Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
tutorial:adm:server_preparation_tmp [2020/03/12 14:51]
urbanl [INSTALACTNI NAVOD] 		tutorial:adm:server_preparation_tmp [2020/06/18 13:16]
urbanl [Disabling mod_security rules] Changed modsec crs to 3.0
Line 1: Line 1:
-<note important>Instalation pro centos 8+<note important>Instalation pro CentOS8  
 + 
 +**This tutorial is under development, DO NOT USE.**
  
 Author: Ludek Urban Author: Ludek Urban
Line 5: Line 7:
  
  
-====== Server preparation - Linux ======+====== Server preparation - Linux - CentOS8 ======
  
 {{tag>installation java tomcat quickstart "apache httpd"}} {{tag>installation java tomcat quickstart "apache httpd"}}
Line 28: Line 30:
 yum install -y epel-release yum install -y epel-release
 yum update -y yum update -y
-# check installed packages. It's recommanded to have them installed. 
-yum list installed  net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils 
 # other recommended packages installation # other recommended packages installation
-yum install -y mc haveged nmap screen sysstat telnet+yum install -y mc haveged nmap screen sysstat telnet net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils
 # enable haveged after OS start # enable haveged after OS start
 systemctl start haveged.service systemctl start haveged.service
Line 102: Line 102:
 Change SELINUX labels: Change SELINUX labels:
 <code> <code>
-chcon -Rt postgresql_db_t pgsql/+chcon -Rt postgresql_db_t /data/pgsql/
 chcon -Rt postgresql_log_t /data/pgsql/12/data/log/ chcon -Rt postgresql_log_t /data/pgsql/12/data/log/
 </code> </code>
Line 182: Line 182:
  
 Restart DB: ''systemctl restart  postgresql.service'' Restart DB: ''systemctl restart  postgresql.service''
- 
-For Debian installation, edit those configuration files instead: 
-<code> 
-/etc/postgresql/12/main/pg_hba.conf 
-/etc/postgresql/12/main/postgresql.conf 
-</code> 
  
 <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note> <note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
Line 208: Line 202:
 ===== Tomcat ===== ===== Tomcat =====
  
-  * Create a new group and add user for the tomcat to run under (for Debian, use /usr/sbin/nologin in the useradd):+  * Create a new group and add user for the tomcat to run under:
  
 <code> <code>
Line 214: Line 208:
 useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
 getent passwd tomcat getent passwd tomcat
-tomcat:x:995:993::/opt/tomcat:/bin/nologin+#tomcat:x:995:993::/opt/tomcat:/bin/nologin
 </code> </code>
  
Line 296: Line 290:
  
   * Tomcat will be started under user ''tomcat:tomcat'' a will use java installed in ''/usr/lib/jvm/java-1.8.0-openjdk''.   * Tomcat will be started under user ''tomcat:tomcat'' a will use java installed in ''/usr/lib/jvm/java-1.8.0-openjdk''.
-  * For Debian, change the JAVA\_HOME to ''JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64''. 
   * After every systemd configuration change it is necessary to reload:   * After every systemd configuration change it is necessary to reload:
  
Line 390: Line 383:
 <Server port="-1" shutdown="SHUTDOWN"> <Server port="-1" shutdown="SHUTDOWN">
 </code> </code>
--! CHANGED+
   * Make Tomcat listen only on localhost:   * Make Tomcat listen only on localhost:
     * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port.     * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port.
-    * In same file configure ajp port(''8009'') to look like this: 
  
-    <Connector protocol="AJP/1.3"+  * Set the ''maxSwallowSize'' for the HTTP/1.1 connector: 
 +    * In the ''/opt/tomcat/current/conf/server.xml'', locate the configuration for port 8080 and add the ''maxSwallowSize="-1"'' property therein. 
 + 
 +  * In same file configure ajp port(''8009'') to look like this: 
 + 
 +<code> 
 +<Connector protocol="AJP/1.3"
                 address="127.0.0.1"                 address="127.0.0.1"
                 secretRequired="true"                 secretRequired="true"
Line 401: Line 399:
                 port="8009"                 port="8009"
                 redirectPort="8443" />                 redirectPort="8443" />
 +</code>
  
   * Do not show aplication server version:   * Do not show aplication server version:
Line 454: Line 452:
   * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]).   * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]).
 </note> </note>
- 
-Please note that on Debian, the log is not rotate during the first day, but after the second day. 
  
