Registry

TLD management software

From GitHub

TLD Management Software

Domain Registry

Full stack top-level domain (TLD) management.

• Documentation
• Installation
• Deployment
• Autotesting

Documentation

• EPP documentation
• EPP request-response examples
• REPP documentation

Installation

Registry app

Registry based on Rails 4 installation (rbenv install is under Debian build doc)

Manual demo install and database setup:

cd /home/registry
git clone [email protected]:internetee/registry.git demo-registry
cd demo-registry
rbenv local 2.2.2
bundle
cp config/application.yml.sample config/application.yml # and edit it
cp config/database.yml.sample config/database.yml # and edit it
bundle exec rake db:setup:all # for production, please follow deployment howto
bundle exec rake bootstrap
bundle exec rake assets:precompile

Apache (Debian 7/Ubuntu 14.04 LTS)

sudo apt-get install apache2

Enable ssl:

sudo a2enmod proxy_http
sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
sudo a2enmod ssl
sudo nano /etc/apache2/sites-enabled/epp_ssl.conf

For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-enabled/registry.conf short example:

<VirtualHost *:443>
  ServerName your-domain
  ServerAdmin [email protected]

  PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
  PassengerRuby /home/registry/.rbenv/shims/ruby
  PassengerEnabled on
  PassengerMinInstances 10
  PassengerMaxPoolSize 10
  PassengerPoolIdleTime 0
  PassengerMaxRequests 1000

  RailsEnv production # or staging
  DocumentRoot /home/registry/registry/current/public

  # Possible values include: debug, info, notice, warn, error, crit,
  LogLevel info
  ErrorLog /var/log/apache2/registry.error.log
  CustomLog /var/log/apache2/registry.access.log combined

  SSLEngine On
  SSLCertificateFile    /etc/ssl/certs/your.crt
  SSLCertificateKeyFile /etc/ssl/private/your.key
  SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem
  SSLCACertificateFile /etc/ssl/certs/ca.pem

  SSLProtocol -all +TLSv1.2
  SSLHonorCipherOrder On
  SSLCompression off
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

  RewriteEnginriteEngine on
  RedirectMatch ^/$ /admin
  RedirectMatch ^/login$ /admin/login

  <Directory /app/registry/registry/current/public>
      # for Apache older than version 2.4
      Allow from all

      # for Apache verison 2.4 or newer
      # Require all granted
      Options -MultiViews
  </Directory>

  <Location />
      Allow from none
      Deny from all
  </Location>

  <Location /admin>
      Allow from all
  </Location>

  <Location /assets>
      Allow from all
  </Location>
</VirtualHost>

Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follows:
```

ServerName your-registrar-domain
ServerAdmin [email protected]

PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
PassengerRuby /home/registry/.rbenv/shims/ruby
PassengerEnabled on
PassengerMinInstances 10
PassengerMaxPoolSize 10
PassengerPoolIdleTime 0
PassengerMaxRequests 1000

RailsEnv production # or staging
DocumentRoot /home/registry/registrar/current/public

# Possible values include: debug, info, notice, warn, error, crit,
LogLevel info
ErrorLog /var/log/apache2/registrar.error.log
CustomLog /var/log/apache2/registrar.access.log combined

SSLEngine On
SSLCertificateFile /etc/ssl/certs/your.crt
SSLCertificateKeyFile /etc/ssl/private/your.key
SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem
SSLCACertificateFile /etc/ssl/certs/ca.pem

SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder On
SSLCompression off
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

RewriteEngine on
RedirectMatch ^/$ /registrar
RedirectMatch ^/login$ /registrar/login

# for Apache older than version 2.4
Allow from all

  # for Apache verison 2.4 or newer
  # Require all granted

  Options -MultiViews

Allow from none
Deny from all

Allow from all

Allow from all

SSLVerifyClient none
SSLVerifyDepth 1
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
SSLCARevocationPath /home/registry/registry/shared/ca/crl
# Uncomment in Apache 2.4
# SSLCARevocationCheck chain

RequestHeader set SSL_CLIENT_S_DN_CN ""
RequestHeader set SSL_CLIENT_CERT ""

SSLVerifyClient require
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

SSLVerifyClient require
Options Indexes FollowSymLinks MultiViews
SSLVerifyDepth 2
SSLOptions +StdEnvVars +ExportCertData


