centos:mail_c7:horde_1

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Beide Seiten der vorigen Revision Vorhergehende Überarbeitung
Nächste Überarbeitung		 Vorhergehende Überarbeitung
centos:mail_c7:horde_1 [19.09.2014 06:45. ] – [PHP Einstellungen anpassen] djangocentos:mail_c7:horde_1 [20.04.2018 10:46. ] (aktuell) – Externe Bearbeitung 127.0.0.1
Zeile 1345: Zeile 1345:
 </WRAP> </WRAP>
  
-   # yum localinstall http://rpms.famillecollet.com/enterprise/7/remi/x86_64/php-horde-horde-lz4-1.0.6-1.el7.remi.5.4.x86_64.rpm -y+   # yum localinstall http://rpms.famillecollet.com/enterprise/7/remi/x86_64/php-horde-horde-lz4-1.0.7-1.el7.remi.5.4.x86_64.rpm -y
  
 Anschließend starten wir unseren http-Daemon 1x durch. Anschließend starten wir unseren http-Daemon 1x durch.
    # systemctl restart httpd.service    # systemctl restart httpd.service
  
-===== Installationsdokumentation =====+===== Dokumentation ===== 
 +==== Installation ====
  
    # cat /usr/share/doc/pear/horde/INSTALL    # cat /usr/share/doc/pear/horde/INSTALL
  
-<code>==============================+<file /usr/share/doc/pear/horde/INSTALL>==============================
  Installing Horde Framework 5  Installing Horde Framework 5
 ============================== ==============================
Zeile 2243: Zeile 2244:
 .. _`session.gc_divisor`: http://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor .. _`session.gc_divisor`: http://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor
 .. _`session.gc_maxlifetime`: http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime .. _`session.gc_maxlifetime`: http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
-</code>+</file>
  
-===== PHP Einstellungen anpassen===== +==== Sicherheit ==== 
-Gemäß den angaben in der Installationsdokumentation //**[[http://www.horde.org/apps/horde/docs/INSTALL|/usr/share/doc/pear/horde/INSTALL]]**// passen wir nun noch den Wert **session.gc_divisor** in der PHP-Konfigurationsdatei //**/etc/php.ini**// an:+   # cat /usr/share/doc/pear/horde/SECURITY 
 + 
 +<file /usr/share/doc/pear/horde/SECURITY>====================== 
 + Horde Security Notes 
 +====================== 
 + 
 +:Contact: horde@lists.horde.org 
 + 
 +.. contents:: Contents 
 +.. section-numbering:: 
 + 
 + 
 +Temporary files 
 +=============== 
 + 
 +Horde applications make extensive use of temporary files.  In order to make 
 +sure these files are secure, you should make sure your installation meets the 
 +following criteria. 
 + 
 +Sites may gain increased security by defining a temporary directory in the 
 +Horde configuration which is writable by the web server, but not writable by 
 +other users.  Since the temporary files may contain sensitive information it 
 +is best to also make these file unreadable by other users.  That is, they can 
 +be made readable and writable only by the web server user. 
 + 
 + 
 +PHP Sessions 
 +============ 
 + 
 +For the most security, you should enable PHP session cookies by enabling the 
 +PHP setting ``session.use_cookies``. When doing so, be sure to set an 
 +appropriate cookie path and cookie domain in the Horde configuration also to 
 +secure your cookies. You should even force session cookie usage in the Horde 
 +configuration, which is the default setting in all Horde versions now. 
 + 
 +If you want to use HTTPS connections, consider forcing users to HTTPS in the 
 +Horde configuration. This will force cookies to be sent over secure connections 
 +only and helps to prevent sidejacking. 
 + 
 +If PHP sessions are set to use the ``files`` save_handler, then these files 
 +should be secured properly. Sites can increase security by setting the PHP 
 +setting ``session.save_path`` to a directory that is only readable and 
 +writable by the web server process. 
 + 
 +Sites with a large user base should consider setting the 
 +``session.entropy_file`` and ``session.entropy_length`` to appropriate values. 
 + 
 +Horde will encrypt the user credentials before storing them in the session. 
 +Thus, a compromised sessions will not reveal the user's stored credentials. 
 + 
 + 
 +Default database passwords 
 +========================== 
 + 
 +The Horde documentation and sample database creation scripts create a default 
 +user and password for accessing the horde database.  Using this password in a 
 +production environment is a security hole, since an attacker will easily guess 
 +it. 
 + 
 +It is very important that sites change at least the password to something 
 +secure. 
 + 
 + 
 +Prevent configuration file reading and writing 
 +============================================== 
 + 
 +The configuration files may contain sensitive data (such as database 
 +passwords) that should not be read or written by local system users or remote 
 +web users. 
 + 
 +If you use a Unix system, one way to make the configuration files and 
 +directories accessible only to the web server is as follows.  Here we assume 
 +that the web server runs as the user ``apache`` and the files are located in 
 +``/home/httpd/html`` -- substitute the correct user or file path if needed:: 
 + 
 +$ chown -R apache /home/httpd/html/horde/config 
 +$ chown -R apache /home/httpd/html/horde/*/config 
 +$ chmod -R go-rwx /home/httpd/html/horde/config 
 +$ chmod -R go-rwx /home/httpd/html/horde/*/config 
 + 
 +For completely fascist permissions, you can make the entire Horde tree 
 +inaccessible by anyone except the web server user (and root):: 
 + 
 +$ chown -R apache /home/httpd/html/horde 
 +$ chmod -R go-rwx  /home/httpd/html/horde 
 +$ chmod -R a-w   /home/httpd/html/horde/ 
 + 
 +Note that the last line makes all files unwritable by any user (only root can 
 +override this).  This makes the site secure, but may make it more difficult to 
 +administrate.  In particular, it will defeat the Horde administrative 
 +configuration interface, forcing you to update the Horde configuration files 
 +manually (as per the INSTALL_ instructions). 
