yannstatic/static/2018/11/23/serveur-de-messagerie-complet-sur-debian-avec-iRedMail.html

2718 lines
243 KiB
HTML
Raw Permalink Normal View History

2024-10-31 20:18:37 +01:00
<!DOCTYPE html><html lang="fr">
<head><meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"><title>KVM Debian Stretch serveur de messagerie complet avec iRedMail - YannStatic</title>
<meta name="description" content="KVM Debian Stretch">
<link rel="canonical" href="https://static.rnmkcy.eu/2018/11/23/serveur-de-messagerie-complet-sur-debian-avec-iRedMail.html"><link rel="alternate" type="application/rss+xml" title="YannStatic" href="/feed.xml">
<!-- - include head/favicon.html - -->
<link rel="shortcut icon" type="image/png" href="/assets/favicon/favicon.png"><link rel="stylesheet" href="/assets/css/main.css"><link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.13/css/all.css" ><!-- start custom head snippets --><link rel="stylesheet" href="/assets/css/expand.css">
<!-- end custom head snippets --><script>(function() {
window.isArray = function(val) {
return Object.prototype.toString.call(val) === '[object Array]';
};
window.isString = function(val) {
return typeof val === 'string';
};
window.hasEvent = function(event) {
return 'on'.concat(event) in window.document;
};
window.isOverallScroller = function(node) {
return node === document.documentElement || node === document.body || node === window;
};
window.isFormElement = function(node) {
var tagName = node.tagName;
return tagName === 'INPUT' || tagName === 'SELECT' || tagName === 'TEXTAREA';
};
window.pageLoad = (function () {
var loaded = false, cbs = [];
window.addEventListener('load', function () {
var i;
loaded = true;
if (cbs.length > 0) {
for (i = 0; i < cbs.length; i++) {
cbs[i]();
}
}
});
return {
then: function(cb) {
cb && (loaded ? cb() : (cbs.push(cb)));
}
};
})();
})();
(function() {
window.throttle = function(func, wait) {
var args, result, thisArg, timeoutId, lastCalled = 0;
function trailingCall() {
lastCalled = new Date;
timeoutId = null;
result = func.apply(thisArg, args);
}
return function() {
var now = new Date,
remaining = wait - (now - lastCalled);
args = arguments;
thisArg = this;
if (remaining <= 0) {
clearTimeout(timeoutId);
timeoutId = null;
lastCalled = now;
result = func.apply(thisArg, args);
} else if (!timeoutId) {
timeoutId = setTimeout(trailingCall, remaining);
}
return result;
};
};
})();
(function() {
var Set = (function() {
var add = function(item) {
var i, data = this._data;
for (i = 0; i < data.length; i++) {
if (data[i] === item) {
return;
}
}
this.size ++;
data.push(item);
return data;
};
var Set = function(data) {
this.size = 0;
this._data = [];
var i;
if (data.length > 0) {
for (i = 0; i < data.length; i++) {
add.call(this, data[i]);
}
}
};
Set.prototype.add = add;
Set.prototype.get = function(index) { return this._data[index]; };
Set.prototype.has = function(item) {
var i, data = this._data;
for (i = 0; i < data.length; i++) {
if (this.get(i) === item) {
return true;
}
}
return false;
};
Set.prototype.is = function(map) {
if (map._data.length !== this._data.length) { return false; }
var i, j, flag, tData = this._data, mData = map._data;
for (i = 0; i < tData.length; i++) {
for (flag = false, j = 0; j < mData.length; j++) {
if (tData[i] === mData[j]) {
flag = true;
break;
}
}
if (!flag) { return false; }
}
return true;
};
Set.prototype.values = function() {
return this._data;
};
return Set;
})();
window.Lazyload = (function(doc) {
var queue = {js: [], css: []}, sources = {js: {}, css: {}}, context = this;
var createNode = function(name, attrs) {
var node = doc.createElement(name), attr;
for (attr in attrs) {
if (attrs.hasOwnProperty(attr)) {
node.setAttribute(attr, attrs[attr]);
}
}
return node;
};
var end = function(type, url) {
var s, q, qi, cbs, i, j, cur, val, flag;
if (type === 'js' || type ==='css') {
s = sources[type], q = queue[type];
s[url] = true;
for (i = 0; i < q.length; i++) {
cur = q[i];
if (cur.urls.has(url)) {
qi = cur, val = qi.urls.values();
qi && (cbs = qi.callbacks);
for (flag = true, j = 0; j < val.length; j++) {
cur = val[j];
if (!s[cur]) {
flag = false;
}
}
if (flag && cbs && cbs.length > 0) {
for (j = 0; j < cbs.length; j++) {
cbs[j].call(context);
}
qi.load = true;
}
}
}
}
};
var load = function(type, urls, callback) {
var s, q, qi, node, i, cur,
_urls = typeof urls === 'string' ? new Set([urls]) : new Set(urls), val, url;
if (type === 'js' || type ==='css') {
s = sources[type], q = queue[type];
for (i = 0; i < q.length; i++) {
cur = q[i];
if (_urls.is(cur.urls)) {
qi = cur;
break;
}
}
val = _urls.values();
if (qi) {
callback && (qi.load || qi.callbacks.push(callback));
callback && (qi.load && callback());
} else {
q.push({
urls: _urls,
callbacks: callback ? [callback] : [],
load: false
});
for (i = 0; i < val.length; i++) {
node = null, url = val[i];
if (s[url] === undefined) {
(type === 'js' ) && (node = createNode('script', { src: url }));
(type === 'css') && (node = createNode('link', { rel: 'stylesheet', href: url }));
if (node) {
node.onload = (function(type, url) {
return function() {
end(type, url);
};
})(type, url);
(doc.head || doc.body).appendChild(node);
s[url] = false;
}
}
}
}
}
};
return {
js: function(url, callback) {
load('js', url, callback);
},
css: function(url, callback) {
load('css', url, callback);
}
};
})(this.document);
})();
</script><script>
(function() {
var TEXT_VARIABLES = {
version: '2.2.6',
sources: {
font_awesome: 'https://use.fontawesome.com/releases/v5.0.13/css/all.css',
jquery: '/assets/js/jquery.min.js',
leancloud_js_sdk: '//cdn.jsdelivr.net/npm/leancloud-storage@3.13.2/dist/av-min.js',
chart: 'https://cdn.bootcss.com/Chart.js/2.7.2/Chart.bundle.min.js',
gitalk: {
js: 'https://cdn.bootcss.com/gitalk/1.2.2/gitalk.min.js',
css: 'https://cdn.bootcss.com/gitalk/1.2.2/gitalk.min.css'
},
valine: 'https://unpkg.com/valine/dist/Valine.min.js'
},
site: {
toc: {
selectors: 'h1,h2,h3'
}
},
paths: {
search_js: '/assets/search.js'
}
};
window.TEXT_VARIABLES = TEXT_VARIABLES;
})();
</script>
</head>
<body>
<div class="root" data-is-touch="false">
<div class="layout--page js-page-root"><!----><div class="page__main js-page-main page__viewport hide-footer has-aside has-aside cell cell--auto">
<div class="page__main-inner"><div class="page__header d-print-none"><header class="header"><div class="main">
<div class="header__title">
<div class="header__brand"><svg id="svg" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="478.9473684210526" viewBox="0, 0, 400,478.9473684210526"><g id="svgg"><path id="path0" d="M308.400 56.805 C 306.970 56.966,303.280 57.385,300.200 57.738 C 290.906 58.803,278.299 59.676,269.200 59.887 L 260.600 60.085 259.400 61.171 C 258.010 62.428,256.198 63.600,255.645 63.600 C 255.070 63.600,252.887 65.897,252.598 66.806 C 252.460 67.243,252.206 67.600,252.034 67.600 C 251.397 67.600,247.206 71.509,247.202 72.107 C 247.201 72.275,246.390 73.190,245.400 74.138 C 243.961 75.517,243.598 76.137,243.592 77.231 C 243.579 79.293,241.785 83.966,240.470 85.364 C 239.176 86.740,238.522 88.365,237.991 91.521 C 237.631 93.665,236.114 97.200,235.554 97.200 C 234.938 97.200,232.737 102.354,232.450 104.472 C 232.158 106.625,230.879 109.226,229.535 110.400 C 228.933 110.926,228.171 113.162,226.434 119.500 C 226.178 120.435,225.795 121.200,225.584 121.200 C 225.373 121.200,225.200 121.476,225.200 121.813 C 225.200 122.149,224.885 122.541,224.500 122.683 C 223.606 123.013,223.214 123.593,223.204 124.600 C 223.183 126.555,220.763 132.911,219.410 134.562 C 218.443 135.742,217.876 136.956,217.599 138.440 C 217.041 141.424,215.177 146.434,214.532 146.681 C 214.240 146.794,214.000 147.055,214.000 147.261 C 214.000 147.467,213.550 148.086,213.000 148.636 C 212.450 149.186,212.000 149.893,212.000 150.208 C 212.000 151.386,208.441 154.450,207.597 153.998 C 206.319 153.315,204.913 150.379,204.633 147.811 C 204.365 145.357,202.848 142.147,201.759 141.729 C 200.967 141.425,199.200 137.451,199.200 135.974 C 199.200 134.629,198.435 133.224,196.660 131.311 C 195.363 129.913,194.572 128.123,193.870 125.000 C 193.623 123.900,193.236 122.793,193.010 122.540 C 190.863 120.133,190.147 118.880,188.978 115.481 C 188.100 112.928,187.151 111.003,186.254 109.955 C 185.358 108.908,184.518 107.204,183.847 105.073 C 183.280 103.273,182.497 101.329,182.108 100.753 C 181.719 100.177,180.904 98.997,180.298 98.131 C 179.693 97.265,178.939 95.576,178.624 94.378 C 178.041 92.159,177.125 90.326,175.023 87.168 C 174.375 86.196,173.619 84.539,173.342 83.486 C 172.800 81.429,171.529 79.567,170.131 78.785 C 169.654 78.517,168.697 77.511,168.006 76.549 C 167.316 75.587,166.594 74.800,166.402 74.800 C 166.210 74.800,164.869 73.633,163.421 72.206 C 160.103 68.936,161.107 69.109,146.550 69.301 C 133.437 69.474,128.581 70.162,126.618 72.124 C 126.248 72.495,125.462 72.904,124.872 73.033 C 124.282 73.163,123.088 73.536,122.219 73.863 C 121.349 74.191,119.028 74.638,117.061 74.858 C 113.514 75.254,109.970 76.350,108.782 77.419 C 107.652 78.436,100.146 80.400,97.388 80.400 C 95.775 80.400,93.167 81.360,91.200 82.679 C 90.430 83.195,89.113 83.804,88.274 84.031 C 85.875 84.681,78.799 90.910,74.400 96.243 L 73.400 97.456 73.455 106.028 C 73.526 117.055,74.527 121.238,77.820 124.263 C 78.919 125.273,80.400 127.902,80.400 128.842 C 80.400 129.202,81.075 130.256,81.900 131.186 C 83.563 133.059,85.497 136.346,86.039 138.216 C 86.233 138.886,87.203 140.207,88.196 141.153 C 89.188 142.098,90.000 143.104,90.000 143.388 C 90.000 144.337,92.129 148.594,92.869 149.123 C 93.271 149.410,93.600 149.831,93.600 150.059 C 93.600 150.286,93.932 150.771,94.337 151.136 C 94.743 151.501,95.598 153.004,96.237 154.475 C 96.877 155.947,97.760 157.351,98.200 157.596 C 98.640 157.841,99.900 159.943,101.000 162.267 C 102.207 164.817,103.327 166.644,103.825 166.876 C 104.278 167.087,105.065 168.101,105.573 169.130 C 107.658 173.348,108.097 174.093,110.006 176.647 C 111.103 178.114,112.000 179.725,112.000 180.227 C 112.000 181.048,113.425 183.163,114.678 184.200 C 115.295 184.711,117.396 188.733,117.720 190.022 C 117.855 190.562,118.603 191.633,119.381 192.402 C 120.160 193.171,121.496 195.258,122.351 197.039 C 123.206 198.820,124.167 200.378,124.487 200.501 C 124.807 200.624,125.953 202.496,127.034 204.662 C 128.114 206.828,129.676 209.299,130.505 210.153 C 131.333 211.007,132.124 212.177,132.262 212.753 C 132.618 214.239,134.291 217.048,136.288 219.5
" href="/">YannStatic</a></div><!--<button class="button button--secondary button--circle search-button js-search-toggle"><i class="fas fa-search"></i></button>--><!-- <li><button class="button button--secondary button--circle search-button js-search-toggle"><i class="fas fa-search"></i></button></li> -->
<!-- Champ de recherche -->
<div id="searchbox" class="search search--dark" style="visibility: visible">
<div class="main">
<div class="search__header"></div>
<div class="search-bar">
<div class="search-box js-search-box">
<div class="search-box__icon-search"><i class="fas fa-search"></i></div>
<input id="search-input" type="text" />
<!-- <div class="search-box__icon-clear js-icon-clear">
<a><i class="fas fa-times"></i></a>
</div> -->
</div>
</div>
</div>
</div>
<!-- Script pointing to search-script.js -->
<script>/*!
* Simple-Jekyll-Search
* Copyright 2015-2020, Christian Fei
* Licensed under the MIT License.
