Passwork stores passwords in a structured form with flexible user access control and is suitable for both corporate collaboration and personal use.
Preparation
Install software
$ sudo dnf makecache
$ sudo dnf -y install epel-release
$ sudo dnf -y install wget traceroute net-tools nano bind-utils telnet htop rsync policycoreutils-python-utils
$ sudo dnf -y install git avahi
Install Nginx, configure Firewall
Add the Nginx repository
$ sudo nano /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
Install Nginx, enable it at boot and start it
$ sudo dnf -y install nginx
$ sudo systemctl enable --now nginx
Configuring Firewall
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --permanent --add-port=5353/udp
$ sudo firewall-cmd --reload
Restarting the avahi service
$ sudo systemctl restart avahi-daemon
Installing MongoDB 4.2 Database
Add MongoDB repository
$ sudo nano /etc/yum.repos.d/mongodb-org-4.2.repo
[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc
Install MongoDB
$ sudo dnf -y install mongodb-org
Disable SELinux
$ sudo nano /etc/selinux/config
...
SELINUX=disabled
To switch SELinux to permissive mode immediately, without rebooting, run
$ sudo setenforce 0
Enable MongoDB at boot, start it and check its status
$ sudo systemctl enable --now mongod
$ systemctl status mongod
Install PHP-fpm 7.3
Add Remi repository
$ sudo dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
Install php-fpm 7.3 and required modules
$ sudo dnf module list php
$ sudo dnf module enable php:remi-7.3
$ sudo dnf -y install php-fpm php-json php-ldap php-xml php-bcmath php-mbstring
Configuring php-fpm
$ sudo nano /etc/php-fpm.d/www.conf
...
user = nginx
group = nginx
...
listen = /run/php-fpm/www.sock
Editing php.ini
$ sudo nano /etc/php.ini
...
date.timezone = Europe/Moscow
...
short_open_tag = On
Change directory owner
$ sudo chown -R nginx. /var/lib/php/session
Enable php-fpm at boot, start it and check its status
$ sudo systemctl enable --now php-fpm
$ systemctl status php-fpm
Installing PHP Mongo Driver
Installing the necessary components
$ sudo dnf -y install gcc php-pear openssl-devel
On CentOS 8, php-devel requires the libedit-devel package from the PowerTools repository. Install it first, otherwise the php-devel installation fails with an error
$ sudo dnf -y install https://mirror.yandex.ru/centos/8/PowerTools/x86_64/os/Packages/libedit-devel-3.1-23.20170329cvs.el8.x86_64.rpm
$ sudo dnf -y install php-devel
Build the driver
$ sudo pecl install mongodb
Add it to php
$ echo "extension=mongodb.so" | sudo tee /etc/php.d/20-mongodb.ini
Restart php-fpm service
$ sudo systemctl restart php-fpm
Installing PHP framework Phalcon version 3.4.5
Installing the necessary components
$ sudo yum -y install php-mysql libtool pcre-devel
Clone the repository and install the framework
$ cd /opt/
$ sudo git clone --branch 3.4.x --depth=1 "https://github.com/phalcon/cphalcon.git"
$ cd cphalcon/build
$ sudo ./install
Add it to php
$ echo "extension=phalcon.so" | sudo tee /etc/php.d/50-phalcon.ini
Restart php-fpm service
$ sudo systemctl restart php-fpm
Check if modules are loaded into php
$ php -m | egrep 'phalcon|mongodb'
Downloading and installing Passwork
Create a directory and go to it
$ sudo mkdir /opt/passwork
$ cd /opt/passwork
Clone the repository
$ sudo git init
$ sudo git remote add origin https://passwork.download/passwork/passwork.git
$ sudo git fetch
login:
pass:
$ sudo git checkout v4
Login, password and certificate can be requested at https://passwork.ru/ for testing
Copy the configuration file and set permissions on files and directories
$ sudo cp /opt/passwork/app/config/config.example.ini /opt/passwork/app/config/config.ini
$ sudo find /opt/passwork/ -type d -exec chmod 755 {} \;
$ sudo find /opt/passwork/ -type f -exec chmod 644 {} \;
$ sudo chown -R nginx. /opt/passwork/
Editing the configuration file
$ sudo nano /opt/passwork/app/config/config.ini
...
[application]
domain = https://passwork.itdraft.ru
Restoring the MongoDB database
$ sudo mongorestore --drop /opt/passwork/dump/
Configuring Nginx. Disable the default nginx config
$ sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf_disabled
Copying the repository config
$ sudo cp /opt/passwork/nginx.conf.example /etc/nginx/conf.d/nginx.conf
Configuring
$ sudo nano /etc/nginx/conf.d/nginx.conf
server unix:/run/php-fpm/www.sock;
root /opt/passwork/public/;
server_name passwork.itdraft.ru;
Restarting services
$ sudo systemctl restart nginx php-fpm
Install an SSL certificate so that the browser extension works
Generate a self-signed certificate, or use an existing one
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj '/CN=passwork.itdraft.ru' -addext 'subjectAltName=DNS:passwork.itdraft.ru' -keyout /etc/ssl/certs/passwork.key -out /etc/ssl/certs/passwork.crt
Create a Diffie-Hellman group
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Add it to our generated certificate
$ cat /etc/ssl/certs/dhparam.pem | sudo tee -a /etc/ssl/certs/passwork.crt
When the site is served over HTTPS, Chrome requires the Secure and SameSite flags on cookies. Enable them
$ sudo nano /etc/php.ini
...
session.cookie_secure = On
Disable the disableSameSiteCookie parameter in the passwork configuration file config.ini
$ sudo nano /opt/passwork/app/config/config.ini
[application]
...
disableSameSiteCookie = Off
Restarting services php-fpm and nginx
$ sudo systemctl restart php-fpm nginx
Configuring the Nginx config
$ sudo nano /etc/nginx/conf.d/nginx.conf
server {
listen 80;
server_name passwork.itdraft.ru;
rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
server_tokens off;
}
server {
listen 443 ssl;
server_name passwork.itdraft.ru;
# ssl on;
ssl_certificate /etc/ssl/certs/passwork.crt; # path to your cacert.pem
ssl_certificate_key /etc/ssl/certs/passwork.key; # path to your privkey.pem
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# secure settings (A+ at SSL Labs ssltest at time of writing)
# see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
ssl_prefer_server_ciphers on;
...
Done. You can now connect the browser extension
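The ssl_protocols line in the config above still enables TLSv1 and TLSv1.1, which RFC 8996 deprecates. The script below is an added example, not part of the original guide: it reports deprecated versions named in an nginx config and prints a copy with the directive replaced. The sample config is constructed, the function names are hypothetical, and the replacement assumes nginx is built against OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original guide: flag TLS versions that RFC 8996
# deprecates in an nginx config and emit a copy with them removed.

# Print, one per line, every deprecated protocol listed in an ssl_protocols
# directive of the file given as $1. Commented-out directives are ignored.
deprecated_tls_protocols() {
    sed 's/#.*//' "$1" | awk '
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i
                sub(/;$/, "", p)
                if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print p
            }
        }' | sort -u
}

# Write a copy of $1 to stdout with every active ssl_protocols directive replaced.
# Assumption: the nginx build links OpenSSL 1.1.1 or newer, so TLSv1.3 exists.
harden_tls_protocols() {
    sed 's/^\([[:space:]]*\)ssl_protocols[[:space:]][^;]*;/\1ssl_protocols TLSv1.2 TLSv1.3;/' "$1"
}

# Constructed sample mirroring the directives used in this guide.
make_sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name passwork.itdraft.ru;
    # ssl_protocols SSLv3;  (commented out, must not be reported)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF
}

# Run the audit before and after hardening on a temporary copy of the sample.
audit_demo() {
    tmp=$(mktemp -d)
    make_sample_conf > "$tmp/before.conf"
    harden_tls_protocols "$tmp/before.conf" > "$tmp/after.conf"
    echo "before: $(deprecated_tls_protocols "$tmp/before.conf" | tr '\n' ' ')"
    echo "after:  $(deprecated_tls_protocols "$tmp/after.conf" | tr '\n' ' ')"
    rm -rf "$tmp"
}

audit_demo
```

On a real host, point deprecated_tls_protocols at /etc/nginx/conf.d/nginx.conf and run nginx -t before reloading any edited config.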