====== Network Services Overview: Apache Web Server ======

**General Information**

This page covers the Network Services objectives, specifically for the Apache Web Server.

**Network Services Objectives**
  * Install the packages needed to provide the service
  * Configure SELinux to support the service
  * Use SELinux port labeling to allow services to use non-standard ports
  * Configure the service to start when the system is booted
  * Configure the service for basic operation
  * Configure host-based and user-based security for the service

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1.example.com (192.168.1.150) -> Perform all connectivity tests from here
  * server2.example.com (192.168.1.151) -> Install Apache Web Server here

----

====== Install the packages needed to provide the service ======

Install the Apache Web Server (httpd) and its manual:
<code bash>
yum install httpd httpd-manual
</code>
  * **NOTE:** The httpd-manual package can come in handy for checking directive syntax and getting help without leaving the server.

Access the httpd manual either through the running web server or directly from the installed files:
<code bash>
# In a browser, once httpd is running
http://localhost/manual

# Or from the command line
elinks /usr/share/httpd/manual/<page|section>
</code>

----

====== Configure SELinux to support the service ======

  * Service agnostic -> [[linux_wiki:set_enforcing_and_permissive_modes_for_selinux|Ensure SELinux is running and enabled (RHCSA objective)]].
  * **IMPORTANT**: View all label types (the setools-console package provides seinfo):
<code bash>
# Install package
yum install setools-console

# View all label types
seinfo -t

# Find Apache types
seinfo -t | grep httpd
</code>

----

====== Use SELinux port labeling to allow services to use non-standard ports ======

Configuring the Apache Web Server with a non-standard port and allowing access to that port with SELinux.

  * Examples: "man semanage-port" has examples for allowing non-standard ports!
  * Tip: To see the current port labels:
<code bash>
semanage port -l | grep http
</code>

__**Change HTTPD's Port**__

Change the httpd port by editing the Listen directive:
<code bash>
vim /etc/httpd/conf/httpd.conf
</code>
<code apache>
Listen 8282
</code>

Restart the httpd service:
<code bash>
systemctl restart httpd
</code>
  * The service should fail to start.

See why:
<code bash>
systemctl status httpd -l
</code>
  * You should see a make_sock error: permission denied when binding to port 8282. The matching AVC denial can be confirmed with "ausearch -m avc -ts recent".

__**SELinux: Configure Non Standard Port**__

View the ports SELinux allows httpd to bind to:
<code bash>
semanage port -l | grep http
</code>

Label port 8282 for the http service:
<code bash>
semanage port -a -t http_port_t -p tcp 8282
</code>
  * semanage port -> SELinux port mapping tool
  * -a -> add a record
  * -t http_port_t -> Type http_port_t
  * -p tcp -> Protocol tcp
  * 8282 -> the port
  * If the port is already defined for another type, "-a" fails with "already defined"; use "-m" (modify) in place of "-a" to re-label it.
  * The mapping is persistent across reboots ("semanage port -l | grep http" now lists 8282). Start httpd again with "systemctl start httpd" and confirm it stays up with "systemctl status httpd".

----

====== Configure the service to start when the system is booted ======

Check the current service status:
<code bash>
systemctl status httpd
</code>
  * Also displays whether the service is enabled or disabled.

Enable the service to start on boot:
<code bash>
systemctl enable httpd
</code>

----

====== Configure the service for basic operation ======

Enable and start the service:
<code bash>
systemctl enable httpd
systemctl start httpd
</code>

----

====== Configure host-based and user-based security for the service ======

===== Firewall =====

Allow access through the firewall:
<code bash>
# Standard http/https ports
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

# Non-standard port example
firewall-cmd --permanent --add-port=8282/tcp
firewall-cmd --reload
</code>

===== Host Based =====

/etc/httpd/conf/httpd.conf
<code apache>
<Directory "/var/www/html">
    # Allow everyone except "server1"
    <RequireAll>
        Require all granted
        Require not host server1.example.com
    </RequireAll>
</Directory>
</code>
  * The above allows access from all hosts except "server1".
  * "Require host" matches the full resolved hostname or a domain suffix (for example "example.com" matches every host in that domain), so use the FQDN as above: a bare "server1" would not match a client that resolves to "server1.example.com".
  * "Require not" can never grant access on its own; it only has effect combined with other rules inside a <RequireAll> container, which here sits in a <Directory> context.
  * "Require host" depends on a reverse DNS lookup of the client address (Apache also forward-resolves the name to confirm it). A client whose address does not resolve is not matched by the "not host" rule and is let in, so an address-based rule such as "Require not ip 192.168.1.150" is more robust.
  * Check the syntax with "httpd -t", restart httpd, then verify from server1 (expect 403 Forbidden) and from another host (expect 200).
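As an added example (not from this wiki page), the following script ties the non-standard port, SELinux and firewall steps above together: it reads every Listen port from the httpd configuration, checks each against the "semanage port -l" mapping and the firewalld runtime state, and prints only the commands still needed. It goes slightly beyond the page by handling port ranges in the semanage output and by choosing "-m" instead of "-a" when a port is already owned by another type. The parsers take command output as text so the logic can be exercised against the constructed sample input embedded below; "--live" gathers the real output on server2. The choice to accept only http_port_t, and the http/https service-to-port mapping, are the script's own assumptions.

```bash
#!/bin/sh
# Added example, not part of the original wiki page: audit every port httpd is
# configured to Listen on against the SELinux port map and firewalld, and print
# the commands that reconcile them. The parsers take command output as text so
# the logic runs offline; "--live" feeds in the real output on the server.

# Ports from every active Listen directive ("Listen 8282", "Listen 1.2.3.4:8282",
# "Listen [::]:443 https"); commented-out lines are ignored.
listen_ports() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Listen[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | sed 's/.*://' \
        | sort -un
}

# SELinux type currently owning $1/$2 according to `semanage port -l` output
# ($3), or nothing if the port is unlabeled. Handles "lo-hi" ranges.
selinux_port_type() {
    printf '%s\n' "$3" | awk -v port="$1" -v proto="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                n = split(p, r, "-")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (port >= lo && port <= hi) { print $1; exit }
            }
        }'
}

# True if $1/$2 is reachable through firewalld: listed by --list-ports ($3) or
# covered by the http/https services in --list-services ($4). Only those two
# services are mapped here (assumption; other services are ignored).
firewall_open() {
    case " $3 " in *" $1/$2 "*) return 0 ;; esac
    case "$1/$2" in
        80/tcp)  case " $4 " in *" http "*)  return 0 ;; esac ;;
        443/tcp) case " $4 " in *" https "*) return 0 ;; esac ;;
    esac
    return 1
}

# Print the remediation commands for one httpd.conf / semanage / firewalld state:
# $1 = httpd config text, $2 = `semanage port -l`, $3 = `--list-ports`, $4 = `--list-services`
audit_ports() {
    need_reload=
    for port in $(listen_ports "$1"); do
        t=$(selinux_port_type "$port" tcp "$2")
        if [ -z "$t" ]; then
            echo "semanage port -a -t http_port_t -p tcp $port"
        elif [ "$t" != http_port_t ]; then
            # -a fails with "already defined" here; -m re-labels the port.
            # Only http_port_t is accepted as-is (assumption); other types httpd_t
            # may bind can be listed with: sesearch -A -s httpd_t -c tcp_socket -p name_bind
            echo "semanage port -m -t http_port_t -p tcp $port"
        fi
        if ! firewall_open "$port" tcp "$3" "$4"; then
            echo "firewall-cmd --permanent --add-port=$port/tcp"
            need_reload=1
        fi
    done
    [ -n "$need_reload" ] && echo "firewall-cmd --reload"
    return 0
}

# Constructed sample input (not captured from a real system): httpd listens on
# 80 and 8282, only 80 is labeled, and firewalld opens http plus one stray port.
SAMPLE_CONF='Listen 80
Listen 192.168.1.151:8282
#Listen 9999'
SAMPLE_SEMANAGE='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
zabbix_port_t                  tcp      10051'
SAMPLE_FW_PORTS='10051/tcp'
SAMPLE_FW_SERVICES='dhcpv6-client http ssh'

if [ "${1:-}" = "--live" ]; then
    audit_ports "$(cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf)" \
                "$(semanage port -l)" \
                "$(firewall-cmd --list-ports)" "$(firewall-cmd --list-services)"
else
    audit_ports "$SAMPLE_CONF" "$SAMPLE_SEMANAGE" "$SAMPLE_FW_PORTS" "$SAMPLE_FW_SERVICES"
fi
```

Run without arguments to see the sample produce the two commands for port 8282 plus the firewalld reload; run with "--live" as root on server2 to audit the real configuration (conf.d is included because ssl.conf adds its own "Listen 443 https"). The script only prints commands rather than executing them, so a re-label suggested by the "-m" branch can be reviewed before a port is moved away from a type something else may depend on.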
===== User Based =====

See [[linux_wiki:configure_access_restrictions_on_directories#restrict_access|Restrict Access to a Directory]].

----

linux_wiki/network_services_overview_apache_web_server.txt · Last modified: 2019/05/25 23:50