Differences

This shows you the differences between two versions of the page.

tutorial:adm:server_preparation_tmp [2020/06/24 12:00]
kolarikj [mod_security configuration - CentOS8]
— (current)
Line 1: Line 1:
-<note important>Instalation pro CentOS8  
- 
-**This tutorial is under development, DO NOT USE.** 
- 
-Author: Ludek Urban 
-</note> 
- 
- 
-====== Server preparation - Linux - CentOS8 ====== 
- 
-{{tag>installation java tomcat quickstart "apache httpd"}} 
- 
-This tutorial shows how to prepare the server for test or production usage of CzechIdM. If you are looking for much quicker way of how to start the CzechIdM, use the demo setup described here [[:getting-started|]] 
- 
-===== Basic system setup ===== 
-  * 1 server (can be virtualized) for all: backend, frontend and database.  
-  * OS Linux with EPEL repository enabled - CENTOS, basic network enabled installation 
-    * It is possible to use Debian but you have to adjust the installation guide a little. We tested CzechIdM installation on Stretch. 
-  * PostgreSQL - installed from a new repository 
-  * Java - distribution repository (OpenJDK 1.8) 
-  * Apache Tomcat - manually installed into /opt/tomcat 
-  * Services start via systemd in OS 
-  * Services run under dedicated user (non-privileged one) 
- 
-===== Instalation and software configuration ===== 
-Prerequisities - Basic installation of CentOS 8 
-<code bash> 
-# EPEL installation 
-yum clean all 
-yum install -y epel-release 
-yum update -y 
-# other recommended packages installation 
-yum install -y mc haveged nmap screen sysstat telnet net-tools nano wget  vim-enhanced bzip2 bash-completion lsof zip unzip psmisc policycoreutils-python-utils 
-# enable haveged after OS start 
-systemctl start haveged.service 
-systemctl enable haveged.service 
-# remove unnecessary software 
-yum remove -y postfix 
-systemctl stop avahi-daemon.socket avahi-daemon.service 
-systemctl disable avahi-daemon.socket avahi-daemon.service 
-yum remove -y avahi-autoipd avahi 
-# set the hostname 
-hostnamectl set-hostname FQDN_server_name 
-hostnamectl status 
-# check the network configuration, be sure it is static (/etc/sysconfig/network-scripts/) 
-# reboot the server 
-</code> 
- 
-===== PostgreSQL  ===== 
-<note tip>If you are install CzechIdM on Sql server, please follow [[tutorial:adm:mssql_database_support|this tutorial]].</note> 
-CentOS8 default repository version of PostgreSQL is 10 but IdM not support that version. In our tutorial, we will install newer version 12. Moreover, we install database data into /data not /var/lib which is the default option. 
-==== Database server installation - CentOS8 ==== 
-  * Software installation on CentOS8(versions can vary): 
- 
-<code bash> 
-# enable module postgres 12 
-yum module enable postgresql:12 
-yum install -y postgresql-server postgresql-contrib postgresql-libs 
-</code> 
- 
-  * create new system directory: 
- 
-<code bash> 
-mkdir -p /data/pgsql/12/data/ 
-mkdir -p /data/pgsql/12/data/ 
-chown -R postgres:postgres /data/pgsql/ 
-chmod 700 /data/pgsql 
-</code> 
- 
-  * Copy of the configuration file for systemd, in which we will make change of directory for data: 
- 
-<code bash> 
-cp /usr/lib/systemd/system/postgresql.service /etc/systemd/system/ 
-</code> 
- 
-In the file ''/etc/systemd/system/postgresql.service'' change the directory for data as follows: 
-<code> 
-# Location of database directory 
-Environment=PGDATA=/data/pgsql/12/data/ 
-</code> 
- 
-  * In the file ''~postgres/.bash_profile'' change the variable PGDATA value to: 
- 
-<code> 
-PGDATA=/data/pgsql/12/data 
-</code> 
- 
-  * Reload changes: 
- 
-<code bash> 
- 
-systemctl daemon-reload 
- 
-</code> 
- 
-  * Initialize database: 
- 
-<code bash> 
-/usr/bin/postgresql-setup --initdb --unit postgresql 
-</code> 
- 
-Change SELINUX labels: 
