tutorial:adm:server_preparation [2020/07/28 09:08] urbanl |
tutorial:adm:server_preparation [2021/09/01 09:04] fiserp [HTTPd installation and configuration] |
Line 21: | Line 21: | ||
dnf clean all | dnf clean all | ||
dnf -y install epel-release | dnf -y install epel-release | ||
- | dnf update | + | dnf -y update |
# other recommended packages installation | # other recommended packages installation | ||
Line 215: | Line 215: | ||
</ | </ | ||
- | * Download Apache Tomcat | + | * Download Apache Tomcat |
- | * In our exapmle the version is 8.5.57. | + | * In our exapmle the version is 9.0.45. |
* extract files from the archive: | * extract files from the archive: | ||
<code bash> | <code bash> | ||
- | tar xzf apache-tomcat-8.5.57.tar.gz | + | tar xzf apache-tomcat-9.0.45.tar.gz |
</ | </ | ||
Line 326: | Line 326: | ||
* http:// | * http:// | ||
* http:// | * http:// | ||
+ | |||
+ | <note important> | ||
If you want to use them, it is necessary to do following steps. | If you want to use them, it is necessary to do following steps. | ||
Line 367: | Line 369: | ||
* Again, restart the tomcat | * Again, restart the tomcat | ||
+ | |||
<code bash> | <code bash> | ||
systemctl restart tomcat | systemctl restart tomcat | ||
Line 472: | Line 475: | ||
<code bash> | <code bash> | ||
yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | ||
+ | |||
</ | </ | ||
Line 477: | Line 481: | ||
Change MPM to worker - in the file ''/ | Change MPM to worker - in the file ''/ | ||
- | |||
<code bash> | <code bash> | ||
# Select the MPM module which should be used by uncommenting exactly | # Select the MPM module which should be used by uncommenting exactly | ||
Line 497: | Line 500: | ||
# | # | ||
#LoadModule mpm_event_module modules/ | #LoadModule mpm_event_module modules/ | ||
+ | |||
</ | </ | ||
Disable " | Disable " | ||
+ | |||
<code bash> | <code bash> | ||
cd / | cd / | ||
mv welcome.conf welcome.conf-DISABLED | mv welcome.conf welcome.conf-DISABLED | ||
touch welcome.conf | touch welcome.conf | ||
+ | |||
</ | </ | ||
Line 512: | Line 518: | ||
| | ||
</ | </ | ||
+ | |||
</ | </ | ||
- | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ | + | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ |
< | < | ||
- | Protocols | + | Protocols |
ProxyRequests | ProxyRequests | ||
ProxyPreserveHost on | ProxyPreserveHost on | ||
Line 523: | Line 529: | ||
ProxyPass / ajp:// | ProxyPass / ajp:// | ||
ProxyPassReverse / ajp:// | ProxyPassReverse / ajp:// | ||
+ | |||
</ | </ | ||
- | In IE 11, CzechIdM | + | In IE 11, CzechIdM has problems with missing icons. Icons are created by special fonts and those fonts are handled badly in the IE. It is necessary to set '' |
< | < | ||
# workaround for bad font handling in IE 11 | # workaround for bad font handling in IE 11 | ||
< | < | ||
- | Header set Cache-Control " | + | Header set Cache-Control " |
</ | </ | ||
+ | |||
</ | </ | ||
- | Identity manager CzechIdM will be available on address https:// | + | Identity manager CzechIdM will be available on address |
- | To do so, add following lines to the virtualhost config file (ssl.conf): | + | |
< | < | ||
+ | |||
RewriteEngine On | RewriteEngine On | ||
- | RewriteRule " | + | RewriteRule " |
</ | </ | ||
+ | |||
+ | === Certificate for httpd === | ||
+ | |||
+ | If you have prepared certifikate, | ||
+ | < | ||
+ | SSLCertificateFile PATH_TO_CERTIFICATE_FILE | ||
+ | SSLCertificateKeyFile PATH_TO_CERTIFICATE_KEY_FILE | ||
+ | SSLCertificateChainFile PATH_TO_CA_CHAIN_FILE | ||
+ | |||
+ | </ | ||
+ | |||
+ | Then continue with cheking syntax of httpd. | ||
+ | |||
+ | If you not prepared them in the moment. Create temporary certificate and key. | ||
+ | |||
+ | < | ||
+ | mkdir / | ||
+ | cd / | ||
+ | openssl genrsa -out http_temp_cert.key | ||
+ | openssl req -new -key http_temp_cert.key -out http_temp_cert.csr -subj "/ | ||
+ | openssl x509 -req -in http_temp_cert.csr -signkey http_temp_cert.key -days 1 -sha256 -out http_temp_cert.crt | ||
+ | rm http_temp_cert.csr | ||
+ | chmod 600 / | ||
+ | chown -R tomcat: | ||
+ | |||
+ | </ | ||
+ | |||
+ | Then change set path to them in these properties in ''/ | ||
+ | < | ||
+ | SSLCertificateFile / | ||
+ | SSLCertificateKeyFile / | ||
+ | |||
+ | </ | ||
+ | |||
+ | === Checking httpd configuration syntax and configuring selinux === | ||
Syntax check before httpd restart | Syntax check before httpd restart | ||
+ | |||
< | < | ||
httpd -t -D DUMP_VHOST | httpd -t -D DUMP_VHOST | ||
# or apachectl configtest | # or apachectl configtest | ||
+ | |||
</ | </ | ||
httpd restart and reload configuration changes: | httpd restart and reload configuration changes: | ||
+ | |||
< | < | ||
systemctl restart httpd | systemctl restart httpd | ||
+ | |||
</ | </ | ||
Allow in SELINUX to httpd connect to network: | Allow in SELINUX to httpd connect to network: | ||
+ | |||
< | < | ||
/ | / | ||
+ | |||
</ | </ | ||
- | + | ||
Enable httpd after OS start: | Enable httpd after OS start: | ||
+ | |||
<code bash> | <code bash> | ||
systemctl enable httpd.service | systemctl enable httpd.service | ||
+ | |||
</ | </ | ||
+ | |||
===== mod_security configuration ===== | ===== mod_security configuration ===== | ||
Line 605: | Line 658: | ||
SecRuleRemoveById 950100 | SecRuleRemoveById 950100 | ||
</ | </ | ||
- | | + | |
# do not log request/ | # do not log request/ | ||
- | SecAuditLogParts | + | SecAuditLogParts |
</ | </ | ||
</ | </ |
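Review bot: `chown -R tomcat:…` on the new certificate directory (the line after `chmod 600` in the temporary-certificate block) hands the httpd private key to the tomcat service account, which never reads it — httpd opens the key as root at startup, so the key should stay root-owned with mode 600 and that chown line should be dropped (the path is truncated in this rendering, so I am inferring it targets the same directory as the key). The temporary certificate is issued with `-days 1`, which the surrounding text does not mention; add a sentence after "Create temporary certificate and key." such as `This certificate expires after one day; replace it with the real certificate before the server is used.` The key length is left to the OpenSSL default; `openssl genrsa -out http_temp_cert.key 2048` pins it regardless of the installed version. `SSLCertificateChainFile` is deprecated since httpd 2.4.8 — the chain can be appended to the file given to `SSLCertificateFile` instead.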