Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:server_preparation_tmp [2020/03/11 13:40]
urbanl [Apache Tomcat configuration]
+++ tutorial:adm:server_preparation_tmp [2020/03/18 13:44]
urbanl [HTTPd installation and configuration]
@@ Line 1: / Line 1: @@
-<note important>temp pro centos 8
+<note important>Instalation pro centos 8
 Author: Ludek Urban
@@ Line 22: / Line 22: @@
 ===== Instalation and software configuration =====
-Prerequisities - Basic installation of CentOS 7
+Prerequisities - Basic installation of CentOS 8
 <code bash>
 # EPEL installation
@@ Line 28: / Line 28: @@
 yum install -y epel-release
 yum update -y
+# check installed packages. It's recommanded to have them installed.
+yum list installed  net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils
 # other recommended packages installation
-yum install -y net-tools nano wget mc vim-enhanced screen sysstat bzip2 ssmtp bash-completion lsof haveged nmap zip unzip psmisc telnet policycoreutils-python
+yum install -y mc haveged nmap screen sysstat telnet
 # enable haveged after OS start
 systemctl start haveged.service
@@ Line 45: / Line 47: @@
 </code>
--!CHANGED
+===== PostgreSQL  =====
-When installing to centos8, check and install these packages:
-<code>
-# check installed packages. It's recommanded to have them installed.
-yum list installed  net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils
-# other recommended packages installation
-yum install -y mc haveged nmap screen sysstat telnet
-</code>
-When installing on Debian, install these packages:
-<code>
-screen dnsutils sysstat lsof haveged nmap tcpdump traceroute tcptraceroute curl iptables-persistent
-</code>
-===== PostgreSQL -!CHANGED =====
 <note tip>If you are install CzechIdM on Sql server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note>
 CentOS8 default repository version of PostgreSQL is 10 but IdM not support that version. In our tutorial, we will install newer version 12. Moreover, we install database data into /data not /var/lib which is the default option.
-==== Database server installation - CentOS8 -!CHANGED ====
+==== Database server installation - CentOS8 ====
   * Software installation on CentOS8(versions can vary):
@@ Line 155: / Line 144: @@
 </code>
-==== Database server installation - Debian Stretch ====
-Install the database from OS packages:
+==== DB server configuration ====
-<code>
-apt-get install postgresql-9.6
-</code>
-We will move the database - create directory structure:
-<code>
-mkdir -p /data/pgsql/9.6/data/
-chown -R postgres:postgres /data/pgsql/
-chmod -R 700 /data/pgsql
-</code>
-Create the file .bash\_profile in postgres user's home (default /var/lib/postgresql) with following contents:
-<code>
-PGDATA=/data/pgsql/9.6/data
-</code>
-Stop the database:
-<code>
-systemctl stop postgresql
-</code>
-Move database directory (run this as root):
-<code>
-mv /var/lib/postgresql/9.6/main/* /data/pgsql/9.6/data/
-</code>
-In the PostgreSQL configuration file /etc/postgresql/9.6/main/postgresql.conf set the data\_directory property to:
-<code>
-data_directory = '/data/pgsql/9.6/data'
-</code>
-Enable and start the database:
-<code>
-systemctl start postgresql
-systemctl enable postgresql
-</code>
-==== DB server configuration -!CHANGED ====
 First of all, enable the password authentication.
@@ Line 224: / Line 182: @@
 Restart DB: ''systemctl restart  postgresql.service''
-For Debian installation, edit those configuration files instead:
-<code>
-/etc/postgresql/12/main/pg_hba.conf
-/etc/postgresql/12/main/postgresql.conf
-</code>
 <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
-===== Java - CentOS8 -! CHANGED =====
+===== Java - CentOS8 =====
 Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.11) from standard OS repository.
@@ Line 247: / Line 199: @@
 </file>
-===== Java - Debian =====
-Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository.
