This will be of interest only to admins who run a Libravatar master server using the libravatar-master package and who want to add a new slave.

Initial setup

Do this on the slave:

  1. install the apt-transport-https package
  2. add the Libravatar apt repository:

    echo "deb jessie main" >> /etc/apt/sources.list
    gpg --keyserver --recv 007c98d1
    gpg -a --export 007c98d1 | apt-key add -
  3. install the required packages on the slave:

    apt update
    apt install libravatar-{common,cdn-common,cdn,seccdn,slave}
  4. put the following global TLS config in /etc/apache2/conf-available/tls.conf:

    SSLHonorCipherOrder On
    SSLCompression Off
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
  5. enable the newly-added TLS config:

    a2enconf tls
  6. reduce apache log retention to 10 days in /etc/logrotate.d/apache and enable the removeip apache module:

    a2enmod removeip
    systemctl restart apache2
  7. make sure cron errors go somewhere by adding this to /etc/aliases:

  8. update the postfix config:

    /etc/init.d/postfix reload
  9. if running fcheck on the slave, add this to /etc/fcheck/fcheck.local.cfg:

    Exclusion      = /etc/libravatar/seccdn-chain.pem
    Exclusion      = /etc/libravatar/seccdn.crt
    Exclusion      = /etc/libravatar/seccdn.pem

Do this on the master:

  1. add the slave's ssh pubkey (in /var/lib/libravatar/slave/.ssh/ to /var/lib/libravatar/master/.ssh/authorized_keys using an entry that looks like this:

    from="",no-X11-forwarding,no-user-rc,no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3Nza...quq5x root@cdn3
  2. ensure that the sshuser user can connect via ssh:

    adduser libravatar-master sshuser

Within about 15 minutes, you should see these files pop up on the slave:

  • /var/lib/libravatar/slave/cert/chain.pem
  • /var/lib/libravatar/slave/cert/seccdn.pem
  • /var/lib/libravatar/slave/cert/seccdn.crt

Testing the new mirror

Given a new slave with an IP address of, then you can put this in your local /etc/hosts:

and then lookup images using the test tool.

Adding the new mirror to the DNS load-balancer

Add these two DNS records in the zone:

cdn      A    10
seccdn   A    10
cdn      AAAA 10   dead::beef
seccdn   AAAA 10   dead::beef

SSL testing

Once the DNS zone has been updated, use the SSL Labs tool to make sure that the SSL config for the new mirror matches the other ones.

If there are any problems, simply take the new mirror out of the seccdn CNAME group.

Basic monitoring

At the very least, add something like to your feed reader.

Enabling stats on the slave (optional)

  1. install awstats:

    apt-get install awstats
  2. add this to /etc/awstats/awstats.conf.local:

  3. make the reports available:

    ln -s /usr/share/awstats/icon/ /var/www/html/awstats-icon
    ln -s /var/cache/awstats/ /var/www/html/stats
  4. serve that directory using Apache by putting the following in /etc/apache/sites-enabled/000-default.conf:

    <Directory />
           Options FollowSymLinks
           AllowOverride None
    <Directory /var/www/html/>
           Options Indexes FollowSymLinks MultiViews
           AllowOverride None
           Require all granted

Enable automated deployments (optional)

  1. install the deployment package:

    apt-get install libravatar-deployment
  2. add your ssh user to the libravatar-deployment group:

    adduser francois libravatar-deployment