
Install Grocy Webapp in cPanel #354

Closed
dilshandiss opened this issue Sep 10, 2019 · 6 comments


@dilshandiss dilshandiss commented Sep 10, 2019

I'm not sure where to post this but I feel that since I have gone through this scenario, I'm sure others out there would face the same. To contribute towards the community, I want to share my experiences;

Request to Developer -
Please see if you can modify Grocy, such that we don't need to worry about the web root, this would make installations for those using administrator panels like cPanel, manage this easier.

General
First off, what a really really cool system. I haven't started using it fully since I was battling through the installation process since my scenario here is a little different. However, hats off to the developer for creating this system, there is nothing on the www that will come close to this. There are other solutions but they are really overkill / have an ugly UI. The next task I have ahead of me is to convince the Wife to use it!

My Scenario -
So, I have a cPanel instance with a good web host and I deploy all my webapps under different sub-folders in my domain. Yes, I could use "Addon" or "sub-domains" to host Grocy, but it would count towards my limits (and the url will actually be quite long). I did a few work-arounds and it seems to be working. This is what I will share below.

My Workaround -

  1. So as the developer said, download the latest zip and extract that to your sub-folder on your domain. Follow his instructions on the config.php as well and give the required permissions for the "Data" folder.

  2. Within the config.php file, modify the "BASE PATH" such that it points to the public folder of Grocy. E.G. https://your-domain-name/grocy/public/

  3. Use a 301 redirect generator such as THIS and fill in the old url, the new url, "php" as the redirect method, generate and copy the code.

  4. Create a file in the grocy root called index.php and paste the above code into it. For example, the file located at https://your-domain-name/grocy/index.php should have the code you copied in the previous step in it.

  5. At this point if you navigate to your URL https://your-domain-name/grocy/ it should redirect to https://your-domain-name/grocy/public/ automatically.

  6. The final step is to prevent directory listing of your files. This time, go to your control panel (in my case it's cPanel) and then look for an option called "Indexes" / "Directory Listing" / etc. It is generally put into an "Advanced" / "Security" section or category. Once you have located that, navigate to your "Grocy" folder and disable / stop indexes for this folder ONLY. If you need help on this, it would be best to get in touch with your respective web control panel support team.

That's it! I suppose another method of doing this will be through your htaccess (I haven't tried this) or if you have ssh access to your cPanel (most of the time if you're just hosting websites, you don't), you can modify the virtual hosts file to reflect the public folder of Grocy.

If anyone else has anything to add / modify / remove to this, please do.

Hope this could be useful to someone out there!

Update
So guys, after a quick chat below with Bernd, there could be security implications, so please do provide insight on this work-around that I suggested above. Perhaps if we secure this with a username / password combo, would it make it a bit more secure? We would need a developer versed in security to be able to shed some light on the matter.


@berrnd berrnd commented Sep 10, 2019

Great that grocy is useful for you and thanks for sharing your experience with the cPanel installation. :)

> Please see if you can modify Grocy, such that we don't need to worry about the web root

I don't really know what I should do about that...
It's pretty common for PHP applications that a separate directory is served as the web root, especially because there are other files and directories (like the /data directory) you never want to expose. So that is the simplest way, because only /public is exposed, nothing else.

So be careful about your setup that https://your-domain-name/grocy/data/grocy.db does not serve the database file, I don't think that you want that...


@dilshandiss dilshandiss commented Sep 10, 2019

Sure, no problem, glad to be of some assistance.

Ah, I see your point now! Unfortunately, I'm from an Infrastructure background so I wouldn't have any idea on how to do this. There are a few apps (PHPIPAM, WORDPRESS amongst others) that I have running that however don't point to a public folder, but the difference I notice here is that they are all using a php/mysql architecture. So that could be one method, but in all of them, they have a configuration file which we must edit (for example SQL Connection details) but I won't know how they build security around the folders that these configuration type files reside in. These config files cannot be exposed to the WWW.

You brought up a very valid point on exposing the grocy.db file. I'm assuming that by disabling the directory listing feature of the web server, malicious users will not be able to download the file? I'm not sure on this, I could secure it more by using an htaccess file I suppose or by writing a script to request a username / password to access the folder. Honestly, I think malicious users have better things to hack-away rather than trying to find out when my groceries are going to expire :) but I could be wrong!

Keep up the good work mate, I'm sure you must have plenty of compliments for your system, it really is well thought out, structured and feature rich with just what I require! No more fights on chores or throwing away expired products!


@berrnd berrnd commented Sep 10, 2019

> I'm assuming that by disabling the directory listing feature of the web server, malicious users will not be able to download the file?

I would say that this just prevents directory listing, not the download of an explicit file. Using .htaccess rules (for Apache, other ways for other webservers) would be the only way to prevent this, I think.

WordPress does this by putting an empty .php file in each directory, to prevent file listing. But it's possible (for the default file structure) to serve any file in the wp-* folders when explicitly provided.

> I think malicious users have better things to hack-away rather than trying to find out when my groceries are going to expire :)

I agree, but it should be safe, regardless of how sensitive the data is, in my opinion...

> it really is well thought out, structured and feature rich with just what I require! No more fights on chores or throwing away expired products!

Thank you again. :)
It evolved by trying to solve my own daily "problems" about that ... after finding no existing solution ... and after I played the Excel game till the end... :D
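The point made in the comment above, that disabling directory listing does not stop an explicit request for `data/grocy.db`, shown as an added example that is not part of the thread or of grocy's code. The two handler classes are local stand-ins (assumptions) for "Indexes disabled" and for a deny rule covering everything outside `public/`; `check_exposure` can be pointed at your own install's base URL.

```python
import functools, http.server, pathlib, tempfile, threading
import urllib.error, urllib.request

class NoIndex(http.server.SimpleHTTPRequestHandler):
    """Stand-in for 'Indexes' disabled: no listing, files still served."""
    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None
    def log_message(self, *args):  # keep the demo quiet
        pass

class PublicOnly(NoIndex):
    """Stand-in for a deny rule: refuse anything outside /grocy/public/."""
    def do_GET(self):
        if not self.path.startswith("/grocy/public/"):
            self.send_error(403, "Forbidden")
            return
        super().do_GET()

# Ignore proxy environment variables so loopback requests stay local.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def status(url):
    try:
        with _opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_exposure(base_url):
    """HTTP status of the directory listing and of the explicit DB path."""
    return {p: status(base_url + p) for p in ("data/", "data/grocy.db")}

def demo(handler_cls):
    """Serve a constructed grocy-like tree on loopback and probe it."""
    with tempfile.TemporaryDirectory() as root:
        grocy = pathlib.Path(root, "grocy")
        (grocy / "data").mkdir(parents=True)
        (grocy / "public").mkdir()
        (grocy / "data" / "grocy.db").write_bytes(b"constructed sample")
        handler = functools.partial(handler_cls, directory=root)
        with http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler) as srv:
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            try:
                return check_exposure(f"http://127.0.0.1:{srv.server_port}/grocy/")
            finally:
                srv.shutdown()

if __name__ == "__main__":
    print("listing disabled only:", demo(NoIndex))
    print("deny outside public/: ", demo(PublicOnly))
```

A 200 for `data/grocy.db` on a real install means the database is downloadable even though the listing returns 403.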


@dilshandiss dilshandiss commented Sep 10, 2019

Oh yes, very true! Haven't we all played that Excel game :)

So I got quite a few points from your reply, which I learnt and will need a bit more research from my end. I will post updates to this thread as and when I dig a little deeper.

Well it's been a pleasure and I truly hope that you will continue to make such wonderful systems that will not only solve your problems, but ours as well :)

berrnd added a commit to grocy/grocy-website that referenced this issue Sep 16, 2019

@berrnd berrnd commented Sep 16, 2019

Because this could maybe be useful for others too, I added this now as a link on https://grocy.info/links.

Thanks again. :)

@berrnd berrnd closed this Sep 16, 2019

@dilshandiss dilshandiss commented Sep 16, 2019

Sure @berrnd, it's a pleasure and glad that I could contribute my two cents! :-)