*/
(function(){
'use strict'
var _$Templater_7 = {
compile: compile,
setOptions: setOptions
}
const options = {}
options.pattern = /\{(.*?)\}/g
options.template = ''
options.middleware = function () {}
function setOptions (_options) {
options.pattern = _options.pattern || options.pattern
options.template = _options.template || options.template
if (typeof _options.middleware === 'function') {
options.middleware = _options.middleware
}
}
function compile (data) {
return options.template.replace(options.pattern, function (match, prop) {
const value = options.middleware(prop, data[prop], options.template)
if (typeof value !== 'undefined') {
return value
}
return data[prop] || match
})
}
'use strict';
function fuzzysearch (needle, haystack) {
var tlen = haystack.length;
var qlen = needle.length;
if (qlen > tlen) {
return false;
}
if (qlen === tlen) {
return needle === haystack;
}
outer: for (var i = 0, j = 0; i < qlen; i++) {
var nch = needle.charCodeAt(i);
while (j < tlen) {
if (haystack.charCodeAt(j++) === nch) {
continue outer;
}
}
return false;
}
return true;
}
var _$fuzzysearch_1 = fuzzysearch;
'use strict'
/* removed: const _$fuzzysearch_1 = require('fuzzysearch') */;
var _$FuzzySearchStrategy_5 = new FuzzySearchStrategy()
function FuzzySearchStrategy () {
this.matches = function (string, crit) {
return _$fuzzysearch_1(crit.toLowerCase(), string.toLowerCase())
}
}
'use strict'
var _$LiteralSearchStrategy_6 = new LiteralSearchStrategy()
function LiteralSearchStrategy () {
this.matches = function (str, crit) {
if (!str) return false
str = str.trim().toLowerCase()
crit = crit.trim().toLowerCase()
return crit.split(' ').filter(function (word) {
return str.indexOf(word) >= 0
}).length === crit.split(' ').length
}
}
'use strict'
var _$Repository_4 = {
put: put,
clear: clear,
search: search,
setOptions: __setOptions_4
}
/* removed: const _$FuzzySearchStrategy_5 = require('./SearchStrategies/FuzzySearchStrategy') */;
/* removed: const _$LiteralSearchStrategy_6 = require('./SearchStrategies/LiteralSearchStrategy') */;
function NoSort () {
return 0
}
const data = []
let opt = {}
opt.fuzzy = false
opt.limit = 10
opt.searchStrategy = opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
opt.sort = NoSort
opt.exclude = []
function put (data) {
if (isObject(data)) {
return addObject(data)
}
if (isArray(data)) {
return addArray(data)
}
return undefined
}
function clear () {
data.length = 0
return data
}
function isObject (obj) {
return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Object]'
}
function isArray (obj) {
return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Array]'
}
function addObject (_data) {
data.push(_data)
return data
}
function addArray (_data) {
const added = []
clear()
for (let i = 0, len = _data.length; i < len; i++) {
if (isObject(_data[i])) {
added.push(addObject(_data[i]))
}
}
return added
}
function search (crit) {
if (!crit) {
return []
}
return findMatches(data, crit, opt.searchStrategy, opt).sort(opt.sort)
}
function __setOptions_4 (_opt) {
opt = _opt || {}
opt.fuzzy = _opt.fuzzy || false
opt.limit = _opt.limit || 10
opt.searchStrategy = _opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
opt.sort = _opt.sort || NoSort
opt.exclude = _opt.exclude || []
}
function findMatches (data, crit, strategy, opt) {
const matches = []
for (let i = 0; i < data.length && matches.length < opt.limit; i++) {
const match = findMatchesInObject(data[i], crit, strategy, opt)
if (match) {
matches.push(match)
}
}
return matches
}
function findMatchesInObject (obj, crit, strategy, opt) {
for (const key in obj) {
if (!isExcluded(obj[key], opt.exclude) && strategy.matches(obj[key], crit)) {
return obj
}
}
}
function isExcluded (term, excludedTerms) {
for (let i = 0, len = excludedTerms.length; i < len; i++) {
const excludedTerm = excludedTerms[i]
if (new RegExp(excludedTerm).test(term)) {
return true
}
}
return false
}
/* globals ActiveXObject:false */
'use strict'
var _$JSONLoader_2 = {
load: load
}
function load (location, callback) {
const xhr = getXHR()
xhr.open('GET', location, true)
xhr.onreadystatechange = createStateChangeListener(xhr, callback)
xhr.send()
}
function createStateChangeListener (xhr, callback) {
return function () {
if (xhr.readyState === 4 && xhr.status === 200) {
try {
callback(null, JSON.parse(xhr.responseText))
} catch (err) {
callback(err, null)
}
}
}
}
function getXHR () {
return window.XMLHttpRequest ? new window.XMLHttpRequest() : new ActiveXObject('Microsoft.XMLHTTP')
}
'use strict'
var _$OptionsValidator_3 = function OptionsValidator (params) {
if (!validateParams(params)) {
throw new Error('-- OptionsValidator: required options missing')
}
if (!(this instanceof OptionsValidator)) {
return new OptionsValidator(params)
}
const requiredOptions = params.required
this.getRequiredOptions = function () {
return requiredOptions
}
this.validate = function (parameters) {
const errors = []
requiredOptions.forEach(function (requiredOptionName) {
if (typeof parameters[requiredOptionName] === 'undefined') {
errors.push(requiredOptionName)
}
})
return errors
}
function validateParams (params) {
if (!params) {
return false
}
return typeof params.required !== 'undefined' && params.required instanceof Array
}
}
'use strict'
var _$utils_9 = {
merge: merge,
isJSON: isJSON
}
function merge (defaultParams, mergeParams) {
const mergedOptions = {}
for (const option in defaultParams) {
mergedOptions[option] = defaultParams[option]
if (typeof mergeParams[option] !== 'undefined') {
mergedOptions[option] = mergeParams[option]
}
}
return mergedOptions
}
function isJSON (json) {
try {
if (json instanceof Object && JSON.parse(JSON.stringify(json))) {
return true
}
return false
} catch (err) {
return false
}
}
var _$src_8 = {};
(function (window) {
'use strict'
let options = {
searchInput: null,
resultsContainer: null,
json: [],
success: Function.prototype,
searchResultTemplate: '<li><a href="{url}" title="{desc}">{title}</a></li>',
templateMiddleware: Function.prototype,
sortMiddleware: function () {
return 0
},
noResultsText: 'No results found',
limit: 10,
fuzzy: false,
debounceTime: null,
exclude: []
}
let debounceTimerHandle
const debounce = function (func, delayMillis) {
if (delayMillis) {
clearTimeout(debounceTimerHandle)
debounceTimerHandle = setTimeout(func, delayMillis)
} else {
func.call()
}
}
const requiredOptions = ['searchInput', 'resultsContainer', 'json']
/* removed: const _$Templater_7 = require('./Templater') */;
/* removed: const _$Repository_4 = require('./Repository') */;
/* removed: const _$JSONLoader_2 = require('./JSONLoader') */;
const optionsValidator = _$OptionsValidator_3({
required: requiredOptions
})
/* removed: const _$utils_9 = require('./utils') */;
window.SimpleJekyllSearch = function (_options) {
const errors = optionsValidator.validate(_options)
if (errors.length > 0) {
throwError('You must specify the following required options: ' + requiredOptions)
}
options = _$utils_9.merge(options, _options)
_$Templater_7.setOptions({
template: options.searchResultTemplate,
middleware: options.templateMiddleware
})
_$Repository_4.setOptions({
fuzzy: options.fuzzy,
limit: options.limit,
sort: options.sortMiddleware,
exclude: options.exclude
})
if (_$utils_9.isJSON(options.json)) {
initWithJSON(options.json)
} else {
initWithURL(options.json)
}
const rv = {
search: search
}
typeof options.success === 'function' && options.success.call(rv)
return rv
}
function initWithJSON (json) {
_$Repository_4.put(json)
registerInput()
}
function initWithURL (url) {
_$JSONLoader_2.load(url, function (err, json) {
if (err) {
throwError('failed to get JSON (' + url + ')')
}
initWithJSON(json)
})
}
function emptyResultsContainer () {
options.resultsContainer.innerHTML = ''
}
function appendToResultsContainer (text) {
options.resultsContainer.innerHTML += text
}
function registerInput () {
options.searchInput.addEventListener('input', function (e) {
if (isWhitelistedKey(e.which)) {
emptyResultsContainer()
debounce(function () { search(e.target.value) }, options.debounceTime)
}
})
}
function search (query) {
if (isValidQuery(query)) {
emptyResultsContainer()
render(_$Repository_4.search(query), query)
}
}
function render (results, query) {
const len = results.length
if (len === 0) {
return appendToResultsContainer(options.noResultsText)
}
for (let i = 0; i < len; i++) {
results[i].query = query
appendToResultsContainer(_$Templater_7.compile(results[i]))
}
}
function isValidQuery (query) {
return query && query.length > 0
}
function isWhitelistedKey (key) {
return [13, 16, 20, 37, 38, 39, 40, 91].indexOf(key) === -1
}
function throwError (message) {
throw new Error('SimpleJekyllSearch --- ' + message)
}
})(window)
}());
</script>
<!-- Configuration -->
<script>
SimpleJekyllSearch({
searchInput: document.getElementById('search-input'),
resultsContainer: document.getElementById('results-container'),
json: '/search.json',
//searchResultTemplate: '<li><a href="https://static.rnmkcy.eu{url}">{date}&nbsp;{title}</a></li>'
searchResultTemplate: '<li><a href="{url}">{date}&nbsp;{title}</a></li>'
})
</script>
<!-- Fin déclaration champ de recherche --></div><nav class="navigation">
<ul><li class="navigation__item"><a href="/archive.html">Etiquettes</a></li><li class="navigation__item"><a href="/htmldoc.html">Documents</a></li><li class="navigation__item"><a href="/liens_ttrss.html">Liens</a></li><li class="navigation__item"><a href="/aide-jekyll-text-theme.html">Aide</a></li></ul>
</nav></div>
</header>
</div><div class="page__content"><div class ="main"><div class="grid grid--reverse">
<div class="col-main cell cell--auto"><!-- start custom main top snippet --><div id="results-container" class="search-result js-search-result"></div><!-- end custom main top snippet -->
<article itemscope itemtype="http://schema.org/Article"><div class="article__header"><header><h1 style="color:Tomato;">KVM Debian Stretch serveur de messagerie complet avec iRedMail</h1></header></div><meta itemprop="headline" content="KVM Debian Stretch serveur de messagerie complet avec iRedMail"><div class="article__info clearfix"><ul class="left-col menu"><li>
2024-11-08 14:10:33 +01:00
<a class="button button--secondary button--pill button--sm" style="color:#00FFFF" href="/archive.html?tag=debian">debian</a>
2024-10-31 20:18:37 +01:00
</li><li>
2024-11-08 14:10:33 +01:00
<a class="button button--secondary button--pill button--sm" style="color:#00FFFF" href="/archive.html?tag=serveur">serveur</a>
2024-10-31 20:18:37 +01:00
</li></ul><ul class="right-col menu"><li>
<i class="far fa-calendar-alt"></i>&nbsp;<span title="Création" style="color:#FF00FF">23&nbsp;nov.&nbsp;&nbsp;2018</span>
<span title="Modification" style="color:#00FF7F">&nbsp;7&nbsp;sept.&nbsp;2017</span></li></ul></div><meta itemprop="datePublished" content="2017-09-07T00:00:00+02:00">
<meta itemprop="keywords" content="debian,serveur"><div class="js-article-content">
<div class="layout--article"><!-- start custom article top snippet -->
<style>
#myBtn {
display: none;
position: fixed;
bottom: 10px;
right: 10px;
z-index: 99;
font-size: 12px;
font-weight: bold;
border: none;
outline: none;
background-color: white;
color: black;
cursor: pointer;
padding: 5px;
border-radius: 4px;
}
#myBtn:hover {
background-color: #555;
}
</style>
<button onclick="topFunction()" id="myBtn" title="Haut de page">&#8679;</button>
<script>
//Get the button
var mybutton = document.getElementById("myBtn");
// When the user scrolls down 20px from the top of the document, show the button
window.onscroll = function() {scrollFunction()};
function scrollFunction() {
if (document.body.scrollTop > 20 || document.documentElement.scrollTop > 20) {
mybutton.style.display = "block";
} else {
mybutton.style.display = "none";
}
}
// When the user clicks on the button, scroll to the top of the document
function topFunction() {
document.body.scrollTop = 0;
document.documentElement.scrollTop = 0;
}
</script>
<!-- end custom article top snippet -->
<div class="article__content" itemprop="articleBody"><details>
<summary><b>Afficher/cacher Sommaire</b></summary>
<!-- affichage sommaire -->
<div class="toc-aside js-toc-root"></div>
</details><h2 id="kvm-debian-stretch">KVM Debian Stretch</h2>
<p>Package: 4 GB Mémoire, 2 CPU, 30 GB SSD, 100 Mbps<br />
Selected Location: Paris<br />
Debian Stretch 64<br />
Livraison : vps-26381 93.115.96.97</p>
<ul>
<li>Domaine : xoyize.xyz</li>
<li>IPv4 du serveur : 93.115.96.97</li>
<li>IPv6 du serveur : 2a03:75c0:35:670d::1</li>
<li>Courrier entrant : imap.xoyize.xyz sur port 993 (imaps)</li>
<li>Courrier sortant : mail.xoyize.xyz sur port 587 (smtp submission)</li>
<li>Compte courrier : xyz@xoyize.xyz</li>
<li>Certificats : Lets Encrypt</li>
</ul>
<h3 id="première-connexion-ssh">Première connexion SSH</h3>
<p>Via SSH<br />
<code class="language-plaintext highlighter-rouge">ssh root@93.115.96.97</code><br />
Màj<br />
<code class="language-plaintext highlighter-rouge">apt update &amp;&amp; apt upgrade</code><br />
Installer rsync, jq, figlet, curl et tmux<br />
<code class="language-plaintext highlighter-rouge">apt install rsync curl tmux jq figlet p7zip-full</code></p>
<h3 id="locales">Locales</h3>
<p>Locales : <strong>fr_FR.UTF-8</strong><br />
<code class="language-plaintext highlighter-rouge">dpkg-reconfigure locales</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Generating locales <span class="o">(</span>this might take a <span class="k">while</span><span class="o">)</span>...
fr_FR.UTF-8... <span class="k">done
</span>Generation complete.
</code></pre></div></div>
<h3 id="timezone">TimeZone</h3>
<p>Europe/Paris<br />
<code class="language-plaintext highlighter-rouge">dpkg-reconfigure tzdata</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Current default <span class="nb">time </span>zone: <span class="s1">'Europe/Paris'</span>
Local <span class="nb">time </span>is now: Wed Sep 6 15:05:31 CEST 2017.
Universal Time is now: Wed Sep 6 13:05:31 UTC 2017.
