Differences

This shows you the differences between two versions of the page.


tutorial:adm:server_preparation [2021/05/10 16:14]
urbanl [Tomcat] Changed tomcat version to 9.0
tutorial:adm:server_preparation [2021/09/01 09:04]
fiserp [HTTPd installation and configuration]
Line 475: Line 475:
 <code bash> <code bash>
 yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs
 +
 </code> </code>
  
Line 480: Line 481:
  
 Change MPM to worker - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment-out all lines but mod\_mpm\_worker.so: Change MPM to worker - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment-out all lines but mod\_mpm\_worker.so:
- 
 <code bash> <code bash>
 # Select the MPM module which should be used by uncommenting exactly # Select the MPM module which should be used by uncommenting exactly
Line 500: Line 500:
 # #
 #LoadModule mpm_event_module modules/mod_mpm_event.so #LoadModule mpm_event_module modules/mod_mpm_event.so
 +
 </code> </code>
  
 Disable "welcome" page: Disable "welcome" page:
 +
 <code bash> <code bash>
 cd /etc/httpd/conf.d cd /etc/httpd/conf.d
 mv welcome.conf welcome.conf-DISABLED mv welcome.conf welcome.conf-DISABLED
 touch welcome.conf touch welcome.conf
 +
 </code> </code>
  
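Review bot: the text above the block never says why an empty ''welcome.conf'' is created right after the rename; a reader who sees ''mv welcome.conf welcome.conf-DISABLED'' followed by ''touch welcome.conf'' may drop the ''touch'' line as redundant. Add one sentence that the empty file is what stops a later httpd package update from reinstalling the default welcome page (the rename alone leaves the file absent, and the package would put it back).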
Line 515: Line 518:
    Redirect permanent / https://SERVER/    Redirect permanent / https://SERVER/
 </VirtualHost> </VirtualHost>
 +
 </code> </code>
  
-Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' add following before ending "tag" VirtualHost: +Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' add following before ending "tag" VirtualHost:
 <code> <code>
-  Protocols       h2 https/1.1+  Protocols       https/1.1
   ProxyRequests     off   ProxyRequests     off
   ProxyPreserveHost on   ProxyPreserveHost on
Line 526: Line 529:
   ProxyPass / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**   ProxyPass / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
   ProxyPassReverse / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**   ProxyPassReverse / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
 +
 </code> </code>
  
-In IE 11, CzechIdM  has problems with missing icons. Icons are created by special fonts and those fonts are handled badly in the IE. It is necessary to set ''Cache-Control'' HTTP header. We need to set it only for font files:+In IE 11, CzechIdM has problems with missing icons. Icons are created by special fonts and those fonts are handled badly in the IE. It is necessary to set ''Cache-Control'' HTTP header. We need to set it only for font files:
 <code> <code>
 # workaround for bad font handling in IE 11 # workaround for bad font handling in IE 11
 <LocationMatch "/idm/.*(\.ttf|\.woff2|\.eot)$"> <LocationMatch "/idm/.*(\.ttf|\.woff2|\.eot)$">
-        Header set Cache-Control "no-cache, public, must-revalidate, proxy-revalidate" +        Header set Cache-Control "no-cache, public, must-revalidate, proxy-revalidate"
 </LocationMatch> </LocationMatch>
 +
 </code> </code>
  
-Identity manager CzechIdM will be available on address https://server/idm/ It is possible to forward from / to /idm/, so that the user does not need to type the whole URL. +Identity manager CzechIdM will be available on address [[https://server/idm/|https://server/idm/]] It is possible to forward from / to /idm/, so that the user does not need to type the whole URL. To do so, add following lines to the virtualhost config file (ssl.conf):
-To do so, add following lines to the virtualhost config file (ssl.conf):+
 <code> <code>
 +
 RewriteEngine On RewriteEngine On
-RewriteRule "^/$"  "/idm/" [R] +RewriteRule "^/$"  "/idm/" [R] 
 </code> </code>
  
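Review bot: ''Protocols h2 https/1.1'' becomes ''Protocols https/1.1'', i.e. HTTP/2 is switched off for the https virtualhost, but neither the edit summary nor the paragraph above the block gives a reason; add a sentence stating whether the drop is intentional and what it avoids, otherwise the next editor will re-add ''h2'' assuming it was an oversight. Two smaller points in the same region: inside a ''<code>'' block DokuWiki renders ''**tomcat_ajp_secret**'' verbatim rather than as bold, so a reader copying the two ''ProxyPass'' lines ends up with the asterisks in the secret; use a plain placeholder such as ''CHANGE_ME'' and say it must equal the secret configured on the Tomcat AJP connector. And the merged sentence ''...available on address [[https://server/idm/|https://server/idm/]] It is possible...'' lost its full stop before ''It''.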
Line 547: Line 553:
 If you have prepared certifikate, key and certificate authority chain just chnge these properties in ''/etc/httpd/conf.d/ssl.conf'' and make sure that only httpd can read the files. If you have prepared certifikate, key and certificate authority chain just chnge these properties in ''/etc/httpd/conf.d/ssl.conf'' and make sure that only httpd can read the files.
 <code> <code>
- SSLCertificateFile PATH_TO_CERTIFICATE_FILE +    SSLCertificateFile PATH_TO_CERTIFICATE_FILE 
- SSLCertificateKeyFile PATH_TO_CERTIFICATE_KEY_FILE +    SSLCertificateKeyFile PATH_TO_CERTIFICATE_KEY_FILE 
- SSLCertificateChainFile PATH_TO_CA_CHAIN_FILE+    SSLCertificateChainFile PATH_TO_CA_CHAIN_FILE 
 </code> </code>
 +
 Then continue with cheking syntax of httpd. Then continue with cheking syntax of httpd.
  
-If you not prepared them in the moment. Create temporary certificate and key. +If you not prepared them in the moment. Create temporary certificate and key. 
 <code> <code>
 mkdir /etc/httpd/cert mkdir /etc/httpd/cert
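Review bot: the prose this hunk touches still reads ''certifikate'', ''chnge'' and ''cheking'', and ''If you not prepared them in the moment. Create temporary certificate and key.'' is two fragments; since the block is being edited anyway, fix them to ''certificate'', ''change'', ''checking'' and ''If you have not prepared them yet, create a temporary certificate and key.'' The four-space indent added to the ''SSLCertificate*'' directives is fine, but the trailing space appended after each ''PATH_TO_..._FILE'' placeholder is noise in the diff and worth trimming.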
Line 563: Line 572:
 chmod 600 /etc/httpd/cert/* chmod 600 /etc/httpd/cert/*
 chown -R tomcat:tomcat  /etc/httpd/cert/ chown -R tomcat:tomcat  /etc/httpd/cert/
 +
 </code> </code>
 +
 Then change set path to them in these properties in ''/etc/httpd/conf.d/ssl.conf''. Then change set path to them in these properties in ''/etc/httpd/conf.d/ssl.conf''.
 <code> <code>
- SSLCertificateFile /etc/httpd/cert/http_temp_cert.crt +    SSLCertificateFile /etc/httpd/cert/http_temp_cert.crt 
- SSLCertificateKeyFile /etc/httpd/cert/http_temp_cert.key+    SSLCertificateKeyFile /etc/httpd/cert/http_temp_cert.key 
 </code> </code>
  
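Review bot: ''chown -R tomcat:tomcat /etc/httpd/cert/'' hands ownership of the httpd TLS private key to the Tomcat service user, which contradicts the instruction two blocks up that only httpd should be able to read these files. httpd reads the certificate and key as root while starting, before it drops to its unprivileged user, so ''chown -R root:root /etc/httpd/cert/'' together with the existing ''chmod 600'' is sufficient and keeps the key away from the Tomcat process; if a non-root owner is really wanted it should be httpd's own user (''apache'' on RHEL/CentOS), not ''tomcat''.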
Line 573: Line 585:
  
 Syntax check before httpd restart Syntax check before httpd restart
 +
 <code> <code>
 httpd -t -D DUMP_VHOST httpd -t -D DUMP_VHOST
 # or apachectl configtest # or apachectl configtest
 +
 </code> </code>
  
 httpd restart and reload configuration changes: httpd restart and reload configuration changes:
 +
 <code> <code>
 systemctl restart httpd systemctl restart httpd
 +
 </code> </code>
  
 Allow in SELINUX to httpd connect to network: Allow in SELINUX to httpd connect to network:
 +
 <code> <code>
 /usr/sbin/setsebool -P httpd_can_network_connect 1 /usr/sbin/setsebool -P httpd_can_network_connect 1
 +
 </code> </code>
- +
 Enable httpd after OS start: Enable httpd after OS start:
 +
 <code bash> <code bash>
 systemctl enable httpd.service systemctl enable httpd.service
 +
 </code> </code>
 +
  
 ===== mod_security configuration ===== ===== mod_security configuration =====
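Review bot: the steps are in the wrong order for a first-time setup: ''systemctl restart httpd'' comes before ''setsebool -P httpd_can_network_connect 1'', so on an SELinux-enforcing host the restarted httpd cannot reach the AJP backend until the boolean is set; move the SELinux step ahead of the restart (''-P'' makes it persistent, so it only has to be done once). Separately, ''httpd_can_network_connect'' lets httpd open outbound connections to any port, while the only backend this guide configures is ''ajp://127.0.0.1:8009/''; in the default targeted policy TCP 8009 is labelled ''http_port_t'', which the narrower ''httpd_can_network_relay'' boolean covers, so a sentence offering that boolean as the least-privilege alternative would help.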
  • by koulaj