-Installation:
-<code bash>
-apt-get install openjdk-8-jdk-headless openjdk-8-jre-headless
-</code>
-Then create the file ''/etc/profile.d/java.sh'' with following:
-<file bash java.sh>
-[ -d /usr/lib/jvm/java-1.8.0-openjdk-amd64 ] && export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64
-</file>
 ===== Tomcat =====
-  * Create a new group and add user for the tomcat to run under (for Debian, use /usr/sbin/nologin in the useradd):
+  * Create a new group and add user for the tomcat to run under:
 <code>
@@ Line 351: / Line 290: @@
   * Tomcat will be started under user ''tomcat:tomcat'' a will use java installed in ''/usr/lib/jvm/java-1.8.0-openjdk''.
-  * For Debian, change the JAVA\_HOME to ''JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64''.
   * After every systemd configuration change it is necessary to reload:
@@ Line 433: / Line 371: @@
 It is advised to follow these steps for production usage:
-  * Remove unnecessary aplications that comes with Tomcat:
+  * Remove unnecessary applications that comes with Tomcat:
 <code bash>
@@ Line 445: / Line 383: @@
 <Server port="-1" shutdown="SHUTDOWN">
 </code>
   * Make Tomcat listen only on localhost:
     * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port.
     * In same file configure ajp port(''8009'') to look like this:
-    <Connector protocol="AJP/1.3"
+<code>
+<Connector protocol="AJP/1.3"
                 address="127.0.0.1"
                 secretRequired="true"
@@ Line 455: / Line 395: @@
                 port="8009"
                 redirectPort="8443" />
+</code>
   * Do not show aplication server version:
@@ Line 484: / Line 424: @@
 <file txt tomcat>
 /opt/tomcat/current/logs/catalina.out {
-	rotate COUNT
+	rotate 90
 	daily
 	dateext
@@ Line 508: / Line 448: @@
   * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]).
 </note>
-Please note that on Debian, the log is not rotate during the first day, but after the second day.
@@ Line 526: / Line 464: @@
 <code bash>
 yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs
-</code>
-On Debian install those packages and allow modules:
-<code>
-apt-get install apache2 libapache2-mod-security2 modsecurity-crs
-a2enmod ssl
-a2enmod proxy
-a2enmod proxy_ajp
-a2enmod proxy_http
-a2enmod security2
-a2enmod rewrite
-a2enmod headers
 </code>
 HTTPd basic configuration:
-Change MPM to worker (lower system requirements) - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment the lines with mod\_mpm\_prefork.so and uncomment mod\_mpm\_worker.so:
+Change MPM to worker (lower system requirements) - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment all lines but mod\_mpm\_worker.so:
 <code bash>
@@ Line 572: / Line 498: @@
 </code>
-Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'' (or ''/etc/apache2/sites-available/vhost-redirect.conf'' for Debian):
+Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'':
 <code xml>
 <VirtualHost _default_:80>
@@ Line 580: / Line 506: @@
 </code>
-Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' (or ''/etc/apache2/sites-available/ssl.conf'' for Debian) add following before ending "tag" VirtualHost:
+Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' add following before ending "tag" VirtualHost:
 <code>
+  Protocols       h2 https/1.1
   ProxyRequests     off
   ProxyPreserveHost on
   ProxyAddHeaders on
-  ProxyPass / ajp://127.0.0.1:8009/
+  ProxyPass / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
-  ProxyPassReverse / ajp://127.0.0.1:8009/
+  ProxyPassReverse / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
 </code>
@@ Line 612: / Line 539: @@
 </code>
 <note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM. If this is your case, you may need to slacken the cipher settings a bit.</note>
-On Debian, create symlinks to sites-enabled:
-<code>
-cd /etc/apache2/sites-enabled
-ln -s ../sites-available/vhost-redirect.conf 01vhost-redirect.conf
-ln -s ../sites-available/ssl.conf 02ssl.conf
-</code>
 Syntax check before httpd restart:
@@ Line 630: / Line 550: @@
 </code>
+Allow in SELINUX to httpd connect to network:
+<code>
+/usr/sbin/setsebool -P httpd_can_network_connect 1
+</code>
 Enable httpd after OS start:
 <code bash>
@@ Line 636: / Line 561: @@
 ===== mod_security configuration =====
-Mod_security files locations (on CentOS7):
+Mod_security files locations (on CentOS8):
   * Audit log: ''/var/log/httpd/modsec\_audit.log''
@@ Line 655: / Line 580: @@
 ==== Disabling mod_security rules ====
-In the file ''/etc/httpd/conf.d/ssl.conf'' (or ''/etc/apache2/sites-available/ssl.conf'' for Debian) deactivate following rules and set their logging:
+In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging:
 <code xml>
 <IfModule mod_security2.c>
@@ Line 693: / Line 618: @@
 </code>
-==== mod_security configuration - CentOS7  ====
+==== mod_security configuration - CentOS8  ====
-In the file /etc/httpd/modsecurity.d/modsecurity\_crs\_10\_config.conf, find the rule with id=900012 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods.
