Differences
This shows you the differences between two versions of the page.
|
linux_wiki:network_services_overview_apache_web_server [2018/04/07 22:52] billdozor [Host Based] |
linux_wiki:network_services_overview_apache_web_server [2019/05/25 23:50] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Network Services Overview: Apache Web Server ====== | ||
| - | |||
| - | **General Information** | ||
| - | |||
| - | This page covers the Network Services objectives, specifically for the Apache Web Server. | ||
| - | |||
| - | **Network Services Objectives** | ||
| - | * Install the packages needed to provide the service | ||
| - | * Configure SELinux to support the service | ||
| - | * Use SELinux port labeling to allow services to use non-standard ports | ||
| - | * Configure the service to start when the system is booted | ||
| - | * Configure the service for basic operation | ||
| - | * Configure host-based and user-based security for the service | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Lab Setup ====== | ||
| - | |||
| - | The following virtual machines will be used: | ||
| - | * server1.example.com (192.168.1.150) -> Perform all connectivity tests from here | ||
| - | * server2.example.com (192.168.1.151) -> Install Apache Web Server here | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Install the packages needed to provide the service ====== | ||
| - | |||
| - | Install Apache Web Server (httpd) and manual | ||
| - | <code bash> | ||
| - | yum install httpd httpd-manual | ||
| - | </ | ||
| - | * **NOTE:** The httpd-manual can come in handy for checking syntax/ | ||
| - | |||
| - | \\ | ||
| - | Access the httpd-manual | ||
| - | <code bash> | ||
| - | http:// | ||
| - | OR | ||
| - | elinks / | ||
| - | </ | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Configure SELinux to support the service ====== | ||
| - | |||
| - | * Service agnostic -> [[linux_wiki: | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Use SELinux port labeling to allow services to use non-standard ports ====== | ||
| - | |||
| - | Configuring the Apache Web Server with a non standard port and allowing port access with selinux. | ||
| - | |||
| - | * Examples: "man semanage-port" | ||
| - | * Tip: To see current port labels< | ||
| - | |||
| - | |||
| - | __**Change HTTPD' | ||
| - | |||
| - | Change httpd port | ||
| - | <code bash> | ||
| - | vim / | ||
| - | |||
| - | Listen 8282 | ||
| - | </ | ||
| - | |||
| - | \\ | ||
| - | Restart httpd service | ||
| - | <code bash> | ||
| - | systemctl stop httpd | ||
| - | systemctl start httpd | ||
| - | </ | ||
| - | * service should fail to start | ||
| - | |||
| - | \\ | ||
| - | See why | ||
| - | <code bash> | ||
| - | systemctl status httpd -l | ||
| - | </ | ||
| - | * Should see permission denied to make socket 8282 | ||
| - | |||
| - | \\ | ||
| - | __**SELinux: | ||
| - | |||
| - | View http ports SELinux allows | ||
| - | <code bash> | ||
| - | semanage port -l | grep http | ||
| - | </ | ||
| - | |||
| - | \\ | ||
| - | Label port 8282 for the http service | ||
| - | <code bash> | ||
| - | semanage port -a -t http_port_t -p tcp 8282 | ||
| - | </ | ||
| - | * semanage port -> SELinux port mapping tool | ||
| - | * -a -> add a record | ||
| - | * -t http_port_t -> Type http_port_t | ||
| - | * -p tcp -> Protocol tcp | ||
| - | * 8282 -> the port | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Configure the service to start when the system is booted ====== | ||
| - | |||
| - | Check Current Service Status | ||
| - | <code bash> | ||
| - | systemctl status httpd | ||
| - | </ | ||
| - | * Also displays if the service is enabled or disabled | ||
| - | |||
| - | \\ | ||
| - | Enabling a service to start on boot | ||
| - | <code bash> | ||
| - | systemctl enable httpd | ||
| - | </ | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Configure the service for basic operation ====== | ||
| - | |||
| - | Enable and Start the service | ||
| - | <code bash> | ||
| - | systemctl enable httpd | ||
| - | systemctl start httpd | ||
| - | </ | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Configure host-based and user-based security for the service ====== | ||
| - | |||
| - | ===== Firewall ===== | ||
| - | |||
| - | Allow access through the firewall | ||
| - | <code bash> | ||
| - | # Standard http/https ports | ||
| - | firewall-cmd --permanent --add-service=http | ||
| - | firewall-cmd --permanent --add-service=https | ||
| - | firewall-cmd --reload | ||
| - | |||
| - | # Non-standard port example | ||
| - | firewall-cmd --permanent --add-port=8282/ | ||
| - | firewall-cmd --reload | ||
| - | </ | ||
| - | |||
| - | ===== Host Based ===== | ||
| - | |||
| - | / | ||
| - | <code bash> | ||
| - | < | ||
| - | | ||
| - | # Blacklist " | ||
| - | < | ||
| - | Require all granted | ||
| - | Require not host server1 | ||
| - | </ | ||
| - | | ||
| - | </ | ||
| - | </ | ||
| - | * The above will allow access from all hosts except " | ||
| - | * Must be inside of a < | ||
| - | |||
| - | ===== User Based ===== | ||
| - | |||
| - | See [[linux_wiki: | ||
| - | |||
| - | ---- | ||