Service Apps - On Premise - White Paper



Architecture

Terminology

Instance: Independent Service Apps engine used for version upgrades, acceptance and rollbacks.

Tenant: Secure cage on Service Apps containing applications.

Apps Connector for Service Manager: Set of files that must be placed on the Service Manager front-end Web servers.

  • They are used for interfacing Service Apps and Service Manager.
  • They include dedicated keys as signatures between platforms.

Trusted Identity Provider (TIP): Third-party systems such as LDAP or SSO used for authenticating Service Apps users.

Logical architecture

By default, each Service Apps platform contains two environments called instances. One is the production environment and the other is the acceptance (version migration) environment.

The acceptance and production engines are configured in a strictly identical manner (Service Manager connector, database depending on your options, authentication, etc.) in order to perform full acceptance prior to migration and if required, a rollback.

Each instance is made up of:

  • One URL
  • One distinct set of pages installed on the front-end Web server
  • One MySQL database
  • One resource shared by front-end Web servers if required

Note: We recommend that you keep both instances on each of your platforms (production, preproduction, acceptance) to ensure that acceptance is performed exactly in the conditions specific to each environment. A Service Apps acceptance platform is usually linked to a Service Manager acceptance application whose configuration and connection settings (e.g. LDAP) are not identical to the production platform.

Three-tier +1 physical architecture

Objectives

The Service Apps platform is based on a three-tier architecture:

  • Web server (application core)
  • MySQL database
  • Access to the Service Manager application via a connector
  • Resource shared by front-end Web servers if required

Nevertheless, the client (Web browser) is an important component of the architecture. It must comply with both the platform and recommendations in order to ensure optimal service to end users.

The Web server tier and database tier must be installed on different servers in the following cases:

  • The Web server is located in the DMZ or is highly exposed to the Internet.
  • A high-availability architecture is required for the project, e.g. MySQL cluster or multiple Web servers.
  • This is required by your platform and/or security constraints.

Several parameters can affect the dimensioning of the project:

  • Number of concurrent users
  • Structure of applications, e.g. number of data sources
  • Security policy, e.g. resilience
  • Availability
  • Production, preproduction or development platforms, etc.

Progressive scaling

The Service Apps architecture is scalable. It can be reviewed and modified based on changes in your requirements.

You can start your project with a basic architectural model and review it subsequently, for example, when the number of concurrent users increases, when your security rules change or when functionalities are added to the initial project scope.

Each tier can be scaled separately using more or less resources based on the requirements identified.

Increasing resources vs servers

If you are able to choose between adding greater capacity to a server and adding more servers, the first solution is often better as long as the current machine is able to support increased resources. Advantages:

  • Fewer servers to install and manage
  • Fewer operating system licenses
  • Less space required in bays for physical machines

Layered architectures

Simple architecture

[Figure: Simple architecture]

Most resilient architecture

[Figure: Most resilient architecture]

Other architectural models

Intermediate architectural models that lie between the simplest solution and the most resilient one are possible.

For example, for a Service Apps single-node architecture, you can choose to outsource the MySQL server and place the filer in the LAN while leaving the Web node in the DMZ.

Minimum data flows

Source                  | Destination                | Ports                          | UDP/TCP
Your users              | Web server                 | 443 (https)                    | TCP
Service Apps Web server | Service Manager Web server | 443 (https)                    | TCP
Service Apps Web server | MySQL                      | 3306                           | TCP
Service Apps Web server | File server                | 445 (SMB on Windows 2008/2012) | TCP

High availability

Maximum availability is possible using clusters for the database and the Web server.

Caution: Your infrastructure and database team must be able to support the installation and maintenance of the cluster. EasyVista is not responsible for this.

You can set up a load balancer for the Web server tier. It must provide session persistence, i.e. keep each PHP session on the same Web server for the entire lifetime of the session.

Security of data flows

Web server security

You must add an SSL certificate to the Apache server to secure data flows between the Web server and clients. We recommend that you do this during the installation phase.

Note: SSL encryption can be offloaded to a device such as F5 or HAProxy.

Security of data flows between platforms

Data flows in both directions are signed using a pair of SSL keys (2,048 bits).

Data is encrypted with AES-256 using a set of private keys specific to the Service Apps platform.

Service Manager platform version

You must check the version of Service Manager based on the Service Apps version deployed.

In project management, you should update or install the latest fix on the Service Manager platform.

System prerequisites and hardware

Node dimensioning

Standard installation

In most cases, a single node is required to support the load linked to the use of Service Apps. The functional load is performed on third-party servers, i.e. EV SM, SQL Server, REST server, etc.

The minimum size of this node is as follows: 

Resource Description
RAM 6 GB
CPU 2 vCPU
Disk 100 GB

To support a greater load, you can subsequently add more CPU or memory based on contention detected by your monitoring systems.

How to improve platform resilience

To enable higher availability or a greater number of concurrent users while maintaining desired levels of performance, you can increase the number of nodes and distribute them behind a load balancer.

System prerequisites

Tier Prerequisite
Web tier
  • OS: Linux, kernel 3 recommended
  • Apache: 2.2 or 2.4
  • PHP: 5.6.x
Database tier
  • OS: Linux, kernel 3 recommended for MySQL database version 5.6
  • For an installation with multiple lines, the MySQL 5.6 client must be installed on each of the front-end Web servers

Web tier

Caution: We are unable to provide the configuration for each Linux distribution. As such, we recommend that you adapt the example provided below. We recommend that you upgrade your version.

OS

Performance can be improved using kernel 3.

List of first distributions with kernel 3: CentOS 7, Red Hat 7, Debian 7, Ubuntu 11.10, etc.

Apache

The following modules must be enabled:

  • so
  • headers
  • expires
  • deflate or filter
  • socache_shmcb
  • reqtimeout
  • mime
  • log_config
  • env
  • macro
  • auth_basic
  • lbmethod_byrequests
  • lbmethod_bytraffic
  • lbmethod_bybusyness
  • lbmethod_heartbeat
  • setenvif
  • version
  • slotmem_shm
  • ssl
  • mpm_prefork
  • unixd
  • alias
  • rewrite
     

To compile Apache, you should adapt the basic compilation below to your environment.

Example:

./configure … \
    --enable-authnz-fcgi \
    --enable-mods-shared=most \
    --enable-mpms-shared=all \
    --enable-suexec=shared \
    --with-suexec-uidmin=120 \
    --with-suexec-gidmin=120 \
    --enable-ssl \
    --enable-ssl-staticlib-deps \
    --with-sslport=443 \
    --with-mpm=prefork \
    --enable-static-rotatelogs \
    --enable-so \
    --enable-info \
    --enable-dir \
    --enable-mime-magic \
    --enable-expires \
    --enable-headers \
    --enable-rewrite \
    --enable-cgi \
    --enable-cgid \
    --enable-cache \
    --enable-disk-cache \
    --enable-mem-cache \
    --enable-slotmem-plain \
    --enable-slotmem-shm \
    --enable-lbmethod-byrequests \
    --enable-lbmethod-bytraffic \
    --enable-lbmethod-bybusyness \
    --enable-lbmethod-heartbeat \
    --enable-dav \
    --enable-dav-fs \
    --enable-dav-lock \
    --enable-deflate \
    --with-deflate

 

List of Apache directives:

Type Configuration
Modules
<IfDefine MODSECURITY>
LoadModule security2_module modules/mod_security2.so
</IfDefine>

<IfDefine PP_HTTP>
Define PP
</IfDefine>
<IfDefine PP_HTTPS>
Define PP
</IfDefine>

<IfDefine PP>
LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule expires_module modules/mod_expires.so
</IfDefine>

<IfDefine APPSTORE_MACRO_HTTPS>
Define APPSTORE_MACRO
</IfDefine>
<IfDefine APPSTORE_MACRO_HTTP>
Define APPSTORE_MACRO
</IfDefine>

<IfDefine APPSTORE_MACRO>
LoadModule macro_module modules/mod_macro.so
</IfDefine>

LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php5_module modules/libphp5.so
Keepalive
  • Static resources have an expiry time of 86,400 seconds (24 hours).
  • You can manage them in mod_headers and mod_expires.
  • The configuration is as follows:
<IfModule mod_mime.c>
   AddType image/ico .ico
   AddType application/x-gzip .tar.gz .gz .tgz
</IfModule>

<IfModule mod_headers.c>
   <FilesMatch "(^.+\.(?i:ico|pdf|flv|jpg|jpeg|png|gif|swf|mp3|mp4|css|js|html|htm))$">
       Header unset Cache-Control
       Header set Cache-Control "max-age=86400, public"
   </FilesMatch>
   <FilesMatch "(^.+\.(?i:php))$">
       Header unset Cache-Control
       Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
   </FilesMatch>
</IfModule>

<IfModule mod_expires.c>
   ExpiresActive On
   ExpiresByType image/jpg                         "access plus 86400 seconds"
   ExpiresByType image/jpeg                        "access plus 86400 seconds"
   ExpiresByType image/png                         "access plus 86400 seconds"
   ExpiresByType image/gif                         "access plus 86400 seconds"
   ExpiresByType image/ico                         "access plus 86400 seconds"
   ExpiresByType image/icon                        "access plus 86400 seconds"
   ExpiresByType image/x-icon                      "access plus 86400 seconds"
   ExpiresByType text/css                          "access plus 86400 seconds"
   ExpiresByType text/javascript                   "access plus 86400 seconds"
   ExpiresByType text/html                         "access plus 86400 seconds"
   ExpiresByType application/xhtml+xml             "access plus 86400 seconds"
   ExpiresByType application/javascript            "access plus 86400 seconds"
   ExpiresByType application/x-javascript          "access plus 86400 seconds"
   ExpiresByType application/x-shockwave-flash     "access plus 86400 seconds"
</IfModule>
Log format
  • You should adopt our recommendations for formatting logs in order to facilitate analysis using our diagnostic tools.
  • ACCESS*.LOG files contain the information below.
%t Time at which the request was received
%D Time (in microseconds) for processing the request
%H Request protocol
%{Referer}i Referer of the request received
%{User-Agent}i User agent
%U Path of the request without arguments
%a IP address of the requestor
%X Connection status after sending (KeepAlive)
%>s HTTP status code returned by the server
%b Size of the response returned by the server
%r First line of the request (with arguments)
%{SSL_PROTOCOL}x SSL protocol (TLS 1.0, etc.)
%{SSL_CIPHER}x SSL Cipher used
%{PHPSESSID}C PHP Session ID
  • The configuration is as follows:
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "/var/log/httpd/access_log" combined
ErrorLog "/var/log/httpd/error_log"
SSLSessionCache shmcb:/etc/httpd/logs/ssl_scache.log
Performance
HostnameLookups Off
TimeOut 300
KeepAlive On
MaxKeepAliveRequests 500
KeepAliveTimeout 3
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch ".*MSIE [456].*" nokeepalive
AddOutputFilter DEFLATE html php evsa js json htm svg gif tsv png ico css woff ttf eot
prefork module
<IfModule prefork.c>
   StartServers            8
   MinSpareServers         8
   MaxSpareServers        30
   ServerLimit           256
   MaxClients            256
   MaxRequestsPerChild  4000
</IfModule>
Security
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Cookie security - update
Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
Header edit Set-Cookie "(?i)^((?:(?!;\s?Secure).)+)$" "$1; Secure"
Security
<FilesMatch "^\.">
   Require all denied
</FilesMatch>
Security
<Directory />

   Options -Indexes
   Order deny,allow
   Deny from all
   RewriteEngine on
   RewriteBase /

   RewriteCond %{HTTP_USER_AGENT} almaden [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
   RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
   RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
   RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
   RewriteCond %{HTTP_USER_AGENT} ^BackWeb [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Bandit [OR]
   RewriteCond %{HTTP_USER_AGENT} ^BatchFTP [OR]
   RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Buddy [OR]
   RewriteCond %{HTTP_USER_AGENT} ^bumblebee [OR]
   RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [OR]
   RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
   RewriteCond %{HTTP_USER_AGENT} ^CICC [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Collector [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Copier [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Crescent [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
   RewriteCond %{HTTP_USER_AGENT} ^DA [OR]
   RewriteCond %{HTTP_USER_AGENT} ^DIIbot [OR]
   RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
   RewriteCond %{HTTP_USER_AGENT} ^DISCo\ Pump [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Download\ Wonder [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Downloader [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Drip [OR]
   RewriteCond %{HTTP_USER_AGENT} ^DSurf15a [OR]
   RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
   RewriteCond %{HTTP_USER_AGENT} ^EasyDL/2.99 [OR]
   RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
   RewriteCond %{HTTP_USER_AGENT} email [NC,OR]
   RewriteCond %{HTTP_USER_AGENT} ^EmailCollector [OR]
   RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
   RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
   RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
   RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
   RewriteCond %{HTTP_USER_AGENT} ^FileHound [OR]
   RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
   RewriteCond %{HTTP_USER_AGENT} FrontPage [NC,OR]
   RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
   RewriteCond %{HTTP_USER_AGENT} ^GetSmart [OR]
   RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
   RewriteCond %{HTTP_USER_AGENT} ^gigabaz [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Go\!Zilla [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
   RewriteCond %{HTTP_USER_AGENT} ^gotit [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Grabber [OR]
   RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
   RewriteCond %{HTTP_USER_AGENT} ^grub-client [OR]
   RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
   RewriteCond %{HTTP_USER_AGENT} ^HTTrack [OR]
   RewriteCond %{HTTP_USER_AGENT} ^httpdown [OR]
   RewriteCond %{HTTP_USER_AGENT} .*httrack.* [NC,OR]
   RewriteCond %{HTTP_USER_AGENT} ^ia_archiver [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
   RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
   RewriteCond %{HTTP_USER_AGENT} ^InternetLinkagent [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
   RewriteCond %{HTTP_USER_AGENT} ^InternetSeer.com [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Iria [OR]
   RewriteCond %{HTTP_USER_AGENT} ^JBH*agent [OR]
   RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
   RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
   RewriteCond %{HTTP_USER_AGENT} ^JustView [OR]
   RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
   RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
   RewriteCond %{HTTP_USER_AGENT} ^LexiBot [OR]
   RewriteCond %{HTTP_USER_AGENT} ^lftp [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Link*Sleuth [OR]
   RewriteCond %{HTTP_USER_AGENT} ^likse [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Link [OR]
   RewriteCond %{HTTP_USER_AGENT} ^LinkWalker [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Mag-Net [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Magnet [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Memo [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [OR]
   RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Mirror [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Mozilla*MSIECrawler [OR]
   RewriteCond %{HTTP_USER_AGENT} ^MS\ FrontPage* [OR]
   RewriteCond %{HTTP_USER_AGENT} ^MSFrontPage [OR]
   RewriteCond %{HTTP_USER_AGENT} ^MSIECrawler [OR]
   RewriteCond %{HTTP_USER_AGENT} ^MSProxy [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
   RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
   RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
   RewriteCond %{HTTP_USER_AGENT} ^NetMechanic [OR]
   RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
   RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
   RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Ninja [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Openfind [OR]
   RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
   RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
   RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Ping [OR]
   RewriteCond %{HTTP_USER_AGENT} ^PingALink [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Pockey [OR]
   RewriteCond %{HTTP_USER_AGENT} ^psbot [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Pump [OR]
   RewriteCond %{HTTP_USER_AGENT} ^QRVA [OR]
   RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Reaper [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Recorder [OR]
   RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Scooter [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Seeker [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Siphon [OR]
   RewriteCond %{HTTP_USER_AGENT} ^sitecheck.internetseer.com [OR]
   RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
   RewriteCond %{HTTP_USER_AGENT} ^SlySearch [OR]
   RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Snake [OR]
   RewriteCond %{HTTP_USER_AGENT} ^SpaceBison [OR]
   RewriteCond %{HTTP_USER_AGENT} ^sproose [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Stripper [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Sucker [OR]
   RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
   RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Szukacz [OR]
   RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
   RewriteCond %{HTTP_USER_AGENT} ^URLSpiderPro [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Vacuum [OR]
   RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
   RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [OR]
   RewriteCond %{HTTP_USER_AGENT} ^webcollage [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Web\ Downloader [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WebEMailExtrac.* [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WebHook [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WebMiner [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WebMirror [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Website [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Webster [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
   RewriteCond %{HTTP_USER_AGENT} WebWhacker [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Whacker [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
   RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
   RewriteCond %{HTTP_USER_AGENT} ^x-Tractor [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Zeus
   RewriteRule ^.* - [F,L]

   AllowOverride None
   AllowOverrideList None

</Directory>
Header security
  • Used to configure values returned in the header by a HTTP request.
  • The configuration is as follows:
SetEnvIfNoCase Request_URI \.(?i:gif|jpg|jpeg|png|jar)$ no-gzip
FileETag none

<IfModule mod_headers.c>
   Header unset Server
   Header unset ETag
   Header set X-Frame-Options "sameorigin"
   Header append Vary User-Agent env=!dont-vary
   Header set X-Content-Type-Options "nosniff"
   Header set X-XSS-Protection "1; mode=block"
</IfModule>
Service Apps configuration
ServerName ${APPSTORE_HTTP_SERVER_NAME}
Listen ${APPSTORE_HTTP_SERVER_NAME}:${APPSTORE_HTTP_PORT}
<VirtualHost ${APPSTORE_HTTP_SERVER_NAME}:${APPSTORE_HTTP_PORT}>

   DirectoryIndex index.php index.html index.xhtml index.htm

   ServerName ${APPSTORE_HTTP_SERVER_NAME}
   DocumentRoot "/var/www/argo"

   LogLevel warn
   # CustomLog "|/usr/sbin/rotatelogs -l /etc/httpd/logs/access.log.%Y%m%d 86400" default_argo
   # ErrorLog  "|/usr/sbin/rotatelogs -l /etc/httpd/logs/error.log.%Y%m%d 86400"

   CustomLog "/var/log/httpd/access_log" combined
   ErrorLog "/var/log/httpd/error_log"


   AddOutputFilterByType DEFLATE text/html text/plain text/xml application/javascript text/javascript text/css

</VirtualHost>
File security
<Directory "/var/www/argo*">
   Options -Indexes
   <FilesMatch "\.*$">
       deny from all
   </FilesMatch>
   <FilesMatch "((^$)|(^.+\.(?i:html|php|evsa|tar.gz|js|json|htm|svg|gif|tsv|jpeg|jpg|png|ico|css|woff|woff2|ttf|eot|hpf)$)|backgroundImage|backgroundImageMobile|collection|robots.txt|)">
       allow from all
   </FilesMatch>

   RewriteEngine On

   RewriteBase "/"
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteCond %{REQUEST_URI} !(\/.*\/+)
   RewriteRule /var/www/argo*/([^/]+)/?$ /index.php?ev_shorturl=$1 [QSA,L]
</Directory>

# php & html files not allowed in resources, other files will be forced to download

<Directory "/var/www/argo*/resources">
   Require all granted
   Options -Indexes
   <FilesMatch "\.(php|php5|htm|html)$">
       Deny from all
   </FilesMatch>
   # RSA keys...
   <FilesMatch "^(50[0-9]{3}_[a-fA-F0-9]{13})$">
       Deny from all
   </FilesMatch>
   # SEZV-15-070
   Header set Content-Disposition attachment
   # Removed due to IE11 mime types bug
   # ForceType application/octet-stream
</Directory>

# Needed for the AppStore REST WSDL (/var/www/argo/api).
# The purpose of this rewrite is to redirect any REST call
# to index.php, passing the parameters through.
# The rule applies from /api to all subfolders.
# The requested file or directory must not exist for the rewrite to apply.
# The URI must start with /api.

<Directory "/var/www/argo*/api/v1">
   Options -Indexes +FollowSymLinks
   RewriteEngine On
   # LogLevel alert rewrite:trace4
   <FilesMatch "\.*$">
       allow from all
   </FilesMatch>
   RewriteBase "/api/v1/"
   Require all granted
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteCond expr "%{REQUEST_URI} -strmatch '/api/v1/*'"
   RewriteRule ^ /api/v1/index.php [QSA,L]
</Directory>

#

<Directory "/var/www/argo*/api">
   Options -Indexes +FollowSymLinks
   RewriteEngine On
   # LogLevel alert rewrite:trace4
   <FilesMatch "\.*$">
       allow from all
   </FilesMatch>
   RewriteBase "/api/"
   Require all granted
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteCond expr "%{REQUEST_URI} -strmatch '/api/*'"
   RewriteRule ^ /index.php [QSA,L]
</Directory>
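
The check below is an added example, not vendor code: it runs the two FilesMatch patterns of the /var/www/argo* block against constructed file names. The published allow-list ends in `|)`, an empty alternative that matches every name, so two tightened variants are shown for comparison. It assumes Python's re module behaves like Apache's PCRE for these constructs and that the allow section overrides the deny-all section for the names it matches.

```python
import re

# Patterns copied verbatim from the <Directory "/var/www/argo*"> block.
DENY_ALL = r"\.*$"
ALLOW_PUBLISHED = (
    r"((^$)|(^.+\.(?i:html|php|evsa|tar.gz|js|json|htm|svg|gif|tsv|jpeg|jpg|png"
    r"|ico|css|woff|woff2|ttf|eot|hpf)$)"
    r"|backgroundImage|backgroundImageMobile|collection|robots.txt|)"
)

# Variant 1 (added here): the same pattern without the empty alternative
# created by the trailing "|)".
ALLOW_NO_EMPTY = ALLOW_PUBLISHED[:-2] + ")"

# Variant 2 (added here, an assumption about the intent): no empty
# alternative, literal dots escaped, literal names anchored at both ends.
ALLOW_TIGHTENED = (
    r"^$|^.+\.(?i:html|php|evsa|tar\.gz|js|json|htm|svg|gif|tsv|jpeg|jpg|png"
    r"|ico|css|woff|woff2|ttf|eot|hpf)$"
    r"|^(?:backgroundImage|backgroundImageMobile|collection|robots\.txt)$"
)

# Constructed file names, not taken from a real installation.
SHOULD_SERVE = ["index.php", "logo.PNG", "bundle.tar.gz", "robots.txt",
                "collection", ""]
SHOULD_BLOCK = ["dump.sql", "config.php.bak", ".htaccess", "id_rsa",
                "notes.txt", "collection.bak"]


def files_match(pattern, name):
    """<FilesMatch> is an unanchored regex search on the file's base name."""
    return re.search(pattern, name) is not None


def is_served(allow_pattern, name):
    """Model of the two sections: deny what DENY_ALL matches, then re-allow
    what the later allow section matches."""
    denied = files_match(DENY_ALL, name)
    return (not denied) or files_match(allow_pattern, name)


def unexpectedly_served(allow_pattern):
    """Names that should be blocked but are reachable with this allow-list."""
    return [n for n in SHOULD_BLOCK if is_served(allow_pattern, n)]


def wrongly_blocked(allow_pattern):
    """Names the application needs that this allow-list would refuse."""
    return [n for n in SHOULD_SERVE if not is_served(allow_pattern, n)]


if __name__ == "__main__":
    variants = (
        ("published", ALLOW_PUBLISHED),
        ("no empty alternative", ALLOW_NO_EMPTY),
        ("tightened", ALLOW_TIGHTENED),
    )
    for label, pattern in variants:
        print(f"{label}:")
        print("  unexpectedly served:", unexpectedly_served(pattern))
        print("  wrongly blocked:    ", wrongly_blocked(pattern))
```

Run the same name lists against any edited allow-list before deploying it; an empty "unexpectedly served" list with an empty "wrongly blocked" list is the target.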

PHP

PHP version 5.6.x is required.

The following modules must be enabled:

  • session
  • sockets
  • curl
  • json
  • libxml
  • iconv
  • zlib
  • dom
  • filter
  • OPcache
  • Mcrypt
  • openssl
     

To compile PHP, you should adapt the basic compilation below to your environment.

Example:

./configure … \
    --with-zlib \
    --enable-bcmath \
    --enable-calendar \
    --enable-ftp \
    --with-gettext \
    --enable-mbstring \
    --with-mysql \
    --with-mysqli \
    --with-pdo-mysql \
    --with-bz2 \
    --enable-dba=shared \
    --enable-soap \
    --enable-sockets \
    --enable-shmop \
    --enable-exif \
    --with-gd \
    --enable-intl \
    --with-mcrypt=static \
    --with-unixODBC=/usr \
    --enable-zip \
    --enable-wddx \
    --enable-sysvsem \
    --enable-sysvshm \
    --enable-sysvmsg \
    --with-mhash \
    --with-readline \
    --with-libedit \
    --with-pdo-odbc=unixODBC,/usr \
    --enable-zend-signals \
    --enable-opcache \
    --with-jpeg-dir \
    --with-png-dir \
    --with-freetype-dir

 

The following parameters must be updated in the PHP.ini file:

Type Configuration
Language
engine = On
short_open_tag = Off
asp_tags = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 17
disable_functions =
disable_classes =
zend.enable_gc = On
Security
expose_php = Off
display_errors = Off
session.use_cookies = 1
session.use_only_cookies = 1
session.save_path = /xxxx/xxx/sessions  ==>  Folder for storing sessions
[openssl]
openssl.cafile = /xxx/xxx/*.pem  ==>  Folder for storing the certificate
Performance
memory_limit = -1
max_execution_time = 30
post_max_size = 100M
auto_globals_jit = Off
max_input_time = 60
max_input_vars = 20000
Upload
file_uploads = On
upload_max_filesize = 100M
max_file_uploads = 20
Error management
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
error_log  ==>  Folder for storing logs
Data handling
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = off
default_mimetype = "text/html"
;default_charset = "UTF-8"
Session
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = Off
session.bug_compat_warn = Off
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
Fopen wrappers
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
PCRE
pcre.backtrack_limit = 10000000
pcre.recursion_limit = 10000000
MySQL
mysql.allow_local_infile = On
mysql.allow_persistent = On
mysql.cache_size = 2000
mysql.max_persistent = -1
mysql.max_links = -1
mysql.connect_timeout = 60
mysql.trace_mode = Off
MySQLi
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.reconnect = Off
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
MSSQL
mssql.allow_persistent = On
mssql.max_persistent = -1
mssql.max_links = -1
mssql.min_error_severity = 10
mssql.min_message_severity = 10
mssql.compatibility_mode = Off
mssql.secure_connection = Off
Pdo_mysql
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
ODBC
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
SOAP
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
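
An added example, not EasyVista's code: a small audit that compares the session, include and MySQL directives from the listing above with a review baseline and reports each deviation. The baseline values are an assumption chosen for this example (session.cookie_secure in particular presumes the site is served over HTTPS), and the names SAMPLE_INI, BASELINE, parse_ini and audit are hypothetical.

```python
# Constructed sample: directives and values copied from the listing above.
SAMPLE_INI = """\
session.use_strict_mode = 0
session.use_only_cookies = 1
session.cookie_httponly =
session.use_trans_sid = 0
allow_url_include = Off
mysql.allow_local_infile = On
"""

# Assumed review baseline (chosen for this example, not EasyVista guidance).
BASELINE = {
    "session.use_strict_mode": ("1", "accept only session IDs the server issued"),
    "session.use_only_cookies": ("1", "never take the session ID from the URL"),
    "session.cookie_httponly": ("1", "hide the session cookie from JavaScript"),
    "session.cookie_secure": ("1", "send the session cookie over HTTPS only"),
    "session.use_trans_sid": ("0", "do not append session IDs to links"),
    "allow_url_include": ("0", "no include/require of remote URLs"),
    "mysql.allow_local_infile": ("0", "no LOAD DATA LOCAL INFILE from PHP"),
}

# php.ini boolean spellings, normalised to "1"/"0" (an empty value is false).
_FLAGS = {"on": "1", "yes": "1", "true": "1", "1": "1",
          "off": "0", "no": "0", "false": "0", "none": "0", "0": "0", "": "0"}

def parse_ini(text):
    """Return {directive: value}; the last assignment of a directive wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue  # blank line, comment, section header or stray text
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(text):
    """Return (directive, found, expected, reason) per deviation; found is None if absent."""
    settings, findings = parse_ini(text), []
    for key, (expected, reason) in BASELINE.items():
        raw = settings.get(key)
        found = None if raw is None else _FLAGS.get(raw.lower(), raw)
        if found != expected:
            findings.append((key, found, expected, reason))
    return findings

for finding in audit(SAMPLE_INI):
    print(*finding)  # one line per directive to review
```

Treat each finding as a question to settle on the acceptance instance before the production php.ini is changed.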

Zend Loader

The set of pages shipped is encrypted using the Zend Loader module. This module must be implemented on each Web server on the platforms.

The Zend Loader component is available at the following URL based on your PHP version:

http://www.zend.com/en/products/loader/downloads#Linux

This module is made up of two files, opcache.so and ZendGuardLoader.so. These files must be placed on the servers and run by Apache/PHP.

  • Place the files in the folder called /yyyyy/easyvista.lic.
  • Modify the PHP.ini file by adding the following:
zend_extension=<full_path_to_ZendGuardLoader.so>
zend_extension=<full_path_to_opcache.so>
zend_loader.license_path=<full_path_to_License_File>
  • Restart Apache.

File sharing for installations with multiple lines

In this configuration, you must set up shared folders for Web servers.

This sharing contains two folders for each instance, resources and activities, containing information on the configuration of your applications. They must be available in real-time on all front-end Web servers.

Mounting points or symbolic links are used instead of application folders.

Website pages are hosted locally on each of the servers as well as PHP session files.

Miscellaneous

You can use a reverse proxy between end clients and Product name - ev sas.png.

Caution: You are responsible for the selection, installation and configuration of the reverse proxy.

The configuration of the reverse proxy must ensure that its use is transparent to end users. It must ensure the transfer of parameters using the GET and POST methods, adequate management of HTTP headers, compression of the cache and resources, seamless uploading and downloading, etc.

Caution: The installation, configuration and maintenance of the reverse proxy are not included in the installation of Product name - ev sas.png or in the Technical Support we provide.

Database tier

OS

Supported: Any OS that supports your database system (DBMS).

MySQL

Supported: MySQL 5.6

We recommend a dedicated database server for Product name - ev sas.png. The MySQL instance must be present at the very least.

A MySQL database is created for each Product name - ev sas.png instance:

  • ARGO01
  • ARGO02

Database creation scripts and object creation scripts are shipped with the software.

Web browser

Versions


Notes

  • Browsers not listed below are not supported.
  • While Product name - ev itsm.png or Product name - ev sas.png might run without major issues in compatible browser versions, EasyVista does not fix bugs found in them if those bugs do not appear in the supported browser versions.
  • Current and (Current-1): Denotes that EasyVista supports the current stable version of the browser and the version that preceded it.
    Example: Current version of the browser: 22  ==>  Supported versions: 22 and 21
Product name - ev sas.png

| Browser | Compatible Version | Supported Version |
|---|---|---|
| Microsoft Internet Explorer | 10+ | None |
| Microsoft Edge | 12+ | Current and (Current-1) |
| Google Chrome | 40+ | Current and (Current-1) |
| Mozilla Firefox | 39+ | Current and (Current-1) |
| Apple Safari | 7.1+ | Current |
| iOS | 7+ | Current |

Specific Limits

| Operating System | Limits, Constraints, Versions |
|---|---|
| Android | Native Android browsers are not supported. Use Chrome for Android. |
| TV screens | Modern TVs usually integrate a pseudo-browser with many limitations. If you want to show Product name - ev sas.png pages on big screens, do not use the native browser integrated with the TV. Use one of the browsers listed above on a connected PC instead. |
| Any Operating System | Beta versions of browsers are not supported. |

Configuration

Pop-ups and JavaScript must be enabled and authorized for Product name - ev sas.png.

The limit of the local cache and temp files must be adequate (> 10 MB).

If you are using the SSL protocol, you should check that the cache is authorized for the secure page.

In Internet Explorer: In the Security Settings dialog box, scroll down to Downloads and select the Enable option for Automatic prompting for file downloads.

Antivirus

On the client workstation, the local antivirus software should not check .JS (JavaScript) files systematically because this can lead to performance issues when displaying pages.

Miscellaneous

Product name - ev sas.png does not require Applets or ActiveX on the client browser.

Cookies

Product name - ev sas.png uses cookies in order to improve website functionalities and user experience. These cookies do not contain personal or sensitive data.

Your browser must authorize Product name - ev sas.png to create cookies.

Disk space required

This section provides a configuration for the resources required for running Product name - ev sas.png. It does not take into consideration additional data volumes based on your specific operating constraints such as:

  • Backups performed locally prior to outsourcing
  • Storage of session files based on the project
  • Apache, PHP, MySQL components, etc.
  • PHP session files
     

The table below shows the disk space required for running Product name - ev sas.png:

Server Information Size
PHP Core pages On each Linux server 4 GB
Sharing Resource shared by all front-end Web servers for application design, etc. 20 GB expandable based on project requirements
MySQL databases Two databases, ARGO01 and ARGO02, on the same MySQL engine/platform 1 GB for databases Product name - ev sas.png

Test and development platforms, etc.

To determine the appropriate architectural model and dimensioning for your platform, you should answer the questions below:

1. Do you want to test the response time and load capacity of the platform?

  • Yes: The platform must be identical to your production platform. Note that the cost will be identical for this architecture despite the fact that it is infrequently used.
  • No: The platform is only used for testing version upgrades and specific developments to the interface. You can set up a simpler architecture or even a virtual environment.

2. Do you want to validate the entire integration context and requirements (LDAP, SSO, etc.)?

  • Yes: The platform must be identical to your production platform in terms of OS and network location.
  • No: The platform is only used for testing version upgrades and specific developments to the interface. You can set up a simpler architecture or even a virtual environment.

Migration, authentication, etc.

Elements such as the migration process and authentication methods are described in the Product name - ev sas.png SaaS white paper. They are applicable to an on-premise installation.

Last modified by Unknown User on 2018/05/25 14:31
Created by Administrator XWiki on 2018/04/27 13:30

Powered by XWiki ©, EasyVista 2018