Setting up Homer: Difference between revisions

From Alpine Linux
No edit summary
m (Specify branches in pkg template.)
 
(8 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Draft}}
{{TOC right}}
{{Obsolete|The homer packages do not exist in alpine 3.16 and later}}


Rough notes for setting up [http://sipcapture.org Homer] on Alpine Linux from testing repository
This page describes how to set up [https://sipcapture.org/ HOMER] on
Alpine Linux.


<pre>apk add homer-api-doc homer-ui mariadb kamailio-mysql nginx php7-fpm
The packages are available in the community repository starting from
Alpine Linux 3.6. Make sure that this repository is enabled in
{{path|/etc/apk/repositories}}.


rc-service mariadb setup
== Primary Node ==
rc-update add mariadb
rc-service mariadb start
mysql_secure_installation


homer_db_init
Install the required packages, set up the database, and enable
rc-update add crond
required services:
rc-service crond start


cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg
{{cmd|# apk add {{pkg|homer-api-doc|branch=v3.15|arch=}} {{pkg|homer-ui|branch=v3.15|arch=}} {{pkg|mariadb|branch=v3.15|arch=}} {{pkg|kamailio-mysql|branch=v3.15|arch=}} {{pkg|nginx|branch=v3.15|arch=}} {{pkg|php7-fpm|branch=v3.15|arch=}}}}
echo rc_need=mariadb > /etc/conf.d/kamailio
rc-update add kamailio
rc-service kamailio start


cp /usr/share/doc/homer-api/examples/web/homer5.php-fpm /etc/php7/php-fpm.d/homer5.conf
{{cmd|<nowiki># rc-service mariadb setup
rc-update add php-fpm7
# rc-update add mariadb
rc-service php-fpm7 start
# rc-service mariadb start
# mysql_secure_installation
</nowiki>}}


rm /etc/nginx/conf.d/default.conf
{{cmd|<nowiki># homer_db_init
# rc-update add crond
# rc-service crond start
</nowiki>}}
 
{{cmd|<nowiki># cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg
# echo rc_need=mariadb > /etc/conf.d/kamailio
# rc-update add kamailio
# rc-service kamailio start
</nowiki>}}
 
{{cmd|<nowiki># cp /usr/share/doc/homer-api/examples/web/homer5.php-fpm /etc/php7/php-fpm.d/homer5.conf
# rc-update add php-fpm7
# rc-service php-fpm7 start
</nowiki>}}
 
Override the default nginx configuration with the HOMER template:
 
<pre>: > /etc/nginx/conf.d/default.conf
cp /usr/share/doc/homer-api/examples/web/homer5.nginx /etc/nginx/conf.d/homer5.conf
cp /usr/share/doc/homer-api/examples/web/homer5.nginx /etc/nginx/conf.d/homer5.conf
edit "root" in /etc/nginx/conf.d/homer5.conf to "/usr/share/webapps/homer"
</pre>
edit "server_name" in /etc/nginx/conf.d/homer5.conf
 
edit "fastcgi_pass" in /etc/nginx/conf.d/homer5.conf to "127.0.0.1:9001"
Make the following changes in
edit "SINGLE_NODE" in /etc/homer/configuration.php to "0" if using DB nodes
{{path|/etc/nginx/conf.d/homer5.conf}}:
edit "HOMER_TIMEZONE" in /etc/homer/preferences.php
 
rc-update add nginx
{|
rc-service nginx start
|root
|{{path|/usr/share/webapps/homer}}
|-
|server_name
|your server's host name
|-
|fastcgi_pass
|<code>127.0.0.1:9001</code>
|}
 
If you are going to deploy database nodes in addition to this primary
node, change <code>SINGLE_NODE</code> to <code>0</code> in
{{path|/etc/homer/configuration.php}}.
 
Set <code>HOMER_TIMEZONE</code> in
{{path|/etc/homer/preferences.php}} according to your time zone.
 
Enable the <code>nginx</code> service:


configure DB nodes in web UI, default password is "homer_password"
{{cmd|<nowiki># rc-update add nginx
</pre>
# rc-service nginx start
</nowiki>}}
 
If using a firewall, you have to allow users to access the nginx
server using HTTP. In addition, reception of the captured SIP traffic
must be allowed on UDP port 9060.
 
