CentOS 7 and WebTrees 1.7x

So I finally started getting the new web server up and running with CentOS 7. First step once running was to install a LAMP configuration (php7.1) and to get WebTrees running. Rather than hang WebTrees directly off /var/www/html/webtrees or similar, I chose to place it at /var/www/wt. I basically unzipped it into a working directory in my home folder so I could examine it and then copied the entire folder to my target location.

I ran into three large issues that prevented running the application:

  1. Needed to configure the system properly inside apache’s configuration files to ensure the directory is accessible to the webserver process, and also to create an alias that points to the folder.
  2. Once that part was complete, the web process couldn’t write to /var/www/wt/data folder; apache (httpd) runs with a user/group of apache rather than www-data as found on many other debian-based distros.
  3. Even when the correct user/group had been applied to all files, it still couldn’t write. It finally dawned on me that SELinux is used on CentOS (and many other distros) and requires some additional permissions to be set. I highly recommend that you do not follow the WebTrees setup wizard advice of assigning 777 (world read/write/execute) permissions, as this lets any local user or process read and modify your tree and its configuration. Also, it won’t work anyway without disabling SELinux, which is an even greater security breach. Read on, do some additional research (not specific to WebTrees) and you’ll see it’s not really that hard. I’ll describe as best I can what the various components mean.

1 – Configure folder access (since it’s not located under /var/www/html)

I normally add this right after the last <Directory> tag found in /etc/httpd/conf/httpd.conf, which for a default installation will probably be your normal /var/www/html access. Please note that this currently does not add SSL as I have the system limited to my local home network. Later, I’ll try to detail how to make this an SSL (https) access instead for additional security.

The Alias directive tells Apache that the files found at /var/www/wt should be served at /wt on the web server (http://servername/wt). The following Directory entry controls what Apache may do with the files there: Options None disables directory listings, AllowOverride None ignores any .htaccess files, and Require all granted lets every client reach the folder.

Alias "/wt" "/var/www/wt"
<Directory "/var/www/wt">
   Options None
   AllowOverride None
   Require all granted
</Directory>

2 – Set correct user/group ownership

This is a relatively simple fix; both 2 and 3 must be done before any noticeable change will occur.

If you use

ls -l /var/www

You’ll see that the default user:group for the wt folder is www-data:www-data. Use the following command to change it to the correct webserver process apache:apache. -R changes everything in the folder not just the folder itself.

sudo chown -R apache:apache /var/www/wt

3 – Edit SELinux policies to permit proper access control

(Please note that I am definitely not an SELinux expert and have adapted these steps from the description provided by Shane Rainville’s Overview located on http://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/. I highly recommend reviewing this information yourself as I have summarized it to the steps I utilized only.)

I normally login to my web server as a normal user and then use sudo for any commands that require root/admin access. There are many flame wars about what is best for isolated systems, YMMV. If you login as a normal user, prefix all commands with sudo.

Install the core policy utilities:

yum install -y policycoreutils-python

Also install the SELinux troubleshooting (there is a typo on Shane’s list, should be setroubleshoot, not setroubleshooting):

yum install -y setroubleshoot

The two above steps allow you to manage the SELinux policies, view them, etc. Shane’s page illustrates how to list existing policies in place, which is probably handy when combined with grep, but my system printed more than enough to fill up the scroll-back buffer. Knowing how to do it comes in handy later, though, for troubleshooting your typos, etc.

Shane illustrates the need to create several types of process accesses, including content, logs, and cache. However, for WebTrees all that I currently need is the content access. Therefore, I issued the command:

semanage fcontext -a -t httpd_sys_content_t "/var/www/wt(/.*)?"

to permit the httpd process to read content within the entire /var/www/wt folder and everything below it. The (/.*)? on the end of the command is a regular expression that makes sure all subfolders, files, etc., are covered by that context. Note that the double quotes, forward slashes, etc., are all critical to the command.

Next, you need to permit read/write access to the /var/www/wt/data folder and files in order to get past the server check on the setup wizard. In reality, this permits the system to store multimedia files, etc., within the data structure properly. (Note that there was a typo here: the -t was left off Shane’s page; I’ve added it here.)

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/wt/data(/.*)?"

At this point, you should be able to run the setup wizard successfully and get to the MySQL/MariaDB configuration portion to set up the database itself.

One point to make here is that WebTrees places its configuration file (config.inc.php) within the data directory so a command to allow read/write to that file is not required as it is already covered by the previous command. As Shane points out, though, it could be necessary if setting up an application that stores that file in a more traditional location (which could be anywhere, tradition be damned).
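Steps 1 to 3 above, pulled together into one script as an added example (it is not from the original post or the WebTrees project). It assumes the post’s install path /var/www/wt, CentOS 7 with policycoreutils-python installed, and root privileges; the function names are mine. It adds two things the steps above do not spell out: restorecon, which applies the semanage rules to files already on disk, and a stat check that the labels actually landed.

```shell
#!/bin/sh
# Added example (not from the original post): label a WebTrees tree for httpd
# under SELinux. Assumes CentOS 7, policycoreutils-python installed, root.
WT_ROOT="${WT_ROOT:-/var/www/wt}"   # the post's install location

# Build the regex semanage wants: the directory itself plus everything below it.
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# Extract the type field from a context string such as
# system_u:object_r:httpd_sys_rw_content_t:s0 (user:role:type:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds only when the context string carries the expected type.
has_type() {
    [ "$(context_type "$1")" = "$2" ]
}

# Compare the on-disk label of a path with what we expect (stat -c %C prints it).
verify_type() {
    has_type "$(stat -c %C "$1")" "$2" ||
        { echo "$1: expected $2, got $(stat -c %C "$1")" >&2; return 1; }
}

apply_labels() {
    # Step 2: httpd runs as apache:apache on CentOS; this is ownership (chown), not mode.
    chown -R apache:apache "$WT_ROOT"
    # Instead of 777: read-only tree, owner-writable data/ only, nothing for others.
    chmod -R u=rX,g=rX,o= "$WT_ROOT"
    chmod -R u+w "$WT_ROOT/data"
    # Step 3: persistent file-context rules (use -m instead of -a if a rule already
    # exists). Only data/ gets the writable type, so httpd cannot modify the PHP
    # code even where DAC would allow it.
    semanage fcontext -a -t httpd_sys_content_t    "$(fcontext_pattern "$WT_ROOT")"
    semanage fcontext -a -t httpd_sys_rw_content_t "$(fcontext_pattern "$WT_ROOT/data")"
    # The rules only describe labels; restorecon writes them onto the files.
    restorecon -Rv "$WT_ROOT"
    # Check the result rather than trusting the commands succeeded silently.
    verify_type "$WT_ROOT"      httpd_sys_content_t &&
    verify_type "$WT_ROOT/data" httpd_sys_rw_content_t
}

# Only act when explicitly asked, so the functions can be sourced and tested.
if [ "${1-}" = "apply" ]; then
    apply_labels
fi
```

Run it as `sudo sh label-webtrees.sh apply`; without the argument it only defines the functions.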

Have fun. No guarantees, warranty, etc.


Genealogy Update (Again)

Well, after tinkering with TribalPages.com for a bit, I’ve reached the conclusion that they provide a much nicer family tree (sans adoption records, I guess) than phpGedView, when considering the total maintenance. The online editing feature works very well and for $2 a month, it’s hard to beat. If you visit http://genealogy.marstella.net, you’ll automatically be redirected to http://marstellafamily.tribalpages.com. That was the easiest way to do things at this point. There’s an option to request access, as I really don’t want the scavengers taking data from the system that might be invalid. I will probably open it up a bit after I upload some of the current data that I have scribbled in various places, but it will probably be around Christmas.

Genealogy Update!

Finally, I’ve taken a few moments to add some genealogy content to http://genealogy.marstella.net. Unfortunately, it’s not the most recent file; the most recent is currently in storage from our move and will probably be a few weeks before it’s posted. The current content is missing about 50 extended family persons, but no direct ancestors or descendants of Henry Garret Hall, Sr., or William Marstella.

Anyone wishing to have an account will need to request one as the old database was lost when marstella.com was killed.

Stay tuned!

Genealogy Status

I finally had a chance to start getting the genealogy system (phpgedview) back online. The system is now in place, although anyone with a user ID will need to contact me to have their logins restored. The site is located at http://genealogy.marstella.net.

The genealogy system is (or at least will be again) configured to allow visitors to see records of non-living persons. However, full user access is required to download gedcom files and see records for living persons.

Hopefully, the system will be fully online within the next 2 days…

marstella.com perishes

marstella.com perished a few months ago due to a failure on my part to renew the domain. Unfortunately, I haven’t been able to re-acquire it as the company that bought it hasn’t been willing to contact me. Apparently the domain is worth thousands to them…