Horde Framework 5 unter CentOS 7.x - Grundinstallation und Konfiguration
Horde Groupware ist eine freie browserbasierte Kommunikationsplattform für den professionellen Einsatz. Die Anwender haben so die Möglichkeiten Ihre täglichen Aufgaben(-planungen) und Nachrichten komfortabel über einen Webbrowser oder von einem Smartphone/Tablett von überall her durchzuführen.
So bietet die Horde-Portalseite eine kurze Übersicht über alle wichtigen Informationen. Dort kann angezeigt werden, wie viele neue eMails aufgelaufen sind, welche Termine demnächst anstehen, welche Aufgaben noch zu erledigen sind oder auch die neuesten Nachrichten. Viele dieser Übersichten enthalten eine schnelle Zugriffsmöglichkeit auf häufig benötigte Funktionen, wie das Schreiben neuer eMails oder dem Anlegen neuer Kalendereinträge oder Aufgaben. Auch können gemeinsam genutzte Kalender, Kontakte, Aufgaben und Notizen mit Standard Komponenten des Horde-Projekts realisiert werden.
Die nachfolgende Beschreibung zeigt, wie unter Centos 7.x ein Horde 5-Groupware-Server installiert und konfiguriert werden kann. Wichtige weiterführende Informationen hierzu findet man auch in der Installations-Dokumentation auf der Horde Projektseite.
Installation der RPM-Pakete
Für die Installation des Horde Framworks in der Version 5 benötigen wir neben des Grundpaketes zusätzliche Pakete, die wir Danke der Intergration des epel-Repositories mit Hilfe von yum automatisch installieren können.
# yum install php-horde-horde -y
Wie immer kann man sich mit Hilfe des Aufrufes rpm -qil <Paketname> anzeigen lassen, was jedes einzelne Paket mit in das System gebracht hat.
# rpm -qil php-horde-horde
Name : php-horde-horde
Version : 5.2.1
Release : 1.el7
Architecture: noarch
Install Date: Wed 10 Sep 2014 10:36:23 PM CEST
Group : Development/Libraries
Size : 4538753
License : LGPLv2
Signature : RSA/SHA256, Fri 08 Aug 2014 01:05:03 AM CEST, Key ID 6a2faea2352c64e5
Source RPM : php-horde-horde-5.2.1-1.el7.src.rpm
Build Date : Mon 04 Aug 2014 04:01:37 PM CEST
Build Host : buildvm-02.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager : Fedora Project
Vendor : Fedora Project
URL : http://www.horde.org/apps/horde
Summary : Horde Application Framework
Description :
The Horde Application Framework is a flexible, modular, general-purpose web
application framework written in PHP. It provides an extensive array of
components that are targeted at the common problems and tasks involved in
developing modern web applications. It is the basis for a large number of
production-level web applications, notably the Horde Groupware suites. For
more information on Horde or the Horde Groupware suites, visit
fehlende PECL-Pakete installieren
Gemäß den Empfehlungen aus der INSTALL-Dokumentation, installieren wir nun noch die fehlenden PECL-Pakete php-pecl-imagick
Zum Manipulieren von Graphiken wird vom Horde-Team empfohlen (siehe INSTALL-Dokumentation), das RPM-Paket php-pecl-imagick zu installieren.
Die Installation des benötigten Paketes holen wir nun noch nach.
# yum install php-pecl-imagick -y
Ferner wird noch laut der INSTALL-Dokumentation noch dringend empfohlen, die horde_lz4-Erweiterung, mit deren Hilfe Horde Caching- und Session-Daten in Echtzeit komprimieren und so die Speicherbelastung des Servers reduzieren kann.
Bis des Horde-Maintainer Remi Collet das RPM in's offizielle EPEL-Repository aufgenimmt, greifen wir auf die Vorabversion1) zurück.
# yum localinstall http://rpms.famillecollet.com/enterprise/7/remi/x86_64/php-horde-horde-lz4-1.0.7-1.el7.remi.5.4.x86_64.rpm -y
Anschließend starten wir unseren http-Daemon 1x durch.
# systemctl restart httpd.service
# cat /usr/share/doc/pear/horde/INSTALL
============================== Installing Horde Framework 5 ============================== :Contact: horde@lists.horde.org .. contents:: Contents .. section-numbering:: This document contains instructions for installing the Horde Framework on your system. The Horde Framework, by itself, does not provide any significant end user functionality; it provides a base for other applications and tools for developers. When you have installed Horde as described below, you will probably want to install some of the available Horde applications, such as IMP_ (a webmail client), or Kronolith_ (a calendar). There is a list of Horde applications and projects at http://www.horde.org/apps. If you are interested in developing applications for Horde, there is developer documentation and references available at http://dev.horde.org/, and some tutorials and papers on Horde available at http://www.horde.org/community/papers. For information on the capabilities and features of Horde, see the file README_ in the top-level directory of the Horde distribution. .. _IMP: http://www.horde.org/apps/imp .. _Kronolith: http://www.horde.org/apps/kronolith Quick Install ============= These are very terse instructions how to install Horde and its prerequisites on a LAMP_ (Linux, Apache, MySQL, PHP) sytem. They are addressed to experienced administrators who know exactly what they are doing. For more detailed instructions, start reading below at Prerequisites_. 1. Compiling PHP for Apache 2:: cd php-x.x.x/ ./configure --with-apxs2=/usr/sbin/apxs2 \ --with-gettext --enable-mbstring --with-gd \ --with-png-dir=/usr --with-jpeg-dir=/usr \ [--with-mysql|--with-pgsql|--with-ldap] [--with-tidy] make make install 2. Restart Apache. 3. Make sure your PEAR package is up-to-date:: pear upgrade PEAR 4. Register Horde PEAR channel:: pear channel-discover pear.horde.org 5. Set Horde installation directory:: pear install horde/horde_role pear run-scripts horde/horde_role 6. Install Horde:: pear install -a -B horde/horde 7. Configure Horde:: cd config/ cp conf.php.dist conf.php 8. Finish configuration:: http://your-server/horde/ Go to Administration => Configuration => Horde (Or navigate to http://your-server/horde/admin/config) 9. Create database tables Go to Administration => Configuration. Click ``Update All DB Schemas``. 10. Test Horde (optional) Enable the test script in the Horde configuration at the ``General`` in the ``PHP Settings`` section, or edit ``horde/config/conf.php`` and set ``'testdisable'`` to false. Go to:: http://your-server/horde/test.php .. Important:: Disable the test script again after you are done. .. _LAMP: http://www.wikipedia.org/wiki/LAMP_(software_bundle) Prerequisites ============= The following prerequisites are **REQUIRED** for Horde to function properly. 1. A webserver that supports PHP. Horde is primarily developed under the Apache and Lighttpd webservers, which we recommend. These servers are available from: - http://httpd.apache.org/ - http://www.lighttpd.net/ 2. PHP 5.3.0 or above. PHP is the interpreted language in which Horde is written. You can obtain PHP sources at:: http://www.php.net/ .. Note:: Although the PHP 5.3 API is supported, for stability, performance, and security reasons it is **HIGHLY RECOMMENDED** to use a version of PHP >= 5.4.0. .. Note:: While it may be possible to install PHP using the package manager for your operating system, it is not recommended to do so if your distribution (e.g. Debian) does NOT update the actual PHP version in its package updates. Otherwise, you will be stuck with a PHP version that does not contain the most recent bug and security patches. On these systems, it is **HIGHLY RECOMMENDED** to either install PHP from source OR use a 3rd party package repository that contains the most recently released PHP version on the branch (5.4, 5.5, etc.) that you want to use. Follow the instructions in the PHP package to build PHP for your system. If you use Apache, be sure to build PHP as a library with one of the following options:: --with-apache --with-apxs --with-apxs2 options to ``./configure``, and not as a standalone executable. The following PHP extensions respective options are **REQUIRED** by Horde (listed with their own prerequisites and configure options). In many cases, the required libraries and tools can be obtained as packages from your operating system vendor. a. Gettext support. ``--with-gettext`` Gettext is the GNU Translation Project's localization library. Horde uses gettext to provide local translations of text displayed by applications. Information on obtaining the gettext package is available at http://www.gnu.org/software/gettext/gettext.html See also note below on configuring Translations_. All Horde translations are stored in UTF-8, so your underlying system MUST support UTF-8 for all locales that you wish to provide translation support for. b. XML and DOM support. XML and DOM support are enabled in PHP 5 by default. You only have to make sure that you do **not** use ``--disable-dom``, ``--disable-simplexml``, or ``--disable-xml``. Make sure you are using a newer (v2.7 or greater) version of libxml. Older versions of libxml are broken when handling certain charsets. The following PHP options are **RECOMMENDED** to enable advanced features in Horde: a. File Upload Support File upload support is **REQUIRED** by many applications to allow advanced features to work. To enable file upload support: 1. In your php.ini file, the following line **must** be present:: file_uploads = On 2. Your temporary upload directory **must** be writable to the user the web server is running as. If you leave the configuration option ``upload_tmp_dir`` blank in ``php.ini``, PHP will use the default directory compiled into it (normally ``/tmp`` on Unix-like systems). 