Differences
This shows you the differences between two versions of the page.
tutorial:adm:server_preparation [2020/02/03 12:15] fiserp [HTTPd installation and configuration] |
tutorial:adm:server_preparation [2021/05/10 16:09] urbanl [HTTPd installation and configuration] |
Line 1: | Line 1: | ||
- | ====== Server preparation - Linux ====== | + | ====== Server preparation - Linux - CentOS8 |
{{tag> | {{tag> | ||
- | This tutorial shows how to prepare the server for test or production | + | This tutorial shows how to prepare the server for test or production |
===== Basic system setup ===== | ===== Basic system setup ===== | ||
- | * 1 server (can be virtualized) for all: backend, frontend and database. | + | * 1 server (can be virtualized) for everything: backend, frontend and database. |
- | * OS Linux with EPEL repository enabled - CENTOS, basic network enabled installation | + | * OS Linux with EPEL repository enabled - CentOS, basic network enabled installation |
- | * It is possible to use Debian but you have to adjust | + | * It is possible to use Debian |
- | * PostgreSQL - installed from a new repository | + | * PostgreSQL |
- | * Java - distribution repository (OpenJDK 1.8) | + | * Java 11 - installed from OS packages. |
- | * Apache Tomcat - manually | + | * Apache Tomcat |
- | * Services | + | * Apache HTTPd 2.4.x - installed from OS packages. Can be replaced by nGinx. |
- | * Services run under dedicated | + | * All services |
+ | * Each service runs under dedicated non-privileged | ||
===== Instalation and software configuration ===== | ===== Instalation and software configuration ===== | ||
- | Prerequisities - Basic installation of CentOS | + | Prerequisities - Basic installation of CentOS |
<code bash> | <code bash> | ||
# EPEL installation | # EPEL installation | ||
- | yum clean all | + | dnf clean all |
- | yum install | + | dnf -y install |
- | yum update | + | dnf -y update |
# other recommended packages installation | # other recommended packages installation | ||
- | yum install | + | dnf -y install mc haveged nmap screen sysstat telnet |
# enable haveged after OS start | # enable haveged after OS start | ||
systemctl start haveged.service | systemctl start haveged.service | ||
systemctl enable haveged.service | systemctl enable haveged.service | ||
- | # remove unnecessary software | + | |
- | yum remove -y postfix | + | |
- | systemctl stop avahi-daemon.socket avahi-daemon.service | + | |
- | systemctl disable avahi-daemon.socket avahi-daemon.service | + | |
- | yum remove -y avahi-autoipd avahi | + | |
# set the hostname | # set the hostname | ||
hostnamectl set-hostname FQDN_server_name | hostnamectl set-hostname FQDN_server_name | ||
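Review bot: the new side drops the "remove unnecessary software" step (stopping and disabling avahi, removing postfix and avahi) without a dnf replacement, so a fresh CentOS 8 install keeps postfix and avahi present; either carry the step over as ''dnf -y remove postfix avahi avahi-autoipd'' plus the ''systemctl disable'' lines, or say why it is no longer needed. The "other recommended packages" line also installs ''nmap'' and ''telnet''; both are handy during setup but hand ready-made network tooling to anyone who gets a shell, so consider removing them once the server is in production. Two heading typos survive unchanged on the new side: "Instalation" and "Prerequisities".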
Line 39: | Line 37: | ||
</ | </ | ||
- | When installing on Debian, install these packages: | + | ===== PostgreSQL |
- | < | + | <note tip>If you are installing |
- | screen dnsutils sysstat lsof haveged nmap tcpdump traceroute tcptraceroute curl iptables-persistent | + | We install |
- | </ | + | ==== Database server installation - CentOS8 |
- | ===== PostgreSQL ===== | + | * Software installation |
- | <note tip>If you are install | + | |
- | CentOS7 default repository version of PostgreSQL | + | |
- | ==== Database server installation - CentOS7 | + | |
- | * Software installation (versions can vary): | + | |
<code bash> | <code bash> | ||
- | yum install -y https:// | + | # enable module postgres 12 |
- | yum install | + | dnf module enable postgresql:12 |
+ | dnf -y install postgresql-server | ||
</ | </ | ||
- | | + | |
- | < | + | |
- | mkdir -p / | + | |
+ | < | ||
+ | mkdir -p / | ||
chown -R postgres: | chown -R postgres: | ||
chmod 700 /data/pgsql | chmod 700 /data/pgsql | ||
</ | </ | ||
- | | + | |
+ | | ||
<code bash> | <code bash> | ||
- | cp / | + | cp / |
</ | </ | ||
- | In the file ''/ | + | |
+ | In the file ''/ | ||
< | < | ||
# Location of database directory | # Location of database directory | ||
- | Environment=PGDATA=/ | + | Environment=PGDATA=/ |
</ | </ | ||
- | * In the file '' | + | * In the file '' |
< | < | ||
- | PGDATA=/ | + | PGDATA=/ |
</ | </ | ||
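Review bot: the PGDATA relocation copies the whole ''postgresql.service'' unit (the ''cp'' line, then editing ''Environment=PGDATA='' in the copy); a full copy under /etc shadows the packaged unit, so later changes shipped by postgresql-server to that unit are silently ignored. The cleaner way is a drop-in created with ''systemctl edit postgresql.service'' that contains only ''[Service]'' and the ''Environment=PGDATA='' override pointing at the directory created under /data/pgsql above. Also, ''dnf module enable postgresql:12'' is missing ''-y'' while the neighbouring dnf lines have it, so the block is not copy-paste safe in a non-interactive session.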
Line 85: | Line 86: | ||
<code bash> | <code bash> | ||
- | / | + | postgresql-setup |
</ | </ | ||
+ | Change SELINUX labels: | ||
+ | < | ||
+ | chcon -Rt postgresql_db_t / | ||
+ | chcon -Rt postgresql_log_t / | ||
+ | </ | ||
* Enable and start database: | * Enable and start database: | ||
<code bash> | <code bash> | ||
- | systemctl start postgresql-9.6.service | + | systemctl start postgresql.service |
- | systemctl enable postgresql-9.6.service | + | systemctl enable postgresql.service |
</ | </ | ||
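Review bot: the SELinux step labels the relocated directories with ''chcon -Rt postgresql_db_t'' and ''chcon -Rt postgresql_log_t''; chcon only changes the label on the inode, so the labels are lost on the next ''restorecon'' or filesystem relabel and PostgreSQL will then fail to start. Register the contexts persistently with ''semanage fcontext -a -t postgresql_db_t "/data/pgsql(/.*)?"'' (and the same with postgresql_log_t for the log directory) and apply them with ''restorecon -Rv /data/pgsql''; on CentOS 8 ''semanage'' comes from the policycoreutils-python-utils package.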
Line 100: | Line 105: | ||
<code bash> | <code bash> | ||
- | [root@tomcat1 system]# systemctl status postgresql-9.6.service -l | + | [root@HOSTNAME data]# systemctl status postgresql.service -l |
- | ● postgresql-9.6.service - PostgreSQL | + | ● postgresql.service - PostgreSQL database server |
- | | + | |
- | | + | |
- | Main PID: 2626 (postmaster) | + | Main PID: 25715 (postmaster) |
- | | + | Tasks: 8 (limit: 52428) |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | └─2634 postgres: stats collector | + | |
+ | | ||
+ | ├─25722 postgres: stats collector | ||
+ | | ||
- | lis 18 23:50:06 tomcat1.localdomain | + | Mar 11 10:48:06 HOSTNAME |
- | lis 18 23:50:06 tomcat1.localdomain | + | Mar 11 10:48:06 HOSTNAME postmaster[25715]: |
- | lis 18 23:50:06 tomcat1.localdomain | + | Mar 11 10:48:06 HOSTNAME |
- | lis 18 23:50:06 tomcat1.localdomain | + | Mar 11 10:48:06 HOSTNAME postmaster[25715]: |
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME | ||
+ | Mar 11 10:48:06 HOSTNAME | ||
</ | </ | ||
- | ==== Database server installation - Debian Stretch ==== | ||
- | Install the database from OS packages: | ||
- | < | ||
- | apt-get install postgresql-9.6 | ||
- | </ | ||
- | We will move the database - create directory structure: | ||
- | < | ||
- | mkdir -p / | ||
- | chown -R postgres: | ||
- | chmod -R 700 /data/pgsql | ||
- | </ | ||
- | Create the file .bash\_profile in postgres user's home (default / | ||
- | < | ||
- | PGDATA=/ | ||
- | </ | ||
- | Stop the database: | ||
- | < | ||
- | systemctl stop postgresql | ||
- | </ | ||
- | Move database directory (run this as root): | ||
- | < | ||
- | mv / | ||
- | </ | ||
- | In the PostgreSQL configuration file / | ||
- | < | ||
- | data_directory = '/ | ||
- | </ | ||
- | Enable and start the database: | ||
- | < | ||
- | systemctl start postgresql | ||
- | systemctl enable postgresql | ||
- | </ | ||
- | ==== DB server configuration ==== | ||
- | First of all, enable | + | ==== Database server configuration and sizing ==== |
+ | |||
+ | * Enable | ||
- | In the file ''/ | + | In the file ''/ |
< | < | ||
host all | host all | ||
host all | host all | ||
</ | </ | ||
- | + | and change the value at the end of each line to '' | |
- | and change the value at the end of each line into md5 like this: | + | |
< | < | ||
host all | host all | ||
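Review bot: the pg_hba.conf step still changes the method at the end of the ''host all'' lines (the old text said ''md5''); since the target is now PostgreSQL 12, use ''scram-sha-256'' here together with ''password_encryption = scram-sha-256'' in postgresql.conf, because a stolen md5 verifier can be replayed directly as the password, while a SCRAM verifier cannot. Separately, this hunk removes the whole "Database server installation - Debian Stretch" section, but the bullet at the top of the new revision still says "It is possible to use Debian"; either drop that bullet or point to where the Debian steps now live.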
Line 168: | Line 149: | ||
</ | </ | ||
- | Now we can do DB sizing. | + | * Adjust |
- | In a file ''/ | + | * In following snippet, we presume the system has 3GB of memory |
+ | * We also log queries running longer than 200ms. | ||
+ | In a file ''/ | ||
< | < | ||
- | max_connections = 100 # (change requires restart) | + | # This is an EXAMPLE. Use the calculator to adjust for your deployment! |
- | shared_buffers = 768MB # min 128kB | + | # DB Version: 12 |
+ | # OS Type: linux | ||
+ | # DB Type: web | ||
+ | # Total Memory (RAM): 3 GB | ||
+ | # Connections num: 100 | ||
+ | # Data Storage: ssd | ||
+ | max_connections = 100 | ||
+ | shared_buffers = 768MB | ||
effective_cache_size = 2304MB | effective_cache_size = 2304MB | ||
- | work_mem = 7864kB | ||
maintenance_work_mem = 192MB | maintenance_work_mem = 192MB | ||
- | |||
- | min_wal_size = 1GB | ||
- | max_wal_size = 2GB | ||
checkpoint_completion_target = 0.7 | checkpoint_completion_target = 0.7 | ||
wal_buffers = 16MB | wal_buffers = 16MB | ||
- | |||
default_statistics_target = 100 | default_statistics_target = 100 | ||
+ | random_page_cost = 1.1 | ||
+ | effective_io_concurrency = 200 | ||
+ | work_mem = 3932kB | ||
+ | min_wal_size = 1GB | ||
+ | max_wal_size = 4GB | ||
log_min_duration_statement = 200 | log_min_duration_statement = 200 | ||
</ | </ | ||
- | Restart | + | * Restart |
- | For Debian installation, | ||
< | < | ||
- | /etc/postgresql/9.6/ | + | systemctl restart |
- | / | + | |
</ | </ | ||
- | < | + | < |
- | ===== Java - CentOS7 | + | ===== Java - CentOS8 |
- | Java must be installed | + | Tomcat application server needs Java installed. |
Installation: | Installation: | ||
- | < | + | < |
- | yum install -y java-1.8.0-openjdk-headless java-1.8.0-openjdk-devel | + | dnf install -y java-11-openjdk-headless java-11-openjdk-devel |
</ | </ | ||
- | Then create the file ''/ | ||
- | <file bash java.sh> | ||
- | [ -d / | ||
- | </ | ||
- | |||
- | ===== Java - Debian ===== | ||
- | |||
- | Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository. | ||
- | |||
- | Installation: | ||
- | <code bash> | ||
- | apt-get install openjdk-8-jdk-headless openjdk-8-jre-headless | ||
- | </ | ||
- | |||
- | Then create the file ''/ | ||
- | <file bash java.sh> | ||
- | [ -d / | ||
- | </ | ||
===== Tomcat ===== | ===== Tomcat ===== | ||
- | * Create a new group and add user for the tomcat to run under (for Debian, use / | + | * Create a new group and add user for the tomcat to run under: |
< | < | ||
groupadd -r tomcat | groupadd -r tomcat | ||
- | useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat | + | useradd -r -s /usr/sbin/nologin -g tomcat -d /opt/tomcat tomcat |
getent passwd tomcat | getent passwd tomcat | ||
- | tomcat: | + | #tomcat: |
</ | </ | ||
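Review bot: ''log_min_duration_statement = 200'' writes the full text of every statement slower than 200 ms to the server log, including literal values embedded in the SQL, so whoever can read the postgres log can read application data; say so next to the line and keep the log directory (labelled postgresql_log_t above) readable only by the postgres user. The sizing header says "Use the calculator to adjust for your deployment" without naming the calculator; link the tool that produced these values. The switch to ''useradd -r -s /usr/sbin/nologin'' is fine on CentOS 8, where ''/sbin'' is a symlink to ''/usr/sbin''.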
Line 244: | Line 215: | ||
</ | </ | ||
- | * Download Apache Tomcat 8.5.x from the website [[https:// | + | * Download Apache Tomcat 8.5.x from the website [[https:// |
- | * In our exapmle the version is 8.5.8. | + | * In our exapmle the version is 8.5.57. |
- | * extract files from archive: | + | * extract files from the archive: |
<code bash> | <code bash> | ||
- | tar xzf apache-tomcat-8.5.8.tar.gz | + | tar xzf apache-tomcat-8.5.57.tar.gz |
</ | </ | ||
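Review bot: the download step goes straight from the tarball to ''tar xzf apache-tomcat-8.5.57.tar.gz'' with no integrity check; Apache publishes a SHA-512 sum and a PGP signature next to each archive, so add a ''sha512sum -c'' (or ''gpg --verify'') before extraction. The stated target is "8.5.x" but 8.5.57 is hard-coded in the download, tar and symlink steps, and the 8.5 line continued past 8.5.57; tell the reader to take the current 8.5 release and substitute the version everywhere. Typo: "exapmle".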
Line 257: | Line 228: | ||
<code bash> | <code bash> | ||
cd /opt/tomcat | cd /opt/tomcat | ||
- | ln -s apache-tomcat-8.5.8 current | + | ln -s apache-tomcat-8.5.57 current |
</ | </ | ||
Line 267: | Line 238: | ||
chmod 750 /opt/tomcat | chmod 750 /opt/tomcat | ||
cd / | cd / | ||
- | chmod o+rX -R ./ | + | chmod -R o+rX ./ |
chgrp -R tomcat conf/ bin/ lib/ | chgrp -R tomcat conf/ bin/ lib/ | ||
- | chmod g+rwx conf | + | chmod g+rx conf |
chmod g+r conf/* | chmod g+r conf/* | ||
chown -R tomcat webapps/ work/ temp/ logs/ | chown -R tomcat webapps/ work/ temp/ logs/ | ||
+ | |||
+ | mkdir / | ||
+ | chown tomcat: | ||
+ | chmod 750 / | ||
</ | </ | ||
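Review bot: the permission block runs ''chmod -R o+rX ./'' over the whole Tomcat tree first and then only tightens the group bits on ''conf'' (''chgrp -R tomcat conf/ bin/ lib/'', ''chmod g+rx conf'', ''chmod g+r conf/*''), so ''conf/'' and everything in it, including ''tomcat-users.xml'' and ''server.xml'' with the AJP ''secret'' set later in this diff, stays world-readable. Add ''chmod -R o-rwx conf'' after the recursive ''o+rX'', or apply ''o+rX'' only to ''bin'' and ''lib''. The change from ''g+rwx'' to ''g+rx'' on ''conf'' is right: Tomcat does not need to write its own configuration.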
Line 289: | Line 264: | ||
[Unit] | [Unit] | ||
Description=Apache Tomcat Web Application Container | Description=Apache Tomcat Web Application Container | ||
- | After=syslog.target network.target | + | After=syslog.target network.target |
[Service] | [Service] | ||
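Review bot: ''After=syslog.target network.target'' in the unit: ''syslog.target'' is no longer provided by current systemd (logging goes through journald), so it is a dead dependency and can be dropped; ''network.target'' only guarantees that the network stack is configured, not that an address is up, so if the connector is bound to a specific address use ''Wants=network-online.target'' together with ''After=network-online.target''.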
Line 312: | Line 287: | ||
WantedBy=multi-user.target | WantedBy=multi-user.target | ||
</ | </ | ||
+ | < | ||
+ | * Values of '' | ||
+ | * Tomcat will be started under user '' | ||
+ | </ | ||
- | * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more. | + | * Reload |
- | + | ||
- | * Tomcat will be started under user '' | + | |
- | * For Debian, change the JAVA\_HOME to '' | + | |
- | * After every systemd configuration | + | |
< | < | ||
systemctl daemon-reload | systemctl daemon-reload | ||
</ | </ | ||
- | | + | |
+ | | ||
< | < | ||
systemctl start tomcat | systemctl start tomcat | ||
+ | systemctl enable tomcat | ||
</ | </ | ||
+ | |||
* Check that Tomcat runs with desirable parameters: | * Check that Tomcat runs with desirable parameters: | ||
+ | |||
<code bash> | <code bash> | ||
- | [root@tomcat1 logs]# ps -u tomcat | + | [root@tomcat1 logs]# ps -ef | grep ^tomcat |
- | UID PID PPID C STIME TTY TIME CMD | + | tomcat |
- | tomcat | + | |
</ | </ | ||
- | | + | |
+ | | ||
< | < | ||
systemctl stop tomcat | systemctl stop tomcat | ||
- | </ | ||
- | * Enable tomcat start after OS start: | ||
- | <code bash> | ||
- | systemctl enable tomcat | ||
</ | </ | ||
Line 350: | Line 327: | ||
* http:// | * http:// | ||
- | If you want to use them, it is necessary | + | <note important> |
- | First of all, create a database user that you will use for the access to those applications. | + | If you want to use them, it is necessary |
- | Create | + | First of all, create a Tomcat' |
- | Create the a new user in the file ''/ | + | * Create administration user |
- | The documentation of available roles as well as overall configuration of the application is a part of application installation available at http:// | + | * Create the a new user in the file ''/ |
+ | | ||
- | The file ''/ | + | The file ''/ |
<file xml tomcat-users.xml> | <file xml tomcat-users.xml> | ||
<?xml version=" | <?xml version=" | ||
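Review bot: the manager/host-manager step creates an administrative user in ''tomcat-users.xml''; note next to it that the password is stored in clear text there unless a ''CredentialHandler'' is configured in the realm, so the file must not be world-readable, and that Tomcat's own manager documentation recommends giving ''manager-gui'' and ''manager-script''/''manager-jmx'' to different users, because a browser session that also holds a script role bypasses the CSRF protection of the HTML interface. Replacing the old "database user" wording with a Tomcat user is the right fix; "Tomcat'" is cut off in the diff.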
Line 375: | Line 353: | ||
</ | </ | ||
- | If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. If you see '' | + | * If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. |
+ | * If you see '' | ||
- | Add your IP address into application configuration files. In files ''/ | + | Add your IP address into application configuration files. In files ''/ |
- | In my case, I want to access | + | For example, if you want to access Tomcat' |
<file xml context.xml> | <file xml context.xml> | ||
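Review bot: the remote-access step adds the operator's IP to the manager's ''context.xml''; the ''allow'' attribute of that valve is a regular expression, so dots must be escaped (''10\.0\.0\.5'') and several addresses are separated with ''|''. Since httpd later proxies ''/'' to Tomcat, ''/manager'' and ''/host-manager'' become reachable through the public vhost as well, so either keep the IP list tight or exclude those paths in httpd with ''ProxyPass /manager !'' and ''ProxyPass /host-manager !''.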
Line 389: | Line 368: | ||
</ | </ | ||
- | Again, restart the tomcat: | + | * Again, restart the tomcat |
<code bash> | <code bash> | ||
systemctl restart tomcat | systemctl restart tomcat | ||
</ | </ | ||
- | === Apache Tomcat configuration recommended for production | + | === Apache Tomcat configuration recommended for production |
- | It is advised | + | We advise |
- | * Remove unnecessary | + | * Remove unnecessary |
<code bash> | <code bash> | ||
Line 410: | Line 390: | ||
<Server port=" | <Server port=" | ||
</ | </ | ||
+ | |||
* Make Tomcat listen only on localhost: | * Make Tomcat listen only on localhost: | ||
- | * In the ''/ | + | * In the ''/ |
+ | |||
+ | * Set the '' | ||
+ | * In the ''/ | ||
+ | |||
+ | * In same file configure AJP port ('' | ||
+ | |||
+ | < | ||
+ | < | ||
+ | address=" | ||
+ | secretRequired=" | ||
+ | secret=" | ||
+ | port=" | ||
+ | redirectPort=" | ||
+ | </ | ||
* Do not show aplication server version: | * Do not show aplication server version: | ||
- | * In the file ''/ | + | * In the file ''/ |
<code xml> | <code xml> | ||
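Review bot: the AJP connector now sets ''secretRequired="true"'' with a ''secret'' and binds with ''address=''; say explicitly that the secret is the only authentication on the AJP channel, so it must be a long random value (for example from ''openssl rand -hex 32''), must match the ''secret='' worker parameter on the httpd ''ProxyPass'' line, and must not be left at a placeholder. Because the secret sits in ''server.xml'', the earlier ''chmod -R o+rX'' on the Tomcat tree has to be followed by removing world read on ''conf''.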
Line 440: | Line 435: | ||
<file txt tomcat> | <file txt tomcat> | ||
/ | / | ||
- | rotate | + | rotate |
daily | daily | ||
dateext | dateext | ||
Line 464: | Line 459: | ||
* Adjust particular SELinux labels. Example ([[https:// | * Adjust particular SELinux labels. Example ([[https:// | ||
</ | </ | ||
- | |||
- | Please note that on Debian, the log is not rotate during the first day, but after the second day. | ||
Line 482: | Line 475: | ||
<code bash> | <code bash> | ||
yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | ||
- | </ | ||
- | |||
- | On Debian install those packages and allow modules: | ||
- | < | ||
- | apt-get install apache2 libapache2-mod-security2 modsecurity-crs | ||
- | a2enmod ssl | ||
- | a2enmod proxy | ||
- | a2enmod proxy_ajp | ||
- | a2enmod proxy_http | ||
- | a2enmod security2 | ||
- | a2enmod rewrite | ||
- | a2enmod headers | ||
</ | </ | ||
HTTPd basic configuration: | HTTPd basic configuration: | ||
- | Change MPM to worker | + | Change MPM to worker - in the file ''/ |
<code bash> | <code bash> | ||
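Review bot: the httpd install line still uses ''yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs'' while the rest of the revision switched to ''dnf''; yum is an alias for dnf on CentOS 8, so it works, but make it consistent. "Change MPM to worker": CentOS 8 httpd 2.4 enables the event MPM by default, which is a superset of worker and handles keep-alive connections better, so unless a module specifically needs worker the step should say to keep event.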
Line 528: | Line 509: | ||
</ | </ | ||
- | Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/ | + | Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'SERVER' to the real servername in the file ''/ |
<code xml> | <code xml> | ||
< | < | ||
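Review bot: for the port-80 vhost that only forwards to 443, make the redirect permanent (''Redirect permanent / https://SERVER/'' or ''RewriteRule ... [R=301,L]''); a temporary redirect makes clients retry plain HTTP on every visit. Pair it with ''Header always set Strict-Transport-Security "max-age=63072000"'' inside the 443 vhost; mod_headers is loaded by default on CentOS 8 httpd.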
Line 536: | Line 517: | ||
</ | </ | ||
- | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ | + | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ |
< | < | ||
+ | Protocols | ||
ProxyRequests | ProxyRequests | ||
ProxyPreserveHost on | ProxyPreserveHost on | ||
ProxyAddHeaders on | ProxyAddHeaders on | ||
- | ProxyPass / ajp:// | + | ProxyPass / ajp:// |
- | ProxyPassReverse / ajp:// | + | ProxyPassReverse / ajp:// |
</ | </ | ||
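Review bot: the proxy block forwards ''/'' to Tomcat with ''ProxyPass / ajp://...'', and since the Tomcat side now has ''secretRequired="true"'' with a ''secret'', this line must carry the matching ''secret=...'' worker parameter or Tomcat answers 403 for every request; the line is cut off in the diff, so make sure the parameter is there (mod_proxy_ajp accepts ''secret='' from httpd 2.4.42; ''httpd -t'' rejects the parameter on an older build). ''ProxyRequests'' must be ''Off'' so the vhost does not become an open forward proxy; the value is not visible here either.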
Line 561: | Line 543: | ||
</ | </ | ||
- | We also have to secure the communication. **Edit** corresponding lines in '' | + | === Certificate for httpd === |
+ | |||
+ | If you have prepared certifikate, | ||
< | < | ||
- | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | + | SSLCertificateFile PATH_TO_CERTIFICATE_FILE |
- | SSLCipherSuite ALL: | + | SSLCertificateKeyFile PATH_TO_CERTIFICATE_KEY_FILE |
- | SSLHonorCipherOrder on | + | SSLCertificateChainFile PATH_TO_CA_CHAIN_FILE |
</ | </ | ||
- | < | + | Then continue |
- | On Debian, create symlinks to sites-enabled: | + | If you not prepared them in the moment. Create temporary certificate and key. |
< | < | ||
- | cd /etc/apache2/sites-enabled | + | mkdir / |
- | ln -s ../sites-available/vhost-redirect.conf 01vhost-redirect.conf | + | cd /etc/httpd/cert |
- | ln -s ../sites-available/ssl.conf 02ssl.conf | + | openssl genrsa |
+ | openssl req -new -key http_temp_cert.key -out http_temp_cert.csr -subj "/C=CZ/ | ||
+ | openssl x509 -req -in http_temp_cert.csr -signkey http_temp_cert.key -days 1 -sha256 | ||
+ | rm http_temp_cert.csr | ||
+ | chmod 600 /etc/ | ||
+ | chown -R tomcat: | ||
</ | </ | ||
+ | Then change set path to them in these properties in ''/ | ||
+ | < | ||
+ | SSLCertificateFile / | ||
+ | SSLCertificateKeyFile / | ||
+ | </ | ||
+ | |||
+ | === Checking httpd configuration syntax and configuring selinux === | ||
- | Syntax check before httpd restart: | + | Syntax check before httpd restart |
< | < | ||
httpd -t -D DUMP_VHOST | httpd -t -D DUMP_VHOST | ||
+ | # or apachectl configtest | ||
</ | </ | ||
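Review bot: two problems in the certificate section. First, the temporary key is handed to the Tomcat user with ''chown -R tomcat:...''; httpd reads ''SSLCertificateKeyFile'' as root at startup, so the key should stay root-owned with the ''chmod 600'' already applied, and giving it to the application server exposes the web server's private key for no benefit. Second, the old revision's TLS hardening (''SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1'', ''SSLCipherSuite'', ''SSLHonorCipherOrder on'') is removed and nothing replaces it; on CentOS 8 mod_ssl follows the system-wide crypto policy (''PROFILE=SYSTEM'', check ''update-crypto-policies --show''), which is acceptable only if the page says so and the policy is DEFAULT or stricter. Minor: ''SSLCertificateChainFile'' has been deprecated since httpd 2.4.8 (put the chain into ''SSLCertificateFile''), and "certifikate" / "If you not prepared them in the moment" need proofreading.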
Line 586: | Line 583: | ||
</ | </ | ||
+ | Allow in SELINUX to httpd connect to network: | ||
+ | < | ||
+ | / | ||
+ | </ | ||
+ | |||
Enable httpd after OS start: | Enable httpd after OS start: | ||
<code bash> | <code bash> | ||
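Review bot: the command under "Allow in SELINUX to httpd connect to network" is cut off in the diff; if it is ''setsebool httpd_can_network_connect'', add ''-P'' so the boolean survives a reboot, and prefer the narrower ''httpd_can_network_relay'', which covers proxying to a local Tomcat on an http_port_t port such as 8009, over ''httpd_can_network_connect'', which lets httpd open arbitrary outbound connections and is exactly what a compromised handler would use.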
Line 592: | Line 594: | ||
===== mod_security configuration ===== | ===== mod_security configuration ===== | ||
- | Mod_security files locations (on CentOS7): | + | Mod_security files locations (on CentOS8): |
* Audit log: ''/ | * Audit log: ''/ | ||
* Directory with activated rules: ''/ | * Directory with activated rules: ''/ | ||
- | * basic configuration file for mod\_security: | + | * basic configuration file for mod\_security: |
* The file for chosen rules deactivation: | * The file for chosen rules deactivation: | ||
Line 611: | Line 613: | ||
==== Disabling mod_security rules ==== | ==== Disabling mod_security rules ==== | ||
- | In the file ''/ | + | These rules are disabled for modsec_crs 3.0. |
+ | |||
+ | In the file ''/ | ||
<code xml> | <code xml> | ||
< | < | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
+ | | ||
+ | | ||
# Allow Czech signs | # Allow Czech signs | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
| | ||
# Too restrictive for login format | # Too restrictive for login format | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
+ | |||
# Needed by Websockets | # Needed by Websockets | ||
< | < | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
</ | </ | ||
- | | ||
- | # These break Certificate Authority module | ||
- | < | ||
- | SecRuleRemoveById 960915 | ||
- | SecRuleRemoveById 200003 | ||
- | </ | ||
- | |||
- | # Modsec can throw false positives on some files due to multipart boundary check | ||
- | < | ||
- | SecRuleRemoveById 960915 | ||
- | SecRuleRemoveById 200003 | ||
- | </ | ||
# do not log request/ | # do not log request/ | ||
- | SecAuditLogParts | + | SecAuditLogParts |
</ | </ | ||
</ | </ | ||
- | ==== mod_security configuration - CentOS7 | + | ==== mod_security configuration - CentOS8 |
- | In the file / | + | Edit the file '' |
- | Whole rule after the changes looks like this: | + | |
- | < | + | * find the rule '' |
- | SecAction \ | + | |
- | "id:'900012', \ | + | |
- | phase:1, \ | + | |
- | t:none, \ | + | |
- | setvar:'tx.allowed_methods=GET HEAD POST OPTIONS | + | |
- | setvar:'tx.allowed_request_content_type=application/ | + | |
- | setvar:'tx.allowed_http_versions=HTTP/ | + | |
- | setvar:'tx.restricted_extensions=.asa/ | + | |
- | setvar:'tx.restricted_headers=/ | + | |
- | nolog, \ | + | |
- | pass" | + | |
- | </ | + | |
- | ==== mod_security configuration - Debian ==== | ||
- | Enable mod\_security configuration: | ||
< | < | ||
- | cd / | + | # Default HTTP policy: allowed_methods (rule 900200) |
- | cp modsecurity.conf-recommended modsecurity.conf | + | SecRule & |
+ | " | ||
+ | phase:1,\ | ||
+ | pass,\ | ||
+ | nolog,\ | ||
+ | setvar:' | ||
</ | </ | ||
- | Uncomment following rules in the '' | + | * find the rule '' |
- | < | + | |
- | SecAction | + | |
- | " | + | |
- | phase:1,\ | + | |
- | nolog,\ | + | |
- | pass,\ | + | |
- | t:none,\ | + | |
- | setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'" | + | |
- | SecAction | + | < |
- | " | + | # Default HTTP policy: allowed_request_content_type (rule 900220) |
- | phase:1,\ | + | SecRule & |
- | | + | "id:901162,\ |
- | | + | phase:1,\ |
- | | + | pass,\ |
- | setvar:' | + | nolog,\ |
+ | setvar:' | ||
</ | </ | ||
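Review bot: two points on the mod_security hunk. (1) The exclusion list removes several CRS 3 rules wholesale ("Allow Czech signs", "Too restrictive for login format", "Needed by Websockets"); in CRS 3 a targeted exclusion such as ''SecRuleUpdateTargetById <id> "!ARGS:login"'' keeps the rule for every other parameter, and CRS expects such exclusions in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS or RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file so that they survive package updates of the rule set; the rule IDs on the new side are cut off here, so the reader cannot verify which rules go. (2) The allowed_methods and allowed_request_content_type change edits the ''SecRule &TX:... "@eq 0"'' fallback rules (901160/901162 in the packaged initialization file), which only set a value when it is still unset and live in a file that package upgrades overwrite; the supported place is the corresponding ''SecAction'' in crs-setup.conf (rules 900200 and 900220, as the comments themselves say), which the 901 rules then honour.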
Line 733: | Line 710: | ||
</ | </ | ||
- | ===== Workaround for slow HTTPD shutdown ===== | ||
- | In some RHEL/CentOS versions Apache HTTPD shutsdown or restarts itself very slowly. It is caused by [[https:// | ||
- | Workaround is to edit '''/ | ||
- | < | ||
- | KillMode=none | ||
- | </ | ||
- | Then reload systemd: | ||
- | |||
- | < | ||
- | systemctl daemon-reload | ||
- | </ | ||
- | |||
- | It is absolutely correct to create new versions of unity in /etc, that has the option: | ||
- | |||
- | < | ||
- | cp / | ||
- | vim / | ||
- | systemctl daemon-reload | ||
- | </ | ||
- | |||
- | The patch of httpd should come soon so the first option is OK too. | ||
- | |||
- | ===== SSO ===== | ||
- | |||
- | If you want to enable SSO to CzechIdM, additional configuration must be done with mod\_auth\_kerb. See [[tutorial: | ||
- | |||
- | ====== nginx as reverse proxy ====== | ||
- | |||
- | In case that you want to use nginx instead of Apache httpd, the configuration is as follows. | ||
- | |||
- | <code ini> | ||
- | server { | ||
- | listen | ||
- | server_name | ||
- | client_max_body_size 1G; | ||
- | ssl on; | ||
- | ssl_certificate | ||
- | ssl_certificate_key | ||
- | gzip on; | ||
- | gzip_proxied any; | ||
- | gzip_types | ||
- | text/css | ||
- | | ||
- | text/xml | ||
- | | ||
- | application/ | ||
- | | ||
- | application/ | ||
- | |||
- | location / { | ||
- | proxy_hide_header X-Frame-Options; | ||
- | add_header X-Frame-Options SAMEORIGIN; | ||
- | proxy_pass http:// | ||
- | proxy_set_header Host $host; | ||
- | proxy_set_header X-Real-IP $remote_addr; | ||
- | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
- | proxy_set_header X-Forwarded-Proto " | ||
- | proxy_ssl_session_reuse off; | ||
- | proxy_redirect off; | ||
- | |||
- | # WebSocket support | ||
- | proxy_http_version 1.1; | ||
- | proxy_set_header Upgrade $http_upgrade; | ||
- | proxy_set_header Connection " | ||
- | } | ||
- | } | ||
- | </ | ||
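Review bot: this hunk removes three whole sections (the slow-httpd-shutdown workaround, the SSO note pointing at mod_auth_kerb, and the nginx reverse-proxy configuration) without a pointer to where they went; the summary at the top of the new revision still says "Can be replaced by nGinx", so either keep the nginx block (updated, since ''ssl on;'' is deprecated in favour of ''listen 443 ssl;'') or drop that claim, and the SSO link is worth keeping as a one-liner because nothing else on the page explains how SSO is enabled.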