Configure Access Restrictions On Directories
General Information
How to restrict access to private directories on an Apache Web Server.
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → Perform all connectivity tests from here
- server2.example.com (192.168.1.151) → Install Apache Web Server here
Prerequisite: Basic Setup
Create the redsite virtualhost.
server2: Add redsite to vhosts.conf
vim /etc/httpd/conf.d/vhosts.conf

<VirtualHost *:80>
    ServerName redsite.example.com
    DocumentRoot /data/redsite
    ErrorLog logs/redsite-error_log
    CustomLog logs/redsite-access_log combined
    <Directory "/data/redsite">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Check syntax
apachectl configtest
Apply Config
apachectl restart
server1: Update host name resolution
vim /etc/hosts

192.168.1.151 server2 bluesite.example.com redsite.example.com
Restrict Access to a Directory
Setup Directory and SELinux
Create the directory structure
mkdir -p /data/redsite/private
Create an index file
echo '<html><body>This is the <font color=red>RED SITE</font>.</body></html>' > /data/redsite/index.html
Create a private index file
echo "This is for certain people to view only." > /data/redsite/private/index.html
SELinux: Check normal httpd content contexts vs new directory
ls -lZ /var/www
ls -lZ /data/redsite
- You will see that /var/www/html has “httpd_sys_content_t” and /data/redsite/index.html does not. This will need to be changed.
SELinux: Give new directory the correct SELinux httpd context
semanage fcontext -at httpd_sys_content_t "/data/redsite(/.*)?"
restorecon -Rv /data/redsite/
- Reminder: see man semanage-fcontext (the EXAMPLE section at the bottom)
Restrict Access
Edit the vhosts.conf file and add this additional Directory block to the redsite virtual host
vim /etc/httpd/conf.d/vhosts.conf

<VirtualHost *:80>
    ServerName redsite.example.com
    DocumentRoot /data/redsite
    #....SNIP....#
    <Directory "/data/redsite/private">
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile "/etc/httpd/conf/usersdb"
        Require valid-user
    </Directory>
</VirtualHost>
Create password for the user
htpasswd -c /etc/httpd/conf/usersdb user1
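- You will be prompted for a password. The -c option creates the file and overwrites an existing one, so omit it when adding more users.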
Restart Apache
systemctl restart httpd
Visit restricted directory
elinks http://redsite.example.com/private/
- elinks may need to be installed first (yum install elinks)
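
An offline check of the Directory block from the Restrict Access step, as an added example that is not part of the original page: it reads a vhost file on stdin and reports whether the private directory enforces Basic auth, keeps the password file outside the DocumentRoot, and has no "Require all granted" beside "Require valid-user" (Apache 2.4 treats sibling Require lines as alternatives). The names audit_private_dir, GOOD_CONF and WEAK_CONF are hypothetical, the sample configs are constructed, and only absolute AuthUserFile paths are handled.

```shell
#!/bin/sh
# Added example: read an Apache config on stdin and check that DIR ($1) is
# protected the way this page configures /data/redsite/private.
audit_private_dir() {
    awk -v dir="$1" '
    function unq(s) { sub(/^"/, "", s); sub(/"?>?$/, "", s); return s }
    /^[ \t]*#/                   { next }                 # skip comment lines
                                 { d = tolower($1) }      # directive name
    d == "documentroot"          { docroot = unq($2) }
    d == "<directory"            { inblk = (unq($2) == dir)
                                   if (inblk) { found = 1; dr = docroot } }
    d == "</directory>"          { inblk = 0 }
    inblk && d == "authtype"     { atype = tolower($2) }
    inblk && d == "authuserfile" { ufile = unq($2) }
    inblk && d == "require"      { if ($2 == "valid-user") valid = 1
                                   if ($2 == "all" && $3 == "granted") wide = 1 }
    END {
        if (!found) { print "FAIL: no <Directory> block for " dir; exit 1 }
        if (atype != "basic") { print "FAIL: AuthType Basic missing"; bad = 1 }
        if (ufile == "")      { print "FAIL: AuthUserFile missing"; bad = 1 }
        else if (dr != "" && index(ufile, dr "/") == 1) { print "FAIL: AuthUserFile inside DocumentRoot"; bad = 1 }
        if (!valid)           { print "FAIL: Require valid-user missing"; bad = 1 }
        if (wide)             { print "FAIL: Require all granted in protected block"; bad = 1 }
        if (!bad) print "OK: " dir " requires a valid user from " ufile
        exit bad + 0
    }'
}
# Constructed sample input: the redsite vhost as configured on this page.
GOOD_CONF='<VirtualHost *:80>
ServerName redsite.example.com
DocumentRoot /data/redsite
<Directory "/data/redsite">
Require all granted
</Directory>
<Directory "/data/redsite/private">
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/etc/httpd/conf/usersdb"
Require valid-user
</Directory>
</VirtualHost>'
# Constructed weak variant: password file under the web root, open Require.
WEAK_CONF=$(printf '%s\n' "$GOOD_CONF" | sed -e 's#/etc/httpd/conf/usersdb#/data/redsite/private/usersdb#' \
    -e 's#Require valid-user#Require all granted#')
printf '%s\n' "$GOOD_CONF" | audit_private_dir /data/redsite/private
printf '%s\n' "$WEAK_CONF" | audit_private_dir /data/redsite/private || true
```

On server2 the same function can be run against the live file: audit_private_dir /data/redsite/private < /etc/httpd/conf.d/vhosts.conf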