<br />
ingress-priority: 0<br />
egress-priority: 0<br />
icmp-block-inversion: no<br />
interfaces:<br />
sources:<br />
services: dhcpv6-client ssh<br />
ports: 80/tcp 443/tcp<br />
protocols:<br />
forward: yes<br />
masquerade: yes<br />
forward-ports:<br />
source-ports:<br />
icmp-blocks:<br />
rich rules:<br />
</syntaxhighlight><br />
<br />
=== Consideraciones importantes ===<br />
* Toda esta configuración estamos asumiendo que estamos usando la zona public.<br />
* Cuando se creen contenedores en Docker hay que evitar usar la opción -p (--port), ya que creará reglas en el firewall (iptables) que habilitarán acceso directo desde Internet a los contenedores.<br />
* Mi recomendación es no hacerlo así y exponer los servicios a través de un proxy inverso (ver artículo sobre servidor [[LEMP]]).<br />
<br />
== Desinstalar versiones anteriores de Docker Engine ==<br />
Comprobar que no existe una versión de Docker Engine instalada.<br />
<syntaxhighlight lang="Bash">apt remove $(dpkg --get-selections docker.io docker-compose docker-compose-v2 docker-doc podman-docker containerd runc | cut -f1)</syntaxhighlight><br />
<br />
== Añadir repositorios APT oficiales de Docker ==<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install ca-certificates curl</syntaxhighlight><br />
<syntaxhighlight lang="Bash">install -m 0755 -d /etc/apt/keyrings</syntaxhighlight><br />
<syntaxhighlight lang="Bash">curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod a+r /etc/apt/keyrings/docker.asc</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
sudo tee /etc/apt/sources.list.d/docker.sources <<EOF<br />
Types: deb<br />
URIs: https://download.docker.com/linux/ubuntu<br />
Suites: $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}")<br />
Components: stable<br />
Signed-By: /etc/apt/keyrings/docker.asc<br />
EOF<br />
</syntaxhighlight><br />
<br />
== Instalar Docker Engine ==<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin</syntaxhighlight><br />
<br />
== Comprobar Docker Engine ==<br />
=== Comprobar servicio ===<br />
<syntaxhighlight lang="Bash"><br />
systemctl status docker<br />
● docker.service - Docker Application Container Engine<br />
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: enabled)<br />
Active: active (running) since Thu 2026-02-26 22:52:45 UTC; 2min 39s ago<br />
TriggeredBy: ● docker.socket<br />
Docs: https://docs.docker.com<br />
Main PID: 23159 (dockerd)<br />
Tasks: 11<br />
Memory: 26.5M (peak: 29.2M)<br />
CPU: 284ms<br />
CGroup: /system.slice/docker.service<br />
└─23159 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock<br />
<br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.065056936Z" level=info msg="Deleting nftables IPv4 rules" error="exit s><br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.088078290Z" level=info msg="Deleting nftables IPv6 rules" error="exit s><br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.118636746Z" level=info msg="Firewalld: created docker-forwarding policy"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.117792420Z" level=info msg="Loading containers: done."<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.131108392Z" level=info msg="Docker daemon" commit=6bc6209 containerd-sn><br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.131332307Z" level=info msg="Initializing buildkit"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.149255659Z" level=info msg="Completed buildkit initialization"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.158529795Z" level=info msg="Daemon has completed initialization"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.158627568Z" level=info msg="API listen on /run/docker.sock"<br />
Feb 26 22:52:45 culturetas.net systemd[1]: Started docker.service - Docker Application Container Engine.<br />
</syntaxhighlight><br />
<br />
Si el servicio está apagado hay que arrancarlo y habilitarlo en el arranque:<br />
<syntaxhighlight lang="Bash">systemctl start docker</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable docker</syntaxhighlight><br />
<br />
=== Desplegar contenedor de prueba (hello-world) ===<br />
<syntaxhighlight lang="Bash">docker run hello-world</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
docker ps --all<br />
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES<br />
3995e4839733 hello-world "/hello" 2 minutes ago Exited (0) 2 minutes ago elated_matsumoto<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker stop elated_matsumoto</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker rm elated_matsumoto</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
docker image list<br />
i Info → U In Use<br />
IMAGE ID DISK USAGE CONTENT SIZE EXTRA<br />
hello-world:latest ef54e839ef54 25.9kB 9.52kB<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker image rm hello-world:latest</syntaxhighlight><br />
<br />
== Desarrollo con Docker Compose ==<br />
Para entornos productivos está recomendado usar Docker Compose para declarar todos los contenedores que se van a usar (mediante fichero YAML).<br />
Para su eso utilizo las siguientes herramientas:<br />
<br />
=== Visual Studio Codium ===<br />
Visual Studio Codium o [https://vscodium.com/ VS Codium] es la versión libre de Visual Studio Code.<br />
<br />
Se compilan del mismo repositio, pero no se incluyen las herramientas de telemetría que introduce Microsoft.<br />
<br />
Esta es una buena herramienta para desarrollar los ficheros YAML.<br />
<br />
Sin embargo, es necesario añadir extensiones.<br />
<br />
=== Docker (extensión) ===<br />
Extensión de VS Codium para gestionar contenedores.<br />
<br />
URL: [https://open-vsx.org/extension/ms-azuretools/vscode-docker https://open-vsx.org/extension/ms-azuretools/vscode-docker]<br />
<br />
Instalará automática otra extensión: [https://open-vsx.org/extension/ms-azuretools/vscode-containers Container Tools].<br />
<br />
=== YAML (extensión) ===<br />
Extensión de VS Codium para soporte al formato YAML.<br />
<br />
URL: [https://open-vsx.org/extension/redhat/vscode-yaml https://open-vsx.org/extension/redhat/vscode-yaml]<br />
<br />
=== Open Remote - SSH (extensión) ===<br />
Para poder conectar a servidores SSH en el propio VS Codium.<br />
<br />
URL: [https://open-vsx.org/extension/jeanp413/open-remote-ssh https://open-vsx.org/extension/jeanp413/open-remote-ssh]<br />
<br />
=== Spanish Language Pack (extensión) ===<br />
Para traducir VS Codium al español.<br />
<br />
URL: [https://open-vsx.org/extension/MS-CEINTL/vscode-language-pack-es https://open-vsx.org/extension/MS-CEINTL/vscode-language-pack-es]<br />
<br />
== Herramientas útiles ==<br />
=== Skopeo ===<br />
Permite analizar los repositorios de imágenes.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install skopeo</syntaxhighlight><br />
<br />
Uso:<br />
<syntaxhighlight lang="Bash">skopeo list-tags docker://cleanstart/openldap</syntaxhighlight><br />
<br />
=== Composerize ===<br />
Permite transformar un comando "docker run..." en fichero YAML para Docker Compose.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install npm</syntaxhighlight><br />
<syntaxhighlight lang="Bash">npm install composerize -g</syntaxhighlight><br />
<br />
Uso:<br />
<syntaxhighlight lang="Bash">composerize docker run -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro --restart always --log-opt max-size=1g nginx</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://docs.docker.com/engine/install/ubuntu/ https://docs.docker.com/engine/install/ubuntu/]<br />
* [https://docs.docker.com/engine/network/packet-filtering-firewalls/#docker-and-ufw https://docs.docker.com/engine/network/packet-filtering-firewalls/#docker-and-ufw]<br />
* [https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-resolve-firewall-problems-with-fedora-linux-rhel-os-centos-suse-linux-and-others https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-resolve-firewall-problems-with-fedora-linux-rhel-os-centos-suse-linux-and-others]<br />
* [https://github.com/composerize/composerize https://github.com/composerize/composerize]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Docker_Engine&diff=131Docker Engine2026-03-21T23:05:00Z<p>Guzman: </p>
<hr />
<div>== Instalación de Docker Engine en Ubuntu Server ==<br />
El objetivo de este documento es instalar Docker Engine en Ubuntu Server 24.04.<br />
<br />
== Requisitos ==<br />
Antes de instalar Docker hay que tener en cuenta una serie de consideraciones.<br />
<br />
=== Usuario root ===<br />
Todos los comandos que aquí se ponen, han de ejecutarse como root.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<br />
=== Desinstalar UFW ===<br />
El firewall que viene por defecto en entornos tipo Debian (como Ubuntu) tiene problemas de compatibilidad con Docker Engine.<br />
Debido a que Docker crea reglas directamente con IPTables, se ocasiona que Docker cree reglas que se salten las reglas existentes.<br />
Para evitar que esto pase vamos a sustituir UFW por FirewallD (en modo IPTables), que evita este tipo de problemas.<br />
<syntaxhighlight lang="Bash">ufw disable</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl disable ufw</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl stop ufw</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt remove --purge ufw</syntaxhighlight><br />
<br />
=== Instalar FirewallD ===<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install firewalld</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable firewalld</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start firewalld</syntaxhighlight><br />
<br />
=== Habilitar modo IPTables a FirewallD (opcional) ===<br />
Hay problemas reportados de conexión entre contenedores de Docker cuando FirewallD está en modo nftables, se resuelven cambiando a modo IPTables.<br />
<br />
<syntaxhighlight lang="Bash">vi /etc/firewalld/firewalld.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
# FirewallBackend<br />
# Selects the firewall backend implementation.<br />
# Choices are:<br />
# - nftables (default)<br />
# - iptables (iptables, ip6tables, ebtables and ipset)<br />
# Note: The iptables backend is deprecated. It will be removed in a future<br />
# release.<br />
#FirewallBackend=nftables<br />
FirewallBackend=iptables<br />
[...]<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl restart firewalld</syntaxhighlight><br />
<br />
=== Habilitar reglas anteriores ===<br />
En mi paso prefiero habilitar puertos TCP en vez de servicios (aunque también es posible).<br />