  
Line 506: Line 502:
 </code> </code>
  
-Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'' (or ''/etc/apache2/sites-available/vhost-redirect.conf'' for Debian):+Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'':
 <code xml> <code xml>
 <VirtualHost _default_:80> <VirtualHost _default_:80>
Line 514: Line 510:
 </code> </code>
  
-Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' (or ''/etc/apache2/sites-available/ssl.conf'' for Debian) add following before ending "tag" VirtualHost:+Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' add following before ending "tag" VirtualHost:
  
 <code> <code>
 +  Protocols       h2 https/1.1
   ProxyRequests     off   ProxyRequests     off
   ProxyPreserveHost on   ProxyPreserveHost on
Line 572: Line 569:
   * Audit log: ''/var/log/httpd/modsec\_audit.log''   * Audit log: ''/var/log/httpd/modsec\_audit.log''
   * Directory with activated rules: ''/etc/httpd/modsecurity.d/activated\_rules/''   * Directory with activated rules: ''/etc/httpd/modsecurity.d/activated\_rules/''
-  * basic configuration file for mod\_security: ''/etc/httpd/modsecurity.d/modsecurity\_crs\_10\_config.conf''+  * basic configuration file for mod\_security: '' /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf''
   * The file for chosen rules deactivation: ''/etc/httpd/conf.d/ssl.conf''   * The file for chosen rules deactivation: ''/etc/httpd/conf.d/ssl.conf''
  
Line 587: Line 584:
 ==== Disabling mod_security rules ==== ==== Disabling mod_security rules ====
  
-In the file ''/etc/httpd/conf.d/ssl.conf'' (or ''/etc/apache2/sites-available/ssl.conf'' for Debian) deactivate following rules and set their logging:+These rules are disabled for modsec_crs 3.0 
 +In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging:
 <code xml> <code xml>
 <IfModule mod_security2.c> <IfModule mod_security2.c>
-        SecRuleRemoveById 981173 +        SecRuleRemoveById 942430 
-        SecRuleRemoveById 960015 +        SecRuleRemoveById 942431 
-        SecRuleRemoveById 950109+        SecRuleRemoveById 920300 
 +        SecRuleRemoveById 920230
  
         # Allow Czech signs         # Allow Czech signs
-        SecRuleRemoveById 981318 +        SecRuleRemoveById 942110 
-        SecRuleRemoveById 981242 +        SecRuleRemoveById 942330 
-        SecRuleRemoveById 960024 +        SecRuleRemoveById 942460 
-        SecRuleRemoveById 981245+        SecRuleRemoveById 942260
                  
         # Too restrictive for login format         # Too restrictive for login format
-        SecRuleRemoveById 960035+        SecRuleRemoveById 920440
  
         # Needed by Websockets          # Needed by Websockets 
         <Location "/idm/api/v1/websocket-info/">         <Location "/idm/api/v1/websocket-info/">
-                SecRuleRemoveById 970901+                SecRuleRemoveById 950100
         </Location>         </Location>
-         
-        # These break Certificate Authority module 
- <Location "/idm/api/v1/crt/certificates/action/validate"> 
- SecRuleRemoveById 960915 
- SecRuleRemoveById 200003 
- </Location> 
- 
- # Modsec can throw false positives on some files due to multipart boundary check 
- <Location "/idm/api/v1/attachments/upload"> 
- SecRuleRemoveById 960915 
- SecRuleRemoveById 200003 
- </Location> 
  
         # do not log request/response body         # do not log request/response body
Line 646: Line 633:
     nolog,\     nolog,\
     setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"     setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'"
-</code> 
- 
-==== mod_security configuration - Debian ==== 
-Enable mod\_security configuration: 
-<code> 
-cd /etc/modsecurity 
-cp modsecurity.conf-recommended modsecurity.conf 
-</code> 
- 
-Uncomment following rules in the ''/etc/modsecurity/crs/crs-setup.conf'' and change them accordingly (add allowed content types and allowed HTTP methods): 
-<code> 
-SecAction \ 
- "id:900200,\ 
-  phase:1,\ 
-  nolog,\ 
-  pass,\ 
-  t:none,\ 
-  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'" 
- 
-SecAction \ 
- "id:900220,\ 
-  phase:1,\ 
-  nolog,\ 
-  pass,\ 
-  t:none,\ 
-  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'" 
 </code> </code>
  
Line 712: Line 673:
 </IfModule> </IfModule>
 </code> </code>
- 
-===== Workaround for slow HTTPD shutdown ===== 
-In some RHEL/CentOS versions Apache HTTPD shutsdown or restarts itself very slowly. It is caused by [[https://bugzilla.redhat.com/show_bug.cgi?id=906321]]. 
-Workaround is to edit '''/usr/lib/systemd/system/httpd.service''' and add the option: 
-<code> 
-KillMode=none 
-</code> 
-Then reload systemd: 
- 
-<code> 
-systemctl daemon-reload 
-</code> 
- 
-It is absolutely correct to create new versions of unity in /etc, that has the option: 
- 
-<code> 
-cp /usr/lib/systemd/system/httpd.service /etc/systemd/system/httpd.service 
-vim /etc/systemd/system/httpd.service # add parametr KillMode=none 
-systemctl daemon-reload 
-</code> 
- 
-The patch of httpd should come soon so the first option is OK too. 
- 
- 
- 
-