Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- centos:mail_c7:horde_1 [19.09.2014 06:54. ] – [Installationsdokumentation] django
+++ centos:mail_c7:horde_1 [20.04.2018 10:46. ] (aktuell) – Externe Bearbeitung 127.0.0.1
@@ Zeile 1345: / Zeile 1345: @@
 </WRAP>
-   # yum localinstall http://rpms.famillecollet.com/enterprise/7/remi/x86_64/php-horde-horde-lz4-1.0.6-1.el7.remi.5.4.x86_64.rpm -y
+   # yum localinstall http://rpms.famillecollet.com/enterprise/7/remi/x86_64/php-horde-horde-lz4-1.0.7-1.el7.remi.5.4.x86_64.rpm -y
 Anschließend starten wir unseren http-Daemon 1x durch.
@@ Zeile 2775: / Zeile 2775: @@
 </file>
-===== PHP Einstellungen anpassen=====
+===== Konfiguration =====
-Gemäß den angaben in der Installationsdokumentation //**[[http://www.horde.org/apps/horde/docs/INSTALL|/usr/share/doc/pear/horde/INSTALL]]**// passen wir nun noch den Wert **session.gc_divisor** in der PHP-Konfigurationsdatei //**/etc/php.ini**// an:
+==== PHP Einstellungen ====
+Gemäß den Angaben in der Installationsdokumentation //**[[http://www.horde.org/apps/horde/docs/INSTALL|/usr/share/doc/pear/horde/INSTALL]]**// passen wir nun noch den Wert **session.gc_divisor** in der PHP-Konfigurationsdatei //**/etc/php.ini**// an:
    # vim /etc/php.ini
@@ Zeile 2791: / Zeile 2792: @@
 </code>
-  * [[centos:mail_c6:horde_2|Basiskonfiguration von horde]]
+Den Hinweisen aus der Sicherheitsdokumentation //**[[http://www.horde.org/apps/horde/docs/SECURITY#hiding-php-info-from-the-user|/usr/share/doc/pear/horde/SECURITY]]**// entsprechend kontrollieren wir die Einstellungen in der PHP-Konfigurationsdatei //**/etc/php.ini**// und passen den Parameter **expose_php**an.
-  * **horde Groupware - Anwendungen**
+   # vim /etc/php.ini
-    * [[centos:mail_c6:horde_3|Webmailer - imp]]
+<code php /etc/php.ini>...
-    * [[centos:mail_c6:horde_4|Aufgaben - nag]]
-    * [[centos:mail_c6:horde_5|Adressbuch - turba]]
+; Decides whether PHP may expose the fact that it is installed on the server
-    * [[centos:mail_c6:horde_6|Notizen - mnemo]]
+; (e.g. by adding its signature to the Web server header).  It is no security
-    * [[centos:mail_c6:horde_7|Kalender - kronolith]]
+; threat in any way, but it makes it possible to determine whether you use PHP
-    * [[centos:mail_c6:horde_8|Filter-Regeln (IMAP) - ingo]]
+; on your server or not.
-    * [[centos:mail_c6:horde_9|Passwort-Änderungen - passwd]]
+; http://php.net/expose-php
+; Django : 2014-09-19
+;          horde's security hints: http://www.horde.org/apps/horde/docs/SECURITY#hiding-php-info-from-the-user
+; default: expose_php = On
+expose_php = Off
+...
+</code>
+Zur Aktivierung der Anpassungen führen wir einen Reload des Apache-Daemon durch.
+   # systemctl reload httpd.service
+===== Apache vHost =====
+==== vHost Definition ====
+Für unsere WEB-Applikation richten wir uns nun einen geeigneten **[[centos:web_c7:apache_2|SSL-Name Based Virtual Host]]** ein.
+Im Konfigurationsverzeichnis unseres [[centos:web_c7:apache_1|Apache-Webservers 2.4]] legen wir uns eine neue vHOST-Konfigurationsdatei an.