<br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-port=80/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-port=443/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --reload</syntaxhighlight><br />
<br />
=== Habilitar salida a Internet de contenedores ===<br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-masquerade</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --reload</syntaxhighlight><br />
<br />
=== Comprobar estado de FirewallD ===<br />
<syntaxhighlight lang="Bash"><br />
firewall-cmd --list-all<br />
public (default, active)<br />
target: default<br />
ingress-priority: 0<br />
egress-priority: 0<br />
icmp-block-inversion: no<br />
interfaces:<br />
sources:<br />
services: dhcpv6-client ssh<br />
ports: 80/tcp 443/tcp<br />
protocols:<br />
forward: yes<br />
masquerade: yes<br />
forward-ports:<br />
source-ports:<br />
icmp-blocks:<br />
rich rules:<br />
</syntaxhighlight><br />
<br />
=== Consideraciones importantes ===<br />
* Toda esta configuración estamos asumiendo que estamos usando la zona public.<br />
* Cuando se creen contenedores en Docker hay que evitar usar la opción -p (--port), ya que creará reglas en el firewall (iptables) que habilitarán acceso directo desde Internet a los contenedores.<br />
* Mi recomendación es no hacerlo así y exponer los servicios a través de un proxy inverso (ver artículo sobre servidor [[LEMP]]).<br />
<br />
== Desinstalar versiones anteriores de Docker Engine ==<br />
Comprobar que no existe una versión de Docker Engine instalada.<br />
<syntaxhighlight lang="Bash">apt remove $(dpkg --get-selections docker.io docker-compose docker-compose-v2 docker-doc podman-docker containerd runc | cut -f1)</syntaxhighlight><br />
<br />
== Añadir repositorios APT oficiales de Docker ==<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install ca-certificates curl</syntaxhighlight><br />
<syntaxhighlight lang="Bash">install -m 0755 -d /etc/apt/keyrings</syntaxhighlight><br />
<syntaxhighlight lang="Bash">curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod a+r /etc/apt/keyrings/docker.asc</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
sudo tee /etc/apt/sources.list.d/docker.sources <<EOF<br />
Types: deb<br />
URIs: https://download.docker.com/linux/ubuntu<br />
Suites: $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}")<br />
Components: stable<br />
Signed-By: /etc/apt/keyrings/docker.asc<br />
EOF<br />
</syntaxhighlight><br />
<br />
== Instalar Docker Engine ==<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin</syntaxhighlight><br />
<br />
== Comprobar Docker Engine ==<br />
=== Comprobar servicio ===<br />
<syntaxhighlight lang="Bash"><br />
systemctl status docker<br />
● docker.service - Docker Application Container Engine<br />
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: enabled)<br />
Active: active (running) since Thu 2026-02-26 22:52:45 UTC; 2min 39s ago<br />
TriggeredBy: ● docker.socket<br />
Docs: https://docs.docker.com<br />
Main PID: 23159 (dockerd)<br />
Tasks: 11<br />
Memory: 26.5M (peak: 29.2M)<br />
CPU: 284ms<br />
CGroup: /system.slice/docker.service<br />
└─23159 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock<br />
<br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.065056936Z" level=info msg="Deleting nftables IPv4 rules" error="exit s><br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.088078290Z" level=info msg="Deleting nftables IPv6 rules" error="exit s><br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.118636746Z" level=info msg="Firewalld: created docker-forwarding policy"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.117792420Z" level=info msg="Loading containers: done."<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.131108392Z" level=info msg="Docker daemon" commit=6bc6209 containerd-sn><br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.131332307Z" level=info msg="Initializing buildkit"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.149255659Z" level=info msg="Completed buildkit initialization"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.158529795Z" level=info msg="Daemon has completed initialization"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.158627568Z" level=info msg="API listen on /run/docker.sock"<br />
Feb 26 22:52:45 culturetas.net systemd[1]: Started docker.service - Docker Application Container Engine.<br />
</syntaxhighlight><br />
<br />
Si el servicio está apagado hay que arrancarlo y habilitarlo en el arranque:<br />
<syntaxhighlight lang="Bash">systemctl start docker</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable docker</syntaxhighlight><br />
<br />
=== Desplegar contenedor de prueba (hello-world) ===<br />
<syntaxhighlight lang="Bash">docker run hello-world</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
docker ps --all<br />
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES<br />
3995e4839733 hello-world "/hello" 2 minutes ago Exited (0) 2 minutes ago elated_matsumoto<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker stop elated_matsumoto</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker rm elated_matsumoto</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
docker image list<br />
i Info → U In Use<br />
IMAGE ID DISK USAGE CONTENT SIZE EXTRA<br />
hello-world:latest ef54e839ef54 25.9kB 9.52kB<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker image rm hello-world:latest</syntaxhighlight><br />
<br />
== Desarrollo con Docker Compose ==<br />
Para entornos productivos está recomendado usar Docker Compose para declarar todos los contenedores que se van a usar (mediante fichero YAML).<br />
Para su eso utilizo las siguientes herramientas:<br />
<br />
=== Visual Studio Codium ===<br />
Visual Studio Codium o [https://vscodium.com/ VS Codium] es la versión libre de Visual Studio Code.<br />
<br />
Se compilan del mismo repositio, pero no se incluyen las herramientas de telemetría que introduce Microsoft.<br />
<br />
Esta es una buena herramienta para desarrollar los ficheros YAML.<br />
<br />
Sin embargo, es necesario añadir extensiones.<br />
<br />
=== Docker (extensión) ===<br />
Extensión de VS Codium para gestionar contenedores.<br />
<br />
URL: [https://open-vsx.org/extension/ms-azuretools/vscode-docker https://open-vsx.org/extension/ms-azuretools/vscode-docker]<br />
<br />
Instalará automática otra extensión: [https://open-vsx.org/extension/ms-azuretools/vscode-containers Container Tools].<br />
<br />
=== YAML (extensión) ===<br />
Extensión de VS Codium para soporte al formato YAML.<br />
<br />
URL: [https://open-vsx.org/extension/redhat/vscode-yaml https://open-vsx.org/extension/redhat/vscode-yaml]<br />
<br />
=== Open Remote - SSH (extensión) ===<br />
Para poder conectar a servidores SSH en el propio VS Codium.<br />
<br />
URL: [https://open-vsx.org/extension/jeanp413/open-remote-ssh https://open-vsx.org/extension/jeanp413/open-remote-ssh]<br />
<br />
=== Spanish Language Pack (extensión) ===<br />
Para traducir VS Codium al español.<br />
<br />
URL: [https://open-vsx.org/extension/MS-CEINTL/vscode-language-pack-es https://open-vsx.org/extension/MS-CEINTL/vscode-language-pack-es]<br />
<br />
== Herramientas útiles ==<br />
=== Skopeo ===<br />
Permite analizar los repositorios de imágenes.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install skopeo</syntaxhighlight><br />
<br />
Uso:<br />
<syntaxhighlight lang="Bash">skopeo list-tags docker://cleanstart/openldap</syntaxhighlight><br />
<br />
=== Composerize ===<br />
Permite transformar un comando "docker run..." en fichero YAML para Docker Compose.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install npm</syntaxhighlight><br />
<syntaxhighlight lang="Bash">npm install composerize -g</syntaxhighlight><br />
<br />
Uso:<br />
<syntaxhighlight lang="Bash">composerize docker run -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro --restart always --log-opt max-size=1g nginx</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://docs.docker.com/engine/install/ubuntu/ https://docs.docker.com/engine/install/ubuntu/]<br />
* [https://docs.docker.com/engine/network/packet-filtering-firewalls/#docker-and-ufw https://docs.docker.com/engine/network/packet-filtering-firewalls/#docker-and-ufw]<br />
* [https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-resolve-firewall-problems-with-fedora-linux-rhel-os-centos-suse-linux-and-others https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-resolve-firewall-problems-with-fedora-linux-rhel-os-centos-suse-linux-and-others]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Docker_Engine&diff=120Docker Engine2026-03-21T11:30:17Z<p>Guzman: </p>
<hr />
<div>== Instalación de Docker Engine en Ubuntu Server ==<br />
El objetivo de este documento es instalar Docker Engine en Ubuntu Server 24.04.<br />
<br />
== Requisitos ==<br />
Antes de instalar Docker hay que tener en cuenta una serie de consideraciones.<br />
<br />
=== Usuario root ===<br />
Todos los comandos que aquí se ponen, han de ejecutarse como root.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<br />
=== Desinstalar UFW ===<br />
El firewall que viene por defecto en entornos tipo Debian (como Ubuntu) tiene problemas de compatibilidad con Docker Engine.<br />
Debido a que Docker crea reglas directamente con IPTables, se ocasiona que Docker cree reglas que se salten las reglas existentes.<br />
Para evitar que esto pase vamos a sustituir UFW por FirewallD (en modo IPTables), que evita este tipo de problemas.<br />
<syntaxhighlight lang="Bash">ufw disable</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl disable ufw</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl stop ufw</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt remove --purge ufw</syntaxhighlight><br />
<br />
=== Instalar FirewallD ===<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install firewalld</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable firewalld</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start firewalld</syntaxhighlight><br />
<br />
=== Habilitar modo IPTables a FirewallD (opcional) ===<br />
Hay problemas reportados de conexión entre contenedores de Docker cuando FirewallD está en modo nftables, se resuelven cambiando a modo IPTables.<br />
<br />
<syntaxhighlight lang="Bash">vi /etc/firewalld/firewalld.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
