Chapter 7. Configure the Apache 2 Web Server
Prev			Next

Chapter 7. Configure the Apache 2 Web Server

Important

Please change the example values below to match your specific environment.

Add the apache user to the tungsten group:

shell> sudo usermod -a -G tungsten apache

Create the apache configuration file for the web service:

shell> sudo vim /etc/httpd/conf.d/z01-tungsten-dashboard.conf

For Apache version 2.2:


<VirtualHost *:80>
	ServerName dashboard.yourdomain.com

	DocumentRoot /volumes/data/www/tungsten/html
	DirectoryIndex index.php
	ServerAdmin dashboard.apache.admin@yourdomain.com

    Header set Access-Control-Allow-Origin *

    ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
    CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined

	<Directory "/volumes/data/www/tungsten/html">
		AllowOverride All
		Options +FollowSymLinks +ExecCGI -Indexes
		Order allow,deny
		Allow from all
		#AuthType Basic
		#AuthName "Tungsten Dashboard - RESTRICTED"
		#AuthUserFile /volumes/data/www/tungsten/etc/.htpasswd
		#Require valid-user

	</Directory>

</VirtualHost>

For Apache version 2.4 with no authentication or Role-Based Access Control (RBAC):


<VirtualHost *:80>
	ServerName dashboard.yourdomain.com

	DocumentRoot /volumes/data/www/tungsten/html
	DirectoryIndex index.php
	ServerAdmin dashboard.apache.admin@yourdomain.com

    ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
    CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined

	<Directory "/volumes/data/www/tungsten/html">
		AllowOverride All
		Options +FollowSymLinks +ExecCGI -Indexes
		Order allow,deny
		Allow from all
		Require all granted
	</Directory>

</VirtualHost>

For Apache version 2.4 with auth and RBAC using Basic Auth with an htpasswd-generated file:


<VirtualHost *:80>
	ServerName dashboard.yourdomain.com

	DocumentRoot /volumes/data/www/tungsten/html
	DirectoryIndex index.php
	ServerAdmin dashboard.apache.admin@yourdomain.com

    ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
    CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined

	<Directory "/volumes/data/www/tungsten/html">
		AllowOverride All
		Options +FollowSymLinks +ExecCGI -Indexes
		Order allow,deny
		Allow from all
		#Require all granted
		<RequireAll>
			AuthType Basic
			AuthName "Tungsten Dashboard - RESTRICTED"
			AuthUserFile /volumes/data/www/tungsten/etc/.htpasswd
			Require valid-user
		</RequireAll>

	</Directory>

</VirtualHost>

For Apache version 2.4 with auth and RBAC using Basic Auth via LDAP:

shell> sudo yum install -y mod_ldap


<VirtualHost *:80>
	ServerName dashboard.yourdomain.com

	DocumentRoot /volumes/data/www/tungsten/html
	DirectoryIndex index.php
	ServerAdmin dashboard.apache.admin@yourdomain.com

    ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
    CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined

	<Directory "/volumes/data/www/tungsten/html">
		AllowOverride All
		Options +FollowSymLinks +ExecCGI -Indexes
		Order allow,deny
		Allow from all
		#Require all granted
		<RequireAll>
                    AuthType Basic 
                    AuthName "Tungsten Dashboard - RESTRICTED" 
                    AuthBasicProvider ldap 
                    AuthLDAPURL ldap://ldap.ad.demo.com:XXX/DC=ad,DC=demo,DC=com?sAMAccountName?sub 
                    AuthLDAPBindDN ldapuser@ad.demo.com 
                    AuthLDAPBindPassword abcdef123456
                    Require ldap-group CN=DataServicesAdmins,OU=SQL,OU=Groups,OU=London,OU=NewYork,OU=United States,OU=North America,DC=ad,DC=demo,DC=com 
                    Require valid-user 
		</RequireAll>
	</Directory>

</VirtualHost>

Check the configuration and restart the web server:

shell> sudo apachectl configtest
shell> sudo apachectl restart

To use Apache 2.2 Basic Authentication, uncomment the four commented-out lines then run:

To use Apache 2.4 Basic Authentication, select one of the above two RBAC configs then run:

shell> htpasswd -c /volumes/data/www/tungsten/etc/.htpasswd {desiredlogin}
shell> sudo apachectl configtest
shell> sudo apachectl graceful

To enable RBAC security, the $WEBROOT/config.json file will need to be updated with two settings: "enableRBAC": 1 and "administrators": [], for example:

{
    "clusters": {
    },
    "menus": {
    },
    "settings": {
        "administrators": [ "tungsten","admin","root" ],
        "enableRBAC":1
    }
}

When RBAC is enabled (requires web server Basic Auth to be working fully), there are just two roles currently:

admistrator - which gives read-write access to everything to any valid login listed in the "administrators":[] option in the config file.
operator - which is read-only and is the role given to anyone with a valid login

Warning

There are additional steps to take when SELinux is enabled.

shell> sudo -i
shell> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/tungsten/html(/.*)?"
shell> restorecon -Rv /var/www/tungsten/*
shell> semanage port -a -t http_port_t -p tcp 8090
shell> setsebool -P httpd_can_network_connect 1
shell> systemctl restart httpd
shell> systemctl restart php-fpm

Be sure to check in the audit.log for any denied messages containing http or php.

Prev		Next
Chapter 6. Install the Tungsten Dashboard	Home	Chapter 8. Install and Configure HA Proxy

Continuent Documentation

Chapter 7. Configure the Apache 2 Web Server

Important

Warning