密码管理平台ratticdb的部署，在centos7上的部署

一，前言

一直想用ratticdb这个有web界面的密码管理工具，百度了一下居然没有找到中文的部署文档，访问官网也是notfound。找到了官方的部署指南：https://github.com/tildaslash/RatticWeb/wiki/Development，感觉写的太简略了，部署中出了很多问题无法解决。

然后我又找了一篇印度小哥写的部署指南：https://linoxide.com/tools/setup-ratticdb-ubuntu-16-04/ ，写的很详细，但是我的系统是centos7的，还是有些差别，于是一路摸索终于部署成功，在此记录下部署步骤，也算是对印度小哥文章的汉化和centos版。可惜的是ratticdb已于2015年8月停止更新，本文使用ratticdb最后一个版本进行安装。

二，部署准备

机器配置：2核4G

磁盘：50G

操作系统：centos7.3

数据库版本：5.5.56-MariaDB

三，部署以及配置

1，安装apache,mysql和相关依赖包

yum install httpd php git gcc mariadb mariadb-client python-setuptools gcc openssl libxml2 python-dev libxml2-dev libxslt1-dev zlib1g-dev libldap2-dev python-ldap python-mysqldb gettext apache2-dev libmysqlclient-dev libsasl2-dev python-dev libldap2-dev libssl-dev pyflakes python-pip libevent-devel libxml2 libxslt libxslt-devel

2,安装pip工具

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py

python get-pip.py

3，添加主机名解析

vim /etc/hosts

172.16.1.1 test.mima.com

此处ip和域名仅作为示例，请根据实际情况做调整，下文出现的域名和ip配置同理。

4，创建程序目录并下载安装ratticweb

cd /opt

mkdir apps

cd apps

git clone https://github.com/tildaslash/RatticWeb.git

cd RatticWeb/

/usr/local/bin/pip install -r requirements-mysql.txt -r requirements-dev.txt

5,在mysql里创建数据库和用户

mysql -u root -p

mysql> create database rattic CHARACTER SET utf8;

Query OK, 1 row affected (0.00 sec)

mysql> SET GLOBAL innodb_file_per_table = ON, innodb_file_format = Barracuda, innodb_large_prefix = ON;

Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON rattic.* TO 'rattic'@'localhost' identified by 'somepassword';

Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;

Query OK, 0 rows affected (0.00 sec)

mysql> exit

Bye

6， 配置RatticWeb

vim /opt/apps/RatticWeb/conf/defaults.cfg 进行如下配置没有的就新增

[ratticweb]

secretkey = 123456

timezone = Asia/Shanghai

hostname = test.mima.com      #此处填写你自己的域名

static =  /opt/apps/RatticWeb/static

[database]

engine = django.db.backends.mysql

# The name of the database (or its filename for sqllite)

name = rattic

user = rattic

password = somepasswd

host = localhost

port = 3306

7,修改Python配置并进行rattic初始化

cd /usr/lib/python2.7/site-packages/

rm -rf kombu/transport/django/migrations djcelery/migrations

mv kombu/transport/django/south_migrations kombu/transport/django/migrations

mv djcelery/south_migrations djcelery/migrations

cd /opt/apps/RatticWeb/

root@demohost:/opt/apps/RatticWeb# ./manage.py syncdb

root@demohost:/opt/apps/RatticWeb# ./manage.py migrate 【创建和配置数据库】

root@demohost:/opt/apps/RatticWeb# mkdir static 【创建静态目录】

root@demohost:/opt/apps/RatticWeb#  ./manage.py collectstatic -c --noinput 【填充静态文件目录】

root@demohost:/opt/apps/RatticWeb# ./manage.py demosetup【创建初始用户accoun】

8，安装配置mod_wsgi

yum install mod_wsgi

yum install mod_ssl

安装完成之后，mod_wsgi.so会在Apache的modules目录中

在/etc/httpd/conf/httpd.conf文件中添加以下内容

LoadModule  wsgi_module modules/mod_wsgi.so

LoadModule ssl_module         modules/mod_ssl.so

9，生成证书并配置apache的ssl服务

这里生成的是自签名证书，如果对于安全性有更高的要求请使用权威CA机构颁发的证书文件

mkdir /etc/ssl/private/

mkdir  /etc/ssl/certs

root@demohost:~# sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/demohost.com.key -out /etc/ssl/certs/demohost.com.crt

