Differences
tutorial:adm:server_preparation_win [2018/12/04 10:18] fiserp [mod_security installation]
tutorial:adm:server_preparation_win [2020/06/04 08:55] fiserp [HTTPd installation and configuration]
Line 1: | Line 1: | ||
+ | ====== Server preparation - Windows ====== | ||
+ | {{tag> | ||
+ | |||
+ | This tutorial shows you how to prepare the server for test or production use of CzechIdM. If you are looking for a much quicker way of installing CzechIdM, use the demo setup described here [[: | ||
+ | |||
+ | ===== Basic system setup ===== | ||
+ | * 1 server (can be virtualized) for everything: backend, frontend and database. | ||
+ | * OS Windows, ideally W2012 and newer | ||
+ | * PostgreSQL - installed from EnterpriseDB | ||
+ | * Java - installed from Oracle JDK | ||
+ | * Apache Tomcat - installed by Tomcat .exe installer | ||
+ | * Services start via system services (services.msc) | ||
+ | |||
+ | ===== Instalation and software configuration ===== | ||
+ | Prerequisities - Basic installation of Windows Server 2012. | ||
+ | * Install the **Telnet Client** system feature through **Programs and Features**. This is optional but greatly helps with debugging network problems. | ||
+ | * Install [[https:// | ||
+ | * Install [[https:// | ||
+ | * Use **checkout-windows, | ||
+ | * **Do not** enable integration with windows cmd. | ||
+ | * Disable unnecessary windows services. | ||
+ | * Disable Microsoft IIS if installed. | ||
+ | ===== PostgreSQL ===== | ||
+ | On Windows, we use [[https:// | ||
+ | * For installation, | ||
+ | * Set location for binaries to '' | ||
+ | * Set location for database to '' | ||
+ | * Install all components (pgAdmin, StackBuilder, | ||
+ | * Leave the locale at '' | ||
+ | * After installation, | ||
+ | * To enter services menu, get to the Start-> | ||
+ | |||
+ | Edit the PostgreSQL configuration file '' | ||
+ | < | ||
+ | listen_addresses = ' | ||
+ | port = 5432 # (change requires restart) | ||
+ | max_connections = 150 # (change requires restart) | ||
+ | superuser_reserved_connections = 3 # (change requires restart) | ||
+ | shared_buffers = 512MB # min 128kB | ||
+ | work_mem = 12815kB # min 64kB | ||
+ | maintenance_work_mem = 384MB | ||
+ | dynamic_shared_memory_type = windows # the default is the first option | ||
+ | wal_level = hot_standby | ||
+ | wal_buffers = 16MB # min 32kB, -1 sets based on shared_buffers | ||
+ | max_wal_size = 2GB | ||
+ | min_wal_size = 1GB | ||
+ | checkpoint_completion_target = 0.7 # checkpoint target duration, 0.0 - 1.0 | ||
+ | max_wal_senders = 5 | ||
+ | wal_keep_segments = 32 | ||
+ | max_replication_slots = 5 | ||
+ | effective_cache_size = 4608MB | ||
+ | default_statistics_target = 100 # range 1-10000 | ||
+ | logging_collector = on | ||
+ | log_directory = ' | ||
+ | log_filename = ' | ||
+ | log_truncate_on_rotation = on | ||
+ | log_checkpoints = on | ||
+ | log_line_prefix = '%t [%p]: [%l-1] user=%u, | ||
+ | log_lock_waits = on | ||
+ | log_temp_files = 0 | ||
+ | log_timezone = ' | ||
+ | update_process_title = off | ||
+ | track_io_timing = on | ||
+ | log_autovacuum_min_duration = 0 | ||
+ | datestyle = 'iso, mdy' | ||
+ | timezone = ' | ||
+ | lc_messages = ' | ||
+ | lc_monetary = ' | ||
+ | lc_numeric = ' | ||
+ | lc_time = ' | ||
+ | default_text_search_config = ' | ||
+ | </ | ||
+ | |||
+ | Configure the authentication in the '' | ||
+ | < | ||
+ | # TYPE DATABASE | ||
+ | |||
+ | # IPv4 local & remote connections: | ||
+ | host all | ||
+ | host all | ||
+ | # IPv6 local connections: | ||
+ | host all | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | ===== Java ===== | ||
+ | Install the Oracle JDK (minimal version is 1.8). You can download it from [[http:// | ||
+ | |||
+ | Install the Java into a standard directory in Program Files. Having finished the installation, | ||
+ | |||
+ | ===== Tomcat ===== | ||
+ | Download and install the latest 8.5 branch of Apache Tomcat from [[https:// | ||
+ | * Leave the installation paths on default. | ||
+ | * Let the setup create '' | ||
+ | * Modify the '' | ||
+ | * Do not install the example application. | ||
+ | * Let the setup create a Tomcat windows service. | ||
+ | |||
+ | After installation, | ||
+ | * '' | ||
+ | * '' | ||
+ | * Add '' | ||
+ | |||
+ | Configure addresses the server will listen on. Open the '' | ||
+ | * Add '' | ||
+ | * Change port number '' | ||
+ | * In the section for '' | ||
+ | * Uncomment the section '' | ||
+ | < | ||
+ | < | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | /> | ||
+ | </ | ||
+ | <note important> | ||
+ | The parameter '' | ||
+ | </ | ||
+ | |||
+ | Use the **services.msc** dialogue to set the Apache Tomcat '' | ||
+ | <note important> | ||
+ | * Locate the '' | ||
+ | </ | ||
+ | |||
+ | For roles and advanced management configuration, | ||
+ | |||
+ | ====== Apache httpd as a reverse proxy ====== | ||
+ | |||
+ | It is possible to open Apache Tomcat to the network directly, but somewhat inconvenient. You want the users to access CzechIdM on user-friendly ports 80/tcp or 443/tcp. So we use Apache httpd as a reverse proxy and add a few security features along the way. | ||
+ | Apache httpd will allow access to data via https on port 443/tcp and http on port 80/tcp. Communication via http protocol is enabled, but we redirect all communication to https. | ||
+ | Communication between Apache httpd and Tomcat takes place on local machine via AJP protocol. In httpd, there will be mod_security installed (optional but recommended), | ||
+ | |||
+ | The configuration example is written for the server which allows access to its services under the name " | ||
+ | |||
+ | ===== HTTPd installation and configuration ===== | ||
+ | First, install necessary [[https:// | ||
+ | |||
+ | Download Apache HTTPd from the [[https:// | ||
+ | |||
+ | Fire up an elevated shell and install the Apache HTTPd service: | ||
+ | < | ||
+ | cd C: | ||
+ | httpd.exe -k install | ||
+ | </ | ||
+ | |||
+ | Open the **services.msc** and reconfigure " | ||
+ | * To have '' | ||
+ | * To execute under '' | ||
+ | |||
+ | Configure the HTTPd in its core config file '' | ||
+ | <file apache httpd.conf> | ||
+ | Define SRVROOT " | ||
+ | ServerRoot " | ||
+ | |||
+ | Listen 80 | ||
+ | |||
+ | LoadModule access_compat_module modules/ | ||
+ | LoadModule actions_module modules/ | ||
+ | LoadModule alias_module modules/ | ||
+ | LoadModule allowmethods_module modules/ | ||
+ | LoadModule asis_module modules/ | ||
+ | LoadModule auth_basic_module modules/ | ||
+ | LoadModule authn_core_module modules/ | ||
+ | LoadModule authn_file_module modules/ | ||
+ | LoadModule authz_core_module modules/ | ||
+ | LoadModule authz_groupfile_module modules/ | ||
+ | LoadModule authz_host_module modules/ | ||
+ | LoadModule authz_user_module modules/ | ||
+ | LoadModule autoindex_module modules/ | ||
+ | LoadModule cgi_module modules/ | ||
+ | LoadModule deflate_module modules/ | ||
+ | LoadModule dir_module modules/ | ||
+ | LoadModule env_module modules/ | ||
+ | LoadModule filter_module modules/ | ||
+ | LoadModule headers_module modules/ | ||
+ | LoadModule include_module modules/ | ||
+ | LoadModule isapi_module modules/ | ||
+ | LoadModule log_config_module modules/ | ||
+ | #LoadModule log_debug_module modules/ | ||
+ | LoadModule mime_module modules/ | ||
+ | #LoadModule mime_magic_module modules/ | ||
+ | LoadModule negotiation_module modules/ | ||
+ | LoadModule proxy_module modules/ | ||
+ | LoadModule proxy_ajp_module modules/ | ||
+ | #LoadModule proxy_balancer_module modules/ | ||
+ | #LoadModule proxy_connect_module modules/ | ||
+ | #LoadModule proxy_express_module modules/ | ||
+ | #LoadModule proxy_html_module modules/ | ||
+ | LoadModule proxy_http_module modules/ | ||
+ | LoadModule proxy_wstunnel_module modules/ | ||
+ | #LoadModule reqtimeout_module modules/ | ||
+ | LoadModule rewrite_module modules/ | ||
+ | LoadModule setenvif_module modules/ | ||
+ | LoadModule socache_shmcb_module modules/ | ||
+ | LoadModule ssl_module modules/ | ||
+ | LoadModule unique_id_module modules/ | ||
+ | #LoadModule vhost_alias_module modules/ | ||
+ | LoadModule security2_module modules/ | ||
+ | |||
+ | < | ||
+ | # jsme na oknech, tohle se nepouzije | ||
+ | User daemon | ||
+ | Group daemon | ||
+ | </ | ||
+ | |||
+ | # ' | ||
+ | # | ||
+ | ServerAdmin root@demo.czechidm.com | ||
+ | ServerName demo.czechidm.com | ||
+ | |||
+ | < | ||
+ | AllowOverride none | ||
+ | Require all denied | ||
+ | </ | ||
+ | |||
+ | DocumentRoot " | ||
+ | < | ||
+ | Options -Indexes -FollowSymLinks -MultiViews | ||
+ | AllowOverride None | ||
+ | Require all granted | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | DirectoryIndex index.html | ||
+ | </ | ||
+ | |||
+ | <Files " | ||
+ | Require all denied | ||
+ | </ | ||
+ | |||
+ | ErrorLog " | ||
+ | LogLevel warn | ||
+ | |||
+ | < | ||
+ | LogFormat "%h %l %u %t \" | ||
+ | LogFormat "%h %l %u %t \" | ||
+ | < | ||
+ | # You need to enable mod_logio.c to use %I and %O | ||
+ | LogFormat "%h %l %u %t \" | ||
+ | </ | ||
+ | CustomLog " | ||
+ | #CustomLog " | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | ScriptAlias /cgi-bin/ " | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | #Scriptsock cgisock | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | AllowOverride None | ||
+ | Options None | ||
+ | Require all granted | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | RequestHeader unset Proxy early | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | TypesConfig conf/ | ||
+ | AddType application/ | ||
+ | AddType application/ | ||
+ | </ | ||
+ | |||
+ | # Virtual hosts | ||
+ | Include conf/ | ||
+ | |||
+ | # Configure mod_proxy_html to understand HTML4/ | ||
+ | < | ||
+ | Include conf/ | ||
+ | </ | ||
+ | |||
+ | # Secure (SSL/TLS) connections | ||
+ | Include conf/ | ||
+ | |||
+ | # Note: The following must must be present to support | ||
+ | # | ||
+ | # but a statically compiled-in mod_ssl. | ||
+ | < | ||
+ | SSLRandomSeed startup builtin | ||
+ | SSLRandomSeed connect builtin | ||
+ | </ | ||
+ | |||
+ | # Include modsec | ||
+ | # if you do not want to use it, comment-out the section below | ||
+ | < | ||
+ | Include conf/ | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Configure the HTTP-> | ||
+ | <file apache httpd-vhosts.conf> | ||
+ | # Virtual Hosts | ||
+ | # | ||
+ | # Required modules: mod_log_config | ||
+ | |||
+ | < | ||
+ | ServerName demo.czechidm.com | ||
+ | ErrorLog " | ||
+ | CustomLog " | ||
+ | |||
+ | # this is for stable deployment | ||
+ | Redirect permanent / https:// | ||
+ | |||
+ | # this one is for debugging before going live | ||
+ | # Redirect / https:// | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Configure the HTTPS virtual host in the '' | ||
+ | < | ||
+ | <file apache httpd-ssl.conf> | ||
+ | Listen 443 | ||
+ | |||
+ | SSLCipherSuite ALL: | ||
+ | SSLProxyCipherSuite HIGH: | ||
+ | SSLHonorCipherOrder on | ||
+ | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | ||
+ | SSLProxyProtocol all -SSLv2 -SSLv3 | ||
+ | SSLPassPhraseDialog | ||
+ | SSLSessionCache | ||
+ | SSLSessionCacheTimeout | ||
+ | |||
+ | |||
+ | < | ||
+ | ServerName demo.czechidm.com | ||
+ | ServerAdmin root@demo.czechidm.com | ||
+ | ErrorLog " | ||
+ | TransferLog " | ||
+ | CustomLog " | ||
+ | |||
+ | SSLEngine on | ||
+ | |||
+ | SSLCertificateFile " | ||
+ | SSLCertificateKeyFile " | ||
+ | # | ||
+ | |||
+ | SSLVerifyClient none | ||
+ | |||
+ | < | ||
+ | SSLOptions +StdEnvVars | ||
+ | </ | ||
+ | < | ||
+ | SSLOptions +StdEnvVars | ||
+ | </ | ||
+ | |||
+ | BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 | ||
+ | |||
+ | # workaround for bad font handling in IE 11 | ||
+ | < | ||
+ | Header set Cache-Control " | ||
+ | </ | ||
+ | |||
+ | ProxyRequests | ||
+ | ProxyPreserveHost on | ||
+ | ProxyAddHeaders on | ||
+ | ProxyPass / ajp:// | ||
+ | ProxyPassReverse / ajp:// | ||
+ | |||
+ | RewriteEngine On | ||
+ | RewriteRule " | ||
+ | |||
+ | < | ||
+ | SecRuleRemoveById 981173 | ||
+ | SecRuleRemoveById 960015 | ||
+ | SecRuleRemoveById 950109 | ||
+ | |||
+ | # Allow Czech signs | ||
+ | SecRuleRemoveById 981318 | ||
+ | SecRuleRemoveById 981242 | ||
+ | SecRuleRemoveById 960024 | ||
+ | SecRuleRemoveById 981245 | ||
+ | |||
+ | # Too restrictive for login format | ||
+ | SecRuleRemoveById 960035 | ||
+ | |||
+ | # Needed by Websockets | ||
+ | < | ||
+ | SecRuleRemoveById 970901 | ||
+ | </ | ||
+ | | ||
+ | # These break Certificate Authority module | ||
+ | < | ||
+ | SecRuleRemoveById 960915 | ||
+ | SecRuleRemoveById 200003 | ||
+ | </ | ||
+ | | ||
+ | # Modsec can throw false positives on some files due to multipart boundary check | ||
+ | < | ||
+ | SecRuleRemoveById 960915 | ||
+ | SecRuleRemoveById 200003 | ||
+ | </ | ||
+ | |||
+ | # do not log request/ | ||
+ | SecAuditLogParts ABFHZ | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | # Compress HTML, CSS, JavaScript, Text, XML and fonts | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE font/ | ||
+ | AddOutputFilterByType DEFLATE font/otf | ||
+ | AddOutputFilterByType DEFLATE font/ttf | ||
+ | AddOutputFilterByType DEFLATE image/ | ||
+ | AddOutputFilterByType DEFLATE image/ | ||
+ | AddOutputFilterByType DEFLATE text/css | ||
+ | AddOutputFilterByType DEFLATE text/html | ||
+ | AddOutputFilterByType DEFLATE text/ | ||
+ | AddOutputFilterByType DEFLATE text/plain | ||
+ | AddOutputFilterByType DEFLATE text/xml | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | AddOutputFilterByType DEFLATE application/ | ||
+ | |||
+ | # Remove browser bugs (only needed for really old browsers) | ||
+ | BrowserMatch ^Mozilla/4 gzip-only-text/ | ||
+ | BrowserMatch ^Mozilla/ | ||
+ | BrowserMatch \bMSIE !no-gzip !gzip-only-text/ | ||
+ | Header append Vary User-Agent | ||
+ | </ | ||
+ | |||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Supply SSL certificate and key in x509 PEM form to '' | ||
+ | |||
+ | Self-signed cert and key for testing purposes can be created like this: | ||
+ | < | ||
+ | openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes | ||
+ | </ | ||
+ | ===== mod_security installation ===== | ||
+ | Download the mod\_security module from the [[https:// | ||
+ | Unpack the zip and perform following actions: | ||
+ | * Copy the '' | ||
+ | * Copy '' | ||
+ | |||
+ | Create general mod\_security configuration file '' | ||
+ | <file apache modsec.conf> | ||
+ | < | ||
+ | # ModSecurity Core Rules Set configuration | ||
+ | IncludeOptional conf/ | ||
+ | IncludeOptional conf/ | ||
+ | | ||
+ | # Default recommended configuration | ||
+ | SecRuleEngine On | ||
+ | SecRequestBodyAccess On | ||
+ | SecRule REQUEST_HEADERS: | ||
+ | " | ||
+ | SecRequestBodyLimit 13107200 | ||
+ | SecRequestBodyNoFilesLimit 131072 | ||
+ | SecRequestBodyInMemoryLimit 131072 | ||
+ | SecRequestBodyLimitAction Reject | ||
+ | SecRule REQBODY_ERROR "!@eq 0" \ | ||
+ | " | ||
+ | SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ | ||
+ | " | ||
+ | failed strict validation: \ | ||
+ | PE %{REQBODY_PROCESSOR_ERROR}, | ||
+ | BQ %{MULTIPART_BOUNDARY_QUOTED}, | ||
+ | BW %{MULTIPART_BOUNDARY_WHITESPACE}, | ||
+ | DB %{MULTIPART_DATA_BEFORE}, | ||
+ | DA %{MULTIPART_DATA_AFTER}, | ||
+ | HF %{MULTIPART_HEADER_FOLDING}, | ||
+ | LF %{MULTIPART_LF_LINE}, | ||
+ | SM %{MULTIPART_MISSING_SEMICOLON}, | ||
+ | IQ %{MULTIPART_INVALID_QUOTING}, | ||
+ | IP %{MULTIPART_INVALID_PART}, | ||
+ | IH %{MULTIPART_INVALID_HEADER_FOLDING}, | ||
+ | FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" | ||
+ | |||
+ | SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ | ||
+ | " | ||
+ | |||
+ | SecPcreMatchLimit 1000 | ||
+ | SecPcreMatchLimitRecursion 1000 | ||
+ | |||
+ | SecRule TX:/^MSC_/ " | ||
+ | " | ||
+ | |||
+ | SecResponseBodyAccess Off | ||
+ | # SecDebugLog / | ||
+ | # SecDebugLogLevel 0 | ||
+ | SecAuditEngine RelevantOnly | ||
+ | SecAuditLogRelevantStatus " | ||
+ | SecAuditLogParts ABIJDEFHZ | ||
+ | SecAuditLogType Serial | ||
+ | SecAuditLog logs/ | ||
+ | SecArgumentSeparator & | ||
+ | SecCookieFormat 0 | ||
+ | SecTmpDir modsec_tmp | ||
+ | SecDataDir modsec_lib | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Create empty directories '' | ||
+ | |||
+ | Mod\_security will become operational but will have no filtering rules. To obtain filtering rules, please visit [[https:// | ||
+ | < | ||
+ | |||
+ | Now you can start the Apache HTTPd using its service. If it fails to start, check the Windows EventLog for errors. |
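Review bot: the httpd.conf in this hunk keeps modules and a CGI alias that a pure AJP reverse proxy never uses, which only widens the surface of the front door: ''LoadModule cgi_module modules/'', ''LoadModule isapi_module modules/'', ''LoadModule asis_module modules/'' (likewise autoindex_module and include_module) and the ''ScriptAlias /cgi-bin/ "'' block, while ''ProxyPass / ajp://'' already forwards every request to Tomcat. Comment them out the way ''#LoadModule proxy_balancer_module'' and ''#LoadModule vhost_alias_module'' already are, and drop the cgi-bin alias section. Smaller points: ''SSLProxyProtocol all -SSLv2 -SSLv3'' still permits TLSv1 and TLSv1.1 although ''SSLProtocol'' disables them (moot for an AJP backend, but worth aligning); the ''SecRuleRemoveById 960915'' / ''SecRuleRemoveById 200003'' pair appears in two consecutive conditional blocks and can be merged into one; and the comment ''# jsme na oknech, tohle se nepouzije'' above ''User daemon'' should be in English like the rest of the file (it says the directive is unused on Windows).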