8i | 9i | 10g | 11g | 12c | 13c | 18c | 19c | 21c | 23c | Misc | PL/SQL | SQL | RAC | WebLogic | Linux

Linux HTTP Server Configuration

This article describes the installation and configuration of a HTTP server on Linux, with specific reference to the information needed for the RHCE EX300 exam.

Remember, the exams are hands-on, so it doesn't matter which method you use to achieve the result, so long as the end product is correct.

Installation
Firewall
SELinux
Virtual Hosts
Private Directories
Group Managed Content
Deploy a Basic CGI Application
SSL Configuration (HTTPS)

Installation

For a minimum HTTP server installation, issue the following command.

# yum install httpd

If you want a more complete installation, you can install the "Web Server" package group.

# yum groupinstall "Web Server"

Make sure the "/etc/hosts" file contains references for the loopback address and the hostname.

127.0.0.1      localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.122.89 rhce1.localdomain rhce1

Turn on the HTTP server and make sure it starts automatically on reboot.

# service httpd start
# chkconfig httpd on

The HTTP server is now installed and running. The HTTP configuration files are located under the "/etc/httpd" directory, with the main configuration file being the "/etc/httpd/conf/httpd.conf" file. The default document root is "/var/www/html". Any files or directories below this point will be visible using a browser once you configure the firewall.

Changes to the "/etc/httpd/conf/httpd.conf" file have to be followed by a reload or a restart of the httpd service.

# service httpd reload
# # OR
# service httpd restart

Firewall

If you are using the Linux firewall, you need to punch a hole in the firewall for port 80 (and 443 for HTTPS) to make sure the HTTP server can be accessed from the network. There are several ways to do this:

The "Firewall Configuration" dialog from the menu (System > Administration > Firewall) or initiated from the command line by running the system-config-firewall command. On the "Trusted Services" section, scroll down the list and check the "WWW (HTTP)" option, then click the "Apply" button.
The text-based "Firewall Configuration" utility (system-config-firewall-tui). This is the text-based version of the above dialog.
Using the iptables service directly, as described here. In this case we could need the following entry.
```
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
```

You can read more about the Linux firewall here.

SELinux

If you are using SELinux, you will need to consider the following points.

The SELinux booleans associated with the httpd service are displayed using the getsebool command.

# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off
#

The setsebool command is used to set a specific boolean value.

# setsebool httpd_use_nfs on
# setsebool httpd_use_nfs off

The httpd_sys_content_t context should be assigned to all content.

# semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
# restorecon -F -R -v /var/www/html

You can check the current context setting on files and directories using the "ls -alZ" command.

More information on SELinux can be found here.

Virtual Hosts

Virtual Hosts allow multiple websites to be hosts by a single physical machine, with each website being apparently independent of each other. The virtual hosts can be IP-based, but are typically name-based, meaning the domain name in the URL used to access the web server determines which virtual host the request is for.

Create the following directories as locations for two virtual hosts. I've also created a test file in both document roots.

# mkdir -p /www/mysite1.com/logs
# mkdir -p /www/mysite1.com/html
# echo "MySite1.com Test file" > /www/mysite1.com/html/test.txt
# mkdir -p /www/mysite2.com/logs
# mkdir -p /www/mysite2.com/html
# echo "MySite2.com Test file" > /www/mysite2.com/html/test.txt

If you are using SELinux, make sure the directories and their contents are assigned the correct context.

# semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
# restorecon -F -R -v /www

Virtual hosts are defined in the "/etc/httpd/conf/httpd.conf" file. The definition of the two virtual hosts are shown below.

NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.mysite1.com
    Serveralias mysite1.com
    DocumentRoot /www/mysite1.com/html
    ErrorLog /www/mysite1.com/logs/mysite1.com-error_log
</VirtualHost>

<VirtualHost *:80>
    ServerName www.mysite2.com
    Serveralias mysite2.com
    DocumentRoot /www/mysite2.com/html
    ErrorLog /www/mysite2.com/logs/mysite2.com-error_log
</VirtualHost>

Reload or restart the httpd service for the changes to take effect.

# service httpd reload
# # OR
# service httpd restart

Provided the DNS, or hosts file, resolves the names "mysite1.com" and "mysite2.com" to the IP address of the web server, pages under the document roots will now display for each virtual host. To test this you can alter your hosts file with the following entries.

127.0.0.1 mysite1.com mysite1
127.0.0.1 mysite2.com mysite2

You should now see the correct test page under each of the following URLs on the web server.

http://mysite1.com/test.txt
http://mysite2.com/test.txt

Private Directories

Using the virtual hosts we created previous, create a new directory called "private" and place a file in it.

# mkdir /www/mysite1.com/html/private
# echo "MySite1.com Private Test file" > /www/mysite1.com/html/private/test.txt

Create a ".htpasswd" file containing a username/password, then add a second entry.

