Differences
This shows you the differences between two versions of the page.
tutorial:adm:server_preparation [2019/04/09 08:16] fiserp [Rotating Tomcat logs] |
tutorial:adm:server_preparation [2024/01/10 10:35] (current) koulaj [Java - CentOS8] |
Line 1: | Line 1: | ||
- | ====== Server preparation - Linux ====== | + | ====== Server preparation - Linux - CentOS8 |
{{tag> | {{tag> | ||
- | This tutorial shows how to prepare the server for test or production | + | This tutorial shows how to prepare the server for test or production |
===== Basic system setup ===== | ===== Basic system setup ===== | ||
- | | + | |
- | * OS Linux with EPEL repository enabled - CENTOS, basic network enabled installation | + | |
- | * It is possible to use Debian but you have to adjust | + | * OS Linux with EPEL repository enabled - CentOS, basic network enabled installation |
- | * PostgreSQL - installed from a new repository | + | * It is possible to use Debian |
- | * Java - distribution repository | + | * PostgreSQL |
- | * Apache Tomcat - manually | + | * Java 11 (Java 21 for CzechIdM 13.1.0+) - installed from OS packages. |
- | * Services | + | * Apache Tomcat |
- | * Services run under dedicated | + | * Apache HTTPd 2.4.x - installed from OS packages. Can be replaced by nGinx. |
+ | * All services | ||
+ | * Each service runs under dedicated non-privileged | ||
===== Instalation and software configuration ===== | ===== Instalation and software configuration ===== | ||
- | Prerequisities - Basic installation of CentOS | + | |
+ | Prerequisities - Basic installation of CentOS | ||
<code bash> | <code bash> | ||
# EPEL installation | # EPEL installation | ||
- | yum clean all | + | dnf clean all |
- | yum install | + | dnf -y install |
- | yum update | + | dnf -y update |
# other recommended packages installation | # other recommended packages installation | ||
- | yum install | + | dnf -y install mc haveged nmap screen sysstat telnet |
# enable haveged after OS start | # enable haveged after OS start | ||
systemctl start haveged.service | systemctl start haveged.service | ||
systemctl enable haveged.service | systemctl enable haveged.service | ||
- | # remove unnecessary software | + | |
- | yum remove -y postfix | + | |
- | systemctl stop avahi-daemon.socket avahi-daemon.service | + | |
- | systemctl disable avahi-daemon.socket avahi-daemon.service | + | |
- | yum remove -y avahi-autoipd avahi | + | |
# set the hostname | # set the hostname | ||
hostnamectl set-hostname FQDN_server_name | hostnamectl set-hostname FQDN_server_name | ||
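Review bot: The new revision silently drops the "remove unnecessary software" step (the `yum remove -y postfix`, `systemctl stop/disable avahi-daemon.socket avahi-daemon.service` and `yum remove -y avahi-autoipd avahi` lines now appear only on the old side); if the intent was just the yum-to-dnf move, keep the step as `dnf -y remove postfix avahi avahi-autoipd` after disabling the avahi units, because this server only needs httpd, Tomcat and PostgreSQL listening and every extra daemon is surface to patch and monitor. The `telnet` package added to the recommended list is a diagnostic client only; a short clause saying so avoids readers assuming a telnet service is being enabled.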
Line 37: | Line 40: | ||
# check the network configuration, | # check the network configuration, | ||
# reboot the server | # reboot the server | ||
- | </ | ||
- | When installing on Debian, install these packages: | ||
- | < | ||
- | screen dnsutils sysstat lsof haveged nmap tcpdump traceroute tcptraceroute curl iptables-persistent | ||
</ | </ | ||
+ | |||
===== PostgreSQL ===== | ===== PostgreSQL ===== | ||
- | <note tip>If you are install | + | |
- | CentOS7 default repository version of PostgreSQL | + | <note tip>If you are installing |
- | ==== Database server installation - CentOS7 | + | |
- | * Software installation (versions can vary): | + | ==== Database server installation - CentOS8 |
+ | |||
+ | * Software installation | ||
<code bash> | <code bash> | ||
- | yum install -y https:// | + | # enable module postgres 12 |
- | yum install | + | dnf module enable postgresql:12 |
+ | dnf -y install postgresql-server | ||
</ | </ | ||
- | | + | |
- | < | + | |
- | mkdir -p / | + | |
+ | < | ||
+ | mkdir -p / | ||
chown -R postgres: | chown -R postgres: | ||
chmod 700 /data/pgsql | chmod 700 /data/pgsql | ||
+ | |||
</ | </ | ||
- | | + | |
+ | | ||
<code bash> | <code bash> | ||
- | cp / | + | cp / |
</ | </ | ||
- | In the file ''/ | + | |
+ | In the file ''/ | ||
< | < | ||
+ | |||
# Location of database directory | # Location of database directory | ||
- | Environment=PGDATA=/ | + | Environment=PGDATA=/ |
</ | </ | ||
- | * In the file '' | + | * In the file '' |
< | < | ||
- | PGDATA=/ | + | PGDATA=/ |
</ | </ | ||
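Review bot: The `Environment=PGDATA=` override is written into a unit file whose path is truncated in this view; if that file is the packaged `/usr/lib/systemd/system/postgresql.service`, the next package update overwrites it and the service starts against the default data directory instead of `/data/pgsql`, so put the override in a drop-in (`systemctl edit postgresql.service`, then `[Service]` / `Environment=PGDATA=/data/pgsql`), which is also what the `systemctl daemon-reload` in the following hunk expects. Worth one sentence next to `chmod 700 /data/pgsql`: PostgreSQL refuses to start when the data directory is world-accessible, so this mode is a requirement, not optional hardening.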
Line 77: | Line 92: | ||
<code bash> | <code bash> | ||
- | |||
systemctl daemon-reload | systemctl daemon-reload | ||
+ | |||
</ | </ | ||
Line 85: | Line 100: | ||
<code bash> | <code bash> | ||
- | / | + | postgresql-setup |
</ | </ | ||
+ | Change SELINUX labels: | ||
+ | < | ||
+ | chcon -Rt postgresql_db_t / | ||
+ | chcon -Rt postgresql_log_t / | ||
+ | |||
+ | </ | ||
* Enable and start database: | * Enable and start database: | ||
<code bash> | <code bash> | ||
- | systemctl start postgresql-9.6.service | + | systemctl start postgresql.service |
- | systemctl enable postgresql-9.6.service | + | systemctl enable postgresql.service |
</ | </ | ||
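Review bot: The `chcon -Rt postgresql_db_t` and `chcon -Rt postgresql_log_t` lines set labels that do not survive a filesystem relabel (`restorecon`, `fixfiles`, or a `/.autorelabel` boot), after which PostgreSQL on the relocated `/data/pgsql` fails to start with an SELinux denial; record the mapping persistently with `semanage fcontext -a -t postgresql_db_t "/data/pgsql(/.*)?"` (plus the matching `postgresql_log_t` entry for the log path, which is truncated here) and apply it with `restorecon -Rv /data/pgsql`, which makes the chcon lines unnecessary. `semanage` is in the `policycoreutils-python-utils` package on CentOS 8.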
Line 100: | Line 123: | ||
<code bash> | <code bash> | ||
- | [root@tomcat1 system]# systemctl status postgresql-9.6.service -l | + | [root@HOSTNAME data]# systemctl status postgresql.service -l |
- | ● postgresql-9.6.service - PostgreSQL | + | ● postgresql.service - PostgreSQL database server |
- | | + | |
- | | + | |
- | Main PID: 2626 (postmaster) | + | Main PID: 25715 (postmaster) |
- | | + | Tasks: 8 (limit: 52428) |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | └─2634 postgres: stats collector | + | |
+ | | ||
+ | ├─25722 postgres: stats collector | ||
+ | | ||
- | lis 18 23:50:06 tomcat1.localdomain | + | Mar 11 10:48:06 HOSTNAME |
- | lis 18 23:50:06 tomcat1.localdomain | + | Mar 11 10:48:06 HOSTNAME postmaster[25715]: |
- | lis 18 23:50:06 tomcat1.localdomain | + | Mar 11 10:48:06 HOSTNAME |
- | lis 18 23:50:06 tomcat1.localdomain | + | Mar 11 10:48:06 HOSTNAME postmaster[25715]: |
- | </ | + | Mar 11 10:48:06 HOSTNAME postmaster[25715]: |
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME | ||
+ | Mar 11 10:48:06 HOSTNAME | ||
- | ==== Database server installation - Debian Stretch ==== | ||
- | Install the database from OS packages: | ||
- | < | ||
- | apt-get install postgresql-9.6 | ||
- | </ | ||
- | We will move the database - create directory structure: | ||
- | < | ||
- | mkdir -p / | ||
- | chown -R postgres: | ||
- | chmod -R 700 /data/pgsql | ||
- | </ | ||
- | Create the file .bash\_profile in postgres user's home (default / | ||
- | < | ||
- | PGDATA=/ | ||
</ | </ | ||
- | Stop the database: | ||
- | < | ||
- | systemctl stop postgresql | ||
- | </ | ||
- | Move database directory (run this as root): | ||
- | < | ||
- | mv / | ||
- | </ | ||
- | In the PostgreSQL configuration file / | ||
- | < | ||
- | data_directory = '/ | ||
- | </ | ||
- | Enable and start the database: | ||
- | < | ||
- | systemctl start postgresql | ||
- | systemctl enable postgresql | ||
- | </ | ||
- | ==== DB server configuration ==== | ||
- | First of all, enable | + | ==== Database server configuration and sizing ==== |
+ | |||
+ | * Enable | ||
+ | |||
+ | In the file ''/ | ||
- | In the file ''/ | ||
< | < | ||
host all | host all | ||
host all | host all | ||
+ | |||
</ | </ | ||
- | and change the value at the end of each line into md5 like this: | + | and change the value at the end of each line to '' |
< | < | ||
host all | host all | ||
host all | host all | ||
+ | |||
</ | </ | ||
- | Now we can do DB sizing. | + | * Adjust |
- | In a file ''/ | + | * In following snippet, we presume the system has 3GB of memory |
+ | * We also log queries running longer than 200ms. | ||
+ | |||
+ | In a file ''/ | ||
< | < | ||
- | max_connections = 100 # (change requires restart) | ||
- | shared_buffers = 768MB # min 128kB | + | # This is an EXAMPLE. Use the calculator to adjust for your deployment! |
+ | |||
+ | # DB Version: 12 | ||
+ | # OS Type: linux | ||
+ | # DB Type: web | ||
+ | # Total Memory (RAM): 3 GB | ||
+ | # Connections num: 100 | ||
+ | # Data Storage: ssd | ||
+ | max_connections = 100 | ||
+ | shared_buffers = 768MB | ||
effective_cache_size = 2304MB | effective_cache_size = 2304MB | ||
- | work_mem = 7864kB | ||
maintenance_work_mem = 192MB | maintenance_work_mem = 192MB | ||
- | |||
- | min_wal_size = 1GB | ||
- | max_wal_size = 2GB | ||
checkpoint_completion_target = 0.7 | checkpoint_completion_target = 0.7 | ||
wal_buffers = 16MB | wal_buffers = 16MB | ||
- | |||
default_statistics_target = 100 | default_statistics_target = 100 | ||
+ | random_page_cost = 1.1 | ||
+ | effective_io_concurrency = 200 | ||
+ | work_mem = 3932kB | ||
+ | min_wal_size = 1GB | ||
+ | max_wal_size = 4GB | ||
log_min_duration_statement = 200 | log_min_duration_statement = 200 | ||
+ | |||
</ | </ | ||
- | Restart | + | * Restart |
- | For Debian installation, | ||
< | < | ||
- | /etc/postgresql/9.6/main/pg_hba.conf | + | systemctl restart |
- | /etc/ | + | |
+ | </code> | ||
+ | |||
+ | < | ||
+ | |||
+ | ===== Java - CentOS8 ===== | ||
+ | |||
+ | Tomcat application server needs Java installed. We recommend to use OpenJDK 11 from standard OS repository. (OpenJDK 1.8 is also supported, check [[: | ||
+ | |||
+ | Installation: | ||
+ | < | ||
+ | |||
+ | dnf install -y java-11-openjdk-headless java-11-openjdk-devel | ||
+ | |||
+ | </code> | ||
+ | |||
+ | For CzechIdM 13.1.0+: | ||
+ | |||
+ | < | ||
+ | dnf install -y java-21-openjdk-headless java-21-openjdk-devel | ||
</ | </ | ||
- | < | ||
===== Tomcat ===== | ===== Tomcat ===== | ||
- | Installation | + | * Create a new group and add user for the tomcat to run under: |
+ | |||
+ | < | ||
+ | groupadd | ||
+ | useradd -r -s / | ||
+ | getent passwd tomcat | ||
+ | # | ||
+ | |||
+ | </ | ||
+ | |||
+ | * change working directory into / | ||
<code bash> | <code bash> | ||
- | yum install -y tomcat | + | mkdir /opt/tomcat |
+ | cd / | ||
+ | |||
</ | </ | ||
- | Installation | + | * Download Apache Tomcat 9.0.x from the website [[https:// |
+ | * In our exapmle the version is 9.0.45. | ||
+ | |||
+ | * extract files from the archive: | ||
<code bash> | <code bash> | ||
- | apt install | + | tar xzf apache-tomcat-9.0.45.tar.gz |
+ | |||
</ | </ | ||
+ | * create a new symbolic link to current user version (we presume there may be more versions at the server in future due to upgrades/ | ||
- | ==== Start Tomcat automatically after system startup | + | <code bash> |
- | + | cd / | |
+ | ln -s apache-tomcat-9.0.45 current | ||
+ | |||
+ | |||
+ | </ | ||
- | * Make some adjustments to systemd unit. | + | * Set rights on files for tomcat user (still working under root): |
<code bash> | <code bash> | ||
- | systemctl edit tomcat.service | + | chown -R root:root /opt/tomcat |
+ | chown root:tomcat / | ||
+ | chmod 750 / | ||
+ | cd / | ||
+ | chmod -R o+rX ./ | ||
+ | chgrp -R tomcat conf/ bin/ lib/ | ||
+ | chmod g+rx conf | ||
+ | chmod g+r conf/* | ||
+ | chown -R tomcat webapps/ work/ temp/ logs/ | ||
+ | |||
+ | mkdir / | ||
+ | chown tomcat: | ||
+ | chmod 750 / | ||
+ | |||
</ | </ | ||
- | Or if you want use diferent editor than nano( vim) use this comands: | + | |
+ | |||
+ | ==== Start Tomcat automatically after system startup ==== | ||
+ | |||
+ | * Create startup script | ||
<code bash> | <code bash> | ||
- | export SYSTEMD_EDITOR=" | + | vim /etc/ |
- | sudo -E systemctl edit tomcat.service | + | |
</ | </ | ||
- | * Add these lines and save the file: | ||
- | <code> | + | * File content of ''/ |
+ | |||
+ | <file ini tomcat.service> | ||
+ | # Systemd unit file for tomcat | ||
+ | [Unit] | ||
+ | Description=Apache Tomcat Web Application Container | ||
+ | After=syslog.target network.target postgresql.service | ||
[Service] | [Service] | ||
- | SyslogFacility=local3 | + | Type=forking |
+ | |||
+ | PIDFile=/ | ||
+ | |||
+ | Environment=JAVA_HOME=/ | ||
+ | Environment=CATALINA_PID=/ | ||
+ | Environment=CATALINA_HOME=/ | ||
+ | Environment=CATALINA_BASE=/ | ||
Environment=' | Environment=' | ||
Environment=' | Environment=' | ||
- | </ | ||
- | * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more. | + | ExecStart=/ |
- | * Tomcat will be started under user tomcat:tomcat. | + | ExecStop=/ |
- | * After every systemd configuration change it is necessary to reload: | + | |
+ | User=tomcat | ||
+ | Group=tomcat | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | |||
+ | </ | ||
+ | |||
+ | < | ||
+ | |||
+ | * Values of '' | ||
+ | * Tomcat will be started under user '' | ||
+ | |||
+ | </ | ||
+ | |||
+ | * Reload systemd configuration: | ||
< | < | ||
+ | |||
systemctl daemon-reload | systemctl daemon-reload | ||
+ | |||
</ | </ | ||
- | | + | |
+ | | ||
< | < | ||
systemctl start tomcat | systemctl start tomcat | ||
+ | systemctl enable tomcat | ||
+ | |||
</ | </ | ||
+ | |||
* Check that Tomcat runs with desirable parameters: | * Check that Tomcat runs with desirable parameters: | ||
+ | |||
<code bash> | <code bash> | ||
- | [root@tomcat1 logs]# ps -u tomcat | + | [root@tomcat1 logs]# ps -ef | grep ^tomcat |
- | UID PID PPID C STIME TTY TIME CMD | + | tomcat |
- | tomcat | + | |
</ | </ | ||
- | | + | |
+ | | ||
< | < | ||
+ | |||
systemctl stop tomcat | systemctl stop tomcat | ||
+ | |||
</ | </ | ||
- | * Enable tomcat start after OS start: | ||
- | <code bash> | ||
- | systemctl enable tomcat | ||
- | </ | ||
- | ==== Start Tomcat automatically after system startup - Debian ==== | ||
- | * In file ''/ | + | ==== Apache Tomcat configuration ==== |
- | < | + | === Interface Management === |
+ | |||
+ | Apache Tomcat offers two applications for tomcat management available at: | ||
+ | |||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | If you want to use them, it is necessary to do following steps. | ||
+ | |||
+ | First of all, create a Tomcat' | ||
+ | |||
+ | * Create administration user | ||
+ | * Create the a new user in the file ''/ | ||
+ | * The documentation of available roles as well as overall configuration of the application is a part of application installation available at [[http:// | ||
+ | |||
+ | The file ''/ | ||
+ | |||
+ | <file xml tomcat-users.xml> | ||
+ | <?xml version=" | ||
+ | < | ||
+ | xmlns: | ||
+ | xsi: | ||
+ | version=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <role rolename=" | ||
+ | <user username=" | ||
+ | </ | ||
- | CATALINA_OPTS=" | ||
- | JAVA_OPTS=" | ||
</ | </ | ||
- | * Values of Xms a Xmx se are closely dependent on server sizing. | + | * If you plan to connect to the applications remotely (not only from localhost) |
- | * Tomcat will be started under user '' | + | * If you see '' |
- | * Test start: | + | |
- | < | + | Add your IP address into application configuration files. In files ''/ |
- | systemctl start tomcat8 | + | For example, if you want to access Tomcat' |
+ | |||
+ | <file xml context.xml> | ||
+ | <?xml version=" | ||
+ | <Context antiResourceLocking=" | ||
+ | <Valve className=" | ||
+ | | ||
+ | </ | ||
+ | |||
+ | |||
+ | </ | ||
+ | |||
+ | * Again, restart the tomcat | ||
- | </ | ||
- | * Check that Tomcat runs with desirable parameters: | ||
<code bash> | <code bash> | ||
- | [root@tomcat1 logs]# ps -u tomcat8 -fwww | + | systemctl restart |
- | UID PID PPID C STIME TTY TIME CMD | + | |
- | tomcat8 | + | |
- | </ | + | |
- | * Stop Apache Tomcat: | + | |
- | < | + | |
- | systemctl stop tomcat8 | + | |
</ | </ | ||
- | | + | |
+ | === Apache Tomcat configuration recommended for production use === | ||
+ | |||
+ | We advise to follow these steps to configure Tomcat for production deployment. | ||
+ | |||
+ | | ||
<code bash> | <code bash> | ||
- | systemctl enable tomcat8 | + | rm -rf / |
+ | |||
</ | </ | ||
- | ==== Apache Tomcat configuration recommended for production usage ==== | ||
- | It is advised to follow these steps for production usage: | ||
- | |||
- | - In file ''/ | ||
* Turn off the shutdown port: | * Turn off the shutdown port: | ||
- | * Set value -1 from 8005 to the Server port tag, thus you deactivate it: | + | |
<code xml> | <code xml> | ||
<Server port=" | <Server port=" | ||
+ | |||
+ | |||
</ | </ | ||
- | - In same file do this: | ||
* Make Tomcat listen only on localhost: | * Make Tomcat listen only on localhost: | ||
- | * Add the '' | + | |
- | | + | |
- | * Change logging into '' | + | * Set the '' |
- | * Find these lines and comment them. | + | * In the ''/ |
+ | |||
+ | * In same file configure AJP port ('' | ||
+ | < | ||
+ | |||
+ | < | ||
+ | | ||
+ | secretRequired=" | ||
+ | secret=" | ||
+ | port=" | ||
+ | redirectPort=" | ||
- | <code xml> | ||
- | <!-- | ||
- | <Valve className=" | ||
- | | ||
- | | ||
- | --> | ||
- | </ | ||
- | And add these lines: | ||
- | <code xml> | ||
- | <Valve className=" | ||
- | | ||
- | | ||
- | | ||
</ | </ | ||
- | - In the file ''/ | ||
* Do not show aplication server version: | * Do not show aplication server version: | ||
- | | + | |
<code xml> | <code xml> | ||
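Review bot: `chmod -R o+rX ./` also applies to `./` itself, so if the directory entered by the `cd` just before it is the one that was given `chmod 750` two lines earlier, that restriction is undone and the whole tree becomes traversable by every local account, including `conf/` with `tomcat-users.xml` (the management user's credentials) and the file holding the AJP connector's `secret=` configured later in this hunk; apply `o+rX` only to the subtrees that must be world-readable, or re-run `chmod 750` on the top directory afterwards and verify with `ls -ld`. Same hunk, pg_hba.conf: the previous revision set the method to `md5`; on PostgreSQL 12 prefer `scram-sha-256` (set `password_encryption = scram-sha-256` in postgresql.conf before creating the application role), as md5 verifiers are replayable if the catalog ever leaks, and check that the application's PostgreSQL JDBC driver is 42.2.0 or newer, which is when SCRAM support arrived.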
Line 348: | Line 494: | ||
< | < | ||
</ | </ | ||
- | </ | ||
- | We need to tell Tomcat where idm.war will be. Create context file ''/ | ||
- | <code xml> | ||
- | <Context | ||
- | docBase="/ | ||
- | path="" | ||
- | /> | ||
- | </ | ||
- | ==== Tomcat loging configuration ==== | ||
- | - in file ''/ | ||
- | * Change logging properties | ||
- | * Add/change lines( 1catalina, 2localhost, 3manager, 4host-manager) into this(leave the other lines as they are): | ||
- | < | ||
- | 1catalina.org.apache.juli.FileHandler.level = ALL | ||
- | 1catalina.org.apache.juli.FileHandler.prefix = tomcat. | ||
- | 1catalina.org.apache.juli.FileHandler.rotatable = false | ||
- | 1catalina.org.apache.juli.FileHandler.suffix = log | ||
- | 2localhost.org.apache.juli.FileHandler.rotatable = false | ||
- | 2localhost.org.apache.juli.FileHandler.suffix = log | ||
- | |||
- | 3manager.org.apache.juli.FileHandler.rotatable = false | ||
- | 3manager.org.apache.juli.FileHandler.suffix = log | ||
- | |||
- | 4host-manager.org.apache.juli.FileHandler.rotatable = false | ||
- | 4host-manager.org.apache.juli.FileHandler.suffix = log | ||
</ | </ | ||
- | On Debian make these extra changes: | + | === Rotating Tomcat logs === |
- | < | + | |
- | handlers | + | |
- | #, java.util.logging.ConsoleHandler | + | |
- | .handlers = 1catalina.org.apache.juli.FileHandler | + | Default Tomcat logger appends to the logfile, it is therefore safe to use simple '' |
- | #, java.util.logging.ConsoleHandler | + | |
- | ############################################################ | + | <file txt tomcat> |
- | # Handler specific properties. | + | / |
- | ############################################################ | + | |
+ | daily | ||
+ | dateext | ||
+ | copytruncate | ||
+ | missingok | ||
+ | notifempty | ||
+ | compress | ||
+ | } | ||
- | 3manager.org.apache.juli.FileHandler.level = FINE | ||
- | 3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/ | ||
- | 3manager.org.apache.juli.FileHandler.prefix = manager. | ||
- | 4host-manager.org.apache.juli.FileHandler.level = FINE | + | </file> |
- | 4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs | + | |
- | 4host-manager.org.apache.juli.FileHandler.prefix = host-manager. | + | |
- | #java.util.logging.ConsoleHandler.level = FINE | + | It is possible that, on some distros, SELinux will deny acces to the logfile for logrotate because '' |
- | # | + | |
- | ############################################################ | + | If this happens, set the permissive mode for logrotate: |
- | # Facility specific properties. | + | |
- | ############################################################ | + | |
- | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/ | ||
- | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/ | ||
- | |||
- | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/ | ||
- | org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/ | ||
- | |||
- | </ | ||
- | |||
- | |||
- | |||
- | On CentOS for redirect logging from / | ||
- | < | ||
- | ### tomcat log | ||
- | $template TomcatForm," | ||
- | if ($syslogfacility-text == ' | ||
- | action(type=" | ||
- | & stop | ||
- | } | ||
- | </ | ||
- | Then restart rsyslog | ||
- | < | ||
- | systemctl restart rsyslog | ||
- | </ | ||
- | |||
- | ==== Rotating Tomcat logs ==== | ||
- | Tomcat logger appneds to the logfile at ''/ | ||
- | <file txt tomcat> | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | rotate COUNT | ||
- | daily | ||
- | dateext | ||
- | copytruncate | ||
- | missingok | ||
- | notifempty | ||
- | compress | ||
- | create 0644 tomcat tomcat | ||
- | } | ||
- | / | ||
- | { | ||
- | rotate COUNT | ||
- | daily | ||
- | dateext | ||
- | copytruncate | ||
- | missingok | ||
- | notifempty | ||
- | compress | ||
- | create 0644 tomcat tomcat | ||
- | sharedscripts | ||
- | postrotate | ||
- | /bin/kill -HUP `cat / | ||
- | | ||
- | } | ||
- | </ | ||
- | On **Debian** logs are in ''/ | ||
- | <file txt tomcat8> | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | rotate 7 | ||
- | daily | ||
- | dateext | ||
- | copytruncate | ||
- | missingok | ||
- | notifempty | ||
- | compress | ||
- | create 0644 tomcat8 tomcat8 | ||
- | } | ||
- | </ | ||
- | It is possible that, on some distros, SELinux will deny acces to the logfile for logrotate because '' | ||
- | |||
- | If this happens, set the permissive mode for logrotate: | ||
< | < | ||
semanage permissive -a logrotate_t | semanage permissive -a logrotate_t | ||
+ | |||
</ | </ | ||
- | <note warning> | + | <note warning> Evaluate impact of SELinux adjustments **before** |
- | Evaluate impact of SELinux adjustments **before** you implement them. Proper mitigation heavily depends on habits and security policies of your organization. | + | |
There are some possibilities: | There are some possibilities: | ||
+ | |||
* Set permissive mode for logrotate as above. | * Set permissive mode for logrotate as above. | ||
* Set permissive mode for whole SELinux. (This will drop the SELinux' | * Set permissive mode for whole SELinux. (This will drop the SELinux' | ||
* Adjust particular SELinux labels. Example ([[https:// | * Adjust particular SELinux labels. Example ([[https:// | ||
+ | |||
</ | </ | ||
- | Please note that the log does not rotate during the first day, but after the second day. | ||
- | ==== Optional - Management Interface for Tomcat==== | ||
- | If you installed two additional applications for tomcat management follow this part to complete tomcat configuration. | ||
- | These applications are available at: | ||
- | |||
- | * http:// | ||
- | * http:// | ||
- | |||
- | If you want to use them, it is necessary to do following steps. | ||
- | |||
- | First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. | ||
- | |||
- | Create user like this: | ||
- | |||
- | Create the a new user in the file ''/ | ||
- | The documentation of available roles as well as overall configuration of the application is a part of application installation available at http:// | ||
- | |||
- | The file ''/ | ||
- | <file xml tomcat-users.xml> | ||
- | <?xml version=" | ||
- | < | ||
- | xmlns: | ||
- | xsi: | ||
- | version=" | ||
- | <role rolename=" | ||
- | <role rolename=" | ||
- | <role rolename=" | ||
- | <role rolename=" | ||
- | <role rolename=" | ||
- | <user username=" | ||
- | </ | ||
- | </ | ||
- | |||
- | If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. If you see '' | ||
- | |||
- | Add your IP address into application configuration files. In files ''/ | ||
- | |||
- | In my case, I want to access to Tomcat management from network 192.168.0.0/ | ||
- | |||
- | <file xml context.xml> | ||
- | <?xml version=" | ||
- | <Context antiResourceLocking=" | ||
- | <Valve className=" | ||
- | | ||
- | </ | ||
- | </ | ||
- | |||
- | Again, restart the tomcat: | ||
- | <code bash> | ||
- | systemctl restart tomcat | ||
- | </ | ||
====== Apache httpd as a reverse proxy ====== | ====== Apache httpd as a reverse proxy ====== | ||
- | It is possible to open Apache Tomcat to the network directly, but little inconvenient. You want the users to access the CzechIdM on user-friendly ports 80/tcp or 443/tcp, which is not easy to setup in Tomcat itself running under nonprivileged user. So we use Apache httpd as a reverse proxy. | + | It is possible to open Apache Tomcat to the network directly, but little inconvenient. You want the users to access the CzechIdM on user-friendly ports 80/tcp or 443/tcp, which is not easy to setup in Tomcat itself running under nonprivileged user. So we use Apache httpd as a reverse proxy. Apache httpd will allow access to data via https on port 443/tcp and http on port 80/tcp. Communication via http protocol will be enabled, but we will redirect all communication to https. Communication between Apache httpd and Tomcat will take place on local machine via AJP protocol. In httpd, there will be mod_security installed (optional but recommended), |
- | Apache httpd will allow access to data via https on port 443/tcp and http on port 80/tcp. Communication via http protocol will be enabled, but we will redirect all communication to https. | + | |
- | Communication between Apache httpd and Tomcat will take place on local machine via AJP protocol. In httpd, there will be mod_security installed (optional but recommended), | + | |
The configuration example is written for the server which allows access to its services under the name " | The configuration example is written for the server which allows access to its services under the name " | ||
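Review bot: The new logrotate stanza drops the `rotate COUNT` line the previous revision had, so retention falls back to the global default in `/etc/logrotate.conf` (`rotate 4` on CentOS); with `daily` that keeps four days of Tomcat logs, which is too short for an investigation that starts a week after the event, so state retention explicitly (for example `rotate 90`) in the stanza. Also worth a sentence in the text: `copytruncate` can lose lines written between the copy and the truncate, which is the price of not signalling Tomcat, and the old stanza's `create 0644 tomcat tomcat` is correctly gone because copytruncate never recreates the file.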
Line 561: | Line 548: | ||
<code bash> | <code bash> | ||
yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | ||
- | </ | ||
- | On Debian install those packages and allow modules: | + | |
- | < | + | |
- | apt-get install apache2 libapache2-mod-security2 modsecurity-crs | + | |
- | a2enmod ssl | + | |
- | a2enmod proxy | + | |
- | a2enmod proxy_ajp | + | |
- | a2enmod proxy_http | + | |
- | a2enmod security2 | + | |
- | a2enmod rewrite | + | |
- | a2enmod headers | + | |
</ | </ | ||
HTTPd basic configuration: | HTTPd basic configuration: | ||
- | Change MPM to worker | + | Change MPM to worker - in the file ''/ |
<code bash> | <code bash> | ||
Line 598: | Line 575: | ||
# | # | ||
#LoadModule mpm_event_module modules/ | #LoadModule mpm_event_module modules/ | ||
+ | |||
+ | |||
</ | </ | ||
Disable " | Disable " | ||
+ | |||
<code bash> | <code bash> | ||
cd / | cd / | ||
mv welcome.conf welcome.conf-DISABLED | mv welcome.conf welcome.conf-DISABLED | ||
touch welcome.conf | touch welcome.conf | ||
+ | |||
+ | |||
</ | </ | ||
- | Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/ | + | Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'SERVER' to the real servername in the file ''/ |
<code xml> | <code xml> | ||
< | < | ||
| | ||
- | | + | |
</ | </ | ||
- | </ | ||
- | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ | ||
+ | </ | ||
+ | |||
+ | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ | ||
< | < | ||
+ | |||
+ | Protocols | ||
ProxyRequests | ProxyRequests | ||
ProxyPreserveHost on | ProxyPreserveHost on | ||
ProxyAddHeaders on | ProxyAddHeaders on | ||
- | ProxyPass / ajp:// | + | ProxyPass / ajp:// |
- | ProxyPassReverse / ajp:// | + | ProxyPassReverse / ajp:// |
</ | </ | ||
- | In IE 11, CzechIdM | + | In IE 11, CzechIdM has problems with missing icons. Icons are created by special fonts and those fonts are handled badly in the IE. It is necessary to set '' |
< | < | ||
# workaround for bad font handling in IE 11 | # workaround for bad font handling in IE 11 | ||
< | < | ||
- | Header set Cache-Control " | + | Header set Cache-Control " |
</ | </ | ||
+ | |||
</ | </ | ||
- | Identity manager CzechIdM will be available on address https:// | + | Identity manager CzechIdM will be available on address |
- | To do so, add following lines to the virtualhost config file (ssl.conf): | + | |
< | < | ||
- | | + | |
- | RewriteRule " | + | RewriteEngine On |
+ | RewriteRule " | ||
</ | </ | ||
- | In the file ssl.conf | + | === Certificate for httpd === |
+ | |||
+ | If you have prepared certifikate, | ||
< | < | ||
- | SSLProtocol all -SSLv2 -SSLv3 | + | SSLCertificateFile PATH_TO_CERTIFICATE_FILE |
+ | SSLCertificateKeyFile PATH_TO_CERTIFICATE_KEY_FILE | ||
+ | SSLCertificateChainFile PATH_TO_CA_CHAIN_FILE | ||
</ | </ | ||
- | On Debian, create symlinks to sites-enabled: | + | Then continue with cheking syntax of httpd. |
+ | |||
+ | If you not prepared them in the moment. Create temporary certificate and key. | ||
< | < | ||
- | cd /etc/apache2/sites-enabled | + | mkdir / |
- | ln -s ../sites-available/vhost-redirect.conf 01vhost-redirect.conf | + | cd /etc/httpd/cert |
- | ln -s ../sites-available/ssl.conf 02ssl.conf | + | openssl genrsa |
+ | openssl req -new -key http_temp_cert.key -out http_temp_cert.csr -subj "/C=CZ/ | ||
+ | openssl x509 -req -in http_temp_cert.csr -signkey http_temp_cert.key -days 1 -sha256 | ||
+ | rm http_temp_cert.csr | ||
+ | chmod 600 /etc/ | ||
+ | chown -R apache: | ||
</ | </ | ||
- | Syntax check before httpd restart: | + | Then change set path to them in these properties in ''/ |
+ | |||
+ | < | ||
+ | SSLCertificateFile / | ||
+ | SSLCertificateKeyFile / | ||
+ | |||
+ | </ | ||
+ | |||
+ | === Checking httpd configuration syntax and configuring selinux === | ||
+ | |||
+ | Syntax check before httpd restart | ||
< | < | ||
httpd -t -D DUMP_VHOST | httpd -t -D DUMP_VHOST | ||
+ | # or apachectl configtest | ||
+ | |||
</ | </ | ||
httpd restart and reload configuration changes: | httpd restart and reload configuration changes: | ||
+ | |||
< | < | ||
systemctl restart httpd | systemctl restart httpd | ||
+ | |||
+ | </ | ||
+ | |||
+ | Allow in SELINUX to httpd connect to network: | ||
+ | |||
+ | < | ||
+ | / | ||
+ | |||
</ | </ | ||
Enable httpd after OS start: | Enable httpd after OS start: | ||
+ | |||
<code bash> | <code bash> | ||
systemctl enable httpd.service | systemctl enable httpd.service | ||
+ | |||
+ | |||
</ | </ | ||
===== mod_security configuration ===== | ===== mod_security configuration ===== | ||
- | Mod_security files locations (on CentOS7): | + | |
+ | Mod_security files locations (on CentOS8): | ||
* Audit log: ''/ | * Audit log: ''/ | ||
* Directory with activated rules: ''/ | * Directory with activated rules: ''/ | ||
- | * basic configuration file for mod\_security: | + | * basic configuration file for mod\_security: |
* The file for chosen rules deactivation: | * The file for chosen rules deactivation: | ||
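Review bot: The `SSLProtocol all -SSLv2 -SSLv3` line from the previous revision was removed and nothing in the new ssl.conf instructions replaces it, so on CentOS 8 the accepted protocol versions come entirely from the system-wide crypto policy (`update-crypto-policies --show`); either say that explicitly or set `SSLProtocol -all +TLSv1.2 +TLSv1.3` in the same ssl.conf block as the certificate paths. Two more points in this hunk: the `ProxyPass / ajp://...` line must carry the secret set on the Tomcat AJP connector (the `secret=` ProxyPass parameter of mod_proxy_ajp, available from httpd 2.4.42; check the distro build), otherwise Tomcat refuses requests once `secretRequired` is on; and the temporary certificate is created with `-days 1`, so the text should warn that browsers will report an expired certificate the next day unless the real one is installed.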
Line 683: | Line 714: | ||
SecRuleRemoveById RULE_ID | SecRuleRemoveById RULE_ID | ||
</ | </ | ||
+ | |||
</ | </ | ||
==== Disabling mod_security rules ==== | ==== Disabling mod_security rules ==== | ||
- | In the file ''/ | + | These rules are disabled for modsec_crs 3.0. |
+ | |||
+ | In the file ''/ | ||
<code xml> | <code xml> | ||
< | < | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
+ | SecRuleRemoveById 920230 | ||
# Allow Czech signs | # Allow Czech signs | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | + | ||
# Too restrictive for login format | # Too restrictive for login format | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | # Needed by Websockets | + | # Needed by Websockets |
< | < | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
</ | </ | ||
- | | ||
- | # These break Certificate Authority module | ||
- | < | ||
- | SecRuleRemoveById 960915 | ||
- | SecRuleRemoveById 200003 | ||
- | </ | ||
# do not log request/ | # do not log request/ | ||
- | SecAuditLogParts | + | SecAuditLogParts |
</ | </ | ||
+ | |||
</ | </ | ||
- | ==== mod_security configuration - CentOS7 | + | ==== mod_security configuration - CentOS8 |
- | In the file / | + | Edit the file '' |
- | Whole rule after the changes looks like this: | + | |
- | < | + | * find the rule '' |
- | SecAction \ | + | |
- | "id:'900012', \ | + | |
- | phase:1, \ | + | |
- | t:none, \ | + | |
- | setvar:'tx.allowed_methods=GET HEAD POST OPTIONS | + | |
- | setvar:'tx.allowed_request_content_type=application/ | + | |
- | setvar:'tx.allowed_http_versions=HTTP/ | + | |
- | setvar:'tx.restricted_extensions=.asa/ | + | |
- | setvar:'tx.restricted_headers=/ | + | |
- | nolog, \ | + | |
- | pass" | + | |
- | </ | + | |
- | ==== mod_security configuration - Debian ==== | ||
- | Enable mod\_security configuration: | ||
< | < | ||
- | cd / | + | # Default HTTP policy: allowed_methods (rule 900200) |
- | cp modsecurity.conf-recommended modsecurity.conf | + | SecRule & |
+ | " | ||
+ | phase:1,\ | ||
+ | pass,\ | ||
+ | nolog,\ | ||
+ | setvar:' | ||
</ | </ | ||
- | Uncomment following rules in the '' | + | * find the rule '' |
< | < | ||
- | SecAction | + | # Default HTTP policy: allowed_request_content_type (rule 900220) |
- | " | + | SecRule & |
- | phase:1,\ | + | "id:901162,\ |
- | | + | phase:1,\ |
- | | + | pass,\ |
- | | + | nolog,\ |
- | setvar:' | + | setvar:' |
- | SecAction \ | ||
- | " | ||
- | phase:1,\ | ||
- | nolog,\ | ||
- | pass,\ | ||
- | t:none,\ | ||
- | setvar:' | ||
</ | </ | ||
- | |||
===== mod_deflate configuration ===== | ===== mod_deflate configuration ===== | ||
- | It is advised to set up gzip so the users get minimum of data from the frontend server. | + | |
- | In the file ''/ | + | It is advised to set up gzip so the users get minimum of data from the frontend server. In the file ''/ |
<code xml> | <code xml> | ||
< | < | ||
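Review bot: the two snippets under "mod_security configuration - CentOS8" edit the CRS initialization rules (the comments tie them to rules 900200/900220 and the second carries ''id:901162''), i.e. the fallback defaults in the shipped rules file rather than the crs-setup rules they reference; edits there are lost when the CRS package is updated, so set the referenced 900200/900220 actions in crs-setup.conf instead and leave the shipped file untouched. In the "Disabling mod_security rules" block, the first group of ''SecRuleRemoveById'' lines (ending with 920230) carries no comment saying what those rules break, unlike the later groups ("Allow Czech signs", "Too restrictive for login format", "Needed by Websockets"); add the reason for each exclusion so a future CRS upgrade can re-check whether it is still needed.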
Line 792: | Line 808: | ||
AddOutputFilterByType DEFLATE text/plain | AddOutputFilterByType DEFLATE text/plain | ||
AddOutputFilterByType DEFLATE text/xml | AddOutputFilterByType DEFLATE text/xml | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
# Remove browser bugs (only needed for really old browsers) | # Remove browser bugs (only needed for really old browsers) | ||
Line 799: | Line 817: | ||
Header append Vary User-Agent | Header append Vary User-Agent | ||
</ | </ | ||
- | </ | ||
- | ===== Workaround for slow HTTPD shutdown ===== | ||
- | In some RHEL/CentOS versions Apache HTTPD shutsdown or restarts itself very slowly. It is caused by [[https:// | ||
- | Workaround is to edit '''/ | ||
- | < | ||
- | KillMode=none | ||
</ | </ | ||
- | Then reload systemd: | ||
- | < | ||
- | systemctl daemon-reload | ||
- | </ | ||
- | |||
- | It is absolutely correct to create new versions of unity in /etc, that has the option: | ||
- | |||
- | < | ||
- | cp / | ||
- | vim / | ||
- | systemctl daemon-reload | ||
- | </ | ||
- | |||
- | The patch of httpd should come soon so the first option is OK too. | ||
- | |||
- | ===== SSO ===== | ||
- | |||
- | If you want to enable SSO to CzechIdM, additional configuration must be done with mod\_auth\_kerb. See [[tutorial: | ||
- | |||
- | ====== nginx as reverse proxy ====== | ||
- | |||
- | In case that you want to use nginx instead of Apache httpd, the configuration is as follows. | ||
- | |||
- | <code ini> | ||
- | server { | ||
- | listen | ||
- | server_name | ||
- | client_max_body_size 1G; | ||
- | ssl on; | ||
- | ssl_certificate | ||
- | ssl_certificate_key | ||
- | gzip on; | ||
- | gzip_proxied any; | ||
- | gzip_types | ||
- | text/css | ||
- | | ||
- | text/xml | ||
- | | ||
- | application/ | ||
- | | ||
- | application/ | ||
- | |||
- | location / { | ||
- | proxy_hide_header X-Frame-Options; | ||
- | add_header X-Frame-Options SAMEORIGIN; | ||
- | proxy_pass http:// | ||
- | proxy_set_header Host $host; | ||
- | proxy_set_header X-Real-IP $remote_addr; | ||
- | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
- | proxy_set_header X-Forwarded-Proto " | ||
- | proxy_ssl_session_reuse off; | ||
- | proxy_redirect off; | ||
- | |||
- | # WebSocket support | ||
- | proxy_http_version 1.1; | ||
- | proxy_set_header Upgrade $http_upgrade; | ||
- | proxy_set_header Connection " | ||
- | } | ||
- | } | ||
- | </ | ||
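Review bot: this hunk deletes the SSO pointer (mod_auth_kerb) and the whole "nginx as reverse proxy" section, including the only nginx configuration with the WebSocket, X-Real-IP/X-Forwarded-For/X-Forwarded-Proto and X-Frame-Options settings, without a replacement or a link to where they now live; if nginx and SSO remain supported alternatives, leave a cross-reference in their place. Dropping the "Workaround for slow HTTPD shutdown" (the ''KillMode=none'' override) is fine, since that setting disables systemd's process cleanup for the unit and should not be recommended.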