New Server Setup - CustodesTechnologia/System Wiki

Bolter and Chainsword

New Server Setup

To get the hardware ready for running the Invision software, Invision recommends running a PHP script to test the compatibility of the site.

Typically, most vendors of bare-metal servers will not have all of the packages pre-installed. Here is the list of the packages to install. If they are already installed, the tool will tell you and there is nothing to do for that package.

The Invision Software recommends a certain baseline of software to be set up on the host.

After some trial and error, this is the set of packages that must be installed:

# baseline the host reference to packages
apt update

# get apache
apt install apache2

# in order to get the recommended version of 5.6 MySQL
add-apt-repository 'deb http://kr.archive.ubuntu.com/ubuntu xenial main' -y
add-apt-repository 'deb http://archive.ubuntu.com/ubuntu trusty universe' -y
apt-get update
apt-get install mysql-server-5.6
apt-get install mysql-client-5.6

# Useful tools for the system
apt install net-tools

# these are all required by Invision
apt install php

apt install php7.2-xml
apt install php-dom php-gd php-mysqli php-mbstring
apt install php-gd
apt install php-mbstring
apt install php7.2-mysql
apt install php-curl php-zip

# This package lets you run the apache2 process for the server
# under a specific username.  Makes it easier to assign a new user
# to run the server as (not root!) and then allow maintainers to
# access files on the site.  The default user is `www-data` for Apache2
# and we don't want to make that a login user. Nor do we want to
# open the file permissions up for `o+w`.  There's no need for it.
# Just make a user, run the Apache2 instance (virtual host) under that
# user.
apt install libapache2-mpm-itk

Remember to enable the Apache mod_rewrite module and mpm_itk module if you use it.

a2enmod rewrite
a2enmod mpm_itk

Also pay attention to the php.ini advice on suppressing functions (re: exec, system, passthru, popen, proc_open, shell_exec). Add them to the disable_functions line:

disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,system,passthru,popen,proc_open,shell_exec

Having done that, restart Apache:

systemctl restart apache2

Then you can retest the compatibility script.

Ignore the error that it cannot reach the MySQL server -- of course it can't -- we didn't instruct the script how to access any databases on the MySQL server. Don't worry about it. It'll work.
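
To confirm that the disable_functions edit above covers all six functions, the following check can be run against the php.ini file. It is an added example, not part of the original wiki or of Invision's tooling; the script name and the php.ini path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki): report which of the command-execution
# functions named above are still enabled in a given php.ini.

REQUIRED="exec system passthru popen proc_open shell_exec"

# Print the functions from $REQUIRED that are absent from disable_functions.
missing_disabled() {
    ini=$1
    # Assumption: the last uncommented disable_functions line is the effective
    # one. Drop the key, then strip spaces, tabs, quotes and CRs.
    list=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | tail -n 1 | cut -d= -f2- | tr -d ' \t"\r')
    missing=""
    for fn in $REQUIRED; do
        # Compare whole comma-separated entries: the stock line already holds
        # pcntl_exec, which a substring search for "exec" would accept.
        case ",$list," in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    echo "${missing# }"
}

# Usage: sh check_disable_functions.sh /etc/php/7.2/apache2/php.ini
# (path is an assumption: Ubuntu's layout for mod_php with PHP 7.2)
if [ "$#" -gt 0 ]; then
    left=$(missing_disabled "$1")
    if [ -n "$left" ]; then
        echo "still enabled: $left"
        exit 1
    fi
    echo "all six functions are disabled"
fi
```

Apache and the PHP command line read different php.ini files on Ubuntu, so point the check at the one Apache loads.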

Apache2 Config

<VirtualHost *:80>
        ServerName DOMAIN_NAME
        ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log
        DocumentRoot /var/www/USER
        CustomLog ${APACHE_LOG_DIR}/DOMAIN_access.log combined
        ServerAdmin ADMIN_EMAIL

        <IfModule mpm_itk_module>
           AssignUserID USER GROUP
        </IfModule>

        <Directory /var/www/USER>
            Options FollowSymLinks MultiViews
            AllowOverride All
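
            ## These lines are used for password protecting the site
            ## during development.  Once the site is ready for production,
            ## replace them with "Require all granted".  Do not keep both:
            ## Apache 2.4 ORs multiple Require lines in one section, so
            ## "Require all granted" would let everyone in without a password.
            AuthType Basic
            AuthName "Restricted Content"
            AuthUserFile GLOBAL_APACHE_PASSWD_FILE
            Require valid-user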
        </Directory>
</VirtualHost>

Document Root Config

If you need a barrier between visitors and the site under development, one that sits in front of whatever "door" the Invision software provides, use .htaccess:

In the DocumentRoot you'll need to put a .htaccess file.

The contents will vary depending on how your site is configured, but to keep visitors away from the site while development is under way, it usually starts out like this:

(Add this to the .htaccess file. You may already have other .htaccess settings that are present -- like mod_rewrite rules, etc.)

ErrorDocument 401 /Not_Online_Yet.html

AuthType Basic
AuthName "Restricted Content"
AuthUserFile GLOBAL_APACHE_PASSWD_FILE
Require user USER

Make the page Not_Online_Yet.html in DocumentRoot (rename to suit your taste).

Now you can work with relative peace with the software/site.
