Differences
This shows you the differences between two versions of the page.
tutorial:adm:server_preparation_win [2020/03/04 14:53] kolarikj [mod_security installation]
tutorial:adm:server_preparation_win [2021/05/04 08:39] kopro [HTTPd installation and configuration] update configuration for certificates
Line 7: | Line 7: | ||
===== Basic system setup ===== | ===== Basic system setup ===== | ||
* 1 server (can be virtualized) for everything: backend, frontend and database. | * 1 server (can be virtualized) for everything: backend, frontend and database. | ||
- | * OS Windows, ideally | + | * OS Windows, ideally |
- | * PostgreSQL - installed from OpenSCG | + | * PostgreSQL - installed from EnterpriseDB |
- | * Java - installed from Oracle JDK | + | * Java - OpenJDK |
* Apache Tomcat - installed by Tomcat .exe installer | * Apache Tomcat - installed by Tomcat .exe installer | ||
* Services start via system services (services.msc) | * Services start via system services (services.msc) | ||
===== Instalation and software configuration ===== | ===== Instalation and software configuration ===== | ||
- | Prerequisities - Basic installation of Windows Server | + | Prerequisities - Basic installation of Windows Server |
* Install the **Telnet Client** system feature through **Programs and Features**. This is optional but greatly helps with debugging network problems. | * Install the **Telnet Client** system feature through **Programs and Features**. This is optional but greatly helps with debugging network problems. | ||
* Install [[https:// | * Install [[https:// | ||
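Review bot: the headings "Instalation and software configuration" and "Prerequisities" are misspelled on both sides of this hunk; since the revision already edits the neighbouring PostgreSQL and Java bullets, correct them to "Installation and software configuration" and "Prerequisites" in the same change. The move from OpenSCG to EnterpriseDB and from Oracle JDK to OpenJDK matches what the later PostgreSQL and Java hunks install, so those two bullets are consistent.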
Line 23: | Line 23: | ||
* Disable Microsoft IIS if installed. | * Disable Microsoft IIS if installed. | ||
===== PostgreSQL ===== | ===== PostgreSQL ===== | ||
- | On Windows, we use [[https:// | + | On Windows, we use [[https:// |
- | * Leave locations | + | * For installation, |
- | * Make sure you check the option to install | + | * Set location for binaries to '' |
+ | * Set location for database to '' | ||
+ | * Install all components (pgAdmin, StackBuilder, | ||
+ | * Leave the locale | ||
+ | * After installation, | ||
+ | * To enter services menu, get to the Start-> | ||
- | Open the elevated shell (right-click | + | Edit the PostgreSQL configuration file '' |
< | < | ||
- | cd c:/postgresql | + | # DB Version: 12 |
- | pgc install pgadmin3 | + | # OS Type: windows |
- | </ | + | # DB Type: web |
- | If your server does not have Internet access, you can download and install pgAdmin from [[https:// | + | # Total Memory (RAM): 6 GB |
+ | # CPUs num: 4 | ||
+ | # Connections num: 100 | ||
+ | # Data Storage: hdd | ||
- | Edit the PostgreSQL configuration file '' | ||
- | < | ||
listen_addresses = ' | listen_addresses = ' | ||
- | port = 5432 # (change requires restart) | + | max_connections = 100 # (change requires restart) |
- | max_connections = 150 # (change requires restart) | + | |
superuser_reserved_connections = 3 # (change requires restart) | superuser_reserved_connections = 3 # (change requires restart) | ||
shared_buffers = 512MB # min 128kB | shared_buffers = 512MB # min 128kB | ||
- | work_mem = 12815kB # min 64kB | + | work_mem = 9611kB # min 64kB |
maintenance_work_mem = 384MB | maintenance_work_mem = 384MB | ||
- | dynamic_shared_memory_type = windows # the default is the first option | + | |
- | wal_level = hot_standby | + | wal_buffers = 16MB |
- | wal_buffers = 16MB # min 32kB, -1 sets based on shared_buffers | + | max_wal_size = 4GB |
- | max_wal_size = 2GB | + | |
min_wal_size = 1GB | min_wal_size = 1GB | ||
checkpoint_completion_target = 0.7 # checkpoint target duration, 0.0 - 1.0 | checkpoint_completion_target = 0.7 # checkpoint target duration, 0.0 - 1.0 | ||
- | max_wal_senders = 5 | + | |
- | wal_keep_segments = 32 | + | |
- | max_replication_slots = 5 | + | |
effective_cache_size = 4608MB | effective_cache_size = 4608MB | ||
default_statistics_target = 100 # range 1-10000 | default_statistics_target = 100 # range 1-10000 | ||
- | logging_collector | + | random_page_cost |
- | log_directory | + | effective_cache_size |
- | log_filename | + | max_worker_processes |
- | log_truncate_on_rotation | + | max_parallel_workers_per_gather |
- | log_checkpoints | + | max_parallel_workers |
- | log_line_prefix | + | max_parallel_maintenance_workers |
- | log_lock_waits = on | + | |
- | log_temp_files = 0 | + | |
- | log_timezone = ' | + | |
- | update_process_title = off | + | |
track_io_timing = on | track_io_timing = on | ||
log_autovacuum_min_duration = 0 | log_autovacuum_min_duration = 0 | ||
- | datestyle = 'iso, mdy' | ||
- | timezone = ' | ||
- | lc_messages = ' | ||
- | lc_monetary = ' | ||
- | lc_numeric = ' | ||
- | lc_time = ' | ||
- | default_text_search_config = ' | ||
</ | </ | ||
- | Configure the authentication in the '' | + | Configure the authentication in the '' |
< | < | ||
# TYPE DATABASE | # TYPE DATABASE | ||
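Review bot: the new postgresql.conf fragment sets effective_cache_size twice, once in the unchanged `effective_cache_size = 4608MB` line and again in the pgtune-style block added further down; PostgreSQL silently applies whichever assignment comes last, so keep only one. Separately, this revision removes logging_collector, log_directory, log_filename, log_truncate_on_rotation, log_checkpoints, log_line_prefix, log_lock_waits and log_temp_files, so the server log location and line format now depend on whatever the EnterpriseDB installer left in the file; since log_line_prefix and log_lock_waits are what an operator relies on when investigating incidents, either keep those lines or state that the installer defaults are intended. The removed wal_level/max_wal_senders/wal_keep_segments/max_replication_slots lines are fine to drop for a single-server setup, which is what the Basic system setup section describes.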
Line 81: | Line 73: | ||
# IPv4 local & remote connections: | # IPv4 local & remote connections: | ||
host all | host all | ||
- | host all | ||
# IPv6 local connections: | # IPv6 local connections: | ||
host all | host all | ||
</ | </ | ||
- | Open Windows services' | + | < |
- | + | ||
- | < | + | |
===== Java ===== | ===== Java ===== | ||
- | Install the Oracle JDK (minimal | + | Install the openjdk |
+ | |||
+ | === OpenJDK Installation === | ||
+ | |||
+ | Crete directory '' | ||
+ | Then set path and JAVA HOME: | ||
+ | * Open the **sysdm.cpl** (Win+r ant type sysdm.cpl) dialogue and navigate to ''> | ||
+ | * Add this line to PATH variable. < | ||
+ | * Add new variable '' | ||
+ | * Then run '' | ||
- | Install the Java into a standard directory in Program Files. Having finished the installation, | ||
===== Tomcat ===== | ===== Tomcat ===== | ||
Download and install the latest 8.5 branch of Apache Tomcat from [[https:// | Download and install the latest 8.5 branch of Apache Tomcat from [[https:// | ||
- | * Leave the installation paths on default. | + | * Agree with licence agreement |
- | * Let the setup create | + | * Deselect |
- | * Modify the '' | + | * Set shutdown port to " |
- | * Do not install | + | * Modify the '' |
- | * Let the setup create a Tomcat | + | * Leave the installation path on default and click '' |
+ | * When it's done deselect option "start tomcat" | ||
+ | |||
+ | You can also use Tomcat | ||
- | After installation, | + | After installation, |
* '' | * '' | ||
* '' | * '' | ||
- | * Add '' | + | * Add '' |
- | Configure addresses the server will listen on. Open the '' | + | Configure addresses the server will listen on. Open the '' |
* Add '' | * Add '' | ||
* Change port number '' | * Change port number '' | ||
+ | * In the section for '' | ||
+ | * Uncomment the section '' | ||
+ | < | ||
+ | < | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | /> | ||
+ | </ | ||
+ | <note important> | ||
+ | The parameter '' | ||
+ | </ | ||
Use the **services.msc** dialogue to set the Apache Tomcat '' | Use the **services.msc** dialogue to set the Apache Tomcat '' | ||
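Review bot: the attribute named in the `<note important>` under the AJP Connector block is cut off in this rendering, so the note never tells the reader which parameter to change; spell it out. Because the vhost hunk later proxies to Tomcat over ajp://, the connector this revision uncomments should be bound to the loopback address and configured with the shared secret that the ProxyPass side supplies, otherwise the AJP port accepts unauthenticated connections from any host that can reach it. Minor: in the OpenJDK steps "Crete directory" should read "Create directory" and "Win+r ant type" should read "Win+R and type".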
Line 127: | Line 141: | ||
===== HTTPd installation and configuration ===== | ===== HTTPd installation and configuration ===== | ||
- | First, install necessary [[https://go.microsoft.com/fwlink/? | + | First, install necessary [[https://aka.ms/vs/16/ |
Download Apache HTTPd from the [[https:// | Download Apache HTTPd from the [[https:// | ||
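Review bot: the new aka.ms/vs/16/ link is truncated here, so it is not clear which redistributable it points to; state that it is the x64 Visual C++ 2019 package, because the httpd binaries and the mod_security module installed in a later section must be built against the same VC runtime or the module will fail to load.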
Line 137: | Line 151: | ||
</ | </ | ||
- | Open the **services.msc** and reconfigure " | + | Open the **services.msc** and reconfigure " |
+ | * To have '' | ||
+ | * To execute under '' | ||
- | Configure the HTTPd in its core config file '' | + | Configure the HTTPd in its core config file '' |
<file apache httpd.conf> | <file apache httpd.conf> | ||
- | ServerRoot " | ||
- | |||
- | Listen 80 | ||
+ | #uncomment these modules | ||
LoadModule access_compat_module modules/ | LoadModule access_compat_module modules/ | ||
- | LoadModule actions_module modules/ | ||
- | LoadModule alias_module modules/ | ||
- | LoadModule allowmethods_module modules/ | ||
- | LoadModule asis_module modules/ | ||
- | LoadModule auth_basic_module modules/ | ||
- | LoadModule authn_core_module modules/ | ||
- | LoadModule authn_file_module modules/ | ||
- | LoadModule authz_core_module modules/ | ||
- | LoadModule authz_groupfile_module modules/ | ||
- | LoadModule authz_host_module modules/ | ||
- | LoadModule authz_user_module modules/ | ||
- | LoadModule autoindex_module modules/ | ||
- | LoadModule cgi_module modules/ | ||
LoadModule deflate_module modules/ | LoadModule deflate_module modules/ | ||
- | LoadModule dir_module modules/ | ||
- | LoadModule env_module modules/ | ||
LoadModule filter_module modules/ | LoadModule filter_module modules/ | ||
+ | LoadModule http2_module modules/ | ||
LoadModule headers_module modules/ | LoadModule headers_module modules/ | ||
- | LoadModule include_module modules/ | ||
- | LoadModule isapi_module modules/ | ||
- | LoadModule log_config_module modules/ | ||
- | #LoadModule log_debug_module modules/ | ||
- | LoadModule mime_module modules/ | ||
- | #LoadModule mime_magic_module modules/ | ||
- | LoadModule negotiation_module modules/ | ||
LoadModule proxy_module modules/ | LoadModule proxy_module modules/ | ||
LoadModule proxy_ajp_module modules/ | LoadModule proxy_ajp_module modules/ | ||
- | #LoadModule proxy_balancer_module modules/ | ||
- | #LoadModule proxy_connect_module modules/ | ||
- | #LoadModule proxy_express_module modules/ | ||
- | #LoadModule proxy_html_module modules/ | ||
LoadModule proxy_http_module modules/ | LoadModule proxy_http_module modules/ | ||
LoadModule proxy_wstunnel_module modules/ | LoadModule proxy_wstunnel_module modules/ | ||
- | #LoadModule reqtimeout_module modules/ | ||
LoadModule rewrite_module modules/ | LoadModule rewrite_module modules/ | ||
- | LoadModule setenvif_module modules/ | ||
LoadModule socache_shmcb_module modules/ | LoadModule socache_shmcb_module modules/ | ||
LoadModule ssl_module modules/ | LoadModule ssl_module modules/ | ||
LoadModule unique_id_module modules/ | LoadModule unique_id_module modules/ | ||
- | #LoadModule vhost_alias_module modules/ | ||
- | LoadModule security2_module modules/ | ||
- | < | + | #add modsecurity module: |
- | # jsme na oknech, tohle se nepouzije | + | LoadModule security2_module modules/mod_security2.so |
- | User daemon | + | |
- | Group daemon | + | |
- | </IfModule> | + | |
- | # ' | + | #change ServerName and Server Admin |
- | # | + | |
ServerAdmin root@demo.czechidm.com | ServerAdmin root@demo.czechidm.com | ||
ServerName demo.czechidm.com | ServerName demo.czechidm.com | ||
- | < | + | #uncomment include vhosts a ssl configuration |
- | AllowOverride none | + | |
- | Require all denied | + | |
- | </ | + | |
- | + | ||
- | DocumentRoot " | + | |
- | < | + | |
- | Options -Indexes -FollowSymLinks -MultiViews | + | |
- | AllowOverride None | + | |
- | Require all granted | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | DirectoryIndex index.html | + | |
- | </ | + | |
- | + | ||
- | <Files " | + | |
- | Require all denied | + | |
- | </ | + | |
- | + | ||
- | ErrorLog " | + | |
- | LogLevel warn | + | |
- | + | ||
- | < | + | |
- | LogFormat "%h %l %u %t \" | + | |
- | LogFormat "%h %l %u %t \" | + | |
- | < | + | |
- | | + | |
- | LogFormat "%h %l %u %t \" | + | |
- | </ | + | |
- | CustomLog " | + | |
- | #CustomLog " | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | ScriptAlias /cgi-bin/ " | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | #Scriptsock cgisock | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | AllowOverride None | + | |
- | Options None | + | |
- | Require all granted | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | RequestHeader unset Proxy early | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | TypesConfig conf/ | + | |
- | AddType application/ | + | |
- | AddType application/ | + | |
- | </ | + | |
- | + | ||
- | # Virtual hosts | + | |
Include conf/ | Include conf/ | ||
- | |||
- | # Configure mod_proxy_html to understand HTML4/ | ||
- | < | ||
- | Include conf/ | ||
- | </ | ||
- | |||
- | # Secure (SSL/TLS) connections | ||
Include conf/ | Include conf/ | ||
- | # Note: The following must must be present to support | + | # Include modsec configuration if module is loaded |
- | # | + | < |
- | # but a statically compiled-in mod_ssl. | + | Include conf/ |
- | < | + | |
- | | + | |
- | SSLRandomSeed connect builtin | + | |
</ | </ | ||
- | # Include modsec | ||
- | # if you do not want to use it, comment-out the section below | ||
- | < | ||
- | Include conf/ | ||
- | </ | ||
</ | </ | ||
- | Configure the HTTP-> | + | Configure the HTTP-> |
<file apache httpd-vhosts.conf> | <file apache httpd-vhosts.conf> | ||
# Virtual Hosts | # Virtual Hosts | ||
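Review bot: replacing the full httpd.conf listing with "uncomment these modules" drops hardening that the old revision carried explicitly: `Options -Indexes -FollowSymLinks -MultiViews` on the DocumentRoot, the `<Directory />` and `<Files ".ht*">` deny blocks, and `RequestHeader unset Proxy early`. The stock httpd.conf still contains the two deny blocks, but its htdocs block enables `Indexes FollowSymLinks` and may not strip the Proxy request header, so either re-add those directives (the vhost file is a natural place) or say explicitly that the stock defaults are accepted. Wrapping `Include conf/...` for mod_security in `<IfModule security2_module>` is the right approach and matches the now complete `LoadModule security2_module modules/mod_security2.so` line.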
Line 346: | Line 254: | ||
</ | </ | ||
+ | Protocols | ||
ProxyRequests | ProxyRequests | ||
ProxyPreserveHost on | ProxyPreserveHost on | ||
ProxyAddHeaders on | ProxyAddHeaders on | ||
- | ProxyPass / ajp:// | + | ProxyPass / ajp:// |
- | ProxyPassReverse / ajp:// | + | ProxyPassReverse / ajp:// |
RewriteEngine On | RewriteEngine On | ||
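Review bot: the value of `ProxyRequests` is cut off in this rendering; for a reverse proxy it must be `Off`, otherwise the vhost also serves as an open forward proxy for anyone who can reach it, so make the value visible. The new ajp:// targets in ProxyPass and ProxyPassReverse are truncated as well; if they carry the AJP `secret=` parameter it must be identical to the secret configured on the Tomcat connector in the server.xml hunk, and the added `Protocols` line only enables HTTP/2 on the TLS vhost when mod_ssl and the http2 module this revision loads are both active.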
Line 375: | Line 284: | ||
| | ||
# These break Certificate Authority module | # These break Certificate Authority module | ||
- | < | + | < |
SecRuleRemoveById 960915 | SecRuleRemoveById 960915 | ||
SecRuleRemoveById 200003 | SecRuleRemoveById 200003 | ||
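Review bot: `SecRuleRemoveById 960915` refers to a rule id from the CRS 2.x numbering, while the mod_security section of this same revision now installs the rules from github.com/coreruleset, whose CRS 3 rule set does not use that id; the exclusion would then silently match nothing. Re-identify the multipart boundary rule under the installed rule set and cite its id, and keep `200003`, which comes from the recommended modsecurity.conf rather than from CRS.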
Line 387: | Line 296: | ||
# do not log request/ | # do not log request/ | ||
- | SecAuditLogParts | + | SecAuditLogParts |
</ | </ | ||
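Review bot: the new `SecAuditLogParts` value is truncated here, so the comment "do not log request/..." cannot be checked against it; state the letters explicitly. If parts C and E (request and response bodies) are being removed, say so and why, since audit entries without bodies are much less useful when reconstructing what a blocked request actually carried; parts A, B, F, H and Z should stay so that headers and the rule trailer are retained.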
Line 427: | Line 336: | ||
Supply SSL certificate and key in x509 PEM form to '' | Supply SSL certificate and key in x509 PEM form to '' | ||
+ | |||
+ | Self-signed cert and key for testing purposes can be created like this: | ||
+ | < | ||
+ | openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes | ||
+ | </ | ||
===== mod_security installation ===== | ===== mod_security installation ===== | ||
- | Download the mod\_security module from the [[https:// | + | Download the mod\_security module |
Unpack the zip and perform following actions: | Unpack the zip and perform following actions: | ||
* Copy the '' | * Copy the '' | ||
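Review bot: the `openssl req -x509 ... -days 365 -nodes` command prompts interactively for the subject fields and issues a certificate without a subjectAltName, which current browsers reject even when the certificate is trusted; add `-subj "/CN=<hostname>"` and, with OpenSSL 1.1.1 or newer, `-addext "subjectAltName=DNS:<hostname>"` so the test certificate matches the ServerName. Because `-nodes` writes the private key unencrypted, the text should also say to restrict the file permissions on `server.key` to the account the httpd service runs as.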
Line 493: | Line 407: | ||
Create empty directories '' | Create empty directories '' | ||
- | Mod\_security will become operational but will have no filtering rules. To obtain filtering rules, please visit [[https://www.modsecurity.org/|Mod Security project | + | Mod\_security will become operational but will have no filtering rules. To obtain filtering rules, please visit [[https://github.com/coreruleset/ |
- | < | + | |
+ | Create directory '' | ||
+ | From downloaded zip copy all rules from '' | ||
+ | Then downloaded zip copy rule configuration '' | ||
+ | |||
+ | < | ||
+ | </note> | ||
+ | |||
+ | Now in file '' | ||
+ | < | ||
+ | SecAction \ | ||
+ | " | ||
+ | phase:1, \ | ||
+ | t:none, \ | ||
+ | setvar:' | ||
+ | setvar:' | ||
+ | setvar:' | ||
+ | setvar:' | ||
+ | setvar:' | ||
+ | nolog, \ | ||
+ | pass" | ||
+ | |||
+ | </code> | ||
Now you can start the Apache HTTPd using its service. If it fails to start, check the Windows EventLog for errors. | Now you can start the Apache HTTPd using its service. If it fails to start, check the Windows EventLog for errors. |
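Review bot: the `setvar:'...'` values in the new `SecAction` block are cut off, so the reader cannot see which CRS variables (paranoia level and the related settings) are being initialised; show the full setvar lines and the rule id, since CRS refuses to run when its setup action is missing or incomplete. The text should also mention that the recommended modsecurity.conf copied from the module package ships with `SecRuleEngine DetectionOnly`, so the rules only log until it is switched to `On`. Grammar: "Then downloaded zip copy rule configuration" should read "Then, from the downloaded zip, copy the rule configuration".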