Installation

Contents

1. Introduction
    1.1 Conventions
        1.1 1 General
        1.1.2 Documentation conventions
        1.1.3 web servers and folders
    1.2 Requirements
        1.2.1 Technical requirements
        1.2.2 User requirements
    1.3 Preparations
        1.3.1 Downloads
        1.3.2 Installing on a server with root (administrator) access
        1.3.3 Installing on a server without root access
        1.3.4 Installing on a XS4ALL server
        1.3.5 Installing on a PC with XAMPP
    1.4 On secure passwords

2. The installation
    2.1 Language
    2.2 Installation type
    2.3 License
    2.4 Database
    2.5 Website
    2.6 User account
    2.7 Compatibility
    2.8 Confirmation
       2.8.1 Crossroads
    2.9 Finish
    2.10 Download configuration file
    2.11 E-mail alerts

3. Tips for a secure installation
    3.1 Program files and configuration file
    3.2 Data files
        3.2.1 Outside the document root
        3.2.2 Inside the document root

4. After the installation
    4.1 Virus scanning
    4.2 Session name
    4.3 Proxy friendly URLs
    4.4 Configuring cron.php

5. Errors
    5.1 Canceled installation
    5.2 Unable to write in data directory
    5.3 Config.php write problems

6. Upgrading

7. Concluding remarks

1. Introduction

This chapter describes the download, uppacking, installing and securing of the Website@School program on a server. Two installation modes are available, 'Standard' and 'Custom'. In the screenshots the 'Standard' installation is depicted. In the text both types are described.

We did our utmost to describe every detail of the installation. Please read this chapter. Comments and additions are welcome.

1.1 Conventions

1.1.1 General features

Some general features of Website@School are not that easily found.

1.1.2 Documentation conventions

Below are the text elements in this chapter that have a special markup:

1.1.3 web servers and folders

In the installation chapter we use specific names to indicate the different locations of files and folders.

1.2 Requirements

Website@School requires a LAMP or WAMP compatible server. That is, the program can be installed on Linux and Windows servers that are equipped with the Apache web server, the MySQL database and the PHP scripting language.
It's impossible to give detailed installation recipes or howto's to install the above programs for every Linux or Windows server. Many howto's can be found on the internet by Googling on 'how to install a lamp server on <YourServerSoftwareHere>'. Select a howto that also describes the tests to check if Apache, PHP and MySQL are properly installed.

An easy way to install Website@School on a PC is XAMPP, described in Appendices XAMPP installation

1.2.1 Technical requirements

Please note that the following minimal versions are required by Website@School: Installing on XAMPP: Version 1.7.4 or higher.

1.2.2 User requirements

Website@School is not particularly difficult to use but it does require a willingness to read and follow the instructions. If you have a natural aversion to reading instructions, and your approach to new software is to click on every button you see until something resembling the desired effect occurs, then Website@School is probably not suitable for your school. Courtesy OmegaT User Requirements.

You need some computer skills to install Website@School:

When you are uncertain about your skills, it's better to ask help at a local Linux group. They are virtually everywhere and are willing to perform a small service for the school and (possibly) your kids. See http://en.wikipedia.org/wiki/Linux_User_Group

1.3 Preparations

NOTE: We have no experience with the secure installation of Website@School on Windows servers! Please help us with a description of the installation procedure.

Before you can begin with the actual installation of Website@School, a few things have to be taken care of.
Depending on whether you have root (administrator) access to the server or your server is located at an ISP (Internet Service Provider), you have to follow different routes.

Start with creating some place to download files if it not already exists.

Downloading the Website@School program is discussed in the next paragraph.

1.3.1 Downloads

Proceed as follows to download the necessary files: [ * ] The content of the .zip archives and the .tar.gz archives are the same; you only have to download one of the two.

When on a server with root access, proceed to the next paragraph. When the server where Website@School is to be installed is located at an ISP (Internet Service Provider), proceed with paragraph 1.3.3 Installing on a server without root acces

1.3.2 Installing on a server with root (administrator) access

Now that you have downloaded the necessary files, you can unpack them on the right location, the web server Document Root, e.g. /home/httpd/htdocs or C:\Program Files\Apache Group\Apache\htdocs. Proceed as follows.