# FirewallBackend<br />
# Selects the firewall backend implementation.<br />
# Choices are:<br />
# - nftables (default)<br />
# - iptables (iptables, ip6tables, ebtables and ipset)<br />
# Note: The iptables backend is deprecated. It will be removed in a future<br />
# release.<br />
#FirewallBackend=nftables<br />
FirewallBackend=iptables<br />
[...]<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl restart firewalld</syntaxhighlight><br />
<br />
=== Habilitar reglas anteriores ===<br />
En mi paso prefiero habilitar puertos TCP en vez de servicios (aunque también es posible).<br />
<br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-port=80/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-port=443/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --reload</syntaxhighlight><br />
<br />
=== Habilitar salida a Internet de contenedores ===<br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-masquerade</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --reload</syntaxhighlight><br />
<br />
=== Comprobar estado de FirewallD ===<br />
<syntaxhighlight lang="Bash"><br />
firewall-cmd --list-all<br />
public (default, active)<br />
target: default<br />
ingress-priority: 0<br />
egress-priority: 0<br />
icmp-block-inversion: no<br />
interfaces:<br />
sources:<br />
services: dhcpv6-client ssh<br />
ports: 80/tcp 443/tcp<br />
protocols:<br />
forward: yes<br />
masquerade: yes<br />
forward-ports:<br />
source-ports:<br />
icmp-blocks:<br />
rich rules:<br />
</syntaxhighlight><br />
<br />
=== Consideraciones importantes ===<br />
* Toda esta configuración estamos asumiendo que estamos usando la zona public.<br />
* Cuando se creen contenedores en Docker hay que evitar usar la opción -p (--port), ya que creará reglas en el firewall (iptables) que habilitarán acceso directo desde Internet a los contenedores.<br />
* Mi recomendación es no hacerlo así y exponer los servicios a través de un proxy inverso (ver artículo sobre servidor [[LEMP]]).<br />
<br />
== Desinstalar versiones anteriores de Docker Engine ==<br />
Comprobar que no existe una versión de Docker Engine instalada.<br />
<syntaxhighlight lang="Bash">apt remove $(dpkg --get-selections docker.io docker-compose docker-compose-v2 docker-doc podman-docker containerd runc | cut -f1)</syntaxhighlight><br />
<br />
== Añadir repositorios APT oficiales de Docker ==<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install ca-certificates curl</syntaxhighlight><br />
<syntaxhighlight lang="Bash">install -m 0755 -d /etc/apt/keyrings</syntaxhighlight><br />
<syntaxhighlight lang="Bash">curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod a+r /etc/apt/keyrings/docker.asc</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
sudo tee /etc/apt/sources.list.d/docker.sources <<EOF<br />
Types: deb<br />
URIs: https://download.docker.com/linux/ubuntu<br />
Suites: $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}")<br />
Components: stable<br />
Signed-By: /etc/apt/keyrings/docker.asc<br />
EOF<br />
</syntaxhighlight><br />
<br />
== Instalar Docker Engine ==<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin</syntaxhighlight><br />
<br />
== Comprobar Docker Engine ==<br />
=== Comprobar servicio ===<br />
<syntaxhighlight lang="Bash"><br />
systemctl status docker<br />
● docker.service - Docker Application Container Engine<br />
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: enabled)<br />
Active: active (running) since Thu 2026-02-26 22:52:45 UTC; 2min 39s ago<br />
TriggeredBy: ● docker.socket<br />
Docs: https://docs.docker.com<br />
Main PID: 23159 (dockerd)<br />
Tasks: 11<br />
Memory: 26.5M (peak: 29.2M)<br />
CPU: 284ms<br />
CGroup: /system.slice/docker.service<br />
└─23159 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock<br />
<br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.065056936Z" level=info msg="Deleting nftables IPv4 rules" error="exit s><br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.088078290Z" level=info msg="Deleting nftables IPv6 rules" error="exit s><br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.118636746Z" level=info msg="Firewalld: created docker-forwarding policy"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.117792420Z" level=info msg="Loading containers: done."<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.131108392Z" level=info msg="Docker daemon" commit=6bc6209 containerd-sn><br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.131332307Z" level=info msg="Initializing buildkit"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.149255659Z" level=info msg="Completed buildkit initialization"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.158529795Z" level=info msg="Daemon has completed initialization"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.158627568Z" level=info msg="API listen on /run/docker.sock"<br />
Feb 26 22:52:45 culturetas.net systemd[1]: Started docker.service - Docker Application Container Engine.<br />
</syntaxhighlight><br />
<br />
Si el servicio está apagado hay que arrancarlo y habilitarlo en el arranque:<br />
<syntaxhighlight lang="Bash">systemctl start docker</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable docker</syntaxhighlight><br />
<br />
=== Desplegar contenedor de prueba (hello-world) ===<br />
<syntaxhighlight lang="Bash">docker run hello-world</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
docker ps --all<br />
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES<br />
3995e4839733 hello-world "/hello" 2 minutes ago Exited (0) 2 minutes ago elated_matsumoto<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker stop elated_matsumoto</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker rm elated_matsumoto</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
docker image list<br />
i Info → U In Use<br />
IMAGE ID DISK USAGE CONTENT SIZE EXTRA<br />
hello-world:latest ef54e839ef54 25.9kB 9.52kB<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker image rm hello-world:latest</syntaxhighlight><br />
<br />
== Desarrollo con Docker Compose ==<br />
Para entornos productivos está recomendado usar Docker Compose para declarar todos los contenedores que se van a usar (mediante fichero YAML).<br />
Para su eso utilizo las siguientes herramientas:<br />
<br />
=== Visual Studio Codium ===<br />
Visual Studio Codium o [https://vscodium.com/ VS Codium] es la versión libre de Visual Studio Code.<br />
<br />
Se compilan del mismo repositio, pero no se incluyen las herramientas de telemetría que introduce Microsoft.<br />
<br />
Esta es una buena herramienta para desarrollar los ficheros YAML.<br />
<br />
Sin embargo, es necesario añadir extensiones.<br />
<br />
=== Docker (extensión) ===<br />
Extensión de VS Codium para gestionar contenedores.<br />
<br />
URL: [https://open-vsx.org/extension/ms-azuretools/vscode-docker https://open-vsx.org/extension/ms-azuretools/vscode-docker]<br />
<br />
Instalará automática otra extensión: [https://open-vsx.org/extension/ms-azuretools/vscode-containers Container Tools].<br />
<br />
=== YAML (extensión) ===<br />
Extensión de VS Codium para soporte al formato YAML.<br />
<br />
URL: [https://open-vsx.org/extension/redhat/vscode-yaml https://open-vsx.org/extension/redhat/vscode-yaml]<br />
<br />
=== Open Remote - SSH (extensión) ===<br />
Para poder conectar a servidores SSH en el propio VS Codium.<br />
<br />
URL: [https://open-vsx.org/extension/jeanp413/open-remote-ssh https://open-vsx.org/extension/jeanp413/open-remote-ssh]<br />
<br />
=== Spanish Language Pack (extensión) ===<br />
Para traducir VS Codium al español.<br />
<br />
URL: [https://open-vsx.org/extension/MS-CEINTL/vscode-language-pack-es https://open-vsx.org/extension/MS-CEINTL/vscode-language-pack-es]<br />
<br />
== Herramientas útiles ==<br />
=== Skopeo ===<br />
Permite analizar los repositorios de imágenes.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install skopeo</syntaxhighlight><br />
<br />
Uso:<br />
<syntaxhighlight lang="Bash">skopeo list-tags docker://cleanstart/openldap</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://docs.docker.com/engine/install/ubuntu/ https://docs.docker.com/engine/install/ubuntu/]<br />
* [https://docs.docker.com/engine/network/packet-filtering-firewalls/#docker-and-ufw https://docs.docker.com/engine/network/packet-filtering-firewalls/#docker-and-ufw]<br />
* [https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-resolve-firewall-problems-with-fedora-linux-rhel-os-centos-suse-linux-and-others https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-resolve-firewall-problems-with-fedora-linux-rhel-os-centos-suse-linux-and-others]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=P%C3%A1gina_principal&diff=118Página principal2026-03-21T10:54:21Z<p>Guzman: </p>
<hr />
<div>__NOTOC__<br />
<br />
== Bienvenidos a Wiki Castanedo.es ==<br />
<br />
=== ¿Qué es esto? ===<br />
<br />
Mi Wiki personal. No sobre mi persona, sino sobre mis cosas.<br />
<br />
Antes tenía diferentes páginas en las que publicaba artículos y notas sobre temas, principalmente relacionados con el mundo [https://es.wikipedia.org/wiki/GNU/Linux GNU/Linux] y la administración de servidores, pero se hallaban dispersos y en diferentes formatos.<br />
<br />
Este proyecto busca en primer lugar unificarlo todo en un solo sitio y por otro retomar la publicación de las notas que voy tomando.<br />
<br />
=== Contenido ===<br />
<br />
Me gusta tomar notas de las cosas que voy haciendo, sobre todo en el mundo de la informática.<br />
<br />
Durante mucho tiempo estas notas me las he guardado para mi mismo, pero a partir de ahora las comparto con el que le interesen. Muchas son cosas sencillas y muy conocidas, otras sin embargo contienen información que me han llevado mucha documentación que leer y algunas, incluso, contienen información difícil de encontrar.<br />
<br />
Desde aquí se compartirá tres tipos de contenidos diferenciados: notas, código y ayuda.<br />
<br />
==== Notas ====<br />
<br />
Son las notas que he ido habiendo sobre administración de sistemas:<br />
* '''Máquinas virtuales:'''<br />
** [[Securizar Ubuntu Server]]<br />
** Instalar y configurar un Servidor [[LEMP]] en Ubuntu Server (Linux + Nginx + MySQL + PHP).<br />
** Instalar y configurar un [[Servidor de Correo]] (Postfix + Dovecot + SSL + SPF + OpenDKIM + OpenDMARC + Amavis + SpamAssassin).<br />
** [[Administración servidor de correo]].<br />
** Instalar y configurar [[GOGS]] (Repositorio Git).<br />
** Instalar y configurar [[TeamSpeak 3]].<br />
** Instalar y configurar un [[Servidor Minecraft]].<br />
** Instalar y configurar [[Etherpad]] en Ubuntu Server.<br />
** Notas sobre [[OpenSSL]].<br />
** Notas de configuración de [[Drupal 7]] y [[Drupal 8]].<br />
** Notas de configuración de [[WordPress]].<br />
** Notas de configuración de [[MediaWiki]].<br />
* '''Contenedores:'''<br />