+   # vim /etc/httpd/conf.d/vhost_443_horde.conf
+<file apache /etc/httpd/conf.d/vhost_443_horde.conf>#
+# horde.sec-mail.guru (Horde Groupware Version 5)
+#
+<VirtualHost *:80>
+        ServerAdmin webmaster@nausch.org
+        ServerName horde.sec-mail.guru
+        ServerAlias xn--bro-hoa.sec-mail.guru
+        ServerPath /
+        <Location />
+                Options -Indexes +FollowSymLinks
+                Require all granted
+        </Location>
+        RewriteEngine on
+        RewriteCond %{HTTPS} off
+        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+        DirectoryIndex index.php
+        ErrorLog logs/horde_error.log
+        CustomLog logs/horde_access.log combined
+</VirtualHost>
+<VirtualHost *:443>
+        ServerAdmin webmaster@nausch.org
+        ServerName horde.sec-mail.guru
+        ServerAlias xn--bro-hoa.sec-mail.guru
+        ServerPath /
+        DocumentRoot "/usr/share/horde"
+        <IfModule mod_ssl.c>
+                SSLEngine on
+                SSLProtocol -ALL +SSLv3 +TLSv1
+                SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
+                SSLHonorCipherOrder on
+                SSLCertificateFile /etc/pki/tls/certs/wildcard.sec-mail.guru.certificate_140920.pem
+                SSLCertificateKeyFile /etc/pki/tls/private/wildcard.sec-mail.guru.serverkey.pem
+                SSLCertificateChainFile /etc/pki/tls/certs/CAcert_certificate-chain.pem
+        </IfModule>
+        <IfModule mod_gnutls.c>
+                GnuTLSEnable on
+                GnuTLSPriorities SECURE:!MD5
+#               #GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:!MD5:+COMP-NULL
+                GnuTLSCertificateFile /etc/pki/tls/certs/horde.sec-mail.guru.certificate_140912.pem
+                GnuTLSKeyFile /etc/pki/tls/private/horde.sec-mail.guru.serverkey.pem
+        </IfModule>
+        <IfModule mod_deflate.c>
+                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
+                AddOutputFilterByType DEFLATE application/javascript application/x-javascriptl
+                <Location />
+                        <IfModule mod_setenvif.c>
+                                SetOutputFilter DEFLATE
+                                BrowserMatch ^Mozilla/4 gzip-only-text/html
+                                BrowserMatch ^Mozilla/4\.0[678] no-gzip
+                                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+                                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
+                        </IfModule>
+                        <IfModule mod_headers.c>
+                                Header append Vary User-Agent env=!dont-vary
+                        </IfModule>
+                </Location>
+        </IfModule>
+        AddType application/x-httpd-php .php
+        # Link to system Javascript Libraries
+        Alias /horde/js/scriptaculous     /usr/share/scriptaculous
+        Alias /horde/js/prototype.js      /usr/share/prototype/prototype.js
+        Alias /horde/js/syntaxhighlighter /usr/share/syntaxhighlighter
+        # Link to Micro$oft stuff
+        Alias /Microsoft-Server-ActiveSync /usr/share/horde/rpc.php
+        Alias /autodiscover/autodiscover.xml /usr/share/horde/rpc.php
+        <Directory /usr/share/horde/>
+                # **IMPORTANT** By default, everyone accessing Horde is automatically logged
+                # in as 'Administrator'. This is a security risk! It is very important that
+                # you change the authentication backend under the 'Authentication' tab.
+                # For this reason, Horde is currently only accessible from localhost.