You are now almost ready to install Website@School. Please first read paragraph 1.4 On secure passwords, before proceeding to 2. The installation.

1.3.3 Installing on a server without root access

When your server is, for example, located at an ISP (Internet Service Provider) and you have no root access to the server, you have to upload the files and directories to the server from your computer.

We assume you have downloaded the files in the downloads directory as described in paragraph 1.3.1 Downloads, i.e. the downloads directory is in the users home directory.

You are now almost ready to install Website@School. Please first read the next paragraph 1.4 On secure passwords, before proceeding to 2. The installation.

1.3.4 Installing on an XS4ALL server

XS4ALL is a Dutch ISP that offers all Dutch schools very low priced Internett access, server space and a database. Their installation procedure has, like other ISP's, its own anomalies. This type of installation is discussed in Appendices XS4ALL installation.

1.3.5 Installing on a PC with XAMPP

XAMPP is easy to use. Still their installation procedure has, like others, its own quirks. This type of installation is discussed in Appendices XAMPP installation.

1.4 On secure passwords

Website@School does not accept simple passwords like helen or maria2. These simple passwords are easy to guess and using them endangers your complete system and the data. Passwords must have certain properties to make them difficult to guess. A Website@School password must:

Please bear this in mind when entering passwords during the installation. Nuff said, time to start!

(top)

2. The installation

Open your browser and start the Install Wizard by surfing to /program/install.php on your school website. That is, if your school website is at www.exemplum.eu, you should go to http://www.exemplum.eu/program/install.php. (Replace www.exemplum.eu with the name of your site).

2.1 Language

[ Language, drop down menu: list of languages expanded ]
install_language.png

The installation starts with the selection of the language in the dropdown menu. Please select a language and click [Next] to continue or [Cancel] to abort the installation.

2.2 Installation type

[ Installation type, dropdown menu: types, checkbox: high visibility ]
install_installation_type.png
Click [Next] to continue, [Previous] to return to the previous dialogue or [Cancel] to abort the installation.

2.3 License

[ License, page: top ]
install_license-top.png
For the purpose of this manual, many text lines in the license are skipped in the pictures above and below. Please read the license agreement carefully before signing the agreement.
[ License, page bottom, entry field ]
install_license-bottom.png

To be able to install the program, you have to accept the license agreement by typing 'I agree' (without quotes) in the field. In languages other than English, the exact wording can be found at the bottom of the license agreement.

Click [Next] to continue, [Previous] to return to the previous dialogue or [Cancel] to abort the installation.

2.4 Database

[ Database, drop down menu: type, entry fields ]
install_database.png

Click [Next] to continue, [Previous] to return to the previous dialogue or [Cancel] to abort the installation.

2.5 Website

[ Website, page: top, entry fields ] [ Website, page: bottom, entry fields ]
install_website-top.png

install_website-bottom.png

Click [Next] to continue, [Previous] to return to the previous dialogue or [Cancel] to abort the installation.

2.6 User account

[ User Account, entry fields ]
install_user_account.png

Click [Next] to continue, [Previous] to return to the previous dialogue or [Cancel] to abort the installation.

2.7 Compatibility

[ Compatibility ]
install_compatibility.png

Below is an overview of required and desired settings. You need to make sure that the requirements are satisfied before you continue.

NOTE: Required items have an '*' asterisk.

Click [Next] to continue, [Previous] to return to the previous dialogue or [Cancel] to abort the installation.

2.8 Confirmation

[ Confirmation, page: top ] [ Confirmation, page: bottom ]
install_confirmation-top.png

install_confirmation-bottom.png

You are about to install your new website. Carefully check the configuration settings. Please do as suggested and print this page for future reference.
Thereafter you can press [Next] to start the actual installation process or press [Previous] to correct errors, or [Cancel] to abort the installation.

