diff --git a/INSTALL.md b/INSTALL.md index 9f2e1a61a..538c90834 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -118,6 +118,7 @@ The installer will: - Download the **latest stable release** of OSPOS from GitHub - Create a database with secure random password - Configure OSPOS and Apache +- **Set up SSL/TLS certificates** (Let's Encrypt or self-signed) - Display login credentials after completion **Customization (optional):** @@ -127,6 +128,9 @@ curl -sSL https://opensourcepos.org/install | DB_PASS=mypassword APACHE_SERVER_N # Install a specific OSPOS version curl -sSL https://opensourcepos.org/install | OSPOS_VERSION=3.4.2 sudo -E bash + +# Production setup with Let's Encrypt SSL (recommended) +curl -sSL https://opensourcepos.org/install | APACHE_SERVER_NAME=pos.example.com SSL_EMAIL=admin@example.com sudo -E bash ``` **Environment variables:** @@ -137,6 +141,11 @@ curl -sSL https://opensourcepos.org/install | OSPOS_VERSION=3.4.2 sudo -E bash - `OSPOS_VERSION` - OSPOS version to install (default: latest stable release) - `PHP_VERSION` - PHP version (default: 8.2) - `APACHE_SERVER_NAME` - Server hostname (default: localhost) +- `SSL_EMAIL` - Email for Let's Encrypt (production SSL). If set, enables production SSL with auto-renewal + +**SSL/TLS Configuration:** +- **Production (recommended):** Set `SSL_EMAIL=your@email.com` to use Let's Encrypt with automatic renewal +- **Development/Testing:** Without `SSL_EMAIL`, a self-signed certificate is generated (your browser will show a security warning) > **Note:** If the short URL is unavailable, use the direct GitHub URL: > ```bash 
@@ -145,4 +154,4 @@ curl -sSL https://opensourcepos.org/install | OSPOS_VERSION=3.4.2 sudo -E bash For other cloud providers or manual installation, see the [detailed installation guide](https://github.com/opensourcepos/opensourcepos/wiki/Getting-Started-installations) in the wiki. -**Important:** After installation, change the default password and configure SSL/TLS certificates for production use. +**Important:** Change the default password after first login! diff --git a/scripts/install-ubuntu.sh b/scripts/install-ubuntu.sh index d049cb43e..353360bf1 100644 --- a/scripts/install-ubuntu.sh +++ b/scripts/install-ubuntu.sh @@ -29,6 +29,7 @@ OSPOS_DIR="${OSPOS_DIR:-/var/www/ospos}" OSPOS_VERSION="${OSPOS_VERSION:-}" PHP_VERSION="${PHP_VERSION:-8.2}" APACHE_SERVER_NAME="${APACHE_SERVER_NAME:-localhost}" +SSL_EMAIL="${SSL_EMAIL:-}" MYSQL_ROOT_PASS="${MYSQL_ROOT_PASS:-}" echo -e "${COLOR_YELLOW}Configuration:${COLOR_RESET}" @@ -42,6 +43,12 @@ if [ -n "$OSPOS_VERSION" ]; then else echo -e " OSPOS Version: latest" fi +if [ -n "$SSL_EMAIL" ]; then + echo -e " SSL Email: ${SSL_EMAIL}" + echo -e " SSL: Let's Encrypt (production)" +else + echo -e " SSL: Self-signed certificate" +fi echo "" if [ -d "$OSPOS_DIR" ]; then @@ -50,10 +57,10 @@ if [ -d "$OSPOS_DIR" ]; then exit 1 fi -echo -e "${COLOR_GREEN}[1/9] Updating system packages...${COLOR_RESET}" +echo -e "${COLOR_GREEN}[1/11] Updating system packages...${COLOR_RESET}" apt-get update -qq -echo -e "${COLOR_GREEN}[2/9] Installing Apache, PHP, and dependencies...${COLOR_RESET}" +echo -e "${COLOR_GREEN}[2/11] Installing Apache, PHP, and dependencies...${COLOR_RESET}" apt-get install -y -qq \ apache2 \ mariadb-server \ 
@@ -73,19 +80,19 @@ apt-get install -y -qq \ unzip \ openssl -echo -e "${COLOR_GREEN}[3/9] Starting MariaDB...${COLOR_RESET}" +echo -e "${COLOR_GREEN}[3/11] Starting MariaDB...${COLOR_RESET}" systemctl start mariadb systemctl enable mariadb if [ -z "$MYSQL_ROOT_PASS" ]; then - echo -e "${COLOR_GREEN}[3/9] Securing MariaDB installation...${COLOR_RESET}" + echo -e "${COLOR_BLUE}Securing MariaDB installation...${COLOR_RESET}" mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '';" mysql -e "FLUSH PRIVILEGES;" else mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '${MYSQL_ROOT_PASS}';" fi -echo -e "${COLOR_GREEN}[4/9] Creating database and user...${COLOR_RESET}" +echo -e "${COLOR_GREEN}[4/11] Creating database and user...${COLOR_RESET}" mysql -u root </dev/null @@ -130,7 +137,7 @@ if [ -f "composer.json" ]; then composer install --no-dev --optimize-autoloader --no-interaction --quiet 2>/dev/null fi -echo -e "${COLOR_GREEN}[7/9] Configuring OSPOS...${COLOR_RESET}" +echo -e "${COLOR_GREEN}[7/11] Configuring OSPOS...${COLOR_RESET}" if [ -f ".env.example" ]; then cp .env.example .env sed -i "s/database\.default\.hostname = localhost/database.default.hostname = ${DB_HOST}/" .env @@ -140,10 +147,10 @@ if [ -f ".env.example" ]; then sed -i "s/CI_ENVIRONMENT = development/CI_ENVIRONMENT = production/" .env fi -echo -e "${COLOR_GREEN}[8/9] Importing database schema...${COLOR_RESET}" +echo -e "${COLOR_GREEN}[8/11] Importing database schema...${COLOR_RESET}" mysql -u root ${DB_NAME} < app/Database/database.sql -echo -e "${COLOR_GREEN}[9/9] Configuring Apache...${COLOR_RESET}" +echo -e "${COLOR_GREEN}[9/11] Configuring Apache...${COLOR_RESET}" cat > /etc/apache2/sites-available/ospos.conf < ServerName ${APACHE_SERVER_NAME} 
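Review bot: The relabelled banner `Securing MariaDB installation...` sits directly above `ALTER USER 'root'@'localhost' IDENTIFIED BY '';`, which gives the database root account an empty password instead of securing it. Those statements are unchanged context, but the commit edits the message that describes them. If the goal is only to keep the later password-less `mysql -u root` calls working (presumably through local socket authentication, which is not visible here), the `ALTER USER` could be dropped and the banner reworded to say what actually happens. In the else branch, `${MYSQL_ROOT_PASS}` is pasted into the SQL text and onto the `mysql -e` command line, so a quote character in the password breaks the statement and the value shows up in the process list. A comment such as `# NOTE: MYSQL_ROOT_PASS must not contain quotes; it is visible in argv` would at least document that.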
@@ -170,6 +177,69 @@ chmod -R 750 ${OSPOS_DIR}/writable systemctl restart apache2 systemctl enable apache2 +echo -e "${COLOR_GREEN}[10/11] Setting up SSL...${COLOR_RESET}" +if [ -n "$SSL_EMAIL" ]; then + echo -e "${COLOR_BLUE}Installing Certbot for Let's Encrypt...${COLOR_RESET}" + apt-get install -y -qq certbot python3-certbot-apache + + echo -e "${COLOR_BLUE}Obtaining SSL certificate...${COLOR_RESET}" + certbot --apache -d ${APACHE_SERVER_NAME} --non-interactive --agree-tos --email ${SSL_EMAIL} --redirect + + echo -e "${COLOR_BLUE}Setting up auto-renewal...${COLOR_RESET}" + systemctl enable certbot.timer + systemctl start certbot.timer + + PROTOCOL="https" +else + echo -e "${COLOR_BLUE}Generating self-signed SSL certificate...${COLOR_RESET}" + openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ + -keyout /etc/ssl/private/ospos-selfsigned.key \ + -out /etc/ssl/certs/ospos-selfsigned.crt \ + -subj "/C=US/ST=State/L=City/O=Organization/CN=${APACHE_SERVER_NAME}" 2>/dev/null + + cat > /etc/apache2/sites-available/ospos-ssl.conf < + ServerName ${APACHE_SERVER_NAME} + DocumentRoot ${OSPOS_DIR}/public + + SSLEngine on + SSLCertificateFile /etc/ssl/certs/ospos-selfsigned.crt + SSLCertificateKeyFile /etc/ssl/private/ospos-selfsigned.key + + + Options Indexes FollowSymLinks + AllowOverride All + Require all granted + + + ErrorLog \${APACHE_LOG_DIR}/ospos_ssl_error.log + CustomLog \${APACHE_LOG_DIR}/ospos_ssl_access.log combined + +EOF + + a2enmod ssl + a2ensite ospos-ssl.conf + + cat > /etc/apache2/sites-available/ospos.conf < + ServerName ${APACHE_SERVER_NAME} + Redirect permanent / https://${APACHE_SERVER_NAME}/ + +EOF + + a2dissite ospos.conf + a2ensite ospos.conf + + PROTOCOL="https" +fi + +systemctl restart apache2 + +echo -e "${COLOR_GREEN}[11/11] Configuring allowed hostnames...${COLOR_RESET}" +if [ -f "${OSPOS_DIR}/.env" ]; then + sed -i "s/app\.allowedHostnames\.0 = 'localhost'/app.allowedHostnames.0 = '${APACHE_SERVER_NAME}'/" ${OSPOS_DIR}/.env +fi + echo "" 
echo -e "${COLOR_GREEN}╔══════════════════════════════════════════════════════════╗${COLOR_RESET}" echo -e "${COLOR_GREEN}║ Installation Complete! ║${COLOR_RESET}" @@ -181,7 +251,17 @@ echo -e " Username: ${DB_USER}" echo -e " Password: ${DB_PASS}" echo "" echo -e "${COLOR_YELLOW}Login Credentials:${COLOR_RESET}" -echo -e " URL: http://${APACHE_SERVER_NAME}/" +if [ -n "$SSL_EMAIL" ]; then + echo -e " URL: https://${APACHE_SERVER_NAME}/" + echo -e " SSL: Let's Encrypt (auto-renewal enabled)" +else + echo -e " URL: https://${APACHE_SERVER_NAME}/" + echo -e " SSL: Self-signed certificate" + echo -e "" + echo -e "${COLOR_YELLOW}Note: Your browser will show a security warning for self-signed${COLOR_RESET}" + echo -e "${COLOR_YELLOW} certificates. For production, use Let's Encrypt by setting${COLOR_RESET}" + echo -e "${COLOR_YELLOW} SSL_EMAIL=your@email.com${COLOR_RESET}" +fi echo -e " Username: admin" echo -e " Password: pointofsale" echo ""
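Review bot: The certbot call in step 10 passes `${APACHE_SERVER_NAME}` and `${SSL_EMAIL}` unquoted, so a value containing whitespace is split into extra certbot arguments in a command that runs as root; both should be quoted. Nothing in the hunk checks the result either: with the default `APACHE_SERVER_NAME=localhost`, Let's Encrypt cannot issue a certificate. Unless the script runs under `set -e` (not visible here), the installer would go on to report `Let's Encrypt (auto-renewal enabled)` for a site that has no certificate. The fence below rejects the localhost default when `SSL_EMAIL` is set and stops if certbot fails. Separately, the new `ospos-ssl.conf` vhost carries `Options Indexes FollowSymLinks`, where dropping `Indexes` avoids directory listings, and the step-11 `sed` should quote its target as `"${OSPOS_DIR}/.env"`.

```shell
if [ -n "$SSL_EMAIL" ]; then
    # Let's Encrypt needs a publicly resolvable name; fail early with a clear message.
    if [ "$APACHE_SERVER_NAME" = "localhost" ]; then
        echo "SSL_EMAIL is set but APACHE_SERVER_NAME is 'localhost'; set it to the public DNS name." >&2
        exit 1
    fi
    # … unchanged: certbot package install …
    if ! certbot --apache -d "$APACHE_SERVER_NAME" --non-interactive --agree-tos \
            --email "$SSL_EMAIL" --redirect; then
        echo "Certbot could not obtain a certificate for ${APACHE_SERVER_NAME}." >&2
        exit 1
    fi
    # … unchanged: certbot.timer enable/start, PROTOCOL, self-signed branch …
```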
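Review bot: Both branches of the new `if` in the summary print the identical `URL: https://${APACHE_SERVER_NAME}/` line, and `PROTOCOL`, which step 10 sets to `https` on both paths, is not used anywhere in the visible lines. Printing the URL once before the `if`, as `echo -e " URL: ${PROTOCOL}://${APACHE_SERVER_NAME}/"`, removes the duplication and leaves only the SSL-mode lines inside the branches. The `auto-renewal enabled` text is keyed on `SSL_EMAIL` being set rather than on certbot having succeeded, so it can appear after a failed issuance; a flag set right after the certbot call would keep the summary accurate.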