...
- Use the stock httpd RPM install (standard NIST install).
- Install the mod_ssl and mod_auth_kerb RPMs:

  ```
  # yum install mod_ssl
  # yum install mod_auth_kerb
  ```
Configure
Current versions of the various httpd configuration files can be obtained from the touchstone locker, in /mit/touchstone/config/idp2-core/httpd/. The changes to the standard stock versions are:

- In /etc/httpd/conf/httpd.conf, set ServerName:

  ```
  ServerName idp.mit.edu:80
  ```

  and set the UseCanonicalName option to On:

  ```
  UseCanonicalName On
  ```

- Disable the stock "Welcome" page by commenting out the lines in /etc/httpd/conf.d/welcome.conf.
- In /etc/httpd/conf.d/ssl.conf, set the SSLRandomSeed options:

  ```
  SSLRandomSeed startup file:/dev/urandom 1024
  SSLRandomSeed connect file:/dev/urandom 1024
  ```

  Within the VirtualHost block, set the ServerName:

  ```
  ServerName idp.mit.edu:443
  ```

  set the SSL cipher suite:

  ```
  SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP
  ```

  install the server certificate, key, and CA files in /etc/pki/tls/certs/ and /etc/pki/tls/private/, as appropriate, and set the paths in ssl.conf:

  ```
  SSLCertificateFile /etc/pki/tls/certs/idp-staging.mit.edu-cert.pem
  SSLCertificateKeyFile /etc/pki/tls/private/idp-staging.mit.edu-key.pem
  SSLCertificateChainFile /etc/pki/tls/certs/EquifaxCA.pem
  SSLCACertificateFile /etc/pki/tls/certs/mitCAclient.pem
  ```

  set the SSL options:

  ```
  SSLOptions +StrictRequire
  ```

  configure custom logging:

  ```
  CustomLog logs/ssl_request_log \
  "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"
  ```

  ensure that all access is via SSL:

  ```
  <Directory />
  SSLRequireSSL
  </Directory>
  ```

  and ensure that all rewrite rules are inherited:

  ```
  RewriteEngine On
  RewriteOptions inherit
  ```
- Install an HTTP keytab in /etc/httpd/conf/keytab; it must be readable by the apache user and by no one else. It is used for authentication by HTTP/SPNEGO, as configured in /etc/httpd/conf.d/auth_kerb.conf; install that .conf file (auth_kerb.conf) as well.
- Install cert-authn.conf from the touchstone locker (XXX), which sets :
- Install these additional conf files from the touchstone locker (/mit/touchstone/config/idp2-core/) in /etc/httpd/conf.d:
  - auth_kerb.conf: configures authentication by HTTP/SPNEGO (replaces the version installed by mod_auth_kerb).
  - cert-authn.conf: sets up the separate virtual hosts for certificate authentication on ports 446 and 447 (certificate optional and certificate required, respectively).
  - idp-attr-query.conf: sets up the vhosts for back-channel attribute queries on ports 8443 and 8444.
  - idp-rewrite.conf: adds various rewrite rules for compatibility, etc.
  - proxy_ajp.conf: configures the AJP proxy module for the idp webapp (replaces the version installed by httpd).
  - ssl.conf (see above)
  - welcome.conf (see above)
- SELinux port context mappings must be added for the non-standard ports configured for certificate authentication and attribute query, so that httpd is allowed to bind to them:

  ```
  # semanage port -a -t http_port_t -p tcp 446
  # semanage port -a -t http_port_t -p tcp 447
  # semanage port -a -t http_port_t -p tcp 8444
  ```
- Install our standard robots.txt and favicon.ico files in /var/www/html. The robots.txt should disallow all access:

  ```
  User-agent: *
  Disallow: /
  ```

  Current versions of these files may be found in the touchstone locker, in /mit/touchstone/config/htdocs/.
- Make sure httpd is started at boot time:

  ```
  # chkconfig httpd on
  ```
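As an added example (not part of this page or of the Touchstone configuration), a small Python lint that parses the ssl.conf fragments above and checks the directives that enforce SSL-only access: SSLRequireSSL inside <Directory />, SSLOptions +StrictRequire, and an SSLCipherSuite that still enables weak cipher families. Run against the cipher string shown above it reports EXP and MD5, which the '+' tokens only reorder and do not disable; the WEAK_FAMILIES set, the function names and the sample input are my assumptions.

```python
import re
# Constructed sample from this page's ssl.conf fragments (not a live config); CustomLog exercises continuations.
SAMPLE_CONF = """\
SSLCipherSuite HIGH:MEDIUM:EXP:!aNULL:!SSLv2:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP
SSLOptions +StrictRequire
CustomLog logs/ssl_request_log \\
    "%t %h %{HTTPS}x %{SSL_PROTOCOL}x \\"%r\\" %b"
<Directory />
SSLRequireSSL
</Directory>
"""
# OpenSSL cipher-list families that should not stay enabled on an IdP front end (assumed list).
WEAK_FAMILIES = {"EXP", "EXPORT", "LOW", "NULL", "MD5", "RC4", "DES"}

def parse_directives(text):
    """Return (name, args, section) tuples; joins '\\' continuations and tracks <Section>."""
    out, stack = [], []
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            m = re.match(r"<(\w+)\s*([^>]*)>", line)
            stack.append((m.group(1) + " " + m.group(2)).strip())
        else:
            name, _, args = line.partition(" ")
            out.append((name, args.strip(), stack[-1] if stack else ""))
    return out

def weak_ciphers(spec):
    """Weak families left enabled after '!' exclusions ('+' only reorders them)."""
    tokens = spec.split(":")
    killed = {t[1:] for t in tokens if t.startswith("!")}
    return sorted({t.lstrip("+") for t in tokens if t.lstrip("+") in WEAK_FAMILIES - killed})

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    get = lambda n: [(a, s) for x, a, s in d if x.lower() == n.lower()]
    findings = []
    if not any(s == "Directory /" for _, s in get("SSLRequireSSL")):
        findings.append("SSLRequireSSL missing from <Directory />")
    if not any("+StrictRequire" in a for a, _ in get("SSLOptions")):
        findings.append("SSLOptions lacks +StrictRequire")
    for a, _ in get("SSLCipherSuite"):
        if weak_ciphers(a):
            findings.append("SSLCipherSuite still enables: " + ", ".join(weak_ciphers(a)))
    return findings
```

Point audit() at the text of a real ssl.conf to check a deployed host; the same parser can be extended with checks for the other directives listed above.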
...