</code></pre></div></div>
<h3 id="définir-hôte-et-fqdn">Définir hôte et FQDN</h3>
<p>Votre serveur reçoit les noms: un nom dhôte et un nom de domaine complet (nom de domaine entièrement qualifié).</p>
<ul>
<li>Nom dhôte local: pour identifier votre serveur dans votre infrastructure locale. Par exemple. “mail”.</li>
<li>FQDN (Nom de domaine entièrement qualifié): pour identifier votre serveur sur Internet.Par exemple “mail.mysystems.tld”</li>
</ul>
<p>Vous navez pas besoin dadapter le FQDN de votre serveur de messagerie à nimporte quel domaine auquel vous souhaitez servir.<br />
Ces domaines nont pas besoin dêtre identiques ou similaires. Définissez votre nom dhôte local comme suit:
<code class="language-plaintext highlighter-rouge">hostnamectl set-hostname --static mail</code></p>
<p>Le fichier de configuration <strong>/etc/hosts</strong> contient FQDN et le nom dhôte local à côté de lautre. Il devrait être similaire à celui-ci:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>127.0.0.1 localhost
127.0.1.1 mail.serveur.tld mail
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
</code></pre></div></div>
<p>Si vous entrez les commandes “hostname” et “hostname -fqdn”, ceci devrait être votre sortie:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># hostname</span>
mail
<span class="c"># hostname --fqdn</span>
mail.serveur.tld
</code></pre></div></div>
<p>En outre, le FQDN (“mail.xoyize.xyz”) est copié dans <strong>/etc/mailname</strong>:<br />
<code class="language-plaintext highlighter-rouge">echo $(hostname -f) &gt; /etc/mailname</code><br />
(Le nom dhôte dans votre invite de shell sadaptera après un redémarrage)</p>
<h3 id="dns-ovh">DNS OVH</h3>
<p>Configuration des champs DNS domaine xoyize.xyz (OVH)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$TTL 3600
@ IN SOA dns106.ovh.net. tech.ovh.net. (2017081700 86400 3600 3600000 300)
IN NS dns106.ovh.net.
IN NS ns106.ovh.net.
IN A 93.115.96.97
IN AAAA 2a03:75c0:35:670d::1
IN MX 1 mail.xoyize.xyz.
imap IN A 93.115.96.97
imap IN AAAA 2a03:75c0:35:670d::1
mail IN A 93.115.96.97
mail IN AAAA 2a03:75c0:35:670d::1
</code></pre></div></div>
<h3 id="création-utilisateur">Création utilisateur</h3>
<p>Utilisateur <strong>adxo</strong><br />
<code class="language-plaintext highlighter-rouge">useradd -m -d /home/adxo/ -s /bin/bash adxo</code><br />
Mot de passe <strong>adxo</strong><br />
<code class="language-plaintext highlighter-rouge">passwd adxo</code> <br />
Visudo pour les accès root via utilisateur <strong>adxo</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt <span class="nb">install sudo
echo</span> <span class="s2">"adxo ALL=(ALL) NOPASSWD: ALL"</span> <span class="o">&gt;&gt;</span> /etc/sudoers
</code></pre></div></div>
<p>Déconnexion puis connexion ssh en mode utilisateur<br />
<code class="language-plaintext highlighter-rouge">ssh adxo@93.115.96.97</code></p>
<h3 id="ssh">SSH</h3>
<h4 id="connexion-avec-clé">connexion avec clé</h4>
<p><u>sur l'ordinateur de bureau</u>
Générer une paire de clé curve25519-sha256 (ECDH avec Curve25519 et SHA2) nommé <strong>kvm-xoyize</strong> pour une liaison SSH avec le serveur KVM.<br />
<code class="language-plaintext highlighter-rouge">ssh-keygen -t ed25519 -o -a 100 -f ~/.ssh/kvm-xoyize</code><br />
Envoyer la clé publique sur le serveur KVM <br />
<code class="language-plaintext highlighter-rouge">scp ~/.ssh/kvm-xoyize.pub adxo@93.115.96.97:/home/adxo/</code></p>
<p><u>sur le serveur KVM</u>
On se connecte<br />
<code class="language-plaintext highlighter-rouge">ssh adxo@93.115.96.97</code><br />
Copier le contenu de la clé publique dans /home/$USER/.ssh/authorized_keys<br />
<code class="language-plaintext highlighter-rouge">$ cd ~</code><br />
Sur le KVM ,créer un dossier .ssh</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">pwd</span> <span class="c">#pour vérifier que l'on est sous /home/$USER</span>
<span class="nb">mkdir</span> .ssh
<span class="nb">cat</span> /home/<span class="nv">$USER</span>/kvm-xoyize.pub <span class="o">&gt;&gt;</span> /home/<span class="nv">$USER</span>/.ssh/authorized_keys
</code></pre></div></div>
<p>et donner les droits<br />
<code class="language-plaintext highlighter-rouge">chmod 600 /home/$USER/.ssh/authorized_keys</code><br />
effacer le fichier de la clé<br />
<code class="language-plaintext highlighter-rouge">rm /home/$USER/kvm-xoyize.pub</code><br />
Modifier la configuration serveur SSH<br />
<code class="language-plaintext highlighter-rouge">sudo nano /etc/ssh/sshd_config</code></p>
<p>Vérifier les options par défaut, commentées par un #</p>
<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#HostKey /etc/ssh/ssh_host_ed25519_key
#PubkeyAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
</span></code></pre></div></div>
<p>Modifier</p>
<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Port</span> = <span class="m">55026</span>
<span class="n">PermitRootLogin</span> <span class="n">no</span>
<span class="n">PasswordAuthentication</span> <span class="n">no</span>
</code></pre></div></div>
<p><u>session SSH ne se termine pas correctement lors d'un "reboot" à distance</u><br />
Si vous tentez de <strong>redémarrer/éteindre</strong> une machine distance par <strong>ssh</strong>, vous pourriez constater que votre session ne se termine pas correctement, vous laissant avec un terminal inactif jusquà lexpiration dun long délai dinactivité. Il existe un bogue 751636 à ce sujet. Pour linstant, la solution de contournement à ce problème est dinstaller :<br />
<code class="language-plaintext highlighter-rouge">sudo apt-get install libpam-systemd #Installer par défaut sur debian stretch</code><br />
cela terminera la session ssh avant que le réseau ne tombe.<br />
Veuillez noter quil est nécessaire que PAM soit activé dans sshd.</p>
<p>Relancer openSSH<br />
<code class="language-plaintext highlighter-rouge">sudo systemctl restart sshd</code></p>
<p>Accès depuis le poste distant avec la clé privée<br />
<code class="language-plaintext highlighter-rouge">$ ssh -p 55026 -i ~/.ssh/kvm-xoyize adxo@93.115.96.97</code></p>
<h4 id="exécution-script-sur-connexion">Exécution script sur connexion</h4>
<p>Exécuter un fichier <em>utilisateur</em> nommé <strong>$HOME/.ssh/rc</strong> si <em>présent</em><br />
Pour <em>tous les utilisateurs</em> exécuter un fichier nommé <strong>/etc/ssh/sshrc</strong> si <em>présent</em><br />
Installer les utilitaires <em>curl jq figlet</em></p>
<p>Le batch<br />
<code class="language-plaintext highlighter-rouge">nano ~/.ssh/rc</code></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/bash</span>
<span class="c">#clear</span>
<span class="nv">PROCCOUNT</span><span class="o">=</span><span class="sb">`</span>ps <span class="nt">-Afl</span> | <span class="nb">wc</span> <span class="nt">-l</span><span class="sb">`</span> <span class="c"># nombre de lignes</span>
<span class="nv">PROCCOUNT</span><span class="o">=</span><span class="sb">`</span><span class="nb">expr</span> <span class="nv">$PROCCOUNT</span> - 5<span class="sb">`</span> <span class="c"># on ote les non concernées</span>
<span class="nv">GROUPZ</span><span class="o">=</span><span class="sb">`</span><span class="nb">users</span><span class="sb">`</span>
<span class="nv">ipinfo</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> ipinfo.io<span class="si">)</span> <span class="c"># info localisation format json</span>
<span class="nv">publicip</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$ipinfo</span> | jq <span class="nt">-r</span> <span class="s1">'.ip'</span><span class="si">)</span> <span class="c"># extraction des données , installer préalablement "jq"</span>
<span class="nv">ville</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$ipinfo</span> | jq <span class="nt">-r</span> <span class="s1">'.city'</span><span class="si">)</span>
<span class="nv">pays</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$ipinfo</span> | jq <span class="nt">-r</span> <span class="s1">'.country'</span><span class="si">)</span>
<span class="nv">cpuname</span><span class="o">=</span><span class="sb">`</span><span class="nb">cat</span> /proc/cpuinfo |grep <span class="s1">'model name'</span> | <span class="nb">cut</span> <span class="nt">-d</span>: <span class="nt">-f2</span> | <span class="nb">sed</span> <span class="nt">-n</span> 1p<span class="sb">`</span>
<span class="nb">echo</span> <span class="s2">"</span><span class="se">\0</span><span class="s2">33[0m</span><span class="se">\0</span><span class="s2">33[1;31m"</span>
figlet <span class="s2">"xoyize.xyz"</span>
<span class="nb">echo</span> <span class="s2">"</span><span class="se">\0</span><span class="s2">33[0m"</span>
<span class="nb">echo</span> <span class="s2">"</span><span class="se">\0</span><span class="s2">33[1;35m </span><span class="se">\0</span><span class="s2">33[1;37mHostname </span><span class="se">\0</span><span class="s2">33[1;35m= </span><span class="se">\0</span><span class="s2">33[1;32m</span><span class="sb">`</span><span class="nb">hostname</span><span class="sb">`</span><span class="s2">
</span><span class="se">\0</span><span class="s2">33[1;35m </span><span class="se">\0</span><span class="s2">33[1;37mWired Ip </span><span class="se">\0</span><span class="s2">33[1;35m= </span><span class="se">\0</span><span class="s2">33[1;32m</span><span class="sb">`</span>ip addr show eth0 | <span class="nb">grep</span> <span class="s1">'inet\b'</span> | <span class="nb">awk</span> <span class="s1">'{print $2}'</span> | <span class="nb">cut</span> <span class="nt">-d</span>/ <span class="nt">-f1</span><span class="sb">`</span><span class="s2">
</span><span class="se">\0</span><span class="s2">33[1;35m </span><span class="se">\0</span><span class="s2">33[1;37mKernel </span><span class="se">\0</span><span class="s2">33[1;35m= </span><span class="se">\0</span><span class="s2">33[1;32m</span><span class="sb">`</span><span class="nb">uname</span> <span class="nt">-r</span><span class="sb">`</span><span class="s2">
</span><span class="se">\0</span><span class="s2">33[1;35m </span><span class="se">\0</span><span class="s2">33[1;37mDebian </span><span class="se">\0</span><span class="s2">33[1;35m= </span><span class="se">\0</span><span class="s2">33[1;32m</span><span class="sb">`</span><span class="nb">cat</span> /etc/debian_version<span class="sb">`</span><span class="s2">
</span><span class="se">\0</span><span class="s2">33[1;35m </span><span class="se">\0</span><span class="s2">33[1;37mUptime </span><span class="se">\0</span><span class="s2">33[1;35m= </span><span class="se">\0</span><span class="s2">33[1;32m</span><span class="sb">`</span><span class="nb">uptime</span> | <span class="nb">sed</span> <span class="s1">'s/.*up ([^,]*), .*/1/'</span> | <span class="nb">sed</span> <span class="nt">-e</span> <span class="s1">'s/^[ \t]*//'</span><span class="sb">`</span><span class="s2">
</span><span class="se">\0</span><span class="s2">33[1;35m </span><span class="se">\0</span><span class="s2">33[1;37mCPU </span><span class="se">\0</span><span class="s2">33[1;35m= </span><span class="se">\0</span><span class="s2">33[1;32m</span><span class="sb">`</span><span class="nb">echo</span> <span class="nv">$cpuname</span><span class="sb">`</span><span class="s2">
</span><span class="se">\0</span><span class="s2">33[1;35m</span><span class="se">\0</span><span class="s2">33[1;37mMemory Use </span><span class="se">\0</span><span class="s2">33[1;35m= </span><span class="se">\0</span><span class="s2">33[1;32m</span><span class="sb">`</span>free <span class="nt">-m</span> | <span class="nb">awk</span> <span class="s1">'NR==2{printf "%s/%sMB (%.2f%%)\n", $3,$2,$3*100/$2 }'</span><span class="sb">`</span><span class="s2">
</span><span class="se">\0</span><span class="s2">33[1;35m </span><span class="se">\0</span><span class="s2">33[1;37mUsername </span><span class="se">\0</span><span class="s2">33[1;35m= </span><span class="se">\0</span><span class="s2">33[1;32m</span><span class="sb">`</span><span class="nb">whoami</span><span class="sb">`</span><span class="s2">
</span><span class="se">\0</span><span class="s2">33[1;35m </span><span class="se">\0</span><span class="s2">33[1;37mSessions </span><span class="se">\0</span><span class="s2">33[1;35m= </span><span class="se">\0</span><span class="s2">33[1;32m</span><span class="sb">`</span><span class="nb">who</span> | <span class="nb">grep</span> <span class="nv">$USER</span> | <span class="nb">wc</span> <span class="nt">-l</span><span class="sb">`</span><span class="s2">
</span><span class="se">\0</span><span class="s2">33[1;35m</span><span class="se">\0</span><span class="s2">33[1;37mPublic Ip </span><span class="se">\0</span><span class="s2">33[1;35m= </span><span class="se">\0</span><span class="s2">33[1;32m</span><span class="sb">`</span><span class="nb">echo</span> <span class="nv">$publicip</span> <span class="nv">$pays</span><span class="sb">`</span><span class="s2">
</span><span class="se">\0</span><span class="s2">33[0m"</span>
curl fr.wttr.in/Paris?0
</code></pre></div></div>
<p>Effacer motd<br />
<code class="language-plaintext highlighter-rouge">sudo rm /etc/motd</code><br />
Déconnexion puis connexion</p>
<h2 id="serveur-de-messagerie-iredmail">Serveur de messagerie (iRedMail)</h2>
<p>Logiciel Open Source utilisé dans iRedMail:</p>
<ul>
<li>Postfix</li>
<li>Dovecot</li>
<li>Nginx</li>
<li>OpenLDAP, ldapd</li>
<li>MySQL / MariaDB, PostgreSQL</li>
<li>Amavised-new</li>
<li>SpamAssassin</li>
<li>ClamAV</li>
<li>Webmail Roundcube</li>
<li>SOGo Groupware</li>
<li>Fail2ban</li>
<li>Awstats</li>
<li>iRedAPD</li>
</ul>
<p>Caractéristiques de iRedMail:</p>
<ul>
<li>Tous les composants sont open-source.</li>
<li>TLS est activé par défaut. SMTP / IMAP sur TLS, HTTPS webmail</li>
<li>Créez autant de boîtes aux lettres virtuelles que vous le souhaitez dans un panneau dadministration Web.</li>
<li>Stocke les comptes de messagerie dans OpenLDAP, MySQL / MariaDB ou PostgreSQL.</li>
</ul>
<p>Il est recommandé de suivre les instructions ci-dessous sur un système dinstallation propre Debian qui a au moins 2 Go de RAM.<br />
Au moment de lécriture, la dernière version diRedMail est 0.9.7, diffusée le 1 juillet 2017.<br />
Veuillez vous rendre sur la page de téléchargement iRedMail (http://www.iredmail.org/download.html) pour télécharger la dernière version.<br />
<code class="language-plaintext highlighter-rouge">wget https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.7.tar.bz2</code><br />
Extraction<br />
<code class="language-plaintext highlighter-rouge">tar xvf iRedMail-0.9.7.tar.bz2</code><br />
Aller dans le dossier<br />
<code class="language-plaintext highlighter-rouge">cd iRedMail-0.9.7</code><br />
Ajout des permissions en exécution sur le script<br />
<code class="language-plaintext highlighter-rouge">chmod +x iRedMail.sh</code><br />
Exécuter le script bash<br />
<code class="language-plaintext highlighter-rouge">sudo bash iRedMail.sh</code><br />
Message à la fin des opérations</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>********************************************************************
* URLs of installed web applications:
*
* - Roundcube webmail: httpS://mail.serveur.tld/mail/
*
* - Web admin panel (iRedAdmin): httpS://mail.serveur.tld/iredadmin/
*
* You can login to above links with below credential:
*
* - Username: postmaster@xoyize.xyz
* - Password: ****************
*
*
********************************************************************
* Congratulations, mail server setup completed successfully. Please
* read below file for more information:
*
* - /home/adxo/iRedMail-0.9.7/iRedMail.tips
*
* And it's sent to your mail account postmaster@xoyize.xyz.
