
Part 7: Working with Apache and MariaDB

Apache

Basics

Install a basic Apache web server.

yum groups install -y "Basic Web Server"

vim /etc/httpd/conf/httpd.conf

Enable the service with systemctl enable httpd and start it with systemctl start httpd.

Open the firewall with firewall-cmd --permanent --add-service={http,https} and reload with firewall-cmd --reload.

Configuration options to be aware of:

/etc/httpd/conf/httpd.conf

ServerRoot Top of the server's directory tree (configuration, logs); relative paths elsewhere in the configuration are resolved against it.

ServerName Name of the web server, normally the FQDN.

Listen The port the service listens on.

User and Group The unprivileged account and group the worker processes run as.

Include Additional configuration files to load; a relative path is resolved against ServerRoot.

DocumentRoot The directory from which content is served.

ErrorLog Location of the error log; a relative path is resolved against ServerRoot.

SELinux

Use semanage port -l | grep http to review SELinux settings for the http service.

Grant a group read and write access to the web root

setfacl -R -m g:groupname:rwX /var/www/root

Set the default ACL on the web root so that files created later inherit it

setfacl -R -m d:g:groupname:rwx /var/www/root

Virtual Hosts

Files in /etc/httpd/conf.d are loaded in alphabetical order, so the first virtual host loaded becomes the default for requests that match no ServerName.

  • Add a Directory to httpd.conf

vim /etc/httpd/conf/httpd.conf

<Directory "/www/hosts">
AllowOverride None
# Allow open access:
Require all granted
</Directory>

  • Create a default vhost

vim /etc/httpd/conf.d/_default_.conf

<VirtualHost _default_:80>
ServerAdmin email@domain.com
DocumentRoot /var/www/html
</VirtualHost>

  • Create a vhost configuration file

vim /etc/httpd/conf.d/sub.domain.com.conf

<VirtualHost *:80>
ServerAdmin email@domain.com
ServerName sub.domain.com
DocumentRoot /www/hosts/sub.domain.com
ErrorLog logs/sub.domain.com-error_log
CustomLog logs/sub.domain.com-custom_log combined
</VirtualHost>

  • Restart the Apache service

systemctl restart httpd

  • Check for any SELinux alerts

grep sealert /var/log/messages

grep AVC /var/log/audit/audit.log

  • Use semanage fcontext to give a non-default DocumentRoot the httpd_sys_content_t label

For example: semanage fcontext -a -t httpd_sys_content_t "/www/hosts(/.*)?"

  • Then restorecon -Rv /www/hosts to restore context.

User Authentication

Basic authentication

  • Create a new directory: mkdir /var/www/html/secret
  • Edit httpd.conf to change the AllowOverride for that directory
    <Directory "/var/www/html/secret">
    AllowOverride AuthConfig
    # Allow open access:
    Require all granted
    </Directory>
  • Make a new default page: vim /var/www/html/secret/default.html
  • Edit /etc/httpd/conf/httpd.conf and add
    <Directory "/var/www/html/secret">
    AuthType Basic
    AuthName "Enter ID"
    AuthUserFile /etc/httpd/htpasswd
    Require valid-user
    </Directory>
  • Create the password file and its first user: htpasswd -c /etc/httpd/htpasswd username (omit -c when adding further users, otherwise the file is overwritten)

Remote databases and SELinux. If SELinux is enabled, allow httpd to open network connections to a remote database (-P makes the change persist across reboots):

setsebool -P httpd_can_network_connect_db 1

setsebool -P httpd_can_network_connect 1

TLS/SSL

Install tools to generate keys

yum install -y crypto-utils mod_ssl

Run genkey

genkey fqdn and follow the on-screen prompts. This produces a self-signed certificate.

  • Verify that the SELinux context type is set to cert_t

ls -lZ /etc/pki/tls/private

-rw-------. root root unconfined_u:object_r:cert_t:s0  localhost.key
-r--------. root root unconfined_u:object_r:cert_t:s0  server1.example.com.key

  • Create a virtual host file
    <VirtualHost *:443>
    ServerAdmin email@domain.com
    ServerName sub.domain.com
    DocumentRoot /www/hosts/sub.domain.com
    ErrorLog logs/sub.domain.com-error_log
    CustomLog logs/sub.domain.com-custom_log combined
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/sub.domain.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/sub.domain.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/domain-ca.crt
    </VirtualHost>
  • Restart the Apache service: systemctl restart httpd
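The listing and the SSL virtual host above turn on two things worth checking before a restart: that the private key is not readable by anyone but root, and that the certificate and key files the vhost names actually exist and belong together. The script below is an added example for this guide, not part of Apache or mod_ssl. It assumes the file layout used above; the function names (key_perms_ok, ssl_files, cert_matches_key, check_tls_vhost, write_sample_ssl_conf) and the sample configuration it writes are this example's own, and the pairing check is skipped when openssl is not installed.

```shell
#!/bin/sh
# tls_vhost_check.sh: pre-flight checks for the certificate and key files named in
# SSL virtual hosts (added example; the sample conf it checks is constructed here).

# key_perms_ok FILE: succeed only if FILE has no group/other permission bits, i.e.
# it looks like the 0600 / 0400 keys in the ls -lZ listing above. Uses ls rather
# than stat so it runs on any POSIX system; column 11 (SELinux "." or ACL "+") is ignored.
key_perms_ok() {
    case $(ls -ld "$1" | cut -c1-10) in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# ssl_files CONF: print "certfile|keyfile" for every <VirtualHost> with SSLEngine on
# (a directive that is absent prints as "-").
ssl_files() {
    awk '
        /^[[:space:]]*<VirtualHost/ { inblock = 1; on = 0; crt = "-"; key = "-"; next }
        inblock && $1 == "SSLEngine" && tolower($2) == "on" { on = 1 }
        inblock && $1 == "SSLCertificateFile"    { crt = $2 }
        inblock && $1 == "SSLCertificateKeyFile" { key = $2 }
        inblock && /^[[:space:]]*<\/VirtualHost>/ { if (on) print crt "|" key; inblock = 0 }
    ' "$1"
}

# cert_matches_key CRT KEY: succeed if both files carry the same public key.
# Returns 2 (and says so on stderr) when openssl is not installed.
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; pairing check skipped" >&2; return 2; }
    a=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    b=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_tls_vhost CONF: print one finding per line; return the number of findings (0 = clean).
check_tls_vhost() {
    problems=0
    for pair in $(ssl_files "$1"); do
        crt=${pair%%|*}
        key=${pair#*|}
        for f in "$crt" "$key"; do
            if [ "$f" = "-" ]; then
                echo "SSL vhost: SSLCertificateFile or SSLCertificateKeyFile not set"
                problems=$((problems + 1))
            elif [ ! -f "$f" ]; then
                echo "missing file: $f"
                problems=$((problems + 1))
            fi
        done
        if [ -f "$key" ] && ! key_perms_ok "$key"; then
            echo "$key is readable by group or others; chmod 600 it (compare the listing above)"
            problems=$((problems + 1))
        fi
        if [ -f "$crt" ] && [ -f "$key" ]; then
            if cert_matches_key "$crt" "$key"; then
                :   # pair matches
            elif [ $? -eq 1 ]; then
                echo "$crt and $key do not belong together (public keys differ)"
                problems=$((problems + 1))
            fi   # status 2: openssl absent, pairing check skipped
        fi
    done
    return $problems
}

# write_sample_ssl_conf DIR: constructed sample with three SSL vhosts and one plain one; prints its path.
write_sample_ssl_conf() {
    cat > "$1/ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName good.example.com
    SSLEngine on
    SSLCertificateFile $1/good.crt
    SSLCertificateKeyFile $1/good.key
</VirtualHost>
<VirtualHost *:443>
    ServerName loose.example.com
    SSLEngine on
    SSLCertificateFile $1/loose.crt
    SSLCertificateKeyFile $1/open.key
</VirtualHost>
<VirtualHost *:443>
    ServerName nocert.example.com
    SSLEngine on
    SSLCertificateFile $1/nocert.crt
    SSLCertificateKeyFile $1/tight.key
</VirtualHost>
<VirtualHost *:80>
    ServerName plain.example.com
    DocumentRoot $1
</VirtualHost>
EOF
    echo "$1/ssl.conf"
}

# Demo on constructed files in a temporary directory; nothing under /etc is touched.
demo_dir=$(mktemp -d)
: > "$demo_dir/open.key";  chmod 644 "$demo_dir/open.key"   # deliberately too open
: > "$demo_dir/tight.key"; chmod 600 "$demo_dir/tight.key"  # as in the listing above
if command -v openssl >/dev/null 2>&1; then                 # a real, matching pair for good.example.com
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=good.example.com" \
        -keyout "$demo_dir/good.key" -out "$demo_dir/good.crt" 2>/dev/null \
        && chmod 600 "$demo_dir/good.key" || echo "could not generate demo certificate"
fi
if check_tls_vhost "$(write_sample_ssl_conf "$demo_dir")"; then echo "no findings"; else echo "findings: $?"; fi
```

On the sample, loose.example.com is reported for a missing certificate and a world-readable key, nocert.example.com for its missing certificate, and good.example.com is clean when openssl could generate its pair (otherwise both of its files are reported missing). Run it against a real file with check_tls_vhost /etc/httpd/conf.d/sub.domain.com.conf before systemctl restart httpd.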

Troubleshooting

  • Every virtual host must have a DocumentRoot.
  • If the DocumentRoot is outside /var/www, check SELinux for denials (AVC lines in /var/log/audit/audit.log);
    man semanage-fcontext has a ready-made example for labelling a new web root.
  • Name resolution: check DNS and/or the local hosts file.
  • Review error_log for more information.
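The virtual host procedure above and this troubleshooting list share a few checks that can be done before restarting httpd: every VirtualHost needs a DocumentRoot, the directory must exist, a DocumentRoot outside /var/www needs the httpd_sys_content_t label, and CustomLog needs a log format. The script below is an added example for this guide, not part of Apache. It assumes the RHEL layout used above; the WEB_ROOT variable, the functions vhost_blocks, check_vhosts and write_sample_conf, and the sample configuration it writes are this example's own.

```shell
#!/bin/sh
# vhost_check.sh: pre-flight checks for an Apache virtual host file
# (added example; the sample conf it checks is constructed here).

# Content below WEB_ROOT is assumed to carry the httpd_sys_content_t label already;
# anything else is reported with the semanage/restorecon commands from the guide.
WEB_ROOT=${WEB_ROOT:-/var/www}

# vhost_blocks FILE: one line per <VirtualHost> block: servername|documentroot|logformat
# A directive that is absent prints as "-"; a CustomLog with no format prints NOFORMAT.
vhost_blocks() {
    awk '
        /^[[:space:]]*<VirtualHost/ { inblock = 1; sn = "-"; dr = "-"; cl = "-"; next }
        inblock && $1 == "ServerName"   { sn = $2 }
        inblock && $1 == "DocumentRoot" { dr = $2; gsub(/"/, "", dr) }
        inblock && $1 == "CustomLog"    { cl = (NF >= 3) ? $3 : "NOFORMAT" }
        inblock && /^[[:space:]]*<\/VirtualHost>/ { print sn "|" dr "|" cl; inblock = 0 }
    ' "$1"
}

# check_vhosts FILE: print one finding per line; return the number of findings (0 = clean).
check_vhosts() {
    problems=0
    for block in $(vhost_blocks "$1"); do
        sn=${block%%|*}
        rest=${block#*|}
        dr=${rest%%|*}
        cl=${rest#*|}
        if [ "$sn" = "-" ]; then
            echo "vhost for $dr: no ServerName (it can only ever be hit as the default vhost)"
            problems=$((problems + 1))
        fi
        if [ "$dr" = "-" ]; then
            echo "vhost $sn: no DocumentRoot (every VirtualHost needs one)"
            problems=$((problems + 1))
        else
            if [ ! -d "$dr" ]; then
                echo "vhost $sn: DocumentRoot $dr does not exist"
                problems=$((problems + 1))
            fi
            case $dr in
                "$WEB_ROOT"/*) ;;   # default location, already labelled for httpd
                *)
                    echo "vhost $sn: DocumentRoot $dr is outside $WEB_ROOT; label it for SELinux:"
                    echo "  semanage fcontext -a -t httpd_sys_content_t \"$dr(/.*)?\" && restorecon -Rv $dr"
                    problems=$((problems + 1))
                    ;;
            esac
        fi
        if [ "$cl" = "NOFORMAT" ]; then
            echo "vhost $sn: CustomLog has no log format (add e.g. combined)"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# write_sample_conf DIR: constructed sample with one good and two faulty vhosts; prints its path.
write_sample_conf() {
    mkdir -p "$1/good.example.com"
    cat > "$1/sample.conf" <<EOF
<VirtualHost *:80>
    ServerName good.example.com
    DocumentRoot "$1/good.example.com"
    ErrorLog logs/good-error_log
    CustomLog logs/good-access_log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName missing.example.com
    DocumentRoot /www/hosts/missing.example.com
    CustomLog logs/missing-access_log
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot $1/noname
</VirtualHost>
EOF
    echo "$1/sample.conf"
}

# Demo on a constructed sample in a temporary directory; nothing under /etc/httpd is touched.
demo_dir=$(mktemp -d)
WEB_ROOT=$demo_dir
if check_vhosts "$(write_sample_conf "$demo_dir")"; then echo "no findings"; else echo "findings: $?"; fi
```

On the sample, good.example.com produces nothing, missing.example.com is reported for a DocumentRoot that does not exist, lies outside WEB_ROOT and a CustomLog without a format, and the third block for its missing ServerName and absent directory. Against a real system run it as check_vhosts /etc/httpd/conf.d/sub.domain.com.conf with WEB_ROOT left at its default.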