Update INSTALL-rhel.md

made some changes to the installation of cerebrate, after new version requirements and lessons learnt.

INSTALL/INSTALL-rhel.md

@@ -1,12 +1,14 @@
-# Installing Cerebrate on RedHat Enterprise Linux (RHEL 8)
+# Installing Cerebrate on RedHat Enterprise Linux
->This installation instructions assume SELinux is enabled, and in Enforcing mode.
+>Instructions adapted from https://doc.cerebrate-project.org/install/
+>This installation instructions assume, you have RHEL 8 with SELinux enabled, and in Enforcing mode.
 >and that you want to keep it that way :)
 >You need to be root when running these commands.
 
 ## Prerequisites
 >Install needed packages:
 ```Shell
-dnf install @httpd mariadb-server git @php unzip sqlite vim wget  php-intl php-ldap php-mysqlnd php-pdo php-zip
+dnf install @httpd mariadb-server git unzip sqlite vim wget \
+            @php:8.0 php-intl php-ldap php-mysqlnd php-pdo php-zip
 ```
 ## Install composer 
 >Instructions taken from https://getcomposer.org/download/
@@ -39,9 +41,11 @@ FLUSH PRIVILEGES;
 QUIT;
 ```
 ## Allow ports through the firewall
+> 8001 for local access, (e.g. curl) and 
+> 8443 for remote access with proper certificates (SSL TLS).
 ```Shell
-firewall-cmd --zone=public --add-service=http         --permanent 
 firewall-cmd --zone=public --add-port=8001/tcp        --permanent
+firewall-cmd --zone=public --add-port=8443/tcp        --permanent
 ```
 > reload firewall and show applied firewall rules
 ```Shell
@@ -51,11 +55,19 @@ firewall-cmd --zone public --list-all
 
 ## Main Cerebrate Installation
 >Steps to install Cerebrate on RHEL
+>in order to run some commands you need to (temporarily) allow the apache user 
+>to login using *bash shell*
+```Shell
+usermod -s /bin/bash apache
+# in the end you need to set the login shell to *nologin*
+# usermod -s /sbin/nologin apache;
+```
 
 ### Clone this repository
 ```Shell
-mkdir /var/www/cerebrate
+mkdir -p /var/www/cerebrate;
-git clone https://github.com/cerebrate-project/cerebrate.git /var/www/cerebrate
+sudo chown apache:apache /var/www/cerebrate;
+sudo -u apache git clone https://github.com/cerebrate-project/cerebrate.git /var/www/cerebrate;
 ```
 
 ### Run composer
@@ -64,25 +76,21 @@ mkdir -p /var/www/.composer
 chown -R apache.apache  /var/www/.composer
 chown -R apache.apache  /var/www/cerebrate
 cd /var/www/cerebrate
-composer install 
+sudo -H -u apache composer install
 ```
->you will see a prompt: \
+
->`Do you trust "cakephp/plugin-installer" to execurte code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?]` \
->*repond with* `y` \
->`Do you trust "dealerdirect/phpcodesniffer-composer-installer" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?]` \
->*repond with* `y`
 
 ### Create your local configuration and set the db credentials
 ```Shell
-cp -a /var/www/cerebrate/config/app_local.example.php /var/www/cerebrate/config/app_local.php
+cp -a /var/www/cerebrate/config/app_local.example.php /var/www/cerebrate/config/app_local.php;
-cp -a /var/www/cerebrate/config/config.example.json /var/www/cerebrate/config/config.json
+cp -a /var/www/cerebrate/config/config.example.json /var/www/cerebrate/config/config.json;
 ```
 
 ### Modify the Datasource -> default array's in file `app_local.php`
 >Simply modify the `Datasources` section, to reflect your values for: username, password, and database 
 >fields, as configured in the above [#create-a-new-database-user-and-password-for-cerebrate](<#create-a-new-database-user-and-password-for-cerebrate>)
 ```Shell
-vim /var/www/cerebrate/config/app_local.php
+sudo -u apache vim /var/www/cerebrate/config/app_local.php;
 ```
 ```PHP
     'Datasources' => [
@@ -96,18 +104,12 @@ vim /var/www/cerebrate/config/app_local.php
 
