tutorial:adm:server_preparation [2021/05/04 08:39] kopro [Disabling mod_security rules] update configuration for certificates |
tutorial:adm:server_preparation [2021/09/01 09:04] fiserp [HTTPd installation and configuration] |
Line 215: | Line 215: | ||
</ | </ | ||
- | * Download Apache Tomcat | + | * Download Apache Tomcat |
- | * In our exapmle the version is 8.5.57. | + | * In our exapmle the version is 9.0.45. |
* extract files from the archive: | * extract files from the archive: | ||
<code bash> | <code bash> | ||
- | tar xzf apache-tomcat-8.5.57.tar.gz | + | tar xzf apache-tomcat-9.0.45.tar.gz |
</ | </ | ||
Line 475: | Line 475: | ||
<code bash> | <code bash> | ||
yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | ||
+ | |||
</ | </ | ||
Line 480: | Line 481: | ||
Change MPM to worker - in the file ''/ | Change MPM to worker - in the file ''/ | ||
- | |||
<code bash> | <code bash> | ||
# Select the MPM module which should be used by uncommenting exactly | # Select the MPM module which should be used by uncommenting exactly | ||
Line 500: | Line 500: | ||
# | # | ||
#LoadModule mpm_event_module modules/ | #LoadModule mpm_event_module modules/ | ||
+ | |||
</ | </ | ||
Disable " | Disable " | ||
+ | |||
<code bash> | <code bash> | ||
cd / | cd / | ||
mv welcome.conf welcome.conf-DISABLED | mv welcome.conf welcome.conf-DISABLED | ||
touch welcome.conf | touch welcome.conf | ||
+ | |||
</ | </ | ||
Line 515: | Line 518: | ||
| | ||
</ | </ | ||
- | </ | ||
- | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ | + | </code> |
+ | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ | ||
< | < | ||
- | Protocols | + | Protocols |
ProxyRequests | ProxyRequests | ||
ProxyPreserveHost on | ProxyPreserveHost on | ||
Line 526: | Line 529: | ||
ProxyPass / ajp:// | ProxyPass / ajp:// | ||
ProxyPassReverse / ajp:// | ProxyPassReverse / ajp:// | ||
+ | |||
</ | </ | ||
- | In IE 11, CzechIdM | + | In IE 11, CzechIdM has problems with missing icons. Icons are created by special fonts and those fonts are handled badly in the IE. It is necessary to set '' |
< | < | ||
# workaround for bad font handling in IE 11 | # workaround for bad font handling in IE 11 | ||
< | < | ||
- | Header set Cache-Control " | + | Header set Cache-Control " |
</ | </ | ||
+ | |||
</ | </ | ||
- | Identity manager CzechIdM will be available on address https:// | + | Identity manager CzechIdM will be available on address |
- | To do so, add following lines to the virtualhost config file (ssl.conf): | + | |
< | < | ||
+ | |||
RewriteEngine On | RewriteEngine On | ||
- | RewriteRule " | + | RewriteRule " |
</ | </ | ||
+ | |||
+ | === Certificate for httpd === | ||
+ | |||
+ | If you have prepared certifikate, | ||
+ | < | ||
+ | SSLCertificateFile PATH_TO_CERTIFICATE_FILE | ||
+ | SSLCertificateKeyFile PATH_TO_CERTIFICATE_KEY_FILE | ||
+ | SSLCertificateChainFile PATH_TO_CA_CHAIN_FILE | ||
+ | |||
+ | </ | ||
+ | |||
+ | Then continue with cheking syntax of httpd. | ||
+ | |||
+ | If you not prepared them in the moment. Create temporary certificate and key. | ||
+ | |||
+ | < | ||
+ | mkdir / | ||
+ | cd / | ||
+ | openssl genrsa -out http_temp_cert.key | ||
+ | openssl req -new -key http_temp_cert.key -out http_temp_cert.csr -subj "/ | ||
+ | openssl x509 -req -in http_temp_cert.csr -signkey http_temp_cert.key -days 1 -sha256 -out http_temp_cert.crt | ||
+ | rm http_temp_cert.csr | ||
+ | chmod 600 / | ||
+ | chown -R tomcat: | ||
+ | |||
+ | </ | ||
+ | |||
+ | Then change set path to them in these properties in ''/ | ||
+ | < | ||
+ | SSLCertificateFile / | ||
+ | SSLCertificateKeyFile / | ||
+ | |||
+ | </ | ||
+ | |||
+ | === Checking httpd configuration syntax and configuring selinux === | ||
Syntax check before httpd restart | Syntax check before httpd restart | ||
+ | |||
< | < | ||
httpd -t -D DUMP_VHOST | httpd -t -D DUMP_VHOST | ||
# or apachectl configtest | # or apachectl configtest | ||
+ | |||
</ | </ | ||
httpd restart and reload configuration changes: | httpd restart and reload configuration changes: | ||
+ | |||
< | < | ||
systemctl restart httpd | systemctl restart httpd | ||
+ | |||
</ | </ | ||
Allow in SELINUX to httpd connect to network: | Allow in SELINUX to httpd connect to network: | ||
+ | |||
< | < | ||
/ | / | ||
+ | |||
</ | </ | ||
- | + | ||
Enable httpd after OS start: | Enable httpd after OS start: | ||
+ | |||
<code bash> | <code bash> | ||
systemctl enable httpd.service | systemctl enable httpd.service | ||
+ | |||
</ | </ | ||
+ | |||
===== mod_security configuration ===== | ===== mod_security configuration ===== | ||
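Review bot: The temporary-certificate block added under "Certificate for httpd" generates the key with `openssl genrsa -out http_temp_cert.key` and no key size, so the length depends on the installed OpenSSL's default (older releases default to 1024 bits); pin it with `openssl genrsa -out http_temp_cert.key 2048`. The following `chmod 600` and `chown -R tomcat:` lines are truncated in this view, but if they apply to the directory holding the httpd private key, that key becomes readable by the tomcat account even though httpd is the only consumer — the text should say who is meant to own the key and why, and keep it root-owned, mode 600, unless there is a reason not to. The `-days 1` self-signed certificate expires after one day, which the prose should state explicitly next to "Create temporary certificate and key" so readers replace it before that. `SSLCertificateChainFile` in the first snippet is deprecated in httpd 2.4.8+ (the chain can be appended to the `SSLCertificateFile` file), which is worth a one-line remark. The typos "certifikate" and "cheking" in the new prose can be fixed in the same edit.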
Line 608: | Line 658: | ||
SecRuleRemoveById 950100 | SecRuleRemoveById 950100 | ||
</ | </ | ||
- | |||
- | # These break Certificate Authority module | ||
- | < | ||
- | SecRuleRemoveById 960915 | ||
- | SecRuleRemoveById 200003 | ||
- | </ | ||
- | | ||
- | # Modsec can throw false positives on some files due to multipart boundary check | ||
- | < | ||
- | SecRuleRemoveById 960915 | ||
- | SecRuleRemoveById 200003 | ||
- | </ | ||
# do not log request/ | # do not log request/ |