16-09-2021

Install A2enmod Redhat

Last updated: 15 Feb 2018

To install the packages required, simply run as root: # yum install httpd modssl -y If the server already have httpd installed, you only need to install modssl, all the required configuration is done by the installer. Note however that in this case you need to restart httpd, so it can load the ssl module. The Package Manifest document provides lists of packages available in Red Hat Enterprise Linux 7.9.

Apache version 2.4.17 introduced HTTP/2 support. If your server is running Apache version below this version, you need to upgrade Apache to the latest version first.

Please note that the mod_http2 module is rather new, but is finally marked stable. There have been multiple reported security vulnerabilities in 2016 and 2017. 1. mod_http2 module that comes with Apache versions prior to 2.4.26 are insecure. Please make sure to use Apache version 2.4.26 or later.

Upgrade Apache

Depending on the server operating system, you may be able to download the compiled latest version.

I'm not sure why everyone is harshing on your answer; it correctly describes why one will not find the a2enmod scripts in Red Hat-alikes. Personally, my plan is to use puppet to manage a similar layout on my RHEL boxes. – Chad Huneycutt Aug 20 '09 at 2:09. Install Apache PHP Module. The PHP module for Apache is not bundled with Apache. As such, it must be installed in addition to the Apache package. Sudo apt install libapache2-mod-php. Once installed the module will have to be enabled. We accomplish this using the a2enmod command. Sudo a2enmod php. Jan 09, 2020 Install from ISO 1 Launch VMware Workstation 2 Start the Virtual Machine 3 Right click. Categories Apache, Operating System, Server, Technology, Ubuntu, Web Server Tags a2disconf, a2dismod, a2enconf, a2enmod, Apache, Apache2, Disable apach2 modules, Disable apache2 configuration files, Enable apache2 configuration files, Enable.

Windows

You can either compile Apache yourself, or download compiled Windows binaries. We recommend Apache Lounge builds.

Ubuntu / Debain

Apache web server distributed in default software repositories of Ubuntu and Debian do not include mod_http2 needed to enable HTTP/2 functionality. You will need to add a third-party package source with latest Apache version that also inludes mod_http2.

This will install some utilities (if not installed already) that help us add external PPAs. Secondly, we add theondrej/apache2 PPA which contains the latest Apache2builds. Third, we update your systems package information.This is to upgrade your existing Apache2 version to the latest version. After upgrading, the apachectl -vcommand will reveal your upgraded Apache version. This will be 2.4.29 or later.

CentOS / RHEL

Both CentOS and RHEL default repositories come with Apache versions around 2.4.6. Apache official web sitehas information about building the latest Apache server.

Enable HTTP/2 module

Apache's HTTP/2 support comes from the mod_http2 module. Enable it from:If above commands do not work in your system (which is likely the case in CentOS/RHEL), use LoadModuledirective in httpd configuration directory to enable http2 module.

Add HTTP/2 Support

We highly recommend you enable HTTPS support for your web site first. Most web browser simply do not support HTTP/2 overplain text. Besides, there are no excuses to not use HTTPS anymore.HTTP/2 can be enabled site-by-site basis. Locate your web site's Apache virtual host configuration file, and add the followingright after the opening <VirtualHost> tag:Overall, your configuration file should look something like this:After the changes, don't forget to reload/restart Apache.

Push resources

Apache supports HTTP/2 Push feature as well. After enabling Apache HTTP/2, you can add push support simply by settingHTTP Link headers. You can emit them from either/both the Apache configuration file, or from your application.Above is an example header that would trigger Apache to push the /assets/styles.css and/assets/scripts.scc files. Refer to your application code on how to emit HTTP headers.If you would like to make Apache add these headers, you can do so like this, using the mod_headers module.Above example demonstrates Apache configuration that sets 2 Link headers (you can have as many as you need).Supported browsers will decide to preload these resources if necessary.

Troubleshooting

Apache 2.4.27, HTTP/2 not supported in prefork

Starting from Apache 2.4.27, the Apache MPM (Multi-Processing Module) prefork no longer supports HTTP/2. This will be indicated in your Apache error log as follows:
AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.

To fix this, select a different MPM: event or worker. We highly recommend you to use the event prefork.
If you are using PHP, it is likely that PHP is integrated to Apache via the mod_php module, which requires the prefork MPM. If you switch out from preform MPM, you will need to use PHP as FastCGI. To switch to php-fpm

Enable Apache Modules In CentOS By Command Line

, you can do as folllwing. Please note that this assumes you have PHP installed from ondrej/php repository on Ubuntu. The PHP package names could be different in other repositories. Change package name and apt-get commands to match your PHP vendor and package manager.

HTTP/2 not enabled on older TLS versions

Mozilla Firefox (among other browsers) does not enable HTTP/2 protocol unless the connection is made over TLS 1.2 andusing modern cipher suits. This is not a technical limitation, but rather a safety precaution. Make sure your that yoursite supports TLS 1.2, and modern cipher suits with AES/CHACHA20 with forward-secrecy key exchanges. In turn, Apachedoes not try to establish an HTTP/2 connection with connections over older cipher configurations either. you can forceApache attempt HTTP/2 upgrade with the following directive, but it will not be as effective because browsers do notsupport HTTP/2 from their end anyway.

HTTP 421: Misdirected Request errors

HTTP/2 is designed to make parralel requests to the server over the same session. If two connections use same TLScertificate and remote IP address, browsers will attempt to reuse an existing connection. Apache can correctly servesuch requests even if those requests belong to different Virtual Hosts. However, if you have different TLS configuration(protocol, client verification, or cipher suits), Apache will reject such requests with an HTTP 421: Misdirected Request error.To prevent this, make sure you keep same TLS settings for all Virtual Hosts that you serve a particular site in.

Foot notes

Reported mod_http2-related security vulnerabilities are as follows.

Skip to end of metadataGo to start of metadata

This document describes the procedure used to install Shibboleth Service Provider (SP) software on Centos, RedHat and to configure it to work with the Cornell Shibboleth Identity Provider (IdP).

Prerequisites

  • Apache must be installed and your website have an SSL certificate installed and SSL enabled. To request a SSL certificate: https://it.cornell.edu/ssl/renew-or-request-ssl-certificate.
  • Shibboleth doesn't support http access. If http access is supported on your site, define a redirect rule in Apache configuration that route http traffic to https.
  • Make sure your server time is accurate.
  • Your server has user shibd available.

Installation

If you are on a CIT Managed Server, please check this document: https://sysdocs.cit.cornell.edu/Documentation/LinuxShibbolethRepository

Otherwise, Install using RPM: https://wiki.shibboleth.net/confluence/display/SP3/RPMInstall

  1. Visit https://shibboleth.net/downloads/service-provider/RPMS/, choose your platform, then click Generate
  2. Copy generated content to /etc/yum.repos.d/shibboleth.repo
  3. sudo yum install shibboleth.x86_64 ( 64 bit OS )
    sudo yum installshibboleth (32 bit OS )

Make sure you are running Ubuntu version 20.04 or above. Otherwise you may have SP 2 instead of SP 3 installed. SP 2 is no longer supported.

sudo apt-get update

sudo apt-get install libapache2-mod-shib2

sudo a2enmod shib

Configuration - Shibboleth SP

After installation Shibboleth configuration files are placed at /etc/shibboleth/. Necessary Apache configuration in /etc/httpd/conf.d/shib.conf(Centos/Redhat), /etc/apache2/conf-available/shib2.conf (Ubuntu). Make sure shib.conf is included in your Apache configuration file. If you are converting CUWebAuth to Shibboleth on a production server, make sure you set 'ShibCompatValidUser' to 'On' in shib.conf to avoid interruption to your website's CUWebAuth authentication. Set it back to 'Off' after you finish the conversion.

Download our sample attribute-map.xmland replace your /etc/shibboleth/attribute-map.xml with downloaded file. Our attribute-map.xml defines all commonly used attributes.

All attributes except groups defined in attribute-map.xml are released by default to all SP. Attribute 'groups' is released on demand. Please specify your group names in Shibboleth Integration Request form. Shibboleth IDP doesn't support nested groups( for example group B is a member of group A, user C is a member of group B, IDP doesn't know user C is a member of group A) . If you have to use nested group, you need to convert nested group to dynamic group.

Download our sample shibboleth2.xml and replace your /etc/shibboleth/shibboleth2.xml with downloaded file. Open shibboleth2.xml in a text editor.

  • Update SP entityID:

Search <ApplicationDefaults entityID='https://mysite.cit.cornell.edu/shibboleth'... >. EntityID is the Unique identifier for your SP. Cornell Shibboleth Identity Provider(IDP) provides service to many applications. This entityID will help Cornell IDP to identify your SP. We recommend you follow shibboleth convention named it 'https://xxx/shibboleth'. It's better not include space or special characters in it( / and : are fine). One SP can server multiple sites in your Apache so it doesnotnecessarily equate to the hostname(s) at which your service runs.

  • Update SP session:
    Search <Sessions lifetime='28800' timeout='3600' ...>

--- lifetime is the maximum duration in seconds that a session maintained by the SP will be valid.The settings shown in the example will set your Shibboleth session lifetime to 28800 (8 hours).

--- timeout is the maximum inactivity allowed between requests in a session maintained by the SP. The settings shown in the example will set your Shibboleth session timeout to 3600 (1 hour).

Install A2enmod Redhat

--- postData='ss:mem' postTemplate='postTemplate.html'

Add it to <Session ..> if your website has web form. Web form POST data will be saved in the Shibboleth memory cache rather than discarded when a user requires authentication after filling out a web form. 'postTemplate.html' is located in /etc/shibboleth directory. Modify it to meet your website's style.

More information: https://wiki.shibboleth.net/confluence/display/SP3/Sessions

  • Update the support contact:

Search<ErrorssupportContact='root@localhost' helpLocation='/about.html'styleSheet='/shibboleth-sp/main.css' />. Change the email address to your application's support email address. Change the helpLocation to your application's help page.

If Shibboleth is installed via RPM, signing/encryption key and certificate files are generated automatically. Check if you have sp-signing-cert.pem, sp-signing-key.pem, sp-encrypt-key.pem, sp-encrypt-cert.pem in /etc/shibboleth directory. If they are not there, generate them.

Shibboleth Configuration Check

In the command line, execute the following command to see whether the Shibboleth Service Provider can load the default configuration:

sudo LD_LIBRARY_PATH=/opt/shibboleth/lib64 shibd -t

The last line of the output should read:

overall configuration is loadable, check consolefornon-fatal problems

If there are any ERROR log entries, we strongly recommend you resolve these. Messages with log level WARN are generally not problematic but you should understand the causes of these warning messages and run the configuration check again when you are finished with your setup.

Logs for Shibboleth SP are located at /var/log/shibboleth/. Take a look at /var/log/shibboleth/shibd_warn.log and make sure there is no error in there. You need to fix error if there is any and restart shibd and httpd.

Start Shibboleth Service Provider and Apache

shibd is installed to /usr/sbin and may be managed using service and chkconfig (on System V platforms) or with systemctl (on systemd platforms, some additional information available).

On Centos 7, you can start shibd and apache by running

sudo systemctl start shibd

Requirements

sudo systemctl start httpd

After you run the command, make sure shibd and httpd are running.

Register Service Provider with Cornell IDP

Navigate to https://yoursiteDomain/Shibboleth.sso/Metadata and download it.Open your downloaded file with text editor. Some browser doesn't show metadata correctly in the browser. DO NOT copy the content in the browser. Make sure the entityID is the same as your defined in shibboleth2.xml. If there are multiple sites in Apache require Shibboleth authentication, you can get SP's metadata by navigating to one of the site, then you need to manually add assertion consumer service url for each of the other sites in your SP's metadata.

Submit your shibboleth integration request from https://shibrequest.cit.cornell.edu. On the second page of the request form, select 'No' for question 'Has the application service provider's metadata been published with InCommon?'. Use text editor open your SP's metadata, copy the content of the metadata and paste it in the 'Service Provider's metadata field. Once the form is submitted, Identity Management team get a Remedy case. We'll configure your SP in IDP in 1 - 2 business day. We'll notify you when the configuration is complete.

Configuration - Apache Access control

After you are notified that your metadata has been integrated in Cornell IDP, you can continue your configuration.

Open /etc/httpd/conf.d/shib.conf in a text editor. If you are Not using default Apache installation, make sure this file is included in your Apache config. All the authorization rules should be defined in this file.

Addition configuration information can be found at https://wiki.shibboleth.net/confluence/display/SP3/Apache

After you finish the configuration, restart Apache.

Enable Apache Modules in CentOS by command line

Test SP integration with IdP

Confirm you are able to log in with your netID and user's attributes are properly released. To verify attribute release, in shibboleth2.xml, you need to set showAttributeValues to true and restart shibd, httpd.

<Handler type='Session' Location='/Session' showAttributeValues='true'/>

  1. Using a web browser, visit the /secure directory (or other protected location) of your SP.
  2. If you are prompted to log in, that means that your SP is properly integrated with Cornell IdP.
  3. After you log in, open a new tab of the same browser and point your web browser to https://<your dns name>/Shibboleth.sso/Session. Your browser should return a status page that show you all the attributes and values released to your SP.

Auto start shibd after server reboot

sudo systemctl enable shibd

A2enmod Ssl

Retrieve Shibboleth Attributes in Application

I Need To Enable ' Mod_headers ' - CentOS

By default, Shibboleth attributes that released to your shibboleth SP are available to your application as environment variables, not available in HTTP headers. In your application, you should get authenticated user's netID from server variable REMOTE_USER.

Detail and examples about attribute access.

Install A2enmod Centos

If you have tomcat in your environment, since environment variables are not passed by mod_proxy_ajp unless they have AJP_ prefixes, you'll need to add attributePrefix='AJP_' to the <ApplicationDefaults> element in your configuration:

<ApplicationDefaultsid='default'entityID='xxx' REMOTE_USER='uid'attributePrefix='AJP_'>

Need Help?

contact idmgmt@cornell.edu