Differences
This shows you the differences between two versions of the page.
linux_wiki:network_services_overview_apache_web_server [2018/04/07 22:52] billdozor [Host Based]
linux_wiki:network_services_overview_apache_web_server [2019/05/25 23:50]
Line 1: | Line 1: | ||
- | ====== Network Services Overview: Apache Web Server ====== | ||
- | |||
- | **General Information** | ||
- | |||
- | This page covers the Network Services objectives, specifically for the Apache Web Server. | ||
- | |||
- | **Network Services Objectives** | ||
- | * Install the packages needed to provide the service | ||
- | * Configure SELinux to support the service | ||
- | * Use SELinux port labeling to allow services to use non-standard ports | ||
- | * Configure the service to start when the system is booted | ||
- | * Configure the service for basic operation | ||
- | * Configure host-based and user-based security for the service | ||
- | |||
- | ---- | ||
- | |||
- | ====== Lab Setup ====== | ||
- | |||
- | The following virtual machines will be used: | ||
- | * server1.example.com (192.168.1.150) -> Perform all connectivity tests from here | ||
- | * server2.example.com (192.168.1.151) -> Install Apache Web Server here | ||
- | |||
- | ---- | ||
- | |||
- | ====== Install the packages needed to provide the service ====== | ||
- | |||
- | Install Apache Web Server (httpd) and manual | ||
- | <code bash> | ||
- | yum install httpd httpd-manual | ||
- | </ | ||
- | * **NOTE:** The httpd-manual can come in handy for checking syntax/ | ||
- | |||
- | \\ | ||
- | Access the httpd-manual | ||
- | <code bash> | ||
- | http:// | ||
- | OR | ||
- | elinks / | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Configure SELinux to support the service ====== | ||
- | |||
- | * Service agnostic -> [[linux_wiki: | ||
- | |||
- | ---- | ||
- | |||
- | ====== Use SELinux port labeling to allow services to use non-standard ports ====== | ||
- | |||
- | Configuring the Apache Web Server with a non standard port and allowing port access with selinux. | ||
- | |||
- | * Examples: "man semanage-port" | ||
- | * Tip: To see current port labels< | ||
- | |||
- | |||
- | __**Change HTTPD' | ||
- | |||
- | Change httpd port | ||
- | <code bash> | ||
- | vim / | ||
- | |||
- | Listen 8282 | ||
- | </ | ||
- | |||
- | \\ | ||
- | Restart httpd service | ||
- | <code bash> | ||
- | systemctl stop httpd | ||
- | systemctl start httpd | ||
- | </ | ||
- | * service should fail to start | ||
- | |||
- | \\ | ||
- | See why | ||
- | <code bash> | ||
- | systemctl status httpd -l | ||
- | </ | ||
- | * Should see permission denied to make socket 8282 | ||
- | |||
- | \\ | ||
- | __**SELinux: | ||
- | |||
- | View http ports SELinux allows | ||
- | <code bash> | ||
- | semanage port -l | grep http | ||
- | </ | ||
- | |||
- | \\ | ||
- | Label port 8282 for the http service | ||
- | <code bash> | ||
- | semanage port -a -t http_port_t -p tcp 8282 | ||
- | </ | ||
- | * semanage port -> SELinux port mapping tool | ||
- | * -a -> add a record | ||
- | * -t http_port_t -> Type http_port_t | ||
- | * -p tcp -> Protocol tcp | ||
- | * 8282 -> the port | ||
- | |||
- | ---- | ||
- | |||
- | ====== Configure the service to start when the system is booted ====== | ||
- | |||
- | Check Current Service Status | ||
- | <code bash> | ||
- | systemctl status httpd | ||
- | </ | ||
- | * Also displays if the service is enabled or disabled | ||
- | |||
- | \\ | ||
- | Enabling a service to start on boot | ||
- | <code bash> | ||
- | systemctl enable httpd | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Configure the service for basic operation ====== | ||
- | |||
- | Enable and Start the service | ||
- | <code bash> | ||
- | systemctl enable httpd | ||
- | systemctl start httpd | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Configure host-based and user-based security for the service ====== | ||
- | |||
- | ===== Firewall ===== | ||
- | |||
- | Allow access through the firewall | ||
- | <code bash> | ||
- | # Standard http/https ports | ||
- | firewall-cmd --permanent --add-service=http | ||
- | firewall-cmd --permanent --add-service=https | ||
- | firewall-cmd --reload | ||
- | |||
- | # Non-standard port example | ||
- | firewall-cmd --permanent --add-port=8282/ | ||
- | firewall-cmd --reload | ||
- | </ | ||
- | |||
- | ===== Host Based ===== | ||
- | |||
- | / | ||
- | <code bash> | ||
- | < | ||
- | | ||
- | # Blacklist " | ||
- | < | ||
- | Require all granted | ||
- | Require not host server1 | ||
- | </ | ||
- | | ||
- | </ | ||
- | </ | ||
- | * The above will allow access from all hosts except " | ||
- | * Must be inside of a < | ||
- | |||
- | ===== User Based ===== | ||
- | |||
- | See [[linux_wiki: | ||
- | |||
- | ---- | ||
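Review bot: In the Host Based block, `Require not host server1` is a weak way to express the denylist the text describes. Apache's `host` provider matches whole domain components from the right, so `server1` only matches a client whose double-reverse DNS name is exactly `server1` or ends in `.server1`; the lab client `server1.example.com` would be denied only if reverse DNS happens to return the short name, and every request pays for that lookup. Since Lab Setup already gives server1 as 192.168.1.150, `Require not ip 192.168.1.150` is the reliable form and removes the DNS dependency. The bullet that `Require not` must sit inside a `<RequireAll>` container is correct and should stay next to the block.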