3. Set the maximum size of the uploaded files via the ``upload_max_filesize`` configuration option in ``php.ini``. For example, to allow 5 MB attachments, place the following line in your ``php.ini`` file:: upload_max_filesize = 5M If either ``file_uploads`` is turned off, or your temporary upload directory is *not* writable by the server, all file upload functionality will be disabled by Horde and will not be available to the user. See the `File Uploads`_ FAQ entry for further information. b. A preferences container. Horde applications can store user preferences in an SQL database, an LDAP directory, an IMSP server, a Kolab server, or in PHP sessions. For SQL database preferences storage, Horde is thoroughly tested on MySQL(i) (``--with-mysql(i)``) and PostgreSQL (``--with-pgsql``), and has been reported to work with SQLite (enabled by default). Preferences can also be stored via LDAP (``--with-ldap``), Kolab (``--with-ldap``), and IMSP. Alternatively, preferences can be stored in PHP sessions, which requires no external programs or configure options, but which will not maintain preferences between sessions. While the LDAP, database, Kolab, or IMSP server need not be running on the machine onto which you are installing Horde, the appropriate client libraries to access the server must be available locally. If a preference container is not configured, no preference options will be configurable via Horde's web interface - the default values stored in each applications ``config/prefs.php`` file will be used. c. Multibyte character support (mbstring and iconv extensions) ``--enable-mbstring`` If these extensions are enabled, Horde can better support multibyte character sets. For iconv support you should use the GNU libiconv library, which is more stable and supports more charsets, compared to other iconv implementations, like Solaris', for example. Iconv support is enabled by default in PHP 5. You only have to make sure that you do **not** use ``--without-iconv`` d. GD support ``--with-gd`` Horde will use the GD extension to perform manipulations on image data through the Horde_Image library. If you want GD to be able to work with PNG images, you should use the ``--with-png-dir`` option to make sure PHP can find the PNG libraries it needs to compile. If you want GD to be able to work with JPEG images, you should use the ``--with-jpeg-dir`` option to make sure PHP can find the JPEG libraries it needs to compile. You can also use the imagick_ extension or the ImageMagick_ package to do these manipulations instead. The imagick_ extension is the recommended method for image manipulation. See the ``Image Manipulation`` tab of the Horde configuration for more details. ImageMagick version 6.5.7 or better is recommended. .. _imagick: http://pecl.php.net/package/imagick .. _ImageMagick: http://www.imagemagick.org e. tidy ``--with-tidy`` The tidy PHP extension is required to sanitize HTML data. .. Important:: Additionally, individual Horde applications may **REQUIRE** or **RECOMMEND** other options to be built into PHP also. Please check ``docs/INSTALL`` for all applications you wish to use to see if other PHP options are needed. f. fileinfo Allows Horde applications to guess the MIME type of files by analyzing their contents. This extension is automatically enabled by default. g. intl The intl extension is required to handle display of Internationalized Domain Names (see RFC 3490), e.g in e-mail addresses. This extension can be enabled by adding the ``--enable-intl`` option when compiling PHP. h. _`curl` ``--with-curl`` The `curl extension`_, if installed, will be used instead of PHP's fopen() when retrieving data from external HTTP servers (remote calendars, web APIs, etc.). This is much more reliable and flexible, so it is recommended to either enable it or install the http_ extension. This extension can be enabled by adding the ``--with-curl`` option when compiling PHP. 3. PEAR Modules PEAR is short for "PHP Extension and Application Repository". The goal of PEAR is to provide a means of distributing reusable code. For more information, see http://pear.php.net/ .. Important:: Make sure you are running a supported (i.e. new enough) version of PEAR: use the test script described below under "`Configuring Horde`_". Do **not** use the PEAR version from ftp.horde.org. Check that the path where the PEAR packages are installed are part of the ``include_path`` parameter that PHP uses to find PEAR packages. Run the command:: pear config-show You will see something like:: PEAR directory php_dir /usr/share/php Now open the php.ini file of your system, for example ``/etc/php.ini``, find the ``include_path`` and make sure that ``/usr/share/php`` is part of the list. If you had to change that value, restart the web server after saving ``php.ini``. .. Important:: If you are going to install Horde the recommended way, i.e. using the PEAR installer, you can skip the remainder of this section. Installing Horde through PEAR will automatically download and install all required PEAR packages. These PEAR packages are **RECOMMENDED** to be installed: a. Net_DNS2 If installed, it will be used instead of the built-in PHP function gethostbyaddr() for host name lookups. This has the advantage that Net_DNS2 has configurable timeouts and retries. To install, enter the following at the command prompt:: pear install Net_DNS2 b. Services_Weather (>= 1.3.1) **REQUIRED** only if you wish to use the weather.com block on the portal page. To install, enter the following at the command prompt:: pear install Services_Weather Additional steps are required if you want use the METAR weather block on the portal page. See the file ``data/Services_Weather/buildMetarDB.php`` in your PEAR directory for details. c. File_Fstab Required only if you use the localhost driver for the Accounts block. To install, enter the following at the command prompt:: pear install File_Fstab This method of installing PEAR packages requires that you have a PHP version that has been compiled as a static binary. All versions of PHP build both both a SAPI module (Apache, CGI, etc.) and a command-line (CLI) binary. Check if you have a php binary in ``/usr/local/bin`` (``/usr/bin`` if you installed from an operating system package) before recompiling. For more detailed directions on installing PEAR packages, see the PEAR documentation at http://pear.php.net/manual/ 4. PECL Modules PECL is short for "PHP Extension Community Library". The goal of PECL is to provide a means of easily distributing PHP extensions. For more information, see http://pecl.php.net/ PECL is the "sister" of PEAR and uses the same packaging and distribution system as PEAR, so the configuration/setup is essentially identical to the PEAR instructions above. When you install a PECL extension, you have to add it to your ``php.ini`` so it gets loaded. Add the following line to your ``php.ini`` file to load the extension (the extension should be installed in the directory specified by the ``extension_dir`` option in ``php.ini``):: extension=fileinfo.so Or on Windows:: extension=fileinfo.dll After that, restart your webserver. These PECL packages are **RECOMMENDED** to be installed: a. imagick The imagick extension can be used by Horde's image library to provide image manipulations. To install, enter the following at the command prompt:: pecl install imagick The imagick extension **must** be compiled against ImageMagick version 6.2.9 or better, though version 6.5.7 or better is recommended. b. horde_lz4 If the horde_lz4 extension is available, Horde can perform real-time compression on data, resulting in reduced storage load on the server for things like cache storage and session data. It is highly recommended. To install, enter the following at the command prompt:: pecl install horde_lz4 c. memcache If using memcache, the memcache PECL extension must be installed. To install, enter the following at the command prompt:: pecl install memcache d. _`http` The `http extension`_, if installed, will be used instead of PHP's fopen() when retrieving data from external HTTP servers (remote calendars, web APIs, etc.). This is much more reliable and flexible, so it recommended to either install this or enable the curl_ extension. To install, enter the following at the command prompt:: pecl install http For additional help on using the pear command-line program to install PECL extensions, see the PEAR installation section above. The following non-PHP prerequisites are **RECOMMENDED**. 1. aspell - Spelling Checker Aspell, a comand-line program, is used as Horde's spell-checking engine. You must install and configure aspell to use Horde's spell-check feature. Version 0.60 or higher is REQUIRED. You can obtain aspell from: http://aspell.sourceforge.net/ The following non-PHP prerequisites are optional. 