Manual Installation

Please note, automated installation scripts and pre-created Virtual Machine images are also available.

Please only continue with a manual installation if you are confident with installing and configuring OS packages manually.

Review the system requirements before proceeding.

Installing NGINX

NGINX handles incoming requests and proxies them to PHP-FPM, which we will set up later.
Please install and configure NGINX as follows.

NGINX Configuration

Sample configuration is provided below; please update it to suit your requirements.

We have made the following assumptions below; please replace yourdomain.com with your own domain.

  • HTTP domain idp.yourdomain.com
  • Static files (web root) are located at /var/www/idp.yourdomain.com/www/public
  • NGINX log files are located at /var/www/idp.yourdomain.com/logs
  • SSL certificate files are located at /var/www/idp.yourdomain.com/ssl
  • php-fpm server is on the same physical machine as nginx
  • Diffie-Hellman group is available at /var/www/idp.yourdomain.com/ssl/dh.pem

Please generate the required Diffie-Hellman group using the following command:

sudo openssl dhparam -out /var/www/idp.yourdomain.com/ssl/dh.pem 2048


NGINX Configuration Example for one PHP-FPM Node

server {
    listen 80;
    server_name idp.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    # TLS is enabled by the 'ssl' parameter on listen; the old 'ssl on;' directive is redundant and was removed in nginx 1.25
    listen *:443 ssl http2;
    server_name idp.yourdomain.com;
    root /var/www/idp.yourdomain.com/www/public;
    index index.php;

    gzip on;
    gzip_types text/css application/x-javascript application/javascript;

    access_log /var/www/idp.yourdomain.com/logs/access.log combined;
    error_log /var/www/idp.yourdomain.com/logs/error.log;

    ssl_certificate /var/www/idp.yourdomain.com/ssl/certificate.crt;
    ssl_certificate_key /var/www/idp.yourdomain.com/ssl/certificate.key;
    ssl_dhparam /var/www/idp.yourdomain.com/ssl/dh.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients still require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;

    # client_max_body_size caps the request body (nginx answers 413 above it). 400k should match the
    # largest SAML Authentication Request you expect; adjust accordingly
    client_max_body_size 400k;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

NGINX Configuration Example for multiple PHP-FPM Nodes

This section assumes that there are 4 php-fpm servers in an internal network, at the following IP addresses and ports:

  • 10.0.0.1:9000
  • 10.0.0.2:9000
  • 10.0.0.3:9000
  • 10.0.0.4:9000

upstream phpcluster {
    # Define servers in the cluster. An upstream block must sit in the http context, outside any server block;
    # additional load balancing rules can be defined here
    server 10.0.0.1:9000;
    server 10.0.0.2:9000;
    server 10.0.0.3:9000;
    server 10.0.0.4:9000;
}

server {
    listen 80;
    server_name idp.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    # TLS is enabled by the 'ssl' parameter on listen; the old 'ssl on;' directive is redundant and was removed in nginx 1.25
    listen *:443 ssl http2;
    server_name idp.yourdomain.com;
    root /var/www/idp.yourdomain.com/www/public;
    index index.php;

    gzip on;
    gzip_types text/css application/x-javascript application/javascript;

    access_log /var/www/idp.yourdomain.com/logs/access.log combined;
    error_log /var/www/idp.yourdomain.com/logs/error.log;

    ssl_certificate /var/www/idp.yourdomain.com/ssl/certificate.crt;
    ssl_certificate_key /var/www/idp.yourdomain.com/ssl/certificate.key;
    ssl_dhparam /var/www/idp.yourdomain.com/ssl/dh.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients still require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;

    # client_max_body_size caps the request body (nginx answers 413 above it). 400k should match the
    # largest SAML Authentication Request you expect; adjust accordingly
    client_max_body_size 400k;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass phpcluster; # Pass to the phpcluster upstream defined above
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
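As an added example, not part of the AuthStack documentation, the following Python script lints a server block for the points worth checking in the sample configuration above: deprecated TLS versions in ssl_protocols, the obsolete 'ssl on;' directive, an upstream block nested inside server (nginx only accepts it in the http context), and a missing client_max_body_size. The excerpt it inspects is constructed from the sample and deliberately keeps those issues so the checks fire.

```python
# Constructed excerpt of this page's sample configuration (assumes one directive
# per line and '}' alone on its line, as in the sample; not a full nginx parser).
SAMPLE_CONF = """
server {
    listen *:443 ssl http2;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    client_max_body_size 400k;  # must cover the largest SAML AuthnRequest
    upstream phpcluster {
        server 10.0.0.1:9000;
    }
}
"""

DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse(text):
    """Yield (name, args, enclosing_blocks, is_block) for every directive."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            name, *args = line[:-1].split()
            yield name, args, list(stack), True
            stack.append(name)
        else:
            name, *args = line.rstrip(";").split()
            yield name, args, list(stack), False


def lint(text):
    """Return findings as strings; an empty list means nothing to report."""
    findings, body_limit_set = [], False
    for name, args, ctx, is_block in parse(text):
        weak = sorted(DEPRECATED_TLS & set(args)) if name == "ssl_protocols" else []
        if weak:
            findings.append("ssl_protocols allows deprecated " + ", ".join(weak))
        elif name == "ssl" and args == ["on"]:
            findings.append("'ssl on;' is obsolete (removed in nginx 1.25); rely on 'listen ... ssl'")
        elif is_block and name == "upstream" and "server" in ctx:
            findings.append("upstream block belongs in the http context, not inside server")
        elif name == "client_max_body_size":
            body_limit_set = True
    if not body_limit_set:
        findings.append("client_max_body_size not set; size it to the largest SAML request")
    return findings
```

Run lint() over your own server block (for example the output of nginx -T) before reloading; an empty list means none of these four checks fired.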

Installing PHP-FPM

The following guide details how to install and configure PHP-FPM.

  • Version: 5.6.x
  • Ioncube Loader 9.0 required

Ubuntu 16.04

sudo LC_ALL=C.UTF-8 add-apt-repository ppa:ondrej/php
sudo apt-get update

sudo apt-get install -y \
php5.6-cli \
php5.6-fpm \
php5.6-curl \
php5.6-gd \
php5.6-intl \
php5.6-ldap \
php5.6-mysql \
php5.6-recode \
php5.6-opcache \
php5.6-json \
php5.6-bz2 \
php5.6-mcrypt \
php5.6-readline \
php5.6-xmlrpc \
php5.6-xsl \
php5.6-mbstring \
php5.6-xml \
php5.6-zip 

CentOS 7.0

sudo yum install epel-release -y 
sudo rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
sudo yum install -y \
php56w \
php56w-cli \
php56w-common \
php56w-fpm \
php56w-gd \
php56w-intl \
php56w-ldap \
php56w-mbstring \
php56w-readline \
php56w-mssql \
php56w-mysql \
php56w-opcache \
php56w-pdo \
php56w-process \
php56w-recode \
php56w-xml \
php56w-xmlrpc

Installing IonCube Loader

IonCube Loaders are available at http://www.ioncube.com/loaders.php.

The required .so file is called ioncube_loader_lin_5.6.so and is found in the loader archive.

To install it, do the following:

  • Find PHP's extension_dir
  • Copy the file to the extension directory
  • Enable the loader in the .ini file

Finding the PHP extension directory

$ php -i | grep extension_dir

Configuring PHP-FPM pool

Assumptions:

  • php-fpm pool runs under www-data user

Sample PHP-FPM Config

[www]

user = www-data
group = www-data

; IP address and port this pool listens on (the address nginx's fastcgi_pass points to)
listen = 127.0.0.1:9000

pm = dynamic
pm.max_children = 5

; Increase this value up to the number of CPU cores of your system (don't go above);
; it must lie between pm.min_spare_servers and pm.max_spare_servers
pm.start_servers = 2

pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.max_requests = 500

php_admin_value[error_log] = /var/log/fpm-php.www.log

Final PHP-FPM Notes

  • Whether php-fpm runs as a standalone service on another host or on the same server as nginx, the approach is the same: directory paths are always identical.
  • If the nginx configuration states that root is located at /var/www/idp.yourdomain.com/public, then the php-fpm machine must have the same directory structure.

Installing MySQL

Please install as per the following instructions.

  • Required version: 5.7

Sample MySQL Configuration File

my.cnf:

[mysqld]
# CACHES AND LIMITS #
key_buffer_size = 256K
tmp_table_size = 32M
max_heap_table_size = 32M
query_cache_type = 1
query_cache_size = 64M
query_cache_limit = 1M
max_connections = 100
max_user_connections = 500
thread_cache_size = 100
open_files_limit = 65535
table_definition_cache = 4096
table_open_cache = 4096
connect_timeout = 10

# INNODB CONFIG #
innodb = FORCE
#innodb_strict_mode = 1
innodb_locks_unsafe_for_binlog = 1
innodb_autoinc_lock_mode = 2
# Set this large enough for the entire data set to fit in memory; the recommendation is 75% of the RAM available on the machine
innodb_buffer_pool_size = 1G
# innodb_additional_mem_pool_size was removed in MySQL 5.7.4; mysqld refuses to start if it is set
#innodb_additional_mem_pool_size = 20M
innodb_write_io_threads = 16
innodb_io_capacity = 4000
innodb_max_dirty_pages_pct = 90
innodb_support_xa = OFF

# LOG SETUP #
innodb_log_buffer_size = 32M
innodb_log_file_size = 64M

# TRANSACTION FLUSH METHOD #
innodb_flush_method = O_DIRECT
innodb_flush_log_at_trx_commit = 1

Download AuthStack Sources

To obtain the latest AuthStack code, use our public software repository available at https://git.buckhill.co.uk/ and the Composer package manager.

Instructions on how to install Composer are available at: https://getcomposer.org/download/

Once composer.phar is downloaded, move it to /usr/local/bin so that it is available globally to every user.

$ sudo mv composer.phar /usr/local/bin/composer

Note: if you have a valid AuthStack license, you will automatically have access to our software repository.

To checkout the repository, please navigate to your profile settings under GitLab and add the SSH key of the machine which will clone the repository.

Check out the sources with the following git command:

$ git clone git@git.buckhill.co.uk:authstack/server-iam.git .

Once cloned, navigate to where you have cloned the repository and type:

composer install

AuthStack sources and dependencies will be downloaded and installed. AuthStack is then ready to be configured and installed, either manually or using the unattended setup.

Fetching Updates

To fetch AuthStack updates, run git pull:

$ git -C /var/www/idp.yourdomain.com/www pull
