
Configure Access Restrictions On Directories

General Information

Configuring access restrictions on private directories served by the Apache Web Server.


Lab Setup

The following virtual machines will be used:

  • server1.example.com (192.168.1.150) → Perform all connectivity tests from here
  • server2.example.com (192.168.1.151) → Install Apache Web Server here

Previous Sections Completed


Prerequisite: Basic Setup

Create the redsite virtualhost.


server2: Add redsite to vhosts.conf

vim /etc/httpd/conf.d/vhosts.conf
 
<VirtualHost *:80>
  ServerName redsite.example.com
  DocumentRoot /data/redsite
  ErrorLog logs/redsite-error_log
  CustomLog logs/redsite-access_log combined
 
  <Directory "/data/redsite">
    Options None
    AllowOverride None
    Require all granted
  </Directory>
</VirtualHost>


Check syntax

apachectl configtest


Apply Config

apachectl restart


server1: Update host name resolution

vim /etc/hosts
 
192.168.1.151 server2 bluesite.example.com redsite.example.com

Restrict Access to a Directory

Create the directory structure

mkdir -p /data/redsite/private


Create an index file

echo '<html><body>This is the <font color=red>RED SITE</font>.</body></html>' > /data/redsite/index.html


Create a private index file

echo "This is for certain people to view only." > /data/redsite/private/index.html


SELinux: Check normal httpd content contexts vs new directory

ls -lZ /var/www
 
ls -lZ /data/redsite
  • You will see that /var/www/html has “httpd_sys_content_t” and /data/redsite/index.html does not. This will need to be changed.


SELinux: Give new directory the correct SELinux httpd context

semanage fcontext -at httpd_sys_content_t "/data/redsite(/.*)?"
restorecon -Rv /data/redsite/
  • Reminder: man semanage-fcontext (EXAMPLE at the bottom)

Help: Available if you installed 'httpd-manual'

elinks /usr/share/httpd/manual/howto/auth.html


Create password for the user

htpasswd -c /etc/httpd/conf/userdb user1
  • Prompted for a password


Edit the vhosts.conf file and add this additional Directory block inside the redsite virtualhost

vim /etc/httpd/conf.d/vhosts.conf
 
<VirtualHost *:80>
  ServerName redsite.example.com
  DocumentRoot /data/redsite
  #....SNIP....#
 
  <Directory "/data/redsite/private">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile "/etc/httpd/conf/userdb"
    Require valid-user
  </Directory>
</VirtualHost>


Restart Apache

systemctl restart httpd


Visit restricted directory

elinks http://redsite.example.com/private/
  • elinks may need to be installed first (yum install elinks)
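
The same check can be scripted from server1 so that it also proves the negative cases (no credentials and a wrong password are both refused). This is an added example, not part of the original wiki page; the function names and the BASE_URL variable are made up for illustration, and it assumes curl is installed.

```bash
#!/bin/bash
# Added example: scripted form of the "Visit restricted directory" step.
# Run on server1. BASE_URL defaults to the page's redsite virtual host.
BASE_URL="${BASE_URL:-http://redsite.example.com}"

# Print the HTTP status code for URL; optional 2nd argument is user:password.
http_status() {
  local url="$1" creds="${2:-}"
  if [ -n "$creds" ]; then
    curl -s -o /dev/null -w '%{http_code}' -u "$creds" "$url"
  else
    curl -s -o /dev/null -w '%{http_code}' "$url"
  fi
}

# expect_status LABEL WANTED URL [user:password] -> prints PASS/FAIL, returns 0/1.
expect_status() {
  local label="$1" want="$2" got
  shift 2
  got="$(http_status "$@")"
  if [ "$got" = "$want" ]; then
    echo "PASS  $label (HTTP $got)"
  else
    echo "FAIL  $label (wanted $want, got $got)"
    return 1
  fi
}

# check_redsite USER PASSWORD -> runs four checks, returns the number that failed.
check_redsite() {
  local user="$1" pass="$2" failed=0
  expect_status "public page is open"        200 "$BASE_URL/" \
    || failed=$((failed + 1))
  expect_status "private/ demands a login"   401 "$BASE_URL/private/" \
    || failed=$((failed + 1))
  expect_status "wrong password is refused"  401 "$BASE_URL/private/" "$user:not-the-password" \
    || failed=$((failed + 1))
  expect_status "valid user is admitted"     200 "$BASE_URL/private/" "$user:$pass" \
    || failed=$((failed + 1))
  return "$failed"
}

# Example call (reads the password without echoing it):
#   read -rs -p 'user1 password: ' PW; echo; check_redsite user1 "$PW"
```

Because the virtual host listens on *:80, the Basic credentials sent by these requests (and by elinks) cross the network base64-encoded, not encrypted.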

  • Last modified: 2019/05/25 23:50