Chapter 7. Configure the Apache 2 Web Server

Important

Please change the example values below to match your specific environment.

Add the apache user to the tungsten group:

shell> sudo usermod -a -G tungsten apache

Create the apache configuration file for the web service:

shell> sudo vim /etc/httpd/conf.d/z01-tungsten-dashboard.conf

For Apache version 2.2:


<VirtualHost *:80>
	ServerName dashboard.yourdomain.com

	DocumentRoot /volumes/data/www/tungsten/html
	DirectoryIndex index.php
	ServerAdmin dashboard.apache.admin@yourdomain.com

    Header set Access-Control-Allow-Origin *

    ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
    CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined

	<Directory "/volumes/data/www/tungsten/html">
		AllowOverride All
		Options +FollowSymLinks +ExecCGI -Indexes
		Order allow,deny
		Allow from all
		#AuthType Basic
		#AuthName "Tungsten Dashboard - RESTRICTED"
		#AuthUserFile /volumes/data/www/tungsten/etc/.htpasswd
		#Require valid-user

	</Directory>

</VirtualHost>

For Apache version 2.4 with no authentication or Role-Based Access Control (RBAC):


<VirtualHost *:80>
	ServerName dashboard.yourdomain.com

	DocumentRoot /volumes/data/www/tungsten/html
	DirectoryIndex index.php
	ServerAdmin dashboard.apache.admin@yourdomain.com

    ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
    CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined

	<Directory "/volumes/data/www/tungsten/html">
		AllowOverride All
		Options +FollowSymLinks +ExecCGI -Indexes
		Order allow,deny
		Allow from all
		Require all granted
	</Directory>

</VirtualHost>

For Apache version 2.4 with auth and RBAC using Basic Auth with an htpasswd-generated file:


<VirtualHost *:80>
	ServerName dashboard.yourdomain.com

	DocumentRoot /volumes/data/www/tungsten/html
	DirectoryIndex index.php
	ServerAdmin dashboard.apache.admin@yourdomain.com

    ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
    CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined

	<Directory "/volumes/data/www/tungsten/html">
		AllowOverride All
		Options +FollowSymLinks +ExecCGI -Indexes
		Order allow,deny
		Allow from all
		#Require all granted
		<RequireAll>
			AuthType Basic
			AuthName "Tungsten Dashboard - RESTRICTED"
			AuthUserFile /volumes/data/www/tungsten/etc/.htpasswd
			Require valid-user
		</RequireAll>

	</Directory>

</VirtualHost>

For Apache version 2.4 with auth and RBAC using Basic Auth via LDAP:

shell> sudo yum install -y mod_ldap

<VirtualHost *:80>
	ServerName dashboard.yourdomain.com

	DocumentRoot /volumes/data/www/tungsten/html
	DirectoryIndex index.php
	ServerAdmin dashboard.apache.admin@yourdomain.com

    ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
    CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined

	<Directory "/volumes/data/www/tungsten/html">
		AllowOverride All
		Options +FollowSymLinks +ExecCGI -Indexes
		Order allow,deny
		Allow from all
		#Require all granted
		<RequireAll>
			AuthType Basic
			AuthName "Tungsten Dashboard - RESTRICTED"
			AuthBasicProvider ldap
			AuthLDAPURL ldap://ldap.ad.demo.com:XXX/DC=ad,DC=demo,DC=com?sAMAccountName?sub
			AuthLDAPBindDN ldapuser@ad.demo.com
			AuthLDAPBindPassword abcdef123456
			Require ldap-group CN=DataServicesAdmins,OU=SQL,OU=Groups,OU=London,OU=NewYork,OU=United States,OU=North America,DC=ad,DC=demo,DC=com
			Require valid-user
		</RequireAll>
	</Directory>

</VirtualHost>

Check the configuration and restart the web server:

shell> sudo apachectl configtest
shell> sudo apachectl restart

To use Apache 2.2 Basic Authentication, uncomment the four commented-out lines in the <Directory> block; to use Apache 2.4 Basic Authentication, select one of the two RBAC configs above. Then run:

shell> htpasswd -c /volumes/data/www/tungsten/etc/.htpasswd {desiredlogin}
shell> sudo apachectl configtest
shell> sudo apachectl graceful

To enable RBAC security, the $WEBROOT/config.json file will need to be updated with two settings: "enableRBAC": 1 and "administrators": [], for example:

{
    "clusters": {
    },
    "menus": {
    },
    "settings": {
        "administrators": [ "tungsten","admin","root" ],
        "enableRBAC":1
    }
}

When RBAC is enabled (this requires the web server's Basic Auth to be fully working), there are currently just two roles:

  • administrator - read-write access to everything, granted to any valid login listed in the "administrators": [] option in the config file.

  • operator - read-only access, the role given to any other valid login.
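As an added example (not part of the dashboard or this chapter), a small Python pre-flight check that parses a vhost like the ones above and reports anything that would leave the dashboard reachable without Basic Auth, and that verifies config.json carries the two RBAC settings. The function names are hypothetical; it complements apachectl configtest rather than replacing it.

```python
"""Static pre-flight audit of the dashboard vhost and config.json (hypothetical
helper, not part of Tungsten Dashboard; it complements 'apachectl configtest')."""
import json


def active_directives(conf_text):
    """Yield (name, value) for uncommented, non-section lines of a vhost."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, value = (line.split(None, 1) + [""])[:2]  # tolerate value-less lines
        yield name, value.strip().strip('"')


def audit_vhost(conf_text):
    """Return findings that would leave the dashboard open before RBAC is enabled."""
    d = list(active_directives(conf_text))
    requires = [v for k, v in d if k == "Require"]
    findings = []
    if "all granted" in requires:
        findings.append("'Require all granted' is active: anonymous access allowed")
    if not any(r == "valid-user" or r.startswith("ldap-group") for r in requires):
        findings.append("no active 'Require valid-user' or 'Require ldap-group'")
    if "valid-user" in requires and not any(k == "AuthType" for k, _ in d):
        findings.append("'Require valid-user' without AuthType: every request fails")
    docroot = next((v for k, v in d if k == "DocumentRoot"), "")
    userfile = next((v for k, v in d if k == "AuthUserFile"), "")
    if userfile and docroot and userfile.startswith(docroot.rstrip("/") + "/"):
        findings.append("AuthUserFile sits inside DocumentRoot")
    if any(k == "Header" and "Access-Control-Allow-Origin *" in v for k, v in d):
        findings.append("'Access-Control-Allow-Origin *' on an authenticated site")
    return findings


def rbac_config_ready(config_json_text):
    """True when config.json has enableRBAC:1 and a non-empty administrators list."""
    settings = json.loads(config_json_text).get("settings", {})
    admins = settings.get("administrators", [])
    return settings.get("enableRBAC") == 1 and bool(admins) and all(isinstance(a, str) for a in admins)


# Constructed sample: the 2.4 "no authentication" <Directory> block from this chapter.
OPEN_VHOST = """<Directory "/volumes/data/www/tungsten/html">
    Order allow,deny
    Allow from all
    Require all granted
</Directory>"""
```

Run audit_vhost over the contents of z01-tungsten-dashboard.conf and rbac_config_ready over $WEBROOT/config.json; an empty findings list plus True is the state in which enabling RBAC makes sense.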

Warning

There are additional steps to take when SELinux is enabled.

shell> sudo -i
shell> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/tungsten/html(/.*)?"
shell> restorecon -Rv /var/www/tungsten/*
shell> semanage port -a -t http_port_t -p tcp 8090
shell> setsebool -P httpd_can_network_connect 1
shell> systemctl restart httpd
shell> systemctl restart php-fpm

Be sure to check the audit.log for any denied messages that mention http or php.