1.) Install CentOS 7 x64 minimal on a 20GB drive
2.) Set up a static IP and an FQDN that you own so you can install security certificates (e.g. assets.domainname.com).
3.) Enable NTP and set timezone.
4.) Create the partition scheme: 1GB /boot, 2xRAM swap, rest / on standard partitions.
5.) Software selection = minimal
6.) Set root and optionally user account passwords
7.) Reboot and perform a yum update
8.) Install PHP 7, MariaDB, Apache and utils
https://wiki.centos.org/HowTos/php7
yum -y install centos-release-scl.noarch
yum -y install epel-release
yum -y install rh-php71 rh-php71-php rh-php71-php-fpm rh-php71-php-bcmath rh-php71-php-mbstring rh-php71-php-mcrypt rh-php71-php-gd rh-php71-php-ldap rh-php71-php-mysqlnd mariadb-server httpd vim wget unzip git
systemctl enable rh-php71-php-fpm.service
systemctl start rh-php71-php-fpm.service
Add PHP7 to the system $PATH
echo 'pathmunge /opt/rh/rh-php71/root/usr/bin' > /etc/profile.d/rh-php71.sh
chmod +x /etc/profile.d/rh-php71.sh
Reload your profile (yes, there is a space between the . and /etc)
. /etc/profile
Install Composer
cd ~
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/bin/composer
9.) Enable and start HTTPD, add firewall rules:
systemctl enable httpd ; systemctl start httpd
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
10.) Delete /etc/httpd/conf.d/welcome.conf
rm /etc/httpd/conf.d/welcome.conf
11.) Secure and set up the MariaDB installation
Create a root password and record it, and accept all other defaults.
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation
12.) Create the database for Snipe-IT
Log in to the database server; when prompted, use the password you created during mysql_secure_installation
mysql -u root -p
Run the following commands to create the database and user, grant permissions and apply them (note: use a new, unique password here)
CREATE DATABASE snipeit_db;
CREATE USER 'snipeit_dbuser'@'localhost' IDENTIFIED BY 'StrongPassword';
GRANT ALL PRIVILEGES ON snipeit_db.* TO 'snipeit_dbuser'@'localhost';
FLUSH PRIVILEGES;
EXIT;
13.) Download Snipe-IT via git
https://www.vultr.com/docs/how-to-install-snipe-it-on-centos-7
cd /var/www/
git clone https://github.com/snipe/snipe-it snipe-it
14.) Modify the environment variables
cd /var/www/snipe-it
cp .env.example .env
vim .env
Set the following variables according to your install
APP_URL=http://snipe-it.domainname.com #Provide your domain name or IP address here
APP_TIMEZONE='US/Pacific' #Change it according to your country
DB_DATABASE=snipeit_db #Provide the database name you created earlier
DB_USERNAME=snipeit_dbuser #Provide database user's username
DB_PASSWORD=superSecretPW #Provide the DB user's password
MAIL_DRIVER=smtp
MAIL_HOST=mail.domain.name
MAIL_PORT=587
MAIL_USERNAME=snipeit_notifications@maildomain.com
MAIL_PASSWORD=someXcellentPW
MAIL_ENCRYPTION=TLS
MAIL_FROM_ADDR=snipeit_notifications@maildomain.com
MAIL_FROM_NAME='Your Asset Management System'
MAIL_REPLYTO_ADDR=noreply@maildomain.com
MAIL_REPLYTO_NAME='noreply@maildomain.com'
15.) Create a PHP file to check php-fpm (note: this only verifies that php-fpm is active and in use; we'll delete it later)
vim /var/www/snipe-it/public/index-fpm-test.php
Add the content:
<?php phpinfo(); ?>
Set permissions
useradd snipe
passwd snipe
usermod -a -G apache snipe
chown -R snipe:apache /var/www/snipe-it
chmod -R 775 /var/www/snipe-it/storage
chmod -R 775 /var/www/snipe-it/public/uploads
chmod 640 /var/www/snipe-it/.env
chcon -R -h -t httpd_sys_rw_content_t /var/www/snipe-it/storage/
chcon -R -h -t httpd_sys_rw_content_t /var/www/snipe-it/public/
setsebool -P httpd_can_connect_ldap on
setsebool -P httpd_can_network_connect on
setsebool -P httpd_can_sendmail on
Install PHP dependencies via Composer
Switch to the snipe user to run composer install, then exit
su snipe
cd /var/www/snipe-it
composer install --no-dev --prefer-source
exit
Set permissions on downloaded vendor files
chown -R snipe:apache /var/www/snipe-it/vendor
Generate app key
php artisan key:generate --force
Populate SQL database
php artisan migrate --force
16.) Create a virtual host for Snipe-IT
vim /etc/httpd/conf.d/snipe-it.domainname.com.conf
Add the following
<VirtualHost *:80>
    ServerName snipe-it.domainname.com
    DocumentRoot /var/www/snipe-it/public
    <Directory /var/www/snipe-it/public>
        Options Indexes FollowSymLinks MultiViews
        DirectoryIndex index.php
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>
</VirtualHost>
Restart Apache
systemctl restart httpd
17.) Browse to http://ip.add.r.ess/index-fpm-test.php to verify the PHP version and that php-fpm is handling requests
18.) Delete /var/www/snipe-it/public/index-fpm-test.php
rm /var/www/snipe-it/public/index-fpm-test.php
Web UI Setup
- Open a browser and go to snipe-it.domainname.com
- Check the .env permissions: the pre-flight page links to the .env file, and you should get an error (not the file contents) when you follow that link.
- Send yourself a test E-Mail to make sure it's working.
- Create Database tables (already done by the migrate step above, so nothing should need creating)
- Create User
- You should be in!
Enable Active Directory Sync
First be sure your host OS is using the DNS of your AD domain controllers if you want to use the DNS name of the server.
- Create a regular/limited user in AD to use as a sync account, name it accordingly and make notes
- Click on the “Gears” in the top right of the Snipe-IT UI, click on LDAP.
- Check “LDAP Enabled”, “This is an Active Directory Server” and “LDAP Password Sync”
- “Active Directory Name” should be your AD domain name: internal.companyname.com
- “LDAP Server” should be: ldap://domaincontroller.internal.companyname.com (or ldap://ip.add.re.ss)
- “LDAP Bind Username” should be the AD account you just created and enter it as: ADaccountName@internal.companyname.com
- “Base Bind DN” is the base AD folder where you store your users: OU=Users,OU=CompanyName,DC=internal,DC=companyname,DC=com
- “LDAP Filter”: &(cn=*)
- “Username Field”: samaccountName
- “LDAP Authentication query”: SAMAccountName= (note: this is different from the default)
- Leave everything else as is and click on “Save” at the bottom.
- Go back into the LDAP options and click on “Test LDAP”; if that's successful, enter a different username and password in the “Test LDAP Login” fields and click “Test LDAP”. Note: the username doesn't need the @internal.companyname.com appended to it.
- Go to “People” on the left hand menu, then click on “LDAP Sync”
- Click on “Synchronize”.
Install Lets Encrypt Certificate
https://github.com/ladybirdweb/faveo-helpdesk/wiki/Install-Let’s-Encrypt-SSL-on-CentOS-7-Running-Apache-Web-Server
Install dependent modules
yum install epel-release mod_ssl
Install the Let’s Encrypt client
yum install python-certbot-apache
Setup the certificate
certbot --apache -d example.com
Setup crontab to auto-renew the certificate
crontab -e
And enter something like
0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log
then, in /etc/httpd/conf.d/ssl.conf, add -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 to SSLProtocol (if certbot generated a separate *-le-ssl.conf vhost with its own SSLProtocol line, change it there as well, since a per-VirtualHost setting overrides the server-level one)
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
then add !RC4:!3DES to SSLCipherSuite
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4:!3DES
then disable http in firewalld
firewall-cmd --remove-service=http --permanent
firewall-cmd --reload
Install Commercial Certificate
yum install mod_ssl
mkdir /root/certs/ && cd /root/certs/
openssl req -new -newkey rsa:4096 -days 1095 -nodes -keyout domain.name.com.key -out domain.name.com.csr
when asked for the common name, enter the full domain name you are trying to secure (the -days value is only used for self-signed certificates and has no effect on a CSR; the CA sets the validity period)
Go to namecheap.com and get a positiveSSL certificate for 2 years, upload the contents of the CSR file for the request.
download and unzip the file in /root
then merge the bundle and crt files
cat domain.name_com.ca-bundle >> domain.name_com.crt
copy the domain.name_com.crt to /etc/pki/tls/certs
copy the domain.name.com.key to /etc/pki/tls/private
Set proper permissions for files
chmod 600 /etc/pki/tls/certs/domain.name_com.crt
chmod 600 /etc/pki/tls/private/domain.name.com.key
restorecon -RvF /etc/pki/tls/certs
restorecon -RvF /etc/pki/tls/private
Configure ssl.conf
vim /etc/httpd/conf.d/ssl.conf
find SSLCertificateFile and replace what comes after with
/etc/pki/tls/certs/domain.name_com.crt
find SSLCertificateKeyFile and replace what comes after with
/etc/pki/tls/private/domain.name.com.key
then add -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 to SSLProtocol
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
then add !RC4:!3DES to SSLCipherSuite
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4:!3DES
vim /etc/httpd/conf.d/snipe-it.domainname.com.conf
Change the following
<VirtualHost *:80> to <VirtualHost *:443>
and add under Virtual Host line (replacing xxx.cert and xxx.key with your files of course!)
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/xxx.crt
SSLCertificateKeyFile /etc/pki/tls/private/xxx.key
Restart Apache
systemctl restart httpd
Test the website at https://...
then disable http in firewalld
firewall-cmd --remove-service=http --permanent
firewall-cmd --reload
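A quick way to confirm the hardening from the two certificate sections and the .env step actually landed: the script below checks an ssl.conf for the SSLProtocol and SSLCipherSuite values this guide sets and checks that .env is mode 640 or tighter. It is an added example, not part of the original guide; the sample files it writes are constructed for the demonstration, and the file paths are the ones the guide uses.

```shell
#!/bin/sh
# Post-install checks for what this guide hardens: the SSLProtocol and SSLCipherSuite
# lines in ssl.conf and the chmod 640 on .env. Added example, not part of the guide;
# the sample files written by write_samples are constructed for the demonstration.
# 0 if the last SSLProtocol line disables SSLv2, SSLv3, TLSv1 and TLSv1.1; it checks
# the "all -X" subtraction form the guide uses, not "+TLSv1.2" style allow-lists.
check_ssl_protocol() {
    line=$(grep -E '^[[:space:]]*SSLProtocol' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    for old in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        case " $line " in
            *" -$old "*) ;;       # explicitly disabled, as intended
            *) return 1 ;;        # still negotiable
        esac
    done
    return 0
}
# 0 if the last SSLCipherSuite line excludes RC4 and 3DES (the guide's !RC4:!3DES)
check_cipher_suite() {
    line=$(grep -E '^[[:space:]]*SSLCipherSuite' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    case "$line" in *'!RC4'*) ;; *) return 1 ;; esac
    case "$line" in *'!3DES'*) ;; *) return 1 ;; esac
    return 0
}
# 0 if a file (the .env holding DB and mail passwords) is mode 640 or tighter:
# not group-writable, not world-accessible. GNU stat first, BSD stat as fallback.
check_env_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in [0-7][0-4]0) return 0 ;; *) return 1 ;; esac
}
# Constructed samples: stock CentOS 7 ssl.conf lines beside the guide's hardened ones,
# plus a correctly restricted .env and a group-writable one.
write_samples() {
    printf 'SSLProtocol all -SSLv2 -SSLv3\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA\n' > "$1/stock.conf"
    printf 'SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4:!3DES\n' > "$1/hardened.conf"
    : > "$1/env-ok";  chmod 640 "$1/env-ok"
    : > "$1/env-bad"; chmod 664 "$1/env-bad"
}
# Runs the three checks against one ssl.conf and one .env, printing PASS/FAIL per check
audit() {
    for c in "check_ssl_protocol $1" "check_cipher_suite $1" "check_env_mode $2"; do
        if $c; then echo "PASS $c"; else echo "FAIL $c"; fi   # $c splits into name + path
    done
}
tmp=$(mktemp -d); write_samples "$tmp"
audit "$tmp/stock.conf" "$tmp/env-bad"       # three FAIL lines
audit "$tmp/hardened.conf" "$tmp/env-ok"     # three PASS lines
rm -rf "$tmp"
```

On the real server run it as audit /etc/httpd/conf.d/ssl.conf /var/www/snipe-it/.env; any FAIL line points at a setting from the guide that was not applied.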