Differences
This shows you the differences between two versions of the page.
tutorial:adm:server_preparation [2018/11/19 12:47] fiserp [HTTPd installation and configuration] |
tutorial:adm:server_preparation [2020/08/11 08:58] urbanl [Apache Tomcat configuration] |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Server preparation - Linux - CentOS8 ====== | ||
+ | |||
+ | {{tag> | ||
+ | |||
+ | This tutorial shows how to prepare the server for test or production use of CzechIdM. If you are looking for much quicker way of how to start the CzechIdM, use the demo setup described here [[: | ||
+ | |||
+ | ===== Basic system setup ===== | ||
+ | * 1 server (can be virtualized) for everything: backend, frontend and database. | ||
+ | * OS Linux with EPEL repository enabled - CentOS, basic network enabled installation | ||
+ | * It is possible to use Debian (we tested on Stretch) or other distributions, | ||
+ | * PostgreSQL 12.x - installed from OS packages. | ||
+ | * Java 11 - installed from OS packages. | ||
+ | * Apache Tomcat 8.5.x - installed manually into ''/ | ||
+ | * Apache HTTPd 2.4.x - installed from OS packages. Can be replaced by nGinx. | ||
+ | * All services start via systemd. | ||
+ | * Each service runs under dedicated non-privileged user. | ||
+ | ===== Instalation and software configuration ===== | ||
+ | Prerequisities - Basic installation of CentOS 8 | ||
+ | <code bash> | ||
+ | # EPEL installation | ||
+ | dnf clean all | ||
+ | dnf -y install epel-release | ||
+ | dnf update -y | ||
+ | |||
+ | # other recommended packages installation | ||
+ | dnf -y install mc haveged nmap screen sysstat telnet net-tools nano wget vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils tar | ||
+ | |||
+ | # enable haveged after OS start | ||
+ | systemctl start haveged.service | ||
+ | systemctl enable haveged.service | ||
+ | |||
+ | # set the hostname | ||
+ | hostnamectl set-hostname FQDN_server_name | ||
+ | hostnamectl status | ||
+ | # check the network configuration, | ||
+ | # reboot the server | ||
+ | </ | ||
+ | |||
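Review bot: The "other recommended packages" line in the prerequisites block installs nmap and telnet together with tools that later steps actually depend on (tar for `tar xzf`, policycoreutils-python-utils for `semanage`), and the introduction says this procedure also covers production servers. Suggest splitting it into a required set and an optional troubleshooting set, so a production host does not carry a network scanner and a cleartext remote-login client by default.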
+ | ===== PostgreSQL | ||
+ | <note tip>If you are installing CzechIdM on Microsoft SQL Server, please follow [[tutorial: | ||
+ | We install PostgreSQL 12 database binaries and change database data directory from ''/ | ||
+ | ==== Database server installation - CentOS8 ==== | ||
+ | * Software installation on CentOS8(versions can vary): | ||
+ | |||
+ | <code bash> | ||
+ | # enable module postgres 12 | ||
+ | dnf module enable postgresql: | ||
+ | dnf -y install postgresql-server postgresql-contrib postgresql-libs | ||
+ | </ | ||
+ | |||
+ | * create new directory for database data: | ||
+ | |||
+ | <code bash> | ||
+ | mkdir -p / | ||
+ | chown -R postgres: | ||
+ | chmod 700 /data/pgsql | ||
+ | </ | ||
+ | |||
+ | * Copy the PostgreSQL' | ||
+ | |||
+ | <code bash> | ||
+ | cp / | ||
+ | </ | ||
+ | |||
+ | In the file ''/ | ||
+ | < | ||
+ | # Location of database directory | ||
+ | Environment=PGDATA=/ | ||
+ | </ | ||
+ | |||
+ | * In the file ''/ | ||
+ | |||
+ | < | ||
+ | PGDATA=/ | ||
+ | </ | ||
+ | |||
+ | * Reload changes: | ||
+ | |||
+ | <code bash> | ||
+ | |||
+ | systemctl daemon-reload | ||
+ | |||
+ | </ | ||
+ | |||
+ | * Initialize database: | ||
+ | |||
+ | <code bash> | ||
+ | postgresql-setup --initdb --unit postgresql | ||
+ | </ | ||
+ | |||
+ | Change SELINUX labels: | ||
+ | < | ||
+ | chcon -Rt postgresql_db_t / | ||
+ | chcon -Rt postgresql_log_t / | ||
+ | </ | ||
+ | |||
+ | * Enable and start database: | ||
+ | |||
+ | <code bash> | ||
+ | systemctl start postgresql.service | ||
+ | systemctl enable postgresql.service | ||
+ | </ | ||
+ | |||
+ | * Check that the database is running: | ||
+ | |||
+ | <code bash> | ||
+ | [root@HOSTNAME data]# systemctl status postgresql.service -l | ||
+ | ● postgresql.service - PostgreSQL database server | ||
+ | | ||
+ | | ||
+ | Main PID: 25715 (postmaster) | ||
+ | Tasks: 8 (limit: 52428) | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | Mar 11 10:48:06 HOSTNAME systemd[1]: Starting PostgreSQL database server... | ||
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME systemd[1]: Started PostgreSQL database server. | ||
+ | </ | ||
+ | |||
+ | |||
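Review bot: The `chcon -Rt postgresql_db_t` and `chcon -Rt postgresql_log_t` commands under "Change SELINUX labels" set labels that are not recorded in the SELinux file-context policy, so a later `restorecon` run or full filesystem relabel resets them and the confined PostgreSQL service may then be denied access to its data. Suggest recording the mapping for the new paths with `semanage fcontext -a -t postgresql_db_t` (and `postgresql_log_t` for the log path) and applying it with `restorecon -R`; `semanage` is already available from the policycoreutils-python-utils package installed in the prerequisites step.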
+ | ==== Database server configuration and sizing ==== | ||
+ | |||
+ | * Enable the password authentication. | ||
+ | |||
+ | In the file ''/ | ||
+ | < | ||
+ | host all | ||
+ | host all | ||
+ | </ | ||
+ | and change the value at the end of each line to '' | ||
+ | < | ||
+ | host all | ||
+ | host all | ||
+ | </ | ||
+ | |||
+ | * Adjust DB instance sizing. | ||
+ | * In following snippet, we presume the system has 3GB of memory dedicated for the database and about 100 db connections. **For your deployment, adjust the sizing accordingly. Use a [[https:// | ||
+ | * We also log queries running longer than 200ms. | ||
+ | In a file ''/ | ||
+ | |||
+ | < | ||
+ | # This is an EXAMPLE. Use the calculator to adjust for your deployment! | ||
+ | |||
+ | # DB Version: 12 | ||
+ | # OS Type: linux | ||
+ | # DB Type: web | ||
+ | # Total Memory (RAM): 3 GB | ||
+ | # Connections num: 100 | ||
+ | # Data Storage: ssd | ||
+ | max_connections = 100 | ||
+ | shared_buffers = 768MB | ||
+ | effective_cache_size = 2304MB | ||
+ | maintenance_work_mem = 192MB | ||
+ | checkpoint_completion_target = 0.7 | ||
+ | wal_buffers = 16MB | ||
+ | default_statistics_target = 100 | ||
+ | random_page_cost = 1.1 | ||
+ | effective_io_concurrency = 200 | ||
+ | work_mem = 3932kB | ||
+ | min_wal_size = 1GB | ||
+ | max_wal_size = 4GB | ||
+ | |||
+ | log_min_duration_statement = 200 | ||
+ | </ | ||
+ | |||
+ | * Restart the database | ||
+ | |||
+ | < | ||
+ | systemctl restart | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | |||
+ | ===== Java - CentOS8 ===== | ||
+ | |||
+ | Tomcat application server needs Java installed. We recommend to use OpenJDK 11 from standard OS repository. (OpenJDK 1.8 is also supported, check [[devel: | ||
+ | |||
+ | Installation: | ||
+ | < | ||
+ | dnf install -y java-11-openjdk-headless java-11-openjdk-devel | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Tomcat ===== | ||
+ | |||
+ | * Create a new group and add user for the tomcat to run under: | ||
+ | |||
+ | < | ||
+ | groupadd -r tomcat | ||
+ | useradd -r -s / | ||
+ | getent passwd tomcat | ||
+ | # | ||
+ | </ | ||
+ | |||
+ | * change working directory into /opt/tomcat | ||
+ | |||
+ | <code bash> | ||
+ | mkdir /opt/tomcat | ||
+ | cd /opt/tomcat | ||
+ | </ | ||
+ | |||
+ | * Download Apache Tomcat 8.5.x from the website [[https:// | ||
+ | * In our exapmle the version is 8.5.57. | ||
+ | |||
+ | * extract files from the archive: | ||
+ | |||
+ | <code bash> | ||
+ | tar xzf apache-tomcat-8.5.57.tar.gz | ||
+ | </ | ||
+ | |||
+ | * create a new symbolic link to current user version (we presume there may be more versions at the server in future due to upgrades/ | ||
+ | |||
+ | <code bash> | ||
+ | cd /opt/tomcat | ||
+ | ln -s apache-tomcat-8.5.57 current | ||
+ | </ | ||
+ | |||
+ | * Set rights on files for tomcat user (still working under root): | ||
+ | |||
+ | <code bash> | ||
+ | chown -R root:root /opt/tomcat | ||
+ | chown root:tomcat /opt/tomcat | ||
+ | chmod 750 /opt/tomcat | ||
+ | cd / | ||
+ | chmod -R o+rX ./ | ||
+ | chgrp -R tomcat conf/ bin/ lib/ | ||
+ | chmod g+rx conf | ||
+ | chmod g+r conf/* | ||
+ | chown -R tomcat webapps/ work/ temp/ logs/ | ||
+ | |||
+ | mkdir / | ||
+ | chown tomcat: | ||
+ | chmod 750 / | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Start Tomcat automatically after system startup ==== | ||
+ | |||
+ | * Create startup script (systemd unit), in which we also set the basic JVM parameters: | ||
+ | |||
+ | <code bash> | ||
+ | vim / | ||
+ | </ | ||
+ | |||
+ | * File content of ''/ | ||
+ | |||
+ | <file ini tomcat.service> | ||
+ | # Systemd unit file for tomcat | ||
+ | [Unit] | ||
+ | Description=Apache Tomcat Web Application Container | ||
+ | After=syslog.target network.target postgresql.service | ||
+ | |||
+ | [Service] | ||
+ | Type=forking | ||
+ | |||
+ | PIDFile=/ | ||
+ | |||
+ | Environment=JAVA_HOME=/ | ||
+ | Environment=CATALINA_PID=/ | ||
+ | Environment=CATALINA_HOME=/ | ||
+ | Environment=CATALINA_BASE=/ | ||
+ | Environment=' | ||
+ | Environment=' | ||
+ | |||
+ | ExecStart=/ | ||
+ | ExecStop=/ | ||
+ | |||
+ | User=tomcat | ||
+ | Group=tomcat | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | < | ||
+ | * Values of '' | ||
+ | * Tomcat will be started under user '' | ||
+ | </ | ||
+ | |||
+ | * Reload systemd configuration: | ||
+ | |||
+ | < | ||
+ | systemctl daemon-reload | ||
+ | </ | ||
+ | |||
+ | * Start the Tomcat to ensure it is configured properly. Enable its start on OS start. | ||
+ | |||
+ | < | ||
+ | systemctl start tomcat | ||
+ | systemctl enable tomcat | ||
+ | </ | ||
+ | |||
+ | * Check that Tomcat runs with desirable parameters: | ||
+ | |||
+ | <code bash> | ||
+ | [root@tomcat1 logs]# ps -ef | grep ^tomcat | ||
+ | tomcat | ||
+ | </ | ||
+ | |||
+ | * Stop the Tomcat. | ||
+ | |||
+ | < | ||
+ | systemctl stop tomcat | ||
+ | </ | ||
+ | |||
+ | ==== Apache Tomcat configuration ==== | ||
+ | |||
+ | === Interface Management === | ||
+ | |||
+ | Apache Tomcat offers two applications for tomcat management available at: | ||
+ | |||
+ | * http:// | ||
+ | * http:// | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | If you want to use them, it is necessary to do following steps. | ||
+ | |||
+ | First of all, create a Tomcat' | ||
+ | |||
+ | * Create administration user | ||
+ | * Create the a new user in the file ''/ | ||
+ | * The documentation of available roles as well as overall configuration of the application is a part of application installation available at http:// | ||
+ | |||
+ | The file ''/ | ||
+ | <file xml tomcat-users.xml> | ||
+ | <?xml version=" | ||
+ | < | ||
+ | xmlns: | ||
+ | xsi: | ||
+ | version=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <user username=" | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | * If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. | ||
+ | * If you see '' | ||
+ | |||
+ | Add your IP address into application configuration files. In files ''/ | ||
+ | |||
+ | For example, if you want to access Tomcat' | ||
+ | |||
+ | <file xml context.xml> | ||
+ | <?xml version=" | ||
+ | <Context antiResourceLocking=" | ||
+ | <Valve className=" | ||
+ | | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | * Again, restart the tomcat | ||
+ | |||
+ | <code bash> | ||
+ | systemctl restart tomcat | ||
+ | </ | ||
+ | |||
+ | === Apache Tomcat configuration recommended for production use === | ||
+ | |||
+ | We advise to follow these steps to configure Tomcat for production deployment. | ||
+ | |||
+ | * Remove unnecessary applications that come with Tomcat: | ||
+ | |||
+ | <code bash> | ||
+ | rm -rf / | ||
+ | </ | ||
+ | |||
+ | * Turn off the shutdown port: | ||
+ | * In the config file ''/ | ||
+ | |||
+ | <code xml> | ||
+ | <Server port=" | ||
+ | </ | ||
+ | |||
+ | * Make Tomcat listen only on localhost: | ||
+ | * In the ''/ | ||
+ | |||
+ | * Set the '' | ||
+ | * In the ''/ | ||
+ | |||
+ | * In same file configure AJP port ('' | ||
+ | |||
+ | < | ||
+ | < | ||
+ | address=" | ||
+ | secretRequired=" | ||
+ | secret=" | ||
+ | port=" | ||
+ | redirectPort=" | ||
+ | </ | ||
+ | |||
+ | * Do not show aplication server version: | ||
+ | * In the file ''/ | ||
+ | |||
+ | <code xml> | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | < | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | === Rotating Tomcat logs === | ||
+ | Default Tomcat logger appneds to the logfile, it is therefore safe to use simple '' | ||
+ | <file txt tomcat> | ||
+ | / | ||
+ | rotate 90 | ||
+ | daily | ||
+ | dateext | ||
+ | copytruncate | ||
+ | missingok | ||
+ | notifempty | ||
+ | compress | ||
+ | } | ||
+ | </ | ||
+ | It is possible that, on some distros, SELinux will deny acces to the logfile for logrotate because '' | ||
+ | |||
+ | If this happens, set the permissive mode for logrotate: | ||
+ | < | ||
+ | semanage permissive -a logrotate_t | ||
+ | </ | ||
+ | |||
+ | <note warning> | ||
+ | Evaluate impact of SELinux adjustments **before** you implement them. Proper mitigation heavily depends on habits and security policies of your organization. | ||
+ | |||
+ | There are some possibilities: | ||
+ | * Set permissive mode for logrotate as above. | ||
+ | * Set permissive mode for whole SELinux. (This will drop the SELinux' | ||
+ | * Adjust particular SELinux labels. Example ([[https:// | ||
+ | </ | ||
+ | |||
+ | |||
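Review bot: The fix offered directly after the logrotate snippet is `semanage permissive -a logrotate_t`, which switches off SELinux enforcement for everything logrotate does rather than only for the Tomcat log files, while the warning box lists the label adjustment last. Suggest leading with the label adjustment for the Tomcat log path and presenting the permissive domain as a fallback. Separately, `copytruncate` in the snippet leaves a short window between the copy and the truncate in which lines written by Tomcat can be lost; that deserves one sentence next to "it is therefore safe".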
+ | ====== Apache httpd as a reverse proxy ====== | ||
+ | |||
+ | It is possible to open Apache Tomcat to the network directly, but little inconvenient. You want the users to access the CzechIdM on user-friendly ports 80/tcp or 443/tcp, which is not easy to setup in Tomcat itself running under nonprivileged user. So we use Apache httpd as a reverse proxy. | ||
+ | Apache httpd will allow access to data via https on port 443/tcp and http on port 80/tcp. Communication via http protocol will be enabled, but we will redirect all communication to https. | ||
+ | Communication between Apache httpd and Tomcat will take place on local machine via AJP protocol. In httpd, there will be mod_security installed (optional but recommended), | ||
+ | |||
+ | The configuration example is written for the server which allows access to its services under the name " | ||
+ | |||
+ | ===== HTTPd installation and configuration ===== | ||
+ | |||
+ | Install httpd and mod\_security: | ||
+ | |||
+ | <code bash> | ||
+ | yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | ||
+ | </ | ||
+ | |||
+ | HTTPd basic configuration: | ||
+ | |||
+ | Change MPM to worker - in the file ''/ | ||
+ | |||
+ | <code bash> | ||
+ | # Select the MPM module which should be used by uncommenting exactly | ||
+ | # one of the following LoadModule lines: | ||
+ | |||
+ | # prefork MPM: Implements a non-threaded, | ||
+ | # See: http:// | ||
+ | #LoadModule mpm_prefork_module modules/ | ||
+ | |||
+ | # worker MPM: Multi-Processing Module implementing a hybrid | ||
+ | # multi-threaded multi-process web server | ||
+ | # See: http:// | ||
+ | # | ||
+ | LoadModule mpm_worker_module modules/ | ||
+ | |||
+ | # event MPM: A variant of the worker MPM with the goal of consuming | ||
+ | # threads only for connections with active processing | ||
+ | # See: http:// | ||
+ | # | ||
+ | #LoadModule mpm_event_module modules/ | ||
+ | </ | ||
+ | |||
+ | Disable " | ||
+ | <code bash> | ||
+ | cd / | ||
+ | mv welcome.conf welcome.conf-DISABLED | ||
+ | touch welcome.conf | ||
+ | </ | ||
+ | |||
+ | Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string ' | ||
+ | <code xml> | ||
+ | < | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ | ||
+ | |||
+ | < | ||
+ | Protocols | ||
+ | ProxyRequests | ||
+ | ProxyPreserveHost on | ||
+ | ProxyAddHeaders on | ||
+ | ProxyPass / ajp:// | ||
+ | ProxyPassReverse / ajp:// | ||
+ | </ | ||
+ | |||
+ | In IE 11, CzechIdM | ||
+ | < | ||
+ | # workaround for bad font handling in IE 11 | ||
+ | < | ||
+ | Header set Cache-Control " | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Identity manager CzechIdM will be available on address https:// | ||
+ | To do so, add following lines to the virtualhost config file (ssl.conf): | ||
+ | < | ||
+ | RewriteEngine On | ||
+ | RewriteRule " | ||
+ | </ | ||
+ | |||
+ | Syntax check before httpd restart | ||
+ | < | ||
+ | httpd -t -D DUMP_VHOST | ||
+ | # or apachectl configtest | ||
+ | </ | ||
+ | |||
+ | httpd restart and reload configuration changes: | ||
+ | < | ||
+ | systemctl restart httpd | ||
+ | </ | ||
+ | |||
+ | Allow in SELINUX to httpd connect to network: | ||
+ | < | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | Enable httpd after OS start: | ||
+ | <code bash> | ||
+ | systemctl enable httpd.service | ||
+ | </ | ||
+ | |||
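Review bot: The httpd install step uses `yum install -y` while every other package step on this CentOS 8 page uses dnf (`dnf -y install epel-release`, `dnf install -y java-11-openjdk-headless ...`); use dnf here as well for consistency. The running text of this section also writes "mod\_security" with a backslash before the underscore, which looks like a leftover escape and should be removed.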
+ | ===== mod_security configuration ===== | ||
+ | Mod_security files locations (on CentOS8): | ||
+ | |||
+ | * Audit log: ''/ | ||
+ | * Directory with activated rules: ''/ | ||
+ | * basic configuration file for mod\_security: | ||
+ | * The file for chosen rules deactivation: | ||
+ | |||
+ | The default set of rules is relatively strict. CzechIdM cannot run with the default configuration of mod_security. | ||
+ | |||
+ | Each rule is identified by a unique ID. If you want to deactivate the whole rule, it is advised to write the rule ID into ssl.conf like this: | ||
+ | |||
+ | <code xml> | ||
+ | < | ||
+ | SecRuleRemoveById RULE_ID | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | ==== Disabling mod_security rules ==== | ||
+ | |||
+ | These rules are disabled for modsec_crs 3.0. | ||
+ | |||
+ | In the file ''/ | ||
+ | |||
+ | <code xml> | ||
+ | < | ||
+ | SecRuleRemoveById 942430 | ||
+ | SecRuleRemoveById 942431 | ||
+ | SecRuleRemoveById 920300 | ||
+ | SecRuleRemoveById 920230 | ||
+ | | ||
+ | # Allow Czech signs | ||
+ | SecRuleRemoveById 942110 | ||
+ | SecRuleRemoveById 942330 | ||
+ | SecRuleRemoveById 942460 | ||
+ | SecRuleRemoveById 942260 | ||
+ | | ||
+ | # Too restrictive for login format | ||
+ | SecRuleRemoveById 920440 | ||
+ | | ||
+ | # Needed by Websockets | ||
+ | < | ||
+ | SecRuleRemoveById 950100 | ||
+ | </ | ||
+ | | ||
+ | # do not log request/ | ||
+ | SecAuditLogParts ABFHZ | ||
+ | </ | ||
+ | </ | ||
+ | |||
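Review bot: The first four `SecRuleRemoveById` lines (942430, 942431, 920300, 920230) carry no comment, while the later groups state why they are removed ("Allow Czech signs", "Too restrictive for login format", "Needed by Websockets"). Add the reason for each so the exclusions can be re-evaluated when the rule set is upgraded. Only 950100 sits inside a nested block; the other removals apply across the whole enclosing scope, so where a rule misfires on a known path or parameter, consider scoping the removal the same way or excluding just that target with `SecRuleUpdateTargetById` instead of dropping the rule entirely.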
+ | ==== mod_security configuration - CentOS8 | ||
+ | |||
+ | Edit the file ''/ | ||
+ | |||
+ | * find the rule '' | ||
+ | |||
+ | < | ||
+ | # Default HTTP policy: allowed_methods (rule 900200) | ||
+ | SecRule & | ||
+ | " | ||
+ | phase:1,\ | ||
+ | pass,\ | ||
+ | nolog,\ | ||
+ | setvar:' | ||
+ | </ | ||
+ | |||
+ | * find the rule '' | ||
+ | |||
+ | < | ||
+ | # Default HTTP policy: allowed_request_content_type (rule 900220) | ||
+ | SecRule & | ||
+ | " | ||
+ | phase:1,\ | ||
+ | pass,\ | ||
+ | nolog,\ | ||
+ | setvar:' | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== mod_deflate configuration ===== | ||
+ | It is advised to set up gzip so the users get minimum of data from the frontend server. | ||
+ | In the file ''/ | ||
+ | <code xml> | ||
+ | < | ||
+ | # Compress HTML, CSS, JavaScript, Text, XML and fonts | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE font/ | ||
+ | AddOutputFilterByType DEFLATE font/otf | ||
+ | AddOutputFilterByType DEFLATE font/ttf | ||
+ | AddOutputFilterByType DEFLATE image/ | ||
+ | AddOutputFilterByType DEFLATE image/ | ||
+ | AddOutputFilterByType DEFLATE text/css | ||
+ | AddOutputFilterByType DEFLATE text/html | ||
+ | AddOutputFilterByType DEFLATE text/ | ||
+ | AddOutputFilterByType DEFLATE text/plain | ||
+ | AddOutputFilterByType DEFLATE text/xml | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | |||
+ | # Remove browser bugs (only needed for really old browsers) | ||
+ | BrowserMatch ^Mozilla/4 gzip-only-text/ | ||
+ | BrowserMatch ^Mozilla/ | ||
+ | BrowserMatch \bMSIE !no-gzip !gzip-only-text/ | ||
+ | Header append Vary User-Agent | ||
+ | </ | ||
+ | </ | ||
+ | |||