1. Sendmail. It is highly **RECOMMENDED** that Horde be configured to use SMTP for sending e-mails. Alternatively, Horde can use the local sendmail program, or a program that implements the ``sendmail(8)`` API (as included with postfix, qmail, and exim, among others). However, local use of sendmail binaries to send mail is discouraged due to authentication/permission issues (since Horde will invoke the sendmail binary as the web/PHP user), and because it is not possible to reliably auto-configure sendmail since there is no unified API across platforms/sendmail variants. Installing Horde ================ The **RECOMMENDED** way to install Horde is using the PEAR installer. Alternatively, if you want to run the latest development code or get the latest not yet released fixes, you can install Horde from Git. Installing with PEAR ~~~~~~~~~~~~~~~~~~~~ Before beginning, make sure your PEAR package is up-to-date:: pear upgrade PEAR Next, you need to register the Horde PEAR channel server to your local PEAR system. This has to be done only **once** ever on a single PEAR system:: pear channel-discover pear.horde.org Next install a so-called "role" for Horde. This role defines where Horde is installed. This should be a directory in your web server's web root, e.g. ``/var/www/horde``. Again this has to be done only **once** ever on a single PEAR system:: pear install horde/horde_role pear run-scripts horde/horde_role When installing Horde through PEAR now, the installer will automatically install any dependencies of Horde too. If you want to install Horde with all optional dependencies, but without the binary PECL packages that have to be compiled, specify both the ``-a`` and the ``-B`` flag:: pear install -a -B horde/horde By default, only the required dependencies will be installed:: pear install horde/horde If you want to install Horde even with all binary dependencies, you need to remove the ``-B`` flag. Please note that this might also try to install PHP extensions through PECL that might need further configuration or activation in your PHP configuration:: pear install -a horde/horde Installing into separate PEAR ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. Warning:: Unless you really know **why** you want to do this, you probably do **not** want to do this. Use the general PEAR installation instructions from above instead. If you want to create a separate PEAR installation for installing Horde, independent from the system-wide PEAR installation, this can be done with the following commands (in this example, ``/var/www/horde`` is used as the location of the web-accessible horde directory):: mkdir /var/www/horde pear config-create /var/www/horde /var/www/horde/pear.conf pear -c /var/www/horde/pear.conf install pear Then follow the regular installation steps, but use the ``pear`` command from the PEAR installation you just created, e.g.:: /var/www/horde/pear/pear -c /var/www/horde/pear.conf channel-discover \ pear.horde.org Finally configure your web server in some way to point PHP's ``include_path`` setting to the PEAR installation and the ``PHP_PEAR_SYSCONF_DIR`` environment variable to the web root:: php_value include_path /var/www/horde/pear/php SetEnv PHP_PEAR_SYSCONF_DIR /var/www/horde It is recommended to not use the .htaccess file in ``/var/www/horde/`` to set these values because it will be overwritten with every further update. Installing from Git ~~~~~~~~~~~~~~~~~~~ See http://www.horde.org/development/git Configuring Horde ================= 1. Configuring the web server Horde requires the following webserver settings. Examples shown are for Apache; other webservers' configurations will differ. a. PHP interpretation for files matching ``*.php``:: AddType application/x-httpd-php .php .. Note:: The above instructions may not work if you have specified PHP as an output filter with ``SetOutputFilter`` directive in Apache 2.x versions. In particular, Red Hat 8.0 and above Apache 2.x RPMS have the output filter set, and **MUST NOT** have the above ``AddType`` directive added. b. ``index.php`` as an index file (brought up when a user requests a URL for a directory):: DirectoryIndex index.php c. If you plan to provide ActiveSync support to your users, you have to create an alias of the ``/Microsoft-Servers-ActiveSync`` URL to ``/horde/rpc.php``. See http://wiki.horde.org/ActiveSync for details. c. If you plan to provide CardDAV support to users with iOS devices, you have to create an alias of the ``/.well-known/carddav`` URL to ``/horde/rpc.php``. See http://wiki.horde.org/CardDAV for details. 2. Configuring Horde To configure Horde, change to the ``config/`` directory of the installed distribution, and copy the ``conf.php.dist`` configuration file to ``conf.php``. Documentation on the format and purpose of the configuration files in the ``config/`` directory can be found in each file. The defaults will be correct for most sites. If you wish to customize Horde's appearance and behavior, create "local" files for the configuration file you want to change. For example if you want to change the default value and lock a preference, create a ``config/prefs.local.php`` file with the following content:: <?php $_prefs['prefname']['value'] = 'somedefault'; $_prefs['prefname']['locked'] = true; This works with any configuration file. .. Warning:: All configuration files in Horde are PHP scripts that are executed by the web server. If you make an error in one of these files, Horde might stop working. Thus it is always a good idea to test the configuration files after you edited them. If you want to test mime_drivers.local.php for example run:: php -l mime_drivers.local.php 3. Completing Configuration You can now access Horde without a password, and you will be logged in as an administrator. .. Important:: You should first configure a real authentication backend and designate which accounts in your real backend will be administrator accounts. Horde does **NOT** have a default administrator account - all users, including administrators, must exist in the actual authentication backend. Click on ``Configuration`` in the ``Administration`` menu and configure Horde. Start in the ``Authentication`` tab. Here is an example for configuring authentication against a remote IMAP server. Similar steps apply for authenticating against a database, an LDAP server, etc. a. In the ``Which users should be treated as administrators`` field enter a comma separated list of user names of your choosing. This will control who is allowed to make configuration changes, see passwords, potentially add users, etc. b. In the ``What backend should we use for authenticating users to Horde`` pulldown menu select ``IMAP authentication``. The page will reload and you will have specific options for IMAP authentication. c. In the ``Configuration type`` pulldown menu select ``Separate values``. The page will reload with additional options. Fill in the remaining three fields appropriately: - IP name/number of the IMAP server - For a secure connection, select port 993. - Select the secure connection protocol to use, if desired. Continue to configure Horde through all the tabs of the configuration interface and click on ``Generate Horde Configuration``. An important item that you probably want to configure is the ``Database Settings``, which defines the database configuration that is used, by default, for several different Horde sub-systems. .. Important:: By default Horde will be using database backends for most sub-systems. If you do not plan to use a database with Horde, you need to go through all tabs of the configuration screen and change the configuration for those systems from ``SQL`` to a suitable alternative. Configuration of applications in ``registry.php`` is documented in the ``INSTALL`` file of each application. Most applications require you to configure them with a "Horde administrator" account. A Horde administrator account is any normal Horde account that has been added to the administrator list in the ``Authentication`` tab of the Horde configuration. The other files in that directory need only be modified if you wish to customize Horde's appearance or behaviour -- the defaults will work at most sites. 