Differences
This shows you the differences between two versions of the page.
tutorial:adm:server_preparation [2017/08/31 12:30] poulm |
tutorial:adm:server_preparation [2019/03/18 15:05] urbanl new tomcat instalation |
Line 1: | Line 1: | ||
+ | ====== Server preparation - Linux ====== | ||
+ | |||
+ | {{tag> | ||
+ | |||
+ | This tutorial shows how to prepare the server for test or production usage of CzechIdM. If you are looking for much quicker way of how to start the CzechIdM, use the demo setup described here [[: | ||
+ | |||
+ | ===== Basic system setup ===== | ||
+ | * 1 server (can be virtualized) for all: backend, frontend and database. | ||
+ | * OS Linux with EPEL repository enabled - CENTOS, basic network enabled installation | ||
+ | * It is possible to use Debian but you have to adjust the installation guide a little. We tested CzechIdM installation on Stretch. | ||
+ | * PostgreSQL - installed from a new repository | ||
+ | * Java - distribution repository (OpenJDK 1.8) | ||
+ | * Apache Tomcat - manually installed into /opt/tomcat | ||
+ | * Services start via systemd in OS | ||
+ | * Services run under dedicated user (non-privileged one) | ||
+ | |||
+ | ===== Instalation and software configuration ===== | ||
+ | Prerequisities - Basic installation of CentOS 7 | ||
+ | <code bash> | ||
+ | # EPEL installation | ||
+ | yum clean all | ||
+ | yum install -y epel-release | ||
+ | yum update -y | ||
+ | # other recommended packages installation | ||
+ | yum install -y net-tools nano wget mc vim-enhanced screen sysstat bzip2 ssmtp bash-completion lsof haveged nmap zip unzip psmisc telnet | ||
+ | # enable haveged after OS start | ||
+ | systemctl start haveged.service | ||
+ | systemctl enable haveged.service | ||
+ | # remove unnecessary software | ||
+ | yum remove -y postfix | ||
+ | systemctl stop avahi-daemon.socket avahi-daemon.service | ||
+ | systemctl disable avahi-daemon.socket avahi-daemon.service | ||
+ | yum remove -y avahi-autoipd avahi | ||
+ | # set the hostname | ||
+ | hostnamectl set-hostname FQDN_server_name | ||
+ | hostnamectl status | ||
+ | # check the network configuration, | ||
+ | # reboot the server | ||
+ | </ | ||
+ | |||
+ | When installing on Debian, install these packages: | ||
+ | < | ||
+ | screen dnsutils sysstat lsof haveged nmap tcpdump traceroute tcptraceroute curl iptables-persistent | ||
+ | </ | ||
+ | ===== PostgreSQL ===== | ||
+ | <note tip>If you are install CzechIdM on Sql server, please follow [[tutorial: | ||
+ | CentOS7 default repository version of PostgreSQL is 9.2. In our tutorial, we will install newer version 9.6. Moreover, we install database data into /data not /var/lib which is the default option. | ||
+ | ==== Database server installation - CentOS7 ==== | ||
+ | * Software installation (versions can vary): | ||
+ | <code bash> | ||
+ | yum install -y https:// | ||
+ | yum install -y postgresql96-server postgresql96-contrib pgstat2_96 pg_top96 | ||
+ | </ | ||
+ | * create new system directory: | ||
+ | < | ||
+ | mkdir -p / | ||
+ | chown -R postgres: | ||
+ | chmod 700 /data/pgsql | ||
+ | </ | ||
+ | * Copy of the configuration file for systemd, in which we will make change of directory for data: | ||
+ | <code bash> | ||
+ | cp / | ||
+ | </ | ||
+ | In the file ''/ | ||
+ | < | ||
+ | # Location of database directory | ||
+ | Environment=PGDATA=/ | ||
+ | </ | ||
+ | |||
+ | * In the file '' | ||
+ | |||
+ | < | ||
+ | PGDATA=/ | ||
+ | </ | ||
+ | |||
+ | * Reload changes: | ||
+ | |||
+ | <code bash> | ||
+ | |||
+ | systemctl daemon-reload | ||
+ | |||
+ | </ | ||
+ | |||
+ | * Initialize database: | ||
+ | |||
+ | <code bash> | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | * Enable and start database: | ||
+ | |||
+ | <code bash> | ||
+ | systemctl start postgresql-9.6.service | ||
+ | systemctl enable postgresql-9.6.service | ||
+ | </ | ||
+ | |||
+ | * Check that the database is running: | ||
+ | |||
+ | <code bash> | ||
+ | [root@tomcat1 system]# systemctl status postgresql-9.6.service -l | ||
+ | ● postgresql-9.6.service - PostgreSQL 9.6 database server | ||
+ | | ||
+ | | ||
+ | Main PID: 2626 (postmaster) | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | lis 18 23:50:06 tomcat1.localdomain systemd[1]: Starting PostgreSQL 9.6 database server... | ||
+ | lis 18 23:50:06 tomcat1.localdomain postmaster[2626]: | ||
+ | lis 18 23:50:06 tomcat1.localdomain postmaster[2626]: | ||
+ | lis 18 23:50:06 tomcat1.localdomain systemd[1]: Started PostgreSQL 9.6 database server. | ||
+ | </ | ||
+ | |||
+ | ==== Database server installation - Debian Stretch ==== | ||
+ | Install the database from OS packages: | ||
+ | < | ||
+ | apt-get install postgresql-9.6 | ||
+ | </ | ||
+ | We will move the database - create directory structure: | ||
+ | < | ||
+ | mkdir -p / | ||
+ | chown -R postgres: | ||
+ | chmod -R 700 /data/pgsql | ||
+ | </ | ||
+ | Create the file .bash\_profile in postgres user's home (default / | ||
+ | < | ||
+ | PGDATA=/ | ||
+ | </ | ||
+ | Stop the database: | ||
+ | < | ||
+ | systemctl stop postgresql | ||
+ | </ | ||
+ | Move database directory (run this as root): | ||
+ | < | ||
+ | mv / | ||
+ | </ | ||
+ | In the PostgreSQL configuration file / | ||
+ | < | ||
+ | data_directory = '/ | ||
+ | </ | ||
+ | Enable and start the database: | ||
+ | < | ||
+ | systemctl start postgresql | ||
+ | systemctl enable postgresql | ||
+ | </ | ||
+ | ==== DB server configuration ==== | ||
+ | |||
+ | First of all, enable the password authentication. | ||
+ | |||
+ | In the file ''/ | ||
+ | < | ||
+ | host all | ||
+ | host all | ||
+ | </ | ||
+ | |||
+ | and change the value at the end of each line into md5 like this: | ||
+ | < | ||
+ | host all | ||
+ | host all | ||
+ | </ | ||
+ | |||
+ | Now we can do DB sizing. We presume the system has 3GB dedicated for the db. We can also log the queries logging (those over 200ms). **For particular sizing, use a [[https:// | ||
+ | In a file ''/ | ||
+ | < | ||
+ | max_connections = 100 # (change requires restart) | ||
+ | |||
+ | shared_buffers = 768MB # min 128kB | ||
+ | effective_cache_size = 2304MB | ||
+ | work_mem = 7864kB | ||
+ | maintenance_work_mem = 192MB | ||
+ | |||
+ | min_wal_size = 1GB | ||
+ | max_wal_size = 2GB | ||
+ | checkpoint_completion_target = 0.7 | ||
+ | wal_buffers = 16MB | ||
+ | |||
+ | default_statistics_target = 100 | ||
+ | |||
+ | log_min_duration_statement = 200 | ||
+ | </ | ||
+ | |||
+ | Restart DB: '' | ||
+ | |||
+ | For Debian installation, | ||
+ | < | ||
+ | / | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | |||
+ | ===== Tomcat ===== | ||
+ | |||
+ | Installation - CentOS7: | ||
+ | <code bash> | ||
+ | yum install -y tomcat | ||
+ | </ | ||
+ | |||
+ | Installation - Debian: | ||
+ | <code bash> | ||
+ | apt install -y tomcat8 | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Start Tomcat automatically after system startup - CentOS ==== | ||
+ | | ||
+ | |||
+ | * Make some adjustments to systemd unit. | ||
+ | |||
+ | <code bash> | ||
+ | systemctl edit tomcat.service | ||
+ | </ | ||
+ | Or if you want use diferent editor than nano( vim) use this comands: | ||
+ | <code bash> | ||
+ | export SYSTEMD_EDITOR="/ | ||
+ | sudo -E systemctl edit tomcat.service | ||
+ | </ | ||
+ | * Add these lines and save the file: | ||
+ | |||
+ | < | ||
+ | [Service] | ||
+ | SyslogFacility=local3 | ||
+ | Environment=' | ||
+ | Environment=' | ||
+ | </ | ||
+ | |||
+ | * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more. | ||
+ | * Tomcat will be started under user tomcat: | ||
+ | * After every systemd configuration change it is necessary to reload: | ||
+ | |||
+ | < | ||
+ | systemctl daemon-reload | ||
+ | </ | ||
+ | * Test start: | ||
+ | < | ||
+ | systemctl start tomcat | ||
+ | </ | ||
+ | * Check that Tomcat runs with desirable parameters: | ||
+ | <code bash> | ||
+ | [root@tomcat1 logs]# ps -u tomcat -fwww | ||
+ | UID PID PPID C STIME TTY TIME CMD | ||
+ | tomcat | ||
+ | </ | ||
+ | * Stop Apache Tomcat: | ||
+ | < | ||
+ | systemctl stop tomcat | ||
+ | </ | ||
+ | * Enable tomcat start after OS start: | ||
+ | <code bash> | ||
+ | systemctl enable tomcat | ||
+ | </ | ||
+ | ==== Start Tomcat automatically after system startup - Debian ==== | ||
+ | |||
+ | * In file ''/ | ||
+ | |||
+ | <file ini tomcat8> | ||
+ | |||
+ | CATALINA_OPTS=" | ||
+ | JAVA_OPTS=" | ||
+ | |||
+ | </ | ||
+ | |||
+ | * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more. | ||
+ | * Tomcat will be started under user '' | ||
+ | * Test start: | ||
+ | |||
+ | < | ||
+ | |||
+ | systemctl start tomcat8 | ||
+ | |||
+ | </ | ||
+ | * Check that Tomcat runs with desirable parameters: | ||
+ | <code bash> | ||
+ | [root@tomcat1 logs]# ps -u tomcat8 -fwww | ||
+ | UID PID PPID C STIME TTY TIME CMD | ||
+ | tomcat8 | ||
+ | </ | ||
+ | * Stop Apache Tomcat: | ||
+ | < | ||
+ | systemctl stop tomcat8 | ||
+ | </ | ||
+ | * Enable tomcat start after OS start: | ||
+ | <code bash> | ||
+ | systemctl enable tomcat8 | ||
+ | </ | ||
+ | ==== Apache Tomcat configuration recommended for production usage ==== | ||
+ | |||
+ | It is advised to follow these steps for production usage: | ||
+ | |||
+ | - In file ''/ | ||
+ | * Turn off the shutdown port: | ||
+ | * Set value -1 from 8005 to the Server port tag, thus you deactivate it: | ||
+ | |||
+ | <code xml> | ||
+ | <Server port=" | ||
+ | </ | ||
+ | |||
+ | - In same file do this: | ||
+ | * Make Tomcat listen only on localhost: | ||
+ | * Add the '' | ||
+ | * In Debian you need to uncoment AJP conector on port '' | ||
+ | * Change logging into '' | ||
+ | * Find these lines and comment them. | ||
+ | |||
+ | <code xml> | ||
+ | <!-- | ||
+ | <Valve className=" | ||
+ | | ||
+ | | ||
+ | --> | ||
+ | </ | ||
+ | And add these lines: | ||
+ | <code xml> | ||
+ | <Valve className=" | ||
+ | | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | |||
+ | - In the file ''/ | ||
+ | * Do not show aplication server version: | ||
+ | * Set showServerInfo to false (default is true): | ||
+ | |||
+ | <code xml> | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | < | ||
+ | </ | ||
+ | </ | ||
+ | We need to tell Tomcat where idm.war will be. Create context file ''/ | ||
+ | <code xml> | ||
+ | <Context | ||
+ | docBase="/ | ||
+ | path="" | ||
+ | /> | ||
+ | </ | ||
+ | ==== Tomcat loging configuration ==== | ||
+ | - in file ''/ | ||
+ | * Change logging properties | ||
+ | * Add/change lines( 1catalina, 2localhost, 3manager, 4host-manager) into this(leave the other lines as they are): | ||
+ | |||
+ | < | ||
+ | 1catalina.org.apache.juli.FileHandler.level = ALL | ||
+ | 1catalina.org.apache.juli.FileHandler.prefix = tomcat. | ||
+ | 1catalina.org.apache.juli.FileHandler.rotatable = false | ||
+ | 1catalina.org.apache.juli.FileHandler.suffix = log | ||
+ | |||
+ | 2localhost.org.apache.juli.FileHandler.rotatable = false | ||
+ | 2localhost.org.apache.juli.FileHandler.suffix = log | ||
+ | |||
+ | 3manager.org.apache.juli.FileHandler.rotatable = false | ||
+ | 3manager.org.apache.juli.FileHandler.suffix = log | ||
+ | |||
+ | 4host-manager.org.apache.juli.FileHandler.rotatable = false | ||
+ | 4host-manager.org.apache.juli.FileHandler.suffix = log | ||
+ | </ | ||
+ | |||
+ | On Debian make these extra changes: | ||
+ | < | ||
+ | handlers = 1catalina.org.apache.juli.AsyncFileHandler, | ||
+ | #, java.util.logging.ConsoleHandler | ||
+ | |||
+ | .handlers = 1catalina.org.apache.juli.FileHandler | ||
+ | #, java.util.logging.ConsoleHandler | ||
+ | |||
+ | ############################################################ | ||
+ | # Handler specific properties. | ||
+ | ############################################################ | ||
+ | |||
+ | 3manager.org.apache.juli.FileHandler.level = FINE | ||
+ | 3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/ | ||
+ | 3manager.org.apache.juli.FileHandler.prefix = manager. | ||
+ | |||
+ | 4host-manager.org.apache.juli.FileHandler.level = FINE | ||
+ | 4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/ | ||
+ | 4host-manager.org.apache.juli.FileHandler.prefix = host-manager. | ||
+ | |||
+ | # | ||
+ | # | ||
+ | |||
+ | ############################################################ | ||
+ | # Facility specific properties. | ||
+ | ############################################################ | ||
+ | |||
+ | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/ | ||
+ | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/ | ||
+ | |||
+ | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/ | ||
+ | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/ | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | On CentOS for redirect logging from / | ||
+ | < | ||
+ | ### tomcat log | ||
+ | $template TomcatForm," | ||
+ | if ($syslogfacility-text == ' | ||
+ | action(type=" | ||
+ | & stop | ||
+ | } | ||
+ | </ | ||
+ | Then restart rsyslog | ||
+ | < | ||
+ | systemctl restart rsyslog | ||
+ | </ | ||
+ | |||
+ | ==== Rotating Tomcat logs ==== | ||
+ | Tomcat logger appneds to the logfile at ''/ | ||
+ | <file txt tomcat> | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | rotate COUNT | ||
+ | daily | ||
+ | dateext | ||
+ | copytruncate | ||
+ | missingok | ||
+ | notifempty | ||
+ | compress | ||
+ | create 0644 tomcat tomcat | ||
+ | } | ||
+ | / | ||
+ | { | ||
+ | rotate COUNT | ||
+ | daily | ||
+ | dateext | ||
+ | copytruncate | ||
+ | missingok | ||
+ | notifempty | ||
+ | compress | ||
+ | create 0644 tomcat tomcat | ||
+ | sharedscripts | ||
+ | postrotate | ||
+ | /bin/kill -HUP `cat / | ||
+ | | ||
+ | } | ||
+ | </ | ||
+ | On **Debian** logs are in ''/ | ||
+ | <file txt tomcat8> | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | rotate 7 | ||
+ | daily | ||
+ | dateext | ||
+ | copytruncate | ||
+ | missingok | ||
+ | notifempty | ||
+ | compress | ||
+ | create 0644 tomcat8 tomcat8 | ||
+ | } | ||
+ | </ | ||
+ | It is possible that, on some distros, SELinux will deny acces to the logfile for logrotate because '' | ||
+ | |||
+ | If this happens, set the permissive mode for logrotate: | ||
+ | < | ||
+ | semanage permissive -a logrotate_t | ||
+ | </ | ||
+ | |||
+ | <note warning> | ||
+ | Evaluate impact of SELinux adjustments **before** you implement them. Proper mitigation heavily depends on habits and security policies of your organization. | ||
+ | |||
+ | There are some possibilities: | ||
+ | * Set permissive mode for logrotate as above. | ||
+ | * Set permissive mode for whole SELinux. (This will drop the SELinux' | ||
+ | * Adjust particular SELinux labels. Example ([[https:// | ||
+ | </ | ||
+ | Please note that the log does not rotate during the first day, but after the second day. | ||
+ | ==== Optional - Management Interface for Tomcat==== | ||
+ | |||
+ | If you installed two additional applications for tomcat management follow this part to complete tomcat configuration. | ||
+ | |||
+ | These applications are available at: | ||
+ | |||
+ | * http:// | ||
+ | * http:// | ||
+ | |||
+ | If you want to use them, it is necessary to do following steps. | ||
+ | |||
+ | First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. | ||
+ | |||
+ | Create user like this: | ||
+ | |||
+ | Create the a new user in the file ''/ | ||
+ | The documentation of available roles as well as overall configuration of the application is a part of application installation available at http:// | ||
+ | |||
+ | The file ''/ | ||
+ | <file xml tomcat-users.xml> | ||
+ | <?xml version=" | ||
+ | < | ||
+ | xmlns: | ||
+ | xsi: | ||
+ | version=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <user username=" | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. If you see '' | ||
+ | |||
+ | Add your IP address into application configuration files. In files ''/ | ||
+ | |||
+ | In my case, I want to access to Tomcat management from network 192.168.0.0/ | ||
+ | |||
+ | <file xml context.xml> | ||
+ | <?xml version=" | ||
+ | <Context antiResourceLocking=" | ||
+ | <Valve className=" | ||
+ | | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Again, restart the tomcat: | ||
+ | <code bash> | ||
+ | systemctl restart tomcat | ||
+ | </ | ||
+ | ====== Apache httpd as a reverse proxy ====== | ||
+ | |||
+ | It is possible to open Apache Tomcat to the network directly, but little inconvenient. You want the users to access the CzechIdM on user-friendly ports 80/tcp or 443/tcp, which is not easy to setup in Tomcat itself running under nonprivileged user. So we use Apache httpd as a reverse proxy. | ||
+ | Apache httpd will allow access to data via https on port 443/tcp and http on port 80/tcp. Communication via http protocol will be enabled, but we will redirect all communication to https. | ||
+ | Communication between Apache httpd and Tomcat will take place on local machine via AJP protocol. In httpd, there will be mod_security installed (optional but recommended), | ||
+ | |||
+ | The configuration example is written for the server which allows access to its services under the name " | ||
+ | |||
+ | ===== HTTPd installation and configuration ===== | ||
+ | |||
+ | Install httpd and mod\_security: | ||
+ | |||
+ | <code bash> | ||
+ | yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | ||
+ | </ | ||
+ | |||
+ | On Debian install those packages and allow modules: | ||
+ | < | ||
+ | apt-get install apache2 libapache2-mod-security2 modsecurity-crs | ||
+ | a2enmod ssl | ||
+ | a2enmod proxy | ||
+ | a2enmod proxy_ajp | ||
+ | a2enmod proxy_http | ||
+ | a2enmod security2 | ||
+ | a2enmod rewrite | ||
+ | a2enmod headers | ||
+ | </ | ||
+ | |||
+ | HTTPd basic configuration: | ||
+ | |||
+ | Change MPM to worker (lower system requirements) - in the file ''/ | ||
+ | |||
+ | <code bash> | ||
+ | # Select the MPM module which should be used by uncommenting exactly | ||
+ | # one of the following LoadModule lines: | ||
+ | |||
+ | # prefork MPM: Implements a non-threaded, | ||
+ | # See: http:// | ||
+ | #LoadModule mpm_prefork_module modules/ | ||
+ | |||
+ | # worker MPM: Multi-Processing Module implementing a hybrid | ||
+ | # multi-threaded multi-process web server | ||
+ | # See: http:// | ||
+ | # | ||
+ | LoadModule mpm_worker_module modules/ | ||
+ | |||
+ | # event MPM: A variant of the worker MPM with the goal of consuming | ||
+ | # threads only for connections with active processing | ||
+ | # See: http:// | ||
+ | # | ||
+ | #LoadModule mpm_event_module modules/ | ||
+ | </ | ||
+ | |||
+ | Disable " | ||
+ | <code bash> | ||
+ | cd / | ||
+ | mv welcome.conf welcome.conf-DISABLED | ||
+ | touch welcome.conf | ||
+ | </ | ||
+ | |||
+ | Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string ' | ||
+ | <code xml> | ||
+ | < | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ | ||
+ | |||
+ | < | ||
+ | ProxyRequests | ||
+ | ProxyPreserveHost on | ||
+ | ProxyAddHeaders on | ||
+ | ProxyPass / ajp:// | ||
+ | ProxyPassReverse / ajp:// | ||
+ | </ | ||
+ | |||
+ | In IE 11, CzechIdM | ||
+ | < | ||
+ | # workaround for bad font handling in IE 11 | ||
+ | < | ||
+ | Header set Cache-Control " | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Identity manager CzechIdM will be available on address https:// | ||
+ | To do so, add following lines to the virtualhost config file (ssl.conf): | ||
+ | < | ||
+ | RewriteEngine On | ||
+ | RewriteRule " | ||
+ | </ | ||
+ | |||
+ | In the file ssl.conf we also have to disable SSLv3. Edit the line with SSLProtocol directive: | ||
+ | < | ||
+ | SSLProtocol all -SSLv2 -SSLv3 | ||
+ | </ | ||
+ | |||
+ | On Debian, create symlinks to sites-enabled: | ||
+ | < | ||
+ | cd / | ||
+ | ln -s ../ | ||
+ | ln -s ../ | ||
+ | </ | ||
+ | |||
+ | Syntax check before httpd restart: | ||
+ | < | ||
+ | httpd -t -D DUMP_VHOST | ||
+ | </ | ||
+ | |||
+ | httpd restart and reload configuration changes: | ||
+ | < | ||
+ | systemctl restart httpd | ||
+ | </ | ||
+ | |||
+ | Enable httpd after OS start: | ||
+ | <code bash> | ||
+ | systemctl enable httpd.service | ||
+ | </ | ||
+ | |||
+ | ===== mod_security configuration ===== | ||
+ | Mod_security files locations (on CentOS7): | ||
+ | |||
+ | * Audit log: ''/ | ||
+ | * Directory with activated rules: ''/ | ||
+ | * basic configuration file for mod\_security: | ||
+ | * The file for chosen rules deactivation: | ||
+ | |||
+ | The default set of rules is relatively strict. CzechIdM cannot run with the default configuration of mod_security. | ||
+ | |||
+ | Each rule is identified by a unique ID. If you want to deactivate the whole rule, it is advised to write the rule ID into ssl.conf like this: | ||
+ | |||
+ | <code xml> | ||
+ | < | ||
+ | SecRuleRemoveById RULE_ID | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | ==== Disabling mod_security rules ==== | ||
+ | |||
+ | In the file ''/ | ||
+ | <code xml> | ||
+ | < | ||
+ | SecRuleRemoveById 981173 | ||
+ | SecRuleRemoveById 960015 | ||
+ | SecRuleRemoveById 950109 | ||
+ | |||
+ | # Allow Czech signs | ||
+ | SecRuleRemoveById 981318 | ||
+ | SecRuleRemoveById 981242 | ||
+ | SecRuleRemoveById 960024 | ||
+ | SecRuleRemoveById 981245 | ||
+ | | ||
+ | # Too restrictive for login format | ||
+ | SecRuleRemoveById 960035 | ||
+ | |||
+ | # Needed by Websockets | ||
+ | < | ||
+ | SecRuleRemoveById 970901 | ||
+ | </ | ||
+ | | ||
+ | # These break Certificate Authority module | ||
+ | < | ||
+ | SecRuleRemoveById 960915 | ||
+ | SecRuleRemoveById 200003 | ||
+ | </ | ||
+ | |||
+ | # do not log request/ | ||
+ | SecAuditLogParts ABFHZ | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | ==== mod_security configuration - CentOS7 | ||
+ | |||
+ | In the file / | ||
+ | Whole rule after the changes looks like this: | ||
+ | |||
+ | < | ||
+ | SecAction \ | ||
+ | " | ||
+ | phase:1, \ | ||
+ | t:none, \ | ||
+ | setvar:' | ||
+ | setvar:' | ||
+ | setvar:' | ||
+ | setvar:' | ||
+ | setvar:' | ||
+ | nolog, \ | ||
+ | pass" | ||
+ | </ | ||
+ | |||
+ | ==== mod_security configuration - Debian ==== | ||
+ | Enable mod\_security configuration: | ||
+ | < | ||
+ | cd / | ||
+ | cp modsecurity.conf-recommended modsecurity.conf | ||
+ | </ | ||
+ | |||
+ | Uncomment following rules in the ''/ | ||
+ | < | ||
+ | SecAction \ | ||
+ | " | ||
+ | phase:1,\ | ||
+ | nolog,\ | ||
+ | pass,\ | ||
+ | t:none,\ | ||
+ | setvar:' | ||
+ | |||
+ | SecAction \ | ||
+ | " | ||
+ | phase:1,\ | ||
+ | nolog,\ | ||
+ | pass,\ | ||
+ | t:none,\ | ||
+ | setvar:' | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== mod_deflate configuration ===== | ||
+ | It is advised to set up gzip so the users get minimum of data from the frontend server. | ||
+ | In the file ''/ | ||
+ | <code xml> | ||
+ | < | ||
+ | # Compress HTML, CSS, JavaScript, Text, XML and fonts | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE font/ | ||
+ | AddOutputFilterByType DEFLATE font/otf | ||
+ | AddOutputFilterByType DEFLATE font/ttf | ||
+ | AddOutputFilterByType DEFLATE image/ | ||
+ | AddOutputFilterByType DEFLATE image/ | ||
+ | AddOutputFilterByType DEFLATE text/css | ||
+ | AddOutputFilterByType DEFLATE text/html | ||
+ | AddOutputFilterByType DEFLATE text/ | ||
+ | AddOutputFilterByType DEFLATE text/plain | ||
+ | AddOutputFilterByType DEFLATE text/xml | ||
+ | |||
+ | # Remove browser bugs (only needed for really old browsers) | ||
+ | BrowserMatch ^Mozilla/4 gzip-only-text/ | ||
+ | BrowserMatch ^Mozilla/ | ||
+ | BrowserMatch \bMSIE !no-gzip !gzip-only-text/ | ||
+ | Header append Vary User-Agent | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | ===== Workaround for slow HTTPD shutdown ===== | ||
+ | In some RHEL/CentOS versions Apache HTTPD shutsdown or restarts itself very slowly. It is caused by [[https:// | ||
+ | Workaround is to edit '''/ | ||
+ | < | ||
+ | KillMode=none | ||
+ | </ | ||
+ | Then reload systemd: | ||
+ | |||
+ | < | ||
+ | systemctl daemon-reload | ||
+ | </ | ||
+ | |||
+ | It is absolutely correct to create new versions of unity in /etc, that has the option: | ||
+ | |||
+ | < | ||
+ | cp / | ||
+ | vim / | ||
+ | systemctl daemon-reload | ||
+ | </ | ||
+ | |||
+ | The patch of httpd should come soon so the first option is OK too. | ||
+ | |||
+ | ===== SSO ===== | ||
+ | |||
+ | If you want to enable SSO to CzechIdM, additional configuration must be done with mod\_auth\_kerb. See [[tutorial: | ||
+ | |||
+ | ====== nginx as reverse proxy ====== | ||
+ | |||
+ | In case that you want to use nginx instead of Apache httpd, the configuration is as follows. | ||
+ | |||
+ | <code ini> | ||
+ | server { | ||
+ | listen | ||
+ | server_name | ||
+ | client_max_body_size 1G; | ||
+ | ssl on; | ||
+ | ssl_certificate | ||
+ | ssl_certificate_key | ||
+ | gzip on; | ||
+ | gzip_proxied any; | ||
+ | gzip_types | ||
+ | text/css | ||
+ | | ||
+ | text/xml | ||
+ | | ||
+ | application/ | ||
+ | | ||
+ | application/ | ||
+ | |||
+ | location / { | ||
+ | proxy_hide_header X-Frame-Options; | ||
+ | add_header X-Frame-Options SAMEORIGIN; | ||
+ | proxy_pass http:// | ||
+ | proxy_set_header Host $host; | ||
+ | proxy_set_header X-Real-IP $remote_addr; | ||
+ | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
+ | proxy_set_header X-Forwarded-Proto " | ||
+ | proxy_ssl_session_reuse off; | ||
+ | proxy_redirect off; | ||
+ | |||
+ | # WebSocket support | ||
+ | proxy_http_version 1.1; | ||
+ | proxy_set_header Upgrade $http_upgrade; | ||
+ | proxy_set_header Connection " | ||
+ | } | ||
+ | } | ||
+ | </ | ||
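Review bot: the "DB server configuration" section switches the two `host all` lines in `pg_hba.conf` to `md5` but never shows `listen_addresses` in the `postgresql.conf` sizing block, so the text should state explicitly that the server must keep listening on localhost only (the PostgreSQL default), because once `md5` is enabled the password is the only barrier for any network client; the same applies to the Tomcat AJP connector that the "Make Tomcat listen only on localhost" step and the `ProxyPass / ajp://` / `ProxyPassReverse / ajp://` lines rely on, which should be bound to the loopback address so the proxied AJP port is never reachable from outside the host. Secondary points in the same hunk: `SSLProtocol all -SSLv2 -SSLv3` still permits TLS 1.0 and 1.1, so the production profile should allow only TLS 1.2 and newer; `ssl on;` in the nginx `server` block is the legacy form and `listen 443 ssl;` is the supported way to enable TLS on that listener; the `create 0644 tomcat tomcat` and `create 0644 tomcat8 tomcat8` lines in the logrotate files make rotated Tomcat logs world-readable, and `0640` is the safer default on a shared host; and both `semanage permissive -a logrotate_t` and `KillMode=none` are presented as workarounds, so each deserves a sentence saying when to revert it (the SELinux note block already hints at this for logrotate, the `KillMode` paragraph says a patch "should come soon" but gives no condition for removing the override).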