Installation

This wiki page describes a full Nephthys installation on Debian.

The following parameters are used for this example installation:

  • Server-Name: share.mydomain.test
  • Install directory: /srv/www/share.mydomain.test
    • /srv/www/share.mydomain.test/htdocs/
      - virtual-host document root
    • /srv/www/share.mydomain.test/htdocs/nephthys
      - Nephthys PHP source
    • /srv/www/share.mydomain.test/nirvana/
      - Nirvana directory (see below)
    • /srv/www/share.mydomain.test/transfer/
      - bucket directory
    • /srv/www/share.mydomain.test/db/
      - Directory which will contain the SQLite database (if MySQL is not used)

1. Prepare Debian system

  • Install the necessary system requirements
sudo aptitude install apache2 libapache2-mod-php5 smarty php-pear
sudo pear install HTML_AJAX
sudo pear install Mail Net_UserAgent_Detect
  • If you want to use WebDAV, Apache's WebDAV module needs to be enabled:
sudo a2enmod dav_fs
  • As HTML_AJAX is still in beta, the installer will probably tell you to run something like this instead:
sudo pear install channel://pear.php.net/HTML_AJAX-0.x.x

2. Prepare database system

Choose either MySQL or SQLite. The database structure (tables) and initial data are created automatically when Nephthys is first opened.

2.1 MySQL

  • Install software
sudo aptitude install mysql-server-5.0 mysql-client-5.0 php5-mysql
sudo pear install MDB2 pear/MDB2#mysqli
  • Create a database which will be used for Nephthys. For example let us call the database 'db_nephthys':
create database db_nephthys;
  • Create a user in the MySQL database which will be used by Nephthys.
grant all on db_nephthys.* to 'nephthys'@'localhost';
set password for 'nephthys'@'localhost' = password('somesecurepassword');
flush privileges;

2.2 SQLite

sudo aptitude install sqlite php5-sqlite
sudo pear install MDB2 pear/MDB2#sqlite

3. Install Nephthys

1. Create the directory hierarchy:

mkdir /srv/www/share.mydomain.test
cd /srv/www/share.mydomain.test
mkdir htdocs nirvana transfer db
chown -R www-data:www-data htdocs nirvana transfer db

2. Either get a public release or check out the latest development code, and copy all files to /srv/www/share.mydomain.test/htdocs/nephthys. For example, as a Git checkout:

cd /srv/www/share.mydomain.test/htdocs
git clone http://git.netshadow.at/Nephthys.git/ nephthys

3. Prepare the Nephthys configuration file:

cp nephthys_cfg.php.dist nephthys_cfg.php

4. Open nephthys_cfg.php in your favorite text editor and take a look at all configuration options and their default settings. Especially the config options regarding local directories ($base_path, $data_path, ...) need to be checked. The connection parameters for the MySQL database and the location of the SQLite database are also set here.

If you choose SQLite, set $sqlite_path to /srv/www/share.mydomain.test/db/nephthys.db. Always keep the SQLite database outside the htdocs and transfer directories!

5. Create the following file in the htdocs directory to automatically redirect users from / to Nephthys (/nephthys/).

echo "<?php Header('Location: /nephthys/'); ?>" > /srv/www/share.mydomain.test/htdocs/index.php
6. Now open your Nephthys installation in your browser:
7. Log in with user "admin", password "admin".
  • After login, please consider changing the default administrator password immediately!

8. You are done! Have fun with Nephthys!

4. Apache 2.2 configuration

The following shows how I configured Apache to support the previously created directory structure of Nephthys. This configuration also makes sure that nobody can get a list of buckets by browsing the "transfer" directory: such requests are redirected to the nirvana directory.

<VirtualHost share.mydomain.test:80>

   ServerName share.mydomain.test
   ServerAdmin root@mydomain.test

   DocumentRoot /srv/www/share.mydomain.test/htdocs

   # Take care of M$ windows in handling WebDAV
   BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
   BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
   BrowserMatch "Microsoft-WebDAV-MiniRedir/5.1.2600" redirect-carefully
   BrowserMatch "^WebDrive" redirect-carefully
   BrowserMatch "^WebDAVFS" redirect-carefully

   LogLevel warn
   ErrorLog /var/log/apache2/share.mydomain.test_error.log
   CustomLog /var/log/apache2/share.mydomain.test_access.log combined
   ServerSignature On
   IndexOptions Charset=UTF-8

   # some nirvana aliases to avoid directory listing and problems
   # with Microsoft WebDAV handling.
   AliasMatch ^/$ /srv/www/share.mydomain.test/nirvana/
   AliasMatch ^/index.php$ /srv/www/share.mydomain.test/htdocs/index.php
   AliasMatch ^/transfer$ /srv/www/share.mydomain.test/nirvana
   # Alias for bucket directory
   Alias /transfer/ /srv/www/share.mydomain.test/transfer/

   <Directory /srv/www/share.mydomain.test/htdocs>
      Options Indexes FollowSymLinks MultiViews
      AllowOverride None
      Order allow,deny
      allow from all
    </Directory>

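   # Nirvana basically permits DAV, but only GET and PROPFIND calls.
   # Apache's <Limit> accepts only method names (there is no ALL wildcard),
   # so every other method is denied with <LimitExcept>.
   <Directory /srv/www/share.mydomain.test/nirvana>
      Dav On
      Options Indexes
      AllowOverride All
      <Limit GET PROPFIND>
         Allow from all
      </Limit>
      <LimitExcept GET PROPFIND>
         Deny from all
      </LimitExcept>
   </Directory>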

   # Fully enable DAV on any item and directory within directory
   <Directory /srv/www/share.mydomain.test/transfer/*>
      Dav On
      Options Indexes
      AllowOverride None
   </Directory>

   # No DAV on the transfer directory itself
   <Directory /srv/www/share.mydomain.test/transfer>
      Options none
      AllowOverride None
   </Directory>

   <Directory /srv/www/share.mydomain.test>
      Options FollowSymLinks
      AllowOverride None
      Allow from all
   </Directory>

   # finally we secure everything else
   <Directory />
      Options FollowSymLinks
      AllowOverride None
      Deny from all 
   </Directory> 

</VirtualHost>

It's also wise to set "ServerTokens" to "Prod" in your main Apache configuration file. That way, Apache does not reveal much about itself (version information, loaded modules, ...).

5. proftpd configuration

The following shows how I configured proftpd to support the directory structure of Nephthys. One current drawback: it is possible to upload files to the / directory, although listing that directory is not possible.

Include                 /etc/proftpd/modules.conf
PidFile                 /var/run/proftpd.pid
ServerType              standalone
ServerIdent             off
UseIPv6                 off

User                    ftp
Group                   nogroup
Port                    21
PassivePorts            49152 65534

ServerName              "share.mydomain.test" 
MaxInstances            20
UseReverseDNS           off
TimeoutNoTransfer       600
TimeoutStalled          600
TimeoutIdle             600
MultilineRFC2228        on
DefaultRoot             /srv/www/share.mydomain.test/transfer
DefaultServer           on
# per default do not allow overwriting files
AllowOverwrite          off
# do not allow .ftpaccess files 
AllowOverride           off
ShowSymlinks            off
AllowForeignAddress     on
DisplayLogin            welcome.msg
DisplayChdir       .message true
ListOptions             "-aln +R" strict
DenyFilter              \*.*/|NLST
RequireValidShell       off
DeferWelcome            off
MaxLoginAttempts        3
AllowStoreRestart       on
AllowRetrieveRestart    on
IdentLookups            off
LogFormat               default  "%h %l %u %t \"%r\" %s %b" 
LogFormat               auth     "%v [%P] %h %t \"%r\" %s" 
LogFormat               write    "%h %l %u %t \"%r\" %s %b" 
TransferLog             /var/log/proftpd/xfer.log
ExtendedLog             /var/log/proftpd/access.log      WRITE,READ write
ExtendedLog             /var/log/proftpd/auth.log        AUTH auth
ExtendedLog             /var/log/proftpd/paranoid.log    ALL default

<Anonymous /srv/www/share.mydomain.test/transfer>
   HideUser                root
   HideNoAccess            on
   User                    www-data
   Group                   www-data
   GroupOwner              www-data
   DirFakeUser             on ftp
   DirFakeGroup            on ftp
   Umask                   022 022

   UserAlias               anonymous www-data
   MaxClients              10
   DisplayLogin            welcome.msg
   DisplayFirstChdir       .message
   AllowOverwrite          off

   #
   # Limits
   #

   # getting the current working directory and
   # change directory is allowed
   <Limit PWD CWD>
      IgnoreHidden      on
      AllowAll
   </Limit>
   # everything else is denied
   <Limit ALL>
      DenyAll
   </Limit>

   # for any object _within_ the ftp root directory
   # listing the directory content is allowed (LIST)
   # as well as getting the current working directory
   # and change directory.
   <Directory /srv/www/share.mydomain.test/transfer/*>
      AllowOverwrite       off
      <Limit PWD CWD LIST>
         IgnoreHidden      on
         AllowAll
      </Limit>
   </Directory>

   # within the bucket directories, everything is allowed
   <Directory /srv/www/share.mydomain.test/transfer/*/*>
      AllowOverwrite       on

      # changing permissions and ownerships is not allowed
      <Limit SITE_CHMOD>
         DenyAll
      </Limit>

      <Limit ALL>
         IgnoreHidden      on
         Allow             from all
      </Limit>
   </Directory>

</Anonymous>

6. Cron-job for deleting expired buckets

Nephthys comes with a script which automatically cleans up expired buckets. Create a new file /etc/cron.d/nephthys:

# set MAILTO to an email address if somebody should be informed which buckets got deleted.
# otherwise set it to "" which will suppress any email message
MAILTO="" 
0 * * * * www-data  php /srv/www/share.mydomain.test/htdocs/nephthys/nephthys_watch.php

What about this Nirvana directory?

The nirvana directory is a trick to make some WebDAV clients (like Explorer) believe that WebDAV is available at the web server's root / and at the /transfer/ path.
Some clients refuse to enter a bucket's path (/transfer/{hash}) via WebDAV if its parent folders are not already WebDAV-enabled. So we direct those requests to an empty, WebDAV-enabled directory.

The nirvana directory shall always be empty.
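
The two layout rules stated on this page (the SQLite database stays outside htdocs and transfer; the nirvana directory stays empty) can be checked after installation or from a monitoring job. The following script is an added example, not part of Nephthys; the function names check_layout and is_inside are made up for this illustration, and it assumes a shell with find supporting -mindepth, as on Debian.

```shell
#!/bin/sh
# Added example: audit a Nephthys directory layout against this page's rules.
# check_layout BASE SQLITE_PATH
#   BASE         install directory (e.g. /srv/www/share.mydomain.test)
#   SQLITE_PATH  value of $sqlite_path from nephthys_cfg.php
# Prints one line per finding and returns the number of findings.

# is_inside PATH DIR: true if PATH equals DIR or lies below it
is_inside() {
    case "$1/" in
        "$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

check_layout() {
    base=${1%/}
    db=$2
    findings=0

    # Resolve the database directory physically, so symlinks and ".."
    # cannot hide a location under a web- or FTP-served tree.
    db_dir=$(cd "$(dirname "$db")" 2>/dev/null && pwd -P) || {
        echo "FAIL: directory of $db does not exist"
        return 1
    }
    for served in htdocs transfer; do
        served_dir=$(cd "$base/$served" 2>/dev/null && pwd -P) || continue
        if is_inside "$db_dir" "$served_dir"; then
            echo "FAIL: SQLite database is inside served directory $served_dir"
            findings=$((findings + 1))
        fi
    done

    # The nirvana directory must stay empty (dotfiles count as content).
    if [ -n "$(find "$base/nirvana" -mindepth 1 -print 2>/dev/null | head -n 1)" ]; then
        echo "FAIL: $base/nirvana is not empty"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "OK: layout matches the documented rules"
    return "$findings"
}
```

For the example installation, the call would be check_layout /srv/www/share.mydomain.test /srv/www/share.mydomain.test/db/nephthys.db.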