qrz.is/content/post/cloudlog-on-openbsd.md
2023-03-27 17:22:18 +02:00

title: Installing Cloudlog on OpenBSD
type: post
author: micha
date: 2023-01-24T16:00:00+02:00
tags: Ham Radio, Logging
url: /cloudlog-on-openbsd/

This page will guide you through the steps required to install Cloudlog onto an OpenBSD web server that is using the OHMP stack (that's OpenBSD, httpd, MariaDB and PHP). Most of the text has been taken from the page Installation on a FreeBSD Server and adapted to OpenBSD. You can also find this guide in the Cloudlog wiki.

Prerequisites

Installation

1. Prepare Server Stack

Installing OpenBSD, database server and web server are tasks that are outside the scope of this guide but there are plenty of resources to help you get started. Have a look at this guide or at the corresponding man pages.

Once you have your server stack installed, make sure that the required additional packages are available. Example of installing PHP 8.0 and the required packages:

# doas pkg_add php-mysqli mariadb-server curl php-curl

Please choose version 8.0 when asked by the installer.

2. Download Cloudlog using Git

For ease of installation and updating, it is recommended to acquire the Cloudlog application files using Git. If Git is not yet installed on your system, use pkg_add git to obtain it.

The git clone command is used to fetch the latest build of Cloudlog from the repository on GitHub. This command downloads the application files in their current state on the master branch:

# doas git clone https://github.com/magicbug/Cloudlog.git [output_directory]

Replace output_directory with the full path to the directory where you'd like the application files to be created locally (don't include the square brackets). In this example, we use the DocumentRoot directory "/var/www/htdocs/cloudlog":

# doas git clone https://github.com/magicbug/Cloudlog.git /var/www/htdocs/cloudlog

3. Set Directory Ownership and Permissions

During normal operation, Cloudlog will need to write to certain files and directories within the root Cloudlog directory (i.e. where you extracted the files in the previous step). You'll need to set the permissions and ownership on these directories appropriately.

The following folders need to be writable by PHP:

  • /application/config/
  • /application/logs
  • /assets/qslcard/
  • /backup
  • /updates
  • /uploads
  • /images/eqsl_card_images/

⚠️ Warning 1: The following commands assume that you are using the OpenBSD www webserver group. You should verify this is the case and modify the commands below appropriately if it is something different.

⚠️ Warning 2: Replace /var/www/htdocs/cloudlog in the below commands with the appropriate directory if you cloned the Git repository somewhere else in the previous step.

⚠️ Warning 3: It is your responsibility to ensure you protect your system from intruders/attacks. These commands and permissions are just examples used to get Cloudlog up and running and are not a guide on how to achieve a secure system. You should review these permissions after installation and make appropriate changes if you determine that finer-grained access control is needed.

First, set ownership using:

# doas chown -R root:www /var/www/htdocs/cloudlog/application/config/
# doas chown -R root:www /var/www/htdocs/cloudlog/application/logs
# doas chown -R root:www /var/www/htdocs/cloudlog/assets/qslcard/
# doas chown -R root:www /var/www/htdocs/cloudlog/backup
# doas chown -R root:www /var/www/htdocs/cloudlog/updates
# doas chown -R root:www /var/www/htdocs/cloudlog/uploads
# doas chown -R root:www /var/www/htdocs/cloudlog/images/eqsl_card_images/

Then grant write permissions on these directories to the group:

# doas chmod -R g+rw /var/www/htdocs/cloudlog/application/config/
# doas chmod -R g+rw /var/www/htdocs/cloudlog/application/logs
# doas chmod -R g+rw /var/www/htdocs/cloudlog/assets/qslcard/
# doas chmod -R g+rw /var/www/htdocs/cloudlog/backup
# doas chmod -R g+rw /var/www/htdocs/cloudlog/updates
# doas chmod -R g+rw /var/www/htdocs/cloudlog/uploads
# doas chmod -R g+rw /var/www/htdocs/cloudlog/images/eqsl_card_images/

More info about granting PHP write permissions can be read here
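
To review the result of the ownership and permission commands above, the following added example (not part of the original guide or of Cloudlog) checks that exactly the seven listed directories are group-writable and that nothing under the Cloudlog root is world-writable. The function name audit_cloudlog_perms and the script invocation are assumptions of this example; it uses only POSIX find tests, so it runs with OpenBSD's sh.

```shell
#!/bin/sh
# Added example: verify the result of step 3. Paths are relative to the Cloudlog root.
WRITABLE_DIRS="application/config application/logs assets/qslcard backup
updates uploads images/eqsl_card_images"

# audit_cloudlog_perms ROOT [GROUP]; returns 0 only if nothing is reported.
audit_cloudlog_perms() {
    root=${1%/} group=${2:-www} problems=0

    # 1. Every listed directory must belong to GROUP and be group-writable.
    for d in $WRITABLE_DIRS; do
        # -prune makes find test the directory itself without descending.
        if [ -z "$(find "$root/$d" -prune -type d -group "$group" -perm -020 2>/dev/null)" ]; then
            echo "not writable by group $group: $root/$d"
            problems=$((problems + 1))
        fi
    done

    # Build "-path A -o -path B ..." so the expected directories are skipped below.
    set --
    for d in $WRITABLE_DIRS; do
        if [ $# -gt 0 ]; then set -- "$@" -o; fi
        set -- "$@" -path "$root/$d"
    done

    # 2. Group-writable paths outside the list, and world-writable paths anywhere.
    extra=$( {
        find "$root" \( "$@" \) -prune -o ! -type l -perm -020 -print
        find "$root" ! -type l -perm -002 -print
    } | sort -u )
    if [ -n "$extra" ]; then
        echo "unexpected write access:"
        echo "$extra"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Run as a script: sh audit.sh /var/www/htdocs/cloudlog www
if [ $# -gt 0 ]; then audit_cloudlog_perms "$@"; fi
```

Running it again after each Cloudlog update shows whether a later git pull or manual change has widened write access beyond the listed directories.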

4. Create a SQL Database and User

Cloudlog needs a MySQL database to store application and user settings, along with user data such as logbooks.

We'll cover the basic steps for creating a blank database but we won't go into much detail for the specific steps relating to securing your database server. Please refer to the MySQL documentation as a starting point.

Anyhow, the following commands will help you set up the database system and perform some first security measures:

# doas /usr/local/bin/mysql_install_db
# doas rcctl start mysqld
# doas /usr/local/bin/mysql_secure_installation

After this, let's start by using the mysql command to connect as the root user. If your server is already configured for something else then you may have another user configured with the ability to create databases - you can substitute that username if so. Read more about connecting with the mysql client in the MySQL documentation.

# doas mysql -u root -p

Now issue the following command to create a database for Cloudlog, replacing db_name with a name of your choice. Note this name down as you'll need it later for the Cloudlog install wizard.

CREATE DATABASE db_name;

Next, create a user and grant it privileges on the Cloudlog database. Creating a new user is optional if you already have a valid non-root user on the MariaDB server. Remember to again replace db_name with the name you chose previously for the database, user1 with the name of the user to create and password1 with a strong password! Keep the username and password safe as you'll need these for the Cloudlog install wizard later.

CREATE USER 'user1'@'localhost' IDENTIFIED BY 'password1';
GRANT ALL PRIVILEGES ON db_name.* TO 'user1'@'localhost';
QUIT

5. Make some important files accessible to httpd

OpenBSD's httpd runs inside a chroot and therefore sees '/var/www/' as '/'. This means that httpd's worker processes can't access files residing in '/etc', for example. We can make the required files accessible by copying them into the chroot directory. It is probably also possible to link them but this has not been tested by me.

# doas mkdir -p /var/www/etc/ssl
# doas cp /etc/ssl/cert.pem /var/www/etc/ssl/
# doas cp /etc/resolv.conf /var/www/etc/
# doas cp /etc/services /var/www/etc/
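
The copies made above do not follow later changes to the originals, for example an updated CA bundle in /etc/ssl/cert.pem or a rewritten /etc/resolv.conf. The following added example (not part of the original guide) reports copies in the chroot that are missing or differ from their source and can refresh them; the function name sync_chroot_files and the --fix switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect and refresh stale copies of the files from step 5.
CHROOT_FILES="etc/ssl/cert.pem etc/resolv.conf etc/services"

# sync_chroot_files SRC_ROOT CHROOT_DIR [--fix]
# Prints one line per file that is missing or differs. Returns 0 only if all
# copies match their source (after refreshing, when --fix is given).
sync_chroot_files() {
    src=${1%/} jail=${2%/} fix=${3:-} stale=0
    for f in $CHROOT_FILES; do
        if [ ! -f "$src/$f" ]; then
            echo "source missing: $src/$f"
            stale=$((stale + 1))
            continue
        fi
        # cmp -s is silent; it fails if the copy differs or does not exist.
        if cmp -s "$src/$f" "$jail/$f"; then continue; fi
        if [ "$fix" = "--fix" ]; then
            mkdir -p "$(dirname "$jail/$f")"
            # Copy to a temporary name and rename, so PHP never reads a
            # half-written CA bundle or resolver configuration.
            if cp "$src/$f" "$jail/$f.new" && chmod 444 "$jail/$f.new" &&
               mv -f "$jail/$f.new" "$jail/$f"; then
                echo "refreshed: $jail/$f"
            else
                echo "refresh failed: $jail/$f"
                stale=$((stale + 1))
            fi
        else
            echo "stale or missing: $jail/$f"
            stale=$((stale + 1))
        fi
    done
    [ "$stale" -eq 0 ]
}

# Run as a script: doas sh sync.sh / /var/www --fix
if [ $# -gt 0 ]; then sync_chroot_files "$@"; fi
```

Without --fix the function only reports, which makes it suitable for a periodic check whose non-zero exit status signals drift.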

Configure PHP and enable modules

We need to configure some items inside the file /etc/php-8.0.ini that are required by Cloudlog:

Please find and adapt the following line:

allow_url_fopen = On

Also uncomment the following modules inside the above mentioned file:

extension=bz2
extension=curl
extension=mbstring
extension=openssl

6. Run the Cloudlog Install Wizard

You need to run the install wizard. At this point, please open <url-to-cloudlog>/install and follow the guide.

When you have completed the install wizard, do the following:

  • Create a new admin account (Admin Dropdown) and delete the demo account

  • Update Country Files (Admin Dropdown)

  • Create a station profile (Admin Dropdown) and set it as active

  • If you want to know if the person you're working uses LoTW, run: https://<URL-To-Cloudlog>/index.php/lotw/load_users. This is the initial run, but we'll run this every week from cron momentarily.

Post-Install Tasks

The OpenBSD install tutorial ends here and refers to the probably more regularly updated Linux Installation Guide for the post-install tasks.