 + 
 +The above will not secure the files if other user's on the same machine can 
 +run scripts as the apache user.  If you need to protect against this you 
 +should make other user's scripts run under their own account with some 
 +facility such as apache's suexec module.  You need to watch out not only for 
 +cgi scripts, but also for other modules like mod_php, mod_perl, mod_python, 
 +etc. that may be in use on your server. 
 + 
 +.. _INSTALL: ?f=INSTALL.html 
 + 
 + 
 +Restricting the test script 
 +=========================== 
 + 
 +The test script (``horde/test.php``) provides a wealth of information that can 
 +be used against the site by attackers.  This script is disabled by default for 
 +this reason. 
 + 
 +This script is configured via the 'testdisable' configuration option. 
 + 
 +After manually enabling the script, and once you have confirmed that 
 +everything is working, you should disable access to the test script. 
 + 
 + 
 +Preventing Apache from serving configuration and source files 
 +============================================================== 
 + 
 +The Horde configuration files may contain sensitive data (such as database 
 +passwords) that should not be served by the web server. Other directories 
 +contain PHP source code that isn't intended for viewing by end-users. The 
 +Horde group has provided ``.htaccess`` files in various directories to help 
 +protect these files.  However, that depends on your web server honoring 
 +``.htacess`` files (which is a performance hit, and may not be available in 
 +all web servers). 
 + 
 +An Apache site can also prevent the web server from serving these 
 +files by adding sections to ``httpd.conf`` such as the following:: 
 + 
 +   <Directory "/home/httpd/html/horde/config"> 
 +       order deny,allow 
 +       deny from all 
 +   </Directory> 
 +   <Directory "/home/httpd/html/horde/lib"> 
 +       order deny,allow 
 +       deny from all 
 +   </Directory> 
 +   <Directory "/home/httpd/html/horde/locale"> 
 +       order deny,allow 
 +       deny from all 
 +   </Directory> 
 +   <Directory "/home/httpd/html/horde/po"> 
 +       order deny,allow 
 +       deny from all 
 +   </Directory> 
 +   <Directory "/home/httpd/html/horde/scripts"> 
 +       order deny,allow 
 +       deny from all 
 +   </Directory> 
 +   <Directory "/home/httpd/html/horde/templates"> 
 +       order deny,allow 
 +       deny from all 
 +   </Directory> 
 + 
 +Repeat this pattern for each Horde application.  For example, for IMP you 
 +would then add:: 
 + 
 +   <Directory "/home/httpd/html/horde/imp/config"> 
 +       order deny,allow 
 +       deny from all 
 +   </Directory> 
 +   <Directory "/home/httpd/html/horde/imp/lib"> 
 +       order deny,allow 
 +       deny from all 
 +   </Directory> 
 +   <Directory "/home/httpd/html/horde/imp/locale"> 
 +       order deny,allow 
 +       deny from all 
 +   </Directory> 
 +   <Directory "/home/httpd/html/horde/imp/po"> 
 +       order deny,allow 
 +       deny from all 
 +   </Directory> 
 +   <Directory "/home/httpd/html/horde/imp/scripts"> 
 +       order deny,allow 
 +       deny from all 
 +   </Directory> 
 +   <Directory "/home/httpd/html/horde/imp/templates"> 
 +       order deny,allow 
 +       deny from all 
 +   </Directory> 
 + 
 + 
 +Setup scripts 
 +============= 
 + 
 +There are various scripts use to setup or configure Horde.  If you allow other 
 +users on the web server machine, you should protect these files from being 
 +accessed by them.  On a unix system, you might restrict these files to root 
 +access by using the following type of commands:: 
 + 
 +$ chown -R root /home/httpd/html/horde/scripts 
 +$ chown -R root /home/httpd/html/horde/*/scripts 
 +$ chmod -R go-rwx /home/httpd/html/horde/scripts 
 +$ chmod -R go-rwx /home/httpd/html/horde/*/scripts 
 + 
 + 
 +Using a chroot web server setup 
 +=============================== 
 + 
 +Unix users may want to consider using a chroot environment for their web 
 +server.  How to do this is beyond the scope of this document, but sufficient 
 +information exists on the world wide web and/or in your server documentation 
 +to complete this task. 
 + 
 + 
 +Hiding PHP info from the user 
 +============================= 
 + 
 +You should consider setting the following PHP variables in your ``php.ini`` 
 +file to prevent information leak to the user, or global insertion by the 
 +user:: 
 + 
 +   expose_php = Off 
 +   display_errors = Off 
 +   log_errors = On 
 +   register_globals = Off 
 + 
 +You should also set up error logging (using the PHP ``error_log`` variable) 
 +to log to a file, syslog, or other log destination. 
 + 
 + 
 +Using a secure web server 
 +========================= 
 + 
 +Horde depends on passing sensitive information (such as passwords and session 
 +information) between the web server and the web client.  Using a secure 
 +(SSL-enabled) web server will help protect this information as it traversing 
 +the network. 
 + 
 + 
 +Using a secure POP3/IMAP server 
 +=============================== 
 + 
 +If you are using a POP3/IMAP server with Horde (e.g. for authentication or for 
 +IMP) then Horde is passing the user's login credentials between the web server 
 +and the mail server. 