-<code> 
-chcon -Rt postgresql_db_t /data/pgsql/ 
-chcon -Rt postgresql_log_t /data/pgsql/12/data/log/ 
-</code> 
- 
-  * Enable and start database: 
- 
-<code bash> 
-systemctl start postgresql.service 
-systemctl enable postgresql.service 
-</code> 
- 
-  * Check that the database is running: 
- 
-<code bash> 
-[root@HOSTNAME data]# systemctl status postgresql.service -l 
-● postgresql.service - PostgreSQL database server 
-   Loaded: loaded (/etc/systemd/system/postgresql.service; enabled; vendor preset: disabled) 
-   Active: active (running) since Wed 2020-03-11 10:48:06 CET; 1min 8s ago 
- Main PID: 25715 (postmaster) 
-    Tasks: 8 (limit: 52428) 
-   Memory: 19.8M 
-   CGroup: /system.slice/postgresql.service 
-           ├─25715 /usr/bin/postmaster -D /data/pgsql/12/data/ 
-           ├─25716 postgres: logger    
-           ├─25718 postgres: checkpointer    
-           ├─25719 postgres: background writer    
-           ├─25720 postgres: walwriter    
-           ├─25721 postgres: autovacuum launcher    
-           ├─25722 postgres: stats collector    
-           └─25723 postgres: logical replication launcher    
- 
-Mar 11 10:48:06 HOSTNAME systemd[1]: Starting PostgreSQL database server... 
-Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.255 CET [25715] LOG:  starting PostgreSQL 12.1 on x86_64-redhat-linux-gnu, compiled by gcc (G> 
-Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.256 CET [25715] LOG:  listening on IPv6 address "::1", port 5432 
-Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.256 CET [25715] LOG:  listening on IPv4 address "127.0.0.1", port 5432 
-Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.285 CET [25715] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432" 
-Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.300 CET [25715] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5432" 
-Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.330 CET [25715] LOG:  redirecting log output to logging collector process 
-Mar 11 10:48:06 HOSTNAME postmaster[25715]: 2020-03-11 10:48:06.330 CET [25715] HINT:  Future log output will appear in directory "log". 
-Mar 11 10:48:06 HOSTNAME systemd[1]: Started PostgreSQL database server. 
-</code> 
- 
- 
-==== DB server configuration ==== 
- 
-First of all, enable the password authentication. 
- 
-In the file ''/data/pgsql/12/data/pg_hba.conf'' find lines: 
-<code> 
-host    all             all             127.0.0.1/32            ident 
-host    all             all             ::1/128                 ident 
-</code> 
- 
-and change the value at the end of each line into md5 like this: 
-<code> 
-host    all             all             127.0.0.1/32            md5 
-host    all             all             ::1/128                 md5 
-</code> 
- 
-Now we can do DB sizing. We presume the system has 3GB dedicated for the db. We can also log the queries logging (those over 200ms). **For particular sizing, use a [[https://pgtune.leopard.in.ua/#/|calculator]]**. 
-In a file ''/data/pgsql/12/data/postgresql.conf'' edit (add those if not exist) lines: 
-<code> 
-max_connections = 100 # (change requires restart) 
- 
-shared_buffers = 768MB # min 128kB 
-effective_cache_size = 2304MB 
-work_mem = 7864kB 
-maintenance_work_mem = 192MB 
- 
-min_wal_size = 1GB 
-max_wal_size = 2GB 
-checkpoint_completion_target = 0.7 
-wal_buffers = 16MB 
- 
-default_statistics_target = 100 
- 
-log_min_duration_statement = 200 
-</code> 
- 
-Restart DB: ''systemctl restart  postgresql.service'' 
- 
-<note>If you install the database to a different server than the CzechIdM application itself (Tomcat etc.), don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note> 
- 
-===== Java - CentOS8 ===== 
- 
-Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.11) from standard OS repository. 
