Install Nginx

• This guide is for Raspberry Pi OS based on Debian version 12 (Bookworm).
• You can run the command cat /etc/issue.net to confirm the version. Debian GNU/Linux 12 should be displayed.
• Make sure it is up to date.

# Get the latest package lists
sudo apt-get update
# Update the system to the latest
sudo apt-get upgrade

• Install Nginx

sudo apt-get -y install nginx

• Make sure that the web server is started and running

sudo systemctl stop nginx.service
sudo systemctl start nginx.service

• Using a browser, navigate to the IP address of the server on which you have installed Nginx to ensure that Nginx is serving content, e.g. http://127.0.0.1

• The default install of Nginx does not support the serving of .php files.
• We will install a program (actually a service) called php-fpm.
• This service will listen for requests to interpret.
• Install the php-fpm service by installing the default version 8.2 of the packages

sudo apt-get -y install php-fpm
sudo systemctl enable php8.2-fpm
sudo systemctl start php8.2-fpm

• Now that the php-fpm service is installed we should change the default Nginx server to make use of it.
• Edit the default server file:

sudo vi /etc/nginx/sites-enabled/default

• Add index.php to this line:

# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;

• Activate PHP processing by un-commenting this this section. Note that we use the UNIX socket and we are using 8.2 and not 7.4 which is specified originally in the config file.

# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    #
    #       # With php-fpm (or other unix sockets):
    fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
    #       # With php-cgi (or other tcp sockets):
    #       fastcgi_pass 127.0.0.1:9000;
}

• Enable the hiding of .htaccess files

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
    deny all;
}

• Reload the Nginx web server's configuration

sudo systemctl reload nginx.service

• Create a test .php file to confirm that it does work

sudo vi /var/www/html/test.php

• Contents

<?php
    phpinfo();
?>

• Navigate to http://127.0.0.1/test.php and see if the page display the PHP info.

• We discovered that the version of MySQL that comes bundled by default with Debian 12 (bookworm) are breaking things on RADIUSdesk.
• For this reason we install MariaDB as an alternative.
• MariaDB is an open-source relational database management system, commonly used as an alternative for MySQL as the database portion of the popular LAMP (Linux, Apache, MySQL, PHP/Python/Perl) stack.
• It is intended to be a drop-in replacement for MySQL.
• Be sure to supply a root password for the MariaDB database when asked for it if you are security conscious else simply hit the ESC key.

sudo apt-get -y install mariadb-server php8.2-mysql
sudo systemctl enable mariadb
sudo systemctl restart mariadb
sudo systemctl status mariadb

• With Debian 12 (bookworm), the bundled release of MariaDB is at version 15.1 which introduced a few Strict modes which have some problems with RADIUSdesk database implementation.
• We will disable Strict SQL Mode in MariaDB by creating a new file /etc/mysql/conf.d/disable_strict_mode.cnf

sudo vi /etc/mysql/conf.d/disable_strict_mode.cnf

• Enter these two lines:

[mysqld]
sql_mode=IGNORE_SPACE,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

• Save the file and restart the MySQL Server

sudo systemctl restart mariadb

• Edit the /etc/nginx/sites-available/default file:

sudo vi /etc/nginx/sites-available/default

• Add the following inside the server section:

location ~ ^/cake4/.+\.(jpg|jpeg|gif|png|ico|js|css)$ {
    rewrite ^/cake4/rd_cake/webroot/(.*)$ /cake4/rd_cake/webroot/$1 break;
    rewrite ^/cake4/rd_cake/(.*)$ /cake4/rd_cake/webroot/$1 break;
    access_log off;
    expires max;
    add_header Cache-Control public;
}

• Add below only if you require backward compatibility (MESHdesk and APdesk).

location ~ ^/cake3/.+\.(jpg|jpeg|gif|png|ico|js|css)$ {
    rewrite ^/cake3/rd_cake/webroot/(.*)$ /cake3/rd_cake/webroot/$1 break;
    rewrite ^/cake3/rd_cake/(.*)$ /cake3/rd_cake/webroot/$1 break;
    access_log off;
    expires max;
    add_header Cache-Control public;
}

• Reload Nginx:

sudo systemctl reload nginx.service

• The first part prepared everything to install RADIUSdesk.
• This part will go through the steps to install the latest RADIUSdesk.
• RADIUSdesk consists of three components.
  • rd directory with its contents contains all the HTML and JavaScript code and is used as the presentation layer.
  • cake4 is a CakePHPv4 application and can be considered the engine room. Here the data is processed before being presented by the presentation layer.
  • login is a directory with various login pages which are centrally managed through the RADIUSdesk Dynamic Login Pages applet.
• Later we will create various symbolic links from locations inside the rdcore directory to locations inside the web server's document root directory.