+                <IfModule mod_authz_core.c>
+                #       Zugriff nur vom Host vml000010.dmz.nausch.org aus erlauben
+                #       Require host vml000010.dmz.nausch.org
+                #       Zugriff generell erlauben
+                        Require all granted
+                </IfModule>
+                # Django : 2014-09-19
+                # aus der Konfigurationsdatei php-horde-kronolith.conf übernommen
+                <IfModule mod_rewrite.c>
+                        RewriteEngine On
+                        RewriteBase   /horde/
+                        RewriteCond   %{REQUEST_FILENAME}  !-d
+                        RewriteCond   %{REQUEST_FILENAME}  !-f
+                        RewriteRule ^(.*)$ rampage.php [QSA,L]
+                </IfModule>
+                Options +FollowSymLinks
+                #Options All
+                #AllowOverride All
+                # Rewrite the requestet URI, when it is with german "Umlaute".
+                RewriteEngine On
+                RewriteCond %{REQUEST_URI} ^/$
+                RewriteCond %{HTTP_HOST} ^xn--bro-hoa.sec-mail.guru$ [NC]
+                RewriteRule ^$ https://horde.sec-mail.guru [L,R=301]
+                # Exclude file from password protection
+                SetEnvIf Request_URI "(rpc.php)$"  allow
+                SetEnvIf Request_URI "(rpc.php/turba/mailsystem/)$"  allow
+                SetEnvIf Request_URI "(rpc.php/nag/mailsystem/)$" allow
+                SetEnvIf Request_URI "(sapi/profile/client)$"  allow
+                SetEnvIf Request_URI "(devinfo)$"  allow
+                SetEnvIf Request_URI "(Microsoft-Server-ActiveSync)$"  allow
+                # ActiveSync
+                RewriteEngine On
+                RewriteRule ^/Microsoft-Server-ActiveSync /rpc.php [PT,L,QSA]
+                RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
+                RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
+                RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+        </Directory>
+        # Deny access to the test.php files except from localhost
+        <Files "test.php">
+                # Django : 2014-09-19
+                #          Zugriff generell verbieten
+                #          Require all denied
+                #          Zugriff nur vom Host vml000010.dmz.nausch.org aus erlauben
+                Require host vml000010.dmz.nausch.org
+        </Files>
+        # Those directories should not be viewed by Web clients.
+        <DirectoryMatch /usr/share/horde/(ansel|imp|ingo|kronolith|mnemo|nag|sesha|trean|turba|passwd|wicked)/(config|lib|locale|scripts|templates)>
+                Require all denied
+        </DirectoryMatch>
+        <DirectoryMatch /usr/share/horde/(config|lib|locale|templates|scripts)>
+                Require all denied
+        </DirectoryMatch>
+        <Directory /usr/share/horde/rpc>
+                <IfModule mod_rewrite.c>
+                        RewriteEngine On
+                        RewriteCond   %{REQUEST_FILENAME}  !-d
+                        RewriteCond   %{REQUEST_FILENAME}  !-f
+                        RewriteRule   ^(.*)$ index.php/$1 [QSA,L]
+                </IfModule>
+        </Directory>
+        # Django : 2014-09-19
+        # aus der Konfigurationsdatei php-horde-content.conf übernommen
+        <Directory /usr/share/horde/content>
+                <IfModule mod_rewrite.c>
+                        RewriteEngine On
+                        RewriteCond   %{REQUEST_FILENAME}  !-d
+                        RewriteCond   %{REQUEST_FILENAME}  !-f
+                        RewriteRule ^(.*)$ index.php [QSA,L]
+                </IfModule>
+        </Directory>
+        # Django : 2014-09-19
+        # aus der Konfigurationsdatei php-horde-kronolith.conf übernommen
+        <Directory /usr/share/horde/kronolith/feed/>
+                <IfModule mod_rewrite.c>
+                        RewriteEngine On
+                        RewriteCond   %{REQUEST_FILENAME}  !-d
+                        RewriteCond   %{REQUEST_FILENAME}  !-f
+                        RewriteRule   ^(.*)$ index.php?c=$1 [QSA,L]
+                </IfModule>
+        </Directory>
+        DirectoryIndex index.php
+        ErrorLog logs/horde_error.log
+        CustomLog logs/horde_access.log combined
+</VirtualHost>
+</file>
+<WRAP round important>**Wichtig:**
+Solange wir unseren vHost noch nicht in der Produktionsumgebung steht und fertig konfiguriert wurde, beschränken wir den Zugriff auf den vHost noch. Hierzu tragen wir in der **Directive //Directory//** folgendes ein:
+<code apache>...
