Apache HTTP Server Installation and Configuration¶
The Apache HTTP server and the mod_ssl
Apache module should have already
been installed as dependencies for the td-webportal
RPM package.
You can verify this with the following command:
[root@webportal ~]# yum install httpd mod_ssl
Setting up Install Process
Package httpd-2.2.15-30.0.1.el6_5.x86_64 already installed and latest version
Package 1:mod_ssl-2.2.15-30.0.1.el6_5.x86_64 already installed and latest version
Nothing to do
Update httpd.conf
¶
Open the web server configuration file /etc/httpd/conf/httpd.conf
in a text
editor to change the following parameters:
KeepAlive On
KeepAliveTimeout 2
ServerName <Your ServerName>
For security reasons, we also advise to disable the so-called “Server Signature” - a feature that adds a line containing the server version and virtual host name to server-generated pages (e.g. internal error documents, FTP directory listings, etc):
ServerSignature Off
By default, the server version and operating system is also displayed in the
Server
response header field, e.g. Server: Apache/2.2.15 (CentOS)
.
To suppress this output, we suggest updating the ServerTokens
option as
follows:
ServerTokens Prod
Disable Unneeded Apache Modules¶
The TeamDrive Web Portal only requires a few Apache modules to be enabled. To reduce the memory footprint, please deactivate unnecessary modules in the apache configuration.
Apache 2.4¶
In the directory: /etc/httpd/conf.modules.d
comment out all modules in the
following config files. Using the linux stream editor (sed) with the following
regular expression will add a ‘#’ comment sign in each line starting with
‘LoadModule’:
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-dav.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-lua.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-proxy.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/01-cgi.conf
Edit /etc/httpd/conf.modules.d/00-proxy.conf
and enable these modules by
removing the comment ‘#’ in from of each line:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
Edit /etc/httpd/conf.modules.d/00-base.conf
and leave only the following
modules enabled by adding a ‘#’ comment in front of all other modules:
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule headers_module modules/mod_headers.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule version_module modules/mod_version.so
Configure mod_ssl
¶
The web-based TeamDrive Web Portal Administration Console should be accessed
via an encrypted SSL connection. To facilitate this, add the following to the
end of the default <VirtualHost>
section in /etc/httpd/conf.d/ssl.conf
:
Include conf.d/td-webportal.httpd.conf.ssl
</VirtualHost>
Note
The Apache HTTP Server package includes a self-signed SSL certificate for testing purposes. If you connect to the server using a web browser, it will likely raise an error about an untrusted/insecure connection. You should consider replacing this certificate with an appropriate one.
Follow the instructions provided by your certificate authority on how to obtain and install an SSL certificate for the Apache HTTP Server.
Verify your SSL configuration using the service from SSL Labs:
https://www.ssllabs.com/ssltest/analyze.html
and make sure that
the “Handshake Simulation” is working for current platforms and browser. The
following ssl parameters for the apache web server will create an A-rating
and make sure that the handshake is working for current platforms and browser:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
Add DOCKER_HOST environment variable to the bottom of the /etc/sysconfig/httpd
file:
DOCKER_HOST=127.0.0.1
Replace “127.0.0.1” with the IP address of the Docker container host if the Docker host machine is not the same as the Web Portal.
As the comment indicates, the IP address “127.0.0.1” must be replaced with
IP address or host name of the Docker host. This is the same value as the
domain name in the DockerHost
setting.
If the Docker host machine is the same as the Web Portal, then the re-write rules containing “127.0.0.1” must not be changed.