• Make sure the following packages are installed.

sudo apt-get -y install php-cli php-mysql php-gd php-curl php-xml php-mbstring php-intl php-sqlite3 git wget
sudo systemctl restart php8.2-fpm

• Check out the rdcore git repository.

cd /var/www
sudo git clone https://github.com/RADIUSdesk/rdcore.git

• This will create an rdcore directory containing some sub-folders.
• It is recommended that you also include the RD Mobile UI.
• Check out the rd_mobile git repository.

cd /var/www
sudo git clone https://github.com/RADIUSdesk/rd_mobile.git

• We will create soft links in the directory where Nginx will serve the RADIUSdesk contents.

cd /var/www/html
sudo ln -s ../rdcore/rd ./rd
sudo ln -s ../rdcore/cake4 ./cake4
#If backward compatibility is required for older firmware of MESHdesk
sudo ln -s ../rdcore/cake4 ./cake3
sudo ln -s ../rdcore/login ./login
sudo ln -s ../rdcore/AmpConf/build/production/AmpConf ./conf_dev
sudo ln -s ../rdcore/cake4/rd_cake/setup/scripts/reporting ./reporting
#For the RD Mobile UI
sudo ln -s ../rd_mobile/build/production/RdMobile ./rd_mobile

• Change the ownership of the following files to www-data so Nginx can make changes to the files/directories

sudo mkdir -p  /var/www/html/cake4/rd_cake/logs
sudo mkdir -p /var/www/html/cake4/rd_cake/webroot/files/imagecache
sudo mkdir -p /var/www/html/cake4/rd_cake/tmp
sudo chown -R www-data: /var/www/html/cake4/rd_cake/tmp
sudo chown -R www-data: /var/www/html/cake4/rd_cake/logs
sudo chown -R www-data: /var/www/html/cake4/rd_cake/webroot/img/realms
sudo chown -R www-data: /var/www/html/cake4/rd_cake/webroot/img/dynamic_details
sudo chown -R www-data: /var/www/html/cake4/rd_cake/webroot/img/dynamic_photos
sudo chown -R www-data: /var/www/html/cake4/rd_cake/webroot/img/access_providers
sudo chown -R www-data: /var/www/html/cake4/rd_cake/webroot/img/hardwares
sudo chown -R www-data: /var/www/html/cake4/rd_cake/webroot/files/imagecache

• Make sure the timezone on the server is set to UTC (You can use sudo raspi-config)
• Populate the timezone data on the DB

#NOTE FAILING THIS STEP will break the RADIUS graphs
#There might be some error messages in the output which is fine - no need to be alarmed
sudo su
mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root  mysql

• Create an empty database called rd

sudo su
mysql -u root
create database rd;
GRANT ALL PRIVILEGES ON rd.* to 'rd'@'127.0.0.1' IDENTIFIED BY 'rd';
GRANT ALL PRIVILEGES ON rd.* to 'rd'@'localhost' IDENTIFIED BY 'rd';
exit;

• Populate the database:

sudo mysql -u root rd < /var/www/html/cake4/rd_cake/setup/db/rd.sql

sudo mysql -u root rd < /var/www/rdcore/cake4/rd_cake/setup/db/8.068_add_email_sms_histories.sql 

• Configure Nginx to rewrite some RdCore URLs starting with /cake4/rd_cake.
• Edit /etc/nginx/sites-enabled/default

sudo vi /etc/nginx/sites-enabled/default

• Add this once section directly below server_name item. (This is so that this rule is hit first for the reporting side. We do not use CakePHP for the reporting anymore due to performance issues.

server_name _;
location /cake4/rd_cake/node-reports/submit_report.json {
    try_files $uri $uri/ /reporting/reporting.php;
}

• If you need backward compatibility support (MESHdesk and APdesk) also add this section:

location /cake3/rd_cake/node-reports/submit_report.json {
    try_files $uri $uri/ /reporting/reporting.php;
}

• Add the following configuration block inside the server section (This you can add towards the end):

location /cake4/rd_cake {
   rewrite ^/cake4/rd_cake(.+)$ /cake4/rd_cake/webroot$1 break;
   try_files $uri $uri/ /cake4/rd_cake/index.php$is_args$args;
}

• If you need backward compatibility support (MESHdesk and APdesk) also add this section:

location /cake3/rd_cake {
   rewrite ^/cake3/rd_cake(.+)$ /cake3/rd_cake/webroot$1 break;
   try_files $uri $uri/ /cake3/rd_cake/index.php$is_args$args;
}

• Reload the Nginx:

sudo systemctl reload nginx

• The following URLs are important to reach the UI
• To load the optimized UI, go to http://127.0.0.1/rd/build/production/Rd/
• If you want to serve the content directly out of the webroot, do the following:

sudo cp -R /var/www/html/rd/build/production/Rd/* /var/www/html/

• To load the RD Mobile UI, go to http://127.0.0.1/rd_mobile

• By default you can log in with the following credentials

Username: root Password: admin

• RADIUSdesk requires a few scripts to run periodically in order to maintain a healthy and working system.
• To activate the cron scripts execute the following command, which will add RADIUSdesk's crons scripts to the Cron system

sudo cp /var/www/html/cake4/rd_cake/setup/cron/cron4 /etc/cron.d/

• If you want to change the default intervals at which the scripts get executed, just edit the /etc/cron.d/cron4 file.

• Rather than repeating existing documentation we will just add a URL with the instructions to do it.
• You might want to run the following first before going to the instructions in the URL

sudo apt-get update
sudo apt-get -y install software-properties-common

• https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-11

• Be sure to also install FreeRADIUS