Apache HTTP Server Installation and Configuration
The Apache HTTP server and the mod_ssl Apache module should have already been installed as dependencies for the td-webportal RPM package.
You can verify this with the following command:
[root@webportal ~]# dnf install httpd mod_ssl
Setting up Install Process
Package httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64 is already installed.
Package mod_ssl-1:2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64 is already installed.
Nothing to do
Update httpd.conf and welcome.conf
Open the web server configuration file /etc/httpd/conf/httpd.conf in a text editor to add the following parameters:
Mutex flock
KeepAlive On
KeepAliveTimeout 2
ServerName <Your ServerName>
For security reasons, we also advise disabling the so-called “Server Signature”, a feature that adds a line containing the server version and virtual host name to server-generated pages (e.g. internal error documents, FTP directory listings, etc.):
ServerSignature Off
By default, the server version and operating system are also displayed in the Server response header field, e.g. Server: Apache/2.4.48 (CentOS).
To suppress this output, we suggest updating the ServerTokens option as follows:
ServerTokens Prod
In addition, disable the Apache default index page in the configuration file /etc/httpd/conf.d/welcome.conf by changing ErrorDocument 403 /.noindex.html to ErrorDocument 403 default using this call:
sed -i 's/\/\.noindex.html/default/' /etc/httpd/conf.d/welcome.conf
Enable “Prefork” Mode
The mod_yvva module requires that Apache runs in prefork mode. Note that Apache will crash when running in a different mode.
To set the mode, execute:
sed -e '/LoadModule mpm_event_module/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-mpm.conf
sed -e '/#LoadModule mpm_prefork_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-mpm.conf
which will comment out the mpm_event_module and uncomment the mpm_prefork_module. The result should look like this:
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines. See the httpd.conf(5) man
# page for more information on changing the MPM.
...
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
...
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
...
#LoadModule mpm_event_module modules/mod_mpm_event.so
Disable Unneeded Apache Modules
The TeamDrive Web Portal only requires a few Apache modules to be enabled. To reduce the memory footprint, please deactivate unnecessary modules in the Apache configuration.
Apache 2.4
In the directory /etc/httpd/conf.modules.d, comment out all modules in the following config files. Using the Linux stream editor (sed) with the following regular expression will add a ‘#’ comment sign to each line starting with ‘LoadModule’:
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-brotli.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-dav.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-lua.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-proxy.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/01-cgi.conf
Re-enable only the required modules in /etc/httpd/conf.modules.d/00-proxy.conf:
sed -e '/#LoadModule proxy_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-proxy.conf
sed -e '/#LoadModule proxy_http_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-proxy.conf
sed -e '/#LoadModule proxy_wstunnel_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-proxy.conf
Disable all modules in /etc/httpd/conf.modules.d/00-base.conf and re-enable only the required modules:
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule actions_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule alias_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule authz_core_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule autoindex_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule dir_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule headers_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule log_config_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule mime_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule negotiation_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule rewrite_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule setenvif_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule slotmem_shm_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule socache_shmcb_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule unixd_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule version_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
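One way to check the result of the prefork and module steps above (an added example, not part of the TeamDrive documentation): the script lists every uncommented LoadModule line in a directory and reports modules that this page does not enable. The function names and the sample directory are constructed for the illustration.

```shell
#!/bin/sh
# Added example: audit active LoadModule lines against the modules this page enables.
# ALLOWED is taken from the sed commands above (00-base.conf, 00-proxy.conf, 00-mpm.conf).
ALLOWED="actions alias authz_core autoindex dir headers log_config mime negotiation
rewrite setenvif slotmem_shm socache_shmcb unixd version
proxy proxy_http proxy_wstunnel mpm_prefork"

# Names (without the _module suffix) of all uncommented LoadModule lines in a directory.
active_modules() (
    awk '$1 == "LoadModule" { sub(/_module$/, "", $2); print $2 }' "$1"/*.conf | sort -u
)

# Active modules that are not in ALLOWED, space-separated on one line.
unexpected_modules() (
    out=""
    for mod in $(active_modules "$1"); do
        case " $(echo $ALLOWED) " in
            *" $mod "*) ;;
            *) out="$out$mod " ;;
        esac
    done
    echo "${out% }"
)

# Succeeds only if prefork is the single active MPM, as mod_yvva requires.
prefork_only() (
    [ "$(active_modules "$1" | grep '^mpm_' | tr '\n' ' ')" = "mpm_prefork " ]
)

# Constructed sample directory standing in for /etc/httpd/conf.modules.d.
make_sample() (
    d=$(mktemp -d)
    printf '%s\n' '#LoadModule mpm_event_module modules/mod_mpm_event.so' \
        'LoadModule mpm_prefork_module modules/mod_mpm_prefork.so' > "$d/00-mpm.conf"
    printf '%s\n' 'LoadModule alias_module modules/mod_alias.so' \
        'LoadModule status_module modules/mod_status.so' \
        '#LoadModule userdir_module modules/mod_userdir.so' > "$d/00-base.conf"
    printf '%s\n' 'LoadModule cgi_module modules/mod_cgi.so' > "$d/01-cgi.conf"
    echo "$d"
)

sample=$(make_sample)
echo "unexpected: $(unexpected_modules "$sample")"
prefork_only "$sample" && echo "MPM: prefork only"
rm -rf "$sample"
```

On a real server, pass /etc/httpd/conf.modules.d to the functions; modules loaded from files this page leaves untouched, such as mod_ssl, are reported as well and have to be judged separately.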
Configure mod_ssl
The web-based TeamDrive Web Portal Administration Console should be accessed via an encrypted SSL connection. To facilitate this, add the following to the end of the default <VirtualHost> section in /etc/httpd/conf.d/ssl.conf:
Include conf.d/td-webportal.httpd.conf.ssl
</VirtualHost>
Running the Server behind a Component with SSL Offloading Functionality
If the Web Portal is running behind a load balancer or other network component with SSL offloading functionality, you have to uncomment the following setting in /etc/httpd/conf.d/td-webportal.httpd.conf:
# YvvaSet use-x-forwarded=true
and comment out:
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} ^/admin.*
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
and uncomment:
#RewriteCond %{HTTP:X-Forwarded-Proto} =http
#RewriteCond %{REQUEST_URI} ^/admin.*
#RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
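A consistency check for the two states described above, as an added example that is not part of the TeamDrive documentation: it reports whether a configuration file is set up for direct SSL, for SSL offloading, or is caught between the two. The function name redirect_mode and the sample file are constructed; only the directives quoted on this page are examined.

```shell
#!/bin/sh
# Added example: classify the /admin redirect setup in a td-webportal.httpd.conf-style file.
# Prints "direct", "offloaded" or "inconsistent: <reason>".
redirect_mode() (
    awk '
        $1 ~ /^#/ { next }    # commented-out lines are inactive
        $1 == "RewriteCond" && $2 == "%{SERVER_PORT}"            { port = 1 }
        $1 == "RewriteCond" && $2 == "%{HTTP:X-Forwarded-Proto}" { xfp = 1 }
        $1 == "YvvaSet"     && $2 == "use-x-forwarded=true"      { fwd = 1 }
        END {
            if (port && xfp)        print "inconsistent: both redirect rule sets active"
            else if (!port && !xfp) print "inconsistent: no HTTPS redirect for /admin"
            else if (xfp && !fwd)   print "inconsistent: header rule without use-x-forwarded"
            else if (port && fwd)   print "inconsistent: use-x-forwarded without header rule"
            else if (xfp)           print "offloaded"
            else                    print "direct"
        }' "$1"
)

# Constructed sample: a half-finished switch to SSL offloading (old rule still active).
sample=$(mktemp)
cat > "$sample" <<'EOF'
YvvaSet use-x-forwarded=true
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} ^/admin.*
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteCond %{REQUEST_URI} ^/admin.*
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
EOF
redirect_mode "$sample"
rm -f "$sample"
```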