1. Utils
sudo apt update -y
sudo apt install -y lsb-release apt-transport-https ca-certificates wget unzip gnupg2
sudo apt install -y cron
2. Preparation - Create passwords to use further in the installation
yourJWTpassword
yourDBpassword
yourRISSecret
yourServerName - e.g. www.yourName.local
yourEmailSender - e.g. noreply@yourName.local
yourEmailAdmin - e.g. admin@yourName.local
yourEmailError - e.g. error@yourName.local
3. Nginx
sudo apt install -y nginx
Test
Test command:
systemctl status nginx
Expected result:
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; preset: enabled)
Active: active (running)
Docs: man:nginx(8)
Process: 26921 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 26924 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 26925 (nginx)
Tasks: 3 (limit: 4687)
Memory: 2.4M
CPU: 24ms
CGroup: /system.slice/nginx.service
├─26925 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
├─26926 "nginx: worker process"
└─26927 "nginx: worker process"
4. Firewall
sudo apt install -y firewalld
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo systemctl reload firewalld
5. PostgreSQL
sudo apt update -y
sudo apt upgrade -y
sudo apt install -y postgresql postgresql-contrib
Test
Test command:
pg_config --version
Expected result:
PostgreSQL 15.6 (Debian 15.6-0+deb12u1)
6. Redis
sudo apt install -y redis
Test
Test command:
redis-server --version
Expected result:
Redis server v=7.0.15 ...
7 PHP v8.3
sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
sudo echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list
sudo apt update -y
sudo apt install -y php8.3 \
php8.3-common \
php8.3-cli \
php8.3-fpm \
php8.3-xml \
php8.3-cli \
php8.3-bcmath \
php8.3-dba \
php8.3-gd \
php8.3-intl \
php8.3-mbstring \
php8.3-pgsql \
php8.3-pdo \
php8.3-soap \
php8.3-opcache \
php8.3-imagick \
php8.3-apcu \
php8.3-redis \
php8.3-ldap
Test
Test command:
php -v
Expected result:
Cannot load Zend OPcache - it was already loaded
PHP 8.3.4 (cli) (built: Mar 29 2024 05:24:33) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.4, Copyright (c) Zend Technologies
with Zend OPcache v8.3.4, Copyright (c), by Zend Technologies
8 PHP ris.so
export DOWNLOAD_USER=
export DOWNLOAD_PASSWORD=
cd ~
sudo wget -q --http-user=$DOWNLOAD_USER --http-passwd=$DOWNLOAD_PASSWORD https://www.rillsoft.de/download/ris/debian12/php83/ris.so
sudo mv ris.so /usr/lib/php/20230831/
sudo chmod 644 /usr/lib/php/20230831/ris.so
echo "extension=ris.so" | sudo tee -a /etc/php/8.3/mods-available/ris.ini
sudo chmod 644 /etc/php/8.3/mods-available/ris.ini
sudo phpenmod -v 8.3 ris
Test
Test command:
php -m
Expected result:
...
ris
...
9. user.ini (php.ini)
sudo vi /etc/php/8.3/00-user.ini
date.timezone = Europe/Berlin
engine = Off
output_buffering = 4096
realpath_cache_size = 4096k
realpath_cache_ttl = 600
expose_php = Off
max_execution_time = 900
max_input_time = 300
memory_limit = 256M
post_max_size = 30M
upload_max_filesize = 15M
max_file_uploads = 20
allow_url_fopen = on
user_agent="PHP"
mail.add_x_header = Off
cgi.fix_pathinfo = 0
log_errors_max_len = 8192
sudo ln -s /etc/php/8.3/00-user.ini /etc/php/8.3/cli/conf.d/00-user.ini
sudo ln -s /etc/php/8.3/00-user.ini /etc/php/8.3/fpm/conf.d/00-user.ini
Test
Test command:
php -r "phpinfo();" | grep -i timezone
Expected result:
...
date.timezone => Europe/Berlin => Europe/Berlin
...
