Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
tutorial:adm:server_preparation_tmp [2020/06/18 13:18]
urbanl [Disabling mod_security rules] 		tutorial:adm:server_preparation_tmp [2020/07/24 08:00]
fiserp [Basic system setup]
Line 11: Line 11:
 {{tag>installation java tomcat quickstart "apache httpd"}} {{tag>installation java tomcat quickstart "apache httpd"}}
  
-This tutorial shows how to prepare the server for test or production usage of CzechIdM. If you are looking for much quicker way of how to start the CzechIdM, use the demo setup described here [[:getting-started|]]+This tutorial shows how to prepare the server for test or production use of CzechIdM. If you are looking for much quicker way of how to start the CzechIdM, use the demo setup described here [[:getting-started|]]
  
 ===== Basic system setup ===== ===== Basic system setup =====
-  * 1 server (can be virtualized) for all: backend, frontend and database.  +  * 1 server (can be virtualized) for everything: backend, frontend and database.  
-  * OS Linux with EPEL repository enabled - CENTOS, basic network enabled installation +  * OS Linux with EPEL repository enabled - CentOS, basic network enabled installation 
-    * It is possible to use Debian but you have to adjust the installation guide a little. We tested CzechIdM installation on Stretch+    * It is possible to use Debian (we tested on Stretch) or other distributions, but you have to adjust steps in this guide accordingly
-  * PostgreSQL - installed from a new repository +  * PostgreSQL 12.x - installed from OS packages. 
-  * Java - distribution repository (OpenJDK 1.8) +  * Java 11 installed from OS packages
-  * Apache Tomcat - manually installed into /opt/tomcat +  * Apache Tomcat 8.5.x - installed manually into ''/opt/tomcat''
-  * Services start via systemd in OS +  * Apache HTTPd 2.4.x - installed from OS packages. Can be replaced by nGinx. 
-  * Services run under dedicated user (non-privileged one) +  * All services start via systemd. 
 +  * Each service runs under dedicated non-privileged user.
 ===== Instalation and software configuration ===== ===== Instalation and software configuration =====
 Prerequisities - Basic installation of CentOS 8 Prerequisities - Basic installation of CentOS 8
Line 616: Line 616:
 ==== mod_security configuration - CentOS8  ==== ==== mod_security configuration - CentOS8  ====
  
-In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conffind the rule 900200 and 900220 then add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods. +In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf 
-Whole rules after the changes looks like this:+ 
 +  * find the rule 900200 and add methods PUT DELETE and PATCH on the line with tx.allowed\_methods. It look like this after change:
  
 <code> <code>
Line 627: Line 628:
     nolog,\     nolog,\
     setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"     setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
 +</code>
  
 +  * find the rule 900220 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, after change:
 +
 +<code>
 # Default HTTP policy: allowed_request_content_type (rule 900220) # Default HTTP policy: allowed_request_content_type (rule 900220)
 SecRule &TX:allowed_request_content_type "@eq 0" \ SecRule &TX:allowed_request_content_type "@eq 0" \