SQL-Ledger Extras

Greater security and significant tips

revised: 27-Apr-2023

The risk of an Internet hack is steadily increasing. Tips 1 to 7 below make the ledger more secure and are highly recommended.

Tip#01: Password for user: sql-ledger
Set a strong password for the user sql-ledger during the setup of SQL-Ledger (via Webmin -> PostgreSQL -> Users). Once this is done, the creation of any dataset via admin.pl will require that password (use alphanumeric characters only, no special characters). Should one wish to set this user password later, all earlier datasets need to be backed up and then restored after the password has been put in place.

Tip#02 - Simplifying ledger access to a server with a sub-domain
Note: Most modern browsers now require SSL links to have a domain, by which one can at least get a certificate via Let's Encrypt (recommended), and thus the note below is not recommended.

It is possible to create in the domain's DNS settings a new 'A' record for the ledger, e.g. ledger.myexample.com, pointing to the IP address associated with this site. One can simplify access on each computer to the server via its IP address alone. Once that record is established, create in Apache2 a new virtual host associated with this new sub-domain. Then include this sub-domain in the creation of the Let's Encrypt certificate.

Tip#03 - Replace the default webpage.

As the Apache default webpage gives information about one's system, it is best to hide that information and simplify the page as follows:

Via PuTTY, log on to the server with a regular, sudo-enabled user (e.g. sammy) and enter the following commands:

sammy@imega:$ sudo rm /var/www/html/index.html
sammy@imega:$ sudo nano /var/www/html/index.html

In the index.html file, write/paste in the following:

<html> It works!</html>

Then Ctrl+s to save, Ctrl+x to exit and, via Webmin, restart the webserver.

Tip#04 - Activating SSL for encrypted transfer of information:

Via PuTTY, log on to the server with a regular, sudo-enabled user (e.g. sammy) and enter the following commands for the Apache webserver:

Note: The use of self-signed certificates is no longer acceptable to most modern browsers and is thus not recommended.

sammy@imega:$ sudo a2enmod ssl
sammy@imega:$ sudo systemctl restart apache2
sammy@imega:$ sudo openssl genrsa -out ca.key 2048   # generate a private key (ca.key)
sammy@imega:$ sudo openssl req -nodes -new -key ca.key -out ca.csr   # generate a certificate signing request
sammy@imega:$ sudo openssl x509 -req -days 999 -in ca.csr -signkey ca.key -out ca.crt   # generate a self-signed certificate
sammy@imega:$ sudo mkdir /etc/apache2/ssl   # create a directory to hold the certificate
sammy@imega:$ sudo cp ca.crt ca.key ca.csr /etc/apache2/ssl/   # copy the files to the "/etc/apache2/ssl" directory

The above command sequence will have created a self-signed certificate and placed the files in a directory.

To check the expiry date of this certificate:
sammy@imega:$ sudo openssl x509 -noout -dates -in /etc/apache2/ssl/ca.crt

Now set the Apache webserver to use SSL by modifying the default webpage configuration:

Open Webmin and go to [Servers]->[Apache Webserver]. Create a new virtual host with these settings: Port: enter the number 443 and activate the button on its left-hand side. For document root, enter: /var/www/html and save.

Go to this host's "Edit Directives" and replace all the text therein, by copy and paste, with these settings.
Click on 'Save and close' then, in the top right-hand corner, click on the 'Apply changes' button.
In the browser, enter: https://[IP-address] and a warning should pop up: 'Connection is Untrusted' - choose 'I understand the risks'. Often one has to click the 'Refresh' button on the browser to finally enter the site.
Reference: Make Tech Easier - SSL

Tip#05 - Allow only SSL Access:
Users are to have only SSL (https) access to the server.

Similar to the last part of Tip#3, open Webmin and go to [Servers]->[Apache Webserver], open the virtual host for port 80, then open "Edit Directives" and add the following line after the directive 'DocumentRoot /var/www/html':
Redirect 301 / https://ledger.myexample.com

Tip#06 - Activating .htaccess Authentication:
Assumption: SQL-ledger has the first dataset created and Tip#03 has been implemented.
Via PuTTY, log on to the server with a regular, sudo-enabled user (e.g. sammy) and enter the following commands:
sammy@imega:$ sudo htpasswd -c /usr/local/.htpasswd sammy
Note:
a. For the second and subsequent users, remove the '-c': it creates the password file and would overwrite an existing one.
b. To reset a password, first delete the user's entry (the example below deletes sammy's password), then set a new one with the above command:
sammy@imega:$ sudo htpasswd -D /usr/local/.htpasswd sammy

Open Webmin and go to [Servers]->[Apache Webserver]->[Virtual host-Port:443]->[Edit Directives]. Add these extra lines at the bottom and restart the webserver. Now a pop-up will appear when entering the application (e.g. https://ledger.myexample.com), requesting a username and its password.

Reference: DigitalOcean how-to-set-up-password-authentication-with-apache-on-ubuntu-14-04

Tip#07: Hide the Apache Webserver Banner

For any misdirected request to the website, the Apache webserver returns an error message plus information about the server. Turn off this information banner in Webmin: go to [Servers]->[Apache Webserver]->[Global Configuration]->[Edit Config files] then, at the bottom of the file [/etc/apache2/apache2.conf], add these two lines, save, and restart the server:
ServerTokens Prod
ServerSignature Off
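
To confirm that Tip#05 and Tip#07 are actually in effect, the two configuration files can be audited directly. The script below is an added example, not part of the original page; the function names, the file paths passed in and the sample configs are assumptions, and it assumes the port-80 virtual host is kept in its own file.

```shell
#!/bin/sh
# Added example: audit the settings from Tip#05 and Tip#07.
# File paths are parameters; the sample configs in demo() are constructed.

# Print the arguments of the last uncommented occurrence of a directive.
# The directive name is matched case-insensitively, as Apache does.
last_value() {  # usage: last_value FILE DIRECTIVE
    awk -v want="$2" '
        /^[ \t]*#/ { next }                   # skip comment lines
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); val = $0
        }
        END { print val }
    ' "$1"
}

# Return 0 only if the banner is hidden (global config) and port 80
# redirects permanently to https (port-80 virtual host config).
audit_apache() {  # usage: audit_apache GLOBAL_CONF VHOST80_CONF
    rc=0
    tokens=$(last_value "$1" ServerTokens | tr '[:upper:]' '[:lower:]')
    sig=$(last_value "$1" ServerSignature | tr '[:upper:]' '[:lower:]')
    redir=$(last_value "$2" Redirect)
    [ "$tokens" = "prod" ] || { echo "FAIL: ServerTokens '${tokens:-unset}'"; rc=1; }
    [ "$sig" = "off" ] || { echo "FAIL: ServerSignature '${sig:-unset}'"; rc=1; }
    case "$redir" in
        "301 / https://"* | "permanent / https://"*) ;;
        *) echo "FAIL: port 80 does not redirect / to https"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: a commented-out "ServerTokens Prod" must not count,
# and a later "ServerSignature On" overrides an earlier "Off".
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# ServerTokens Prod' 'ServerSignature Off' \
        'ServerSignature On' > "$d/bad.conf"
    printf '%s\n' 'ServerTokens Prod' 'ServerSignature Off' > "$d/good.conf"
    printf '%s\n' '<VirtualHost *:80>' 'DocumentRoot /var/www/html' \
        'Redirect 301 / https://ledger.myexample.com' '</VirtualHost>' > "$d/vhost80.conf"
    audit_apache "$d/bad.conf" "$d/vhost80.conf" || echo "bad.conf: needs fixing"
    audit_apache "$d/good.conf" "$d/vhost80.conf" && echo "good.conf: OK"
    rm -rf "$d"
}

demo
```

On a live server, pass /etc/apache2/apache2.conf as the first argument and the file holding the port-80 virtual host as the second.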

Tip#08: SQL-ledger v2.8.33

The setup for SQL-ledger 3.2.9 can also be used should one wish to install the simpler version (SQL-ledger v2.8.33)**. The main difference in version 2 is that all users are set in admin.pl.
** Enhanced version by Armaghan Saqib (ledger123: an enhanced SQL-ledger)
It is the humble opinion of the writer that the earlier version (SQL-ledger v2.8.33) as described herein is more suitable for small enterprises, like a bookstore.

The SQL-ledger v2.8.33 (Enhanced) can be downloaded (4Mb) HERE

Tip#09: SQL-Ledger with Nginx Webserver

Based on this source: SQL-Ledger on Nginx, but updated below.

The setup is very similar to the one for Apache2 described on the earlier page. Its steps are referred to here: Ledger-Home, and it is assumed that one has done the following:

  1. Step01: all the dependencies installed, but replacing 'apache2' with 'Nginx' - see Step03 Basic Site - Part B - Step03 to activate the Nginx module for Webmin
  2. Step02: PostgreSQL Server with user: sql-ledger set up
  3. Step03: Enhance Nginx with fcgiwrap: sudo apt-get install fcgiwrap

Step04: Upload SQL-ledger and install it

a. Via the Setup Programme
Run the following commands and, if successful, jump to Step05:

sammy@imega:$ sudo mkdir /usr/share/nginx/www
sammy@imega:$ sudo mkdir /usr/share/nginx/www/sql-ledger
sammy@imega:$ cd /usr/share/nginx/www/sql-ledger
sammy@imega:/usr.../sql-ledger$ sudo wget https://sql-ledger.com/source/setup.pl
sammy@imega:/usr.../sql-ledger$ sudo perl setup.pl   # select 'i' to install and, when it reads: /sql-ledger-httpd.conf, use Ctrl-c to exit
sammy@imega:/usr.../sql-ledger$ ls -ls   # verify that the files have been installed
sammy@imega:/usr.../sql-ledger$ sudo chown -hR www-data:www-data users templates css spool doc
sammy@imega:/usr.../sql-ledger$ sudo chmod -R 775 users templates css spool doc
Note: SQL-ledger can always be upgraded using the above setup.pl application, always run from within the sql-ledger directory.

b. Manual Install

The SQL-ledger v3.2.12 can be downloaded (4Mb) HERE

a. Using FTP (Filezilla), upload the enhanced SQL-ledger application (~4Mb) to the home directory of your regular user (e.g. sammy).

b. Using PuTTY, log on as your regular user (e.g. sammy) and move the SQL-ledger application to the /usr/share/nginx/www directory, then go to that directory:

sammy@imega:$ sudo mkdir /usr/share/nginx/www/
sammy@imega:$ sudo mv sql-ledger-3.2.12.tar.gz /usr/share/nginx/www/
sammy@imega:$ cd /usr/share/nginx/www/
sammy@imega:/usr.../www$ ls -ls   # list the files therein

Decompress the tar file and, after entering the sql-ledger sub-directory, create the spool directory and assign ownership of the spool, users, css and templates directories. Finally give write permissions to the sql-ledger sub-directories:

sammy@imega:/usr.../www$ sudo tar xzvf sql-ledger-3.2.12.tar.gz
sammy@imega:/usr.../www$ cd sql-ledger
sammy@imega:/usr.../www/sql-ledger$ sudo chown -hR www-data:www-data users templates css spool doc
sammy@imega:/usr.../www/sql-ledger$ touch users/members.default
sammy@imega:/usr.../www/sql-ledger$ sudo cp sql-ledger.conf.default sql-ledger.conf
sammy@imega:/usr.../www/sql-ledger$ sudo chmod -R 775 users templates css spool doc
Note: Edit sql-ledger.conf and change the parameter $divpdf=1; to $divpdf=0; so as to enable the rendering of .pdf files.

Step05: Adapting SQL-ledger to Nginx Webserver

a. To establish the link, do the following:

Via Webmin->Servers->Nginx Webserver->Create Virtual host, create a virtual host named with your domain (e.g. example2.com) and place this text in it, substituting the domain accordingly: nginx-example2.txt

sammy@imega:$ sudo systemctl restart nginx   # restart Nginx
sammy@imega:$ sudo systemctl start fcgiwrap

To check that these services are running, replace 'start' with 'status' - Ctrl-c to exit.
Note - Final Step: Return to Ledger-Home - Step06 to complete the setup.