Installing iTop on Linux

Preparation

Specifications

Software components:

  • Apache 2.4.x
  • MariaDB-client 10.4.x
  • PHP 7.4.x
  • iTop 2.7.x

Hardware components:

Requirements                        Recommendation
Monthly tickets  Users  CIs         Servers                      CPU     Memory  Storage
< 200            < 20   < 50k       1 server: all components     2 vCPU  4 GB    10 GB
< 5000           < 50   < 200k      2 servers: Web + App & DB    4 vCPU  8 GB    20 GB
> 5000           > 50   > 200k      2 servers: Web + App & DB    8 vCPU  16 GB   50 GB

Compatibility matrix

Component  Minimum  Supported  Recommended
PHP        5.6      7.3        7.4
MySQL      5.6      5.7        -
MariaDB    10.1     10.3       10.4

Apache, PHP & MariaDB repositories

Variables
MARIADB_VER="10.4"
PHP_VER="7.4"

Repositories

# The MariaDB repository setup script is piped straight into bash below;
# download it to a file first if you want to review it before running it.

# CentOS / RHEL 7
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm && \
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
    bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
yum update -y

# CentOS / RHEL 8
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
dnf install -y https://rpms.remirepo.net/enterprise/remi-release-8.rpm && \
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
    bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
dnf update -y

# Debian, PHP from packages.sury.org
apt-get update && \
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
    bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
apt-get -y install apt-transport-https lsb-release ca-certificates curl \
    software-properties-common wget gnupg-curl && \
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
echo "deb http://packages.sury.org/php/ $(lsb_release -sc) main" \
    > /etc/apt/sources.list.d/php.list && \
apt-get update

# Debian, Apache 2 and PHP from packages.sury.org
apt-get update && \
apt-get -y install apt-transport-https lsb-release ca-certificates curl \
    software-properties-common wget gnupg && \
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
    bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER"
wget -O /etc/apt/trusted.gpg.d/apache2.gpg https://packages.sury.org/apache2/apt.gpg && \
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
echo "deb http://packages.sury.org/apache2/ $(lsb_release -sc) main" > \
    /etc/apt/sources.list.d/apache2.list && \
echo "deb http://packages.sury.org/php/ $(lsb_release -sc) main" > \
    /etc/apt/sources.list.d/php.list && \
apt-get update

# Ubuntu, variant with gnupg-curl
apt-get update && \
apt-get -y install apt-transport-https lsb-release ca-certificates curl \
    software-properties-common gnupg-curl && \
add-apt-repository -y ppa:ondrej/apache2 && \
add-apt-repository -y ppa:ondrej/php && \
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
    bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
apt-get update

# Ubuntu, variant without gnupg-curl
apt-get update && \
apt-get -y install apt-transport-https lsb-release ca-certificates curl \
    software-properties-common && \
add-apt-repository -y ppa:ondrej/apache2 && \
add-apt-repository -y ppa:ondrej/php && \
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
    bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
apt-get update

Installing Apache, PHP & MariaDB

Installation

# CentOS / RHEL 7
yum install -y httpd
# enable the Remi repository matching PHP_VER (remi-php74 for PHP_VER=7.4)
yum-config-manager --enable remi-php${PHP_VER/./}
yum install -y php php-{mysqlnd,xml,cli,soap,ldap,gd,zip,json,mbstring} graphviz
yum install -y MariaDB-server MariaDB-client
systemctl enable --now httpd mariadb

# CentOS / RHEL 8
dnf module reset php
dnf module install -y php:remi-$PHP_VER
dnf install -y httpd
dnf install -y php php-{mysqlnd,xml,cli,soap,ldap,gd,zip,json,mbstring} graphviz
dnf install -y MariaDB-server MariaDB-client
systemctl enable --now httpd mariadb

# Debian / Ubuntu
apt-get install -y apache2
apt-get install -y php$PHP_VER-{mysql,xml,cli,soap,ldap,gd,zip,json,mbstring} \
    libapache2-mod-php$PHP_VER graphviz
apt-get install -y mariadb-server-$MARIADB_VER
# the systemd unit is named mariadb regardless of the package version
systemctl enable --now apache2 mariadb

If the web application and the database are on separate servers, install only the database client on the web application server.

Installing MariaDB-client

# CentOS / RHEL
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
    bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
yum update -y && yum install -y MariaDB-client

# Debian / Ubuntu
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
    bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
apt-get update && apt-get install -y mariadb-client

Testing the Apache + PHP installation

PHP Info

echo "<?php phpinfo();?>" > /var/www/html/info.php

Open a browser and go to http://IP_ADDRESS/info.php. Delete info.php once the test succeeds: phpinfo() discloses the full PHP and server configuration to anyone who can reach the page.

Database configuration

Run mysql_secure_installation

mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
    SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] 
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] 
... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] 
... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] 
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] 
... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

itop.cnf

cat << EOF > /etc/my.cnf.d/itop.cnf
[mysqld]
innodb_buffer_pool_size = 512M
query_cache_size = 32M
query_cache_limit = 1M

innodb_default_row_format = DYNAMIC
# innodb_large_prefix is a MySQL 5.6/5.7 option; the "loose-" prefix makes a
# server that no longer knows it (newer MariaDB) ignore it instead of refusing
# to start on an unknown variable
loose-innodb_large_prefix = true

# max_allowed_packet : should be set to a value bigger than upload_max_filesize in php.ini
max_allowed_packet = 

EOF
#
systemctl restart mariadb
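As an added example (not from the page), a shell check of the rule stated in the itop.cnf comment: max_allowed_packet must be larger than upload_max_filesize in php.ini. It parses both files, converts the K/M/G suffixes to bytes, and also reports a blank value such as the one left unfilled above; the function names and the constructed sample files are assumptions.

```shell
# Added example, not part of the original page: a check for the rule in the
# itop.cnf comment above, max_allowed_packet must exceed PHP's
# upload_max_filesize; it also flags the value left blank in that file.
# Function names and the constructed sample files are hypothetical.

# Converts a MariaDB/PHP size literal (1M, 64M, 2G, 1024) to bytes.
to_bytes() {
    val="$1"
    num="${val%[KkMmGg]}"
    case "$val" in
        *[Kk]) echo $((num * 1024)) ;;
        *[Mm]) echo $((num * 1024 * 1024)) ;;
        *[Gg]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo $((num)) ;;
    esac
}

# Reads "key = value" from an ini-style file; comments and blank values yield "".
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:];#]*\).*/\1/p" "$1" | head -n 1
}

# Returns 0 when max_allowed_packet (my.cnf) is larger than upload_max_filesize
# (php.ini), 1 when it is not, and 2 when either value is missing or blank.
check_packet_size() {
    packet=$(ini_value "$1" max_allowed_packet)
    upload=$(ini_value "$2" upload_max_filesize)
    [ -n "$packet" ] && [ -n "$upload" ] || return 2
    [ "$(to_bytes "$packet")" -gt "$(to_bytes "$upload")" ]
}

# Constructed samples: a 2M PHP upload limit against 64M, 1M and blank packet sizes.
SAMPLE_DIR="${TMPDIR:-/tmp}/packet-check.$$"
mkdir -p "$SAMPLE_DIR"
printf '[PHP]\nupload_max_filesize = 2M\n' > "$SAMPLE_DIR/php.ini"
printf '[mysqld]\nmax_allowed_packet = 64M\n' > "$SAMPLE_DIR/ok.cnf"
printf '[mysqld]\n# comment\nmax_allowed_packet = 1M\n' > "$SAMPLE_DIR/small.cnf"
printf '[mysqld]\nmax_allowed_packet = \n' > "$SAMPLE_DIR/unset.cnf"

for cnf in ok small unset; do
    if check_packet_size "$SAMPLE_DIR/$cnf.cnf" "$SAMPLE_DIR/php.ini"; then
        echo "$cnf.cnf: max_allowed_packet is large enough"
    else
        echo "$cnf.cnf: check failed with status $?"
    fi
done
```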

Preparing the database

Variables

# variables
# "%" lets the application user connect from any host; on a split web/DB
# setup narrow this to the web server's address. The password below is a
# sample placeholder: generate a strong, unique one for a real deployment.
PELADEN_APLIKASI="%"
PELADEN_PANGKALAN_DATA="localhost"
PENGGUNA_APLIKASI="app_itop"
PANGKALAN_DATA_APLIKASI="app_itop"
SANDI_APLIKASI="app_itop"
CHARSET="utf8mb4"
COLLATION="utf8mb4_general_ci"

Create the database and the application user, and grant it access

mysql -uroot -hlocalhost -p <<EOF
CREATE DATABASE ${PANGKALAN_DATA_APLIKASI} CHARACTER SET = '${CHARSET}' COLLATE = '${COLLATION}';
GRANT ALL PRIVILEGES ON ${PANGKALAN_DATA_APLIKASI}.* TO '${PENGGUNA_APLIKASI}'@'${PELADEN_APLIKASI}' IDENTIFIED BY '${SANDI_APLIKASI}';
FLUSH PRIVILEGES;
EOF

Process

Installing iTop

There are several ways to install iTop, including:

Installation options

  1. Root directory
    The web application's files sit in the web server's document root, for example /var/www/html

  2. Subdirectory
    This option suits a setup without a domain yet: the installation is reached through the IP address followed by the subdirectory, for example http://10.20.30.40/itop

  3. Domain / subdomain
    A domain or subdomain can be used once the web server is reachable by its FQDN (Fully Qualified Domain Name). A VirtualHost then has to be added to the Apache2 configuration so that the installation can be reached, for example http://itop.domain.tld

Variables

TAUTAN_SUMBER_ITOP="https://sourceforge.net/projects/itop/files/itop"
VERSI_ITOP="2.7.5-1"
RILIS_ITOP="7770"
# CentOS / RHEL
PENGGUNA_PELADEN_WEB="apache"
GRUP_PELADEN_WEB="apache"
# Debian / Ubuntu
PENGGUNA_PELADEN_WEB="www-data"
GRUP_PELADEN_WEB="www-data"

Download & install

wget $TAUTAN_SUMBER_ITOP/$VERSI_ITOP/iTop-$VERSI_ITOP-$RILIS_ITOP.zip
mkdir $VERSI_ITOP
unzip iTop-$VERSI_ITOP-$RILIS_ITOP.zip -d $VERSI_ITOP
# pick the target directory matching the installation option chosen above
# 1. root directory
LOKASI_DIREKTORI="/var/www/html"
# 2. subdirectory
LOKASI_DIREKTORI="/var/www/html/itop"
# 3. domain / subdomain
NAMA_DOMAIN="itop.domain.tld"
LOKASI_DIREKTORI="/var/www/$NAMA_DOMAIN/html"
# conf, data, env-production and log are the directories iTop writes to
mkdir -p $LOKASI_DIREKTORI/{conf,data,env-production,log}
cp -aRv ./$VERSI_ITOP/web/* $LOKASI_DIREKTORI
chown -Rv $PENGGUNA_PELADEN_WEB:$GRUP_PELADEN_WEB $LOKASI_DIREKTORI
rm -rf $VERSI_ITOP

Apache2 - virtual host

Variables

# variables
NAMA_DOMAIN="itop.domain.tld"
NAMA_PENGGUNA="deploy"
SUREL_LE="[email protected]"

Subdomain

Create the document and log directories, and grant access to the web server service user and group

mkdir -p /var/www/$NAMA_DOMAIN/{html,log}
chown -R $NAMA_PENGGUNA:$NAMA_PENGGUNA /var/www/$NAMA_DOMAIN/html

Create a sample HTML file to test that the virtual host works

cat << EOF | tee /var/www/$NAMA_DOMAIN/html/index.html
<html>
  <head>
    <title>Selamat datang pada laman situs Keren!</title>
  </head>
  <body>
    <h1>Sukses! Alamat virtual $NAMA_DOMAIN, telah berfungsi dengan baik!</h1>
  </body>
</html>
EOF
# CentOS / RHEL
cat << EOF | tee /etc/httpd/conf.d/$NAMA_DOMAIN.conf
<VirtualHost *:80>
    ServerName $NAMA_DOMAIN
    ServerAlias $NAMA_DOMAIN
    DocumentRoot /var/www/$NAMA_DOMAIN/html
    ErrorLog /var/www/$NAMA_DOMAIN/log/error.log
    CustomLog /var/www/$NAMA_DOMAIN/log/requests.log combined
</VirtualHost>
EOF
systemctl reload httpd

# Debian / Ubuntu: Apache only includes sites-enabled/, so the site is written
# to sites-available/ and switched on with a2ensite
cat << EOF | tee /etc/apache2/sites-available/$NAMA_DOMAIN.conf
<VirtualHost *:80>
    ServerName $NAMA_DOMAIN
    ServerAlias $NAMA_DOMAIN
    DocumentRoot /var/www/$NAMA_DOMAIN/html
    ErrorLog /var/www/$NAMA_DOMAIN/log/error.log
    CustomLog /var/www/$NAMA_DOMAIN/log/requests.log combined
</VirtualHost>
EOF
a2ensite $NAMA_DOMAIN
systemctl reload apache2

SELinux

The CentOS and RHEL operating systems enable SELinux by default as

Global policy for the Apache2 log directory

# CentOS / RHEL
LOKASI_DIREKTORI_LOG="/var/log/httpd"
# Debian / Ubuntu
LOKASI_DIREKTORI_LOG="/var/log/apache2"
# check before
ls -dlZ $LOKASI_DIREKTORI_LOG
drwxr-xr-x. 2 root root unconfined_u:object_r:httpd_sys_content_t:s0 6 May 20 01:02 $LOKASI_DIREKTORI_LOG
# apply the context to the log directory
semanage fcontext -a -t httpd_log_t "$LOKASI_DIREKTORI_LOG(/.*)?"
restorecon -Rv $LOKASI_DIREKTORI_LOG
# check after
ls -dlZ $LOKASI_DIREKTORI_LOG
drwxr-xr-x. 2 root root unconfined_u:object_r:httpd_log_t:s0 6 May 20 01:02 $LOKASI_DIREKTORI_LOG
systemctl restart httpd
ls -lZ $LOKASI_DIREKTORI_LOG
total 4
-rw-r--r--. 1 root root system_u:object_r:httpd_log_t:s0   0 May 20 01:24 error.log
-rw-r--r--. 1 root root system_u:object_r:httpd_log_t:s0 405 May 20 01:24 requests.log

SELinux

# httpd_unified makes every httpd_*_content_t type writable by the web server;
# a narrower alternative is to label only the directories iTop must write
# (conf, data, env-production, log) as httpd_sys_rw_content_t
setsebool -P httpd_unified 1
matchpathcon -V $LOKASI_DIREKTORI/*
restorecon -Rv $LOKASI_DIREKTORI
systemctl restart httpd

Firewall

FirewallD & UFW

# firewalld (CentOS / RHEL)
systemctl status firewalld
systemctl enable --now firewalld
firewall-cmd --get-default-zone
firewall-cmd --list-all
firewall-cmd --list-all-zones
firewall-cmd --list-service --zone=external
firewall-cmd --set-default-zone=external
firewall-cmd --change-interface=eth0 --zone=external
firewall-cmd --list-all --zone=external
#
nmcli c mod eth1 connection.zone external
firewall-cmd --get-active-zone
#
firewall-cmd --get-services
ls /usr/lib/firewalld/services
# only HTTP is opened here; add https once the certificate is in place
firewall-cmd --add-service=http --permanent
firewall-cmd --reload
firewall-cmd --list-service

# ufw (Debian / Ubuntu)
systemctl status ufw
systemctl enable --now ufw
# TODO

Completion

Optimising & hardening the installation

PHP extensions

APCu

Variables

# CentOS / RHEL
PATH_PHPINI="/etc/php.ini"
# Debian / Ubuntu
PATH_PHPINI="/etc/php/7.4/mods-available/apcu.ini"

Installation

# CentOS / RHEL: the packaged extension from the Remi repository, or the
# build dependencies for installing it through pecl instead
yum install -y php-pecl-apcu
yum install -y php-pear httpd-devel pcre-devel gcc make
# Debian / Ubuntu (the package name is php-apcu)
apt-get install -y php-apcu

php.ini / apcu.ini

cp $PATH_PHPINI{,.`date +"%Y%m%d%H%M"`}
cat << EOF >> $PATH_PHPINI
apc.enabled=1
; Memory segments (ini comments start with ";", "#" is not accepted by PHP 7)
apc.shm_size=512M
; PHP file cache 1 hour
apc.ttl=3600
; User cache 2 hours
apc.user_ttl=7200
; Garbage collection 1 hour
apc.gc_ttl=3600
EOF
#

Reload the web server service

# CentOS / RHEL
systemctl restart httpd
# Debian / Ubuntu
systemctl restart apache2

Diffie–Hellman key exchange

openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

LE Snippets

letsencrypt.conf

#
mkdir -p /var/lib/letsencrypt/.well-known
chgrp apache /var/lib/letsencrypt
chmod g+s /var/lib/letsencrypt
#
cat << EOF > /etc/httpd/conf.d/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    # serving the challenge files needs none of these options; "Options None"
    # is sufficient and avoids exposing a directory listing
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
EOF

#
# needs mod_ssl and mod_headers loaded (on CentOS/RHEL: yum install -y mod_ssl)
cat << EOF > /etc/httpd/conf.d/ssl-params.conf
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# "preload" is only accepted by the browser preload list together with
# includeSubDomains; add that token only once every subdomain serves HTTPS
Header always set Strict-Transport-Security "max-age=63072000; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
EOF
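An added example, not part of the page: a post-install check that greps an Apache config file for the hardening directives ssl-params.conf sets above, so a host still running an older template (TLS 1.0/1.1 allowed, no security headers) is noticed. The function name and the constructed sample files are assumptions.

```shell
# Added example, not part of the original page: a linter that checks an
# Apache config file for the hardening directives ssl-params.conf sets above.
# The function name and the constructed sample files are hypothetical.
# Prints each missing directive; returns the number of misses (0 = all present).
check_ssl_params() {
    file="$1"
    missing=0
    # Anchored so a commented-out line ("# SSLSessionTickets Off") does not count.
    for pattern in \
        '^[[:space:]]*SSLProtocol[[:space:]].*-all' \
        '^[[:space:]]*SSLProtocol[[:space:]].*\+TLSv1\.2' \
        '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+[Oo]n' \
        '^[[:space:]]*SSLCompression[[:space:]]+[Oo]ff' \
        '^[[:space:]]*SSLSessionTickets[[:space:]]+[Oo]ff' \
        '^[[:space:]]*SSLUseStapling[[:space:]]+[Oo]n' \
        '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security[[:space:]]+"max-age=' \
        '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-Frame-Options[[:space:]]+DENY' \
        '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-Content-Type-Options[[:space:]]+nosniff'
    do
        if ! grep -Eq "$pattern" "$file"; then
            echo "missing: $pattern"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed samples: one mirroring the page's ssl-params.conf, one legacy
# config that still allows TLS 1.0/1.1 and sets no security headers.
SAMPLE_DIR="${TMPDIR:-/tmp}/ssl-params-check.$$"
mkdir -p "$SAMPLE_DIR"
HARDENED="$SAMPLE_DIR/hardened.conf"
LEGACY="$SAMPLE_DIR/legacy.conf"
cat > "$HARDENED" << 'EOF'
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLSessionTickets Off
EOF
cat > "$LEGACY" << 'EOF'
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# SSLSessionTickets Off
EOF
check_ssl_params "$HARDENED" && echo "hardened.conf: all directives present"
check_ssl_params "$LEGACY" || echo "legacy.conf: $? directive(s) missing"
```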

Certbot / Let’s Encrypt

Variables
SUREL_LE="[email protected]"
NAMA_DOMAIN="itop.domain.tld"

Installing Certbot

# bin
# certbot-auto has since been discontinued upstream (the project now points to
# its snap or the distribution package); if it is still used, verify the
# download against its detached signature, certbot-auto.asc, before installing
wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
# cert
/usr/local/bin/certbot-auto --apache \
-m $SUREL_LE -d $NAMA_DOMAIN --agree-tos
/usr/local/bin/certbot-auto enhance --apache --redirect --hsts --uir
/usr/local/bin/certbot-auto enhance --auto-hsts
# renewal twice a day, after a random delay of up to an hour
echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q" | sudo tee -a /etc/crontab > /dev/null