Part 7: Working with Apache and MariaDB
Apache
Basics
Install a basic Apache web server.
yum groups install -y "Basic Web Server"
vim /etc/httpd/conf/httpd.conf
Enable the service with systemctl enable httpd
and start it with systemctl start httpd
Open the firewall with firewall-cmd --permanent --add-service={http,https}
and reload with firewall-cmd --reload
Configuration options to be aware of in /etc/httpd/conf/httpd.conf:
- ServerRoot: the server's root directory.
- ServerName: name of the web server, normally the FQDN.
- Listen: the port the service listens on.
- User and Group: the account the service runs as.
- Include: the path is relative to the server root.
- DocumentRoot
- Directory
- ErrorLog: the path is relative to the server root.
SELinux
Use semanage port -l | grep http to review the SELinux port settings for the http service.
Give a group read/write access to the web root:
setfacl -R -m g:groupname:rwX /var/www/root
Set the default ACL for the web root:
setfacl -R -m d:g:groupname:rwx /var/www/root
Virtual Hosts
Configuration files load in alphabetical order.
- Add a Directory block to httpd.conf
vim /etc/httpd/conf/httpd.conf
<Directory "/www/hosts">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
- Create a default vhost
vim /etc/httpd/conf.d/_default_.conf
<VirtualHost _default_:80>
ServerAdmin email@domain.com
DocumentRoot /var/www/html
</VirtualHost>
- Create a vhost configuration file
vim /etc/httpd/conf.d/sub.domain.com.conf
<VirtualHost *:80>
ServerAdmin email@domain.com
ServerName sub.domain.com
DocumentRoot /www/hosts/sub.domain.com
ErrorLog logs/sub.domain.com-error_log
CustomLog logs/sub.domain.com-custom_log combined
</VirtualHost>
- Restart the Apache service
systemctl restart httpd
- Check for any SELinux alerts
grep sealert /var/log/messages
grep AVC /var/log/audit/audit.log
- Use semanage fcontext to modify the file context labels
For example: semanage fcontext -a -t httpd_sys_content_t "/www/hosts(/.*)?"
- Then run restorecon -Rv /www/hosts to restore the context.
User Authentication
Basic authentication
- Create a new directory
mkdir /var/www/html/secret
- Edit httpd.conf to change AllowOverride
<Directory "/var/www/html/secret">
AllowOverride AuthConfig
# Allow open access:
Require all granted
</Directory>
- Make a new default page.
vim /var/www/html/secret/default.html
- Edit httpd.conf and add the authentication settings
vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html/secret">
AuthType Basic
AuthName "Enter ID"
AuthUserFile /etc/httpd/htpasswd
Require valid-user
</Directory>
- Create the password file and add a user (-c creates the file and overwrites an existing one)
htpasswd -c /etc/httpd/htpasswd username
Remote databases and SELinux. Run the following if SELinux is enabled (add -P to make the change persist across reboots).
setsebool httpd_can_network_connect_db 1
setsebool httpd_can_network_connect 1
TLS/SSL
Install tools to generate keys
yum install -y crypto-utils mod_ssl
Run genkey
genkey fqdn
Follow the on-screen instructions.
This is an example of a self-signed certificate.
- Verify that the SELinux context type is set to cert_t
ls -lZ /etc/pki/tls/private
-rw-------. root root unconfined_u:object_r:cert_t:s0 localhost.key
-r--------. root root unconfined_u:object_r:cert_t:s0 server1.example.com.key
- Create a virtual host file
<VirtualHost *:443>
ServerAdmin email@domain.com
ServerName sub.domain.com
DocumentRoot /www/hosts/sub.domain.com
ErrorLog logs/sub.domain.com-error_log
CustomLog logs/sub.domain.com-custom_log combined
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/sub.domain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/sub.domain.com.key
SSLCertificateChainFile /etc/pki/tls/certs/domain-ca.crt
</VirtualHost>
- Restart services
Troubleshooting
- Virtual hosts must have a DocumentRoot
- Check SELinux for non-default DocumentRoot messages
man semanage-fcontext has a perfect example
- Name resolution. Check DNS and/or the local hosts file.
- Review error_log for more information
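The first two checks above, plus the CustomLog syntax, can be run against a vhost file before restarting httpd. This is an added example, not part of the original notes; check_vhosts and sample_conf are hypothetical helper names and the sample configuration is constructed.

```shell
# Added example; check_vhosts and sample_conf are hypothetical helper names.
check_vhosts() {
    awk '
    function report(line, msg) {
        printf "%s:%d: %s\n", (FILENAME == "" ? "stdin" : FILENAME), line, msg
        bad = 1
    }
    $1 ~ /^#/ { next }                                  # skip comment lines
    tolower($1) == "<virtualhost" {                     # opening tag
        in_vh = 1; has_root = 0
        addr = $2; sub(/>$/, "", addr); next
    }
    tolower($1) == "</virtualhost>" {                   # closing tag
        if (!has_root) report(FNR, "vhost " addr " has no DocumentRoot")
        in_vh = 0; next
    }
    in_vh && tolower($1) == "documentroot" {
        has_root = 1
        root = $2; gsub(/"/, "", root)
        # Only /var/www is labelled httpd_sys_content_t by the default policy
        if (root !~ /^\/var\/www(\/|$)/) {
            fix = "semanage fcontext -a -t httpd_sys_content_t \"" root "(/.*)?\""
            fix = fix "; restorecon -Rv " root
            report(FNR, "DocumentRoot " root " is outside /var/www, run: " fix)
        }
    }
    # CustomLog needs a file AND a format or nickname such as combined
    tolower($1) == "customlog" && NF < 3 {
        report(FNR, "CustomLog " $2 " has no log format")
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input, not taken from a real server
sample_conf() {
    cat <<'EOF'
<VirtualHost *:80>
    DocumentRoot /www/hosts/sub.domain.com
    CustomLog logs/sub.domain.com-custom_log
</VirtualHost>
<VirtualHost _default_:80>
    ServerAdmin email@domain.com
</VirtualHost>
EOF
}
sample_conf | check_vhosts || true   # demo run: prints three findings
```

Run it as check_vhosts /etc/httpd/conf.d/*.conf; a non-zero exit status means at least one finding.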