====== Network Services Overview: Apache Web Server ======

**General Information**

This page covers the Network Services objectives, specifically for the Apache Web Server. 

**Network Services Objectives**
  * Install the packages needed to provide the service
  * Configure SELinux to support the service
  * Use SELinux port labeling to allow services to use non-standard ports
  * Configure the service to start when the system is booted
  * Configure the service for basic operation
  * Configure host-based and user-based security for the service

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1.example.com (192.168.1.150) -> Perform all connectivity tests from here
  * server2.example.com (192.168.1.151) -> Install Apache Web Server here

----

====== Install the packages needed to provide the service ======

Install Apache Web Server (httpd) and manual
<code bash>
yum install httpd httpd-manual
</code>
  * **NOTE:** The httpd-manual can come in handy for checking syntax/getting help.

\\
Access the httpd-manual
<code bash>
http://localhost/manual
OR
elinks /usr/share/httpd/manual/<page|section>
</code>

----

====== Configure SELinux to support the service ======

  * Service agnostic -> [[linux_wiki:set_enforcing_and_permissive_modes_for_selinux|Ensure SELinux is running and enabled (RHCSA objective)]].
  * **IMPORTANT**: View all label types<code bash># Install package
yum install setools-console

# View all label types
seinfo -t

# Find Apache types
seinfo -t | grep httpd
</code>

----

====== Use SELinux port labeling to allow services to use non-standard ports ======

Configuring the Apache Web Server with a non standard port and allowing port access with selinux.

  * Examples: "man semanage-port" has examples for allowing non-standard ports!
  * Tip: To see current port labels<code bash>semanage port -l | grep http</code>


__**Change HTTPD's Port**__

Change httpd port
<code bash>
vim /etc/httpd/conf/httpd.conf

Listen 8282
</code>

\\
Restart httpd service
<code bash>
systemctl stop httpd
systemctl start httpd
</code>
  * service should fail to start

\\
See why
<code bash>
systemctl status httpd -l
</code>
  * Should see permission denied to make socket 8282

\\
__**SELinux: Configure Non Standard Port**__

View http ports SELinux allows
<code bash>
semanage port -l | grep http
</code>

\\
Label port 8282 for the http service
<code bash>
semanage port -a -t http_port_t -p tcp 8282
</code>
  * semanage port -> SELinux port mapping tool
  * -a -> add a record
  * -t http_port_t -> Type http_port_t
  * -p tcp -> Protocol tcp
  * 8282 -> the port

----

====== Configure the service to start when the system is booted ======

Check Current Service Status
<code bash>
systemctl status httpd
</code>
  * Also displays if the service is enabled or disabled

\\
Enabling a service to start on boot
<code bash>
systemctl enable httpd
</code>

----

====== Configure the service for basic operation ======

Enable and Start the service
<code bash>
systemctl enable httpd
systemctl start httpd
</code>

----

====== Configure host-based and user-based security for the service ======

===== Firewall =====

Allow access through the firewall
<code bash>
# Standard http/https ports
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

# Non-standard port example
firewall-cmd --permanent --add-port=8282/tcp
firewall-cmd --reload
</code>

===== Host Based =====

/etc/httpd/conf/httpd.conf
<code bash>
<Directory "/var/www/html">
  
  # Blacklist "server1"
  <RequireAll>
    Require all granted
    Require not host server1
  </RequireAll>
  
</Directory>
</code>
  * The above will allow access from all hosts except "server1"
  * Must be inside of a <Directory> context.

===== User Based =====

See [[linux_wiki:configure_access_restrictions_on_directories#restrict_access|Restrict Access to a Directory]].

----