Differences
This shows you the differences between two versions of the page.
tutorial:adm:server_preparation [2021/05/10 14:56] urbanl [Disabling mod_security rules] Removing modsec rules which are not in modsec_crs 3.0 |
tutorial:adm:server_preparation [2021/09/08 08:24] urbanl Fix of permission settings on the temp certificate for apache |
Line 6: | Line 6: | ||
===== Basic system setup ===== | ===== Basic system setup ===== | ||
- | | + | |
+ | | ||
* OS Linux with EPEL repository enabled - CentOS, basic network enabled installation | * OS Linux with EPEL repository enabled - CentOS, basic network enabled installation | ||
- | | + | |
* PostgreSQL 12.x - installed from OS packages. | * PostgreSQL 12.x - installed from OS packages. | ||
* Java 11 - installed from OS packages. | * Java 11 - installed from OS packages. | ||
Line 15: | Line 16: | ||
* All services start via systemd. | * All services start via systemd. | ||
* Each service runs under dedicated non-privileged user. | * Each service runs under dedicated non-privileged user. | ||
+ | |||
===== Instalation and software configuration ===== | ===== Instalation and software configuration ===== | ||
+ | |||
Prerequisities - Basic installation of CentOS 8 | Prerequisities - Basic installation of CentOS 8 | ||
+ | |||
<code bash> | <code bash> | ||
# EPEL installation | # EPEL installation | ||
Line 35: | Line 39: | ||
# check the network configuration, | # check the network configuration, | ||
# reboot the server | # reboot the server | ||
+ | |||
</ | </ | ||
- | ===== PostgreSQL | + | ===== PostgreSQL ===== |
- | <note tip>If you are installing CzechIdM on Microsoft SQL Server, please follow [[tutorial: | + | |
- | We install PostgreSQL 12 database binaries and change database data directory from ''/ | + | <note tip>If you are installing CzechIdM on Microsoft SQL Server, please follow [[.: |
==== Database server installation - CentOS8 ==== | ==== Database server installation - CentOS8 ==== | ||
+ | |||
* Software installation on CentOS8(versions can vary): | * Software installation on CentOS8(versions can vary): | ||
Line 47: | Line 54: | ||
dnf module enable postgresql: | dnf module enable postgresql: | ||
dnf -y install postgresql-server postgresql-contrib postgresql-libs | dnf -y install postgresql-server postgresql-contrib postgresql-libs | ||
+ | |||
</ | </ | ||
Line 55: | Line 63: | ||
chown -R postgres: | chown -R postgres: | ||
chmod 700 /data/pgsql | chmod 700 /data/pgsql | ||
+ | |||
</ | </ | ||
Line 61: | Line 70: | ||
<code bash> | <code bash> | ||
cp / | cp / | ||
+ | |||
</ | </ | ||
- | In the file ''/ | + | In the file ''/ |
< | < | ||
+ | |||
# Location of database directory | # Location of database directory | ||
Environment=PGDATA=/ | Environment=PGDATA=/ | ||
+ | |||
</ | </ | ||
- | * In the file ''/ | + | * In the file ''/ |
< | < | ||
PGDATA=/ | PGDATA=/ | ||
+ | |||
</ | </ | ||
Line 78: | Line 91: | ||
<code bash> | <code bash> | ||
- | |||
systemctl daemon-reload | systemctl daemon-reload | ||
+ | |||
</ | </ | ||
Line 87: | Line 100: | ||
<code bash> | <code bash> | ||
postgresql-setup --initdb --unit postgresql | postgresql-setup --initdb --unit postgresql | ||
+ | |||
</ | </ | ||
Change SELINUX labels: | Change SELINUX labels: | ||
+ | |||
< | < | ||
chcon -Rt postgresql_db_t / | chcon -Rt postgresql_db_t / | ||
chcon -Rt postgresql_log_t / | chcon -Rt postgresql_log_t / | ||
+ | |||
</ | </ | ||
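Review bot: the `chcon -Rt postgresql_db_t` and `chcon -Rt postgresql_log_t` labels set in this hunk are not persistent; any relabel of the filesystem (`restorecon`, `fixfiles`, or an autorelabel after a policy change) resets `/data/pgsql` to its default context and PostgreSQL is then denied access to its own data directory. Record the context with `semanage fcontext -a -t postgresql_db_t "/data/pgsql(/.*)?"` (plus the equivalent `postgresql_log_t` entry for the log directory) and apply it with `restorecon -Rv /data/pgsql`, so the labels survive a relabel.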
Line 100: | Line 116: | ||
systemctl start postgresql.service | systemctl start postgresql.service | ||
systemctl enable postgresql.service | systemctl enable postgresql.service | ||
+ | |||
</ | </ | ||
Line 114: | Line 131: | ||
| | ||
| | ||
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
Mar 11 10:48:06 HOSTNAME systemd[1]: Starting PostgreSQL database server... | Mar 11 10:48:06 HOSTNAME systemd[1]: Starting PostgreSQL database server... | ||
Line 131: | Line 148: | ||
Mar 11 10:48:06 HOSTNAME postmaster[25715]: | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
Mar 11 10:48:06 HOSTNAME systemd[1]: Started PostgreSQL database server. | Mar 11 10:48:06 HOSTNAME systemd[1]: Started PostgreSQL database server. | ||
- | </ | ||
+ | </ | ||
==== Database server configuration and sizing ==== | ==== Database server configuration and sizing ==== | ||
Line 138: | Line 155: | ||
* Enable the password authentication. | * Enable the password authentication. | ||
- | In the file ''/ | + | In the file ''/ |
< | < | ||
host all | host all | ||
host all | host all | ||
+ | |||
</ | </ | ||
- | and change the value at the end of each line to '' | + | |
+ | and change the value at the end of each line to '' | ||
< | < | ||
host all | host all | ||
host all | host all | ||
+ | |||
</ | </ | ||
* Adjust DB instance sizing. | * Adjust DB instance sizing. | ||
- | | + | |
- | * We also log queries running longer than 200ms. | + | * We also log queries running longer than 200ms. |
- | In a file ''/ | + | |
+ | In a file ''/ | ||
< | < | ||
+ | |||
# This is an EXAMPLE. Use the calculator to adjust for your deployment! | # This is an EXAMPLE. Use the calculator to adjust for your deployment! | ||
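Review bot: the `host all` lines of the pg_hba.conf hunk have their authentication method cut off in this view, so the chosen value cannot be checked here; whichever value is filled in, for PostgreSQL 12 prefer `scram-sha-256` over `md5`, and state that `password_encryption = scram-sha-256` must be set in postgresql.conf before the CzechIdM database role gets its password, otherwise the stored hash is MD5 and SCRAM authentication fails for that role.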
Line 177: | Line 200: | ||
log_min_duration_statement = 200 | log_min_duration_statement = 200 | ||
+ | |||
</ | </ | ||
Line 183: | Line 207: | ||
< | < | ||
systemctl restart | systemctl restart | ||
+ | |||
</ | </ | ||
Line 189: | Line 214: | ||
===== Java - CentOS8 ===== | ===== Java - CentOS8 ===== | ||
- | Tomcat application server needs Java installed. We recommend to use OpenJDK 11 from standard OS repository. (OpenJDK 1.8 is also supported, check [[devel: | + | Tomcat application server needs Java installed. We recommend to use OpenJDK 11 from standard OS repository. (OpenJDK 1.8 is also supported, check [[:devel: |
Installation: | Installation: | ||
< | < | ||
+ | |||
dnf install -y java-11-openjdk-headless java-11-openjdk-devel | dnf install -y java-11-openjdk-headless java-11-openjdk-devel | ||
+ | |||
</ | </ | ||
- | |||
===== Tomcat ===== | ===== Tomcat ===== | ||
Line 206: | Line 232: | ||
getent passwd tomcat | getent passwd tomcat | ||
# | # | ||
+ | |||
</ | </ | ||
Line 213: | Line 240: | ||
mkdir /opt/tomcat | mkdir /opt/tomcat | ||
cd /opt/tomcat | cd /opt/tomcat | ||
+ | |||
</ | </ | ||
- | * Download Apache Tomcat | + | * Download Apache Tomcat |
- | * In our exapmle the version is 8.5.57. | + | * In our exapmle the version is 9.0.45. |
* extract files from the archive: | * extract files from the archive: | ||
<code bash> | <code bash> | ||
- | tar xzf apache-tomcat-8.5.57.tar.gz | + | tar xzf apache-tomcat-9.0.45.tar.gz |
</ | </ | ||
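Review bot: the line `In our exapmle the version is 9.0.45.` keeps the typo "exapmle" on both sides of the diff; since the version string is being edited anyway, fix it to "example".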
Line 229: | Line 258: | ||
cd /opt/tomcat | cd /opt/tomcat | ||
ln -s apache-tomcat-8.5.57 current | ln -s apache-tomcat-8.5.57 current | ||
+ | |||
</ | </ | ||
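Review bot: the unchanged context line `ln -s apache-tomcat-8.5.57 current` still points at the 8.5.57 directory, but the previous hunk changed the download and `tar xzf apache-tomcat-9.0.45.tar.gz` to 9.0.45, so a reader following the page as written ends up with a dangling `current` symlink and Tomcat does not start. Update the target to `apache-tomcat-9.0.45` in the same edit.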
Line 247: | Line 277: | ||
chown tomcat: | chown tomcat: | ||
chmod 750 / | chmod 750 / | ||
- | </ | ||
+ | </ | ||
==== Start Tomcat automatically after system startup ==== | ==== Start Tomcat automatically after system startup ==== | ||
Line 256: | Line 286: | ||
<code bash> | <code bash> | ||
vim / | vim / | ||
+ | |||
</ | </ | ||
Line 286: | Line 317: | ||
[Install] | [Install] | ||
WantedBy=multi-user.target | WantedBy=multi-user.target | ||
+ | |||
</ | </ | ||
+ | |||
< | < | ||
- | | + | |
+ | | ||
* Tomcat will be started under user '' | * Tomcat will be started under user '' | ||
+ | |||
</ | </ | ||
* Reload systemd configuration: | * Reload systemd configuration: | ||
- | |||
< | < | ||
+ | |||
systemctl daemon-reload | systemctl daemon-reload | ||
+ | |||
</ | </ | ||
Line 303: | Line 339: | ||
systemctl start tomcat | systemctl start tomcat | ||
systemctl enable tomcat | systemctl enable tomcat | ||
+ | |||
</ | </ | ||
Line 310: | Line 347: | ||
[root@tomcat1 logs]# ps -ef | grep ^tomcat | [root@tomcat1 logs]# ps -ef | grep ^tomcat | ||
tomcat | tomcat | ||
+ | |||
</ | </ | ||
* Stop the Tomcat. | * Stop the Tomcat. | ||
- | |||
< | < | ||
+ | |||
systemctl stop tomcat | systemctl stop tomcat | ||
+ | |||
</ | </ | ||
Line 324: | Line 363: | ||
Apache Tomcat offers two applications for tomcat management available at: | Apache Tomcat offers two applications for tomcat management available at: | ||
- | * http:// | + | * [[http:// |
- | * http:// | + | * [[http:// |
- | <note important> | + | <note important> |
If you want to use them, it is necessary to do following steps. | If you want to use them, it is necessary to do following steps. | ||
Line 334: | Line 373: | ||
* Create administration user | * Create administration user | ||
- | | + | |
- | * The documentation of available roles as well as overall configuration of the application is a part of application installation available at http:// | + | * The documentation of available roles as well as overall configuration of the application is a part of application installation available at [[http:// |
+ | |||
+ | The file ''/ | ||
- | The file ''/ | ||
<file xml tomcat-users.xml> | <file xml tomcat-users.xml> | ||
<?xml version=" | <?xml version=" | ||
Line 351: | Line 391: | ||
<user username=" | <user username=" | ||
</ | </ | ||
+ | |||
</ | </ | ||
* If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. | * If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. | ||
- | | + | |
- | Add your IP address into application configuration files. In files ''/ | + | Add your IP address into application configuration files. In files ''/ |
For example, if you want to access Tomcat' | For example, if you want to access Tomcat' | ||
Line 362: | Line 403: | ||
<file xml context.xml> | <file xml context.xml> | ||
<?xml version=" | <?xml version=" | ||
- | <Context antiResourceLocking=" | + | <Context antiResourceLocking=" |
<Valve className=" | <Valve className=" | ||
- | | + | |
</ | </ | ||
+ | |||
</ | </ | ||
Line 372: | Line 414: | ||
<code bash> | <code bash> | ||
systemctl restart tomcat | systemctl restart tomcat | ||
+ | |||
</ | </ | ||
- | === Apache Tomcat configuration recommended for production use === | + | === Apache Tomcat configuration recommended for production use === |
We advise to follow these steps to configure Tomcat for production deployment. | We advise to follow these steps to configure Tomcat for production deployment. | ||
Line 382: | Line 425: | ||
<code bash> | <code bash> | ||
rm -rf / | rm -rf / | ||
+ | |||
</ | </ | ||
* Turn off the shutdown port: | * Turn off the shutdown port: | ||
- | | + | |
<code xml> | <code xml> | ||
<Server port=" | <Server port=" | ||
+ | |||
</ | </ | ||
* Make Tomcat listen only on localhost: | * Make Tomcat listen only on localhost: | ||
- | | + | |
- | * Set the '' | + | * Set the '' |
- | * In the ''/ | + | * In the ''/ |
* In same file configure AJP port ('' | * In same file configure AJP port ('' | ||
- | |||
< | < | ||
+ | |||
< | < | ||
address=" | address=" | ||
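Review bot: the AJP connector fragment in this hunk (`address="`, continued by `port="` and `redirectPort="` in the next hunk) shows no `secret` or `secretRequired` attribute, yet the page now installs Tomcat 9.0.45; since Tomcat 9.0.31 the AJP connector defaults to `secretRequired="true"` and refuses to start unless a `secret` is configured, which makes the `ProxyPass / ajp://` forwarding further down fail. Either add `secret="..."` on the connector and the matching `secret=` parameter on the httpd `ProxyPass` lines (where the installed mod_proxy_ajp supports it), or, because this section already binds the connector to localhost, set `secretRequired="false"` explicitly and say why.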
Line 406: | Line 451: | ||
port=" | port=" | ||
redirectPort=" | redirectPort=" | ||
+ | |||
</ | </ | ||
* Do not show aplication server version: | * Do not show aplication server version: | ||
- | | + | |
<code xml> | <code xml> | ||
Line 429: | Line 475: | ||
< | < | ||
</ | </ | ||
+ | |||
</ | </ | ||
=== Rotating Tomcat logs === | === Rotating Tomcat logs === | ||
- | Default Tomcat logger appneds to the logfile, it is therefore safe to use simple '' | + | |
+ | Default Tomcat logger appneds to the logfile, it is therefore safe to use simple '' | ||
<file txt tomcat> | <file txt tomcat> | ||
/ | / | ||
- | rotate 90 | + | |
- | daily | + | daily |
- | dateext | + | dateext |
- | copytruncate | + | copytruncate |
- | missingok | + | missingok |
- | notifempty | + | notifempty |
- | compress | + | compress |
} | } | ||
+ | |||
</ | </ | ||
- | It is possible that, on some distros, SELinux will deny acces to the logfile for logrotate because '' | + | |
+ | It is possible that, on some distros, SELinux will deny acces to the logfile for logrotate because '' | ||
If this happens, set the permissive mode for logrotate: | If this happens, set the permissive mode for logrotate: | ||
+ | |||
< | < | ||
semanage permissive -a logrotate_t | semanage permissive -a logrotate_t | ||
+ | |||
</ | </ | ||
- | <note warning> | + | <note warning> Evaluate impact of SELinux adjustments **before** |
- | Evaluate impact of SELinux adjustments **before** you implement them. Proper mitigation heavily depends on habits and security policies of your organization. | + | |
There are some possibilities: | There are some possibilities: | ||
+ | |||
* Set permissive mode for logrotate as above. | * Set permissive mode for logrotate as above. | ||
* Set permissive mode for whole SELinux. (This will drop the SELinux' | * Set permissive mode for whole SELinux. (This will drop the SELinux' | ||
* Adjust particular SELinux labels. Example ([[https:// | * Adjust particular SELinux labels. Example ([[https:// | ||
- | </ | ||
+ | </ | ||
====== Apache httpd as a reverse proxy ====== | ====== Apache httpd as a reverse proxy ====== | ||
- | It is possible to open Apache Tomcat to the network directly, but little inconvenient. You want the users to access the CzechIdM on user-friendly ports 80/tcp or 443/tcp, which is not easy to setup in Tomcat itself running under nonprivileged user. So we use Apache httpd as a reverse proxy. | + | It is possible to open Apache Tomcat to the network directly, but little inconvenient. You want the users to access the CzechIdM on user-friendly ports 80/tcp or 443/tcp, which is not easy to setup in Tomcat itself running under nonprivileged user. So we use Apache httpd as a reverse proxy. Apache httpd will allow access to data via https on port 443/tcp and http on port 80/tcp. Communication via http protocol will be enabled, but we will redirect all communication to https. Communication between Apache httpd and Tomcat will take place on local machine via AJP protocol. In httpd, there will be mod_security installed (optional but recommended), |
- | Apache httpd will allow access to data via https on port 443/tcp and http on port 80/tcp. Communication via http protocol will be enabled, but we will redirect all communication to https. | + | |
- | Communication between Apache httpd and Tomcat will take place on local machine via AJP protocol. In httpd, there will be mod_security installed (optional but recommended), | + | |
The configuration example is written for the server which allows access to its services under the name " | The configuration example is written for the server which allows access to its services under the name " | ||
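Review bot: the logrotate stanza relies on `copytruncate`; it works because Tomcat keeps appending to the open file, but log lines written between the copy and the truncate are lost, so say so next to the `<file txt tomcat>` block and, where the Tomcat logs feed an audit trail, prefer rotation through Tomcat's own logging handlers or a post-rotate restart instead of `copytruncate`.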
Line 475: | Line 526: | ||
<code bash> | <code bash> | ||
yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | ||
+ | |||
+ | |||
</ | </ | ||
HTTPd basic configuration: | HTTPd basic configuration: | ||
- | Change MPM to worker - in the file ''/ | + | Change MPM to worker - in the file ''/ |
<code bash> | <code bash> | ||
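Review bot: `yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs` in this hunk uses `yum` while the PostgreSQL and Java sections of the same page use `dnf` for CentOS 8; switch to `dnf install -y ...` for consistency so readers do not assume a different host.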
Line 500: | Line 553: | ||
# | # | ||
#LoadModule mpm_event_module modules/ | #LoadModule mpm_event_module modules/ | ||
+ | |||
+ | |||
</ | </ | ||
Disable " | Disable " | ||
+ | |||
<code bash> | <code bash> | ||
cd / | cd / | ||
mv welcome.conf welcome.conf-DISABLED | mv welcome.conf welcome.conf-DISABLED | ||
touch welcome.conf | touch welcome.conf | ||
+ | |||
+ | |||
</ | </ | ||
Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string ' | Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string ' | ||
+ | |||
<code xml> | <code xml> | ||
< | < | ||
Line 515: | Line 574: | ||
| | ||
</ | </ | ||
- | </ | ||
- | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ | ||
+ | </ | ||
+ | |||
+ | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ | ||
< | < | ||
- | | + | |
+ | | ||
ProxyRequests | ProxyRequests | ||
ProxyPreserveHost on | ProxyPreserveHost on | ||
Line 526: | Line 587: | ||
ProxyPass / ajp:// | ProxyPass / ajp:// | ||
ProxyPassReverse / ajp:// | ProxyPassReverse / ajp:// | ||
+ | |||
</ | </ | ||
- | In IE 11, CzechIdM | + | In IE 11, CzechIdM has problems with missing icons. Icons are created by special fonts and those fonts are handled badly in the IE. It is necessary to set '' |
< | < | ||
# workaround for bad font handling in IE 11 | # workaround for bad font handling in IE 11 | ||
< | < | ||
- | Header set Cache-Control " | + | Header set Cache-Control " |
</ | </ | ||
+ | |||
</ | </ | ||
- | Identity manager CzechIdM will be available on address https:// | + | Identity manager CzechIdM will be available on address |
- | To do so, add following lines to the virtualhost config file (ssl.conf): | + | |
< | < | ||
+ | |||
RewriteEngine On | RewriteEngine On | ||
- | RewriteRule " | + | RewriteRule " |
</ | </ | ||
+ | |||
+ | === Certificate for httpd === | ||
+ | |||
+ | If you have prepared certifikate, | ||
+ | |||
+ | < | ||
+ | SSLCertificateFile PATH_TO_CERTIFICATE_FILE | ||
+ | SSLCertificateKeyFile PATH_TO_CERTIFICATE_KEY_FILE | ||
+ | SSLCertificateChainFile PATH_TO_CA_CHAIN_FILE | ||
+ | |||
+ | </ | ||
+ | |||
+ | Then continue with cheking syntax of httpd. | ||
+ | |||
+ | If you not prepared them in the moment. Create temporary certificate and key. | ||
+ | |||
+ | < | ||
+ | mkdir / | ||
+ | cd / | ||
+ | openssl genrsa -out http_temp_cert.key | ||
+ | openssl req -new -key http_temp_cert.key -out http_temp_cert.csr -subj "/ | ||
+ | openssl x509 -req -in http_temp_cert.csr -signkey http_temp_cert.key -days 1 -sha256 -out http_temp_cert.crt | ||
+ | rm http_temp_cert.csr | ||
+ | chmod 600 / | ||
+ | chown -R apache: | ||
+ | |||
+ | </ | ||
+ | |||
+ | Then change set path to them in these properties in ''/ | ||
+ | |||
+ | < | ||
+ | SSLCertificateFile / | ||
+ | SSLCertificateKeyFile / | ||
+ | |||
+ | </ | ||
+ | |||
+ | === Checking httpd configuration syntax and configuring selinux === | ||
Syntax check before httpd restart | Syntax check before httpd restart | ||
+ | |||
< | < | ||
httpd -t -D DUMP_VHOST | httpd -t -D DUMP_VHOST | ||
# or apachectl configtest | # or apachectl configtest | ||
+ | |||
</ | </ | ||
httpd restart and reload configuration changes: | httpd restart and reload configuration changes: | ||
+ | |||
< | < | ||
systemctl restart httpd | systemctl restart httpd | ||
+ | |||
</ | </ | ||
Allow in SELINUX to httpd connect to network: | Allow in SELINUX to httpd connect to network: | ||
+ | |||
< | < | ||
/ | / | ||
+ | |||
</ | </ | ||
- | + | ||
Enable httpd after OS start: | Enable httpd after OS start: | ||
+ | |||
<code bash> | <code bash> | ||
systemctl enable httpd.service | systemctl enable httpd.service | ||
+ | |||
+ | |||
</ | </ | ||
===== mod_security configuration ===== | ===== mod_security configuration ===== | ||
+ | |||
Mod_security files locations (on CentOS8): | Mod_security files locations (on CentOS8): | ||
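Review bot: in the temporary-certificate block, `chmod 600` is applied to one file and then `chown -R apache:` hands the whole certificate directory to the httpd service user; httpd reads `SSLCertificateKeyFile` as root during startup before dropping privileges, so the private key does not need to be readable by `apache` at all, and leaving it root-owned with mode 0600 keeps the key out of reach of the worker processes, which is exactly where a web application compromise lands. Also, the certificate is issued with `-days 1`, so note next to it that httpd will serve an expired certificate after 24 hours unless the real one from the `SSLCertificateFile`/`SSLCertificateKeyFile`/`SSLCertificateChainFile` block replaces it; and the prose `If you not prepared them in the moment.`, `cheking` and `certifikate` needs a grammar pass.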
Line 580: | Line 692: | ||
SecRuleRemoveById RULE_ID | SecRuleRemoveById RULE_ID | ||
</ | </ | ||
+ | |||
</ | </ | ||
Line 586: | Line 699: | ||
These rules are disabled for modsec_crs 3.0. | These rules are disabled for modsec_crs 3.0. | ||
- | In the file ''/ | + | In the file ''/ |
<code xml> | <code xml> | ||
Line 594: | Line 707: | ||
SecRuleRemoveById 920300 | SecRuleRemoveById 920300 | ||
SecRuleRemoveById 920230 | SecRuleRemoveById 920230 | ||
- | | + | |
# Allow Czech signs | # Allow Czech signs | ||
SecRuleRemoveById 942110 | SecRuleRemoveById 942110 | ||
Line 600: | Line 713: | ||
SecRuleRemoveById 942460 | SecRuleRemoveById 942460 | ||
SecRuleRemoveById 942260 | SecRuleRemoveById 942260 | ||
- | | + | |
# Too restrictive for login format | # Too restrictive for login format | ||
SecRuleRemoveById 920440 | SecRuleRemoveById 920440 | ||
- | | + | |
- | # Needed by Websockets | + | # Needed by Websockets |
< | < | ||
SecRuleRemoveById 950100 | SecRuleRemoveById 950100 | ||
Line 612: | Line 725: | ||
SecAuditLogParts AFHZ | SecAuditLogParts AFHZ | ||
</ | </ | ||
+ | |||
</ | </ | ||
- | ==== mod_security configuration - CentOS8 | + | ==== mod_security configuration - CentOS8 ==== |
Edit the file ''/ | Edit the file ''/ | ||
- | * find the rule '' | + | * find the rule '' |
< | < | ||
Line 628: | Line 742: | ||
nolog,\ | nolog,\ | ||
setvar:' | setvar:' | ||
+ | |||
</ | </ | ||
- | * find the rule '' | + | * find the rule '' |
< | < | ||
Line 640: | Line 755: | ||
nolog,\ | nolog,\ | ||
setvar:' | setvar:' | ||
+ | |||
</ | </ | ||
- | |||
===== mod_deflate configuration ===== | ===== mod_deflate configuration ===== | ||
- | It is advised to set up gzip so the users get minimum of data from the frontend server. | + | |
- | In the file ''/ | + | It is advised to set up gzip so the users get minimum of data from the frontend server. In the file ''/ |
<code xml> | <code xml> | ||
< | < | ||
Line 679: | Line 795: | ||
Header append Vary User-Agent | Header append Vary User-Agent | ||
</ | </ | ||
+ | |||
</ | </ | ||