Christine Plumejeaud

Those configuration indications are given for a Linux server running under Ubuntu 16.04 LTS Server. All of this can be adapted to other Linux distributions. However, nothing is planned to explain how to set-up the application on a windows server, even though, it is theorytically possible.

Configuring Apache

The following modules must be activated :

a2enmod ssl
a2enmod headers
a2enmod rewrite

PHP modules needed :

  • php-mbstring
  • php-pgsql
  • php7.0-xml ou php-simplexml
  • php-xdebug pour les phases de mise au point
  • php-curl pour l’identification via un serveur CAS.

The generation of labels requires the following packages :

  • php-gd
  • fop (qui inclut des bibliothèques java)

Storing and displaying photos requires:

  • php-imagick

Install PHP7 in a Debian 8 distribution

For issues of performance and upcoming obsolescence of PHP versions 5, it is better to install version 7 of PHP.

In the Debian 8 distribution, only the PHP5 version is available: you have to add the dotdeb repository to get version 7.

The commands shown here come from the document created by Stanislas Lange (https://angristan.fr/installer-php-7-debian-8-jessie-depot-dotdeb).

Add the Dotdeb repository :

echo "deb http://packages.dotdeb.org jessie all" > /etc/apt/sources.list.d/dotdeb.list
wget -O- https://www.dotdeb.org/dotdeb.gpg | apt-key add -
apt update

Delete php5 :

apt-get autoremove --purge php5*

Then install the corresponding packages to PHP7:

apt install php7.0 libapache2-mod-php7.0 php7.0-pgsql php7.0-curl php7.0-json php7.0-gd php7.0-mcrypt php7.0-mbstring \
 php7.0-xml php7.0-zip php7.0-imagick php7.0-xdebug fop

Configure the antivirus

Downloaded parts can be analyzed with CLAMAV antivirus. At first, Clamav must be installed. The simplest is to use the packages of the distribution.

Follow the instructions in the document https://wiki.archlinux.org/index.php/ClamAV for installation and verification of proper operation.

Configure the host and SSL

Enable SSL mode

The application only works in SSL mode, session cookies are not transmitted on unencrypted links. Here is an example configuration to insert into the file /etc/apache2/sites-available/default-ssl

<Directory /var/www/html>
 Options FollowSymLinks MultiViews
 AllowOverride all
 Order allow,deny
 allow from all
 </Directory>

SSLCompression off
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

The channel SSLCipherSuite is given as an example (and valid for Apache2 v. 2.2.22 and Openssl 1.0.1t). Other more modern configurations can be implemented. ANSSI has published a document summarizing the headings to be used (http://www.ssi.gouv.fr/uploads/2016/09/guide_tls_v1.1.pdf). There is also a configurator, made available by the Mozilla Foundation (https://mozilla.github.io/server-side-tls/ssl-config-generator), which allows you to set these parameters correctly depending on the server and level of compatibility sought.

Then enable the SSL mode in Apache :

chmod -R g+r /etc/ssl/private
usermod www-data -a -G ssl-cert
a2ensite default-ssl
service apache2 restart

Declare the virtual site in Apache

Create the file /etc/apache2/sites-available/collec.conf, with the following content :

<VirtualHost *:80>
# redirection en https
 ServerName collec.masociete.com
 ServerPath /collec.masociete.com
 RewriteEngine On
 RewriteRule ^ https://collec.masociete.com%{REQUEST_URI} [R]
</VirtualHost>
<VirtualHost *:443>
 ServerName collec.masociete.com
 ServerPath /collec.masociete.com
 SSLEngine on
# chemin d'acces aux certificats
# Cle publique :
 SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
# cle privee :
 SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# Activer la ligne suivante si vous disposez d'un certificat d'une
# autorite de certification
# SSLCACertificateFile /etc/ssl/certs/cacert.crt
# Chemin d'acces a l'application
 DocumentRoot /var/www/html/collec
</VirtualHost>
<Directory /var/www/html/collec>
 RewriteEngine On
 RewriteBase /
 RewriteCond "/%{REQUEST_FILENAME}" !-f
 RewriteCond "/%{REQUEST_FILENAME}" !-d
 RewriteRule "(.*)" "/index.php?$1" [PT,QSA]
</Directory>

Change the server name, check the application path, and the certificates used.