 + 
 +If your web server and IMAP server are on the same host, you can increase 
 +security by forcing all traffic over the loopback or localhost interface so 
 +that it is not exposed to your network. 
 + 
 +In cases where that is not possible, we recommend using a secure mail 
 +connection such as IMAP-SSL or POP3-SSL to ensure that passwords remain safe. 
 + 
 + 
 +LDAP Security 
 +============= 
 + 
 +LDAP security is similar to the above POP3/IMAP server security issue.  If you 
 +are using LDAP, you should make sure that you are not exposing ldap passwords 
 +or any sensitive data in your LDAP database. 
 + 
 + 
 +Database socket security 
 +======================== 
 + 
 +If your database (e.g. MySQL or PostgreSQL) is on the same host as your web 
 +server, you may use unix sockets rather than tcp connections to help improve 
 +your security (and performance).  If it doesn't support unix sockets, you can 
 +achieve some better security by restricting the tcp support to the loopback or 
 +localhost interface. 
 + 
 +If the database keeps its socket file (e.g. ``mysql.sock``) in a directory 
 +like ``/tmp`` or ``/var/tmp``, you should set permissions carefully to ensure 
 +that local users (if you have any) can't delete the socket.  The unix "sticky" 
 +bit should already be sent on the temporary directory itself, but you also 
 +need to make sure the socket itself isn't writable by "other" or users can 
 +delete it. 
 + 
 +You might consider moving the socket file to another location such as 
 +``/var/run`` or the top-level directory of your database program (e.g. 
 +``/var/lib/mysql`` or ``/var/lib/pgsql``). 
 + 
 + 
 +Sendmail or SMTP considerations 
 +=============================== 
 + 
 +In some cases, you can increase security by sending mail via the local 
 +command-line sendmail program on your web server, rather than using SMTP. 
 +However, there may be reasons to use SMTP instead, such as if your smtp server 
 +does spam or virus checking which would be skipped using the local sendmail 
 +program. 
 + 
 + 
 +Additional Notes 
 +================ 
 + 
 +This is by far not a complete security HOWTO. This is just a compiled list of 
 +what people have contributed so far. If you have tips, ideas, suggestions or 
 +anything else that you think could help others in securing their Horde 
 +installation, please let us know. 
 +</file> 
 +http://www.horde.org/apps/horde/docs/SECURITY 
 + 
 +==== Performance ==== 
 +  # cat /usr/share/doc/pear/horde/PERFORMANCE 
 + 
 +<file /usr/share/doc/pear/horde/PERFORMANCE>========================= 
 + Horde Performance Guide 
 +========================= 
 + 
 +:Contact: horde@lists.horde.org 
 + 
 +.. contents:: Contents 
 + 
 + 
 +Some tips on performance tuning systems for Horde.  This does not cover 
 +hardware tuning or even low level system (network, filesystem, etc) tuning. 
 + 
 +Don't apply the following tuning hints blindly.  Test your applications before 
 +and after the changes under the conditions that are important for you.  For 
 +some people it's more important to make them as fast as possible for a small 
 +user base, others require the applications to scale well under a high load. 
 +Some of these hints might even make the applications slower under certain 
 +conditions or using a certain hardware. 
 + 
 + 
 +Linux Tuning 
 +============ 
 + 
 +* Recompile RPMS for your architecture (e.g. i586, i686, athlon, etc). 
 +  This applies most to your Apache, PHP, IMAP, and POP3 packages. 
 + 
 + 
 +Webserver/PHP tuning 
 +==================== 
 + 
 +* Consider a PHP accelerator program.  See for example `The Zend Performance 
 +  Suite`_, the `Alternative PHP Cache`_, eAccelerator_, or XCache_.  These 
 +  accelerators speed up access by caching the compiled PHP code, eliminating 
 +  the need to recompile the code for every single page load. **This is probably 
 +  the easiest way to improve the performance of Horde**. See Autoloading_ 
 +  further down to get even more out of some of those accelerators. 
 + 
 +* Enable PHP output compression in the Horde configuration. Do not enable 
 +  compression in the PHP configuration (i.e. in ``php.ini``), because certain 
 +  scripts don't work well with compression and Horde takes care of disabling 
 +  compression conditionally. 
 + 
 +* Keep the include path defined in ``php.ini`` as short as possible, with the 
 +  most frequently used library paths first.  You don't need to include the 
 +  local directory ``.`` because Horde always uses full paths instead of 
 +  relative paths. 
 + 
 +* Use an optimized ``php.ini``: start with ``php.ini-recommended`` in your PHP 
 +  dsitribution. 
 + 
 +* Don't run PHP session garbage collection too often if using a slow storage 
 +  medium (like SQL). (See ``session.gc_probability`` in ``php.ini``) 
 + 
 +* If you have a large number of sessions and are using PHP's default file 
 +  based session handler, consider storing them in hashed directory levels. 
 +  (See ``session.save_path`` at http://www.php.net/session) 
 + 
 +* Consider using a faster storage medium for sessions, such as a tmpfs 
 +  (if storing sessions locally) or memcache (for storing session information 
 +  that can be accessed by multiple servers). 
 + 
 +* Only load as many Apache and PHP extensions as needed (to reduce memory 
 +  usage). 
 + 
 +* Use statically compiled Apache modules, including the PHP module. 
 + 
 +* Use compiler optimizations (--prefer-non-pic, -O3, -march -mcpu, -msse, 
 +  -mmmx, -mfpmath=sse, etc.) 
