Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:server_preparation_tmp [2020/03/12 14:53]
urbanl [DB server configuration]
+++ tutorial:adm:server_preparation_tmp [2020/06/24 12:00]
kolarikj [mod_security configuration - CentOS8]
@@ Line 1: / Line 1: @@
-<note important>Instalation pro centos 8
+<note important>Instalation pro CentOS8
+**This tutorial is under development, DO NOT USE.**
 Author: Ludek Urban
@@ Line 5: / Line 7: @@
-====== Server preparation - Linux ======
+====== Server preparation - Linux - CentOS8 ======
 {{tag>installation java tomcat quickstart "apache httpd"}}
@@ Line 28: / Line 30: @@
 yum install -y epel-release
 yum update -y
-# check installed packages. It's recommanded to have them installed.
-yum list installed  net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils
 # other recommended packages installation
-yum install -y mc haveged nmap screen sysstat telnet
+yum install -y mc haveged nmap screen sysstat telnet net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils
 # enable haveged after OS start
 systemctl start haveged.service
@@ Line 102: / Line 102: @@
 Change SELINUX labels:
 <code>
-chcon -Rt postgresql_db_t pgsql/
+chcon -Rt postgresql_db_t /data/pgsql/
 chcon -Rt postgresql_log_t /data/pgsql/12/data/log/
 </code>
@@ Line 202: / Line 202: @@
 ===== Tomcat =====
-  * Create a new group and add user for the tomcat to run under (for Debian, use /usr/sbin/nologin in the useradd):
+  * Create a new group and add user for the tomcat to run under:
 <code>
@@ Line 208: / Line 208: @@
 useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
 getent passwd tomcat
-tomcat:x:995:993::/opt/tomcat:/bin/nologin
+#tomcat:x:995:993::/opt/tomcat:/bin/nologin
 </code>
@@ Line 290: / Line 290: @@
   * Tomcat will be started under user ''tomcat:tomcat'' a will use java installed in ''/usr/lib/jvm/java-1.8.0-openjdk''.
-  * For Debian, change the JAVA\_HOME to ''JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64''.
   * After every systemd configuration change it is necessary to reload:
@@ Line 384: / Line 383: @@
 <Server port="-1" shutdown="SHUTDOWN">
 </code>
--! CHANGED
   * Make Tomcat listen only on localhost:
     * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port.
-    * In same file configure ajp port(''8009'') to look like this:
-    <Connector protocol="AJP/1.3"
+  * Set the ''maxSwallowSize'' for the HTTP/1.1 connector:
+    * In the ''/opt/tomcat/current/conf/server.xml'', locate the configuration for port 8080 and add the ''maxSwallowSize="-1"'' property therein.
+  * In same file configure ajp port(''8009'') to look like this:
+<code>
+<Connector protocol="AJP/1.3"
                 address="127.0.0.1"
                 secretRequired="true"
@@ Line 395: / Line 399: @@
                 port="8009"
                 redirectPort="8443" />
+</code>
   * Do not show aplication server version:
@@ Line 448: / Line 452: @@
   * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]).
 </note>
-Please note that on Debian, the log is not rotate during the first day, but after the second day.
@@ Line 500: / Line 502: @@
 </code>
-Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'' (or ''/etc/apache2/sites-available/vhost-redirect.conf'' for Debian):
+Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'':
 <code xml>
 <VirtualHost _default_:80>
@@ Line 508: / Line 510: @@
 </code>
-Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' (or ''/etc/apache2/sites-available/ssl.conf'' for Debian) add following before ending "tag" VirtualHost:
+Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' add following before ending "tag" VirtualHost:
 <code>
+  Protocols       h2 https/1.1
   ProxyRequests     off
   ProxyPreserveHost on
@@ Line 566: / Line 569: @@
   * Audit log: ''/var/log/httpd/modsec\_audit.log''
   * Directory with activated rules: ''/etc/httpd/modsecurity.d/activated\_rules/''
-  * basic configuration file for mod\_security: ''/etc/httpd/modsecurity.d/modsecurity\_crs\_10\_config.conf''
+  * basic configuration file for mod\_security: '' /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf''
   * The file for chosen rules deactivation: ''/etc/httpd/conf.d/ssl.conf''
@@ Line 581: / Line 584: @@
 ==== Disabling mod_security rules ====
-In the file ''/etc/httpd/conf.d/ssl.conf'' (or ''/etc/apache2/sites-available/ssl.conf'' for Debian) deactivate following rules and set their logging:
+These rules are disabled for modsec_crs 3.0.
+In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging:
 <code xml>
 <IfModule mod_security2.c>
-        SecRuleRemoveById 981173
+        SecRuleRemoveById 942430
-        SecRuleRemoveById 960015
+        SecRuleRemoveById 942431
-        SecRuleRemoveById 950109
+        SecRuleRemoveById 920300
+        SecRuleRemoveById 920230
         # Allow Czech signs
-        SecRuleRemoveById 981318
+        SecRuleRemoveById 942110
-        SecRuleRemoveById 981242
+        SecRuleRemoveById 942330
-        SecRuleRemoveById 960024
+        SecRuleRemoveById 942460
-        SecRuleRemoveById 981245
+        SecRuleRemoveById 942260
         # Too restrictive for login format
-        SecRuleRemoveById 960035
+        SecRuleRemoveById 920440
         # Needed by Websockets
         <Location "/idm/api/v1/websocket-info/">
-                SecRuleRemoveById 970901
+                SecRuleRemoveById 950100
         </Location>
-        # These break Certificate Authority module
-	<Location "/idm/api/v1/crt/certificates/action/validate">
-		SecRuleRemoveById 960915
-		SecRuleRemoveById 200003
-	</Location>
-	# Modsec can throw false positives on some files due to multipart boundary check
-	<Location "/idm/api/v1/attachments/upload">
-		SecRuleRemoveById 960915
-		SecRuleRemoveById 200003
-	</Location>
         # do not log request/response body
         SecAuditLogParts ABFHZ
@@ Line 621: / Line 616: @@
 ==== mod_security configuration - CentOS8  ====
-In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf, find the rule 900200 and 900220 then add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods.
+In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf
-Whole rules after the changes looks like this:
+  * find the rule 900200 and add methods PUT DELETE and PATCH on the line with tx.allowed\_methods. It look like this after change:
 <code>
@@ Line 632: / Line 628: @@
     nolog,\
     setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
+</code>
+  * find the rule 900220 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, after change:
+<code>
 # Default HTTP policy: allowed_request_content_type (rule 900220)
 SecRule &TX:allowed_request_content_type "@eq 0" \
@@ Line 680: / Line 680: @@
 </IfModule>
 </code>
-===== Workaround for slow HTTPD shutdown =====
-In some RHEL/CentOS versions Apache HTTPD shutsdown or restarts itself very slowly. It is caused by [[https://bugzilla.redhat.com/show_bug.cgi?id=906321]].
-Workaround is to edit '''/usr/lib/systemd/system/httpd.service''' and add the option:
-<code>
-KillMode=none
-</code>
-Then reload systemd:
-<code>
-systemctl daemon-reload
-</code>
-It is absolutely correct to create new versions of unity in /etc, that has the option:
-<code>
-cp /usr/lib/systemd/system/httpd.service /etc/systemd/system/httpd.service
-vim /etc/systemd/system/httpd.service # add parametr KillMode=none
-systemctl daemon-reload
-</code>
-The patch of httpd should come soon so the first option is OK too.