Setting up a web server can sound daunting for folks who don't normally do that kind of thing. This guide will help you walk through the configuration for Apache or Nginx on Linux and OSX.

Using Apache

The most common setup for Snipe-IT on a linux server is to use Apache, so if you're not sure what to pick, Apache might be the best bet, as it's free, easy to configure, and well documented.

❗️

IMPORTANT:

The DocumentRoot in your server configuration must be set to the public directory that ships with Snipe-IT.

In a standard Apache virtualhost setup, that might look something like this:

<VirtualHost *:80>
	<Directory /var/www/html/public>
		Allow From All
		AllowOverride All
		Options -Indexes
	</Directory>

	DocumentRoot /var/www/html/public
	ServerName www.yourserver.com
	# Other directives here
</VirtualHost>

📘

NOTE:

/var/www/html/public is a common path used on web servers, however you will want to change /var/www/html/public to wherever the public directory is in within the Snipe-IT files on your server. If you are using the installer script for Centos6+/Ubuntu 14+ remember to change your Directory and DocumentRoot to /var/www/html/snipeit/public.

Snipe-IT uses a .htaccess file to include some rewrite rules to handle URLs. If you prefer to include those rules in your web server configuration instead of using the .htaccess (for whatever reason, performance, security...), your configuration would look something like this:

<VirtualHost *:80>
	<Directory /var/www/html/public>
		Allow From All
		AllowOverride None
		Options None
	</Directory>

	DocumentRoot /var/www/html/public
	ServerName www.yourserver.com
	# Other directives here

	RewriteEngine On
	# From public/.htaccess
	RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
	RewriteCond %{REQUEST_URI} (.+)/$
	RewriteRule ^ %1 [L,R=301]
	RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
	RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
	RewriteRule ^ /index.php [L]
</VirtualHost>

An OS X virtualhost setup could look more like:

<Directory "/Users/youruser/Sites/snipe-it/public/">
	Allow From All
	AllowOverride All
	Options -Indexes
</Directory>

<VirtualHost *:80>
	ServerName "www.yourserver.com"
	DocumentRoot "/Users/youruser/Sites/snipe-it/public"
</VirtualHost>

Snipe-IT requires mod_rewrite to be installed and enabled on systems running Apache. For more information on how to set up mod_rewrite, click here.

📘

NOTE:

In Apache 2.4, you may need to use Require all granted instead of Allow From All

Using Nginx and PHP-FPM

If you wish to use Nginx and PHP-FPM instead of Apache, PHP-FPM will need to be installed and setup to listen on a socket. For more information on how to setup PHP-FPM, click here.

server {
    listen 80;
    server_name localhost;

    root /Users/youruser/Sites/snipe-it/public/;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri $uri/ =404;
        fastcgi_pass unix:/var/run/php5-fpm-www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

If you prefer to use a forced SSL setup, you can use the following configuration instead.

server {
    listen 80;
    server_name localhost;

    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /path/to/your.crt;
    ssl_certificate_key /path/to/your.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
    ssl_session_timeout 5m;
    ssl_session_cache builtin:1000 shared:SSL:10m;

    root /Users/youruser/Sites/snipe-it/public/;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri $uri/ =404;
        fastcgi_pass unix:/var/run/php5-fpm-www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

📘

NOTE:

With the SSL configuration you will need to adjust the path to your SSL certificate or it will not work. You can use a proper certificate generated from a CA or a self-signed certificate. For more information on creating a self-signed certificate, click here.

Running Snipe-IT on an EC2 Micro Instance

Depending on your needs, you could probably run this system in an EC2 micro instance. It doesn't take up very much memory and typically won't be a super-high-traffic application. EC2 micros fall into the free/dirt-cheap tier, which might make this a nice option. One thing to note though - composer can be a little memory-intensive while you're running updates, and you may have trouble with it failing on a micro. You can crank the memory_limit up in php.ini, but EC2 micros have swap disabled by default, so even that may not cut it. If you run into totally unhelpful error messages while running composer updates (like simply 'Killed') or fatal memory issues mentioning phar, your best bet will be to enable swap:

sudo /bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=1024
sudo /sbin/mkswap /var/swap.1
sudo /sbin/swapon /var/swap.1

If you need more than 1024MB then change that to something higher.

To enable it by default after reboot, add this line to /etc/fstab:

/var/swap.1 swap swap defaults 0 0

Notes on SELinux

If you’re running SELinux, you’ll need to change the security context in order for the web server to be able to write to files where needed (log files, image uploads, sessions, etc).

If you’re not sure, don’t worry about it unless you’ve set up Snipe-IT and you’re hitting permission errors even after you’ve updated the directory permissions to be writable.

To tell if you’re running SELinux, you can run:

cat /etc/sysconfig/selinux

or

sestatus

If it turns out you’re running SELinux, the syntax for permanently changing the security context on a directory is:

semanage fcontext -a -t <type> "<path/regex>"

So for example, you might do something like:

semanage fcontext -a -t httpd_sys_rw_content_t "/srv/snipeit/storage(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/snipeit/bootstrap/cache(/.*)?"
restorecon -RF /srv/snipeit/storage
restorecon -RF /var/www/html/snipeit/bootstrap/cache

Depending on where your Snipe-IT files are located. This will change the default SELinux file context for the folder and everything in it. It will then apply this "new" default context to the folder and everything in it. Note: never use chcon for anything but testing; it will not survive a filesystem relabel nor using the restorecon command.

As a last resort, you can try disabling SELinux, although we don't really recommend that.

Send email with SELinux enabled

when sending email while selinux enabled you will probably get the following error:

[2017-12-07 15:34:32] production.ERROR: Swift_TransportException: Connection could not be established with host masked_ip [Permission denied #13] in /var/www/html/snipeit/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php:268

In order to be able to send emails you need to install policycoreutils-python and after running audit2allow -w -a you will see the following:

type=AVC msg=audit(1512628596.912:279): avc:  denied  { name_connect } for  pid=1607 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
	Was caused by:
	One of the following booleans was set incorrectly.
	Description:
	Allow httpd to can network connect

	Allow access by executing:
	# setsebool -P httpd_can_network_connect 1
	Description:
	Allow httpd to can sendmail

	Allow access by executing:
	# setsebool -P httpd_can_sendmail 1
	Description:
	Allow nis to enabled

	Allow access by executing:
	# setsebool -P nis_enabled 1

Then, you only need to add the following and test send email again:

setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_sendmail 1