** Instalar y configurar [[Docker Engine]] en Ubuntu Server.<br />
** Instalar y configurar [[OpenLDAP]] en Docker.<br />
** Instalar y configurar [[Nextcloud AIO]] en Docker.<br />
** Instalar y configurar de servidor de correo [[Docker-Mailserver]].<br />
<br />
Pulse en el siguiente enlace para consultar la '''lista completa: [[:Categoría:Notas]]'''.<br />
<br />
==== Código ====<br />
<br />
Las notas aquí descritas pueden tener referencias a código fuente escrito por mi.<br />
<br />
Está disponible en [https://code.castanedo.es code.castanedo.es].<br />
<br />
Todo este software está disponible con licencia [https://www.gnu.org/licenses/gpl.html GPLv3].<br />
<br />
==== Ayuda ====<br />
<br />
Además es esta Wiki hay una [[:Categoría:Ayuda]] en las que se encuentran pequeñas guías de uso de servicios disponibles en mis servidores.<br />
<br />
Su función es que sirvan de ayuda para las personas que están usando estos servicios, aunque, por supuesto, son de libre consulta para cualquiera que los encuentre útiles.<br />
<br />
=== Espíritu ===<br />
<br />
El espíritu de esta wiki es el carácter libre y abierto.<br />
<br />
Todo el material que se aloje aquí será bajo licencia '''Creative Commons Attribution-ShareAlike 4.0''' ([https://creativecommons.org/licenses/by-sa/4.0/ CC BY-SA]) a menos que se exprese lo contrario.<br />
<br />
Para más detalles leer [[Wiki_Castanedo.es:Descargo_general]].<br />
<br />
=== Gracias ===<br />
<br />
'''Muchas gracias''' por visitar este sitio.<br />
<br />
Cualquier duda, consulta o corrección contacta en [mailto:guzman@castanedo.es guzman@castanedo.es].</div>Guzmanhttps://wiki.castanedo.es/index.php?title=P%C3%A1gina_principal&diff=117Página principal2026-03-09T10:26:32Z<p>Guzman: </p>
<hr />
<div>__NOTOC__<br />
<br />
== Bienvenidos a Wiki Castanedo.es ==<br />
<br />
=== ¿Qué es esto? ===<br />
<br />
Mi Wiki personal. No sobre mi persona, sino sobre mis cosas.<br />
<br />
Antes tenía diferentes páginas en las que publicaba artículos y notas sobre temas, principalmente relacionados con el mundo [https://es.wikipedia.org/wiki/GNU/Linux GNU/Linux] y la administración de servidores, pero se hallaban dispersos y en diferentes formatos.<br />
<br />
Este proyecto busca en primer lugar unificarlo todo en un solo sitio y por otro retomar la publicación de las notas que voy tomando.<br />
<br />
=== Contenido ===<br />
<br />
Me gusta tomar notas de las cosas que voy haciendo, sobre todo en el mundo de la informática.<br />
<br />
Durante mucho tiempo estas notas me las he guardado para mi mismo, pero a partir de ahora las comparto con el que le interesen. Muchas son cosas sencillas y muy conocidas, otras sin embargo contienen información que me han llevado mucha documentación que leer y algunas, incluso, contienen información difícil de encontrar.<br />
<br />
Desde aquí se compartirá tres tipos de contenidos diferenciados: notas, código y ayuda.<br />
<br />
==== Notas ====<br />
<br />
Son las notas que he ido habiendo sobre administración de sistemas:<br />
* '''Máquinas virtuales:'''<br />
** [[Securizar Ubuntu Server]]<br />
** Instalar y configurar un Servidor [[LEMP]] en Ubuntu Server (Linux + Nginx + MySQL + PHP).<br />
** Instalar y configurar un [[Servidor de Correo]] (Postfix + Dovecot + SSL + SPF + OpenDKIM + OpenDMARC + Amavis + SpamAssassin).<br />
** [[Administración servidor de correo]].<br />
** Instalar y configurar [[GOGS]] (Repositorio Git).<br />
** Instalar y configurar [[TeamSpeak 3]].<br />
** Instalar y configurar un [[Servidor Minecraft]].<br />
** Instalar y configurar [[Etherpad]] en Ubuntu Server.<br />
** Notas sobre [[OpenSSL]].<br />
** Notas de configuración de [[Drupal 7]] y [[Drupal 8]].<br />
** Notas de configuración de [[WordPress]].<br />
** Notas de configuración de [[MediaWiki]].<br />
* '''Contenedores:'''<br />
** Instalar y configurar [[Docker Engine]] en Ubuntu Server.<br />
** Instalar y configurar [[Nextcloud AIO]] en Docker.<br />
** Instalar y configurar de servidor de correo [[Docker-Mailserver]].<br />
<br />
Pulse en el siguiente enlace para consultar la '''lista completa: [[:Categoría:Notas]]'''.<br />
<br />
==== Código ====<br />
<br />
Las notas aquí descritas pueden tener referencias a código fuente escrito por mi.<br />
<br />
Está disponible en [https://code.castanedo.es code.castanedo.es].<br />
<br />
Todo este software está disponible con licencia [https://www.gnu.org/licenses/gpl.html GPLv3].<br />
<br />
==== Ayuda ====<br />
<br />
Además es esta Wiki hay una [[:Categoría:Ayuda]] en las que se encuentran pequeñas guías de uso de servicios disponibles en mis servidores.<br />
<br />
Su función es que sirvan de ayuda para las personas que están usando estos servicios, aunque, por supuesto, son de libre consulta para cualquiera que los encuentre útiles.<br />
<br />
=== Espíritu ===<br />
<br />
El espíritu de esta wiki es el carácter libre y abierto.<br />
<br />
Todo el material que se aloje aquí será bajo licencia '''Creative Commons Attribution-ShareAlike 4.0''' ([https://creativecommons.org/licenses/by-sa/4.0/ CC BY-SA]) a menos que se exprese lo contrario.<br />
<br />
Para más detalles leer [[Wiki_Castanedo.es:Descargo_general]].<br />
<br />
=== Gracias ===<br />
<br />
'''Muchas gracias''' por visitar este sitio.<br />
<br />
Cualquier duda, consulta o corrección contacta en [mailto:guzman@castanedo.es guzman@castanedo.es].</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Docker_Engine&diff=116Docker Engine2026-03-08T22:15:06Z<p>Guzman: </p>
<hr />
<div>== Instalación de Docker Engine en Ubuntu Server ==<br />
El objetivo de este documento es instalar Docker Engine en Ubuntu Server 24.04.<br />
<br />
== Requisitos ==<br />
Antes de instalar Docker hay que tener en cuenta una serie de consideraciones.<br />
<br />
=== Usuario root ===<br />
Todos los comandos que aquí se ponen, han de ejecutarse como root.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<br />
=== Desinstalar UFW ===<br />
El firewall que viene por defecto en entornos tipo Debian (como Ubuntu) tiene problemas de compatibilidad con Docker Engine.<br />
Debido a que Docker crea reglas directamente con IPTables, se ocasiona que Docker cree reglas que se salten las reglas existentes.<br />
Para evitar que esto pase vamos a sustituir UFW por FirewallD (en modo IPTables), que evita este tipo de problemas.<br />
<syntaxhighlight lang="Bash">ufw disable</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl disable ufw</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl stop ufw</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt remove --purge ufw</syntaxhighlight><br />
<br />
=== Instalar FirewallD ===<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install firewalld</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable firewalld</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start firewalld</syntaxhighlight><br />
<br />
=== Habilitar modo IPTables a FirewallD (opcional) ===<br />
Hay problemas reportados de conexión entre contenedores de Docker cuando FirewallD está en modo nftables, se resuelven cambiando a modo IPTables.<br />
<br />
<syntaxhighlight lang="Bash">vi /etc/firewalld/firewalld.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
# FirewallBackend<br />
# Selects the firewall backend implementation.<br />
# Choices are:<br />
# - nftables (default)<br />
# - iptables (iptables, ip6tables, ebtables and ipset)<br />
# Note: The iptables backend is deprecated. It will be removed in a future<br />
# release.<br />
#FirewallBackend=nftables<br />
FirewallBackend=iptables<br />
[...]<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl restart firewalld</syntaxhighlight><br />
<br />
=== Habilitar reglas anteriores ===<br />
En mi paso prefiero habilitar puertos TCP en vez de servicios (aunque también es posible).<br />
<br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-port=80/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-port=443/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --reload</syntaxhighlight><br />
<br />
=== Habilitar salida a Internet de contenedores ===<br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-masquerade</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --reload</syntaxhighlight><br />
<br />
=== Comprobar estado de FirewallD ===<br />
<syntaxhighlight lang="Bash"><br />
firewall-cmd --list-all<br />
public (default, active)<br />
target: default<br />
ingress-priority: 0<br />
egress-priority: 0<br />
icmp-block-inversion: no<br />
interfaces:<br />
sources:<br />
services: dhcpv6-client ssh<br />
ports: 80/tcp 443/tcp<br />
protocols:<br />
forward: yes<br />
masquerade: yes<br />
forward-ports:<br />
source-ports:<br />
icmp-blocks:<br />
rich rules:<br />
</syntaxhighlight><br />
<br />
=== Consideraciones importantes ===<br />
* Toda esta configuración estamos asumiendo que estamos usando la zona public.<br />
* Cuando se creen contenedores en Docker hay que evitar usar la opción -p (--port), ya que creará reglas en el firewall (iptables) que habilitarán acceso directo desde Internet a los contenedores.<br />
* Mi recomendación es no hacerlo así y exponer los servicios a través de un proxy inverso (ver artículo sobre servidor [[LEMP]]).<br />
<br />
== Desinstalar versiones anteriores de Docker Engine ==<br />
Comprobar que no existe una versión de Docker Engine instalada.<br />
<syntaxhighlight lang="Bash">apt remove $(dpkg --get-selections docker.io docker-compose docker-compose-v2 docker-doc podman-docker containerd runc | cut -f1)</syntaxhighlight><br />
<br />
== Añadir repositorios APT oficiales de Docker ==<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install ca-certificates curl</syntaxhighlight><br />
<syntaxhighlight lang="Bash">install -m 0755 -d /etc/apt/keyrings</syntaxhighlight><br />
<syntaxhighlight lang="Bash">curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod a+r /etc/apt/keyrings/docker.asc</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
sudo tee /etc/apt/sources.list.d/docker.sources <<EOF<br />
Types: deb<br />
URIs: https://download.docker.com/linux/ubuntu<br />
Suites: $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}")<br />
Components: stable<br />
