This will guide through basic installation of HEANET's product, jagger in Ubuntu 18.04 based on Jagger Documentation and Terry Smith's (@trsau) Google Doc for Backfire project
This guide assumes you have pre installed Ubuntu 18.04 server with default configurations and have a public IP connectivity including DNS setup.
All Commands will be run as the root user. You may use sudo su
to become root.
apt install apache2
a2enmod rewrite
a2enmod unique_id
service apache2 restart
apt install mysql-server
mysql_secure_installation
Securing the MySQL server deployment.
Connecting to MySQL using a blank password.
VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?
Press y|Y for Yes, any other key for No: y
There are three levels of password validation policy:
LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 1
Please set the password for root here.
New password:
Re-enter new password:
Estimated strength of the password: 50
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.
Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.
Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Success.
By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
- Dropping test database...
Success.
- Removing privileges on test database...
Success.
Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.
All done!
apt install php libapache2-mod-php
edit php settings as
vim /etc/php/7.X/apache2/php.ini
date.timezone = Asia/Colombo
memory_limit = 256M
max_execution_time = 60
vim /etc/php/7.2/cli/php.ini
date.timezone = Asia/Colombo
max_execution_time = 60
apt install php-apcu
apt install php-mysql
apt install php-xml
apt install php-memcached
apt install php-amqplib
service apache2 restart
follow these steps to install php7.X deprecated php-mcrypt from here
curl -sS https://getcomposer.org/installer | php
cp composer.phar /usr/local/bin/composer
apt-get install memcached
apt-get install gearman-job-server
apt-get install php-gearman
cd /opt
wget https://github.com/bcit-ci/CodeIgniter/archive/3.1.9.zip
apt install unzip
unzip 3.1.9.zip
mv CodeIgniter-3.1.9 codeigniter
git clone https://github.com/Edugate/Jagger /opt/rr3
cd /opt/rr3/application
composer install
Note: Ignore the warning about running composer as root/super user!
cp /opt/codeigniter/index.php /opt/rr3/
Open /opt/rr3/index.php
file and find
$system_path = 'system';
and change to
$system_path = '/opt/codeigniter/system';
You may also want to set production environment. To do it find the line
define('ENVIRONMENT', isset($_SERVER['CI_ENV']) ? $_SERVER['CI_ENV'] : 'development');
and change to
define('ENVIRONMENT', isset($_SERVER['CI_ENV']) ? $_SERVER['CI_ENV'] : 'production ');
Disable the default configuration
cd /etc/apache2/sites-available/
a2dissite 000-default.conf
systemctl reload apache2
Create a new conf file for RR3 as rr3.conf
cp 000-default.conf rr3.conf
Edit rr3.conf
with following
vim rr3.conf
<VirtualHost *:80>
ServerName YOUR-DOMAIN
ServerAdmin YOUR-Email
DocumentRoot /opt/rr3/
Alias /rr3 /opt/rr3
<Directory /opt/rr3>
Require all granted
RewriteEngine On
RewriteBase /rr3
RewriteCond $1 !^(Shibboleth\.sso|index\.php|logos|signedmetadata|flags|images|app|schemas|fonts|styles|images|js|robots\.txt|pub|includes)
RewriteRule ^(.*)$ /rr3/index.php?/$1 [L]
</Directory>
<Directory /opt/rr3/application>
Order allow,deny
Deny from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Enable rr3 site by,
a2ensite rr3
and restart Apache
systemctl reload apache2
Log in to MYSQL as root
mysql -u root -p
CREATE DATABASE rr3 CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL ON rr3.* to rr3user@'localhost' IDENTIFIED BY 'rr3@PasS';
FLUSH PRIVILEGES;
cd /opt/rr3
./install.sh
Next, copy the default configurations as samples
cd application/config
cp config-default.php config.php
cp config_rr-default.php config_rr.php
cp database-default.php database.php
cp email-default.php email.php
cp memcached-default.php memcached.php
Give permission to Apache User www-data
as following
chgrp www-data /opt/rr3/application/models/Proxies
chmod 755 /opt/rr3/application/models/Proxies
chgrp www-data /opt/rr3/application/cache
chmod 755 /opt/rr3/application/cache
vim config.php
$config['base_url'] = 'https://YOUR-DOMAIN/rr3/';
$config['log_path'] = '/var/log/rr3/';
You must also create this directory and make it writable by the Apache user www-data
mkdir /var/log/rr3
chown www-data:www-data /var/log/rr3
chmod 750 /var/log/rr3
get a copy of following random output and put it back on config.php
tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
as
$config['encryption_key'] = '8mixahy22evqp4k6wbzce16oglg1zlyr';
vim config_rr.php
rr_setup_allowed - it should be always be set to FALSE. TRUE only when setup is initialized
$config['rr_setup_allowed'] = TRUE;
Note: This will be changed back to FALSE later in the setup.
site_logo - set filename to be used as main logo in top-left corner. File should be stored in /opt/rr3/images/ folder (Optional)
Note: The default logo is 515 pixels wide and 146 pixels high. Your own site logo should be about the same size.
$config['site_logo'] = 'your_logo.png';
syncpass - please generate strong key. It’s used by synchronization - interfederation tool
tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
then assign generated value to attr like:
$config['syncpass'] = 'qp7zwgm6vqzptb87uoe7zzfiq1gx1oa6';
support_mailto - set support email. For example this email is displayed as contact mail.
$config['support_mailto'] = 'support@example.com';
nameids - array of allowed NameID in JAGGER remove it from config
/*
$config['nameids'] = array(
'urn:mace:shibboleth:1.0:nameIdentifier' => 'urn:mace:shibboleth:1.0:nameIdentifier',
'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'=>'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
);
*/
Note: The above config has been commented out!
$config['protocol'] = 'smtp';
$config['smtp_host'] = "SMTP_HOST";
$config['smtp_port'] = 25;
$config['smtp_user'] = 'USER';
$config['smtp_pass'] = 'PASS';
$config['smtp_crypto'] = 'tls';
$db['default']['hostname'] = '127.0.0.1';
$db['default']['username'] = 'rr3user';
$db['default']['password'] = 'rr3@PasS';
$db['default']['database'] = 'rr3';
$db['default']['dsn'] = 'mysql:host=127.0.0.1;port=3306;dbname=rr3';
To populate tables we are going to use doctrine tool.
cd /opt/rr3/application
edit composer.json to add
"doctrine/common": "2.8.1",
in to the beginning of the require
section
then run,
composer update
./doctrine orm:schema-tool:create
If you going to run application in production mode then you also need to regenerate proxies:
./doctrine orm:generate-proxies
and verify owner of application/models/Proxies/* - apache user should be owner
or
chown -R www-data models/Proxies/
In the future after every update you will need to run
./doctrine orm:schema-tool:update --force
./doctrine orm:generate-proxies
add-apt-repository ppa:certbot/certbot
apt install python-certbot-apache
certbot --apache -d YOUR-DOMAIN
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): YOU@YOUR-DOMAIN
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for YOUR_DOMAIN
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/rr3-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/rr3-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/rr3-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/rr3.conf to ssl vhost in /etc/apache2/sites-available/rr3-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://YOUR-DOMAIN
Open page https://YOUR-DOMAIN/rr3/setup and fill the form.
Once the default user is created switch OFF the setup mode on config_rr.php
by
$config['rr_setup_allowed'] = FALSE;
Please refer: http://pyff.io/
Check : Configure EDS