 ### Run the database schema migrations
 ```Shell
-usermod -s /bin/bash apache
+chown -R apache.apache  /var/www/.composer;
+chown -R apache.apache  /var/www/cerebrate;
 
-chown -R apache.apache  /var/www/.composer
+sudo -u apache /var/www/cerebrate/bin/cake migrations migrate;
-chown -R apache.apache  /var/www/cerebrate
+sudo -u apache /var/www/cerebrate/bin/cake migrations migrate -p tags;
-
+sudo -u apache /var/www/cerebrate/bin/cake migrations migrate -p ADmad/SocialAuth;
-su apache <<'EOFi'
-/var/www/cerebrate/bin/cake migrations migrate
-/var/www/cerebrate/bin/cake migrations migrate -p tags
-/var/www/cerebrate/bin/cake migrations migrate -p ADmad/SocialAuth
-EOFi
-
-usermod -s /sbin/nologin apache
 ```
 
 
@@ -118,13 +120,14 @@ rm /var/www/cerebrate/tmp/cache/persistent/*
 ```
 
 ### copy the Apache httpd template to the default apache configuration folder
-> in our case we used apache to serve this website, NGINX could also be used.
+> in our case we use apache to serve this website.
 ```Shell
 cp -v /var/www/cerebrate/INSTALL/cerebrate_apache_dev.conf /etc/httpd/conf.d/.
 mkdir /var/log/apache2
 chown apache.root -R /var/log/apache2
 restorecon -Rv /etc/httpd/conf.d/*
 restorecon -Rv /var/log/*
+### Relabeled /var/log/apache2 from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:httpd_log_t:s0
 ```
 ### Make changes to the apache httpd site configuration file
 >Edit the file `/etc/httpd/conf.d/cerebrate_apache_dev.conf` change the two references of port 8000 to 8001
@@ -149,6 +152,8 @@ chown apache.apache /var/www/cerebrate
 ```
 systemctl enable httpd
 systemctl restart httpd
+# do not forget to set nologin for user apache
+usermod -s /sbin/nologin apache;
 ```
 
 ## Point your browser to: http://localhost:8001
@@ -158,3 +163,52 @@ systemctl restart httpd
 Username: admin
 Password: Password1234
 ```
+
+
+
+## Optional: Enable HTTPS secure connection to the site
+> if you also want to enable SSL TLS certificates, you need to do the following
+
+### copy the certificates in place
+vi   /etc/pki/tls/certs/cerebrate-chain.pem
+vi   /etc/pki/tls/private/cerebrate-key.pem
+chmod 600 /etc/pki/tls/private/cerebrate-key.pem
+
+### edit the configuration file to include the SSL Section.
+vim /etc/httpd/conf.d/cerebrate_apache_dev.conf
+```Shell
+Listen 8443 https
+
+<VirtualHost <your IP address:8443>
+        ErrorLog /var/log/apache2/cerebrate_ssl_error_log
+        TransferLog /var/log/apache2/cerebrate_ssl_access_log
+        LogLevel warn
+        SSLEngine on
+        SSLHonorCipherOrder on
+        SSLCipherSuite PROFILE=SYSTEM
+        SSLProxyCipherSuite PROFILE=SYSTEM
+        SSLCertificateFile    /etc/pki/tls/certs/cerebrate-chain.pem
+        SSLCertificateKeyFile /etc/pki/tls/private/cerebrate-key.pem
+
+        <FilesMatch "\.(cgi|shtml|phtml|php)$">
+                SSLOptions +StdEnvVars
+        </FilesMatch>
+        ServerName mycerebrate.<csirt.eu>
+        DocumentRoot /var/www/cerebrate/webroot
+        <Directory /var/www/cerebrate/webroot>
+                Options -Indexes
+                AllowOverride all
+                Order allow,deny
+                allow from all
+                SSLOptions +StdEnvVars
+        </Directory>
+
+        BrowserMatch "MSIE [2-5]" \
+                nokeepalive ssl-unclean-shutdown \
+                downgrade-1.0 force-response-1.0
+
+        CustomLog /var/log/apache2/cerebrate_ssl_request.log \
+                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+```