
Linux Services Organization : Linux HTTPD Linux Server

Apache is the most popular web server on the Internet. Built around the HTTP daemon (httpd), it serves all types of content over the regular HTTP protocol as well as over HTTPS, the secure version that encrypts the HTTP traffic. Apache is a robust open source web server developed by the Apache Software Foundation, http://www.apache.org.

Apache Web Server

In order to install Apache httpd server, the httpd rpm must be installed.

# yum install httpd

It is also possible to install the secure version of Apache (https) with the mod_ssl rpm.

# yum install mod_ssl

Apache Basic Configuration

The two key configuration files are /etc/httpd/conf/httpd.conf for the http web server and /etc/httpd/conf.d/ssl.conf for the https web server. The default version of these files creates a generic and functional web server.

# cat /etc/httpd/conf/httpd.conf

### Section 1: Global Environment

#Limits what clients learn about your web server from the Server header and from error pages such as the one returned for a nonexistent page. With this setting the subcomponents (modules) running inside the httpd server are not revealed.
ServerTokens OS

#Root location of configuration and log files is determined by the ServerRoot directive.
ServerRoot "/etc/httpd"

#The number of seconds the server waits for data to be received or sent before the connection times out when no HTTP activity is generated.
Timeout 120

#TCP port where the httpd server listens, by default 80.
Listen 80

#Load config files from the config directory "/etc/httpd/conf.d".
Include conf.d/*.conf

#The name (or #number) of the user/group to run httpd as.
User apache
Group apache

### Section 2: 'Main' server configuration

#Admin email address; server problems will be emailed automatically to this address.
ServerAdmin root@info.net

#The directory out of which you will serve your documents. By default, all requests are taken from this directory, but symbolic links and aliases may be used to point to other locations.
DocumentRoot "/var/www/html"

#First configure the "default" web directories with a very restrictive set of features. The FollowSymLinks option allows symbolic links to be followed when serving web pages. AllowOverride None disables .htaccess files, which could otherwise let other users change the server configuration for their own directories.
<Directory />
      Options FollowSymLinks
      AllowOverride None
</Directory>

#The next block controls access to /var/www/html, the default DocumentRoot. The Indexes option lets readers see a list of files if no index.html file is present in the directory. The Order and Allow lines allow all clients to access the web pages under DocumentRoot.
<Directory /var/www/html>
      Options Indexes FollowSymLinks
      AllowOverride None
      Order allow,deny
      Allow from all
</Directory>

# LogLevel: controls the number of messages logged to the error_log. Possible values include: debug, info, notice, warn, error, crit, alert, emerg. By default log files are located in the /var/log/httpd directory.
LogLevel warn

# Explained in more detail in next sections.
### Section 3: Virtual Hosts
...


Note: if the 'mod_ssl' rpm has been installed, a secure Apache web server (https) will be running by default on TCP port 443. The configuration file for this secure web server is /etc/httpd/conf.d/ssl.conf.

Note: Apache logs are located in the /var/log/httpd directory.

Apache Security

Firewall

In order to reach an Apache web server through a firewall, TCP ports 80 (http) and 443 (https) must be open.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

SELinux

By default the Apache web server is confined by SELinux in targeted mode. The following booleans control what Apache is allowed to do under SELinux.

# setsebool -P httpd_enable_cgi 1
Allow cgi scripts to be executed through the web server.

# setsebool -P httpd_enable_home_dirs 1
By default SELinux does not allow access to users' home directories through the web server. This boolean makes it possible, but first the home directories must be labelled as web server content: 'chcon -R -t httpd_sys_content_t ~user/public_html'.

In addition, any other system directory that is going to be served by the web server must first be labelled with the SELinux httpd content type. For example, if the directory /secwww is going to be used as the web server DocumentRoot:

# chcon -R -u system_u /secwww
# chcon -R -t httpd_sys_content_t /secwww

Host access security

In the httpd.conf file the Allow and Deny directives can regulate access to different areas of the web server based on host names or IP addresses.

<Directory /var/www/html/web>
      ...
      Order deny,allow
      Deny from all
      Allow from .info.net
      Allow from 192.168.30.0/24
      ...
</Directory>


The line 'Order deny,allow' means that the Deny directives are applied first and then the Allow directives, so a matching Allow overrides the Deny. In this case access is denied to everyone except hosts in the .info.net domain or on the 192.168.30.0/24 LAN.
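Because the evaluation order is easy to get backwards, here is an added example (not part of the tutorial) that models how httpd 2.2 evaluates Order/Deny/Allow for a client, applied to the /var/www/html/web block above; the client addresses and the pc1.info.net host name are constructed for the demonstration.

```python
import ipaddress

def host_matches(pattern, client_ip, client_host=None):
    """Match one argument of an 'Allow from' / 'Deny from' line the way
    mod_authz_host in httpd 2.2 does: 'all', a CIDR network or bare IP,
    a partial dotted IP such as '192.168.30', a domain suffix such as
    '.info.net', or a full host name."""
    if pattern == "all":
        return True
    if pattern.startswith("."):
        # Domain suffix; httpd only trusts the name after a double-reverse DNS lookup.
        return client_host is not None and client_host.lower().endswith(pattern.lower())
    if pattern.replace(".", "").isdigit() and pattern.count(".") < 3:
        return client_ip.startswith(pattern + ".")
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return client_host is not None and client_host.lower() == pattern.lower()

def access_allowed(order, deny_from, allow_from, client_ip, client_host=None):
    """Apply the Order semantics of httpd 2.2.
    deny,allow: Deny lines are evaluated first, a matching Allow overrides
                them, and a client matching neither is permitted.
    allow,deny: at least one Allow must match, a matching Deny overrides
                it, and a client matching neither is refused."""
    denied = any(host_matches(p, client_ip, client_host) for p in deny_from)
    allowed = any(host_matches(p, client_ip, client_host) for p in allow_from)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("Order must be 'deny,allow' or 'allow,deny'")

# The <Directory /var/www/html/web> block from the tutorial.
WEB_ORDER = "deny,allow"
WEB_DENY = ["all"]
WEB_ALLOW = [".info.net", "192.168.30.0/24"]

def web_dir_allowed(client_ip, client_host=None):
    return access_allowed(WEB_ORDER, WEB_DENY, WEB_ALLOW, client_ip, client_host)

if __name__ == "__main__":
    # Constructed clients: one on the LAN, one outside, one outside but in .info.net.
    for ip, host in [("192.168.30.7", None), ("10.0.0.5", None), ("10.0.0.5", "pc1.info.net")]:
        print(ip, host, "->", "allowed" if web_dir_allowed(ip, host) else "denied")
```

Note that the domain-suffix rule depends on reverse DNS for the client address, so it is only as trustworthy as the DNS the server queries.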

User access security

Access to different areas of the web server can be regulated through username and password.

<Directory "/var/www/html/marketing">
      ...
      AuthType Basic
      AuthName "Password Protected Marketing"
      AuthUserFile /etc/httpd/markpass
      Require user john kate
      ...
</Directory>


This configuration allows only the users john and kate to access the marketing web area. When a connection is made to the marketing web area the web server asks for a username and password, which are authenticated against the password file /etc/httpd/markpass. The htpasswd command can be used to create the john and kate accounts.

# htpasswd -c /etc/httpd/markpass john
Password:

# htpasswd /etc/httpd/markpass kate
Password:


Note that the '-c' option of htpasswd must be used if the authentication file does not exist yet (that is, when creating the first user).

Executable files in Apache

The ScriptAlias directive can be used to enable web directories with executable CGI files. The following ScriptAlias directive links the default cgi-bin directory to /var/www/cgi-bin.

ScriptAlias /cgi-bin/ "/var/www/cgi-bin"

<Directory /var/www/cgi-bin>
      AllowOverride None
      Options None
      Order allow,deny
      Allow from all
</Directory>


Remember to change the SELinux context of this directory so that SELinux allows Apache to execute the scripts.

# chcon -t httpd_sys_script_exec_t /var/www/cgi-bin

Make sure that SELinux allows Apache to execute CGI scripts.

# setsebool -P httpd_enable_cgi 1

Limiting resources and rejecting DoS attacks

Some configuration parameters limit the system resources that Apache can consume, which minimizes the impact of a DoS attack.

# StartServers: number of server processes to start when httpd is started. More httpd processes are started on demand until the 'MaxClients' limit is reached.
StartServers 8

# ServerLimit: maximum value for MaxClients for the lifetime of the server. It caps the maximum number of simultaneous clients that can connect to the web server.
ServerLimit 256

# MaxClients: maximum number of server processes allowed to start. It limits the number of simultaneous httpd processes on the web server and therefore the number of simultaneous requests that can be served; requests beyond the MaxClients limit are queued.
MaxClients 256

Apache Virtual Hosts

A useful feature of Apache is its ability to manage different web sites on a single IP address by creating multiple virtual hosts on the same web server in the file /etc/httpd/conf/httpd.conf. The result is that multiple domain names such as www.info.net and www.example.net can be served by the same web server on the same IP address. It is also possible to configure virtual hosts on the secure web server by configuring them in the file /etc/httpd/conf.d/ssl.conf.

# cat /etc/httpd/conf/httpd.conf
...

### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.

NameVirtualHost *:80
...
<VirtualHost *:80>
      ServerAdmin webmaster@info.net
      DocumentRoot /var/www/info.net
      ServerName www.info.net
      ErrorLog logs/www.info.net-error_log
      CustomLog logs/www.info.net-access_log common
</VirtualHost>

<VirtualHost *:80>
      ServerAdmin webmaster@example.net
      DocumentRoot /var/www/example.net
      ServerName www.example.net
      ErrorLog logs/www.example.net-error_log
      CustomLog logs/www.example.net-access_log common
</VirtualHost>


In this case two web sites have been configured on the same web server: www.info.net (DocumentRoot /var/www/info.net and logs in www.info.net*log) and www.example.net (DocumentRoot /var/www/example.net and logs in www.example.net*log). Let's create an index.html for each web site and label it as web server content for SELinux.

# mkdir -p /var/www/info.net
# echo "info net web page" > /var/www/info.net/index.html
# mkdir -p /var/www/example.net
# echo "example net web page" > /var/www/example.net/index.html

# chcon -R -u system_u /var/www/info.net
# chcon -R -t httpd_sys_content_t /var/www/info.net
# chcon -R -u system_u /var/www/example.net
# chcon -R -t httpd_sys_content_t /var/www/example.net


And finally restart the Apache web server with the new configuration.

# /etc/init.d/httpd restart

In order to test the result, add the following lines to the /etc/hosts file so that the hostnames www.info.net and www.example.net resolve to the Apache web server IP 192.168.1.10.

# echo "192.168.1.10 www.info.net" >> /etc/hosts
# echo "192.168.1.10 www.example.net" >> /etc/hosts


Let's check the httpd.conf content with the 'httpd' command.

# httpd -t
Syntax OK

# httpd -D DUMP_VHOSTS

VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80       is a NameVirtualHost
      default server www.info.net (/etc/httpd/conf/httpd.conf:1013)
      port 80 namevhost www.info.net (/etc/httpd/conf/httpd.conf:1013)
      port 80 namevhost www.example.net (/etc/httpd/conf/httpd.conf:1021)
Syntax OK
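The DUMP_VHOSTS output lists www.info.net as the "default server": a request whose Host header matches no ServerName lands on the first container for that address and port. This added example (not from the tutorial) parses a constructed copy of the Section 3 containers above and resolves a Host header to its DocumentRoot the same way, including that default-server fallback; the ServerAlias line is added to the sample to show alias matching.

```python
import re

# Constructed sample: the two containers from the tutorial, reduced to the
# directives that matter for name-based selection, plus one ServerAlias.
SAMPLE_CONF = """
NameVirtualHost *:80
<VirtualHost *:80>
    DocumentRoot /var/www/info.net
    ServerName www.info.net
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /var/www/example.net
    ServerName www.example.net
    ServerAlias example.net
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def parse_vhosts(conf_text):
    """Return [(address_spec, {directive: value}), ...] in file order.
    File order matters: the first container is the default server."""
    vhosts = []
    for spec, body in VHOST_RE.findall(conf_text):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                directives[key] = value.strip()
        vhosts.append((spec.strip(), directives))
    return vhosts

def resolve_vhost(vhosts, host_header, port=80):
    """Name-based selection as httpd 2.2 does it: the first container on the
    matching address:port whose ServerName or ServerAlias equals the Host
    header, otherwise the first container on that address:port."""
    host = host_header.rsplit(":", 1)[0].lower()  # drop an explicit :port
    candidates = [d for spec, d in vhosts if spec in ("*", "*:%d" % port)]
    for d in candidates:
        names = [d.get("ServerName", "").lower()] + d.get("ServerAlias", "").lower().split()
        if host in names:
            return d
    return candidates[0] if candidates else None

def document_root_for(host_header, conf_text=SAMPLE_CONF):
    vhost = resolve_vhost(parse_vhosts(conf_text), host_header)
    return None if vhost is None else vhost["DocumentRoot"]
```

Requests for unknown or raw-IP Host headers are answered by the first container, so that container should be the site you are happy to expose to scanners and misdirected traffic.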


Finally, access www.info.net and www.example.net and verify that the corresponding index.html page is displayed.

# elinks http://www.info.net
--> info net web page

# elinks http://www.example.net
--> example net web page

Questions

1.- The Apache web server daemon httpd is executed by default as root user (true/false).

2.- In order to install a secure Apache web server the rpm 'https' must be installed (true/false).

3.- With Apache it is possible to customize the error code messages (true/false).

4.- Which httpd.conf configuration parameter is used to configure the system directory that contains the files/directories that form the web site?

5.- Which httpd.conf configuration parameter is used to allow following symbolic links in a web server directory?

6.- Which command can be used in order to test the httpd.conf content?

7.- Which command can be used in order to test the httpd.conf virtual host configuration?

8.- Which SELinux command must be used in order to label a system directory to be used as a web server directory?

9.- Which httpd.conf configuration parameter must be used in order to configure where the Apache web server configuration is stored?

A - ServerTokens
B - ServerAdmin
C - DocumentRoot
D - ServerRoot

10.- Which httpd.conf configuration parameter must be used to set the file that is displayed when the directory containing that file is requested from a web server?

A - DirectoryIndex
B - DirectoryRoot
C - Both of them
D - None of them

Labs

1.- Create on rhel6 (192.168.1.10) a secure directory /var/security, accessible at https://server.example.com/secure, and allow access only from 192.168.1.0/24 to authenticated users listed in /etc/httpd/secure. Users donna/donna and mike/mike must have access. (http://server.example.com must remain accessible from everywhere.)

2.- On the web server configured in the previous exercise (http://server.example.com), allow all users to share their /home/user/public_html read-only via Apache. Make sure it works with SELinux.

3.- Configure virtual hosts on rhel6 (192.168.1.10) in the https web server for host1.example.com (/host1) and host2.example.com (/host2).

-- This page is part of Linux Server online tutorial --