=== LDAP Authentication ===
 
If you intend to authenticate the HOMER users using LDAP, install the
LDAP authentication module:
 
{{cmd|# apk add {{pkg|homer-api-ldap|branch=v3.15|arch=}}}}
 
In addition, you have to allow connections to the LDAP server if using
a firewall.
 
==== Changes in {{path|/etc/homer/preferences.php}} ====
 
Enable LDAP authentication:
{{cat|/etc/homer/preferences.php|...
define('AUTHENTICATION',"LDAP");
...}}
 
Uncomment the LDAP section and add/update parameters according to your
server configuration:
 
{{cat|/etc/homer/preferences.php|<nowiki>...
define('LDAP_HOST',"localhost");
define('LDAP_PORT',389);
define('LDAP_VERSION',3);
define('LDAP_BIND_USER',"cn=HOMER,ou=Apps,dc=example,dc=com");
define('LDAP_BIND_PASSWORD',"secret");
define('LDAP_BASEDN',"ou=Users,dc=example,dc=com");
...</nowiki>}}
 
Add one of the following lines, depending on whether the STARTTLS
mechanism shall be used to protect the LDAP connection:
 
{{cat|/etc/homer/preferences.php|...
define('LDAP_ENCRYPTION',"none");
define('LDAP_ENCRYPTION',"tls");
...}}
 
If TLS is used, you have to make sure that the relevant root
certificate is trusted. If using a self-signed root certificate, one
way to achieve this is to add the <code>TLS_CACERT</code> parameter to
{{path|/etc/openldap/ldap.conf}}, specifying the path to the
trusted CA certificate.
 
Specify the users who should have admin rights:
 
{{cat|/etc/homer/preferences.php|...
define('LDAP_ADMIN_USERS',"donald,mike");
...}}
 
Remove the parameters starting with <code>LDAP_GROUP_</code> unless
you want to authorize users based on group membership.
 
==== Nested Groups with Active Directory ====
 
The default settings in {{path|/etc/homer/preferences.php}} are
intended for LDAP schemas conforming to
[https://www.rfc-editor.org/rfc/rfc2307.txt RFC 2307]. Otherwise, you may
have to modify the parameters starting with
<code>LDAP_USERNAME_ATTRIBUTE_</code>. The following example
demonstrates how to authenticate and authorize users against Microsoft
Windows Active Directory based on nested group membership:
 
{{cat|/etc/homer/preferences.php|<nowiki>...
define('LDAP_USERNAME_ATTRIBUTE_OPEN',"(&(samaccountname=");
define('LDAP_USERNAME_ATTRIBUTE_CLOSE',")(memberof:1.2.840.113556.1.4.1941:=cn=HOMER,ou=Groups,dc=example,dc=com))");
...</nowiki>}}


== Database Nodes ==
== Database Nodes ==


<pre>apk add homer-api-doc homer-db mariadb kamailio-mysql
To make your HOMER system more scalable, you may want to deploy
multiple database nodes. This sections instructs how to set up an
additional database node.
 
Install the required packages on the new database node and enable the
database service:
 
{{cmd|# apk add {{pkg|homer-api-doc|branch=v3.15|arch=}} {{pkg|homer-db|branch=v3.15|arch=}} {{pkg|mariadb|branch=v3.15|arch=}} {{pkg|kamailio-mysql|branch=v3.15|arch=}}}}
 
{{cmd|<nowiki># rc-service mariadb setup
# rc-update add mariadb
# rc-service mariadb start
</nowiki>}}
 
Set up the database. You may want to disable remote root logins to the
database.
 
{{cmd|<nowiki># mysql_secure_installation
# homer_db_init -r
</nowiki>}}
 
You may want to change the default password for the HOMER database
user. This can be done as follows:
 
{{cmd|# mysql -e "SET PASSWORD FOR 'homer_user' {{=}} PASSWORD('<password>');"}}
 
Enable the <code>crond</code> service:
 
{{cmd|<nowiki># rc-update add crond
# rc-service crond start
</nowiki>}}
 
Override the Kamailio configuration with the HOMER template:
 
{{cmd|# cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg}}
 
Change the <code>capture_node</code> parameter in
{{path|/etc/kamailio/kamailio.cfg}} to a unique value. If you
changed the database user password, update the
<code>HOMER_DB_PASSWORD</code> parameter accordingly.
 
