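1. "VBird's Private Kitchen (Server Setup Edition)" 30%

2. "Hackers & Painters" finished!

3. "Steve Jobs: A Biography" finished!

4. "Hacking Exposed: Web Application Security (3rd Edition)" 30%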


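For the record only.

Model: FiberHome HG221GS

The optical modem exposes a configuration page that can be accessed without authentication: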

http://192.168.1.1/cgi-bin/baseinfoSet.cgi


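It shows the passwords of the super-admin account telecomadmin and the regular account useradmin.

Decode the password with JS:

var s = "120&105&112********"; // value of TELECOMPASSWORD, masked here
var res = "";
var codes = s.split("&"); // the value is a list of decimal character codes joined by "&"
for (var i = 0; i < codes.length; i++) { res += String.fromCharCode(codes[i]); }
alert(res);

With the password recovered, log in to the modem using the super-admin account.

Remember to turn off DHCP, otherwise it conflicts with PPPoE, then disable the configuration sync update.

Go to Broadband Settings -> Network Connections -> Connection name: 2_INTERNET_R_VID_1045

Change the connection mode from routed to bridged.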


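Burp Collaborator is a new feature added in Burp Suite v1.6.15, and it is almost an entirely new approach to penetration testing. Burp Collaborator will gradually add support for blind XSS, SSRF, asynchronous code injection, and other vulnerability types that have not yet been classified.

This article mainly covers using Burp Collaborator to detect these kinds of vulnerabilities.

Concepts: in-band attack and out-of-band attack

First, two concepts. The core difference between in-band and out-of-band is whether a different communication channel is used.

When an attack uses only one channel, it is an in-band attack.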


When the same attack involves more than one channel, it is an out-of-band attack.


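The conventional web testing model

Put simply, in the conventional web testing model we send payloads to the target and then analyze the data the target returns.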


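This model is easy to set up and easy to understand, but it misses many bugs, for example:

§ "Super-blind" injection. "Blind SQL injection" refers to the case where a payload breaks the normal SQL query but the application's response contains no helpful error message. In some cases, however, a successful injection produces no visible difference at all in the target application's response: neither the returned content nor the response time changes. Injection into an asynchronous logging function is a typical example.

§ Cases that require stored data. Stored XSS, for example, can in theory be found by submitting payloads and then observing the responses. Other stored bugs are hard to find, such as stored (or second-order) SQL injection, where the data is first stored safely in the database and later read back and concatenated into a SQL statement. To find this kind of vulnerability with the conventional testing model, we would have to brute-force every combination of requests: send the first request, then send the second request, then observe the response.

§ We also miss vulnerabilities where a successful attack happens only inside the application and is invisible to the attacker. For example, a stored XSS attack that succeeds only when an administrator visits the admin page.

§ There are also many cases that involve internal systems interacting with external resources, such as SSRF and RFI vulnerabilities.

The web testing model with Burp Collaborator added

Burp Collaborator adds a new component to the traditional web testing model. Its functions are:

§ Capturing interactions between the target and external systems that are triggered by payloads sent from Burp

§ Returning to the attacker the data produced by the interaction between Burp Collaborator and the target

§ Reliably detecting many new types of vulnerability.

The Burp Collaborator module has the following characteristics:

§ The Burp Collaborator server normally runs on the public internet.

§ It uses its own dedicated domain name, and the server is registered as the authoritative DNS server for that domain.

§ It provides a DNS service that answers any DNS query sent to it.

§ It provides HTTP/HTTPS services, using a valid SSL certificate.

§ Other services, such as SMTP and FTP, can be added in the future.

Detecting external service interaction

External service interaction occurs when a payload submitted to the target application causes the target to exchange information with an external domain over some network protocol.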


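This behavior is sometimes called SSRF. We prefer to call it an "external service interaction" attack, because in these cases much of the behavior is triggered not only over HTTP but also over SMB, FTP and so on.

External service interaction can represent a serious vulnerability, because it can allow the application server to be used as a proxy to attack other servers. This includes third-party systems on the public internet, internal systems within the same organization, or services listening on the local machine. Depending on the network architecture, this can expose vulnerable internal systems to external attackers.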
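How the out-of-band model ties a recorded interaction back to the request that caused it, including one that arrives long after the response was returned, shown as an added Python example (not Burp's code and not part of the original article). The domain oob.example, the token format, the 60-second threshold and the interaction log are all constructed for illustration.

```python
import secrets

COLLAB_DOMAIN = "oob.example"   # assumption: stand-in for the collaborator's dedicated domain
DEFERRED_AFTER_S = 60           # assumption: later than this counts as asynchronous/stored


class Correlator:
    """Maps out-of-band interactions back to the request whose payload caused them."""

    def __init__(self, domain=COLLAB_DOMAIN):
        self.domain = domain
        self.probes = {}            # token -> (request description, send time)

    def new_probe(self, request, sent_at, token=None):
        """Register a payload and return the unique hostname to embed in it."""
        token = token or secrets.token_hex(8)
        self.probes[token] = (request, sent_at)
        return f"{token}.{self.domain}"

    def _token(self, host):
        host = host.lower().rstrip(".")
        suffix = "." + self.domain
        if not host.endswith(suffix):
            return None
        # The token is the label directly left of the domain; anything the
        # target prepended further left is ignored.
        return host[: -len(suffix)].split(".")[-1]

    def correlate(self, interactions):
        findings = []
        for it in interactions:
            probe = self.probes.get(self._token(it["host"]))
            if probe is None:
                continue            # unrelated lookup, e.g. internet background noise
            request, sent_at = probe
            findings.append({"request": request, "protocol": it["protocol"],
                             "source": it["source"], "delay_s": it["time"] - sent_at})
        return findings


def summarize(findings):
    """Per request: which protocols fired, and whether any arrived long after sending."""
    out = {}
    for f in findings:
        s = out.setdefault(f["request"], {"protocols": set(), "deferred": False})
        s["protocols"].add(f["protocol"])
        s["deferred"] = s["deferred"] or f["delay_s"] > DEFERRED_AFTER_S
    return out


def demo():
    c = Correlator()
    c.new_probe("POST /profile avatar_url", 1000.0, token="a1b2c3d4e5f60718")
    c.new_probe("POST /feedback comment", 1001.0, token="ffeeddccbbaa9988")
    # Constructed interaction log, as the DNS and HTTP services would record it.
    log = [
        {"protocol": "dns", "host": "a1b2c3d4e5f60718.oob.example.", "source": "203.0.113.10", "time": 1000.4},
        {"protocol": "http", "host": "a1b2c3d4e5f60718.oob.example", "source": "203.0.113.10", "time": 1000.9},
        {"protocol": "dns", "host": "www.oob.example", "source": "198.51.100.7", "time": 1002.0},
        {"protocol": "dns", "host": "x.ffeeddccbbaa9988.oob.example", "source": "203.0.113.10", "time": 4601.0},
    ]
    return summarize(c.correlate(log))


if __name__ == "__main__":
    for request, s in demo().items():
        print(request, sorted(s["protocols"]), "deferred" if s["deferred"] else "immediate")
```

A DNS-only result means the name was resolved but no connection followed, which is what egress filtering on the target side typically leaves behind.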


Debian 8.3 MATE download links
http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/
http://cdimage.debian.org/debian-cd/8.3.0-live/amd64/iso-hybrid/debian-live-8.3.0-amd64-mate-desktop.iso
http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-8.3.0-amd64-mate-desktop.iso
#Ubuntu Mate ISO http://cdimage.ubuntu.com/ubuntu-mate/releases/15.04/release/ubuntu-mate-15.04-desktop-amd64.iso

 

Installing msf on Debian # ruby2.3.1

apt-get install pptp-linux network-manager-pptp build-essential zlib1g zlib1g-dev libxml2 libxml2-dev libxslt-dev locate libreadline6-dev libcurl4-openssl-dev git-core libssl-dev libyaml-dev openssl autoconf libtool ncurses-dev bison curl wget postgresql postgresql-contrib libpq-dev libapr1 libaprutil1 libsvn1 libpcap-dev git-core postgresql curl nmap libsqlite3-dev default-jdk screen subversion -y   # required packages

Install Ruby with rvm

$ curl -sSL https://rvm.io/mpapis.asc | gpg --import -
$ \curl -sSL https://get.rvm.io | bash -s stable
# If the connection above fails, try:
$ curl -L https://raw.githubusercontent.com/wayneeseguin/rvm/master/binscripts/rvm-installer | bash -s stable
$ source /etc/profile.d/rvm.sh
rvm install ruby-2.3.1
#rvm install ruby-2.1.8
rvm use 2.3.1 --default
gem install bundler

 

apt-get install rubygems-integration rubygems
gem install wirble sqlite3 bundler
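### The errors below are all caused by unstable network connectivity inside China; going through a VPN resolves them ##
# For the error Unable to download data from https://rubygems.org/ - Errno::ECONNRESET: Connection reset by peer - SSL_connect, fix as follows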

wget https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/AddTrustExternalCARoot-2048.pem
gem which rubygems
/usr/lib/ruby/2.1.0/rubygems.rb
cp ~/Downloads/AddTrustExternalCARoot-2048.pem /usr/lib/ruby/2.1.0/rubygems/ssl_certs/
gem install wirble sqlite3 bundler

Troubleshooting:

# When downloading over https you may hit an SSL error; in that case: gem sources --remove https://rubygems.org; gem sources --add http://rubygems.org or bundle config mirror.https://rubygems.org https://ruby.taobao.org
head -1 /path/to/metasploit-framework/Gemfile
source 'http://rubygems.org'

 

Set up the PostgreSQL database and user

sudo -s
su postgres
createuser msf -P -S -R -D
Enter password for new role: ***
Enter it again: ***
createdb -O msf msf
exit

cd /opt/; git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework/
bundle install
bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'
nano /opt/metasploit-framework/config/database.yml

production:
  adapter: postgresql
  database: msf
  username: msf
  password: msf
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5


sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> /etc/profile"
### sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> ~/.bashrc"
source /etc/profile
Install a Chinese input method
apt-get install ibus ibus-googlepinyin ibus-sunpinyin

 

Install Armitage

curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz
tar -xvzf /tmp/armitage.tgz -C /opt
ln -s /opt/armitage/armitage /usr/local/bin/armitage
ln -s /opt/armitage/teamserver /usr/local/bin/armitage_teamserver
sh -c "echo java -jar /opt/armitage/armitage.jar \$\* > /opt/armitage/armitage"
perl -pi -e 's/armitage.jar/\/opt\/armitage\/armitage.jar/g' /opt/armitage/teamserver

Install CobaltStrike
Use a US proxy to obtain cobaltstrike

firefox https://www.cobaltstrike.com/download
tar -xvzf /tmp/cobaltstrike.tgz -C /opt
ln -s /opt/cobaltstrike/cobaltstrike /usr/local/bin/cobaltstrike
ln -s /opt/cobaltstrike/teamserver /usr/local/bin/cobaltstrike_teamserver
sh -c "echo java -jar /opt/cobaltstrike/cobaltstrike.jar \$\* > /opt/cobaltstrike/cobaltstrike"
#perl -pi -e 's/cobaltstrike.jar/\/opt\/cobaltstrike\/cobaltstrike.jar/g' /opt/cobaltstrike/teamserver

Install SQLMap

cd /usr/share/; git clone https://github.com/sqlmapproject/sqlmap.git
ln -s /usr/share/sqlmap/sqlmap.py /usr/bin/sqlmap

Install Bettercap

apt-get install build-essential ruby-dev libpcap-dev
gem install bettercap
gem update bettercap

Install DNSEnum

DNSenum http://dnsenum.googlecode.com/files/dnsenum1.2.tar.gz
git clone https://github.com/fwaeytens/dnsenum.git
cd dnsenum/
Install missing modules: cpan XXX::xxx

Install fierce

$ cd /usr/share
$ svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/
$ cd fierce2/
$ perl Makefile.PL
$ make
$ make test
$ make install
$ ln -s /usr/local/bin/fierce /usr/share/fierce2/fierce
$ mkdir -p /pentest/enumeration/fierce/
$ ln -s /usr/local/bin/fierce /pentest/enumeration/fierce/fierce

cpan Net::DNS # install the missing library
cpan Net::DNS::Resolver # seems to fix the error: improperly terminated AXFR at D:\tools\fierce-0.9.9\fierce.pl line 228.

Install WPScan

Installing on Debian:
sudo apt-get install git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev
cd /usr/share/; git clone https://github.com/wpscanteam/wpscan.git
cd wpscan

gem install bundler && bundle install --without test --path vendor/bundle
alias wpscan='ruby /usr/share/wpscan/wpscan.rb --enumerate u --enumerate p --enumerate t --url '

Or, after installing Docker, use the Docker image of wpscan

docker pull wpscanteam/wpscan
docker run --rm wpscanteam/wpscan -u http://yourblog.com [options]

 

Install PPTP VPN support

apt-get install network-manager-openvpn network-manager-pptp network-manager-pptp-gnome network-manager-vpnc
service network-manager restart

 

 

Install GuardScan

wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py
pip install tornado
# install an lnmp stack
apt-get install screen
screen -S lnmp
wget -c http://soft.vpser.net/lnmp/lnmp1.2-full.tar.gz && tar zxf lnmp1.2-full.tar.gz && cd lnmp1.2-full && ./install.sh lnmp
#wget -c http://soft.vpser.net/lnmp/lnmp1.3beta-full.tar.gz && tar zxf lnmp1.3beta-full.tar.gz && cd lnmp1.3beta-full && ./install.sh lnmp

 

mysql

create database pscan;
use pscan;
source pscan.sql
CREATE USER 'pscan'@'%' IDENTIFIED BY 'RFwPauXUhF4sWtSq';GRANT USAGE ON *.* TO 'pscan'@'%' IDENTIFIED BY '***' REQUIRE NONE WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;GRANT ALL PRIVILEGES ON `pscan`.* TO 'pscan'@'%';

Edit the database settings in conn.php
Edit ./proxy/isqlmap.py
self.webserver="http://localhost:88/"
Change this to your own host address and port.
Edit ./proxy/task.py
def update():
    url="http://localhost:88/api.php?type=sqlmap_update"
    urllib2.urlopen(url).read()
def api_get():
    url="http://localhost:88/api.php?type=api_get"
    data=urllib2.urlopen(url).read()
Change these to your host address.


Configuration
Open http://localhost:88/config.php and add a sqlmapapi node to the list
The format is
http://127.0.0.1:8775 (without a trailing /)
Set a proxy in the browser and add an HTTP header
User-Hash: youhash


Usage
First start sqlmapapi and add at least one node in config
cd proxy/
python proxy_io.py 8080&
python task.py&
Then set the browser proxy to
http 127.0.0.1 8080
After making a batch of requests, open
http://localhost:88/config.php

 

For the record only. Heh, tool junkie.

WebSocket chat; XMPP is not supported

 

Install Debian Jessie (x64)


1. Set up 3 machines with Debian Jessie with 2GB of RAM or more. The servers will be used for the Load Balancer, Mattermost (this must be x64 to use pre-built binaries), and Database.
2. This can also be set up all on a single server for small teams:
• I have a Mattermost instance running on a single Debian Jessie server with 1GB of ram and 30 GB SSD
• This has been working in production for ~20 users without issue.
• The only difference in the below instructions for this method is to do everything on the same server
• Make sure the system is up to date with the most recent security patches.
• sudo apt-get update
• sudo apt-get upgrade

Set up Database Server


1. For the purposes of this guide we will assume this server has an IP address of 10.10.10.1
2. Install PostgreSQL 9.3+ (or MySQL 5.6+)
• sudo apt-get install postgresql postgresql-contrib
• PostgreSQL created a user account called postgres. You will need to log into that account with:
• sudo -i -u postgres
• You can get a PostgreSQL prompt by typing:
• psql
• Create the Mattermost database by typing:
• postgres=# CREATE DATABASE mattermost;
• Create the Mattermost user by typing:
• postgres=# CREATE USER mmuser WITH PASSWORD 'mmuser_password';
• Grant the user access to the Mattermost database by typing:
• postgres=# GRANT ALL PRIVILEGES ON DATABASE mattermost to mmuser;
• You can exit out of PostgreSQL by typing:
• postgres=# \q
• You can exit the postgres account by typing:
• exit
• Allow Postgres to listen on all assigned IP Addresses
• sudo vi /etc/postgresql/9.3/main/postgresql.conf
• Uncomment 'listen_addresses' and change 'localhost' to '*'
• Alter pg_hba.conf to allow the mattermost server to talk to the postgres database
• sudo vi /etc/postgresql/9.3/main/pg_hba.conf
• Add the following line to the 'IPv4 local connections'
• host all all 10.10.10.2/32 md5
• Reload Postgres database
• sudo /etc/init.d/postgresql reload
• Attempt to connect with the newly created user to verify everything looks good
• psql --host=10.10.10.1 --dbname=mattermost --username=mmuser --password
• mattermost=> \q

Set up Mattermost Server


1. For the purposes of this guide we will assume this server has an IP address of 10.10.10.1
2. Download the latest Mattermost Server by typing:
• wget https://github.com/mattermost/platform/releases/download/vX.X.X/mattermost.tar.gz
• Where vX.X.X is the latest Mattermost release version. For example, v2.0.0
• Install Mattermost under /opt
• Unzip the Mattermost Server by typing:
• tar -xvzf mattermost.tar.gz
• sudo mv mattermost /opt
• Create the storage directory for files. We assume you will have attached a large drive for storage of images and files. For this setup we will assume the directory is located at /opt/mattermost/data.
• Create the directory by typing:
• sudo mkdir -p /opt/mattermost/data
• Create a system user and group called mattermost that will run this service
• sudo useradd -r mattermost -U
• Set the mattermost account as the directory owner by typing:
• sudo chown -R mattermost:mattermost /opt/mattermost
• sudo chmod -R g+w /opt/mattermost
• Add yourself to the mattermost group to ensure you can edit these files:
• sudo usermod -aG mattermost USERNAME
• Configure Mattermost Server by editing the config.json file at /opt/mattermost/config
• cd /opt/mattermost/config
• Edit the file by typing:
• vi config.json
• replace "DriverName": "mysql" with "DriverName": "postgres"
• replace "DataSource": "mmuser:[email protected](dockerhost:3306)/mattermost_test?charset=utf8mb4,utf8" with "DataSource": "postgres://mmuser:[email protected]:5432/mattermost?sslmode=disable&connect_timeout=10"
• Assuming a default IP address of 10.10.10.1
• Optionally you may continue to edit configuration settings in config.json or use the System Console described in a later section to finish the configuration.
• Test the Mattermost Server
• cd /opt/mattermost/bin
• Run the Mattermost Server by typing:
• ./platform
• You should see a console log like Server is listening on :8065 letting you know the service is running.
• Stop the server for now by typing ctrl-c
• Setup Mattermost to use the systemd init daemon which handles supervision of the Mattermost process
• sudo touch /etc/init.d/mattermost
• sudo vi /etc/init.d/mattermost
• Copy the following lines into /etc/init.d/mattermost


#! /bin/sh
### BEGIN INIT INFO
# Provides: mattermost
# Required-Start: $network $syslog
# Required-Stop: $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Mattermost Group Chat
# Description: Mattermost: An open-source Slack
### END INIT INFO

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="Mattermost"
NAME=mattermost
MATTERMOST_ROOT=/opt/mattermost
MATTERMOST_GROUP=mattermost
MATTERMOST_USER=mattermost
DAEMON="$MATTERMOST_ROOT/bin/platform"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

. /lib/lsb/init-functions

do_start() {
    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    start-stop-daemon --start --quiet \
        --chuid $MATTERMOST_USER:$MATTERMOST_GROUP --chdir $MATTERMOST_ROOT --background \
        --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
        || return 1
    start-stop-daemon --start --quiet \
        --chuid $MATTERMOST_USER:$MATTERMOST_GROUP --chdir $MATTERMOST_ROOT --background \
        --make-pidfile --pidfile $PIDFILE --exec $DAEMON \
        || return 2
}

#
# Function that stops the daemon/service
#
do_stop() {
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
        --pidfile $PIDFILE --exec $DAEMON
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    # Wait for children to finish too if this is a daemon that forks
    # and if the daemon is only ever run from this initscript.
    # If the above conditions are not satisfied then add some other code
    # that waits for the process to drop all resources that could be
    # needed by services started subsequently. A last resort is to
    # sleep for some time.
    start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 \
        --exec $DAEMON
    [ "$?" = 2 ] && return 2
    # Many daemons don't delete their pidfiles when they exit.
    rm -f $PIDFILE
    return "$RETVAL"
}

case "$1" in
    start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_start
        case "$?" in
            0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
            2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
    stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        case "$?" in
            0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
            2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
    status)
        status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
        ;;
    restart|force-reload)
        #
        # If the "reload" option is implemented then remove the
        # 'force-reload' alias
        #
        log_daemon_msg "Restarting $DESC" "$NAME"
        do_stop
        case "$?" in
            0|1)
                do_start
                case "$?" in
                    0) log_end_msg 0 ;;
                    1) log_end_msg 1 ;; # Old process is still running
                    *) log_end_msg 1 ;; # Failed to start
                esac
                ;;
            *)
                # Failed to stop
                log_end_msg 1
                ;;
        esac
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
        exit 3
        ;;
esac
exit 0


• Make sure that /etc/init.d/mattermost is executable
• sudo chmod +x /etc/init.d/mattermost
• On reboot, systemd will generate a unit file from the headers in this init script and install it in /run/systemd/generator.late/
Note: This setup can also be done using a systemd unit, usable for non-Debian systems, such as Arch Linux. The unit file is as follows:
# cat /etc/systemd/system/mattermost.service


[Unit]
Description=Mattermost
After=network.target
[Service]
User=mattermost
ExecStart=/home/mattermost/mattermost/bin/platform
WorkingDirectory=/home/mattermost/mattermost
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target

# systemctl start mattermost
# systemctl enable mattermost

Set up Nginx Server


1. For the purposes of this guide we will assume this server has an IP address of 10.10.10.3
2. We use Nginx for proxying request to the Mattermost Server. The main benefits are:
• SSL termination
• http to https redirect
• Port mapping :80 to :8065
• Standard request logs
• Install Nginx on Debian with
• sudo apt-get install nginx
• Verify Nginx is running
• curl http://10.10.10.3
• You should see a Welcome to nginx! page
• You can manage Nginx with the following commands
• sudo service nginx stop
• sudo service nginx start
• sudo service nginx restart
• Map a FQDN (fully qualified domain name) like mattermost.example.com to point to the Nginx server.
• Configure Nginx to proxy connections from the internet to the Mattermost Server
• Create a configuration for Mattermost
• sudo touch /etc/nginx/sites-available/mattermost
• Below is a sample configuration with the minimum settings required to configure Mattermost


server {
    server_name mattermost.example.com;
    location / {
        client_max_body_size 50M;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_pass http://10.10.10.2:8065;
    }
}


• Remove the existing file with
• sudo rm /etc/nginx/sites-enabled/default
• Link the mattermost config by typing:
• sudo ln -s /etc/nginx/sites-available/mattermost /etc/nginx/sites-enabled/mattermost
• Restart Nginx by typing:
• sudo service nginx restart
• Verify you can see Mattermost thru the proxy by typing:
• curl http://localhost
• You should see a page titled Mattermost - Signup

Set up Nginx with SSL (Recommended)


1. You can use a free and open certificate authority such as Let's Encrypt; this is how to proceed:
• sudo apt-get install git
• git clone https://github.com/letsencrypt/letsencrypt
• cd letsencrypt
• Make sure port 80 is not in use by stopping nginx
• sudo service nginx stop
• netstat -na | grep ':80.*LISTEN'
• ./letsencrypt-auto certonly --standalone
• This command will download packages and run the instance, after that you will have to give your domain name
• You can find your certificate in /etc/letsencrypt/live
• Modify the file at /etc/nginx/sites-available/mattermost and add the following lines:


server {
    listen 80;
    server_name mattermost.example.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name mattermost.example.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/yourdomainname/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomainname/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    location / {
        gzip off;
        proxy_set_header X-Forwarded-Ssl on;
        client_max_body_size 50M;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_pass http://10.10.10.2:8065;
    }
}


• Be sure to restart nginx
• sudo service nginx start
• Add the following line to cron so the cert will renew every month
• crontab -e
• @monthly /home/YOURUSERNAME/letsencrypt/letsencrypt-auto certonly --reinstall -d yourdomainname && sudo service nginx reload
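
A check for the HTTPS server block above, as an added Python example (not part of the Mattermost guide): it flags the obsolete "ssl on;" directive, the deprecated TLSv1/TLSv1.1 entries in ssl_protocols, and X-Frame-Options set through proxy_set_header, which sends the header to the upstream at 10.10.10.2 instead of to the browser. PAGE_CONF is trimmed from the configuration above; HARDENED_CONF, the function names and the header list are assumptions made for illustration, and TLSv1.3 needs a current nginx/OpenSSL build.

```python
import re

DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # TLS 1.0/1.1: RFC 8996
RESPONSE_HEADERS = {"x-frame-options", "strict-transport-security",
                    "content-security-policy", "x-content-type-options"}

# Trimmed from the HTTPS server block above.
PAGE_CONF = """
server {
    listen 443 ssl;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_pass http://10.10.10.2:8065;
    }
}
"""

# Assumption: one possible corrected form, not taken from the guide.
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header X-Frame-Options SAMEORIGIN;
    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://10.10.10.2:8065;
    }
}
"""


def directives(conf):
    """Yield (context, name, args) per directive. Quoted ';', '#', '{' are not handled."""
    conf = re.sub(r"#[^\n]*", "", conf)                  # strip comments
    stack = []
    for tok in re.findall(r"[^;{}]+[;{]|}", conf):
        words = tok[:-1].split()
        if tok == "}":
            if stack:
                stack.pop()
        elif tok.endswith("{") and words:
            stack.append(words[0])                       # server, location, ...
        elif words:
            yield "/".join(stack), words[0], [w.strip("'\"") for w in words[1:]]


def audit(conf):
    findings = []
    for ctx, name, args in directives(conf):
        if name == "ssl_protocols" and DEPRECATED_TLS.intersection(args):
            weak = " ".join(sorted(DEPRECATED_TLS.intersection(args)))
            findings.append((ctx, name, "deprecated protocol(s) enabled: " + weak))
        elif name == "ssl" and args == ["on"]:
            findings.append((ctx, name, "obsolete; use the ssl parameter of listen"))
        elif name == "proxy_set_header" and args and args[0].lower() in RESPONSE_HEADERS:
            findings.append((ctx, name, args[0] + " is a response header: proxy_set_header "
                             "sends it upstream, browsers never see it; use add_header"))
    return findings


if __name__ == "__main__":
    for ctx, name, msg in audit(PAGE_CONF):
        print(f"[{ctx}] {name}: {msg}")
```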

Finish Mattermost Server setup


1. Navigate to https://mattermost.example.com and create a team and user.
2. The first user in the system is automatically granted the system_admin role, which gives you access to the System Console.
3. From the town-square channel click the dropdown and choose the System Console option
4. Update Email Settings. We recommend using an email sending service. The example below assumes AmazonSES.
• Set Send Email Notifications to true
• Set Require Email Verification to true
• Set Feedback Name to No-Reply
• Set Feedback Email to [email protected]
• Set SMTP Username to AFIADTOVDKDLGERR
• Set SMTP Password to DFKJoiweklsjdflkjOIGHLSDFJewiskdjf
• Set SMTP Server to email-smtp.us-east-1.amazonaws.com
• Set SMTP Port to 465
• Set Connection Security to TLS
• Save the Settings
• Update File Settings
• Change Local Directory Location from ./data/ to /mattermost/data
• Update Log Settings.
• Set Log to The Console to false
• Update Rate Limit Settings.
• Set Vary By Remote Address to false
• Set Vary By HTTP Header to X-Real-IP
• Feel free to modify other settings.
• Restart the Mattermost Service by typing:
• sudo restart mattermost

http://docs.mattermost.com/install/prod-debian.html