
This is an old revision of the document!


Installation - Local via apt

Security message

  • This project is currently in Beta with many ongoing changes.
  • Whilst we're confident the majority of code is safe, nothing in life is 100% safe or risk-free. Writing functional, secure code is very difficult. The current fast pace of development/change may unintentionally introduce bugs/security issues. Use your best judgment before storing highly confidential information in the app. You may wish to consider running ITFlow on its own server, using a web-app firewall, restricting access (except /portal) to trusted IP addresses, etc.
  • ITFlow comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law

Install Overview

ITFlow runs on most “standard” Linux web servers. For the core functionality, you just need Apache, a database (MariaDB is highly recommended over MySQL) and PHP.

  1. Install a LAMP stack (Linux, Apache, MariaDB & PHP)
  2. Create a SQL database, username & password
  3. Clone ITFlow (https://github.com/itflow-org/itflow.git) in your web directory root
  4. Point your browser to https://itflow.yourdomain.com
  5. Go!

There's also a script that automates this process for you and uses Let's Encrypt certificates.

Ubuntu Setup Guide

Update apt

  • sudo apt update

Install Apache

  • sudo apt install apache2 -y

Install MariaDB

  • sudo apt install mariadb-server -y

Install PHP

  • sudo apt install php php-intl php-imap php-mailparse php-mysqli php-curl libapache2-mod-php -y

Install Git & whois

  • sudo apt install git whois -y

Harden your Linux installation. As a starting point:

  • MariaDB: sudo mysql_secure_installation
  • UFW: sudo ufw allow ssh && sudo ufw allow "Apache Full" && sudo ufw enable
  • Consider setting up a web app firewall, like ModSecurity

Enable PHP (hint: hit tab after typing php to get a suggested version number)

  • sudo a2enmod php8.1

Adjust PHP File Upload Limits

  • sudo nano /etc/php/8.1/apache2/php.ini (use the PHP version you enabled above) - Adjust:
    • upload_max_filesize = 20M
    • post_max_size = 20M

Enable SSL

  • sudo a2enmod ssl

Add your TLS certificate (public key) and private key. You could also use Let's Encrypt, but setting this up is beyond the scope of this guide.

  • Place the certificate (public key) at: /etc/ssl/certs/public.pem
  • Place the private key at: /etc/ssl/private/private.key

Adjust Apache's default SSL config to reflect the location of your keys:

  • sudo nano /etc/apache2/sites-available/default-ssl.conf - Adjust:
    • SSLCertificateFile /etc/ssl/certs/public.pem
    • SSLCertificateKeyFile /etc/ssl/private/private.key

Check Apache config

  • sudo apachectl configtest

Enable the default-ssl site

  • sudo a2ensite default-ssl

Reload Apache Service to apply the changes

  • sudo systemctl reload apache2

Test: HTTP & HTTPS

  • Check you can access the default Apache page using HTTP & HTTPS

Configure Apache to redirect HTTP to HTTPS

  • sudo nano /etc/apache2/sites-enabled/000-default.conf

Log in to the database

  • sudo mysql -u root

Create a new database for ITFlow

  • MariaDB> CREATE DATABASE itflow;
  • MariaDB> FLUSH PRIVILEGES;

Set up a user for the ITFlow app

  • MariaDB> CREATE USER 'itflow'@'localhost' IDENTIFIED BY 'supersecurepassword';
  • MariaDB> GRANT ALL PRIVILEGES on itflow.* to 'itflow'@'localhost';
  • exit

Clone ITFlow to the Apache web directory

Set the web folder to be owned by Apache

  • sudo chown -R www-data:www-data /var/www/html

Set web folder permissions (open to all for now; we'll tighten this after setup)

  • sudo chmod -R 777 /var/www/html

Run through the initial setup by navigating to your web server using HTTPS

  • Provide the database name, username, and password you set up earlier when prompted

Once complete, tidy up the webserver permissions

  • sudo find /var/www/html -type d -exec chmod 775 {} \;
  • sudo find /var/www/html -type f -exec chmod 664 {} \;
  • sudo chmod 640 /var/www/html/config.php
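
To confirm the tidy-up actually took effect, the following added example (not part of the ITFlow documentation or code) audits a web root against the modes set above: no world-writable leftovers from the temporary 777, no execute bits on files, and config.php at exactly 640. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not ITFlow project code. Function names are hypothetical.
# Audits a web root against the modes this guide sets after setup:
# directories 775, files 664, config.php 640.

# Anything still world-writable is a leftover from the temporary chmod -R 777.
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Regular files at 664 carry no execute bit for user, group or other.
list_executable_files() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print
}

# Returns 0 when the tree matches the guide, 1 (with findings printed) otherwise.
audit_webroot() {
    root=$1
    status=0
    leftovers=$(list_world_writable "$root")
    if [ -n "$leftovers" ]; then
        printf 'World-writable paths remain:\n%s\n' "$leftovers"
        status=1
    fi
    executables=$(list_executable_files "$root")
    if [ -n "$executables" ]; then
        printf 'Files with an execute bit:\n%s\n' "$executables"
        status=1
    fi
    # config.php gets the tightest mode in the guide, so require exactly 640.
    if [ ! -f "$root/config.php" ]; then
        echo "config.php not found; has the web setup been completed?"
        status=1
    elif [ -z "$(find "$root/config.php" -prune -perm 0640 -print)" ]; then
        echo "config.php is not mode 640"
        status=1
    fi
    return "$status"
}

# When run as a script with a path argument, audit that path.
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

Saved as a script, it can be run as sh audit.sh /var/www/html (the file name is an assumption); a non-zero exit status means at least one path still deviates from the modes above.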

Essential Housekeeping

  • Backups: Especially your master encryption key
  • Config.php: Check you don't need to add any specific variables (e.g. if you are not using HTTPS)
  • Cron: For scheduled activities
  • Email Configuration: To send outbound emails (invoicing, tickets, etc)
  • Email to Ticket: To receive inbound ticketing emails

Done!