+                <IfModule mod_authz_core.c>
+                        # Access-stuff (Zugriff von überall erlauben.)
+                	#Require all granted
+                        # Access-stuff (Zugriff nur vom Admin-Netz aus!)
+			Require host nausch.org
+                </IfModule>
+...
+</code>
+Nach erfolgter Konfiguration, geben wir dann den Zugriff für alle frei.
+<code apache>...
+                <IfModule mod_authz_core.c>
+                        # Access-stuff (Zugriff von überall erlauben.)
+                	Require all granted
+                        # Access-stuff (Zugriff nur vom Admin-Netz aus!)
+			#Require host nausch.org
+                </IfModule>
+...
+</code>
+</WRAP>
+==== Konfiguration aktivieren ====
+Bevor unseren Webserver starten, damit der neue vHost auch bedient werden kann, überprüfen wir die Konfiguration noch auf syntaktische Fehler.
+   # apachectl -t
+   Syntax OK
+Abschließend führen wir einen Reload sdes Daemon durch.
+   # systemctl reload httpd.service
+Bei Bedarf können wir auch den Status des Apche Webservers abfragen.
+   # systemctl status httpd.service
+<code>httpd.service - The Apache HTTP Server
+   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
+   Active: active (running) since Tue 2014-09-09 18:26:47 CEST; 1 day 15h ago
+  Process: 20019 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
+  Process: 22718 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
+ Main PID: 20024 (httpd)
+   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
+   CGroup: /system.slice/httpd.service
+           ├─20024 /usr/sbin/httpd -DFOREGROUND
+           ├─22721 /usr/sbin/httpd -DFOREGROUND
+           ├─22722 /usr/sbin/httpd -DFOREGROUND
+           ├─22723 /usr/sbin/httpd -DFOREGROUND
+           ├─22724 /usr/sbin/httpd -DFOREGROUND
+           └─22725 /usr/sbin/httpd -DFOREGROUND
+Sep 10 19:45:20 vml000097.dmz.nausch.org systemd[1]: Reloading The Apache HTTP Server.
+Sep 10 19:45:21 vml000097.dmz.nausch.org systemd[1]: Reloaded The Apache HTTP Server.
+</code>
+===== mySQL Datenbank =====
+Ein Großteil der Benutzer-Konfigurationsdaten werden in einer **[[centos:mysql|mySQL-Datenbank]]** /* FIXME */ gespeichert und vorgehalten.
+==== Datenbank anlegen ====
+Diese **[[centos:mysql|mySQL-Datenbank]]** /* FIXME */ und der zugehörige Datenbankuser werden wird nun im ersten Schritt anlegen.
+Wir melden uns also als berechtigter Datenbankuser an der mySQL-Datenbank an.
+    # mysql -h mysql.dmz.nausch.org -u root -p
+<code>Enter password:
+Welcome to the MySQL monitor.  Commands end with ; or \g.
+Your MySQL connection id is 217075
+Server version: 5.1.73 Source distribution
+Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+Oracle is a registered trademark of Oracle Corporation and/or its
+affiliates. Other names may be trademarks of their respective
+owners.
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+mysql>
+</code>
+Dort legen wir als aller erst einmal eine Datenbank mit dem Namen **horde** an.
+   mysql> create database horde5;
+   Query OK, 1 row affected (0.00 sec)
+==== Datenbankuser anlegen ====
+Anschließend legen wir uns einen Datenbankuser an, denen wir entsprechende Rechte an der, gerade angelegten Datenbank **horde** einräumen. Als Namen nehme wir einfach **hode_admin_user**.
