Overview
GLPI (Gestionnaire Libre de Parc Informatique) is an open source IT asset management and helpdesk solution aligned with ITIL best practices. It centralises equipment management, support tickets, licences and contracts within a single web interface.
This procedure covers the installation of GLPI 11.0.6 on Debian 12 (Bookworm) using the Apache 2 + PHP 8.4-FPM + MariaDB stack, following the directory separation recommended by the project for a secure deployment.
Key Features
- Ticketing and helpdesk (ITIL compliant)
- Automatic hardware and software inventory
- Asset, licence and contract management
- Built-in LDAP / Active Directory integration
- Configuration Management Database (CMDB)
- Extensible plugin ecosystem
Technical Architecture
| Component | Value |
|---|---|
| Operating system | Debian 12 (Bookworm) |
| Web server | Apache 2.4 |
| PHP engine | PHP 8.4-FPM |
| Database | MariaDB 10.11+ |
| Application | GLPI 11.0.6 |
| Access | Web interface (HTTP/HTTPS) |
Directory Separation (GLPI 11 best practice)
| Directory | Purpose |
|---|---|
/var/www/glpi/ | Application source code (DocumentRoot = public/) |
/etc/glpi/ | Configuration files (outside the webroot) |
/var/lib/glpi/ | Persistent data (uploads, cache, sessions) |
/var/log/glpi/ | Application logs |
Why separate directories? Placing configuration and data outside the webroot prevents them from being directly exposed through Apache, significantly hardening the installation in a production environment.
Prerequisites
Minimum Hardware
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 1 vCPU | 2 vCPU |
| RAM | 1 GB | 2 GB |
| Storage | 8 GB | 20 GB |
Software Requirements
- Debian 12 (Bookworm) — fully updated
- Root or sudo access
- Internet connectivity (package downloads)
Step-by-step Installation
Step 1: System Update
apt update && apt upgrade -y
Step 2: Install Dependencies
Install Apache, MariaDB, PHP 8.4-FPM and all PHP extensions required by GLPI 11:
apt install -y apache2 mariadb-server \
php8.4-fpm \
php8.4-{curl,gd,intl,mysql,zip,bcmath,mbstring,xml,bz2,apcu,imap} \
wget tar
Optional LDAP extension (required for Active Directory integration):
apt install -y php8.4-ldap
PHP-FPM vs mod_php: PHP-FPM (FastCGI Process Manager) is the recommended execution mode for GLPI 11. It delivers better performance and process isolation compared to the classic Apache PHP module.
Step 3: Secure MariaDB
Run the interactive security script bundled with MariaDB:
mysql_secure_installation
Answer the prompts as follows:
- Switch to unix_socket authentication →
n - Change the root password →
y, then enter a strong password - Remove anonymous users →
y - Disallow root login remotely →
y - Remove test database →
y - Reload privilege tables →
y
Step 4: Create the Database
mysql -u root -p
CREATE DATABASE db25_glpi CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; CREATE USER 'glpi_adm'@'localhost' IDENTIFIED BY 'StrongPassword!2025'; GRANT ALL PRIVILEGES ON db25_glpi.* TO 'glpi_adm'@'localhost'; FLUSH PRIVILEGES; EXIT;
Security: Replace
StrongPassword!2025 with a unique strong password. Never use the root account as the application database user.
Step 5: Download and Extract GLPI
cd /tmp wget https://github.com/glpi-project/glpi/releases/download/11.0.6/glpi-11.0.6.tgz tar -xzvf glpi-11.0.6.tgz -C /var/www/ rm glpi-11.0.6.tgz
Set correct ownership on the source tree:
chown -R www-data:www-data /var/www/glpi/ chmod -R 755 /var/www/glpi/
Step 6: Directory Separation (best practice)
Move configuration, data and logs outside the webroot so they cannot be accessed directly through Apache:
# Configuration directory mkdir -p /etc/glpi mv /var/www/glpi/config /etc/glpi/config chown -R www-data:www-data /etc/glpi/ # Persistent data directory mkdir -p /var/lib/glpi mv /var/www/glpi/files /var/lib/glpi/files chown -R www-data:www-data /var/lib/glpi/ # Logs directory mkdir -p /var/log/glpi chown -R www-data:www-data /var/log/glpi/
Step 7: Create downstream.php
This file tells GLPI where to find its configuration (outside the webroot):
nano /var/www/glpi/inc/downstream.php
<?php
define('GLPI_CONFIG_DIR', '/etc/glpi/config/');
if (file_exists(GLPI_CONFIG_DIR . '/local_define.php')) {
require_once GLPI_CONFIG_DIR . '/local_define.php';
}
Step 8: Create local_define.php
This file declares the custom paths for data and logs:
nano /etc/glpi/config/local_define.php
<?php
define('GLPI_VAR_DIR', '/var/lib/glpi/files');
define('GLPI_LOG_DIR', '/var/log/glpi');
chown -R www-data:www-data /etc/glpi/config/
Apache Configuration
Step 9: Create the VirtualHost
With GLPI 11, DocumentRoot must point to the public/ subdirectory — not the application root:
nano /etc/apache2/sites-available/glpi.conf
<VirtualHost *:80>
ServerName glpi.example.com
DocumentRoot /var/www/glpi/public
<Directory /var/www/glpi/public>
Require all granted
RewriteEngine On
# Forward the Authorization header to PHP-FPM
RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Route all requests through the front controller
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
</Directory>
ErrorLog ${APACHE_LOG_DIR}/glpi_error.log
CustomLog ${APACHE_LOG_DIR}/glpi_access.log combined
</VirtualHost>
# Enable the site and required modules a2ensite glpi.conf a2dissite 000-default.conf a2enmod rewrite # Enable PHP-FPM proxy a2enmod proxy_fcgi setenvif a2enconf php8.4-fpm systemctl restart apache2
Why
public/? GLPI 11 uses the "front controller" pattern: only the public/ folder is exposed on the web. The rest of the code (includes, config, vendor) is unreachable from a browser, reducing the attack surface.
