Jeffery (Zeyu) Zhao edited this page Apr 23, 2021 · 13 revisions

This guide is for a new installation. If you want to upgrade from an old version, use the upgrade guide.

  1. Install PHP (7.1+), MySQL (or MariaDB) and a web server (IIS, Apache or Nginx) on your server. Make sure PDO is supported.
  2. Create a database in your MySQL server for this password manager.
  3. Import initial.sql into that database.
  4. Download the src folder of this repository from the newest Release, and edit src/function/config.php with your configuration (database settings etc.; see the comments in that file).
  5. Upload the files in the src folder to your web server, along with your edited src/function/config.php.
  6. Set up HTTPS (required) and redirect HTTP to HTTPS. Use Let's Encrypt if you need a free certificate. Set the header Strict-Transport-Security: max-age=63072000; includeSubDomains; preload on your server if you do not plan to use an invalid certificate (e.g. a self-signed certificate) in the future. If you decide to use an invalid certificate, this password manager might work, but no support will be provided for that setup.
  7. If you enabled the file feature, set the maximum allowed POST packet size to at least 15MB in my.cnf and php.ini (post_max_size) and httpd.conf (note that you might need to change SecRequestBodyNoFilesLimit in mod_security.conf). The files are posted as a string, so changing the maximum upload file size alone does not work. Don't forget to restart mysqld and httpd.
  8. If you enabled the email verification feature, make sure your configuration works by testing the API with your configuration (https://sendgrid.com/docs/API_Reference/Web_API/mail.html). If you use invalid settings, your email will not be sent and you will not be able to log in.
  9. Open the web page in a web browser.
  10. Click Signup to register an account. (If you don't want others to sign up, set $ALLOW_SIGN_UP to false in config.php after you are done. If you still feel insecure, you can also delete signup.php and reg.php, but this is not required.)
  11. You are done!
  12. Remember your password to log in. No one can recover your data if you lose it!

Enable client-side source file check

This prevents a password leak when an attacker gains control of your server and deploys malicious client-side JavaScript code. For example, the attacker could edit the login JavaScript to post your raw password directly. The solution is to have the client (web browser) check the integrity of all JavaScript / HTML / CSS components every time before visiting the password manager.

  1. Follow the steps above to complete the basic installation.

  2. Prepare an absolutely safe host that supports static web page hosting (GitHub Pages is a good choice! You can use a public repo; there is no need to hide the code), and associate a domain / subdomain X with that static site (GitHub Pages will provide you with a free subdomain).

  3. On your main server (where you installed the password manager), set Header set Access-Control-Allow-Origin "*", or, instead of *, use your domain / subdomain X. This ensures that your web browser can access the password manager from website X.

  4. Finish all setup, including import, disabling new sign-up, etc.

  5. file_lists.txt in this project repository lists all the files to check. If you delete some files, also delete them from the txt. Alternatively, you can run generate_file_lists.py to generate the list of files that need to be checked. On your server, supposing your password manager code lives in src, run python generate_file_lists.py. If it is not src, edit the Python file accordingly.

  6. Edit check_website.html and assign your website URL (including the trailing /) to the global variable WEBSITE.

  7. Upload check_website.html and file_lists.txt to the safe host from step 2, then visit check_website.html in a web browser. You will get an error message, in which you can see the actual MD5 for the files.

  8. Edit check_website.html and assign the actual MD5 you got from the previous step to the global variable CORRECT_MD5. Re-upload the html.

  9. Optionally, you can rename check_website.html to index.html or any name you like.

When you want to visit the password manager, always visit X/check_website.html. It will redirect you to the password manager if the integrity check passes. Otherwise, it will show an error, and you should check whether your server has been compromised.

Do NOT put check_website.html and file_lists.txt on the same host as the password manager; otherwise this check is useless. Remember to change CORRECT_MD5 every time you make changes to the source files (redo step 8).
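A worked illustration of steps 5 to 8 and the warning above, added here as example code rather than the project's own generate_file_lists.py or check_website.html: it builds the list of client-side files from a src tree, pins one MD5 per file (the role CORRECT_MD5 plays) and re-checks a deployment so that a modified or missing file is reported. The extensions checked, the per-file manifest shape and the sample tree are this example's assumptions.

```python
import hashlib
import os
import tempfile

# Client-side file types worth checking (assumption of this example).
CLIENT_EXTENSIONS = (".html", ".js", ".css")

def generate_file_list(root):
    """Walk the src folder and return sorted relative paths of client-side
    files, the content that file_lists.txt is meant to hold."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(CLIENT_EXTENSIONS):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)

def md5_of(root, rel_path):
    with open(os.path.join(root, rel_path), "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def record_digests(root, file_list):
    """Pin one MD5 per listed file; store this on the trusted host (the
    CORRECT_MD5 role), never on the password manager server itself."""
    return {p: md5_of(root, p) for p in file_list}

def verify(root, expected):
    """Re-hash the deployed tree against the pinned digests and return the
    paths that changed or disappeared; an empty list means the check passes."""
    bad = [p for p, d in expected.items()
           if not os.path.isfile(os.path.join(root, p)) or md5_of(root, p) != d]
    return sorted(bad)

def demo():
    """Constructed mini deployment: pin digests, then tamper with login.js."""
    files = {"index.html": b"<script src=js/login.js></script>",
             "js/login.js": b"post(hash(password));",
             "function/config.php": b"<?php $ALLOW_SIGN_UP = false;"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        pinned = record_digests(root, generate_file_list(root))
        clean = verify(root, pinned)
        with open(os.path.join(root, "js/login.js"), "wb") as fh:
            fh.write(b"post(password);")  # simulated server-side tampering
        return sorted(pinned), clean, verify(root, pinned)
```

In the real deployment the comparison runs in the browser on the trusted host (check_website.html) against files fetched from WEBSITE, which is why the pinned digests must never live on the password manager server.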

Debug

If the Password Manager doesn't work properly after installation, try the following:

  1. Go to the demo site and try to reproduce your bug there. If it can be reproduced, go to step 3.
  2. If your bug can't be reproduced on the demo site, most likely you didn't install the password manager correctly. Carefully check src/function/config.php for mistakes and make sure you didn't edit other files in the src folder. Then enable PHP debug in php.ini and check the httpd error log.
  3. Submit an issue with steps to reproduce the bug. If your bug can be reproduced on the demo site, you don't need to provide any other information. Otherwise, provide the error log and PHP debug output.