Project Refresh #2

Project Refresh #2

On Linux this time.

Cleaned, redacted, organized, added config and new comments to sample env file to make multiple configurations easier.
Adds new setting for future SELinux and SCM res minify path fix.

Revised installation document.

Added similar instructions from the Mac pathway in a more concise fashion, possibly as a better convention for the document later.
Possibly more security conscious now from using login path, not sure..
Found more project names to update.

Added quick sample API doc, as was also useful for making this commit.

Added some SELinux files for at least better running on dev systems.

Leftover CSR readability change in the index.

Revised nginx root conf.  May need converging or splitting work so this file has answers for all OSes, like comments for each as done in the site config with the lines, but maybe it helps clean up others from a cleaner Linux perspective instead.
Site conf did some nice deduplication in the same inspiration that I want for root conf, except for the log directives that I added with the same refactoring reasoning, trying to edit system-wide files as little as possible.

Nearly forgot the default test user password, but added helpful comment once I did.

.env.example

@@ -1,24 +1,35 @@
+[WEB]
+minify=true
+enableTests=false
+cacheFolderRootPath=/tmp
+
 [DATABASE]
 DBMS=mysql
-DBHOST=localhost
-DBPORT=3306
 DBNAME=tingle
 DBUSER=tingle
-DBPASSWD=""
-# Quotes at least around the password field to allow for special characters.
 PREFIX=
+
+; For TCP/IP network-style connections
+;DBHOST=127.0.0.1
+;DBPORT=3306
+; For Linux-style local filesystem socket connections
+;DBHOST=localhost
+;DBSOCKET=/var/lib/mysql/mysql.sock
+
+; Quotes to allow special characters in values.
+; Escape double-quote characters using a backslash.
+DBPASSWD=""
+
 [SECURITY]
 LOST_PASSWORD_RANDOM_GENERATOR_STRENGTH=MEDIUM
+
 [MAIL]
 mailEnabled=false
-server="smtp.server.com"
+server=""
 port=465
-username="[email protected]"
+username=""
 password=""
-replyToAddress="[email protected]"
+replyToAddress=""
 replyToName="Tingle"
 lostPasswordSubject="Tingle - Password Reset"
 lostPasswordBodyTemplateFilePath="content/lostPasswordEmailBodyTemplate.txt"
-[WEB]
-minify=true
-enableTests=false

dev/db/createSampleDatabaseExport-generateDevUsers.sql

@@ -1,3 +1,5 @@
+-- Password is 'test'.
+
 SELECT
   `unique_marker_and_marker_tab_users`.`user_id` AS `id`,
   CONCAT('test', `unique_marker_and_marker_tab_users`.`user_id`) AS `username`,

dev/server/nginx/SELinux/httpd-dosfs_read-open.te

@@ -0,0 +1,12 @@
+module my-nginx 1.0;
+
+require {
+        type httpd_t;
+        type dosfs_t;
+        class file { getattr open read };
+}
+
+#============= httpd_t ==============
+
+allow httpd_t dosfs_t:file read;
+allow httpd_t dosfs_t:file { getattr open };

dev/server/nginx/root.conf

@@ -2,12 +2,12 @@
 #user  nobody;
 worker_processes  1;
 
-#error_log  logs/error.log;
-#error_log  logs/error.log  debug;
-#error_log  logs/error.log  notice;
-#error_log  logs/error.log  info;
+#error_log  /var/log/nginx/error.log;
+#error_log  /var/log/nginx/error.log  debug;
+#error_log  /var/log/nginx/error.log  notice;
+#error_log  /var/log/nginx/error.log  info;
 
-#pid        logs/nginx.pid;
+#pid        /run/nginx.pid;
 
 
 events {
@@ -32,6 +32,6 @@ http {
     keepalive_timeout  65;
 
     #gzip  on;
-    
+
     include servers/*.conf;
 }

dev/server/nginx/site.conf.example

@@ -1,6 +1,12 @@
 server {
 
   set $project_location /path/to/Zelda-Maps;
+  root    $project_location;
+
+  #error_log  /var/log/nginx/error.log        ;
+  #error_log  /var/log/nginx/error.log  debug ;
+  #error_log  /var/log/nginx/error.log  notice;
+  #error_log  /var/log/nginx/error.log  info  ;
 
   listen       8443 ssl;
   server_name  localhost;
@@ -14,19 +20,9 @@ server {
   ssl_ciphers  HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers  on;
 
