Configure Access Restrictions On Directories
General Information
Access restrictions on Apache Web Server/private directories.
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → Perform all connectivity tests from here
- server2.example.com (192.168.1.151) → Install Apache Web Server here
Prerequisite: Basic Setup
Set up host name resolution (most likely not needed on the exam, as they should have proper DNS)
vim /etc/hosts
192.168.1.150 server1 testsite.example.com
- IP Address will differ depending upon network setup
Change website name in main config file
vim /etc/httpd/conf/httpd.conf
ServerAdmin root@testsite.example.com
ServerName testweb.example.com
Check syntax
apachectl configtest
Apply Config
apachectl restart
Restrict Access to a Directory
Setup Directory and SELinux
Create a directory
mkdir /var/user1dir
Change permissions
chown user1:user1 /var/user1dir
chmod 711 /var/user1dir
Create an index file
echo "This is user1's index.html" > /var/user1dir/index.html
SELinux: Check normal httpd content contexts vs new directory
ls -lZ /var/www
ls -lZ /var/user1dir
- You will see that /var/www/html has “httpd_sys_content_t” and /var/user1dir/index.html does not. This will need to be changed.
SELinux: Give new directory the correct SELinux httpd context
semanage fcontext -at httpd_sys_content_t "/var/user1dir(/.*)?"
restorecon -Rv /var/user1dir/
Restrict Access
Change document root
vim /etc/httpd/conf/httpd.conf
DocumentRoot "/var"
Allow an “AuthConfig” override (htaccess file) for the /var/user1dir directory
<Directory /var/user1dir>
    AllowOverride AuthConfig
</Directory>
Create htaccess file in user1's directory
vim /var/user1dir/.htaccess
AuthType Basic
AuthName "Password Protected Private Dir - Enter Login Credentials:"
AuthUserFile "/etc/httpd/conf/.userdb"
Require valid-user
Create password for the user
htpasswd -c /etc/httpd/conf/.userdb user1
- Prompted for a password
Change permissions on the userdb file
chown :apache /etc/httpd/conf/.userdb
chmod 640 /etc/httpd/conf/.userdb
Restart Apache
systemctl restart httpd
Visit restricted directory
elinks http://testsite.example.com/user1dir
- elinks may need to be installed first (yum install elinks)
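Added example, not part of the original page: a static check of the .htaccess and password database set up above, to run on the web server before testing from the client. The function name audit_htaccess is hypothetical, and stat -c assumes GNU coreutils (as on RHEL/CentOS).

```shell
# Added example (not from the original page): static audit of a Basic-auth .htaccess.
# audit_htaccess is a hypothetical helper name; stat -c assumes GNU coreutils.
# Usage: audit_htaccess <htaccess-file> <DocumentRoot>
# Prints one line per finding and returns the number of findings (0 = clean).
audit_htaccess() {
    local file="$1" docroot="${2%/}" findings=0 userdb mode

    finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$file" \
        || finding "no 'AuthType Basic' line"

    # 'Require user valid-user' admits only an account literally named
    # "valid-user"; allowing any authenticated user takes 'Require valid-user'.
    if grep -Eiq '^[[:space:]]*Require[[:space:]]+user[[:space:]]+valid-user' "$file"; then
        finding "'Require user valid-user' should be 'Require valid-user'"
    elif ! grep -Eiq '^[[:space:]]*Require[[:space:]]' "$file"; then
        finding "no Require line, so no login is enforced"
    fi

    # Path of the password database, with surrounding quotes removed.
    userdb=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$file")
    if [ -z "$userdb" ]; then
        finding "no AuthUserFile line"
    else
        # A database below DocumentRoot could be requested over HTTP.
        case "$userdb" in
            "$docroot"/*) finding "AuthUserFile $userdb is inside DocumentRoot $docroot" ;;
        esac
        # Any permission bit for 'other' is wider than the 640 used on this page.
        if [ -e "$userdb" ]; then
            mode=$(stat -c '%a' "$userdb")
            case "$mode" in
                *0) ;;
                *) finding "$userdb is mode $mode (others have access)" ;;
            esac
        fi
    fi
    return "$findings"
}
```

For the setup on this page, run it as: audit_htaccess /var/user1dir/.htaccess /var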