NXNJZ

Linux and Security

Tag: apache

How to Install VtigerCRM on Debian 10 Buster

Posted on September 22, 2019 - September 23, 2019 by nxnjz

Vtiger CRM is a popular Customer Relationship Management web application which can help enterprises grow sales, deliver customer service, and increase profits. This article will guide you through the installation of Vtiger open source edition on a Debian 10 system with the Apache web server, MariaDB, and PHP.

Prerequisites

  • A newly deployed Debian 10 instance (4GB+ of memory recommended)
  • Root access to your server, via SSH or console.
  • A domain name pointing to your Vultr IP address. crm.example.net will be used as an example.

Installation

Step 1: Update the system.

First, update your system:

apt update
apt upgrade -y

Once that is done, reboot and log in again:

reboot

Step 2: Setup a swap file (optional)

If your system has less than 4GB of memory, you can set up a swap file to potentially improve performance. The following commands will create a 4GB swap file, instruct the system to use it as swap space, and create a corresponding entry in /etc/fstab so that it is enabled automatically at boot.

dd if=/dev/zero of=/swapfile bs=1k count=4M
chmod 0600 /swapfile
mkswap /swapfile
swapon /swapfile
echo "/swapfile swap swap defaults 0 0" | tee -a /etc/fstab

Step 3: Install Apache, PHP and MariaDB.

Use the following command to install the needed packages and tools:

apt install -y apache2 libapache2-mod-php mariadb-server mariadb-client php-imap php-curl php-xml php php-common php-mysql unzip

Once the installation is complete, make sure that the Apache and MariaDB services are enabled and running:

systemctl enable --now apache2.service mariadb.service

Step 4: Configure PHP.

Using a text editor of your choice, open the file /etc/php/7.3/apache2/php.ini and make the following changes:

memory_limit = 512M
max_execution_time = 240
error_reporting = E_WARNING & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
display_errors = On
log_errors = Off

Step 5: Setup MariaDB.

We’ll start by securing our MariaDB installation using the command:

mysql_secure_installation

Answer all of the questions as shown below and be sure to choose a strong password for the root user:

Enter current password for root: Press Enter
Set root password? [Y/n] y
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y

We’ll now create a database and a MariaDB user, both of which will be dedicated to the Vtiger web application. Log in to the MySQL CLI (mysql -u root -p) and use the following commands:

CREATE DATABASE vtigercrm;
CREATE USER 'vtigercrm'@'localhost' IDENTIFIED BY 'StrongPasswordHere';
GRANT ALL PRIVILEGES ON vtigercrm.* TO 'vtigercrm'@'localhost';
QUIT;

Next, open the file /etc/mysql/my.cnf in a text editor and add the following lines:

[mysqld]
sql_mode = ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

Save the changes and restart MariaDB:

systemctl restart mariadb.service

Step 6: Download Vtiger CRM:

Go to the Vtiger download page and click “Download Open Source”, then copy the download link for the latest stable TAR.GZ version, and download it on your server:

cd /tmp
wget -O vtiger.tgz DOWNLOAD_LINK

For example:

wget -O vtiger.tgz https://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%207.1.0/Core%20Product/vtigercrm7.1.0.tar.gz/

Go back to the download page and copy the download link for any corresponding hotfix package, and download it as well:

wget -O hotfix.zip https://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%207.1.0/Core%20Product/Hotfixes/vtigercrm7.1.0-hotfix2.zip/download

Now unpack and move the directory to the web root:

tar -xzf vtiger.tgz
rm vtiger.tgz
mv vtigercrm/ /var/www/ 

Apply the hotfix:

unzip -o -f -d /var/www/vtigercrm hotfix.zip
rm hotfix.zip

Since write permissions are needed, we’ll give the apache process user ownership of the directory:

chown -R www-data:www-data /var/www/vtigercrm

Due to what appears to be a minor bug in the open source version of Vtiger, it will incorrectly report the PHP error_reporting directive as NOT RECOMMENDED. To resolve this, open the file /var/www/vtigercrm/modules/Install/views/Index.php in a text editor such as vim or nano, and find the following line (32):

version_compare(PHP_VERSION, '5.5.0') <= 0 ? error_reporting(E_ERROR & ~E_NOTICE & ~E_DEPRECATED) : error_reporting(E_ERROR & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT);

Replace it with:

version_compare(PHP_VERSION, '5.5.0') <= 0 ? error_reporting(E_ERROR & ~E_NOTICE & ~E_DEPRECATED) : error_reporting(~E_NOTICE & ~E_DEPRECATED & ~E_STRICT & E_WARNING);

Step 7: Apache configuration.

Before configuring Apache, let’s obtain an SSL certificate from “Let’s Encrypt” using certbot:

apt install -y certbot
certbot certonly --webroot --agree-tos -m youremail@domain.tld -d crm.example.net

When prompted to input the webroot for your domain, type in /var/www/html. Certbot will verify that you own your domain and that it correctly resolves to your server’s IP address before creating and saving your certificate and key file.

To keep things organized, create two configuration files for your VtigerCRM instance, vtigercrm80.conf and vtigercrm443.conf, for HTTP and HTTPS respectively. Both files should be created in /etc/apache2/sites-available.

nano /etc/apache2/sites-available/vtigercrm80.conf

And paste the following, which will instruct Apache to redirect all incoming HTTP requests to HTTPS:

<VirtualHost *:80>

  DocumentRoot /var/www/vtigercrm
  ServerName crm.example.net

  ErrorLog /var/log/apache2/vtigercrm-error.log
  CustomLog /var/log/apache2/vtigercrm-access.log common

  RewriteEngine on
  RewriteCond %{SERVER_NAME} =crm.example.net
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

</VirtualHost>

For the HTTPS version:

nano /etc/apache2/sites-available/vtigercrm443.conf

Below is a sensible configuration that you can tweak if you have more specific needs:

<VirtualHost *:443> 

  DocumentRoot /var/www/vtigercrm
  ServerName crm.example.net

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/crm.example.net/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/crm.example.net/privkey.pem
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  SSLHonorCipherOrder on
  SSLCompression off
  SSLOptions +StrictRequire

  <Directory /var/www/vtigercrm>
    Options FollowSymLinks
    AllowOverride All
  </Directory>

  ErrorLog /var/log/apache2/vtigercrm-error.log
  CustomLog /var/log/apache2/vtigercrm-access.log common

</VirtualHost>

Enable both virtual host files:

a2ensite vtigercrm80.conf
a2ensite vtigercrm443.conf

And enable the rewrite and SSL apache modules:

a2enmod rewrite
a2enmod ssl

Finally, restart the apache service to apply changes:

systemctl restart apache2.service
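
The TLS directives in vtigercrm443.conf can be reviewed offline: `SSLProtocol all -SSLv2 -SSLv3` leaves TLS 1.0 and 1.1 permitted as far as Apache is concerned, and the cipher list still offers 3DES, static-RSA and HMAC-SHA1 suites. The script below is an added example, not part of the original article; `audit_vhost_tls` and both sample files are constructed here, and the stricter variant assumes every client supports TLS 1.2 or later.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: static audit of the TLS
# directives in an Apache virtual host file such as vtigercrm443.conf.

# audit_vhost_tls FILE: print one finding per line, nothing when the file is clean.
audit_vhost_tls() {
    awk '
    /^[ \t]*#/ { next }                        # ignore comment lines
    tolower($1) == "sslprotocol" {
        split("", on)                          # a later directive replaces an earlier one
        for (i = 2; i <= NF; i++) {
            tok = tolower($i); sign = ""
            if (tok ~ /^[+-]/) { sign = substr(tok, 1, 1); tok = substr(tok, 2) }
            if (sign == "") split("", on)      # a bare name resets the set, as in mod_ssl
            val = (sign == "-") ? 0 : 1
            if (tok == "all") { on["tlsv1"] = val; on["tlsv1.1"] = val; on["tlsv1.2"] = val; on["tlsv1.3"] = val }
            else on[tok] = val
        }
        proto_seen = 1
    }
    tolower($1) == "sslciphersuite" {
        des3 = ""; rsa = ""; sha1 = ""         # last SSLCipherSuite wins
        n = split($NF, c, ":")
        for (i = 1; i <= n; i++) {
            if (c[i] ~ /^[!-]/) continue       # exclusions are not offered
            if (c[i] ~ /DES-CBC3|^3DES$/) des3 = des3 " " c[i]
            if (c[i] ~ /^(AES|CAMELLIA)(128|256)-/) rsa = rsa " " c[i]
            if (c[i] ~ /-SHA$/) sha1 = sha1 " " c[i]
        }
    }
    END {
        if (!proto_seen) print "SSLProtocol not set here: the server-wide value applies"
        if (on["tlsv1"])   print "SSLProtocol permits TLSv1.0"
        if (on["tlsv1.1"]) print "SSLProtocol permits TLSv1.1"
        if (des3 != "") print "SSLCipherSuite offers 3DES:" des3
        if (rsa  != "") print "SSLCipherSuite offers static-RSA key exchange (no forward secrecy):" rsa
        if (sha1 != "") print "SSLCipherSuite offers HMAC-SHA1 suites:" sha1
    }
    ' "$1"
}

# Constructed samples: the directives from the guide (cipher list shortened) and
# a stricter variant that assumes all clients support TLS 1.2 or later.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/guide.conf" <<'EOF'
<VirtualHost *:443>
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!MD5
  SSLHonorCipherOrder on
</VirtualHost>
EOF
cat > "$demo_dir/strict.conf" <<'EOF'
<VirtualHost *:443>
  SSLEngine on
  SSLProtocol -all +TLSv1.2 +TLSv1.3
  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
  SSLHonorCipherOrder on
</VirtualHost>
EOF

for name in guide strict; do
    echo "== $name.conf"
    audit_vhost_tls "$demo_dir/$name.conf"
done
```

Run it against the real file with `audit_vhost_tls /etc/apache2/sites-available/vtigercrm443.conf`, then confirm the syntax with `apachectl configtest` before restarting Apache.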

Step 8: Web Installation Wizard

Navigate to https://crm.example.net/ and you’ll be greeted with the installation wizard. Click “Install” to begin, and follow these steps:

1. First, you’ll have to agree to the Vtiger Public License before proceeding.

2. The wizard will check your PHP configuration. All tests should pass if you followed this guide. Click “Next”

3. You’ll be asked to enter your database information:

  • Host Name: localhost
  • User Name: vtigercrm
  • Password: The password you chose during user creation in the MySQL console.
  • Database Name: vtigercrm
  • Create new database: Yes. (Check the checkbox. Even though we already created a database, this is currently required in order for the installer to create all tables.)
  • Root User Name: vtigercrm
  • Root Password: The password you chose during user (vtigercrm) creation in the MySQL console. Do not enter the password for the root user.

The system information and admin user information forms should be filled according to your requirements.

4. Confirm your configuration and proceed.

5. Specify your industry and click “Next”. The wizard will begin the setup process, which may take some time.

6. Select the features you’d like to enable. The installation process is now complete.

Further Reading

  • Vtiger Documentation
  • SuiteCRM Installation guide

Posted in Linux. Tagged apache, crm, linux, mariadb, php.

How to Install Postmill on Ubuntu 18.04 LTS with Apache or Nginx

Posted on September 16, 2019 - September 19, 2019 by nxnjz

Introduction

Postmill is a free and open-source web-based social link aggregator with voting and nested comments, similar to the popular Reddit platform. This article will explain the full installation process on a Vultr Ubuntu 18.04 LTS system, including the setup of Nginx and Apache as replacements for the Symfony web server.

Requirements

  • A Ubuntu 18.04 instance (2GB+ of physical memory recommended)
  • Access to a user with sudo privileges. We’ll assume this user is user1 in the rest of this guide.

Swap file

If your system has less than 2 gigabytes of memory, you may run into memory allocation errors during the installation process. We’ll create a 4GB swap file to avoid such issues, but keep in mind that swap space performs very poorly in comparison to physical memory.

sudo dd if=/dev/zero of=/swap bs=1k count=4M
sudo chmod 0600 /swap
sudo mkswap /swap
sudo swapon /swap
echo "/swap swap swap defaults 0 0" | sudo tee -a /etc/fstab

Installation

Preparing the system

First, we’ll update the system and install a few needed packages.

sudo apt update && sudo apt upgrade -y
sudo apt install -y curl apt-transport-https

Then we’ll install package repositories for Node.js and yarn, in order to get the needed package versions.

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
curl -sL https://deb.nodesource.com/setup_12.x | sudo bash -

And install the needed packages (which consist of PHP libraries, the PostgreSQL database server and client, Node.js and other tools):

sudo apt update
sudo apt install -y nodejs yarn php php-curl php-gd php-common php-intl php-mbstring php-xml php-json php-pgsql postgresql postgresql-client php-zip unzip php-symfony-polyfill-intl-icu

Downloading Postmill and building its components

Clone the postmill gitlab repository to /var/www/, and give yourself ownership of the resulting directory:

sudo mkdir -p /var/www
cd /var/www
sudo git clone https://gitlab.com/postmill/Postmill.git
sudo chown -R user1:user1 Postmill/
cd Postmill

Keep in mind that the rest of this guide assumes your working directory is /var/www/Postmill/.

Then, install composer (a tool for managing PHP dependencies) in the current directory:

php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php composer-setup.php

And build the frontend assets with the following commands:

yarn install
yarn run build-prod

Using composer, we will now download and setup the PHP dependencies of Postmill.

php composer.phar install

Database Setup

Postmill requires access to a postgresql database. Create a new PostgreSQL user:

sudo -u postgres createuser --pwprompt postmill

You will be asked to enter a password for the new user; make sure you choose a secure and unique password. We’ll now create a database named ‘postmill’, owned by the user ‘postmill’.

sudo -u postgres createdb -O postmill postmill

Postmill Configuration

Copy the default configuration file .env to .env.local (cp .env .env.local). Changes will be made in the latter to override default values. Open .env.local in a text editor of your choice, and find the following line:

DATABASE_URL=pgsql://db_user:db_password@localhost:5432/db_name?serverVersion=9.6

Replace db_user and db_name with postmill; db_password with the password chosen during user creation in the previous step; and 9.6 with your currently installed version. You can run the following PostgreSQL query to determine which version is installed on your system:

sudo -u postgres psql postgres -c 'SELECT version()' | grep PostgreSQL | cut -d' ' -f3

The database URL should now look like the following:

DATABASE_URL=pgsql://postmill:thisisastrongpassword@localhost:5432/postmill?serverVersion=10.9

You’ll also need to provide a secret string (on line 23 of the same file) such as:

APP_SECRET="Df4wgdwrt4PQv9AUMmLkempHTMmULG6a3kwa5nQj"

Do not use the value provided in this article. You can use the following command to generate a random 40-character string instead:

cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 40 | head -1

We can now close that file, and we’ll make sure that the environment meets the necessary requirements:

vendor/bin/requirements-checker

You should fix any issues that arise from this check before proceeding with the installation.

Now run bin/console doctrine:migrations:migrate to load the database schema, followed by bin/console app:user:add admin1 --admin to create a default administrator account named ‘admin1’. You can choose any other username for this account, and you can also create more than one administrator.

At this point, the Postmill installation is complete. Further instructions are provided separately for development and production instances.

Development Instances (Symfony web server)

For developing and testing Postmill, the symfony local web server is sufficient. It can be started by running bin/console server:run. By default, symfony will listen on localhost, port 8000/tcp. To access it, SSH port forwarding is recommended. You can read more about SSH port forwarding here.

Production Deployment

When running Postmill in a production environment, you’ll need to use either Apache or Nginx; trying to install both web servers on the same system will not work. Software-specific instructions are provided in subsequent sections.

Open the file we previously created (.env.local) in a text editor and change APP_ENV=dev to APP_ENV=prod. Or use sed to make that change: sed -i "s/APP_ENV=dev/APP_ENV=prod/" .env.local

Apache with mod_php

First, install Apache and make sure it is enabled and running:

sudo apt update
sudo apt install -y apache2
sudo systemctl enable --now apache2.service

Then install the symfony pack for Apache support:

php composer.phar require symfony/apache-pack

Create a new Apache configuration file under /etc/apache2/sites-available/ with a text editor of your choice. For example:

sudo vim /etc/apache2/sites-available/postmill80.conf

And populate it with the following basic configuration (replace example.com with your domain name or IP address):

<VirtualHost *:80>

  ServerName example.com
  DocumentRoot /var/www/Postmill/public

  <Directory /var/www/Postmill/public>
    AllowOverride All
    Require all granted
  </Directory>

  <Directory /var/www/Postmill>
    Options FollowSymlinks
  </Directory>

  ErrorLog /var/log/apache2/postmill_error.log
  CustomLog /var/log/apache2/postmill_access.log combined

</VirtualHost>

Then enable this configuration: sudo a2ensite postmill80.conf

Some Apache modules need to be enabled/disabled:

sudo a2dismod mpm_event
sudo a2enmod rewrite
sudo a2enmod php7.2

Finally, restart the apache service to apply the changes: sudo systemctl restart apache2.service

You should now be able to access your postmill installation by browsing to the domain name or IP address of your Vultr server.

Nginx with PHP-FPM

Start by installing the PHP FastCGI process manager and Nginx, and make sure both services are enabled and running:

sudo apt update
sudo apt install -y nginx php-fpm
sudo systemctl enable --now nginx.service php7.2-fpm.service

Create a new configuration file in /etc/nginx/sites-available/ with a text editor of your choice. For example:

sudo vim /etc/nginx/sites-available/postmill80.conf

And enter the following minimal configuration (replace example.com with your domain name or IP address):

server {
    server_name example.com;
    root /var/www/Postmill/public;

    location / {
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;

        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        internal;
    }

    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/postmill_error.log;
    access_log /var/log/nginx/postmill_access.log;
}

We now need to enable it by creating a link in the ‘sites-enabled’ directory, and reload the Nginx service to apply the new configuration:

sudo ln -s /etc/nginx/sites-available/postmill80.conf /etc/nginx/sites-enabled/
sudo systemctl reload nginx.service

You should now be able to access your postmill installation by browsing to the domain name or IP address of your Vultr server.

Common problems

PostgreSQL errors such as [An exception occurred in driver: SQLSTATE[08006] [7] FATAL: password authentication failed for user "postmill"] are often caused by an incorrect database URL in the postmill configuration file (.env.local). Make sure you created a database and its respective user as shown in the postmill configuration section of this guide.
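
The checks below cover two ways the .env.local edits in the Postmill configuration section go wrong: values copied straight from the guide, and a database password whose reserved URI characters are not percent-encoded, which makes DATABASE_URL parse into different credentials and is one cause of the authentication error above. This is an added example, not part of Postmill or the original article; `env_value`, `check_env_local` and the sample files are constructed here.

```bash
#!/usr/bin/env bash
# Added example, not part of Postmill or the original article: flag tutorial
# leftovers and URL-syntax problems in .env.local before going to production.

# Sample secret printed in the article: it is public, so it must never be deployed.
PUBLISHED_SECRET='Df4wgdwrt4PQv9AUMmLkempHTMmULG6a3kwa5nQj'

# env_value FILE KEY: value of the last KEY= assignment, quote characters stripped.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# check_env_local FILE: print one finding per line, nothing when the file is clean.
check_env_local() {
    secret=$(env_value "$1" APP_SECRET)
    url=$(env_value "$1" DATABASE_URL)
    app_env=$(env_value "$1" APP_ENV)

    if [ "$app_env" != "prod" ]; then
        echo "APP_ENV is '${app_env:-unset}', production instances use prod"
    fi
    if [ "$secret" = "$PUBLISHED_SECRET" ]; then
        echo "APP_SECRET is the sample value published in the guide"
    elif [ "${#secret}" -lt 40 ]; then
        echo "APP_SECRET is shorter than the 40 characters the guide generates"
    fi

    # Credentials are everything between "://" and the LAST "@"; the password
    # follows the first ":" inside them.
    rest=${url#*://}
    case "$rest" in
        *@*) userinfo=${rest%@*}; password=${userinfo#*:} ;;
        *)   echo "DATABASE_URL carries no credentials"; return 0 ;;
    esac
    case "$password" in
        db_password|thisisastrongpassword)
            echo "DATABASE_URL still uses a placeholder password from the guide" ;;
    esac
    # Reserved URI characters must be percent-encoded, otherwise the URL is split
    # in the wrong place and PostgreSQL receives a different password.
    case "$password" in
        *[@:/?#]*) echo "DATABASE_URL password contains an unencoded reserved character" ;;
    esac
    if printf '%s' "$password" | grep -Eq '%($|[^0-9A-Fa-f]|[0-9A-Fa-f]($|[^0-9A-Fa-f]))'; then
        echo "DATABASE_URL password contains a '%' that is not a valid percent-escape"
    fi
    return 0
}

# Constructed samples: the database password "p@ss/word" is made up for the demo.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/bad.env" <<'EOF'
APP_ENV=dev
 APP_SECRET="Df4wgdwrt4PQv9AUMmLkempHTMmULG6a3kwa5nQj"
DATABASE_URL=pgsql://postmill:p@ss/word@localhost:5432/postmill?serverVersion=10.9
EOF
# Fresh secret with the same character set and length as the guide's command.
fresh=$(LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 40)
cat > "$demo_dir/good.env" <<EOF
APP_ENV=prod
APP_SECRET="$fresh"
DATABASE_URL=pgsql://postmill:p%40ss%2Fword@localhost:5432/postmill?serverVersion=10.9
EOF

for name in bad good; do
    echo "== $name.env"
    check_env_local "$demo_dir/$name.env"
done
```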

Posted in Linux. Tagged apache, linux, nginx, ubuntu.

How to Install WallaBag on Ubuntu 18.04 LTS

Posted on February 21, 2019 - February 21, 2019 by nxnjz

Introduction

Wallabag is a self-hosted PHP web application allowing you to save web pages for later reading. It extracts content so that you can read it when you have time. This article will explain the installation of Wallabag on a Ubuntu 18.04 system.

Prerequisites

  • A Ubuntu 18.04 VPS.
  • Root access to your server (via a user with sudo privileges.)
  • A web server with PHP (Instructions below.)
  • A MySQL database (Instructions below.)

Preparations

Update your system and install required software.

sudo apt update
sudo apt upgrade -y
sudo apt install -y git make composer

Git will be used to download Wallabag from its GitHub repository, and composer (via the make command) to install PHP libraries.

Installing a web server stack:

We will be using Apache with PHP, and MariaDB for the database. Execute the following to install the required packages:

sudo apt install -y apache2 php7.2 php7.2-common php7.2-xml php7.2-mbstring php7.2-mysql php7.2-json php7.2-pdo php7.2-gd php7.2-tidy php7.2-curl php7.2-bcmath php7.2-zip mariadb-server mariadb-client

Make sure Apache and MariaDB are enabled and running:

sudo systemctl enable --now apache2.service mariadb.service

Configuring Apache

Using a text editor of your choice, create a new Apache configuration file. For instance:

sudo vim /etc/apache2/sites-available/wallabag.conf

Populate it with the following (insert your Vultr IP address or a domain name pointing to your IP for ServerName):

<VirtualHost *:80>
    ServerName IP_or_DOMAIN_NAME 
    DocumentRoot /var/www/wallabag/web
    <Directory /var/www/wallabag/web>
        AllowOverride None
        Require all granted
        <IfModule mod_rewrite.c>
            Options -MultiViews
            RewriteEngine On
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^(.*)$ app.php [QSA,L]
        </IfModule>
    </Directory>
    <Directory /var/www/wallabag/web/bundles>
        <IfModule mod_rewrite.c>
            RewriteEngine Off
        </IfModule>
    </Directory>
    ErrorLog /var/log/apache2/wallabag_error.log
    CustomLog /var/log/apache2/wallabag_access.log combined
</VirtualHost>

Save, exit, and enable this virtual host:

sudo a2ensite wallabag.conf

Enable the rewrite apache module:

sudo a2enmod rewrite

Restart Apache to apply changes:

sudo systemctl restart apache2.service

Configuring MariaDB for WallaBag

Start by securing your MySQL installation with this command:

sudo mysql_secure_installation

Answer the questions as shown:

Enter current password for root (enter for none): Enter
Set root password? [Y/n]: Y
New password: <your-password>
Re-enter new password: <your-password>
Remove anonymous users? [Y/n]: Y
Disallow root login remotely? [Y/n]: Y
Remove test database and access to it? [Y/n]: Y
Reload privilege tables now? [Y/n]: Y

Make sure you use a strong password.

Configuring MariaDB

Create a database and user for Wallabag:

sudo mysql -u root -p

MariaDB [(none)]> CREATE DATABASE wallabag; 
MariaDB [(none)]> CREATE USER 'wallabaguser'@'localhost' IDENTIFIED BY 'wallabagpassword';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON wallabag.* TO 'wallabaguser'@'localhost';
MariaDB [(none)]> exit;

Make sure you replace wallabagpassword with a secure password. It should be different from the password you chose for the MariaDB root user.

Installing Wallabag

Since Wallabag is hosted on github, we’ll clone the repository locally:

cd /var/www/
sudo git clone https://github.com/wallabag/wallabag.git 

And transfer ownership to the apache user:

sudo chown -R www-data:www-data /var/www/wallabag

It is not recommended to run the installation scripts as root, so we will use the apache user:

sudo -u www-data /bin/bash
cd /var/www/wallabag/
make install

You will be asked several questions regarding desired configuration:

database_driver (pdo_mysql): pdo_mysql
database_driver_class (null): Press Enter
database_host (127.0.0.1): 127.0.0.1
database_port (null): 3306
database_name (wallabag): wallabag
database_user (root): wallabaguser
database_password (null): wallabagpassword
database_path (null): Press Enter
database_table_prefix (wallabag_): Prefix of your choice or Press Enter for the default.
database_socket (null): Press Enter
database_charset (utf8mb4): Press Enter
domain_name ('https://your-wallabag-url-instance.com'): http://IP_or_DOMAIN_NAME 

Choose the default (press Enter) for the remaining questions.

If you followed the steps correctly, you’ve successfully installed WallaBag on Ubuntu. You should now be able to access it on http://IP_or_DOMAIN_NAME. For better security and privacy, you should consider using a domain name with HTTPS; however, this is beyond the scope of this guide.

Want to Install WallaBag on Fedora 29 instead?

Posted in Linux. Tagged apache, ubuntu, wallabag.

How to Install Wallabag on Fedora 29.

Posted on February 12, 2019 - February 20, 2019 by nxnjz

Introduction

Wallabag is a self-hosted PHP web application allowing you to save web pages for later reading. It extracts content so that you can read it when you have time. This article will explain the installation of Wallabag on a Fedora 29 system.

Prerequisites

  • Something running Fedora 29.
  • Root access to your system (via a user with sudo privileges.)
  • A web server with PHP 7 (Instructions below.)
  • A MySQL database (Instructions below.)

Preparations

Update your system:

sudo dnf update -y

Installing a web server stack:

We will be using Apache with PHP, and MariaDB for the database. Execute the following to install the required packages:

sudo dnf install -y httpd php php-common php-xml \
php-json php-curl php-zip php-mbstring php-mysqlnd \
php-pdo php-gd php-tidy php-bcmath mariadb-server mariadb

Make sure Apache and MariaDB are enabled and running:

sudo systemctl enable --now httpd.service mariadb.service

Install miscellaneous packages.

sudo dnf install -y git make composer unzip policycoreutils-python-utils

Git will be used to download Wallabag from its GitHub repository, and the make command, along with composer, will complete the installation of Wallabag. The policy utilities package is needed for optional SELinux configuration (instructions below).

Configuring Apache

Using a text editor of your choice, create a new Apache configuration file. For instance:

sudo vim /etc/httpd/conf.d/wallabag.conf

Populate it with the following (insert your Vultr IP address or a domain name pointing to your IP for ServerName):

<VirtualHost *:80>
    ServerName IP_or_DOMAIN_NAME 
    DocumentRoot /var/www/wallabag/web
    <Directory /var/www/wallabag/web>
        AllowOverride None
        Require all granted
        <IfModule mod_rewrite.c>
            Options -MultiViews
            RewriteEngine On
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^(.*)$ app.php [QSA,L]
        </IfModule>
    </Directory>
    <Directory /var/www/wallabag/web/bundles>
        <IfModule mod_rewrite.c>
            RewriteEngine Off
        </IfModule>
    </Directory>
    ErrorLog /var/log/httpd/wallabag_error.log
    CustomLog /var/log/httpd/wallabag_access.log combined
</VirtualHost>

Save and exit.

Reload Apache configuration to apply changes:

sudo systemctl reload httpd.service

Configuring MariaDB

Start by securing your MySQL installation with this command:

sudo mysql_secure_installation

Answer the questions as shown:

Enter current password for root (enter for none): Enter
Set root password? [Y/n]: Y
New password: <your-password>
Re-enter new password: <your-password>
Remove anonymous users? [Y/n]: Y
Disallow root login remotely? [Y/n]: Y
Remove test database and access to it? [Y/n]: Y
Reload privilege tables now? [Y/n]: Y

Make sure you use a strong password.

Configuring MariaDB

Create a database and user for Wallabag:

sudo mysql -u root -p

MariaDB [(none)]> CREATE DATABASE wallabag; 
MariaDB [(none)]> CREATE USER 'wallabaguser'@'localhost' IDENTIFIED BY 'wallabagpassword';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON wallabag.* TO 'wallabaguser'@'localhost';
MariaDB [(none)]> exit;

Make sure you replace wallabagpassword with a secure password. It should be different from the password you chose for the MariaDB root user.

Installing Wallabag

Since Wallabag is hosted on github, we’ll clone the repository locally:

cd /var/www/
sudo git clone https://github.com/wallabag/wallabag.git 

And transfer ownership to the apache user:

sudo chown -R apache:apache /var/www/wallabag

It is not recommended to run the installation scripts as root, so we will use the apache user:

sudo -u apache /bin/bash
cd /var/www/wallabag/
make install

You will be asked several questions regarding desired configuration:

database_driver (pdo_mysql): pdo_mysql
database_driver_class (null): Press Enter
database_host (127.0.0.1): 127.0.0.1
database_port (null): 3306
database_name (wallabag): wallabag
database_user (root): wallabaguser
database_password (null): wallabagpassword
database_path (null): Press Enter
database_table_prefix (wallabag_): Prefix of your choice or Press Enter for the default.
database_socket (null): Press Enter
database_charset (utf8mb4): Press Enter
domain_name ('https://your-wallabag-url-instance.com'): http://IP_or_DOMAIN_NAME 

Choose the default (press Enter) for the remaining questions, then exit back to your own user shell session: exit

Security configuration:

SELinux (Security-Enhanced Linux) will interfere with the wallabag application. To disable it, open the file /etc/sysconfig/selinux and replace SELINUX=enforcing with SELINUX=disabled. Reboot to apply changes. If you do not wish to disable SELinux entirely, follow the instructions below to configure SELinux contexts for web directories.

Five labels are required:

sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/wallabag(/.*)?"
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/wallabag/data(/.*)?"
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/wallabag/var(/.*)?"
sudo semanage fcontext -a -t httpd_log_t "/var/www/wallabag/var/logs(/.*)?"
sudo semanage fcontext -a -t httpd_cache_t "/var/www/wallabag/var/cache(/.*)?"

And apply changes with:

sudo restorecon -R /var/www/wallabag

And set the following SELinux booleans to true:

sudo setsebool -P httpd_can_network_connect 1
sudo setsebool -P httpd_can_network_connect_db 1

Finally, enable HTTP traffic through the firewall:

sudo firewall-cmd --add-service http --permanent
sudo firewall-cmd --reload

You should now be able to access Wallabag on http://IP_or_DOMAIN_NAME. For better security/privacy, you should consider using a domain name with HTTPS, however this is beyond the scope of this guide.

If you’d like to host your own music streaming server, check out these guides.

Posted in Linux. Tagged apache, fedora, linux, mariadb, php, wallabag.

Monitoring system resources and Apache with Monit.

Posted on November 6, 2018 - November 6, 2018 by nxnjz

Introduction

Monit is a simple yet powerful monitoring tool that can automatically restart services/processes and send email alerts. It has a clean web interface that runs on its own HTTP server. The steps described below should work on Debian and other Debian-based distros, including Ubuntu.

Installation and Configuration

Install Monit and stop it.

First, install Monit: apt install monit

Then stop it while we configure it: systemctl stop monit

Basic Configuration

By default, Monit configuration files are in /etc/monit. monitrc is the main configuration file; others may be added in /etc/monit/conf.d and /etc/monit/conf-enabled.

Monit can be configured to monitor any process/service/file. For this tutorial I’ll configure it to monitor system resources, network connectivity and bandwidth, and the apache2 service.

First, move to the configuration directory: cd /etc/monit

Then, make a backup of monitrc: cp monitrc monitrc.old

And clear the config file: echo "" > monitrc

We can now safely modify monitrc, and we have a backup in case something goes wrong with the configuration. After every configuration change, it is recommended to run monit -t to check the monitrc file and other config files for errors. The output should be “Control file syntax OK”.

Open monitrc with a text editor of your choice.

If you want monit to have a web interface for monitoring, add the following lines:

set httpd port 2813
  allow username:password

Make sure you replace ‘username’ and ‘password’ with values of your choice. Make sure to choose a strong password.
Monit will now be able to serve a monitoring interface via http on port 2813. To access it, you would use http://your-ip:2813 and enter your login credentials. At the moment, the interface will be inaccessible.

We now need to set up some things that allow monit to work properly. These are an ID file where monit stores a hash, a state file where it stores state information, a directory where events will be stored, and a log file where it can write logs. In this tutorial, we will use default locations. You generally will not need to change these. Add the following to the monitrc file:

set logfile /var/log/monit.log
set idfile /var/lib/monit/id
set statefile /var/lib/monit/state

set eventqueue
   basedir /var/lib/monit/events # set the base directory where events will be stored
   slots 100                     # optionally limit the queue size

You can choose how often you want monit to perform checks. For example, for checks to be performed every 30 seconds, add the following:

set daemon 30

Email/Alert Config

For emails, you need an email server running. Assuming you have that already and that you want email alerts, add the following lines (replacing “your-email@your-domain.your-tld” with your email address):


set mailserver localhost
set alert your-email@your-domain.your-tld

Monitoring of system and network resources.

For system load, CPU usage, memory (RAM) usage, network connectivity, bandwidth and swap file/partition usage to be monitored and alerts to be sent in case of excessive load/consumption, the following is needed:

check system $HOST
  if loadavg (1min) > 4 then alert
  if loadavg (5min) > 2 then alert
  if cpu usage > 95% for 10 cycles then alert
  if memory usage > 85% then alert
  if swap usage > 25% then alert
check network public with interface ens3
  if changed link then alert
  if saturation > 90% then alert
  if total uploaded > 1 GB in last hour then alert

Let’s explain these lines.

The first line tells monit to check the system and give it a name, $HOST, which equals the hostname of your VPS.

The second and third lines tell monit to send alerts if system load is higher than 2 for 5 minutes, or higher than 4 for one minute. If your server is under constant heavy load, you may choose to modify these values.

The following 3 lines instruct monit to send an alert if CPU, memory, or swap usage is higher than 95%, 85%, and 25% respectively. You can also modify these values to your liking, but the ones provided here are considered reasonable.

The last 4 lines direct monit to check the network interface (you may need to replace ‘ens3’ with your external network interface name) and to send alerts if connectivity goes down, if the interface is saturated above 90%, or if more than 1GB was uploaded in the last hour. Change ‘1 GB’ according to your network activity.

Apache Monitoring

For apache, monitoring is simple: Check that apache is running and listening on the defined port. If not, restart it.

check process apache with pidfile /run/apache2/apache2.pid
    group www
    start program = "/bin/systemctl start apache2"
    stop  program = "/bin/systemctl stop apache2"
    if failed host localhost port 80
        protocol HTTP request "/" then restart

Final checks and deployment

Almost done!

Since we stopped monit, we need to start it with systemctl start monit.

Check that our configuration is fine with monit -t.

If you followed this tutorial correctly, you should now be able to access the interface and receive alerts. The web interface should now look like the following:

[Image: monit web interface]

Posted in Linux. Tagged apache, cpu, linux, memory, monit.
