BookStack @SLES16 (openSUSE v16.1) (with Internet access)
Let's deploy BookStack web application to the Internet reachable environment:
- Solution: BookStack (www, github)
- Resources: VM in the laptop lab.
- Stack:
- mbp7dox2: openSUSE 16.1 + nginx + MariaDB
Create VM.
Preparations:
sudo su
zypper install \
tmux \
git \
php \
php-gd \
php-zip \
php-mysqlnd \
php8-cli \
php8-phar \
php8-curl \
php8-fileinfo \
php8-mbstring \
php8-pdo \
php8-mysql \
Install MariaDB and perform recommended post-install
zypper install mariadb-server
systemctl enable --now mariadb
systemctl status mariadb
Secure the fresh setup
mariadb-secure-installation
Create database and application user
export db_pass="Very-Strong-Password123"
mariadb -u root --execute="CREATE DATABASE bookstack;"
mariadb -u root --execute="CREATE USER 'bookstack'@'localhost' IDENTIFIED BY '${db_pass}';"
mariadb -u root --execute="GRANT ALL ON bookstack.* TO 'bookstack'@'localhost'; FLUSH PRIVILEGES;"
Verify freshly created user can login
mariadb -u bookstack -p
Setup nginx, enable SSL
zypper install nginx
systemctl enable --now nginx
systemctl status nginx
ss -ntap | grep nginx
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=14387,fd=6),("nginx",pid=14386,fd=6))
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=14387,fd=7),("nginx",pid=14386,fd=7))
Create of self-signed certificates and Enable SSL
We have local running environment (virtualized local VM) and will use self-signed certificate in this scenario), alternatively, point cert and key accordingly.
sudo su
export dir="/data/certs/"
export fqdn="dox.$(hostname)"
echo ${fqdn}
mkdir -p ${dir}/${fqdn}/current/
mkdir -p ${dir}/${fqdn}/archive/
openssl req -x509 \
-nodes \
-days 365 \
-newkey rsa:2048 \
-subj "/C=FI/ST=State/L=City/O=Home/OU=IT/CN=${fqdn}" \
-out ${dir}/${fqdn}/current/${fqdn}.crt \
-keyout ${dir}/${fqdn}/current/${fqdn}.key
ls -la ${dir}/${fqdn}/current/
Modify Nginx webserver's config
Open Nginx's default config file. SLES has different Nginx's config structure.
export fqdn="$(hostname)"
echo ${fqdn}
vi /etc/nginx/vhosts.d/${fqdn}.conf
It is highly recommended to stop using and promote usage of unencrypted HTTP. Do not disable it, but use forwarders instead.
Before I used to disable (=comment or remove) "Server { Listen 80; }" definition (upper block) and enable (=uncomment) "Server { Listen 443 ssl http2; }" definition lower block.
But later felt in the trap, that some browsers does initiate first connections unencrypted, I have replaced comments with forwarders. Depending on the environment and use-cases.
for BookStack like this (using $request_uri variable)
Shortly, config should look like this
```bash
server {
listen 80;
server_name mbp7dox2;
access_log /var/log/nginx/mbp7dox2.access.log;
error_log /var/log/nginx/mbp7dox2.error.log;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name _;
access_log /var/log/nginx/mbp7dox2.access.log;
error_log /var/log/nginx/mbp7dox2.error.log;
root /usr/share/nginx/html;
ssl_certificate "/data/certs/mbp7dox2/current/mbp7dox2.crt";
ssl_certificate_key "/data/certs/mbp7dox2/current/mbp7dox2.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
}
SElinux
! TODO:fix context
Test config and reload it:
nginx -t
nginx -s reload
ss -ntap | grep nginx
Test it, requesting to show headers only, '-k' - will skip cert checks, as they will fail for not matching the CN (common name). Using local address to avoid DNS lookup.
curl -I https://127.0.0.1 -k
Open firewall (create security policies to pass the traffic in)
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
firewall-cmd --list-all
Foundation is done. We can proceed with application setup.
Install PHP-FPM
zypper install php-fpm
systemctl enable --now php-fpm
systemctl status php-fpm
We need to know, where PHP-FPM is listening, to point requests correctly from webserver below:
fgrep -irn listen /etc/php8/fpm/
port 9000 we shall be using and not local file socket
/etc/php8/fpm/php-fpm.d/www.conf:43:listen = 127.0.0.1:9000
Let's see which user and group is owning the php.
fgrep -irn user /etc/php8/fpm/ | grep -v \;
fgrep -irn group /etc/php8/fpm/ | grep -v \;
these are
user=wwwrun
group=www
Let's see which user and group nginx is running with
fgrep -irn user /etc/nginx/
ss -ntap | grep nginx
-"Aha!". Let's change PHP-FPM be run as nginx
vi /etc/php8/fpm/php-fpm.d/www.conf
Should be like this, using nginx user:
; user = wwwrun
user = nginx
; group = www
group = nginx
Remember to restart the service
systemctl restart php-fpm
Install Composer and make available globally.
ref to
https://getcomposer.org/download/
as a normal user, not root
mkdir -p ~/utils/composer
cd ~/utils/composer/
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === 'c8b085408188070d5f52bcfe4ecfbee5f727afa458b2573b8eaaf77b3419b0bf2768dc67c86944da1544f06fa544fd47') { echo 'Installer verified'.PHP_EOL; } else { echo 'Installer corrupt'.PHP_EOL; unlink('composer-setup.php'); exit(1); }"
php composer-setup.php
php -r "unlink('composer-setup.php');"
php composer.phar
sudo mv composer.phar /usr/local/bin/composer
Prepare home for application
Naming convention: application.host, in my case it is. Always bear in mind, that one host may have more than one application. If there are direct FQDN, then use it to make management easier.
