1. INSTALL BASE REQUIRED SOFTWARE ON THE APP/DATABASE SERVER ================================================================ 1.1 Install Development Tools as a part of the Server Build sudo yum groupinstall "Development Tools" (this command will not work if already installed as a part of server build) 1.2 Install git sudo yum install git 1.3 Install EPEL : ## RHEL/CentOS 7 64-Bit ## wget https://epel.mirror.constant.com/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm sudo rpm -ivh epel-release-7-11.noarch.rpm sudo yum -y update 1.4 Install Postgres 9.6 sudo yum install https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-redhat96-9.6-3.noarch.rpm sudo yum groupinstall "PostgreSQL Database Server 9.6 PGDG" sudo /usr/pgsql-9.6/bin/postgresql96-setup initdb systemctl start postgresql-9.6.service 2. CREATE THE ESP DATABASE USER AND DATABASE ON THE DATABASE SERVERS =================================================================== 2.1 Create Postgres ESP User and Database sudo -u postgres psql psql#> create user esp password 'xxxxxxxxxx'; **not actual password** psql#> create database esp owner esp; psql#> \q 2.2 Configure Postgres to accept connections sudo su postgres cd /var/lib/pgsql/9.6/data vi postgresql.conf Uncomment and change the following line from: #listen_addresses = 'localhost' to: listen_addresses = '*' 2.3 Configure pg_hba.conf for connections sudo su postgres cd /var/lib/pgsql/9.6/data vi pg_hba.conf Replace the contents at the bottom of the file with the following: # "local" is for Unix domain socket connections only #local all all trust local all postgres ident local esp esp ident local all all md5 # IPv4 local connections: #host all all 127.0.0.1/32 trust host all all 127.0.0.1/32 md5 host all all 0.0.0.0/0 md5 # IPv6 local connections: #host all all ::1/128 trust host all all ::1/128 md5 # Allow replication connections from localhost, by a user with the # replication privilege. #local replication postgres peer #host replication postgres 127.0.0.1/32 ident #host replication postgres ::1/128 ident 2.4 Restart Postgres systemctl restart postgresql-9.6.service 3. INSTALL ADDITIONAL REQUIRED SOFTWARE ON THE APP SERVER ========================================================== 3.1 Install Python virtualenv and PIP sudo yum install python-virtualenv sudo yum install python-pip sudo yum install python-cffi 3.2 Install Apache & Mod_Wsgi sudo yum install httpd mod_wsgi 3.3 Install PostgreSQL library (and dependencies) sudo yum install libpqxx-devel sudo yum install postgresql-devel sudo yum install postgresql-libs 3.4 Install other required packages sudo subscription-manager repos --enable rhel-server-rhscl-7-rpms sudo subscription-manager repos --enable rhel-7-server-optional-rpms sudo yum install redhat-rpm-config gcc libffi-devel python-devel openssl-devel 3.5 Pip updates sudo pip install --upgrade setuptools sudo pip install --upgrade pip 4. ESP PRE-REQUISITES AND INSTALL ESP ON THE APP SERVER ======================================================== 4.1 Create an 'esp' user and add the user to the 'wheel' group. Change XXXXXX to the password of your choice. sudo useradd -d /srv/esp/ -m -p XXXXXXX esp sudo usermod -a -G wheel esp 4.2 Clone the esp repository in /srv/esp/[prod or test] sudo su esp cd /srv/esp/ git clone https://gitlab.com/ESP-Project/ESP.git prod 4.3 Checkout the desired branch and give it a “local” branch name. Unless you specifically require an earlier release, use the latest tagged release branch cd /srv/esp/prod git checkout vX.X.X.X -b versionX.X.X.X For example: git checkout v3.4.7 -b version3.4.7 4.4 Prepare for a "first time" ESP installation sudo su esp cd /srv/esp/prod Modify the requirements.pypi.txt file vi requirements.pypi.txt Modify the line for django_tables2. Replace it with the following line django_tables2==1.2 Add the following line before the paramiko line cryptography <= 1.8 4.5 Run the install script sudo su esp cd /srv/esp/prod ./install.sh 4.6 Install any disease detection plugins you require (likely only gonorrhea and chlamydia to start) ./setupPlugins.sh 4.7 As the ESP user, create the directories and files expected by ESP by entering: sudo su esp mkdir -p /srv/esp/data/{case_reports,epic,load_reports} mkdir -p /srv/esp/data/epic/{archive,incoming,error} mkdir -p /srv/esp/data/fake Use of the folder name “epic” is vestigial. These folders are used for text data from any source. 