Introduction
Preparation Tasks
Download and Unpack PrestaShop
Configure the OpenBSD (pf) Firewall
Configure OpenSMTPD as a Mail Relay
Configure the PHP and PHP-FPM Environment
Configuring MariaDB
Configuring Apache
Install PrestaShop
Some Final Tasks
Introduction
This guide demonstrates OpenBSD as an e-commerce platform using PrestaShop and Apache.
Apache is required because PrestaShop has complex URL rewriting requirements that OpenBSD's built-in web server, httpd, does not support. This guide uses a self-signed certificate. For production, use a certificate from a trusted CA.
Preparation Tasks
Temporarily create a regular user who is allowed to use doas without a password. This access is removed at the end of the setup.
user add -c "Example User" -m -G wheel -L staff auser
passwd auser
echo 'permit nopass keepenv :wheel' > /etc/doas.conf
Add the OpenBSD package repository.
echo 'https://cdn.openbsd.org/pub/OpenBSD' > /etc/installurl
Forward the daily status and security emails to your address.
echo 'hostmaster@example.com' > /root/.forward
Set the server's hostname.
echo 'www.example.com' > /etc/myname
hostname www.example.com
Add your server's FQDN and IP address to /etc/hosts.
Replace 192.0.2.1 with your Vultr IP address.
127.0.0.1 localhost
::1 localhost
192.0.2.1 www.example.com
Add the packages required for PrestaShop and Apache. Choose the newest versions when prompted.
doas su
pkg_add apache-httpd php php-curl php-gd php-intl php-pdo_mysql php-zip mariadb-client mariadb-server wget unzip
Create a self-signed SSL certificate for testing. Set the Common Name to your server's FQDN, for example www.example.com.
openssl req -x509 -new -nodes -newkey rsa:4096 -keyout /etc/ssl/private/example.com.key -out /etc/ssl/example.com.crt -days 3650 -sha256
chmod 0600 /etc/ssl/private/example.com.key
Download and Unpack PrestaShop
Find the URL of the latest PrestaShop release, download it to /tmp, and unpack it into /var/www/htdocs/prestashop.
cd /tmp
wget https://download.prestashop.com/download/releases/prestashop_1.7.6.4.zip
unzip prestashop_1.7.6.4.zip -d /var/www/htdocs/prestashop
chown -R www:www /var/www/htdocs/prestashop
Configure the OpenBSD (pf) Firewall
Configure the firewall to block all inbound traffic except ssh, www and https.
Back up /etc/pf.conf.
cp /etc/pf.conf /etc/pf.conf.bak
Edit /etc/pf.conf as shown.
set skip on lo
block in
pass out
pass in on egress inet proto tcp to port {ssh, www, https} \
flags S/SA keep state
Test and activate the firewall rules.
doas pfctl -nf /etc/pf.conf
doas pfctl -f /etc/pf.conf
Configure OpenSMTPD as a Mail Relay
Back up your /etc/mail/smtpd.conf file.
cp /etc/mail/smtpd.conf /etc/mail/smtpd.conf.bak
Edit /etc/mail/smtpd.conf as shown below.
Notes:
- The secrets table definition holds the username and password used to relay mail.
- The outbound action looks up the username and password stored under the label prestashop in /etc/mail/secrets and relays email through your mail server.
table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets
listen on lo0
action "local_mail" mbox alias <aliases>
action "outbound" relay host smtp+tls://prestashop@mail.example.com:587 \
tls no-verify auth <secrets>
match from local for local action "local_mail"
match from local for any action "outbound"
Create /etc/mail/secrets.
Replace the email address and password with the credentials you use for your mail server.
echo "prestashop user@example.com:password" > /etc/mail/secrets
Set restrictive permissions on /etc/mail/secrets.
chmod 0600 /etc/mail/secrets
Check the configuration file for errors and restart the smtpd daemon.
smtpd -n
rcctl restart smtpd
Configure the PHP and PHP-FPM Environment
Configure the PHP-FPM process to listen on a TCP socket instead of a UNIX domain socket.
Make the following change to the /etc/php-fpm.conf file.
...
; If using a TCP port, never expose this to a public network.
;listen = /var/www/run/php-fpm.sock
listen = 127.0.0.1:9000
Make some additional changes to the PHP environment in /etc/php-7.3.ini. The file name may differ slightly if the version is newer than 7.3. These changes:
- Allow larger files to be uploaded.
- Disable the chrooted environment.
- Configure PHP to send email via sendmail.
; Default Value: not set
;chroot = /var/www
...
; Maximum allowed size for uploaded files.
; http://php.net/upload-max-filesize
upload_max_filesize = 6M
...
; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
; http://php.net/sendmail-path
;sendmail_path =
sendmail_path = /usr/sbin/sendmail -t -i
...
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-fopen
allow_url_fopen = On
...
; Maximum size of POST data that PHP will accept.
; Its value may be 0 to disable the limit. It is ignored if POST data reading
; is disabled through enable_post_data_reading.
; http://php.net/post-max-size
post_max_size = 12M
Enable the PHP plugins.
cp /etc/php-7.3.sample/* /etc/php-7.3/.
Enable and start the PHP-FPM daemon. The daemon name might be slightly different if the version is newer.
rcctl enable php73_fpm
rcctl start php73_fpm
Configuring MariaDB
MariaDB provides the database backend for PrestaShop. Because MariaDB needs more open files than the default class allows, create a special class in /etc/login.conf.
At the bottom of the file, add the following lines:
mysqld:\
:openfiles-cur=1024:\
:openfiles-max=2048:\
:tc=daemon:
Install MariaDB.
doas su
mysql_install_db
rcctl enable mysqld
rcctl start mysqld
Configure MariaDB security.
mysql_secure_installation
Create the PrestaShop database. Use a strong password.
mysql -u root
CREATE DATABASE prestashop;
GRANT ALL PRIVILEGES ON prestashop.* TO 'prestashop'@'localhost' IDENTIFIED BY 'password123';
FLUSH PRIVILEGES;
EXIT
Configuring Apache
Back up /etc/apache2/httpd2.conf
cp /etc/apache2/httpd2.conf /etc/apache2/httpd2.conf.bak
Make the following changes in /etc/apache2/httpd2.conf, using # to enable and disable modules.
Listen 443
...
LoadModule mpm_event_module /usr/local/lib/apache2/mod_mpm_event.so
#LoadModule mpm_prefork_module /usr/local/lib/apache2/mod_mpm_prefork.so
LoadModule proxy_module /usr/local/lib/apache2/mod_proxy.so
LoadModule proxy_fcgi_module /usr/local/lib/apache2/mod_proxy_fcgi.so
LoadModule ssl_module /usr/local/lib/apache2/mod_ssl.so
LoadModule rewrite_module /usr/local/lib/apache2/mod_rewrite.so
...
ServerAdmin webmaster@example.com
ServerName 192.0.2.1:80
A few more changes to /etc/apache2/httpd2.conf are near the bottom of the file. Remove the # from the Include statements shown.
Finally, add the virtual host lines.
# Server-pool management (MPM specific)
Include /etc/apache2/extra/httpd-mpm.conf
...
# Virtual Hosts
IncludeOptional /etc/apache2/sites/*.conf
Create the /etc/apache2/sites directory.
mkdir /etc/apache2/sites
Create /etc/apache2/sites/example.conf with the following content:
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin webmaster@example.com
    DocumentRoot "/var/www/htdocs/prestashop"
    <Directory "/var/www/htdocs/prestashop">
        Options -Indexes +Multiviews +FollowSymLinks
        AllowOverride All
        <Limit GET POST OPTIONS>
        </Limit>
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin webmaster@example.com
    DocumentRoot "/var/www/htdocs/prestashop"
    <Directory "/var/www/htdocs/prestashop">
        Options -Indexes +Multiviews +FollowSymLinks
        AllowOverride All
        <Limit GET POST OPTIONS>
        </Limit>
        Require all granted
    </Directory>
    SSLEngine On
    SSLCertificateFile "/etc/ssl/example.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/example.com.key"
    SSLCipherSuite HIGH:!aNULL
</VirtualHost>
Configure the Apache proxy module by adding the following to /etc/apache2/sites/example.conf.
<IfModule proxy_module>
    <IfModule dir_module>
        DirectoryIndex index.php
    </IfModule>
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>
</IfModule>
Test the configuration, then enable and start Apache.
apachectl configtest
rcctl enable apache2
rcctl start apache2
Verify that Apache is listening on ports 80 and 443.
netstat -ln -finet
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 *.443 *.* LISTEN
tcp 0 0 127.0.0.1.25 *.* LISTEN
tcp 0 0 *.22 *.* LISTEN
tcp 0 0 *.80 *.* LISTEN
tcp 0 0 127.0.0.1.3306 *.* LISTEN
tcp 0 0 127.0.0.1.9000 *.* LISTEN
Install PrestaShop
Browse to your website at http://www.example.com. The PrestaShop installation wizard starts.
After you complete the installation, note the store front and administration links, then delete the /var/www/htdocs/prestashop/install directory.
Enable SSL.
- Click Shop Parameters
- Click General
- Enable SSL for all parts of your store
Change your administrator password.
- Click Advanced Parameters
- Click Team
- Change the password.
Some Final Tasks
Back up your store and its database:
cd /var/www/htdocs
doas tar cvfz /home/auser/prestashop.tar.gz prestashop/
doas mysqldump -u prestashop -p prestashop | gzip -4 > /home/auser/prestashop.sql.tar.gz
doas chown auser:auser /home/auser/prestashop*
Remove doas access for your user account by recreating the doas.conf file.
echo 'permit keepenv :wheel' > /etc/doas.conf
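The listener check, the secrets and key permissions, the installer removal and the doas.conf cleanup above are the points where this setup is most easily left exposed. The script below is an added example, not part of the original guide: it turns those steps into repeatable post-setup checks. The paths are the guide's own; the netstat lines used to exercise it are constructed to match the listing shown earlier.

```shell
#!/bin/sh
# Post-setup checks for the services configured in this guide (added example,
# not from the original guide). Paths are the guide's; sample input is constructed.

# Read `netstat -ln -finet` output on stdin and fail if a service that should
# only be reachable locally (PHP-FPM 9000, MariaDB 3306, smtpd 25) is bound
# to the wildcard address instead of 127.0.0.1.
check_local_only_listeners() {
    awk 'BEGIN { bad = 0 }
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, "."); port = a[n]
            if ((port == "9000" || port == "3306" || port == "25") && $4 ~ /^\*\./) {
                print "exposed on all interfaces: " $4; bad = 1
            }
        }
        END { exit bad }'
}

# Fail unless the file exists and has no group or other permission bits,
# i.e. the 0600 the guide sets on /etc/mail/secrets and the TLS private key.
check_secret_perms() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "too permissive: $1"; return 1; }
}

# Fail if doas.conf still grants passwordless doas (the temporary setup rule).
check_doas_nopass() {
    ! grep -q 'nopass' "$1"
}

# Fail if the PrestaShop installer directory was not deleted after install.
check_install_dir_removed() {
    [ ! -d "$1/install" ] || { echo "installer still present: $1/install"; return 1; }
}

# Run every check against the live system; non-zero exit on any finding.
run_checks() {
    rc=0
    netstat -ln -finet | check_local_only_listeners || rc=1
    check_secret_perms /etc/mail/secrets || rc=1
    check_secret_perms /etc/ssl/private/example.com.key || rc=1
    check_doas_nopass /etc/doas.conf || rc=1
    check_install_dir_removed /var/www/htdocs/prestashop || rc=1
    return $rc
}

case "${1:-}" in --run) run_checks ;; esac
```

Run it as `doas sh check.sh --run` after the final tasks; a clean run exits 0, and each finding is printed on its own line.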