Enable the <code>kamailio</code> service:
 
{{cmd|<nowiki># echo rc_need=mariadb > /etc/conf.d/kamailio
# rc-update add kamailio
# rc-service kamailio start
</nowiki>}}


rc-service mariadb setup
If using a firewall, you have to allow the reception of captured SIP
rc-update add mariadb
packets on UDP port 9060. In addition, you have to allow the primary
rc-service mariadb start
node to access the local database.
mysql_secure_installation


homer_db_init -r
Finally, you have to add the database node to the primary server
rc-update add crond
configuration via the web user interface. Log in as an admin
rc-service crond start
user. Click on ''Panels'', ''System Admin'', and then
''Add Node''. Use the following values:


cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg
{|
edit "capture_node" in /etc/kamailio/kamailio.cfg
|Node
echo rc_need=mariadb > /etc/conf.d/kamailio
|Value of <code>capture_node</code> in {{path|/etc/kamailio/kamailio.cfg}}
rc-update add kamailio
|-
rc-service kamailio start
|Host
</pre>
|Host name or IP address of the database node
|-
|Port
|<code>3306</code>
|-
|DB Name
|<code>homer_data</code>
|-
|DB Username
|<code>homer_user</code>
|-
|DB Password
|Database password, which is <code>homer_password</code> unless you changed it
|-
|DB Tables
|<code>sip_capture</code>
|}


== Capture Nodes ==
== Capture Nodes ==


<pre>apk add captagent
To capture packets on a SIP server, install the HOMER CaptAgent:
edit "capture-host" in /etc/captagent/transport_hep.xml
 
edit "capture-port" in /etc/captagent/transport_hep.xml to "9060"
{{cmd|# apk add {{pkg|captagent|branch=v3.15|arch=}}}}
rc-update add captagent
 
rc-service captagent start
Configure the <code>capture-host</code> and <code>capture-port</code>
</pre>
parameters in {{path|/etc/captagent/transport_hep.xml}}. The
capture host is the primary or an additional database node. The port
should be set to <code>9060</code>.
 
Enable the service:
 
{{cmd|<nowiki># rc-update add captagent
# rc-service captagent start
</nowiki>}}
 
If using a firewall, you have to allow sending the captured SIP
packets to UDP port 9060 of the specified capture host.
 
== Retention Period of Captured Packets ==
 
A cron job takes care of removing obsolete data from the capture host
databases. The retention period can be adjusted by modifying
{{path|/etc/homer/rotation.ini}}.
 
[[category:Telephony]]

Latest revision as of 07:44, 13 January 2024

This material is obsolete ...

The homer packages do not exist in alpine 3.16 and later (Discuss)

This page describes how to set up HOMER on Alpine Linux.

The packages are available in the community repository starting from Alpine Linux 3.6. Make sure that this repository is enabled in /etc/apk/repositories.

Primary Node

Install the required packages, set up the database, and enable required services:

# apk add homer-api-doc homer-ui mariadb kamailio-mysql nginx php7-fpm

# rc-service mariadb setup # rc-update add mariadb # rc-service mariadb start # mysql_secure_installation

# homer_db_init # rc-update add crond # rc-service crond start

# cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg # echo rc_need=mariadb > /etc/conf.d/kamailio # rc-update add kamailio # rc-service kamailio start

# cp /usr/share/doc/homer-api/examples/web/homer5.php-fpm /etc/php7/php-fpm.d/homer5.conf # rc-update add php-fpm7 # rc-service php-fpm7 start

Override the default nginx configuration with the HOMER template:

: > /etc/nginx/conf.d/default.conf
cp /usr/share/doc/homer-api/examples/web/homer5.nginx /etc/nginx/conf.d/homer5.conf

Make the following changes in /etc/nginx/conf.d/homer5.conf:

root /usr/share/webapps/homer
server_name your server's host name
fastcgi_pass 127.0.0.1:9001

If you are going to deploy database nodes in addition to this primary node, change SINGLE_NODE to 0 in /etc/homer/configuration.php.

Set HOMER_TIMEZONE in /etc/homer/preferences.php according to your time zone.

Enable the nginx service:

# rc-update add nginx # rc-service nginx start

If using a firewall, you have to allow users to access the nginx server using HTTP. In addition, reception of the captured SIP traffic must be allowed on UDP port 9060.

LDAP Authentication

If you intend to authenticate the HOMER users using LDAP, install the LDAP authentication module:

# apk add homer-api-ldap

In addition, you have to allow connections to the LDAP server if using a firewall.