 + 
 +* If using SSL with a large site, consider a hardware SSL accelerator. 
 + 
 +* Use shared memory for the Apache SSL cache if possible. 
 + 
 +* To improve caching of static content if accessing Apache SSL with Internet 
 +  Explorer, try setting longer expiration periods:: 
 + 
 +    ExpiresActive On 
 +    ExpiresByType image/png "now plus 1 month" 
 +    ExpiresByType image/gif "now plus 1 month" 
 +    ExpiresByType text/javascript "now plus 1 month" 
 +    ExpiresByType application/x-javascript "now plus 1 month" 
 +    ExpiresByType text/css "now plus 1 month" 
 + 
 +  .. Note:: You must compile the ``mod_expires`` extension into Apache in 
 +            order to use these directives. 
 + 
 +  .. Warning:: This might cause problems if you upgrade Horde and the users' 
 +               browsers still use the old file versions. 
 + 
 +* Disable DNS lookups in your Apache logging, or use a caching DNS server on 
 +  the web server host. 
 + 
 +* Enable Apache keepalives. 
 + 
 +* You can configure Horde to serve all images, style sheets and/or static 
 +  javascript files from a different server. This could be a very lightweight 
 +  server without PHP (and other CGI modules) builtin. If using SSL to serve 
 +  all pages, the images/js server will also have to serve SSL content or else 
 +  browsers will complain about non-secure content in a secure page. Since this 
 +  server does not need to handle dynamic content, it would be wise to use a 
 +  high-performance server with low memory and/or system resource requirements 
 +  (this `IBM Article`_ can provide further information). You need to set 
 +  the ``themesuri`` and/or ``jsuri`` parameters in ``config/registry.php`` for 
 +  all applications and copy all ``themes`` and/or ``js`` directories in the 
 +  same directory layout to the other server. 
 + 
 +* Your webserver should use Expires headers to make sure static content can 
 +  be cached on the user's browser.  For example, to make lighttpd set an 
 +  expiration date on all graphics, javascript files, and stylesheets, add 
 +  the following to ``lighttpd.conf``:: 
 + 
 +    $HTTP["url"] =~ "\.(jpg|gif|png|js|css)$"
 +        expire.url = ( "" => "access 1 months"
 +    } 
 + 
 +* Enable caching in horde. Several applications make heavy use of caching and, 
 +  if enabled, you will see a significant increase in performance. 
 + 
 +* Enable caching/compression of javascript and CSS. See `Yahoo's Analysis`_ 
 +  which concludes that "[r]educing the number of HTTP requests has the biggest 
 +  impact on reducing response time". Caching via filesystem is HIGHLY 
 +  RECOMMENDED: it is also the only way of caching that reliably works on all 
 +  browsers. Caching can also be done via horde caching, but the 
 +  cache-busters used to generate unique URLs when the cached content changes 
 +  do not work 100% reliably across all browsers. 
 + 
 +* It is highly recommended to install the horde_lz4 package to activate 
 +  compression for Horde data.  horde_lz4 is a minimal package that does 
 +  real-time compression. On modern CPUs, this compression is as fast as an 
 +  (unoptimized) memcpy action, making the compression essentially 'free' when 
 +  compared to uncompressed data. horde_lz4 can be installed via PECL (see 
 +  INSTALL for further details). 
 + 
 +.. _`The Zend Performance Suite`: http://www.zend.com/horde.php 
 +.. _`Alternative PHP Cache`: http://www.php.net/apc 
 +.. _eAccelerator: http://eaccelerator.net/ 
 +.. _XCache: http://xcache.lighttpd.net/ 
 +.. _`IBM Article`: http://www.ibm.com/developerworks/web/library/wa-ltwebserv/ 
 +.. _`Yahoo's Analysis`: http://yuiblog.com/blog/2006/11/28/performance-research-part-1/ 
 + 
 + 
 +Sending Mail 
 +============ 
 + 
 +* Generally using a local sendmail command to send mail will result in better 
 +  peformance than using a SMTP connection. 
 + 
 +* Some MTA servers may be faster or more efficient than others.  Consider 
 +  switching to a faster format if needed. 
 + 
 + 
 +PostgreSQL tuning 
 +================= 
 + 
 +* Do a ``VACUUM`` command periodically to tune your database. 
 + 
 +* Increase ``shared_buffers`` and ``sort_mem`` memory settings. 
 + 
 +* If web server and database is on the same unix host, use unix sockets 
 +  instead of network connections for database access. 
 + 
 + 
 +MySQL tuning 
 +============ 
 + 
 +* If web server and database is on the same unix host, use unix sockets 
 +  instead of network connections for database access. 
 + 
 +* Enable mysql query cache if you have sufficient RAM.  Edit your ``my.cnf`` 
 +  file and add the following to the ``[mysqld]`` section (change the memory 
 +  size to meet your needs):: 
 + 
 +    set-variable = query_cache_size=128M 
 + 
 + 
 +Horde tuning 
 +============ 
 + 
 +Autoloading 
 +----------- 
 + 
 +* Horde automatically loads PHP source files on demand which relies on the PHP 
 +  autoloading feature introduced with PHP 5 and the Horde Autoloader library. 
 +  Both allow to limit the set of source code files pulled into the system to 
 +  the minimal amount required to answer the current request. This saves memory 
 +  and time but at the same time the Autoloader library has to map each class 
 +  name to the path of the corresponding PHP file that holds the class 
 +  definition. This procedure is expensive and can slow the system down. 
 +  Fortunately the mapping is fixed unless files are added or removed which 
 +  usually only happens during an upgrade. 
