Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:server_preparation_tmp [2020/03/27 14:18]
urbanl [Database server installation - CentOS8]
+++ tutorial:adm:server_preparation_tmp [2020/07/24 07:56]
fiserp [Server preparation - Linux - CentOS8]
@@ Line 1: / Line 1: @@
 <note important>Instalation pro CentOS8
-This tutorial is in development
+**This tutorial is under development, DO NOT USE.**
 Author: Ludek Urban
@@ Line 11: / Line 11: @@
 {{tag>installation java tomcat quickstart "apache httpd"}}
-This tutorial shows how to prepare the server for test or production usage of CzechIdM. If you are looking for much quicker way of how to start the CzechIdM, use the demo setup described here [[:getting-started|]]
+This tutorial shows how to prepare the server for test or production use of CzechIdM. If you are looking for much quicker way of how to start the CzechIdM, use the demo setup described here [[:getting-started|]]
 ===== Basic system setup =====
@@ Line 208: / Line 208: @@
 useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
 getent passwd tomcat
-tomcat:x:995:993::/opt/tomcat:/bin/nologin
+#tomcat:x:995:993::/opt/tomcat:/bin/nologin
 </code>
@@ Line 386: / Line 386: @@
   * Make Tomcat listen only on localhost:
     * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port.
-    * In same file configure ajp port(''8009'') to look like this:
+  * Set the ''maxSwallowSize'' for the HTTP/1.1 connector:
+    * In the ''/opt/tomcat/current/conf/server.xml'', locate the configuration for port 8080 and add the ''maxSwallowSize="-1"'' property therein.
+  * In same file configure ajp port(''8009'') to look like this:
 <code>
@@ Line 565: / Line 569: @@
   * Audit log: ''/var/log/httpd/modsec\_audit.log''
   * Directory with activated rules: ''/etc/httpd/modsecurity.d/activated\_rules/''
-  * basic configuration file for mod\_security: ''/etc/httpd/modsecurity.d/modsecurity\_crs\_10\_config.conf''
+  * basic configuration file for mod\_security: '' /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf''
   * The file for chosen rules deactivation: ''/etc/httpd/conf.d/ssl.conf''
@@ Line 579: / Line 583: @@
 ==== Disabling mod_security rules ====
+These rules are disabled for modsec_crs 3.0.
 In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging:
 <code xml>
 <IfModule mod_security2.c>
-        SecRuleRemoveById 981173
+        SecRuleRemoveById 942430
-        SecRuleRemoveById 960015
+        SecRuleRemoveById 942431
-        SecRuleRemoveById 950109
+        SecRuleRemoveById 920300
+        SecRuleRemoveById 920230
         # Allow Czech signs
-        SecRuleRemoveById 981318
+        SecRuleRemoveById 942110
-        SecRuleRemoveById 981242
+        SecRuleRemoveById 942330
-        SecRuleRemoveById 960024
+        SecRuleRemoveById 942460
-        SecRuleRemoveById 981245
+        SecRuleRemoveById 942260
         # Too restrictive for login format
-        SecRuleRemoveById 960035
+        SecRuleRemoveById 920440
         # Needed by Websockets
         <Location "/idm/api/v1/websocket-info/">
-                SecRuleRemoveById 970901
+                SecRuleRemoveById 950100
         </Location>
-        # These break Certificate Authority module
-	<Location "/idm/api/v1/crt/certificates/action/validate">
-		SecRuleRemoveById 960915
-		SecRuleRemoveById 200003
-	</Location>
-	# Modsec can throw false positives on some files due to multipart boundary check
-	<Location "/idm/api/v1/attachments/upload">
-		SecRuleRemoveById 960915
-		SecRuleRemoveById 200003
-	</Location>
         # do not log request/response body
         SecAuditLogParts ABFHZ
@@ Line 620: / Line 616: @@
 ==== mod_security configuration - CentOS8  ====
-In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf, find the rule 900200 and 900220 then add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods.
+In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf
-Whole rules after the changes looks like this:
+  * find the rule 900200 and add methods PUT DELETE and PATCH on the line with tx.allowed\_methods. It look like this after change:
 <code>
@@ Line 631: / Line 628: @@
     nolog,\
     setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
+</code>
+  * find the rule 900220 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, after change:
+<code>
 # Default HTTP policy: allowed_request_content_type (rule 900220)
 SecRule &TX:allowed_request_content_type "@eq 0" \