Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
tutorial:adm:server_preparation_tmp [2020/03/12 14:49] urbanl |
tutorial:adm:server_preparation_tmp [2020/07/24 08:35] fiserp [DB server configuration] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | <note important> | + | <note important> |
+ | |||
+ | **This tutorial is under development, | ||
Author: Ludek Urban | Author: Ludek Urban | ||
Line 5: | Line 7: | ||
- | ====== Server preparation - Linux ====== | + | ====== Server preparation - Linux - CentOS8 |
{{tag> | {{tag> | ||
- | This tutorial shows how to prepare the server for test or production | + | This tutorial shows how to prepare the server for test or production |
===== Basic system setup ===== | ===== Basic system setup ===== | ||
- | * 1 server (can be virtualized) for all: backend, frontend and database. | + | * 1 server (can be virtualized) for everything: backend, frontend and database. |
- | * OS Linux with EPEL repository enabled - CENTOS, basic network enabled installation | + | * OS Linux with EPEL repository enabled - CentOS, basic network enabled installation |
- | * It is possible to use Debian but you have to adjust | + | * It is possible to use Debian |
- | * PostgreSQL - installed from a new repository | + | * PostgreSQL |
- | * Java - distribution repository (OpenJDK 1.8) | + | * Java 11 - installed from OS packages. |
- | * Apache Tomcat - manually | + | * Apache Tomcat |
- | * Services | + | * Apache HTTPd 2.4.x - installed from OS packages. Can be replaced by nGinx. |
- | * Services run under dedicated | + | * All services |
+ | * Each service runs under dedicated non-privileged | ||
===== Instalation and software configuration ===== | ===== Instalation and software configuration ===== | ||
Prerequisities - Basic installation of CentOS 8 | Prerequisities - Basic installation of CentOS 8 | ||
<code bash> | <code bash> | ||
# EPEL installation | # EPEL installation | ||
- | yum clean all | + | dnf clean all |
- | yum install | + | dnf -y install |
- | yum update -y | + | dnf update -y |
- | # check installed packages. It's recommanded to have them installed. | + | |
- | yum list installed | + | |
# other recommended packages installation | # other recommended packages installation | ||
- | yum install | + | dnf -y install |
# enable haveged after OS start | # enable haveged after OS start | ||
systemctl start haveged.service | systemctl start haveged.service | ||
systemctl enable haveged.service | systemctl enable haveged.service | ||
- | # remove unnecessary software | + | |
- | yum remove -y postfix | + | |
- | systemctl stop avahi-daemon.socket avahi-daemon.service | + | |
- | systemctl disable avahi-daemon.socket avahi-daemon.service | + | |
- | yum remove -y avahi-autoipd avahi | + | |
# set the hostname | # set the hostname | ||
hostnamectl set-hostname FQDN_server_name | hostnamectl set-hostname FQDN_server_name | ||
Line 48: | Line 46: | ||
===== PostgreSQL | ===== PostgreSQL | ||
- | <note tip>If you are install | + | <note tip>If you are installing |
- | CentOS8 default repository version of PostgreSQL | + | We install |
- | ==== Database server installation - CentOS8 | + | ==== Database server installation - CentOS8 ==== |
* Software installation on CentOS8(versions can vary): | * Software installation on CentOS8(versions can vary): | ||
<code bash> | <code bash> | ||
# enable module postgres 12 | # enable module postgres 12 | ||
- | yum module enable postgresql: | + | dnf module enable postgresql: |
- | yum install | + | dnf -y install |
</ | </ | ||
- | * create new system | + | * create new directory |
<code bash> | <code bash> | ||
- | mkdir -p / | ||
mkdir -p / | mkdir -p / | ||