+In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf, find the rule 900200 and 900220 then add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods.
-Whole rule after the changes looks like this:
+Whole rules after the changes looks like this:
 <code>
-SecAction \
+# Default HTTP policy: allowed_methods (rule 900200)
-  "id:'900012', \
+SecRule &TX:allowed_methods "@eq 0" \
-  phase:1, \
+    "id:901160,\
-  t:none, \
+    phase:1,\
-  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE', \
+    pass,\
-  setvar:'tx.allowed_request_content_type=application/hal+json|application/json|text/plain|application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', \
+    nolog,\
-  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
+    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
-  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
-  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
-  nolog, \
-  pass"
-</code>
-==== mod_security configuration - Debian ====
-Enable mod\_security configuration:
-<code>
-cd /etc/modsecurity
-cp modsecurity.conf-recommended modsecurity.conf
-</code>
-Uncomment following rules in the ''/etc/modsecurity/crs/crs-setup.conf'' and change them accordingly (add allowed content types and allowed HTTP methods):
-<code>
-SecAction \
- "id:900200,\
-  phase:1,\
-  nolog,\
-  pass,\
-  t:none,\
-  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
-SecAction \
+# Default HTTP policy: allowed_request_content_type (rule 900220)
- "id:900220,\
+SecRule &TX:allowed_request_content_type "@eq 0" \
-  phase:1,\
+    "id:901162,\
-  nolog,\
+    phase:1,\
-  pass,\
+    pass,\
-  t:none,\
+    nolog,\
-  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"
+    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"
 </code>
@@ Line 799: / Line 702: @@
 The patch of httpd should come soon so the first option is OK too.
-===== SSO =====
-If you want to enable SSO to CzechIdM, additional configuration must be done with mod\_auth\_kerb. See [[tutorial:adm:sso_ad_domain#configure_apache_httpd_-_linux|SSO installation guide]] for more details.
-====== nginx as reverse proxy ======
-In case that you want to use nginx instead of Apache httpd, the configuration is as follows.
-<code ini>
-server {
-	listen   *:443 ssl http2;
-	server_name  idm.domain.tld;
-	client_max_body_size 1G;
-	ssl on;
-	ssl_certificate      /path/to/fullchain.pem;
-	ssl_certificate_key  /path/to/privkey.pem;
-	gzip on;
-	gzip_proxied any;
-	gzip_types
-        	text/css
-       		text/javascript
-        	text/xml
-       		text/plain
-        	application/javascript
-       		application/x-javascript
-        	application/json;
-	location / {
-		proxy_hide_header X-Frame-Options;
-		add_header X-Frame-Options SAMEORIGIN;
-		proxy_pass http://localhost:8080/;
-		proxy_set_header Host $host;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-		proxy_set_header X-Forwarded-Proto "https";
-		proxy_ssl_session_reuse off;
-		proxy_redirect off;
-		# WebSocket support
-		proxy_http_version 1.1;
-    		proxy_set_header Upgrade $http_upgrade;
-    		proxy_set_header Connection "upgrade";
-	}
-}
-</code>