4.8 Create the ESP Log File sudo touch /var/log/esp.log sudo chown esp:esp /var/log/esp.log sudo chmod 666 esp.log 4.9 Create initial versions of ESP’s application.ini and secrets.ini configuration files sudo su esp cd /srv/esp/prod ./bin/esp makeini Normal output: [esp@redhat74esp prod]$ ./bin/esp makeini Could not find configuration file /srv/esp/prod/etc/secrets.ini Could not find configuration file /srv/esp/prod/etc/application.ini Configuration problems will limit ESP functionality. WARNING:generic::10: /srv/esp/prod/ESP/nodis/models.py:15: RemovedInDjango19Warning: django.contrib.contenttypes.generic is deprecated and will be removed in Django 1.9. Its contents have been moved to the fields, forms, and admin submodules of django.contrib.contenttypes. from django.contrib.contenttypes import generic Could not find configuration file /srv/esp/prod/etc/secrets.ini Creating new configuration file. You will need to edit the default values. Could not find configuration file /srv/esp/prod/etc/application.ini Creating new configuration file. You will need to edit the default values. Review messages above and modify configuration file as needed. 4.10 Update the secrets.ini files vi /srv/esp/prod/etc/secrets.ini Enter the password for the “esp” database role (from Step 2) For the secret_key, enter a random string of at least 32 characters long 4.11 Update the application.ini files vi /srv/esp/prod/etc/application.ini In the [General] section, edit the following settings: site_name = Your Site Name data_folder = /srv/esp/data admins = your_email@your_host.com, another_email@your_host.com managers = your_email@your_host.com, another_email@your_host.com icd10_support = True In the [Database] section, edit the following settings: db_name = esp username = esp In the [Web] section, edit the following settings: allowed_hosts = localhost, In the [ETL] section, edit the following settings: load_report_dir = /srv/esp/data/load_reports/ In the [Email] section, edit the following setttings: host = server_email = esp-no-reply@your_host.com default_from_email = esp-no-reply@your_host.com In the [Site] section, edit the following settings: site_header = ESP-YOURSITE case_report_site_name = EMR site_clia = site_last_name = Jones site_first_name = Bob site_address1 = 133 AnyStreet Avenue site_city = Boston site_state = MA site_zip = 02215 site_country = USA site_email = bjones@yourhost.org site_area_code = 617 site_tel_numeric = 1234567 site_app_name = ESP site_sending_facility = YOURSITE Other settings may be modified as necessary. 4.12 As the ESP user, from the ESP installation directory, populate the media/static folder (select yes when prompted): cd /srv/esp/prod ./bin/esp collectstatic 4.13 As the ESP user, from the ESP installation directory, initialize the ESP database by entering: sudo su esp cd /srv/esp/prod ./bin/esp migrate Grab a beverage as this will take awhile to complete. Normal output: [esp@redhat74esp prod]$ ./bin/esp migrate WARNING:generic::10: /srv/esp/prod/ESP/nodis/models.py:15: RemovedInDjango19Warning: django.contrib.contenttypes.generic is deprecated and will be removed in Django 1.9. Its contents have been moved to the fields, forms, and admin submodules of django.contrib.contenttypes. from django.contrib.contenttypes import generic Operations to perform: Synchronize unmigrated apps: staticfiles, ui, messages, django_tables2 Apply all migrations: sessions, admin, hef, auth, sites, contenttypes, static, nodis, conf, emr, vaers Synchronizing apps without migrations: Creating tables... Running deferred SQL... Installing custom SQL... Running migrations: Rendering model states... DONE Applying contenttypes.0001_initial... OK Applying auth.0001_initial... OK Applying admin.0001_initial... OK Applying contenttypes.0002_remove_content_type_name... OK Applying auth.0002_alter_permission_name_max_length... OK Applying auth.0003_alter_user_email_max_length... OK Applying auth.0004_alter_user_username_opts... OK Applying auth.0005_alter_user_last_login_null... OK Applying auth.0006_require_contenttypes_0002... OK Applying static.0001_initial... OK Applying static.0002_auto_20160513_1020... OK Applying static.0003_load_initial_data...Installed 1144 object(s) from 1 fixture(s) Installed 114064 object(s) from 1 fixture(s) Installed 3829 object(s) from 1 fixture(s) Installed 53345 object(s) from 1 fixture(s) Installed 54868 object(s) from 1 fixture(s) OK Applying conf.0001_initial... OK Applying conf.0002_load_initial_data...Installed 302 object(s) from 1 fixture(s) OK Applying conf.0003_auto_20160513_1020... OK Applying emr.0001_initial... OK Applying emr.0002_auto_20151204_1116... OK Applying emr.0003_auto_20160513_1020... OK Applying emr.0004_load_initial_data...Installed 10 object(s) from 1 fixture(s) OK Applying emr.0005_auto_20160811_0535... OK Applying emr.0006_auto_20170925_1308... OK Applying hef.0001_initial... OK Applying hef.0002_auto_20151204_1050... OK Applying nodis.0001_initial... OK