The installation process may take a while.

2.8.1 Crossroads

When the installation process is finished, two possibilities exist
  1. The configuration file config.php was automatically written to the CMS Root Folder. You see a picture as in 2.9 Finish. Proceed from there.
  2. The configuration file config.php was not automatically written to the CMS Root Folder and it must be put there by hand. Please proceed with paragraph 2.10 Download configuration file.

2.9 Finish

[ Finish, drop down menu: choises ]
install_finish.png

The installation is finished.
It's not a bad idea to check for updates or bug fixes. We assume your version is up to date. Proceed by selecting an item from the dropdown menu:

Jump to:

Or click [OK] to go to the default destination: the admin.php login dialogue.

[ Exemplum Primary School, login page. username 'name', password ******** ]
install_login.png
You can now continue reading the manual with the Logging in and out chapter.

2.10 Download configuration file

The installer may be unable to write the configuration file config.php in the CMS Root Folder because the directory is write protected. In that case, you have the option to download config.php. You can save it in the was directory on your computer and copy (upload) it with FTP to the CMS Root Folder. This feature is a security measure.
[ Finish, download configuration file, drop down menu: choises ]
install_finish_download.png
NOTE: Do not click the [OK] button! It gives you a screen with condition code 010.

To download the file config.php, proceed as follows:

The installation is finished.
It's not a bad idea to check for updates or bug fixes. We assume your version is up to date. Proceed by selecting an item from the dropdown menu:

Jump to:

Or click [OK] to go to the default destination: the admin.php login dialogue:

[ Exemplum Primary School, login page. username 'name', password ******** ]
install_login.png
You can now continue reading the manual with the Logging in and out chapter.

2.11 E-mail alerts

When Website@School was installed with demonstration data, after a successful installation 2 e-mails are sent. One toe the webmaster Wilhelmina Bladergroen and one to the principal of the Exemplum Primary School.
  -------- E-mail Message --------
From: Exemplum Primary School <webmaster@exemplum.eu>
Subject: Alerts for website Exemplum Primary School: 1
To: webmaster@exemplum.eu (Wilhelmina Bladergroen)

2014-07-22 12:50:17
Initial installation of demodata, including this test message.
You will receive an alert at most once every 1440 minutes (1 day).
Alerts will trigger on a change in any area.
Alerts will be mailed to this address:
webmaster@exemplum.eu (Wilhelmina Bladergroen)
  -------- E-mail Message --------
From: Exemplum Primary School <a.cackle@exemplum.eu>
Subject: Alerts for website Exemplum Primary School: 1
To: a.cackle@exemplum.eu (Amelia Cackle)

2014-07-22 12:50:17
Initial installation of demodata, including this test message.
You will receive an alert at most once every 60 minutes (1 hour). 
Alerts will only be sent for changes on the intranet
Alerts will be mailed to this address:
a.cackle@exemplum.eu (Amelia Cackle)

(top)

3. Tips for a secure installation

NOTE: Securing an installation, thus protecting the schools website, the (sometimes) confidential data and the server itself can be complicated to perform. Mistakes are easily made. If you are unfamiliar with the intricacies in this paragraph, please ask help from a local Linux group. The operations should not be performed by someone who hasn't done it before.

This paragraph discusses the points to check for a secure installation. However, it is impossible to describe all possibilities and their exceptions. Do not hesitate to ask help from a local Linux group or ask for support.

All program files of Website@School are installed in the so called CMS Root Folder. The CMS Root Folder is often the same as the web server Document Root. However, it is also possible to use a subdirectory of the web server Document Root instead.

Furthermore, for a good installation a separate Data Directory is necessary. After installation is complete, this Data Directory will contain the CMS Data Folder.