4. Creating databases Once you created the database configuration in the previous step, you can create all database tables by hitting the ``Update all DB schemas`` button in the configuration screen. Please note that this requires the database that you entered in the database configuration to already exist, and the configured database user to have sufficient permissions to create new tables in this database. Alternatively you can run the ``horde-db-migrate`` script in the Horde directory from the command line. If you installed Horde into the global PEAR system, this script should be in your command path. If the script cannot be found in your path, you need to specify the full path to the script, e.g.:: /var/www/horde/pear/horde-db-migrate You can use the ``pear`` command to find the place where the script has been installed:: pear config-get bin_dir If you installed into a local PEAR installation, you need to tell PHP and PEAR where to find the installation and the script, e.g.:: PHP_PEAR_SYSCONF_DIR=/var/www/horde php \ -d include_path=/var/www/horde/pear/php \ /var/www/horde/pear/horde-db-migrate 5. Setting up alarm emails If you want your users to be able to receive emails from the Horde_Alarm system, you must set up a cron entry for ``horde-alarms``, you must have at least one administrator specified in the Horde configuration, and you must have the PHP CLI installed (a CGI binary is not supported - ``php -v`` will report what kind of PHP binary you have). Running the job every 5 minutes is recommended:: # Horde Alarms */5 * * * * /usr/bin/horde-alarms If not installing Horde through PEAR or if PEAR's ``bin_dir`` configuration doesn't point to ``/usr/bin/``, replace ``/usr/bin/horde-alarms`` with the path to the ``horde-alarms`` script in your Horde installation. 6. Testing Horde Once you have configured your webserver, PHP, and Horde, bring up the included test page in your Web browser to ensure that all necessary prerequisites have been met. If you installed Horde as described above, the URL to the test page would be:: http://your-server/horde/test.php The test script is disabled by default for security reasons. To enable set the 'testdisable' configuration option to false. After testing is completed, the testdisable option should be reset to true. Check that your PHP and PEAR versions are acceptably recent, that all required capabilities are present, and that ``magic_quotes_runtime`` is set to ``Off``. Then note the ``Session counter: 1`` line under ``PHP Sessions``, and reload the page. The session counter should increment. If you get a warning like ``Failed opening '/path/to/test.php' for inclusion``, make sure that the web server has the permission to read the ``test.php`` file. 7. Securing Horde a. Passwords Some of Horde's configuration files contain passwords which local users could use to access your database. It is recommended to ensure that at least the Horde configuration files (in ``config/``) are not readable to system users. There are ``.htaccess`` files restricting access to directories that do not need to be accessed directly; before relying on those, ensure that your webserver supports ``.htaccess`` and is configured to use them, and that the files in those directories are in fact inaccessible via the browser. An additional approach is to make Horde's configuration files owned by the user ``root`` and by a group which only the webserver user belongs to, and then making them readable only to owner and group. For example, if your webserver runs as ``www.www``, do as follows:: chown -R root.www config/* find config/ -type f -exec chmod 0440 '{}' \; b. Sessions Session data -- including hashed versions of your users' passwords, in some applications -- may not be stored as securely as necessary. If you are using file-based PHP sessions (which are the default), be sure that session files are not being written into ``/tmp`` with permissions that allow other users to read them. Ideally, change the ``session.save_path`` setting in ``php.ini`` to a directory only readable and writeable by your webserver. Additionally, you can change the session handler of PHP to use any storage backend requested (e.g. SQL database) via the ``Custom Session Handler`` tab in the Horde configuration. For more information about securing your webserver, PHP and Horde, see the `docs/SECURITY`_ file. Dynamic View Troubleshooting ============================ Horde's dynamic, AJAX-based views differ from traditional Horde applications in that they require javascript support; in fact, javascript performs the bulk of the page display. As such, debugging the dynamic views is more complex than with other Horde applications. If you run into problems with the dynamic view, first follow the troubleshooting steps for Horde - namely checking PHP error logs and Horde debug logs to determine if the problem is located there. Server-based errors will be logged in the traditional manner. Only if traditional debugging is unsuccessful will you need to move to javascript debugging. It is highly recommended to use Mozilla Firefox with the `Firebug`_ extension installed in order to better track javascript errors - it is what the developers use and makes deciphering error codes and error line numbers much easier. You will also want to turn off javascript caching, if on, in ``horde/conf/conf.php``. If you do find a javascript error, it would be great if you could fix the issue and provide a patch :) Absent that, before reporting to the mailing list, IRC room, or bug tracker make sure you have a valid javascript error, the file the error is being caused in, the line number of the error, and a reliable way to reproduce the error. Developers/other interested folks will be much more likely to help you if all this information is provided. Configuring Applications ======================== A list of available Horde applications can be found at http://www.horde.org/apps Instructions on configuring Horde applications can be found in the ``INSTALL`` file in the application's ``docs/`` directory. Temporary Files =============== Various Horde applications will generate temporary files in PHP's temporary directory (see the ``General`` tab in the Horde configuration). For various reasons, some of these files may not be removed when the user's session ends. To reclaim this disk space, it may be necessary to periodically delete these old temporary files. An example cron-based solution can be found at ``horde/scripts/temp-cleanup.cron`` in PEAR's ``data_dir`` directory. Another possible solution is to use utilities like ``tmpwatch``, ``tmpreaper`` or anything similar to remove old files. Stale sessions are automatically pruned by PHP according to the `session.gc_probability`_, `session.gc_divisor`_, and `session.gc_maxlifetime`_ settings located in ``php.ini``. Translations ============ Note for international users: Horde uses GNU gettext to provide local translations of text displayed by applications; the translations are found in the po/ directory. If a translation is not yet available for your locale (and you wish to create one), or if you're having trouble using a provided translation, please see the docs/TRANSLATIONS_ file for instructions. Obtaining Support ================= If you encounter problems with Horde, help is available! The Horde Frequently Asked Questions List (FAQ), available on the Web at http://wiki.horde.org/FAQ The Horde Project runs a number of mailing lists, for individual applications and for issues relating to the project as a whole. Information, archives, and subscription information can be found at http://www.horde.org/community/mail Lastly, Horde developers, contributors and users may also be found on IRC, on the channel #horde on the Freenode Network (irc.freenode.net). Please keep in mind that Horde is free software written by volunteers. For information on reasonable support expectations, please read http://www.horde.org/community/support Thanks for using Horde! The Horde Team .. _README: README .. _docs/SECURITY: SECURITY .. _docs/TRANSLATIONS: TRANSLATIONS .. _`curl extension`: http://php.net/curl .. _`http extension`: http://php.net/http .. _`File Uploads`: http://wiki.horde.org/FAQ/Admin/FileUploads .. _`Firebug`: http://www.getfirebug.com/ .. _`session.gc_probability`: http://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability .. _`session.gc_divisor`: http://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor .. _`session.gc_maxlifetime`: http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
# cat /usr/share/doc/pear/horde/SECURITY
====================== Horde Security Notes ====================== :Contact: horde@lists.horde.org .. contents:: Contents .. section-numbering:: Temporary files =============== Horde applications make extensive use of temporary files. In order to make sure these files are secure, you should make sure your installation meets the following criteria. Sites may gain increased security by defining a temporary directory in the Horde configuration which is writable by the web server, but not writable by other users. Since the temporary files may contain sensitive information it is best to also make these file unreadable by other users. That is, they can be made readable and writable only by the web server user. PHP Sessions ============ For the most security, you should enable PHP session cookies by enabling the PHP setting ``session.use_cookies``. When doing so, be sure to set an appropriate cookie path and cookie domain in the Horde configuration also to secure your cookies. You should even force session cookie usage in the Horde configuration, which is the default setting in all Horde versions now. If you want to use HTTPS connections, consider forcing users to HTTPS in the Horde configuration. This will force cookies to be sent over secure connections only and helps to prevent sidejacking. If PHP sessions are set to use the ``files`` save_handler, then these files should be secured properly. Sites can increase security by setting the PHP setting ``session.save_path`` to a directory that is only readable and writable by the web server process. Sites with a large user base should consider setting the ``session.entropy_file`` and ``session.entropy_length`` to appropriate values. Horde will encrypt the user credentials before storing them in the session. Thus, a compromised sessions will not reveal the user's stored credentials. Default database passwords ========================== The Horde documentation and sample database creation scripts create a default user and password for accessing the horde database. Using this password in a production environment is a security hole, since an attacker will easily guess it. It is very important that sites change at least the password to something secure. Prevent configuration file reading and writing ============================================== The configuration files may contain sensitive data (such as database passwords) that should not be read or written by local system users or remote web users. If you use a Unix system, one way to make the configuration files and directories accessible only to the web server is as follows. Here we assume that the web server runs as the user ``apache`` and the files are located in ``/home/httpd/html`` -- substitute the correct user or file path if needed:: $ chown -R apache /home/httpd/html/horde/config $ chown -R apache /home/httpd/html/horde/*/config $ chmod -R go-rwx /home/httpd/html/horde/config $ chmod -R go-rwx /home/httpd/html/horde/*/config For completely fascist permissions, you can make the entire Horde tree inaccessible by anyone except the web server user (and root):: $ chown -R apache /home/httpd/html/horde $ chmod -R go-rwx /home/httpd/html/horde $ chmod -R a-w /home/httpd/html/horde/ Note that the last line makes all files unwritable by any user (only root can override this). This makes the site secure, but may make it more difficult to administrate. In particular, it will defeat the Horde administrative configuration interface, forcing you to update the Horde configuration files manually (as per the INSTALL_ instructions). The above will not secure the files if other user's on the same machine can run scripts as the apache user. If you need to protect against this you should make other user's scripts run under their own account with some facility such as apache's suexec module. You need to watch out not only for cgi scripts, but also for other modules like mod_php, mod_perl, mod_python, etc. that may be in use on your server. .. _INSTALL: ?f=INSTALL.html Restricting the test script =========================== The test script (``horde/test.php``) provides a wealth of information that can be used against the site by attackers. This script is disabled by default for this reason. This script is configured via the 'testdisable' configuration option. After manually enabling the script, and once you have confirmed that everything is working, you should disable access to the test script. Preventing Apache from serving configuration and source files ============================================================== The Horde configuration files may contain sensitive data (such as database passwords) that should not be served by the web server. Other directories contain PHP source code that isn't intended for viewing by end-users. The Horde group has provided ``.htaccess`` files in various directories to help protect these files. However, that depends on your web server honoring ``.htacess`` files (which is a performance hit, and may not be available in all web servers). An Apache site can also prevent the web server from serving these files by adding sections to ``httpd.conf`` such as the following:: <Directory "/home/httpd/html/horde/config"> order deny,allow deny from all </Directory> <Directory "/home/httpd/html/horde/lib"> order deny,allow deny from all </Directory> <Directory "/home/httpd/html/horde/locale"> order deny,allow deny from all </Directory> <Directory "/home/httpd/html/horde/po"> order deny,allow deny from all </Directory> <Directory "/home/httpd/html/horde/scripts"> order deny,allow deny from all </Directory> <Directory "/home/httpd/html/horde/templates"> order deny,allow deny from all </Directory> Repeat this pattern for each Horde application. For example, for IMP you would then add:: <Directory "/home/httpd/html/horde/imp/config"> order deny,allow deny from all </Directory> <Directory "/home/httpd/html/horde/imp/lib"> order deny,allow deny from all </Directory> <Directory "/home/httpd/html/horde/imp/locale"> order deny,allow deny from all </Directory> <Directory "/home/httpd/html/horde/imp/po"> order deny,allow deny from all </Directory> <Directory "/home/httpd/html/horde/imp/scripts"> order deny,allow deny from all </Directory> <Directory "/home/httpd/html/horde/imp/templates"> order deny,allow deny from all </Directory> Setup scripts ============= There are various scripts use to setup or configure Horde. If you allow other users on the web server machine, you should protect these files from being accessed by them. On a unix system, you might restrict these files to root access by using the following type of commands:: $ chown -R root /home/httpd/html/horde/scripts $ chown -R root /home/httpd/html/horde/*/scripts $ chmod -R go-rwx /home/httpd/html/horde/scripts $ chmod -R go-rwx /home/httpd/html/horde/*/scripts Using a chroot web server setup =============================== Unix users may want to consider using a chroot environment for their web server. How to do this is beyond the scope of this document, but sufficient information exists on the world wide web and/or in your server documentation to complete this task. Hiding PHP info from the user ============================= You should consider setting the following PHP variables in your ``php.ini`` file to prevent information leak to the user, or global insertion by the user:: expose_php = Off display_errors = Off log_errors = On register_globals = Off You should also set up error logging (using the PHP ``error_log`` variable) to log to a file, syslog, or other log destination. Using a secure web server ========================= Horde depends on passing sensitive information (such as passwords and session information) between the web server and the web client. Using a secure (SSL-enabled) web server will help protect this information as it traversing the network. Using a secure POP3/IMAP server =============================== If you are using a POP3/IMAP server with Horde (e.g. for authentication or for IMP) then Horde is passing the user's login credentials between the web server and the mail server. If your web server and IMAP server are on the same host, you can increase security by forcing all traffic over the loopback or localhost interface so that it is not exposed to your network. In cases where that is not possible, we recommend using a secure mail connection such as IMAP-SSL or POP3-SSL to ensure that passwords remain safe. LDAP Security ============= LDAP security is similar to the above POP3/IMAP server security issue. If you are using LDAP, you should make sure that you are not exposing ldap passwords or any sensitive data in your LDAP database. Database socket security ======================== If your database (e.g. MySQL or PostgreSQL) is on the same host as your web server, you may use unix sockets rather than tcp connections to help improve your security (and performance). If it doesn't support unix sockets, you can achieve some better security by restricting the tcp support to the loopback or localhost interface. If the database keeps its socket file (e.g. ``mysql.sock``) in a directory like ``/tmp`` or ``/var/tmp``, you should set permissions carefully to ensure that local users (if you have any) can't delete the socket. The unix "sticky" bit should already be sent on the temporary directory itself, but you also need to make sure the socket itself isn't writable by "other" or users can delete it. You might consider moving the socket file to another location such as ``/var/run`` or the top-level directory of your database program (e.g. ``/var/lib/mysql`` or ``/var/lib/pgsql``). Sendmail or SMTP considerations =============================== In some cases, you can increase security by sending mail via the local command-line sendmail program on your web server, rather than using SMTP. However, there may be reasons to use SMTP instead, such as if your smtp server does spam or virus checking which would be skipped using the local sendmail program. Additional Notes ================ This is by far not a complete security HOWTO. This is just a compiled list of what people have contributed so far. If you have tips, ideas, suggestions or anything else that you think could help others in securing their Horde installation, please let us know.
