Deploy a static web site using Apache Services

Source: Internet
Author: User

1. Website Service Program

Web service generally refers to a service that lets users access resources on the Internet through a browser. Apache is one of the Web server programs with the largest market share; it is cross-platform, widely recognised for its security, and offers fast, reliable and simple API extensions. Apache is also the default Web server in RHEL 5, 6 and 7.

Step 1: Mount the system image in the optical drive to the /media/cdrom directory.

Step 2: Create a configuration file for the Yum repository with the Vim editor.

Step 3: Install the Apache service. When installing with the yum command, the package name of the Apache service is httpd; running "yum install apache" directly produces an error.

Step 4: Start the httpd service and add it to the boot sequence, so that it starts with the system and keeps providing Web services.

Enter http://127.0.0.1 in a browser (Firefox here) and you will see the default page of the httpd service that provides the Web service.
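The four steps above as one script, added here as an example rather than taken from the original page. It assumes the RHEL 7 install ISO is in /dev/cdrom, uses the /media/cdrom mount point from the text, and the repository file name rhel7.repo is a choice made here.

```shell
#!/bin/sh
# Added example (not from the original page): steps 1-4 as a script for RHEL 7.
# Assumptions: the install ISO is in /dev/cdrom; the mount point /media/cdrom
# matches the text, and the repo file name rhel7.repo is a choice made here.

# write_local_repo FILE MOUNTPOINT
# Writes a Yum repository definition that points at the mounted install media.
# The GPG key file is the one shipped at the root of the RHEL install media, so
# package signatures are still verified even though the source is a local disc.
write_local_repo() {
    repo_file=$1
    mount_point=$2
    cat > "$repo_file" <<EOF
[rhel7-media]
name=RHEL 7 local install media
baseurl=file://$mount_point
enabled=1
gpgcheck=1
gpgkey=file://$mount_point/RPM-GPG-KEY-redhat-release
EOF
}

# http_status URL: print the HTTP status code the server returns for URL.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# apply: the privileged part; run as root with "--apply".
apply() {
    mkdir -p /media/cdrom
    mount /dev/cdrom /media/cdrom
    write_local_repo /etc/yum.repos.d/rhel7.repo /media/cdrom
    yum install -y httpd            # the package is "httpd"; "yum install apache" fails
    systemctl start httpd
    systemctl enable httpd          # start at boot as well
    # RHEL 7 delivers its stock welcome page as a 403 response, so 403 here is normal.
    echo "httpd answered with HTTP $(http_status http://127.0.0.1)"
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run it as root with "sh install_httpd.sh --apply"; without the flag it only defines the functions, which is what makes the repository writer testable on its own.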

2. Configure service file Parameters

Main configuration file and storage locations of the httpd service program:

The main configuration file of the httpd service contains three kinds of information: comment lines, global configuration, and section (area) configuration.

Global configuration parameters apply to the server as a whole and to all sub-sites; they both ensure that the sub-sites are reachable and avoid repeating the same parameters for each site. Section configuration parameters are set individually for each sub-site. The most common parameters in the main configuration file of the httpd server are listed in the following table:

The DocumentRoot parameter defines the path where the Web site data is stored; by default it is /var/www/html. The usual name for a site's home page is index.html, so writing an index.html file into /var/www/html replaces the default home page of the httpd service, and the change takes effect immediately.

By default the site data is stored in /var/www/html. How do you move the site data directory to /home/wwwroot?

Step 1: Create the directory that will hold the site data, and create a home page file in it.

Step 2: Open the main configuration file of httpd. Around line 119, change the DocumentRoot parameter, which defines the site data path, to /home/wwwroot; around line 124, the Directory parameter that defines the directory permissions must also have its path changed to /home/wwwroot. Save and exit once both are modified.

Step 3: Restart the httpd service to verify the effect: the default home page of the httpd service is shown. Normally the default page appears only when the site's home page file does not exist or the user's permissions are insufficient. Requesting http://127.0.0.1/index.html returns the page "Forbidden: You don't have permission to access /index.html on this server." All of this is SELinux at work.
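The DocumentRoot change as a script, added as an example (not the page's own commands). It matches the directive lines by content rather than by the line numbers 119 and 124, which shift between httpd versions; the paths are the ones used in the text, and the backup file name is a choice made here.

```shell
#!/bin/sh
# Added example, not from the original page: move the site root to /home/wwwroot
# by editing httpd.conf with sed instead of relying on line numbers, which differ
# between httpd versions. Paths are the ones used in the text.

CONF=${CONF:-/etc/httpd/conf/httpd.conf}

# set_document_root CONF_FILE OLD_ROOT NEW_ROOT
# Rewrites the DocumentRoot line and the matching <Directory "..."> opener, keeping
# a copy of the original file as CONF_FILE.bak before editing.
set_document_root() {
    conf=$1; old=$2; new=$3
    cp -p "$conf" "$conf.bak"
    sed -i \
        -e "s|^DocumentRoot \"$old\"|DocumentRoot \"$new\"|" \
        -e "s|^<Directory \"$old\">|<Directory \"$new\">|" \
        "$conf"
}

# current_document_root CONF_FILE: print the active DocumentRoot value.
current_document_root() {
    sed -n 's/^DocumentRoot "\(.*\)"/\1/p' "$1"
}

apply() {
    mkdir -p /home/wwwroot
    echo "This is the new Web site" > /home/wwwroot/index.html   # constructed content
    set_document_root "$CONF" /var/www/html /home/wwwroot
    apachectl configtest && systemctl restart httpd
    # Expect 403 here while SELinux is enforcing: the new directory does not yet
    # carry the httpd_sys_content_t label (handled in section 3).
    echo "HTTP $(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1/index.html)"
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

Running "apachectl configtest" before the restart is the cheap check that the edit did not leave the file syntactically broken, which would otherwise take the site down on restart.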

3. SELinux Security Subsystem

SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) security subsystem developed by the U.S. National Security Agency with the help of the Linux open source community. RHEL 7 uses SELinux to confine each service process so that it can only obtain the resources it should have.

For example, a photo-editing program downloaded onto your computer might quietly record the passwords typed into your browser while you are busy retouching photos, which is clearly not something it should be doing. The SELinux security subsystem is designed to prevent exactly this, and it catches such violations in two ways: by restricting what the service program may do (SELinux domain confinement ensures the service does nothing outside its remit) and by restricting access to file resources (the SELinux security context ensures that files can be accessed only by the service they belong to).

SELinux has three modes:

    • Enforcing: the security policy is enforced and illegal requests from services are blocked.
    • Permissive: when a service exceeds its privileges, only a warning is logged; nothing is blocked.
    • Disabled: actions that exceed privileges are neither logged nor blocked.

Mine is in Enforcing mode by default (see the service's main configuration file, /etc/selinux/config).

Switch SELinux out of enforcing mode with the setenforce command (setenforce [0|1]: 0 turns enforcement off, 1 turns it on). This change does not survive a reboot. The current status of the SELinux service can be checked with the getenforce command.

Now the page content is displayed normally.

The job of the httpd service is to let users access the site's content, so by default SELinux certainly allows user requests to the site. However, we moved the default site data directory to /home/wwwroot, and that creates a problem: /home holds the home directories of ordinary users, and httpd is now serving data out of an ordinary user's home area, which clearly violates SELinux's confinement rules.

Restore SELinux to enforcing mode, then compare the SELinux security contexts of the original site data directory and the current one:

The user field system_u identifies a system process, the role field object_r is the role for files and directories, and the type field httpd_sys_content_t marks files that belong to the Web service.

In this situation we only need to use the semanage command to change the SELinux security context of the current site directory, /home/wwwroot, to match that of the original site directory.

3.1 The semanage Command

The semanage command manages SELinux policy; its format is "semanage [options] [file]". Common options and their functions: -l query, -a add, -m modify, -d delete.

Add the new SELinux security context to the new Web site data directory so that the directory and all files in it can be accessed by the httpd service:

After that, run the restorecon command to apply the setting immediately; the -Rv options recurse into the specified directory and display the changes made to the SELinux security contexts. Finally, refresh the page and the Web content is displayed normally.
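The comparison of the two directories' contexts and the relabelling from sections 3 and 3.1, as an added example (not the page's own commands). It keeps SELinux enforcing and fixes the label instead of turning enforcement off; the context-parsing helpers are additions, while the paths and the httpd_sys_content_t type come from the text.

```shell
#!/bin/sh
# Added example (not from the original page) for sections 3 and 3.1: compare the
# SELinux types of the old and new site directories, and relabel /home/wwwroot so
# that httpd may read it while SELinux stays in enforcing mode. The parsing
# helpers are additions; the paths and httpd_sys_content_t are from the text.

# context_type CONTEXT: print the type field of a "user:role:type:level" string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# types_match CONTEXT_A CONTEXT_B: succeed when both contexts carry the same type.
types_match() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# dir_context DIR: the full SELinux context of DIR (GNU stat on an SELinux host).
dir_context() {
    stat -c %C "$1"
}

# show_mode: prints Enforcing, Permissive or Disabled. Note that "setenforce 0"
# switches to Permissive (denials are logged but allowed), not Disabled, and a
# reboot restores the mode from /etc/selinux/config.
show_mode() {
    getenforce
}

# relabel_site_root DIR: record a persistent file-context rule for DIR and everything
# below it (-a adds; use -m instead if the rule already exists), then apply it on disk.
relabel_site_root() {
    semanage fcontext -a -t httpd_sys_content_t "$1(/.*)?"
    restorecon -Rv "$1"
}

apply() {
    old=/var/www/html
    new=/home/wwwroot
    echo "SELinux mode: $(show_mode)"
    echo "$old -> $(dir_context "$old")"
    echo "$new -> $(dir_context "$new")"
    if types_match "$(dir_context "$old")" "$(dir_context "$new")"; then
        echo "types already match; nothing to do"
    else
        relabel_site_root "$new"
        echo "$new -> $(dir_context "$new")"
    fi
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

The file-context rule is what survives a future "restorecon" or a full relabel; running only "chcon" on the directory would be undone the next time the policy is applied to the filesystem.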

4. Personal User Home Page Feature

The personal user home page feature of the httpd service lets every user on the system manage their own website in their home directory, and those sites are easy to reach.

Step 1: The user home page feature of the httpd service is off by default. Edit the configuration file /etc/httpd/conf.d/userdir.conf: put a pound sign (#) in front of the UserDir disabled parameter on line 17, which tells the httpd service to enable the personal user home page feature, and remove the pound sign (#) in front of the UserDir public_html parameter on line 24 (this UserDir parameter names the directory inside the user's home directory that holds the site data, i.e. public_html).

Step 2: In the user's home directory, create the directory that holds the site data and a home page file. The permissions of the home directory also need to be changed to 755 so that other users have permission to read its contents.

Step 3: Restart the httpd service and enter the URL in the browser's address bar in the form "URL/~username". The system shows an error page; again, this is a SELinux problem.

Step 4: Think about the cause of the error. When the httpd service provides the personal home page feature, the user's site data directory lives inside that user's home directory, so there should be no need to change the SELinux security context of the home directory. The SELinux domain ensures that the service program cannot perform disallowed operations and can only serve users within its remit. Does the SELinux domain allow the user home page feature, which we just enabled in the httpd service, by default?

Use the getsebool command to query all security policies and filter those related to the HTTP protocol; off means disabled, on means allowed.

From their names we can roughly guess what each policy is for. The SELinux domain policy for the personal home page feature of the httpd service should be httpd_enable_homedirs. The Boolean value of a rule in the SELinux policy is changed with the setsebool command; the -P option makes the change take effect immediately and persist permanently.

Sometimes the site owner does not want the content of a page shown to everyone and only wants authenticated users to see it; in that case a password can be added to the site.

Step 1: Generate the password database with the htpasswd command. The -c option indicates that the database is being created for the first time, followed by the file that stores the password database and the user name to authenticate with (the user need not be an existing local account on the system).

Step 2: Edit the configuration file of the personal home page feature, changing the content from line 31 as follows. Restart the httpd service.

When a user now wants to access a user's personal site, they must enter an account and password before it can be viewed.
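Section 4 as one script, added here as an example and not the page's own commands. It enables the user directories by matching the two UserDir lines rather than lines 17 and 24, sets the SELinux Boolean, and adds the password requirement as a drop-in file; the user name "linuxprobe", the file name userdir-auth.conf and the password-database path /etc/httpd/passwd are choices made here.

```shell
#!/bin/sh
# Added example (not from the original page) for section 4: enable personal home
# pages, allow them in SELinux, and protect them with a password. The user name
# "linuxprobe", the drop-in file name userdir-auth.conf and the password-database
# path /etc/httpd/passwd are choices made here; the other paths are from the text.

# enable_userdir CONF: comment out "UserDir disabled" and uncomment
# "UserDir public_html", keeping the indentation used in userdir.conf.
enable_userdir() {
    sed -i \
        -e 's/^\([[:space:]]*\)UserDir disabled/\1#UserDir disabled/' \
        -e 's/^\([[:space:]]*\)#UserDir public_html/\1UserDir public_html/' \
        "$1"
}

# write_auth_block FILE PASSWD_DB: require a valid user for every personal site.
# Basic auth sends the password base64-encoded on each request, so it only
# protects anything when the site is served over HTTPS.
write_auth_block() {
    cat > "$1" <<EOF
<Directory "/home/*/public_html">
    AuthType Basic
    AuthName "Personal sites: authentication required"
    AuthUserFile "$2"
    Require valid-user
</Directory>
EOF
}

# http_booleans: list the SELinux Booleans related to httpd and their on/off state.
http_booleans() {
    getsebool -a | grep http
}

apply() {
    user=linuxprobe
    enable_userdir /etc/httpd/conf.d/userdir.conf
    mkdir -p "/home/$user/public_html"
    echo "This is $user's website" > "/home/$user/public_html/index.html"   # constructed content
    chmod 755 "/home/$user"                   # others need x on the home dir to traverse it
    setsebool -P httpd_enable_homedirs on     # -P: immediate and persistent across reboots
    htpasswd -c -B /etc/httpd/passwd "$user"  # -c creates the database, -B stores bcrypt hashes
    write_auth_block /etc/httpd/conf.d/userdir-auth.conf /etc/httpd/passwd
    apachectl configtest && systemctl restart httpd
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

Putting the authentication block in its own conf.d file leaves the packaged userdir.conf untouched apart from the two UserDir lines, which makes later package updates easier to merge; "http_booleans" is the check from step 4 for confirming that httpd_enable_homedirs reads "on" after the change.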

5. Virtual Host Feature

If each server running a Linux system could only run one website, small site owners with low popularity and little traffic would be forced to bear the high cost of renting a server, and hardware resources would obviously be wasted. Apache's virtual host feature is a technology that serves multiple websites from one server, distinguishing them by the IP address, host name or port number that is requested.

5.1 Based on IP Address

If a server has several IP addresses and each IP address corresponds to one site deployed on the server, then when users request different IP addresses they receive the pages of the corresponding sites. Each website having its own IP address also benefits SEO, so this is the most common way to provide virtual hosts.

In the current experiment, the following IP addresses are configured with the nmtui command:

After configuring and restarting the network service (systemctl restart network), check network connectivity:

Step 1: Create three directories in /home/wwwroot to store the data of the different websites, and write a home page file into each. The home page files should clearly distinguish the sites from one another, so that the effect can be checked more intuitively later.

Step 2: In the httpd configuration file, starting at about line 113, append the three IP-address-based virtual host parameters, then restart the httpd service.

Step 3: Visiting the websites now shows the default home page of the httpd service. Again it is SELinux: because the SELinux security context of /home/wwwroot and the website data directories inside it does not match the Web service, httpd cannot reach those directories. Set the SELinux security context of the new website data directories correctly by hand, and use the restorecon command to apply it immediately; after that the sites can be accessed.

5.2 Based on Host Name

When the server cannot give each site its own IP address, you can let Apache recognise the domain name requested by the user and serve different content for different names. /etc/hosts is the configuration file in a Linux system that forces a host name to resolve to a specified IP address. Simply put, as long as this file is configured correctly, the name resolves to an IP address even if the network interface has no DNS settings.

Step 1: Manually define the mapping between IP addresses and domain names in the configuration file; it takes effect as soon as the file is saved. You can verify that each domain name resolves to the IP address by pinging the names one by one.

Step 2: Create three directories in /home/wwwroot to store the data of the different websites, and write a home page file into each. The home page files should clearly distinguish the sites from one another, so that the effect can be checked more intuitively later.


Step 3: Starting at about line 113 of the httpd configuration file, append the three host-name-based virtual host parameters. Restart the httpd service.

Step 4: The website data directories are still under /home/wwwroot, so the SELinux security context of the website data directories and files must be set correctly so that it matches the Web service. Then use the restorecon command to apply the newly configured SELinux security context immediately.

5.3 Based on Port Number

The port-number-based virtual host feature lets users access site resources on the server through a specified port. When configuring virtual hosts with Apache, you must consider not only the httpd configuration but also SELinux's monitoring of newly opened ports. In general, serving sites on ports such as 80, 443 and 8080 is considered reasonable; other port numbers are restricted by SELinux.

Step 1: Create two directories in /home/wwwroot to store the data of the different websites, and write a home page file into each. The home page files should clearly distinguish the sites from one another, so that the effect can be checked more intuitively later.

Step 2: On lines 43 and 44 of the httpd configuration file, add the parameters that listen on ports 6111 and 6222 respectively.

Step 3: Starting at about line 113 of the httpd configuration file, append the two port-number-based virtual host parameters. Restart the httpd service.

Step 4: Set the SELinux security context of the website data directories and files, and use the restorecon command to apply it immediately.

Testing the connection after this setup produces an error. The SELinux service detects that ports 6111 and 6222 were not originally part of the Apache service but are now being used in the name of the httpd service, so SELinux refuses to let Apache use them. Use the semanage command to query and filter the list of ports related to the HTTP protocol that SELinux allows:

Step 5: Manually add ports 6111 and 6222 to the HTTP-related ports allowed by SELinux. This takes effect immediately and persists permanently.

Restart the httpd service and test again to see the correct result.
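The three virtual host variants from sections 5.1, 5.2 and 5.3 share one stanza generator, so they are shown together here as a single added example rather than as the page's own configuration. It writes the stanzas into a conf.d drop-in instead of appending near line 113 of httpd.conf, and handles the SELinux labelling and port registration. The addresses 192.168.10.10/20/30 and the ports 6111 and 6222 come from the text; the host names under example.com, the directory names under /home/wwwroot and the file name vhosts.conf are constructed.

```shell
#!/bin/sh
# Added example (not from the original page) for sections 5.1, 5.2 and 5.3: generate
# the IP-, name- and port-based <VirtualHost> stanzas into a drop-in file rather than
# appending them near line 113 of httpd.conf, then handle the SELinux labels and
# ports. The addresses 192.168.10.10/20/30 and ports 6111/6222 are from the text;
# the host names *.example.com, the directory names under /home/wwwroot and the
# file name vhosts.conf are constructed here.

# vhost ADDRESS DOCROOT [SERVERNAME]: print one VirtualHost stanza. The Directory
# block is required because httpd 2.4 denies everything outside /var/www by default.
vhost() {
    printf '<VirtualHost %s>\n' "$1"
    if [ -n "${3:-}" ]; then printf '    ServerName %s\n' "$3"; fi
    printf '    DocumentRoot %s\n' "$2"
    printf '    <Directory %s>\n        AllowOverride None\n        Require all granted\n    </Directory>\n' "$2"
    printf '</VirtualHost>\n'
}

# 5.1: one site per IP address.
ip_vhosts() {
    vhost 192.168.10.10:80 /home/wwwroot/10
    vhost 192.168.10.20:80 /home/wwwroot/20
    vhost 192.168.10.30:80 /home/wwwroot/30
}

# 5.2: several host names on one IP address; httpd picks the stanza by ServerName.
name_vhosts() {
    vhost 192.168.10.10:80 /home/wwwroot/www www.example.com
    vhost 192.168.10.10:80 /home/wwwroot/bbs bbs.example.com
    vhost 192.168.10.10:80 /home/wwwroot/tech tech.example.com
}

# hosts_entries: /etc/hosts line that makes the test names resolve without DNS.
hosts_entries() {
    printf '192.168.10.10 www.example.com bbs.example.com tech.example.com\n'
}

# 5.3: one site per port; the Listen directives must exist for httpd to bind them.
port_vhosts() {
    printf 'Listen 6111\nListen 6222\n'
    vhost 192.168.10.10:6111 /home/wwwroot/6111
    vhost 192.168.10.10:6222 /home/wwwroot/6222
}

# allow_http_port PORT: let httpd bind PORT under SELinux (persistent).
# "semanage port -l | grep http_port_t" lists the ports already allowed.
allow_http_port() {
    semanage port -a -t http_port_t -p tcp "$1"
}

# prepare_docroots CONF: create each DocumentRoot named in CONF with a distinct
# index.html, so the sites are easy to tell apart in the browser.
prepare_docroots() {
    sed -n 's/^ *DocumentRoot //p' "$1" | while read -r dir; do
        mkdir -p "$dir"
        [ -f "$dir/index.html" ] || echo "Site served from $dir" > "$dir/index.html"
    done
}

apply() {   # MODE: ip | name | port
    conf=/etc/httpd/conf.d/vhosts.conf
    case $1 in
        ip)   ip_vhosts > "$conf" ;;
        name) name_vhosts > "$conf"; hosts_entries >> /etc/hosts ;;
        port) port_vhosts > "$conf"; allow_http_port 6111; allow_http_port 6222 ;;
        *)    echo "usage: $0 ip|name|port" >&2; return 1 ;;
    esac
    prepare_docroots "$conf"
    # label the whole tree as web content (skip -a if the rule exists from section 3)
    semanage fcontext -l | grep -qF '/home/wwwroot(/.*)?' || \
        semanage fcontext -a -t httpd_sys_content_t '/home/wwwroot(/.*)?'
    restorecon -Rv /home/wwwroot
    apachectl configtest && systemctl restart httpd
}

if [ $# -gt 0 ]; then apply "$1"; fi
```

Run "sh vhosts.sh ip", "sh vhosts.sh name" or "sh vhosts.sh port" as root; each mode overwrites vhosts.conf, matching the way the text walks through the three variants one at a time. Generating the DocumentRoot directories from the written configuration, rather than from a second hard-coded list, keeps the two from drifting apart.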


6. Apache Access Control

Apache can control access to site resources based on information such as the source host name, source IP address, or the browser used on the source host. The Allow directive permits a host to access site resources on the server, and the Deny directive forbids it. The Order directive defines the order in which the Allow and Deny directives are evaluated: rules are matched in that order, and the directive named last is the default applied when nothing matches. For example, "Order allow,deny" means the source host is matched against the Allow rules first: if it matches, the request is allowed; otherwise it is denied.

Step 1: Create a new subdirectory in the website data directory on the server, and in it a home page file whose content contains the word "successful".

Step 2: Open the httpd configuration file and add the following rule after line 129 to restrict access by source host. This rule allows hosts using the Firefox browser to access the home page file on the server; all other requests are rejected.

Besides matching the browser characteristics of the source host, access can also be controlled by matching the source IP address. For example, to allow only the host with IP address 192.168.10.20 to access the site resources, add the following rule after line 129 of the httpd configuration file. After restarting the httpd service, accessing the site's home page from the local machine (i.e. the server itself, whose IP address is 192.168.10.10) is denied.
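Both access rules from this section, written as an added example (not the page's configuration) into a drop-in file rather than after line 129 of httpd.conf. The addresses 192.168.10.10 and 192.168.10.20 are the page's; the directory name /var/www/html/restricted and the file name restricted.conf are constructed. httpd 2.4, which RHEL 7 ships, expresses these rules with Require; the Order/Allow/Deny form from the text still works there through mod_access_compat and is included for comparison, but the two styles should not be mixed inside one Directory block.

```shell
#!/bin/sh
# Added example (not from the original page) for section 6: write the two
# access-control rules from the text into a drop-in file instead of after line 129
# of httpd.conf. The addresses 192.168.10.10/20 are from the text; the directory
# /var/www/html/restricted and the file name restricted.conf are constructed here.

# browser_rule DIR PATTERN: admit only clients whose User-Agent matches PATTERN.
# The User-Agent header is chosen by the client, so this is a convenience filter,
# not a security boundary; use ip_rule or authentication for real restrictions.
browser_rule() {
    cat <<EOF
<Directory "$1">
    SetEnvIf User-Agent "$2" allowed_browser
    Require env allowed_browser
</Directory>
EOF
}

# ip_rule DIR IP...: admit only the listed source addresses (CIDR ranges also work).
ip_rule() {
    dir=$1; shift
    printf '<Directory "%s">\n    Require ip %s\n</Directory>\n' "$dir" "$*"
}

# legacy_ip_rule DIR IP: the same restriction in the Order/Allow syntax used in
# the text (needs mod_access_compat, which RHEL 7 loads by default).
legacy_ip_rule() {
    printf '<Directory "%s">\n    Order allow,deny\n    Allow from %s\n</Directory>\n' "$1" "$2"
}

# http_status URL: status code returned for URL (403 means the rule denied us).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

apply() {   # MODE: browser | ip
    dir=/var/www/html/restricted
    conf=/etc/httpd/conf.d/restricted.conf
    mkdir -p "$dir"
    echo "successful" > "$dir/index.html"
    case $1 in
        browser) browser_rule "$dir" Firefox > "$conf" ;;
        ip)      ip_rule "$dir" 192.168.10.20 > "$conf" ;;
        *)       echo "usage: $0 browser|ip" >&2; return 1 ;;
    esac
    apachectl configtest && systemctl restart httpd
    # From the server itself (192.168.10.10) the ip rule yields 403, as the text describes.
    echo "local request: HTTP $(http_status http://127.0.0.1/restricted/index.html)"
}

if [ $# -gt 0 ]; then apply "$1"; fi
```

A denied request is logged by httpd as a 403 in /var/log/httpd/access_log, which is the place to confirm the rule is doing what was intended before relying on it.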