Changes in /etc/homer/preferences.php

Enable LDAP authentication:

Contents of /etc/homer/preferences.php

... define('AUTHENTICATION',"LDAP"); ...

Uncomment the LDAP section and add/update parameters according to your server configuration:

Contents of /etc/homer/preferences.php

... define('LDAP_HOST',"localhost"); define('LDAP_PORT',389); define('LDAP_VERSION',3); define('LDAP_BIND_USER',"cn=HOMER,ou=Apps,dc=example,dc=com"); define('LDAP_BIND_PASSWORD',"secret"); define('LDAP_BASEDN',"ou=Users,dc=example,dc=com"); ...

Add one of the following lines, depending on whether the STARTTLS mechanism shall be used to protect the LDAP connection:

Contents of /etc/homer/preferences.php

... define('LDAP_ENCRYPTION',"none"); define('LDAP_ENCRYPTION',"tls"); ...

If TLS is used, you have to make sure that the relevant root certificate is trusted. If using a self-signed root certificate, one way to achieve this is to add the TLS_CACERT parameter to /etc/openldap/ldap.conf, specifying the path to the trusted CA certificate.

Specify the users who should have admin rights:

Contents of /etc/homer/preferences.php

... define('LDAP_ADMIN_USERS',"donald,mike"); ...

Remove the parameters starting with LDAP_GROUP_ unless you want to authorize users based on group membership.

Nested Groups with Active Directory

The default settings in /etc/homer/preferences.php are intended for LDAP schemas conforming to RFC 2307. Otherwise, you may have to modify the parameters starting with LDAP_USERNAME_ATTRIBUTE_. The following example demonstrates how to authenticate and authorize users against Microsoft Windows Active Directory based on nested group membership:

Contents of /etc/homer/preferences.php

... define('LDAP_USERNAME_ATTRIBUTE_OPEN',"(&(samaccountname="); define('LDAP_USERNAME_ATTRIBUTE_CLOSE',")(memberof:1.2.840.113556.1.4.1941:=cn=HOMER,ou=Groups,dc=example,dc=com))"); ...

Database Nodes

To make your HOMER system more scalable, you may want to deploy multiple database nodes. This sections instructs how to set up an additional database node.

Install the required packages on the new database node and enable the database service:

# apk add homer-api-doc homer-db mariadb kamailio-mysql

# rc-service mariadb setup # rc-update add mariadb # rc-service mariadb start

Set up the database. You may want to disable remote root logins to the database.

# mysql_secure_installation # homer_db_init -r

You may want to change the default password for the HOMER database user. This can be done as follows:

# mysql -e "SET PASSWORD FOR 'homer_user' = PASSWORD('<password>');"

Enable the crond service:

# rc-update add crond # rc-service crond start

Override the Kamailio configuration with the HOMER template:

# cp /usr/share/doc/homer-api/examples/sipcapture/sipcapture.kamailio /etc/kamailio/kamailio.cfg

Change the capture_node parameter in /etc/kamailio/kamailio.cfg to a unique value. If you changed the database user password, update the HOMER_DB_PASSWORD parameter accordingly.

Enable the kamailio service:

# echo rc_need=mariadb > /etc/conf.d/kamailio # rc-update add kamailio # rc-service kamailio start

If using a firewall, you have to allow the reception of captured SIP packets on UDP port 9060. In addition, you have to allow the primary node to access the local database.

Finally, you have to add the database node to the primary server configuration via the web user interface. Log in as an admin user. Click on Panels, System Admin, and then Add Node. Use the following values:

Node Value of capture_node in /etc/kamailio/kamailio.cfg
Host Host name or IP address of the database node
Port 3306
DB Name homer_data
DB Username homer_user
DB Password Database password, which is homer_password unless you changed it
DB Tables sip_capture

Capture Nodes

To capture packets on a SIP server, install the HOMER CaptAgent:

# apk add captagent

Configure the capture-host and capture-port parameters in /etc/captagent/transport_hep.xml. The capture host is the primary or an additional database node. The port should be set to 9060.

Enable the service:

# rc-update add captagent # rc-service captagent start

If using a firewall, you have to allow sending the captured SIP packets to UDP port 9060 of the specified capture host.

Retention Period of Captured Packets

A cron job takes care of removing obsolete data from the capture host databases. The retention period can be adjusted by modifying /etc/homer/rotation.ini.