Signed-By: /etc/apt/keyrings/docker.asc<br />
EOF<br />
</syntaxhighlight><br />
<br />
== Instalar Docker Engine ==<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin</syntaxhighlight><br />
<br />
== Comprobar Docker Engine ==<br />
=== Comprobar servicio ===<br />
<syntaxhighlight lang="Bash"><br />
systemctl status docker<br />
● docker.service - Docker Application Container Engine<br />
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: enabled)<br />
Active: active (running) since Thu 2026-02-26 22:52:45 UTC; 2min 39s ago<br />
TriggeredBy: ● docker.socket<br />
Docs: https://docs.docker.com<br />
Main PID: 23159 (dockerd)<br />
Tasks: 11<br />
Memory: 26.5M (peak: 29.2M)<br />
CPU: 284ms<br />
CGroup: /system.slice/docker.service<br />
└─23159 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock<br />
<br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.065056936Z" level=info msg="Deleting nftables IPv4 rules" error="exit s><br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.088078290Z" level=info msg="Deleting nftables IPv6 rules" error="exit s><br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.118636746Z" level=info msg="Firewalld: created docker-forwarding policy"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.117792420Z" level=info msg="Loading containers: done."<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.131108392Z" level=info msg="Docker daemon" commit=6bc6209 containerd-sn><br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.131332307Z" level=info msg="Initializing buildkit"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.149255659Z" level=info msg="Completed buildkit initialization"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.158529795Z" level=info msg="Daemon has completed initialization"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.158627568Z" level=info msg="API listen on /run/docker.sock"<br />
Feb 26 22:52:45 culturetas.net systemd[1]: Started docker.service - Docker Application Container Engine.<br />
</syntaxhighlight><br />
<br />
Si el servicio está apagado hay que arrancarlo y habilitarlo en el arranque:<br />
<syntaxhighlight lang="Bash">systemctl start docker</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable docker</syntaxhighlight><br />
<br />
=== Desplegar contenedor de prueba (hello-world) ===<br />
<syntaxhighlight lang="Bash">docker run hello-world</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
docker ps --all<br />
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES<br />
3995e4839733 hello-world "/hello" 2 minutes ago Exited (0) 2 minutes ago elated_matsumoto<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker stop elated_matsumoto</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker rm elated_matsumoto</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
docker image list<br />
i Info → U In Use<br />
IMAGE ID DISK USAGE CONTENT SIZE EXTRA<br />
hello-world:latest ef54e839ef54 25.9kB 9.52kB<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker image rm hello-world:latest</syntaxhighlight><br />
<br />
== Desarrollo con Docker Compose ==<br />
Para entornos productivos está recomendado usar Docker Compose para declarar todos los contenedores que se van a usar (mediante fichero YAML).<br />
Para su eso utilizo las siguientes herramientas:<br />
<br />
=== Visual Studio Codium ===<br />
Visual Studio Codium o [https://vscodium.com/ VS Codium] es la versión libre de Visual Studio Code.<br />
<br />
Se compilan del mismo repositio, pero no se incluyen las herramientas de telemetría que introduce Microsoft.<br />
<br />
Esta es una buena herramienta para desarrollar los ficheros YAML.<br />
<br />
Sin embargo, es necesario añadir extensiones.<br />
<br />
=== Docker (extensión) ===<br />
Extensión de VS Codium para gestionar contenedores.<br />
<br />
URL: [https://open-vsx.org/extension/ms-azuretools/vscode-docker https://open-vsx.org/extension/ms-azuretools/vscode-docker]<br />
<br />
Instalará automática otra extensión: [https://open-vsx.org/extension/ms-azuretools/vscode-containers Container Tools].<br />
<br />
=== YAML (extensión) ===<br />
Extensión de VS Codium para soporte al formato YAML.<br />
<br />
URL: [https://open-vsx.org/extension/redhat/vscode-yaml https://open-vsx.org/extension/redhat/vscode-yaml]<br />
<br />
=== Open Remote - SSH (extensión) ===<br />
Para poder conectar a servidores SSH en el propio VS Codium.<br />
<br />
URL: [https://open-vsx.org/extension/jeanp413/open-remote-ssh https://open-vsx.org/extension/jeanp413/open-remote-ssh]<br />
<br />
=== Spanish Language Pack (extensión) ===<br />
Para traducir VS Codium al español.<br />
<br />
URL: [https://open-vsx.org/extension/MS-CEINTL/vscode-language-pack-es https://open-vsx.org/extension/MS-CEINTL/vscode-language-pack-es]<br />
<br />
== Referencias ==<br />
* [https://docs.docker.com/engine/install/ubuntu/ https://docs.docker.com/engine/install/ubuntu/]<br />
* [https://docs.docker.com/engine/network/packet-filtering-firewalls/#docker-and-ufw https://docs.docker.com/engine/network/packet-filtering-firewalls/#docker-and-ufw]<br />
* [https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-resolve-firewall-problems-with-fedora-linux-rhel-os-centos-suse-linux-and-others https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-resolve-firewall-problems-with-fedora-linux-rhel-os-centos-suse-linux-and-others]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Docker_Engine&diff=115Docker Engine2026-03-08T22:12:45Z<p>Guzman: </p>
<hr />
<div>== Instalación de Docker Engine en Ubuntu Server ==<br />
El objetivo de este documento es instalar Docker Engine en Ubuntu Server 24.04.<br />
<br />
== Requisitos ==<br />
Antes de instalar Docker hay que tener en cuenta una serie de consideraciones.<br />
<br />
=== Usuario root ===<br />
Todos los comandos que aquí se ponen, han de ejecutarse como root.<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<br />
=== Desinstalar UFW ===<br />
El firewall que viene por defecto en entornos tipo Debian (como Ubuntu) tiene problemas de compatibilidad con Docker Engine.<br />
Debido a que Docker crea reglas directamente con IPTables, se ocasiona que Docker cree reglas que se salten las reglas existentes.<br />
Para evitar que esto pase vamos a sustituir UFW por FirewallD (en modo IPTables), que evita este tipo de problemas.<br />
<syntaxhighlight lang="Bash">ufw disable</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl disable ufw</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl stop ufw</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt remove --purge ufw</syntaxhighlight><br />
<br />
=== Instalar FirewallD ===<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install firewalld</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable firewalld</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start firewalld</syntaxhighlight><br />
<br />
=== Habilitar modo IPTables a FirewallD (opcional) ===<br />
Hay problemas reportados de conexión entre contenedores de Docker cuando FirewallD está en modo nftables, se resuelven cambiando a modo IPTables.<br />
<br />
<syntaxhighlight lang="Bash">vi /etc/firewalld/firewalld.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
# FirewallBackend<br />
# Selects the firewall backend implementation.<br />
# Choices are:<br />
# - nftables (default)<br />
# - iptables (iptables, ip6tables, ebtables and ipset)<br />
# Note: The iptables backend is deprecated. It will be removed in a future<br />
# release.<br />
#FirewallBackend=nftables<br />
FirewallBackend=iptables<br />
[...]<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl restart firewalld</syntaxhighlight><br />
<br />
=== Habilitar reglas anteriores ===<br />
En mi paso prefiero habilitar puertos TCP en vez de servicios (aunque también es posible).<br />
<br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-port=80/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-port=443/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --reload</syntaxhighlight><br />
<br />
=== Habilitar salida a Internet de contenedores ===<br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-masquerade</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --reload</syntaxhighlight><br />
<br />
=== Comprobar estado de FirewallD ===<br />
<syntaxhighlight lang="Bash"><br />
firewall-cmd --list-all<br />
public (default, active)<br />
target: default<br />
ingress-priority: 0<br />
egress-priority: 0<br />
icmp-block-inversion: no<br />
interfaces:<br />
sources:<br />
services: dhcpv6-client ssh<br />
ports: 80/tcp 443/tcp<br />
protocols:<br />
forward: yes<br />
masquerade: yes<br />
forward-ports:<br />
source-ports:<br />
icmp-blocks:<br />
rich rules:<br />
</syntaxhighlight><br />
<br />
=== Consideraciones importantes ===<br />
* Toda esta configuración estamos asumiendo que estamos usando la zona public.<br />
* Cuando se creen contenedores en Docker hay que evitar usar la opción -p (--port), ya que creará reglas en el firewall (iptables) que habilitarán acceso directo desde Internet a los contenedores.<br />
* Mi recomendación es no hacerlo así y exponer los servicios a través de un proxy inverso (ver artículo sobre servidor [[LEMP]]).<br />
<br />
== Desinstalar versiones anteriores de Docker Engine ==<br />
Comprobar que no existe una versión de Docker Engine instalada.<br />
<syntaxhighlight lang="Bash">apt remove $(dpkg --get-selections docker.io docker-compose docker-compose-v2 docker-doc podman-docker containerd runc | cut -f1)</syntaxhighlight><br />
<br />
== Añadir repositorios APT oficiales de Docker ==<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install ca-certificates curl</syntaxhighlight><br />
<syntaxhighlight lang="Bash">install -m 0755 -d /etc/apt/keyrings</syntaxhighlight><br />
<syntaxhighlight lang="Bash">curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod a+r /etc/apt/keyrings/docker.asc</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
sudo tee /etc/apt/sources.list.d/docker.sources <<EOF<br />
Types: deb<br />
URIs: https://download.docker.com/linux/ubuntu<br />
Suites: $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}")<br />
Components: stable<br />
Signed-By: /etc/apt/keyrings/docker.asc<br />
EOF<br />
</syntaxhighlight><br />
<br />
== Instalar Docker Engine ==<br />
<syntaxhighlight lang="Bash">apt update</syntaxhighlight><br />
<syntaxhighlight lang="Bash">apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin</syntaxhighlight><br />