+   mysql> CREATE USER 'horde_admin_user'@'10.0.0.97' IDENTIFIED BY 'rbgsDK39DeM2b2btx9iMHfzd';
+   Query OK, 0 rows affected (0.00 sec)
+und
+   mysql> CREATE USER 'horde_admin_user'@'vml000097.dmz.nausch.org' IDENTIFIED BY 'rbgsDK39DeM2b2btx9iMHfzd';
+   Query OK, 0 rows affected (0.00 sec)
+==== Nutzerberechtigungen setzen ====
+Dem gerade angelebtem Datenbankuser für **[[http://horde.org|Horde]]** gewähren wir nun die nötigen Rechte, damit dieser vom Webserver aus, Tabellen anlegen, befüllen und verändern darf.
+   mysql> GRANT ALL PRIVILEGES ON horde5.* TO 'horde_admin_user'@'10.0.0.97' IDENTIFIED BY 'rbgsDKMS39DeM2b2btx9iMHfzd' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
+   Query OK, 0 rows affected (0.00 sec)
+und
+   mysql> GRANT ALL PRIVILEGES ON horde5.* TO 'horde_admin_user'@'vml000097.dmz.nausch.org' IDENTIFIED BY 'rbgsDKMS39DeM2b2btx9iMHfzd' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
+   Query OK, 0 rows affected (0.00 sec)
+==== Nutzerberechtigungen zuweisen ====
+Zum Ende unserer mySQL-Userkonfiguration weisen wir unserem Nutzer die Berechtigungen zu.
+   mysql> FLUSH PRIVILEGES;
+   Query OK, 0 rows affected (0.00 sec)
+Wir können uns nun vom Datenbank-Server wieder abmelden.
+   mysql> quit
+   Bye
+==== Zugriff testen ====
+Als nächstes überprüfen wir, ob der zuvor angelegt User/Zugang vom WEB-Server aus auch funktioniert.
+     # mysql -D horde5 -h mysql.dmz.nausch.org -u horde_admin_user -p
+<code>Enter password:
+Welcome to the MariaDB monitor.  Commands end with ; or \g.
+Your MySQL connection id is 217265
+Server version: 5.1.73 Source distribution
+Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+MySQL [horde5]>
+</code>
+Die Verbindung klappt schon mal, daher lassen wir uns mal ansehen, welche Datenbanken der administrative Horde-User sehen kann.
+MySQL [horde5]> show databases;
+<code>+--------------------+
+| Database           |
++--------------------+
+| information_schema |
+| horde5             |
++--------------------+
+rows in set (0.01 sec)
+MySQL [horde5]>
+</code>
+Auch dieser Test fiel positiv aus, wir können uns daher die Verbindung zum Datenbank-Server beenden und uns der weiteren konfiguration widmen.
+   MySQL [horde5]> quit
+   Bye
+===== weitere Schritte zur Einrichtung =====
+Nach der erfolgreichen Einrichtung des [[centos:mail_c7:horde_1?&#apache_vhost|Apache vHosts]] und der [[centos:mail_c7:horde_1?&#mysql_datenbank|Datenbankanbindung und -einrichtung]], können wir uns nun mit der Konfiguration des Frameworks Horde 5 unter CentOS 7 sowie der [[centos:mail_c7:start?&#horde_5_groupware_-_anwendungen_unter_centos_7x|Einrichtung einzelner Applikationen]] beschäftigen.
+====== Links ======
+  * **⇒ [[centos:mail_c7:horde_2|Weiter zum Kapitel "Basiskonfiguration des Frameworks Horde 5 unter CentOS 7.x"]]**
+  * **[[centos:mail_c7:start|Zurück zum Kapitel >>Mailserverinstallation unter CentOS 7<<]]**
+  * **[[wiki:start|Zurück zu >>Projekte und Themenkapitel<<]]**
+  * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**