*
********************* WARNING **************************************
*
* Please reboot your system to enable all mail services.
*
********************************************************************
</code></pre></div></div>
<p>Redémarrage<br />
<code class="language-plaintext highlighter-rouge">sudo systemctl reboot</code></p>
<h3 id="modifier-structure-nginx">Modifier Structure nginx</h3>
<p>ON va simplifier la configuration nginx<br />
<code class="language-plaintext highlighter-rouge">nano /etc/nginx/nginx.conf</code></p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">user</span> <span class="s">www-data</span><span class="p">;</span>
<span class="k">worker_processes</span> <span class="mi">1</span><span class="p">;</span>
<span class="k">pid</span> <span class="n">/var/run/nginx.pid</span><span class="p">;</span>
<span class="k">events</span> <span class="p">{</span>
<span class="kn">worker_connections</span> <span class="mi">1024</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">http</span> <span class="p">{</span>
<span class="c1"># include /etc/nginx/conf-enabled/*.conf;</span>
<span class="kn">client_max_body_size</span> <span class="mi">12m</span><span class="p">;</span>
<span class="kn">default_type</span> <span class="nc">application/octet-stream</span><span class="p">;</span>
<span class="kn">gzip</span> <span class="no">on</span><span class="p">;</span>
<span class="kn">gzip_disable</span> <span class="s">"msie6"</span><span class="p">;</span>
<span class="kn">access_log</span> <span class="n">/var/log/nginx/access.log</span><span class="p">;</span>
<span class="kn">error_log</span> <span class="n">/var/log/nginx/error.log</span><span class="p">;</span>
<span class="kn">include</span> <span class="n">/etc/nginx/mime.types</span><span class="p">;</span>
<span class="kn">upstream</span> <span class="s">php_workers</span> <span class="p">{</span>
<span class="kn">server</span> <span class="s">unix:/var/run/php-fpm.socket</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">sendfile</span> <span class="no">on</span><span class="p">;</span>
<span class="c1"># Hide Nginx version number</span>
<span class="kn">server_tokens</span> <span class="no">off</span><span class="p">;</span>
<span class="kn">types_hash_max_size</span> <span class="mi">2048</span><span class="p">;</span>
<span class="c1"># include /etc/nginx/sites-enabled/*.conf;</span>
<span class="kn">include</span> <span class="n">/etc/nginx/conf.d/*.conf</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>Création configuration de base<br />
<code class="language-plaintext highlighter-rouge">mkdir -p /etc/nginx/conf.d/mail.serveur.tld.d</code><br />
Fichier de configuration serveur <strong>mail.serveur.tld.conf</strong><br />
<code class="language-plaintext highlighter-rouge">nano /etc/nginx/conf.d/mail.serveur.tld.conf</code></p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">server</span> <span class="p">{</span>
<span class="kn">index</span> <span class="s">index.php</span> <span class="s">index.html</span><span class="p">;</span>
<span class="c1"># Listen on ipv4</span>
<span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span>
<span class="c1"># Listen on ipv6.</span>
<span class="c1"># Note: this setting listens on both ipv4 and ipv6 with Nginx release</span>
<span class="c1"># shipped in some Linux/BSD distributions.</span>
<span class="c1">#listen [::]:80;</span>
<span class="kn">root</span> <span class="n">/var/www/html</span><span class="p">;</span>
<span class="kn">server_name</span> <span class="s">_</span><span class="p">;</span>
<span class="kn">include</span> <span class="n">/etc/nginx/templates/redirect_to_https.tmpl</span><span class="p">;</span>
<span class="kn">include</span> <span class="n">/etc/nginx/templates/misc.tmpl</span><span class="p">;</span>
<span class="kn">include</span> <span class="n">/etc/nginx/templates/php-catchall.tmpl</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">server</span> <span class="p">{</span>
<span class="kn">index</span> <span class="s">index.php</span> <span class="s">index.html</span><span class="p">;</span>
<span class="kn">listen</span> <span class="mi">443</span><span class="p">;</span>
<span class="kn">root</span> <span class="n">/var/www/html</span><span class="p">;</span>
<span class="kn">server_name</span> <span class="s">_</span><span class="p">;</span>
<span class="kn">include</span> <span class="n">/etc/nginx/templates/ssl.tmpl</span><span class="p">;</span>
<span class="kn">include</span> <span class="n">/etc/nginx/templates/awstats.tmpl</span><span class="p">;</span>
<span class="kn">include</span> <span class="n">/etc/nginx/templates/iredadmin.tmpl</span><span class="p">;</span>
<span class="kn">include</span> <span class="n">/etc/nginx/templates/roundcube.tmpl</span><span class="p">;</span>
<span class="kn">include</span> <span class="n">/etc/nginx/templates/sogo.tmpl</span><span class="p">;</span>
<span class="kn">include</span> <span class="n">/etc/nginx/templates/misc.tmpl</span><span class="p">;</span>
<span class="kn">include</span> <span class="n">/etc/nginx/templates/php-catchall.tmpl</span><span class="p">;</span>
<span class="kn">include</span> <span class="s">conf.d/mail.serveur.tld.d/*.conf</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>Vérification et relance service<br />
<code class="language-plaintext highlighter-rouge">nginx -t</code><br />
<code class="language-plaintext highlighter-rouge">systemctl restart nginx</code></p>
<h3 id="dkim">Dkim</h3>
<p>On met la clé de celle qui est paramétrée dans la dns ovh<br />
<code class="language-plaintext highlighter-rouge">cp /var/lib/dkim/xoyize.xyz.pem /var/lib/dkim/xoyize.xyz.pem.sav</code><br />
On met en place la clé existante<br />
<code class="language-plaintext highlighter-rouge">nano /var/lib/dkim/xoyize.xyz.pem</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDCsswhKO2pBS6i
UglTilZrUEZ6BPWPl+Y3LvIHByIE+tV+yDLsKcW6iyWqq58Ae4WLfZowFa8Ch0Nk
...
RaeHMqJdXeajanS0aq7qgpyw
-----END PRIVATE KEY-----
</code></pre></div></div>
<h2 id="certificats-ssl">Certificats SSL</h2>
<p>acme/Certificats SSL letsencrypt <br />
Installation client <strong>acme.sh</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">cd</span> ~
<span class="nb">sudo</span> <span class="nt">-s</span> <span class="c"># en mode super utilisateur</span>
apt <span class="nb">install </span>netcat <span class="c"># prérequis</span>
git clone https://github.com/Neilpang/acme.sh.git
<span class="nb">cd </span>acme.sh
./acme.sh <span class="nt">--install</span> <span class="c"># --nocron </span>
<span class="c"># OK, Close and reopen your terminal to start using acme.sh</span>
<span class="nb">cd</span> .. <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> acme.sh/
</code></pre></div></div>
<blockquote>
<p>le client est installé dans <strong>/root/.acme.sh/</strong></p>
</blockquote>
<h3 id="création-des-certificats-avec-api-ovh">Création des certificats avec API OVH</h3>
<p><a href="https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api">How to use OVH domain api</a></p>
<ol>
<li>Create application key and secret</li>
</ol>
<p><a href="https://eu.api.ovh.com/createApp/">https://eu.api.ovh.com/createApp/</a> (un jeu de clés peut être utilisé pour plusieurs domaines)<br />
<strong>API OVH :</strong><br />
Création de clé , <a href="https://eu.api.ovh.com/createApp/">OVH : Création de clé API application</a><br />
Application Name : DNS-Api<br />
Application Description : certificats<br />
Application Key : MyBRE3Oq2FZrLC2N<br />
Application Secret : U8rSfBLK0OYNRoeaCZvatqxUcf5aE8bj</p>
<ol>
<li>Valider le jeu de clés (Key Secret) pour un domaine.</li>
</ol>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo</span> <span class="nt">-s</span>
<span class="c"># application key</span>
<span class="nb">export </span><span class="nv">OVH_AK</span><span class="o">=</span><span class="s2">"MyBRE3Oq2FZrLC2N"</span>
<span class="c"># application secret</span>
<span class="nb">export </span><span class="nv">OVH_AS</span><span class="o">=</span><span class="s2">"U8rSfBLK0OYNRoeaCZvatqxUcf5aE8bj"</span>
</code></pre></div></div>
<p><code class="language-plaintext highlighter-rouge">/root/.acme.sh/acme.sh --dns dns_ovh --issue --keylength 4096 -d xoyize.xyz -d mail.xoyize.xyz -d imap.xoyize.xyz</code><br />
Le premier passage sort en erreur car i faut une authentification OVH par le lien donné dans le message<br />
<code class="language-plaintext highlighter-rouge">Please open this link to do authentication: https://eu.api.ovh.com/auth/?credentialToken=nQ8atrKjW5S0NgeObISCSsUfNSO...</code><br />
Relancer la commande précédente pour obtenir les certificats avec loption <strong>force</strong> si problème<br />
<code class="language-plaintext highlighter-rouge">/root/.acme.sh/acme.sh --dns dns_ovh --force --issue --keylength 4096 -d xoyize.xyz -d mail.xoyize.xyz -d imap.xoyize.xyz</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>...
[jeudi 7 septembre 2017, 10:46:11 (UTC+0200)] Your cert is in /root/.acme.sh/xoyize.xyz/xoyize.xyz.cer
[jeudi 7 septembre 2017, 10:46:11 (UTC+0200)] Your cert key is in /root/.acme.sh/xoyize.xyz/xoyize.xyz.key
[jeudi 7 septembre 2017, 10:46:11 (UTC+0200)] The intermediate CA cert is in /root/.acme.sh/xoyize.xyz/ca.cer
[jeudi 7 septembre 2017, 10:46:11 (UTC+0200)] And the full chain certs is there: /root/.acme.sh/xoyize.xyz/fullchain.cer
</code></pre></div></div>
<p>Les liens symboliques vers les certificats :</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">rm</span> <span class="nt">-f</span> /etc/ssl/private/iRedMail.key
<span class="nb">rm</span> <span class="nt">-f</span> /etc/ssl/certs/iRedMail.crt
<span class="nb">ln</span> <span class="nt">-s</span> /root/.acme.sh/xoyize.xyz/fullchain.cer /etc/ssl/certs/iRedMail.crt
<span class="nb">ln</span> <span class="nt">-s</span> /root/.acme.sh/xoyize.xyz/xoyize.xyz.key /etc/ssl/private/iRedMail.key
<span class="nb">ln</span> <span class="nt">-s</span> /root/.acme.sh/xoyize.xyz/xoyize.xyz.cer /etc/ssl/private/xoyize-cert.pem
<span class="nb">ln</span> <span class="nt">-s</span> /root/.acme.sh/xoyize.xyz/ca.cer /etc/ssl/private/ca-cert.pem
</code></pre></div></div>
<p>Activer la mise à jour automatique des certificats si linstallation <strong>acme</strong> sest faite avec le paramètre <strong>nocron</strong><br />
<code class="language-plaintext highlighter-rouge">crontab -e</code><br />
28 0 * * * “/root/.acme.sh”/acme.sh cron home “/root/.acme.sh” &gt; /dev/null<br />
Vérification tous les jours à 00h028<br />
Test manuel<br />
<code class="language-plaintext highlighter-rouge">"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[jeudi 7 septembre 2017, 10:56:24 (UTC+0200)] ===Starting cron===
[jeudi 7 septembre 2017, 10:56:24 (UTC+0200)] Renew: 'xoyize.xyz'
[jeudi 7 septembre 2017, 10:56:24 (UTC+0200)] Skip, Next renewal time is: lundi 6 novembre 2017, 08:46:11 (UTC+0000)
[jeudi 7 septembre 2017, 10:56:24 (UTC+0200)] Add '--force' to force to renew.
