X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=INSTALL.txt;h=a9d42495bcc70d35f4c9b23ebc0a0bdf3077226b;hb=d33eeee3363226b4a489d58a717a3b46c20c4457;hp=053c339028c9f5bda2e55639003d8c6d449cd4ee;hpb=d49895a8a10442e1a585732e94230ac51e92396d;p=friendica.git diff --git a/INSTALL.txt b/INSTALL.txt index 053c339028..a9d42495bc 100644 --- a/INSTALL.txt +++ b/INSTALL.txt @@ -1,14 +1,14 @@ -Friendika Installation +Friendica Installation -We've tried very hard to ensure that Friendika will run on commodity hosting +We've tried very hard to ensure that Friendica will run on commodity hosting platforms - such as those used to host Wordpress blogs and Drupal websites. -But be aware that Friendika is more than a simple web application. It is a +But be aware that Friendica is more than a simple web application. It is a complex communications system which more closely resembles an email server than a web server. For reliability and performance, messages are delivered in the background and are queued for later delivery when sites are down. This kind of functionality requires a bit more of the host system than the typical -blog. Not every PHP/MySQL hosting provider will be able to support Friendika. +blog. Not every PHP/MySQL hosting provider will be able to support Friendica. Many will. But please review the requirements and confirm these with your hosting provider prior to installation. 
@@ -21,9 +21,9 @@ impact the installation requirements. Decide if you will use SSL and obtain an SSL cert. Communications with the Diaspora network MAY require both SSL AND an SSL cert signed by a CA which is -recognised by the major browsers. Friendika will work with self-signed certs +recognised by the major browsers. Friendica will work with self-signed certs but Diaspora communication may not. For best results, install your cert PRIOR -to installing Friendika and when visiting your site for the initial +to installing Friendica and when visiting your site for the initial installation in step 5, please use the https: link. (Use the http: or non-SSL link if your cert is self-signed). @@ -32,17 +32,16 @@ link if your cert is self-signed). - Apache with mod-rewrite enabled and "Options All" so you can use a local .htaccess file - - PHP 5.2+. The later the better. PHP 5.3 is required for communications -with the Diaspora network and improved security. + - PHP 5.4+. - PHP *command line* access with register_argc_argv set to true in the php.ini file [or see 'poormancron' in section 8] - - curl, gd, mysql, mbstring, mcrypt, and openssl extensions + - curl, gd (with at least jpeg support), mysql, mbstring, mcrypt, and openssl extensions - some form of email server or email gateway such that PHP mail() works - - Mysql 5.x + - Mysql 5.5.3+ or an equivalant alternative for MySQL (MariaDB, Percona Server etc.) - ability to schedule jobs with cron (Linux/Mac) or Scheduled Tasks (Windows) [Note: other options are presented in Section 8 of this document] 
@@ -51,7 +50,11 @@ php.ini file [or see 'poormancron' in section 8] directory/path component in the URL) is preferred. This is REQUIRED if you wish to communicate with the Diaspora network. -2. Unpack the Friendika files into the root of your web server document area. + + - For alternative server configurations (such as Nginx server and MariaDB + database engine), refer to the wiki at https://github.com/friendica/friendica/wiki + +2. Unpack the Friendica files into the root of your web server document area. - If you copy the directory tree to your webserver, make sure that you also copy .htaccess - as "dot" files are often hidden @@ -60,6 +63,8 @@ you wish to communicate with the Diaspora network. 3. Create an empty database and note the access details (hostname, username, password, database name). + - Friendica needs the permission to create and delete fields and tables in its own database. + 4. If you know in advance that it will be impossible for the web server to write or create files in your web directory, create an empty file called 
@@ -106,10 +111,15 @@ one shown, substituting for your unique paths and settings: You can generally find the location of PHP by executing "which php". If you have troubles with this section please contact your hosting provider for -assistance. Friendika will not work correctly if you cannot perform this step. +assistance. Friendica will not work correctly if you cannot perform this step. + +You should also be sure that $a->config['php_path'] is set correctly, it should +look like (changing it to the correct PHP location) + +$a->config['php_path'] = '/usr/local/php53/bin/php' Alternative: You may be able to use the 'poormancron' plugin to perform this -step if you are using a recent Friendika release. 'poormancron' may result in +step if you are using a recent Friendica release. 'poormancron' may result in perfomance and memory issues and is only suitable for small sites with one or two users and a handful of contacts. To do this, edit the file ".htconfig.php" and look for a line describing your plugins. On a fresh @@ -125,8 +135,25 @@ $a->config['system']['addon'] = 'js_upload,poormancron'; and save your changes. +9. (Optional) Reverse-proxying and HTTPS + +Friendica looks for some well-known HTTP headers indicating a reverse-proxy +terminating an HTTPS connection. While the standard from RFC 7239 specifies +the use of the `Forwaded` header. + + Forwarded: for=192.0.2.1; proto=https; by=192.0.2.2 + +Friendica also supports a number on non-standard headers in common use. + + + X-Forwarded-Proto: https + + Front-End-Https: on + + X-Forwarded-Ssl: on + +It is however preferable to use the standard approach if configuring a new server. - ##################################################################### If things don't work... 
@@ -168,7 +195,7 @@ generally be world-readable. Ensure that mod-rewite is installed and working, and that your .htaccess file is being used. To verify the latter, create a file test.out -containing the word "test" in the top directory of Friendika, make it world +containing the word "test" in the top directory of Friendica, make it world readable and point your web browser to http://yoursitenamehere.com/test.out 
@@ -217,3 +244,50 @@ Retry the installation. As soon as the database has been created, % chmod 755 .htconfig.php +##################################################################### +- Some configurations with "suhosin" security are configured without +an ability to run external processes. Friendica requires this ability. +Following are some notes provided by one of our members. +##################################################################### + +On my server I use the php protection system Suhosin +[http://www.hardened-php.net/suhosin/]. One of the things it does is to block +certain functions like proc_open, as configured in /etc/php5/conf.d/suhosin.ini: + + suhosin.executor.func.blacklist = proc_open, ... + +For those sites like Friendica that really need these functions they can be +enabled, e.g. in /etc/apache2/sites-available/friendica: + + + php_admin_value suhosin.executor.func.blacklist none + php_admin_value suhosin.executor.eval.blacklist none + + +This enables every function for Friendica if accessed via browser, but not for +the cronjob that is called via php command line. I attempted to enable it for +cron by using something like + + */10 * * * * cd /var/www/friendica/friendica/ && sudo -u www-data /usr/bin/php +-d suhosin.executor.func.blacklist=none -d suhosin.executor.eval.blacklist=none +-f include/poller.php + +This worked well for simple test cases, but the friendica-cron still failed with +a fatal error: +suhosin[22962]: ALERT - function within blacklist called: proc_open() (attacker +'REMOTE_ADDR not set', file '/var/www/friendica/friendica/boot.php', line 1341) + +After a while I noticed, that include/poller.php calls further php script via +proc_open. These scripts themselves also use proc_open and fail, because they +are NOT called with -d suhosin.executor.func.blacklist=none. 
+ +So the simple solution is to put the correct parameters into .htconfig.php: + // Location of PHP command line processor + $a->config['php_path'] = '/usr/bin/php -d suhosin.executor.func.blacklist=none +-d suhosin.executor.eval.blacklist=none'; + + +This is obvious as soon as you notice that the friendica-cron uses proc_open to +execute php-scripts that also use proc_open, but it took me quite some time to +find that out. I hope this saves some time for other people using suhosin with +function blacklists.
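
Review bot: "equivalant" in the added database requirement of hunk @@ -32,17 +32,16 @@ should read "equivalent", and the same added line spells the product both "Mysql" and "MySQL"; use "MySQL" in both places. The replacement line "- PHP 5.4+." also removes the only statement of why a newer PHP matters ("communications with the Diaspora network and improved security"); if that reason still holds, keep it in one short clause so readers on older hosts know what breaks.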
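
Review bot: The new bullet under step 3 in hunk @@ -60,6 +63,8 @@ describes the required database permission only loosely ("create and delete fields and tables"), which invites administrators to grant everything. Consider naming the MySQL privileges this corresponds to (CREATE, ALTER and DROP, in addition to the normal data privileges) and stating that they are needed only on Friendica's own database, so the account can be scoped to that one schema.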
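
Review bot: The php_path example added in hunk @@ -106,10 +111,15 @@ is not valid PHP as written because the assignment has no terminating semicolon, and its sample path '/usr/local/php53/bin/php' suggests a PHP 5.3 binary while the requirements hunk in this same patch raises the minimum to PHP 5.4+. Suggest ending the line with ";", using a version-neutral sample path, and naming the file to edit (.htconfig.php, as the following paragraph does for the addon setting). The lead-in sentence is also a comma splice: "is set correctly, it should look like" reads better as two sentences.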
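
Review bot: The new section 9 in hunk @@ -125,8 +135,25 @@ documents which headers Friendica honours but not that they must come from the proxy: Forwarded, X-Forwarded-Proto, Front-End-Https and X-Forwarded-Ssl can all be sent by any client, so the text should tell administrators to have the reverse proxy set or overwrite them and to strip client-supplied copies. There are also wording problems in the added lines: "Forwaded" should be "Forwarded", "a number on non-standard headers" should be "a number of non-standard headers", and the sentence beginning "While the standard from RFC 7239 specifies the use of the ... header." is a dangling subordinate clause that never reaches its main clause. The hunk also deletes the blank line that separated the text from the "#####" rule; keep one blank line before the rule.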
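
Review bot: The suhosin notes added in hunk @@ -217,3 +244,50 @@ recommend setting both suhosin.executor.func.blacklist and suhosin.executor.eval.blacklist to none, which by the text's own description "enables every function", although the only function the notes show Friendica needing is proc_open. Suggest documenting the narrower change instead: keep the existing blacklist and remove only proc_open from it, and leave the eval blacklist alone unless a concrete failure is shown for it. The same applies to the php_path value in .htconfig.php, where the "-d ... =none" flags are passed on to every child script; it would help to say explicitly that php_path here carries command-line arguments and not just a path, since the earlier php_path example in this patch shows a bare path. Minor: the two php_admin_value lines are shown without the enclosing Apache block they belong in, and "I noticed, that" needs no comma.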