« Installation & paramétrages de GLPI » : différence entre les versions

Installation du système

Installation des tools nécessaires au bon fonctionnement

sudo apt-get install build-essential linux-headers-$(uname -r)

sudo apt-get install net-tools htop curl dos2unix tcpdump git

Installation de Webmin

curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh

sudo sh setup-repos.sh

sudo apt-get install --install-recommends webmin

• Penser au Firewall

sudo ufw allow 10000

Installation de Cockpit

Cockpit is available in Debian since version 10 (Buster).

To get the latest version, we recommend to enable the backports repository (as root):

. /etc/os-release
echo "deb http://deb.debian.org/debian ${VERSION_CODENAME}-backports main" > \
    /etc/apt/sources.list.d/backports.list
apt update

Install or update the package:

apt install -t ${VERSION_CODENAME}-backports cockpit

Installation du SD-WAN Zerotier

curl -s https://install.zerotier.com | sudo bash

curl -o Zerotier.sh https://raw.githubusercontent.com/Yakakliker37/Base_info/main/Zerotier.sh

sh Zerotier.sh

Installation de la prise de main à distance

wget https://www.dwservice.net/download/dwagent.sh

Installation du SD-WAN Netbird

curl -fsSL https://pkgs.netbird.io/install.sh | sh

netbird up

Installation des pré-requis nécessaires à GLPI

sudo apt-get install apache2 -y

sudo systemctl enable apache2

sudo apt-get install mariadb-server -y

sudo apt-get install php libapache2-mod-php -y

sudo apt-get install php-{ldap,imap,apcu,xmlrpc,curl,common,gd,json,mbstring,mysql,xml,intl,zip,bz2}

Configuration de la base de données

sudo mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB

      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current

password for the root user. If you've just installed MariaDB, and

haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):

OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody

can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] Y

Enabled successfully!

Reloading privilege tables..

... Success!

You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n] Y

New password:

Re-enter new password:

Password updated successfully!

Reloading privilege tables..

... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone

to log into MariaDB without having to have a user account created for

them.  This is intended only for testing, and to make the installation

go a bit smoother.  You should remove them before moving into a

production environment.

Remove anonymous users? [Y/n] Y

... Success!

Normally, root should only be allowed to connect from 'localhost'.  This

ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y

... Success!

By default, MariaDB comes with a database named 'test' that anyone can

access.  This is also intended only for testing, and should be removed

before moving into a production environment.

Remove test database and access to it? [Y/n] Y

- Dropping test database...

... Success!

- Removing privileges on test database...

... Success!

Reloading the privilege tables will ensure that all changes made so far

will take effect immediately.

Reload privilege tables now? [Y/n] Y

... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB

installation should now be secure.

Thanks for using MariaDB!

mysql -u root -p

create database glpidb character set utf8 collate utf8_bin;

grant all privileges on glpidb.* to glpi@localhost identified by 'votre_mot_de_passe';

flush privileges;

quit

Installation de GLPI

wget https://github.com/glpi-project/glpi/releases/download/10.0.6/glpi-10.0.6.tgz

sudo mkdir /var/www/glpi

sudo tar -xzvf glpi-10.0.6.tgz

sudo cp -R glpi/* /var/www/glpi/

sudo chown -R www-data:www-data /var/www/glpi/

sudo chmod -R 775 /var/www/glpi/

Configuration de PHP

sudo nano /etc/php/7.4/apache2/php.ini

Vérification des variables :

memory_limit = 64M

file_uploads = on

max_execution_time = 600

session.auto_start = 0

session.use_trans_sid = 0

Sécurisation du serveur web

sudo su

mkdir /etc/ssl/glpi/

cd /etc/ssl/glpi/

openssl genrsa -des3 -out glpiCA.key 2048

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

openssl req -x509 -new -nodes -key glpiCA.key -sha256 -days 3650 -out glpiCA.pem

Enter pass phrase for glpiCA.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:FR

State or Province Name (full name) [Some-State]:DS

Locality Name (eg, city) []:City

Organization Name (eg, company) [Internet Widgits Pty Ltd]:SERVICE

Organizational Unit Name (eg, section) []:IT

Common Name (e.g. server FQDN or YOUR name) []:glpi

Email Address []:admin@glpi.loc

openssl x509 -in glpiCA.pem -inform PEM -out glpiCA.crt

openssl genrsa -out wildcard.glpi.key 2048

openssl req -new -key wildcard.glpi.key -out wildcard.glpi.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:FR

State or Province Name (full name) [Some-State]:DS

Locality Name (eg, city) []:City

Organization Name (eg, company) [Internet Widgits Pty Ltd]:SERVICE

Organizational Unit Name (eg, section) []:IT

Common Name (e.g. server FQDN or YOUR name) []:glpi

Email Address []:admin@glpi.loc

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

nano wildcard.glpi.ext

authorityKeyIdentifier=keyid,issuer

basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

subjectAltName = @alt_names

[alt_names]

DNS.1 = *.glpi.yakakliker.org

openssl x509 -req -in wildcard.glpi.csr -CA glpiCA.pem -CAkey glpiCA.key -CAcreateserial -out wildcard.glpi.crt -days 3650 -sha256 -extfile wildcard.glpi.ext

Certificate request self-signature ok

subject=C = FR, ST = DS, L = City, O = SERVICE, OU = IT, CN = glpi, emailAddress = admin@glpi.loc

Enter pass phrase for domaintestCA.key:

Configuration du VHOST Apache

sudo nano /etc/apache2/sites-available/glpi.conf

<VirtualHost *:80>

DocumentRoot /var/www/glpi

ServerName glpi

Redirect permanent / https://glpi/

ErrorLog ${APACHE_LOG_DIR}/glpi_error.log

CustomLog ${APACHE_LOG_DIR}/glpi_access.log combined

</VirtualHost>

<VirtualHost *:443>

ServerAdmin admin@example.com

DocumentRoot /var/www/glpi

ServerName glpi

SSLEngine On

SSLCertificateFile /etc/ssl/glpi/wildcard.glpi.crt

SSLCertificateKeyFile /etc/ssl/glpi/wildcard.glpi.key

<Directory /var/www/glpi>

Options FollowSymlinks

AllowOverride All

Require all granted

</Directory>

ErrorLog ${APACHE_LOG_DIR}/glpi_error.log

CustomLog ${APACHE_LOG_DIR}/glpi_access.log combined

</VirtualHost>

sudo a2enmod ssl

sudo ln -s /etc/apache2/sites-available/glpi.conf /etc/apache2/sites-enabled/glpi.conf

sudo systemctl restart apache2

Configuration du Firewall IPTABLE

sudo apt-get install iptables-persistent

sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

sudo iptables -A INPUT -i lo -j ACCEPT

sudo iptables -P INPUT DROP

sudo iptables-save

Finalisation de l'installation de GLPI

Connexion à l'interface via l'adresse : https://glpi/ ou https://adresse IP du serveur/

Sources

https://remiflandrois.fr/2022/08/31/installation-de-glpi-10/

https://www.zerotier.com/download/

https://webmin.com/download/

https://glpi-project.org/fr/

https://netbird.io/

‎ ‎

‎ ‎