- 
-Installation: 
-<code bash> 
-yum install -y java-11-openjdk-headless java-11-openjdk-devel 
-</code> 
- 
-Then create the file ''/etc/profile.d/java.sh'' with following: 
-<file bash java.sh> 
-[ -d /usr/lib/jvm/java-openjdk ] && export JAVA_HOME=/usr/lib/jvm/java-openjdk 
-</file> 
- 
- 
-===== Tomcat ===== 
- 
-  * Create a new group and add user for the tomcat to run under: 
- 
-<code> 
-groupadd -r tomcat 
-useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat 
-getent passwd tomcat 
-#tomcat:x:995:993::/opt/tomcat:/bin/nologin 
-</code> 
- 
-  * change working directory into /opt/tomcat 
- 
-<code bash> 
-mkdir /opt/tomcat 
-cd /opt/tomcat 
-</code> 
- 
-  * Download Apache Tomcat 8.5.x from the website [[https://tomcat.apache.org/download-80.cgi]] to **/opt/tomcat/** 
-    * In our exapmle the version is 8.5.8. 
- 
-  * extract files from archive: 
- 
-<code bash> 
-tar xzf apache-tomcat-8.5.8.tar.gz 
-</code> 
- 
-  * create a new symbolic link to current user version (we presume there may be more versions at the server in future due to upgrades/updates) 
- 
-<code bash> 
-cd /opt/tomcat 
-ln -s apache-tomcat-8.5.8 current 
-</code> 
- 
-  * Set rights on files for tomcat user (still working under root): 
- 
-<code bash> 
-chown -R root:root /opt/tomcat 
-chown root:tomcat /opt/tomcat 
-chmod 750 /opt/tomcat 
-cd /opt/tomcat/current 
-chmod o+rX -R ./ 
-chgrp -R tomcat conf/ bin/ lib/ 
-chmod g+rwx conf 
-chmod g+r conf/* 
-chown -R tomcat webapps/ work/ temp/ logs/ 
-</code> 
- 
- 
-==== Start Tomcat automatically after system startup ==== 
- 
-  * Create startup script (systemd unit), in which we also set the basic JVM parameters: 
- 
-<code bash> 
-vim /etc/systemd/system/tomcat.service 
-</code> 
- 
-  * File content of ''/etc/systemd/system/tomcat.service'': 
- 
-<file ini tomcat.service> 
-# Systemd unit file for tomcat 
-[Unit] 
-Description=Apache Tomcat Web Application Container 
-After=syslog.target network.target 
- 
-[Service] 
-Type=forking 
- 
-PIDFile=/opt/tomcat/current/temp/tomcat.pid 
- 
-Environment=JAVA_HOME=/usr/lib/jvm/java-openjdk 
-Environment=CATALINA_PID=/opt/tomcat/current/temp/tomcat.pid 
-Environment=CATALINA_HOME=/opt/tomcat/current 
-Environment=CATALINA_BASE=/opt/tomcat/current 
-Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC' 
-Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8' 
- 
-ExecStart=/opt/tomcat/current/bin/startup.sh 
-ExecStop=/opt/tomcat/current/bin/shutdown.sh 
- 
-User=tomcat 
-Group=tomcat 
- 
-[Install] 
-WantedBy=multi-user.target 
-</file> 
- 
-  * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more. 
- 
-  * Tomcat will be started under user ''tomcat:tomcat'' a will use java installed in ''/usr/lib/jvm/java-1.8.0-openjdk''. 
