This will be of interest only to admins who run a Libravatar master server using the libravatar-master package and who want to add a new slave.

Initial setup

Do this on the slave:

  1. make sure NTP is installed and running
  2. add the Libravatar apt repository:

    echo "deb jessie main" >> /etc/apt/sources.list
    gpg --keyserver --recv 007c98d1
    gpg -a --export 007c98d1 | apt-key add -
  3. install the required packages on the slave:

    apt update
    apt install libravatar-{common,cdn-common,cdn,seccdn,slave}
  4. put the following global TLS config in /etc/apache2/conf-available/tls.conf:

    SSLHonorCipherOrder On
    SSLCompression Off
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
  5. enable the newly-added TLS config:

    a2enconf tls
  6. reduce apache log retention to 10 days in /etc/logrotate.d/apache2 and enable the removeip apache module (so client addresses are not written to the logs):

    a2enmod removeip
    systemctl restart apache2
  7. create SSL certificate placeholders:

    touch /etc/libravatar/seccdn-chain.pem
    touch /etc/libravatar/seccdn.pem
    touch /etc/libravatar/seccdn.crt
  8. make sure cron errors go somewhere by adding this to /etc/aliases:

  9. after rebuilding the alias database with newaliases, reload the postfix config:

    /etc/init.d/postfix reload
  10. if running fcheck on the slave, add this to /etc/fcheck/fcheck.local.cfg:

    Exclusion      = /etc/libravatar/seccdn-chain.pem
    Exclusion      = /etc/libravatar/seccdn.crt
    Exclusion      = /etc/libravatar/seccdn.pem

Do this on the master:

  1. add the slave's ssh pubkey (found in /var/lib/libravatar/slave/.ssh/ on the slave) to /var/lib/libravatar/master/.ssh/authorized_keys on the master, restricted with from= to the slave's address and with forwarding, pty and rc disabled, using an entry that looks like this:

    from="",no-X11-forwarding,no-user-rc,no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3Nza...quq5x root@cdn3
  2. allow the libravatar-master user to log in over ssh by adding it to the sshuser group:

    adduser libravatar-master sshuser
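Because the from= list and the no-* options are all that keep a slave's key from being usable for anything beyond the sync, it is worth auditing the master's authorized_keys whenever a slave is added. The following script is an added example and is not part of libravatar-master; it assumes the authorized_keys path given above and, when that file is absent (for instance on a workstation), runs over constructed sample entries that are not real keys.

```sh
#!/bin/sh
# Added example (not part of libravatar-master): audit the master's
# authorized_keys so that every slave entry carries a non-empty from=
# list and the no-* options shown in the entry above.
# Usage: audit_slave_keys.sh [authorized_keys]   (default: the master path)

KEYFILE=${1:-/var/lib/libravatar/master/.ssh/authorized_keys}

# options every slave entry must carry (taken from the example entry)
REQUIRED="no-X11-forwarding no-user-rc no-pty no-agent-forwarding no-port-forwarding"

# key_is_restricted ENTRY -> 0 if ENTRY has a non-empty from="..." and all
# REQUIRED options, 1 otherwise (options are the first, comma-separated field)
key_is_restricted() {
    entry=$1
    opts=${entry%% *}
    case "$opts" in
        *'from="'*) fromval=${opts#*from=\"}; fromval=${fromval%%\"*} ;;
        *) return 1 ;;
    esac
    [ -n "$fromval" ] || return 1          # from="" restricts nothing
    for opt in $REQUIRED; do
        case ",$opts," in
            *",$opt,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_keyfile FILE -> 0 if every key entry in FILE is restricted, 1 if
# any is not; blank lines and comments are skipped
audit_keyfile() {
    rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        if key_is_restricted "$line"; then
            echo "ok   line $n: ${line##* }"
        else
            echo "FAIL line $n: ${line##* } lacks from= or a no-* option" >&2
            rc=1
        fi
    done <"$1"
    return $rc
}

if [ -r "$KEYFILE" ]; then
    audit_keyfile "$KEYFILE"
else
    # constructed sample entries (not real keys) so the script runs anywhere
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
from="203.0.113.7",no-X11-forwarding,no-user-rc,no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3Nza...quq5x root@cdn3
from="",no-X11-forwarding,no-user-rc,no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3Nza...example root@cdn4
ssh-ed25519 AAAAC3Nza...example root@cdn5
EOF
    audit_keyfile "$tmp" || echo "sample audited: two of three entries are unrestricted (expected)" >&2
    rm -f "$tmp"
fi
```

Run it as root on the master after editing authorized_keys; a non-zero exit status means at least one entry would let the holder of that key do more than the sync requires.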

Within about 15 minutes, you should see these files pop up on the slave:

  • /var/lib/libravatar/slave/cert/chain.pem
  • /var/lib/libravatar/slave/cert/seccdn.pem
  • /var/lib/libravatar/slave/cert/seccdn.crt
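Seeing the three files appear is not quite the same as knowing the sync delivered something usable. The script below is an added example, not something shipped with libravatar-slave: it checks that the files are no longer empty placeholders, that seccdn.pem is the private key for seccdn.crt, that seccdn.crt is issued by the intermediate(s) in chain.pem, and that it is not about to expire. It assumes the directory listed above and needs OpenSSL 1.0.2 or newer for -partial_chain.

```sh
#!/bin/sh
# Added example (not shipped with libravatar-slave): once the master has
# pushed the certificate files listed above, check that they are real
# (not the empty placeholders), that the key matches the certificate,
# that the certificate chains to chain.pem, and that it is not about to
# expire. Needs OpenSSL 1.0.2 or newer for -partial_chain.
# Usage: check_slave_cert.sh [cert directory]   (default: the path above)

CERTDIR=${1:-/var/lib/libravatar/slave/cert}

# cert_files_consistent DIR -> 0 if DIR/seccdn.crt, seccdn.pem and chain.pem
# are present, parse, agree with each other and stay valid for 14 days
cert_files_consistent() {
    dir=$1
    crt=$dir/seccdn.crt; key=$dir/seccdn.pem; chain=$dir/chain.pem
    for f in "$crt" "$key" "$chain"; do
        [ -s "$f" ] || { echo "missing or still an empty placeholder: $f" >&2; return 1; }
    done
    openssl x509 -in "$crt" -noout 2>/dev/null \
        || { echo "not a certificate: $crt" >&2; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "not a private key: $key" >&2; return 1; }
    # the certificate's public key must be the one derived from the private key
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "seccdn.pem does not match seccdn.crt" >&2; return 1; }
    # the certificate must be issued by the intermediate(s) in chain.pem;
    # -partial_chain stops verify from also demanding a self-signed root
    openssl verify -partial_chain -CAfile "$chain" "$crt" >/dev/null 2>&1 \
        || { echo "seccdn.crt does not chain to chain.pem" >&2; return 1; }
    # 14 days = 1209600 s: leaves time to fix the sync before clients fail
    openssl x509 -in "$crt" -noout -checkend 1209600 >/dev/null \
        || { echo "seccdn.crt expires within 14 days" >&2; return 1; }
    echo "ok: $crt matches $key, chains to $chain and is valid for 14+ days"
}

if [ -d "$CERTDIR" ]; then
    cert_files_consistent "$CERTDIR"
fi
```

Running it from cron on the slave (its errors then reach the alias set up in step 8) turns a silently broken sync into a mail well before the old certificate runs out.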

Testing the new mirror

Given a new slave with an IP address of, you can put this in your local /etc/hosts:

and then look up images using the test tool.

Adding the new mirror to the DNS load-balancer

  1. Add these records (A and AAAA, for both cdn and seccdn) to the zone:

    cdn      A    10
    seccdn   A    10
    cdn      AAAA 10   dead::beef
    seccdn   AAAA 10   dead::beef
  2. Add the same records to the JSON zone file and then use namecoind to update the libravatar.bit zone:

    namecoind name_update d/libravatar "`xargs echo < config/dns.json`"

SSL testing

Once the DNS zone has been updated, use the SSL Labs tool to make sure that the TLS config of the new mirror matches the other ones. In particular, the new mirror must not require SNI: it has to present the seccdn certificate to clients that send no server name at all, since SNI is not supported on old operating systems.

If there are any problems, simply take the new mirror out of the seccdn CNAME group. The bandwidth requirements for HTTP are much bigger, so it's fine to have fewer mirrors doing HTTPS.
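The SNI requirement can also be checked from the command line before (or instead of) waiting for an SSL Labs run. The script below is an added example, not part of the Libravatar packages: it fetches the leaf certificate from the mirror's address twice, once with the hostname as SNI and once with no server name in the handshake, and reports whether they are the same. It assumes OpenSSL 1.1.1 or newer for -noservername (older s_client versions send no SNI unless -servername is given, so drop that option there); the host and address in the usage line are placeholders.

```sh
#!/bin/sh
# Added example (not part of the Libravatar packages): confirm a new mirror
# hands out the same seccdn certificate whether or not the client sends SNI,
# which is what the SSL Labs "SNI required" result boils down to. Assumes
# OpenSSL 1.1.1 or newer for -noservername.
# Usage: sni_check.sh MIRROR_IP HOSTNAME [PORT]

# leaf_fingerprint HOST PORT [SNI] -> SHA-256 fingerprint of the leaf
# certificate HOST:PORT presents; SNI is sent only when given, otherwise
# the handshake carries no server name at all (what old clients do)
leaf_fingerprint() {
    host=$1; port=$2; sni=$3
    if [ -n "$sni" ]; then set -- -servername "$sni"; else set -- -noservername; fi
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//'
}

# check_no_sni_required HOST NAME [PORT] -> 0 if HOST serves the same
# certificate for NAME with and without SNI, 1 if it differs or if no
# certificate comes back at all
check_no_sni_required() {
    port=${3:-443}
    with_sni=$(leaf_fingerprint "$1" "$port" "$2")
    without_sni=$(leaf_fingerprint "$1" "$port" "")
    [ -n "$with_sni" ] \
        || { echo "FAIL: no certificate from $1:$port for $2" >&2; return 1; }
    if [ "$with_sni" = "$without_sni" ]; then
        echo "ok: $1 serves the same certificate with and without SNI ($with_sni)"
        return 0
    fi
    echo "FAIL: $1 needs SNI for $2: with=$with_sni without=${without_sni:-none}" >&2
    return 1
}

if [ $# -ge 2 ]; then
    check_no_sni_required "$1" "$2" "$3"
fi
```

Point it at the mirror's address rather than the seccdn name so the result is not affected by the DNS round-robin; a mismatch usually means the seccdn certificate lives on a named virtual host while the default one still serves something else.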

Basic monitoring

At the very least, add something like to your feed reader.

Enabling stats on the slave (optional)

  1. install awstats:

    apt-get install awstats
  2. add this to /etc/awstats/awstats.conf.local:

  3. make the reports available:

    ln -s /usr/share/awstats/icon/ /var/www/html/awstats-icon
    ln -s /var/cache/awstats/ /var/www/html/stats
  4. serve that directory using Apache by putting the following in /etc/apache2/sites-enabled/000-default.conf:

    <Directory />
           Options FollowSymLinks
           AllowOverride None
    </Directory>
    <Directory /var/www/html/>
           Options Indexes FollowSymLinks MultiViews
           AllowOverride None
           Require all granted
    </Directory>

Enable automated deployments (optional)

  1. install the deployment package:

    apt-get install libravatar-deployment
  2. add your ssh user to the libravatar-deployment group:

    adduser francois libravatar-deployment