Generating a 2048 bit RSA private key
........................................+++
.......+++
writing new private key to 'demohost.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:xiaoxun
Common Name (eg, your name or your server's hostname) []:test.mima.com 【这一项写自己需要配置的域名】
Email Address []:

vim /etc/httpd/conf/httpd.conf

新增

ServerAdmin root@localhost

RewriteEngine on

RewriteCond  %{HTTPS} !=on

RewriteRule  ^(.*) https://%{SERVER_NAME}$1 [L,R]

vim /etc/httpd/conf.d/ssl.conf

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:

#   Configure the SSL Session Cache: First the mechanism

#   to use and second the expiring timeout (in seconds).

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)

SSLSessionCacheTimeout  300

#   Pseudo Random Number Generator (PRNG):

#   Configure one or more sources to seed the PRNG of the

#   SSL library. The seed data should be of good random quality.

#   WARNING! On some platforms /dev/random blocks if not enough entropy

#   is available. This means you then cannot use the /dev/random device

#   because it would lead to very long connection times (as long as

#   it requires to make more entropy available). But usually those

#   platforms additionally provide a /dev/urandom device which doesn't

#   block. So, if available, use this one instead. Read the mod_ssl User

#   Manual for more details.

SSLRandomSeed startup file:/dev/urandom  256

SSLRandomSeed connect builtin

#SSLRandomSeed startup file:/dev/random  512

#SSLRandomSeed connect file:/dev/random  512

#SSLRandomSeed connect file:/dev/urandom 512

#

# Use "SSLCryptoDevice" to enable any supported hardware

# accelerators. Use "openssl engine -v" to list supported

# engine names.  NOTE: If you enable an accelerator and the

# server does not start, consult the error logs and ensure

# your accelerator is functioning properly.

#

SSLCryptoDevice builtin

<IfModule mod_ssl.c>

<VirtualHost *:443>

#ServerAdmin webmaster@demohost.com

SSLEngine on

SSLCertificateFile /etc/ssl/certs/demohost.com.crt

SSLCertificateKeyFile /etc/ssl/private/demohost.com.key

<FilesMatch "\.(cgi|shtml|phtml|php)$">

SSLOptions +StdEnvVars

</FilesMatch>

<Directory /usr/lib/cgi-bin>

SSLOptions +StdEnvVars

</Directory>

BrowserMatch "MSIE [2-6]" \

nokeepalive ssl-unclean-shutdown \

downgrade-1.0 force-response-1.0

# MSIE 7 and newer should be able to use keepalive

BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Alias /robots.txt /opt/apps/RatticWeb/static/robots.txt

Alias /favicon.ico /opt/apps/RatticWeb/static/favicon.ico

AliasMatch ^/([^/]*\.css) /opt/apps/RatticWeb/static/styles/$1

Alias /media/ /opt/apps/RatticWeb/media/

Alias /static/ /opt/apps/RatticWeb/static/

<Directory /opt/apps/RatticWeb/static>

Require all granted

</Directory>

<Directory /opt/apps/RatticWeb/media>

Require all granted

</Directory>

WSGIScriptAlias / /opt/apps/RatticWeb/ratticweb/wsgi.py

WSGIPassAuthorization On

WSGIDaemonProcess rattic processes=2 threads=25 home=/opt/apps/RatticWeb/ python-path=/opt/apps/RatticWeb display-name=%{GROUP}

WSGIProcessGroup rattic

<Directory /opt/apps/RatticWeb/ratticweb>

<Files wsgi.py>

Require all granted

</Files>

</Directory>

</VirtualHost>

</IfModule>

10，重启Apache

systemctl restart  httpd.service

11，用浏览器访问网页

访问https://test.mima.com
必须域名访问，不然会报400错误

没有做公网解析的域名可以通过给自己电脑配置hosts访问。
Windows下hosts文件的地址是：C:\Windows\System32\drivers\etc\hosts