====== Network Services Overview: Apache Web Server ======
**General Information**
This page covers the Network Services objectives, specifically for the Apache Web Server.
**Network Services Objectives**
* Install the packages needed to provide the service
* Configure SELinux to support the service
* Use SELinux port labeling to allow services to use non-standard ports
* Configure the service to start when the system is booted
* Configure the service for basic operation
* Configure host-based and user-based security for the service
----
====== Lab Setup ======
The following virtual machines will be used:
* server1.example.com (192.168.1.150) -> Perform all connectivity tests from here
* server2.example.com (192.168.1.151) -> Install Apache Web Server here
----
====== Install the packages needed to provide the service ======
Install Apache Web Server (httpd) and its manual:
<code bash>
yum install httpd httpd-manual
</code>
* **NOTE:** The httpd-manual can come in handy for checking syntax/getting help.
\\
Access the httpd-manual in a browser:
<code>
http://localhost/manual
</code>
OR from the terminal:
<code bash>
elinks /usr/share/httpd/manual/
</code>
----
====== Configure SELinux to support the service ======
* Service agnostic -> [[linux_wiki:set_enforcing_and_permissive_modes_for_selinux|Ensure SELinux is running and enabled (RHCSA objective)]].
* **IMPORTANT**: View all label types
<code bash>
# Install package
yum install setools-console
# View all label types
seinfo -t
# Find Apache types
seinfo -t | grep httpd
</code>
----
====== Use SELinux port labeling to allow services to use non-standard ports ======
Configure the Apache Web Server to listen on a non-standard port and allow access to that port with SELinux.
* Examples: "man semanage-port" has examples for allowing non-standard ports!
* Tip: To see current port labels: <code bash>semanage port -l | grep http</code>
__**Change HTTPD's Port**__
Change httpd port
<code bash>
vim /etc/httpd/conf/httpd.conf
</code>
<code apache>
Listen 8282
</code>
\\
Restart httpd service
<code bash>
systemctl stop httpd
systemctl start httpd
</code>
* Service should fail to start
\\
See why
<code bash>
systemctl status httpd -l
</code>
* Should see permission denied when creating the socket on port 8282
\\
__**SELinux: Configure Non Standard Port**__
View http ports SELinux allows
<code bash>
semanage port -l | grep http
</code>
\\
Label port 8282 for the http service
<code bash>
semanage port -a -t http_port_t -p tcp 8282
</code>
* semanage port -> SELinux port mapping tool
* -a -> add a record
* -t http_port_t -> Type http_port_t
* -p tcp -> Protocol tcp
* 8282 -> the port
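
The check from this section as an added example (not part of the original page): it compares the ''Listen'' ports in an httpd configuration against the ports labeled ''http_port_t'' and prints the ''semanage'' command for any that are missing. The function names and both sample texts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list httpd Listen ports that
# lack the http_port_t label, then print the semanage command for each.

# Constructed sample of httpd.conf content.
SAMPLE_CONF='ServerRoot "/etc/httpd"
#Listen 12.34.56.78:80
Listen 80
Listen 8282
Listen 192.168.1.151:8443 https'

# Constructed sample of "semanage port -l" output.
SAMPLE_LABELS='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Ports from Listen directives: "Listen 80", "Listen 1.2.3.4:80", "Listen [::1]:80 https".
listen_ports() {
    awk 'tolower($1) == "listen" { n = split($2, a, ":"); print a[n] }' | sort -un
}

# TCP ports and ranges carrying exactly the http_port_t type.
http_labeled() {
    awk '$1 == "http_port_t" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) { gsub(",", "", $i); print $i }
    }'
}

# unlabeled_ports CONF_TEXT LABEL_TEXT -> one unlabeled Listen port per line.
unlabeled_ports() {
    for port in $(printf '%s\n' "$1" | listen_ports); do
        ok=0
        for entry in $(printf '%s\n' "$2" | http_labeled); do
            lo=${entry%-*}; hi=${entry#*-}    # "80" -> 80..80, "10001-10010" -> range
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then ok=1; break; fi
        done
        [ "$ok" -eq 1 ] || echo "$port"
    done
}

# On a real host: unlabeled_ports "$(cat /etc/httpd/conf/httpd.conf)" "$(semanage port -l)"
for p in $(unlabeled_ports "$SAMPLE_CONF" "$SAMPLE_LABELS"); do
    echo "semanage port -a -t http_port_t -p tcp $p"
done
```

With the sample input only port 8282 is reported, matching the failure shown above. Files under ''/etc/httpd/conf.d/'' can also contain ''Listen'' directives and should be checked the same way.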
----
====== Configure the service to start when the system is booted ======
Check Current Service Status
<code bash>
systemctl status httpd
</code>
* Also displays if the service is enabled or disabled
\\
Enabling a service to start on boot
<code bash>
systemctl enable httpd
</code>
----
====== Configure the service for basic operation ======
Enable and Start the service
<code bash>
systemctl enable httpd
systemctl start httpd
</code>
----
====== Configure host-based and user-based security for the service ======
===== Firewall =====
Allow access through the firewall
<code bash>
# Standard http/https ports
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
# Non-standard port example
firewall-cmd --permanent --add-port=8282/tcp
firewall-cmd --reload
</code>
===== Host Based =====
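Edit /etc/httpd/conf/httpd.conf:
<code apache>
# Blacklist "server1"
# A negated Require only takes effect inside a RequireAll container
<RequireAll>
    Require all granted
    Require not host server1
</RequireAll>
</code>
* The above will allow access from all hosts except "server1"
* Must be placed inside a directory context, such as a ''%%<Directory>%%'' block.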
===== User Based =====
See [[linux_wiki:configure_access_restrictions_on_directories#restrict_access|Restrict Access to a Directory]].
----