Hello everyone,
Here is a quick tutorial on how to deploy the ITSM GLPI on OmniOSce, with an SSL vhost (self-signed).
We will start from a basic HTTP installation, then move to HTTP with a rewrite (following GLPI's security recommendations), and finish with an HTTPS (self-signed) installation with rewrite and HTTP-to-HTTPS redirection.
We log in as root for the entire procedure.
1) Install Apache
pkg install pkg:/ooce/server/apache-24
2) Install and configure MariaDB 11.4
pkg install pkg:/ooce/database/mariadb-114
svcadm enable svc:/ooce/database/mariadb114:default
mariadb-secure-installation
svcadm restart svc:/ooce/database/mariadb114:default
Create the GLPI DB and the privileged user (replace the example password with your own; the same value is reused in step 7):
mysqladmin -uroot create glpidb
mysql -uroot -e"GRANT ALL ON glpidb.* TO adminglpi@localhost IDENTIFIED BY 'EtAvpk62G,efoky40968'"
3) Install and configure PHP
pkg install pkg:/ooce/application/php-83
sed -i 's/;zend_extension=opcache/zend_extension=opcache/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/session.cookie_httponly =/session.cookie_httponly = 1/' /etc/opt/ooce/php-8.3/php.ini
usermod -G webservd php
svcadm disable svc:/application/php83:default
svcadm enable svc:/application/php83:default
4) Download and install the latest GLPI version (10.0.17)
pkg install wget
cd /tmp
wget https://github.com/glpi-project/glpi/releases/download/10.0.17/glpi-10.0.17.tgz
tar -xvzf glpi*
mkdir -p /var/www/glpi
cp -r glpi/* /var/www/glpi
chown -R webservd:webservd /var/www/glpi
chmod -R 775 /var/www/glpi
5) Configure Apache
mkdir -p /opt/ooce/apache-2.4/logs/
chown webservd:webservd /opt/ooce/apache-2.4/logs/
chmod 775 /opt/ooce/apache-2.4/logs/
Create the vhost (http)
cat << EOF > /etc/opt/ooce/apache-2.4/extra/glpi.conf
<VirtualHost *:80>
DocumentRoot "/var/www/glpi"
<Directory "/var/www/glpi">
AllowOverride All
Require all granted
DirectoryIndex index.php index.html index.htm
</Directory>
<FilesMatch \.php\$>
SetHandler "proxy:unix:/var/opt/ooce/php/run/www-8.3.sock|fcgi://localhost/"
</FilesMatch>
ErrorLog "/opt/ooce/apache-2.4/logs/glpi-error_log"
CustomLog "/opt/ooce/apache-2.4/logs/glpi-access_log" common
</VirtualHost>
EOF
echo 'Include /etc/opt/ooce/apache-2.4/extra/glpi.conf' >> /etc/opt/ooce/apache-2.4/httpd.conf
sed -i 's/#LoadModule proxy_module libexec\/mod_proxy.so/LoadModule proxy_module libexec\/mod_proxy.so/' /etc/opt/ooce/apache-2.4/httpd.conf
sed -i 's/#LoadModule proxy_fcgi_module libexec\/mod_proxy_fcgi.so/LoadModule proxy_fcgi_module libexec\/mod_proxy_fcgi.so/' /etc/opt/ooce/apache-2.4/httpd.conf
svcadm enable svc:/network/http:apache24
6) IPF
Configure IPF to open the HTTP port:
echo "pass in log quick proto tcp from any to any port = 80 keep state" >> /etc/ipf/ipf.conf
ipf -Fa -f /etc/ipf/ipf.conf
7) GLPI security recommendations
cat >> /var/www/glpi/inc/downstream.php << EOF
<?php
define('GLPI_CONFIG_DIR', '/etc/glpi/');
if (file_exists(GLPI_CONFIG_DIR . '/local_define.php')) {
require_once GLPI_CONFIG_DIR . '/local_define.php';
}
?>
EOF
mkdir /etc/glpi
cat >> /etc/glpi/local_define.php << EOF
<?php
define('GLPI_VAR_DIR', '/var/lib/glpi');
define('GLPI_LOG_DIR', '/var/log/glpi');
?>
EOF
mkdir /var/lib/glpi /var/log/glpi
cp -r /var/www/glpi/files/* /var/lib/glpi/
rm -r /var/www/glpi/files /var/www/glpi/config
find /var/www/glpi -type f -exec chmod 664 {} \;
find /var/www/glpi -type d -exec chmod 775 {} \;
cat << EOF > /etc/opt/ooce/apache-2.4/extra/glpi.conf
<VirtualHost *:80>
DocumentRoot "/var/www/glpi/public"
<Directory /var/www/glpi/public>
AllowOverride All
Require all granted
DirectoryIndex index.php index.html index.htm
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^.*$ index.php [QSA,L]
</IfModule>
</Directory>
<FilesMatch \.php\$>
SetHandler "proxy:unix:/var/opt/ooce/php/run/www-8.3.sock|fcgi://localhost/"
</FilesMatch>
ErrorLog "/opt/ooce/apache-2.4/logs/glpi-error_log"
CustomLog "/opt/ooce/apache-2.4/logs/glpi-access_log" common
</VirtualHost>
EOF
sed -i 's/#LoadModule rewrite_module libexec\/mod_rewrite.so/LoadModule rewrite_module libexec\/mod_rewrite.so/' /etc/opt/ooce/apache-2.4/httpd.conf
Initialize GLPI with the MariaDB database directly from the CLI (I do not use the web wizard):
cd /var/www/glpi
php ./bin/console db:install --db-host=127.0.0.1 --db-name="glpidb" --db-user="adminglpi" --db-password="EtAvpk62G,efoky40968" --no-telemetry --force --no-interaction
rm /var/www/glpi/install/install.php
svcadm restart apache24
chown -R webservd:webservd /var/log/glpi
chmod -R 775 /var/log/glpi
chown -R webservd:webservd /var/lib/glpi
chmod -R 775 /var/lib/glpi
8) https
pkg list -q pkg:/library/security/openssl || pkg install pkg:/library/security/openssl
mkdir /etc/opt/ooce/apache-2.4/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/opt/ooce/apache-2.4/ssl/glpi.key -out /etc/opt/ooce/apache-2.4/ssl/glpi.crt
chown root:webservd /etc/opt/ooce/apache-2.4/ssl/glpi.key
chmod 640 /etc/opt/ooce/apache-2.4/ssl/glpi.key
cat << EOF > /etc/opt/ooce/apache-2.4/extra/glpi.conf
# -------------------------------------------------------------------
# Single file for http and https: glpi.conf
# No need for httpd-ssl.conf
# -------------------------------------------------------------------
# --- Listen on port 80 (httpd.conf already listens on it, but anyway...) ---
# Listen 80
# --- Listen on port 443 ---
Listen 443
# -------------------------------------------------------------------
# SSL Global Configuration
# -------------------------------------------------------------------
SSLSessionCache "shmcb:/var/opt/ooce/apache-2.4/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
# -------------------------------------------------------------------
# GLPI HTTP (80) VirtualHost
# -------------------------------------------------------------------
<VirtualHost *:80>
#ServerName mon-serveur.example.com
DocumentRoot "/var/www/glpi/public"
# --- Option: redirection to HTTPS ---
RewriteEngine On
# If you don't want to redirect everything to HTTPS, comment out the following line.
# Replace mon-serveur.example.com with the name of your server.
RewriteRule ^(.*)$ https://mon-serveur.example.com\$1 [R=301,L]
<Directory "/var/www/glpi/public">
AllowOverride All
Require all granted
DirectoryIndex index.php index.html index.htm
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^.*$ index.php [QSA,L]
</IfModule>
</Directory>
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/opt/ooce/php/run/www-8.3.sock|fcgi://localhost/"
</FilesMatch>
ErrorLog "/opt/ooce/apache-2.4/logs/glpi-http-error_log"
CustomLog "/opt/ooce/apache-2.4/logs/glpi-http-access_log" common
</VirtualHost>
# -------------------------------------------------------------------
# GLPI HTTPS (443) VirtualHost
# -------------------------------------------------------------------
<VirtualHost *:443>
#ServerName mon-serveur.example.com
DocumentRoot "/var/www/glpi/public"
# --- Activate SSL ---
SSLEngine on
# --- Your certs ---
SSLCertificateFile "/etc/opt/ooce/apache-2.4/ssl/glpi.crt"
SSLCertificateKeyFile "/etc/opt/ooce/apache-2.4/ssl/glpi.key"
<Directory "/var/www/glpi/public">
AllowOverride All
Require all granted
DirectoryIndex index.php index.html index.htm
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^.*$ index.php [QSA,L]
</IfModule>
</Directory>
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/opt/ooce/php/run/www-8.3.sock|fcgi://localhost/"
</FilesMatch>
ErrorLog "/opt/ooce/apache-2.4/logs/glpi-ssl-error_log"
CustomLog "/opt/ooce/apache-2.4/logs/glpi-ssl-access_log" common
</VirtualHost>
EOF
sed -i 's/#LoadModule ssl_module libexec\/mod_ssl.so/LoadModule ssl_module libexec\/mod_ssl.so/' /etc/opt/ooce/apache-2.4/httpd.conf
sed -i 's/#LoadModule socache_shmcb_module libexec\/mod_socache_shmcb.so/LoadModule socache_shmcb_module libexec\/mod_socache_shmcb.so/' /etc/opt/ooce/apache-2.4/httpd.conf
sed -i 's/;session.cookie_secure =/session.cookie_secure = 1/' /etc/opt/ooce/php-8.3/php.ini
svcadm disable svc:/application/php83:default
svcadm enable svc:/application/php83:default
svcadm restart apache24
9) IPF
Open the https port.
echo "pass in log quick proto tcp from any to any port = 443 keep state" >> /etc/ipf/ipf.conf
ipf -Fa -f /etc/ipf/ipf.conf
That's it.
You now have GLPI working over HTTPS on OmniOSce.
Good luck :-).
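An added check, not part of the original post: a POSIX shell function that statically audits a vhost file for three settings this tutorial touches, namely a DocumentRoot outside GLPI's public/ directory (step 5 versus step 7), and the "SSLProtocol all -SSLv3" and "HIGH:MEDIUM" cipher lines from step 8, which leave TLS 1.0/1.1 and medium-strength ciphers permitted by the Apache configuration. The function names, finding labels and both sample configs are constructed for this example, and the "hardened" sample is one possible tightening, assumed here rather than taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Sample configs are constructed.

# sample_conf weak|hardened: "weak" reuses the tutorial's TLS lines and the
# step 5 DocumentRoot; "hardened" is one possible tightening (an assumption).
sample_conf() {
    if [ "$1" = weak ]; then
        printf '%s\n' 'SSLProtocol all -SSLv3' \
            'SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES' \
            'DocumentRoot "/var/www/glpi"'
    else
        printf '%s\n' 'SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1' \
            'SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES' \
            'DocumentRoot "/var/www/glpi/public"'
    fi
}

# audit_vhost FILE: print one finding per line; return 1 if anything was found.
audit_vhost() {
    findings=$(awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        { d = tolower($1) }                      # directive names are case-insensitive
        d == "documentroot" {
            root = $2; gsub(/"/, "", root)
            if (root !~ /\/public\/?$/) print "docroot-not-public: " root
        }
        d == "sslprotocol" || d == "sslproxyprotocol" {
            all = 0; no10 = 0; no11 = 0
            for (i = 2; i <= NF; i++) {
                p = tolower($i)
                if (p == "all") all = 1
                if (p == "-tlsv1") no10 = 1
                if (p == "-tlsv1.1") no11 = 1
            }
            if (all && !(no10 && no11)) print "legacy-tls-allowed: " $0
        }
        (d == "sslciphersuite" || d == "sslproxyciphersuite") &&
            $NF ~ /(^|:)MEDIUM(:|$)/ { print "medium-ciphers: " $0 }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on the constructed weak sample; on a real host pass the vhost file path.
demo=$(mktemp)
sample_conf weak > "$demo"
audit_vhost "$demo" || echo "review the findings above before opening port 443"
rm -f "$demo"
```

On the host built in this tutorial, run audit_vhost against /etc/opt/ooce/apache-2.4/extra/glpi.conf after step 8.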