The installed packages for Apache HTTP Server, PHP and MariaDB already include configuration files. It is recommended to save deviating settings in separate files instead of adapting the existing configuration files. Otherwise, the deviating settings would be rejected or overwritten with every package upgrade. The user-defined settings supplement or override the settings of the standard configuration.
The memory_limit must be increased if necessary, e.g. for very large reports or extensive documents. The value (in seconds) of session.gc_maxlifetime should be greater than or equal to the session timeout in the system settings of i-doit. The date.timezone parameter should be adjusted to the local time zone (see List of supported time zones).
ServerName i-doit

<VirtualHost *:80>
    ServerAdmin i-doit@example.net
    DirectoryIndex index.php
    DocumentRoot /srv/www/htdocs/i-doit

    <Directory /srv/www/htdocs/i-doit>
        ## See https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
        AllowOverride None

        ## Apache Web server configuration file for i-doit
        ##
        ## This file requires:
        ##
        ## - Apache HTTPD >= 2.4 with enabled modules:
        ##   - rewrite
        ##   - expires
        ##   - headers
        ##   - authz_core
        ##
        ## For performance and security reasons we put these settings
        ## directly into the VirtualHost configuration and explicitly set
        ## "AllowOverride None". After each i-doit update check if the .htaccess file, in the i-doit directory,
        ## has changed and add the changes in the VirtualHost configuration.
        ##
        ## See the i-doit Knowledge Base for more details:
        ## <https://kb.i-doit.com/>

        ## Disable directory indexes:
        Options -Indexes +SymLinksIfOwnerMatch

        <IfModule mod_authz_core.c>
            RewriteCond %{REQUEST_METHOD} =GET
            RewriteRule "^$" "/index.php"

            ## Deny access to meta files:
            <Files "*.yml">
                Require all denied
            </Files>

            ## Deny access to hidden files:
            <FilesMatch "^\.">
                Require all denied
            </FilesMatch>

            ## Deny access to bash scripts:
            <FilesMatch "^(controller|.*\.sh)$">
                Require all denied
            </FilesMatch>

            ## Deny access to all PHP files…
            <Files "*.php">
                Require all denied
            </Files>

            ## Deny access to wrongly created config backup files like ...inc.php.0123123 instead of ...inc.012341.php
            <FilesMatch "\.php\.\d+$">
                Require all denied
            </FilesMatch>

            ## …except some PHP files in root directory:
            <FilesMatch "^(index\.php|controller\.php|proxy\.php)$">
                <IfModule mod_auth_kerb.c>
                    Require valid-user
                </IfModule>
                <IfModule !mod_auth_kerb.c>
                    Require all granted
                </IfModule>
            </FilesMatch>

            ## …except some PHP files in src/:
            <Files "jsonrpc.php">
                Require all granted
            </Files>

            ## …except some PHP files in src/tools/php/:
            <FilesMatch "^(rt\.php|barcode_window\.php|barcode\.php)$">
                Require all granted
            </FilesMatch>

            ## …except some PHP files in src/tools/php/qr/:
            <FilesMatch "^(qr\.php|qr_img\.php)$">
                Require all granted
            </FilesMatch>

            ## …except some PHP files in src/tools/js/:
            <FilesMatch "^js\.php$">
                Require all granted
            </FilesMatch>
        </IfModule>

        ## Deny access to some directories:
        <IfModule mod_alias.c>
            RedirectMatch 403 /imports/.*$
            RedirectMatch 403 /log/.*$
            RedirectMatch 403 /temp/.*(?<!\.(css|xsl))$
            RedirectMatch 403 /upload/files/.*$
            RedirectMatch 403 /upload/images/.*$
            RedirectMatch 403 /vendor/.*$
        </IfModule>

        ## Cache static files:
        <IfModule mod_expires.c>
            ExpiresActive On
            # A2592000 = 30 days
            ExpiresByType image/svg+xml A2592000
            ExpiresByType image/gif A2592000
            ExpiresByType image/png A2592000
            ExpiresByType image/jpg A2592000
            ExpiresByType image/jpeg A2592000
            ExpiresByType image/ico A2592000
            ExpiresByType text/css A2592000
            ExpiresByType text/javascript A2592000
            ExpiresByType image/x-icon "access 1 year"
            ExpiresDefault "access 2 week"
            <IfModule mod_headers.c>
                Header append Cache-Control "public"
            </IfModule>
        </IfModule>

        ## Pretty URLs:
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteRule favicon\.ico$ images/favicon.ico [L]
            RewriteCond %{REQUEST_FILENAME} !-l
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteRule .* index.php [L,QSA]
        </IfModule>

        ## Deny access to all ini files…
        <Files "*.ini">
            Require all denied
        </Files>
    </Directory>

    TimeOut 600
    ProxyTimeout 600

    LogLevel warn
    ErrorLog /var/log/apache2/error_log
    CustomLog /var/log/apache2/access_log combined

    <FilesMatch "\\.php$">
        <If "-f %{REQUEST_FILENAME}">
            SetHandler "proxy:unix:/var/run/php-fpm/php8-fpm.sock|fcgi://localhost"
        </If>
    </FilesMatch>
</VirtualHost>
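i-doit provides different Apache settings in files with the name .htaccess. Because the VirtualHost configuration sets AllowOverride None, Apache ignores these files, so they must be checked after each update and any changes carried over into the VirtualHost configuration.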
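One way to automate that check after an update, as an added example that is not part of i-doit or its documentation: the script keeps a baseline copy of every .htaccess file and prints a diff of whatever an update added, removed or changed. The function names and the baseline directory are assumptions; the document root would be /srv/www/htdocs/i-doit as in the VirtualHost above.

```sh
#!/bin/sh
# Added example (not shipped with i-doit): detect changes in i-doit's .htaccess
# files after an update. BASELINE is any directory you choose (an assumption).

# snapshot_htaccess DOCROOT BASELINE
# Store a copy of every .htaccess below DOCROOT, keeping relative paths.
snapshot_htaccess() {
    docroot=$1; baseline=$2
    case $baseline in ''|/) return 2 ;; esac   # never wipe an empty or root path
    [ -d "$docroot" ] || return 2
    rm -rf "$baseline" && mkdir -p "$baseline" || return 2
    (cd "$docroot" && find . -type f -name .htaccess) | while IFS= read -r f; do
        mkdir -p "$baseline/$(dirname "$f")" && cp -p "$docroot/$f" "$baseline/$f"
    done
}

# check_htaccess DOCROOT BASELINE
# Print a unified diff for each added, removed or modified .htaccess.
# Returns 0 = unchanged, 1 = drift (merge into the VirtualHost), 2 = bad input.
check_htaccess() {
    docroot=$1; baseline=$2
    [ -d "$docroot" ] && [ -d "$baseline" ] || return 2
    list=$( { (cd "$docroot" && find . -type f -name .htaccess)
              (cd "$baseline" && find . -type f -name .htaccess); } | sort -u )
    drift=0
    while IFS= read -r f; do          # here-document keeps the loop in this shell
        [ -n "$f" ] || continue
        old=$baseline/$f; new=$docroot/$f
        [ -f "$old" ] || old=/dev/null  # file is new in this release
        [ -f "$new" ] || new=/dev/null  # file was removed in this release
        diff -u "$old" "$new" || drift=1
    done <<EOF
$list
EOF
    return "$drift"
}

# Usage: script snapshot|check DOCROOT BASELINE
case ${1:-} in
    snapshot) snapshot_htaccess "$2" "$3" ;;
    check)    check_htaccess "$2" "$3" ;;
esac
```

Run the snapshot once the current .htaccess settings have been merged into the VirtualHost, run the check after each i-doit update, and take a new snapshot after merging the reported changes.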
With the next step you activate the necessary Apache modules php8, rewrite and mod_access_compat:
To ensure that MariaDB delivers good performance and can be operated securely, a few steps are necessary that should be carried out meticulously. This starts with a secure installation. The recommendations should be followed. The user root should be given a secure password:
sudo mysql_secure_installation
To allow i-doit to use the root user during setup, call the MariaDB shell:
sudo mysql -uroot
The following SQL statements are now executed in the MariaDB shell:
The mode for shutting down InnoDB still needs to be changed. The value 0 results in a complete cleanup and merging of the change buffers before MariaDB is shut down:
[mysqld]

# This is the number 1 setting to look at for any performance optimization
# It is where the data and indexes are cached: having it as large as possible will
# ensure MySQL uses memory and not disks for most read operations.
#
# Typical values are 1G (1-2GB RAM), 5-6G (8GB RAM), 20-25G (32GB RAM), 100-120G (128GB RAM).
innodb_buffer_pool_size=1G

# Use multiple instances if you have innodb_buffer_pool_size > 10G, 1 every 4GB
innodb_buffer_pool_instances=1

# Redo log file size, the higher the better.
# MySQL/MariaDB writes two of these log files in a default installation.
innodb_log_file_size=512M

innodb_sort_buffer_size=64M
sort_buffer_size=262144 # default
join_buffer_size=262144 # default

max_allowed_packet=128M
max_heap_table_size=32M
query_cache_min_res_unit=4096
query_cache_type=1
query_cache_limit=5M
query_cache_size=80M

tmp_table_size=32M
max_connections=200
innodb_file_per_table=1

# Disable this (= 0) if you have only one to two CPU cores, change it to 4 for a quad core.
innodb_thread_concurrency=0

# Disable this (= 0) if you have slow harddisks
innodb_flush_log_at_trx_commit=1
innodb_flush_method=O_DIRECT

innodb_lru_scan_depth=2048
table_definition_cache=1024
table_open_cache=2048
# Only if you have MySQL 5.6 or higher, do not use with MariaDB!
#table_open_cache_instances = 4

innodb_stats_on_metadata=0

sql-mode=""
Finally, MariaDB is restarted:
sudo systemctl restart mysql
and connections via HTTP are permitted via the firewall:
Before i-doit can be accessed, AppArmor must either be configured for PHP-FPM, disabled, or set to the so-called complain mode. This guide uses complain mode; AppArmor should be configured correctly afterwards: