
A basic CentOS 7 Server with Apache Tomcat installation (also applicable to RHEL)

Installation
Install CentOS 7.x with:
  1. "Security Profile" set to "Draft PCI-DSS v3 Control Baseline for CentOS 7"
  2. "Software Selection" set to "Minimal Install"
  3. "Kdump" set to "disabled"
and an encrypted, separate partition or logical volume for each of:
  1. /            +/- 50GB
  2. /boot        +/- 500MB
  3. /tmp         +/- 10GB
  4. /var         +/- 20GB
  5. /var/tmp     +/- 10GB
  6. /var/log     +/- 10GB
  7. /home
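After installation it is worth verifying that each of the paths above really ended up as its own mount point (a forgotten mount point silently lands on the root filesystem). The following check is an added example and not part of the original tutorial; it reads a file in /proc/mounts format (device, mount point, fstype, options) so it can be run against the live system or a saved copy, and the list of required mount points is the one given above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report which of the
# tutorial's required mount points are not separate mounts.
# Usage: sh check_mounts.sh /proc/mounts
REQUIRED_MOUNTS="/ /boot /tmp /var /var/tmp /var/log /home"

missing_separate_mounts() {
    mounts_file="${1:-/proc/mounts}"
    missing=0
    for mp in $REQUIRED_MOUNTS; do
        # Field 2 of /proc/mounts is the mount point; it must match exactly,
        # a prefix match would let /var satisfy /var/log.
        if ! awk -v mp="$mp" '$2 == mp { found = 1 } END { exit !found }' "$mounts_file"; then
            echo "not a separate mount: $mp"
            missing=$((missing + 1))
        fi
    done
    # Return value is the number of missing mount points (0 = all present).
    return "$missing"
}

if [ "$#" -gt 0 ]; then
    missing_separate_mounts "$1"
fi
```

The function's return value is the number of missing mount points, so `sh check_mounts.sh /proc/mounts && echo ok` only prints "ok" when the layout matches the list.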

Tips (time synchronization):

  • ntp: the classic package, already present in RHEL 6, RHEL 5, etc.
  • chrony: a newer solution better suited to laptops or servers with intermittent network connectivity (time synchronization converges faster). chrony is the default package in RHEL 7.

After installation

Install additional packages

yum install wget vim unzip

Disabling Shutdown Via Ctrl-Alt-Del

ln -s /dev/null /etc/systemd/system/ctrl-alt-del.target
systemctl daemon-reload

Limit your SSH logins using GeoIP


Install Apache HTTPD Loadbalancer

Install the following packages:
yum install httpd mod_ssl

Secure (HTTPS) Apache with Let's Encrypt on CentOS 7


Switch from prefork to worker MPM (source)

Apache MPMs (Multi-Processing Modules) are the Apache modules responsible for creating child processes and handling connections. Several MPMs are available and each works differently. A default Apache installation uses the Prefork MPM.

The Event MPM is an improvement over the Worker MPM: it dedicates a separate thread to handling all Keep-Alive connections, so idle connections do not tie up worker threads. I prefer the Event MPM for that reason.

To enable the Event MPM in Apache, edit '/etc/httpd/conf.modules.d/00-mpm.conf' so that only the event module is loaded:
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

LoadModule mpm_event_module modules/mod_mpm_event.so

After making the above change, restart Apache:
systemctl restart httpd

Check Active MPM in Apache

The Event MPM is now enabled. To verify which MPM is active on your server, run:
httpd -V | grep MPM
Server MPM:     event

Creating the Virtual Host File (source)

When using Apache for virtual hosts it is common to create two directories to store the virtual host information. The first, sites-available, holds the configuration file for each virtual host. When we are ready to put a virtual host live, we create a link to its file in the sites-enabled directory. Both folders will be created in the '/etc/httpd' directory.

To create the sites-available folder issue the following command:
mkdir /etc/httpd/sites-available

To create the sites-enabled folder issue the following command:
mkdir /etc/httpd/sites-enabled

We now need to instruct Apache to look into the /etc/httpd/sites-enabled folder for the virtual host configuration files. Remember we will be creating the files in the sites-available folder, then placing a link to that file in the sites-enabled folder.

We will need to edit the '/etc/httpd/conf/httpd.conf' file by entering the command:
vi /etc/httpd/conf/httpd.conf

Scroll down to the bottom of the file and append the following line:
IncludeOptional sites-enabled/*.conf

Be sure to save the file. We will need to restart the Apache service for it to now read the files within the sites-enabled directory. I will do this at the end of the lesson after we have created the virtual host files and links.

To create the first virtual host file enter the following command in the terminal:
vi /etc/httpd/sites-available/example.com.conf

Within this file we define one VirtualHost block per site: a plain HTTP host that only redirects to HTTPS, and the HTTPS host that proxies to Tomcat. Enter the following:
<VirtualHost *:80>
    ServerName example.com
    ServerAlias example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName example.com
    ServerAlias example.com
    ServerAdmin webadmin@example.com

    # CentOS does not define APACHE_LOG_DIR; paths are relative to the
    # ServerRoot (/etc/httpd), where logs/ points at /var/log/httpd
    CustomLog logs/access.log combined
    ErrorLog logs/error.log
    LogLevel warn

    # Reverse proxy only. ProxyRequests must stay Off: with On, httpd also
    # acts as an open forward proxy for anyone who can reach it.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyStatus On

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # SSL: disable SSLv3 as well as SSLv2, and drop RC4/medium-grade ciphers
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on

    SSLCertificateFile /etc/httpd/ssl/apache.crt
    SSLCertificateKeyFile /etc/httpd/ssl/apache.key

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
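The three settings in that file that are easiest to get wrong are ProxyRequests (On turns the reverse proxy into an open forward proxy), SSLProtocol (disabling only SSLv2 leaves SSLv3 on) and the cipher list (RC4 and medium-grade suites). The following grep-based audit is an added example and not part of the original tutorial; it prints one line per finding and returns the number of findings, so it can gate a deployment. The file path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an Apache reverse-proxy
# vhost file for the weak settings discussed above.
# Usage: sh audit_vhost.sh /etc/httpd/sites-available/example.com.conf
audit_vhost() {
    conf="$1"
    findings=0

    # A reverse proxy needs ProxyRequests Off. With On, httpd also forwards
    # arbitrary requests for anyone who can reach it (open-proxy misconfig).
    if grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On([[:space:]]|$)' "$conf"; then
        echo "FINDING: ProxyRequests On (open forward proxy)"
        findings=$((findings + 1))
    fi

    # "SSLProtocol all -SSLv2" still leaves SSLv3 enabled. Accept either an
    # explicit -SSLv3 or a line that starts from -all and adds only TLS.
    if grep -Eiq '^[[:space:]]*SSLProtocol' "$conf" \
       && ! grep -Eiq '^[[:space:]]*SSLProtocol.*(-SSLv3|-all)' "$conf"; then
        echo "FINDING: SSLProtocol does not disable SSLv3"
        findings=$((findings + 1))
    fi

    # RC4, MEDIUM or LOW enabled in the cipher list, i.e. preceded by ":" or
    # whitespace (optionally "+"), not excluded with "!".
    if grep -Eiq '^[[:space:]]*SSLCipherSuite.*[[:space:]:]\+?(RC4|MEDIUM|LOW)' "$conf"; then
        echo "FINDING: SSLCipherSuite enables RC4 or medium/low grade ciphers"
        findings=$((findings + 1))
    fi

    # Return value is the number of findings (0 = clean).
    return "$findings"
}

if [ "$#" -gt 0 ]; then
    audit_vhost "$1"
fi
```

Run it before linking a new file into sites-enabled; because the function's return value is the finding count, `sh audit_vhost.sh file.conf && ln -s ...` only enables the site when the audit is clean.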

Enable the Virtual Host Files

Now that the virtual host file exists we can enable it and restart the Apache web server. We need to create a link from the sites-available folder to the sites-enabled folder for each domain.

To enable the example.com domain, issue the following command in the terminal:
ln -s /etc/httpd/sites-available/example.com.conf /etc/httpd/sites-enabled/example.com.conf

Now let's restart Apache by issuing the following command:
systemctl restart httpd
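The directory creation, the IncludeOptional line, the symlink and the restart above are one procedure, and repeating it by hand tends to leave duplicate Include lines or dangling links. The script below is an added example, not part of the original tutorial: it performs the same steps idempotently and runs `httpd -t` before restarting, so a typo in a vhost file never takes the server down. HTTPD_ROOT is an assumed override hook (defaulting to CentOS's /etc/httpd) so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original tutorial): the sites-available /
# sites-enabled procedure as an idempotent script with a syntax check.
# Usage: sh enable_site.sh example.com
HTTPD_ROOT="${HTTPD_ROOT:-/etc/httpd}"
INCLUDE_LINE='IncludeOptional sites-enabled/*.conf'

setup_site_dirs() {
    conf="$HTTPD_ROOT/conf/httpd.conf"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    mkdir -p "$HTTPD_ROOT/sites-available" "$HTTPD_ROOT/sites-enabled"
    # Append the Include only if it is not already there, so re-running the
    # script never duplicates it.
    grep -qxF "$INCLUDE_LINE" "$conf" || printf '\n%s\n' "$INCLUDE_LINE" >> "$conf"
}

enable_site() {
    site="$1"
    src="$HTTPD_ROOT/sites-available/$site.conf"
    dst="$HTTPD_ROOT/sites-enabled/$site.conf"
    # Refuse to create a dangling link: httpd would ignore it and the site
    # would look enabled while serving nothing.
    [ -f "$src" ] || { echo "no such site config: $src" >&2; return 1; }
    ln -sfn "$src" "$dst"
}

include_line_count() {
    # How many times the Include line occurs (should be exactly 1).
    grep -cxF "$INCLUDE_LINE" "$HTTPD_ROOT/conf/httpd.conf"
}

restart_if_valid() {
    # Restarting on a broken config takes the server down; test first.
    if httpd -t >/dev/null 2>&1; then
        systemctl restart httpd
    else
        echo "httpd -t failed, not restarting" >&2
        return 1
    fi
}

if [ "$#" -gt 0 ]; then
    setup_site_dirs && enable_site "$1" && restart_if_valid
fi
```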

Allow HTTP and HTTPS through firewall

Run the commands (the --permanent rules only take effect after the reload):
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

Install Java

If you want to use keys longer than 256 for cryptography in Java, you would normally have to install the JCE Unlimited Strength Jurisdiction Policy files.
On Linux there is a much simpler way: the RHEL / CentOS OpenJDK packages come with unlimited strength JCE built in.
yum install java-1.8.0-openjdk

Install Apache Tomcat Server