-  * After every systemd configuration change it is necessary to reload: 
- 
-<code> 
-systemctl daemon-reload 
-</code> 
-  * Test start: 
-<code> 
-systemctl start tomcat 
-</code> 
-  * Check that Tomcat runs with desirable parameters: 
-<code bash> 
-[root@tomcat1 logs]# ps -u tomcat -fwww 
-UID        PID  PPID  C STIME TTY          TIME CMD 
-tomcat    1602      1 09:44 ?        00:00:02 /usr/lib/jvm/java-openjdk/bin/java -Djava.util.logging.config.file=/opt/tomcat/current/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djavax.servlet.request.encoding=UTF-8 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Xms512M -Xmx1024M -server -XX:+UseParallelGC -classpath /opt/tomcat/current/bin/bootstrap.jar:/opt/tomcat/current/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat/current -Dcatalina.home=/opt/tomcat/current -Djava.io.tmpdir=/opt/tomcat/current/temp org.apache.catalina.startup.Bootstrap start 
-</code> 
-  * Stop Apache Tomcat: 
-<code> 
-systemctl stop tomcat 
-</code> 
-  * Enable tomcat start after OS start: 
-<code bash> 
-systemctl enable tomcat 
-</code> 
- 
-==== Apache Tomcat configuration ==== 
- 
-=== Interface Management === 
- 
-Apache Tomcat offers two applications for tomcat management available at: 
- 
-  * http://localhost:8080/manager 
-  * http://localhost:8080/host-manager 
- 
-If you want to use them, it is necessary to do following steps. 
- 
-First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. 
- 
-Create user like this: 
- 
-Create the a new user in the file  ''/opt/tomcat/current/conf/tomcat-users.xml'' and assign him roles "manager-gui" and "admin-gui". 
-The documentation of available roles as well as overall configuration of the application is a part of application installation available at http://localhost:8080/docs/manager-howto.html#Configuring_Manager_Application_Access 
- 
-The file ''/opt/tomcat/current/conf/tomcat-users.xml'' looks like this: 
-<file xml tomcat-users.xml> 
-<?xml version="1.0" encoding="UTF-8"?> 
-<tomcat-users xmlns="http://tomcat.apache.org/xml" 
-              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
-              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" 
-              version="1.0"> 
-  <role rolename="manager-script"/> 
-  <role rolename="manager-gui"/> 
-  <role rolename="manager-jmx"/> 
-  <role rolename="manager-status"/> 
-  <role rolename="admin-gui"/> 
-  <user username="admin" password="*****store it somewhere safe*****" roles="manager-gui,manager-status,admin-gui"/> 
-</tomcat-users> 
-</file> 
- 
-If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. If you see ''403 Access Denied'' it might be you did not do this setting. 
- 
-Add your IP address into application configuration files. In files ''/opt/tomcat/current/webapps/manager/META-INF/context.xml'' and ''/opt/tomcat/current/webapps/host-manager/META-INF/context.xml'' add net mask for your IP (both files should have the same content): 
- 
-In my case, I want to access to Tomcat management from network 192.168.0.0/24: 
- 
-<file xml context.xml> 
-<?xml version="1.0" encoding="UTF-8"?> 
-<Context antiResourceLocking="false" privileged="true" > 
-  <Valve className="org.apache.catalina.valves.RemoteAddrValve" 
-         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.\d+\.\d+" /> 
-</Context> 
-</file> 
- 
-Again, restart the tomcat: 
-<code bash> 
-systemctl restart tomcat 
-</code> 
- 
-===  Apache Tomcat configuration recommended for production usage === 
- 
-It is advised to follow these steps for production usage: 
- 
-  * Remove unnecessary applications that comes with Tomcat: 
- 
-<code bash> 
-rm -rf /opt/tomcat/current/webapps/{examples,docs,ROOT,host-manager,manager} 
-</code> 
- 
-  * Turn off the shutdown port: 
-    * In the config file ''/opt/tomcat/current/conf/server.xml'' set value -1 from 8005 to the Server port tag, thus you deactivate it: 
- 
-<code xml> 
-<Server port="-1" shutdown="SHUTDOWN"> 
-</code> 
- 
-  * Make Tomcat listen only on localhost: 
-    * In the ''/opt/tomcat/current/conf/server.xml'' add the ''address="127.0.0.1"'' property to configuration of ''8080'' port. 
- 
-  * Set the ''maxSwallowSize'' for the HTTP/1.1 connector: 
-    * In the ''/opt/tomcat/current/conf/server.xml'', locate the configuration for port 8080 and add the ''maxSwallowSize="-1"'' property therein. 
- 
-  * In same file configure ajp port(''8009'') to look like this: 
- 
-<code> 
-<Connector protocol="AJP/1.3" 
-                address="127.0.0.1" 
-                secretRequired="true" 
-                secret="***password for ajp port***" 
-                port="8009" 
-                redirectPort="8443" /> 
-</code> 
- 
-  * Do not show aplication server version: 
-    * In the file ''/opt/tomcat/current/conf/web.xml'' set showServerInfo to false (default is true): 
- 
-<code xml> 
-    <servlet> 
-        <servlet-name>default</servlet-name> 
-        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> 
-        <init-param> 
-            <param-name>debug</param-name> 
-            <param-value>0</param-value> 
-        </init-param> 
-        <init-param> 
-            <param-name>listings</param-name> 
-            <param-value>false</param-value> 
-        </init-param> 
-        <init-param> 
-            <param-name>showServerInfo</param-name> 
-            <param-value>false</param-value> 
-        </init-param> 
-        <load-on-startup>1</load-on-startup> 
-    </servlet> 
-</code> 
- 
-=== Rotating Tomcat logs === 
-Default Tomcat logger appneds to the logfile, it is therefore safe to use simple ''logrotate'' configuration. Save following as ''/etc/logrotate.d/tomcat'', adjust log retention (the ''rotate COUNT'') as necessary. 
-<file txt tomcat> 
-/opt/tomcat/current/logs/catalina.out { 
- rotate 90 
- daily 
- dateext 
- copytruncate 
- missingok 
- notifempty 
- compress 
-} 
-</file> 
-It is possible that, on some distros, SELinux will deny acces to the logfile for logrotate because ''logrotate_t'' is only allowed in the ''/var/log'' and subfolders. The logrotate will error to the ''/var/log/messages'' line similar to ''Sep  3 03:48:01 server.tld logrotate: ALERT exited abnormally with [1]''. 
- 
-If this happens, set the permissive mode for logrotate: 
-<code> 
-semanage permissive -a logrotate_t 
-</code> 
- 
-<note warning> 
-Evaluate impact of SELinux adjustments **before** you implement them. Proper mitigation heavily depends on habits and security policies of your organization. 
- 
-There are some possibilities: 
-  * Set permissive mode for logrotate as above. 
-  * Set permissive mode for whole SELinux. (This will drop the SELinux's protective function.) 
-  * Adjust particular SELinux labels. Example ([[https://access.redhat.com/solutions/39006|here]]). 
-</note> 
- 
- 
-====== Apache httpd as a reverse proxy ====== 
- 
-It is possible to open Apache Tomcat to the network directly, but little inconvenient. You want the users to access the CzechIdM on user-friendly ports 80/tcp or 443/tcp, which is not easy to setup in Tomcat itself running under nonprivileged user. So we use Apache httpd as a reverse proxy. 
-Apache httpd will allow access to data via https on port 443/tcp and http on port 80/tcp. Communication via http protocol will be enabled, but we will redirect all communication to https. 
-Communication between Apache httpd and Tomcat will take place on local machine via AJP protocol. In httpd, there will be mod_security installed (optional but recommended), which serves as an application firewall. 
- 
-The configuration example is written for the server which allows access to its services under the name "demo.czechidm.com". 
- 
-===== HTTPd installation and configuration ===== 
- 
-Install httpd and mod\_security: 
- 
-<code bash> 
-yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs 
-</code> 
- 
-HTTPd basic configuration: 
- 
-Change MPM to worker (lower system requirements) - in the file ''/etc/httpd/conf.modules.d/00-mpm.conf'' comment all lines but mod\_mpm\_worker.so: 
- 
-<code bash> 
-# Select the MPM module which should be used by uncommenting exactly 
-# one of the following LoadModule lines: 
- 
-# prefork MPM: Implements a non-threaded, pre-forking web server 
-# See: http://httpd.apache.org/docs/2.4/mod/prefork.html 
-#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so 
- 
-# worker MPM: Multi-Processing Module implementing a hybrid 
-# multi-threaded multi-process web server 
-# See: http://httpd.apache.org/docs/2.4/mod/worker.html 
-# 
-LoadModule mpm_worker_module modules/mod_mpm_worker.so 
- 
-# event MPM: A variant of the worker MPM with the goal of consuming 
-# threads only for connections with active processing 
-# See: http://httpd.apache.org/docs/2.4/mod/event.html 
-# 
-#LoadModule mpm_event_module modules/mod_mpm_event.so 
-</code> 
- 
-Disable "welcome" page: 
-<code bash> 
-cd /etc/httpd/conf.d 
-mv welcome.conf welcome.conf-DISABLED 
-touch welcome.conf 
-</code> 
- 
-Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/etc/httpd/conf.d/vhost-redirect.conf'': 
-<code xml> 
-<VirtualHost _default_:80> 
-   DocumentRoot /var/www/html 
-   Redirect permanent / https://SERVER/ 
-</VirtualHost> 
-</code> 
- 
-Set the  proxy in the virtualhost for https (443/tcp) - at the end of the file ''/etc/httpd/conf.d/ssl.conf'' add following before ending "tag" VirtualHost: 
- 
-<code> 
-  Protocols       h2 https/1.1 
-  ProxyRequests     off 
-  ProxyPreserveHost on 
-  ProxyAddHeaders on 
-  ProxyPass / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret** 
-  ProxyPassReverse / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret** 
-</code> 
- 
-In IE 11, CzechIdM  has problems with missing icons. Icons are created by special fonts and those fonts are handled badly in the IE. It is necessary to set ''Cache-Control'' HTTP header. We need to set it only for font files: 
-<code> 
-# workaround for bad font handling in IE 11 
-<LocationMatch "/idm/.*(\.ttf|\.woff2|\.eot)$"> 
-        Header set Cache-Control "no-cache, public, must-revalidate, proxy-revalidate"  
-</LocationMatch> 
-</code> 
- 
-Identity manager CzechIdM will be available on address https://server/idm/ It is possible to forward from / to /idm/, so that the user does not need to type the whole URL. 
-To do so, add following lines to the virtualhost config file (ssl.conf): 
-<code> 
-RewriteEngine On 
-RewriteRule "^/$"  "/idm/" [R]  
-</code> 
- 
-We also have to secure the communication. **Edit** corresponding lines in ''ssl.conf'' so they look like this. 
-<code> 
-SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 
-SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4:!3DES+SHA:!IDEA 
-SSLHonorCipherOrder on 
-</code> 
-<note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM. If this is your case, you may need to slacken the cipher settings a bit.</note> 
- 
-Syntax check before httpd restart: 
-<code> 
-httpd -t -D DUMP_VHOST 
-</code> 
- 
-httpd restart and reload configuration changes: 
-<code> 
-systemctl restart httpd 
-</code> 
- 
-Allow in SELINUX to httpd connect to network: 
-<code> 
-/usr/sbin/setsebool -P httpd_can_network_connect 1 
-</code> 
-  
-Enable httpd after OS start: 
-<code bash> 
-systemctl enable httpd.service 
-</code> 
- 
-===== mod_security configuration ===== 
-Mod_security files locations (on CentOS8): 
- 
-  * Audit log: ''/var/log/httpd/modsec\_audit.log'' 
-  * Directory with activated rules: ''/etc/httpd/modsecurity.d/activated\_rules/'' 
-  * basic configuration file for mod\_security: '' /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf'' 
-  * The file for chosen rules deactivation: ''/etc/httpd/conf.d/ssl.conf'' 
- 
-The default set of rules is relatively strict. CzechIdM cannot run with the default configuration of mod_security. 
- 
-Each rule is identified by a unique ID. If you want to deactivate the whole rule, it is advised to write the rule ID into ssl.conf like this: 
- 
-<code xml> 
-  <IfModule mod_security2.c> 
-    SecRuleRemoveById RULE_ID 
-  </IfModule> 
-</code> 
- 
-==== Disabling mod_security rules ==== 
- 
-These rules are disabled for modsec_crs 3.0. 
