Differences between revisions of "LimeSurvey/Technical documentation"
(→Filesystem: hardening) |
m (Fixes phabricator:T329430) |
||
(8 intermediate revisions by the same user are not shown) | |||
Riga 1: | Riga 1: | ||
− | {{Server| | + | {{Server|intreccio}} |
Brief documentation for system administrators of the [[LimeSurvey]] instance in [https://www.wikimedia.it/ Wikimedia Italia]. | Brief documentation for system administrators of the [[LimeSurvey]] instance in [https://www.wikimedia.it/ Wikimedia Italia]. | ||
Riga 16: | Riga 16: | ||
== Overview == | == Overview == | ||
− | + | The LimeSurvey application is just a PHP/MySQL application served by Apache <code>mod_php</code>. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | </ | ||
− | |||
− | |||
− | |||
− | |||
== Filesystem == | == Filesystem == | ||
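Review bot: The new Overview line says the application is served by Apache `mod_php`, but the Configuration section of this same revision still documents a PHP-FPM pool (`/etc/opt/rh/rh-php73/php-fpm.d/9002-limesurvey.conf`). State which runtime is in use on intreccio and update or drop the other, because the ownership rules in the Filesystem section depend on which user PHP runs as.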
Riga 45: | Riga 27: | ||
<pre> | <pre> | ||
− | + | LIME=/var/www/limesurvey/production/ | |
+ | chown www-data: -R "$LIME" | ||
</pre> | </pre> | ||
Riga 51: | Riga 34: | ||
<pre> | <pre> | ||
− | # to upload new logo from the backend interface | + | LIME=/var/www/limesurvey/production/ |
− | chown www-data: | + | |
+ | # make the whole application read-only for everyone | ||
+ | chown root: -R "$LIME" | ||
+ | |||
+ | # allow to upload new logo from the backend interface | ||
+ | chown www-data: "$LIME"/upload/themes/survey/generalfiles | ||
# generic temporary directory for PHP | # generic temporary directory for PHP | ||
− | chown -R www-data: | + | chown -R www-data: "$LIME"/tmp |
− | chmod -R o= | + | chmod -R o= "$LIME"/tmp |
# user uploads | # user uploads | ||
− | chown -R www-data: | + | chown -R www-data: "$LIME"/upload |
# user configuration (required by installation wizard) | # user configuration (required by installation wizard) | ||
− | chown -R www-data: | + | chown -R www-data: "$LIME"/application/config |
</pre> | </pre> | ||
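Review bot: In the hardening block, the comment "make the whole application read-only for everyone" is backed only by `chown root: -R "$LIME"`, which changes ownership and leaves the existing mode bits untouched, so any group- or world-writable file stays writable; consider adding `chmod -R go-w "$LIME"` right after it. The non-recursive `chown www-data:` on `upload/themes/survey/generalfiles` is also made redundant by the later `chown -R www-data: "$LIME"/upload`, and `application/config` stays writable by the web user even after the installation wizard has run.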
Riga 122: | Riga 110: | ||
LimeSurvey configuration: | LimeSurvey configuration: | ||
− | nano [[phabricator:diffusion/WIIN/browse/ | + | nano [[phabricator:diffusion/WIIN/browse/main/servers/fabula/projects/limesurvey/public-config.php|/var/www/limesurvey/production/application/config/config.php]] |
Apache configuration: | Apache configuration: | ||
− | nano [[phabricator:diffusion/WIIN/browse/ | + | nano [[phabricator:diffusion/WIIN/browse/main/servers/fabula/projects/limesurvey/apache2/it-wikimedia-survey-ssl.conf|/etc/httpd/sites-enabled/it-wikimedia-survey-ssl.conf]] |
− | nano [[phabricator:diffusion/WIIN/browse/ | + | nano [[phabricator:diffusion/WIIN/browse/main/servers/fabula/projects/limesurvey/apache2/it-wikimedia-survey-txt.conf|/etc/httpd/sites-enabled/it-wikimedia-survey-txt.conf]] |
PHP-FPM configuration: | PHP-FPM configuration: | ||
− | nano [[phabricator:diffusion/WIIN/browse/ | + | nano [[phabricator:diffusion/WIIN/browse/main/servers/fabula/projects/limesurvey/php-fpm/9002-limesurvey.conf|/etc/opt/rh/rh-php73/php-fpm.d/9002-limesurvey.conf]] |
To publish whatever change in Wikimedia Phabricator please run this: | To publish whatever change in Wikimedia Phabricator please run this: | ||
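Review bot: The Apache entries in this hunk still point at `/etc/httpd/sites-enabled/...` and the PHP-FPM entry at `/etc/opt/rh/rh-php73/...`, while the Log section of this revision moves to `/var/log/apache2/` and the new Logo section uses `/etc/apache2/sites-enabled/it-wikimedia-survey-ssl.conf`. Align the on-disk paths with the current host so an administrator does not edit a file that is no longer loaded; the link targets also still browse `servers/fabula` although the Server template now names intreccio.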
Riga 140: | Riga 128: | ||
== Log == | == Log == | ||
− | |||
− | |||
− | |||
− | |||
Generic Apache error log: | Generic Apache error log: | ||
− | tail -f /var/log/ | + | tail -f /var/log/apache2/error.log |
Generic Apache access log: | Generic Apache access log: | ||
− | tail -f /var/log/ | + | tail -f /var/log/apache2/access_log |
== Service == | == Service == | ||
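Review bot: The two new log paths use different naming, `/var/log/apache2/error.log` and `/var/log/apache2/access_log`. Check the access log name against the `CustomLog` directive of the vhost and correct it here if the file is actually `access.log`.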
Riga 255: | Riga 239: | ||
</pre> | </pre> | ||
− | == | + | == E-mail == |
− | + | This application uses an SMTP account <code>@wikimedia.it</code> with username <code>noreply</code>. | |
− | + | See [[#Configuration]]. | |
− | |||
− | + | See [[Associazione:Mail/Caselle tecniche|technical addresses]]. | |
− | == | + | == Automatic update == |
+ | |||
+ | Just visit this page: | ||
+ | |||
+ | https://survey.wikimedia.it/index.php/admin/update | ||
− | + | If the key is not valid anymore, copy and paste this page to request another one and have more than 120 updates: | |
− | + | * [[Microgrant/2021/Supporto WMI-LimeSurvey]] | |
− | + | After the update see [[#Logo]]. | |
− | == | + | == Manual update == |
− | + | # backup files | |
+ | # backup database | ||
+ | # see [[#Filesystem]] to remove hardening | ||
+ | # now: | ||
+ | ## Option 1 without command line | ||
+ | ### You can use the ComfortUpdate from the web interface (but you need to pay the license - that is good to support LimeSurvey) | ||
+ | ## Option 2 with command line | ||
+ | ### see [[#Deploy]] | ||
+ | ### update the database: | ||
+ | ###: <code>su www-data -s /bin/bash --command='php /var/www/limesurvey/production/application/commands/console.php updatedb'</code> | ||
+ | # see [[#Filesystem]] to restore hardening | ||
− | + | Notes: | |
− | + | * to see the new version online you can just replace the symbolic link at <code>/var/www/limesurvey/production</code>. | |
+ | * remember to copy the <code>/application/config</code> inside your new version (both config.php and secret.php) | ||
Then follow the official guide. | Then follow the official guide. | ||
https://manual.limesurvey.org/upgrading_from_a_previous_version | https://manual.limesurvey.org/upgrading_from_a_previous_version | ||
+ | |||
+ | After the update see [[#Logo]]. | ||
== Security == | == Security == | ||
− | + | * [[Infrastruttura#Sicurezza]] | |
− | + | * [[phabricator:T275574]] | |
− | * | ||
== Deploy == | == Deploy == | ||
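Review bot: The new "Automatic update" section says only "Just visit this page", while "Manual update" lists the steps "see [[#Filesystem]] to remove hardening" and "to restore hardening". Add the same two steps to the automatic procedure, or say why they are not needed there, so the tree is not left owned by `www-data` after a web-driven update.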
Riga 328: | Riga 327: | ||
Now see [[#Filesystem]] and [[#Database]]. | Now see [[#Filesystem]] and [[#Database]]. | ||
+ | |||
+ | Also see [[#Logo]]. | ||
+ | |||
+ | == Logo == | ||
+ | |||
+ | You may need to change a couple of lines in this configuration file to change the logo: | ||
+ | |||
+ | <pre> | ||
+ | /etc/apache2/sites-enabled/it-wikimedia-survey-ssl.conf | ||
+ | </pre> | ||
+ | |||
+ | Here the lines: | ||
+ | |||
+ | <pre> | ||
+ | # | ||
+ | # Update the logo | ||
+ | # | ||
+ | # https://commons.wikimedia.org/wiki/File:WikiSurvey_Logo_(lettering).svg | ||
+ | # | ||
+ | # https://phabricator.wikimedia.org/T275919 | ||
+ | # | ||
+ | # cd /var/www/limesurvey/wmi-images/ | ||
+ | # wget "https://upload.wikimedia.org/wikipedia/commons/thumb/0/03/WikiSurvey_Logo_(lettering).svg/350px-WikiSurvey_Logo_(lettering).svg.png" | ||
+ | # | ||
+ | # ↓ CHANGE THIS | ||
+ | Alias /tmp/assets/369bd233/survey_list_header.png /var/www/limesurvey/wmi-images/350px-WikiSurvey_Logo_(lettering).svg.png | ||
+ | Alias /tmp/assets/11637359/logo.png /var/www/limesurvey/wmi-images/350px-WikiSurvey_Logo_(lettering).svg.png | ||
+ | </pre> | ||
+ | |||
+ | After you have done, just reload apache: | ||
+ | |||
+ | <pre> | ||
+ | apachectl graceful | ||
+ | </pre> | ||
== Phabricator == | == Phabricator == | ||
* [[phabricator:search/query/EefnawXAoEzx/#R|phabricator:search]] - search recent activity | * [[phabricator:search/query/EefnawXAoEzx/#R|phabricator:search]] - search recent activity | ||
− | * [[phabricator:diffusion/WIIN/browse/ | + | * [[phabricator:diffusion/WIIN/browse/main/servers/fabula/projects/limesurvey/]] - public configuration |
[[Categoria:LimeSurvey]] | [[Categoria:LimeSurvey]] | ||
+ | [[Categoria:Documentazione tecnica|LimeSurvey]] |
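Review bot: The Logo procedure edits the vhost and then runs `apachectl graceful` directly; add `apachectl configtest` before it so a typo in the `Alias` lines is caught before the reload. The `Alias` sources `/tmp/assets/369bd233/...` and `/tmp/assets/11637359/...` are marked "CHANGE THIS" without saying where the new values come from, so document how to find the current asset directory names after an update.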
Current revision as of 20:47, 13 Feb 2023
Brief documentation for system administrators of the LimeSurvey instance in Wikimedia Italia.
Server access
ssh fabula.wikimedia.it
ssh intreccio.wikimedia.it
To request access:
Overview
The LimeSurvey application is just a PHP/MySQL application served by Apache mod_php.
Filesystem
The whole application is read-only (writable only by root), apart from some temporary locations and the upload directory.
The whole application is world-readable, apart from the file config-secret.php and the directory for PHP sessions.
Before any update:
LIME=/var/www/limesurvey/production/
chown www-data: -R "$LIME"
After any update, harden the application:
LIME=/var/www/limesurvey/production/

# make the whole application read-only for everyone
chown root: -R "$LIME"

# allow to upload new logo from the backend interface
chown www-data: "$LIME"/upload/themes/survey/generalfiles

# generic temporary directory for PHP
chown -R www-data: "$LIME"/tmp
chmod -R o= "$LIME"/tmp

# user uploads
chown -R www-data: "$LIME"/upload

# user configuration (required by installation wizard)
chown -R www-data: "$LIME"/application/config
Here is an overview of the application directory.
# ls -l /var/www/limesurvey/production
total 84
drwxr-xr-x   2 root              root              4096 16 feb 10.50 admin
drwxr-xr-x  15 root              root              4096 21 feb 19.45 application
drwxr-xr-x   7 root              root              4096 16 feb 10.50 assets
-rw-r--r--   1 root              root              1131 16 feb 10.50 composer.json
-rw-r--r--   1 root              root              3273 16 feb 10.50 CONTRIBUTING.md
drwxr-xr-x   4 root              root              4096 16 feb 10.50 docs
drwxr-xr-x  19 root              root              4096 16 feb 10.50 framework
-rw-r--r--   1 root              root              6621 16 feb 10.50 index.php
drwxr-xr-x   5 root              root              4096 16 feb 10.50 installer
drwxr-xr-x 110 root              root              4096 16 feb 10.50 locale
-rw-r--r--   1 root              root                80 16 feb 10.50 manifest.yml
-rw-r--r--   1 root              root              1140 16 feb 10.50 phpci.yml
-rw-r--r--   1 root              root               984 16 feb 10.50 phpunit.xml
drwxr-xr-x   4 root              root              4096 16 feb 10.50 plugins
-rw-r--r--   1 root              root              2595 16 feb 10.50 README.md
drwxr-xr-x  13 root              root              4096 16 feb 10.50 tests
drwxr-xr-x   5 root              root              4096 16 feb 10.50 themes
drwxr-xr-x  37 root              root              4096 16 feb 10.50 third_party
drwxrwxr-x   5 apache-limesurvey apache-limesurvey 4096 17 feb 10.24 tmp
drwxrwxr-x   7 apache-limesurvey apache-limesurvey 4096 16 feb 10.50 upload
This is the configuration directory:
# ls -l /var/www/limesurvey/production/application/config
total 156
...
lrwxrwxrwx 1 root root 77 21 feb 19.44 config.php -> /etc/wmit-infrastructure/servers/fabula/projects/limesurvey/public-config.php
...
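One way to check the result of the hardening steps above, as an added example that is not part of the wiki page. The function names are hypothetical; the three pruned paths are the locations the page's script hands to www-data, and `-H` is used because `production` is a symbolic link.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the hardening state.

# audit_writable ROOT WEBUSER
# Print every path under ROOT that WEBUSER owns or that is world-writable,
# skipping the locations the hardening script deliberately leaves writable.
audit_writable() (
    root=${1%/}      # the page's $LIME ends with a slash; strip it for -path
    webuser=$2       # user name or numeric uid
    # -H follows the "production" symlink given on the command line only
    find -H "$root" \
        \( -path "$root/tmp" -o -path "$root/upload" \
           -o -path "$root/application/config" \) -prune \
        -o \( -user "$webuser" -o \( ! -type l -perm -0002 \) \) -print
)

# tmp_exposed ROOT
# Print entries under ROOT/tmp that still grant any permission to "others",
# i.e. where "chmod -R o=" has not been applied.
tmp_exposed() (
    root=${1%/}
    find -H "$root/tmp" ! -type l \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
)

# Stand-alone use (as root): sh audit.sh /var/www/limesurvey/production/ www-data
if [ "$#" -ge 1 ]; then
    audit_writable "$1" "${2:-www-data}"
    tmp_exposed "$1"
fi
```

Empty output from both functions means the tree matches the state the hardening script is meant to produce; any printed path is a file the web user can still modify or a temporary file readable by other accounts.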
Dependencies
apt install -y php-zip php-imap php-gd
Admin
This is the admin panel:
The enabled users are listed in:
Configuration
LimeSurvey configuration:
nano /var/www/limesurvey/production/application/config/config.php
Apache configuration:
nano /etc/httpd/sites-enabled/it-wikimedia-survey-ssl.conf
nano /etc/httpd/sites-enabled/it-wikimedia-survey-txt.conf
PHP-FPM configuration:
nano /etc/opt/rh/rh-php73/php-fpm.d/9002-limesurvey.conf
To publish any change to Wikimedia Phabricator, run this:
/root/scripts/commit.sh
Log
Generic Apache error log:
tail -f /var/log/apache2/error.log
Generic Apache access log:
tail -f /var/log/apache2/access_log
Service
To apply your changes you need to restart the services.
Service of the apache frontend webserver:
apache2ctl configtest
apache2ctl graceful
Service of the PHP-FPM backend webserver:
systemctl status rh-php73-php-fpm
systemctl restart rh-php73-php-fpm
Database
$ mysql limesurvey
> SHOW TABLES;
+-----------------------------------------------+
| Tables_in_limesurvey                          |
+-----------------------------------------------+
| lime_answers                                  |
| lime_assessments                              |
| lime_asset_version                            |
| lime_boxes                                    |
| lime_conditions                               |
| lime_defaultvalues                            |
| lime_expression_errors                        |
| lime_failed_login_attempts                    |
| lime_groups                                   |
| lime_labels                                   |
| lime_labelsets                                |
| lime_map_tutorial_users                       |
| lime_notifications                            |
| lime_old_survey_272925_20210218220912         |
| lime_old_survey_272925_20210218222604         |
| lime_old_survey_272925_20210218232807         |
| lime_old_survey_272925_20210219171305         |
| lime_old_survey_272925_timings_20210218220912 |
| lime_old_survey_272925_timings_20210218222604 |
| lime_old_survey_272925_timings_20210218232807 |
| lime_old_survey_272925_timings_20210219171305 |
| lime_participant_attribute                    |
| lime_participant_attribute_names              |
| lime_participant_attribute_names_lang         |
| lime_participant_attribute_values             |
| lime_participant_shares                       |
| lime_participants                             |
| lime_permissions                              |
| lime_plugin_settings                          |
| lime_plugins                                  |
| lime_question_attributes                      |
| lime_questions                                |
| lime_quota                                    |
| lime_quota_languagesettings                   |
| lime_quota_members                            |
| lime_saved_control                            |
| lime_sessions                                 |
| lime_settings_global                          |
| lime_settings_user                            |
| lime_survey_272925                            |
| lime_survey_272925_timings                    |
| lime_survey_856642                            |
| lime_survey_856642_timings                    |
| lime_survey_links                             |
| lime_survey_url_parameters                    |
| lime_surveymenu                               |
| lime_surveymenu_entries                       |
| lime_surveys                                  |
| lime_surveys_groups                           |
| lime_surveys_languagesettings                 |
| lime_template_configuration                   |
| lime_templates                                |
| lime_tutorial_entries                         |
| lime_tutorial_entry_relation                  |
| lime_tutorials                                |
| lime_user_groups                              |
| lime_user_in_groups                           |
| lime_users                                    |
+-----------------------------------------------+
58 rows in set (0.00 sec)
Created with:
# copy a password
pwgen 40

# create database
mysql
CREATE DATABASE limesurvey;
CREATE USER limesurvey@localhost IDENTIFIED BY '<omissis>';
GRANT ALL PRIVILEGES ON limesurvey.* TO limesurvey@localhost;
quit
E-mail
This application uses an SMTP account @wikimedia.it with username noreply.
See #Configuration.
See technical addresses.
Automatic update
Just visit this page:
https://survey.wikimedia.it/index.php/admin/update
If the key is no longer valid, copy and paste this page to request another one and get more than 120 updates:
- Microgrant/2021/Supporto WMI-LimeSurvey
After the update see #Logo.
Manual update
1. backup files
2. backup database
3. see #Filesystem to remove hardening
4. now:
   - Option 1, without command line
     - You can use the ComfortUpdate from the web interface (but you need to pay the license - that is good to support LimeSurvey)
   - Option 2, with command line
     - see #Deploy
     - update the database:
       su www-data -s /bin/bash --command='php /var/www/limesurvey/production/application/commands/console.php updatedb'
5. see #Filesystem to restore hardening
Notes:
- to see the new version online you can just replace the symbolic link at /var/www/limesurvey/production.
- remember to copy the /application/config inside your new version (both config.php and secret.php)
Then follow the official guide.
https://manual.limesurvey.org/upgrading_from_a_previous_version
After the update see #Logo.
Security
- Infrastruttura#Sicurezza
- phabricator:T275574
Deploy
# info
latest_stable=https://download.limesurvey.org/lts-releases/limesurvey3.25.17+210309.zip
version=3.25.17

# download
mkdir -p /var/www/limesurvey
cd /var/www/limesurvey
wget "$latest_stable" -O stable.zip

# checks
sha256sum stable.zip
# e528de65e48bb30ccfa581f975d9e989b9eb3ee1b65ab43aa80ef7e02b713b65  stable.zip
md5sum stable.zip
# 492d553ed00911b8c0e7ccfb45be0830  stable.zip
du stable.zip
# 77052  stable.zip

# extract
apt install --yes unzip
unzip stable.zip
rm stable.zip

# give a meaningful name
mv limesurvey limesurvey-"$version"

# create symlink (-n replaces an existing "production" link instead of
# creating the new link inside the old release directory)
ln -fsn limesurvey-"$version" production

# create temporary locations
mkdir -p tmp
chown www-data: tmp
chmod 770 tmp
Now see #Filesystem and #Database.
Also see #Logo.
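The checksum and symlink steps of the Deploy procedure, written so that they fail closed, as an added example that is not part of the wiki page. The function names are hypothetical; the directory layout (`limesurvey-<version>` next to a `production` link) is the one the page uses.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify the download against a
# pinned hash and switch the "production" link only to a plausible release.

# verify_archive FILE SHA256
# Succeed only when FILE hashes to the pinned value. The page prints the
# hash and leaves the comparison to the reader; this makes it a hard check.
verify_archive() {
    printf '%s  %s\n' "$2" "$1" | sha256sum -c - >/dev/null 2>&1
}

# switch_release BASE VERSION
# Point BASE/production at BASE/limesurvey-VERSION. Without -n, "ln -fs" on
# an existing link to a directory follows it and creates the new link inside
# the old release, so the site keeps serving the old version.
switch_release() (
    cd "$1" || exit 1
    [ -f "limesurvey-$2/index.php" ] || exit 1   # refuse an empty or missing tree
    ln -sfn "limesurvey-$2" production
)

# Stand-alone use: sh release.sh stable.zip <pinned sha256>
if [ "$#" -eq 2 ]; then
    verify_archive "$1" "$2" || { echo "checksum mismatch: $1" >&2; exit 1; }
fi
```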
Logo
You may need to change a couple of lines in this configuration file to change the logo:
/etc/apache2/sites-enabled/it-wikimedia-survey-ssl.conf
Here are the lines:
#
# Update the logo
#
# https://commons.wikimedia.org/wiki/File:WikiSurvey_Logo_(lettering).svg
#
# https://phabricator.wikimedia.org/T275919
#
# cd /var/www/limesurvey/wmi-images/
# wget "https://upload.wikimedia.org/wikipedia/commons/thumb/0/03/WikiSurvey_Logo_(lettering).svg/350px-WikiSurvey_Logo_(lettering).svg.png"
#
# ↓ CHANGE THIS
Alias /tmp/assets/369bd233/survey_list_header.png /var/www/limesurvey/wmi-images/350px-WikiSurvey_Logo_(lettering).svg.png
Alias /tmp/assets/11637359/logo.png /var/www/limesurvey/wmi-images/350px-WikiSurvey_Logo_(lettering).svg.png
When you are done, just reload Apache:
apachectl graceful
Phabricator
- phabricator:search - search recent activity
- phabricator:diffusion/WIIN/browse/main/servers/fabula/projects/limesurvey/ - public configuration