Friendica
1. System Requirements
- Ubuntu 22.04 LTS
- PHP 8.2 or higher
- MySQL/MariaDB
- Apache 2.4
- Composer 2.x
2. System Preparation
Update System
sudo apt update
sudo apt upgrade -y
Install Required Packages
# Add PHP repository
# NOTE(review): ppa:ondrej/php is a third-party archive, not one maintained by Ubuntu.
# Once added, its packages are installed and upgraded as root like any other apt
# source, so adding it is a trust decision worth recording for this host.
sudo apt install -y software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo apt update
# Install LAMP stack and required packages
sudo apt install -y \
apache2 \
mariadb-server \
php8.2 \
php8.2-{mysql,curl,gd,xml,zip,mbstring,intl,cli,fpm,bcmath} \
git \
unzip \
curl
Verify PHP Installation
php8.2 -v # Should show version 8.2.x
Install Security Tools
# Install UFW and fail2ban
sudo apt install -y ufw fail2ban
# Configure UFW
# Inbound traffic is denied by default and outbound allowed; only SSH, HTTP and
# HTTPS are opened below.
sudo ufw default deny incoming
sudo ufw default allow outgoing
# SSH is allowed before `ufw enable` so that turning the firewall on from an SSH
# session does not cut that session off.
# NOTE(review): `ufw allow ssh` opens the standard SSH port; if sshd listens on a
# different port, allow that port instead before enabling.
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
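# Configure fail2ban
# Settings appended to jail.local override the packaged defaults.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# The EOF terminator has to stand alone on its own line; otherwise the shell keeps
# reading the commands that follow into jail.local instead of running them.
sudo tee -a /etc/fail2ban/jail.local << 'EOF'
[apache]
enabled = true
port = http,https
filter = apache-auth
# The glob also covers friendica_error.log, which is where the virtual host in
# section 7 sends its errors; watching only error.log would miss that site.
logpath = /var/log/apache2/*error.log
maxretry = 3
findtime = 600
bantime = 3600
EOF
# NOTE(review): apache-auth reads authentication failures from the Apache error log.
# Failed logins on the Friendica web form are handled by the application and are
# presumably not seen by this jail - verify what actually gets logged.
# Start and enable fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
# Verify services
sudo ufw status
sudo systemctl status fail2ban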
3. Composer Installation
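# Download and verify Composer installer
# The installer is later run with sudo, so it is kept in a private directory from
# mktemp -d rather than at a fixed, predictable path in world-writable /tmp, where
# another local user could pre-create or swap the file between the check and the run.
tmpdir="$(mktemp -d)"
installer="$tmpdir/composer-setup.php"
# -f makes curl fail on an HTTP error instead of saving the error page.
expected_hash="$(curl -fsS https://composer.github.io/installer.sig)"
curl -fsS https://getcomposer.org/installer -o "$installer"
# The path is passed as an argument, so nothing downloaded is pasted into PHP source.
actual_hash="$(php -r 'echo hash_file("sha384", $argv[1]);' "$installer")"
if [ -n "$expected_hash" ] && [ "$actual_hash" = "$expected_hash" ]; then
  echo 'Installer verified'
  # Install Composer globally (only reached when the checksum matched)
  sudo php "$installer" --install-dir=/usr/local/bin --filename=composer
else
  echo 'Installer corrupt - not running it' >&2
fi
# Clean up
rm -rf -- "${tmpdir:?}"
# Verify installation
composer --version # Should show version 2.x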
4. Composer Environment Configuration
# Create required Composer directories
sudo mkdir -p /var/www/.composer
sudo mkdir -p /var/www/.cache/composer/vcs
sudo mkdir -p /var/www/.config/composer
# Set correct ownership
sudo chown -R www-data:www-data /var/www/.composer
sudo chown -R www-data:www-data /var/www/.cache
sudo chown -R www-data:www-data /var/www/.config
# Configure Composer home for www-data
sudo -u www-data composer config --global home /var/www/.composer
# Verify configuration
sudo -u www-data composer config --list --global
5. Database Setup
# Secure MariaDB installation
sudo mysql_secure_installation
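# Create database and user (replace 'your_secure_password' with a strong password)
# The quoted 'EOF' delimiter stops the shell from expanding $, backticks or
# backslashes inside the SQL, so the password reaches MariaDB exactly as written.
# NOTE(review): typed interactively, the statement (password included) may be saved
# in shell history; clear that entry afterwards or run the SQL from the mysql prompt.
sudo mysql -u root -p <<'EOF'
CREATE DATABASE friendica CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
CREATE USER 'friendica'@'localhost' IDENTIFIED BY 'your_secure_password';
GRANT ALL PRIVILEGES ON friendica.* TO 'friendica'@'localhost';
FLUSH PRIVILEGES;
EOF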
6. Friendica Installation
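# Create and set up Friendica directories
sudo mkdir -p /var/www/friendica
sudo chown -R www-data:www-data /var/www/friendica
# Clone Friendica repository
# NOTE(review): this checks out the repository's default branch at whatever commit is
# current; pin a release branch or tag if the project publishes one - TODO confirm.
cd /var/www
sudo -u www-data git clone https://git.friendi.ca/friendica/friendica.git /var/www/friendica
# Clone addons repository (MUST be done BEFORE composer install)
sudo -u www-data git clone https://git.friendi.ca/friendica/friendica-addons.git /var/www/friendica/addon
cd /var/www/friendica
# Keep any composer.lock that comes with the checkout. It pins the exact dependency
# versions and their content hashes; deleting it makes Composer resolve whatever
# versions are newest at install time, which nobody upstream has tested or reviewed.
# Install dependencies
sudo -u www-data composer install --no-dev
# Copy .htaccess configuration
sudo -u www-data cp .htaccess-dist .htaccess
# Copy configuration file
sudo -u www-data cp config/local-sample.config.php config/local.config.php
# This file will hold the database password: readable by www-data only, not by
# every local account.
sudo chmod 640 config/local.config.php
# Set proper permissions for Friendica directories
sudo -u www-data mkdir -p /var/www/friendica/storage
sudo -u www-data mkdir -p /var/www/friendica/view/smarty3
sudo chmod 755 /var/www/friendica/storage
sudo chmod 755 /var/www/friendica/view/smarty3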
7. Apache Configuration
Create Virtual Host
# Create configuration file
# NOTE(review): the container tags of this listing (the VirtualHost and Directory
# blocks, and the match blocks that the bare "Require all denied" lines belonged to)
# did not survive extraction. As printed the directives have no enclosing blocks, so
# restore them from the original guide and check the result with `sudo apache2ctl -t`
# before enabling the site.
# NOTE(review): php_value / php_flag / php_admin_flag are mod_php directives. With the
# PHP-FPM handler configured at the end of this file they presumably belong in the
# FPM pool or php.ini instead - verify. safe_mode was removed from PHP in 5.4.
# NOTE(review): the Content-Security-Policy permits 'unsafe-inline' and 'unsafe-eval',
# which leaves little protection against script injection, and current browsers
# ignore X-XSS-Protection.
sudo tee /etc/apache2/sites-available/friendica.conf << 'EOF'
ServerAdmin webmaster@localhost
DocumentRoot /var/www/friendica
ServerName your.domain.com
# Security: Disable CGI execution
Options None
Require all denied
# Security: Block dot-dot path traversal attempts
Require all denied
# Security: Block common exploit patterns
Require all denied
Options -Indexes +FollowSymLinks -ExecCGI
AllowOverride All
Require all granted
# PHP settings
php_value memory_limit 512M
php_value upload_max_filesize 16M
php_value post_max_size 16M
php_value max_execution_time 180
# Security headers
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "same-origin"
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: https:; media-src 'self' https:;"
# Additional security
php_admin_flag engine on
php_admin_flag safe_mode off
php_flag display_errors off
php_value error_reporting E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT
php_value date.timezone UTC
# Logging
ErrorLog ${APACHE_LOG_DIR}/friendica_error.log
CustomLog ${APACHE_LOG_DIR}/friendica_access.log combined
LogLevel warn
# PHP-FPM configuration
SetHandler "proxy:unix:/run/php/php8.2-fpm.sock|fcgi://localhost"
# Block access to sensitive files
Require all denied
EOF
Additional Security Configuration
# Create a custom security configuration
# NOTE(review): tee without -a replaces any existing
# /etc/apache2/conf-available/security.conf, including the one the apache2 package
# installs; keep a copy of the old file if its settings are still wanted.
# NOTE(review): the Rewrite* directives need mod_rewrite, which this guide only
# enables in a later step.
# NOTE(review): the REQUEST_URI patterns "(\.\.|)" and "(||\\r|\\n)" look truncated by
# extraction (characters such as angle brackets were presumably lost). As printed,
# each contains an empty alternative, which matches every URI, so wherever these
# rules are in effect the final RewriteRule answers 403 to all requests. Restore the
# original patterns before use.
# NOTE(review): "!^(GET|POST|HEAD)" refuses every other method, OPTIONS, PUT and DELETE
# included; confirm that no client or API of the site needs them. The cgi and bin
# patterns match those substrings anywhere in the path.
# NOTE(review): rewrite rules set in server context are not inherited by virtual hosts
# by default; confirm these rules actually apply to the Friendica site.
sudo tee /etc/apache2/conf-available/security.conf << 'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
# Disable TRACE and TRACK methods
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE [OR]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
# Protection against malicious URL patterns
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule .* - [F]
RewriteCond %{REQUEST_URI} (\.\.|) [NC,OR]
RewriteCond %{REQUEST_URI} (||\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} ^.*cgi.* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*bin.* [NC]
RewriteRule .* - [F]
EOF
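# Enable the security configuration
# security.conf uses RewriteEngine/RewriteCond/RewriteRule, so mod_rewrite has to be
# loaded before the configuration is enabled or Apache refuses to start.
sudo a2enmod rewrite
sudo a2enconf security
# Check the syntax first so that a broken file does not take the web server down.
sudo apache2ctl -t && sudo systemctl restart apache2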
Configure ModSecurity (Optional but Recommended)
# Install ModSecurity
sudo apt install libapache2-mod-security2
# Enable ModSecurity
sudo a2enmod security2
# Copy and configure rules
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
# Edit ModSecurity configuration
# Switches the engine from DetectionOnly (log matches) to On (block matches).
# NOTE(review): consider running in DetectionOnly first and reviewing the audit log
# for false positives against Friendica traffic before enforcing.
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf
# Restart Apache
sudo systemctl restart apache2
Enable Required Modules and PHP-FPM
# Enable Apache modules
sudo a2enmod rewrite headers proxy_fcgi setenvif ssl
# Enable PHP-FPM
sudo a2enconf php8.2-fpm
sudo systemctl restart php8.2-fpm
Enable Site Configuration
sudo a2ensite friendica.conf
sudo a2dissite 000-default.conf
8. SSL Configuration
Install Certbot
sudo apt install certbot python3-certbot-apache
Obtain SSL Certificate
sudo certbot --apache -d your.domain.com
Verify SSL Renewal
# Check timer status
sudo systemctl status certbot.timer
# Test renewal process
sudo certbot renew --dry-run
9. Final Steps
Test Apache Configuration
sudo apache2ctl -t
Restart Apache
sudo systemctl restart apache2
10. Web Installation
- Access your domain via HTTPS (e.g., https://your.domain.com)
- Follow the web installer, providing:
- Database details:
- Host: localhost
- Database: friendica
- User: friendica
- Password: (your database password)
- Admin account details
- Site settings
11. Worker Setup
Option A: Cron Worker (Recommended)
# Create cron job for www-data user
sudo -u www-data crontab -e
# Add this line:
*/10 * * * * cd /var/www/friendica && /usr/bin/php8.2 bin/worker.php
Option B: Daemon
# Create systemd service file
# The unit runs the worker as the unprivileged www-data account, restarts it 10 seconds
# after any exit, and appends stdout/stderr to two files under /var/log.
# NOTE(review): Type=simple expects the process to stay in the foreground, and
# daemon.php is started here without a subcommand; confirm against the installed
# Friendica version that this invocation keeps running rather than exiting at once
# (Restart=always would then loop).
# NOTE(review): no rotation is configured for the two log files in this guide; add a
# logrotate rule so they cannot fill the disk.
sudo tee /etc/systemd/system/friendica-daemon.service << 'EOF'
[Unit]
Description=Friendica background worker
After=network.target mysql.service apache2.service
Requires=mysql.service apache2.service
[Service]
Type=simple
User=www-data
ExecStart=/usr/bin/php8.2 /var/www/friendica/bin/daemon.php
WorkingDirectory=/var/www/friendica
Restart=always
RestartSec=10
StandardOutput=append:/var/log/friendica-daemon.log
StandardError=append:/var/log/friendica-daemon.error.log
[Install]
WantedBy=multi-user.target
EOF
# Enable and start the daemon
sudo systemctl daemon-reload
sudo systemctl enable friendica-daemon
sudo systemctl start friendica-daemon
12. Configuration File Setup
Edit the configuration file with proper settings:
sudo -u www-data nano /var/www/friendica/config/local.config.php
Add these essential configurations: