This documentation can be used as a reference to create both your Production Application Server and Staging Application Server on a single Red Hat Enterprise Linux or CentOS 7 virtual machine. This is achieved by using SNI (Server Name Indication) within Apache 2, so that both hostnames can be served over HTTPS from the same IP address.

The hostnames referenced throughout this document are `elentra.med.university.edu` and `staging.med.university.edu`. Replace them with your actual DNS hostnames.
SSH into the server and `sudo` to root:

```bash
ssh service@elentra.med.university.edu
sudo -s
```
Change the `SELINUX` variable in `/etc/selinux/config` to permissive to prevent unforeseen and difficult-to-diagnose issues:

```
SELINUX=permissive
```
Add the following lines to the `/etc/hosts` file:

```
127.0.0.1 elentra.med.university.edu
127.0.0.1 staging.med.university.edu
```
Edit the hostname of the virtual machine in the `/etc/hostname` file:

```
elentra.med.university.edu
```
Install `screen`, update RHEL, and reboot:

```bash
yum install screen
screen
yum update
reboot
```
SSH back into the server, and install the Inline with Upstream Stable (IUS Community) and EPEL repository packages:

```bash
ssh service@elentra.med.university.edu
sudo -s
screen

yum -y install https://repo.ius.io/ius-release-el7.rpm \
    https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
```
Install Apache, OpenSSL, PHP, Git, HTMLDoc, mariadb (client), ClamAV, NTP and Supervisor packages:

```bash
yum -y install git \
    htmldoc \
    curl \
    wget \
    unzip \
    openssl \
    httpd \
    mod_ssl \
    mod_php73 \
    php73-cli \
    php73-gd \
    php73-devel \
    php73-mysqlnd \
    php73-intl \
    php73-mbstring \
    php73-bcmath \
    php73-ldap \
    php73-imap \
    php73-soap \
    php73-xmlrpc \
    php73-tidy \
    php73-opcache \
    php73-json \
    php73-sodium \
    php73-pecl-redis \
    mariadb103 \
    clamav \
    ntp \
    supervisor
```
Install `wkhtmltopdf` from the binary package, because the yum package provided by EPEL is broken:

```bash
curl -SL https://github.com/wkhtmltopdf/wkhtmltopdf/releases/download/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz | tar -xJC /root && cp /root/wkhtmltox/bin/* /usr/bin
```
Start Apache and Supervisor, and set them to start on system startup:

```bash
systemctl enable httpd
systemctl start httpd
systemctl enable supervisord
systemctl start supervisord
```
Create a new file called `/etc/php.d/elentra.ini` and add the following:

```ini
date.timezone = America/Toronto
display_errors = Off
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
expose_php = Off
memory_limit = 512M
post_max_size = 512M
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = Strict
upload_max_filesize = 512M
```
Create an Elentra system user called `production`, which is used for production deployments:

```bash
useradd -m production
passwd production
```
Create and permission the SSH `authorized_keys` file for the `production` user:

```bash
cd /home/production
mkdir /home/production/.ssh
touch /home/production/.ssh/authorized_keys
chown -R production:production /home/production/.ssh
chmod 700 /home/production/.ssh
chmod 600 /home/production/.ssh/authorized_keys
```
Add the SSH public keys (e.g. the output of `cat ~/.ssh/id_rsa.pub`) of all developers who are allowed to deploy Elentra to your production environment to the new `authorized_keys` file:

```bash
vim /home/production/.ssh/authorized_keys
```
Create an Elentra system user called `staging`, which is used for staging deployments:

```bash
useradd -m staging
passwd staging
```
Create and permission the SSH `authorized_keys` file for the `staging` user:

```bash
cd /home/staging
mkdir /home/staging/.ssh
touch /home/staging/.ssh/authorized_keys
chown -R staging:staging /home/staging/.ssh
chmod 700 /home/staging/.ssh
chmod 600 /home/staging/.ssh/authorized_keys
```
Add the SSH public keys (e.g. the output of `cat ~/.ssh/id_rsa.pub`) of all developers who are allowed to deploy Elentra to your staging environment to the new `authorized_keys` file:

```bash
vim /home/staging/.ssh/authorized_keys
```
Create and appropriately permission the Apache document root and Elentra storage directories for production:

```bash
mkdir -p /var/www/vhosts/elentra.med.university.edu/storage/
mkdir /var/www/vhosts/elentra.med.university.edu/storage/annualreports
mkdir /var/www/vhosts/elentra.med.university.edu/storage/app
mkdir /var/www/vhosts/elentra.med.university.edu/storage/app/public
mkdir /var/www/vhosts/elentra.med.university.edu/storage/cache
mkdir /var/www/vhosts/elentra.med.university.edu/storage/cbme-uploads
mkdir /var/www/vhosts/elentra.med.university.edu/storage/cbme-uploads/advisor-files
mkdir /var/www/vhosts/elentra.med.university.edu/storage/community-discussions
mkdir /var/www/vhosts/elentra.med.university.edu/storage/community-galleries
mkdir /var/www/vhosts/elentra.med.university.edu/storage/community-shares
mkdir /var/www/vhosts/elentra.med.university.edu/storage/eportfolio
mkdir /var/www/vhosts/elentra.med.university.edu/storage/event-files
mkdir /var/www/vhosts/elentra.med.university.edu/storage/exam-files
mkdir /var/www/vhosts/elentra.med.university.edu/storage/framework
mkdir /var/www/vhosts/elentra.med.university.edu/storage/framework/cache
mkdir /var/www/vhosts/elentra.med.university.edu/storage/framework/cache/data
mkdir /var/www/vhosts/elentra.med.university.edu/storage/framework/sessions
mkdir /var/www/vhosts/elentra.med.university.edu/storage/framework/views
mkdir /var/www/vhosts/elentra.med.university.edu/storage/logs
mkdir /var/www/vhosts/elentra.med.university.edu/storage/lor
mkdir /var/www/vhosts/elentra.med.university.edu/storage/msprs
mkdir /var/www/vhosts/elentra.med.university.edu/storage/resource-images
mkdir /var/www/vhosts/elentra.med.university.edu/storage/secure-access
mkdir /var/www/vhosts/elentra.med.university.edu/storage/syllabi
mkdir /var/www/vhosts/elentra.med.university.edu/storage/user-photos
chown -R production:production /var/www/vhosts/elentra.med.university.edu
chmod -R 777 /var/www/vhosts/elentra.med.university.edu/storage/*
```
Create and appropriately permission the Apache document root and Elentra storage directories for staging:

```bash
mkdir -p /var/www/vhosts/staging.med.university.edu/storage/
mkdir /var/www/vhosts/staging.med.university.edu/storage/annualreports
mkdir /var/www/vhosts/staging.med.university.edu/storage/app
mkdir /var/www/vhosts/staging.med.university.edu/storage/app/public
mkdir /var/www/vhosts/staging.med.university.edu/storage/cache
mkdir /var/www/vhosts/staging.med.university.edu/storage/cbme-uploads
mkdir /var/www/vhosts/staging.med.university.edu/storage/cbme-uploads/advisor-files
mkdir /var/www/vhosts/staging.med.university.edu/storage/community-discussions
mkdir /var/www/vhosts/staging.med.university.edu/storage/community-galleries
mkdir /var/www/vhosts/staging.med.university.edu/storage/community-shares
mkdir /var/www/vhosts/staging.med.university.edu/storage/eportfolio
mkdir /var/www/vhosts/staging.med.university.edu/storage/event-files
mkdir /var/www/vhosts/staging.med.university.edu/storage/exam-files
mkdir /var/www/vhosts/staging.med.university.edu/storage/framework
mkdir /var/www/vhosts/staging.med.university.edu/storage/framework/cache
mkdir /var/www/vhosts/staging.med.university.edu/storage/framework/cache/data
mkdir /var/www/vhosts/staging.med.university.edu/storage/framework/sessions
mkdir /var/www/vhosts/staging.med.university.edu/storage/framework/views
mkdir /var/www/vhosts/staging.med.university.edu/storage/logs
mkdir /var/www/vhosts/staging.med.university.edu/storage/lor
mkdir /var/www/vhosts/staging.med.university.edu/storage/msprs
mkdir /var/www/vhosts/staging.med.university.edu/storage/resource-images
mkdir /var/www/vhosts/staging.med.university.edu/storage/secure-access
mkdir /var/www/vhosts/staging.med.university.edu/storage/syllabi
mkdir /var/www/vhosts/staging.med.university.edu/storage/user-photos
chown -R staging:staging /var/www/vhosts/staging.med.university.edu
chmod -R 777 /var/www/vhosts/staging.med.university.edu/storage/*
```
Generate the SSL private keys required for each of your hostnames:

```bash
mkdir -p /root/certificates/2020
cd /root/certificates/2020
openssl genrsa -out elentra.med.university.edu.key 2048
openssl genrsa -out staging.med.university.edu.key 2048
```
Generate the SSL certificate signing requests (CSRs) for your certificate authority for each of your hostnames:

```bash
openssl req -new -key elentra.med.university.edu.key -out elentra.med.university.edu.csr
openssl req -new -key staging.med.university.edu.key -out staging.med.university.edu.csr
```
You will be asked a number of questions. Answer them accordingly, but do not enter anything for "Email Address", "A challenge password", or "An optional company name":

```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Kingston
Organization Name (eg, company) [Default Company Ltd]:Queen's University
Organizational Unit Name (eg, section) []:Health Sciences Education Technology Unit
Common Name (eg, your name or your server's hostname) []:elentra.med.university.edu
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
If you have a valid certificate from your Certificate Authority, create a `.crt` file for each hostname and paste in the certificate text:

```bash
vim /root/certificates/2020/elentra.med.university.edu.crt
vim /root/certificates/2020/staging.med.university.edu.crt
```

You will also likely have a certificate authority root chain certificate. Paste this into a file called `ca-certificate.crt` in the same directory.
If you are only creating self-signed certificates, do this for each hostname instead:

```bash
openssl x509 -req -days 365 -in elentra.med.university.edu.csr -signkey elentra.med.university.edu.key -out elentra.med.university.edu.crt
openssl x509 -req -days 365 -in staging.med.university.edu.csr -signkey staging.med.university.edu.key -out staging.med.university.edu.crt
```
Install the certificates in the Apache virtual host directories:

```bash
mkdir /var/www/vhosts/elentra.med.university.edu/cert/
cp /root/certificates/2020/elentra.med.university.edu.crt /var/www/vhosts/elentra.med.university.edu/cert/
cp /root/certificates/2020/elentra.med.university.edu.key /var/www/vhosts/elentra.med.university.edu/cert/
mkdir /var/www/vhosts/staging.med.university.edu/cert/
cp /root/certificates/2020/staging.med.university.edu.crt /var/www/vhosts/staging.med.university.edu/cert/
cp /root/certificates/2020/staging.med.university.edu.key /var/www/vhosts/staging.med.university.edu/cert/
```
Create the Apache VirtualHosts by creating a file named `000-elentra.conf` and placing it in `/etc/httpd/conf.d/`. This file should contain the following:

```apache
# This will limit what information Apache reveals about itself.
ServerTokens Prod
ServerSignature Off
TraceEnable Off

SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

# Apache performance tuning options for more connections.
#<IfModule mpm_prefork_module>
#    MaxRequestWorkers 512
#    ServerLimit 512
#</IfModule>

# Production
<VirtualHost *:80>
    ServerName elentra.med.university.edu
    ServerAdmin sysadmin@med.university.edu

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:443>
    ServerName elentra.med.university.edu:443
    ServerAdmin sysadmin@med.university.edu

    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder on
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    SSLCertificateFile /var/www/vhosts/elentra.med.university.edu/cert/elentra.med.university.edu.crt
    SSLCertificateKeyFile /var/www/vhosts/elentra.med.university.edu/cert/elentra.med.university.edu.key
    #SSLCACertificateFile /var/www/vhosts/elentra.med.university.edu/cert/ca-certificate.crt

    SSLUseStapling on

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    Header always set X-Frame-Options DENY

    DocumentRoot /var/www/vhosts/elentra.med.university.edu/current/www-root
    <Directory "/var/www/vhosts/elentra.med.university.edu/current/www-root">
        Options FollowSymLinks
        Require all granted
        AllowOverride all
    </Directory>
</VirtualHost>

# Staging
<VirtualHost *:80>
    ServerName staging.med.university.edu
    ServerAdmin sysadmin@med.university.edu

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:443>
    ServerName staging.med.university.edu:443
    ServerAdmin sysadmin@med.university.edu

    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder on
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    SSLCertificateFile /var/www/vhosts/staging.med.university.edu/cert/staging.med.university.edu.crt
    SSLCertificateKeyFile /var/www/vhosts/staging.med.university.edu/cert/staging.med.university.edu.key
    #SSLCACertificateFile /var/www/vhosts/staging.med.university.edu/cert/ca-certificate.crt

    SSLUseStapling on

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    Header always set X-Frame-Options DENY

    DocumentRoot /var/www/vhosts/staging.med.university.edu/current/www-root
    <Directory "/var/www/vhosts/staging.med.university.edu/current/www-root">
        Options FollowSymLinks
        Require all granted
        AllowOverride all
    </Directory>
</VirtualHost>
```
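Because both hostnames share one IP address, a copy-and-paste slip in one `*:443` block (the wrong certificate file, a loosened `SSLProtocol`, a dropped header) only shows up for the hostname that SNI routes to that block. The following audit is an added example, not part of the Elentra documentation or the project's own code: it parses the `*:443` VirtualHost blocks of a config in the shape above and reports each vhost that deviates from the hardening shown (TLSv1.2 only, its own `.crt` and `.key` under its own `cert/` directory, HSTS and X-Frame-Options headers). The embedded config is constructed, with the staging vhost deliberately misconfigured, and the function names are this example's own.

```python
import re
# Constructed excerpt in the shape of 000-elentra.conf; the second vhost is deliberately wrong.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName elentra.med.university.edu:443
    SSLProtocol -all +TLSv1.2
    SSLCertificateFile /var/www/vhosts/elentra.med.university.edu/cert/elentra.med.university.edu.crt
    SSLCertificateKeyFile /var/www/vhosts/elentra.med.university.edu/cert/elentra.med.university.edu.key
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    Header always set X-Frame-Options DENY
</VirtualHost>
<VirtualHost *:443>
    ServerName staging.med.university.edu:443
    SSLProtocol all -SSLv3
    SSLCertificateFile /var/www/vhosts/elentra.med.university.edu/cert/elentra.med.university.edu.crt
    SSLCertificateKeyFile /var/www/vhosts/staging.med.university.edu/cert/staging.med.university.edu.key
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost \*:443>(.*?)</VirtualHost>", re.S)

def parse_vhosts(conf):
    """Return one {directive: [argument strings]} dict per *:443 VirtualHost."""
    vhosts = []
    for body in VHOST_RE.findall(conf):
        directives = {}
        for line in map(str.strip, body.splitlines()):
            if line and not line.startswith("#"):
                key, _, rest = line.partition(" ")
                directives.setdefault(key, []).append(rest.strip())
        vhosts.append(directives)
    return vhosts

def audit_vhost(v):
    """List the hardening gaps in one TLS vhost; an empty list means it passes."""
    name = v.get("ServerName", ["?"])[0].split(":")[0]
    findings = []
    # The page disables every protocol and re-enables TLSv1.2 only.
    if not v.get("SSLProtocol", [""])[0].startswith("-all"):
        findings.append(f"{name}: SSLProtocol does not start from -all")
    # With SNI, each vhost must present the certificate and key issued for its own hostname.
    for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        path = v.get(key, [""])[0]
        if f"/{name}/cert/{name}." not in path:
            findings.append(f"{name}: {key} is not this hostname's file: {path}")
    headers = " ".join(v.get("Header", []))
    for hdr in ("Strict-Transport-Security", "X-Frame-Options"):
        if hdr not in headers:
            findings.append(f"{name}: missing {hdr} header")
    return findings
```

Run it against the real file with `parse_vhosts(open("/etc/httpd/conf.d/000-elentra.conf").read())` and loop `audit_vhost` over the result; on the constructed sample the production vhost passes and the staging vhost yields four findings.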
Create a new file in the `/etc/supervisor.d` directory called `elentra.ini`, and use the following template snippet as a reference to create your own file. Make sure that the paths in `command` and `stdout_logfile` match the virtual host directories created above, and that `user` is the system account your existing cron jobs run as.

```ini
[program:staging]
process_name=%(program_name)s_%(process_num)02d
command=php /var/www/vhosts/staging.med.university.edu/current/www-root/core/library/vendor/elentrapackages/elentra-1x-api/artisan queue:work --queue=high,emails,default,low --env=staging
autostart=true
autorestart=true
user=staging
numprocs=1
redirect_stderr=true
stdout_logfile=/var/www/vhosts/staging.med.university.edu/storage/logs/worker.log

[program:production]
process_name=%(program_name)s_%(process_num)02d
command=php /var/www/vhosts/elentra.med.university.edu/current/www-root/core/library/vendor/elentrapackages/elentra-1x-api/artisan queue:work --queue=high,emails,default,low --env=production
autostart=true
autorestart=true
user=production
numprocs=1
redirect_stderr=true
stdout_logfile=/var/www/vhosts/elentra.med.university.edu/storage/logs/worker.log

[group:elentra]
programs=staging,production
```
Test your new Apache configuration, then restart Apache and Supervisor:

```bash
apachectl configtest
systemctl restart httpd
systemctl restart supervisord
```