Debian 9 – Deploy Passbolt


Passbolt is an open source password manager for teams. It allows you to share and manage passwords with different groups of people. This is especially useful for organizations, rather than individuals.

Installation Steps

Set up database

sudo apt-get install mariadb-server -y
sudo systemctl start mariadb

By default the database is not set up with a root password. Let's fix this by creating a random password for the root user.

ROOT_PASSWORD=`openssl rand -base64 14`
sudo mysql --user="root" --execute="GRANT ALL ON *.* to 'root'@'localhost' identified by '$ROOT_PASSWORD';"
echo "Your database's root password is: $ROOT_PASSWORD"

Optionally, run this additional step to perform some hardening, such as deleting the test database.

sudo mysql_secure_installation

Then run the following snippet, which creates a passbolt database and a passbolt user and prints that user's password.

PASSBOLT_PASSWORD=`openssl rand -base64 14`
mysql --user="root" --password="$ROOT_PASSWORD" --execute="CREATE DATABASE passbolt;"
# Grant the passbolt user rights on its own database only, not on every database on the server.
mysql --user="root" --password="$ROOT_PASSWORD" --execute="GRANT ALL ON passbolt.* TO 'passbolt'@'localhost' IDENTIFIED BY '$PASSBOLT_PASSWORD';"
echo "Your passbolt user's password is $PASSBOLT_PASSWORD"

Make a note of the passbolt user’s password, you will need this later.

Install Packages

sudo apt update && sudo apt-get install -y \
  apache2 make git-core composer unzip g++ linux-headers-amd64 \
  php7.0 php7.0-cli php7.0-common libapache2-mod-php7.0 \
  php7.0-json php7.0-readline php7.0-mysqlnd libonig4 \
  libqdbm14 php7.0-gd php7.0-intl php7.0-simplexml php7.0-curl \
  php7.0-dom php7.0-mbstring libgpgme11-dev php7.0-gnupg

Configure Apache

Copy and paste the following into /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName passbolt.dev

    DocumentRoot /var/www/passbolt

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/passbolt>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Enable url rewriting in apache and restart it.

sudo a2enmod rewrite && sudo systemctl restart apache2

Download Passbolt

sudo chown -R $USER:www-data /var/www
cd /var/www
sudo git clone https://github.com/passbolt/passbolt_api.git ./passbolt
sudo chown $USER:www-data -R /var/www/passbolt
cd /var/www/passbolt
git checkout v2.4

For the next section, we need to set ownership of /var/www to www-data.

sudo chown www-data:www-data -R /var/www

Initialize the Webserver GPG Keyring

In order for passbolt authentication to work, your server key needs to be in the keyring used by the web server.

In Debian 9, the home directory of the web server user www-data is /var/www, and we need to give ownership of this folder to www-data, since it is not owned by default.

Unfortunately, generating GPG keys as the www-data user is not as straightforward as you may hope. We need to make it possible to SSH into the server as the www-data user.

SEARCH="www-data:/var/www:/usr/sbin/nologin"
REPLACE="www-data:/var/www:/bin/bash"
FILEPATH="/etc/passwd"
sudo sed -i "s;$SEARCH;$REPLACE;" $FILEPATH

Then we need to set a password for the www-data user:

sudo passwd www-data

After doing all that, log out of the server and then SSH in again as the www-data user.

ssh www-data@passbolt.mydomain.com

Generate your GPG key. Make sure not to set a passphrase.

gpg --full-gen-key

For the rest of the commands, set EMAIL to the address you entered for the key in the previous step.

EMAIL="my.name@gmail.com"

Output the fingerprint of the key. We will need this later during the installation steps so make a note of it.

gpg --list-keys --fingerprint

It should be something like:

54C6 4738 18D7 DB06 A133  E453 6531 F684 FED9 15E3

However, when you copy it into the config later, you need to take out the spaces, so it would look like:

54C6473818D7DB06A133E4536531F684FED915E3

Execute the following commands in order to have the keys put where passbolt is expecting them.

gpg --armor --export-secret-keys $EMAIL > /var/www/passbolt/config/gpg/serverkey_private.asc
gpg --armor --export $EMAIL > /var/www/passbolt/config/gpg/serverkey.asc
chmod 640 /var/www/passbolt/config/gpg/serverkey*
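The fingerprint has to go into config/passbolt.php without spaces and as the full 40 hex digits, which is easy to get wrong when copying by hand. The following POSIX shell snippet is an added example, not code from the original post or from the Passbolt project: normalize_fingerprint strips the spaces and rejects anything that is not a complete fingerprint, and fingerprint_for_email (an assumed helper that needs gpg installed) reads the fingerprint from the keyring using gpg's machine-readable --with-colons output instead of relying on a copy-paste.

```shell
#!/bin/sh
# Added example (not from the original post): prepare the server key
# fingerprint in the form config/passbolt.php expects and check it is sane.

# Strip every space from a fingerprint as printed by `gpg --fingerprint` and
# verify that what is left is exactly 40 hex digits (a full v4 fingerprint).
# Prints the normalised fingerprint and returns 0, or prints nothing and
# returns 1 when the input does not look like a complete fingerprint.
normalize_fingerprint() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*) return 1 ;;      # contains something that is not hex
    esac
    [ "${#fpr}" -eq 40 ] || return 1  # must be the full 160-bit fingerprint
    printf '%s\n' "$fpr"
}

# Assumed helper: read the fingerprint straight from the keyring. In gpg's
# colon-separated output the first "fpr" record carries the primary key's
# fingerprint in field 10. Requires gpg; not exercised by the sample below.
fingerprint_for_email() {
    gpg --with-colons --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Constructed sample input: the fingerprint shown in the post above.
sample='54C6 4738 18D7 DB06 A133  E453 6531 F684 FED9 15E3'
if normalized=$(normalize_fingerprint "$sample"); then
    echo "fingerprint for config/passbolt.php: $normalized"
else
    echo "not a valid 40-hex-digit fingerprint: $sample" >&2
fi
```

On the real server you would replace the constructed sample with `fingerprint_for_email "$EMAIL"` and paste the normalised value into the OpenPGP fingerprint setting; the validation step is what catches a partial copy (only the short key id, or a line that lost a group of digits).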

Composer Install

Install dependencies through composer.

cd /var/www/passbolt && composer install --no-dev

Now we need to configure passbolt…

cp config/passbolt.default.php config/passbolt.php
editor config/passbolt.php

Set the following:

  • Application full base url (using http:// instead of https:// for now)
  • Database configuration
  • Server OpenPGP key fingerprint (you noted it down before)

Until you set up SSL, disable the forcing of SSL by adding the ssl section shown below just above the demo configuration.

...
    'ssl' => [
        'force' => false,
    ],
/**
* DEMO CONFIGURATION EXAMPLE
*
...

Email

In that configuration file, you will see a section for the email configuration. By default it looks like this:

// Email configuration.
'EmailTransport' => [
    'default' => [
        'host' => 'localhost',
        'port' => 25,
        'username' => 'user',
        'password' => 'secret',
        // Is this a secure connection? true if yes, null if no.
        'tls' => null,
        //'timeout' => 30,
        //'client' => null,
        //'url' => null,
    ],
],
'Email' => [
    'default' => [
        // Defines the default name and email of the sender of the emails.
        'from' => ['passbolt@mydomain.com' => 'Passbolt'],
        //'charset' => 'utf-8',
        //'headerCharset' => 'utf-8',
    ],
],

I recommend that you set up SMTP with either Google or AWS.

For google this would be:

// Email configuration.
'EmailTransport' => [
    'default' => [
        'transport' => 'Smtp',
        'host' => 'smtp.gmail.com',
        'port' => 587,
        'username' => 'username@gmail.com',
        'password' => 'xxxxxxxxx',
        // Is this a secure connection? true if yes, null if no.
        'tls' => true,
        'timeout' => 30,
        //'client' => null,
        //'url' => null,
    ],
],
'Email' => [
    'default' => [
        // Defines the default name and email of the sender of the emails.
        'from' => ['passbolt@mydomain.com' => 'Passbolt'],
        //'charset' => 'utf-8',
        //'headerCharset' => 'utf-8',
    ],
],

For AWS SES (europe) this would be:

// Email configuration.
'EmailTransport' => [
    'default' => [
        'transport' => 'Smtp',
        'host' => 'email-smtp.eu-west-1.amazonaws.com',
        'port' => 587,
        'username' => 'xxxxxxxxxxxxxxxxxxxx',
        'password' => 'xxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
        // Is this a secure connection? true if yes, null if no.
        'tls' => true,
        'timeout' => 30,
        //'client' => null,
        //'url' => null,
    ],
],
'Email' => [
    'default' => [
        // Defines the default name and email of the sender of the emails.
        'from' => ['passbolt@mydomain.com' => 'Passbolt'],
        //'charset' => 'utf-8',
        //'headerCharset' => 'utf-8',
    ],
],

At this point it would be a good idea to test your configuration with:

./bin/cake passbolt send_test_email --recipient=my.email@my.domain.com

Then check your email. If you didn’t get an email, re-check your configuration.

Email Cron

Unfortunately, Passbolt does not send emails immediately; instead they are queued, and you have to set up a cron job to send them. As the www-data user run:

crontab -e

Add the following line

* * * * * /var/www/passbolt/bin/cake EmailQueue.sender >> /var/log/passbolt.log

Migrations

Run the following command to apply the migrations and the remaining install steps.

cd /var/www/passbolt
./bin/cake passbolt install

Finally, run a healthcheck to check that everything is fine:

./bin/cake passbolt healthcheck

You should get one error, for not having set up HTTPS; we will sort that out later.

Now open your server's domain in your web browser.

Click the link to download the plugin.

Once you have installed the plugin, when you go back to your webserver’s url, you need to click “recover your existing account”.

HTTPS

Copy your certificates over to:

  • /etc/ssl/certs/passbolt.crt
  • /etc/ssl/certs/ca.crt
  • /etc/ssl/certs/passbolt.key

Run the following commands as a non-www-data user to set permissions on those certificate files.

sudo chown $USER:www-data /etc/ssl/certs/passbolt.crt
sudo chown $USER:www-data /etc/ssl/certs/ca.crt
sudo chown $USER:www-data /etc/ssl/certs/passbolt.key
chmod 640 /etc/ssl/certs/passbolt.crt
chmod 640 /etc/ssl/certs/ca.crt
chmod 640 /etc/ssl/certs/passbolt.key
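The chmod/chown steps above (and the same ones for the exported GPG keys earlier) are only useful if nothing later loosens them, so it is worth having a check that can be rerun. The following POSIX shell script is an added example, not part of the original post or of Passbolt: it verifies that each file is owned by the www-data group, is not group-writable, and has no permission bits at all for other users. The file list is the post's own; the reliance on GNU stat's -c format is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the files this
# guide restricts to owner + www-data really are that restricted.

# check_secret_file FILE [GROUP]
# Returns 0 when FILE exists, has no permission bits for "other", is not
# group-writable or group-executable, and belongs to GROUP (default
# www-data); otherwise prints the reason to stderr and returns 1.
check_secret_file() {
    file=$1
    expected_group=${2:-www-data}
    if [ ! -f "$file" ]; then
        echo "$file: missing" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$file")    # octal mode, e.g. 640 (GNU stat; assumption)
    group=$(stat -c '%G' "$file")   # group name
    other=$(printf '%s' "$mode" | tail -c 1)           # last octal digit: other
    grp=$(printf '%s' "$mode" | tail -c 2 | head -c 1) # second to last: group
    if [ "$other" != 0 ]; then
        echo "$file: mode $mode grants access to every local user" >&2
        return 1
    fi
    case "$grp" in
        0|4) ;;   # group may read (4) or have nothing (0), never write/execute
        *) echo "$file: mode $mode lets the group write or execute it" >&2; return 1 ;;
    esac
    if [ "$group" != "$expected_group" ]; then
        echo "$file: group is $group, expected $expected_group" >&2
        return 1
    fi
    return 0
}

# The files this guide installs and restricts (GPG keys and TLS material).
status=0
for f in /var/www/passbolt/config/gpg/serverkey_private.asc \
         /var/www/passbolt/config/gpg/serverkey.asc \
         /etc/ssl/certs/passbolt.key \
         /etc/ssl/certs/passbolt.crt \
         /etc/ssl/certs/ca.crt; do
    check_secret_file "$f" || status=1
done
[ "$status" -eq 0 ] && echo "all restricted files have safe permissions"
```

Run it after the chown/chmod steps and again after any upgrade; a non-zero exit from check_secret_file points at the exact file and reason, so it can also sit in cron next to the email queue job.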

Enable SSL in apache

sudo a2enmod ssl
sudo a2enmod headers
sudo a2ensite default-ssl

Now let's edit our apache SSL site configuration.

sudo vim /etc/apache2/sites-enabled/default-ssl.conf

Paste the following into it.

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName passbolt.dev

        DocumentRoot /var/www/passbolt

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/passbolt.crt
        SSLCertificateChainFile /etc/ssl/certs/ca.crt
        SSLCertificateKeyFile /etc/ssl/certs/passbolt.key

        <Directory /var/www/passbolt>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>

        BrowserMatch "MSIE [2-6]" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    </VirtualHost>
</IfModule>

Restart apache for the changes to take effect (a restart rather than a reload, since new modules were enabled):

sudo systemctl restart apache2

Now let’s configure passbolt to force https…

sudo vim /var/www/passbolt/config/passbolt.php

Find the ssl section we added and change it from false to true.

'ssl' => [
    'force' => true,
],

Upgrading

  • Please refer here.

References