 + 
 +  Thus Autoloading is amenable to caching and an easy way to improve the 
 +  performance of the Horde Autoloader library, is to install the Autoloader 
 +  Cache extension:: 
 + 
 +    pear install horde/horde_autoloader_cache 
 + 
 +  This library is not installed by default because it will unconditionally use 
 +  any of the following cache backends and does not allow for any further 
 +  configuration: `Alternative PHP Cache`_, XCache_, eAccelerator_, or the local 
 +  temporary filesystem. 
 + 
 +  It also doesn't detect the rare case when the file paths of any PHP class in 
 +  Horde changes. In this case you either need to use the provided script to 
 +  empty the cache:: 
 + 
 +     horde-autoloader-cache-prune 
 + 
 +  or empty the cache manually, e.g. by restarting the web server or deleting 
 +  the cache file from the temporary directory. 
 + 
 +VFS 
 +--- 
 + 
 +* Try to avoid using a SQL backend for VFS. Many databases require binary data 
 +  to be heavily escaped, resulting in storage sizes that are many times 
 +  greater than the actual size of the data. File system VFS will normally 
 +  provide much improved performance. 
 + 
 + 
 +Application tuning 
 +================== 
 + 
 +* Some applications contain advanced features that might have a certain impact 
 +  on the performance.  These features can usually be turned off in the 
 +  application's configuration and are explicitly described as being a 
 +  performance hit in the configuration web frontend. 
 +</file> 
 + 
 +===== Konfiguration ===== 
 +==== PHP Einstellungen ==== 
 +Gemäß den Angaben in der Installationsdokumentation //**[[http://www.horde.org/apps/horde/docs/INSTALL|/usr/share/doc/pear/horde/INSTALL]]**// passen wir nun noch den Wert **session.gc_divisor** in der PHP-Konfigurationsdatei //**/etc/php.ini**// an:
  
    # vim /etc/php.ini    # vim /etc/php.ini
Zeile 2261: Zeile 2792:
 </code> </code>
  
-  * [[centos:mail_c6:horde_2|Basiskonfiguration von horde]] +Den Hinweisen aus der Sicherheitsdokumentation //**[[http://www.horde.org/apps/horde/docs/SECURITY#hiding-php-info-from-the-user|/usr/share/doc/pear/horde/SECURITY]]**// entsprechend kontrollieren wir die Einstellungen in der PHP-Konfigurationsdatei //**/etc/php.ini**// und passen den Parameter **expose_php**an. 
-  * **horde Groupware Anwendungen** +   # vim /etc/php.ini 
-    * [[centos:mail_c6:horde_3|Webmailer imp]] +<code php /etc/php.ini>... 
-    * [[centos:mail_c6:horde_4|Aufgaben nag]] + 
-    * [[centos:mail_c6:horde_5|Adressbuch turba]] +; Decides whether PHP may expose the fact that it is installed on the server 
-    [[centos:mail_c6:horde_6|Notizen mnemo]] +; (e.g. by adding its signature to the Web server header).  It is no security 
-    * [[centos:mail_c6:horde_7|Kalender - kronolith]] +; threat in any way, but it makes it possible to determine whether you use PHP 
-    * [[centos:mail_c6:horde_8|Filter-Regeln (IMAP) - ingo]] +; on your server or not. 
-    * [[centos:mail_c6:horde_9|Passwort-Änderungen - passwd]]+; http://php.net/expose-php 
 +; Django : 2014-09-19 
 +;          horde's security hints: http://www.horde.org/apps/horde/docs/SECURITY#hiding-php-info-from-the-user 
 +; default: expose_php = On 
 +expose_php = Off 
 + 
 +... 
 +</code> 
 + 
 +Zur Aktivierung der Anpassungen führen wir einen Reload des Apache-Daemon durch. 
 +   # systemctl reload httpd.service 
 + 
 +===== Apache vHost ===== 
 +==== vHost Definition ==== 
 +Für unsere WEB-Applikation richten wir uns nun einen geeigneten **[[centos:web_c7:apache_2|SSL-Name Based Virtual Host]]** ein.  
 +Im Konfigurationsverzeichnis unseres [[centos:web_c7:apache_1|Apache-Webservers 2.4]] legen wir uns eine neue vHOST-Konfigurationsdatei an. 
