
Network Services Overview: Apache Web Server

General Information

This page covers the Network Services objectives, specifically for the Apache Web Server.

Network Services Objectives

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service

Lab Setup

The following virtual machines will be used:

  • server1.example.com (192.168.1.150) → Perform all connectivity tests from here
  • server2.example.com (192.168.1.151) → Install Apache Web Server here

Install the packages needed to provide the service

Install Apache Web Server (httpd) and manual

yum install httpd httpd-manual
  • NOTE: The httpd-manual can come in handy for checking syntax/getting help.


Access the httpd-manual

http://localhost/manual
OR
elinks /usr/share/httpd/manual/<page|section>

Configure SELinux to support the service


Use SELinux port labeling to allow services to use non-standard ports

Configure the Apache Web Server to listen on a non-standard port and allow access to that port with SELinux.

  • Examples: “man semanage-port” has examples for allowing non-standard ports!
  • Tip: To see current port labels
    semanage port -l | grep http

Change HTTPD's Port

Change httpd port

vim /etc/httpd/conf/httpd.conf
 
Listen 8282


Restart httpd service

systemctl stop httpd
systemctl start httpd
  • service should fail to start


See why

systemctl status httpd -l
  • The status output should show a "permission denied" error when httpd tries to create its socket on port 8282


SELinux: Configure Non Standard Port

View http ports SELinux allows

semanage port -l | grep http


Label port 8282 for the http service

semanage port -a -t http_port_t -p tcp 8282
  • semanage port → SELinux port mapping tool
  • -a → add a record
  • -t http_port_t → Type http_port_t
  • -p tcp → Protocol tcp
  • 8282 → the port
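
As an added example (not part of the original wiki page), the helper below reads `semanage port -l` output and decides whether a port needs `semanage port -a`, nothing, or `semanage port -m`, a case the page does not cover: `-a` is refused when the exact port already has a record under another type. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide which semanage call a port needs, from
# `semanage port -l` output on stdin. Only http_port_t is considered.
# Prints: ok     -> port is already covered by http_port_t
#         add    -> no exact record exists, `semanage port -a` will work
#         modify -> exact record exists under another type, use `-m`
port_label_action() {   # usage: port_label_action PORT [PROTO] < listing
    awk -v port="$1" -v proto="${2:-tcp}" '
        $2 == proto {
            type = $1
            # Fields 3..NF are the port list, e.g. "80, 81, 8000-8010"
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                n = split(p, r, "-")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (type == "http_port_t" && port + 0 >= lo && port + 0 <= hi)
                    ok = 1
                else if (p == port)   # exact record only; wide default
                    other = 1         # ranges do not block `-a`
            }
        }
        END { print (ok ? "ok" : (other ? "modify" : "add")) }'
}

# Apply the decision on a live system (needs root and semanage installed).
label_http_port() {     # usage: label_http_port PORT
    case "$(semanage port -l | port_label_action "$1" tcp)" in
        ok)     echo "tcp/$1 is already http_port_t" ;;
        add)    semanage port -a -t http_port_t -p tcp "$1" ;;
        modify) semanage port -m -t http_port_t -p tcp "$1" ;;
    esac
}

# Constructed sample of `semanage port -l` output, for offline testing.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
unreserved_port_t              tcp      61001-65535, 1024-32767
'
```

On the lab's server2, `label_http_port 8282` followed by `systemctl start httpd` completes the port change.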

Configure the service to start when the system is booted

Check Current Service Status

systemctl status httpd
  • Also displays if the service is enabled or disabled


Enabling a service to start on boot

systemctl enable httpd

Configure the service for basic operation

Enable and Start the service

systemctl enable httpd
systemctl start httpd

Configure host-based and user-based security for the service

Allow access through the firewall

# Standard http/https ports
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
 
# Non-standard port example
firewall-cmd --permanent --add-port=8282/tcp
firewall-cmd --reload

/etc/httpd/conf/httpd.conf

<Directory "/var/www/html">
 
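  # Blacklist "server1"
  # "Require host" matches whole name components after a reverse DNS lookup,
  # so use the fully qualified name rather than the short name.
  <RequireAll>
    Require all granted
    Require not host server1.example.com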
  </RequireAll>
 
</Directory>
  • The above will allow access from all hosts except “server1”
  • Must be inside of a <Directory> context.

Last modified: 2019/05/26 03:50