Differences

tutorial:adm:server_preparation_tmp [2020/03/12 14:54]
urbanl [HTTPd installation and configuration]
tutorial:adm:server_preparation_tmp [2020/06/18 10:36]
urbanl [mod_security configuration] changed basic configuration file
Line 1: Line 1:
-<note important>Instalation pro centos 8+<note important>Instalation pro CentOS8  
 + 
 +**This tutorial is under development, DO NOT USE.**
  
 Author: Ludek Urban Author: Ludek Urban
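Review bot: the `<note important>` on the first line is never closed within the shown lines, and its text is Czech with a spelling error ("Instalation pro CentOS8" reads "Installation for CentOS 8"); since the rest of the page is English, close the note and write it as `<note important>Installation for CentOS 8</note>`. The added "DO NOT USE" warning is useful while the page is in flux; placing it inside that same note would render it with the same emphasis instead of as a loose bold line.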
Line 5: Line 7:
  
  
-====== Server preparation - Linux ======+====== Server preparation - Linux - CentOS8 ======
  
 {{tag>installation java tomcat quickstart "apache httpd"}} {{tag>installation java tomcat quickstart "apache httpd"}}
Line 28: Line 30:
 yum install -y epel-release yum install -y epel-release
 yum update -y yum update -y
-# check installed packages. It's recommanded to have them installed. 
-yum list installed  net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils 
 # other recommended packages installation # other recommended packages installation
-yum install -y mc haveged nmap screen sysstat telnet+yum install -y mc haveged nmap screen sysstat telnet net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils
 # enable haveged after OS start # enable haveged after OS start
 systemctl start haveged.service systemctl start haveged.service
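Review bot: the comment `# enable haveged after OS start` does not match the command under it: `systemctl start haveged.service` only starts the daemon for the current boot, so the entropy daemon will not come back after a reboot. Add `systemctl enable haveged.service` (or use `systemctl enable --now haveged.service`). Folding the former `yum list installed` check into the install line is fine, but note that `nmap` and `telnet` are now part of the unconditional baseline; on a host that will expose HTTPd and Tomcat it is worth either leaving them out or stating which later step needs them.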
Line 102: Line 102:
 Change SELINUX labels: Change SELINUX labels:
 <code> <code>
-chcon -Rt postgresql_db_t pgsql/+chcon -Rt postgresql_db_t /data/pgsql/
 chcon -Rt postgresql_log_t /data/pgsql/12/data/log/ chcon -Rt postgresql_log_t /data/pgsql/12/data/log/
 </code> </code>
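Review bot: correcting the relative `pgsql/` to `/data/pgsql/` is right, but `chcon` only rewrites the label on the existing inodes; the labels are lost on the next `restorecon` or filesystem relabel. Since `policycoreutils-python-utils` is installed earlier in the page, record the contexts persistently with `semanage fcontext -a -t postgresql_db_t "/data/pgsql(/.*)?"` and `semanage fcontext -a -t postgresql_log_t "/data/pgsql/12/data/log(/.*)?"`, then apply them with `restorecon -Rv /data/pgsql`; that also covers files PostgreSQL creates later.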
Line 208: Line 208:
 useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
 getent passwd tomcat getent passwd tomcat
-tomcat:x:995:993::/opt/tomcat:/bin/nologin+#tomcat:x:995:993::/opt/tomcat:/bin/nologin
 </code> </code>
  
Line 383: Line 383:
 <Server port="-1" shutdown="SHUTDOWN"> <Server port="-1" shutdown="SHUTDOWN">
 </code> </code>
--! CHANGED+
   * Make Tomcat listen only on localhost:   * Make Tomcat listen only on localhost:
     * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port.     * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port.
-    * In same file configure ajp port(''8009'') to look like this: 
  
-    <Connector protocol="AJP/1.3"+  * Set the ''maxSwallowSize'' for the HTTP/1.1 connector: 
 +    * In the ''/opt/tomcat/current/conf/server.xml'', locate the configuration for port 8080 and add the ''maxSwallowSize="-1"'' property therein. 
 + 
 +  * In same file configure ajp port(''8009'') to look like this: 
 + 
 +<code> 
 +<Connector protocol="AJP/1.3"
                 address="127.0.0.1"                 address="127.0.0.1"
                 secretRequired="true"                 secretRequired="true"
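Review bot: `maxSwallowSize="-1"` removes the cap on how many bytes of an aborted or rejected request body Tomcat will read and discard before closing the connection (the default is 2 MB); with no limit, a client can keep a connection and a worker thread busy by streaming an arbitrarily large body. If the intent is to let oversized uploads fail cleanly behind HTTPd, say so in the bullet and prefer a finite value sized to the expected uploads over `-1`. Moving the AJP connector into a `<code>` block is a clear improvement over the indented bullet, and binding both connectors to `address="127.0.0.1"` is the right default when HTTPd fronts Tomcat.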
Line 394: Line 399:
                 port="8009"                 port="8009"
                 redirectPort="8443" />                 redirectPort="8443" />
 +</code>
  
   * Do not show aplication server version:   * Do not show aplication server version:
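Review bot: with `secretRequired="true"` Tomcat refuses to start the AJP connector unless a `secret="..."` attribute is also present, and whatever proxies to it (the `secret` worker parameter of mod_proxy_ajp, or `worker.<name>.secret` for mod_jk) must send the same value. The `secret` line does not fall within the lines shown here, so confirm it survives in the full snippet and that the tutorial tells the reader where to generate and store that value.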
Line 508: Line 513:
  
 <code> <code>
 +  Protocols       h2 https/1.1
   ProxyRequests     off   ProxyRequests     off
   ProxyPreserveHost on   ProxyPreserveHost on
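Review bot: `Protocols h2 https/1.1` only takes effect if `mod_http2` is loaded (on CentOS 8 it ships as a separate `mod_http2` package rather than inside the base `httpd` package) and it applies to TLS virtual hosts only; a plain-HTTP vhost would need `h2c http/1.1` instead. Because this line is added to the reverse-proxy block, add the corresponding install step in the HTTPd installation section and note that the `event` MPM must be in use, as mod_http2 is disabled under `prefork`.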
Line 563: Line 569:
   * Audit log: ''/var/log/httpd/modsec\_audit.log''   * Audit log: ''/var/log/httpd/modsec\_audit.log''
   * Directory with activated rules: ''/etc/httpd/modsecurity.d/activated\_rules/''   * Directory with activated rules: ''/etc/httpd/modsecurity.d/activated\_rules/''
-  * basic configuration file for mod\_security: ''/etc/httpd/modsecurity.d/modsecurity\_crs\_10\_config.conf''+  * basic configuration file for mod\_security: '' /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf''
   * The file for chosen rules deactivation: ''/etc/httpd/conf.d/ssl.conf''   * The file for chosen rules deactivation: ''/etc/httpd/conf.d/ssl.conf''
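Review bot: the new path has a stray space inside the quotes (`'' /etc/httpd/...`) and, unlike the two lines above it, leaves `activated_rules` unescaped; pick one style for the whole list. More importantly, `REQUEST-901-INITIALIZATION.conf` is a rule file shipped with the OWASP Core Rule Set and is overwritten whenever the CRS package is updated, so local edits made there will be lost. In CRS 3 the intended place for site settings (paranoia level, anomaly thresholds, allowed methods and content types) is `crs-setup.conf` (on the CentOS package, look for it under `/etc/httpd/modsecurity.d/`), which is the better candidate for "basic configuration file".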
  
Line 578: Line 584:
 ==== Disabling mod_security rules ==== ==== Disabling mod_security rules ====
  
-In the file ''/etc/httpd/conf.d/ssl.conf'' (or ''/etc/apache2/sites-available/ssl.conf'' for Debian) deactivate following rules and set their logging:+In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging:
 <code xml> <code xml>
 <IfModule mod_security2.c> <IfModule mod_security2.c>
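Review bot: dropping the Debian path is consistent with the page now being CentOS 8 only. One style point: the block is tagged `<code xml>`, but Apache configuration is not XML, and DokuWiki's highlighter has an `apache` language, so `<code apache>` gives correct highlighting for the directives inside the `<IfModule>` block.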
Line 677: Line 683:
 </IfModule> </IfModule>
 </code> </code>
- 
-===== Workaround for slow HTTPD shutdown ===== 
-In some RHEL/CentOS versions Apache HTTPD shutsdown or restarts itself very slowly. It is caused by [[https://bugzilla.redhat.com/show_bug.cgi?id=906321]]. 
-Workaround is to edit '''/usr/lib/systemd/system/httpd.service''' and add the option: 
-<code> 
-KillMode=none 
-</code> 
-Then reload systemd: 
- 
-<code> 
-systemctl daemon-reload 
-</code> 
- 
-It is absolutely correct to create new versions of unity in /etc, that has the option: 
- 
-<code> 
-cp /usr/lib/systemd/system/httpd.service /etc/systemd/system/httpd.service 
-vim /etc/systemd/system/httpd.service # add parametr KillMode=none 
-systemctl daemon-reload 
-</code> 
- 
-The patch of httpd should come soon so the first option is OK too. 
- 
- 
- 
-
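Review bot: removing the KillMode workaround is appropriate for a CentOS 8 page: the removed text itself says a patched httpd was expected, and `KillMode=none` is documented by systemd as deprecated in newer releases because it leaves worker processes running after the unit stops. If the workaround is ever reinstated elsewhere, the preferred form is a drop-in created with `systemctl edit httpd.service` rather than copying the whole unit into `/etc/systemd/system/`, so that package updates to the unit still apply.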