3.1 Program files and configuration file

After a successful installation, the CMS Root Folder, i.e. the web server Document Root, or the self chosen subdirectory, should contain the following files and directory. Observe permissions and ownership:
-rw-r--r--  1 root  root     2210 Feb  1 14:00 admin.php
-rw-r--r--  1 root  root     7827 Feb  1 14:00 config-example.php
-r--------  1 www   root      754 Feb  1 11:10 config.php
-rw-r--r--  1 root  root     2204 Feb  1 14:00 cron.php
-rw-r--r--  1 root  root     2653 Feb  1 14:00 file.php
-rw-r--r--  1 root  root     2675 Feb  1 14:00 index.php
drwxr-xr-x  1 root  root      824 Feb  2 10:11 program

The CMS Program Folder program/ contains dozens of files and subdirectories. Together these form the Website@School program.

Finally, there is the configuration file config.php. This file (which is created by the Install Wizard) must be placed in the same directory as the other files, i.e. in the CMS Root Folder.

It is sufficient for the web server (Apache) to only have read permissions on all these program files and subdirectories. This also applies to the configuration file config.php.

Security wise it is best to make sure that the web server (Apache) has no write permissions on these program files and (sub) directories. This also applies tot the configuration file config.php.

For additional security and protection of the data in config.php it makes sense to limit the permissions on that file even further.

On a Linux server it speaks for itself to set these read- and write permissions as follows:

- All files, with the exception of config.php, get permissions 0644 and are owned by user root and group root.
- Al directories get permissions 0755 and are owned by user root and group root.
- The file config.php gets permissions 0400 and becomes owned by user www and group root.

NOTE 1:
It is also possible to give the files (except config.php) permissions 0444 and the directories permissions 0555, but this adds factually little when the files are owned by user root, because anyhow user root has all permissions, also write permissions, on any file.

NOTE 2:
In this example user www is used as the account under which the web server (Apache) is running. Depending on the specific system, this can also be the user apache or nobody. Please consult the documentation and/or configuration of the web server.

NOTE 3:
The file config.php is a case on its own. This file contains the database password. For that reason it is good to only and exclusively give the web server (Apache) read permissions on this file and no other user or group.

NOTE 4:
If it is not possible to make the files (except config.php) and directories owned by user root and group root, then it is also possible to choose another user and group, as long as it is not the web server user and group for that purpose. Permissions 0644 or 0755 are usable.

3.2 Data files

For a fully functional Website@School, also storage space is needed, preferably outside the websrervers Document Root.
During the installation in step 2.5 Website you have entered a path, for example /home/httpd/wasdata.

For security reasons the installer creates a subdirectory inside this directory: This we call the CMS Data Folder. The full path of the CMS Data Folder is the Data Directory path followed by a difficult to guess directory name of 32 letters and digits, for example: /home/httpd/wasdata/b27b7d81c0ea26c4885784564bda2e11.

It is necessary that, during the installation, the web server (Apache) has read-, write- and execute permissions in the Data Directory (for example wasdata), in order to create the CMS Data Root.
After finishing the installation the write permissions can be minimized, as long the read and search permissions for the web server remain.

3.2.1 Outside the document root

Concerning security it is strongly advised that the CMS Data Folder is located outside the web server Document Root.

Example 1:
On the Linux server /home/httpd/htdocs is the web server Document Root. In that case a secure choice for the Data Directory is /home/httpd/wasdata. This results in:
- Data Directory: /home/httpd/wasdata
- CMS Data Folder: /home/httpd/wasdata/fa0aff7743cd61f2afb473ca528fd431

During the installation, the Data Directory must have permissions 0700 with user www and group root. After finishing the installation, it is sufficient to set the permissions of this directory to 0500 with user www and group root.

Example 2:
On a Linux server /var/www is the web server Document Root. The Data Directory could be located in /var/wasdata. This results in:
- Data Directory: /var/wasdata
- CMS Data Folder: /var/wasdata/fa0aff7743cd61f2afb473ca528fd431

During the installation, this Data Directory should have sufficient file access permissions, e.g. by -- temporarily -- elevating permissionss to 0777, with user wblade and group users. After finishing the installation, it is sufficient to set the permissions of this directory to 0555 with user wblade and group users.