-  root    $project_location;
+  include /etc/nginx/default.d/*.conf;
 
   location / {
     index   index.html index.htm;
   }
-
-  location ~ \.php$ {
-    fastcgi_split_path_info ^(.+\.php)(/.+)$;
-
-    fastcgi_pass   unix:/usr/local/var/run/php5-fpm.sock;
-    #fastcgi_pass   127.0.0.1:9000;
-    fastcgi_index  index.php;
-    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
-    include        fastcgi_params;
-  }
 }

docs/API Examples.md

@@ -0,0 +1,27 @@
+# Sample Client Flow
+TODO: sort..
+## Page Load
+
+https://.../res.php?type=javascript
+https://.../res.php?type=css
+
+https://.../ajax.php?command=get_container&game=BotW
+
+https://.../ajax.php?command=get_container_name&game=BotW
+https://.../ajax.php?command=get_categories&game=19
+https://.../ajax.php?command=get_map&game=19
+https://.../ajax.php?command=get_category_tree&game=19
+https://.../ajax.php?command=get_games
+
+https://.../ajax.php?command=get_markers&game=19
+
+## Login
+https://.../ajax.php?command=login
+
+## User Load
+https://.../ajax.php?command=get_user_info
+https://.../ajax.php?command=get_changelog&sinceVersion=0.0.0
+https://.../ajax.php?command=get_user_completed_markers&game=19&userId=1
+
+## Logout
+https://.../ajax.php?command=logout

