Network Services Overview: Apache Web Server
General Information
This page covers the Network Services objectives, specifically for the Apache Web Server.
Network Services Objectives
- Install the packages needed to provide the service
- Configure SELinux to support the service
- Use SELinux port labeling to allow services to use non-standard ports
- Configure the service to start when the system is booted
- Configure the service for basic operation
- Configure host-based and user-based security for the service
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → Perform all connectivity tests from here
- server2.example.com (192.168.1.151) → Install Apache Web Server here
Install the packages needed to provide the service
Install Apache Web Server (httpd) and manual
yum install httpd httpd-manual
- NOTE: The httpd-manual can come in handy for checking syntax/getting help.
Access the httpd-manual
http://localhost/manual OR elinks /usr/share/httpd/manual/<page|section>
Configure SELinux to support the service
- Service agnostic → Ensure SELinux is running and enabled (RHCSA objective).
Use SELinux port labeling to allow services to use non-standard ports
Configure the Apache Web Server to listen on a non-standard port and allow access to that port with SELinux.
- Examples: “man semanage-port” has examples for allowing non-standard ports!
- Tip: To see current port labels
semanage port -l | grep http
Change HTTPD's Port
Change httpd port
vim /etc/httpd/conf/httpd.conf
Listen 8282
Restart httpd service
systemctl stop httpd
systemctl start httpd
- service should fail to start
See why
systemctl status httpd -l
- The output should show a permission denied error when httpd tries to create its socket on port 8282
SELinux: Configure Non Standard Port
View http ports SELinux allows
semanage port -l | grep http
Label port 8282 for the http service
semanage port -a -t http_port_t -p tcp 8282
- semanage port → SELinux port mapping tool
- -a → add a record
- -t http_port_t → Type http_port_t
- -p tcp → Protocol tcp
- 8282 → the port
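A preflight check for the steps above, as an added example that is not part of the original page: it compares the Listen ports in an httpd.conf with "semanage port -l" output and prints every port that still lacks the http_port_t label. The function names and the sample data are constructed for illustration.

```bash
#!/bin/bash
# Added example: preflight check that each httpd Listen port carries the
# SELinux http_port_t label. Sample inputs below are constructed.

# listen_ports FILE: print the port of every active Listen directive.
# Handles "Listen 8282", "Listen 192.168.1.151:8282" and "Listen [::1]:8282".
listen_ports() {
    awk 'tolower($1) == "listen" { n = split($2, a, ":"); print a[n] }' "$1"
}

# port_has_label TYPE PORT: read `semanage port -l` text on stdin and succeed
# if tcp PORT is listed under TYPE, either singly or inside a range.
port_has_label() {
    awk -v type="$1" -v port="$2" '
        $1 == type && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                n = split(p, r, "-")
                if (n == 1 && p + 0 == port + 0) found = 1
                if (n == 2 && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
            }
        }
        END { exit !found }'
}

# unlabeled_ports CONF LABELS: print Listen ports in CONF lacking http_port_t.
unlabeled_ports() {
    for p in $(listen_ports "$1"); do
        port_has_label http_port_t "$p" < "$2" || echo "$p"
    done
}

# Constructed sample data; on a real host use /etc/httpd/conf/httpd.conf and
# the saved output of: semanage port -l
tmp=$(mktemp -d)
cat > "$tmp/httpd.conf" <<'EOF'
#Listen 12.34.56.78:80
Listen 80
Listen 192.168.1.151:8282
EOF
cat > "$tmp/ports.txt" <<'EOF'
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
EOF

echo "Ports that need 'semanage port -a -t http_port_t -p tcp <port>':"
unlabeled_ports "$tmp/httpd.conf" "$tmp/ports.txt"    # prints 8282
```

Running the check before restarting httpd catches the bind failure described above without waiting for the service to fail.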
Configure the service to start when the system is booted
Check Current Service Status
systemctl status httpd
- Also displays if the service is enabled or disabled
Enabling a service to start on boot
systemctl enable httpd
Configure the service for basic operation
Enable and Start the service
systemctl enable httpd
systemctl start httpd
Configure host-based and user-based security for the service
Firewall
Allow access through the firewall
# Standard http/https ports
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
# Non-standard port example
firewall-cmd --permanent --add-port=8282/tcp
firewall-cmd --reload
Host Based
/etc/httpd/conf/httpd.conf
<Directory "/var/www/html">
    # Blacklist "evilserver.local"
    <RequireAll>
        Require all granted
        Require not host evilserver.local
    </RequireAll>
</Directory>
- The above will allow access from all hosts except “evilserver.local”
- Must be inside of a <Directory> context.