User wblade is Wilhelmina Bladergroen, the systems administrator of the Exemplum Primary School. For explanation on this user and the school see the ServerAtSchool documentation at http://serveratschool.net/doc/manual/overview.html#h2

NOTE: The permissions and ownership of the underlying directories created by the Installation Wizard, must remain as they are. Here is an example:

drwx------  3 www www    240 Feb  6 13:53 fa0aff7743cd61f2afb473ca528fd431

3.2.2 Inside the document root

Concerning security it is strongly advised to have the CMS Data Folder located outside the Document Root. If, for some reason or another, this is not possible, then choose a difficult and long directory name to make it difficult for a third party to find this directory by 'guessing'. After all, all documents are in principle directly accessible, provided the name of the document is known.

Example 1:
On a Linux server /home/httpd/htdocs is the web servers Document Root. If the Data Directory and hence the CMS Data Folder is to stay in there, then b27b7d81c9ea26q4885734564qda2e12 looks like a good, difficult to guess subdirectory name. This results in:
- Data Directory /home/httpd/htdocs/b27b7d81c9ea26q4885734564qda2e12
- CMS Data Folder: /home/httpd/htdocs/b27b7d81c9ea26q4885734564qda2e12/fa0aff7743cd61f2afb473ca528fd431

The permissions of the Data Directory during the installation are 0700 with user www and group root. After the installation permissions 0500 with user www and group root are enough.

Example 2:
On a Linux server /var/www is the web servers Document Root. If the Data Directory and hence the CMS Data Folder is to stay in there, then b27b7d81c9ea26q4885734564qda2e12 looks like a good, difficult to guess directory name. This results in:
- Data Directory: /var/www/b27b7d81c9ea26q4885734564qda2e12
- CMS Data Folder: /var/www/b27b7d81c9ea26q4885734564qda2e12/fa0aff7743cd61f2afb473ca528fd431

During the installation, the Data Directory has --temporarily-- permissions 0777 with user wblade and group users. After the installation it is sufficient to set back the permissions of this directory to 0555 with user wblade and group users.

User wblade is Wilhelmina Bladergroen, the systems administrator on the Exemplum Primary School. For explanation on this user and the school see the ServerAtSchool Documentation at http://serveratschool.net/doc/manual/overview.html#h2

NOTE: The permissions and ownership of the underlying directories created by the installation wizard, must remain as they are.

3.3 Further information

This manual is not a study book on server security. For safety contact your systems administrator or ISP (Internet Service Provider) for a possibly even tighter installation or contact the Website@School support at support@websiteatschool.eu.

NOTE: Before making use of your installation, please also read the next section to check some of the configuration items that affect security.

(top)

4. After the installation

When you have successfully completed the previous section, please also check the following items that either affect the security of your installation or prevent problems. All items are described in the Configuration Manager, paragraph 5. Site.

4.1 Virus scanning

On a school server with so many users able to upload files from anywhere, scanning for viruses is a must. In the procedure below we describe how to check if virus scanning is indeed functioning.

First check at [  ] Scan files for viruses on upload if the box is checked. Then perform the following test to verify the correct operation of the virus scanner by creating a special 'test virus'. There is a standard test, developed explicitly for testing anti-virus programs. It was developed by the European Institute for Computer Anti-Virus Research (EICAR). You can easily create this test using any text editor. The test file consists of 68 plain ASCII characters as shown below. Note that the 3rd character is a capital 'O' and not the digit '0'.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Now store these 68 characters in a file. Do not name the file EICAR.COM as suggested by the Institute, because by default the file extension .com is a not allowed extension in Website@School. Maliciously we rename the file to image.png, so it will be accepted and uploaded to your My Files location.
The virus should be detected and an error message must be generated like:

[ My Files, message= virus found ]
install_after_install_virus.png

The virus scanner is properly installed and found during installation because the virus was detected and not uploaded.
However, if the virus scanner for some reason is not working properly during the upload, a message like the following is displayed. NOTE 'Error 2'.

Filename(1): Error 2 while scanning for viruses, file 'other_image.bmp'
Files added: 0, files ignored: 1
.

