some nice hacks for ispconfig + stretch ( roundcube, enigma, munin, phpmyadmin using php-fpm )

Discussion in 'Tips/Tricks/Mods' started by ztk.me, Oct 5, 2017.

  1. ztk.me

    ztk.me ISPConfig Developer

    I'm not going into too much detail on how to enable some plugins or edit the config for those, so please bring a cup of coffee if you don't know what it is all about

    if you don't want to use mod_php because apache mpm_prefork sucks, you need to watch out
    roundcube / phpmyadmin / munin won't work that easy

    you could install it as ispapps with some hassle or symlink to ispconfig web-folder but... that's not nice

    create a website in ispconfig with your hostname ( fqdn ) and enable letsencrypt/ssl + cgi + php-fpm for that.

    Add custom apache config to that website

    phpmyadmin
    Code:
    Alias /phpmyadmin /usr/share/phpmyadmin
    <Directory /usr/share/phpmyadmin/setup>
        <IfModule mod_authz_core.c>
            <IfModule mod_authn_file.c>
                AuthType Basic
                AuthName "phpMyAdmin Setup"
                AuthUserFile /etc/phpmyadmin/htpasswd.setup
            </IfModule>
            Require valid-user
        </IfModule>
    </Directory>
    
    # Disallow web access to directories that don't need it
    <Directory /usr/share/phpmyadmin/templates>
        Require all denied
    </Directory>
    <Directory /usr/share/phpmyadmin/libraries>
        Require all denied
    </Directory>
    <Directory /usr/share/phpmyadmin/setup/lib>
        Require all denied
    </Directory>
    
    roundcube
    Code:
    Alias /webmail /var/lib/roundcube
    
    <Directory /var/lib/roundcube/>
      Options +FollowSymLinks
      # This is needed to parse /var/lib/roundcube/.htaccess. See its
      # content before setting AllowOverride to None.
      AllowOverride All
      <IfVersion >= 2.3>
        Require all granted
      </IfVersion>
      <IfVersion < 2.3>
        Order allow,deny
        Allow from all
      </IfVersion>
    </Directory>
    
    # Protecting basic directories:
    <Directory /var/lib/roundcube/config>
            Options -FollowSymLinks
            AllowOverride None
    </Directory>
    <Directory /var/lib/roundcube/temp>
            Options -FollowSymLinks
            AllowOverride None
            <IfVersion >= 2.3>
              Require all denied
            </IfVersion>
            <IfVersion < 2.3>
              Order allow,deny
              Deny from all
            </IfVersion>
    </Directory>
    
    <Directory /var/lib/roundcube/logs>
            Options -FollowSymLinks
            AllowOverride None
            <IfVersion >= 2.3>
              Require all denied
            </IfVersion>
            <IfVersion < 2.3>
              Order allow,deny
              Deny from all
            </IfVersion>
    </Directory>
    
    munin
    Code:
    Alias /munin /var/cache/munin/www
    <Directory /var/cache/munin/www>
        AuthType Basic
        AuthName "Members Only"
        AuthUserFile /etc/munin/munin-htpasswd
        <limit GET POST>
            require valid-user
        </limit>
        Options None
    </Directory>
    
    ScriptAlias /munin-cgi/munin-cgi-graph /var/www/<yourFQDN>/cgi-bin/munin-cgi-graph
    <Location /munin-cgi/munin-cgi-graph>
        AuthType Basic
        AuthName "Members Only"
        AuthUserFile /etc/munin/munin-htpasswd
        <limit GET POST>
            require valid-user
        </limit>
        <IfModule mod_fcgid.c>
            SetHandler fcgid-script
        </IfModule>
        <IfModule !mod_fcgid.c>
            SetHandler cgi-script
        </IfModule>
    </Location>
    
    change <yourFQDN> to your fqdn!
    copy /usr/lib/munin/cgi/munin-cgi-graph to /var/www/<yourFQDN>/cgi-bin/munin-cgi-graph ( check for updates when upgrading sys )
    give the cgi the owner/group ( webx/clienty ) of that domain and $chmod 550 munin-cgi-graph
    If you followed the tutorial for munin, you should have set up a password in /etc/munin/munin-htpasswd using htpasswd command...


    change links in ispconfig settings accordingly ( https://fqdn/phpmyadmin .... )


    ====

    if you want to run enigma-plugin ( pgp ) in roundcube on debian stretch you need to get some packages, preferably this way:
    modify /etc/apt/preferences , it could look like that ( I added additional repo for php 5.6, you can ignore sury.org )
    Code:
    Package: *
    Pin: release a=stable
    Pin-Priority: 700
    
    Package: *
    Pin: release a=testing
    Pin-Priority: 499
    
    Package: *
    Pin: origin packages.sury.org
    Pin-Priority: 498
    
    as well as add buster to your /etc/apt/sources.list
    Code:
    deb http://ftp.de.debian.org/debian/ stretch main contrib non-free
    deb-src http://ftp.de.debian.org/debian/ stretch main contrib non-free
    
    deb http://ftp.de.debian.org/debian/ buster main contrib non-free
    deb-src http://ftp.de.debian.org/debian/ buster main contrib non-free
    
    deb http://security.debian.org/ stretch/updates main contrib non-free
    deb-src http://security.debian.org/ stretch/updates main contrib non-free
    
    # stretch-updates, previously known as 'volatile'
    deb http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
    deb-src http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
    
    now you can
    $apt-get update
    and
    $apt-get install php-crypt-gpg gpg gpgv2
    ( sorry, either gpg or gpgv2 should work, would have to double check now, both might work as well )

    this is b/c crypt-pgp is not in stretch and the gpg version in stretch is broken.

    now edit /usr/share/roundcube/plugins/enigma/lib/enigma_driver_gnupg.php
    there's a require-line, which needs an addition, should look like that
    Code:
    ...
    require_once 'Crypt/GPG.php';
    require_once 'Crypt/GPG/KeyGenerator.php';
    
    class enigma_driver_gnupg extends enigma_driver
    ...
    
    now configure enigma as it should be... oh yeah enigma uses a home-directory, it needs r/w access for the web/client the php-fpm is running at, shouldn't be accessible by anyone else!
    I filed a bug report on debian mailing list for that but.. seems to take a while though.

    Besides, if you want to use message-highlight ( I guess that was the plugin ) and it's not working, don't give up, it's probably just a missing symlink from /var/lib/roundcube/plugins/pluginname to /usr/share/roundcube/plugins/pluginname


    Also be aware that if you use the phpmyadmin feature to import/export databases to a folder on the server and you're using a shared environment .... well yeah, you shouldn't use the same folder configured for all users, doh ;)

    hope I didn't miss something, have a nice day



    edit: uhm sorry falko, wasn't sure where to put it, should've read your post before that, so sorry didn't see, eating my carrot - hoping to improve my eyesight *hug
     
    Last edited: Oct 5, 2017
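
Added example, not part of the original post: a shell audit of the two permission-sensitive paths the post describes, the munin-cgi-graph copy (mode 550, owned by the site's web user and client group) and the enigma home directory (no access for anyone else), plus a check that the CGI copy still matches the packaged script after a system upgrade. Mode 700 for the enigma directory, the function names and the paths in the usage comment are assumptions; GNU stat as shipped with Debian is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the munin CGI copy and
# the enigma home directory described above. Requires GNU stat (Debian).

# check_path PATH MODE OWNER GROUP -> 0 if all match, 1 on mismatch, 2 if missing
check_path() {
    path=$1 want_mode=$2 want_owner=$3 want_group=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 2
    fi
    mode=$(stat -c '%a' "$path")
    owner=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")
    rc=0
    if [ "$mode" != "$want_mode" ]; then
        echo "MODE     $path is $mode, expected $want_mode"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "OWNER    $path is $owner:$group, expected $want_owner:$want_group"
        rc=1
    fi
    return $rc
}

# cgi_is_current PACKAGED COPY -> 0 if the site copy still matches the
# packaged script, non-zero if it went stale after a system upgrade
cgi_is_current() {
    cmp -s "$1" "$2"
}

# audit_site WEBROOT OWNER GROUP ENIGMA_HOME [PACKAGED_CGI]
audit_site() {
    cgi="$1/cgi-bin/munin-cgi-graph"
    packaged=${5:-/usr/lib/munin/cgi/munin-cgi-graph}
    fail=0
    check_path "$cgi" 550 "$2" "$3" || fail=1
    # 700 is an assumed mode: read/write for the php-fpm user only
    check_path "$4" 700 "$2" "$3" || fail=1
    if ! cgi_is_current "$packaged" "$cgi"; then
        echo "STALE    $cgi differs from $packaged"
        fail=1
    fi
    return $fail
}

# Usage (web1, client1 and the enigma path are placeholders):
# audit_site /var/www/example.com web1 client1 /var/www/example.com/private/enigma
```
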
