Differences
This shows you the differences between two versions of the page.
tutorial:adm:server_preparation_win [2020/03/04 14:53] kolarikj [mod_security installation]
tutorial:adm:server_preparation_win [2021/12/14 09:25] urbanl [Change Tomcat logging properties]
Line 7: | Line 7: | ||
===== Basic system setup ===== | ===== Basic system setup ===== | ||
* 1 server (can be virtualized) for everything: backend, frontend and database. | * 1 server (can be virtualized) for everything: backend, frontend and database. | ||
- | * OS Windows, ideally | + | * OS Windows, ideally |
- | * PostgreSQL - installed from OpenSCG | + | * PostgreSQL - installed from EnterpriseDB |
- | * Java - installed from Oracle JDK | + | * Java - OpenJDK |
* Apache Tomcat - installed by Tomcat .exe installer | * Apache Tomcat - installed by Tomcat .exe installer | ||
* Services start via system services (services.msc) | * Services start via system services (services.msc) | ||
===== Instalation and software configuration ===== | ===== Instalation and software configuration ===== | ||
- | Prerequisities - Basic installation of Windows Server | + | Prerequisities - Basic installation of Windows Server |
* Install the **Telnet Client** system feature through **Programs and Features**. This is optional but greatly helps with debugging network problems. | * Install the **Telnet Client** system feature through **Programs and Features**. This is optional but greatly helps with debugging network problems. | ||
* Install [[https:// | * Install [[https:// | ||
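Review bot: the heading "Instalation and software configuration" (L16) and the lead "Prerequisities" (L17) are misspelled in both revisions ("Installation", "Prerequisites"); L17 is already touched by this change, so fix both here. The summary list is also the first thing readers check, so the swap to EnterpriseDB (L12) and OpenJDK (L13) should name the major versions this guide was written for (the PostgreSQL configuration header further down says version 12, L33) rather than leaving that to the sections below.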
Line 23: | Line 23: | ||
* Disable Microsoft IIS if installed. | * Disable Microsoft IIS if installed. | ||
===== PostgreSQL ===== | ===== PostgreSQL ===== | ||
- | On Windows, we use [[https:// | + | On Windows, we use [[https:// |
- | * Leave locations | + | * For installation, |
- | * Make sure you check the option to install | + | * Set location for binaries to '' |
+ | * Set location for database to '' | ||
+ | * Install all components (pgAdmin, StackBuilder, | ||
+ | * Leave the locale | ||
+ | * After installation, | ||
+ | * To enter services menu, get to the Start-> | ||
- | Open the elevated shell (right-click | + | Edit the PostgreSQL configuration file '' |
< | < | ||
- | cd c:/postgresql | + | # DB Version: 12 |
- | pgc install pgadmin3 | + | # OS Type: windows |
- | </ | + | # DB Type: web |
- | If your server does not have Internet access, you can download and install pgAdmin from [[https:// | + | # Total Memory (RAM): 6 GB |
+ | # CPUs num: 4 | ||
+ | # Connections num: 100 | ||
+ | # Data Storage: hdd | ||
- | Edit the PostgreSQL configuration file '' | ||
- | < | ||
listen_addresses = ' | listen_addresses = ' | ||
- | port = 5432 # (change requires restart) | + | max_connections = 100 # (change requires restart) |
- | max_connections = 150 # (change requires restart) | + | |
superuser_reserved_connections = 3 # (change requires restart) | superuser_reserved_connections = 3 # (change requires restart) | ||
shared_buffers = 512MB # min 128kB | shared_buffers = 512MB # min 128kB | ||
- | work_mem = 12815kB # min 64kB | + | work_mem = 9611kB # min 64kB |
maintenance_work_mem = 384MB | maintenance_work_mem = 384MB | ||
- | dynamic_shared_memory_type = windows # the default is the first option | + | |
- | wal_level = hot_standby | + | wal_buffers = 16MB |
- | wal_buffers = 16MB # min 32kB, -1 sets based on shared_buffers | + | max_wal_size = 4GB |
- | max_wal_size = 2GB | + | |
min_wal_size = 1GB | min_wal_size = 1GB | ||
checkpoint_completion_target = 0.7 # checkpoint target duration, 0.0 - 1.0 | checkpoint_completion_target = 0.7 # checkpoint target duration, 0.0 - 1.0 | ||
- | max_wal_senders = 5 | + | |
- | wal_keep_segments = 32 | + | |
- | max_replication_slots = 5 | + | |
effective_cache_size = 4608MB | effective_cache_size = 4608MB | ||
default_statistics_target = 100 # range 1-10000 | default_statistics_target = 100 # range 1-10000 | ||
- | logging_collector | + | random_page_cost |
- | log_directory | + | effective_cache_size |
- | log_filename | + | max_worker_processes |
- | log_truncate_on_rotation | + | max_parallel_workers_per_gather |
- | log_checkpoints | + | max_parallel_workers |
- | log_line_prefix | + | max_parallel_maintenance_workers |
- | log_lock_waits = on | + | |
- | log_temp_files = 0 | + | |
- | log_timezone = ' | + | |
- | update_process_title = off | + | |
track_io_timing = on | track_io_timing = on | ||
log_autovacuum_min_duration = 0 | log_autovacuum_min_duration = 0 | ||
- | datestyle = 'iso, mdy' | ||
- | timezone = ' | ||
- | lc_messages = ' | ||
- | lc_monetary = ' | ||
- | lc_numeric = ' | ||
- | lc_time = ' | ||
- | default_text_search_config = ' | ||
</ | </ | ||
- | Configure the authentication in the '' | + | Configure the authentication in the '' |
< | < | ||
# TYPE DATABASE | # TYPE DATABASE | ||
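Review bot: effective_cache_size now appears twice in the postgresql.conf excerpt, unchanged at L58 (4608MB) and added again at L61; PostgreSQL takes the last occurrence, so the value at L58 is silently overridden by whatever L61 sets. Keep one. The change also removes the whole logging block (logging_collector, log_directory, log_filename, log_truncate_on_rotation, log_checkpoints, log_line_prefix, log_lock_waits, log_temp_files, log_timezone at L60-L68) together with wal_level = hot_standby and the replication settings (L50, L55-L57) and the locale/timezone settings (L72-L78). If the intent is to rely on the defaults the EnterpriseDB installer writes, say so explicitly, because log_line_prefix, log_lock_waits and log_timezone are what make the server log usable when an incident has to be reconstructed. Finally, max_connections drops from 150 to 100 (L43-L44) and the header states the sizing it was derived from (6 GB RAM at L36, 4 CPUs at L37, 100 connections at L38, hdd at L39); add a sentence that these numbers must be re-derived for a host with different resources.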
Line 81: | Line 73: | ||
# IPv4 local & remote connections: | # IPv4 local & remote connections: | ||
host all | host all | ||
- | host all | ||
# IPv6 local connections: | # IPv6 local connections: | ||
host all | host all | ||
</ | </ | ||
- | Open Windows services' | + | < |
- | + | ||
- | < | + | |
===== Java ===== | ===== Java ===== | ||
- | Install the Oracle JDK (minimal | + | Install the openjdk |
+ | |||
+ | === OpenJDK Installation === | ||
+ | |||
+ | Crete directory '' | ||
+ | Then set path and JAVA HOME: | ||
+ | * Open the **sysdm.cpl** (Win+r ant type sysdm.cpl) dialogue and navigate to ''> | ||
+ | * Add this line to PATH variable. < | ||
+ | * Add new variable '' | ||
+ | * Then run '' | ||
- | Install the Java into a standard directory in Program Files. Having finished the installation, | ||
===== Tomcat ===== | ===== Tomcat ===== | ||
- | Download and install the latest 8.5 branch of Apache Tomcat from [[https:// | ||
- | * Leave the installation paths on default. | ||
- | * Let the setup create '' | ||
- | * Modify the '' | ||
- | * Do not install the example application. | ||
- | * Let the setup create a Tomcat windows service. | ||
- | After installation, | + | Download and install |
- | * '' | + | |
- | * '' | + | |
- | * Add '' | + | |
- | Configure addresses the server will listen on. Open the '' | + | * Agree with licence agreement |
- | * Add '' | + | * Deselect '' |
- | * Change port number '' | + | * Set shutdown port to " |
+ | * Modify the '' | ||
+ | * Leave the installation path on default and click '' | ||
+ | * When it's done deselect option "start tomcat" | ||
+ | |||
+ | You can also use Tomcat 9.0.45 and newer, those installers set the service account to '' | ||
+ | |||
+ | After installation, | ||
+ | |||
+ | * '' | ||
+ | * '' | ||
+ | * Add '' | ||
+ | |||
+ | Configure addresses the server will listen on. Open the '' | ||
+ | |||
+ | * Add '' | ||
+ | * Change port number '' | ||
+ | * In the section for '' | ||
+ | * Uncomment the section '' | ||
+ | < | ||
+ | |||
+ | < | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | /> | ||
+ | |||
+ | </ | ||
+ | |||
+ | Use the **services.msc** | ||
+ | |||
+ | * Locate the '' | ||
- | Use the **services.msc** dialogue to set the Apache Tomcat '' | ||
- | <note important> | ||
- | * Locate the '' | ||
</ | </ | ||
- | For roles and advanced management configuration, | + | For roles and advanced management configuration, |
+ | |||
+ | ==== Change Tomcat logging properties ==== | ||
+ | |||
+ | In order to set-up log rotation we need stop logging to stdout and start logging to catalina.log . | ||
+ | |||
+ | After change of these tomcat setting and setting-up **logback-spring.xml** in [[.: | ||
+ | |||
+ | Make these changes in file '' | ||
+ | < | ||
+ | |||
+ | handlers = 1catalina.org.apache.juli.AsyncFileHandler | ||
+ | #handlers = java.util.logging.ConsoleHandler, | ||
+ | |||
+ | .handlers = 1catalina.org.apache.juli.AsyncFileHandler | ||
+ | #.handlers = java.util.logging.ConsoleHandler, | ||
+ | |||
+ | ### | ||
+ | ### | ||
+ | ### | ||
+ | ### | ||
+ | ### | ||
+ | |||
+ | ### | ||
+ | ### | ||
+ | ### | ||
+ | ### | ||
+ | ### | ||
+ | |||
+ | ### | ||
+ | ### | ||
+ | ### | ||
+ | ### | ||
+ | ### | ||
+ | |||
+ | ### | ||
+ | ### | ||
+ | ### | ||
+ | |||
+ | # | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # | ||
+ | |||
+ | </ | ||
+ | |||
+ | In 1catalina file handler change log level to " | ||
+ | |||
+ | < | ||
+ | # | ||
+ | # | ||
+ | 1catalina.org.apache.juli.AsyncFileHandler.level = INFO | ||
+ | 1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/ | ||
+ | 1catalina.org.apache.juli.AsyncFileHandler.prefix = tomcat | ||
+ | 1catalina.org.apache.juli.AsyncFileHandler.rotatable = false | ||
+ | 1catalina.org.apache.juli.AsyncFileHandler.suffix = .log | ||
+ | |||
+ | </ | ||
+ | |||
+ | Then in file '' | ||
+ | < | ||
+ | < | ||
+ | | ||
+ | | ||
+ | |||
+ | </ | ||
====== Apache httpd as a reverse proxy ====== | ====== Apache httpd as a reverse proxy ====== | ||
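Review bot: the logging change at L160 says the goal is rotation into catalina.log, but the handler it configures writes tomcat.log (prefix = tomcat at L213, suffix = .log at L215) and sets rotatable = false at L214, so JULI itself will never rotate that file; name the component that does the rotation (the logback-spring.xml setup referenced at L162, presumably) and use the same file name in both places. Commenting out the ConsoleHandler entries (L167-L171) stops JULI's console output, but the Tomcat Windows service wrapper keeps its own stdout/stderr redirection unless that is changed in the service configuration too; the text should say whether it was. In the Java section, "Crete directory" (L98) and "Win+r ant type" (L100) are typos (Create, and), and "JAVA HOME" at L99 should read JAVA_HOME. For Tomcat, L123 says the 9.0.45 and newer installers already set the service account, while L149-L151 still sends the reader to services.msc; state whether that step applies only to older installers. The pg_hba.conf entry dropped at L86 also deserves one sentence in the text so that readers updating an existing installation remove it as well.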
Line 127: | Line 215: | ||
===== HTTPd installation and configuration ===== | ===== HTTPd installation and configuration ===== | ||
- | First, install necessary [[https://go.microsoft.com/fwlink/? | + | |
+ | First, install necessary [[https://aka.ms/vs/16/ | ||
Download Apache HTTPd from the [[https:// | Download Apache HTTPd from the [[https:// | ||
Line 133: | Line 222: | ||
Fire up an elevated shell and install the Apache HTTPd service: | Fire up an elevated shell and install the Apache HTTPd service: | ||
< | < | ||
+ | |||
cd C: | cd C: | ||
httpd.exe -k install | httpd.exe -k install | ||
+ | |||
</ | </ | ||
- | Open the **services.msc** and reconfigure " | + | Open the **services.msc** and reconfigure " |
- | Configure the HTTPd in its core config file '' | + | * To have '' |
- | <file apache httpd.conf> | + | * To execute under '' |
- | ServerRoot " | + | |
- | Listen 80 | + | Configure the HTTPd in its core config file '' |
+ | <file apache httpd.conf> | ||
+ | #uncomment these modules | ||
LoadModule access_compat_module modules/ | LoadModule access_compat_module modules/ | ||
- | LoadModule actions_module modules/ | ||
- | LoadModule alias_module modules/ | ||
- | LoadModule allowmethods_module modules/ | ||
- | LoadModule asis_module modules/ | ||
- | LoadModule auth_basic_module modules/ | ||
- | LoadModule authn_core_module modules/ | ||
- | LoadModule authn_file_module modules/ | ||
- | LoadModule authz_core_module modules/ | ||
- | LoadModule authz_groupfile_module modules/ | ||
- | LoadModule authz_host_module modules/ | ||
- | LoadModule authz_user_module modules/ | ||
- | LoadModule autoindex_module modules/ | ||
- | LoadModule cgi_module modules/ | ||
LoadModule deflate_module modules/ | LoadModule deflate_module modules/ | ||
- | LoadModule dir_module modules/ | ||
- | LoadModule env_module modules/ | ||
LoadModule filter_module modules/ | LoadModule filter_module modules/ | ||
+ | LoadModule http2_module modules/ | ||
LoadModule headers_module modules/ | LoadModule headers_module modules/ | ||
- | LoadModule include_module modules/ | ||
- | LoadModule isapi_module modules/ | ||
- | LoadModule log_config_module modules/ | ||
- | #LoadModule log_debug_module modules/ | ||
- | LoadModule mime_module modules/ | ||
- | #LoadModule mime_magic_module modules/ | ||
- | LoadModule negotiation_module modules/ | ||
LoadModule proxy_module modules/ | LoadModule proxy_module modules/ | ||
LoadModule proxy_ajp_module modules/ | LoadModule proxy_ajp_module modules/ | ||
- | #LoadModule proxy_balancer_module modules/ | ||
- | #LoadModule proxy_connect_module modules/ | ||
- | #LoadModule proxy_express_module modules/ | ||
- | #LoadModule proxy_html_module modules/ | ||
LoadModule proxy_http_module modules/ | LoadModule proxy_http_module modules/ | ||
LoadModule proxy_wstunnel_module modules/ | LoadModule proxy_wstunnel_module modules/ | ||
- | #LoadModule reqtimeout_module modules/ | ||
LoadModule rewrite_module modules/ | LoadModule rewrite_module modules/ | ||
- | LoadModule setenvif_module modules/ | ||
LoadModule socache_shmcb_module modules/ | LoadModule socache_shmcb_module modules/ | ||
LoadModule ssl_module modules/ | LoadModule ssl_module modules/ | ||
LoadModule unique_id_module modules/ | LoadModule unique_id_module modules/ | ||
- | #LoadModule vhost_alias_module modules/ | ||
- | LoadModule security2_module modules/ | ||
- | < | + | #add modsecurity module: |
- | # jsme na oknech, tohle se nepouzije | + | |
- | | + | |
- | Group daemon | + | |
- | </IfModule> | + | |
- | # ' | + | #change ServerName and Server Admin |
- | # | + | |
ServerAdmin root@demo.czechidm.com | ServerAdmin root@demo.czechidm.com | ||
ServerName demo.czechidm.com | ServerName demo.czechidm.com | ||
- | < | + | #uncomment include vhosts a ssl configuration |
- | AllowOverride none | + | |
- | Require all denied | + | |
- | </ | + | |
- | + | ||
- | DocumentRoot " | + | |
- | < | + | |
- | Options -Indexes -FollowSymLinks -MultiViews | + | |
- | AllowOverride None | + | |
- | Require all granted | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | DirectoryIndex index.html | + | |
- | </ | + | |
- | + | ||
- | <Files " | + | |
- | Require all denied | + | |
- | </ | + | |
- | + | ||
- | ErrorLog " | + | |
- | LogLevel warn | + | |
- | + | ||
- | < | + | |
- | LogFormat "%h %l %u %t \" | + | |
- | LogFormat "%h %l %u %t \" | + | |
- | < | + | |
- | | + | |
- | LogFormat "%h %l %u %t \" | + | |
- | </ | + | |
- | CustomLog " | + | |
- | #CustomLog " | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | ScriptAlias /cgi-bin/ " | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | #Scriptsock cgisock | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | AllowOverride None | + | |
- | Options None | + | |
- | Require all granted | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | RequestHeader unset Proxy early | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | TypesConfig conf/ | + | |
- | AddType application/ | + | |
- | AddType application/ | + | |
- | </ | + | |
- | + | ||
- | # Virtual hosts | + | |
Include conf/ | Include conf/ | ||
- | |||
- | # Configure mod_proxy_html to understand HTML4/ | ||
- | < | ||
- | Include conf/ | ||
- | </ | ||
- | |||
- | # Secure (SSL/TLS) connections | ||
Include conf/ | Include conf/ | ||
- | # Note: The following must must be present to support | + | # Include modsec |
- | # | + | |
- | # but a statically compiled-in mod_ssl. | + | |
- | < | + | |
- | SSLRandomSeed startup builtin | + | |
- | SSLRandomSeed connect builtin | + | |
- | </ | + | |
- | + | ||
- | # Include modsec | + | |
- | # if you do not want to use it, comment-out the section below | + | |
< | < | ||
Include conf/ | Include conf/ | ||
</ | </ | ||
+ | |||
+ | |||
</ | </ | ||
- | Configure the HTTP->HTTPS redirect in the '' | + | Configure the HTTP→HTTPS redirect in the '' |
<file apache httpd-vhosts.conf> | <file apache httpd-vhosts.conf> | ||
# Virtual Hosts | # Virtual Hosts | ||
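Review bot: moving from a full replacement httpd.conf to edits of the stock file (L246, L290, L295, L299) drops hardening lines the old file carried explicitly: Options -Indexes -FollowSymLinks -MultiViews on the DocumentRoot directory (L304-L309), the <Files ".ht*"> Require all denied block (L315-L317) and RequestHeader unset Proxy early (L347-L349). The stock 2.4 httpd.conf keeps the root-directory deny and the .ht* block, but its htdocs block enables Indexes and FollowSymLinks, so either keep the Options -Indexes line in the hunk or tell the reader to change that block. RequestHeader unset Proxy early only mattered for CGI, and cgi_module is no longer loaded (removed at L260, absent from the new list), so dropping it is fine, but say so. Make sure the LoadModule line for security2_module (removed at L289) actually follows the "#add modsecurity module:" comment at L290, since the mod_security section later depends on it. The comment at L299 reads "vhosts a ssl" with the Czech "a"; use "and".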
Line 300: | Line 288: | ||
# Redirect / https:// | # Redirect / https:// | ||
</ | </ | ||
+ | |||
</ | </ | ||
- | Configure the HTTPS virtual host in the '' | + | Configure the HTTPS virtual host in the '' |
- | < | + | |
<file apache httpd-ssl.conf> | <file apache httpd-ssl.conf> | ||
Listen 443 | Listen 443 | ||
Line 309: | Line 298: | ||
SSLCipherSuite ALL: | SSLCipherSuite ALL: | ||
SSLProxyCipherSuite HIGH: | SSLProxyCipherSuite HIGH: | ||
- | SSLHonorCipherOrder on | + | SSLHonorCipherOrder on |
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | ||
SSLProxyProtocol all -SSLv2 -SSLv3 | SSLProxyProtocol all -SSLv2 -SSLv3 | ||
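Review bot: SSLProxyProtocol at L400 still permits TLSv1 and TLSv1.1 while SSLProtocol at L399 excludes them. The backend is reached over ajp:// further down, so the proxy TLS settings are unused in this layout, but align the two lines (and SSLProxyCipherSuite at L397 with SSLCipherSuite at L396) so a weaker setting does not survive into a deployment that proxies over https; the frontend list at L396 starts from ALL, so double-check that the exclusions following it drop aNULL, eNULL and export ciphers.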
Line 315: | Line 304: | ||
SSLSessionCache | SSLSessionCache | ||
SSLSessionCacheTimeout | SSLSessionCacheTimeout | ||
- | |||
< | < | ||
Line 343: | Line 331: | ||
# workaround for bad font handling in IE 11 | # workaround for bad font handling in IE 11 | ||
< | < | ||
- | Header set Cache-Control " | + | Header set Cache-Control " |
</ | </ | ||
+ | Protocols | ||
ProxyRequests | ProxyRequests | ||
ProxyPreserveHost on | ProxyPreserveHost on | ||
ProxyAddHeaders on | ProxyAddHeaders on | ||
- | ProxyPass / ajp:// | + | ProxyPass / ajp:// |
- | ProxyPassReverse / ajp:// | + | ProxyPassReverse / ajp:// |
RewriteEngine On | RewriteEngine On | ||
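Review bot: the ProxyPass/ProxyPassReverse to ajp:// at L415-L416 needs a matching statement in the Tomcat Connector block (L137-L147). Since Tomcat 8.5.51 / 9.0.31 the AJP connector binds to the loopback address by default and refuses to start unless either a secret is configured or secretRequired="false" is set, and L123 recommends 9.0.45 or newer, so show the chosen attributes in that block; with everything on one host (L10) keep the loopback bind, and if a secret is used the same value belongs on the ProxyPass line (secret= parameter, httpd 2.4.42 or newer). The Protocols line added at L411 only has an effect for h2 when http2_module (enabled at L265) is loaded; mention that pairing.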
Line 359: | Line 348: | ||
SecRuleRemoveById 960015 | SecRuleRemoveById 960015 | ||
SecRuleRemoveById 950109 | SecRuleRemoveById 950109 | ||
- | + | ||
# Allow Czech signs | # Allow Czech signs | ||
SecRuleRemoveById 981318 | SecRuleRemoveById 981318 | ||
Line 365: | Line 354: | ||
SecRuleRemoveById 960024 | SecRuleRemoveById 960024 | ||
SecRuleRemoveById 981245 | SecRuleRemoveById 981245 | ||
- | + | ||
# Too restrictive for login format | # Too restrictive for login format | ||
SecRuleRemoveById 960035 | SecRuleRemoveById 960035 | ||
- | + | ||
- | # Needed by Websockets | + | # Needed by Websockets |
< | < | ||
SecRuleRemoveById 970901 | SecRuleRemoveById 970901 | ||
</ | </ | ||
- | | + | |
# These break Certificate Authority module | # These break Certificate Authority module | ||
- | < | + | < |
SecRuleRemoveById 960915 | SecRuleRemoveById 960915 | ||
SecRuleRemoveById 200003 | SecRuleRemoveById 200003 | ||
</ | </ | ||
- | | + | |
- | # Modsec can throw false positives on some files due to multipart boundary check | + | # Modsec can throw false positives on some files due to multipart boundary check |
- | < | + | < |
- | SecRuleRemoveById 960915 | + | SecRuleRemoveById 960915 |
- | SecRuleRemoveById 200003 | + | SecRuleRemoveById 200003 |
- | </ | + | </ |
- | + | ||
# do not log request/ | # do not log request/ | ||
- | SecAuditLogParts | + | SecAuditLogParts |
</ | </ | ||
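Review bot: the groups at L437-L440 and L443-L446 remove the same two rules (960915 and 200003) under two different location sections with different justifications (Certificate Authority module versus multipart boundary false positives); if both paths need it, one section covering both is easier to audit, and the comment at L442 should say that 200003 is the multipart strict-validation rule from modsecurity.conf rather than a CRS rule. All the other IDs (960015, 950109, 981318, 960024, 981245, 960035, 970901) follow the CRS 2.x numbering; the installation section below now fetches rules from github.com/coreruleset (L476), so confirm that the downloaded rule set still contains these IDs, because SecRuleRemoveById for an ID that does not exist is silently ignored and the intended exclusion is lost. The SecAuditLogParts change at L449 should state which parts are kept so the audit log still shows enough for incident review.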
Line 415: | Line 404: | ||
AddOutputFilterByType DEFLATE application/ | AddOutputFilterByType DEFLATE application/ | ||
AddOutputFilterByType DEFLATE application/ | AddOutputFilterByType DEFLATE application/ | ||
- | + | ||
# Remove browser bugs (only needed for really old browsers) | # Remove browser bugs (only needed for really old browsers) | ||
BrowserMatch ^Mozilla/4 gzip-only-text/ | BrowserMatch ^Mozilla/4 gzip-only-text/ | ||
Line 424: | Line 413: | ||
</ | </ | ||
+ | |||
</ | </ | ||
- | Supply SSL certificate and key in x509 PEM form to '' | + | Supply SSL certificate and key in x509 PEM form to '' |
+ | |||
+ | Self-signed cert and key for testing purposes can be created like this: | ||
+ | < | ||
+ | |||
+ | openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes | ||
+ | |||
+ | </ | ||
+ | |||
===== mod_security installation ===== | ===== mod_security installation ===== | ||
- | Download the mod\_security module from the [[https:// | + | Download the mod\_security module |
Unpack the zip and perform following actions: | Unpack the zip and perform following actions: | ||
* Copy the '' | * Copy the '' | ||
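Review bot: the self-signed command at L466 uses -nodes, so server.key is written unencrypted; the text should tell the reader to restrict the key file's ACL to the account httpd runs under (the one chosen at L242) and to remove the test pair once the real certificate from L461 is in place. Adding -subj (for example -subj "/CN=demo.czechidm.com", matching the ServerName at L298) avoids the interactive prompts and makes the step scriptable.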
Line 493: | Line 492: | ||
Create empty directories '' | Create empty directories '' | ||
- | Mod\_security will become operational but will have no filtering rules. To obtain filtering rules, please visit [[https://www.modsecurity.org/|Mod Security project | + | Mod\_security will become operational but will have no filtering rules. To obtain filtering rules, please visit [[https://github.com/coreruleset/ |
- | < | + | |
+ | Create directory '' | ||
+ | From downloaded zip copy all rules from '' | ||
+ | Then downloaded zip copy rule configuration '' | ||
+ | |||
+ | < | ||
+ | </note> | ||
+ | |||
+ | Now in file '' | ||
+ | < | ||
+ | SecAction \ | ||
+ | " | ||
+ | phase:1, \ | ||
+ | t:none, \ | ||
+ | setvar:' | ||
+ | setvar:' | ||
+ | setvar:' | ||
+ | setvar:' | ||
+ | setvar:' | ||
+ | nolog, \ | ||
+ | pass" | ||
+ | |||
+ | </code> | ||
Now you can start the Apache HTTPd using its service. If it fails to start, check the Windows EventLog for errors. | Now you can start the Apache HTTPd using its service. If it fails to start, check the Windows EventLog for errors. |
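Review bot: the steps at L479-L480 need a grammar fix ("From the downloaded zip copy all rules from ...", "Then, from the downloaded zip, copy the rule configuration ..."), and the text should say that the Include in httpd.conf (L377-L378) must point at the directory created at L478, otherwise mod_security loads with no rules, which is exactly the state L476 warns about. Before starting the service at L500, suggest running httpd.exe -t from the elevated shell used at L233-L237; it reports configuration errors (including a bad rules path or a malformed SecAction such as the one at L487-L497) directly instead of leaving the reader to dig through the EventLog, and it is worth running the first days with SecRuleEngine DetectionOnly and reviewing the audit log before enforcing.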