# Server Requirements

# PHP

| Version | PHP |
| ------- | --- |
| 3.20    | 7.4 |

Chevereto is PHP software; it has been designed using:

Packages and PECL provide the same convenience, but as packages are made for Debian-based systems you should prefer PECL if you don't have a compatible system.

Packages vs PECL

Packages not only contain the software; they can also trigger other effects in the system.

# PHP configuration

The following ini values are recommended for Chevereto installations.

upload_max_filesize = 50M;
post_max_size = 50M;
max_execution_time = 30;
memory_limit = 512M;

| Property | Description | Example |
| -------- | ----------- | ------- |
| upload_max_filesize | Maximum upload size | 50M for 50 MB |
| post_max_size | Maximum post size | Same as above |
| max_execution_time | Maximum time to execute the software, in seconds | 30 for 30 seconds |
| memory_limit | Maximum memory to allocate | 512M for 512 MB |

You can adjust these limits to reflect your hardware and server load. Check this article for more info: PHP common pitfalls.

# PHP Extensions

The following PHP extensions are required for Chevereto.

  • curl
  • exif
  • fileinfo
  • hash
  • imagick
  • gd
  • json
  • mbstring
  • pdo
  • pdo-mysql
  • session
  • xml
  • zip

# PHP Features

Chevereto requires unrestricted access to all PHP functions. If any PHP function is removed it could cause Chevereto to fail or to not work at all. Note that the following functions must not be restricted:

# Image library

The image library (GD, Imagick) should be provided with support for PNG, GIF, JPG, BMP and WEBP. By default, Chevereto uses Imagick and falls back to GD.

If you need to use GD explicitly, you can add this key to the Settings file:

$settings['image_library'] = 'gd';

Workaround missing formats

If the server doesn't provide support for all the image formats handled by Chevereto you must use the following Settings file workaround.

In the following example Chevereto is configured with explicit support only for PNG, GIF, BMP and JPG (removes WEBP):

$settings['image_formats_available'] = ['PNG', 'GIF', 'BMP', 'JPG'];

# Configuring image library

See CHEVERETO_IMAGE_LIBRARY to change the default image library used by Chevereto.

# ImageMagick

Additional recommended ImageMagick configuration, in the /etc/ImageMagick-6/policy.xml file:

<policymap>
    <!-- policies -->
    <policy domain="resource" name="width" value="16KP"/>
    <policy domain="resource" name="height" value="16KP"/>
</policymap>

# Filesystem

The user running PHP must be in the owner group of your installation directory. This is required to allow Chevereto to modify the filesystem for uploading, one-click update and many other features.

The Chevereto user requires read/write access to the following paths:

  • /tmp
  • app/content/
  • app/content/languages/
  • app/content/languages/cache/
  • app/content/system/
  • content/
  • images/

# Database

| Version | MySQL  | MariaDB |
| ------- | ------ | ------- |
| 3.20    | 5.7, 8 | 10      |

  • Database user must have ALL PRIVILEGES over the target database
  • InnoDB table storage engine

Upgrading from old installation

Old versions using the MyISAM table storage engine need their old tables converted to InnoDB. Read Convert MyISAM tables to InnoDB.

# Web server

# Disable PHP in sensitive files

  • Apache HTTP server

Edit the Virtual Host entry by adding the following directive for your upload directory. This will disable the PHP interpreter in folders containing public upload content:

You must edit /var/www/html/images to reflect your actual upload directory.

<Directory /var/www/html/images>
    AllowOverride None
    <LimitExcept GET>
        <IfModule !mod_authz_core.c>
            Order Allow,Deny
            Deny from all
        </IfModule>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
    </LimitExcept>
    <FilesMatch "\.(?:[Pp][Hh][Pp][345]?|[Pp][Hh][Tt][Mm][Ll])|(po|sql|html?)$">
        <IfModule !mod_authz_core.c>
            Order Allow,Deny
            Deny from all
        </IfModule>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
    </FilesMatch>
    <IfModule mod_php7.c>
        php_flag engine off
    </IfModule>
    <FilesMatch ".+\.*$">
        SetHandler !
    </FilesMatch>
    <IfModule mod_rewrite.c>
        RewriteRule ^.*\.php$ - [F,L]
    </IfModule>
</Directory>

If you can't edit the Apache Virtual Host, you can use a .htaccess file in the affected paths:

<LimitExcept GET>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</LimitExcept>
<FilesMatch "\.(?:[Pp][Hh][Pp][345]?|[Pp][Hh][Tt][Mm][Ll])|(po|sql|html?)$">
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<FilesMatch ".+\.*$">
    SetHandler !
</FilesMatch>
<IfModule mod_rewrite.c>
    RewriteRule ^.*\.php$ - [F,L]
</IfModule>

  • NGINX users

location ~* images/.*\.php$  {
    deny all;
}
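
The rules above refuse to serve script-like files from the upload directory; the same pattern can also be used to audit what is already stored there. The following is an added example, not Chevereto code: it reuses the FilesMatch expression from this page, while the function names and the sample file tree are constructed for illustration.

```python
import os
import re
import tempfile

# The FilesMatch pattern from the Apache block above, copied verbatim.
# Apache applies FilesMatch to the file's base name, not the full path.
BLOCKED = re.compile(
    r"\.(?:[Pp][Hh][Pp][345]?|[Pp][Hh][Tt][Mm][Ll])|(po|sql|html?)$"
)


def is_blocked(filename):
    """True if the web server rule would refuse to serve this base name."""
    return BLOCKED.search(filename) is not None


def find_blocked_files(upload_root):
    """Return sorted relative paths under upload_root that match the rule."""
    hits = []
    for dirpath, _dirs, files in os.walk(upload_root):
        for name in files:
            if is_blocked(name):
                rel = os.path.relpath(os.path.join(dirpath, name), upload_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Build a constructed upload tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2021", "09"))
        # Constructed sample file names, not taken from a real installation.
        for rel in ("2021/09/cat.jpg", "2021/09/logo.webp",
                    "2021/09/notes.php", "2021/09/avatar.PHP5.png",
                    "2021/09/page.phtml", "backup.sql"):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write("placeholder")
        return find_blocked_files(root)


if __name__ == "__main__":
    for path in demo():
        print("unexpected file in upload directory:", path)
```

Any hit in a real upload directory is a file the web server is configured never to serve, so it is worth reviewing how it got there.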

# URL rewriting

The web server must rewrite HTTP requests like GET /image/some-name.<id> to /index.php. Instructions for NGINX and Apache HTTP Server are below.

# NGINX URL rewriting

example.com.conf

# Context limits
client_max_body_size 50M;

# Disable access to sensitive files
location ~* (app|content|lib)/.*\.(po|php|lock|sql)$ {
    deny all;
}

# Disable PHP on image path
location ~* images/.*\.php$  {
    deny all;
}

# Image not found replacement
location ~ \.(jpe?g|png|gif|webp)$ {
    log_not_found off;
    error_page 404 /content/images/system/default/404.gif;
}

# CORS header (avoids font rendering issues)
location ~ \.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$ {
    add_header Access-Control-Allow-Origin "*";
}

# Pretty URLs
location / {
    index index.php;
    try_files $uri $uri/ /index.php$is_args$query_string;
}

# Apache HTTP Server URL rewriting

Make sure that mod_rewrite is enabled and that your virtual host settings allow URL rewriting:

    <Directory /var/www/html>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>

Apache configuration .htaccess files are already included in the software.

/.htaccess

# Disable server signature
ServerSignature Off

# Enable CORS across all your subdomains (replace dev\.local with your domain\.com)
# SetEnvIf Origin ^(https?://.+\.dev\.local(?::\d{1,5})?)$   CORS_ALLOW_ORIGIN=$1
# Header append Access-Control-Allow-Origin  %{CORS_ALLOW_ORIGIN}e   env=CORS_ALLOW_ORIGIN
# Header merge  Vary "Origin"

# Disable directory listing (-indexes), Multiviews (-MultiViews)
Options -Indexes
Options -MultiViews

<IfModule mod_rewrite.c>

    RewriteEngine On

    # If you have problems with the rewrite rules remove the "#" from the following RewriteBase line
    # You will also have to change the path to reflect the path to your Chevereto installation
    # If you are using alias is most likely that you will need this.
    #RewriteBase /

    # 404 images
    # If you want to have your own fancy "image not found" image remove the "#" from RewriteCond and RewriteRule lines
    # Make sure to apply the correct paths to reflect your current installation
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule images/.+\.(gif|jpe?g|png|bmp|webp) - [NC,L,R=404]
    #RewriteRule images/.+\.(gif|jpe?g|a?png|bmp|webp) content/images/system/default/404.gif [NC,L]

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !\.(css|js|html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl|xml|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|exe|gif|gz|gzip|ico|jpe?g|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|swf|tar|tif|tiff|wav|webp|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$ [NC]
    RewriteRule . index.php [L]

</IfModule>

# Real connecting IP

For setups behind any kind of proxy (including CloudFlare), the web server must set the appropriate value for the client connecting IP.

WARNING

If the real connecting IP is not configured, Chevereto won't be able to detect the real visitors' IPs and will fail to deliver IP-based restrictions and flood control.

  • NGINX: ngx_http_realip_module
  • Apache HTTP Server: mod_remoteip
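
Both modules should accept the forwarded address only from known proxy addresses, otherwise a client can supply its own value and sidestep the IP-based restrictions and flood control. The following is an added example, not Chevereto, NGINX or Apache code: a simplified model of that trusted-proxy logic, where the proxy ranges are RFC 5737 documentation networks used as placeholders and the function names are assumptions.

```python
import ipaddress

# Placeholder proxy ranges (RFC 5737 documentation networks), assumed for
# this example. Use the published ranges of your own proxy or CDN instead.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("203.0.113.0/24", "198.51.100.0/24")]


def is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_addr, forwarded_for, recursive=True):
    """Pick the client address from the TCP peer and X-Forwarded-For.

    recursive=True skips every trusted hop (NGINX real_ip_recursive on);
    recursive=False takes the last address in the header.
    """
    # The header is honoured only when the direct peer is a trusted proxy;
    # anyone else could have written whatever they like into it.
    if not forwarded_for or not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    # Walk from the hop nearest the server back towards the client.
    for hop in reversed(hops):
        try:
            trusted = is_trusted(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back (our choice)
        if not recursive or not trusted:
            return hop
    # Every hop was a trusted proxy: keep the peer address (our choice).
    return peer_addr


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header).
    for peer, xff in [("203.0.113.7", "192.0.2.44, 198.51.100.9"),
                      ("203.0.113.7", "10.9.9.9, 192.0.2.44"),
                      ("192.0.2.99", "10.9.9.9")]:
        print(peer, "|", xff, "->", real_client_ip(peer, xff))
```

In NGINX the trusted ranges are declared with `set_real_ip_from` and the header with `real_ip_header`; in Apache the counterparts are `RemoteIPTrustedProxy` and `RemoteIPHeader`.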
Last Updated: 9/26/2021, 10:12:10 PM