Differences

tutorial:adm:server_preparation_win [2019/06/03 12:40]
cernym [HTTPd installation and configuration]
tutorial:adm:server_preparation_win [2020/03/04 14:53]
kolarikj [mod_security installation]
Line 303: Line 303:
  
 Configure the HTTPS virtual host in the ''C:\Apache24\conf\extra\httpd-ssl.conf'' file. Change ''demo.czechidm.com'' to the name of your server. Configure the HTTPS virtual host in the ''C:\Apache24\conf\extra\httpd-ssl.conf'' file. Change ''demo.czechidm.com'' to the name of your server.
 +<note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM due to the SSL settings. If this is your case, you may need to slacken the cipher settings a bit.</note>
 <file apache httpd-ssl.conf> <file apache httpd-ssl.conf>
 Listen 443 Listen 443
  
-SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES+SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4:!3DES+SHA:!IDEA
 SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
 SSLHonorCipherOrder on  SSLHonorCipherOrder on 
-SSLProtocol all -SSLv2 -SSLv3+SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 SSLProxyProtocol all -SSLv2 -SSLv3 SSLProxyProtocol all -SSLv2 -SSLv3
 SSLPassPhraseDialog  builtin SSLPassPhraseDialog  builtin
 SSLSessionCache        "shmcb:c:/Apache24/logs/ssl_scache(512000)" SSLSessionCache        "shmcb:c:/Apache24/logs/ssl_scache(512000)"
 SSLSessionCacheTimeout  300 SSLSessionCacheTimeout  300
 +
  
 <VirtualHost _default_:443> <VirtualHost _default_:443>
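Review bot: the added `<note>` blames old-client failures (IE10, Java6) on the cipher settings, but the change in this same hunk that actually locks those clients out is `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`; Java 6 and IE10 in its default configuration typically negotiate only TLS 1.0, so no amount of cipher relaxation helps while TLS 1.0/1.1 are disabled, and the note should say that the admin would have to re-enable those protocols and accept the exposure. The new `SSLCipherSuite` string is also less strict and less readable than the one it replaces: `RC4+RSA` is dead because the later `!RC4` removes RC4 permanently, `!SSLv2` names a protocol no current OpenSSL build offers, `!MD5` is gone, and `!3DES+SHA` drops only the 3DES suites with a SHA1 MAC instead of all 3DES. Suggest keeping `HIGH:MEDIUM:!MD5:!RC4:!3DES` (or an explicit modern list) and checking the effective set with `openssl ciphers -v '<string>'`. `SSLProxyProtocol` was left at `all -SSLv2 -SSLv3`, so the proxy side still allows TLS 1.0/1.1; align it with `SSLProtocol` if that is not intended.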
Line 377: Line 379:
                 SecRuleRemoveById 200003                 SecRuleRemoveById 200003
         </Location>         </Location>
 +        
 + # Modsec can throw false positives on some files due to multipart boundary check
 + <Location "/idm/api/v1/attachments/upload">
 + SecRuleRemoveById 960915
 + SecRuleRemoveById 200003
 + </Location>
    
         # do not log request/response body         # do not log request/response body
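Review bot: removing 960915 and 200003 under `/idm/api/v1/attachments/upload` turns off the multipart unmatched-boundary checks for that path (200003 is from the base modsecurity.conf-recommended rules, 960915 is the equivalent OWASP CRS 2.x rule); limiting the exclusion to one path is the right scope for a known false positive, but the comment should name the rule sets and what the rules check, since a CRS upgrade can renumber or drop 960915 and leave a stale exclusion that nobody revisits. Also: the new block is indented with a single space while the surrounding `<Location>` blocks use 8 spaces, and the same ids are already removed in the preceding `</Location>` block, so one comment covering both exclusions would be clearer than an uncommented duplicate.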
Line 420: Line 428:
 Supply SSL certificate and key in x509 PEM form to ''c:/Apache24/conf/server.key'' and ''c:/Apache24/conf/server.crt'' files. Apache HTTPd will not start without those files. If you need to generate some ad-hoc certificates, use for example [[https://www.akadia.com/services/ssh_test_certificate.html|this guide]]. You can easily invoke the **openssl** tool from the Git Bash prompt. Supply SSL certificate and key in x509 PEM form to ''c:/Apache24/conf/server.key'' and ''c:/Apache24/conf/server.crt'' files. Apache HTTPd will not start without those files. If you need to generate some ad-hoc certificates, use for example [[https://www.akadia.com/services/ssh_test_certificate.html|this guide]]. You can easily invoke the **openssl** tool from the Git Bash prompt.
 ===== mod_security installation ===== ===== mod_security installation =====
-Download the mod\_security module from the [[https://www.apachelounge.com/download/VC15/modules/mod_security-2.9.2-win64-VC15.zip|Apache Lounge project]].+Download the mod\_security module from the [[https://www.apachelounge.com/download/VS16/modules/mod_security-2.9.3-win64-VS16.zip|Apache Lounge project]].
 Unpack the zip and perform following actions: Unpack the zip and perform following actions:
   * Copy the ''mod\_security2.so'' int ''C:\Apache24\modules'' directory.   * Copy the ''mod\_security2.so'' int ''C:\Apache24\modules'' directory.
-  * Copy ''libcurl.dll'' and ''yajl.dll'' into ''C:\Apache24\bin'' directory.+  * Copy ''yajl.dll'' into ''C:\Apache24\bin'' directory.
  
 Create general mod\_security configuration file ''C:\Apache24\conf\extra\modsec.conf'': Create general mod\_security configuration file ''C:\Apache24\conf\extra\modsec.conf'':
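Review bot: the download step switches to the VS16 build of mod_security 2.9.3, but nothing in the hunk ties it to the httpd build: Apache Lounge ships httpd and modules per toolchain, so confirm that the VS16 module is compatible with the httpd build used earlier on this page and update that reference in the same change if it still points at VC15. Dropping the `libcurl.dll` copy step is fine if the 2.9.3 zip no longer ships it, but the text should say so rather than silently removing the bullet. The unchanged bullet has a typo ("int" for "into"), and the procedure still gives no integrity check for the zip; add a line telling the reader to compare the archive against the checksum published on the download page before unpacking it.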
  • by koulaj