Apache HTTP Server Installation and Configuration
The Apache HTTP server and the mod_ssl Apache module should have already
been installed as dependencies for the td-webportal RPM package.
You can verify this with the following command:
[root@webportal ~]# yum install httpd mod_ssl
Setting up Install Process
Package httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64 is already installed.
Package mod_ssl-1:2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64 is already installed.
Nothing to do
Update httpd.conf
Open the web server configuration file /etc/httpd/conf/httpd.conf in a text
editor to change the following parameters:
KeepAlive On
KeepAliveTimeout 2
ServerName <Your ServerName>
For security reasons, we also advise disabling the so-called “Server Signature”, a feature that adds a line containing the server version and virtual host name to server-generated pages (e.g. internal error documents, FTP directory listings, etc.):
ServerSignature Off
By default, the server version and operating system are also displayed in the
Server response header field, e.g. Server: Apache/2.4.37 (CentOS).
To suppress this output, we suggest updating the ServerTokens option as
follows:
ServerTokens Prod
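A quick way to confirm that these directives actually take effect in a given httpd.conf is to resolve each one the way httpd does (comment lines are ignored and, for a repeated top-level directive, the last occurrence wins) and compare the result with the expected value. The script below is an added example and not part of the TeamDrive documentation; the httpd.conf it writes to a temporary file is constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the TeamDrive documentation): verify that the
# hardening directives from this section are in effect in an httpd.conf.
# httpd ignores comment lines and, for repeated top-level directives,
# the last occurrence wins; the check below resolves them the same way.

# effective_directive FILE NAME
#   Print the value of the last active occurrence of NAME in FILE
#   (directive names are case-insensitive), or nothing if it is unset.
effective_directive() {
    awk -v name="$2" '
        /^[ \t]*#/                   { next }        # skip comment lines
        tolower($1) == tolower(name) { val = $2 }    # later occurrence wins
        END { if (val != "") print val }
    ' "$1"
}

# check_hardening FILE
#   Report PASS/FAIL for each expected directive; return 0 only if all match.
check_hardening() {
    rc=0
    for pair in ServerSignature=Off ServerTokens=Prod KeepAlive=On; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(effective_directive "$1" "$name")
        got_lc=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
        want_lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        if [ "$got_lc" = "$want_lc" ]; then
            echo "PASS  $name $got"
        else
            echo "FAIL  $name (want $want, got ${got:-<unset>})"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a stock-looking httpd.conf that still advertises the
# server version. The commented-out ServerSignature line must not count.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ServerRoot "/etc/httpd"
KeepAlive On
KeepAliveTimeout 2
#ServerSignature Off
ServerSignature On
ServerTokens OS
EOF

# Hardened copy carrying the values recommended above.
HARDENED=$(mktemp)
sed -e 's/^ServerSignature .*/ServerSignature Off/' \
    -e 's/^ServerTokens .*/ServerTokens Prod/' "$SAMPLE" > "$HARDENED"

echo "== stock configuration =="
check_hardening "$SAMPLE" || true
echo "== hardened configuration =="
check_hardening "$HARDENED" || true
```

Run against the real file with `check_hardening /etc/httpd/conf/httpd.conf` after editing; a FAIL line names the directive that is still unset or still carries the default value.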
Enable “Prefork” Mode
The mod_yvva module requires that Apache run in prefork mode. Note that
Apache will crash when running with a different MPM.
To set the mode, execute:
sed -e '/LoadModule mpm_event_module/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-mpm.conf
sed -e '/#LoadModule mpm_prefork_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-mpm.conf
which will comment out the mpm_event_module and uncomment the mpm_prefork_module. The result should look like this:
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines.  See the httpd.conf(5) man
# page for more information on changing the MPM.
...
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
...
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
...
#LoadModule mpm_event_module modules/mod_mpm_event.so
Disable Unneeded Apache Modules
The TeamDrive Web Portal only requires a few Apache modules to be enabled. To reduce the memory footprint, please deactivate unnecessary modules in the Apache configuration.
Apache 2.4
In the directory /etc/httpd/conf.modules.d, comment out all modules in the
following config files. Using the Linux stream editor (sed) with the following
regular expression prefixes every line containing ‘LoadModule’ with a single ‘#’
comment sign (lines that are already commented out keep exactly one ‘#’):
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-dav.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-lua.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-proxy.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/01-cgi.conf
Re-Enable only the required modules in /etc/httpd/conf.modules.d/00-proxy.conf:
sed -e '/#LoadModule proxy_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-proxy.conf
sed -e '/#LoadModule proxy_http_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-proxy.conf
sed -e '/#LoadModule proxy_wstunnel_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-proxy.conf
Disable all modules in /etc/httpd/conf.modules.d/00-base.conf and re-enable
only the required modules:
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule actions_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule alias_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule authz_core_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule autoindex_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule dir_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule headers_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule log_config_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule mime_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule negotiation_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule rewrite_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule setenvif_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule slotmem_shm_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule socache_shmcb_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule unixd_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule version_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
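The outcome of this section and the prefork section above can be confirmed without starting httpd: list the LoadModule lines that are still active across /etc/httpd/conf.modules.d, compare them with an allowlist, and check that exactly one MPM (prefork) is loaded. The script below is an added example and not part of the TeamDrive documentation: it applies the documented sed edits to constructed, cut-down copies of 00-mpm.conf and 00-base.conf in a temporary directory and then audits the result. The function names and the short allowlist are mine; on a real system the allowlist would be the full set of modules re-enabled above.

```shell
#!/bin/sh
# Added example (not from the TeamDrive documentation): audit which Apache
# modules remain loaded after the sed edits above. The module files created
# below are constructed, cut-down versions of the stock CentOS 8 ones.

# enabled_modules DIR
#   Print the module names of all active (uncommented) LoadModule lines
#   found in DIR/*.conf, sorted.
enabled_modules() {
    awk '/^[ \t]*LoadModule[ \t]/ { print $2 }' "$1"/*.conf | sort
}

# check_single_mpm DIR
#   Return 0 only if exactly one MPM is loaded and it is mpm_prefork_module.
check_single_mpm() {
    mpms=$(enabled_modules "$1" | grep '^mpm_' || true)
    [ "$mpms" = "mpm_prefork_module" ]
}

# unexpected_modules DIR "allowed_module ..."
#   Print every loaded non-MPM module that is missing from the allowlist.
unexpected_modules() {
    for m in $(enabled_modules "$1" | grep -v '^mpm_' || true); do
        case " $2 " in
            *" $m "*) ;;
            *) echo "$m" ;;
        esac
    done
}

# harden_modules DIR
#   The sed edits from the documentation; only the base modules present in
#   the constructed sample are re-enabled here.
harden_modules() {
    sed -e '/LoadModule mpm_event_module/ s/^#*/#/' -i "$1/00-mpm.conf"
    sed -e '/#LoadModule mpm_prefork_module/ s/^#*//' -i "$1/00-mpm.conf"
    sed -e '/LoadModule/ s/^#*/#/' -i "$1/00-base.conf"
    for m in alias_module authz_core_module dir_module; do
        sed -e "/#LoadModule $m/ s/^#*//" -i "$1/00-base.conf"
    done
}

# Constructed sample directory standing in for /etc/httpd/conf.modules.d.
WORK=$(mktemp -d)
cat > "$WORK/00-mpm.conf" <<'EOF'
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines.
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
LoadModule mpm_event_module modules/mod_mpm_event.so
EOF
cat > "$WORK/00-base.conf" <<'EOF'
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule alias_module modules/mod_alias.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule dir_module modules/mod_dir.so
LoadModule status_module modules/mod_status.so
EOF

# Allowlist for the sample (assumption: only these three are required here).
ALLOWED="alias_module authz_core_module dir_module"

harden_modules "$WORK"
echo "loaded modules:"
enabled_modules "$WORK"
if check_single_mpm "$WORK"; then echo "MPM: prefork only, OK"; else echo "MPM: check FAILED"; fi
extra=$(unexpected_modules "$WORK" "$ALLOWED")
[ -z "$extra" ] && echo "no unexpected modules" || echo "unexpected: $extra"
```

Because the sed expressions replace any run of leading ‘#’ with exactly one, `harden_modules` can be run repeatedly without changing the result, which is what makes the documented commands safe to re-apply after a package update has rewritten the files.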
Configure mod_ssl
The web-based TeamDrive Web Portal Administration Console should be accessed
via an encrypted SSL connection. To facilitate this, add the following to the
end of the default <VirtualHost> section in /etc/httpd/conf.d/ssl.conf:
Include conf.d/td-webportal.httpd.conf.ssl
</VirtualHost>
Note
The Apache HTTP Server package includes a self-signed SSL certificate for testing purposes. If you connect to the server using a web browser, it will likely raise an error about an untrusted/insecure connection. You should consider replacing this certificate with an appropriate one.
Follow the instructions provided by your certificate authority on how to obtain and install an SSL certificate for the Apache HTTP Server.
Verify your SSL configuration using the service from SSL Labs:
https://www.ssllabs.com/ssltest/analyze.html and make sure that
the “Handshake Simulation” succeeds for current platforms and browsers. The
following SSL parameters for the Apache Web Server on CentOS 7 will achieve an
A rating and make sure that the handshake works for current platforms and
browsers (on CentOS 8 no changes to the default configuration are necessary):
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
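The SSLProtocol line uses mod_ssl's additive syntax: all enables every protocol the build supports, +NAME adds one and -NAME removes one. Expanding the directive shows what is actually left negotiable, and for the value above that still includes TLS 1.0 and TLS 1.1. The function below is an added example and not part of the TeamDrive documentation; it assumes, as a stated assumption, the protocol set of mod_ssl 2.4.37 built against OpenSSL 1.1.1 (SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3; SSLv2 is no longer supported, so -SSLv2 is accepted but has no effect), and the exact set on a given host depends on how its OpenSSL was compiled. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the TeamDrive documentation): expand an
# SSLProtocol directive value into the list of protocols it leaves enabled.

# Assumption: protocol set of mod_ssl 2.4.37 with OpenSSL 1.1.1. SSLv2 is
# absent because that build cannot negotiate it; "-SSLv2" is then a no-op.
SSL_ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# effective_ssl_protocols "VALUE"
#   Print, on one line and in version order, the protocols that the given
#   SSLProtocol value enables. Tokens are processed left to right:
#   "all" resets to the full set, "+NAME" adds, "-NAME" removes, and a
#   bare NAME adds (so "TLSv1.2 TLSv1.3" means exactly those two).
effective_ssl_protocols() {
    enabled=""
    for tok in $1; do
        case $tok in
            all) enabled="$SSL_ALL_PROTOCOLS" ;;
            +*)  enabled="$enabled ${tok#+}" ;;
            -*)  p=${tok#-}
                 new=""
                 for e in $enabled; do
                     [ "$e" = "$p" ] || new="$new $e"
                 done
                 enabled=$new ;;
            *)   enabled="$enabled $tok" ;;
        esac
    done
    # Emit in canonical order, which also removes duplicates.
    out=""
    for p in $SSL_ALL_PROTOCOLS; do
        case " $enabled " in
            *" $p "*) out="$out${out:+ }$p" ;;
        esac
    done
    printf '%s\n' "$out"
}

# only_modern_tls "VALUE"
#   Return 0 if nothing older than TLSv1.2 remains enabled.
only_modern_tls() {
    for p in $(effective_ssl_protocols "$1"); do
        case $p in
            TLSv1.2|TLSv1.3) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

echo "documented value  : $(effective_ssl_protocols 'all -SSLv2 -SSLv3')"
echo "TLS 1.2+ only     : $(effective_ssl_protocols 'all -SSLv3 -TLSv1 -TLSv1.1')"
if only_modern_tls 'all -SSLv2 -SSLv3'; then
    echo "documented value: TLS 1.2+ only"
else
    echo "documented value: TLS 1.0/1.1 still negotiable"
fi
```

Under the stated assumption the documented value expands to TLSv1 TLSv1.1 TLSv1.2 TLSv1.3, so the A rating is obtained with TLS 1.0 and 1.1 still negotiable; appending -TLSv1 -TLSv1.1 to the same directive restricts the server to TLS 1.2 and 1.3.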
Create teamdrive user
The docker service will run as the non-root user teamdrive. Create the user and
add the apache user to the teamdrive group to allow Apache access to the docker
socket:
adduser teamdrive
usermod -a -G teamdrive apache
It is not necessary to define a password for this user.