Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
tutorial:adm:server_preparation_tmp [2020/07/24 09:15]
fiserp [Apache Tomcat configuration] 		tutorial:adm:server_preparation_tmp [2020/07/24 11:35]
fiserp [mod_security configuration - CentOS8]
Line 480: Line 480:
 HTTPd basic configuration: HTTPd basic configuration:
  
-Change MPM to worker (lower system requirements) - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment all lines but mod\_mpm\_worker.so:+Change MPM to worker - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment-out all lines but mod\_mpm\_worker.so:
  
 <code bash> <code bash>
Line 510: Line 510:
 </code> </code>
  
-Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'':+Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'SERVER' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'':
 <code xml> <code xml>
 <VirtualHost _default_:80> <VirtualHost _default_:80>
Line 544: Line 544:
 </code> </code>
  
-We also have to secure the communication. **Edit** corresponding lines in ''ssl.conf'' so they look like this. +Syntax check before httpd restart
-<code> +
-SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +
-SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4:!3DES+SHA:!IDEA +
-SSLHonorCipherOrder on +
-</code> +
-<note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM. If this is your case, you may need to slacken the cipher settings a bit.</note> +
- +
-Syntax check before httpd restart:+
 <code> <code>
 httpd -t -D DUMP_VHOST httpd -t -D DUMP_VHOST
 +# or apachectl configtest
 </code> </code>
  
Line 624: Line 617:
 ==== mod_security configuration - CentOS8  ==== ==== mod_security configuration - CentOS8  ====
  
-In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf+Edit the file ''/etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf''.
  
-  * find the rule 900200 and add methods PUT DELETE and PATCH on the line with tx.allowed\_methods. It look like this after change:+  * find the rule ''900200'' and add methods ''PUT'', ''DELETE'' and ''PATCH'' on the line starting ''tx.allowed\_methods''. It should look like this after change:
  
 <code> <code>
Line 638: Line 631:
 </code> </code>
  
-  * find the rule 900220 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, after change:+  * find the rule ''900220'' and add support for content type ''application/hal+json'' on the line starting with ''tx.allowed\_request\_content\_type''. Result should look like this:
  
 <code> <code>