Continuent Documentation

Manual Home
Tungsten Dashboard 1.0 Manual
Page in Other Manuals
Tungsten Clustering (for MySQL) 6.1 Manual
Tungsten Clustering (for MySQL) 7.2 Manual
Tungsten Clustering (for MySQL) 7.1 Manual
Tungsten Clustering (for MySQL) 8.0 Manual
Tungsten Clustering (for MySQL) 7.0 Manual
Breadcrumbs
> Tungsten Dashboard 1.0 Manual
Chapters
1. Overview
2. Prerequisites
3. Security Limitations
4. Configure the Tungsten Cluster Manager API
5. Test Connectivity to the Tungsten Manager API Directly
6. Install the Tungsten Dashboard
7. Enabling Dashboard Security
8. Configure the Apache 2 Web Server
9. Install and Configure HA Proxy
10. Test Connectivity to the Tungsten Manager via HAProxy
11. Configure the Tungsten Dashboard
12. Access the Tungsten Dashboard GUI via a browser
13. Tungsten Dashboard User Interface
14. Send a Dashboard Diagnostic to Support
15. Monitoring Tungsten Clusters Using Prometheus and Grafana
A. Dashboard Frequently Asked Questions (FAQ)
B. Release Notes
C. Upgrade the Tungsten Dashboard
D. UI Operational Scope Table
E. Included External Packages In Use
Children of this Page
Chapter 8. Configure the Apache 2 Web Server
Prev    Next

Chapter 8. Configure the Apache 2 Web Server

Table of Contents

8.1. Example: Web Server on Ubuntu
8.2. Example: Web Server on Amazon Linux 2
8.2.1. Add apache user to tungsten group
8.2.2. Create the Dashboard-specific Web Server Configuration File
8.2.3. Configure Web Server Boot and Restart Process
8.2.4. Populate Logins Using htpasswd
8.2.5. Enable RBAC via config.json
8.2.6. Configure SELinux for Apache

Important

Please change the example values below to match your specific environment.

8.1. Example: Web Server on Ubuntu

This sequence of steps to install and configure Apache 2 and HAProxy on Ubuntu was derived from a session with a customer. YMMV as always.

  • Generate the custom frontend and backend definitions for HAProxy, and prepare the cluster for updates to the configuration of the cluster nodes, if you have not done them already:

    On a single database node per cluster: 

    tungsten@db1 shell> tpm generate-haproxy-for-api
tungsten@db1 shell> echo 'set policy maintenance' | cctrl

  • Update the cluster configuration to support the REST APIv2.

    On all database nodes: 

    tungsten@dbN shell> vi /etc/tungsten/tungsten.ini
==> Ensure that the rest api settings have been added to the above!
tungsten@dbN shell> tpm update
tungsten@dbN shell> tapi ping
==> Create the REST API admin user if you did not do so at install time:
tungsten@dbN shell> tapi --create --create-user tungsten --create-password secret

  • AFTER all tpm updates have been completed, return the cluster to AUTOMATIC mode.:

    On a single database node per cluster: 

    tungsten@db1 shell> echo 'set policy automatic' | cctrl

  • Update the /etc/hosts file to ensure all nodes are reachable.

    On the Dashboard web server host, perform the following steps: 

    shell> nslookup dashboard.customer.org
shell> sudo vi /etc/hosts
==> Ensure this server's hostname exists in the hosts file
==> Ensure that all database nodes exist in the hosts file

  • Install Apache 2 and all other needed software on the Dashboard web server: 

    shell# apt update
shell# apt install apache2
shell# systemctl start apache2
shell# systemctl enable apache2 
shell# systemctl status apache2 
shell# apache2 -V 
shell# apt install php php-curl libapache2-mod-php jq socat haproxy
shell# vi /etc/php/7.4/apache2/php.ini 
==>    enable extension=php_curl by removing the leading semi-colon (;)
shell# systemctl restart apache2

  • In this example, the customer placed the Tungsten Dashboard web root directory onto an NFS mount, so we needed to create that set of directories before installing the Dashboard package: 

    shell# mkdir -p /nfs/tungsten/html /nfs/tungsten/etc /nfs/tungsten/logs
shell# chown -R www-data: /nfs/tungsten
shell# chmod -R ug+rw /nfs/tungsten

  • Create the .htpassword file to provide Basic Authorization functionality. 

    shell# htpasswd -c /nfs/tungsten/etc/.htpasswd tungsten
secret
secret
shell# cat /nfs/tungsten/etc/.htpasswd