[jeudi 7 septembre 2017, 10:56:24 (UTC+0200)] Skipped xoyize.xyz
[jeudi 7 septembre 2017, 10:56:24 (UTC+0200)] ===End cron===
</code></pre></div></div>
<p>On relance le service<br />
<code class="language-plaintext highlighter-rouge">systemctl restart nginx</code><br />
On sort du mode su<br />
<code class="language-plaintext highlighter-rouge">exit</code></p>
<h2 id="nextcloud">Nextcloud</h2>
<p>Toutes les commandes sont exécutées après passage en mode <strong>su</strong><br />
Les modules php nécessaires à nextcloud<br />
<code class="language-plaintext highlighter-rouge">apt install php7.0 php7.0-fpm php7.0-mysql php7.0-curl php7.0-json php7.0-gd php7.0-mcrypt php7.0-tidy php7.0-intl php7.0-imagick php7.0-xml php7.0-mbstring php7.0-zip</code></p>
<h3 id="base-mysql-nextcloud">Base mysql nextcloud</h3>
<p>Créer une base mariadb Nextcloud<br />
<code class="language-plaintext highlighter-rouge">mysql -uroot -p</code><br />
sur le prompt <strong>MariaDB [(none)]&gt;</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>CREATE DATABASE nextcloud;
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost' IDENTIFIED BY 'mot-de-passe-base-nextcloud';
FLUSH PRIVILEGES;
quit
</code></pre></div></div>
<h3 id="installer-nextcloud">Installer nextcloud</h3>
<p>Se rendre dans le dossier <strong>/opt/www</strong> <br />
<code class="language-plaintext highlighter-rouge">cd /opt/www</code><br />
Télécharger la denière version de <strong>nextcloud</strong> (<a href="https://download.nextcloud.com/server/releases/">https://download.nextcloud.com/server/releases/</a>) <br />
<code class="language-plaintext highlighter-rouge">wget https://download.nextcloud.com/server/releases/nextcloud-12.0.2.zip</code> # Au 23 août 2017<br />
Extraction après téléchargement du fichier<br />
<code class="language-plaintext highlighter-rouge">unzip nextcloud-12.0.2.zip</code><br />
Effacer le zip<br />
<code class="language-plaintext highlighter-rouge">rm nextcloud-12.0.2.zip</code><br />
Créer le dossier <strong>data</strong><br />
<code class="language-plaintext highlighter-rouge">mkdir /opt/www/nextcloud/data</code></p>
<h3 id="droits-nextcloud">Droits nextcloud</h3>
<p><em>Lors du déploiement basique dun serveur HTTP, lutilisateur sous lequel fonctionne ce serveur (Apache, Nginx…) est la plupart du temps www-data, nobody ou apache. Cela signifie que si plusieurs sites existent sous la même instance de Nginx, tous utilisent le même utilisateur. Or si lun des sites savère corrompu par un utilisateur malveillant alors lassaillant peut profiter pleinement de tous les droits de lutilisateur sous lequel tourne le serveur web. Tous les sites savèrent donc vulnérables.</em></p>
<p><em>Pour des raisons évidentes de sécurité, il est donc recommandé de cloisonner ces utilisateurs et davoir un utilisateur dédié à la gestion du dossier nextcloud. Cet utilisateur aura des droits aussi restreints que possible à ce répertoire.</em></p>
<p>Par défaut, les fichiers de Nextcloud possèdent les permissions suivantes :<br />
répertoires : 755 (permission de lecture, décriture et dexécution pour le propriétaire et permission de lecture et dexécution pour le groupe et les autres)<br />
fichiers : 644 (permission de lecture et décriture pour le propriétaire et permission de lecture uniquement pour le groupe et les autres).</p>
<p>Nous allons donc modifier le propriétaire du répertoire <strong>/opt/www/nextcloud</strong> et lattribuer à un nouvel utilisateur dédié : <strong>nextcloud</strong>.</p>
<p>Par ailleurs, Nginx est lancé sous lutilisateur <strong>www-data</strong> et doit avoir accès en lecture au répertoire <strong>/opt/www/nextcloud</strong> pour lire les ressources statiques (HTML, CSS, JS, etc.). Nous allons donc attribuer le répertoire <strong>/opt/www/nextcloud</strong> au groupe <strong>www-data</strong>.<br />
Enfin nous retirerons toutes les permissions de ce répertoire aux autre utilisateurs.</p>
<p>Créez un utilisateur nextcloud :<br />
<code class="language-plaintext highlighter-rouge">useradd nextcloud --comment "limited nextcloud user" --no-create-home</code><br />
Modifiez le propriétaire et le groupe du répertoire /var/www/nextcloud :<br />
<code class="language-plaintext highlighter-rouge">chown -R nextcloud:www-data /opt/www/nextcloud</code><br />
Retirez toutes les permissions aux autres utilisateurs :<br />
<code class="language-plaintext highlighter-rouge">chmod -R o-rwx /opt/www/nextcloud</code></p>
<h3 id="php-fpm">Php-fpm</h3>
<p><em>Le module PHP-FPM permet la communication entre le serveur Nginx et PHP, basée sur le protocole FastCGI. Ce module, écoutant sur le port 9000 par défaut ou sur un socket UNIX, permet notamment lexécution de scripts PHP dans un processus indépendant de Nginx avec des UID et GID différents. Il sera alors possible, dans le cas de la gestion de plusieurs applications sur un même serveur, de créer et configurer un groupe (appelé aussi pool) par application. Un pool définit notamment le UID/GID des processus PHP et le nombre de processus minimum, maximum ou encore le nombre de processus en attente à lancer.</em></p>
<p><strong>[nextcloud]</strong> : nom du pool. Il est possible de créer plusieurs pools par fichier. Chaque pool doit commencer par cette directive.<br />
<strong>listen</strong> : interface découte des requêtes. Les syntaxes acceptées sont ADRESSE_IP:PORT (exemple : listen = 127.0.0.1:9000) et /path/to/unix/socket (exemple : listen = /var/run/nextcloud.sock). Le socket est représenté comme un simple fichier sur le système et permet dinterfacer des processus entre eux sans passer par la couche réseau du système, ce qui est inutile lorsque Nginx et PHP-FPM sont hébergés sur le même serveur. Je vous conseille donc dutiliser un socket.<br />
<strong>listen.owner &amp; listen.group</strong> : affecte lutilisateur et le groupe au socket Unix si utilisé. Ces deux paramètres peuvent être associés au paramètre listen.mode qui définit les permissions du socket (660 par défaut). Il est important que Nginx ait les droits de lecture sur le socket Unix.<br />
<strong>user &amp; group</strong> : utilisateur et groupe sous lesquels le pool de processus sera exécuté. Cet utilisateur et ce groupe doivent bien sûr exister sur votre système et surtout accéder aux fichiers PHP de votre Nextcloud. Cela veut dire aussi que chaque fichier et répertoire créé dans Nextcloud appartiendra à cet utilisateur et à ce groupe. Comme nous lavons vu dans le chapitre dédié aux droits Unix, chaque fichier devra appartenir à lutilisateur nextcloud et au groupe www-data.<br />
<strong>pm</strong> : directive acceptant les 3 valeurs suivantes : static, dynamic et ondemand.
<strong>pm = static</strong> : les processus, au nombre de <strong>pm.max_children</strong>, sont continuellement actifs (quelle que soit la charge et laffluence de votre Nextcloud) et sont susceptibles de consommer de la mémoire inutilement. Cette directive est recommandée si Nextcloud est lunique application de votre serveur.<br />
<strong>pm = dynamic</strong> : le nombre de processus fils pourra varier suivant la charge. Cependant, nous gardons le contrôle sur le nombre de processus fils à créer au démarrage du serveur, le nombre de processus maximum, en attente de requêtes, etc. Les directives suivantes deviennent obligatoires : <strong>pm.max_children, pm.start_servers, pm.min_spare_servers, pm.max_spare_servers</strong>. Cette directive est recommandée si vous avez plusieurs pools avec un fort trafic (plus de 10 000 requêtes/jour).<br />
<strong>pm = ondemand</strong> : aucun processus fils nest lancé au démarrage du serveur, les processus sactivent à la demande et auront une durée de vie définie par la directive <strong>pm.process_idle_timeout</strong>. Lintérêt de cette directive est de libérer de la mémoire en cas de faible charge mais celle-ci peut légèrement augmenter le temps de réponse de votre Nextcloud. Cette directive est recommandée si vous avez plusieurs pools avec potentiellement une faible affluence.</p>
<p><strong>pm.max_children</strong> : nombre maximum de processus fils. La valeur du paramètre pm.max_children varie dun système à lautre et est importante avec le paramètre <strong>pm = ondemand</strong>. <br />
Pour déterminer la valeur de ce paramètre ,arrêtez le service php-fpm :<br />
<code class="language-plaintext highlighter-rouge">sudo systemctl stop php7.0-fpm.service</code><br />
Affichez la mémoire disponible (colonne available) sur votre système :<br />
<code class="language-plaintext highlighter-rouge">free -m # available = 1630, le système dispose de 1630Mo de RAM disponible.</code><br />
La quantité de RAM que vous souhaitez allouer au maximum à Nextcloud est au maximum 768Mo de RAM pour Nextcloud.<br />
Affichez la mémoire utilisée par un processus fils php-fpm :<br />
<code class="language-plaintext highlighter-rouge">sudo systemctl start php7.0-fpm.service &amp;&amp; ps --no-headers -o "rss,cmd" -C php-fpm7.0 | awk '{ sum+=$1 } END { printf ("%d%s\n", sum/NR/1024,"M") }'</code><br />
<code class="language-plaintext highlighter-rouge">14M</code><br />
Déterminez le nombre de <strong>pm.max_children</strong> en appliquant la méthode de calcul suivante : pm.max_children = mémoire allouée / mémoire utilisée par un processus fils , 768/14 = 54</p>
<p><strong>pm.process_idle_timeout</strong> : durée en secondes avant quun processus fils inactif soit détruit.<br />
<strong>pm.max_requests</strong> : nombre de requêtes que chaque processus fils devra exécuter avant dêtre détruit. Cette valeur ne doit pas être trop élevée afin de contourner déventuelles fuites mémoires, ni trop faible pour ne pas solliciter régulièrement le CPU à chaque création de processus fils. 500 reste une valeur recommandée.<br />
<strong>env[]</strong> : variables denvironnement nécessaires à PHP-FPM.</p>
<p>Création du pool dédié à Nextcloud <strong>/etc/php/7.0/fpm/pool.d/nextcloud.conf</strong> <br />
<code class="language-plaintext highlighter-rouge">nano /etc/php/7.0/fpm/pool.d/nextcloud.conf</code></p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">[nextcloud]</span>
<span class="s">listen</span> <span class="p">=</span> <span class="n">/var/run/php-fpm-nextcloud.socket</span>
<span class="p">;</span> <span class="k">Set</span> <span class="s">permissions</span> <span class="s">for</span> <span class="s">unix</span> <span class="s">socket,</span> <span class="s">if</span> <span class="s">one</span> <span class="s">is</span> <span class="s">used.</span>
<span class="s">listen.owner</span> <span class="p">=</span> <span class="s">nextcloud</span>
<span class="s">listen.group</span> <span class="p">=</span> <span class="s">www-data</span>
<span class="s">listen.mode</span> <span class="p">=</span> <span class="mi">0660</span>
<span class="p">;</span> <span class="k">Unix</span> <span class="nc">user/group</span> <span class="s">of</span> <span class="s">processes.</span>
<span class="s">user</span> <span class="p">=</span> <span class="s">nextcloud</span>
<span class="s">group</span> <span class="p">=</span> <span class="s">www-data</span>
<span class="s">pm</span> <span class="p">=</span> <span class="s">dynamic</span>
<span class="s">pm.max_children</span> <span class="p">=</span> <span class="mi">6</span>
<span class="s">pm.start_servers</span> <span class="p">=</span> <span class="mi">3</span>
<span class="s">pm.min_spare_servers</span> <span class="p">=</span> <span class="mi">3</span>
<span class="s">pm.max_spare_servers</span> <span class="p">=</span> <span class="mi">5</span>
<span class="s">pm.max_requests</span> <span class="p">=</span> <span class="mi">500</span>
<span class="s">pm.status_path</span> <span class="p">=</span> <span class="n">/fpm-status</span>
<span class="s">ping.path</span> <span class="p">=</span> <span class="n">/ping</span>
<span class="s">request_terminate_timeout</span> <span class="p">=</span> <span class="s">1d</span>
<span class="s">request_slowlog_timeout</span> <span class="p">=</span> <span class="s">5s</span>
<span class="s">slowlog</span> <span class="p">=</span> <span class="n">/var/log/nginx/nextcloud.slow.log</span>
<span class="s">rlimit_files</span> <span class="p">=</span> <span class="mi">4096</span>
<span class="s">rlimit_core</span> <span class="p">=</span> <span class="mi">0</span>
<span class="s">chdir</span> <span class="p">=</span> <span class="n">/opt/www/nextcloud/</span>
<span class="s">catch_workers_output</span> <span class="p">=</span> <span class="s">yes</span>
<span class="s">clear_env</span> <span class="p">=</span> <span class="s">no</span>
<span class="s">php_value[upload_max_filesize]</span> <span class="p">=</span> <span class="mi">10G</span>
<span class="s">php_value[post_max_size]</span> <span class="p">=</span> <span class="mi">10G</span>
<span class="s">php_value[default_charset]</span> <span class="p">=</span> <span class="s">UTF-8</span>
</code></pre></div></div>
<p>Redémarrez le service php-fpm afin dactiver le nouveau pool nextcloud :<br />
<code class="language-plaintext highlighter-rouge">systemctl restart php7.0-fpm.service</code></p>
<h3 id="nginx-nextcloud-virtualhost">Nginx nextcloud virtualhost</h3>
<p>Le fichier de configuration nginx <strong>/etc/nginx/conf.d/mail.serveur.tld.d/nextcloud.conf</strong><br />
<code class="language-plaintext highlighter-rouge">nano /etc/nginx/conf.d/mail.serveur.tld.d/nextcloud.conf</code></p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">location</span> <span class="s">^~</span> <span class="n">/nextcloud</span> <span class="p">{</span>
<span class="kn">alias</span> <span class="n">/opt/www/nextcloud/</span><span class="p">;</span>
<span class="kn">if</span> <span class="s">(</span><span class="nv">$scheme</span> <span class="p">=</span> <span class="s">http)</span> <span class="p">{</span>
<span class="kn">rewrite</span> <span class="s">^</span> <span class="s">https://</span><span class="nv">$server_name$request_uri</span><span class="s">?</span> <span class="s">permanent</span><span class="p">;</span>
<span class="p">}</span>
<span class="c1"># Add headers to serve security related headers</span>
<span class="kn">add_header</span> <span class="s">X-Content-Type-Options</span> <span class="s">nosniff</span><span class="p">;</span>
<span class="kn">add_header</span> <span class="s">X-XSS-Protection</span> <span class="s">"1</span><span class="p">;</span> <span class="kn">mode=block"</span><span class="p">;</span>
<span class="kn">add_header</span> <span class="s">X-Robots-Tag</span> <span class="s">none</span><span class="p">;</span>
<span class="kn">add_header</span> <span class="s">X-Download-Options</span> <span class="s">noopen</span><span class="p">;</span>
<span class="kn">add_header</span> <span class="s">X-Permitted-Cross-Domain-Policies</span> <span class="s">none</span><span class="p">;</span>
