Differences
tutorial:adm:server_preparation_tmp [2020/03/10 10:14] urbanl [Database server installation - CentOS7] |
tutorial:adm:server_preparation_tmp [2020/03/12 14:53] urbanl [DB server configuration] |
Line 1: | Line 1: | ||
- | <note important> | + | <note important> |
Author: Ludek Urban | Author: Ludek Urban | ||
Line 22: | Line 22: | ||
===== Instalation and software configuration ===== | ===== Instalation and software configuration ===== | ||
- | Prerequisities - Basic installation of CentOS | + | Prerequisities - Basic installation of CentOS |
<code bash> | <code bash> | ||
# EPEL installation | # EPEL installation | ||
Line 28: | Line 28: | ||
yum install -y epel-release | yum install -y epel-release | ||
yum update -y | yum update -y | ||
+ | # check installed packages. It's recommanded to have them installed. | ||
+ | yum list installed | ||
# other recommended packages installation | # other recommended packages installation | ||
- | yum install -y net-tools nano wget mc vim-enhanced screen sysstat bzip2 ssmtp bash-completion lsof haveged nmap zip unzip psmisc | + | yum install -y mc haveged nmap screen sysstat |
# enable haveged after OS start | # enable haveged after OS start | ||
systemctl start haveged.service | systemctl start haveged.service | ||
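Review bot: the trimmed package line `yum install -y mc haveged nmap screen sysstat` still installs nmap on a host that, later on this page, runs the database and application server; none of the following steps use a port scanner, so it is better left out of a production baseline (or marked optional) to keep the installed footprint minimal. The comment on the new `yum list installed` line reads "recommanded" and should be "recommended".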
Line 45: | Line 47: | ||
</ | </ | ||
- | When installing to centos8, check and install | + | ===== PostgreSQL |
- | <code> | + | <note tip>If you are install |
- | # check installed packages. It's recommanded to have them installed. | + | CentOS8 default repository version of PostgreSQL is 10 but IdM not support that version. In our tutorial, we will install newer version 12. Moreover, we install database data into /data not /var/lib which is the default option. |
- | yum list installed | + | ==== Database server |
- | # other recommended packages | + | * Software installation on CentOS8(versions can vary): |
- | yum install | + | |
- | </ | + | |
- | When installing on Debian, install these packages: | ||
- | < | ||
- | screen dnsutils sysstat lsof haveged nmap tcpdump traceroute tcptraceroute curl iptables-persistent | ||
- | </ | ||
- | ===== PostgreSQL ===== | ||
- | <note tip>If you are install CzechIdM on Sql server, please follow [[tutorial: | ||
- | CentOS7 default repository version of PostgreSQL is 9.2 but IdM not support that version. In our tutorial, we will install newer version 9.6. Moreover, we install database data into /data not /var/lib which is the default option. | ||
- | ==== Database server installation - CentOS7 and CentOS8 -!CHANGED ==== | ||
- | * Software installation on CentOS7(versions can vary): | ||
<code bash> | <code bash> | ||
- | yum install -y https:// | + | # enable |
- | yum install -y postgresql96-server postgresql96-contrib pgstat2_96 pg_top96 | + | yum module |
- | </ | + | yum install -y postgresql-server |
- | #TODO | + | |
- | * Software installation on CentOS7(versions can vary): | + | |
- | <code bash> | + | |
- | # add repository | + | |
- | yum install -y https:// | + | |
- | # disable centos8 build-in | + | |
- | yum module | + | |
- | # install postgresql components | + | |
- | yum install -y postgresql11-server | + | |
</ | </ | ||
* create new system directory: | * create new system directory: | ||
- | < | + | |
- | mkdir -p / | + | < |
+ | mkdir -p / | ||
+ | mkdir -p / | ||
chown -R postgres: | chown -R postgres: | ||
chmod 700 /data/pgsql | chmod 700 /data/pgsql | ||
</ | </ | ||
+ | |||
* Copy of the configuration file for systemd, in which we will make change of directory for data: | * Copy of the configuration file for systemd, in which we will make change of directory for data: | ||
+ | |||
<code bash> | <code bash> | ||
- | cp / | + | cp / |
</ | </ | ||
- | In the file ''/ | + | |
+ | In the file ''/ | ||
< | < | ||
# Location of database directory | # Location of database directory | ||
- | Environment=PGDATA=/ | + | Environment=PGDATA=/ |
</ | </ | ||
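Review bot: the intro text in this hunk says PostgreSQL 12 is installed because the CentOS8 default stream is 10 and IdM does not support it, but the install block below it (`yum module ...` then `yum install -y postgresql-server`) is cut off in the diff; the published page must show the `yum module` line actually selecting the 12 stream, since an unversioned `postgresql-server` install otherwise pulls the default 10 that the text rules out. The "Copy of the configuration file for systemd" step copies the packaged unit to change `PGDATA`; a drop-in override (`systemctl edit postgresql.service`, which writes `/etc/systemd/system/postgresql.service.d/override.conf`) survives package updates and keeps the change auditable, whereas a copied unit silently shadows the vendor file.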
Line 96: | Line 83: | ||
< | < | ||
- | PGDATA=/ | + | PGDATA=/ |
</ | </ | ||
Line 110: | Line 97: | ||
<code bash> | <code bash> | ||
- | /usr/pgsql-11/bin/postgresql96-setup initdb | + | /usr/bin/postgresql-setup |
</ | </ | ||
+ | Change SELINUX labels: | ||
+ | < | ||
+ | chcon -Rt postgresql_db_t pgsql/ | ||
+ | chcon -Rt postgresql_log_t / | ||
+ | </ | ||
* Enable and start database: | * Enable and start database: | ||
<code bash> | <code bash> | ||
- | systemctl start postgresql-11.service | + | systemctl start postgresql.service |
- | systemctl enable postgresql-11.service | + | systemctl enable postgresql.service |
</ | </ | ||
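Review bot: the `chcon -Rt postgresql_db_t pgsql/` line relabels a relative path and, like every chcon change, is undone by the next relabel (restorecon, autorelabel); record the context persistently instead, e.g. `semanage fcontext -a -t postgresql_db_t "/data/pgsql(/.*)?"` followed by `restorecon -Rv /data/pgsql`, and do the same for the log directory with `postgresql_log_t`. The path should also be absolute, because the reader's working directory at this step is not stated anywhere in the page.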
Line 125: | Line 116: | ||
<code bash> | <code bash> | ||
- | [root@tomcat1 system]# systemctl status postgresql-9.6.service -l | + | [root@HOSTNAME data]# systemctl status postgresql.service -l |
- | ● postgresql-9.6.service - PostgreSQL | + | ● postgresql.service - PostgreSQL database server |
- | | + | |
- | | + | |
- | Main PID: 2626 (postmaster) | + | Main PID: 25715 (postmaster) |
- | | + | Tasks: 8 (limit: 52428) |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | └─2634 postgres: stats collector | + | |
+ | | ||
+ | ├─25722 postgres: stats collector | ||
+ | | ||
- | lis 18 23:50:06 tomcat1.localdomain | + | Mar 11 10:48:06 HOSTNAME |
- | lis 18 23:50:06 tomcat1.localdomain | + | Mar 11 10:48:06 HOSTNAME postmaster[25715]: |
- | lis 18 23:50:06 tomcat1.localdomain | + | Mar 11 10:48:06 HOSTNAME |
- | lis 18 23:50:06 tomcat1.localdomain | + | Mar 11 10:48:06 HOSTNAME postmaster[25715]: |
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME postmaster[25715]: | ||
+ | Mar 11 10:48:06 HOSTNAME | ||
+ | Mar 11 10:48:06 HOSTNAME | ||
</ | </ | ||
- | ==== Database server installation - Debian Stretch ==== | + | |
- | Install the database from OS packages: | + | |
- | < | + | |
- | apt-get install postgresql-9.6 | + | |
- | </ | + | |
- | We will move the database - create directory structure: | + | |
- | < | + | |
- | mkdir -p / | + | |
- | chown -R postgres: | + | |
- | chmod -R 700 / | + | |
- | </ | + | |
- | Create the file .bash\_profile in postgres user's home (default / | + | |
- | < | + | |
- | PGDATA=/ | + | |
- | </ | + | |
- | Stop the database: | + | |
- | < | + | |
- | systemctl stop postgresql | + | |
- | </ | + | |
- | Move database directory (run this as root): | + | |
- | < | + | |
- | mv / | + | |
- | </ | + | |
- | In the PostgreSQL configuration file / | + | |
- | < | + | |
- | data_directory = '/ | + | |
- | </ | + | |
- | Enable and start the database: | + | |
- | < | + | |
- | systemctl start postgresql | + | |
- | systemctl enable postgresql | + | |
- | </ | + | |
==== DB server configuration ==== | ==== DB server configuration ==== | ||
First of all, enable the password authentication. | First of all, enable the password authentication. | ||
- | In the file ''/ | + | In the file ''/ |
< | < | ||
host all | host all | ||
Line 194: | Line 162: | ||
Now we can do DB sizing. We presume the system has 3GB dedicated for the db. We can also log the queries logging (those over 200ms). **For particular sizing, use a [[https:// | Now we can do DB sizing. We presume the system has 3GB dedicated for the db. We can also log the queries logging (those over 200ms). **For particular sizing, use a [[https:// | ||
- | In a file ''/ | + | In a file ''/ |
< | < | ||
max_connections = 100 # (change requires restart) | max_connections = 100 # (change requires restart) | ||
Line 213: | Line 181: | ||
</ | </ | ||
- | Restart DB: '' | + | Restart DB: '' |
- | + | ||
- | For Debian installation, | + | |
- | < | + | |
- | / | + | |
- | / | + | |
- | </ | + | |
< | < | ||
- | ===== Java - CentOS7 | + | ===== Java - CentOS8 |
- | Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository. | + | Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.11) from standard OS repository. |
Installation: | Installation: | ||
<code bash> | <code bash> | ||
- | yum install -y java-1.8.0-openjdk-headless java-1.8.0-openjdk-devel | + | yum install -y java-11-openjdk-headless java-11-openjdk-devel |
</ | </ | ||
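Review bot: "OpenJDK (at least 1.11)" mixes the old 1.x naming with the new scheme; the package installed two lines later is `java-11-openjdk`, so the sentence should say "at least 11". In the same hunk the "Restart DB:" command is truncated; check that the service name in the published text is the `postgresql.service` used earlier on this page, since the old `postgresql-11.service` / `postgresql-9.6.service` names no longer apply after the switch to the CentOS8 module install.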
Line 237: | Line 199: | ||
</ | </ | ||
- | ===== Java - Debian ===== | ||
- | |||
- | Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository. | ||
- | |||
- | Installation: | ||
- | <code bash> | ||
- | apt-get install openjdk-8-jdk-headless openjdk-8-jre-headless | ||
- | </ | ||
- | |||
- | Then create the file ''/ | ||
- | <file bash java.sh> | ||
- | [ -d / | ||
- | </ | ||
===== Tomcat ===== | ===== Tomcat ===== | ||
Line 423: | Line 372: | ||
It is advised to follow these steps for production usage: | It is advised to follow these steps for production usage: | ||
- | * Remove unnecessary | + | * Remove unnecessary |
<code bash> | <code bash> | ||
Line 435: | Line 384: | ||
<Server port=" | <Server port=" | ||
</ | </ | ||
+ | -! CHANGED | ||
* Make Tomcat listen only on localhost: | * Make Tomcat listen only on localhost: | ||
- | * In the ''/ | + | * In the ''/ |
+ | * In same file configure ajp port('' | ||
+ | |||
+ | < | ||
+ | address=" | ||
+ | secretRequired=" | ||
+ | secret=" | ||
+ | port=" | ||
+ | redirectPort=" | ||
* Do not show aplication server version: | * Do not show aplication server version: | ||
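Review bot: the AJP connector attributes added here (`address=`, `secretRequired=`, `secret=`, `port=`, `redirectPort=`) only protect anything if the Apache side matches: mod_proxy_ajp (httpd 2.4.42 and later) sends the secret only when the `ProxyPass / ajp://...` line carries the same `secret=` parameter, and the connector should keep `address="127.0.0.1"` per the "listen only on localhost" step so the shared secret is not the sole control on an AJP port. The secret value is cut off in this diff; the published text should instruct the reader to generate their own value rather than copy a sample. The "-! CHANGED" line above this list is an editing marker and should not ship.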
Line 465: | Line 424: | ||
<file txt tomcat> | <file txt tomcat> | ||
/ | / | ||
- | rotate | + | rotate |
daily | daily | ||
dateext | dateext | ||
Line 507: | Line 466: | ||
<code bash> | <code bash> | ||
yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | ||
- | </ | ||
- | |||
- | On Debian install those packages and allow modules: | ||
- | < | ||
- | apt-get install apache2 libapache2-mod-security2 modsecurity-crs | ||
- | a2enmod ssl | ||
- | a2enmod proxy | ||
- | a2enmod proxy_ajp | ||
- | a2enmod proxy_http | ||
- | a2enmod security2 | ||
- | a2enmod rewrite | ||
- | a2enmod headers | ||
</ | </ | ||
HTTPd basic configuration: | HTTPd basic configuration: | ||
- | Change MPM to worker (lower system requirements) - in the file ''/ | + | Change MPM to worker (lower system requirements) - in the file ''/ |
<code bash> | <code bash> | ||
Line 567: | Line 514: | ||
ProxyPreserveHost on | ProxyPreserveHost on | ||
ProxyAddHeaders on | ProxyAddHeaders on | ||
- | ProxyPass / ajp:// | + | ProxyPass / ajp:// |
- | ProxyPassReverse / ajp:// | + | ProxyPassReverse / ajp:// |
</ | </ | ||
Line 593: | Line 540: | ||
</ | </ | ||
< | < | ||
- | |||
- | On Debian, create symlinks to sites-enabled: | ||
- | < | ||
- | cd / | ||
- | ln -s ../ | ||
- | ln -s ../ | ||
- | </ | ||
Syntax check before httpd restart: | Syntax check before httpd restart: | ||
Line 611: | Line 551: | ||
</ | </ | ||
+ | Allow in SELINUX to httpd connect to network: | ||
+ | < | ||
+ | / | ||
+ | </ | ||
+ | |||
Enable httpd after OS start: | Enable httpd after OS start: | ||
<code bash> | <code bash> | ||
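Review bot: the "Allow in SELINUX to httpd connect to network" command is cut off after `/`; the published step needs the full command, and if it toggles the httpd network boolean it should use the persistent form (`setsebool -P`), otherwise the reverse proxy to Tomcat works until the first reboot and then fails with AVC denials that are easy to misread as a Tomcat outage.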
Line 617: | Line 562: | ||
===== mod_security configuration ===== | ===== mod_security configuration ===== | ||
- | Mod_security files locations (on CentOS7): | + | Mod_security files locations (on CentOS8): |
* Audit log: ''/ | * Audit log: ''/ | ||
Line 674: | Line 619: | ||
</ | </ | ||
- | ==== mod_security configuration - CentOS7 | + | ==== mod_security configuration - CentOS8 |
- | In the file / | + | In the file / |
- | Whole rule after the changes looks like this: | + | Whole rules after the changes looks like this: |
< | < | ||
- | SecAction \ | + | # Default HTTP policy: allowed_methods (rule 900200) |
- | "id:' | + | SecRule &TX: |
- | phase:1, \ | + | "id:901160,\ |
- | t:none, \ | + | phase:1,\ |
- | setvar:' | + | pass,\ |
- | setvar:' | + | nolog,\ |
- | setvar:' | + | setvar:' |
- | setvar:' | + | |
- | setvar:' | + | |
- | nolog, \ | + | |
- | pass" | + | |
- | </ | + | |
- | + | ||
- | ==== mod_security configuration - Debian ==== | + | |
- | Enable mod\_security configuration: | + | |
- | < | + | |
- | cd / | + | |
- | cp modsecurity.conf-recommended modsecurity.conf | + | |
- | </ | + | |
- | + | ||
- | Uncomment following rules in the ''/ | + | |
- | < | + | |
- | SecAction | + | |
- | " | + | |
- | phase:1,\ | + | |
- | | + | |
- | | + | |
- | | + | |
- | setvar:' | + | |
- | SecAction | + | # Default HTTP policy: allowed_request_content_type (rule 900220) |
- | " | + | SecRule & |
- | phase:1,\ | + | "id:901162,\ |
- | | + | phase:1,\ |
- | | + | pass,\ |
- | | + | nolog,\ |
- | setvar:' | + | setvar:' |
</ | </ | ||
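Review bot: the new rules keep the CRS comments "rule 900200" / "rule 900220" but carry ids 901160 and 901162, which means this revision now edits the fallback defaults in the package-owned CRS initialization file instead of the `SecAction` policy block the previous revision used; those files are overwritten on every mod_security_crs update, so the allowed methods and request content types belong in the local crs-setup `SecAction` (or a site-specific rule file), and the comment/id mismatch should be resolved. The `setvar:'...` values are truncated here; whatever full list ends up on the page should be no wider than the application needs. The sentence "Whole rules after the changes looks like this" should read "look like this".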
Line 780: | Line 703: | ||
The patch of httpd should come soon so the first option is OK too. | The patch of httpd should come soon so the first option is OK too. | ||
- | ===== SSO ===== | ||
- | If you want to enable SSO to CzechIdM, additional configuration must be done with mod\_auth\_kerb. See [[tutorial: | ||
- | ====== nginx as reverse proxy ====== | ||
- | In case that you want to use nginx instead of Apache httpd, the configuration is as follows. | ||
- | <code ini> | ||
- | server { | ||
- | listen | ||
- | server_name | ||
- | client_max_body_size 1G; | ||
- | ssl on; | ||
- | ssl_certificate | ||
- | ssl_certificate_key | ||
- | gzip on; | ||
- | gzip_proxied any; | ||
- | gzip_types | ||
- | text/css | ||
- | | ||
- | text/xml | ||
- | | ||
- | application/ | ||
- | | ||
- | application/ | ||
- | |||
- | location / { | ||
- | proxy_hide_header X-Frame-Options; | ||
- | add_header X-Frame-Options SAMEORIGIN; | ||
- | proxy_pass http:// | ||
- | proxy_set_header Host $host; | ||
- | proxy_set_header X-Real-IP $remote_addr; | ||
- | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
- | proxy_set_header X-Forwarded-Proto " | ||
- | proxy_ssl_session_reuse off; | ||
- | proxy_redirect off; | ||
- | |||
- | # WebSocket support | ||
- | proxy_http_version 1.1; | ||
- | proxy_set_header Upgrade $http_upgrade; | ||
- | proxy_set_header Connection " | ||
- | } | ||
- | } | ||
- | </ | ||