docs/Installation.md

@@ -3,30 +3,64 @@
   * Set-up Dependencies
     * Set-up database
       * Install and configure a database connection for this project.
+        * https://dev.mysql.com/doc/mysql-installation-excerpt/8.0/en/
+          * Linux
+            * https://dev.mysql.com/doc/mysql-installation-excerpt/8.0/en/linux-installation-native.html
+            * `sudo dnf install community-mysql-server`
+            * `sudo systemctl start mysqld`
+      * Install recommended GUI editor/IDE
+        * https://dev.mysql.com/downloads/workbench/
       * Perform the usual and secure database set-up steps:
         * Catch the new, randomly generated root account's password during the installation.
-        * Add `/usr/local/mysql/bin` to user path variable.
+        * Windows/Cygwin?: Add `/usr/local/mysql/bin` to user path variable.
         * `mysql_secure_installation`
+          * Recommended settings
+            * Password validation: `y`, `2` (strong)
+            * Remove anonymous users: `y`
+            * Force root local only: `y`
+            * Remove test database: `y`
+            * Reload privs: `y`
+      * A dedicated account is recommended to only read the related database schemas, so add a less privileged database account for this project to use:
+        * `CREATE USER 'tingle'@'localhost' IDENTIFIED BY '<password>';`
         * The `mysql_config_editor` to create and store local, default, client credentials may be recommended, especially when contacting different project-related servers.
-        * A separate account is recommended to only read the related database schemas, so add a less privileged database account for only this project to use:
-          * `mysql --login-path=local -e "CREATE USER 'tingle'@'localhost' IDENTIFIED BY '<password>'"`
-      * Import the `dev/db/samples/tingle.sql` file.
-        * `mysql --login-path=local < "dev/db/samples/tingle.sql"`
+      * Import the sample database file.
+        * `dev/db/samples/tingle.sql`
       * Grant the new db user all or some schema privileges to the newly imported `tingle` schema.
-        * All: ``mysql --login-path=local -e "GRANT ALL PRIVILEGES ON `tingle`.* to 'tingle'@'localhost'"``
-        * Specific Schema Privileges: `SELECT, INSERT, UPDATE, DELETE`.
+        * All: ``GRANT ALL PRIVILEGES ON `tingle`.* to 'tingle'@'localhost'``
+        * Specific Schema Privileges: ``GRANT SELECT, INSERT, UPDATE, DELETE ON `tingle`.* to 'tingle'@'localhost';``
       * Setup project local backend PHP config parameters:
         * `cp .env.example .env`
         * Edit the newly copied `.env` file to your database's parameters for connection location and account credentials.
     * Set-up web server
+      * Linux:
+        * `sudo dnf install nginx php-fpm php-mysqlnd`
+          * https://www.php.net/manual/en/mysqli.installation.php
+        * `sudo mkdir -p /etc/nginx`
+        * `sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/nginx/nginx.key -out /etc/nginx/nginx.crt`
+        * `cp dev/server/nginx/site.conf.example dev/server/nginx/site.conf`
+        * `sed -i -r 's|(\s+set \$project_location ).+$|\1'(readlink -f .)';|' dev/server/nginx/site.conf`
+        * Could use `unix:/` socket instead of network pass.
+        * `sudo ln -s (readlink -f dev/server/nginx/site.conf) /etc/nginx/conf.d/Tingle.conf`
+        * `sudo systemctl start php-fpm nginx`
+        * Check for failures due to SELinux
+          * `sudo systemctl status nginx`
+            * open failed for site conf file
+              * Copy relevant error line.
+              * `xclip -out | audit2why`
+              * `xclip -out | audit2allow`
+              * `sudo semodule -i dev/server/nginx/selinux/httpd-dosfs_read-open.pp/`
+          * `sudo systemctl status php-fpm`
+            * May require additional permissions to connect to network address and port for database communication.
+              * Using the local Linux socket route works with additional configuration.
       * Mac:
         * nginx or [MAMP](https://www.mamp.info)
-        * Install through homebrew: `brew install nginx`.
+        * Install through Homebrew: `brew install nginx`.
         * Generate SSL certificates: `openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /usr/local/etc/nginx/nginx.key -out /usr/local/etc/nginx/nginx.crt`
-        * `cp site.conf.example site.conf`
+        * `cp dev/server/nginx/site.conf.example dev/server/nginx/site.conf`
         * Edit the newly copied `site.conf` file to modify the `$project_location` line appropriately to the root of this project's source tree, and the `fastcgi_pass` directive according to your platform.
+          * See if this works: `sed -i -r 's|(\s+set \$project_location ).+$|\1'(readlink -f .)';|' dev/server/nginx/site.conf`
           * `unix:/` for *nix/bsd platforms, IP and port for Windows or in general.
-        * `ln -s (readlink -f ZM_nginx.conf) /usr/local/etc/nginx/servers/Zelda-Maps.conf`
+        * `ln -s (readlink -f dev/server/nginx/site.conf) /usr/local/etc/nginx/servers/Tingle.conf`
         * `nginx -p /usr/local/var`
         * Enable PHP FPM (Similar to FastCGI?)
           * `brew install homebrew/php/php56-xdebug`
@@ -51,7 +85,8 @@
         * Tell the Windows OS to "Allow network connections" when the dialog automatically appears.
     * PHP dependencies
       * Mysqli
-        * Make sure it is enabled in `php.ini`.  Just uncomment the extension line most likely.
+        * Now the mysqlnd package.
+        * (Old?) Make sure it is enabled in `php.ini`.  Just uncomment the extension line most likely.
       * Optional: Install php zend extension xdebug
         * https://stackify.com/php-debugging-guide/
           * Download

index.html

@@ -25,7 +25,12 @@
       <meta http-equiv="Content-Language" content="en-us" />
       <meta name="description" content="Zelda Maps provides rich interactive maps of Hyrule from the The Legend of Zelda with detailed descriptions for each location, character, easter egg and more." />
 
-      <meta http-equiv="Content-Security-Policy" content="default-src *; img-src * 'unsafe-inline' 'unsafe-eval' data:; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'">
+      <meta http-equiv="Content-Security-Policy" content="
+        default-src *;
+        img-src * 'unsafe-inline' 'unsafe-eval' data:;
+        script-src * 'unsafe-inline' 'unsafe-eval';
+        style-src * 'unsafe-inline';
+      ">
 
       <!-- Third-Party LIBs -->
       <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.0.0/jquery.min.js"></script>