# cat /usr/share/doc/pear/horde/PERFORMANCE
Horde Performance Guide
:Contact: horde@lists.horde.org
.. contents:: Contents
Some tips on performance tuning systems for Horde. This does not cover
hardware tuning or even low level system (network, filesystem, etc) tuning.
Don't apply the following tuning hints blindly. Test your applications before
and after the changes under the conditions that are important for you. For
some people it's more important to make them as fast as possible for a small
user base, others require the applications to scale well under a high load.
Some of these hints might even make the applications slower under certain
conditions or using a certain hardware.
Linux Tuning
* Recompile RPMS for your architecture (e.g. i586, i686, athlon, etc).
This applies most to your Apache, PHP, IMAP, and POP3 packages.
Webserver/PHP tuning
* Consider a PHP accelerator program. See for example `The Zend Performance
Suite`_, the `Alternative PHP Cache`_, eAccelerator_, or XCache_. These
accelerators speed up access by caching the compiled PHP code, eliminating
the need to recompile the code for every single page load. **This is probably
the easiest way to improve the performance of Horde**. See Autoloading_
further down to get even more out of some of those accelerators.
* Enable PHP output compression in the Horde configuration. Do not enable
compression in the PHP configuration (i.e. in ``php.ini``), because certain
scripts don't work well with compression and Horde takes care of disabling
compression conditionally.
* Keep the include path defined in ``php.ini`` as short as possible, with the
most frequently used library paths first. You don't need to include the
local directory ``.`` because Horde always uses full paths instead of
relative paths.
* Use an optimized ``php.ini``: start with ``php.ini-recommended`` in your PHP
* Don't run PHP session garbage collection too often if using a slow storage
medium (like SQL). (See ``session.gc_probability`` in ``php.ini``)
* If you have a large number of sessions and are using PHP's default file
based session handler, consider storing them in hashed directory levels.
(See ``session.save_path`` at http://www.php.net/session)
* Consider using a faster storage medium for sessions, such as a tmpfs
(if storing sessions locally) or memcache (for storing session information
that can be accessed by multiple servers).
* Only load as many Apache and PHP extensions as needed (to reduce memory
* Use statically compiled Apache modules, including the PHP module.
* Use compiler optimizations (--prefer-non-pic, -O3, -march -mcpu, -msse,
-mmmx, -mfpmath=sse, etc.)
* If using SSL with a large site, consider a hardware SSL accelerator.
* Use shared memory for the Apache SSL cache if possible.
* To improve caching of static content if accessing Apache SSL with Internet
Explorer, try setting longer expiration periods::
ExpiresActive On
ExpiresByType image/png "now plus 1 month"
ExpiresByType image/gif "now plus 1 month"
ExpiresByType text/javascript "now plus 1 month"
ExpiresByType application/x-javascript "now plus 1 month"
ExpiresByType text/css "now plus 1 month"
.. Note:: You must compile the ``mod_expires`` extension into Apache in
order to use these directives.
.. Warning:: This might cause problems if you upgrade Horde and the users'
browsers still use the old file versions.
* Disable DNS lookups in your Apache logging, or use a caching DNS server on
the web server host.
* Enable Apache keepalives.
* You can configure Horde to serve all images, style sheets and/or static
javascript files from a different server. This could be a very lightweight
server without PHP (and other CGI modules) builtin. If using SSL to serve
all pages, the images/js server will also have to serve SSL content or else
browsers will complain about non-secure content in a secure page. Since this
server does not need to handle dynamic content, it would be wise to use a
high-performance server with low memory and/or system resource requirements
(this `IBM Article`_ can provide further information). You need to set
the ``themesuri`` and/or ``jsuri`` parameters in ``config/registry.php`` for
all applications and copy all ``themes`` and/or ``js`` directories in the
same directory layout to the other server.
* Your webserver should use Expires headers to make sure static content can
be cached on the user's browser. For example, to make lighttpd set an
expiration date on all graphics, javascript files, and stylesheets, add
the following to ``lighttpd.conf``::
$HTTP["url"] =~ "\.(jpg|gif|png|js|css)$" {
expire.url = ( "" => "access 1 months" )
* Enable caching in horde. Several applications make heavy use of caching and,
if enabled, you will see a significant increase in performance.
* Enable caching/compression of javascript and CSS. See `Yahoo's Analysis`_
which concludes that "[r]educing the number of HTTP requests has the biggest
impact on reducing response time". Caching via filesystem is HIGHLY
RECOMMENDED: it is also the only way of caching that reliably works on all
browsers. Caching can also be done via horde caching, but the
cache-busters used to generate unique URLs when the cached content changes
do not work 100% reliably across all browsers.
* It is highly recommended to install the horde_lz4 package to activate
compression for Horde data. horde_lz4 is a minimal package that does
real-time compression. On modern CPUs, this compression is as fast as an
(unoptimized) memcpy action, making the compression essentially 'free' when
compared to uncompressed data. horde_lz4 can be installed via PECL (see
INSTALL for further details).
.. _`The Zend Performance Suite`: http://www.zend.com/horde.php
.. _`Alternative PHP Cache`: http://www.php.net/apc
.. _eAccelerator: http://eaccelerator.net/
.. _XCache: http://xcache.lighttpd.net/
.. _`IBM Article`: http://www.ibm.com/developerworks/web/library/wa-ltwebserv/
.. _`Yahoo's Analysis`: http://yuiblog.com/blog/2006/11/28/performance-research-part-1/
Sending Mail
* Generally using a local sendmail command to send mail will result in better
peformance than using a SMTP connection.
* Some MTA servers may be faster or more efficient than others. Consider
switching to a faster format if needed.
PostgreSQL tuning
* Do a ``VACUUM`` command periodically to tune your database.
* Increase ``shared_buffers`` and ``sort_mem`` memory settings.