chown -R postgres: | chown -R postgres: | ||
Line 68: | Line 65: | ||
</ | </ | ||
- | * Copy of the configuration file for systemd, in which we will make change of directory for data: | + | * Copy the PostgreSQL' |
<code bash> | <code bash> | ||
Line 80: | Line 77: | ||
</ | </ | ||
- | * In the file '' | + | * In the file '' |
< | < | ||
Line 97: | Line 94: | ||
<code bash> | <code bash> | ||
- | /usr/bin/postgresql-setup --initdb --unit postgresql | + | postgresql-setup --initdb --unit postgresql |
</ | </ | ||
Change SELINUX labels: | Change SELINUX labels: | ||
< | < | ||
- | chcon -Rt postgresql_db_t pgsql/ | + | chcon -Rt postgresql_db_t |
chcon -Rt postgresql_log_t / | chcon -Rt postgresql_log_t / | ||
</ | </ | ||
Line 147: | Line 144: | ||
==== DB server configuration ==== | ==== DB server configuration ==== | ||
- | First of all, enable | + | * Enable |
In the file ''/ | In the file ''/ | ||
Line 154: | Line 151: | ||
host all | host all | ||
</ | </ | ||
- | + | and change the value at the end of each line to '' | |
- | and change the value at the end of each line into md5 like this: | + | |
< | < | ||
host all | host all | ||
Line 161: | Line 157: | ||
</ | </ | ||
- | Now we can do DB sizing. | + | * Adjust |
- | In a file ''/ | + | * In following snippet, we presume the system has 3GB of memory |
+ | * We also log queries running longer than 200ms. | ||
+ | In a file ''/ | ||
< | < | ||
- | max_connections = 100 # (change requires restart) | + | # This is an EXAMPLE. Use the calculator to adjust for your deployment! |
- | shared_buffers = 768MB # min 128kB | + | # DB Version: 12 |
+ | # OS Type: linux | ||
+ | # DB Type: web | ||
+ | # Total Memory (RAM): 3 GB | ||
+ | # Connections num: 100 | ||
+ | # Data Storage: ssd | ||
+ | max_connections = 100 | ||
+ | shared_buffers = 768MB | ||
effective_cache_size = 2304MB | effective_cache_size = 2304MB | ||
- | work_mem = 7864kB | ||
maintenance_work_mem = 192MB | maintenance_work_mem = 192MB | ||
- | |||
- | min_wal_size = 1GB | ||
- | max_wal_size = 2GB | ||
checkpoint_completion_target = 0.7 | checkpoint_completion_target = 0.7 | ||
wal_buffers = 16MB | wal_buffers = 16MB | ||
- | |||
default_statistics_target = 100 | default_statistics_target = 100 | ||
+ | random_page_cost = 1.1 | ||
+ | effective_io_concurrency = 200 | ||
+ | work_mem = 3932kB | ||
+ | min_wal_size = 1GB | ||
+ | max_wal_size = 4GB | ||
log_min_duration_statement = 200 | log_min_duration_statement = 200 | ||
Line 182: | Line 188: | ||
Restart DB: '' | Restart DB: '' | ||
- | |||
- | For Debian installation, | ||
- | < | ||
- | / | ||
- | / | ||
- | </ | ||
< | < | ||
Line 208: | Line 208: | ||
===== Tomcat ===== | ===== Tomcat ===== | ||
- | * Create a new group and add user for the tomcat to run under (for Debian, use / | + | * Create a new group and add user for the tomcat to run under: |
< | < | ||
Line 214: | Line 214: | ||
useradd -r -s / | useradd -r -s / | ||
getent passwd tomcat | getent passwd tomcat | ||
- | tomcat: | + | #tomcat: |
</ | </ | ||
Line 296: | Line 296: | ||
* Tomcat will be started under user '' | * Tomcat will be started under user '' | ||
- | * For Debian, change the JAVA\_HOME to '' | ||
* After every systemd configuration change it is necessary to reload: | * After every systemd configuration change it is necessary to reload: | ||
Line 390: | Line 389: | ||
<Server port=" | <Server port=" | ||
</ | </ | ||
- | -! CHANGED | + | |
* Make Tomcat listen only on localhost: | * Make Tomcat listen only on localhost: | ||
* In the ''/ | * In the ''/ | ||
- | * In same file configure ajp port('' | ||
- | | + | * Set the '' |
+ | * In the ''/ | ||
+ | |||
