Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:server_preparation_tmp [2020/03/11 14:14]
urbanl [HTTPd installation and configuration]
+++ tutorial:adm:server_preparation_tmp [2020/03/12 12:35]
urbanl [mod_security configuration - CentOS7]
@@ Line 587: / Line 587: @@
   ProxyPreserveHost on
   ProxyAddHeaders on
-  ProxyPass / ajp://127.0.0.1:8009/
+  ProxyPass / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
-  ProxyPassReverse / ajp://127.0.0.1:8009/
+  ProxyPassReverse / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
 </code>
@@ Line 694: / Line 694: @@
 </code>
-==== mod_security configuration - CentOS7  ====
+==== mod_security configuration - CentOS8  ====
-In the file /etc/httpd/modsecurity.d/modsecurity\_crs\_10\_config.conf, find the rule with id=900012 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods.
+In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf, find the rule 900200 and 900220 then add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods.
-Whole rule after the changes looks like this:
+Whole rules after the changes looks like this:
 <code>
-SecAction \
+# Default HTTP policy: allowed_methods (rule 900200)
-  "id:'900012', \
+SecRule &TX:allowed_methods "@eq 0" \
-  phase:1, \
+    "id:901160,\
-  t:none, \
+    phase:1,\
-  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE', \
+    pass,\
-  setvar:'tx.allowed_request_content_type=application/hal+json|application/json|text/plain|application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', \
+    nolog,\
-  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
+    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
-  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
-  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
+# Default HTTP policy: allowed_request_content_type (rule 900220)
-  nolog, \
+SecRule &TX:allowed_request_content_type "@eq 0" \
-  pass"
+    "id:901162,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"
 </code>
@@ Line 804: / Line 808: @@
 If you want to enable SSO to CzechIdM, additional configuration must be done with mod\_auth\_kerb. See [[tutorial:adm:sso_ad_domain#configure_apache_httpd_-_linux|SSO installation guide]] for more details.
-====== nginx as reverse proxy ======
+====== INSTALACTNI NAVOD ======
-In case that you want to use nginx instead of Apache httpd, the configuration is as follows.
+<note important>Tato cast se vlozi do instalacniho navodu pro IdM</note>
+==== 2. JDBC driver installation - CentOS8 ====
+**CentOS**
-<code ini>
+Install the package with PostgreSQL JDBC driver:
-server {
-	listen   *:443 ssl http2;
-	server_name  idm.domain.tld;
-	client_max_body_size 1G;
-	ssl on;
-	ssl_certificate      /path/to/fullchain.pem;
-	ssl_certificate_key  /path/to/privkey.pem;
-	gzip on;
-	gzip_proxied any;
-	gzip_types
-        	text/css
-       		text/javascript
-        	text/xml
-       		text/plain
-        	application/javascript
-       		application/x-javascript
-        	application/json;
-	location / {
+<code bash>
-		proxy_hide_header X-Frame-Options;
+yum install -y postgresql-jdbc
-		add_header X-Frame-Options SAMEORIGIN;
+</code>
-		proxy_pass http://localhost:8080/;
-		proxy_set_header Host $host;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-		proxy_set_header X-Forwarded-Proto "https";
-		proxy_ssl_session_reuse off;
-		proxy_redirect off;
-		# WebSocket support
+allow Tomcat to use the driver:
-		proxy_http_version 1.1;
-    		proxy_set_header Upgrade $http_upgrade;
+<code bash>
-    		proxy_set_header Connection "upgrade";
+ln -s /usr/share/java/postgresql-jdbc.jar /opt/tomcat/current/lib/
-	}
-}
 </code>
+==== Application properties ====
+  * The most important file is **/opt/czechidm/etc/application-production.properties** (application-PROFILE.properties, where the PROFILE is the profile you run the IdM under). You can use most of the file as-is, there is a bit of configuration needed though. This is a template file:
+<file properties application-production.properties>
+# Doc: https://wiki.czechidm.com/devel/dev/configuration/backend
+idm.pub.app.instanceId=idm-primary
+idm.pub.app.stage=production
+spring.datasource.url=jdbc:postgresql://localhost:5432/czechidm
+spring.datasource.username=czechidm
+spring.datasource.password=********** TODO *********
+spring.datasource.driver-class-name=org.postgresql.Driver
+spring.datasource.validationQuery=SELECT 1
+spring.datasource.test-on-borrow=true
+spring.jpa.generate-ddl=false
+spring.jpa.hibernate.ddl-auto=none
+flyway.enabled=true
+scheduler.properties.location=quartz-production.properties
+logging.config=/opt/czechidm/etc/logback-spring.xml
+idm.sec.core.demo.data.enabled=false
+# attachments will be stored under this path.
+# new directories for attachment will be created in this folder (permissions has to be added)
+# System.getProperty("user.home")/idm_data will be used if no path is given
+idm.sec.core.attachment.storagePath=/opt/czechidm/data
+# configuration property for default backup
+idm.sec.core.backups.default.folder.path=/opt/czechidm/backup
+idm.pub.security.allowed-origins=http://localhost
+# Generate JWT token security string as "cat /dev/urandom | tr -dc 'a-z0-9' | head -c VALUE" where VALUE can be from 1 to 255.
+# We recommend the VALUE to be at least 25.
+idm.sec.security.jwt.secret.token=********** TODO *********
+idm.sec.security.jwt.expirationTimeout=36000000
+# Cipher secret key for crypt values in confidential storage
+# for crypt values is used secretKey or secretKey defined by file - secretKeyPath
+#cipher.crypt.secret.key=XXXXXXXXXXXXXXXX
+cipher.crypt.secret.keyPath=/opt/czechidm/etc/secret.key
+# Defaults for: emailer.*
+# test.enabled=true means mail WILL NOT be sent
+idm.sec.core.emailer.test.enabled=true
+# http://camel.apache.org/mail.html
+idm.sec.core.emailer.protocol=smtp
+idm.sec.core.emailer.host=something.tld
+idm.sec.core.emailer.port=25
+# idm.sec.core.emailer.username=czechidm@domain.tld
+# idm.sec.core.emailer.password=password
+idm.sec.core.emailer.from=czechidm@localhost
+# Default user role will be added automatically, after an identity is logged in
+# could contains default authorities and authority policies configuration
+# for adding autocomplete or all record read permission etc.
+idm.sec.core.role.default=userRole
+# Admin user role
+idm.sec.core.role.admin=superAdminRole
+# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size.
+spring.servlet.multipart.max-file-size=100MB
+spring.servlet.multipart.max-request-size=100MB
+</file>