The Chat API server is a custom server - and is not supported by Cisco.
It uses custom code to check the status of a chat page and to confirm if it is open, closed or busy.
It does this via the
The core components are:
yum list --installed | more
sudo yum install httpd
sudo systemctl enable httpd
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --reload
sudo systemctl start httpd
sudo systemctl status httpd
Reference1: https://www.redhat.com/sysadmin/webserver-use-https
Reference2: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-httpd-secure-server
Redhat 8 Security guide - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/securing-services_security-hardening#securing-apache-http-servers_securing-http-servers
The mod_ssl configuration file is located at /etc/httpd/conf.d/ssl.conf. For this file to be loaded, and hence for mod_ssl to work, you must have the statement Include conf.d/*.conf in the /etc/httpd/conf/httpd.conf file. This statement is included by default in the default Apache HTTP Server configuration file.
sudo yum install httpd mod_ssl
sudo systemctl restart httpd
The SSL module install will have created its own SSL certificate containing just the hostname, not the FQDN.
So you will need to create your CSR (and, if you want one, a temporary self-signed certificate).
The SSL configuration file, ssl.conf, is located in the /etc/httpd/conf.d/ directory.
You must also open the firewall on port 443 and then reload the firewall, as per the commands below:
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
This step can usually be skipped, i.e. it is not needed: as noted above, the SSL module auto-creates a temporary certificate, although it matches just the hostname and not the FQDN.
sudo openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd-tmp.key -x509 -days 30 -out /etc/pki/tls/certs/httpd-tmp.crt
Enter the details of your self-signed certificate, making sure to include the FQDN when asked. Then update the ssl.conf file to utilise this certificate and restart the Apache server.
File: /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/httpd-tmp.crt
SSLCertificateKeyFile /etc/pki/tls/private/httpd-tmp.key
The command below saves the CSR file to the /home/user1/ directory. It also adds two SAN records; update these as required (making one the same as the CN, which you will fill in when prompted).
sudo openssl req -newkey rsa:2048 -addext "subjectAltName = DNS:myhomename.dmz.example.com, DNS:webchat.example.com" -nodes -keyout /etc/pki/tls/private/httpd.key -out /home/user1/httpd.csr
Copy the imported signed certificate to /etc/pki/tls/certs/httpd.crt.
Update the ssl.conf configuration file to utilise the certificate key and cert as per below.
Restart the Apache server.
SSLCertificateFile /etc/pki/tls/certs/httpd.crt
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
The trust store most likely already contains the customer's CAs, so this step probably won't be needed.
Copy CA certs to the /etc/pki/ca-trust/source/anchors/ sub directory, and run the command:
sudo update-ca-trust
sudo yum install redis
sudo systemctl enable redis
sudo systemctl start redis
sudo systemctl status redis
Enable the PHP 7.4 module instead of the default PHP 7.2 module (7.2 is the default on RHEL 8):
sudo yum module reset php
sudo yum -y module enable php:7.4
sudo yum install php
The core PHP install also by default installed the following modules (some output removed):
Installing:
 php x86_64 7.4
Installing dependencies:
 nginx-filesystem noarch 1:1
 oniguruma x86_64 6.8
 php-common x86_64 7.4
Installing weak dependencies:
 php-cli x86_64 7.4
 php-fpm x86_64 7.4
 php-json x86_64 7.4
 php-mbstring x86_64 7.4
 php-opcache x86_64 7.4
 php-pdo x86_64 7.4
 php-xml x86_64 7.4
Hence you should not need to install the Curl (common), XML or JSON modules:
sudo yum install php-curl
sudo yum install php-xml
sudo yum install php-json
But you will need to install the Redis modules:
sudo yum install php-redis
However this module was NOT available in the repository, so an alternative approach is to download and install the module manually using the pecl command line:
sudo yum install php-pear
sudo yum install php-devel
sudo pecl install -O redis-5.3.7.tgz
However this pecl command didn't work, because of the following error:
shtool at '/var/tmp/redis/build/shtool' does not exist or is not executable. Make sure that the file exists and is executable and then rerun this script.
That /var/tmp is mounted without exec privileges (noexec) was confirmed with the following command:
[myuser@servername ~]$ mount -l | grep "/var/tmp"
/dev/mapper/vgsystem-lvtmp on /var/tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
To enable exec privileges run the following:
sudo mount -o remount,exec /var/tmp/
Then rerun the pecl command again:
sudo pecl install -O redis-5.3.7.tgz
When running the pecl command it also failed, as make was not installed, so install this using
sudo yum install make
followed by
sudo pecl install -O redis-5.3.7.tgz
which now installs successfully:
...
Build process completed successfully
Installing '/usr/lib64/php/modules/redis.so'
install ok: channel://pecl.php.net/redis-5.3.7
configuration option "php_ini" is not set to php.ini location
You should add "extension=redis.so" to php.ini
Now revert the exec privileges:
sudo mount -o remount,noexec /var/tmp/
and then edit the PHP configuration and restart PHP.
However, do NOT configure the extension in php.ini as the message above suggests: PHP also scans the /etc/php.d directory after the ini file, and the json extension must be enabled BEFORE redis.
So create a new file (chmod a+r) with a higher number than the json file, e.g.
sudo vi /etc/php.d/30-redis.ini
with the below as an example of how the file should look:
; Enable redis extension module
extension=redis
Also edit each of the other extensions in this folder and disable them if not required.
The JSON extension should already be enabled in the file
20-json.ini
After editing the file, make sure it is readable by all, as per the other ini files, using the following command:
sudo chmod a+r 30-redis.ini
Restart PHP
sudo systemctl restart php-fpm
By default SELinux does not allow Apache to make network socket connections. To enable them, use the following command:
sudo /usr/sbin/setsebool -P httpd_can_network_connect=1
Using setsebool with -P makes the boolean change persistent by updating the policy.
Use
sudo semanage boolean -l
to inspect the boolean
Instead of enabling Apache to make socket connections to any network, this can be restricted to just Redis.
Reference: https://blog.ijun.org/2014/11/selinux-allow-httpd-to-connect-to.html
Add the Redis port (6379) to the SELinux policy. However do NOT use the commands below, which add the port to http_port_t; this didn't work on one implementation (Red Hat 9). Instead add it to redis_port_t, as per the alternative option below.
# semanage port -a -t http_port_t -p tcp 6379
# semanage port -l | egrep '(^http_port_t|6379)'
http_port_t tcp 6379, 80, 81, 443, 488, 8008, 8009, 8443, 9000
Instead of adding 6379 to http_port_t - use redis_port_t
semanage port -a -t redis_port_t -p tcp 6379
However the below doesn't work for me, as this isn't defined in RHEL 9?
setsebool -P httpd_can_network_redis 1
php -v
/etc/httpd/conf.d/php.conf
php -i
php -i | grep "Loaded Configuration File"
sudo systemctl restart php-fpm
The firewall-cmd --list-all command shows all the UDP/TCP ports opened; in the example below you can see only port 80 has been opened.
#sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
httpd -M
mkdir /var/lib/rpm/backup
cp -a /var/lib/rpm/__db* /var/lib/rpm/backup/
sudo rpmdb --rebuilddb
Reference: https://rpm.org/user_doc/db_recovery.html
Reference: https://sysadminote.com/how-to-fix-thread-died-in-berkeley-db-library/
sudo ls -al /var/log/httpd/
sudo more /var/log/httpd/access_log
sudo more /var/log/httpd/error_log
sudo more /var/log/httpd/ssl_access_log
sudo more /var/log/httpd/ssl_error_log
sudo cat /var/log/httpd/ssl_access_log | grep '19/Mar/2024:12:2' | grep 'chatstatus'
10.123.123.123 - - [19/Mar/2024:12:20:19 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:20:49 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:21:19 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:21:49 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:22:20 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:22:50 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:23:20 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:23:50 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 584
10.123.123.123 - - [19/Mar/2024:12:24:25 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 584
10.123.123.123 - - [19/Mar/2024:12:25:00 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:25:30 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:26:01 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:26:32 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:27:03 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:27:34 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:28:05 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:28:36 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:29:07 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:29:38 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
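Rather than eyeballing the grep output above, the following added shell/awk example (not part of the original guide) summarises the chatstatus.php polling per client from an access log in the same format: request count, non-200 responses, the distinct sizes of 200 responses (the 740/584 change above) and the min/max poll gap. The sample lines written by write_sample_log are constructed for the example, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original guide): per-client summary of
# chatstatus.php polling in an Apache access log. Field positions follow the
# default log format shown above: $1 client, $4 "[dd/Mon/yyyy:HH:MM:SS",
# $7 request path, $9 status, $10 response size.

# chatstatus_summary LOGFILE -> one line per client IP, sorted:
#   <ip> requests=<n> non200=<n> sizes=<distinct 200 sizes> min_gap=<s> max_gap=<s>
chatstatus_summary() {
    awk '
    $7 ~ /^\/api\/chatstatus\.php/ {
        ip = $1
        # seconds since midnight (assumes one day per log excerpt)
        split($4, t, ":")
        now = t[2] * 3600 + t[3] * 60 + t[4]
        n[ip]++
        if ($9 != 200) bad[ip]++
        # A changed 200 response size (740 vs 584 above) usually means the
        # status answer itself changed, so keep the distinct sizes in order.
        if ($9 == 200 && !((ip, $10) in seen)) {
            seen[ip, $10] = 1
            sizes[ip] = (sizes[ip] == "" ? $10 : sizes[ip] "," $10)
        }
        # Poll interval: ~30s above; far larger means the client stopped
        # polling, far smaller means a runaway loop hammering the API.
        if (ip in last) {
            gap = now - last[ip]
            if (!(ip in mn) || gap < mn[ip]) mn[ip] = gap
            if (!(ip in mx) || gap > mx[ip]) mx[ip] = gap
        }
        last[ip] = now
    }
    END {
        for (ip in n)
            printf "%s requests=%d non200=%d sizes=%s min_gap=%s max_gap=%s\n",
                ip, n[ip], bad[ip] + 0, sizes[ip],
                (ip in mn ? mn[ip] : "-"), (ip in mx ? mx[ip] : "-")
    }' "$1" | sort
}

# write_sample_log FILE -> constructed ssl_access_log excerpt (not real traffic)
write_sample_log() {
    cat > "$1" <<'EOF'
10.123.123.123 - - [19/Mar/2024:12:20:19 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:20:49 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 740
10.123.123.123 - - [19/Mar/2024:12:21:20 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 200 584
10.123.123.123 - - [19/Mar/2024:12:21:50 +0000] "GET /api/chatstatus.php?businessHoursId=5002&chatEntryId=1004 HTTP/1.1" 500 312
192.0.2.10 - - [19/Mar/2024:12:21:55 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.10 - - [19/Mar/2024:12:22:00 +0000] "GET /api/chatstatus.php?businessHoursId=9999&chatEntryId=1 HTTP/1.1" 200 740
EOF
}

# Usage: sh chatstatus_summary.sh /var/log/httpd/ssl_access_log
if [ -n "$1" ]; then
    chatstatus_summary "$1"
fi
```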
sudo ls -al /var/log/php-fpm/
sudo more /var/log/php-fpm/www-error.log
It is possible to set CORS up globally on the web server using the config below (configured in the /etc/httpd/conf.d/ssl.conf configuration file).
However a more flexible and better approach is to use .htaccess files to set this, as per the example .htaccess file below.
<VirtualHost _default_:443>
Header set Access-Control-Allow-Origin "*"
#(Lots of other settings)
</VirtualHost>
.htaccess files are very useful for setting certain configuration per directory, e.g.
To enable .htaccess files, edit the httpd configuration file /etc/httpd/conf/httpd.conf. In the default document root section:
<Directory "/data/sites/web/79pid-2tb-hostingcom/html">
change AllowOverride None to AllowOverride All.
Default Example:
<Directory "/data/sites/web/79pid-2tb-hostingcom/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
Updated Config Example:
<Directory "/data/sites/web/79pid-2tb-hostingcom/html">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
Then restart Apache -
sudo systemctl restart httpd
Options -Indexes
Header set Access-Control-Allow-Origin "*"
ExpiresActive On
ExpiresDefault now

Options -Indexes
ExpiresActive On
#Expiry After 4 hours: 4 x 3600 = 14400
ExpiresByType application/javascript A14400

If you don't want to enable CORS for * (any origin), you can restrict it to specific domains, as per https://stackoverflow.com/questions/14467673/enable-cors-in-htaccess
Example: the below allows both HTTP and HTTPS, but it is best to remove the option for HTTP unless testing.
Options -Indexes
ExpiresActive On
ExpiresDefault now
<ifModule mod_headers.c>
SetEnvIf Origin "http(s)?://(.+\.)?(orourke\.tv|purplepi\.ie)$" AccessControlAllowOrigin=$0
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
</ifModule>
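To see which Origin values the SetEnvIf pattern above actually admits before deploying it, here is an added shell check (not from the original page) that runs the page's expression, plus a tighter variant of my own, over a few constructed origins with grep -E. The page's domains are kept; the other origins are made up for the test.

```shell
#!/bin/sh
# Added example (not from the original guide): exercise the CORS allow-list
# regex from the .htaccess above. Browsers send Origin as scheme://host[:port]
# with no path, so those are the only shapes worth testing.

# Pattern copied from the .htaccess example (ERE, as Apache's SetEnvIf uses).
PAGE_PATTERN='http(s)?://(.+\.)?(orourke\.tv|purplepi\.ie)$'
# Tighter variant (my addition, not on the page): anchored at the start,
# HTTPS only, hostname labels restricted, and an explicit port tolerated.
STRICT_PATTERN='^https://([a-z0-9-]+\.)*(orourke\.tv|purplepi\.ie)(:[0-9]+)?$'

# origin_allowed PATTERN ORIGIN -> exit 0 if ORIGIN would get the CORS header
origin_allowed() {
    printf '%s\n' "$2" | grep -Eq "$1"
}

# report PATTERN -> prints allow/deny for each constructed sample origin
report() {
    for o in https://orourke.tv https://www.orourke.tv http://orourke.tv \
             https://orourke.tv:8443 https://evilorourke.tv \
             https://orourke.tv.example.net https://purplepi.ie; do
        if origin_allowed "$1" "$o"; then echo "allow $o"; else echo "deny  $o"; fi
    done
}

if [ "$1" = "--report" ]; then
    echo "page pattern:";   report "$PAGE_PATTERN"
    echo "strict pattern:"; report "$STRICT_PATTERN"
fi
```

Both patterns reject a look-alike registrable domain (evilorourke.tv) and a suffix match (orourke.tv.example.net); the page's pattern additionally rejects an origin with an explicit port and accepts plain HTTP, which the strict variant reverses.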
The Apache / httpd modules are configured in the /etc/httpd/conf.modules.d directory.
By commenting out (#) or moving the relevant configuration files to an alternative directory (and restarting httpd), these modules will not be loaded; not loading unnecessary modules can improve performance and security.
For example, to disable the lua module, update the configuration file 00-lua.conf as per below:
#LoadModule lua_module modules/mod_lua.so
or alternatively move (or delete) the 00-lua.conf out of the conf.modules.d directory.
00-dav.conf 00-lua.conf 00-optional.conf 01-cgi.conf
# This file configures all the proxy modules:
LoadModule proxy_module modules/mod_proxy.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
Reference: https://www.tecmint.com/install-php-8-on-centos/
The default Redhat / Fedora Repositories do not have the latest version of PHP.
At the time of writing (July'22) the latest version of PHP available via EPEL Package was 8.0.13
https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
To obtain the latest versions of PHP use the REMI repository. https://rpms.remirepo.net/enterprise/8/
The REMI Repository provides the latest versions of the PHP stack, full featured, and some other software, to the Fedora and Enterprise Linux (RHEL, CentOS, Oracle, Scientific Linux, …) users.
The commands to config and upgrade PHP are as follows:
yum install -y https://rpms.remirepo.net/enterprise/remi-release-8.rpm
yum module list php
yum module reset php
yum module enable php:remi-8.0
yum install php
# Running the below will show that PHP is unable to load dynamic library 'redis', with the following error:
# (/usr/lib64/php/modules/redis.so: undefined symbol: _call_user_function_ex)) in Unknown on line 0
php-fpm -t
# Uninstalls the Redis PHP module - but leaves extension=redis.so in the php.ini file
sudo pecl uninstall redis
# The error now changes to unable to load dynamic library 'redis'; the cannot open / no such file errors continue, but the undefined symbol error is gone
php-fpm -t
# Enable exec on the /var/tmp mount
sudo mount -o remount,exec /var/tmp/
# This install should now work
pecl install -O redis-5.3.7.tgz
# Reverse the exec privileges
sudo mount -o remount,noexec /var/tmp/
# Should now run without error!
php-fpm -t
sudo systemctl restart php-fpm
First check the SSL error log.
sudo more /etc/httpd/logs/ssl_error_log
Example permissions error: Permission denied (fopen('/etc/pki/tls/certs/httpd.crt','r'))
[Wed Mar 29 09:05:38.687190 2023] [ssl:emerg] [pid 3314624:tid 139686636809664] AH02562: Failed to configure certificate myserver.mydomain.com:443:0 (with chain), check /etc/pki/tls/certs/httpd.crt
[Wed Mar 29 09:05:38.687208 2023] [ssl:emerg] [pid 3314624:tid 139686636809664] SSL Library Error: error:0200100D:system library:fopen:Permission denied (fopen('/etc/pki/tls/certs/httpd.crt','r'))
[Wed Mar 29 09:05:38.687216 2023] [ssl:emerg] [pid 3314624:tid 139686636809664] SSL Library Error: error:20074002:BIO routines:file_ctrl:system lib
[Wed Mar 29 09:05:38.687230 2023] [ssl:emerg] [pid 3314624:tid 139686636809664] SSL Library Error: error:140DC002:SSL routines:use_certificate_chain_file:system lib
If the chmod and chown on the file are all correct, this is probably because you copied the file into another folder (say your home folder) and then mv'd it into position. SELinux remembers the original file creation location and applies those rights wherever the file is mv'd to; to reset the SELinux label to match the current location and file permissions, use restorecon. Reference: https://stackoverflow.com/questions/37994513/nginx-ssl-certificate-permission-ssl-error-0200100dsystem
In our case the httpd.crt file should have read access at user and group level only, and the user:group is root:root.
Run the command below (in /etc/pki/tls/certs/) to fix it:
sudo restorecon httpd.crt
Example Error:
[Wed Mar 29 09:09:49.039827 2023] [ssl:emerg] [pid 3315423:tid 140186014223808] AH02562: Failed to configure certificate muserver.mydomain.com:443:0 (with chain), check /etc/pki/tls/certs/httpd.crt
[Wed Mar 29 09:09:49.039848 2023] [ssl:emerg] [pid 3315423:tid 140186014223808] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Mar 29 09:09:49.039857 2023] [ssl:emerg] [pid 3315423:tid 140186014223808] SSL Library Error: error:140DC009:SSL routines:use_certificate_chain_file:PEM lib
To fix this, make sure the certificate is in PEM (Base64-encoded ASCII) format, PKCS #8.
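The following added check script (not part of the original guide) ties the certificate steps earlier in the page (CSR with SAN entries, signed cert copied to /etc/pki/tls/certs/httpd.crt) to the two ssl_error_log failures in this section: it verifies that the cert and key parse as PEM, belong to each other, carry the FQDN in subjectAltName and that the key is not world-readable. check_cert takes the FQDN and the cert/key paths as arguments; make_test_pair generates a constructed self-signed pair with openssl for trying it out.

```shell
#!/bin/sh
# Added example (not from the original guide): verify a cert/key pair before
# pointing ssl.conf at it. Catches the "no start line" (not PEM) error, a key
# that does not belong to the cert, a SAN without the FQDN (the auto-generated
# mod_ssl cert only carries the short hostname) and a world-readable key.
# The SELinux label is not checked here; that is what restorecon fixes.

# check_cert FQDN CERT KEY -> exit status 0 when every check passes, 1 otherwise
check_cert() {
    fqdn=$1; crt=$2; key=$3; rc=0
    # 1. Both files must parse as PEM; a DER or PKCS#7 export fails exactly
    #    like the "PEM routines:get_name:no start line" entry in ssl_error_log.
    if ! openssl x509 -in "$crt" -noout 2>/dev/null; then
        echo "FAIL: $crt is not a PEM X.509 certificate"; return 1
    fi
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "FAIL: $key is not a readable PEM private key"; return 1
    fi
    # 2. The key must belong to the cert: compare public-key digests rather
    #    than RSA moduli so the check also works for EC keys.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: public key in $crt does not match $key"; rc=1
    fi
    # 3. The FQDN clients connect to must be in subjectAltName (browsers
    #    ignore the CN once a SAN extension is present).
    if ! openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null \
         | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "DNS:$fqdn"; then
        echo "FAIL: DNS:$fqdn is not listed in subjectAltName of $crt"; rc=1
    fi
    # 4. The private key must not be readable by "other" (last octal digit 0).
    mode=$(stat -c %a "$key")
    case $mode in
        *[1-7]) echo "FAIL: $key mode $mode is accessible by others"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $crt / $key valid for $fqdn"
    return "$rc"
}

# make_test_pair DIR FQDN -> constructed self-signed cert and key for trying
# check_cert (same openssl req -addext form as the CSR command above).
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName = DNS:$2, DNS:localhost" \
        -keyout "$1/httpd.key" -out "$1/httpd.crt" >/dev/null 2>&1
    chmod 600 "$1/httpd.key"
}

# Usage: sh check_cert.sh webchat.example.com /etc/pki/tls/certs/httpd.crt /etc/pki/tls/private/httpd.key
if [ "$#" -eq 3 ]; then
    check_cert "$1" "$2" "$3"
fi
```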
Can redis start from the command line?
/usr/bin/redis-server /etc/redis/redis.conf
Check the logs:
more /var/log/redis/redis.log
Example of successfully starting from command line:
2189460:C 30 Oct 2024 17:23:23.802 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
2189460:C 30 Oct 2024 17:23:23.802 # Redis version=6.2.7, bits=64, commit=00000000, modified=0, pid=2189460, just started
2189460:C 30 Oct 2024 17:23:23.802 # Configuration loaded
2189460:M 30 Oct 2024 17:23:23.803 * Increased maximum number of open files to 10032 (it was originally set to 1024).
2189460:M 30 Oct 2024 17:23:23.803 * monotonic clock: POSIX clock_gettime
2189460:M 30 Oct 2024 17:23:23.803 # A key '__redis__compare_helper' was added to Lua globals which is not on the globals allow list nor listed on the deny list.
2189460:M 30 Oct 2024 17:23:23.803 * Running mode=standalone, port=6379.
2189460:M 30 Oct 2024 17:23:23.803 # Server initialized
2189460:M 30 Oct 2024 17:23:23.803 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
2189460:M 30 Oct 2024 17:23:23.804 * Loading RDB produced by version 6.2.7
2189460:M 30 Oct 2024 17:23:23.804 * RDB age 16829 seconds
2189460:M 30 Oct 2024 17:23:23.804 * RDB memory usage when created 0.78 Mb
2189460:M 30 Oct 2024 17:23:23.804 # Done loading RDB, keys loaded: 0, keys expired: 3.
2189460:M 30 Oct 2024 17:23:23.804 * DB loaded from disk: 0.000 seconds
2189460:M 30 Oct 2024 17:23:23.804 * Ready to accept connections
Example of failing to start due to SELinux: the TCP port bind was denied. This was corrected by running the command:
semanage port -a -t redis_port_t -p tcp 6379
Note: I also had to delete (-d) the port which had been added to http_port_t.
2119480:C 30 Oct 2024 12:19:54.413 * Supervised by systemd. Please make sure you set appropriate values for TimeoutStartSec and TimeoutStopSec in your service unit.
2119480:C 30 Oct 2024 12:19:54.413 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
2119480:C 30 Oct 2024 12:19:54.413 # Redis version=6.2.7, bits=64, commit=00000000, modified=0, pid=2119480, just started
2119480:C 30 Oct 2024 12:19:54.413 # Configuration loaded
2119480:M 30 Oct 2024 12:19:54.414 * monotonic clock: POSIX clock_gettime
2119480:M 30 Oct 2024 12:19:54.414 # Warning: Could not create server TCP listening socket 127.0.0.1:6379: bind: Permission denied
2119480:M 30 Oct 2024 12:19:54.414 # Failed listening on port 6379 (TCP), aborting.
systemctl start redis
Example of failing to start from systemctl due to DB permissions. In my case, this was caused because I had started it from the command line as root, and the DB file was therefore created by root. This could be fixed by deleting the file /var/lib/redis/dump.rdb or changing its ownership from root:root → redis:redis. Also note that this file seems to be created when Redis is shut down, to store the in-memory DB to file. It is then read when Redis starts back up, which in the case below it didn't have access to do!
2189630:C 30 Oct 2024 17:26:39.582 * Supervised by systemd. Please make sure you set appropriate values for TimeoutStartSec and TimeoutStopSec in your service unit.
2189630:C 30 Oct 2024 17:26:39.582 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
2189630:C 30 Oct 2024 17:26:39.582 # Redis version=6.2.7, bits=64, commit=00000000, modified=0, pid=2189630, just started
2189630:C 30 Oct 2024 17:26:39.582 # Configuration loaded
2189630:M 30 Oct 2024 17:26:39.582 * monotonic clock: POSIX clock_gettime
2189630:M 30 Oct 2024 17:26:39.582 # A key '__redis__compare_helper' was added to Lua globals which is not on the globals allow list nor listed on the deny list.
2189630:M 30 Oct 2024 17:26:39.582 * Running mode=standalone, port=6379.
2189630:M 30 Oct 2024 17:26:39.582 # Server initialized
2189630:M 30 Oct 2024 17:26:39.582 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
2189630:M 30 Oct 2024 17:26:39.583 # Fatal error loading the DB: Permission denied. Exiting.