If a virus is found, the webmaster receives an e-mail like the one we found on our public Website@School test site. For details and login, please see chapter Basic procedures for beginners, paragraph 7.2 Our sandbox).

  -------- E-mail Message --------
From: Exemplum Test Site <jtester@wexample.org>
Subject: Virusalert for website Exemplum Test Site: attempt to upload virus
To: jtester@example.org (Exemplum Test Site)

There was an attempt to upload a file containing
a virus. The output of the virusscanner is as follows:

/tmp/php1DGFo: PHP.Trojan.Agent-8  FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.002 sec (0 m 0 s)

The currently logged in user was

Jane Tester (jtester)

and the file was /tmp/phpP1DGFoj (b374k.php).

Kind regards,

Your automated webmaster

In a future release the senders IP address will be added, so you do not have to look up his IP address in the Website@School log file.

NOTE: Do not forget to keep the virus scanner on the server up to date!

More information on EICAR.COM can be found on the EICAR web site at http://www.eicar.org/anti_virus_test_file.htm.

Note that this EICAR.COM file in itself is a valid but harmless DOS program. When executed (in a DOS box), it simply displays the text 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!', nothing more.

This sub paragraph on testing with a virus is gracefully copied and slightly adapted from http://serveratschool.net/doc/, the ServerAtSchool Documentation, where the installation of a secure school server is discussed.

4.2 Session name

In every installation of Website@School the session name is the same. A bit of extra security can be added by changing the session name WASSESSION to something else. After changing, log out and in again.

4.3 Proxy friendly URLs

Easy to change after the installation, however when this change is done some time in the future, it might give you a lot of work. Please read about this item in the Configuration Manager, paragraph 3. Site

4.4 Configuring cron.php

It is necessary for Website@School to periodically perform some housekeeping chores. This is done by calling or executing the file cron.php. The exact installation of the cron-job depends on the server where you installed Website@School and the privileges you have on that server.

A few options may exist:

NOTICE:
It is not necessary to call cron.php from the same server that hosts your Website@School installation; you can easily use wget from any other server in the world to periodically execute cron.php.

See also section 4.1 Site configuration in chapter Configuration manager for two configuration items dealing with cron.php.

(top)

5. Errors

Below the most common errors during the installation procedure are discussed.

5.1 Canceled installation

When the installation is canceled, it is because the Website@School installer found an already existing config.php configuration file. This is a security feature that prevents overwriting an existing configuration file. Check if the file exists. If this is the case, either delete or rename it. You cannot accidently overwrite an existing config.php file while doing a new installation of Website@School, even when the file permissions would allow it.

Click [OK] to return to the language selection. It is possible to download the config.php file. See paragraph 2.10 Download configuratoin file.

5.2 Unable to write in Data Directory

When you have created the data directory with the wrong ownership (for example root.root), you can get an error message like:

Error: Data directory: directory can not be created: /home/httpd/htdocs/wasdata/6a69137e2689c8f91873e0634ca46bda.

You get the same type of errors when the file permissions are too low (for example 000 or 600). Here is an example of minimal permissions and ownership:

drwx------ 2 www www  48 Feb  3 16:49 wasdata

5.3 Config.php write problems

The installer can be unable to write [1] the configuration file config.php because the directory is write protected. In that case, you have the possibility to download config.php and save it on your computer. Then copy it to the location you choose to put the program in. This feature could be seen as a security measure.

[1] For example when Website@Schools CMS Root Folder has permissions like:

dr-x------  3 www www    240 Oct 21 13:53 htdocs

It is impossible to write in the directory.

(top)

6. Upgrading

See chapter Tools, paragraph 6. Update manager.

(top)

7. Concluding remarks

Your Website@School is ready for use. Please take the Basic procedures for beginners to have a quick introduction to some (but not all) features of Webiste@School.

(top)

Authors: Dirk Schouten <dirk (at) websiteatschool (dot) eu> and Peter Fokker <peter (at) websiteatschool (dot) eu>
Last updated: 2016-06-23