Non-docker Installation on Ubuntu Server 20.04

ciphermenial · April 30, 2020, 6:02am

Introduction

I was recently testing out Xibo for use within a school. I origianlly used the Docker install but ended up feeling more comfortable with a manual installation. I have installed it on Ubuntu Server 20.04 using Apache2 as the web server and enforcing TLS. I have placed the necessary certificate and key file under /etc/ssl/private. You will need to follow another guide for creating the required certificates. I recommend using Let’s Encrypt with their certbot.

Notes

The MariaDB and PHP versions installed here are not currently supported by Xibo.
The library location is /var/www/Library due to the installer writing the install log file to /var/www/library. The installer requires that the library directory be empty.
A local install of QuickChart is not covered in this guide but recommended.

Install Requirements

All of the requirements can be installed using apt.

sudo apt install mariadb-server mariadb-client apache2 php php-cli php-json php-dom php-mysql php-zip php-soap php-curl php-xml php-mbstring php-zmq libapache2-mod-xsendfile

Install Xibo CMS

When I am configuring server software outside of a package manager I always place it under the /srv folder. I will be installing Xibo under /srv/xibo-cms.

sudo mkdir /srv/xibo-cms
cd /srv/xibo-cms
sudo wget https://github.com/xibosignage/xibo-cms/releases/download/2.3.3/xibo-cms-2.3.3.tar.gz

This extracts the contents of the archive without placing it into a folder

sudo tar -xvzf xibo-cms-2.3.3.tar.gz --strip-components=1
sudo rm xibo-cms-2.3.3.tar.gz

The apache2 user ‘www-data’ needs to be set as owner of all the extracted items.

sudo chown -R www-data:www-data /srv/xibo-cms

This deletes the existing /var/www directory and creates a symlink to /srv/xibo-cms.

sudo rm -r /var/www
sudo ln -s /srv/xibo-cms /var/www

Configure Apache2

This enables the necessary apache2 modules and creates a site configuration using vim.

sudo a2enmod rewrite
sudo a2enmod ssl
sudo vim /etc/apache2/sites-available/xibo-cms.conf

xibo-cms.conf

<VirtualHost *:80>
    DocumentRoot "/var/www/web"
    ServerName xibo.domain.com
    XSendFile on
    XSendFilePath /var/www/Library
    <Directory "/var/www/web">
        AllowOverride All
        Options Indexes FollowSymLinks MultiViews
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/var/www/web"
    ServerName xibo.domain.com
    XSendFile on
    XSendFilePath /var/www/Library
    SSLEngine on
    SSLCertificateFile "/etc/ssl/private/ssl-cert.pem"
    SSLCertificateKeyFile "/etc/ssl/private/ssl-private-key.pem"
    <Directory "/var/www/web">
        AllowOverride All
        Options Indexes FollowSymLinks MultiViews
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>

This disables the default site and enables the newly created xibo-cms site configuration.

sudo a2dissite 000-default.conf
sudo a2ensite xibo-cms.conf

Configure MariaDB

This configures a root password for MariaDB. Make sure to change MY_NEW_PASSWORD to your password of choice.

sudo mysql
ALTER USER 'root'@'localhost' IDENTIFIED BY 'MY_NEW_PASSWORD';
FLUSH PRIVILEGES;
quit

Configure PHP

PHP configuration needs to be modified to allow upload of larger files.

sudo vim /etc/php/7.4/apache2/php.ini

Modify the following lines as shown

max_execution_time = 300
memory_limit = 256M
post_max_size = 2G
upload_max_filesize = 2G
session.cookie_secure = Off
session.cookie_httponly = On
session.cookie_samesite = Lax

Configure XMR

Create XMR Configuration File

sudo vim /srv/xibo-cms/vendor/xibosignage/xibo-xmr/bin/config.json

Enter the following information and change the pubOn IP address to the public IP of the server.

{
    "listenOn": "tcp://127.0.0.1:50001",
    "pubOn": ["tcp://192.168.1.1:9505"],
    "debug": false
}

sudo chown www-data:www-data /srv/xibo-cms/vendor/xibosignage/xibo-xmr/bin/config.json

Create XMR service

sudo vim /etc/systemd/system/xibo-xmr.service

Enter the following.

[Unit]
Description=Xibo XMR
After=network.target

[Service]
User=www-data
Group=www-data
ExecStart=/usr/bin/php /srv/xibo-cms/vendor/bin/xmr.phar
Restart=always
KillMode=process
RestartSec=1

[Install]
WantedBy=multi-user.target

Start the service

sudo systemctl daemon-reload
sudo systemctl enable xibo-xmr.service
sudo systemctl start xibo-xmr.service

Check the status of the xibo-xmr service to confirm it is working.

sudo systemctl status xibo-xmr.service

Configure XTR

sudo crontab -u www-data -enable

Select the editor you prefer and then enter the following line.

