Differences

tutorial:adm:server_preparation [2021/02/08 13:56]
soval [Instalation and software configuration]
tutorial:adm:server_preparation [2021/09/01 09:04]
fiserp [HTTPd installation and configuration]
Line 215: Line 215:
 </code> </code>
  
-  * Download Apache Tomcat 8.5.x from the website [[https://tomcat.apache.org/download-80.cgi]] to ''/opt/tomcat/'' +  * Download Apache Tomcat 9.0.x from the website [[https://tomcat.apache.org/download-90.cgi]] to ''/opt/tomcat/'' 
-    * In our exapmle the version is 8.5.57.+    * In our exapmle the version is 9.0.45.
  
   * extract files from the archive:   * extract files from the archive:
  
 <code bash> <code bash>
-tar xzf apache-tomcat-8.5.57.tar.gz+tar xzf apache-tomcat-9.0.45.tar.gz
 </code> </code>
  
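Review bot: the typo "exapmle" is carried over into the added line `* In our exapmle the version is 9.0.45.`; since the line is rewritten for the 9.0.45 bump anyway, correct it to "example". The bump itself is consistent: the download link (download-90.cgi), the stated version and the `tar xzf apache-tomcat-9.0.45.tar.gz` command all agree on 9.0.45. Because this step downloads and unpacks a server component, a line verifying the archive against the checksum or signature published on the linked download page, before the `tar`, would be a worthwhile addition to the procedure.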
Line 475: Line 475:
 <code bash> <code bash>
 yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs
 +
 </code> </code>
  
Line 480: Line 481:
  
 Change MPM to worker - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment-out all lines but mod\_mpm\_worker.so: Change MPM to worker - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment-out all lines but mod\_mpm\_worker.so:
- 
 <code bash> <code bash>
 # Select the MPM module which should be used by uncommenting exactly # Select the MPM module which should be used by uncommenting exactly
Line 500: Line 500:
 # #
 #LoadModule mpm_event_module modules/mod_mpm_event.so #LoadModule mpm_event_module modules/mod_mpm_event.so
 +
 </code> </code>
  
 Disable "welcome" page: Disable "welcome" page:
 +
 <code bash> <code bash>
 cd /etc/httpd/conf.d cd /etc/httpd/conf.d
 mv welcome.conf welcome.conf-DISABLED mv welcome.conf welcome.conf-DISABLED
 touch welcome.conf touch welcome.conf
 +
 </code> </code>
  
Line 515: Line 518:
    Redirect permanent / https://SERVER/    Redirect permanent / https://SERVER/
 </VirtualHost> </VirtualHost>
-</code> 
  
-Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' add following before ending "tag" VirtualHost:+</code>
  
 +Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' add following before ending "tag" VirtualHost:
 <code> <code>
-  Protocols       h2 https/1.1+  Protocols       https/1.1
   ProxyRequests     off   ProxyRequests     off
   ProxyPreserveHost on   ProxyPreserveHost on
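Review bot: the change from `Protocols h2 https/1.1` to `Protocols https/1.1` drops HTTP/2 from the TLS virtual host without any explanation in the surrounding prose; state the reason next to the directive (or keep `h2` if HTTP/2 is still wanted) so that a later editor does not silently restore or remove it. Wording of the re-added sentence: 'add following before ending "tag" VirtualHost' reads better as 'add the following lines before the closing `</VirtualHost>` tag'.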
Line 526: Line 529:
   ProxyPass / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**   ProxyPass / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
   ProxyPassReverse / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**   ProxyPassReverse / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
 +
 </code> </code>
  
-In IE 11, CzechIdM  has problems with missing icons. Icons are created by special fonts and those fonts are handled badly in the IE. It is necessary to set ''Cache-Control'' HTTP header. We need to set it only for font files:+In IE 11, CzechIdM has problems with missing icons. Icons are created by special fonts and those fonts are handled badly in the IE. It is necessary to set ''Cache-Control'' HTTP header. We need to set it only for font files:
 <code> <code>
 # workaround for bad font handling in IE 11 # workaround for bad font handling in IE 11
 <LocationMatch "/idm/.*(\.ttf|\.woff2|\.eot)$"> <LocationMatch "/idm/.*(\.ttf|\.woff2|\.eot)$">
-        Header set Cache-Control "no-cache, public, must-revalidate, proxy-revalidate" +        Header set Cache-Control "no-cache, public, must-revalidate, proxy-revalidate"
 </LocationMatch> </LocationMatch>
 +
 </code> </code>
  
-Identity manager CzechIdM will be available on address https://server/idm/ It is possible to forward from / to /idm/, so that the user does not need to type the whole URL. +Identity manager CzechIdM will be available on address [[https://server/idm/|https://server/idm/]] It is possible to forward from / to /idm/, so that the user does not need to type the whole URL. To do so, add following lines to the virtualhost config file (ssl.conf):
-To do so, add following lines to the virtualhost config file (ssl.conf):+
 <code> <code>
 +
 RewriteEngine On RewriteEngine On
-RewriteRule "^/$"  "/idm/" [R] +RewriteRule "^/$"  "/idm/" [R] 
 </code> </code>
 +
 +=== Certificate for httpd ===
 +
 +If you have prepared certifikate, key and certificate authority chain just chnge these properties in ''/etc/httpd/conf.d/ssl.conf'' and make sure that only httpd can read the files.
 +<code>
 +    SSLCertificateFile PATH_TO_CERTIFICATE_FILE
 +    SSLCertificateKeyFile PATH_TO_CERTIFICATE_KEY_FILE
 +    SSLCertificateChainFile PATH_TO_CA_CHAIN_FILE
 +
 +</code>
 +
 +Then continue with cheking syntax of httpd.
 +
 +If you not prepared them in the moment. Create temporary certificate and key.
 +
 +<code>
 +mkdir /etc/httpd/cert
 +cd /etc/httpd/cert
 +openssl genrsa -out http_temp_cert.key
 +openssl req -new -key http_temp_cert.key -out http_temp_cert.csr -subj "/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=CzechIdM placeholder cert"
 +openssl x509 -req -in http_temp_cert.csr -signkey http_temp_cert.key -days 1 -sha256 -out http_temp_cert.crt
 +rm http_temp_cert.csr
 +chmod 600 /etc/httpd/cert/*
 +chown -R tomcat:tomcat  /etc/httpd/cert/
 +
 +</code>
 +
 +Then change set path to them in these properties in ''/etc/httpd/conf.d/ssl.conf''.
 +<code>
 +    SSLCertificateFile /etc/httpd/cert/http_temp_cert.crt
 +    SSLCertificateKeyFile /etc/httpd/cert/http_temp_cert.key
 +
 +</code>
 +
 +=== Checking httpd configuration syntax and configuring selinux ===
  
 Syntax check before httpd restart Syntax check before httpd restart
 +
 <code> <code>
 httpd -t -D DUMP_VHOST httpd -t -D DUMP_VHOST
 # or apachectl configtest # or apachectl configtest
 +
 </code> </code>
  
 httpd restart and reload configuration changes: httpd restart and reload configuration changes:
 +
 <code> <code>
 systemctl restart httpd systemctl restart httpd
 +
 </code> </code>
  
 Allow in SELINUX to httpd connect to network: Allow in SELINUX to httpd connect to network:
 +
 <code> <code>
 /usr/sbin/setsebool -P httpd_can_network_connect 1 /usr/sbin/setsebool -P httpd_can_network_connect 1
 +
 </code> </code>
- +
 Enable httpd after OS start: Enable httpd after OS start:
 +
 <code bash> <code bash>
 systemctl enable httpd.service systemctl enable httpd.service
 +
 </code> </code>
 +
  
 ===== mod_security configuration ===== ===== mod_security configuration =====
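Review bot: `chown -R tomcat:tomcat /etc/httpd/cert/` in the temporary-certificate block contradicts the requirement stated a few lines earlier that only httpd can read the certificate and key: the private key of the httpd vhost ends up owned and readable by the tomcat account, i.e. the back-end process httpd proxies to, not httpd itself. httpd reads the key as root during startup before dropping privileges, so leaving the files owned by root with the `chmod 600` the preceding line already applies is the correct counterpart to that sentence; drop the `chown` line. Two smaller points in the same hunk: `openssl genrsa -out http_temp_cert.key` gives no key size, so the result depends on the OpenSSL build's default (older builds default to 1024 bits); pass `2048` explicitly. And the `**tomcat_ajp_secret**` placeholders in the `ProxyPass`/`ProxyPassReverse` lines sit inside a `<code>` block, where DokuWiki bold markup is not interpreted, so readers copy the asterisks verbatim; use a plain placeholder such as `TOMCAT_AJP_SECRET`. Spelling and grammar in the added prose: "certifikate", "chnge", "cheking", "If you not prepared them in the moment." (read: "If you do not have them ready yet, create a temporary certificate and key."), and "Then change set path to them" (drop "change").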
Line 608: Line 658:
                 SecRuleRemoveById 950100                 SecRuleRemoveById 950100
         </Location>         </Location>
-        +
         # do not log request/response body         # do not log request/response body
         SecAuditLogParts AFHZ         SecAuditLogParts AFHZ
  • by koulaj