+ | * In same file configure ajp port('' | ||
+ | |||
+ | < | ||
+ | < | ||
address=" | address=" | ||
secretRequired=" | secretRequired=" | ||
Line 401: | Line 405: | ||
port=" | port=" | ||
redirectPort=" | redirectPort=" | ||
+ | </ | ||
* Do not show aplication server version: | * Do not show aplication server version: | ||
Line 454: | Line 458: | ||
* Adjust particular SELinux labels. Example ([[https:// | * Adjust particular SELinux labels. Example ([[https:// | ||
</ | </ | ||
- | |||
- | Please note that on Debian, the log is not rotate during the first day, but after the second day. | ||
Line 506: | Line 508: | ||
</ | </ | ||
- | Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string ' | + | Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string ' |
<code xml> | <code xml> | ||
< | < | ||
Line 514: | Line 516: | ||
</ | </ | ||
- | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ | + | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ |
< | < | ||
+ | Protocols | ||
ProxyRequests | ProxyRequests | ||
ProxyPreserveHost on | ProxyPreserveHost on | ||
Line 572: | Line 575: | ||
* Audit log: ''/ | * Audit log: ''/ | ||
* Directory with activated rules: ''/ | * Directory with activated rules: ''/ | ||
- | * basic configuration file for mod\_security: | + | * basic configuration file for mod\_security: |
* The file for chosen rules deactivation: | * The file for chosen rules deactivation: | ||
Line 587: | Line 590: | ||
==== Disabling mod_security rules ==== | ==== Disabling mod_security rules ==== | ||
- | In the file ''/ | + | These rules are disabled for modsec_crs 3.0. |
+ | |||
+ | In the file ''/ | ||
<code xml> | <code xml> | ||
< | < | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
+ | | ||
+ | | ||
# Allow Czech signs | # Allow Czech signs | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
| | ||
# Too restrictive for login format | # Too restrictive for login format | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
+ | |||
# Needed by Websockets | # Needed by Websockets | ||
< | < | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
</ | </ | ||
| | ||
- | # These break Certificate Authority module | ||
- | < | ||
- | SecRuleRemoveById 960915 | ||
- | SecRuleRemoveById 200003 | ||
- | </ | ||
- | |||
- | # Modsec can throw false positives on some files due to multipart boundary check | ||
- | < | ||
- | SecRuleRemoveById 960915 | ||
- | SecRuleRemoveById 200003 | ||
- | </ | ||
- | |||
# do not log request/ | # do not log request/ | ||
SecAuditLogParts ABFHZ | SecAuditLogParts ABFHZ | ||
Line 627: | Line 622: | ||
==== mod_security configuration - CentOS8 | ==== mod_security configuration - CentOS8 | ||
- | In the file / | + | In the file / |
- | Whole rules after the changes looks like this: | + | |
+ | * find the rule 900200 and add methods | ||
< | < | ||
Line 638: | Line 634: | ||
nolog,\ | nolog,\ | ||
setvar:' | setvar:' | ||
+ | </ | ||
+ | * find the rule 900220 and add support for content\_type=application/ | ||
+ | |||
+ | < | ||
# Default HTTP policy: allowed_request_content_type (rule 900220) | # Default HTTP policy: allowed_request_content_type (rule 900220) | ||
SecRule & | SecRule & | ||
Line 646: | Line 646: | ||
nolog,\ | nolog,\ | ||
setvar:' | setvar:' | ||
- | </ | ||
- | |||
- | ==== mod_security configuration - Debian ==== | ||
- | Enable mod\_security configuration: | ||
- | < | ||
- | cd / | ||
- | cp modsecurity.conf-recommended modsecurity.conf | ||
- | </ | ||
- | |||
- | Uncomment following rules in the ''/ | ||
- | < | ||
- | SecAction \ | ||
- | " | ||
- | phase:1,\ | ||
- | nolog,\ | ||
- | pass,\ | ||
- | t:none,\ | ||
- | setvar:' | ||
- | |||
