On a new CentOS Linux server, after installing the PHP environment, Apache serves files from /var/www/html by default. If you do not want to use this default path, you can set a directory yourself.

Example: create a /data/website folder under the root directory to hold the project.

Preparation: create the directory under the root directory

    cd /
    mkdir data
    cd data
    mkdir website

Operation steps:

1. Edit the Apache configuration file:

    vi /etc/httpd/conf/httpd.conf

Find the line DocumentRoot "/var/www/html" (Apache's root directory) and change /var/www/html to /data/website. Then find the <Directory "/var/www/html"> section (which defines the settings for Apache's /var/www/html area) and change /var/www/html to /data/website there as well. This replaces Apache's default path.

    service httpd restart    # restart the Apache server

2. Access localhost and you will find that access is denied. Why? Mainly because the permissions on your /home/wwwroot/web1/htdocs are 750, so the apache user does not have permission to access it. You need to change the permissions:

    chmod -R 755 /data/website

Then access the site again and you will find that it works correctly (Apache user: apache; Apache group: apache).

At this point, the Apache default site directory has been changed successfully. Then move your project to the configured directory.

Changes to the Apache root directory under Linux:

1. Modify the path in the DocumentRoot and Directory entries in /etc/httpd/conf/httpd.conf, then restart Apache.
2. However, after the modification, even though the path is correct and the directory permissions are set to 755, there is still a problem: no permission (You don't have permission ...).
3. Ultimate reason: SELinux is enabled on Linux. To turn it off: setenforce 0 (temporary; lost on restart), or modify /etc/selinux/config to set SELINUX=permissive (takes effect after restart).
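
The procedure above as a script, added here as an example and not part of the original article: it rewrites both paths in httpd.conf, finds the directory whose mode blocks the apache user, and, as an alternative to turning SELinux off in step 3, labels the new directory so Apache can read it while SELinux stays enforcing. The function names are hypothetical; the permission check assumes the apache user is neither the owner nor in the group of the directories, and label_docroot assumes the semanage tool is installed.

```shell
#!/bin/sh
# Added example: helpers for moving Apache's DocumentRoot on CentOS.
# Function names are hypothetical; see the usage lines at the bottom.

# Replace OLD with NEW in the DocumentRoot line and the matching
# <Directory "OLD"> line of CONF, keeping a backup in CONF.bak.
# Assumes the paths contain no '|' and no regex metacharacters.
set_docroot() {
    conf=$1 old=$2 new=$3
    cp -p "$conf" "$conf.bak" || return 1
    sed -i \
        -e "s|^\([[:space:]]*DocumentRoot[[:space:]]*\)\"$old\"|\1\"$new\"|" \
        -e "s|^\([[:space:]]*<Directory[[:space:]]*\)\"$old\">|\1\"$new\">|" \
        "$conf"
}

# Walk from DIR up to TOP (default /) and print the highest directory
# whose "other" bits lack search (x) permission, e.g. mode 750.
# Returns 0 if every level is traversable, 1 if one blocks.
# Assumes the apache user is neither owner nor in the group.
first_blocked_dir() {
    dir=$1 top=${2:-/} blocked=
    while :; do
        mode=$(stat -c %a "$dir") || return 2
        case $mode in
            *[1357]) ;;              # odd last digit: x bit set for others
            *) blocked=$dir ;;
        esac
        [ "$dir" = "$top" ] || [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    [ -z "$blocked" ] && return 0
    printf '%s\n' "$blocked"
    return 1
}

# Alternative to disabling SELinux: give NEW the type Apache may read.
# Assumes the semanage tool is installed.
label_docroot() {
    semanage fcontext -a -t httpd_sys_content_t "$1(/.*)?" &&
        restorecon -Rv "$1"
}

# Usage (as root):
#   set_docroot /etc/httpd/conf/httpd.conf /var/www/html /data/website
#   first_blocked_dir /data/website    # prints e.g. /data if it is 750
#   label_docroot /data/website && service httpd restart
```
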
======================================================
Principle: The flow of network packets into the host
First, analysis by the firewall: Linux has built-in firewall mechanisms, so whether your connection succeeds depends first on the firewall. By default Linux has two firewall mechanisms, which are independent of each other, so there is a preset two-layer firewall. The first layer is the packet-filtering Netfilter firewall, and the other is the TCP Wrappers firewall, which is controlled through software.
1. Packet filtering firewall: IP Filtering or Net Filter
A packet entering the Linux host first passes through the firewall preset in the Linux kernel, which is called Netfilter; simply put, it is the firewall functionality provided by the iptables software. Why is it called packet filtering? Because it filters mainly by analyzing TCP/IP packet headers. The analysis is mainly at OSI layers two, three and four, and what it controls is mainly MAC, IP, ICMP, TCP and UDP ports and states (SYN, ACK ...) and so on. Detailed information will be introduced in the ninth chapter, on firewalls.
2. Second layer firewall: TCP Wrappers
After passing through Netfilter, the network packet is next checked by the super daemons and TCP Wrappers. What is that? It is the function of the /etc/hosts.allow and /etc/hosts.deny configuration files. This function also analyzes the TCP header, and you can likewise set rules to block certain IPs or ports, so that packets from a given source are either discarded or pass the check.
Through the control of the firewall, we can discard most of the garbage packets from the Internet and allow connections only to the services we have opened ourselves, which achieves the most basic security protection.
Second, the basic functions of the service (daemon): the default firewall is built into Linux, but a firewall mainly manages packet header information such as MAC, IP and port. If you want to control which directories can be entered and which cannot, that has to be done with permissions and the related features that the server software provides. For example, you can use the httpd.conf configuration file to specify that certain source IPs cannot use the httpd service to obtain the host's data, so even if that IP passes the previous two layers of filtering, it still cannot access the host's resources! However, it should be noted that if the httpd program itself has a problem, then the client side can directly exploit the vulnerability in the httpd software to invade the host, without needing the host's root password! So be careful with the software you start up on the Internet!
Third, SELinux's fine-grained control of network services: to avoid the permission misuse of the previous step, or problems caused by a faulty program, Security Enhanced Linux (SELinux) comes into play! In short, SELinux can set rules on the permissions of a network service so that what the program can do is limited. So even if the user's file permissions are set wrongly and the program has a problem, the actions the program can take are limited, and the same holds even if the program runs with root permissions. For example, suppose the httpd of the previous step really was attacked by a cracker and the other side got root access: because httpd has been confined by SELinux to /var/www/html, and the functions it can carry out have been regulated, the cracker cannot use this program to do further damage to the system. So SELinux must be turned on!
Fourth, using the host's file system resources: think about it, what is the main purpose of connecting to a WWW host with your browser? To read the host's WWW data, of course! And what is the WWW data? It is files! ^_^! Therefore, the network packet is ultimately a request to the host for file system data. Here we assume that you want to use the httpd program to obtain the system's file data, but httpd is started by default under a system account named httpd, so the permissions on your web page data must of course let the httpd program read it! If the previous three checkpoints are all set up correctly but the final permissions are set incorrectly, users still cannot browse your web data.
Change the Apache default site directory under the CentOS Linux system