* If web server and database is on the same unix host, use unix sockets
instead of network connections for database access.
MySQL tuning
* If web server and database is on the same unix host, use unix sockets
instead of network connections for database access.
* Enable mysql query cache if you have sufficient RAM. Edit your ``my.cnf``
file and add the following to the ``[mysqld]`` section (change the memory
size to meet your needs)::
set-variable = query_cache_size=128M
Horde tuning
* Horde automatically loads PHP source files on demand which relies on the PHP
autoloading feature introduced with PHP 5 and the Horde Autoloader library.
Both allow to limit the set of source code files pulled into the system to
the minimal amount required to answer the current request. This saves memory
and time but at the same time the Autoloader library has to map each class
name to the path of the corresponding PHP file that holds the class
definition. This procedure is expensive and can slow the system down.
Fortunately the mapping is fixed unless files are added or removed which
usually only happens during an upgrade.
Thus Autoloading is amenable to caching and an easy way to improve the
performance of the Horde Autoloader library, is to install the Autoloader
Cache extension::
pear install horde/horde_autoloader_cache
This library is not installed by default because it will unconditionally use
any of the following cache backends and does not allow for any further
configuration: `Alternative PHP Cache`_, XCache_, eAccelerator_, or the local
temporary filesystem.
It also doesn't detect the rare case when the file paths of any PHP class in
Horde changes. In this case you either need to use the provided script to
empty the cache::
or empty the cache manually, e.g. by restarting the web server or deleting
the cache file from the temporary directory.
* Try to avoid using a SQL backend for VFS. Many databases require binary data
to be heavily escaped, resulting in storage sizes that are many times
greater than the actual size of the data. File system VFS will normally
provide much improved performance.
Application tuning
* Some applications contain advanced features that might have a certain impact
on the performance. These features can usually be turned off in the
application's configuration and are explicitly described as being a
performance hit in the configuration web frontend.
PHP Einstellungen
Gemäß den Angaben in der Installationsdokumentation /usr/share/doc/pear/horde/INSTALL passen wir nun noch den Wert session.gc_divisor in der PHP-Konfigurationsdatei /etc/php.ini an:
# vim /etc/php.ini
- /etc/php.ini
... ; Django : 2010-09-15 ; default: session.gc_divisor = 1000 ; PHP automatically garbage collects old session information, as long as this setting ; (and session.gc_probability) are set to non-zero. It is recommended that this value ; be "10000" or higher (see /usr/share/doc/pear/horde/INSTALL). session.gc_divisor = 10000 ...
Den Hinweisen aus der Sicherheitsdokumentation /usr/share/doc/pear/horde/SECURITY entsprechend kontrollieren wir die Einstellungen in der PHP-Konfigurationsdatei /etc/php.ini und passen den Parameter expose_phpan.
# vim /etc/php.ini
- /etc/php.ini
... ; Decides whether PHP may expose the fact that it is installed on the server ; (e.g. by adding its signature to the Web server header). It is no security ; threat in any way, but it makes it possible to determine whether you use PHP ; on your server or not. ; http://php.net/expose-php ; Django : 2014-09-19 ; horde's security hints: http://www.horde.org/apps/horde/docs/SECURITY#hiding-php-info-from-the-user ; default: expose_php = On expose_php = Off ...
Zur Aktivierung der Anpassungen führen wir einen Reload des Apache-Daemon durch.
# systemctl reload httpd.service
Apache vHost
vHost Definition
Für unsere WEB-Applikation richten wir uns nun einen geeigneten SSL-Name Based Virtual Host ein. Im Konfigurationsverzeichnis unseres Apache-Webservers 2.4 legen wir uns eine neue vHOST-Konfigurationsdatei an.
# vim /etc/httpd/conf.d/vhost_443_horde.conf
- /etc/httpd/conf.d/vhost_443_horde.conf
# # horde.sec-mail.guru (Horde Groupware Version 5) # <VirtualHost *:80> ServerAdmin webmaster@nausch.org ServerName horde.sec-mail.guru ServerAlias xn--bro-hoa.sec-mail.guru ServerPath / <Location /> Options -Indexes +FollowSymLinks Require all granted </Location> RewriteEngine on RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} DirectoryIndex index.php ErrorLog logs/horde_error.log CustomLog logs/horde_access.log combined </VirtualHost> <VirtualHost *:443> ServerAdmin webmaster@nausch.org ServerName horde.sec-mail.guru ServerAlias xn--bro-hoa.sec-mail.guru ServerPath / DocumentRoot "/usr/share/horde" <IfModule mod_ssl.c> SSLEngine on SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5 SSLHonorCipherOrder on SSLCertificateFile /etc/pki/tls/certs/wildcard.sec-mail.guru.certificate_140920.pem SSLCertificateKeyFile /etc/pki/tls/private/wildcard.sec-mail.guru.serverkey.pem SSLCertificateChainFile /etc/pki/tls/certs/CAcert_certificate-chain.pem </IfModule> <IfModule mod_gnutls.c> GnuTLSEnable on GnuTLSPriorities SECURE:!MD5 # #GnuTLSPriorities NONE:+AES-128-CBC:+3DES-CBC:+ARCFOUR-128:+RSA:+DHE-RSA:+DHE-DSS:+SHA1:!MD5:+COMP-NULL GnuTLSCertificateFile /etc/pki/tls/certs/horde.sec-mail.guru.certificate_140912.pem GnuTLSKeyFile /etc/pki/tls/private/horde.sec-mail.guru.serverkey.pem </IfModule> <IfModule mod_deflate.c> AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript AddOutputFilterByType DEFLATE application/javascript application/x-javascriptl <Location /> <IfModule mod_setenvif.c> SetOutputFilter DEFLATE BrowserMatch ^Mozilla/4 gzip-only-text/html BrowserMatch ^Mozilla/4\.0[678] no-gzip BrowserMatch \bMSIE !no-gzip !gzip-only-text/html SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary </IfModule> <IfModule mod_headers.c> Header append Vary User-Agent env=!dont-vary </IfModule> </Location> </IfModule> AddType application/x-httpd-php .php # Link to system Javascript Libraries Alias /horde/js/scriptaculous /usr/share/scriptaculous Alias /horde/js/prototype.js /usr/share/prototype/prototype.js Alias /horde/js/syntaxhighlighter /usr/share/syntaxhighlighter # Link to Micro$oft stuff Alias /Microsoft-Server-ActiveSync /usr/share/horde/rpc.php Alias /autodiscover/autodiscover.xml /usr/share/horde/rpc.php <Directory /usr/share/horde/> # **IMPORTANT** By default, everyone accessing Horde is automatically logged # in as 'Administrator'. This is a security risk! It is very important that # you change the authentication backend under the 'Authentication' tab. # For this reason, Horde is currently only accessible from localhost. <IfModule mod_authz_core.c> # Zugriff nur vom Host vml000010.dmz.nausch.org aus erlauben # Require host vml000010.dmz.nausch.org # Zugriff generell erlauben Require all granted </IfModule> # Django : 2014-09-19 # aus der