Please change the example values below to match your specific environment.
Add the apache user to the tungsten group:
shell> sudo usermod -a -G tungsten apache
Create the apache configuration file for the web service:
shell> sudo vim /etc/httpd/conf.d/z01-tungsten-dashboard.conf
For Apache version 2.2:
<VirtualHost *:80>
ServerName dashboard.yourdomain.com
DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com
Header set Access-Control-Allow-Origin *
ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined
<Directory "/volumes/data/www/tungsten/html">
AllowOverride All
Options +FollowSymLinks +ExecCGI -Indexes
Order allow,deny
Allow from all
#AuthType Basic
#AuthName "Tungsten Dashboard - RESTRICTED"
#AuthUserFile /volumes/data/www/tungsten/etc/.htpasswd
#Require valid-user
</Directory>
</VirtualHost>
For Apache version 2.4 with no authentication or Role-Based Access Control (RBAC):
<VirtualHost *:80>
ServerName dashboard.yourdomain.com
DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com
ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined
<Directory "/volumes/data/www/tungsten/html">
AllowOverride All
Options +FollowSymLinks +ExecCGI -Indexes
Order allow,deny
Allow from all
Require all granted
</Directory>
</VirtualHost>
For Apache version 2.4 with auth and RBAC using Basic Auth with an htpasswd-generated file:
<VirtualHost *:80>
ServerName dashboard.yourdomain.com
DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com
ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined
<Directory "/volumes/data/www/tungsten/html">
AllowOverride All
Options +FollowSymLinks +ExecCGI -Indexes
Order allow,deny
Allow from all
#Require all granted
<RequireAll>
AuthType Basic
AuthName "Tungsten Dashboard - RESTRICTED"
AuthUserFile /volumes/data/www/tungsten/etc/.htpasswd
Require valid-user
</RequireAll>
</Directory>
</VirtualHost>
For Apache version 2.4 with auth and RBAC using Basic Auth via LDAP:
shell> sudo yum install -y mod_ldap
<VirtualHost *:80>
ServerName dashboard.yourdomain.com
DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com
ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined
<Directory "/volumes/data/www/tungsten/html">
AllowOverride All
Options +FollowSymLinks +ExecCGI -Indexes
Order allow,deny
Allow from all
#Require all granted
<RequireAll>
AuthType Basic
AuthName "Tungsten Dashboard - RESTRICTED"
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.ad.demo.com:XXX/DC=ad,DC=demo,DC=com?sAMAccountName?sub
AuthLDAPBindDN ldapuser@ad.demo.com
AuthLDAPBindPassword abcdef123456
Require ldap-group CN=DataServicesAdmins,OU=SQL,OU=Groups,OU=London,OU=NewYork,OU=United States,OU=North America,DC=ad,DC=demo,DC=com
Require valid-user
</RequireAll>
</Directory>
</VirtualHost>
Check the configuration and restart the web server:
shell>sudo apachectl configtest
shell>sudo apachectl restart
To use Apache Basic Authentication, edit the Apache configuration file appropriate to your version (2.2 or 2.4, see the examples above), then run the three commands below:
To use Apache 2.2 Basic Authentication, uncomment the four commented-out Auth lines in the 2.2 example.
To use Apache 2.4 Basic Authentication, select one of the two RBAC example configs above and edit the Apache configuration file accordingly.
Note that htpasswd -c creates the password file and overwrites any existing one; omit -c when adding further logins to an existing file.
shell>htpasswd -c /volumes/data/www/tungsten/etc/.htpasswd {desiredlogin}
shell>sudo apachectl configtest
shell>sudo apachectl graceful
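A defender-side check for the authenticated vhost configurations above, added here and not taken from the Tungsten Dashboard docs: a small POSIX sh audit that reads a dashboard vhost file and confirms that an authenticated Require is active, that "Require all granted" has not been left uncommented next to it, that -Indexes is set, and that the AuthUserFile sits outside DocumentRoot. The audit_vhost function name and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not from the Tungsten Dashboard docs: audit a dashboard vhost
# file for the authorization directives the authenticated configs above rely on.
# audit_vhost FILE -> prints findings; returns 0 when every check passes.
audit_vhost() {
    f="$1"; rc=0
    # Keep non-comment lines only, so "#Require all granted" (or the commented
    # "#Require valid-user" of the 2.2 example) counts as absent, as Apache sees it.
    live=$(grep -v '^[[:space:]]*#' "$f" || true)
    docroot=$(printf '%s\n' "$live" | awk '$1 == "DocumentRoot" {print $2; exit}')
    userfile=$(printf '%s\n' "$live" | awk '$1 == "AuthUserFile" {print $2; exit}')
    # 1. An authenticated Require must be active, or the dashboard is open.
    if ! printf '%s\n' "$live" | grep -Eq 'Require[[:space:]]+(valid-user|ldap-group)'; then
        echo "FAIL: no active 'Require valid-user' or 'Require ldap-group'"; rc=1
    fi
    # 2. In 2.4, bare Require lines in one section are OR-ed (implicit RequireAny),
    #    so a live "Require all granted" next to the <RequireAll> block admits
    #    everyone; that is why the docs comment it out in the auth examples.
    if printf '%s\n' "$live" | grep -Eq 'Require[[:space:]]+all[[:space:]]+granted'; then
        echo "FAIL: 'Require all granted' is active alongside authentication"; rc=1
    fi
    # 3. Directory listings must stay off.
    if ! printf '%s\n' "$live" | grep -Eq '^[[:space:]]*Options.*-Indexes'; then
        echo "FAIL: 'Options ... -Indexes' not set"; rc=1
    fi
    # 4. The htpasswd file must not sit under DocumentRoot, where it could be served.
    if [ -n "$docroot" ] && [ -n "$userfile" ]; then
        case "$userfile" in
            "$docroot"/*) echo "FAIL: AuthUserFile $userfile is inside DocumentRoot"; rc=1 ;;
        esac
    fi
    return $rc
}
# Constructed sample: the 2.4 Basic Auth vhost from the docs with "Require all
# granted" left uncommented, the mistake check 2 catches. Expected: audit fails.
sample=$(mktemp)
cat > "$sample" <<'EOF'
DocumentRoot /volumes/data/www/tungsten/html
<Directory "/volumes/data/www/tungsten/html">
Options +FollowSymLinks +ExecCGI -Indexes
Require all granted
<RequireAll>
AuthType Basic
AuthUserFile /volumes/data/www/tungsten/etc/.htpasswd
Require valid-user
</RequireAll>
</Directory>
EOF
audit_vhost "$sample" && echo "PASS" || echo "audit failed as expected"
rm -f "$sample"
```

Run it against your real vhost file after apachectl configtest; a non-zero exit means one of the four findings above was printed.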
To enable RBAC security, the $WEBROOT/config.json file will need to be updated with two settings: "enableRBAC": 1 and "administrators": [], for example:
{
"clusters": {
},
"menus": {
},
"settings": {
"administrators": [ "tungsten","admin","root" ],
"enableRBAC":1
}
}
When RBAC is enabled (requires web server Basic Auth to be working fully), there are just two roles currently:
administrator - which gives read-write access to everything to any valid login listed in the "administrators":[] option in the config file.
operator - which is read-only and is the role given to anyone with a valid login that is not listed as an administrator.
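To show how the two roles are assigned, here is an added example (not the Dashboard's own code) that resolves a login to its role from config.json and the web server's .htpasswd file; the function names and the sample files are constructed, and it assumes the single-line "administrators": [ ... ] layout shown above.

```shell
#!/bin/sh
# Added example, not part of the Tungsten Dashboard docs: work out which role a
# Basic Auth login ends up with, from the two files the role model above depends
# on: the web server's .htpasswd and config.json. Assumes the one-line
# "administrators": [ ... ] layout shown in the docs (no JSON parser needed).

# Print the administrators entries of CONFIG, one per line, quotes stripped.
administrators() {
    sed -n 's/.*"administrators"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1" \
        | tr ',' '\n' | sed 's/[[:space:]"]//g' | grep -v '^$'
}

# role_for_login LOGIN CONFIG HTPASSWD prints one of:
#   none          login has no htpasswd entry, so Apache never lets it in
#   rbac-off      "enableRBAC" is not 1, so no role distinction is applied
#   administrator valid login listed in "administrators" (read-write)
#   operator      any other valid login (read-only)
role_for_login() {
    login="$1"; config="$2"; htpasswd="$3"
    if ! awk -F: -v u="$login" '$1 == u {f = 1} END {exit !f}' "$htpasswd"; then
        echo none; return
    fi
    if ! grep -Eq '"enableRBAC"[[:space:]]*:[[:space:]]*1' "$config"; then
        echo rbac-off; return
    fi
    if administrators "$config" | grep -qx "$login"; then
        echo administrator
    else
        echo operator
    fi
}

# Constructed sample inputs; the hash fields are placeholders, not real hashes.
cfg=$(mktemp); pw=$(mktemp)
cat > "$cfg" <<'EOF'
{
"settings": {
"administrators": [ "tungsten","admin","root" ],
"enableRBAC":1
}
}
EOF
printf '%s\n' 'tungsten:$apr1$PLACEHOLDER' 'alice:$apr1$PLACEHOLDER' > "$pw"
# root is listed as an administrator but has no htpasswd entry, so it gets "none".
for u in tungsten alice root; do
    printf '%s -> %s\n' "$u" "$(role_for_login "$u" "$cfg" "$pw")"
done
rm -f "$cfg" "$pw"
```

The "none" result for root is the case to watch for: a name in "administrators" grants nothing until that login also exists in the htpasswd file the vhost points at.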
There are additional steps to take when SELinux is enabled.
shell>sudo -i
shell>semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/tungsten/html(/.*)?"
shell>restorecon -Rv /var/www/tungsten/*
shell>semanage port -a -t http_port_t -p tcp 8090
shell>setsebool -P httpd_can_network_connect 1
shell>systemctl restart httpd
shell>systemctl restart php-fpm
Be sure to check in the audit.log for any denied messages containing http or php.
This sequence of steps to install and configure Apache 2 and HAProxy on Ubuntu was derived from a session with a customer. YMMV as always.
Generate the custom frontend and backend definitions for HAProxy, and prepare the cluster for updates to the configuration of the cluster nodes, if you have not done them already:
On a single database node per cluster:
tungsten@db1 shell>tpm generate-haproxy-for-api
tungsten@db1 shell>echo 'set policy maintenance' | cctrl
Update the cluster configuration to support the REST APIv2.
On all database nodes:
tungsten@dbN shell>vi /etc/tungsten/tungsten.ini
==> Ensure that the REST API settings have been added to the above!
tungsten@dbN shell>tpm update
tungsten@dbN shell>tapi ping
==> Create the REST API admin user if you did not do so at install time:
tungsten@dbN shell>tapi --create --create-user tungsten --create-password secret
AFTER all tpm updates have been completed, return the cluster to AUTOMATIC mode:
On a single database node per cluster:
tungsten@db1 shell> echo 'set policy automatic' | cctrl
Update the /etc/hosts file to ensure all nodes are reachable.
On the Dashboard web server, perform the following steps as the root user or use sudo for all steps:
tungsten@db1 shell>XXX
shell#nslookup dashboard.customer.org
shell#vi /etc/hosts
==> Ensure this server's hostname exists in the hosts file
==> Ensure that all database nodes exist in the hosts file
Install Apache 2 and all other needed software on the Dashboard web server:
shell#apt update
shell#apt install apache2
shell#systemctl start apache2
shell#systemctl enable apache2
shell#systemctl status apache2
shell#apache2 -V
shell#apt install php php-curl libapache2-mod-php jq socat haproxy
shell#vi /etc/php/7.4/apache2/php.ini
==> Enable extension=php_curl by removing the leading semi-colon (;)
shell#systemctl restart apache2
In this example, the customer placed the Tungsten Dashboard web root directory onto an NFS mount, so we needed to create that set of directories before installing the Dashboard package:
shell#mkdir -p /nfs/tungsten/html /nfs/tungsten/etc /nfs/tungsten/logs
shell#chown -R www-data: /nfs/tungsten
shell#chmod -R ug+rw /nfs/tungsten
Create the .htpasswd file to provide Basic Authorization functionality (the password is prompted for twice):
shell#htpasswd -c /nfs/tungsten/etc/.htpasswd tungsten
secret
secret
shell#cat /nfs/tungsten/etc/.htpasswd
Install the Tungsten Dashboard software package from your home directory into the web root directory, on NFS in this case:
shell#cd
shell#tar xvzf tungsten-dashboard-1.0.15-10.tar.gz
shell#cd tungsten-dashboard-1.0.15-10
shell#cp html/config.php.sample html/config.php
shell#rsync -a html/ /nfs/tungsten/html/
shell#vi /nfs/tungsten/html/config.json
==> Update the administrators entry if needed (each login must be a quoted JSON string): "administrators":[ "tungsten" ],
==> Update the enableRBAC entry to 1:"enableRBAC":1,
Configure the Dashboard virtualhost in Apache2:
For example Apache 2 conf file entries, please see Section 7.1, “Example: Web Server on Amazon Linux 2”, above.
shell#less /etc/apache2/envvars
shell#less /etc/apache2/apache2.conf
shell#vi /etc/apache2/sites-enabled/000-default.conf
==> Edit the existing section to add the needed items
shell#apachectl configtest
shell#systemctl restart apache2
shell#systemctl status apache2
shell#journalctl -xe
shell#cat /var/log/apache2/error.log
Validate that the Dashboard web server host is able to reach all the nodes:
shell> for host in db1 db2 db3 db4 db5 db6; do
ping -c 3 "$host"
#telnet $host 8090
/usr/bin/curl -s --insecure --user tungsten:secret "http://${host}:8090/api/v2/manager/status" | jq .
done
Configure and test HAProxy:
shell#systemctl enable haproxy
shell#systemctl start haproxy
shell#systemctl status haproxy
shell#vi /etc/haproxy/haproxy.cfg
shell#systemctl restart haproxy
shell#systemctl status haproxy
shell#socat stdio /var/run/haproxy.sock | grep -i stat
shell>telnet localhost 8201
shell>telnet localhost 8202
shell>telnet localhost 8203
shell>/usr/bin/curl -s --insecure --user tungsten:secret 'http://localhost:8201/api/v2/manager/status' | jq .
shell>/usr/bin/curl -s --insecure --user tungsten:secret 'http://localhost:8202/api/v2/manager/status' | jq .
shell>/usr/bin/curl -s --insecure --user tungsten:secret 'http://localhost:8203/api/v2/manager/status' | jq .