Configuring GLPI on Apache (HTTPS) on OmniOSce
Today we'll deploy GLPI on OmniOSce.
GLPI is an open-source IT asset management and helpdesk software. It helps organizations efficiently manage their IT resources, track assets, and provide support services.
GLPI is widely used for its versatility and customizable features.
For this installation, we will create an internal website 'www.myglpi.lan' with a self-signed SSL certificate for HTTPS and also configure an HTTP -> HTTPS redirection.
Adapt the procedure to your needs and change the passwords (etc.), of course.
┌ Open a terminal and switch to root
su -
┌ Install Apache
pkg install pkg:/ooce/server/apache-24
mkdir /etc/opt/ooce/apache-2.4/SSL
┌ Install wget
pkg install pkg:/web/wget
┌ Install MariaDB
pkg install pkg:/ooce/database/mariadb-1011
svcadm enable svc:/ooce/database/mariadb1011:default && sleep 10
┌ Create an SQL database for GLPI
mysqladmin -uroot create "glpidb"
┌ Create a privileged user (adminglpi) for managing the glpidb database
mysql -uroot -e"CREATE USER 'adminglpi'@'localhost' IDENTIFIED BY 'password'"
mysql -uroot -e"GRANT ALL ON \`glpidb\`.* TO 'adminglpi'@'localhost'"
┌ Install PHP
pkg install pkg:/ooce/application/php-83
┌ Configure PHP
cp /etc/opt/ooce/php-8.3/php.ini /etc/opt/ooce/php-8.3/php.ini.BAK
The following commands uncomment the necessary extensions to activate them and also apply some additional security measures (session cookies flagged Secure and HttpOnly).
sed -i 's/;extension=curl/extension=curl/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/;extension=gd/extension=gd/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/;extension=mbstring/extension=mbstring/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/;extension=zip/extension=zip/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/;extension=exif/extension=exif/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/;extension=openssl/extension=openssl/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/;extension=fileinfo/extension=fileinfo/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/;zend_extension=opcache/zend_extension=opcache/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/;extension=mysqli/extension=mysqli/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/;extension=bz2/extension=bz2/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/;extension=ldap/extension=ldap/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/;extension=sodium/extension=sodium/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/;session.cookie_secure =/session.cookie_secure = 1/' /etc/opt/ooce/php-8.3/php.ini
sed -i 's/session.cookie_httponly =/session.cookie_httponly = 1/' /etc/opt/ooce/php-8.3/php.ini
The sodium extension is missing from the pkg:/ooce/application/php-83 package. If you need it, you can get it from the pkgsrc repository
(see another newsletter, 'Install additional repositories on OmniOS ce and OpenIndiana', to install the pkgsrc repository).
You'll probably have to define a complete path in extension_dir in php.ini in order to use the sodium extension.
┌ Restart PHP
svcadm disable svc:/application/php83:default && sleep 5 && svcadm enable svc:/application/php83:default
┌ Add the php user to the webservd group
usermod -G webservd php
┌ Install GLPI 10.0.14
mkdir /var/www
wget https://github.com/glpi-project/glpi/releases/download/10.0.14/glpi-10.0.14.tgz -P /var/www/
tar -xvzf /var/www/glpi-10.0.14.tgz -C /var/www/
rm /var/www/glpi-10.0.14.tgz
mv /var/www/glpi/ /var/www/www.myglpi.lan
┌ Apply TEMPORARY permissions to the DocumentRoot
This is very permissive.
You'll have to change this after the initialization.
chown -R webservd:webservd /var/www/www.myglpi.lan
chmod -R 777 /var/www/www.myglpi.lan/config
chmod -R 777 /var/www/www.myglpi.lan/files
chmod -R 777 /var/www/www.myglpi.lan/marketplace
┌ Configure Apache Logs
mkdir -p /opt/ooce/apache-2.4/logs/
chown webservd:webservd /opt/ooce/apache-2.4/logs/
chmod 755 /opt/ooce/apache-2.4/logs/
┌ Create our own SSL certification authority for self-signing
cd /etc/opt/ooce/apache-2.4/SSL
openssl genrsa 4096 > ca.key
openssl req -new -x509 -days 365 -nodes -key ca.key > ca.crt
openssl genrsa 4096 > apacheprivatekey.key
┌ Create the SSL signature request and have it signed by our certification authority
For a real website, you'll have to send this request4signature.csr to a real SSL certification authority
openssl req -new -key apacheprivatekey.key > request4signature.csr
openssl x509 -req -in request4signature.csr -out apachecertificate.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
┌ Apply permissions for the private key and SSL certificate
chown webservd:webservd apacheprivatekey.key
chmod 640 apacheprivatekey.key
chown webservd:webservd apachecertificate.crt
chmod 644 apachecertificate.crt
┌ Creation of the VirtualHost for GLPI
Create a /etc/opt/ooce/apache-2.4/extra/www.myglpi.lan.conf vhost configuration with :
#### VHOST GLPI ####
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/opt/ooce/apache-2.4/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
#REDIRECTION HTTP -> HTTPS
<VirtualHost 192.168.10.115:80>
ServerName www.myglpi.lan
Redirect permanent / https://www.myglpi.lan:443/
</VirtualHost>
<VirtualHost 192.168.10.115:443>
ServerAdmin admin@www.myglpi.lan
DocumentRoot "/var/www/www.myglpi.lan/public"
ServerName www.myglpi.lan:443
ErrorLog "/opt/ooce/apache-2.4/logs/www.myglpi.lan-error_log"
CustomLog "/opt/ooce/apache-2.4/logs/www.myglpi.lan-access_log" common
SSLEngine on
SSLCertificateFile "/etc/opt/ooce/apache-2.4/SSL/apachecertificate.crt"
SSLCertificateKeyFile "/etc/opt/ooce/apache-2.4/SSL/apacheprivatekey.key"
<Directory "/var/www/www.myglpi.lan/public">
Require all granted
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
DirectoryIndex index.php index.html index.htm
</Directory>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:unix:/var/opt/ooce/php/run/www-8.3.sock|fcgi://localhost/"
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/opt/ooce/apache-2.4/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
CustomLog "/var/log/opt/ooce/apache-2.4/ssl_request_log" combined
</VirtualHost>
┌ Add the virtualhost to the apache configuration
Open /etc/opt/ooce/apache-2.4/httpd.conf, go to the end of the file and paste this :
#-------------------------#
# VHOST www.myglpi.lan
Include /etc/opt/ooce/apache-2.4/extra/www.myglpi.lan.conf
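The 'SSLProtocol all -SSLv3' lines in the vhost file only remove SSLv3, so as far as the directive is concerned TLS 1.0 and TLS 1.1 stay enabled. The following added example (not part of the original procedure; the function names are illustrative) models how mod_ssl evaluates the directive's arguments and flags legacy versions in a configuration file, using a constructed two-line sample.

```sh
# Added example, not from the original page: model how mod_ssl evaluates the
# arguments of SSLProtocol. Assumption: "all" is modelled as every version
# mod_ssl can name; what is really offered also depends on the OpenSSL build.
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# effective_protocols TOKEN... -> enabled versions, space separated
effective_protocols() {
    enabled=""
    for tok in "$@"; do
        case $tok in
            +*) op=add; name=${tok#+} ;;
            -*) op=del; name=${tok#-} ;;
            *)  op=set; name=$tok ;;   # a bare token replaces the whole set
        esac
        if [ "$name" = all ]; then name=$ALL_PROTOCOLS; fi
        next=""
        for p in $ALL_PROTOCOLS; do
            cur=no; arg=no
            case " $enabled " in *" $p "*) cur=yes ;; esac
            case " $name " in *" $p "*) arg=yes ;; esac
            case "$op:$cur:$arg" in
                add:yes:*|add:*:yes|del:yes:no|set:*:yes) next="$next $p" ;;
            esac
        done
        enabled=${next# }
    done
    printf '%s\n' "$enabled"
}

# legacy_protocols FILE -> one line per directive/version pair that still
# enables SSLv3, TLSv1 or TLSv1.1; returns 1 if any was found.
legacy_protocols() {
    rc=0
    while read -r directive args; do
        case "$directive" in SSLProtocol|SSLProxyProtocol) ;; *) continue ;; esac
        for v in $(effective_protocols $args); do
            case $v in SSLv3|TLSv1|TLSv1.1) echo "$directive enables $v"; rc=1 ;; esac
        done
    done < "$1"
    return $rc
}

# Constructed sample: the two protocol lines of the vhost file above.
sample=$(mktemp)
printf '%s\n' 'SSLProtocol all -SSLv3' 'SSLProxyProtocol all -SSLv3' > "$sample"
legacy_protocols "$sample" || echo "candidate: SSLProtocol -all +TLSv1.2 +TLSv1.3"
rm -f "$sample"
```

On the server, point legacy_protocols at /etc/opt/ooce/apache-2.4/extra/www.myglpi.lan.conf.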
┌ Configure Apache for PHP
sed -i 's|#LoadModule proxy_module libexec/mod_proxy.so|LoadModule proxy_module libexec/mod_proxy.so|' /etc/opt/ooce/apache-2.4/httpd.conf
sed -i 's|#LoadModule proxy_fcgi_module libexec/mod_proxy_fcgi.so|LoadModule proxy_fcgi_module libexec/mod_proxy_fcgi.so|' /etc/opt/ooce/apache-2.4/httpd.conf
┌ Activate Rewrite module
sed -i 's|#LoadModule rewrite_module libexec/mod_rewrite.so|LoadModule rewrite_module libexec/mod_rewrite.so|' /etc/opt/ooce/apache-2.4/httpd.conf
┌ Configure Apache for SSL
sed -i 's|#LoadModule socache_shmcb_module libexec/mod_socache_shmcb.so|LoadModule socache_shmcb_module libexec/mod_socache_shmcb.so|' /etc/opt/ooce/apache-2.4/httpd.conf
sed -i 's|#LoadModule ssl_module libexec/mod_ssl.so|LoadModule ssl_module libexec/mod_ssl.so|' /etc/opt/ooce/apache-2.4/httpd.conf
sed -i 's|#LoadModule setenvif_module libexec/mod_setenvif.so|LoadModule setenvif_module libexec/mod_setenvif.so|' /etc/opt/ooce/apache-2.4/httpd.conf
sed -i 's|#LoadModule log_config_module libexec/mod_log_config.so|LoadModule log_config_module libexec/mod_log_config.so|' /etc/opt/ooce/apache-2.4/httpd.conf
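Both the php.ini edits in the 'Configure PHP' step and the httpd.conf edits above rely on sed -i, which reports success even when a pattern matched nothing. The following added example (not part of the original procedure; the function names are illustrative) checks that the expected lines are really active, demonstrated on a constructed sample file.

```sh
# Added example, not from the original page. "sed -i" exits 0 even when its
# pattern matched nothing, so confirm the edits landed before (re)starting.

# inactive_lines FILE LINE... -> prints each LINE that is not present as an
# active line in FILE (";extension=gd" or "#LoadModule ..." do not count);
# returns 1 if anything is missing.
inactive_lines() {
    file=$1; shift
    rc=0
    for want in "$@"; do
        # trim blanks, then match the whole line literally (-F -x)
        if ! sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$file" |
                grep -Fxq -e "$want"; then
            printf 'not active: %s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Expected results of the php.ini edits (sodium left out: not in the package)
check_php_ini() {
    inactive_lines "$1" extension=curl extension=gd extension=mbstring \
        extension=zip extension=exif extension=openssl extension=fileinfo \
        zend_extension=opcache extension=mysqli extension=bz2 extension=ldap \
        'session.cookie_secure = 1' 'session.cookie_httponly = 1'
}

# Expected results of the httpd.conf edits
check_httpd_conf() {
    for m in proxy proxy_fcgi rewrite socache_shmcb ssl setenvif log_config; do
        set -- "$@" "LoadModule ${m}_module libexec/mod_${m}.so"
    done
    inactive_lines "$@"
}

# Constructed sample: only rewrite was really uncommented.
sample=$(mktemp)
printf '%s\n' '#LoadModule ssl_module libexec/mod_ssl.so' \
    'LoadModule rewrite_module libexec/mod_rewrite.so' > "$sample"
check_httpd_conf "$sample" || echo "fix the lines above before starting Apache"
rm -f "$sample"
```

On the server, run check_php_ini /etc/opt/ooce/php-8.3/php.ini and check_httpd_conf /etc/opt/ooce/apache-2.4/httpd.conf, the two paths used in the steps above.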
┌ Start Apache
svcadm disable svc:/network/http:apache24 && sleep 5 && svcadm enable svc:/network/http:apache24 && sleep 5
┌ Check Apache service
svcs svc:/network/http:apache24
If anything is wrong:
cat /var/svc/log/network-http:apache24.log
From a client computer on the same network, after registering the correspondence between the IP of your GLPI server and the name of its website (here: 192.168.10.115 www.myglpi.lan) in the hosts file of the client PC, you will be able to proceed with the initialization of GLPI via the web browser.
Further security steps are absolutely necessary before deployment into production.
Please consult the GLPI documentation on this subject :
https://glpi-install.readthedocs.io/en/latest/install/index.html#installation
This particular step of using /etc/glpi and /var/lib/glpi instead of the folders in the DocumentRoot must be done AFTER the initialization of GLPI via the web browser or you'll be stuck !
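The temporary 777 permissions on config, files and marketplace also have to be withdrawn once the initialization is done. The following added example (not part of the original procedure; the function names are illustrative) lists world-writable paths and resets directories to 770 and files to 660, assuming the webservd owner and group set earlier are all GLPI needs; it runs on a constructed sample tree.

```sh
# Added example, not from the original page: undo the temporary "chmod -R 777"
# once the web initialization is finished.
# Assumption: owner and group webservd (set by the chown above, with the php
# user in that group) are all GLPI needs, so "other" gets no access at all.

# world_writable DIR... -> paths that any local user can still write to
world_writable() {
    find "$@" \( -type d -o -type f \) -perm -0002 -print
}

# reset_modes DIR... -> directories 770, regular files 660 (no execute bit);
# prints how many world-writable paths remain (0 when the cleanup worked)
reset_modes() {
    find "$@" -type d -exec chmod 770 {} +
    find "$@" -type f -exec chmod 660 {} +
    world_writable "$@" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for config/, files/ and marketplace/
demo=$(mktemp -d)
mkdir -p "$demo/config" "$demo/files/_cache"
: > "$demo/config/config_db.php"
chmod -R 777 "$demo"
echo "before: $(world_writable "$demo" | wc -l | tr -d ' ') world-writable paths"
echo "after:  $(reset_modes "$demo") world-writable paths"
rm -rf "$demo"
```

On the server the call would be reset_modes /var/www/www.myglpi.lan/config /var/www/www.myglpi.lan/files /var/www/www.myglpi.lan/marketplace, run as root after the GLPI initialization in the browser has completed.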
Good luck !