  • Install the Tungsten Dashboard software package from your home directory into the web root directory, on NFS in this case: 

    shell# cd
shell# tar xvzf tungsten-dashboard-1.0.15-13.tar.gz
shell# cd tungsten-dashboard-1.0.15-13
shell# cp html/config.php.sample html/config.php
shell# cp html/config.json.sample html/config.json
shell# rsync -a html/ /nfs/tungsten/html/
shell# vi /nfs/tungsten/html/config.json
==> Update the administrators entry if needed:
"administrators":[ tungsten ],
==> Update the enableRBAC entry to 1:
"enableRBAC":1,

  • Configure the Dashboard virtualhost in Apache2:

    For example Apache 2 conf file entries, please see the above section Section 8.2, “Example: Web Server on Amazon Linux 2”. 

    shell# less /etc/apache2/envvars
shell# less /etc/apache2/apache2.conf
shell# vi /etc/apache2/sites-enabled/000-default.conf
==> Edit the existing section to add the needed items
shell# apachectl configtest
shell# systemctl restart apache2
shell# systemctl status apache2
shell# journalctl -xe
shell# cat /var/log/apache2/error.log

  • Validate that the Dashboard web server host is able to reach all the nodes: 

    shell> for host in db1 db2 db3 db4 db5 db6; do
  ping $host
  #telnet $host 8090 
  /usr/bin/curl -s --insecure --user tungsten:secret 'http://${host}:8090/api/v2/manager/status' | jq . 
done

  • Configure and test HAProxy: 

    shell# systemctl enable haproxy 
shell# systemctl start haproxy 
shell# systemctl status haproxy
shell# vi /etc/haproxy/haproxy.cfg
shell# systemctl restart haproxy
shell# systemctl status haproxy
shell# socat stdio /var/run/haproxy.sock | grep -i stat

shell> telnet localhost 8201
shell> telnet localhost 8202
shell> telnet localhost 8203
shell> /usr/bin/curl -s --insecure --user tungsten:secret 'http://localhost:8201/api/v2/manager/status' | jq .
shell> /usr/bin/curl -s --insecure --user tungsten:secret 'http://localhost:8202/api/v2/manager/status' | jq .
shell> /usr/bin/curl -s --insecure --user tungsten:secret 'http://localhost:8203/api/v2/manager/status' | jq .

8.2. Example: Web Server on Amazon Linux 2

8.2.1. Add apache user to tungsten group
8.2.2. Create the Dashboard-specific Web Server Configuration File
8.2.3. Configure Web Server Boot and Restart Process
8.2.4. Populate Logins Using htpasswd
8.2.5. Enable RBAC via config.json
8.2.6. Configure SELinux for Apache

8.2.1. Add apache user to tungsten group

Add the apache user to the tungsten group: 

shell> sudo usermod -a -G tungsten apache

8.2.2. Create the Dashboard-specific Web Server Configuration File

8.2.2. For Apache version 2.2 with no authentication or Role-Based Access Control (RBAC):
8.2.2. For Apache version 2.2 with auth and RBAC using Basic Auth with an htpasswd-generated file:
8.2.2. For Apache version 2.4 with no authentication or Role-Based Access Control (RBAC):
8.2.2. For Apache version 2.4 with auth and RBAC using Basic Auth with an htpasswd-generated file:
8.2.2. For Apache version 2.4 with auth and RBAC using Basic Auth via LDAP:

Create the apache configuration file for the web service: 

shell> sudo vim /etc/httpd/conf.d/z01-tungsten-dashboard.conf

Important

Be sure to check the configuration and correct it until the configtest passes: 

shell> sudo apachectl configtest

Select one of the examples below to populate the web server config file.

For Apache version 2.2 with no authentication or Role-Based Access Control (RBAC): 

<VirtualHost *:80>
ServerName dashboard.yourdomain.com

DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com

  Header set Access-Control-Allow-Origin *

  ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
  CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined

<Directory "/volumes/data/www/tungsten/html">
  AllowOverride All
  Options +FollowSymLinks +ExecCGI -Indexes
  Order allow,deny
  Allow from all
</Directory>

</VirtualHost>

For Apache version 2.2 with auth and RBAC using Basic Auth with an htpasswd-generated file: 

<VirtualHost *:80>
ServerName dashboard.yourdomain.com

DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com

  Header set Access-Control-Allow-Origin *

  ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
  CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined

<Directory "/volumes/data/www/tungsten/html">
  AllowOverride All
  Options +FollowSymLinks +ExecCGI -Indexes
  Order allow,deny
  Allow from all
  AuthType Basic
  AuthName "Tungsten Dashboard - RESTRICTED"
  AuthUserFile /volumes/data/www/tungsten/etc/.htpasswd
  Require valid-user
</Directory>

</VirtualHost>

For Apache version 2.4 with no authentication or Role-Based Access Control (RBAC): 


<VirtualHost *:80>
ServerName dashboard.yourdomain.com

DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com

  ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
  CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined

<Directory "/volumes/data/www/tungsten/html">
  AllowOverride All
  Options +FollowSymLinks +ExecCGI -Indexes
  Order allow,deny
  Allow from all
  Require all granted
</Directory>

</VirtualHost>

For Apache version 2.4 with auth and RBAC using Basic Auth with an htpasswd-generated file: 


<VirtualHost *:80>
ServerName dashboard.yourdomain.com

DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com

  ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
  CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined

<Directory "/volumes/data/www/tungsten/html">
  AllowOverride All
  Options +FollowSymLinks +ExecCGI -Indexes
  Order allow,deny
  Allow from all
  #Require all granted
  <RequireAll>
    AuthType Basic
    AuthName "Tungsten Dashboard - RESTRICTED"
    AuthUserFile /volumes/data/www/tungsten/etc/.htpasswd
    Require valid-user
  </RequireAll>

</Directory>

</VirtualHost>

For Apache version 2.4 with auth and RBAC using Basic Auth via LDAP: 

shell> sudo yum install -y mod_ldap

<VirtualHost *:80>
ServerName dashboard.yourdomain.com

DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com

  ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
  CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined

<Directory "/volumes/data/www/tungsten/html">
  AllowOverride All
  Options +FollowSymLinks +ExecCGI -Indexes
  Order allow,deny
  Allow from all
  #Require all granted
  <RequireAll>
                  AuthType Basic 
                  AuthName "Tungsten Dashboard - RESTRICTED" 
                  AuthBasicProvider ldap 
                  AuthLDAPURL ldap://ldap.ad.demo.com:XXX/DC=ad,DC=demo,DC=com?sAMAccountName?sub 
                  AuthLDAPBindDN ldapuser@ad.demo.com 
                  AuthLDAPBindPassword abcdef123456
                  Require ldap-group CN=DataServicesAdmins,OU=SQL,OU=Groups,OU=London,OU=NewYork,OU=United States,OU=North America,DC=ad,DC=demo,DC=com 
                  Require valid-user 
  </RequireAll>
</Directory>

</VirtualHost>

8.2.3. Configure Web Server Boot and Restart Process

Configure start-at-boot and restart the web server: 

shell> sudo chkconfig httpd on
shell> sudo service httpd restart
shell> sudo service httpd status
~OR~
shell> sudo systemctl enable httpd
shell> sudo systemctl restart httpd
shell> sudo systemctl status httpd

8.2.4. Populate Logins Using htpasswd

Ensure that the WEBROOT/etc/.htpasswd file contains one or more login/password pairs using the htpasswd command. 

shell> htpasswd -c /volumes/data/www/tungsten/etc/.htpasswd {desiredlogin}

8.2.5. Enable RBAC via config.json

To enable RBAC security, the $WEBROOT/html/config.json file will need to be updated with two settings: "enableRBAC": 1 and "administrators": [], for example: 

{
  "clusters": {
  },
  "menus": {
  },
  "settings": {
      "administrators": [ "tungsten","admin","root" ],
      "enableRBAC":1
  }
}

When RBAC is enabled (requires web server Basic Auth to be working fully), there are just two roles currently:

  • administrator - which gives read-write access to everything to any valid login listed in the "administrators":[] option in the config file.

  • operator - which is read-only and is the role given to anyone with a valid login. There is NO explicit entry for "operators" in the config file.

8.2.6. Configure SELinux for Apache

Warning

There are additional steps to take when SELinux is enabled.

To check if SELinux is enabled: 

shell> getenforce
shell> sestatus

These are example extra steps to take if SELinux is enabled: 

shell> sudo -i
shell> chcon -R -t httpd_sys_rw_content_t /volumes/data/www/tungsten/html
shell> chcon -R -t httpd_sys_rw_content_t /volumes/data/www/tungsten/logs
shell> semanage fcontext -a -t httpd_sys_rw_content_t "/volumes/data/www/tungsten/html(/.*)?"
shell> semanage fcontext -a -t httpd_sys_rw_content_t "/volumes/data/www/tungsten/logs(/.*)?"
shell> restorecon -Rv /volumes/data/www/tungsten/*
shell> semanage port -a -t http_port_t -p tcp 8090
shell> setsebool -P httpd_can_network_connect 1
shell> systemctl restart httpd
shell> systemctl restart php-fpm

Be sure to check in the audit.log for any denied messages containing http or php.

Here are two example commands to run to help troubleshoot selinux and httpd: 

shell> ausearch -m avc -c httpd
shell> grep httpd /var/log/audit/audit.log
Prev   Next
Chapter 7. Enabling Dashboard Security Home Chapter 9. Install and Configure HA Proxy
Copyright © 2025 Continuent, Ltd.1 (415) 529-4901Terms of UsePrivacy & CookiesLegal NoticeExhibits