<span class="kn">add_header</span> <span class="s">Strict-Transport-Security</span> <span class="s">'max-age=31536000</span><span class="p">;</span> <span class="kn">includeSubDomains</span><span class="p">;</span><span class="kn">'</span><span class="p">;</span>
<span class="c1"># Set max upload size</span>
<span class="kn">client_max_body_size</span> <span class="mi">10G</span><span class="p">;</span>
<span class="kn">fastcgi_buffers</span> <span class="mi">64</span> <span class="mi">4K</span><span class="p">;</span>
<span class="c1"># Disable gzip to avoid the removal of the ETag header</span>
<span class="kn">gzip</span> <span class="no">off</span><span class="p">;</span>
<span class="c1"># Errors pages</span>
<span class="kn">error_page</span> <span class="mi">403</span> <span class="n">/nextcloud/core/templates/403.php</span><span class="p">;</span>
<span class="kn">error_page</span> <span class="mi">404</span> <span class="n">/nextcloud/core/templates/404.php</span><span class="p">;</span>
<span class="c1"># The following 2 rules are only needed for the user_webfinger app.</span>
<span class="c1"># Uncomment it if you're planning to use this app.</span>
<span class="c1">#rewrite ^/.well-known/host-meta /nextcloud/public.php?service=host-meta last;</span>
<span class="c1">#rewrite ^/.well-known/host-meta.json /nextcloud/public.php?service=host-meta-json last;</span>
<span class="kn">location</span> <span class="n">/nextcloud</span> <span class="p">{</span>
<span class="kn">rewrite</span> <span class="s">^</span> <span class="n">/nextcloud/index.php</span><span class="nv">$uri</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="p">=</span> <span class="n">/nextcloud/robots.txt</span> <span class="p">{</span>
<span class="kn">allow</span> <span class="s">all</span><span class="p">;</span>
<span class="kn">log_not_found</span> <span class="no">off</span><span class="p">;</span>
<span class="kn">access_log</span> <span class="no">off</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="p">~</span> <span class="sr">^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/</span> <span class="p">{</span>
<span class="kn">deny</span> <span class="s">all</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="p">~</span> <span class="sr">^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console)</span> <span class="p">{</span>
<span class="kn">deny</span> <span class="s">all</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="p">~</span> <span class="sr">^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/)</span> <span class="p">{</span>
<span class="kn">include</span> <span class="s">fastcgi_params</span><span class="p">;</span>
<span class="kn">fastcgi_split_path_info</span> <span class="s">^(.+</span><span class="err">\</span><span class="s">.php)(/.+)</span>$<span class="p">;</span>
<span class="kn">fastcgi_param</span> <span class="s">SCRIPT_FILENAME</span> <span class="nv">$request_filename</span><span class="p">;</span>
<span class="kn">fastcgi_param</span> <span class="s">PATH_INFO</span> <span class="nv">$fastcgi_path_info</span><span class="p">;</span>
<span class="kn">fastcgi_param</span> <span class="s">HTTPS</span> <span class="no">on</span><span class="p">;</span>
<span class="kn">fastcgi_param</span> <span class="s">modHeadersAvailable</span> <span class="s">true</span><span class="p">;</span>
<span class="kn">fastcgi_param</span> <span class="s">REMOTE_USER</span> <span class="nv">$remote_user</span><span class="p">;</span>
<span class="kn">fastcgi_pass</span> <span class="s">unix:/var/run/php-fpm-nextcloud.socket</span><span class="p">;</span>
<span class="kn">fastcgi_intercept_errors</span> <span class="no">on</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="p">~</span> <span class="sr">^/nextcloud/(?:updater|ocs-provider)(?:$|/)</span> <span class="p">{</span>
<span class="kn">try_files</span> <span class="nv">$uri</span><span class="n">/</span> <span class="p">=</span><span class="mi">404</span><span class="p">;</span>
<span class="kn">index</span> <span class="s">index.php</span><span class="p">;</span>
<span class="p">}</span>
<span class="c1"># Adding the cache control header for js and css files</span>
<span class="kn">location</span> <span class="p">~</span><span class="sr">*</span> <span class="err">\</span><span class="s">.(?:css|js)</span>$ <span class="p">{</span>
<span class="kn">add_header</span> <span class="s">Cache-Control</span> <span class="s">"public,</span> <span class="s">max-age=7200"</span><span class="p">;</span>
<span class="c1"># Add headers to serve security related headers</span>
<span class="kn">add_header</span> <span class="s">Strict-Transport-Security</span> <span class="s">"max-age=15768000</span><span class="p">;</span><span class="kn">"</span><span class="p">;</span>
<span class="kn">add_header</span> <span class="s">X-Content-Type-Options</span> <span class="s">nosniff</span><span class="p">;</span>
<span class="kn">add_header</span> <span class="s">X-Frame-Options</span> <span class="s">"SAMEORIGIN"</span><span class="p">;</span>
<span class="kn">add_header</span> <span class="s">X-XSS-Protection</span> <span class="s">"1</span><span class="p">;</span> <span class="kn">mode=block"</span><span class="p">;</span>
<span class="kn">add_header</span> <span class="s">X-Robots-Tag</span> <span class="s">none</span><span class="p">;</span>
<span class="kn">add_header</span> <span class="s">X-Download-Options</span> <span class="s">noopen</span><span class="p">;</span>
<span class="kn">add_header</span> <span class="s">X-Permitted-Cross-Domain-Policies</span> <span class="s">none</span><span class="p">;</span>
<span class="c1"># Optional: Don't log access to assets</span>
<span class="kn">access_log</span> <span class="no">off</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="p">~</span><span class="sr">*</span> <span class="err">\</span><span class="s">.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)</span>$ <span class="p">{</span>
<span class="c1"># Optional: Don't log access to other assets</span>
<span class="kn">access_log</span> <span class="no">off</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>
<p>Vérifier nginx<br />
<code class="language-plaintext highlighter-rouge">nginx -t</code></p>
<h3 id="cache-php--opcache">Cache PHP : OPcache</h3>
<p><em>OPcache (qui signifie Optimizer Plus Cache) est introduit depuis la version 5.5.0 de PHP. Il sert à cacher lopcode de PHP, cest-à-dire les instructions de bas niveau générées par la machine virtuelle PHP lors de lexécution dun script. Autrement dit, le code pré-compilé est stocké en mémoire. Cela évite ainsi létape de compilation à chaque requête PHP. De plus, OPcache va optimiser lexécution du code afin den améliorer les performances.</em></p>
<p>Éditez le fichier /etc/php/7.0/fpm/php.ini, décommentez et modifiez les lignes suivantes dans la section [opcache] :<br />
<code class="language-plaintext highlighter-rouge">nano /etc/php/7.0/fpm/php.ini</code></p>
<div class="language-php highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">[</span><span class="n">opcache</span><span class="p">]</span>
<span class="n">opcache</span><span class="mf">.</span><span class="n">enable</span><span class="o">=</span><span class="mi">1</span>
<span class="n">opcache</span><span class="mf">.</span><span class="n">enable_cli</span><span class="o">=</span><span class="mi">1</span>
<span class="n">opcache</span><span class="mf">.</span><span class="n">interned_strings_buffer</span><span class="o">=</span><span class="mi">8</span>
<span class="n">opcache</span><span class="mf">.</span><span class="n">max_accelerated_files</span><span class="o">=</span><span class="mi">10000</span>
<span class="n">opcache</span><span class="mf">.</span><span class="n">memory_consumption</span><span class="o">=</span><span class="mi">128</span>
<span class="n">opcache</span><span class="mf">.</span><span class="n">save_comments</span><span class="o">=</span><span class="mi">1</span>
<span class="n">opcache</span><span class="mf">.</span><span class="n">revalidate_freq</span><span class="o">=</span><span class="mi">1</span>
</code></pre></div></div>
<p>La nouvelle configuration sera prise en compte après redémarrage du service PHP-FPM :<br />
<code class="language-plaintext highlighter-rouge">systemctl restart php7.0-fpm.service</code></p>
<h3 id="cache-de-données--apcu--redis">Cache de données : APCu &amp; Redis</h3>
<p><em>APCu permet notamment de mettre en cache les variables PHP et de les stocker en mémoire vive. Redis est un système de gestion de base de données NoSQL avec un système de clef-valeur scalable (sadapte à la charge). Une des principales caractéristiques de Redis est de conserver lintégralité des données en RAM. Cela permet dobtenir dexcellentes performances en évitant les accès disques, particulièrement coûteux.</em></p>
<p>Installez les paquets APCu et Redis :<br />
<code class="language-plaintext highlighter-rouge">apt install php-apcu redis-server php-redis -y</code><br />
Ajoutez les lignes suivantes dans le fichier <strong>/opt/www/nextcloud/config/config.php</strong> :<br />
<code class="language-plaintext highlighter-rouge">nano /opt/www/nextcloud/config/config.php</code></p>
<div class="language-php highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="s1">'memcache.local'</span> <span class="o">=&gt;</span> <span class="s1">'\\OC\\Memcache\\Redis'</span><span class="p">,</span>
<span class="s1">'filelocking.enabled'</span> <span class="o">=&gt;</span> <span class="s1">'true'</span><span class="p">,</span>
<span class="s1">'memcache.distributed'</span> <span class="o">=&gt;</span> <span class="s1">'\\OC\\Memcache\\Redis'</span><span class="p">,</span>
<span class="s1">'memcache.locking'</span> <span class="o">=&gt;</span> <span class="s1">'\\OC\\Memcache\\Redis'</span><span class="p">,</span>
<span class="s1">'redis'</span> <span class="o">=&gt;</span>
<span class="k">array</span> <span class="p">(</span>
<span class="s1">'host'</span> <span class="o">=&gt;</span> <span class="s1">'localhost'</span><span class="p">,</span>
<span class="s1">'port'</span> <span class="o">=&gt;</span> <span class="mi">6379</span><span class="p">,</span>
<span class="s1">'timeout'</span> <span class="o">=&gt;</span> <span class="mi">0</span><span class="p">,</span>
<span class="s1">'dbindex'</span> <span class="o">=&gt;</span> <span class="mi">0</span><span class="p">,</span>
<span class="p">),</span>
</code></pre></div></div>
<p>La nouvelle configuration sera prise en compte après redémarrage du service PHP-FPM :<br />
<code class="language-plaintext highlighter-rouge">systemctl restart php7.0-fpm.service</code><br />
Les fichiers log <strong>/opt/www/nextcloud/data/nextcloud.log</strong></p>
<p>Relancer nginx<br />
<code class="language-plaintext highlighter-rouge">systemctl restart nginx</code></p>
<p>Accès <a href="https://xoyize.xyz/nextcloud">https://xoyize.xyz/nextcloud</a><br />
Créer un compte administrateur <strong>admin</strong> + mot de passe <br />
Répertoire des données <strong>/var/www/nextcloud/data</strong><br />
Base MariaDb (MySql) <strong>nextcloud</strong> , utilisateur <strong>nextcloud</strong> + mot de passe accès</p>
<h2 id="sauvegarde-via-shuttle">Sauvegarde via shuttle</h2>
<p>Toutes les commandes sont exécutées après passage en mode <strong>su</strong></p>
<p>Ajout utilisateur <strong>backupuser</strong> qui ne peut exécuter que <strong>rsync</strong> et de la clé publique du “serveur de sauvegarde”<br />
Création utilisateur backup<br />
<code class="language-plaintext highlighter-rouge">useradd backupuser -c "limited backup user" -m -u 4210</code><br />
Ajout clé publique ssh dans le fichier <strong>authorized_keys</strong> du nouvel utilisateur</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mkdir /home/backupuser/.ssh
nano /home/backupuser/.ssh/authorized_keys #coller le contenu /home/backupuser/.ssh/id_rsa.pub copié sur terminal du serveur shuttle (yanspm.com)
</code></pre></div></div>
<p>Création script bash <strong>rsync-wrapper.sh</strong><br />
<code class="language-plaintext highlighter-rouge">nano /home/backupuser/rsync-wrapper.sh</code><br />
Contenu du script</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/sh</span>
<span class="nb">date</span> <span class="o">&gt;</span> /home/backupuser/backuplog
<span class="c">#echo $@ &gt;&gt; /home/backupuser/backuplog</span>
/usr/bin/sudo /usr/bin/rsync <span class="s2">"</span><span class="nv">$@</span><span class="s2">"</span><span class="p">;</span>
</code></pre></div></div>
<p>Droits sur le fichier</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo chown backupuser:backupuser /home/backupuser/rsync-wrapper.sh
sudo chmod 755 /home/backupuser/rsync-wrapper.sh
</code></pre></div></div>
<p>Edition fichier <strong>sudoers</strong> pour un accès root à lexécution de rsync<br />
Ajouter ligne suivante en fin de fichier,exécution en mode root de rsync</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo "backupuser ALL=NOPASSWD: /usr/bin/rsync" &gt;&gt; /etc/sudoers
exit
</code></pre></div></div>
<h2 id="sécurisé-le-site">Sécurisé le site</h2>
<h3 id="modifier-la-configuration-nginx">Modifier la configuration nginx</h3>
<p>Modifier <strong>/etc/nginx/conf.d/mail.serveur.tld.conf</strong> pour accepter uniquement https</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>server {
index index.php index.html;
# Listen on ipv4
listen 80;
# Listen on ipv6.
# Note: this setting listens on both ipv4 and ipv6 with Nginx release
# shipped in some Linux/BSD distributions.
#listen [::]:80;
root /var/www/html;
server_name _;
#include /etc/nginx/templates/redirect_to_https.tmpl;
#include /etc/nginx/templates/misc.tmpl;
#include /etc/nginx/templates/php-catchall.tmpl;
# redirect http to https www
return 301 https://$http_host$request_uri;
}
server {
index index.php index.html;
listen 443 ssl http2;
root /var/www/html;
server_name _;
include /etc/nginx/templates/ssl.tmpl;
include /etc/nginx/templates/awstats.tmpl;
include /etc/nginx/templates/iredadmin.tmpl;
include /etc/nginx/templates/roundcube.tmpl;
include /etc/nginx/templates/sogo.tmpl;
include /etc/nginx/templates/misc.tmpl;
include /etc/nginx/templates/php-catchall.tmpl;
include conf.d/mail.serveur.tld.d/*.conf;
}
</code></pre></div></div>
<p><a href="https://developer.mozilla.org/fr/docs/HTTP/CSP">Politique de sécurité</a><br />
<a href="https://memo-linux.com/securiser-son-site-web-sous-nginx-avec-lajout-den-tetes-headers/">Sécuriser son site web sous nginx avec lajout den-têtes (headers)</a><br />
Modifier <strong>/etc/nginx/templates/ssl.tmpl</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Fix 'The Logjam Attack'.
