Create an Online Social Network with Elgg on Debian 9
In this tutorial, I will show you how to install and configure the latest Elgg version on Debian 9 in order to create a free online social network.
Elgg is a free, open source social engine framework written in the PHP programming language. The Elgg framework can help individuals or organizations create powerful social environments on Linux with the Apache/Nginx web servers, PHP and the MySQL/MariaDB database management system, also known as the LAMP or LEMP stack. It also has built-in features that can power file sharing, blogging, social groups or educational platforms on public or private networks.
In order to successfully deploy the Elgg platform on your premises, you will need to meet the following requirements.
- A virtual machine or a virtual private server powered by Debian 9, preferably minimal installation
- Direct access to root account or a local user with root powers via server console or remote management via SSH
- The server needs a static IP address configured on the external network interface so that visitors can reach it via its public IP address
- You might also need a public or private domain name configured for your server so visitors can access the platform via a domain name, such as www.yourdomain.com, although you can still access the platform via your server IP address.
- In order to use Elgg website registration via e-mail address, or use other platform features, you need to deploy a mail server at your premises or use a public mail server.
Pre-Requirements
As the first step, login to the Debian 9 server with root privileges or with a user having root powers and issue the following command in order to update your system with the latest security patches, software and kernel updates.
apt update
apt upgrade
Next, make sure you configure the name of your machine by executing the following commands. You should replace the hostname variable used in this example to match your own domain.
hostnamectl set-hostname www.socialnet.org
After you’ve configured the machine hostname, verify if the host has been properly configured by checking the hosts file with the following commands.
hostnamectl
cat /etc/hostname
hostname -s
hostname -f
Finally, in order to apply machine hostname and kernel updates, reboot the system by issuing the following command.
systemctl reboot
After the system reboots, log back in to the console and run the following command to install some system utilities that will help us download software over the internet and extract some archive file types.
apt install wget zip unzip curl
Install LAMP Stack
In order to deploy the Elgg social network framework on our server, we need to install the LAMP stack components. The first component that we’ll install is the database - MariaDB - a fork of the popular MySQL database, as database backend. The MariaDB database will be used by the application to store users, sessions, contacts, posts, comments and other information. In order to install MariaDB database server and client software in Debian 9 via the official repositories, issue the command below in terminal.
apt install mariadb-server mariadb-client
After the database installation completes, log in to the MySQL console and issue the following commands in order to secure database root account, which can be accessed by default without supplying a password.
mysql -h localhost
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mysql]> update user set plugin='' where user='root';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
MariaDB [mysql]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [mysql]> exit
Bye
After you’ve completed the above step, execute the mysql_secure_installation script provided by Debian stretch repositories, in order to further secure MariaDB server and set up a strong password for database root account. Mainly, answer “yes” on all asked questions by the script, such as: to change MySQL root password, to remove anonymous users, to disable remote root logins and delete the test database, as illustrated in the below script excerpt.
mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
You already have a root password set, so you can safely answer 'n'.
Change the root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
In order to test MariaDB security, try logging in to the database from the console with no root password. The access to the database should be denied if no password is provided for the root account, as illustrated in the below command excerpt:
mysql -h localhost -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
If the password is supplied, the login process should be granted to MySQL console, as shown in the command sample:
mysql -h localhost -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 15
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> exit
Bye
After you’ve installed and secured MariaDB database, it’s time to install the next components required to deploy the Elgg application: Apache HTTP server and PHP programming language processing gateway. In order to install Apache web server and the PHP interpreter alongside with all required PHP modules through which the server will execute the application scripts, execute the following command in your server console.
apt install apache2 libapache2-mod-php7.0 php7.0 php7.0-gd php7.0-opcache php7.0-mbstring php7.0-xml php7.0-mysql
Next, open and modify the PHP default configuration file by altering the following PHP variables. Open the /etc/php/7.0/apache2/php.ini file for editing and change the following lines. First, make a backup of the PHP configuration file.
cp /etc/php/7.0/apache2/php.ini{,.backup}
nano /etc/php/7.0/apache2/php.ini
Search, edit and change the following variables in php.ini configuration file:
file_uploads = On
default_charset = UTF-8
memory_limit = 128M
upload_max_filesize = 100M
date.timezone = Europe/London
Increase the upload_max_filesize variable as suitable in order to support large file attachments for your application. Also, change the PHP timezone setting to your system's geographical location by consulting the list of time zones provided by the PHP docs at the following link: http://php.net/manual/en/timezones.php
Enable OPCache plugin available for PHP7 in order to increase website load speed by appending the following OPCache settings at the bottom of the PHP interpreter configuration file, below the [opcache] statement, as detailed below:
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
After you’ve made all the above changes, save and close the php.ini configuration file, restart the Apache web server to apply PHP interpreter changes by issuing the below command.
systemctl restart apache2
Configure the Firewall
To add the required UFW firewall application rules to allow HTTP traffic to pass through system firewall, issue the following commands in the server console.
ufw allow WWW
or
ufw allow 80/tcp
In case you’re remotely connected to your server via SSH, add the rule below to open SSH port 22 in your firewall.
ufw allow 22/tcp
If you manage the firewall rules in your Debian server via iptables raw rules, add the following rules to allow port 80 and 22 inbound traffic to pass the firewall so that external clients can access the application. Open port 22/TCP only if you’re remotely connected to the server via SSH.
apt-get install -y iptables-persistent
iptables -I INPUT -p tcp --destination-port 80 -j ACCEPT
iptables -I INPUT -p tcp --destination-port 22 -j ACCEPT
netfilter-persistent save
systemctl restart netfilter-persistent
systemctl status netfilter-persistent
systemctl enable netfilter-persistent.service
Configure Apache Web Server
On the next step, enable the Apache rewrite module required for altering web server configurations on the fly via the .htaccess file and the TLS module required to secure HTTP transactions, by issuing the below commands.
a2enmod rewrite ssl
a2ensite default-ssl.conf
Next, open the Apache default SSL site configuration file for editing with your favorite text editor, and add the following URL rewrite rules after DocumentRoot directive:
nano /etc/apache2/sites-enabled/default-ssl.conf
SSL site configuration file excerpt:
<Directory /var/www/html>
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>
Also, make the change shown below to the VirtualHost line to make it look like what's shown in the excerpt that follows:
<VirtualHost *:443>
Add the same changes to Apache default configuration file by opening /etc/apache2/sites-enabled/000-default.conf file for editing. Insert the following lines of code after DocumentRoot statement as shown in the example below.
<Directory /var/www/html>
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>
Finally, restart Apache daemon to apply all rules configured so far and visit your domain or server IP address via HTTP protocol.
systemctl restart apache2
Because you’re using the automatically generated self-signed certificate pair issued by Apache at installation, which the browser does not trust, a warning should be displayed in the browser. Accept the warning in order to accept the untrusted certificate and continue to the Apache default web page, as illustrated in the below image.
https://yourdomain.tld
In order to allow HTTPS traffic to pass through the UFW firewall, you should add the following rule to allow incoming 443/TCP traffic by issuing the command below.
ufw allow 'WWW Full'
or
ufw allow 443/tcp
If iptables is the default firewall application installed to protect your Debian system at network level, add the following rule to allow port 443 inbound traffic in the firewall so that visitors can browse your domain name.
iptables -I INPUT -p tcp --destination-port 443 -j ACCEPT
netfilter-persistent save
systemctl restart netfilter-persistent
systemctl status netfilter-persistent
Finally, create the PHP info file in your web server document root path by executing the following command.
echo '<?php phpinfo(); ?>'| tee /var/www/html/info.php
Visit the PHP info script file by opening a browser at the following URL:
https://yourdomain.tld/info.php
Verify PHP settings and scroll down to date configuration to check the PHP timezone configuration.
Install Elgg Software
In order to deploy the Elgg social network platform in your system, first visit the Elgg official download page at https://elgg.org/about/download and grab the latest zip package compressed archive by issuing the below command.
wget -O elgg-2.3.5.zip 'https://elgg.org/getelgg.php?forward=elgg-2.3.5.zip'
ls
Next, extract the Elgg zip archive file to your current working directory and list the extracted files by issuing the following commands.
unzip elgg-2.3.5.zip
ls -al elgg-2.3.5
On the next step, delete the default index.html file installed by Apache web server to webroot path and the info.php file created earlier by issuing the below commands.
rm /var/www/html/index.html
rm /var/www/html/info.php
Next, copy all the content of the extracted Elgg directory, including the hidden .htaccess file, into your web server document root path by issuing the following command.
cp -rf elgg-2.3.5/* /var/www/html/
cp elgg-2.3.5/.htaccess /var/www/html/
After you’ve copied Elgg installation files to your domain webroot path, create a directory named data for Elgg application, one level up your domain webroot, by issuing the following command. The data directory will be used by Elgg application to store diverse user related files. This data directory can be created anywhere in your server filesystem hierarchy, with the remark that you must grant Apache runtime user the write permissions to this directory.
mkdir /var/www/data
chown www-data:www-data /var/www/data
Next, execute the below commands in order to grant Apache runtime user with full write permissions to the web root path. Use the ls command to list permissions for application’s installed files located in the /var/www/html/ directory.
chown -R www-data:www-data /var/www/html/
ls -al /var/www/html/
Before beginning with the installation process via a web browser, log in to the MariaDB database console and create the Elgg database and a user with a password that will be used to manage this database, by issuing the following commands. Make sure you replace the database name, user and password used in this tutorial accordingly.
mysql -u root -p
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database elgg_db;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on elgg_db.* to 'elgg_user'@'localhost' identified by 'password1234';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit
Bye
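One way to follow the advice to replace the sample password, as an added shell example that is not part of the original tutorial: it generates a random password and emits the same three statements used in the session above. The function names are hypothetical; elgg_db and elgg_user are the names from this tutorial.

```shell
#!/bin/sh
# Added example: emit the Elgg database setup statements with a random
# password. Function names are hypothetical.

# 32 hex characters (128 bits) read from the kernel random source.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Accept only letters, digits and underscore, so a crafted database or
# user name cannot change the meaning of the generated SQL.
valid_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# elgg_db_sql DBNAME DBUSER PASSWORD
# Writes the statements to stdout; returns 2 on rejected input.
elgg_db_sql() {
    if ! valid_ident "$1" || ! valid_ident "$2"; then
        echo "rejected database or user name" >&2
        return 2
    fi
    # The password is placed inside single quotes, so allow only
    # characters that cannot terminate the string.
    case "$3" in
        ''|*[!A-Za-z0-9]*) echo "rejected password" >&2; return 2 ;;
    esac
    cat <<EOF
create database $1;
grant all privileges on $1.* to '$2'@'localhost' identified by '$3';
flush privileges;
EOF
}

# Demo with the names used in this tutorial and a fresh password.
elgg_db_sql elgg_db elgg_user "$(gen_password)"
```

Pipe the output into mysql -u root -p on the server, and keep the generated password for the database screen of the Elgg installer.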
Now, let’s proceed with Elgg installation. First open a browser and navigate to your server’s IP address or domain name or server FQDN via HTTPS protocol.
https://yourdomain.tld
On the welcome screen, the installer will display an introduction message that informs you that Elgg platform software will require six steps to follow in order to install the application. Just hit on Next button in order to start the installation process, as illustrated in the below screenshot.
Next, the Elgg installer will parse your system and check if PHP and web server requirements are met for installing the application. Hit on Next button, to continue the installation process, as shown in the below screenshot.
In the next installation screen, configure the MySQL database settings by supplying MySQL database name, server host (use localhost if the database is installed on the same node), the database username and the password created earlier for installing Elgg. Use the database table prefix as default or change it if you want to add an extra layer of security for your application. Finally, select your default timezone setting for the application and hit on Next button to move to the next installation screen. Use the below screenshot as a guide to configuring this step.
On the next step, configure the Elgg website by adding a name for the site and an email address for user communication. Also, change the site URL address if it was not correctly detected and add the full path to website data directory. Finally, setup your default website access level for newbies and hit on Next button to continue the installation process.
Next, create the first admin account for your website, by filling the Display Name field with the name of your admin account. Also, add the admin account email address, username and password, as illustrated in the below image. When you complete this step, hit on Next button to continue and finish the installation process.
After the installation process completes, hit on “Go to site” button in order to be redirected to the Elgg admin dashboard.
After you’ve been logged in to Elgg dashboard, navigate to Configure -> Plugins menu from right panel and start enabling your required Elgg plugins by hitting on the Activate button for the selected plugin.
You can also visit Elgg application by navigating to your server IP address or domain name via HTTPS protocol. Use the credentials configured for admin account during the installation process in order to log in to Elgg social engine application, as shown in the below screenshot.
https://yourdomain.tld
As the final step, if you want to force visitors to securely browse the Elgg website via HTTPS protocol that encrypts the traffic between the server and client browsers, return to the Debian server console and edit the .htaccess file located in your website document root path, by issuing the below command.
nano /var/www/html/.htaccess
In .htaccess file, search for the <IfModule mod_rewrite.c> line and add the below rules after RewriteEngine On statement in order to automatically redirect all your domain traffic to HTTPS.
RewriteEngine On
# Redirect to HTTPS
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
Here, you can also change some PHP variables for your website. Search for <IfModule mod_php7.c> directive and under this line add your own PHP settings such as: increase the file upload size for the domain or disable some server default PHP configurations, as shown in the below excerpt:
# Alter web server PHP settings
php_value session.use_trans_sid 0
# register_globals was removed in PHP 5.4, so this line has no effect on PHP 7; never set it to 1
php_value register_globals 0
php_value upload_max_filesize 100M
php_value post_max_size 100M
In order for the Elgg application to send out queued notifications, rotate system logs in database and collect garbage in the database (compacting the database by removing entries that are no longer required), create a crontab file with the below configurations. Also, this crontab job must be owned and executed by Apache runtime user.
crontab -u www-data -e
Crontab file excerpt. The cron task output of each job will be discarded to Linux /dev/null blackhole file. Replace the domain name variable ($ELGG) used in this script accordingly.
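# -k skips certificate verification; drop it once a CA-issued certificate is installed
GET="curl -k"
ELGG="https://www.socialnet.org/"
# Redirections are written out on each line: the shell does not honor them when they come from a variable
* * * * * $GET ${ELGG}cron/minute/ > /dev/null 2>&1
*/5 * * * * $GET ${ELGG}cron/fiveminute/ > /dev/null 2>&1
15,30,45,59 * * * * $GET ${ELGG}cron/fifteenmin/ > /dev/null 2>&1
30,59 * * * * $GET ${ELGG}cron/halfhour/ > /dev/null 2>&1
@hourly $GET ${ELGG}cron/hourly/ > /dev/null 2>&1
@daily $GET ${ELGG}cron/daily/ > /dev/null 2>&1
@weekly $GET ${ELGG}cron/weekly/ > /dev/null 2>&1
@monthly $GET ${ELGG}cron/monthly/ > /dev/null 2>&1
@yearly $GET ${ELGG}cron/yearly/ > /dev/null 2>&1
@reboot $GET ${ELGG}cron/reboot/ > /dev/null 2>&1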
Congratulations! The Elgg social media platform has been successfully installed and configured at your premises in a Debian 9 server. In case you’re using a registered public domain name to expose Elgg application to public-facing visitors, you should consider buying an SSL certificate issued by a trusted Certificate Authority or get a free certificate pair from Let’s Encrypt CA.
In order to further administer the Elgg application, visit the documentation pages at the following address: http://learn.elgg.org/en/stable/index.html