- 
-In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging: 
- 
-<code xml> 
-<IfModule mod_security2.c> 
-        SecRuleRemoveById 942430 
-        SecRuleRemoveById 942431 
-        SecRuleRemoveById 920300 
-        SecRuleRemoveById 920230 
-         
-        # Allow Czech signs 
-        SecRuleRemoveById 942110 
-        SecRuleRemoveById 942330 
-        SecRuleRemoveById 942460 
-        SecRuleRemoveById 942260 
-         
-        # Too restrictive for login format 
-        SecRuleRemoveById 920440 
-         
-        # Needed by Websockets  
-        <Location "/idm/api/v1/websocket-info/"> 
-                SecRuleRemoveById 950100 
-        </Location> 
-         
-        # do not log request/response body 
-        SecAuditLogParts ABFHZ 
-</IfModule> 
-</code> 
- 
-==== mod_security configuration - CentOS8  ==== 
- 
-In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf 
- 
-  * find the rule 900200 and add methods PUT DELETE and PATCH on the line with tx.allowed\_methods. It look like this after change: 
- 
-<code> 
-# Default HTTP policy: allowed_methods (rule 900200) 
-SecRule &TX:allowed_methods "@eq 0" \ 
-    "id:901160,\ 
-    phase:1,\ 
-    pass,\ 
-    nolog,\ 
-    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'" 
-</code> 
- 
-  * find the rule 900220 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, after change: 
- 
-<code> 
-# Default HTTP policy: allowed_request_content_type (rule 900220) 
-SecRule &TX:allowed_request_content_type "@eq 0" \ 
-    "id:901162,\ 
-    phase:1,\ 
-    pass,\ 
-    nolog,\ 
-    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain|application/hal+json'" 
-</code> 
- 
- 
-===== mod_deflate configuration ===== 
-It is advised to set up gzip so the users get minimum of data from the frontend server. 
-In the file ''/etc/httpd/conf.d/ssl.conf'' we add following configuration and restart the server: 
-<code xml> 
-<IfModule mod_deflate.c> 
-        # Compress HTML, CSS, JavaScript, Text, XML and fonts 
-        AddOutputFilterByType DEFLATE application/javascript 
-        AddOutputFilterByType DEFLATE application/rss+xml 
-        AddOutputFilterByType DEFLATE application/vnd.ms-fontobject 
-        AddOutputFilterByType DEFLATE application/x-font 
-        AddOutputFilterByType DEFLATE application/x-font-opentype 
-        AddOutputFilterByType DEFLATE application/x-font-otf 
-        AddOutputFilterByType DEFLATE application/x-font-truetype 
-        AddOutputFilterByType DEFLATE application/x-font-ttf 
-        AddOutputFilterByType DEFLATE application/x-javascript 
-        AddOutputFilterByType DEFLATE application/xhtml+xml 
-        AddOutputFilterByType DEFLATE application/xml 
-        AddOutputFilterByType DEFLATE font/opentype 
-        AddOutputFilterByType DEFLATE font/otf 
-        AddOutputFilterByType DEFLATE font/ttf 
-        AddOutputFilterByType DEFLATE image/svg+xml 
-        AddOutputFilterByType DEFLATE image/x-icon 
-        AddOutputFilterByType DEFLATE text/css 
-        AddOutputFilterByType DEFLATE text/html 
-        AddOutputFilterByType DEFLATE text/javascript 
-        AddOutputFilterByType DEFLATE text/plain 
-        AddOutputFilterByType DEFLATE text/xml 
-        AddOutputFilterByType DEFLATE application/json 
-        AddOutputFilterByType DEFLATE application/hal+json 
- 
-        # Remove browser bugs (only needed for really old browsers) 
-        BrowserMatch ^Mozilla/4 gzip-only-text/html 
-        BrowserMatch ^Mozilla/4\.0[678] no-gzip 
-        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html 
-        Header append Vary User-Agent 
-</IfModule> 
-</code> 
- 
  
  • by kolarikj