1. Endian Firewall

1.1. Port Forwarding

  • Select Firewall > Port forwarding / NAT.

  • Select Port forwarding / Destination NAT tab.

    Incoming IP          Service   Policy                     Translate to         Remark
    ------------------   -------   ------------------------   ------------------   -------------
    <public static IP>   TCP/80    ALLOW with IPS             10.10.0.1 : 80:443   ZendTo server
                         TCP/443   ALLOW with IPS from: ANY

1.2. HTTP proxy

  • Select Proxy > HTTP.

  • Select Configuration tab.

    ORANGE   transparent
    
    Bypass transparent proxy?
    Bypass transparent proxy from SUBNET/IP/MAC
    -------------------------------------------
    10.10.0.0/24

2. Installation

2.1. Debian 10

2.2. ZendTo

  • Enter the following commands at a Command Line.

    sudo curl -O https://zend.to/files/install.ZendTo.tgz
    sudo tar xzvf install.ZendTo.tgz
    cd install.ZendTo
    sudo ./install.sh
  • Press Enter for Debian release number.

  • Type x64 and press Enter.

  • Press Enter to install the web server.

  • Press Enter to install PHP and its modules.

  • Press Enter to install and set up ClamAV (with SELinux config if necessary).

  • Press Enter to add firewall rules for http and https.

  • Press Enter to create the ZendTo http and https websites in your Apache config and configure.

  • Press Enter for connections straight to the https site.

  • Press Enter for Asia/Bangkok time zone.

  • Press Enter to install the ZendTo package itself and configure email sending.

  • Type eu-smtp-outbound-1.mimecast.com and press Enter.

  • Type 587 and press Enter.

  • Press Enter.

  • Press Enter.

  • Type relay@shoklo-unit.com and press Enter.

  • Type the password and press Enter.

  • Type localhost or 110.77.143.117 and press Enter.

  • Press Enter for default ZendTo service.

  • Press Enter to accept ZendTo as the logo.

  • Type SMRU for the organization name and press Enter.

  • Type Research for organization type and press Enter.

  • Type noreply@shoklo-unit.com for ZendTo sender and press Enter.

  • Type https://localhost/ or https://110.77.143.117 for new ZendTo site and press Enter.

  • Press Enter to configure SELinux for ZendTo.

  • Reboot the server.

  • Type sudo /opt/zendto/bin/adduser /opt/zendto/config/preferences.php 'smru' 'surachard@shoklo-unit.com' 'Dah' 'SMRU' and press Enter.

  • Type the level 2 password for the smru user.

  • Type sudo chown -R www-data:www-data /var/log/zendto/zendto.log and press Enter.

2.3. Let’s Encrypt

  • Add the following lines to the /etc/apt/sources.list file.

    deb http://mirrors.digitalocean.com/debian stretch-backports main
    deb-src http://mirrors.digitalocean.com/debian stretch-backports main
    deb http://deb.debian.org/debian stretch-backports main
  • Enter the following commands at a Command Line.

    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get install python-certbot-apache -t stretch-backports
  • Edit the following line in the /etc/apache2/sites-available/001-zendto-ssl.conf file.

    ServerName      zendto.shoklo-unit.com
  • Type sudo apache2ctl configtest and press Enter to verify that the configuration syntax is correct.

    • If the output is Syntax OK then the configuration is correct.

  • Type sudo systemctl reload apache2 and press Enter to reload apache2 server.

  • Type sudo ufw status and press Enter.

  • Type sudo ufw allow 'WWW Full' and press Enter.

  • Type sudo ufw delete allow 'WWW' and press Enter.

  • Type sudo ufw status and press Enter.

    Status: active
    
    To                         Action      From
    --                         ------      ----
    WWW Full                   ALLOW       Anywhere
    OpenSSH                    ALLOW       Anywhere
    WWW Full (v6)              ALLOW       Anywhere (v6)
    OpenSSH (v6)               ALLOW       Anywhere (v6)

Obtaining an SSL Certificate

  • Type sudo certbot --apache -d zendto.shoklo-unit.com -d www.zendto.shoklo-unit.com and press Enter.

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator apache, Installer apache
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel):
  • Type smru-it@shoklo-unit.com and press Enter.

    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel:
  • Type A and press Enter.

    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about our work
    encrypting the web, EFF news, campaigns, and ways to support digital freedom.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o:
  • Type N and press Enter.

    We were unable to find a vhost with a ServerName or Address of zendto.shoklo-unit.com.
    Which virtual host would you like to choose?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: 001-zendto-ssl.conf            | zendto.smru.shoklo-un | HTTPS | Enabled
    2: 001-zendto.conf                | zendto.smru.shoklo-un |       | Enabled
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
  • Type 1 and press Enter.

    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
  • Type 2 and press Enter.

    IMPORTANT NOTES:
     - We were unable to set up enhancement redirect for your server,
       however, we successfully installed your certificate.
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/zendto.shoklo-unit.com-0001/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/zendto.shoklo-unit.com-0001/privkey.pem
       Your cert will expire on 2020-03-25. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot again
       with the "certonly" option. To non-interactively renew *all* of
       your certificates, run "certbot renew"

Verifying Certbot Auto-renewal

  • Type sudo cp /etc/cron.d/certbot /etc/cron.d/certbot.org and press Enter.

  • Type sudo certbot renew --dry-run and press Enter.

    IMPORTANT NOTES:
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
  • Type sudo cp -arv /etc/letsencrypt /etc/letsencrypt.org and press Enter.

  • Type sudo cp -arv /etc/letsencrypt /etc/letsencrypt.2019-12-26 and press Enter.

3. Update 2025

  • See https://zend.to/apt.php.

    dpkg -l | grep -i zendto
    ii  zendto                        6.13-3                                          all          Web-based system for replacing ftp sites, ...
    ii  zendto-repo                   1.3-1                                           all          Location of APT repository for ZendTo.
    sudo wget -P /usr/share/keyrings/ https://zend.to/files/zendto.gpg.asc
    wget https://zend.to/files/zendto-repo.deb
    sudo dpkg -i zendto-repo.deb
    sudo apt-get update
    sudo apt-get upgrade zendto
    sudo /opt/zendto/bin/upgrade
    
    dpkg -l | grep -i zendto
    ii  zendto                        6.15-7                                          amd64        Web-based system for replacing ftp sites, ...
    ii  zendto-repo                   2.0-1                                           amd64        Location of APT repository for ZendTo.

4. Configuration

4.1. DNS Record

  • Browse to https://www.lonex.com/members.html.

    Username:       shokloun
    Password:       ********
  • Click LOGIN.

  • Click ADD A NEW RECORD.

    Hostname:       zendto                          .shoklo-unit.com
    Type:           A
    Value:          110.77.143.117
    TTL:            3600
                    □ Enable GeoIP
  • Click Add a New Record.

  • Close Browser.

4.2. ZendTo

  • Type sudo cp -a /opt/zendto/config/preferences.php /opt/zendto/config/preferences.php.org and press Enter.

  • Edit the /opt/zendto/config/preferences.php file as below.

    // The root URL of the ZendTo web app in your organisation.
    // Make this "https" if you can.
    // It must end with a "/".
    'serverRoot'           => 'https://zendto.shoklo-unit.com/',
    
    
    // The max size for an entire drop-off,
    'maxBytesForDropoff'   => 53687091200, // 50 GBytes = 50*1024*1024*1024
    // and the max size for each individual file in a drop-off
    'maxBytesForFile'      => 53687091200, // 50 GBytes = 50*1024*1024*1024
    
    // Settings for the Google reCAPTCHA
    //
    // Get these 2 values from
    // https://www.google.com/recaptcha/admin
    'recaptchaPublicKey'   => '6LeDJ8kUAAAAAGNcqiphLF8LfiZwtYLD_hlR9W3D',
    'recaptchaPrivateKey'  => '6LeDJ8kUAAAAAO8J9ltXRYqL7pHCSZtADA6FnL9V',
    
    // ***********************
    // **** Customise me! ****
    // ***********************
    // The file specified here (full path starting with '/') contains
    // the list of the email domain names used by any of your
    // "internal" users. People from outside your organisation (who
    // cannot login) will only be able to send drop-offs to people
    // whose email addresses are in 1 or more of these domains.
    //
    // The file will contain a list of domain names, one per line.
    // Blank lines and comment lines starting with '#' will be ignored.
    // If, for example, a line contains "my-company.com" then the list of
    // recipient email domains for un-authenticated users will contain
    // "my-company.com" and "*.my-company.com".
    //
    // For backward compatibility reasons, this can also be a regular
    // expression defining the set of valid domain names. In this case,
    // it must start *and* end with a '/'.
    // This example matches "soton.ac.uk" and "*.soton.ac.uk".
    // 'emailDomainRegexp' => '/^([a-zA-Z\.\-]+\.)?soton\.ac\.uk$/i',
    // 'emailDomainRegexp' => '/opt/zendto/config/internaldomains.conf',
    'emailDomainRegexp' => '/^([a-zA-Z\.\-]+\.)?shoklo\-unit\.com$/i',
    
    // Settings for the 3-forest/3-domain AD authenticator.
    // Set
    //     'authLDAPServers2' => array(),
    //     'authLDAPServers3' => array(),
    // if you only have to search 1 AD forest/domain.
    //
    // For help getting these settings right, and how to test them, see
    // https://zend.to/activedirectory.php
    //
    // TLS will be used in preference to SSL, if both are enabled.
    //
    // If you want to search for your user in multiple OUs in any of the
    // forests/domains, then make the authLDAPBaseDN1 (or 2 or 3) an
    // array of OUs, such as in this example:
    // 'authLDAPBaseDN1' => array('OU=Staff,DC=mycompany,DC=com', 'OU=Interns,DC=mycompany,DC=com'),
    //
    'authenticator'             => 'AD',
    'authLDAPServers1'          => array('SMRU-AD02.smru.shoklo-unit.com'),
    'authLDAPBaseDN1'           => 'OU=users,OU=smru,DC=smru,DC=shoklo-unit,DC=com',
    'authLDAPAccountSuffix1'    => '@smru.shoklo-unit.com',
    'authLDAPUseSSL1'           => false,
    'authLDAPUseTLS1'           => false,
    'authLDAPBindUser1'         => 'readADusers',
    'authLDAPBindPass1'         => '********',
    'authLDAPOrganization1'     => 'SMRU',
  • Append the following line to the /opt/zendto/config/internaldomains.conf file.

    zendto.shoklo-unit.com
  • Type sudo cp -a /opt/zendto/config/locale/en_US/LC_MESSAGES/zendto.po /opt/zendto/config/locale/en_US/LC_MESSAGES/zendto.po.org and press Enter.

  • Edit the /opt/zendto/config/locale/en_US/LC_MESSAGES/zendto.po file as below.

    msgid ""
    "This is a terms and conditions waiver that recipients must agree to.\n"
    "    <br/>To disable it, see the settings <tt>showRecipientsWaiverCheckbox</tt> and <tt>defaultRecipientsWaiver</tt> in <tt>/opt/zendto/config/preferences.php</tt>.\n"
    "    <br/>It can be long and may contain HTML tags.\n"
    "    <br/>To change this text:\n"
    "    <ol>\n"
    "      <li>look for this text in the <tt>/opt/zendto/config/locale/*_*/LC_MESSAGES/zendto.po</tt> text files</li>\n"
    "      <li>put your own text in <tt>msgstr&nbsp;\"...\"</tt> line(s) immediately following it</li>\n"
    "      <li>run <tt>/opt/zendto/bin/makelanguages</tt> as root</li>\n"
    "      <li>restart Apache (to ensure it really picks up the new text).</li>\n"
    "    </ol>\n"
    "    <p>This is exactly how you change the text for anything in the ZendTo interface. For more info, read <a href=\"https://zend.to/translators.php\">the translations page in the documentation</a>.</p>"
    msgstr "<p>Do you know the sender?</p>"
    
    msgid "I have read, understood and agree to the terms and conditions above."
    msgstr "Yes, I know the sender."
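
The preferences.php settings edited above can be checked mechanically after each change. This script is an added example, not part of the original page or of ZendTo: it flags a serverRoot that is not https or lacks the trailing "/", and any configured AD forest with both authLDAPUseSSL and authLDAPUseTLS off, where the bind password crosses the network unencrypted. The function names, the finding labels and the example.org sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not ZendTo code): audit the preferences.php settings edited above.

# pref_value FILE KEY: value of the first uncommented 'KEY' => ... line, with the
# trailing comma, any trailing // comment and the surrounding quotes removed.
pref_value() {
    grep -E "^[[:space:]]*'$2'[[:space:]]*=>" "$1" | head -n 1 |
        sed -E -e 's/^[^=]*=>[[:space:]]*//' -e 's#,[[:space:]]*(//.*)?$##' \
               -e "s/^'(.*)'\$/\1/"
}

# audit_prefs FILE: print a space-separated list of findings (empty if none).
audit_prefs() {
    f=$1; findings=""
    case "$(pref_value "$f" serverRoot)" in
        https://*/) ;;                               # https and ends with "/"
        https://*)  findings="$findings serverRoot-no-trailing-slash" ;;
        *)          findings="$findings serverRoot-not-https" ;;
    esac
    if [ "$(pref_value "$f" authenticator)" = AD ]; then
        for n in 1 2 3; do
            case "$(pref_value "$f" "authLDAPServers$n")" in
                ''|'array()') continue ;;            # forest not configured
            esac
            ssl=$(pref_value "$f" "authLDAPUseSSL$n")
            tls=$(pref_value "$f" "authLDAPUseTLS$n")
            case "$ssl$tls" in
                *[Tt][Rr][Uu][Ee]*) ;;               # LDAPS or StartTLS enabled
                *) findings="$findings ldap$n-cleartext-bind" ;;
            esac
        done
    fi
    echo "${findings# }"
}

# Constructed sample input (example.org names are placeholders, not the page's values).
sample_prefs() {
    cat <<'EOF'
    // It must end with a "/".
    'serverRoot'            => 'https://zendto.example.org',
    'maxBytesForDropoff'    => 53687091200, // 50 GBytes
    'authenticator'         => 'AD',
    'authLDAPServers1'      => array('dc1.example.org'),
    'authLDAPUseSSL1'       => false,
    'authLDAPUseTLS1'       => false,
    'authLDAPServers2'      => array(),
EOF
}

tmp=$(mktemp); sample_prefs > "$tmp"
audit_prefs "$tmp"
rm -f "$tmp"
```

On a real host, call audit_prefs /opt/zendto/config/preferences.php; an empty line of output means none of these checks fired.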

4.3. Google reCAPTCHA

  • Browse to https://www.google.com/recaptcha/admin.

  • Type smru0it@gmail.com for the email and click Next.

  • Type the email password and click Next.

  • Type ZendTo in the Label field.

  • Choose reCAPTCHA v2.

  • Choose "I’m not a robot" Checkbox.

  • Type 110.77.143.117 in the Domains field.

  • Check Accept the reCAPTCHA Terms of Service.

  • Check Send alerts to owners.

  • Click SUBMIT.

  • Click COPY SITE KEY and save it somewhere.

  • Click COPY SECRET KEY and save it somewhere.

  • Click Google Account > Sign out.

  • Close Browser.

5. PHP

6. SMRU Portal

  • Log in as smru on tbhf-anc-mrm using PuTTY.

  • Enter the following commands at a Command Line.

    scp -p /var/www/html/docs/general/delta-portal.html smru@tbhf-web-mrm:
    ssh -t smru@tbhf-web-mrm sudo cp delta-portal.html /opt/zendto/www
    
    ssh -t smru@tbhf-web-mrm sudo mkdir -p /opt/zendto/www/help-pages
    scp -p /var/www/html/docs/help-pages/How-to-use-Bridgeapp-for-mandatory-training.pdf smru@tbhf-web-mrm:
    scp -p /var/www/html/docs/help-pages/IT-Introduction.pdf smru@tbhf-web-mrm:
    ssh -t smru@tbhf-web-mrm sudo cp How-to-use-Bridgeapp-for-mandatory-training.pdf /opt/zendto/www/help-pages
    ssh -t smru@tbhf-web-mrm sudo cp IT-Introduction.pdf /opt/zendto/www/help-pages
    
    ssh -t smru@tbhf-ops-mrm sudo mkdir -p /var/www/html/docs/_images
    ssh -t smru@tbhf-ops-mrm sudo scp -p smru@10.10.1.2:/var/www/html/docs/asciidoctor.css /var/www/html/docs
    ssh -t smru@tbhf-ops-mrm sudo scp -p smru@10.10.1.2:/var/www/html/docs/networks/smru-local-servers.php /var/www/html/docs
    ssh -t smru@tbhf-ops-mrm sudo scp -p smru@10.10.1.2:/var/www/html/docs/networks/smru-remote-servers.php /var/www/html/docs
    ssh -t smru@tbhf-ops-mrm sudo scp -p smru@10.10.1.2:/home/delta/github/git/delta-software-labs/Documentation/_images/_wifi.png /var/www/html/docs/_images
  • Users can now browse to https://zendto.shoklo-unit.com/delta-portal.html.

7. SSH

  • Log in as smru on tbhf-anc-mrm using PuTTY.

  • Enter the following commands at a Command Line.

    scp -p /media/Windows/Software/_Delta/id_rsa-auto.pub smru@tbhf-web-mrm:
  • Log in as smru on tbhf-web-mrm using PuTTY.

  • Enter the following commands at a Command Line.

    cat ~delta/id_rsa-auto.pub >> ~delta/.ssh/authorized_keys
    rm -f ~delta/id_rsa-auto.pub
    sudo systemctl restart ssh
  • Log in as smru on tbhf-anc-mrm using PuTTY.

  • Enter the following commands at a Command Line.

    cp /media/Windows/Software/_Delta/id_rsa-auto ~delta/.ssh
    chmod 600 ~delta/.ssh/id_rsa-auto
    ssh -i ~delta/.ssh/id_rsa-auto smru@tbhf-web-mrm "echo \$HOSTNAME"
  • Log on as SMRU\Douwe on TBHFWS-IT01.

  • Enter the following commands at a Command Prompt.

    ssh.exe -i C:\Users\Douwe\id_rsa-auto smru@tbhf-web-mrm "echo $HOSTNAME"

8. Troubleshooting

8.1. SSL Certificate

  • If there is a problem with the auto-renewal of the certificate, check the /var/log/letsencrypt/letsencrypt.log file.

  • Run the sudo certbot renew --webroot -w /opt/zendto/www command to debug the renewal of the SSL certificate.
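
A failed auto-renewal is easiest to catch by checking the certificate file that the Apache vhost actually names, since the certbot run above saved its files under a -0001 directory. This script is an added example, not part of the original page or of certbot: it reads SSLCertificateFile from a vhost file and uses openssl x509 -checkend to report whether that certificate is inside the renewal window. The function names, the state labels and the 30-day default window are assumptions; the sample certificate is generated on the fly as a constructed fixture.

```shell
#!/bin/sh
# Added example: is the certificate Apache serves overdue for renewal?

# vhost_cert_file CONF: path from the first uncommented SSLCertificateFile directive.
vhost_cert_file() {
    awk 'tolower($1) == "sslcertificatefile" { print $2; exit }' "$1"
}

# vhost_cert_state CONF [DAYS]: prints one of
#   ok       certificate stays valid for more than DAYS days
#   overdue  certificate expires within DAYS days, so renewal has not happened
#   missing  no SSLCertificateFile directive, or the file is not a readable certificate
vhost_cert_state() {
    days=${2:-30}                       # assumed renewal window, in days
    pem=$(vhost_cert_file "$1")
    if [ -z "$pem" ] || ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
        echo missing
    elif openssl x509 -noout -checkend $((days * 86400)) -in "$pem" >/dev/null; then
        echo ok
    else
        echo overdue
    fi
}

# make_sample DIR DAYS: constructed fixture, a self-signed certificate valid for
# DAYS days plus a minimal vhost file that points at it (placeholder host name).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=zendto.example.org" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
    printf '<VirtualHost *:443>\n  SSLCertificateFile %s/fullchain.pem\n</VirtualHost>\n' \
        "$1" > "$1/vhost.conf"
}

d=$(mktemp -d)
make_sample "$d" 10
vhost_cert_state "$d/vhost.conf" 30     # 10 days left, 30-day window
vhost_cert_state "$d/vhost.conf" 5      # 10 days left, 5-day window
rm -rf "$d"
```

On the server, run vhost_cert_state /etc/apache2/sites-available/001-zendto-ssl.conf from a daily cron job and alert on anything other than ok.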