Date: 2025-10-23
Last Edited: 2025-10-23
This is almost identical to my previous instructions for setting up a website with cgit on Fedora 34, but updated for Fedora 42 (and without cgit).
The first thing to do is to copy over an ssh key and disable remote login with a password. Assuming you already have an ssh key, you can just run:
$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@[remote ip]
where [remote ip] is the IP address of the machine you want to host things on. After doing so, log onto the remote machine, edit /etc/ssh/sshd_config, and update the following line to
PasswordAuthentication no
and then restart sshd:
# systemctl restart sshd
Next, it's always a good idea to update everything on the remote machine:
# dnf update
Next, we need to install git, the web server, and a few supporting tools:
# dnf install git httpd vim rsync httpd-tools mod_ssl
By default, Fedora 42 uses firewalld to create a firewall. I prefer to use the simpler method of directly editing iptables, so I disabled firewalld:
# systemctl stop firewalld
# systemctl disable firewalld
# systemctl mask firewalld
Next, install iptables-services and activate it:
# yum install iptables-services
# systemctl enable iptables.service
# systemctl enable ip6tables.service
Next, I created the file rules.v4 to look like:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accept any packets which are associated with a connection
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Accept new tcp packets on ports 80 and 443 for the web interface on the local
# lan
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Accept new tcp packets on port 22 for SSH on the local lan
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Accept anything from localhost
-A INPUT -i lo -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
and the file rules.v6 to look like:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accept any packets which are associated with a connection
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
# Accept new tcp packets on ports 80 and 443 for the web interface on the local
# lan
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Accept new tcp packets on port 22 for SSH on the local lan
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Accept anything from localhost
-A INPUT -i lo -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
Now, we copy these rules to the correct location and load them:
# cp rules.v4 /etc/sysconfig/iptables
# cp rules.v6 /etc/sysconfig/ip6tables
# ip6tables-restore /etc/sysconfig/ip6tables
# iptables-restore /etc/sysconfig/iptables
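Before copying a ruleset into /etc/sysconfig, it is worth checking it mechanically. The following is an added example, not part of the original notes: a small POSIX shell linter for files in the rules.v4 / rules.v6 format above. The sample ruleset it writes is a constructed copy of the rules.v4 shown here, and the function names are my own.

```shell
# Added example, not part of the original notes: a linter for an
# iptables-restore file in the rules.v4 / rules.v6 format above. It checks
# that INPUT defaults to DROP, that every accepted --dport is expected, and
# counts NEW-connection rules with no -s source restriction (the comments
# say "local lan", but without -s a rule admits connections from anywhere).

# lint_rules FILE "PORT PORT ..." -> prints findings, returns 0 when clean
lint_rules() {
    file=$1 allowed=$2 rc=0
    # INPUT must default to DROP so anything not explicitly allowed is refused
    grep -q '^:INPUT DROP' "$file" || { echo "FAIL: INPUT policy is not DROP"; rc=1; }
    # Every accepted --dport must be one we expect to be reachable
    for p in $(sed -n 's/^-A INPUT .*--dport \([0-9]*\).*-j ACCEPT.*/\1/p' "$file"); do
        case " $allowed " in
            *" $p "*) ;;
            *) echo "FAIL: unexpected open port $p"; rc=1 ;;
        esac
    done
    # iptables-restore applies a table only when it is closed by COMMIT
    grep -q '^COMMIT' "$file" || { echo "FAIL: missing COMMIT"; rc=1; }
    return $rc
}

# count_unrestricted_new FILE -> how many NEW-state accept rules have no -s
count_unrestricted_new() {
    grep -- '--ctstate NEW' "$1" | grep -vc -- ' -s ' || true
}

# write_sample_rules FILE -> constructed sample: the rules.v4 from these notes
write_sample_rules() {
    cat >"$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

sample=$(mktemp)
write_sample_rules "$sample"
lint_rules "$sample" "22 80 443" && echo "rules.v4: OK"
echo "NEW rules reachable from any source: $(count_unrestricted_new "$sample")"
rm -f "$sample"
```

Run it against rules.v6 with the same port list; the three unrestricted NEW rules it reports are expected for a public web host, but if the box is meant to be reachable only from the LAN, add -s with your network to the port 22 rule.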
Next, enable and start the web server:
# systemctl enable httpd
# systemctl restart httpd
For the site itself, I created the file /etc/httpd/conf.d/webhost.example.com.conf with the following contents:
<VirtualHost *:80>
    ServerAdmin user@example.com
    ServerName www.example.com
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        AllowOverride All
    </Directory>
</VirtualHost>
Then, we install certbot and run it to obtain a certificate and configure Apache for it:
# dnf install python3-certbot-apache
# certbot-3 --apache
Finally, we add automatic renewal to root's crontab. Run
# crontab -e
and add the line:
0 * * * * certbot-3 renew