
Part 7: Working with Apache and MariaDB



Install a basic Apache web server.

yum groups install -y "Basic Web Server"

vim /etc/httpd/conf/httpd.conf

Enable the service with systemctl enable httpd and start it with systemctl start httpd.

Open the firewall with firewall-cmd --permanent --add-service={http,https} and reload with firewall-cmd --reload.

Configuration options to be aware of:


ServerRoot The server's root directory.

ServerName Name of the web server, normally the FQDN.

Listen The port the service listens on.

User and Group The account and group the service runs as.

Include Path is relative to the config root.

DocumentRoot The directory content is served from.

ErrorLog Path is relative to the server root.


Use semanage port -l | grep http to review SELinux settings for the http service.

Give a group read/write access to the web root

setfacl -R -m g:groupname:rwX /var/www/root

Set the default ACL for the webroot

setfacl -R -m d:g:groupname:rwx /var/www/root

Virtual Hosts

Files load in alphabetical order.

  • Add a Directory to httpd.conf

vim /etc/httpd/conf/httpd.conf

<Directory "/www/hosts">
AllowOverride None
# Allow open access:
Require all granted
</Directory>

  • Create a default vhost

vim /etc/httpd/conf.d/_default_.conf

<VirtualHost _default_:80>
DocumentRoot /var/www/html
</VirtualHost>

  • Create a vhost configuration file

vim /etc/httpd/conf.d/

<VirtualHost *:80>
DocumentRoot /www/hosts/
ErrorLog logs/
CustomLog logs/
</VirtualHost>

  • Restart the Apache service

systemctl restart httpd

  • Check for any SELinux alerts

grep sealert /var/log/messages

grep AVC /var/log/audit/audit.log

  • Use semanage fcontext to modify the SELinux file context labels

For example: semanage fcontext -a -t httpd_sys_content_t "/www/hosts(/.*)?"

  • Then restorecon -Rv /www/hosts to restore context.

User Authentication

Basic authentication

  • Create a new directory mkdir /var/www/html/secret
  • Edit httpd.conf to change the AllowOverride
    <Directory "/var/www/html/secret">
    AllowOverride AuthConfig
    # Allow open access:
    Require all granted
    </Directory>
  • Make a new default page. vim /var/www/html/secret/default.html
  • Edit /etc/httpd/conf/httpd.conf (vim /etc/httpd/conf/httpd.conf) and add
    <Directory "/var/www/html/secret">
    AuthType Basic
    AuthName "Enter ID"
    AuthUserFile /etc/httpd/htpasswd
    Require valid-user
    </Directory>
  • Create the password file and add a user: htpasswd -c /etc/httpd/htpasswd username

Remote databases and SELinux. Run the following if SELinux is enabled. Add -P to make the change persist across reboots.

setsebool httpd_can_network_connect_db 1

setsebool httpd_can_network_connect 1


Install tools to generate keys

yum install -y crypto-utils mod_ssl

Run genkey

genkey fqdn

Follow the on-screen instructions.
This is an example of a self-signed certificate.

Example genkey output
  • Verify that the SELinux context type is set to cert_t

ls -lZ /etc/pki/tls/private

-rw-------. root root unconfined_u:object_r:cert_t:s0  localhost.key
-r--------. root root unconfined_u:object_r:cert_t:s0

  • Create a virtual host file
    <VirtualHost *:443>
    DocumentRoot /www/hosts/
    ErrorLog logs/
    CustomLog logs/
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/
    SSLCertificateKeyFile /etc/pki/tls/private/
    SSLCertificateChainFile /etc/pki/tls/certs/domain-ca.crt
    </VirtualHost>
  • Restart services


  • Virtual hosts must have a DocumentRoot
  • Check SELinux for non-default DocumentRoot messages
    man semanage-fcontext has a perfect example
  • Name resolution. Check DNS and/or the local hosts file.
  • Review error_log for more information
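
The DocumentRoot item in the checklist above, and the directives the TLS virtual host needs, can be checked mechanically before a restart. This is an added example, not part of the original guide: check_vhosts and sample_vhosts are hypothetical names, and the sample configuration, host name and paths are constructed.

```shell
# Added example: lint vhost files for the checklist items on this page.
# Prints one line per problem; returns non-zero if any file has a problem.
check_vhosts() {
  local rc=0 f
  for f in "$@"; do
    awk '
      function report(msg) { printf "%s:%d: %s: %s\n", FILENAME, start, name, msg; bad = 1 }
      function finish() {
        if (!docroot) report("missing DocumentRoot")
        if (port443 && !engine) report("port 443 without SSLEngine on")
        if (engine && !(cert && key)) report("SSLEngine on without certificate and key file")
        inblock = 0
      }
      /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
      { d = tolower($1) }                      # directive names are case-insensitive
      d == "<virtualhost" {
        if (inblock) { report("missing </VirtualHost>"); finish() }
        inblock = 1; start = FNR; name = $2; sub(/>$/, "", name)
        docroot = engine = cert = key = 0; port443 = (name ~ /:443$/)
        next
      }
      !inblock { next }
      d == "</virtualhost>" { finish(); next }
      d == "documentroot" && NF >= 2 { docroot = 1 }
      d == "sslengine" && tolower($2) == "on" { engine = 1 }
      d == "sslcertificatefile" && NF >= 2 { cert = 1 }
      d == "sslcertificatekeyfile" && NF >= 2 { key = 1 }
      END { if (inblock) { report("missing </VirtualHost>"); finish() } exit bad + 0 }
    ' "$f" || rc=1
  done
  return "$rc"
}

sample_vhosts() {
  cat <<'EOF'
# Constructed sample: hypothetical host name and paths, not from the page.
<VirtualHost *:80>
    ServerName www.example.test
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /www/hosts/www.example.test
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/www.example.test.crt
EOF
}

demo=$(mktemp); sample_vhosts > "$demo"
check_vhosts "$demo" || echo "fix the problems above before restarting httpd"
rm -f "$demo"
```

On a real server, point it at /etc/httpd/conf.d/*.conf; apachectl configtest remains the authoritative syntax check.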