PHP Configuration
Step 10: Tune php.ini
nano /etc/php/8.4/fpm/php.ini
; Session security session.cookie_httponly = On session.cookie_samesite = Lax ; Limits suited for GLPI memory_limit = 256M max_execution_time = 300 upload_max_filesize = 100M post_max_size = 100M date.timezone = Europe/Paris
systemctl restart php8.4-fpm
PHP-FPM Handler in Apache (optional, inside VirtualHost)
If the FPM handler is not applied globally by the php8.4-fpm conf, add inside the <Directory> block:
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php/php8.4-fpm.sock|fcgi://localhost/"
</FilesMatch>
Web Installer
Open a browser and navigate to:
http://<SERVER_IP_ADDRESS>
Follow the installation wizard:
- Select language: English
- GPL licence: Accept
- Action type: Install
- Database connection:
- SQL server:
localhost - SQL user:
glpi_adm - Password: the password defined in step 4
- SQL server:
- Select database:
db25_glpi - Initialisation: wait while the schema is loaded
- Installation complete: take note of the default accounts
Default Accounts (change immediately)
| Login | Password | Profile |
|---|---|---|
| glpi | glpi | Super-administrator |
| tech | tech | Technician |
| normal | normal | Standard user |
| post-only | postonly | Ticket observer |
CRITICAL SECURITY: Change all default passwords immediately after the first login. Leaving these accounts unchanged exposes the application to trivial compromise.
Verification
Check Service Status
systemctl status apache2 systemctl status php8.4-fpm systemctl status mariadb
Verify the GLPI Installation
- Log in with glpi / glpi
- Go to Setup → General → System: no red warning should appear
- Create a test ticket: Helpdesk → Tickets → Create
- Confirm it appears in the open tickets list
Check Logs
tail -f /var/log/glpi/php-errors.log tail -f /var/log/apache2/glpi_error.log
Post-installation Hardening
Remove the Install Script
rm -f /var/www/glpi/install/install.php
Tighten Configuration File Permissions
chmod 600 /etc/glpi/config/config_db.php chown www-data:www-data /etc/glpi/config/config_db.php
Change All Default Passwords
In GLPI: Administration → Users → edit each default account (glpi, tech, normal, post-only).
Enable HTTPS (recommended for production)
apt install -y certbot python3-certbot-apache certbot --apache -d glpi.example.com
In a test environment without a public domain name, use a self-signed certificate or an internal HTTPS proxy. HTTPS is mandatory as soon as personal data travels over the network.
Backups
Database Backup
mysqldump -u glpi_adm -p db25_glpi > /root/backup_glpi_$(date +%Y%m%d_%H%M).sql
Application Files Backup
tar -czf /root/glpi_files_$(date +%Y%m%d_%H%M).tar.gz \
/var/www/glpi/ \
/etc/glpi/ \
/var/lib/glpi/
Automated Daily Backup (cron)
nano /etc/cron.daily/backup-glpi
#!/bin/bash BACKUP_DIR="/var/backups/glpi" DATE=$(date +%Y%m%d_%H%M) mkdir -p "$BACKUP_DIR" # Database mysqldump -u glpi_adm -pStrongPassword!2025 db25_glpi \ > "$BACKUP_DIR/db_$DATE.sql" # Files tar -czf "$BACKUP_DIR/files_$DATE.tar.gz" \ /var/lib/glpi/ /etc/glpi/ 2>/dev/null # Rotation: keep the last 7 days find "$BACKUP_DIR" -type f -mtime +7 -delete
chmod +x /etc/cron.daily/backup-glpi
Conclusion
GLPI 11.0.6 is now installed and operational on Debian 12. This procedure implements the best practices recommended by the project: directory separation outside the webroot, PHP-FPM, Apache front controller pattern, and post-installation hardening.
Next Steps
- Active Directory integration (see procedure 08 — GLPI + AD)
- GLPI inventory agent deployment
- Business rule and SLA configuration
- Off-site backup strategy
Key Terms for the BTS Oral
- GLPI: open source ITSM solution, ITIL compliant
- PHP-FPM: high-performance PHP execution via FastCGI
- Front controller: web architecture pattern (all requests route through
index.php) - Webroot separation: config and data kept out of the web server's reach
- MariaDB utf8mb4: full Unicode encoding, supports emoji and special characters