====== Configure Access Restrictions On Directories ======

**General Information**

Access restrictions on Apache Web Server/private directories.

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1.example.com (192.168.1.150) -> Perform all connectivity tests from here
  * server2.example.com (192.168.1.151) -> Install Apache Web Server here

**Previous Sections Completed**
  * [[linux_wiki:network_services_overview_apache_web_server|Install/Configure]]
    * Except leave listening on port 80/tcp
  * [[linux_wiki:configure_a_virtual_host|Virtual Host Config]]

----

====== Prerequisite: Basic Setup ======

Create the redsite virtualhost.

\\
server2: Add redsite to vhosts.conf<code bash>vim /etc/httpd/conf.d/vhosts.conf

<VirtualHost *:80>
  ServerName redsite.example.com
  DocumentRoot /data/redsite
  ErrorLog logs/redsite-error_log
  CustomLog logs/redsite-access_log combined
  
  <Directory "/data/redsite">
    Options None
    AllowOverride None
    Require all granted
  </Directory>
</VirtualHost>
</code>

\\
Check syntax
<code bash>
apachectl configtest
</code>

\\
Apply Config
<code bash>
apachectl restart
</code>

\\
server1: Update host name resolution
<code bash>
vim /etc/hosts

192.168.1.151 server2 bluesite.example.com redsite.example.com
</code>

----

====== Restrict Access to a Directory ======

===== Setup Directory and SELinux =====

Create the directory structure
<code bash>
mkdir -p /data/redsite/private
</code>

\\
Create an index file
<code bash>
echo '<html><body>This is the <font color=red>RED SITE</font>.</body></html>' > /data/redsite/index.html
</code>

\\
Create a private index file
<code bash>
echo "This is for certain people to view only." > /data/redsite/private/index.html
</code>

\\
SELinux: Check normal httpd content contexts vs new directory
<code bash>
ls -lZ /var/www

ls -lZ /data/redsite
</code>
  * You will see that /var/www/html has "httpd_sys_content_t" and /data/redsite/index.html does not. This will need to be changed.

\\
SELinux: Give new directory the correct SELinux httpd context
<code bash>
semanage fcontext -at httpd_sys_content_t "/data/redsite(/.*)?"
restorecon -Rv /data/redsite/
</code>
  * Reminder: man semanage-fcontext  (EXAMPLE at the bottom)

===== Restrict Access =====

**Help**: Available if you installed 'httpd-manual'<code bash>elinks /usr/share/httpd/manual/howto/auth.html</code>

\\
Create password for the user
<code bash>
htpasswd -c /etc/httpd/conf/userdb user1
</code>
  * Prompted for a password

\\
Edit the vhosts.conf file and add this additional Directory part in the redsite virtualhost
<code bash>vim /etc/httpd/conf.d/vhosts.conf

<VirtualHost *:80>
  ServerName redsite.example.com
  DocumentRoot /data/redsite
  #....SNIP....#

  <Directory "/data/redsite/private">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile "/etc/httpd/conf/userdb"
    Require valid-user
  </Directory>
</VirtualHost>
</code>

\\
Restart Apache
<code bash>
systemctl restart httpd
</code>

\\
Visit restricted directory
<code bash>
elinks http://redsite.example.com/private/
</code>
  * elinks may need to be installed first (yum install elinks)

----