- | SecAction \ | ||
- | " | ||
- | phase:1,\ | ||
- | nolog,\ | ||
- | pass,\ | ||
- | t:none,\ | ||
- | setvar:' | ||
</ | </ | ||
Line 713: | Line 687: | ||
</ | </ | ||
- | ===== Workaround for slow HTTPD shutdown ===== | ||
- | In some RHEL/CentOS versions Apache HTTPD shutsdown or restarts itself very slowly. It is caused by [[https:// | ||
- | Workaround is to edit '''/ | ||
- | < | ||
- | KillMode=none | ||
- | </ | ||
- | Then reload systemd: | ||
- | < | ||
- | systemctl daemon-reload | ||
- | </ | ||
- | |||
- | It is absolutely correct to create new versions of unity in /etc, that has the option: | ||
- | |||
- | < | ||
- | cp / | ||
- | vim / | ||
- | systemctl daemon-reload | ||
- | </ | ||
- | |||
- | The patch of httpd should come soon so the first option is OK too. | ||
- | |||
- | |||
- | ====== INSTALACTNI NAVOD ====== | ||
- | |||
- | <note important> | ||
- | |||
- | |||
- | |||
- | ==== Application properties ==== | ||
- | |||
- | * The most important file is **/ | ||
- | |||
- | <file properties application-production.properties> | ||
- | # Doc: https:// | ||
- | |||
- | idm.pub.app.instanceId=idm-primary | ||
- | idm.pub.app.stage=production | ||
- | |||
- | spring.datasource.url=jdbc: | ||
- | spring.datasource.username=czechidm | ||
- | spring.datasource.password=********** TODO ********* | ||
- | spring.datasource.driver-class-name=org.postgresql.Driver | ||
- | spring.datasource.validationQuery=SELECT 1 | ||
- | spring.datasource.test-on-borrow=true | ||
- | spring.jpa.generate-ddl=false | ||
- | spring.jpa.hibernate.ddl-auto=none | ||
- | flyway.enabled=true | ||
- | |||
- | |||
- | scheduler.properties.location=quartz-production.properties | ||
- | |||
- | logging.config=/ | ||
- | |||
- | idm.sec.core.demo.data.enabled=false | ||
- | |||
- | # attachments will be stored under this path. | ||
- | # new directories for attachment will be created in this folder (permissions has to be added) | ||
- | # System.getProperty(" | ||
- | idm.sec.core.attachment.storagePath=/ | ||
- | # configuration property for default backup | ||
- | idm.sec.core.backups.default.folder.path=/ | ||
- | |||
- | |||
- | idm.pub.security.allowed-origins=http:// | ||
- | # Generate JWT token security string as "cat / | ||
- | # We recommend the VALUE to be at least 25. | ||
- | idm.sec.security.jwt.secret.token=********** TODO ********* | ||
- | idm.sec.security.jwt.expirationTimeout=36000000 | ||
- | |||
- | # Cipher secret key for crypt values in confidential storage | ||
- | # for crypt values is used secretKey or secretKey defined by file - secretKeyPath | ||
- | # | ||
- | cipher.crypt.secret.keyPath=/ | ||
- | |||
- | # Defaults for: emailer.* | ||
- | # test.enabled=true means mail WILL NOT be sent | ||
- | idm.sec.core.emailer.test.enabled=true | ||
- | # http:// | ||
- | idm.sec.core.emailer.protocol=smtp | ||
- | idm.sec.core.emailer.host=something.tld | ||
- | idm.sec.core.emailer.port=25 | ||
- | # idm.sec.core.emailer.username=czechidm@domain.tld | ||
- | # idm.sec.core.emailer.password=password | ||
- | idm.sec.core.emailer.from=czechidm@localhost | ||
- | |||
- | # Default user role will be added automatically, | ||
- | # could contains default authorities and authority policies configuration | ||
- | # for adding autocomplete or all record read permission etc. | ||
- | idm.sec.core.role.default=userRole | ||
- | # Admin user role | ||
- | idm.sec.core.role.admin=superAdminRole | ||
- | |||
- | # Max file size of uploaded file. Values can use the suffixed " | ||
- | spring.servlet.multipart.max-file-size=100MB | ||
- | spring.servlet.multipart.max-request-size=100MB | ||
- | </ | ||
- | |||
- | |||
- | |||
- |