# iTop 2.7 Installation Notes

## Software and hardware requirements

iTop is a PHP and MySQL based application with the following software requirements:

• A web server such as Nginx or Apache
• Graphviz, used to render the impact analysis graphs
• Required PHP modules: ctype, dom, iconv, json, mysqli, soap
• php-gd is optional, but it is required if you want to upload and resize images in CKEditor.
• A fresh 2.7 installation defaults to the Sodium encryption library; to use another encryption method, install the corresponding PHP module.
• The minimum database version is MySQL 5.6 or MariaDB 10.1; MariaDB 10.3 or MySQL 5.7 is recommended. MySQL 8 works but is not recommended if you have high volumes of data.
• Galera clusters with multiple masters are NOT supported by iTop, because such clusters do not properly implement the GET_LOCK MySQL function.

## Installing dependencies

### PHP

See reference 4 for PHP parameter tuning. Recommended settings:

### MySQL

Ubuntu 19.10 ships MySQL 8 by default. Set the password as follows, using the mysql_native_password authentication plugin.
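The setup wizard only needs an account that owns the iTop schema, so do not hand it the MySQL root account. The script below is an added example (not from the original notes or from iTop): it prints the statements that create a dedicated `itop` user with the `mysql_native_password` plugin and privileges on the iTop database only, with the password escaped for a SQL literal and never placed on a command line. Assumptions: MySQL 8 on the same host, root reachable with `sudo mysql` (Ubuntu's auth_socket), database `itop`, user `'itop'@'localhost'`, password stored in `/root/itop-db.pass`.

```shell
#!/bin/sh
# Added example: bootstrap a least-privilege MySQL account for iTop 2.7.
# Assumes MySQL 8 on localhost and that "mysql" run as root authenticates via auth_socket.
set -eu

# sql_quote STRING: make a value safe inside a single-quoted MySQL string literal.
# Backslashes are doubled (MySQL treats "\" as an escape unless NO_BACKSLASH_ESCAPES
# is set, assumed off here) and single quotes are doubled.
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# itop_db_bootstrap_sql DB USER PASSWORD: print the SQL to stdout.
# The database itself is left to the iTop setup wizard (it picks the charset it
# needs); MySQL allows granting on a database that does not exist yet.
# mysql_native_password is used as in the notes above so any PHP mysqli build can
# authenticate; keep MySQL 8's default caching_sha2_password if your PHP supports it.
# No global privileges are granted: the account can only touch DB.*.
itop_db_bootstrap_sql() {
    db=$1; user=$2; pass=$(sql_quote "$3")
    cat <<EOF
CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED WITH mysql_native_password BY '$pass';
GRANT ALL PRIVILEGES ON $db.* TO '$user'@'localhost';
EOF
}

if [ "$#" -eq 2 ]; then                      # usage (as root): sh itop-db.sh itop itop
    passfile=/root/itop-db.pass              # assumed location for the generated password
    ( umask 077; tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32 > "$passfile" )
    itop_db_bootstrap_sql "$1" "$2" "$(cat "$passfile")" | mysql
    echo "password for $2 stored in $passfile; enter it in the setup wizard" >&2
fi
```

Run it once as root, then type the database name, user and the generated password into the setup wizard. The password is read from a root-only file rather than passed as an argument, for the same reason the cron section below keeps credentials out of the command line.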

### Nginx configuration

Nginx must be configured to pass PATH_INFO to PHP; the Portal depends on it.

Contents of enble-php-pathinfo.conf:

pathinfo.conf:

### APCu

If you are using APCu on multiple instances, the cache must be cleared on all instances after a Move To Production. As there is no tool for doing this, in practice this means:

• either restart all web servers
• or do not use APCu

## Installing iTop

### Interactive installation

The latest iTop release can be downloaded from SourceForge. Unpack it into the web root, set the correct permissions, then open domain/setup/ in a browser to start the installer.

### Background tasks

In order to operate properly, iTop maintenance operations and asynchronous tasks must be executed on a regular basis. To ease installation, all background tasks are grouped together and launched from a single file: webservices/cron.php

The following features rely on cron.php being activated:

• Notifications when a ticket reaches a threshold (TTO/TTR) will not be sent unless this script is called. (Task: CheckStopWatchThresholds)
• Checking ticket SLAs: tickets reaching the limits are moved into the Escalation TTO/TTR states.
• Automated backups.
• Automatic deletion of orphaned attachments and inline images created during an object creation or edit that was cancelled (Task: InlineImageGC, which runs hourly)
• Asynchronous emails. This option is disabled by default; to enable it, set 'email_asynchronous' to 1 in the configuration file (Task: ExecAsyncTask)
• Many extensions rely on this cron as well, for example: Ticket Creation from Email, Approval Automation, Communication to Customers, …

Since the arguments passed to cron.php on the command line are visible to other users on the system (for example in `ps` output), the recommended practice is to move all sensitive parameters off the command line. This is the purpose of the "parameter file", passed with --param_file: it holds one `name = value` per line, typically auth_user and auth_pwd for the iTop account the cron runs under.

The following related settings are not parameter-file entries; they live in the iTop configuration file (conf/production/config-itop.php):

• cron_max_execution_time: Duration (seconds) of the page cron.php; must be shorter than the PHP setting max_execution_time and shorter than the web server response timeout
• cron_sleep: Duration (seconds) before cron.php checks again whether something must be done
• email_asynchronous: If set to 1, emails are sent offline, which requires cron.php to be activated. Exception: some features such as the email test utility force the synchronous mode
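Putting the above together, here is an added example (not from the original notes or from iTop) that writes the parameter file with a restrictive mode and installs a /etc/cron.d entry that runs cron.php every five minutes. Assumptions: iTop is unpacked in /var/www/itop, Nginx/PHP-FPM run as www-data, the parameter file is /etc/itop/cron.params, the log goes to /var/log/itop-cron.log, and a dedicated iTop account is used for the cron rather than the main admin account (the task still needs an account with administrator rights in iTop).

```shell
#!/bin/sh
# Added example: run iTop's webservices/cron.php with credentials kept off argv.
# Assumes iTop in /var/www/itop and a web server user www-data.
set -eu

# write_cron_param_file FILE USER PASSWORD
# iTop's parameter file is one "name = value" per line. The subshell's umask 077
# makes a new file mode 0600, so other local users cannot read the credentials,
# which is the whole point of moving them off the command line.
write_cron_param_file() {
    file=$1; user=$2; pass=$3
    ( umask 077; printf 'auth_user = %s\nauth_pwd = %s\n' "$user" "$pass" > "$file" )
}

# cron_d_entry WEBROOT PARAMFILE RUNAS: print the /etc/cron.d line (which, unlike a
# user crontab, carries a user field). Running as the web server user keeps files
# written under data/ and log/ owned by the same account Nginx/PHP-FPM use.
cron_d_entry() {
    webroot=$1; paramfile=$2; runas=$3
    printf '*/5 * * * * %s /usr/bin/php -q %s/webservices/cron.php --param_file=%s >> /var/log/itop-cron.log 2>&1\n' \
        "$runas" "$webroot" "$paramfile"
}

# install_itop_cron USER PASSWORD: must run as root.
install_itop_cron() {
    install -d -m 0750 -o root -g www-data /etc/itop
    write_cron_param_file /etc/itop/cron.params "$1" "$2"
    chown root:www-data /etc/itop/cron.params
    chmod 0640 /etc/itop/cron.params          # root writes it, only www-data reads it
    touch /var/log/itop-cron.log
    chown www-data:www-data /var/log/itop-cron.log
    cron_d_entry /var/www/itop /etc/itop/cron.params www-data > /etc/cron.d/itop
    chmod 0644 /etc/cron.d/itop
}

if [ "$#" -eq 1 ]; then                      # usage (as root): sh itop-cron.sh CRON_ITOP_USER
    printf 'iTop password for %s: ' "$1" >&2
    stty -echo; read -r pw; stty echo; echo >&2   # prompt instead of taking it from argv
    install_itop_cron "$1" "$pw"
fi
```

After installing, check that `ps` shows only `--param_file=/etc/itop/cron.params` for the running job and that `/var/log/itop-cron.log` fills up every five minutes; if it does not, run the same php command by hand as www-data (`sudo -u www-data php -q /var/www/itop/webservices/cron.php --param_file=/etc/itop/cron.params --verbose=1`) to see the error.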

## Security settings

### Permissions on critical directories

The following directories must be denied to web users:

• conf : directory and all of its content
• data : directory and all of its content
• datamodels : allow only files having one of those extensions : css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html
• env-* : allow only files having one of those extensions : css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html
• extensions : allow only files having one of those extensions : css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html
• lib : directory and all of its content
• log : directory and all of its content

You should also prevent directory listing.

### Use HTTPS

You should serve your pages only over HTTPS.

As Wikipedia puts it: it protects against man-in-the-middle attacks. The bidirectional encryption of communications between a client and server protects against eavesdropping on and tampering with the communication.

### Preventing session theft

While PHP's default configuration is reasonable from a security point of view, it can be improved: you should change the default value of these entries:

• session.cookie_httponly: enable it so that malicious JavaScript cannot read the user's session cookie
• session.cookie_secure: if you use HTTPS, enable this directive so that cookies are only sent over secure connections
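The PHP section above left its recommended settings open, and the two directives here are the ones that matter most; the script below is an added example (not from the original notes or from iTop) that applies them idempotently to a php.ini. It replaces an existing line whether it is active or commented out with `;`, appends the directive if it is absent, and adds `session.use_strict_mode` (my addition, not in the notes), which makes PHP reject session IDs it did not issue and so blocks session fixation. Assumption: the PHP-FPM ini is `/etc/php/7.3/fpm/php.ini` (PHP 7.3 on Ubuntu 19.10); pass another path if yours differs.

```shell
#!/bin/sh
# Added example: harden PHP session cookie settings in php.ini without duplicating keys.
# Assumes the FPM php.ini at /etc/php/7.3/fpm/php.ini (Ubuntu 19.10 / PHP 7.3).
set -eu

# php_ini_set FILE KEY VALUE
# Matches "KEY = ..." or ";KEY = ..." (any leading whitespace) and rewrites it to
# "KEY = VALUE"; appends the directive if no such line exists. Repeated runs converge.
# Values containing "|" would need another sed delimiter.
php_ini_set() {
    file=$1; key=$2; value=$3
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')     # "." in ini keys is literal
    tmp=$(mktemp)
    if grep -Eq "^[[:space:]]*;?[[:space:]]*$key_re[[:space:]]*=" "$file"; then
        sed -E "s|^[[:space:]]*;?[[:space:]]*$key_re[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s = %s\n' "$key" "$value"; } > "$tmp"
    fi
    cat "$tmp" > "$file"                 # write in place so owner/mode of php.ini survive
    rm -f "$tmp"
}

# harden_php_sessions FILE: the two directives from the notes plus use_strict_mode.
harden_php_sessions() {
    php_ini_set "$1" session.cookie_httponly 1
    php_ini_set "$1" session.cookie_secure 1      # only once the site is HTTPS-only
    php_ini_set "$1" session.use_strict_mode 1    # reject session IDs PHP did not create
}

if [ "$#" -ge 1 ]; then                           # usage: sh php-sessions.sh /etc/php/7.3/fpm/php.ini
    harden_php_sessions "$1"
    echo "reload PHP-FPM (e.g. systemctl reload php7.3-fpm) for the change to apply" >&2
fi
```

Verify with a phpinfo() page served through Nginx rather than with `php -i`: on Ubuntu the CLI reads a separate /etc/php/7.3/cli/php.ini, so the CLI result says nothing about what PHP-FPM is using.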

### Additional HTTP headers

• Strict-Transport-Security set to "max-age=63072000; includeSubDomains" (in Apache the header is added with env=HTTPS so it is only sent on HTTPS responses), forcing browsers to use HTTPS
• X-Frame-Options set to "sameorigin". This indicates whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. (Note that this header controls whether iTop's own pages may be framed by another origin, for example when embedding iTop into Grafana or the Kubernetes Dashboard; embedding those tools inside iTop is governed by the headers they send, not by this one.)
• X-Content-Type-Options set to "nosniff". This opts out of MIME type sniffing: the browser must not second-guess the MIME type advertised in the Content-Type header.
• Content-Security-Policy helps detect and mitigate cross-site scripting (XSS) and data injection attacks. Start with Content-Security-Policy-Report-Only and tighten the policy once the violation reports are clean, since a strict policy breaks applications that rely on inline scripts.
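The Nginx section above needs PATH_INFO for the Portal, the permissions section lists the directories to deny, and this section adds HTTPS and the headers; all of that ends up in one vhost. The script below is an added example (not from the original notes and not iTop's own sample configuration) that renders such a vhost. Assumptions: iTop is served at the site root of WEBROOT (not under a sub-path), PHP-FPM listens on a Unix socket, a certificate is already issued at the paths shown, and the three arguments contain no `|` (the sed delimiter). The PHP handler passes PATH_INFO explicitly, which is what pages/exec.php/... (the dispatcher the Portal is reached through) needs; the `deny` rule for dotfiles is my addition, since iTop ships Apache .htaccess files that Nginx would otherwise serve as text.

```shell
#!/bin/sh
# Added example: render a hardened Nginx vhost for iTop 2.7 (PATH_INFO, denied
# directories, HTTPS-only, security headers). Assumes iTop at the site root.
set -eu

# render_itop_nginx_conf WEBROOT HOSTNAME PHP_FPM_SOCKET -> vhost text on stdout
render_itop_nginx_conf() {
    sed -e "s|__ROOT__|$1|g" -e "s|__HOST__|$2|g" -e "s|__PHP_SOCK__|$3|g" <<'EOF'
server {
    listen 80;
    server_name __HOST__;
    return 301 https://$host$request_uri;            # HTTPS only
}

server {
    listen 443 ssl http2;
    server_name __HOST__;
    root __ROOT__;
    index index.php;

    ssl_certificate     /etc/ssl/certs/__HOST__.crt;  # assumed certificate paths
    ssl_certificate_key /etc/ssl/private/__HOST__.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    server_tokens off;
    autoindex off;                                    # no directory listing

    # "always" also adds the headers to 4xx/5xx responses. add_header is not inherited
    # by a location that defines its own add_header, so keep them all at server level.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    # Trial a CSP in report-only mode before enforcing it:
    # add_header Content-Security-Policy-Report-Only "default-src 'self'" always;

    # Regex locations are tried in order of appearance and the first match wins,
    # so these deny rules must come before the PHP handler below.
    location ~ ^/(conf|data|lib|log)/ { deny all; }
    location ~ /\. { deny all; }                      # .htaccess, .git, ... (added here)

    location ~ ^/(datamodels|env-[^/]+|extensions)/ {
        # Static assets only. "allow all" is required: the outer "deny all" would
        # otherwise be inherited by this nested location.
        location ~ \.(css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html)$ {
            allow all;
            try_files $uri =404;
        }
        deny all;
    }

    # PHP over FastCGI with PATH_INFO (pages/exec.php/... relies on it).
    location ~ ^(.+\.php)(/.*)?$ {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        set $path_info $fastcgi_path_info;            # try_files below resets $fastcgi_path_info
        try_files $fastcgi_script_name =404;          # only run scripts that exist on disk
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_pass unix:__PHP_SOCK__;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
EOF
}

if [ "$#" -eq 3 ]; then
    # e.g. sh itop-nginx.sh /var/www/itop itop.example.com /run/php/php7.3-fpm.sock \
    #        > /etc/nginx/sites-available/itop && nginx -t && systemctl reload nginx
    render_itop_nginx_conf "$1" "$2" "$3"
fi
```

After reloading, check the rules from outside: `curl -sI https://itop.example.com/conf/production/config-itop.php` must return 403, a PHP file under env-production/ must return 403 while a .css file there returns 200, the portal URL through pages/exec.php/ must load, and the response headers should carry the three `add_header` lines on both 200 and 403 responses.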