Apache HTTP Server Installation and Configuration

The Apache HTTP server and the mod_ssl Apache module should have already been installed as dependencies for the td-webportal RPM package. You can verify this with the following command:

[root@webportal ~]# yum install httpd mod_ssl
Setting up Install Process
Package httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64 is already installed.
Package mod_ssl-1:2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64 is already installed.
Nothing to do

Update httpd.conf

Open the web server configuration file /etc/httpd/conf/httpd.conf in a text editor to change the following parameters:

Mutex flock
KeepAlive On
KeepAliveTimeout 2
ServerName <Your ServerName>

For security reasons, we also advise disabling the so-called “Server Signature”, a feature that adds a line containing the server version and virtual host name to server-generated pages (e.g. internal error documents, FTP directory listings, etc.):

ServerSignature Off

By default, the server version and operating system are also displayed in the Server response header field, e.g. Server: Apache/2.4.37 (CentOS). To suppress this output, we suggest updating the ServerTokens option as follows:

ServerTokens Prod
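
A way to check both settings, and the Server header a response actually carries, as an added example that is not part of the original guide. The function names are made up for this example, and it assumes the directives are set in the one file it is given (Include files and per-virtual-host overrides are not followed).

```sh
#!/bin/sh
# Added example, not TeamDrive code: function names are made up here.

# Print the value of a directive as set in one file. Directive names are
# case-insensitive; the last uncommented occurrence is taken as effective
# (an assumption of this example).
effective_directive() {  # usage: effective_directive <Directive> <file>
    awk -v want="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(want) { val = $2 }
        END { if (val != "") print val }' "$2"
}

# Return 0 only when both settings are explicitly set as recommended above.
banner_hardened() {  # usage: banner_hardened /etc/httpd/conf/httpd.conf
    sig=$(effective_directive ServerSignature "$1" | tr 'A-Z' 'a-z')
    tok=$(effective_directive ServerTokens "$1" | tr 'A-Z' 'a-z')
    [ "$sig" = "off" ] || return 1
    case "$tok" in prod|productonly) return 0 ;; *) return 1 ;; esac
}

# Read response headers on stdin; return 0 when the Server header carries
# anything beyond a bare product name (a version, an OS, loaded modules).
server_header_leaks() {
    tr -d '\r' | awk '
        tolower($0) ~ /^server:/ {
            v = $0; sub(/^[^:]*:[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (v ~ "[/ (]") leak = 1
        }
        END { exit !leak }'
}

# Constructed sample input, not taken from a real host.
conf=$(mktemp)
printf '%s\n' 'ServerTokens OS' '#ServerSignature On' \
              'ServerSignature Off' 'servertokens Prod' > "$conf"
banner_hardened "$conf" && echo "config: banner settings as recommended"
printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.37 (CentOS)\r\n\r\n' |
    server_header_leaks && echo "response: Server header discloses details"
rm -f "$conf"
```

Against a running server, the response headers can be piped in from `curl -sI` instead of the constructed sample.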

Enable “Prefork” Mode

The mod_yvva module requires that Apache run in prefork mode. Note that Apache will crash when running in a different mode.

To set the mode, execute:

sed -e '/LoadModule mpm_event_module/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-mpm.conf
sed -e '/#LoadModule mpm_prefork_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-mpm.conf

which will comment out the mpm_event_module and uncomment the mpm_prefork_module. The result should look like this:

# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines.  See the httpd.conf(5) man
# page for more information on changing the MPM.
...
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
...
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
...
#LoadModule mpm_event_module modules/mod_mpm_event.so

Disable Unneeded Apache Modules

The TeamDrive Web Portal only requires a few Apache modules to be enabled. To reduce the memory footprint, please deactivate unnecessary modules in the Apache configuration.

Apache 2.4

In the directory /etc/httpd/conf.modules.d, comment out all modules in the following config files. Using the Linux stream editor (sed) with the following regular expression will add a ‘#’ comment sign to each line containing ‘LoadModule’:

sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-dav.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-lua.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-proxy.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/01-cgi.conf

Re-enable only the required modules in /etc/httpd/conf.modules.d/00-proxy.conf:

sed -e '/#LoadModule proxy_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-proxy.conf
sed -e '/#LoadModule proxy_http_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-proxy.conf
sed -e '/#LoadModule proxy_wstunnel_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-proxy.conf

Disable all modules in /etc/httpd/conf.modules.d/00-base.conf and re-enable only the required modules:

sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule actions_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule alias_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule authz_core_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule autoindex_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule dir_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule headers_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule log_config_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule mime_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule negotiation_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule rewrite_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule setenvif_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule slotmem_shm_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule socache_shmcb_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule unixd_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule version_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
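
A way to confirm the outcome of the prefork and module steps above, and to catch modules that a later package update switches back on, as an added example that is not part of the original guide. The function and variable names are made up for this example; the allow-list is the set of modules re-enabled above, and only the files named on this page are read.

```sh
#!/bin/sh
# Added example, not TeamDrive code: function and variable names are made up here.
# Module names are written without the "_module" suffix.
ALLOWED="actions alias authz_core autoindex dir headers log_config mime \
negotiation rewrite setenvif slotmem_shm socache_shmcb unixd version \
proxy proxy_http proxy_wstunnel"
AUDITED="00-base.conf 00-dav.conf 00-lua.conf 00-proxy.conf 01-cgi.conf"

# Print the names of active (uncommented) LoadModule lines in the given files.
enabled_modules() {
    awk 'tolower($1) == "loadmodule" { sub(/_module$/, "", $2); print $2 }' "$@" | sort -u
}

# Print one finding per line for <dir>; return 0 only when there are none.
audit_modules() {  # usage: audit_modules /etc/httpd/conf.modules.d
    dir=$1; findings=0; files=""
    for f in $AUDITED; do
        if [ -f "$dir/$f" ]; then files="$files $dir/$f"; fi
    done
    active=$(enabled_modules $files </dev/null)
    for m in $active; do   # loaded, but not in the page's list
        case " $ALLOWED " in *" $m "*) ;; *) echo "UNEXPECTED $m"; findings=1 ;; esac
    done
    for m in $ALLOWED; do  # in the page's list, but not loaded
        case " $(echo $active) " in *" $m "*) ;; *) echo "MISSING $m"; findings=1 ;; esac
    done
    # mod_yvva needs prefork to be the only MPM that is loaded.
    mpm=$(enabled_modules "$dir/00-mpm.conf" 2>/dev/null)
    if [ "$mpm" != "mpm_prefork" ]; then
        echo "MPM $(echo ${mpm:-none})"; findings=1
    fi
    return $findings
}

# Constructed sample directory (dummy .so paths): cgi still loaded, event MPM active.
demo=$(mktemp -d)
printf 'LoadModule %s_module modules/dummy.so\n' $ALLOWED > "$demo/00-base.conf"
echo 'LoadModule cgi_module modules/mod_cgi.so' > "$demo/01-cgi.conf"
echo 'LoadModule mpm_event_module modules/mod_mpm_event.so' > "$demo/00-mpm.conf"
audit_modules "$demo" || echo "module set differs from the documented one"
rm -rf "$demo"
```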

Configure mod_ssl

The web-based TeamDrive Web Portal Administration Console should be accessed via an encrypted SSL connection. To facilitate this, add the following to the end of the default <VirtualHost> section in /etc/httpd/conf.d/ssl.conf:

Include conf.d/td-webportal.httpd.conf.ssl
</VirtualHost>

Note

The Apache HTTP Server package includes a self-signed SSL certificate for testing purposes. If you connect to the server using a web browser, it will likely raise an error about an untrusted/insecure connection. You should consider replacing this certificate with an appropriate one.

Follow the instructions provided by your certificate authority on how to obtain and install an SSL certificate for the Apache HTTP Server.

Verify your SSL configuration using the service from SSL Labs: https://www.ssllabs.com/ssltest/analyze.html and make sure that the “Handshake Simulation” is working for current platforms and browsers. The following SSL parameters for the Apache web server on CentOS 7 will produce an A rating and make sure that the handshake is working for current platforms and browsers (for CentOS 8, no changes to the default configuration are necessary):

SSLProtocol all -SSLv2 -SSLv3

SSLHonorCipherOrder on

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS