09- Web Applications- ZenCart
We will start with a fresh installation of OpenSuSE 11.3, available on
the labshare. Copy the Zen Cart installation archive to the directory /srv/www/htdocs and
uncompress it. Rename the resulting directory OurShopSite, then discard the original zip archive.
In the directory /srv/www/htdocs/OurShopSite/, copy the file includes/dist-configure.php to includes/configure.php and set its permissions to 777.
Likewise copy admin/includes/dist-configure.php to admin/includes/configure.php and set its permissions to 777. These permissions are only for the installer, which must write both files; they are set back to 644 once the install is complete.
The installer also needs write access to a number of directories. For each of these, set the permissions to 777 for the duration of the install:
Update line 996 of the file /etc/php5/apache2/php.ini to read date.timezone = America/New_York. In particular, be sure to uncomment the line! Apache must be restarted for this change to take effect; in OpenSuSE the command is
# /etc/init.d/apache2 restart
In a browser, visit the web page http://YourServer.Yourdomain/OurShopSite/. A web page will appear, thanking you for installing Zen Cart. Since this is the first time using Zen Cart, we still need to complete the installation process. Click on the appropriate link. Read the Welcome page, and click continue. Read and agree to the licence requirements (GPL).
Some errors and warnings will appear; we will now solve each in turn. Our first issue is that curl is not compiled into our version of PHP. Let's remedy that.
Ensure that you have a valid .iso for OpenSuSE 11.3. Because the original DVD .iso for OpenSuSE is larger than 4 GB, it will not fit on a FAT32 device, like my portable hard drive. I used 7-zip to split the .iso into two files, which are in the labshare2 directory. Use 7-zip (available on the labshare) to combine and uncompress these files into a single .iso. Point the CD drive for the VM to the .iso. Run YaST. Select Software Repositories, and unselect all of the Internet repos, leaving only the CD. From YaST, run Software Management. Do a search for PHP. A number of packages will be presented, some installed and some not. Check the box for php5-curl, and select accept. Restart Apache, and return to the web page. Life should be good.
There is another warning, letting us know that gd is not installed in PHP. We fix that in the same way as above, except that the package is called php5-gd. Installing php5-gd also requires an additional package (t1lib); this will be pulled in automatically. Don't forget to restart apache!
At this point we see all greens and are ready to install. Press the install button.
And you thought that it would just install at that point- seriously how long have we been doing this!
The next thing that we will need to do is to give Zen Cart the credentials it will need to connect to a database. The database does not need to be on the same server as the web server. For simplicity, the base machine provided already has MySQL set up and running, so you can use MySQL as the database type, and localhost as the database host. In this example, I will use the database on the server; it is simple to modify the commands below if you choose otherwise.
First we need to create the account that the Zen Cart program will use to access the database. As root on the database server, run
mysql> CREATE USER zencart@localhost IDENTIFIED BY 'password1!';
Next we need to create the database for our shop; let’s call that Ourshop:
mysql> CREATE DATABASE Ourshop;
Now we need to give our user full authority over the shop database, and only over that database; the account needs no privileges anywhere else:
mysql> GRANT ALL ON Ourshop.* TO 'zencart'@'localhost';
Enter this data into the relevant fields on the web page. The optional settings can be left unchanged.
Now we would like to protect our website with SSL; it is an e-commerce site. We quickly notice, however, that the Apache2 configuration for OpenSuSE is quite different from what we saw for CentOS. Let me give you a quick crash course and show you how to get SSL set up in OpenSuSE.
The directory /etc/apache2 has subdirectories ssl.crt/, ssl.csr/, and ssl.key/, which suggests that the server ships with pre-built keys and certificates for SSL; it does not. Indeed, try
# cat /etc/apache2/ssl.key/server.key
to see that the file does not exist.
We start by generating a server key:
# openssl genrsa -out /etc/apache2/ssl.key/server.key 4096
Generate a csr:
# openssl req -new -key /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.csr/server.csr
Copy the csr to your CA and sign it:
# openssl x509 -req -days 365 -in ./server.csr -CA /root/certs/ca.crt -CAkey /root/certs/ca.key -set_serial 01 -out server.crt
Copy the result back to /etc/apache2/ssl.crt/server.crt on the web server. Only the CSR and the signed certificate travel between the two machines; the server's private key never leaves the web server, and the CA's private key never leaves the CA. Note also that -set_serial 01 hard-codes the certificate serial number. Every certificate a CA signs must carry a distinct serial, and a browser that has already seen a certificate from this CA with serial 01 will reject a second one, so use a different serial (or -CAcreateserial) for each certificate you sign with this CA.
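As an added example (not part of the lab notes or of Zen Cart), the script below carries the key, CSR and signing steps through in a scratch directory and then checks the result the way you would before restarting apache: the certificate must chain to the CA, it must match the private key, and it must name the host. It assumes openssl is on the PATH; the host name ourshop.class and the temporary directory stand in for /etc/apache2/ssl.* and /root/certs. It goes beyond the notes in two places, both flagged in the comments: it adds a subjectAltName, which browsers use for host-name matching, and it uses -CAcreateserial instead of a fixed serial.

```shell
#!/bin/sh
# Added example: key -> CSR -> CA-signed certificate, done in a scratch
# directory, followed by the checks worth making before restarting apache.
set -eu

# make_site_cert DIR HOST -- writes ca.key/ca.crt (the lab CA), server.key,
# server.csr and server.crt into DIR. 2048-bit keys keep the demo fast; the
# lab notes use 4096 for the real server key.
make_site_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # the lab CA; on the lab this already exists as /root/certs/ca.key and ca.crt
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -days 365 -subj "/CN=Lab CA" \
        -out "$dir/ca.crt" 2>/dev/null
    # server key and CSR, as on the web server (-subj makes req non-interactive)
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr" 2>/dev/null
    # sign on the CA. Two additions to the notes' command: a subjectAltName,
    # because browsers match the host name against the SAN rather than the CN,
    # and -CAcreateserial, so no two certificates from this CA share serial 01.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# cert_ok DIR HOST -- 0 when server.crt chains to ca.crt, matches server.key
# (a mismatch is the usual reason apache refuses to start after files have
# been copied around) and carries HOST as a DNS name.
cert_ok() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    kmod=$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$dir/server.crt" -noout -modulus 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host"
}

# Demo in a temporary directory. On the lab the files live in
# /etc/apache2/ssl.key, ssl.csr and ssl.crt, and only server.csr and
# server.crt travel between the web server and the CA.
demo=$(mktemp -d)
make_site_cert "$demo" ourshop.class
if cert_ok "$demo" ourshop.class; then
    echo "server.crt verifies against ca.crt, matches server.key, and names ourshop.class"
else
    echo "certificate chain is broken"
fi
```

Run cert_ok against the three files on the web server after copying server.crt back; if it fails, the copy or the key is wrong and apache will not start with SSL enabled.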
By default, the OpenSuSE apache server does not use SSL. To change this, edit the file /etc/sysconfig/apache2; line 133 of that file holds the flags passed to the server. We need to modify that line to read
At this point, we can restart the apache server.
# /etc/init.d/apache2 restart
Be sure to check both /var/log/messages and /var/log/apache2/error_log for errors. You can also run a netstat command to see that apache is now listening on TCP/443.
Create the directory /srv/www/htdocs/ssltest and put a basic web page in it; we are going to protect that directory with SSL. Examine the file /etc/apache2/httpd.conf and note that lines 21-92 describe the default file structure used to configure apache. The first thing to notice is that they recommend keeping the configuration for
virtual hosts in the directory /etc/apache2/vhosts.d; they even provide templates for virtual hosts in that directory.
Copy the template vhost-ssl.template to /etc/apache2/vhosts.d/ssl.conf and open that file. Add an SSL-protected directory to the system by adding the following (outside the <VirtualHost> directive):
<Directory "/srv/www/htdocs/ssltest">
    SSLRequireSSL
    SSLOptions +StrictRequire
</Directory>
Because we used the default file locations, we did not have to modify any of the other lines in ssl.conf.
You can then check that the page http://OurShop.class/ssltest is not accessible (SSLRequireSSL answers a plain-HTTP request with 403 Forbidden)
while the page https://OurShop.class/ssltest is accessible, and without certificate errors if you have imported your CA certificate into the browser's trust store (the CA certificate only; the CA's private key stays on the CA). This completes our discussion of the SSL differences between OpenSuSE and CentOS.
Before continuing, verify that you can reach your Zen Cart installation web site via SSL from another host!
Returning to the Zen Cart installation web page, set both the HTTPS domain (e.g. https://ourshop.class) and the HTTP Server URL (e.g. https://ourshop.class/OurShopSite). Enable SSL and Enable SSL in the Admin Area; then Save System Settings.
You can select the variables in the Store Setup page as you see fit. I recommend that, on your first installation anyway, you install the Store Demo to see how the system will function when complete.
Set up an administrator user name (e.g. zenadmin) and password (e.g. password1!; on anything other than a lab machine, pick something considerably stronger). We don't have email set up, but you must enter a value or the install will throw an error. You do not want to check for updates: the lab has no Internet connection, and you don't want the connections to wait to discover this fact.
Change the permissions on /srv/www/htdocs/OurShopSite/includes/configure.php to 644; do the same with /srv/www/htdocs/OurShopSite/admin/includes/configure.php.
Delete the directory /srv/www/htdocs/OurShopSite/zc_install; leaving the installer in place would let anyone who finds it re-run the install against your shop.
The install process (at least for me) resulted in one error that needed to be handled manually. Line 17 of the file /srv/www/htdocs/OurShopSite/includes/configure.php needs to be changed from
or whatever is appropriate for your host name. The same problem was noted on lines 30 and 32 of /srv/www/htdocs/OurShopSite/admin/includes/configure.php.
Verify that your Zen Cart install functions- at least for shoppers.
The administrative page is located at https://ourshop.class/OurShopSite/admin. Visit that page. Notice the bright red warnings- I guess they mean them, huh? To change the location of the admin page to, say, "newadmin", we first open the file /srv/www/htdocs/OurShopSite/admin/includes/configure.php. In lines 42-45, change
define('DIR_WS_ADMIN', '/OurShopSite/admin/');
define('DIR_WS_CATALOG', '/OurShopSite/');
define('DIR_WS_HTTPS_ADMIN', '/OurShopSite/admin/');
define('DIR_WS_HTTPS_CATALOG', '/OurShopSite/');
to
define('DIR_WS_ADMIN', '/OurShopSite/newadmin/');
define('DIR_WS_CATALOG', '/OurShopSite/');
define('DIR_WS_HTTPS_ADMIN', '/OurShopSite/newadmin/');
define('DIR_WS_HTTPS_CATALOG', '/OurShopSite/');
In lines 61-62, change
define('DIR_FS_ADMIN', '/srv/www/htdocs/OurShopSite/admin/');
define('DIR_FS_CATALOG', '/srv/www/htdocs/OurShopSite/');
to
define('DIR_FS_ADMIN', '/srv/www/htdocs/OurShopSite/newadmin/');
define('DIR_FS_CATALOG', '/srv/www/htdocs/OurShopSite/');
Rename the folder /srv/www/htdocs/OurShopSite/admin to /srv/www/htdocs/OurShopSite/newadmin to match the change we just made.
Log into the Zen Cart site as admin at the new location, and verify that all functions as expected.
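The rename above, done with sed and mv instead of by hand, as an added example that is not from the lab notes or from Zen Cart. It assumes the configure.php layout quoted above (three *_ADMIN defines whose values end in /admin/), builds a constructed stand-in for the tree under a temporary directory so it can be tried before touching /srv/www/htdocs, and finishes with a check that every *_ADMIN define points at the new folder while the *_CATALOG defines are untouched.

```shell
#!/bin/sh
# Added example: move the Zen Cart admin folder and keep configure.php in step.
set -eu

# rename_admin DOCROOT OLD NEW -- rewrite every *_ADMIN define in
# DOCROOT/OLD/includes/configure.php from /OLD/ to /NEW/, then move the folder.
# The *_CATALOG defines are left alone, as in the notes.
rename_admin() {
    docroot=$1; old=$2; new=$3
    cfg="$docroot/$old/includes/configure.php"
    if [ ! -f "$cfg" ]; then echo "no $cfg" >&2; return 1; fi
    if [ -e "$docroot/$new" ]; then echo "$docroot/$new already exists" >&2; return 1; fi
    # only lines defining a *_ADMIN constant are touched, and the trailing /'
    # anchors the match to the end of the value so nothing else is rewritten
    sed "/_ADMIN'/ s|/$old/'|/$new/'|" "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
    mv "$docroot/$old" "$docroot/$new"
}

# admin_ok DOCROOT NEW -- 0 when the folder exists and every *_ADMIN define
# in its configure.php ends in /NEW/'
admin_ok() {
    docroot=$1; new=$2
    cfg="$docroot/$new/includes/configure.php"
    [ -f "$cfg" ] || return 1
    total=$(grep -c "_ADMIN'" "$cfg" || true)
    good=$(grep -c "_ADMIN'.*/$new/'" "$cfg" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$good" ]
}

# make_fixture DOCROOT -- constructed stand-in for a fresh install's admin
# configure.php, holding the six defines quoted in the notes
make_fixture() {
    mkdir -p "$1/admin/includes"
    cat > "$1/admin/includes/configure.php" <<'EOF'
<?php
define('DIR_WS_ADMIN', '/OurShopSite/admin/');
define('DIR_WS_CATALOG', '/OurShopSite/');
define('DIR_WS_HTTPS_ADMIN', '/OurShopSite/admin/');
define('DIR_WS_HTTPS_CATALOG', '/OurShopSite/');
define('DIR_FS_ADMIN', '/srv/www/htdocs/OurShopSite/admin/');
define('DIR_FS_CATALOG', '/srv/www/htdocs/OurShopSite/');
EOF
}

# Demo on a temporary tree; on the server the call is
#   rename_admin /srv/www/htdocs/OurShopSite admin newadmin
root=$(mktemp -d)/OurShopSite
make_fixture "$root"
rename_admin "$root" admin newadmin
if admin_ok "$root" newadmin; then
    echo "admin now lives at $root/newadmin"
    grep "_ADMIN'" "$root/newadmin/includes/configure.php"
fi
```

Pick a folder name that is not guessable; the point of the rename is that the admin login page is no longer at the well-known /admin/ path.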
Securing Zen Cart
Zen Cart makes a number of recommendations for securing a site. For the complete list, see http://www.zen-cart.com/wiki/index.php/Important_Site_Security_Recommendations.
We will summarize some of the more important recommendations from that document.
- Use SSL; moreover, use SSL with a certificate that is specific to your site.
- Do not use FTP to access files on your site.
- A number of files and folders in the default install should be removed:
- /zc_install/ [Which we removed as part of the install]
- If the shop does not contain downloadable products or music, you can also
remove the directories
but you need to tell Zen Cart that downloads have been disabled. Do so from the admin page: go to Configuration -> Attribute Settings and set Enable Downloads to false.
They recommend renaming the admin folder, but as we saw, this is now required as part of the install process.
- If you are going to send email from the admin portion of your site, be sure to use SMTP rather than the default PHP method for email transport (Admin -> Configuration -> Email Options -> Email Transport Method), as the PHP method exposes the path of your admin directory.
- Set permissions on the two configure.php files to 644 (or 444).
- Know how many admin accounts you have on your system. (Admin -> Tools -> Admin Settings).
- During installation, a number of directories are set to 777 so that the installer can write to them. Once the install is complete, tighten the permissions again, usually to 755 for folders and 644 for files.
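An added example, not from the notes or from Zen Cart, of the permission tightening in the last point, together with an audit that counts what is still world-writable. It runs against a constructed tree under a temporary directory so it can be tried before being pointed at /srv/www/htdocs/OurShopSite. Beyond the notes it assumes that both configure.php files go to 444 (the stricter of the two values recommended above) and that a renamed admin folder still keeps its configure.php under includes/.

```shell
#!/bin/sh
# Added example: post-install permission clean-up for a Zen Cart document root.
set -eu

# harden_perms DOCROOT -- 755 on every folder, 644 on every file, then 444 on
# each includes/configure.php (catalog and admin, whatever the admin folder
# is called now)
harden_perms() {
    docroot=$1
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    find "$docroot" -type f -path '*/includes/configure.php' -exec chmod 444 {} +
}

# world_writable_count DOCROOT -- number of entries still writable by "other";
# anything counted here is what the installer's chmod 777 left behind
world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# has_mode PATH OCTAL -- 0 if PATH has exactly that mode (find -perm without a
# leading "-" is an exact match, and needs no stat flags, which differ per OS)
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# make_perm_fixture DOCROOT -- constructed stand-in for a just-installed shop,
# with everything still at 777 from the install steps
make_perm_fixture() {
    mkdir -p "$1/includes" "$1/newadmin/includes" "$1/cache" "$1/images"
    printf '<?php\n' > "$1/includes/configure.php"
    printf '<?php\n' > "$1/newadmin/includes/configure.php"
    printf 'x\n' > "$1/index.php"
    chmod -R 777 "$1"
}

# Demo against a temporary tree. On the server, run as root once the install
# has finished:  harden_perms /srv/www/htdocs/OurShopSite
root=$(mktemp -d)/OurShopSite
make_perm_fixture "$root"
echo "world-writable before: $(world_writable_count "$root")"
harden_perms "$root"
echo "world-writable after:  $(world_writable_count "$root")"
```

Any folder the running shop still has to write to (image uploads, caches) should then be owned by the web server user and opened to that user only, rather than put back to 777; re-run world_writable_count after any later change to confirm nothing has crept back.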