Configure a Virtual Host
### Configure HTTP virtual host
## configure the default home page
[root@rhel7server1 var]# cat /var/www/html/index.html
<html><body>default home page</body></html>
## test the default page
[root@rhel7server1 var]# curl http://rhel7server1
<html><body>default home page</body></html>
## add a hosts file entry for the new virtual host name
[root@rhel7server1 var]# grep myvhost /etc/hosts
192.168.0.10 rhel7server1.myexample.com rhel7server1 myvhost.myexample.com
## before we configure the virtualhost in apache httpd,
## loading the virtualhost will show the default home page
[root@rhel7server1 var]# curl http://myvhost.myexample.com
<html><body>default home page</body></html>
## we can add our VirtualHost directive
## either (1) directly in /etc/httpd/conf/httpd.conf
## or (2) creating a new .conf file inside /etc/httpd/conf.d/
## choose method (2)
## one vhost conf file for myvhost.myexample.com
[root@rhel7server1 conf]# vi /etc/httpd/conf.d/myvhost.conf
/etc/httpd/conf.d/myvhost.conf
<VirtualHost *:80>
# Name-based virtual host for myvhost; "httpd -D DUMP_VHOSTS" below lists it
# next to the _default_ vhost in default.conf, which answers every other hostname.
ServerAdmin admin@myvhost.myexample.com
# Own document root so the vhost content stays separate from the default site.
DocumentRoot /var/www/html/myvhost
ServerName myvhost.myexample.com
# Per-vhost logs; relative paths are resolved against ServerRoot.
ErrorLog logs/myvhost-error_log
CustomLog logs/myvhost-access_log combined
</VirtualHost>
## another default conf file for all other hostnames
/etc/httpd/conf.d/default.conf
<VirtualHost _default_:80>
DocumentRoot /var/www/html
</VirtualHost>
## make the document root directory for the virtual host
## and create the default page (index.html) in that directory
[root@rhel7server1 conf]# mkdir /var/www/html/myvhost
[root@rhel7server1 conf]# cd /var/www/html/myvhost/
[root@rhel7server1 myvhost]# echo "<html><body>virtual host home page</body></html>" > index.html
## validate the VirtualHost settings before restarting
[root@rhel7server1 conf.d]# httpd -D DUMP_VHOSTS
VirtualHost configuration:
*:80 is a NameVirtualHost
default server rhel7server1.myexample.com (/etc/httpd/conf.d/default.conf:1)
port 80 namevhost rhel7server1.myexample.com (/etc/httpd/conf.d/default.conf:1)
port 80 namevhost myvhost.myexample.com (/etc/httpd/conf.d/myvhost.conf:1)
## if no error, proceed to restart httpd service
[root@rhel7server1 conf.d]# systemctl restart httpd
## test the virtual host URL
[root@rhel7server1 ~]
curl http://myvhost.myexample.com
<html><body>virtual host home page</body></html>
## Other URLs will load the default virtual host
[root@rhel7server1 ~]
curl http://localhost
<html><body>default home page</body></html>
[root@rhel7server1 ~]
curl http://rhel7server1
<html><body>default home page</body></html>
[root@rhel7server1 ~]
curl http://rhel7server1.myexample.com
<html><body>default home page</body></html>
Configure access restrictions on directories
restrict by client hostname
restrict by user id
### Restrict a private directory based on the client hostname
[root@rhel7server1 ~]# cd /var/www/html
[root@rhel7server1 ~]# mkdir /var/www/html/hostbased
[root@rhel7server1 html]# cd /var/www/html/hostbased
[root@rhel7server1 hostbased]# echo "<html><body>host based private dir default page</body></html>" > index.html
[root@rhel7server1 hostbased]# ls -dZ /var/www/html/hostbased
drwxr-xr-x. root root unconfined_u:object_r:var_t:s0 /var/www/html/hostbased
[root@rhel7server1 hostbased]# ls -dZ /var/www/html/hostbased/index.html
-rw-r--r--. root root unconfined_u:object_r:var_t:s0 /var/www/html/hostbased/index.html
## make sure the directory and its files carry the SELinux file context
## httpd_sys_content_t (the ls -Z output above shows var_t instead)
## if using a different directory, e.g. /var/www/html/hostbased, where the SELinux context
## is not set, set it accordingly with
[root@rhel7server1]# semanage fcontext -at httpd_sys_content_t "/var/www/html/hostbased(/.*)?"
[root@rhel7server1]# restorecon -R /var/www/html/hostbased
[root@rhel7server1 ~]# restorecon -R .
## create hostbased.conf in /etc/httpd/conf.d
[root@rhel7server1 conf]# vi /etc/httpd/conf.d/hostbased.conf
## add the following
/etc/httpd/conf.d/hostbased.conf
# host based private directory
# "Require host" (mod_authz_host) admits a client only when its address
# reverse-resolves to this name, so the rule depends on correct DNS and is
# weaker than an address rule ("Require ip <CLIENT-ADDRESS>"); the local curl
# further down gets 403 because the server's own address is not rhel7client1.
<Directory "/var/www/html/hostbased">
# No .htaccess overrides and no extra features (indexes, CGI) in this directory.
AllowOverride None
Options None
Require host rhel7client1.myexample.com
</Directory>
## validate the config
[root@rhel7server1 conf]# httpd -t
Syntax OK
## restart apache
[root@rhel7server1 conf]#
systemctl restart httpd
## test by browsing the page locally on the server itself: the request is refused (403 Forbidden)
## because the server's own address does not reverse-resolve to the allowed client hostname
[root@rhel7server1 conf.d]# curl http://rhel7server1.myexample.com/hostbased/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /hostbased/
on this server.</p>
</body></html>
## if firewall not yet opened to allow access from other hosts, open first
[root@rhel7server1 conf]#
firewall-cmd --permanent --add-service=http
[root@rhel7server1 conf]#
firewall-cmd --reload
## test browse from the allowed client - will successfully load the page
[root@rhel7client1 ~]# curl http://rhel7server1.myexample.com/hostbased/
<html><body>host based private dir default page</body></html>
### Restrict a private directory based on user id
## e.g. user=user1, private dir=/var/user1dir
[root@rhel7server1 ~]# useradd user1
[root@rhel7server1 ~]# mkdir /var/user1dir
[root@rhel7server1 ~]# echo "<html><body>private dir for user1</body></html>" > /var/user1dir/index.html
[root@rhel7server1 ~]# chown -R user1:staff /var/user1dir
[root@rhel7server1 ~]# chmod 0711 /var/user1dir
[root@rhel7server1 ~]# semanage fcontext -at httpd_sys_content_t "/var/user1dir(/.*)?"
[root@rhel7server1 ~]# restorecon -Rv /var/user1dir
restorecon reset /var/user1dir context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/user1dir/index.html context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@rhel7server1 ~]# ls -lZ /var/user1dir
-rw-r--r--. user1 staff unconfined_u:object_r:httpd_sys_content_t:s0 index.html
## edit httpd.conf and
[root@rhel7server1 user1dir]# cd /etc/httpd/conf
[root@rhel7server1 user1dir]#
vi httpd.conf
## change DocumentRoot (this makes all of /var the web root; an Alias /user1dir "/var/user1dir" directive would expose only the one directory)
DocumentRoot "/var"
## restrict /var/user1dir
<Directory "/var/user1dir">
AllowOverride AuthConfig
</Directory>
## save httpd.conf and then check the syntax with
[root@rhel7server1 conf]# httpd -t
Syntax OK
[root@rhel7server1 conf]# cd /var/user1dir
[root@rhel7server1 user1dir]# vi .htaccess
[root@rhel7server1 user1dir]# cat .htaccess
# Basic auth sends the password base64-encoded, i.e. effectively in clear, on
# plain HTTP; put this directory behind the TLS vhost set up later in this guide.
AuthType Basic
AuthName "Password Protected Private Directory - Enter Login Credentials:"
# The password file lives under /etc/httpd/conf, outside the web root, so httpd
# can read it (root:apache 0640, set below) but can never serve it. The hash the
# transcript shows is apr1 (MD5-based); "htpasswd -B" produces bcrypt instead.
AuthUserFile "/etc/httpd/conf/.userdb"
# Only user1 may enter; "Require valid-user" would admit any user in the file.
Require user user1
## alternatively, to allow any authenticated user, use "Require valid-user"
[root@rhel7server1 user1dir]# cd /etc/httpd/conf
[root@rhel7server1 conf]# htpasswd -c .userdb user1
New password:
Re-type new password:
Adding password for user user1
[root@rhel7server1 conf]# cat .userdb
user1:$apr1$t0mAFEjS$sCr1SrxJY1eby6/eYnZ2b0
[root@rhel7server1 conf]# chgrp apache .userdb
[root@rhel7server1 conf]# chmod 0640 .userdb
[root@rhel7server1 conf]#
systemctl restart httpd
## test access to the website
[root@rhel7server1 conf]#
firefox http://rhel7server1.myexample.com/user1dir
&
Deploy a basic CGI application
### Create a CGI application at the default cgi-bin dir
[root@rhel7server1 ~]# grep cgi-bin /etc/httpd/conf/httpd.conf | grep -v ^#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
[root@rhel7server1 cgi-bin]# vi mytime.cgi
## sample CGI script using bash
/var/www/cgi-bin/mytime.cgi
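#!/bin/bash
# CGI script: report the server's current local time as a text/html body.
# One blank line terminates the CGI header block; the original printed two
# empty lines, so the second one leaked into the response body.
printf 'Content-type: text/html\n\n'
# $(date) replaces the legacy backtick substitution. The value is generated
# on the server, not taken from the request, so interpolating it is safe.
printf '%s\n' "This is the current time on the system $(date)"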
## sample CGI script using Perl
/var/www/cgi-bin/mytime.cgi
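#!/usr/bin/perl
# CGI script: print the server's current local date and time as a minimal HTML page.
use strict;
use warnings;

# localtime() returns (sec, min, hour, mday, mon, year, wday, yday, isdst);
# mon is 0-based and year counts from 1900, hence the +1 and +1900 below.
my ($s, $m, $h, $DD, $DM, $DY, $wday, $yday, $isdst) = localtime();
my $date = sprintf "%02d-%02d-%04d", $DD, $DM + 1, 1900 + $DY;
my $time = sprintf "%02d:%02d:%02d", $h, $m, $s;

# The blank line after the header terminates the CGI response headers.
printf("Content-type: text/html\n\n");
# Closing tag fixed: the original ended the document with "<html>" instead of "</html>".
printf("<html><body>This is the current time on the system %s, %s</body></html>\n", $date, $time);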
## set the permission
[root@rhel7server1 cgi-bin]# chmod +x mytime.cgi
## test it
[root@rhel7server1 cgi-bin]# ./mytime.cgi
Content-type: text/html
<html><body>This is the current time on the system 27-06-0120, 10:28:04</body><html>
#
# check that httpd_enable_cgi is set to on
[root@rhel7server1 cgi-bin]# getsebool -a | grep httpd_enable_cgi
httpd_enable_cgi --> on
## if not on, set it, else skip this step
[root@rhel7server1 cgi-bin]#
setsebool -P httpd_enable_cgi 1
## edit /etc/httpd/conf/httpd.conf
[root@rhel7server1]# vi /etc/httpd/conf/httpd.conf
## modify the <Directory> block for the cgi-bin dir as follows
<Directory "/var/www/cgi-bin">
AllowOverride None
# Script execution is enabled only here; the directory sits outside the default
# DocumentRoot (/var/www/html) and is reached through the ScriptAlias shown above.
Options +ExecCGI
# Files with these extensions are handled as CGI scripts.
AddHandler cgi-script .cgi .pl
# Public: no client restriction on /cgi-bin/.
Require all granted
</Directory>
## validate the config
[root@rhel7server1 cgi-bin]# httpd -t
Syntax OK
## restart
[root@rhel7server1 httpd]# systemctl restart httpd
## test load the cgi
[root@rhel7server1 cgi-bin]# curl http://rhel7server1/cgi-bin/mytime.cgi
<html><body>This is the current time on the system 27-06-0120, 10:31:11</body><html>
Configure Group Managed Content
## for group=dbadmins with members dba1 and dba2 restricted directory /var/dbdir
[root@rhel7server1 ~]# groupadd dbadmins
[root@rhel7server1 ~]# useradd -m -d /home/dba1 -g dbadmins -c "dba1" dba1
[root@rhel7server1 ~]# useradd -m -d /home/dba2 -g dbadmins -c "dba2" dba2
[root@rhel7server1 ~]# mkdir /var/dbdir
[root@rhel7server1 ~]# chgrp dbadmins /var/dbdir
## set the permission on the dir. Note: the execute (search) bit for "other" is required because
## the apache user is not a member of dbadmins and otherwise cannot traverse the directory,
## so set permission to 0771
[root@rhel7server1 ~]# chmod 0771 /var/dbdir
[root@rhel7server1 ~]# echo "<html><body>Private dir for dbadmins group</body></html>" > /var/dbdir/index.html
[root@rhel7server1 ~]# semanage fcontext -at httpd_sys_content_t "/var/dbdir(/.*)?"
[root@rhel7server1 ~]# restorecon -R /var/dbdir/
[root@rhel7server1 ~]# ls -ldZ /var/dbdir
drwxrwx---. root dbadmins unconfined_u:object_r:httpd_sys_content_t:s0 /var/dbdir
[root@rhel7server1 ~]# cd /etc/httpd/conf
[root@rhel7server1 conf]# vi httpd.conf
## change DocumentRoot to /var (this makes all of /var the web root; an Alias /dbdir "/var/dbdir" directive would expose only the one directory)
#DocumentRoot "/var/www/html"
DocumentRoot "/var"
## add the following into httpd.conf
<Directory "/var/dbdir">
AllowOverride AuthConfig
</Directory>
## validate the config
[root@rhel7server1 conf]# httpd -t
Syntax OK
[root@rhel7server1 conf]# cd /var/dbdir
[root@rhel7server1 dbdir]# vi .htaccess
## add the following and save
# Basic auth sends the password base64-encoded, i.e. effectively in clear, on
# plain HTTP; serve this directory over the TLS vhost set up later in this guide.
AuthType Basic
AuthName "Password Protected dbadmin content - enter credentials"
# Both files live under /etc/httpd/conf, outside the web root. The transcript
# below sets .groupdb to root:apache 0640 but leaves .grouppassworddb at the
# mode htpasswd created it with; apply the same chgrp/chmod to it.
AuthUserFile "/etc/httpd/conf/.grouppassworddb"
# Format: one line per group, "name: member member ..." (see the echo below).
AuthGroupFile "/etc/httpd/conf/.groupdb"
# A user must both authenticate via AuthUserFile and be listed in the group.
Require group dbadmins
## create the AuthGroupFile file
[root@rhel7server1 dbdir]# cd /etc/httpd/conf
[root@rhel7server1 conf]# echo "dbadmins: dba1 dba2" > .groupdb
## change group ownership and permission
[root@rhel7server1 conf]# chgrp apache .groupdb
[root@rhel7server1 conf]# chmod 0640 .groupdb
## create the AuthUserFile for the group members (then restrict it like .groupdb: chgrp apache, chmod 0640)
[root@rhel7server1 conf]# htpasswd -c .grouppassworddb dba1
New password:
Re-type new password:
Adding password for user dba1
[root@rhel7server1 conf]# htpasswd .grouppassworddb dba2
New password:
Re-type new password:
Adding password for user dba2
## restart httpd service
[root@rhel7server1 conf]# systemctl restart httpd
## test the website with firefox
[root@rhel7server1 conf]# firefox http://rhel7server1.myexample.com/dbdir &
Configure TLS Security
## install the required software packages
[root@rhel7server1 httpd]# yum -y install mod_ssl openssl
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
...
Complete!
[root@rhel7server1 httpd]# cd /etc/pki/tls/certs
[root@rhel7server1 certs]# ll
total 16
lrwxrwxrwx. 1 root root 49 Apr 21 2019 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Apr 21 2019 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-------. 1 root root 1419 Jun 14 08:09 localhost.crt
-rwxr-xr-x. 1 root root 610 May 17 2017 make-dummy-cert
-rw-r--r--. 1 root root 2516 May 17 2017 Makefile
-rwxr-xr-x. 1 root root 829 May 17 2017 renew-dummy-cert
## generate CSR and private key with openssl
[root@rhel7server1 certs]# openssl req -new -newkey rsa:2048 -nodes -keyout rhel7server1.myexample.com.key -out rhel7server1.myexample.com.csr
Generating a 2048 bit RSA private key
..........................+++
.......................................+++
writing new private key to 'rhel7server1.myexample.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: US
State or Province Name (full name) []:TX
Locality Name (eg, city) [Default City]:Houston
Organization Name (eg, company) [Default Company Ltd]:MyExample
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:rhel7server1.myexample.com
Email Address []:admin@myexample.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
## generate the self signed cert
[root@rhel7server1 certs]# openssl x509 -req -days 365 -signkey rhel7server1.myexample.com.key -in rhel7server1.myexample.com.csr -out rhel7server1.myexample.com.crt
Signature ok
subject=/C=US/ST=TX/L=Houston/O=MyExample/OU=IT/CN=rhel7server1.myexample.com/emailAddress=admin@myexample.com
Getting Private key
## move the private key file to the private key folder; -nodes above wrote it unencrypted,
## so confirm it stays readable by root only (mode 0600) after the move
[root@rhel7server1 certs]# mv /etc/pki/tls/certs/rhel7server1.myexample.com.key /etc/pki/tls/private/
## verify that the SSL module (mod_ssl) is loaded; we use mod_ssl rather than mod_nss for TLS encryption.
## These two provide the same functionality (TLS encryption) but use different libraries (OpenSSL and NSS respectively)
## and are mutually exclusive
[root@rhel7server1]# httpd -D DUMP_MODULES | grep ssl
ssl_module (shared)
## edit ssl.conf
[root@rhel7server1 conf.d]# vi /etc/httpd/conf.d/ssl.conf
## modify as follows
...
<VirtualHost _default_:443>
...
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
DocumentRoot "/var/www/html/myexample"
#ServerName www.example.com:443
ServerName rhel7server1.myexample.com:443
...
SSLEngine On
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/rhel7server1.myexample.com.crt
...
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/rhel7server1.myexample.com.key
...
[root@rhel7server1 conf.d]# mkdir /var/www/html/myexample
## test the config
[root@rhel7server1 conf.d]# httpd -t
Syntax OK
[root@rhel7server1 conf.d]# echo "<html><body>Secure Site home page</body></html>" > /var/www/html/myexample/index.html
[root@rhel7server1 conf.d]# chown -R apache:apache /var/www/html/myexample
## restart apache
[root@rhel7server1 conf]# systemctl restart httpd
## open firewall for https
[root@rhel7server1 ~]# firewall-cmd --permanent --add-service=https
[root@rhel7server1 ~]#
firewall-cmd --reload
## test the website with firefox, and accept the exception for the self-signed cert (the browser warns because it is not signed by a trusted CA)
[root@rhel7server1 conf]# firefox https://rhel7server1.myexample.com &
## view the certificate from the "padlock" icon