====== Configure Access Restrictions On Directories ======
**General Information**
Access restrictions on Apache Web Server/private directories.
----
====== Lab Setup ======
The following virtual machines will be used:
* server1.example.com (192.168.1.150) -> Perform all connectivity tests from here
* server2.example.com (192.168.1.151) -> Install Apache Web Server here
**Previous Sections Completed**
* [[linux_wiki:network_services_overview_apache_web_server|Install/Configure]]
  * Except leave listening on port 80/tcp
* [[linux_wiki:configure_a_virtual_host|Virtual Host Config]]
----
====== Prerequisite: Basic Setup ======
Create the redsite virtualhost.
\\
server2: Add redsite to vhosts.conf
<code bash>
vim /etc/httpd/conf.d/vhosts.conf
</code>
<code apache>
<VirtualHost *:80>
    ServerName redsite.example.com
    DocumentRoot /data/redsite
    ErrorLog logs/redsite-error_log
    CustomLog logs/redsite-access_log combined
    <Directory "/data/redsite">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
</code>
\\
Check syntax
<code bash>
apachectl configtest
</code>
\\
Apply Config
<code bash>
apachectl restart
</code>
\\
server1: Update host name resolution
<code bash>
vim /etc/hosts
</code>
<code>
192.168.1.151 server2 bluesite.example.com redsite.example.com
</code>
----
====== Restrict Access to a Directory ======
===== Setup Directory and SELinux =====
Create the directory structure
<code bash>
mkdir -p /data/redsite/private
</code>
\\
Create an index file
<code bash>
echo 'This is the RED SITE.' > /data/redsite/index.html
</code>
\\
Create a private index file
<code bash>
echo "This is for certain people to view only." > /data/redsite/private/index.html
</code>
\\
SELinux: Check normal httpd content contexts vs new directory
<code bash>
ls -lZ /var/www
ls -lZ /data/redsite
</code>
* You will see that /var/www/html has "httpd_sys_content_t" and /data/redsite/index.html does not. This will need to be changed.
\\
SELinux: Give new directory the correct SELinux httpd context
<code bash>
semanage fcontext -at httpd_sys_content_t "/data/redsite(/.*)?"
restorecon -Rv /data/redsite/
</code>
* Reminder: man semanage-fcontext (EXAMPLE at the bottom)
===== Restrict Access =====
**Help**: Available if you installed 'httpd-manual'
<code bash>
elinks /usr/share/httpd/manual/howto/auth.html
</code>
\\
Create password for the user
<code bash>
htpasswd -c /etc/httpd/conf/userdb user1
</code>
* Prompted for a password
* ''-c'' creates the file (and overwrites one that already exists); leave it off when adding further users to the same file
\\
Edit the vhosts.conf file and add this additional Directory part in the redsite virtualhost
<code bash>
vim /etc/httpd/conf.d/vhosts.conf
</code>
<code apache>
<VirtualHost *:80>
    ServerName redsite.example.com
    DocumentRoot /data/redsite
    #....SNIP....#
    <Directory "/data/redsite/private">
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile "/etc/httpd/conf/userdb"
        Require valid-user
    </Directory>
</VirtualHost>
</code>
\\
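Before relying on the AuthUserFile, it is worth checking what htpasswd actually wrote and where the file sits. The following shell script is an added example for this page (it is not part of the original wiki nor of Apache): it classifies the hash scheme of each entry, flags the weak ones (plain text, crypt(3) and unsalted {SHA}, which the htpasswd man page describes as insecure), warns if the file is world-readable, and checks that the AuthUserFile path is not under the DocumentRoot. The user names, hashes and temporary file used in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example for this wiki page, not part of the original or of Apache:
# audit an htpasswd-style AuthUserFile before trusting it. The user names,
# hashes and file paths used in demo() are constructed for illustration.

# Classify the hash scheme of one htpasswd line ("user:hash").
# htpasswd writes bcrypt ($2y$), apr1 MD5 ($apr1$), unsalted SHA-1 ({SHA}),
# 13-character crypt(3), or plain text; its man page calls the last three
# insecure.
hash_scheme() {
    hash=${1#*:}
    case $hash in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '{SHA}'*)                echo sha1 ;;
        *) if [ ${#hash} -eq 13 ]; then echo crypt; else echo plain; fi ;;
    esac
}

# 0 when the scheme is one of the two that are acceptable today.
scheme_ok() {
    case $1 in bcrypt|apr1-md5) return 0 ;; *) return 1 ;; esac
}

# Print one line per user; return 1 if any entry is weak or the file is
# readable by everyone on the host (the hashes are offline-crackable).
audit_userdb() {
    file=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        user=${line%%:*}
        scheme=$(hash_scheme "$line")
        if scheme_ok "$scheme"; then
            printf '%-8s %-9s ok\n' "$user" "$scheme"
        else
            printf '%-8s %-9s WEAK\n' "$user" "$scheme"
            rc=1
        fi
    done < "$file"
    # character 8 of the mode string is the "other" read bit
    if ls -ld "$file" | cut -c8 | grep -q r; then
        echo "WARNING: $file is world-readable"
        rc=1
    fi
    return $rc
}

# AuthUserFile must not sit under the DocumentRoot, or the hash file can be
# fetched through the web server. 0 = outside, 1 = inside.
userdb_outside_docroot() {
    case $1 in "$2"/*) return 1 ;; *) return 0 ;; esac
}

# Stand-alone demo with a constructed file (mktemp creates it mode 0600).
demo() {
    db=$(mktemp)
    printf 'user1:$apr1$c0nstr$uctedhashvalue\n'  >  "$db"
    printf 'user2:$2y$05$constructedbcrypthash\n' >> "$db"
    printf 'user3:{SHA}constructedsha1hash=\n'    >> "$db"
    printf 'user4:secretplaintext\n'              >> "$db"
    audit_userdb "$db" && echo "userdb: all entries ok" || echo "userdb: fix the WEAK entries"
    rm -f "$db"
    userdb_outside_docroot /etc/httpd/conf/userdb /data/redsite && echo "AuthUserFile is outside DocumentRoot"
}
demo
```

Run it on the real file with `audit_userdb /etc/httpd/conf/userdb` after creating users; the path in this lab is already outside /data/redsite, which is the case `userdb_outside_docroot` confirms.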
Restart Apache
<code bash>
systemctl restart httpd
</code>
\\
Visit restricted directory
<code bash>
elinks http://redsite.example.com/private/
</code>
* elinks may need to be installed first (yum install elinks)
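As a complement to the interactive elinks visit, here is an added shell check (not from the original page) that runs from server1 and verifies all four expected outcomes in one go with curl: the public index still answers 200, /private/ answers 401 both anonymously and with a wrong password, and 200 with the right user. The base URL, user name and password given to check_restriction are assumptions matching the lab setup; the string "wrong" is a constructed bad password.

```shell
#!/bin/sh
# Added example, not from the original page: verify the /private/ restriction
# from server1 with curl. The base URL, user name and password passed to
# check_restriction are assumptions matching the wiki's lab setup.

# Print only the HTTP status code of a request; extra curl options
# (for example -u user:pass) are passed through.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$@"
}

# Compare an observed status with the expected one; set fail=1 on mismatch.
assert_status() {
    if [ "$1" = "$2" ]; then
        echo "ok    $3 -> $1"
    else
        echo "FAIL  $3 -> got $1, expected $2"
        fail=1
    fi
}

# A correctly restricted directory gives exactly these answers:
#   public index 200, /private/ anonymous 401, valid user 200, bad password 401.
# Returns 0 only if all four hold.
check_restriction() {
    base=$1 user=$2 pass=$3
    fail=0
    assert_status "$(http_status "$base/")"                          200 "public index"
    assert_status "$(http_status "$base/private/")"                  401 "private, anonymous"
    assert_status "$(http_status -u "$user:$pass" "$base/private/")" 200 "private, $user"
    assert_status "$(http_status -u "$user:wrong" "$base/private/")" 401 "private, bad password"
    return $fail
}

# Usage from server1 once Apache has been restarted (credentials are an assumption):
#   check_restriction http://redsite.example.com user1 'the-password'
```

A 200 on the anonymous /private/ request usually means the Directory block was placed in the wrong virtualhost or AuthType was not picked up; a 403 on the public index points back at the SELinux context step.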
----