 +   # vim /etc/httpd/conf.d/vhost_443_horde.conf 
 + 
 +<file apache /etc/httpd/conf.d/vhost_443_horde.conf># 
 +horde.sec-mail.guru (Horde Groupware Version 5) 
 +
 +<VirtualHost *:80> 
 +        ServerAdmin webmaster@nausch.org 
 +        ServerName horde.sec-mail.guru 
 +        ServerAlias xn--bro-hoa.sec-mail.guru 
 +        ServerPath / 
 + 
 +        <Location /> 
 +                Options -Indexes +FollowSymLinks 
 +                Require all granted 
 +        </Location> 
 + 
 +        RewriteEngine on 
 +        RewriteCond %{HTTPS} off 
 +        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} 
 + 
 +        DirectoryIndex index.php 
 + 
 +        ErrorLog logs/horde_error.log 
 +        CustomLog logs/horde_access.log combined 
 +</VirtualHost> 
 +<VirtualHost *:443> 
 +        ServerAdmin webmaster@nausch.org 
 +        ServerName horde.sec-mail.guru 
 +        ServerAlias xn--bro-hoa.sec-mail.guru 
 +        ServerPath / 
 +        DocumentRoot "/usr/share/horde" 
 + 
 +        <IfModule mod_ssl.c> 
 +                SSLEngine on 
 +                SSLProtocol -ALL +SSLv3 +TLSv1 
 +                SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5 
 +                SSLHonorCipherOrder on 
 +                SSLCertificateFile /etc/pki/tls/certs/wildcard.sec-mail.guru.certificate_140920.pem 
 +                SSLCertificateKeyFile /etc/pki/tls/private/wildcard.sec-mail.guru.serverkey.pem 
 +                SSLCertificateChainFile /etc/pki/tls/certs/CAcert_certificate-chain.pem 
 + 
 +        </IfModule> 
 + 
 +        <IfModule mod_gnutls.c> 
 +                GnuTLSEnable on 
 +                GnuTLSPriorities SECURE:!MD5 
 +#               #GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:!MD5:+COMP-NULL 
 +                GnuTLSCertificateFile /etc/pki/tls/certs/horde.sec-mail.guru.certificate_140912.pem 
 +                GnuTLSKeyFile /etc/pki/tls/private/horde.sec-mail.guru.serverkey.pem 
 +        </IfModule> 
 + 
 +        <IfModule mod_deflate.c> 
 +                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript 
 +                AddOutputFilterByType DEFLATE application/javascript application/x-javascriptl 
 +                <Location /> 
 +                        <IfModule mod_setenvif.c> 
 +                                SetOutputFilter DEFLATE 
 +                                BrowserMatch ^Mozilla/4 gzip-only-text/html 
 +                                BrowserMatch ^Mozilla/4\.0[678no-gzip 
 +                                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html 
 +                                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary 
 +                        </IfModule> 
 +                        <IfModule mod_headers.c> 
 +                                Header append Vary User-Agent env=!dont-vary 
 +                        </IfModule> 
 +                </Location> 
 +        </IfModule> 
 + 
 + 
 +        AddType application/x-httpd-php .php 
 + 
 +        # Link to system Javascript Libraries 
 +        Alias /horde/js/scriptaculous     /usr/share/scriptaculous 
 +        Alias /horde/js/prototype.js      /usr/share/prototype/prototype.js 
 +        Alias /horde/js/syntaxhighlighter /usr/share/syntaxhighlighter 
 + 
 +        # Link to Micro$oft stuff 
 +        Alias /Microsoft-Server-ActiveSync /usr/share/horde/rpc.php 
 +        Alias /autodiscover/autodiscover.xml /usr/share/horde/rpc.php 
 + 
 +        <Directory /usr/share/horde/> 
 +                # **IMPORTANT** By default, everyone accessing Horde is automatically logged 
 +                # in as 'Administrator'. This is a security risk! It is very important that  
 +                # you change the authentication backend under the 'Authentication' tab.  
 +                # For this reason, Horde is currently only accessible from localhost.  
 +                <IfModule mod_authz_core.c> 
 +                #       Zugriff nur vom Host vml000010.dmz.nausch.org aus erlauben 
 +                #       Require host vml000010.dmz.nausch.org 
 +                #       Zugriff generell erlauben 
 +                        Require all granted 
 +                </IfModule> 
 + 
 +                # Django : 2014-09-19 
 +                # aus der Konfigurationsdatei php-horde-kronolith.conf übernommen 
 +                <IfModule mod_rewrite.c> 
 +                        RewriteEngine On 
 +                        RewriteBase   /horde/ 
 +                        RewriteCond   %{REQUEST_FILENAME}  !-d 
 +                        RewriteCond   %{REQUEST_FILENAME}  !-f 
 +                        RewriteRule ^(.*)$ rampage.php [QSA,L
 +                </IfModule> 
 + 
 +                Options +FollowSymLinks 
 +                #Options All 
 +                #AllowOverride All 
 + 
 +                # Rewrite the requestet URI, when it is with german "Umlaute"
 +                RewriteEngine On 
 +                RewriteCond %{REQUEST_URI} ^/$ 
 +                RewriteCond %{HTTP_HOST} ^xn--bro-hoa.sec-mail.guru$ [NC] 
 +                RewriteRule ^$ https://horde.sec-mail.guru [L,R=301] 
 + 
 +                # Exclude file from password protection 
 +                SetEnvIf Request_URI "(rpc.php)$"  allow 
 +                SetEnvIf Request_URI "(rpc.php/turba/mailsystem/)$"  allow 
 +                SetEnvIf Request_URI "(rpc.php/nag/mailsystem/)$" allow 
 +                SetEnvIf Request_URI "(sapi/profile/client)$"  allow 
 +                SetEnvIf Request_URI "(devinfo)$"  allow 
 +                SetEnvIf Request_URI "(Microsoft-Server-ActiveSync)$"  allow 
 + 
 +                # ActiveSync 
 +                RewriteEngine On 
 +                RewriteRule ^/Microsoft-Server-ActiveSync /rpc.php [PT,L,QSA] 
 +                RewriteRule .- [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}] 
 +                RewriteRule .- [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}] 
 +                RewriteRule .- [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] 
 +        </Directory> 
 + 
 +        # Deny access to the test.php files except from localhost 
 +        <Files "test.php"> 
 +                # Django : 2014-09-19 
 +                #          Zugriff generell verbieten 
 +                #          Require all denied 
 +                #          Zugriff nur vom Host vml000010.dmz.nausch.org aus erlauben 
 +                Require host vml000010.dmz.nausch.org 
 +        </Files> 
 + 
 +        # Those directories should not be viewed by Web clients. 