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dh2048_param.pem;
#HSTS est un dispositif de sécurité par lequel un site web peut déclarer aux navigateurs quils doivent communiquer avec lui en utilisant exclusivement le protocole HTTPS, au lieu du HTTP
add_header Strict-Transport-Security "max-age=31536000;";
#se protéger contre le détournement de clic (clickjacking)
add_header X-Frame-Options "SAMEORIGIN" always;
#faire une vérification stricte des types Mime. Elle naccepte quune seule directive : nosniff.
add_header X-Content-Type-Options nosniff;
#activer les filtres anti-xss incorporés dans certains navigateurs.
add_header X-XSS-Protection "1; mode=block";
#CSP permet dautoriser seulement les domaines déclarés à exécuter du script JavaScript, une feuille de style css, etc.
add_header Content-Security-Policy "default-src 'self';";
# To use your own ssl cert (e.g. LetsEncrypt), please create symbol link to
# ssl cert/key used below, so that we can manage this config file with Ansible.
#
# For example:
#
# rm -f /etc/ssl/private/iRedMail.key
# rm -f /etc/ssl/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/&lt;domain&gt;/privkey.pem /etc/ssl/private/iRedMail.key
# ln -s /etc/letsencrypt/live/&lt;domain&gt;/fullchain.pem /etc/ssl/certs/iRedMail.crt
#
ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;
</code></pre></div></div>
<h3 id="vérifications">Vérifications</h3>
<p>Par le site de test <a href="https://observatory.mozilla.org/analyze.html?host=xoyize.xyz">https://observatory.mozilla.org/analyze.html?host=xoyize.xyz</a></p>
<table>
<thead>
<tr>
<th>Date</th>
<th>Score</th>
<th style="text-align: center">Grade</th>
</tr>
</thead>
<tbody>
<tr>
<td>September 11, 2017 6:34 PM</td>
<td>105/100</td>
<td style="text-align: center"><strong>A+</strong></td>
</tr>
</tbody>
</table>
<p>Détails</p>
<table>
<thead>
<tr>
<th>Test</th>
<th style="text-align: center">Pass</th>
<th style="text-align: center">Score</th>
<th style="text-align: left">Explanation</th>
</tr>
</thead>
<tbody>
<tr>
<td>Content Security Policy</td>
<td style="text-align: center">Y</td>
<td style="text-align: center">+5</td>
<td style="text-align: left">Content Security Policy (CSP) implemented without <code class="language-plaintext highlighter-rouge">'unsafe-inline'</code> or <code class="language-plaintext highlighter-rouge">'unsafe-eval'</code></td>
</tr>
<tr>
<td>Cookies</td>
<td style="text-align: center">-</td>
<td style="text-align: center">0</td>
<td style="text-align: left">No cookies detected</td>
</tr>
<tr>
<td>Cross-origin Resource Sharing</td>
<td style="text-align: center">Y</td>
<td style="text-align: center">0</td>
<td style="text-align: left">Content is not visible via cross-origin resource sharing (CORS) files or headers</td>
</tr>
<tr>
<td>HTTP Public Key Pinning</td>
<td style="text-align: center">-</td>
<td style="text-align: center">0</td>
<td style="text-align: left">HTTP Public Key Pinning (HPKP) header not implemented (optional)</td>
</tr>
<tr>
<td>HTTP Strict Transport Security</td>
<td style="text-align: center">Y</td>
<td style="text-align: center">0</td>
<td style="text-align: left">HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000)</td>
</tr>
<tr>
<td>Redirection</td>
<td style="text-align: center">Y</td>
<td style="text-align: center">0</td>
<td style="text-align: left">Initial redirection is to https on same host, final destination is https</td>
</tr>
<tr>
<td>Referrer Policy</td>
<td style="text-align: center">-</td>
<td style="text-align: center">0</td>
<td style="text-align: left">Referrer-Policy header not implemented (optional)</td>
</tr>
<tr>
<td>Subresource Integrity</td>
<td style="text-align: center">-</td>
<td style="text-align: center">0</td>
<td style="text-align: left">Subresource Integrity (SRI) is not needed since site contains no script tags</td>
</tr>
<tr>
<td>X-Content-Type-Options</td>
<td style="text-align: center">Y</td>
<td style="text-align: center">0</td>
<td style="text-align: left">X-Content-Type-Options header set to <code class="language-plaintext highlighter-rouge">"nosniff"</code></td>
</tr>
<tr>
<td>X-Frame-Options</td>
<td style="text-align: center">Y</td>
<td style="text-align: center">0</td>
<td style="text-align: left">X-Frame-Options (XFO) header set to <code class="language-plaintext highlighter-rouge">SAMEORIGIN</code> or <code class="language-plaintext highlighter-rouge">DENY</code></td>
</tr>
<tr>
<td>X-XSS-Protection</td>
<td style="text-align: center">Y</td>
<td style="text-align: center">0</td>
<td style="text-align: left">X-XSS-Protection header set to <code class="language-plaintext highlighter-rouge">"1; mode=block"</code></td>
</tr>
</tbody>
</table>
</div>
<div class="d-print-none"><footer class="article__footer"><meta itemprop="dateModified" content="2018-11-23T00:00:00+01:00"><!-- start custom article footer snippet -->
<!-- end custom article footer snippet -->
<!--
<div align="right"><a type="application/rss+xml" href="/feed.xml" title="S'abonner"><i class="fa fa-rss fa-2x"></i></a>
&emsp;</div>
-->
</footer>
<div class="article__section-navigator clearfix"><div class="previous"><span>PRÉCÉDENT</span><a href="/2018/11/23/ldap-Getting_started_with_OpenLDAP-2.html">KVM Debian Stretch serveur de messagerie xoyize.xyz (France)</a></div><div class="next"><span>SUIVANT</span><a href="/2018/11/23/shuttle.html">Yunohost Shuttle</a></div></div></div>
</div>
<script>(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
$(function() {
var $this ,$scroll;
var $articleContent = $('.js-article-content');
var hasSidebar = $('.js-page-root').hasClass('layout--page--sidebar');
var scroll = hasSidebar ? '.js-page-main' : 'html, body';
$scroll = $(scroll);
$articleContent.find('.highlight').each(function() {
$this = $(this);
$this.attr('data-lang', $this.find('code').attr('data-lang'));
});
$articleContent.find('h1[id], h2[id], h3[id], h4[id], h5[id], h6[id]').each(function() {
$this = $(this);
$this.append($('<a class="anchor d-print-none" aria-hidden="true"></a>').html('<i class="fas fa-anchor"></i>'));
});
$articleContent.on('click', '.anchor', function() {
$scroll.scrollToAnchor('#' + $(this).parent().attr('id'), 400);
});
});
});
})();
</script>
</div><section class="page__comments d-print-none"></section></article><!-- start custom main bottom snippet -->
<!-- end custom main bottom snippet -->
</div>
</div></div></div></div>
</div><script>(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
var $body = $('body'), $window = $(window);
var $pageRoot = $('.js-page-root'), $pageMain = $('.js-page-main');
var activeCount = 0;
function modal(options) {
var $root = this, visible, onChange, hideWhenWindowScroll = false;
var scrollTop;
function setOptions(options) {
var _options = options || {};
visible = _options.initialVisible === undefined ? false : show;
onChange = _options.onChange;
hideWhenWindowScroll = _options.hideWhenWindowScroll;
}
function init() {
setState(visible);
}
function setState(isShow) {
if (isShow === visible) {
return;
}
visible = isShow;
if (visible) {
activeCount++;
scrollTop = $(window).scrollTop() || $pageMain.scrollTop();
$root.addClass('modal--show');
$pageMain.scrollTop(scrollTop);
activeCount === 1 && ($pageRoot.addClass('show-modal'), $body.addClass('of-hidden'));
hideWhenWindowScroll && window.hasEvent('touchstart') && $window.on('scroll', hide);
$window.on('keyup', handleKeyup);
} else {
activeCount > 0 && activeCount--;
$root.removeClass('modal--show');
$window.scrollTop(scrollTop);
activeCount === 0 && ($pageRoot.removeClass('show-modal'), $body.removeClass('of-hidden'));
hideWhenWindowScroll && window.hasEvent('touchstart') && $window.off('scroll', hide);
$window.off('keyup', handleKeyup);
}
onChange && onChange(visible);
}
function show() {
setState(true);
}
function hide() {
setState(false);
}
function handleKeyup(e) {
// Char Code: 27 ESC
if (e.which === 27) {
hide();
}
}
setOptions(options);
init();
return {
show: show,
hide: hide,
$el: $root
};
}
$.fn.modal = modal;
});
})();
</script><div class="modal modal--overflow page__search-modal d-print-none js-page-search-modal"><script>
(function () {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
// search panel
var search = (window.search || (window.search = {}));
var useDefaultSearchBox = window.useDefaultSearchBox === undefined ?
true : window.useDefaultSearchBox ;
var $searchModal = $('.js-page-search-modal');
var $searchToggle = $('.js-search-toggle');
var searchModal = $searchModal.modal({ onChange: handleModalChange, hideWhenWindowScroll: true });
var modalVisible = false;
search.searchModal = searchModal;
var $searchBox = null;
var $searchInput = null;
var $searchClear = null;
function getModalVisible() {
return modalVisible;
}
search.getModalVisible = getModalVisible;
function handleModalChange(visible) {
modalVisible = visible;
if (visible) {
search.onShow && search.onShow();
useDefaultSearchBox && $searchInput[0] && $searchInput[0].focus();
} else {
search.onShow && search.onHide();
useDefaultSearchBox && $searchInput[0] && $searchInput[0].blur();
setTimeout(function() {
useDefaultSearchBox && ($searchInput.val(''), $searchBox.removeClass('not-empty'));
search.clear && search.clear();
window.pageAsideAffix && window.pageAsideAffix.refresh();
}, 400);
}
}
$searchToggle.on('click', function() {
modalVisible ? searchModal.hide() : searchModal.show();
});
// Char Code: 83 S, 191 /
$(window).on('keyup', function(e) {
if (!modalVisible && !window.isFormElement(e.target || e.srcElement) && (e.which === 83 || e.which === 191)) {
modalVisible || searchModal.show();
}
});
if (useDefaultSearchBox) {
$searchBox = $('.js-search-box');
$searchInput = $searchBox.children('input');
$searchClear = $searchBox.children('.js-icon-clear');
search.getSearchInput = function() {
return $searchInput.get(0);
};
search.getVal = function() {
return $searchInput.val();
};
search.setVal = function(val) {
$searchInput.val(val);
};
$searchInput.on('focus', function() {
$(this).addClass('focus');
});
$searchInput.on('blur', function() {
$(this).removeClass('focus');
});
$searchInput.on('input', window.throttle(function() {
var val = $(this).val();
if (val === '' || typeof val !== 'string') {
search.clear && search.clear();
} else {
$searchBox.addClass('not-empty');
search.onInputNotEmpty && search.onInputNotEmpty(val);
}
}, 400));
$searchClear.on('click', function() {
$searchInput.val(''); $searchBox.removeClass('not-empty');
search.clear && search.clear();
});
}
});
})();
</script><div class="search search--dark">
<div class="main">
<div class="search__header">Recherche</div>
<div class="search-bar">
<div class="search-box js-search-box">
<div class="search-box__icon-search"><i class="fas fa-search"></i></div>
<input id="search-input" type="text" />
<div class="search-box__icon-clear js-icon-clear">
<a><i class="fas fa-times"></i></a>
</div>
</div>
<button class="button button--theme-dark button--pill search__cancel js-search-toggle">
Annuler</button>
</div>
<div id="results-container" class="search-result js-search-result"></div>
</div>
</div>
<!-- Script pointing to search-script.js -->
<script>/*!
* Simple-Jekyll-Search
* Copyright 2015-2020, Christian Fei
* Licensed under the MIT License.