10. www.conf Replace content
sudo vi /etc/php/8.3/fpm/pool.d/www.conf
[www]
user = www-data
group = www-data
listen = 9000
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
pm = dynamic
pm.max_children = 20
pm.start_servers = 15
pm.min_spare_servers = 10
pm.max_spare_servers = 20
pm.max_requests = 100
pm.status_path = /status
11. Create DB
sudo -u postgres psql
CREATE DATABASE ris;
CREATE USER ris WITH ENCRYPTED PASSWORD 'yourDBpassword';
GRANT ALL PRIVILEGES ON DATABASE ris TO ris;
ALTER DATABASE ris OWNER TO ris;
12. RIS
cd ~
sudo rm -R -f /var/www/
sudo mkdir -p /var/www/
sudo wget -q --http-user=$DOWNLOAD_USER --http-passwd=$DOWNLOAD_PASSWORD https://www.rillsoft.de/download/ris/ris9_pgsql_on_premise.zip
sudo unzip -o ris9_pgsql_on_premise.zip -d /var/www >&-
rm -f ris9_pgsql_on_premise.zip
cd /var/www/
sudo openssl genrsa -passout pass:yourJWTpassword -out config/jwt/private.pem -aes256 4096
sudo openssl rsa -passin pass:yourJWTpassword -pubout -in config/jwt/private.pem -out config/jwt/public.pem
sudo vi /var/www/.env
###> symfony/framework-bundle ###
APP_ENV=prod
APP_SECRET=yourRISSecret
###< symfony/framework-bundle ###
###> skyfox/propel-bundle ###
DATABASE_DNS=pgsql:host=localhost;dbname=ris
DATABASE_DRIVER=pgsql
DATABASE_PASSWORD=yourDBpassword
DATABASE_USER=ris
###< skyfox/propel-bundle ###
###> lexik/jwt-authentication-bundle ###
JWT_SECRET_KEY=%kernel.project_dir%/config/jwt/private.pem
JWT_PUBLIC_KEY=%kernel.project_dir%/config/jwt/public.pem
JWT_PASSPHRASE=yourJWTpassword
###< lexik/jwt-authentication-bundle ###
REDIS_HOST=localhost
REDIS_PORT=6379
EMAIL_SENDER=yourEmailSender
EMAIL_ADMIN=yourEmailAdmin
EMAIL_ERROR=yourEmailError
###> symfony/mailer ###
MAILER_DSN=smtp://localhost
#MAILER_DSN=smtp://user:pass@host:port/?timeout=60&encryption=ssl&auth_mode=login
#https://symfony.com/doc/5.x/mailer.html
###< symfony/mailer ###
###> symfony/amazon-mailer ###
# MAILER_DSN=ses://ACCESS_KEY:SECRET_KEY@default?region=eu-west-1
# MAILER_DSN=ses+smtp://ACCESS_KEY:SECRET_KEY@default?region=eu-west-1
###< symfony/amazon-mailer ###
###> symfony/messenger ###
MESSENGER_MAILER_TRANSPORT_DSN=redis://localhost:6379/mailer?delete_after_ack=true
###< symfony/messenger ###
## OpenLdap
LDAP_URI=ldaps://openldap
LDAP_BASE_DN=dc=rillsoft,dc=local
LDAP_LOGIN_DN=uid=%s,ou=people,dc=rillsoft,dc=local
LDAP_ATTRS=uid,givenName,sn,mail
LDAP_FILTER=(objectClass=person)
# # Micrisoft AD
# LDAP_URI=ldap://192.168.181.231
# LDAP_BASE_DN=dc=ldap,dc=jenkins,dc=local
# LDAP_LOGIN_DN=%s@ldap.jenkins.local
# LDAP_ATTRS=samAccountName,givenName,sn,mail,department,company,telephonenumber
# LDAP_FILTER=(objectClass=user)(samaccounttype=805306368)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))
In work LDAPS
? sudo echo "TLS_CACERT /etc/openldap/certs/cert.pem" >> /etc/openldap/ldap.conf
? export LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt.