```

Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as follows:
```

ServerName your-registrant-domain
ServerAdmin [email protected]

PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
PassengerRuby /home/registry/.rbenv/shims/ruby
PassengerEnabled on
PassengerMinInstances 10
PassengerMaxPoolSize 10
PassengerPoolIdleTime 0
PassengerMaxRequests 1000

RailsEnv production # or staging
DocumentRoot /home/registry/registrant/current/public

# Possible values include: debug, info, notice, warn, error, crit,
LogLevel info
ErrorLog /var/log/apache2/registrant.error.log
CustomLog /var/log/apache2/registrant.access.log combined

SSLEngine On
SSLCertificateFile    /etc/ssl/certs/your.crt
SSLCertificateKeyFile /etc/ssl/private/your.key
SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem
SSLCACertificateFile /etc/ssl/certs/ca.pem

SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder On
SSLCompression off
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

RewriteEngine on
RedirectMatch ^/$ /registrant
RedirectMatch ^/login$ /registrant/login

<Directory /app/registry/registrant/current/public>
    # for Apache older than version 2.4
    Allow from all

    # for Apache verison 2.4 or newer
    # Require all granted

    Options -MultiViews
</Directory>

<Location />
    Allow from none
    Deny from all
</Location>

<Location /registrant>
    Allow from all
</Location>

<Location /assets>
    Allow from all
</Location>

SSLVerifyClient none
SSLVerifyDepth 1
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
SSLCARevocationPath /home/registry/registry/shared/ca/crl
# Uncomment in Apache 2.4
# SSLCARevocationCheck chain

RequestHeader set SSL_CLIENT_S_DN_CN ""
RequestHeader set SSL_CLIENT_CERT ""
<Location /registrant/sessions>
    SSLVerifyClient require
    RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
</Location>

<Location /registrant/id>
    SSLVerifyClient require
    Options Indexes FollowSymLinks MultiViews
    SSLVerifyDepth 2
    SSLOptions +StdEnvVars +ExportCertData
</Location>

```

For Apache, REPP goes to port 443 in production, /etc/apache2/sites-enabled/repp.conf short example:
```

ServerName your-repp-domain
SSLEngine on
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
RequestHeader set X_FORWARDED_PROTO 'https'

SSLVerifyClient none
SSLVerifyDepth 1
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
SSLCARevocationPath /home/registry/registry/shared/ca/crl
# Uncomment this when upgrading to apache 2.4:
# SSLCARevocationCheck chain

RequestHeader set SSL_CLIENT_S_DN_CN ""
RequestHeader set SSL_CLIENT_CERT ""

<Location />
    Allow from none
    Deny from all
</Location>

<Location /repp>
    Allow from all
    SSLVerifyClient require
    RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
</Location>

```

For Apache, epp goes to port 700.
Be sure to update paths to match your system configuration.
/etc/apache2/sites-enabled/epp.conf short example:
```apache

Listen 127.0.0.1:8080

ServerName your-epp-backend-domain
ServerAdmin [email protected]

    PassengerEnabled on
    PassengerMinInstances 10
    PassengerMaxPoolSize 10
    PassengerPoolIdleTime 0
    PassengerMaxRequests 1000
    PassengerRoot "/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini"
    PassengerRuby "/home/registry/.rbenv/shims/ruby"

    RailsEnv production # or staging
    DocumentRoot "/home/registry/registry/public"

    # Possible values include: debug, info, notice, warn, error, crit,
    LogLevel info
    ErrorLog "/var/log/apache2/eppback.error.log"
    CustomLog "/var/log/apache2/eppback.access.log" combined

    <Directory />
        Options +FollowSymLinks -Indexes
        AllowOverride None
    </Directory>

    <Directory /home/registry/registry/public>
        Order allow,deny
        Allow from all
        Options -MultiViews -Indexes
        AllowOverride all
    </Directory>
</VirtualHost>

```

Enable epp_ssl and restart apache

sudo a2ensite epp_ssl
sudo service apache2 restart

Now you should see registry admin at https://your-domain

All registry demo data can be found at:

db/seeds.rb

Initially you can use two type of users: admin users and EPP users.

For using EPP we are strongly recommend to install epp_proxy instead of mod_epp. You can get epp_proxy from https://github.com/internetee/epp_proxy

Wkhtmltopdf setup

sudo apt-get install libxext-dev libxrender1 fontconfig

Certificates setup

• Certificates setup

Deployment

• Application build and update

Autotesting

• Testing

Github Actions CI

• Github Actions CI is configured to build all the PRs.

EPP web client

Please follow EPP web client readme:

https://github.com/internetee/EPP-web-client

WHOIS server

Please follow WHOIS server readme:

https://github.com/internetee/whois