*/
(function(){
'use strict'
var _$Templater_7 = {
compile: compile,
setOptions: setOptions
}
const options = {}
options.pattern = /\{(.*?)\}/g
options.template = ''
options.middleware = function () {}
function setOptions (_options) {
options.pattern = _options.pattern || options.pattern
options.template = _options.template || options.template
if (typeof _options.middleware === 'function') {
options.middleware = _options.middleware
}
}
function compile (data) {
return options.template.replace(options.pattern, function (match, prop) {
const value = options.middleware(prop, data[prop], options.template)
if (typeof value !== 'undefined') {
return value
}
return data[prop] || match
})
}
'use strict';
function fuzzysearch (needle, haystack) {
var tlen = haystack.length;
var qlen = needle.length;
if (qlen > tlen) {
return false;
}
if (qlen === tlen) {
return needle === haystack;
}
outer: for (var i = 0, j = 0; i < qlen; i++) {
var nch = needle.charCodeAt(i);
while (j < tlen) {
if (haystack.charCodeAt(j++) === nch) {
continue outer;
}
}
return false;
}
return true;
}
var _$fuzzysearch_1 = fuzzysearch;
'use strict'
/* removed: const _$fuzzysearch_1 = require('fuzzysearch') */;
var _$FuzzySearchStrategy_5 = new FuzzySearchStrategy()
function FuzzySearchStrategy () {
this.matches = function (string, crit) {
return _$fuzzysearch_1(crit.toLowerCase(), string.toLowerCase())
}
}
'use strict'
var _$LiteralSearchStrategy_6 = new LiteralSearchStrategy()
function LiteralSearchStrategy () {
this.matches = function (str, crit) {
if (!str) return false
str = str.trim().toLowerCase()
crit = crit.trim().toLowerCase()
return crit.split(' ').filter(function (word) {
return str.indexOf(word) >= 0
}).length === crit.split(' ').length
}
}
'use strict'
var _$Repository_4 = {
put: put,
clear: clear,
search: search,
setOptions: __setOptions_4
}
/* removed: const _$FuzzySearchStrategy_5 = require('./SearchStrategies/FuzzySearchStrategy') */;
/* removed: const _$LiteralSearchStrategy_6 = require('./SearchStrategies/LiteralSearchStrategy') */;
function NoSort () {
return 0
}
const data = []
let opt = {}
opt.fuzzy = false
opt.limit = 10
opt.searchStrategy = opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
opt.sort = NoSort
opt.exclude = []
function put (data) {
if (isObject(data)) {
return addObject(data)
}
if (isArray(data)) {
return addArray(data)
}
return undefined
}
function clear () {
data.length = 0
return data
}
function isObject (obj) {
return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Object]'
}
function isArray (obj) {
return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Array]'
}
function addObject (_data) {
data.push(_data)
return data
}
function addArray (_data) {
const added = []
clear()
for (let i = 0, len = _data.length; i < len; i++) {
if (isObject(_data[i])) {
added.push(addObject(_data[i]))
}
}
return added
}
function search (crit) {
if (!crit) {
return []
}
return findMatches(data, crit, opt.searchStrategy, opt).sort(opt.sort)
}
function __setOptions_4 (_opt) {
opt = _opt || {}
opt.fuzzy = _opt.fuzzy || false
opt.limit = _opt.limit || 10
opt.searchStrategy = _opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
opt.sort = _opt.sort || NoSort
opt.exclude = _opt.exclude || []
}
function findMatches (data, crit, strategy, opt) {
const matches = []
for (let i = 0; i < data.length && matches.length < opt.limit; i++) {
const match = findMatchesInObject(data[i], crit, strategy, opt)
if (match) {
matches.push(match)
}
}
return matches
}
function findMatchesInObject (obj, crit, strategy, opt) {
for (const key in obj) {
if (!isExcluded(obj[key], opt.exclude) && strategy.matches(obj[key], crit)) {
return obj
}
}
}
function isExcluded (term, excludedTerms) {
for (let i = 0, len = excludedTerms.length; i < len; i++) {
const excludedTerm = excludedTerms[i]
if (new RegExp(excludedTerm).test(term)) {
return true
}
}
return false
}
/* globals ActiveXObject:false */
'use strict'
var _$JSONLoader_2 = {
load: load
}
function load (location, callback) {
const xhr = getXHR()
xhr.open('GET', location, true)
xhr.onreadystatechange = createStateChangeListener(xhr, callback)
xhr.send()
}
function createStateChangeListener (xhr, callback) {
return function () {
if (xhr.readyState === 4 && xhr.status === 200) {
try {
callback(null, JSON.parse(xhr.responseText))
} catch (err) {
callback(err, null)
}
}
}
}
function getXHR () {
return window.XMLHttpRequest ? new window.XMLHttpRequest() : new ActiveXObject('Microsoft.XMLHTTP')
}
'use strict'
var _$OptionsValidator_3 = function OptionsValidator (params) {
if (!validateParams(params)) {
throw new Error('-- OptionsValidator: required options missing')
}
if (!(this instanceof OptionsValidator)) {
return new OptionsValidator(params)
}
const requiredOptions = params.required
this.getRequiredOptions = function () {
return requiredOptions
}
this.validate = function (parameters) {
const errors = []
requiredOptions.forEach(function (requiredOptionName) {
if (typeof parameters[requiredOptionName] === 'undefined') {
errors.push(requiredOptionName)
}
})
return errors
}
function validateParams (params) {
if (!params) {
return false
}
return typeof params.required !== 'undefined' && params.required instanceof Array
}
}
'use strict'
var _$utils_9 = {
merge: merge,
isJSON: isJSON
}
function merge (defaultParams, mergeParams) {
const mergedOptions = {}
for (const option in defaultParams) {
mergedOptions[option] = defaultParams[option]
if (typeof mergeParams[option] !== 'undefined') {
mergedOptions[option] = mergeParams[option]
}
}
return mergedOptions
}
function isJSON (json) {
try {
if (json instanceof Object && JSON.parse(JSON.stringify(json))) {
return true
}
return false
} catch (err) {
return false
}
}
var _$src_8 = {};
(function (window) {
'use strict'
let options = {
searchInput: null,
resultsContainer: null,
json: [],
success: Function.prototype,
searchResultTemplate: '<li><a href="{url}" title="{desc}">{title}</a></li>',
templateMiddleware: Function.prototype,
sortMiddleware: function () {
return 0
},
noResultsText: 'No results found',
limit: 10,
fuzzy: false,
debounceTime: null,
exclude: []
}
let debounceTimerHandle
const debounce = function (func, delayMillis) {
if (delayMillis) {
clearTimeout(debounceTimerHandle)
debounceTimerHandle = setTimeout(func, delayMillis)
} else {
func.call()
}
}
const requiredOptions = ['searchInput', 'resultsContainer', 'json']
/* removed: const _$Templater_7 = require('./Templater') */;
/* removed: const _$Repository_4 = require('./Repository') */;
/* removed: const _$JSONLoader_2 = require('./JSONLoader') */;
const optionsValidator = _$OptionsValidator_3({
required: requiredOptions
})
/* removed: const _$utils_9 = require('./utils') */;
window.SimpleJekyllSearch = function (_options) {
const errors = optionsValidator.validate(_options)
if (errors.length > 0) {
throwError('You must specify the following required options: ' + requiredOptions)
}
options = _$utils_9.merge(options, _options)
_$Templater_7.setOptions({
template: options.searchResultTemplate,
middleware: options.templateMiddleware
})
_$Repository_4.setOptions({
fuzzy: options.fuzzy,
limit: options.limit,
sort: options.sortMiddleware,
exclude: options.exclude
})
if (_$utils_9.isJSON(options.json)) {
initWithJSON(options.json)
} else {
initWithURL(options.json)
}
const rv = {
search: search
}
typeof options.success === 'function' && options.success.call(rv)
return rv
}
function initWithJSON (json) {
_$Repository_4.put(json)
registerInput()
}
function initWithURL (url) {
_$JSONLoader_2.load(url, function (err, json) {
if (err) {
throwError('failed to get JSON (' + url + ')')
}
initWithJSON(json)
})
}
function emptyResultsContainer () {
options.resultsContainer.innerHTML = ''
}
function appendToResultsContainer (text) {
options.resultsContainer.innerHTML += text
}
function registerInput () {
options.searchInput.addEventListener('input', function (e) {
if (isWhitelistedKey(e.which)) {
emptyResultsContainer()
debounce(function () { search(e.target.value) }, options.debounceTime)
}
})
}
function search (query) {
if (isValidQuery(query)) {
emptyResultsContainer()
render(_$Repository_4.search(query), query)
}
}
function render (results, query) {
const len = results.length
if (len === 0) {
return appendToResultsContainer(options.noResultsText)
}
for (let i = 0; i < len; i++) {
results[i].query = query
appendToResultsContainer(_$Templater_7.compile(results[i]))
}
}
function isValidQuery (query) {
return query && query.length > 0
}
function isWhitelistedKey (key) {
return [13, 16, 20, 37, 38, 39, 40, 91].indexOf(key) === -1
}
function throwError (message) {
throw new Error('SimpleJekyllSearch --- ' + message)
}
})(window)
}());
</script>
<!-- Configuration -->
<script>
SimpleJekyllSearch({
searchInput: document.getElementById('search-input'),
resultsContainer: document.getElementById('results-container'),
noResultsText: '<p>Aucun résultat!</p>',
json: '/search.json',
searchResultTemplate: '<li><a href="{url}">{date}&nbsp;{title}</a>&nbsp;(Création {create})</li>'
})
</script>
</div></div>
<script>(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
function scrollToAnchor(anchor, duration, callback) {
var $root = this;
$root.animate({ scrollTop: $(anchor).position().top }, duration, function() {
window.history.replaceState(null, '', window.location.href.split('#')[0] + anchor);
callback && callback();
});
}
$.fn.scrollToAnchor = scrollToAnchor;
});
})();
(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
function affix(options) {
var $root = this, $window = $(window), $scrollTarget, $scroll,
offsetBottom = 0, scrollTarget = window, scroll = window.document, disabled = false, isOverallScroller = true,
rootTop, rootLeft, rootHeight, scrollBottom, rootBottomTop,
hasInit = false, curState;
function setOptions(options) {
var _options = options || {};
_options.offsetBottom && (offsetBottom = _options.offsetBottom);
_options.scrollTarget && (scrollTarget = _options.scrollTarget);
_options.scroll && (scroll = _options.scroll);
_options.disabled !== undefined && (disabled = _options.disabled);
$scrollTarget = $(scrollTarget);
isOverallScroller = window.isOverallScroller($scrollTarget[0]);
$scroll = $(scroll);
}
function preCalc() {
top();
rootHeight = $root.outerHeight();
rootTop = $root.offset().top + (isOverallScroller ? 0 : $scrollTarget.scrollTop());
rootLeft = $root.offset().left;
}
function calc(needPreCalc) {
needPreCalc && preCalc();
scrollBottom = $scroll.outerHeight() - offsetBottom - rootHeight;
rootBottomTop = scrollBottom - rootTop;
}
function top() {
if (curState !== 'top') {
$root.removeClass('fixed').css({
left: 0,
top: 0
});
curState = 'top';
}
}
function fixed() {
if (curState !== 'fixed') {
$root.addClass('fixed').css({
left: rootLeft + 'px',
top: 0
});
curState = 'fixed';
}
}
function bottom() {
if (curState !== 'bottom') {
$root.removeClass('fixed').css({
left: 0,
top: rootBottomTop + 'px'
});
curState = 'bottom';
}
}
function setState() {
var scrollTop = $scrollTarget.scrollTop();
if (scrollTop >= rootTop && scrollTop <= scrollBottom) {
fixed();
} else if (scrollTop < rootTop) {
top();
} else {
bottom();
}
}
function init() {
if(!hasInit) {
var interval, timeout;
calc(true); setState();
// run calc every 100 millisecond
interval = setInterval(function() {
calc();
}, 100);
timeout = setTimeout(function() {
clearInterval(interval);
}, 45000);
window.pageLoad.then(function() {
setTimeout(function() {
clearInterval(interval);
clearTimeout(timeout);
}, 3000);
});
$scrollTarget.on('scroll', function() {
disabled || setState();
});
$window.on('resize', function() {
disabled || (calc(true), setState());
});
hasInit = true;
}
}
setOptions(options);
if (!disabled) {
init();
}
$window.on('resize', window.throttle(function() {
init();
}, 200));
return {
setOptions: setOptions,
refresh: function() {
calc(true, { animation: false }); setState();
}
};
}
$.fn.affix = affix;
});
})();
(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
function toc(options) {
var $root = this, $window = $(window), $scrollTarget, $scroller, $tocUl = $('<ul class="toc toc--ellipsis"></ul>'), $tocLi, $headings, $activeLast, $activeCur,
selectors = 'h1,h2,h3', container = 'body', scrollTarget = window, scroller = 'html, body', disabled = false,
headingsPos, scrolling = false, hasRendered = false, hasInit = false;
function setOptions(options) {
var _options = options || {};
_options.selectors && (selectors = _options.selectors);
_options.container && (container = _options.container);
_options.scrollTarget && (scrollTarget = _options.scrollTarget);
_options.scroller && (scroller = _options.scroller);
_options.disabled !== undefined && (disabled = _options.disabled);
$headings = $(container).find(selectors).filter('[id]');
$scrollTarget = $(scrollTarget);
$scroller = $(scroller);
}
function calc() {
headingsPos = [];
$headings.each(function() {
headingsPos.push(Math.floor($(this).position().top));
});
}
function setState(element, disabled) {
var scrollTop = $scrollTarget.scrollTop(), i;
if (disabled || !headingsPos || headingsPos.length < 1) { return; }
if (element) {
$activeCur = element;
} else {
for (i = 0; i < headingsPos.length; i++) {
if (scrollTop >= headingsPos[i]) {
$activeCur = $tocLi.eq(i);
} else {
$activeCur || ($activeCur = $tocLi.eq(i));
break;
}
}
}
$activeLast && $activeLast.removeClass('active');
($activeLast = $activeCur).addClass('active');
}
function render() {
if(!hasRendered) {
$root.append($tocUl);
$headings.each(function() {
var $this = $(this);
$tocUl.append($('<li></li>').addClass('toc-' + $this.prop('tagName').toLowerCase())
.append($('<a></a>').text($this.text()).attr('href', '#' + $this.prop('id'))));
});
$tocLi = $tocUl.children('li');
$tocUl.on('click', 'a', function(e) {
e.preventDefault();
var $this = $(this);
scrolling = true;
setState($this.parent());
$scroller.scrollToAnchor($this.attr('href'), 400, function() {
scrolling = false;
});
});
}
hasRendered = true;
}
function init() {
var interval, timeout;
if(!hasInit) {
render(); calc(); setState(null, scrolling);
// run calc every 100 millisecond
interval = setInterval(function() {
calc();
}, 100);
timeout = setTimeout(function() {
clearInterval(interval);
}, 45000);
window.pageLoad.then(function() {
setTimeout(function() {
clearInterval(interval);
clearTimeout(timeout);
}, 3000);
});
$scrollTarget.on('scroll', function() {
disabled || setState(null, scrolling);
});
$window.on('resize', window.throttle(function() {
if (!disabled) {
render(); calc(); setState(null, scrolling);
}
}, 100));
}
hasInit = true;
}
setOptions(options);
if (!disabled) {
init();
}
$window.on('resize', window.throttle(function() {
init();
}, 200));
return {
setOptions: setOptions
};
}
$.fn.toc = toc;
});
})();
/*(function () {
})();*/
</script><script>
/* toc must before affix, since affix need to konw toc' height. */(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
var TOC_SELECTOR = window.TEXT_VARIABLES.site.toc.selectors;
window.Lazyload.js(SOURCES.jquery, function() {
var $window = $(window);
var $articleContent = $('.js-article-content');
var $tocRoot = $('.js-toc-root'), $col2 = $('.js-col-aside');
var toc;
var tocDisabled = false;
var hasSidebar = $('.js-page-root').hasClass('layout--page--sidebar');
var hasToc = $articleContent.find(TOC_SELECTOR).length > 0;
function disabled() {
return $col2.css('display') === 'none' || !hasToc;
}
tocDisabled = disabled();
toc = $tocRoot.toc({
selectors: TOC_SELECTOR,
container: $articleContent,
scrollTarget: hasSidebar ? '.js-page-main' : null,
scroller: hasSidebar ? '.js-page-main' : null,
disabled: tocDisabled
});
$window.on('resize', window.throttle(function() {
tocDisabled = disabled();
toc && toc.setOptions({
disabled: tocDisabled
});
}, 100));
});
})();
(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
var $window = $(window), $pageFooter = $('.js-page-footer');
var $pageAside = $('.js-page-aside');
var affix;
var tocDisabled = false;
var hasSidebar = $('.js-page-root').hasClass('layout--page--sidebar');
affix = $pageAside.affix({
offsetBottom: $pageFooter.outerHeight(),
scrollTarget: hasSidebar ? '.js-page-main' : null,
scroller: hasSidebar ? '.js-page-main' : null,
scroll: hasSidebar ? $('.js-page-main').children() : null,
disabled: tocDisabled
});
$window.on('resize', window.throttle(function() {
affix && affix.setOptions({
disabled: tocDisabled
});
}, 100));
window.pageAsideAffix = affix;
});
})();
</script><!---->
</div>
<script>(function () {
var $root = document.getElementsByClassName('root')[0];
if (window.hasEvent('touchstart')) {
$root.dataset.isTouch = true;
document.addEventListener('touchstart', function(){}, false);
}
})();
</script>
</body>
</html>