Konfigurationsdatei php-horde-kronolith.conf übernommen <IfModule mod_rewrite.c> RewriteEngine On RewriteBase /horde/ RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*)$ rampage.php [QSA,L] </IfModule> Options +FollowSymLinks #Options All #AllowOverride All # Rewrite the requestet URI, when it is with german "Umlaute". RewriteEngine On RewriteCond %{REQUEST_URI} ^/$ RewriteCond %{HTTP_HOST} ^xn--bro-hoa.sec-mail.guru$ [NC] RewriteRule ^$ https://horde.sec-mail.guru [L,R=301] # Exclude file from password protection SetEnvIf Request_URI "(rpc.php)$" allow SetEnvIf Request_URI "(rpc.php/turba/mailsystem/)$" allow SetEnvIf Request_URI "(rpc.php/nag/mailsystem/)$" allow SetEnvIf Request_URI "(sapi/profile/client)$" allow SetEnvIf Request_URI "(devinfo)$" allow SetEnvIf Request_URI "(Microsoft-Server-ActiveSync)$" allow # ActiveSync RewriteEngine On RewriteRule ^/Microsoft-Server-ActiveSync /rpc.php [PT,L,QSA] RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}] RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}] RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] </Directory> # Deny access to the test.php files except from localhost <Files "test.php"> # Django : 2014-09-19 # Zugriff generell verbieten # Require all denied # Zugriff nur vom Host vml000010.dmz.nausch.org aus erlauben Require host vml000010.dmz.nausch.org </Files> # Those directories should not be viewed by Web clients. <DirectoryMatch /usr/share/horde/(ansel|imp|ingo|kronolith|mnemo|nag|sesha|trean|turba|passwd|wicked)/(config|lib|locale|scripts|templates)> Require all denied </DirectoryMatch> <DirectoryMatch /usr/share/horde/(config|lib|locale|templates|scripts)> Require all denied </DirectoryMatch> <Directory /usr/share/horde/rpc> <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*)$ index.php/$1 [QSA,L] </IfModule> </Directory> # Django : 2014-09-19 # aus der Konfigurationsdatei php-horde-content.conf übernommen <Directory /usr/share/horde/content> <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*)$ index.php [QSA,L] </IfModule> </Directory> # Django : 2014-09-19 # aus der Konfigurationsdatei php-horde-kronolith.conf übernommen <Directory /usr/share/horde/kronolith/feed/> <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*)$ index.php?c=$1 [QSA,L] </IfModule> </Directory> DirectoryIndex index.php ErrorLog logs/horde_error.log CustomLog logs/horde_access.log combined </VirtualHost>
Solange wir unseren vHost noch nicht in der Produktionsumgebung steht und fertig konfiguriert wurde, beschränken wir den Zugriff auf den vHost noch. Hierzu tragen wir in der Directive Directory folgendes ein:
... <IfModule mod_authz_core.c> # Access-stuff (Zugriff von überall erlauben.) #Require all granted # Access-stuff (Zugriff nur vom Admin-Netz aus!) Require host nausch.org </IfModule> ...
Nach erfolgter Konfiguration, geben wir dann den Zugriff für alle frei.
... <IfModule mod_authz_core.c> # Access-stuff (Zugriff von überall erlauben.) Require all granted # Access-stuff (Zugriff nur vom Admin-Netz aus!) #Require host nausch.org </IfModule> ...
Konfiguration aktivieren
Bevor unseren Webserver starten, damit der neue vHost auch bedient werden kann, überprüfen wir die Konfiguration noch auf syntaktische Fehler.
# apachectl -t
Syntax OK
Abschließend führen wir einen Reload sdes Daemon durch.
# systemctl reload httpd.service
Bei Bedarf können wir auch den Status des Apche Webservers abfragen.
# systemctl status httpd.service
httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled) Active: active (running) since Tue 2014-09-09 18:26:47 CEST; 1 day 15h ago Process: 20019 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS) Process: 22718 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS) Main PID: 20024 (httpd) Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec" CGroup: /system.slice/httpd.service ├─20024 /usr/sbin/httpd -DFOREGROUND ├─22721 /usr/sbin/httpd -DFOREGROUND ├─22722 /usr/sbin/httpd -DFOREGROUND ├─22723 /usr/sbin/httpd -DFOREGROUND ├─22724 /usr/sbin/httpd -DFOREGROUND └─22725 /usr/sbin/httpd -DFOREGROUND Sep 10 19:45:20 vml000097.dmz.nausch.org systemd[1]: Reloading The Apache HTTP Server. Sep 10 19:45:21 vml000097.dmz.nausch.org systemd[1]: Reloaded The Apache HTTP Server.
mySQL Datenbank
Ein Großteil der Benutzer-Konfigurationsdaten werden in einer mySQL-Datenbank gespeichert und vorgehalten.
Datenbank anlegen
Diese mySQL-Datenbank und der zugehörige Datenbankuser werden wird nun im ersten Schritt anlegen.
Wir melden uns also als berechtigter Datenbankuser an der mySQL-Datenbank an.
# mysql -h mysql.dmz.nausch.org -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 217075
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
Dort legen wir als aller erst einmal eine Datenbank mit dem Namen horde an.
mysql> create database horde5;
Query OK, 1 row affected (0.00 sec)
Datenbankuser anlegen
Anschließend legen wir uns einen Datenbankuser an, denen wir entsprechende Rechte an der, gerade angelegten Datenbank horde einräumen. Als Namen nehme wir einfach hode_admin_user.
mysql> CREATE USER 'horde_admin_user'@'' IDENTIFIED BY 'rbgsDK39DeM2b2btx9iMHfzd';
Query OK, 0 rows affected (0.00 sec)
mysql> CREATE USER 'horde_admin_user'@'vml000097.dmz.nausch.org' IDENTIFIED BY 'rbgsDK39DeM2b2btx9iMHfzd';
Query OK, 0 rows affected (0.00 sec)
Nutzerberechtigungen setzen
Dem gerade angelebtem Datenbankuser für Horde gewähren wir nun die nötigen Rechte, damit dieser vom Webserver aus, Tabellen anlegen, befüllen und verändern darf.
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Nutzerberechtigungen zuweisen
Zum Ende unserer mySQL-Userkonfiguration weisen wir unserem Nutzer die Berechtigungen zu.
Query OK, 0 rows affected (0.00 sec)
Wir können uns nun vom Datenbank-Server wieder abmelden.
mysql> quit
Zugriff testen
Als nächstes überprüfen wir, ob der zuvor angelegt User/Zugang vom WEB-Server aus auch funktioniert.
# mysql -D horde5 -h mysql.dmz.nausch.org -u horde_admin_user -p
Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MySQL connection id is 217265 Server version: 5.1.73 Source distribution Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MySQL [horde5]>
Die Verbindung klappt schon mal, daher lassen wir uns mal ansehen, welche Datenbanken der administrative Horde-User sehen kann.
MySQL [horde5]> show databases;
+--------------------+ | Database | +--------------------+ | information_schema | | horde5 | +--------------------+ 2 rows in set (0.01 sec) MySQL [horde5]>
Auch dieser Test fiel positiv aus, wir können uns daher die Verbindung zum Datenbank-Server beenden und uns der weiteren konfiguration widmen.
MySQL [horde5]> quit
weitere Schritte zur Einrichtung
Nach der erfolgreichen Einrichtung des Apache vHosts und der Datenbankanbindung und -einrichtung, können wir uns nun mit der Konfiguration des Frameworks Horde 5 unter CentOS 7 sowie der Einrichtung einzelner Applikationen beschäftigen.