<br />
== Comprobar Docker Engine ==<br />
=== Comprobar servicio ===<br />
<syntaxhighlight lang="Bash"><br />
systemctl status docker<br />
● docker.service - Docker Application Container Engine<br />
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: enabled)<br />
Active: active (running) since Thu 2026-02-26 22:52:45 UTC; 2min 39s ago<br />
TriggeredBy: ● docker.socket<br />
Docs: https://docs.docker.com<br />
Main PID: 23159 (dockerd)<br />
Tasks: 11<br />
Memory: 26.5M (peak: 29.2M)<br />
CPU: 284ms<br />
CGroup: /system.slice/docker.service<br />
└─23159 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock<br />
<br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.065056936Z" level=info msg="Deleting nftables IPv4 rules" error="exit s><br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.088078290Z" level=info msg="Deleting nftables IPv6 rules" error="exit s><br />
Feb 26 22:52:44 culturetas.net dockerd[23159]: time="2026-02-26T22:52:44.118636746Z" level=info msg="Firewalld: created docker-forwarding policy"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.117792420Z" level=info msg="Loading containers: done."<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.131108392Z" level=info msg="Docker daemon" commit=6bc6209 containerd-sn><br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.131332307Z" level=info msg="Initializing buildkit"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.149255659Z" level=info msg="Completed buildkit initialization"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.158529795Z" level=info msg="Daemon has completed initialization"<br />
Feb 26 22:52:45 culturetas.net dockerd[23159]: time="2026-02-26T22:52:45.158627568Z" level=info msg="API listen on /run/docker.sock"<br />
Feb 26 22:52:45 culturetas.net systemd[1]: Started docker.service - Docker Application Container Engine.<br />
</syntaxhighlight><br />
<br />
Si el servicio está apagado hay que arrancarlo y habilitarlo en el arranque:<br />
<syntaxhighlight lang="Bash">systemctl start docker</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enable docker</syntaxhighlight><br />
<br />
=== Desplegar contenedor de prueba (hello-world) ===<br />
<syntaxhighlight lang="Bash">docker run hello-world</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
docker ps --all<br />
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES<br />
3995e4839733 hello-world "/hello" 2 minutes ago Exited (0) 2 minutes ago elated_matsumoto<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker stop elated_matsumoto</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker rm elated_matsumoto</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
docker image list<br />
i Info → U In Use<br />
IMAGE ID DISK USAGE CONTENT SIZE EXTRA<br />
hello-world:latest ef54e839ef54 25.9kB 9.52kB<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker image rm hello-world:latest</syntaxhighlight><br />
<br />
== Desarrollo con Docker Compose ==<br />
Para entornos productivos está recomendado usar Docker Compose para declarar todos los contenedores que se van a usar (mediante fichero YAML).<br />
Para su eso utilizo las siguientes herramientas:<br />
<br />
=== Visual Studio Codium ===<br />
Visual Studio Codium o [https://vscodium.com/ VS Codium] es la versión libre de Visual Studio Code.<br />
Se compilan del mismo repositio, pero no se incluyen las herramientas de telemetría que introduce Microsoft.<br />
<br />
Esta es una buena herramienta para desarrollar los ficheros YAML.<br />
Sin embargo, es necesario añadir extensiones<br />
<br />
=== Docker (extensión) ===<br />
Extensión de VS Codium para gestionar contenedores.<br />
URL: [https://open-vsx.org/extension/ms-azuretools/vscode-docker https://open-vsx.org/extension/ms-azuretools/vscode-docker]<br />
Instalará automática otra extensión: [https://open-vsx.org/extension/ms-azuretools/vscode-containers Container Tools].<br />
<br />
=== YAML (extensión) ===<br />
Extensión de VS Codium para soporte al formato YAML.<br />
URL: [https://open-vsx.org/extension/redhat/vscode-yaml https://open-vsx.org/extension/redhat/vscode-yaml]<br />
<br />
=== Open Remote - SSH (extensión) ===<br />
Para poder conectar a servidores SSH en el propio VS Codium.<br />
URL: [https://open-vsx.org/extension/jeanp413/open-remote-ssh https://open-vsx.org/extension/jeanp413/open-remote-ssh]<br />
<br />
=== Spanish Language Pack (extensión) ===<br />
Para traducir VS Codium al español.<br />
URL: [https://open-vsx.org/extension/MS-CEINTL/vscode-language-pack-es https://open-vsx.org/extension/MS-CEINTL/vscode-language-pack-es]<br />
<br />
== Referencias ==<br />
* [https://docs.docker.com/engine/install/ubuntu/ https://docs.docker.com/engine/install/ubuntu/]<br />
* [https://docs.docker.com/engine/network/packet-filtering-firewalls/#docker-and-ufw https://docs.docker.com/engine/network/packet-filtering-firewalls/#docker-and-ufw]<br />
* [https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-resolve-firewall-problems-with-fedora-linux-rhel-os-centos-suse-linux-and-others https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-resolve-firewall-problems-with-fedora-linux-rhel-os-centos-suse-linux-and-others]<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Administraci%C3%B3n_servidor_de_correo&diff=114Administración servidor de correo2026-02-27T22:10:59Z<p>Guzman: </p>
<hr />
<div>== Objetivo ==<br />
En esta página se muestra cómo administrar el correo genérico instalado en la página [Servidor de Correo].<br />
<br />
== Añadir un nuevo dominio ==<br />
Consiste en configurar el servidor de correo para que sirva correos de un nuevo dominio (en este ejemplo culturetas.net).<br />
<br />
=== Añadir nuevo dominio en BD ===<br />
En mi configuración los dominios, usuarios y aliases se encuentran en una base de datos MariaDB.<br />
<syntaxhighlight lang="Bash">mariadb</syntaxhighlight><br />
<syntaxhighlight lang="Bash">use mailserver;</syntaxhighlight><br />
<syntaxhighlight lang="Bash">INSERT INTO virtual_domains (domain) VALUES ('culturetas.net');</syntaxhighlight><br />
<syntaxhighlight lang="Bash">COMMIT;</syntaxhighlight><br />
<br />
<br />
<br />
=== Configuración OpenDKIM ===<br />
* Generamos una clave criptográficas:<br />
<syntaxhighlight lang="Bash">cd /etc/dkimkeys</syntaxhighlight><br />
<syntaxhighlight lang="Bash">opendkim-genkey -s mail -d culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.private /etc/dkimkeys/culturetas.net-dkim.key</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.txt /etc/dkimkeys/culturetas.net-dkim.txt</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chown opendkim:opendkim /etc/dkimkeys/culturetas.net-dkim.*</syntaxhighlight><br />
<br />
* Habilitar dominios en OpenDKIM:<br />
<syntaxhighlight lang="Bash">vi /etc/dkimkeys/key_table</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
#KEYID DOMAIN:SELECTOR:KEY<br />
[...]<br />
mail._domainkey.culturetas.net culturetas.net:mail:/etc/dkimkeys/culturetas.net-dkim.key<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/dkimkeys/signing_table</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
#DOMAIN KEYID<br />
[...]<br />
culturetas.net mail._domainkey.culturetas.net<br />
</syntaxhighlight><br />
<br />
* Anotar clavé pública de OpenDKIM:<br />
<syntaxhighlight lang="Bash">cat /etc/dkimkeys/culturetas.net-dkim.txt</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "<br />
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG1MMcJ0XbHKCgwLrr8zO1AVXxNYE+ut/3SQD0VxdHvexIvlIovyKFMagAQlzIJ0Tr+9l7FUNlCdeUoCqIxi4R4mOgOcrqgXRNXAwQoa7ns1j2pFeYnKHCODIiDRsszU0gKmgUX82ps55Feo/Fx5v1xtZNy855G+h8LnGy6lEoXx87TcCIsdXkslWPdGBJZPwNlvO+SCtttSM"<br />
"f//sdjGuc5zQnnnqdSLgNa6vSidM/71MvF0L5rPpeaQ0bAAicb2Iv047lDT2G1LnJ+y1wpugDdJGQoEa6D8SV2Q8ffzaPyRJ340wP9d1m2BZT2EvLTJA60wFc22GfkM0ha6N2QtwIDAQAB" ) ; ----- DKIM key mail for culturetas.net<br />
</syntaxhighlight><br />
<br />
* Reiniciar OpenDKIM:<br />
<syntaxhighlight lang="Bash">systemctl restart opendkim</syntaxhighlight><br />
<br />
=== Configuración OpenDMARC ===<br />
* Configurar dominios en OpenDMARC:<br />
<syntaxhighlight lang="Bash">vi /etc/opendmarc.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
TrustedAuthservIDs HOSTNAME,culturetas.net<br />
[...]<br />
IgnoreMailFrom smtp.castanedo.es,culturetas.net<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Reiniciar OpenDMARC:<br />
<syntaxhighlight lang="Bash">systemctl restart opendmarc</syntaxhighlight><br />
<br />
<br />
=== Configurar registros DNS ===<br />
Es necesario acceder a la zona DNS para añadir nuevos dominios para el dominio (culturetas.net en este ejemplo).<br />
<br />
* Registro DKIM<br />
Hay que añadir un registro DNS con la información de la clave pública de DKIM.<br />
<syntaxhighlight lang="text"><br />
mail._domainkey IN TXT "v=DKIM1;g=*;h=sha256;k=rsa;s=email;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG1MMcJ0XbHKCgwLrr8zO1AVXxNYE+ut/3SQD0VxdHvexIvlIovyKFMagAQlzIJ0Tr+9l7FUNlCdeUoCqIxi4R4mOgOcrqgXRNXAwQoa7ns1j2pFeYnKHCODIiDRsszU0gKmgUX82ps55Feo/Fx5v1xtZNy855G+h8LnGy6lEoXx87TcCIsdXkslWPdGBJZPwNlvO+SCtttSMf//sdjGuc5zQnnnqdSLgNa6vSidM/71MvF0L5rPpeaQ0bAAicb2Iv047lDT2G1LnJ+y1wpugDdJGQoEa6D8SV2Q8ffzaPyRJ340wP9d1m2BZT2EvLTJA60wFc22GfkM0ha6N2QtwIDAQAB;"<br />
</syntaxhighlight><br />
<br />
* Registro SPF:<br />
Hay que añadir un registro DNS con la información de SPF.<br />
<syntaxhighlight lang="text"><br />
culturetas.net. IN TXT "v=spf1 mx include:smtp.castanedo.es ~all"<br />
</syntaxhighlight><br />
** a: permite que el servidor en A envien correo.<br />
** mx: permite que el servidor en MX envie correo.<br />
** -all: la información describe a todos los hosts estrictamente.<br />
<br />
* Registro ADSP:<br />
Hay que añadir un registro DNS con la información de ADSP (Author Domain Signing Practices).<br />
<syntaxhighlight lang="text"><br />
_adsp._domainkey IN TXT "dkim=all"<br />
</syntaxhighlight><br />
** unknown: válidos tanto firmados como sin firmar.<br />
** all: todos los emails firmados.<br />
** discardable: todos los emails firmados y los que no lo estén pueden eliminarse.<br />
<br />
* Registro DMARC:<br />
Hay que añadir un registro DNS con la información DMAR (Domain bases Message Authentication, Reporting and Conformance).<br />
<syntaxhighlight lang="text"><br />
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:admin@culturetas.net; fo=0; adkim=r; aspf=r"<br />
</syntaxhighlight><br />
