Chat API on Ubuntu
This page needs reviewing and correcting. The Redhat version is valid and up to date.
Redis
PHP
Redis on Ubuntu
- Install PHP Redis Module
sudo apt install php-redis
- Install Curl Module
sudo apt install php-curl
- Install XML Module
sudo apt install php-xml
- Apache Logging
/var/log/apache2
- Enable SSL
- Create CSR
Certs and Keys
- Store the private key in the /etc/ssl/private folder
- Store the CA Cert in the /etc/ssl/certs folder
- Store the signed cert in the above folder
- Update the apache site conf file
Enable CORS
sudo a2enmod headers
Load Test
- Apache Bench (AB)
eceadmin@ubuntu100:/var/www/api$ ab -n 5000 -c 500 https://api.ubuntu100.lab1.mydomain.com/chatStatus.php?businessHoursId=5000&chatEntryId=1002
[1] 124932
eceadmin@ubuntu100:/var/www/api$ This is ApacheBench, Version 2.3 <$Revision: 1843412 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking api.ubuntu100.lab1.mydomain.com (be patient)
Completed 500 requests
Completed 1000 requests
Completed 1500 requests
Completed 2000 requests
Completed 2500 requests
Completed 3000 requests
Completed 3500 requests
Completed 4000 requests
Completed 4500 requests
Completed 5000 requests
Finished 5000 requests
Server Software: Apache/2.4.41
Server Hostname: api.ubuntu100.lab1.mydomain.com
Server Port: 443
SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384,2048,256
Server Temp Key: X25519 253 bits
TLS Server Name: api.ubuntu100.lab1.mydomain.com
Document Path: /chatStatus.php?businessHoursId=5000
Document Length: 145 bytes
Concurrency Level: 500
Time taken for tests: 10.642 seconds
Complete requests: 5000
Failed requests: 0
Total transferred: 1865000 bytes
HTML transferred: 725000 bytes
Requests per second: 469.84 [#/sec] (mean)
Time per request: 1064.188 [ms] (mean)
Time per request: 2.128 [ms] (mean, across all concurrent requests)
Transfer rate: 171.14 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 7 997 146.0 1021 1253
Processing: 0 9 10.1 6 110
Waiting: 0 7 7.7 4 81
Total: 92 1006 148.2 1028 1283
Percentage of the requests served within a certain time (ms)
50% 1028
66% 1054
75% 1074
80% 1091
90% 1140
95% 1165
98% 1200
99% 1213
100% 1283 (longest request)
[1]+ Done ab -n 5000 -c 500 https://api.ubuntu100.lab1.mydomain.com/chatStatus.php?businessHoursId=5000
Example Apache Benchmark against the CCE Business Hours API
The command below has verbosity set to 4, so you can see the response for each request.
ab -v 4 -A '[email protected]:Pa$$w0rd' -n 1 -c 1 https://ucce-bizhours1.lab2.purplepi.ie/unifiedconfig/config/businesshour/5001/
Enable Root SSH
- Set root password
sudo passwd root
- Edit /etc/ssh/sshd_config
PermitRootLogin yes
- restart sshd
systemctl restart sshd
Installing Apache, PHP and Redis on Ubuntu
The core components are:
- Apache Web Server
- PHP
- Redis - for caching (for X seconds) the API responses
Installing Apache
- Check what packages are currently installed.
yum list --installed | more
- Install Apache -
yum install httpd
- Enable for Auto startup
sudo systemctl enable httpd
- Open Firewall on port 80
firewall-cmd --permanent --add-port=80/tcp
- Reload Firewall
firewall-cmd --reload
- Start Apache Service
sudo systemctl start httpd
- Root Folder is located here: /var/www/html/
- Make sure any directories you create have r and x permissions for all.
- Make sure any web files you create have read permissions for all
- View Log files written
sudo ls -al /var/log/httpd/
- open access logs
sudo more /var/log/httpd/access_log
- open error logs
sudo more /var/log/httpd/error_log
Enabling HTTPS
Reference1: https://www.redhat.com/sysadmin/webserver-use-https
Reference2: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-httpd-secure-server
Redhat 8 Security guide - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/securing-services_security-hardening#securing-apache-http-servers_securing-http-servers
The mod_ssl configuration file is located at /etc/httpd/conf.d/ssl.conf. For this file to be loaded, and hence for mod_ssl to work, you must have the statement Include conf.d/*.conf in the /etc/httpd/conf/httpd.conf file. This statement is included by default in the default Apache HTTP Server configuration file.
- Install the SSL for httpd -
sudo yum install httpd mod_ssl
- Restart apache -
sudo systemctl restart httpd
The SSL module install will have created its own SSL Cert with just the hostname and not the FQDN.
So you will need to create your CSR (and, if you want one, a temporary Self Signed Cert).
The SSL Conf - ssl.conf file is located in /etc/httpd/conf.d/ directory
You must also open the Firewall on port 443 and then reload the Firewall - as per below commands:
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
Create a Self Signed Cert
openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd-tmp.key -x509 -days 30 -out /etc/pki/tls/certs/httpd-tmp.crt
Enter the details of your Self Signed Cert - making sure to include the FQDN when asked. Then update the ssl.conf file to utilise this certificate and restart the apache server.
SSLCertificateFile /etc/pki/tls/certs/httpd-tmp.crt
SSLCertificateKeyFile /etc/pki/tls/private/httpd-tmp.key
Create a CSR Certificate
The command below saves the CSR file to the /home/user1/ directory.
sudo openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd.key -out /home/user1/httpd.csr
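A non-interactive form of the CSR step, added here as an example and not part of the original page: it puts the FQDN in both the CN and the subjectAltName extension (current browsers validate the SAN rather than the CN), creates the key owner-only, and checks the result. The function names, the output directory argument and the FQDN in the usage comment are assumptions; `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original page.

# make_csr FQDN OUTDIR
# Writes OUTDIR/httpd.key and OUTDIR/httpd.csr without prompting.
make_csr() {
    (
        # Subshell so the restrictive umask does not leak into the caller;
        # the private key is never readable by group or others.
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$2/httpd.key" -out "$2/httpd.csr" \
            -subj "/CN=$1" -addext "subjectAltName=DNS:$1"
    )
}

# csr_has_san CSR FQDN
# True only if the CSR carries an exact DNS:<FQDN> SAN entry. A bare
# hostname (the mod_ssl default described above) does not satisfy it.
csr_has_san() {
    openssl req -in "$1" -noout -text \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -Fxq "DNS:$2"
}

# Usage (run as root so the key can then be moved to /etc/pki/tls/private):
#   make_csr api.ubuntu100.lab1.mydomain.com /root/csr-work
#   csr_has_san /root/csr-work/httpd.csr api.ubuntu100.lab1.mydomain.com \
#       && echo "CSR contains the FQDN"
```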
Import Certificates to Trusted Store
Copy the cert to the /etc/pki/ca-trust/source/anchors/ subdirectory, and run the command:
sudo update-ca-trust
Install Redis
- install redis -
sudo yum install redis
- Enable auto startup -
sudo systemctl enable redis
- Start Redis -
sudo systemctl start redis
- Check Status -
sudo systemctl status redis
Install PHP
Install PHP 7.4 instead of the default PHP 7.2 - (7.2 is the default with RHEL 8)
sudo yum module reset php
sudo yum -y module enable php:7.4
- Install PHP
sudo yum install php
The core PHP install also by default installed the following modules (some output removed):
Installing:
 php x86_64 7.4
Installing dependencies:
 nginx-filesystem noarch 1:1
 oniguruma x86_64 6.8
 php-common x86_64 7.4
Installing weak dependencies:
 php-cli x86_64 7.4
 php-fpm x86_64 7.4
 php-json x86_64 7.4
 php-mbstring x86_64 7.4
 php-opcache x86_64 7.4
 php-pdo x86_64 7.4
 php-xml x86_64 7.4
Hence you should not need to install Curl (Common), XML or JSON modules.
- Install PHP Curl Module
sudo yum install php-curl
- Install PHP XML Module
sudo yum install php-xml
- Install PHP JSON Module
sudo yum install php-json
But you will need to install the Redis modules:
- Install PHP REDIS Module
sudo yum install php-redis
However, this module was NOT available in the repository, so an alternative approach is to download and install the module manually using the pecl command line:
- Install PHP Pear -
sudo yum install php-pear
- pecl also requires the php-devel module to be able to compile and install the extension, so we also need to install this:
sudo yum install php-devel
- Download the redis php extension from pecl (PHP Extension Community Library) - https://pecl.php.net/package/redis
- Copy the extension to the machine (e.g. redis-5.3.7.tgz in this example) and then run the pecl install command as follows:
sudo pecl install -O redis-5.3.7.tgz
However this pecl command didn't work - because of the following error:
shtool at '/var/tmp/redis/build/shtool' does not exist or is not executable. Make sure that the file exists and is executable and then rerun this script.
The lack of exec privileges was confirmed with the following command:
[myuser@servername ~]$ mount -l | grep "/var/tmp"
/dev/mapper/vgsystem-lvtmp on /var/tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
To enable exec privileges run the following:
mount -o remount,exec /var/tmp/
Once finished don't forget to REMOVE exec privileges using this command:
mount -o remount,noexec /var/tmp/
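One way to make the remount window close itself, added here as an example and not part of the original page: a wrapper that remounts the filesystem exec, runs the build, restores noexec even when the build fails or is interrupted, and then verifies the live mount options. The function names are assumptions, and it assumes sudo, mount and findmnt are available.

```shell
#!/bin/sh
# Added example, not from the original page.

# has_opt OPTIONS OPT
# True only if OPT is an exact entry of the comma-separated OPTIONS string.
# A plain substring grep for "exec" would also match "noexec".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# with_exec_mount MOUNTPOINT COMMAND [ARGS...]
# Returns COMMAND's exit status, or 2 if the remount failed or the mount
# point was not left noexec afterwards.
with_exec_mount() {
    _mnt=$1; shift
    # If the build is interrupted (Ctrl-C, kill), still put noexec back.
    trap "sudo mount -o remount,noexec '$_mnt'; exit 1" INT TERM
    sudo mount -o remount,exec "$_mnt" || { trap - INT TERM; return 2; }
    _rc=0
    "$@" || _rc=$?          # keep going so noexec is always restored
    sudo mount -o remount,noexec "$_mnt"
    trap - INT TERM
    # Verify against the live mount table rather than trusting the remount.
    if ! has_opt "$(findmnt -n -o OPTIONS "$_mnt")" noexec; then
        echo "WARNING: $_mnt is still mounted exec" >&2
        return 2
    fi
    return "$_rc"
}

# Usage, with the archive name used on this page:
#   with_exec_mount /var/tmp sudo pecl install -O redis-5.3.7.tgz
```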
When running the pecl command - it also failed - as make was not installed - so install this using
sudo yum install make
Followed by
sudo pecl install -O redis-5.3.7.tgz
, which now installs successfully!
...
Build process completed successfully
Installing '/usr/lib64/php/modules/redis.so'
install ok: channel://pecl.php.net/redis-5.3.7
configuration option "php_ini" is not set to php.ini location
You should add "extension=redis.so" to php.ini
Now revert back exec privileges -
sudo mount -o remount,noexec /var/tmp/
and edit the php file and restart php.
However, do not configure the extension via php.ini as suggested above: PHP also reads the /etc/php.d directory after the ini file, and json must be enabled BEFORE redis.
So create a new file (chmod a+r) with a higher number than the json file, e.g.
sudo vi /etc/php.d/30-redis.ini
- with the below as an example on how the file should look like.
; Enable redis extension module
extension=redis
Also edit each of the other extensions in this folder and disable them if not required.
sudo vi /etc/php.ini
Add the following lines at the end of the file (note you need to load json BEFORE redis, as it is required for redis to work):
extension=json
extension=redis
Restart PHP
sudo systemctl restart php-fpm
SE Linux
By default SELinux does not allow Apache to make socket connections. To enable socket connections - use the following command:
sudo /usr/sbin/setsebool -P httpd_can_network_connect=1
More information can be found here and here.
When using setsebool with the -P to make the boolean change persistent, this updates the policy
Use
sudo semanage boolean -l
to inspect the boolean
PHP TIPS
- Confirm no warnings or errors on php by using the following
php -v
- PHP-specific configuration for httpd -
/etc/httpd/conf.d/php.conf
- All info on PHP install -
php -i
- Location of php.ini file
php -i | grep "Loaded Configuration File"
- If you make changes to the php.ini file - you need to restart php-fpm (note - no need to restart apache) -
sudo systemctl restart php-fpm
Firewall Tips
The firewall-cmd --list-all command shows you all the UDP/TCP ports opened. In the example below, you can see only port 80 has been opened.
#sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Apache Tips
- Check out what Modules are installed
httpd -M