Introduction
Snipe-IT is a free and open-source project designed to handle IT asset management. It can handle keeping track of assets such as laptops, software, and licenses, their purchase dates, and other corresponding information. It's built with PHP and the Laravel framework and relies upon MySQL as a database for storing and retrieving its data.
Prerequisites
- A Rcs CentOS 7 instance.
- A sudo user.
- A fully-qualified domain name.
- A DNS A record from your fully-qualified domain name to your instance's IP.
1. Configure Firewall
CentOS comes with firewalld as the default firewall and is configured to only allow incoming traffic for SSH (port 22) by default. However, it is necessary to allow incoming traffic for HTTP and HTTPS on ports 80 and 443, respectively, for the Snipe-IT installation to be accessible to the internet. Certbot also requires these ports to be open to verify your domain name and issue an HTTPS certificate.
Open these ports using firewall-cmd.
$ sudo firewall-cmd --permanent --add-port=80/tcp
$ sudo firewall-cmd --permanent --add-port=443/tcp
Now, reload the firewall to make the new configuration changes active.
$ sudo firewall-cmd --reload
2. Install EPEL Repository
Some of the packages required for this guide are only available in the EPEL (Extra Packages for Enterprise Linux) repository. The EPEL repository is maintained by a Special Interest Group on the Fedora project, which Red Hat sponsors. The EPEL repository provides the Certbot and Certbot Nginx plugin packages required for this guide.
Install the epel-release package.
$ sudo yum install -y epel-release
3. Install Remi Repository
CentOS 7's repositories ship PHP version 5.4, while Snipe-IT requires a minimum PHP version of 7.2.5 and its documentation recommends PHP 7.4. To work around this, use the Remi repository, which provides newer versions of PHP for CentOS, including 7.4.
Install the repository's package.
$ sudo yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm
Install YUM utilities.
$ sudo yum install -y yum-utils
Configure YUM to prefer installing PHP 7.4 from Remi's repository instead of the older PHP version from the default CentOS repository.
$ sudo yum-config-manager --enable remi-php74
4. Install Nginx
Nginx is an extensible web server with many features such as load balancing, reverse proxying, HTTP caching, and more. It is also supported in Certbot, which makes it easy to obtain and renew HTTPS certificates using the running Nginx server.
Install the nginx package.
$ sudo yum install -y nginx
Start the Nginx service and enable it to start on boot automatically.
$ sudo systemctl enable nginx.service
$ sudo systemctl start nginx.service
5. Install Certbot
Certbot is a tool for automatically obtaining an HTTPS certificate through Let's Encrypt. Let's Encrypt verifies ownership of the domain name by having the server serve verification files and then attempting to fetch them. Certbot integrates with Nginx through the Certbot Nginx plugin and uses the running Nginx server to serve the verification files. Using an HTTPS certificate on the web server encrypts traffic between the browser and the server. It also helps prevent MITM (man-in-the-middle) attacks.
Install the packages.
$ sudo yum install -y python2-certbot python2-certbot-nginx
6. Obtain an HTTPS Certificate
Use Certbot to obtain an HTTPS certificate for the domain using the running Nginx server. The email provided will be used by Let's Encrypt to notify you if the certificate is about to expire or if the certificate is misconfigured.
Make sure to replace user@example.com with your email.
Make sure to replace snipeit.example.com with your fully-qualified domain name.
$ sudo certbot certonly --agree-tos --no-eff-email --nginx -m user@example.com -d snipeit.example.com
7. Automatically Renew HTTPS Certificates
By default, Certbot does not automatically renew HTTPS certificates. If the HTTPS certificate expires, the connection to the server may stop working and show a security warning in the browser. This can be prevented by using cron to start Certbot to renew the certificates automatically.
Edit the crontab.
$ sudo crontab -e
Press I to edit the file and insert the following line. This will configure cron to run Certbot every day and renew any certificates that are about to expire.
0 0 * * * certbot renew
Press Esc, type :wq and press Enter to save and exit.
8. Install MariaDB
MariaDB is a community-developed, commercially supported fork of the MySQL relational database licensed under the GPL. It's intended to be a drop-in replacement for MySQL with improved performance and scalability by providing a newer and more optimized storage engine.
Install the packages.
$ sudo yum install -y mariadb mariadb-server
Start the MariaDB service and enable it to start on boot automatically.
$ sudo systemctl start mariadb.service
$ sudo systemctl enable mariadb.service
9. Configure MariaDB
MariaDB ships by default with a blank root password and an insecure configuration in order for it to be easier to configure. It comes with a secure installation script intended to set the root password and configure the server with secure defaults.
Run the secure installation script.
$ sudo mysql_secure_installation
When prompted for the current password for root, press Enter for none.
When asked to supply a new root password, make sure to use a secure password. That password will be used in future steps throughout the guide for managing the database. Therefore, it is recommended to store this password somewhere safe.
Answer Y or press Enter for all remaining prompts.
10. Create a Database
Log in to MariaDB as the root user. Use the password from step #8.
$ sudo mysql -u root -p
Create a new database called snipeit.
CREATE DATABASE snipeit;
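MariaDB, by default, comes with only the root user, which should only be used for administering the server and should not be used to connect from any applications. Create a new user called snipeit. The statement below uses snipeit as the password; replace it with a strong, unique password and use the same value for DB_PASSWORD when editing the .env file in step 14.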
CREATE USER snipeit@localhost IDENTIFIED BY 'snipeit';
New users by default will have no permissions. Grant the newly created user snipeit all permissions on the newly created database snipeit.
GRANT ALL PRIVILEGES ON snipeit.* TO snipeit@localhost;
Now, force MariaDB to reload its privileges table. This will make the newly configured permissions for the snipeit user effective.
FLUSH PRIVILEGES;
Exit the shell by pressing Control + D.
11. Install PHP
PHP is the language and runtime required to run Snipe-IT on the server. In addition, the PHP-FPM package provides PHP FastCGI Manager, which allows Nginx to communicate with PHP and execute PHP scripts. The rest of the packages are dependencies required by Snipe-IT and Composer and the driver for connecting to the MariaDB database.
Install the packages.
$ sudo yum install -y php php-fpm php-ldap php-bcmath php-mbstring php-pdo php-simplexml php-dom php-gd php-mysqlnd
For PHP-FPM to communicate with Nginx, a few changes are required to the configuration file.
Edit the PHP-FPM configuration file.
$ sudo vi /etc/php-fpm.d/www.conf
Press I to edit the file and edit the lines below accordingly.
user = nginx
group = nginx
listen = /run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
Press Esc, type :wq and press Enter to save and exit.
Start the PHP-FPM service and enable it to start on boot automatically.
$ sudo systemctl start php-fpm.service
$ sudo systemctl enable php-fpm.service
12. Install Composer
Composer is a dependency manager for PHP projects. Snipe-IT uses it, so it is required for installing Snipe-IT and its dependencies. It's also used for updating dependencies when newer releases come out.
Install the required packages.
$ sudo yum install -y composer
13. Install Git
Git is a version control system and will be used for obtaining and updating the source code for Snipe-IT. It's the recommended download method from the Snipe-IT documentation. It also allows for easily obtaining and updating to newer releases of Snipe-IT.
Install the git package.
$ sudo yum install -y git
14. Install Snipe-IT
Use git to clone the source code into the /var/www directory.
$ sudo git clone --depth=1 https://github.com/snipe/snipe-it /var/www/snipeit
$ cd /var/www/snipeit
Make a copy of the example configuration file and edit it.
$ sudo cp .env.example .env
$ sudo vi .env
Press I to edit the file. Find the following lines and edit accordingly.
Make sure to replace snipeit.example.com with your fully-qualified domain name, and set DB_PASSWORD to the password you gave the snipeit database user.
APP_URL=https://snipeit.example.com
DB_DATABASE=snipeit
DB_USERNAME=snipeit
DB_PASSWORD=snipeit
Press Esc, type :wq and press Enter to save and exit.
Configure the required permissions so Nginx and PHP can read and write to the storage and public/uploads directories.
$ sudo chown -R nginx:nginx storage public/uploads
$ sudo chmod -R 755 storage public/uploads
Install the latest required dependencies by using Composer.
$ sudo composer install --no-dev
Generate a new random app key.
$ sudo php artisan key:generate --force
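An added check, not part of the original guide or of Snipe-IT: the script below audits the .env file written in this step for a database password equal to the user name, an ungenerated app key, and a file mode that lets every local user read it. APP_DEBUG is a standard Laravel setting the guide does not mention, the 16-character threshold is this example's own choice, and the sample input is constructed.

```bash
#!/usr/bin/env bash
# Added example: audit a Snipe-IT .env file for weak settings.

# Print the value of KEY from a dotenv FILE (last assignment wins, quotes stripped).
env_get() {  # usage: env_get FILE KEY
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Print one "FINDING:" line per problem; return 0 if clean, 1 otherwise.
audit_env() {  # usage: audit_env FILE
    local f="$1" findings=0 user pass url key debug mode
    flag() { echo "FINDING: $*"; findings=$((findings + 1)); }
    user=$(env_get "$f" DB_USERNAME)
    pass=$(env_get "$f" DB_PASSWORD)
    url=$(env_get "$f" APP_URL)
    key=$(env_get "$f" APP_KEY)
    debug=$(env_get "$f" APP_DEBUG)

    if [ -z "$pass" ]; then
        flag "DB_PASSWORD is empty"
    elif [ "$pass" = "$user" ]; then
        flag "DB_PASSWORD is the same as DB_USERNAME"
    elif [ "${#pass}" -lt 16 ]; then   # 16 is this example's threshold
        flag "DB_PASSWORD is shorter than 16 characters"
    fi
    case $url in https://*) ;; *) flag "APP_URL does not use https" ;; esac
    # php artisan key:generate writes the key as base64:<random bytes>.
    case $key in base64:?*) ;; *) flag "APP_KEY has not been generated" ;; esac
    if [ "$debug" = "true" ]; then flag "APP_DEBUG=true shows errors to visitors"; fi
    # The file holds the DB password and app key: no access for "other".
    mode=$(stat -c %a "$f")   # GNU stat, as on CentOS
    case $mode in *0) ;; *) flag "mode $mode lets any local user access the file" ;; esac
    [ "$findings" -eq 0 ]
}

# Constructed sample: the guide's database values, before key:generate has run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
APP_URL=https://snipeit.example.com
APP_KEY=ChangeMe
APP_DEBUG=false
DB_USERNAME=snipeit
DB_PASSWORD=snipeit
EOF
chmod 644 "$sample"
audit_env "$sample" || echo "audit failed"
rm -f "$sample"
```

With PHP-FPM running as user and group nginx (step 11), `chown root:nginx .env` followed by `chmod 640 .env` keeps the file readable by the application but not by other local users.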
15. Configure Nginx
Create a configuration file for Nginx.
$ sudo vi /etc/nginx/conf.d/snipeit.conf
Press I to edit the file, and insert the following lines.
Make sure to replace snipeit.example.com with your fully-qualified domain name.
server {
    listen 80;
    listen [::]:80;
    server_name snipeit.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name snipeit.example.com;
    ssl_certificate /etc/letsencrypt/live/snipeit.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/snipeit.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    root /var/www/snipeit/public;
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    location ~ \.php$ {
        try_files $uri $uri/ =404;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Press Esc, type :wq and press Enter to save and exit.
Test the Nginx configuration file for errors. Common mistakes include missing HTTPS certificates, syntax errors, and invalid server names.
$ sudo nginx -t
Restart the Nginx service to make the new configuration effective.
$ sudo systemctl restart nginx.service
16. Configure SELinux
CentOS ships with SELinux, a Linux kernel security module that provides mandatory access controls. By default, this prevents some of the different pieces of software from communicating with one another. This can be fixed by configuring the correct policies.
Configure SELinux to allow Nginx and PHP to write to the directory where Snipe-IT is installed. This is done by changing the SELinux security context on the files in the Snipe-IT installation directory to one that allows Nginx to have read and write access.
$ sudo chcon -R --type=httpd_sys_rw_content_t /var/www/snipeit
Configure SELinux to allow Nginx and PHP to connect to the MariaDB database over TCP. This is done by changing an SELinux boolean value for allowing HTTP daemons to connect to databases.
$ sudo setsebool -P httpd_can_network_connect_db 1
17. Configure Snipe-IT
Navigate to your fully-qualified domain name in a browser. The page should start with a heading that says "Snipe-IT Pre-Flight" with steps labeled at the top.
If there is an error that says, "Your connection is not private," make sure that your browser is navigated to the correct location and that the HTTPS certificate is properly configured.
Verify that all of the items in the table for the "Pre-Flight Check" are valid and correct. If any settings are misconfigured, they can be changed by editing the /var/www/snipeit/.env file. Once verified, click "Next: Create Database Tables" at the bottom of the page.
The page should now say, "Your database tables have been created." If this fails, there may be a problem with the database connection or credentials. Continue by clicking the button that says "Next: Create User" at the bottom of the page.
Configure the new user and other settings for the Snipe-IT instance, and click the button that says "Next: Get Started" at the bottom of the page once done. This will bring you to the admin panel.