** p puede ser:<br />
*** none: no hace nada si falla DMARC.<br />
*** quarantine: si falla que sean tratado como sospechoso.<br />
*** reject: si falla que sea eliminado.<br />
** rua: dirección a donde los fallos deben ser reportados.<br />
** fo puede ser:<br />
*** 0: generar reporte si falla SPF y DKIM.<br />
*** 1: generar reporte si falla SPF o DKIM.<br />
*** s: generar reporte si falla SPF.<br />
*** d: generar reporte si falla DKIM.<br />
<br />
== Añadir un nuevo buzón ==<br />
=== Generar contraseña ===<br />
<syntaxhighlight lang="Bash">doveadm pw -s SHA512-CRYPT</syntaxhighlight><br />
<br />
=== Añadir a base de datos ===<br />
<syntaxhighlight lang="Bash">mariadb</syntaxhighlight><br />
<syntaxhighlight lang="Bash">use mailserver;</syntaxhighlight><br />
<syntaxhighlight lang="Bash">INSERT INTO virtual_users (domain_id, email, password, access) VALUES ('6', 'admin@culturetas.net', '$6$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'OK');</syntaxhighlight><br />
<syntaxhighlight lang="Bash">COMMIT;</syntaxhighlight><br />
<br />
<br />
== Añadir un nuevo alias ==<br />
<syntaxhighlight lang="Bash">mariadb</syntaxhighlight><br />
<syntaxhighlight lang="Bash">use mailserver;</syntaxhighlight><br />
<syntaxhighlight lang="Bash">INSERT INTO virtual_aliases (domain_id, source, destination) VALUES ('6', 'postmaster@culturetas.net', 'admin@culturetas.net');</syntaxhighlight><br />
<syntaxhighlight lang="Bash">INSERT INTO virtual_aliases (domain_id, source, destination) VALUES ('6', 'webmaster@culturetas.net', 'admin@culturetas.net');</syntaxhighlight><br />
<syntaxhighlight lang="Bash">COMMIT;</syntaxhighlight><br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Administraci%C3%B3n_servidor_de_correo&diff=113Administración servidor de correo2026-02-27T21:49:07Z<p>Guzman: </p>
<hr />
<div>== Objetivo ==<br />
En esta página se muestra cómo administrar el correo genérico instalado en la página [Servidor de Correo].<br />
<br />
== Añadir un nuevo dominio ==<br />
Consiste en configurar el servidor de correo para que sirva correos de un nuevo dominio (en este ejemplo culturetas.net).<br />
<br />
=== Añadir nuevo dominio en BD ===<br />
En mi configuración los dominios, usuarios y aliases se encuentran en una base de datos MariaDB.<br />
<syntaxhighlight lang="Bash">mariadb</syntaxhighlight><br />
<syntaxhighlight lang="Bash">use mailserver;</syntaxhighlight><br />
<syntaxhighlight lang="Bash">INSERT INTO virtual_domains (domain) VALUES ('culturetas.net');</syntaxhighlight><br />
<syntaxhighlight lang="Bash">COMMIT;</syntaxhighlight><br />
<br />
<br />
<br />
=== Configuración OpenDKIM ===<br />
* Generamos una clave criptográficas:<br />
<syntaxhighlight lang="Bash">cd /etc/dkimkeys</syntaxhighlight><br />
<syntaxhighlight lang="Bash">opendkim-genkey -s mail -d culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.private /etc/dkimkeys/culturetas.net-dkim.key</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.txt /etc/dkimkeys/culturetas.net-dkim.txt</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chown opendkim:opendkim /etc/dkimkeys/culturetas.net-dkim.*</syntaxhighlight><br />
<br />
* Habilitar dominios en OpenDKIM:<br />
<syntaxhighlight lang="Bash">vi /etc/dkimkeys/key_table</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
#KEYID DOMAIN:SELECTOR:KEY<br />
[...]<br />
mail._domainkey.culturetas.net culturetas.net:mail:/etc/dkimkeys/culturetas.net-dkim.key<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/dkimkeys/signing_table</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
#DOMAIN KEYID<br />
[...]<br />
culturetas.net mail._domainkey.culturetas.net<br />
</syntaxhighlight><br />
<br />
* Anotar clavé pública de OpenDKIM:<br />
<syntaxhighlight lang="Bash">cat /etc/dkimkeys/culturetas.net-dkim.txt</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "<br />
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG1MMcJ0XbHKCgwLrr8zO1AVXxNYE+ut/3SQD0VxdHvexIvlIovyKFMagAQlzIJ0Tr+9l7FUNlCdeUoCqIxi4R4mOgOcrqgXRNXAwQoa7ns1j2pFeYnKHCODIiDRsszU0gKmgUX82ps55Feo/Fx5v1xtZNy855G+h8LnGy6lEoXx87TcCIsdXkslWPdGBJZPwNlvO+SCtttSM"<br />
"f//sdjGuc5zQnnnqdSLgNa6vSidM/71MvF0L5rPpeaQ0bAAicb2Iv047lDT2G1LnJ+y1wpugDdJGQoEa6D8SV2Q8ffzaPyRJ340wP9d1m2BZT2EvLTJA60wFc22GfkM0ha6N2QtwIDAQAB" ) ; ----- DKIM key mail for culturetas.net<br />
</syntaxhighlight><br />
<br />
* Reiniciar OpenDKIM:<br />
<syntaxhighlight lang="Bash">systemctl restart opendkim</syntaxhighlight><br />
<br />
=== Configuración OpenDMARC ===<br />
* Configurar dominios en OpenDMARC:<br />
<syntaxhighlight lang="Bash">vi /etc/opendmarc.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
TrustedAuthservIDs HOSTNAME,culturetas.net<br />
[...]<br />
IgnoreMailFrom smtp.castanedo.es,culturetas.net<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Reiniciar OpenDMARC:<br />
<syntaxhighlight lang="Bash">systemctl restart opendmarc</syntaxhighlight><br />
<br />
<br />
=== Configurar registros DNS ===<br />
Es necesario acceder a la zona DNS para añadir nuevos dominios para el dominio (culturetas.net en este ejemplo).<br />
<br />
* Registro DKIM<br />
Hay que añadir un registro DNS con la información de la clave pública de DKIM.<br />
<syntaxhighlight lang="text"><br />
mail._domainkey IN TXT "v=DKIM1;g=*;h=sha256;k=rsa;s=email;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG1MMcJ0XbHKCgwLrr8zO1AVXxNYE+ut/3SQD0VxdHvexIvlIovyKFMagAQlzIJ0Tr+9l7FUNlCdeUoCqIxi4R4mOgOcrqgXRNXAwQoa7ns1j2pFeYnKHCODIiDRsszU0gKmgUX82ps55Feo/Fx5v1xtZNy855G+h8LnGy6lEoXx87TcCIsdXkslWPdGBJZPwNlvO+SCtttSMf//sdjGuc5zQnnnqdSLgNa6vSidM/71MvF0L5rPpeaQ0bAAicb2Iv047lDT2G1LnJ+y1wpugDdJGQoEa6D8SV2Q8ffzaPyRJ340wP9d1m2BZT2EvLTJA60wFc22GfkM0ha6N2QtwIDAQAB;"<br />
</syntaxhighlight><br />
<br />
* Registro SPF:<br />
Hay que añadir un registro DNS con la información de SPF.<br />
<syntaxhighlight lang="text"><br />
culturetas.net. IN TXT "v=spf1 mx include:smtp.castanedo.es ~all"<br />
</syntaxhighlight><br />
** a: permite que el servidor en A envien correo.<br />
** mx: permite que el servidor en MX envie correo.<br />
** -all: la información describe a todos los hosts estrictamente.<br />
<br />
* Registro ADSP:<br />
Hay que añadir un registro DNS con la información de ADSP (Author Domain Signing Practices).<br />
<syntaxhighlight lang="text"><br />
_adsp._domainkey IN TXT "dkim=all"<br />
</syntaxhighlight><br />
** unknown: válidos tanto firmados como sin firmar.<br />
** all: todos los emails firmados.<br />
** discardable: todos los emails firmados y los que no lo estén pueden eliminarse.<br />
<br />
* Registro DMARC:<br />
Hay que añadir un registro DNS con la información DMAR (Domain bases Message Authentication, Reporting and Conformance).<br />
<syntaxhighlight lang="text"><br />
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:admin@culturetas.net; fo=0; adkim=r; aspf=r"<br />
</syntaxhighlight><br />
** p puede ser:<br />
*** none: no hace nada si falla DMARC.<br />
*** quarantine: si falla que sean tratado como sospechoso.<br />
*** reject: si falla que sea eliminado.<br />
** rua: dirección a donde los fallos deben ser reportados.<br />
** fo puede ser:<br />
*** 0: generar reporte si falla SPF y DKIM.<br />
*** 1: generar reporte si falla SPF o DKIM.<br />
*** s: generar reporte si falla SPF.<br />
*** d: generar reporte si falla DKIM.<br />
<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Administraci%C3%B3n_servidor_de_correo&diff=112Administración servidor de correo2026-02-27T21:40:16Z<p>Guzman: </p>
<hr />
<div>== Objetivo ==<br />
En esta página se muestra cómo administrar el correo genérico instalado en la página [Servidor de Correo].<br />
<br />
== Añadir un nuevo dominio ==<br />
Consiste en configurar el servidor de correo para que sirva correos de un nuevo dominio (en este ejemplo culturetas.net).<br />
<br />
=== Configuración OpenDKIM ===<br />
* Generamos una clave criptográficas:<br />
<syntaxhighlight lang="Bash">cd /etc/dkimkeys</syntaxhighlight><br />
<syntaxhighlight lang="Bash">opendkim-genkey -s mail -d culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.private /etc/dkimkeys/culturetas.net-dkim.key</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.txt /etc/dkimkeys/culturetas.net-dkim.txt</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chown opendkim:opendkim /etc/dkimkeys/culturetas.net-dkim.*</syntaxhighlight><br />
<br />
* Habilitar dominios en OpenDKIM:<br />
<syntaxhighlight lang="Bash">vi /etc/dkimkeys/key_table</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
#KEYID DOMAIN:SELECTOR:KEY<br />
[...]<br />
mail._domainkey.culturetas.net culturetas.net:mail:/etc/dkimkeys/culturetas.net-dkim.key<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/dkimkeys/signing_table</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
#DOMAIN KEYID<br />
[...]<br />
culturetas.net mail._domainkey.culturetas.net<br />
</syntaxhighlight><br />
<br />
* Anotar clavé pública de OpenDKIM:<br />
<syntaxhighlight lang="Bash">cat /etc/dkimkeys/culturetas.net-dkim.txt</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "<br />
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG1MMcJ0XbHKCgwLrr8zO1AVXxNYE+ut/3SQD0VxdHvexIvlIovyKFMagAQlzIJ0Tr+9l7FUNlCdeUoCqIxi4R4mOgOcrqgXRNXAwQoa7ns1j2pFeYnKHCODIiDRsszU0gKmgUX82ps55Feo/Fx5v1xtZNy855G+h8LnGy6lEoXx87TcCIsdXkslWPdGBJZPwNlvO+SCtttSM"<br />
"f//sdjGuc5zQnnnqdSLgNa6vSidM/71MvF0L5rPpeaQ0bAAicb2Iv047lDT2G1LnJ+y1wpugDdJGQoEa6D8SV2Q8ffzaPyRJ340wP9d1m2BZT2EvLTJA60wFc22GfkM0ha6N2QtwIDAQAB" ) ; ----- DKIM key mail for culturetas.net<br />
</syntaxhighlight><br />
<br />
* Reiniciar OpenDKIM:<br />
<syntaxhighlight lang="Bash">systemctl restart opendkim</syntaxhighlight><br />
<br />
=== Configuración OpenDMARC ===<br />
* Configurar dominios en OpenDMARC:<br />
<syntaxhighlight lang="Bash">vi /etc/opendmarc.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
TrustedAuthservIDs HOSTNAME,culturetas.net<br />
[...]<br />
IgnoreMailFrom smtp.castanedo.es,culturetas.net<br />
[...]<br />
</syntaxhighlight><br />
<br />
* Reiniciar OpenDMARC:<br />
<syntaxhighlight lang="Bash">systemctl restart opendmarc</syntaxhighlight><br />
<br />
<br />
=== Configurar registros DNS ===<br />
Es necesario acceder a la zona DNS para añadir nuevos dominios para el dominio (culturetas.net en este ejemplo).<br />
<br />
* Registro DKIM<br />
Hay que añadir un registro DNS con la información de la clave pública de DKIM.<br />
<syntaxhighlight lang="text"><br />