Once the configuration has been corrected, run the following commands :

a2ensite collec
service apache2 reload

Special case of identification in HEADER mode

If you identify your users behind an identification proxy, such as LemonLdap, you will have to limit the application’s access to the proxy only. The Directory command becomes :

 <Directory /var/www/html>
 Options FollowSymLinks MultiViews
 AllowOverride all
 Order allow,deny
 allow from 10.1.2.3
 </Directory>

10.1.2.3 corresponds to the IP address to the identification proxy server.

Configure the install folder

Organization of the tree

General case : a single instance hosted in the server

  • create a collecApp folder in /var/www.
  • in this folder, create a folder corresponding to the current version, for example 1.2, as well as the param folder
  • unzip in this folder the code of the application
  • copy the file collecApp/1.2/param/param.inc.php.dist to param/param.inc.php
  • modify the file param.inc.php to adapt to your instance, especially if you want to connect from a ldap directory, or if the database is not hosted in the same server
  • in collecApp/1.2/param, create a link to the file collecApp/param/param.inc.php
  • in collecApp, create a link to the current version (1.2), you will name collec
  • in /var/www/html, create a link to /var/www/collecApp/collec (the link we just created)

By this mechanism, the previously declared virtual site points /var/www/html/collec, qui lui-même pointe vers /var/www/collecApp/collec, which points to the current version. This makes it easy to handle new versions. To install a new one :  

  • in collecApp, create a new folder, for example 1.3, and unzip the new version of the code
  • in 1.3/param, create a link to ../param/param.inc.php, to retrieve the local settings
  • delete the link collec in collecApp (which pointed to 1.2)
  • recreate the link collec so that it now points to 1.3

Special case : to make several instances coexist with the same code

It is possible to use the same application code to supply different databases (or data stored in different schemas). This feature is based on assigning different DNS entries.

 

In the setting of the DNS alias (in principle, dans /etc/apache2/sites-available), the application points to the folder /var/www/appliApp/appli1/bin. /var/www correspond at the root of the website, appliApp to the root folder of the application, appli1 to the specific folder of the DNS alias. This appli1 folder contains only two files: param.ini, which contains the specific parameters, and bin, which is a symbolic link to the ../bin folder.

The folder ../bin (thus, in var/www/appliApp) is also an alias which points to the actual code of the application, here code_appli} The file param.inc.php must contain the following commands so that the param.ini file is correctly loaded according to the context :

$chemin = substr($_SERVER["DOCUMENT_ROOT"],0, strpos($_SERVER["DOCUMENT_ROOT"],"/bin"));
$paramIniFile = "$chemin/param.ini";

The param.ini file will be searched in the parent folder of the application code, ie either in appli1 or in appli2 in this example. It only needs to contain the appropriate parameters to make the application usable in different contexts from the same initial code.

The param.ini file is the last one that will be processed to retrieve the parameters.

These are read in the following order :

param/param.default.inc.php > param/param.inc.php > ../param.ini

param.ini will contain the specific entries related to the DNS used to access the application, in principle all or part of them :

APPLI_titre="Gestion des collections d'EABX"
BDD_schema=col, public, gacl
BDD_login=compte_de_connexion
BDD_passwd=mot_de_passe_de_connexion
BDD_dsn=pgsql:host=serveur;dbname=base_de_donnees;sslmode=require
GACL_aco=col
APPLI_code=proto

If a label contains an apostrophe, the string must be inserted in double quotation marks, as here for the APPLI_titre variable.

Rights to be assigned to the web server

The web server must have read access to all the files of the application, and write to two folders:

  • display/templates_c : file used by Smarty to compile HTML document templates;
  • temp : folder for generating images and temporary files.

Here is an example of a script used to position rights :

#!/bin/bash
cp ../param/* param/
chmod -R 770 .
setfacl -R -m u:www-data:rx .
setfacl -R -m d:u:www-data:rx .
mkdir display/templates_c
setfacl -R -m u:www-data:rwx display/templates_c
setfacl -R -m d:u:www-data:rwx display/templates_c
setfacl -R -m u:www-data:rwx temp
setfacl -R -m d:u:www-data:rwx temp
setfacl -R -m d:o::- .
rm -Rf database
rm -Rf test
rm -f param.ini

 

In this example, the folder ../param contains the file param.inc.php, that has implementation-specific settings.

The script is to be launched at the root of the folder containing the application.