Applying nodis.0002_auto_20160513_1020... OK Applying nodis.0003_auto_20160624_1615... OK Applying nodis.0004_auto_20170918_1419... OK Applying nodis.0005_auto_20170918_1515... OK Applying nodis.0006_auto_20170919_1049... OK Applying nodis.0007_auto_20171018_1415... OK Applying sessions.0001_initial... OK Applying sites.0001_initial... OK Applying vaers.0001_initial... OK Applying vaers.0002_load_initial_data...Installed 11475 object(s) from 1 fixture(s) OK 4.14 Create an ESP UI superuser: sudo su esp cd /srv/esp/prod ./bin/esp createsuperuser Username (Leave blank to use 'esp'): superuser E-mail address: Password: Password (again): 4.15 Test run ESP ./bin/esp runserver ./bin/esp runserver 8010 (or some other port to run 2 at a time) The goal is to see this: Performing system checks... System check identified no issues (0 silenced). January 30, 2018 - 09:49:06 Django version 1.8.18, using settings 'ESP.settings' Starting development server at http://127.0.0.1:8000/ Quit the server with CONTROL-C. 5. Apache Configuration ======================================================== 5.1 Make a copy of django.wsgi.sample located in the $ESP_HOME/share folder to the $ESP_HOME/etc directory and then edit it as described below: sudo su esp cp /srv/esp/prod/share/django.wsgi.sample /srv/esp/prod/etc/django.wsgi vi /srv/esp/prod/etc/django.wsgi Update the contents of the file to match the following. Replace both directory paths to match your environment. import os import sys os.environ['DJANGO_SETTINGS_MODULE'] = 'ESP.settings' # Enable this to prepend your ESP src folder to the beginning of PYTHONPATH, in # case an older version of Django is installed system-wide. # sys.path.insert(0, '/srv/esp/prod') execfile('/srv/esp/prod/bin/activate_this.py') from django.core.wsgi import get_wsgi_application application = get_wsgi_application() 5.2 Create the Apache configuration file. sudo vi /etc/httpd/conf.d/yourservername.conf For example: sudo vi /etc/httpd/conf.d/esp-server.conf You will need to customize this file with your information and your paths. #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # # Apache configuration for ESP # #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Old prod code may have 'print' statements scattered throughout; this # directive prevents mod_wsgi from bombing out when it hits such a statement. WSGIRestrictStdout Off ServerName redhat74esp ServerAdmin keberhardt@commoninf.com Alias /static/ /srv/esp/prod/ESP/media/static/ Alias /media /srv/esp/prod/ESP/media/ WSGIDaemonProcess esp WSGIScriptAlias / /srv/esp/prod/etc/django.wsgi SetHandler None Allow from all SetHandler None Allow from all ### Block all trace requests (all vHosts need this!!) ### The following code should be included every VirtualHost. ### It returns a Forbidden on any TRACE or TRACK request. ### TRACE requests are used for debugging, they tell the server ### to return a text version of the REQUEST. This is not ### needed and can be used for abuse/cross-site-scripting ### ### See: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html ### for more about TRACE ### RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|CONNECT) RewriteRule .* - [F] Order Deny,Allow Deny from all ProxyRequests Off 5.3 Add required directory configurations to apache.conf sudo vi /etc/httpd/conf/httpd.conf Beneath the following default section: Options Indexes FollowSymLinks AllowOverride None Require all granted Add the following: Options Indexes FollowSymLinks AllowOverride All Require all granted Options Indexes FollowSymLinks AllowOverride All Require all granted 5.4 Set permissions sudo chmod 755 /srv/esp 5.5 Restart Apache sudo service httpd restart 5.6 Attempt to load the site http://ServerName 5.7 Errors may be encountered due to SELinux Troubleshoot as required. grep httpd /var/log/audit/audit.log | audit2allow -M esp_policy semodule -i esp_policy.pp Here is what a policy might look like: module esp_policy 1.0; require { type var_log_t; type postgresql_port_t; type httpd_t; type var_t; type smtp_port_t; class tcp_socket name_connect; class file { execute getattr open read }; } #============= httpd_t ============== #!!!! This avc can be allowed using one of the these booleans: # httpd_can_network_connect, httpd_can_network_connect_db allow httpd_t postgresql_port_t:tcp_socket name_connect; #!!!! This avc can be allowed using one of the these booleans: # httpd_can_network_connect, httpd_can_sendmail, nis_enabled allow httpd_t smtp_port_t:tcp_socket name_connect; #!!!! This avc is allowed in the current policy allow httpd_t var_log_t:file open; #!!!! This avc is allowed in the current policy allow httpd_t var_t:file { execute getattr open read };