 +        <DirectoryMatch /usr/share/horde/(ansel|imp|ingo|kronolith|mnemo|nag|sesha|trean|turba|passwd|wicked)/(config|lib|locale|scripts|templates)> 
 +                Require all denied 
 +        </DirectoryMatch> 
 +        <DirectoryMatch /usr/share/horde/(config|lib|locale|templates|scripts)> 
 +                Require all denied 
 +        </DirectoryMatch> 
 + 
 + 
 +        <Directory /usr/share/horde/rpc> 
 +                <IfModule mod_rewrite.c> 
 +                        RewriteEngine On 
 +                        RewriteCond   %{REQUEST_FILENAME}  !-
 +                        RewriteCond   %{REQUEST_FILENAME}  !-f 
 +                        RewriteRule   ^(.*)$ index.php/$1 [QSA,L] 
 +                </IfModule> 
 +        </Directory> 
 + 
 +        # Django : 2014-09-19 
 +        # aus der Konfigurationsdatei php-horde-content.conf übernommen  
 +        <Directory /usr/share/horde/content> 
 +                <IfModule mod_rewrite.c> 
 +                        RewriteEngine On 
 +                        RewriteCond   %{REQUEST_FILENAME}  !-d 
 +                        RewriteCond   %{REQUEST_FILENAME}  !-f 
 +                        RewriteRule ^(.*)$ index.php [QSA,L] 
 +                </IfModule> 
 +        </Directory> 
 + 
 +        # Django : 2014-09-19 
 +        # aus der Konfigurationsdatei php-horde-kronolith.conf übernommen 
 +        <Directory /usr/share/horde/kronolith/feed/> 
 +                <IfModule mod_rewrite.c> 
 +                        RewriteEngine On 
 +                        RewriteCond   %{REQUEST_FILENAME}  !-d 
 +                        RewriteCond   %{REQUEST_FILENAME}  !-f 
 +                        RewriteRule   ^(.*)$ index.php?c=$1 [QSA,L] 
 +                </IfModule> 
 +        </Directory> 
 + 
 +        DirectoryIndex index.php 
 +        ErrorLog logs/horde_error.log 
 +        CustomLog logs/horde_access.log combined 
 +</VirtualHost> 
 +</file> 
 + 
 +<WRAP round important>**Wichtig:** 
 + 
 +Solange wir unseren vHost noch nicht in der Produktionsumgebung steht und fertig konfiguriert wurde, beschränken wir den Zugriff auf den vHost noch. Hierzu tragen wir in der **Directive //Directory//** folgendes ein: 
 +<code apache>... 
 +                <IfModule mod_authz_core.c> 
 +                        # Access-stuff (Zugriff von überall erlauben.) 
 +                #Require all granted 
 +                        # Access-stuff (Zugriff nur vom Admin-Netz aus!) 
 + Require host nausch.org 
 +                </IfModule> 
 +... 
 +</code> 
 +Nach erfolgter Konfiguration, geben wir dann den Zugriff für alle frei. 
 +<code apache>... 
 +                <IfModule mod_authz_core.c> 
 +                        # Access-stuff (Zugriff von überall erlauben.) 
 +                Require all granted 
 +                        # Access-stuff (Zugriff nur vom Admin-Netz aus!) 
 + #Require host nausch.org 
 +                </IfModule> 
 +... 
 +</code> 
 +</WRAP> 
 + 
 +==== Konfiguration aktivieren ==== 
 +Bevor unseren Webserver starten, damit der neue vHost auch bedient werden kann, überprüfen wir die Konfiguration noch auf syntaktische Fehler. 
 +   # apachectl -t 
 + 
 +   Syntax OK 
 + 
 +Abschließend führen wir einen Reload sdes Daemon durch. 
 +   # systemctl reload httpd.service 
 + 
 +Bei Bedarf können wir auch den Status des Apche Webservers abfragen. 
 +   # systemctl status httpd.service 
 + 
 +<code>httpd.service - The Apache HTTP Server 
 +   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled) 
 +   Active: active (running) since Tue 2014-09-09 18:26:47 CEST; 1 day 15h ago 
 +  Process: 20019 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS) 
 +  Process: 22718 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS) 
 + Main PID: 20024 (httpd) 
 +   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec" 
 +   CGroup: /system.slice/httpd.service 
 +           ├─20024 /usr/sbin/httpd -DFOREGROUND 
 +           ├─22721 /usr/sbin/httpd -DFOREGROUND 
 +           ├─22722 /usr/sbin/httpd -DFOREGROUND 
 +           ├─22723 /usr/sbin/httpd -DFOREGROUND 
 +           ├─22724 /usr/sbin/httpd -DFOREGROUND 
 +           └─22725 /usr/sbin/httpd -DFOREGROUND 
 + 
 +Sep 10 19:45:20 vml000097.dmz.nausch.org systemd[1]Reloading The Apache HTTP Server. 
 +Sep 10 19:45:21 vml000097.dmz.nausch.org systemd[1]: Reloaded The Apache HTTP Server. 
 +</code> 
 + 
 + 
 + 
 +===== mySQL Datenbank ===== 
 +Ein Großteil der Benutzer-Konfigurationsdaten werden in einer **[[centos:mysql|mySQL-Datenbank]]** /* FIXME */ gespeichert und vorgehalten.  
 + 
 +==== Datenbank anlegen ==== 
 +Diese **[[centos:mysql|mySQL-Datenbank]]** /* FIXME */ und der zugehörige Datenbankuser werden wird nun im ersten Schritt anlegen. 
 + 
 +Wir melden uns also als berechtigter Datenbankuser an der mySQL-Datenbank an. 
