GLPI installation & configuration
System installation
Installing the tools required for proper operation
sudo apt-get install build-essential linux-headers-$(uname -r)
sudo apt-get install net-tools
Installing Webmin
curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh
sudo sh setup-repos.sh
sudo apt-get install --install-recommends webmin
- Remember to open the port in the firewall
sudo ufw allow 10000
Installing Cockpit
Cockpit is available in Debian since version 10 (Buster).
To get the latest version, we recommend enabling the backports repository (as root):
. /etc/os-release
echo "deb http://deb.debian.org/debian ${VERSION_CODENAME}-backports main" > \
/etc/apt/sources.list.d/backports.list
apt update
Install or update the package:
apt install -t ${VERSION_CODENAME}-backports cockpit
Installing the ZeroTier SD-WAN
curl -s https://install.zerotier.com | sudo bash
curl -o Zerotier.sh https://raw.githubusercontent.com/Yakakliker37/Base_info/main/Zerotier.sh
sh Zerotier.sh
Installing the remote-control agent
wget https://www.dwservice.net/download/dwagent.sh
Installing the Netbird SD-WAN
curl -fsSL https://pkgs.netbird.io/install.sh | sh
netbird up
Installing the prerequisites for GLPI
sudo apt-get install apache2 -y
sudo systemctl enable apache2
sudo apt-get install mariadb-server -y
sudo apt-get install php libapache2-mod-php -y
sudo apt-get install php-{ldap,imap,apcu,xmlrpc,curl,common,gd,json,mbstring,mysql,xml,intl,zip,bz2}
Database configuration
sudo mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.
You already have your root account protected, so you can safely answer 'n'.
Switch to unix_socket authentication [Y/n] Y
Enabled successfully!
Reloading privilege tables..
... Success!
You already have your root account protected, so you can safely answer 'n'.
Change the root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
mysql -u root -p
create database glpidb character set utf8 collate utf8_bin;
grant all privileges on glpidb.* to glpi@localhost identified by 'votre_mot_de_passe';
flush privileges;
quit
Installing GLPI
wget https://github.com/glpi-project/glpi/releases/download/10.0.6/glpi-10.0.6.tgz
sudo mkdir /var/www/glpi
sudo tar -xzvf glpi-10.0.6.tgz
sudo cp -R glpi/* /var/www/glpi/
sudo chown -R www-data:www-data /var/www/glpi/
sudo chmod -R 775 /var/www/glpi/
PHP configuration
sudo nano /etc/php/7.4/apache2/php.ini
Check the following settings:
memory_limit = 64M
file_uploads = on
max_execution_time = 600
session.auto_start = 0
session.use_trans_sid = 0
Securing the web server
sudo su
mkdir /etc/ssl/glpi/
cd /etc/ssl/glpi/
openssl genrsa -des3 -out glpiCA.key 2048
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
openssl req -x509 -new -nodes -key glpiCA.key -sha256 -days 3650 -out glpiCA.pem
Enter pass phrase for glpiCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:DS
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SERVICE
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:glpi
Email Address []:admin@glpi.loc
openssl x509 -in glpiCA.pem -inform PEM -out glpiCA.crt
openssl genrsa -out wildcard.glpi.key 2048
openssl req -new -key wildcard.glpi.key -out wildcard.glpi.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:DS
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SERVICE
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:glpi
Email Address []:admin@glpi.loc
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
nano wildcard.glpi.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.glpi.yakakliker.org
openssl x509 -req -in wildcard.glpi.csr -CA glpiCA.pem -CAkey glpiCA.key -CAcreateserial -out wildcard.glpi.crt -days 3650 -sha256 -extfile wildcard.glpi.ext
Certificate request self-signature ok
subject=C = FR, ST = DS, L = City, O = SERVICE, OU = IT, CN = glpi, emailAddress = admin@glpi.loc
Enter pass phrase for domaintestCA.key:
Apache VHOST configuration
sudo nano /etc/apache2/sites-available/glpi.conf
<VirtualHost *:80>
DocumentRoot /var/www/glpi
ServerName glpi
Redirect permanent / https://glpi/
ErrorLog ${APACHE_LOG_DIR}/glpi_error.log
CustomLog ${APACHE_LOG_DIR}/glpi_access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin admin@example.com
DocumentRoot /var/www/glpi
ServerName glpi
SSLEngine On
SSLCertificateFile /etc/ssl/glpi/wildcard.glpi.crt
SSLCertificateKeyFile /etc/ssl/glpi/wildcard.glpi.key
<Directory /var/www/glpi>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/glpi_error.log
CustomLog ${APACHE_LOG_DIR}/glpi_access.log combined
</VirtualHost>
sudo a2enmod ssl
sudo ln -s /etc/apache2/sites-available/glpi.conf /etc/apache2/sites-enabled/glpi.conf
sudo systemctl restart apache2
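Added example, not part of the original guide: the certificate above is issued with a subjectAltName of *.glpi.yakakliker.org, while the virtual host and the final URL use the name glpi. The script below rebuilds the same CA and server certificate in a temporary directory and checks the chain and the hostnames with openssl; the 1-day validity, the -subj values, the function names and the hostname support.glpi.yakakliker.org are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: rebuilds the CA and server certificate in a temp directory
# (1-day validity, -subj instead of prompts) and checks what the result is valid for.

build_demo_cert() {   # $1 = scratch directory; nothing under /etc/ssl/glpi is touched
    d=$1
    openssl genrsa -out "$d/glpiCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$d/glpiCA.key" -sha256 -days 1 \
        -subj "/CN=glpi demo CA" -out "$d/glpiCA.pem" 2>/dev/null
    openssl genrsa -out "$d/wildcard.glpi.key" 2048 2>/dev/null
    openssl req -new -key "$d/wildcard.glpi.key" -subj "/CN=glpi" \
        -out "$d/wildcard.glpi.csr" 2>/dev/null
    # Same extension file as in the guide
    cat > "$d/wildcard.glpi.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.glpi.yakakliker.org
EOF
    openssl x509 -req -in "$d/wildcard.glpi.csr" -CA "$d/glpiCA.pem" \
        -CAkey "$d/glpiCA.key" -CAcreateserial -out "$d/wildcard.glpi.crt" \
        -days 1 -sha256 -extfile "$d/wildcard.glpi.ext" 2>/dev/null
}

# True if the server certificate chains to the CA.
chain_ok() {
    openssl verify -CAfile "$1/glpiCA.pem" "$1/wildcard.glpi.crt" >/dev/null 2>&1
}

# True if hostname $2 is covered by the certificate. When a subjectAltName is
# present, the CN ("glpi") is not used for name matching.
host_matches() {
    openssl x509 -in "$1/wildcard.glpi.crt" -noout -checkhost "$2" | grep -q 'does match'
}

demo=$(mktemp -d)
build_demo_cert "$demo"
chain_ok "$demo" && echo "chain to glpiCA.pem: OK"
for h in glpi support.glpi.yakakliker.org; do   # second name is made up
    if host_matches "$demo" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
rm -rf "$demo"
```

For the certificate to be valid for the https://glpi/ URL served by the virtual host, the name glpi has to be listed as an additional DNS entry under [alt_names].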
iptables firewall configuration
sudo apt-get install iptables-persistent
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -P INPUT DROP
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
Finishing the GLPI installation
Connect to the interface at: https://glpi/ or https://<server IP address>/
Sources
https://remiflandrois.fr/2022/08/31/installation-de-glpi-10/