Add ons to help Monitor and Manage OSCAR
Java Melody
Java Melody is an open source tool for monitoring Java EE web applications.
With this you will be able to:
- monitor average response times and number of executions
- make decisions before problems become too serious
- optimize based on the more limiting response times
- find the root causes of response times
- verify the real improvement after optimizations
https://github.com/javamelody/javamelody/wiki
Configuration of Java Melody
Java Melody is already integrated in OSCAR 19, but it is disabled by default. If it is needed, certain steps must be taken to enable it and secure its operation. The first two settings are usually accomplished by the DEB. Note that even with these steps the JDBC is NOT picked up by Java Melody with OSCAR 19 on Tomcat 9.
1) Server must be using SSL
2) Turn on headless (add to CATALINA_OPTS)
-Djava.awt.headless=true
3) Create a user and add them to the “monitoring” role. This is done in tomcat-users.xml, for example as below. This restricts the monitoring to those who provide the credentials.
<role rolename="monitoring"/>
<user username="melody" password="*****" roles="monitoring"/>
4) Turn on your instance in the monitoring filter section of /var/lib/tomcat9/webapps/oscar/WEB-INF/web.xml, for example so that it looks like this:
<filter>
    <filter-name>monitoring</filter-name>
    <filter-class>net.bull.javamelody.MonitoringFilter</filter-class>
    <init-param>
        <param-name>system-actions-enabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>disabled</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
5) If OSCAR is not reloaded with this change, you will need to restart Tomcat.
Now access your server with /monitoring in the URL, for example
https://localhost:8443/oscar/monitoring
Supply the username and password you set for the monitoring user
and you should see
PhpMyAdmin
Many users prefer a graphical interface to maintain MariaDB rather than using the shell. As phpMyAdmin is a known target for malicious actors, and the login is your MariaDB password, best practice is to harden the webserver. Apache2 is the default and should be used, although it may require additional configuration if you are using Certbot or are running a Tomcat-Apache connector.
PhpMyAdmin with Apache
sudo apt install phpmyadmin php-mbstring php-zip php-gd php-json php-curl
When the phpmyadmin installer gives you the choice of Apache or Lighttpd you must hit [Space] to select the option [*] BEFORE you hit [OK] or no configuration of the webserver will take place.
Run the installation as above. Test that the base installation is working by going to http://localhost/phpmyadmin
The following are instructions to secure Apache2 with phpMyAdmin on port 80. It is never a good idea to put anything sensitive on port 80 and expose it to the internet. The additional complications of serving on 443 are beyond the scope of these instructions.
PhpMyAdmin and UFW
One simple approach is to configure your firewall to prevent access to Apache’s port 80 (and potentially 443). Leave external access only to Tomcat on 8443, which will give access to OSCAR. You will probably want a single workstation or a range of workstations to access phpMyAdmin. This can be set by specific IP (more secure) or CIDR range (more convenient). For example, if your workstation’s external IP is 203.0.113.101 and you wish to add access to phpMyAdmin from that workstation, use the following command with UFW on the machine that serves OSCAR and phpMyAdmin. (Replace the example with your desired IP or range.)
sudo ufw allow from 203.0.113.101 to any port 80
A reasonable configuration for UFW with OSCAR and the above machine’s access to phpMyAdmin may look similar to the below.
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8443                       ALLOW       Anywhere
3306                       DENY        Anywhere
8080                       DENY        Anywhere
80                         ALLOW       203.0.113.101
80                         DENY        Anywhere
Apache Secure              DENY        Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
8443 (v6)                  ALLOW       Anywhere (v6)
3306 (v6)                  DENY        Anywhere (v6)
8080 (v6)                  DENY        Anywhere (v6)
80 (v6)                    DENY        Anywhere (v6)
Apache Secure (v6)         DENY        Anywhere (v6)
Notes: Standard OSCAR installation will configure MariaDB (3306), Tomcat on 8080, and Apache Secure (443) to prevent access or not bind those ports. The above UFW configuration is a belt and suspenders approach to provide a layered defense in case there is a vulnerability in any given layer.
That might be enough if you never touch your firewall. However, if you open port 80 from time to time for Certbot, there is a (short) time during which your phpMyAdmin is exposed to the internet. Not to mention that something can happen along the way and port 80 may stay open for longer than you think. Thus, to defend phpMyAdmin in layers, consider an additional security measure.
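One way to check the firewall state described above, including a port 80 that was opened for Certbot and never closed again. This is an added example, not part of the original OSCAR documentation; the function name audit_port80 and both sample listings are constructed for illustration.

```shell
# Added example: audit `ufw status` text for how port 80 (phpMyAdmin) is reachable.
# On a live host: sudo ufw status | audit_port80   (returns 0 only if nothing is flagged)
audit_port80() {
    awk -F'  +' '
        /^Status: active/ { active = 1 }
        # Rule rows are "To  Action  From", with columns separated by 2+ spaces.
        NF >= 3 && $1 ~ /^80(\/tcp)?( \(v6\))?$/ {
            if ($2 ~ /^ALLOW/ && $3 ~ /^Anywhere/) {
                print "EXPOSED: " $1 " is open to " $3; bad = 1
            } else if ($2 ~ /^ALLOW/ && denied[$1]) {
                # UFW stops at the first matching rule, so this allow never fires.
                print "SHADOWED: allow from " $3 " follows a deny-all"; bad = 1
            } else if ($2 ~ /^ALLOW/) {
                print "allowed source: " $3
            } else if ($2 ~ /^(DENY|REJECT)/ && $3 ~ /^Anywhere/) {
                denied[$1] = 1
            }
        }
        END {
            if (!active) { print "INACTIVE: ufw is not filtering"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: the port 80 rules from the status listing above.
sample_page_rules() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
8443                       ALLOW       Anywhere
80                         ALLOW       203.0.113.101
80                         DENY        Anywhere
80 (v6)                    DENY        Anywhere (v6)
EOF
}

# Constructed sample: the same listing with port 80 left open after a Certbot run.
sample_certbot_window() {
    sample_page_rules |
        awk '{ print } /^--/ { print "80                         ALLOW       Anywhere" }'
}
```

Run from cron or after each Certbot renewal, a non-zero exit status is the signal that port 80 is reachable from more than the intended workstation.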
PhpMyAdmin and .htaccess
If you want to harden further, one way of doing this is to place a gateway in front of the entire application by using Apache’s built-in .htaccess authentication and authorization functionalities.
The older approach would be to use a .htaccess file override, and it is illustrated elsewhere on the internet. Apache now suggests the more efficient approach of adding the htaccess directives to your <Directory> configuration by editing, in this case, your phpMyAdmin installation’s Apache configuration file.
Below we will use nano to edit the phpmyadmin.conf file. Feel free to use your favorite text editor in its stead.
Add lines to the <Directory /usr/share/phpmyadmin> section of the configuration file, like this:
<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
    .....
</Directory>
Here is what each of these lines means:
AuthType Basic: This type will implement password authentication using a password file containing the hashed password(s).
AuthName: This is used to set the message for the authentication dialog box. This is usually no longer displayed for security. Keep it generic in case.
AuthUserFile: This sets the location of the password file that will be used for authentication. This should be outside of the directories that are being served.
Require valid-user: This is essential to ensure only authenticated users are given access to this resource.
When you are finished, save and close the file.
The location that you selected for your password file was /etc/apache2/.htpasswd. You can now create this file and pass it an initial user (“restricteduser” here) with the htpasswd utility:
You will be prompted to select and confirm a password for the user you are creating. Afterwards, the file is created with the hashed password that you entered. You can cat the file to ensure that the username and (hashed) password are present.
If you want to add an additional user to the file, you need to do so without the -c flag, like this:
Then restart Apache to put it all into effect
Now, when you access your phpMyAdmin subdirectory (and only that directory), you will be prompted once per session for the additional account name and password that you just configured. Test by logging in to either of the following as appropriate from the Apache machine or the LAN.
http://localhost/phpmyadmin
http://IP/phpmyadmin
After entering the Apache authentication (the username and password you supplied earlier), you’ll be taken to the regular phpMyAdmin authentication page to enter your MariaDB credentials. If you don’t supply correct authentication (worth testing) Apache will serve you an “unauthorized” error page.
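A check for the Apache gate configured in this section, as an added example that is not part of the original documentation. It reads a configuration file on standard input and confirms that the <Directory /usr/share/phpmyadmin> block carries the directives explained above. It also flags a stray "Require all granted", which Apache 2.4 combines with "Require valid-user" as alternatives and which therefore lets unauthenticated requests through. The function and sample names are constructed for illustration.

```shell
# Added example: confirm the phpMyAdmin <Directory> block really enforces Basic auth.
# Usage: audit_auth_gate < path/to/phpmyadmin.conf   (returns 0 only if the gate holds)
audit_auth_gate() {
    awk '
        { sub(/^[ \t]+/, ""); key = tolower($1) }   # directive names are case-insensitive
        key == "<directory" {
            dir = $2; gsub(/[">]/, "", dir); sub(/\/$/, "", dir)
            inblock = (dir == "/usr/share/phpmyadmin"); next
        }
        key == "</directory>" { inblock = 0; next }
        !inblock || /^#/ { next }
        key == "authtype"     && tolower($2) == "basic" { basic = 1 }
        key == "authuserfile" { pwfile = $2; gsub(/"/, "", pwfile) }
        key == "require"      && tolower($2) == "valid-user" { gate = 1 }
        # Sibling Require lines are OR-ed (implicit RequireAny), so this opens the gate.
        key == "require"      && tolower($2 " " $3) == "all granted" { open = 1 }
        END {
            if (!basic) { print "MISSING: AuthType Basic"; bad = 1 }
            if (!gate)  { print "MISSING: Require valid-user"; bad = 1 }
            if (open)   { print "BYPASS: Require all granted in the same block"; bad = 1 }
            if (pwfile == "") { print "MISSING: AuthUserFile"; bad = 1 }
            else if (index(pwfile, "/usr/share/phpmyadmin/") == 1) {
                print "WEAK: password file is inside the served directory"; bad = 1
            }
            exit bad + 0
        }
    '
}

# Constructed sample: the block as configured in the steps above.
sample_gated_conf() {
    cat <<'EOF'
<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
EOF
}

# Constructed sample: the same block with a leftover line that defeats the gate.
sample_bypassed_conf() {
    sample_gated_conf | awk '{ print } /Require valid-user/ { print "    Require all granted" }'
}
```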
Documentation copyright © 2012-2024 by Peter Hutten-Czapski MD under the Creative Commons Attribution-Share Alike 3.0 Unported License