* * * * * /usr/bin/php /var/www/bin/xtr.php

Configure Firewall

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 9505/tcp
sudo ufw enable

Complete Installation

sudo systemctl restart apache2

You can now browse to the server at the location you configured in the xibo-cms.conf

alex · April 30, 2020, 1:28pm

Thanks for taking the time to write this.

A few notes for anyone else thinking of following this guide.

PHP 7.4 isn’t supported by any version of Xibo at the time of writing - so there’s a chance you may encounter issues as a result. The same is true of MariaDB.

The guide configures XMR but never runs it as a service so it won’t actually work, and the configuration listed is insecure unfortunately. The XMR private port should be bound to the loopback interface or firewalled.

The guide also omits installing QuickChart. By default that means that QR codes and charts generated by the CMS will be rendered by a third party service (quickchart.io). The docker install, and the recommended configuration is to run quickchart locally so no sensitive data leaves your local machine.

There’s some Apache/PHP hardening applied by default in the Docker container that is missed out here, and also the guide doesn’t cover installing mod-x-sendfile and configuring that, so you may find that large files either don’t download properly or cause significant server load when the Players download them.

Finally we don’t recommend configuring the webserver to redirect non-SSL traffic to SSL. That’s because in some configurations, the Players need to be able to make a non-SSL call to pickup the correct date and time from the CMS in order to make a subsequent SSL connection. You can force HTTPS by enabling that option in the CMS and it will redirect all but that call to SSL for you.

ciphermenial · April 30, 2020, 9:36pm

Thanks for the info. I was going to look into hardening the install. I will update the guide once I’m done. I’ll also add a firewall configuration too.

Are there instructions anywhere for how to configure mod-x-sendfile?

alex · May 2, 2020, 2:17pm

You can take a look at the Dockerfile for the Docker containers. Broadly you need to install and enable the module, and then configure it like this:

Then enable it in the main CMS settings by setting “Sendfile Mode” to “Apache”.

ciphermenial · May 5, 2020, 5:58am

I was wondering if I would be able to update my original post? It is not letting me edit it anymore.

alex · May 5, 2020, 7:03am

You should be able to edit it. At the bottom of the post there’s three dots. You click on that, then the pencil icon.

ciphermenial · May 5, 2020, 10:59am

Nah. Not letting me.

alex · May 5, 2020, 11:13am

If you post a new copy then with your changes I’ll replace your original post instead, although it looks to me like your original post has been edited already?

I just spotted in your edited version, you don’t want:

sudo ufw allow 50001/tcp

The XMR private port should only be available to the CMS. It must not be exposed to the LAN/Internet. You should allow it based on the destination IP being the loopback interface ideally.

ciphermenial · May 5, 2020, 11:27am

I’ll update it with that and repost tomorrow. Thanks!

alex · May 6, 2020, 7:05am

Thank you. I’ve updated the original post.

talipcakir · May 28, 2020, 9:51am

[Unit]
Description=Xibo XMR
After=network.target

[Service]
User=www-data
Group=www-data
ExecStart=/usr/bin/php /srv/xibo-cms/vendor/bin/xmr.phar
Restart=always
KillMode=process

[Install]
WantedBy=multi-user.target

Add service config

RestartSec=1

If it is not set like this, the system may become blocked.

talipcakir · May 28, 2020, 10:31am

ciphermenial:

xibo-cms.conf

<VirtualHost *:80>
    DocumentRoot "/var/www/web"
    ServerName xibo.domain.com
    XSendFile on
    XSendFilePath /var/www/Library
    <Directory "/var/www/web">
        AllowOverride All
        Options Indexes FollowSymLinks MultiViews
        Order allow,deny
        Allow from all
        Require all granted
    </Directory
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/var/www/web"
    ServerName xibo.domain.com
    XSendFile on
    XSendFilePath /var/www/Library
    SSLEngine on
    SSLCertificateFile "/etc/ssl/private/ssl-cert.pem"
    SSLCertificateKeyFile "/etc/ssl/private/ssl-private-key.pem"
    <Directory "/var/www/web">
        AllowOverride All
        Options Indexes FollowSymLinks MultiViews
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>

missing character “>”

</Directory>

apache2 gives an error that needs to be fixed.

alex · May 28, 2020, 11:04am

Thanks. I’ve made those two modifications.

alex · June 17, 2020, 6:44am

Thanks. That works for a patch version upgrade. For a minor or major you’d also need to run the database migrations.

Elwand25 · July 7, 2022, 12:10pm

this is useful information

ciphermenial · September 19, 2022, 11:57pm

Install Xibo on Ubuntu | Cipher Menial Updated guide