Configure Access Restrictions On Directories
General Information
Access restrictions on private directories served by the Apache Web Server.
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → Perform all connectivity tests from here
- server2.example.com (192.168.1.151) → Install Apache Web Server here
Prerequisite: Basic Setup
Create the redsite virtualhost.
server2: Add redsite to vhosts.conf
vim /etc/httpd/conf.d/vhosts.conf

<VirtualHost *:80>
    ServerName redsite.example.com
    DocumentRoot /data/redsite
    ErrorLog logs/redsite-error_log
    CustomLog logs/redsite-access_log combined
</VirtualHost>
Check syntax
apachectl configtest
Apply Config
apachectl restart
server1: Update host name resolution
vim /etc/hosts

192.168.1.151 server2 bluesite.example.com redsite.example.com
Restrict Access to a Directory
Setup Directory and SELinux
Create a directory
mkdir /var/user1dir
Change permissions
chown user1:user1 /var/user1dir
chmod 711 /var/user1dir
Create an index file
echo "This is user1's index.html" > /var/user1dir/index.html
SELinux: Check normal httpd content contexts vs new directory
ls -lZ /var/www
ls -lZ /var/user1dir
- You will see that /var/www/html carries the "httpd_sys_content_t" context and /var/user1dir/index.html does not. This needs to be changed.
SELinux: Give new directory the correct SELinux httpd context
semanage fcontext -at httpd_sys_content_t "/var/user1dir(/.*)?"
restorecon -Rv /var/user1dir/
Restrict Access
Change document root
vim /etc/httpd/conf/httpd.conf

DocumentRoot "/var"
Allow an "AuthConfig" override (.htaccess file) for the /var/user1dir directory
<Directory /var/user1dir>
    AllowOverride AuthConfig
</Directory>
Create htaccess file in user1's directory
vim /var/user1dir/.htaccess

AuthType Basic
AuthName "Password Protected Private Dir - Enter Login Credentials:"
AuthUserFile "/etc/httpd/conf/.userdb"
Require valid-user
Create password for the user
htpasswd -c /etc/httpd/conf/.userdb user1
- You will be prompted for a password
Change permissions on the userdb file
chown :apache /etc/httpd/conf/.userdb
chmod 640 /etc/httpd/conf/.userdb
Restart Apache
systemctl restart httpd
Visit restricted directory
elinks http://testsite.example.com/user1dir
- elinks may need to be installed first (yum install elinks)
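To see what httpd actually does with the .htaccess and .userdb created above, the following added example (not part of this page's lab, and not Apache code) emulates one Basic-auth request offline: it ports the $apr1$ MD5 scheme that htpasswd writes by default, looks the user up in an AuthUserFile-style string, and then applies the Require directive. The user name, password and salt are constructed here; note that "Require user" matches literal user names, so "Require valid-user" is the form that admits any authenticated user.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1(password, salt):
    """Apache's $apr1$ MD5-based scheme (the htpasswd default), ported from apr_md5_encode."""
    pw, salt = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                   # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                      # 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3: c.update(salt)
        if i % 7: c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""                                   # crypt(3)-style base64 of the 16 rearranged bytes
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        out += "".join(ITOA64[(v >> s) & 63] for s in (0, 6, 12, 18))
    out += "".join(ITOA64[(final[11] >> s) & 63] for s in (0, 6))
    return f"$apr1${salt.decode()}${out}"


def basic_header(user, password):
    """The Authorization header a browser (or elinks) sends after the 401 challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize(userdb, auth_header, require_line):
    """Emulate AuthType Basic + AuthUserFile + Require: True only if the user authenticates and satisfies Require."""
    token = auth_header.split(" ", 1)[1] if auth_header.startswith("Basic ") else ""
    user, _, password = base64.b64decode(token).decode().partition(":")
    stored = dict(ln.split(":", 1) for ln in userdb.splitlines() if ":" in ln).get(user, "")
    if not stored.startswith("$apr1$") or not hmac.compare_digest(
            apr1(password, stored.split("$")[2]), stored):
        return False                           # unknown user or bad password: server answers 401
    req = require_line.split()                 # e.g. ["Require", "user", "user1"]
    return req[1:] == ["valid-user"] or (req[1:2] == ["user"] and user in req[2:])


# Constructed sample AuthUserFile in htpasswd(1) format; the salt is picked here, not taken from the page.
USERDB = "user1:" + apr1("s3cret", "Ab12Cd34") + "\n"
```

Compare the output of apr1() with the line htpasswd wrote to /etc/httpd/conf/.userdb to confirm the file is in the expected format; a "Require user valid-user" line would reject every real user because no account is literally named valid-user.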