whoami
sudo su
# privileged user (you)
export pu="anton"
export host="$(hostname)"
export app="dox.${host}"
export dir="/var/www/${app}"
echo ${dir}
mkdir -p ${dir}
# permit priviledged user to own app directory
chown -R ${pu}:${pu} ${dir}
exit
# as priviledged user, not as root
export host="$(hostname)"
export app="dox.${host}"
export dir="/var/www/${app}"
cd ${dir}
Create application-specific configuration file in the webserver
sudo su
export host="$(hostname)"
export app="dox.${host}"
export dir="/var/www/${app}"
cat << _EOF_ > /etc/nginx/vhosts.d/${app}.conf
server {
listen 443 ssl;
server_name ${app};
access_log /var/log/nginx/${app}_access.log;
error_log /var/log/nginx/${app}_error.log;
ssl_certificate "/data/certs/${app}/current/${app}.crt";
ssl_certificate_key "/data/certs/${app}/current/${app}.key";
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers PROFILE=SYSTEM;
root ${dir}/BookStack/public;
index index.php;
client_max_body_size 1G;
fastcgi_buffers 64 4K;
location / {
try_files \$uri \$uri/ /index.php?\$query_string;
}
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_param PATH_INFO \$fastcgi_path_info;
fastcgi_pass 127.0.0.1:9000;
}
location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
expires 30d;
access_log off;
}
location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README) {
deny all;
}
}
_EOF_
Verify
ls -la /etc/nginx/vhosts.d/${app}.conf
Prepare hostnames to match certificates CNs (for local usage)
vi /etc/hosts
127.0.0.1 localhost mbp7dox2 dox.mbp7dox2
Test and reload the webserver:
nginx -t
nginx -s reload
export host="$(hostname)"
export app="dox.${host}"
echo ${app}
curl https://${app} -k
Installation of BookStack application
Change directory before cloning the repo. As a normal user, not root
export host="$(hostname)"
export app="dox.${host}"
export dir="/var/www/${app}/"
cd ${dir}
pwd
/var/www/dox.lt58dox1
Clone repo
git clone https://github.com/BookStackApp/BookStack.git --branch release --single-branch
ls -la
Build an application
cd Bookstack
which composer
composer update
composer install --no-dev
Should be built successfully:
Creating missing directories
issue
#3 /var/www/dox.lt58dox1/BookStack/vendor/la...; PHP message: PHP Fatal error: Uncaught UnexpectedValueException: The stream or file "/var/www/dox.lt58dox1/BookStack/storage/logs/laravel.log" could not be opened in append mode: Failed to open stream: Permission denied
sudo su
export host="$(hostname)"
export app="dox.${host}"
export dir="/var/www/${app}/"
ls -la ${dir}/BookStack/storage/logs/
# Create an empty log and directory for views
touch ${dir}/BookStack/storage/logs/laravel.log
chown nginx:nginx ${dir}/BookStack/storage/logs/laravel.log
namei -mo ${dir}/BookStack/storage/logs/laravel.log
Configure application
Copy template, generate salt and configure .env
sudo su
export host="$(hostname)"
export app="dox.${host}"
export dir="/var/www/${app}"
cd ${dir}/BookStack/
pwd
cp .env.example .env
php artisan key:generate
Are you sure you want to run this command? Yes [Enter]
vi .env
Should be simple as
APP_KEY=base64:goKeJWQsFFboBGOSF5+eti2Yv1auP4rXvxVbQ4Iupgc=
APP_URL=https://dox.lt58dox1
DB_HOST=localhost
DB_DATABASE=bookstack
DB_USERNAME=bookstack
DB_PASSWORD=Very-Strong-Password123
# not in use
MAIL_DRIVER=smtp
MAIL_FROM_NAME="BookStack"
MAIL_FROM=bookstack@example.com
MAIL_HOST=localhost
MAIL_PORT=587
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
Create database schema
php artisan migrate
Set least necessary permissions for application
export host="$(hostname)"
export app="dox.${host}"
export dir="/var/www/${app}"
# not inside app dir, but level up (not to be affected by itself)
vi fixperm-${app}.sh
#!/bin/bash
export host="$(hostname)"
export app="dox.${host}"
export dir="/var/www/${app}/BookStack/"
# priviledged user
export pu="anton"
# webserver's user
export wsu="nginx"
chown -R ${wsu}:${pu} ${dir}
subdirs=("" "/storage/" "/bootstrap/cache/" "/public/uploads/")
for subdir in "${subdirs[@]}" ; do
echo "--[ subdir: ${subdir} ]--"
chown -R ${wsu}:${pu} ${dir}/${subdir}
done
for subdir in "${subdirs[@]}" ; do
echo "--[ subdir: ${subdir} ]--"
find ${dir}/${subdir} -type d -exec chmod 0770 {} \+
find ${dir}/${subdir} -type f -exec chmod 0660 {} \+
done
chmod +x ./fixperm.sh
./fixperm.sh
Application is ready
Used space:
Minimal openSUSE16.1 + webserver + PHP-FPM + MariaDB
df -hT | sort
date
export dir="/var/www/${app}"
df -hT ${dir}
du -h ${dir} --max-depth=1
No Comments