mail._domainkey IN TXT "v=DKIM1;g=*;h=sha256;k=rsa;s=email;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG1MMcJ0XbHKCgwLrr8zO1AVXxNYE+ut/3SQD0VxdHvexIvlIovyKFMagAQlzIJ0Tr+9l7FUNlCdeUoCqIxi4R4mOgOcrqgXRNXAwQoa7ns1j2pFeYnKHCODIiDRsszU0gKmgUX82ps55Feo/Fx5v1xtZNy855G+h8LnGy6lEoXx87TcCIsdXkslWPdGBJZPwNlvO+SCtttSMf//sdjGuc5zQnnnqdSLgNa6vSidM/71MvF0L5rPpeaQ0bAAicb2Iv047lDT2G1LnJ+y1wpugDdJGQoEa6D8SV2Q8ffzaPyRJ340wP9d1m2BZT2EvLTJA60wFc22GfkM0ha6N2QtwIDAQAB;"<br />
</syntaxhighlight><br />
<br />
* Registro SPF:<br />
Hay que añadir un registro DNS con la información de SPF.<br />
<syntaxhighlight lang="text"><br />
culturetas.net. IN TXT "v=spf1 mx include:smtp.castanedo.es ~all"<br />
</syntaxhighlight><br />
** a: permite que el servidor en A envien correo.<br />
** mx: permite que el servidor en MX envie correo.<br />
** -all: la información describe a todos los hosts estrictamente.<br />
<br />
* Registro ADSP:<br />
Hay que añadir un registro DNS con la información de ADSP (Author Domain Signing Practices).<br />
<syntaxhighlight lang="text"><br />
_adsp._domainkey IN TXT "dkim=all"<br />
</syntaxhighlight><br />
** unknown: válidos tanto firmados como sin firmar.<br />
** all: todos los emails firmados.<br />
** discardable: todos los emails firmados y los que no lo estén pueden eliminarse.<br />
<br />
* Registro DMARC:<br />
Hay que añadir un registro DNS con la información DMAR (Domain bases Message Authentication, Reporting and Conformance).<br />
<syntaxhighlight lang="text"><br />
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:admin@culturetas.net; fo=0; adkim=r; aspf=r"<br />
</syntaxhighlight><br />
** p puede ser:<br />
*** none: no hace nada si falla DMARC.<br />
*** quarantine: si falla que sean tratado como sospechoso.<br />
*** reject: si falla que sea eliminado.<br />
** rua: dirección a donde los fallos deben ser reportados.<br />
** fo puede ser:<br />
*** 0: generar reporte si falla SPF y DKIM.<br />
*** 1: generar reporte si falla SPF o DKIM.<br />
*** s: generar reporte si falla SPF.<br />
*** d: generar reporte si falla DKIM.<br />
<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Administraci%C3%B3n_servidor_de_correo&diff=111Administración servidor de correo2026-02-27T20:31:09Z<p>Guzman: </p>
<hr />
<div>== Objetivo ==<br />
En esta página se muestra cómo administrar el correo genérico instalado en la página [Servidor de Correo].<br />
<br />
== Añadir un nuevo dominio ==<br />
Consiste en configurar el servidor de correo para que sirva correos de un nuevo dominio (en este ejemplo culturetas.net).<br />
<br />
=== Configuración OpenDKIM ===<br />
* Generamos una clave criptográficas:<br />
<syntaxhighlight lang="Bash">cd /etc/dkimkeys</syntaxhighlight><br />
<syntaxhighlight lang="Bash">opendkim-genkey -s mail -d culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.private /etc/dkimkeys/culturetas.net-dkim.key</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.txt /etc/dkimkeys/culturetas.net-dkim.txt</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chown opendkim:opendkim /etc/dkimkeys/culturetas.net-dkim.*</syntaxhighlight><br />
<br />
* Habilitar dominios en OpenDKIM:<br />
<syntaxhighlight lang="Bash">vi /etc/dkimkeys/key_table</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
#KEYID DOMAIN:SELECTOR:KEY<br />
[...]<br />
mail._domainkey.culturetas.net culturetas.net:mail:/etc/dkimkeys/culturetas.net-dkim.key<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/dkimkeys/signing_table</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
#DOMAIN KEYID<br />
[...]<br />
culturetas.net mail._domainkey.culturetas.net<br />
</syntaxhighlight><br />
<br />
* Anotar clavé pública de OpenDKIM:<br />
<syntaxhighlight lang="Bash">cat /etc/dkimkeys/culturetas.net-dkim.txt</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "<br />
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG1MMcJ0XbHKCgwLrr8zO1AVXxNYE+ut/3SQD0VxdHvexIvlIovyKFMagAQlzIJ0Tr+9l7FUNlCdeUoCqIxi4R4mOgOcrqgXRNXAwQoa7ns1j2pFeYnKHCODIiDRsszU0gKmgUX82ps55Feo/Fx5v1xtZNy855G+h8LnGy6lEoXx87TcCIsdXkslWPdGBJZPwNlvO+SCtttSM"<br />
"f//sdjGuc5zQnnnqdSLgNa6vSidM/71MvF0L5rPpeaQ0bAAicb2Iv047lDT2G1LnJ+y1wpugDdJGQoEa6D8SV2Q8ffzaPyRJ340wP9d1m2BZT2EvLTJA60wFc22GfkM0ha6N2QtwIDAQAB" ) ; ----- DKIM key mail for culturetas.net<br />
</syntaxhighlight><br />
<br />
=== Configurar registros DNS ===<br />
Es necesario acceder a la zona DNS para añadir nuevos dominios para el dominio (culturetas.net en este ejemplo).<br />
<br />
* Registro DKIM<br />
Hay que añadir un registro DNS con la información de la clave pública de DKIM.<br />
<syntaxhighlight lang="text"><br />
mail._domainkey IN TXT "v=DKIM1;g=*;h=sha256;k=rsa;s=email;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG1MMcJ0XbHKCgwLrr8zO1AVXxNYE+ut/3SQD0VxdHvexIvlIovyKFMagAQlzIJ0Tr+9l7FUNlCdeUoCqIxi4R4mOgOcrqgXRNXAwQoa7ns1j2pFeYnKHCODIiDRsszU0gKmgUX82ps55Feo/Fx5v1xtZNy855G+h8LnGy6lEoXx87TcCIsdXkslWPdGBJZPwNlvO+SCtttSMf//sdjGuc5zQnnnqdSLgNa6vSidM/71MvF0L5rPpeaQ0bAAicb2Iv047lDT2G1LnJ+y1wpugDdJGQoEa6D8SV2Q8ffzaPyRJ340wP9d1m2BZT2EvLTJA60wFc22GfkM0ha6N2QtwIDAQAB;"<br />
</syntaxhighlight><br />
<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Administraci%C3%B3n_servidor_de_correo&diff=110Administración servidor de correo2026-02-27T20:23:52Z<p>Guzman: </p>
<hr />
<div>== Objetivo ==<br />
En esta página se muestra cómo administrar el correo genérico instalado en la página [Servidor de Correo].<br />
<br />
== Añadir un nuevo dominio ==<br />
Consiste en configurar el servidor de correo para que sirva correos de un nuevo dominio (en este ejemplo culturetas.net).<br />
<br />
=== Configuración OpenDKIM ===<br />
* Generamos una clave criptográficas:<br />
<syntaxhighlight lang="Bash">cd /etc/dkimkeys</syntaxhighlight><br />
<syntaxhighlight lang="Bash">opendkim-genkey -s mail -d culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.private /etc/dkimkeys/culturetas.net-dkim.key</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.txt /etc/dkimkeys/culturetas.net-dkim.txt</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chown opendkim:opendkim /etc/dkimkeys/culturetas.net-dkim.*</syntaxhighlight><br />
<br />
* Habilitar dominios en OpenDKIM:<br />
<syntaxhighlight lang="Bash">vi /etc/dkimkeys/key_table</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
#KEYID DOMAIN:SELECTOR:KEY<br />
[...]<br />
mail._domainkey.culturetas.net culturetas.net:mail:/etc/dkimkeys/culturetas.net-dkim.key<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/dkimkeys/signing_table</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
#DOMAIN KEYID<br />
[...]<br />
culturetas.net mail._domainkey.culturetas.net<br />
</syntaxhighlight><br />
<br />
* Anotar clavé pública de OpenDKIM:<br />
<syntaxhighlight lang="Bash">cat /etc/dkimkeys/culturetas.net-dkim.txt</syntaxhighlight><br />
<br />
=== Configurar registros DNS ===<br />
Es necesario acceder a la zona DNS para añadir nuevos dominios para el dominio (culturetas.net en este ejemplo).<br />
<br />
* Registro DKIM<br />
Hay que añadir un registro DNS con la información de la clave pública de DKIM.<br />
<syntaxhighlight lang="text"><br />
mail._domainkey IN TXT "v=DKIM1;g=*;h=sha256;k=rsa;s=mail;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG1MMcJ0XbHKCgwLrr8zO1AVXxNYE+ut/3SQD0VxdHvexIvlIovyKFMagAQlzIJ0Tr+9l7FUNlCdeUoCqIxi4R4mOgOcrqgXRNXAwQoa7ns1j2pFeYnKHCODIiDRsszU0gKmgUX82ps55Feo/Fx5v1xtZNy855G+h8LnGy6lEoXx87TcCIsdXkslWPdGBJZPwNlvO+SCtttSM<br />
</syntaxhighlight><br />
<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Administraci%C3%B3n_servidor_de_correo&diff=109Administración servidor de correo2026-02-27T20:09:33Z<p>Guzman: </p>
<hr />
<div>== Objetivo ==<br />
En esta página se muestra cómo administrar el correo genérico instalado en la página [Servidor de Correo].<br />
<br />
== Añadir un nuevo dominio ==<br />
Consiste en configurar el servidor de correo para que sirva correos de un nuevo dominio (en este ejemplo culturetas.net).<br />
<br />
=== Configuración OpenDKIM ===<br />
* Generamos una clave criptográficas:<br />
<syntaxhighlight lang="Bash">cd /etc/dkimkeys</syntaxhighlight><br />
<syntaxhighlight lang="Bash">opendkim-genkey -t -s mail -d culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.private /etc/dkimkeys/culturetas.net-dkim.key</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.txt /etc/dkimkeys/culturetas.net-dkim.txt</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chown opendkim:opendkim /etc/dkimkeys/culturetas.net-dkim.*</syntaxhighlight><br />
<br />
* Habilitar dominios en OpenDKIM:<br />
<syntaxhighlight lang="Bash">vi /etc/dkimkeys/key_table</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
#KEYID DOMAIN:SELECTOR:KEY<br />
[...]<br />
mail._domainkey.culturetas.net culturetas.net:mail:/etc/dkimkeys/culturetas.net-dkim.key<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/dkimkeys/signing_table</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
#DOMAIN KEYID<br />
[...]<br />
culturetas.net mail._domainkey.culturetas.net<br />
</syntaxhighlight><br />
<br />
* Anotar clavé pública de OpenDKIM:<br />
<syntaxhighlight lang="Bash">cat /etc/dkimkeys/culturetas.net-dkim.txt</syntaxhighlight><br />
<br />
=== Configurar registros DNS ===<br />
Es necesario acceder a la zona DNS para añadir nuevos dominios para el dominio (culturetas.net en este ejemplo).<br />
<br />
* Registro DKIM<br />
<br />
<br />
<br />
<br />
[[Categoría:Notas]]</div>Guzmanhttps://wiki.castanedo.es/index.php?title=Administraci%C3%B3n_servidor_de_correo&diff=108Administración servidor de correo2026-02-27T20:01:51Z<p>Guzman: </p>
<hr />
<div>== Objetivo ==<br />
En esta página se muestra cómo administrar el correo genérico instalado en la página [Servidor de Correo].<br />
<br />
== Añadir un nuevo dominio ==<br />
Consiste en configurar el servidor de correo para que sirva correos de un nuevo dominio (en este ejemplo culturetas.net).<br />
<br />
=== Configuración OpenDKIM ===<br />
* Generamos una clave criptográficas:<br />
<syntaxhighlight lang="Bash">cd /etc/dkimkeys</syntaxhighlight><br />
<syntaxhighlight lang="Bash">opendkim-genkey -t -s mail -d culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.private /etc/dkimkeys/culturetas.net-dkim.key</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mv mail.txt /etc/dkimkeys/culturetas.net-dkim.txt</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chown opendkim:opendkim /etc/dkimkeys/culturetas.net-dkim.*</syntaxhighlight><br />
<br />
* Habilitar dominios en OpenDKIM:<br />
<syntaxhighlight lang="Bash">cd /etc/dkimkeys</syntaxhighlight><br />
<br />
[[Categoría:Notas]]</div>Guzman