 +    # mysql -h mysql.dmz.nausch.org -u root -p 
 + 
 +<code>Enter password:  
 +Welcome to the MySQL monitor.  Commands end with ; or \g. 
 +Your MySQL connection id is 217075 
 +Server version: 5.1.73 Source distribution 
 + 
 +Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. 
 + 
 +Oracle is a registered trademark of Oracle Corporation and/or its 
 +affiliates. Other names may be trademarks of their respective 
 +owners. 
 + 
 +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 
 + 
 +mysql> 
 +</code> 
 +Dort legen wir als aller erst einmal eine Datenbank mit dem Namen **horde** an. 
 +   mysql> create database horde5; 
 + 
 +   Query OK, 1 row affected (0.00 sec) 
 + 
 +==== Datenbankuser anlegen ==== 
 +Anschließend legen wir uns einen Datenbankuser an, denen wir entsprechende Rechte an der, gerade angelegten Datenbank **horde** einräumen. Als Namen nehme wir einfach **hode_admin_user**. 
 + 
 +   mysql> CREATE USER 'horde_admin_user'@'10.0.0.97' IDENTIFIED BY 'rbgsDK39DeM2b2btx9iMHfzd'; 
 + 
 +   Query OK, 0 rows affected (0.00 sec) 
 + 
 +und 
 +   mysql> CREATE USER 'horde_admin_user'@'vml000097.dmz.nausch.org' IDENTIFIED BY 'rbgsDK39DeM2b2btx9iMHfzd'; 
 + 
 +   Query OK, 0 rows affected (0.00 sec) 
 + 
 +==== Nutzerberechtigungen setzen ==== 
 +Dem gerade angelebtem Datenbankuser für **[[http://horde.org|Horde]]** gewähren wir nun die nötigen Rechte, damit dieser vom Webserver aus, Tabellen anlegen, befüllen und verändern darf. 
 +   mysql> GRANT ALL PRIVILEGES ON horde5.* TO 'horde_admin_user'@'10.0.0.97' IDENTIFIED BY 'rbgsDKMS39DeM2b2btx9iMHfzd' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0; 
 + 
 + 
 +   Query OK, 0 rows affected (0.00 sec) 
 + 
 +und 
 +   mysql> GRANT ALL PRIVILEGES ON horde5.* TO 'horde_admin_user'@'vml000097.dmz.nausch.org' IDENTIFIED BY 'rbgsDKMS39DeM2b2btx9iMHfzd' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0; 
 + 
 +   Query OK, 0 rows affected (0.00 sec)  
 + 
 +==== Nutzerberechtigungen zuweisen ==== 
 +Zum Ende unserer mySQL-Userkonfiguration weisen wir unserem Nutzer die Berechtigungen zu. 
 +   mysql> FLUSH PRIVILEGES; 
 + 
 +   Query OK, 0 rows affected (0.00 sec) 
 + 
 +Wir können uns nun vom Datenbank-Server wieder abmelden. 
 +   mysql> quit 
 + 
 +   Bye 
 + 
 +==== Zugriff testen ==== 
 +Als nächstes überprüfen wir, ob der zuvor angelegt User/Zugang vom WEB-Server aus auch funktioniert.  
 +     # mysql -D horde5 -h mysql.dmz.nausch.org -u horde_admin_user -p 
 +<code>Enter password 
 +Welcome to the MariaDB monitor.  Commands end with ; or \g. 
 +Your MySQL connection id is 217265 
 +Server version: 5.1.73 Source distribution 
 + 
 +Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others. 
 + 
 +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 
 + 
 +MySQL [horde5]> 
 +</code> 
 +Die Verbindung klappt schon mal, daher lassen wir uns mal ansehen, welche Datenbanken der administrative Horde-User sehen kann. 
 + 
 +    
 +MySQL [horde5]> show databases; 
 +<code>+--------------------+ 
 +Database           | 
 ++--------------------+ 
 +| information_schema | 
 +| horde5             | 
 ++--------------------+ 
 +2 rows in set (0.01 sec) 
 + 
 +MySQL [horde5]
 +</code> 
 +Auch dieser Test fiel positiv aus, wir können uns daher die Verbindung zum Datenbank-Server beenden und uns der weiteren konfiguration widmen. 
 +   MySQL [horde5]> quit 
 + 
 +   Bye 
 + 
 +===== weitere Schritte zur Einrichtung ===== 
 +Nach der erfolgreichen Einrichtung des [[centos:mail_c7:horde_1?&#apache_vhost|Apache vHosts]] und der [[centos:mail_c7:horde_1?&#mysql_datenbank|Datenbankanbindung und -einrichtung]], können wir uns nun mit der Konfiguration des Frameworks Horde 5 unter CentOS 7 sowie der [[centos:mail_c7:start?&#horde_5_groupware_-_anwendungen_unter_centos_7x|Einrichtung einzelner Applikationen]] beschäftigen.  
 + 
 +====== Links ====== 
 +  * **⇒ [[centos:mail_c7:horde_2|Weiter zum Kapitel "Basiskonfiguration des Frameworks Horde 5 unter CentOS 7.x"]]** 
 +  * **[[centos:mail_c7:start|Zurück zum Kapitel >>Mailserverinstallation unter CentOS 7<<]]** 
 +  * **[[wiki:start|Zurück zu >>Projekte und Themenkapitel<<]]** 
 +  * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]** 
 + 
  • centos/mail_c7/horde_1.1411109100.txt.gz
  • Zuletzt geändert: 19.09.2014 06:45.
  • von django