Init
cd /var/www/
sudo php bin/console cache:clear --env=prod --no-debug
sudo php bin/console assets:install --env=prod --no-debug
sudo php bin/console propel:sql:insert --force
sudo php bin/console propel:fixtures:load --dir=data/fixtures --yml
sudo php bin/console rillsoft:update --env=prod
Update opcache.ini
sudo vi /etc/php/8.3/mods-available/opcache.ini
zend_extension=opcache.so
opcache.jit=off
opcache.enable=1
opcache.preload_user=www-data
opcache.preload=/var/www/var/cache/prod/App_KernelProdContainer.preload.php
opcache.memory_consumption=1024
opcache.interned_strings_buffer=256
opcache.max_accelerated_files=30000
opcache.validate_timestamps=0
opcache.huge_code_pages=1
Update nginx conf
sudo vi /etc/nginx/sites-available/ris.conf
server {
server_name yourServerName;
listen 80 default;
client_max_body_size 108M;
root /var/www/public;
location / {
# try to serve file directly, fallback to index.php
try_files $uri /index.php$is_args$args;
}
location ~ ^/(service)\.php(/|$) {
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
fastcgi_read_timeout 900;
fastcgi_send_timeout 900;
fastcgi_connect_timeout 900;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
location ~ ^/index\.php(/|$) {
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
fastcgi_read_timeout 900;
fastcgi_send_timeout 900;
fastcgi_connect_timeout 900;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# optionally set the value of the environment variables used in the application
# fastcgi_param APP_ENV prod;
# fastcgi_param APP_SECRET <app-secret-id>;
# fastcgi_param DATABASE_URL "mysql://db_user:db_pass@host:3306/db_name";
# When you are using symlinks to link the document root to the
# current version of your application, you should pass the real
# application path instead of the path to the symlink to PHP
# FPM.
# Otherwise, PHP's OPcache may not properly detect changes to
# your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
# for more information).
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
# Prevents URIs that include the front controller. This will 404:
# http://domain.tld/index.php/some-path
# Remove the internal directive to allow URIs like this
internal;
}
# return 404 for all other php files not matching the front controller
# this prevents access to other php files you don't want to be accessible.
location ~ \.php$ {
return 404;
}
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires 1M;
access_log off;
add_header Cache-Control "public";
}
location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
expires 1M;
access_log off;
add_header Cache-Control "public";
}
location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist|bat|html?|git|ini|sh|svn[^.]*|txt|tpl|xml|conf|yml)|~)$ {
access_log off;
log_not_found off;
deny all;
}
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
}
sudo rm -f /etc/nginx/sites-enabled/default
sudo ln -s /etc/nginx/sites-available/ris.conf /etc/nginx/sites-enabled/ris
Test
Test command:
sudo nginx -t
Expected result:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Permission
sudo chown -R www-data:www-data /var/www/
sudo chmod -R 755 /var/www/
13. CronJobs
sudo vi /etc/cron.d/ris
*/5 * * * * root php /var/www/bin/console messenger:consume --time-limit=280 --memory-limit=512M >> /dev/null 2>&1
*/5 * * * * root php /var/www/bin/console rillsoft:notification --env=prod >> /var/www/var/log/notification.log
*/5 * * * * root php /var/www/bin/console rillsoft:timesheet:notification --env=prod >> /var/www/var/log/timesheet_notification.log
*/10 * * * * root php /var/www/bin/console rillsoft:globallink --env=prod >> /var/www/var/log/globallink.log
0 1 * * * root php /var/www/bin/console rillsoft:clear --env=prod >> /var/www/var/log/clear.log
sudo service cron restart
14. Restart
sudo service php8.3-fpm restart
sudo service nginx restart
sudo service redis restart
15. Diagnostic
Log
sudo less /var/log/nginx/access.log
sudo less /var/log/nginx/error.log
sudo less /var/log/php8.3-fpm.log
sudo less /var/www/var/log/prod.log
Info
cd /var/www/
sudo php bin/console about
sudo php bin/console debug:container --env-vars
sudo php bin/console debug:router
SQL
sudo -u postgres psql
\c ris
\dt
SELECT * FROM rill_guard_client;
16. Update RIS
export DOWNLOAD_USER=
export DOWNLOAD_PASSWORD=
cd ~
sudo wget -q --http-user=$DOWNLOAD_USER --http-passwd=$DOWNLOAD_PASSWORD https://www.rillsoft.de/download/ris/ris9_pgsql_on_premise.zip
sudo unzip -o ris9_pgsql_on_premise.zip -d /var/www >&-
rm -f ris9_pgsql_on_premise.zip
cd /var/www/
sudo php bin/console cache:clear --env=prod --no-debug
sudo php bin/console assets:install --env=prod --no-debug
sudo php bin/console rillsoft:update --env=prod
sudo chown -R www-data:www-data /var/www/
sudo chmod -R 755 /var/www/
sudo service php8.3-fpm restart
sudo service nginx restart
sudo service redis restart