# cd /www/mysite1.com/html/private
# htpasswd -cmb .htpasswd user1 password1
# htpasswd -mb .htpasswd user2 password2

Edit the "/etc/httpd/conf/httpd.conf" file with an entry such as the following.

<Directory "/www/mysite1.com/html/private">
   AuthType basic
   AuthName "Private Access"
   AuthUserFile "/www/mysite1.com/html/private/.htpasswd"
   Require valid-user
   Order allow,deny
   Allow from all
</Directory>

Reload or restart the httpd service for the changes to take effect.

# service httpd reload
# # OR
# service httpd restart

You should now be prompted for a username/password when trying to access the following file.

http://mysite1.com/private/test.txt

Group Managed Content

Using the virtual hosts defined previously, we will enable group managed content for "mysite1.com".

Create a group that the users will be part of.

# groupadd webdevs

Add the necessary users to the group.

# # Create new users.
# useradd -g webdevs user1
# useradd -g webdevs user2
#
# # Modify existing users.
# usermod -g webdevs user1
# usermod -g webdevs user2

Change the ownership and permissions of the directories holding the group managed content.

# chown -R apache.webdevs /www/mysite1.com/html
# chmod -R 775 /www/mysite1.com/html
# chmod -R g+s /www/mysite1.com/html

# su - user1
$ umask 002
$ echo "Test by user1" > /www/mysite1.com/html/group-test.txt
$ exit
logout
# su - user2
$ umask 002
$ echo "Test by user2" >> /www/mysite1.com/html/group-test.txt
$ exit
logout
#

The file with both users content is visible using the following URL.

http://mysite1.com/group-test.txt

Notice the umask setting, which allows read/write permission for the group. This setting can be placed in the "~/.bashrc" or the "~/.bash_profile" file for each user.

Deploy a Basic CGI Application

Create a directory called "cgi-bin" under an existing virtual host.

# mkdir /www/mysite2.com/html/gci-bin

Create a simple CGI application in the directory, for example a file called "helloworld.pl" with the following contents.

#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "helloWorld!";

Change the ownership and make sure the file is executable.

# chown apache.apache helloworld.pl
# chmod u+x helloworld.pl

Edit the "/etc/httpd/conf/httpd.conf" file, adding the following entries to the virtual host definition.

ScriptAlias /cgi-bin/ /www/mysite2.com/html/gci-bin/
Options +ExecCGI
AddHandler cgi-script .pl .cgi

So the complete definition looks like this.

<VirtualHost *:80>
    ServerName www.mysite2.com
    Serveralias mysite2.com
    DocumentRoot /www/mysite2.com/html
    ErrorLog /www/mysite2.com/logs/mysite2.com-error_log
    # Below added to support CGI applications
    ScriptAlias /cgi-bin/ /www/mysite2.com/html/gci-bin/
    Options +ExecCGI
    AddHandler cgi-script .pl .cgi
</VirtualHost>

Reload or restart the httpd service for the changes to take effect.

# service httpd reload
# # OR
# service httpd restart

The CGI application can now be run will the following URL.

http://mysite2.com/cgi-bin/helloworld.pl

If you prefer the "cgi-bin" directory to be placed in a different location, simply alter the "ScriptAlias" entry to reflect the changed location.

SSL Configuration (HTTPS)

HTTPS configuration is not a requirement of the RHCE exam, but it is useful to know, so I included it.

If they are not already installed, install the mod_ssl, openssl and crypto-utils packages.

# yum install mod_ssl openssl crypto-utils

The installation of the mod_ssl package creates the "/etc/httpd/conf.d/ssl.conf" configuration file, which includes references to the default self-signed localhost certificate and key. This is sufficient for testing SSL configuration. The httpd service must be restarted for the module to be loaded, but we will do that later.

The genkey command can generate a certificate request or a new self-signed certificate. For this test I created a new self-signed certificate. Remember, if you encrypt the certificate with a passphrase, you will need to enter it every time you start the HTTP server.

# genkey --makeca rhce1.localdomain

Move the key and certificate to the relevant directories.

# mv /etc/pki/CA/private/rhce1.localdomain /etc/pki/tls/private/rhce1.localdomain
# mv /etc/pki/CA/rhce1.localdomain /etc/pki/tls/certs/rhce1.localdomain

Add/modify the following lines in the "/etc/httpd/conf.d/ssl.conf" file.

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!DES:!DHE:!RSA

SSLCertificateFile /etc/pki/tls/certs/rhce1.localdomain
SSLCertificateKeyFile /etc/pki/tls/private/rhce1.localdomain
#SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt

Notice the "SSLCACertificateFile" entry is commented out. If you are using a real certificate, you will probably need to download the intermediate bundle from the CA and reference it using this tag.

Restart the HTTP server.

# service httpd restart

Provided you have the correct firewall settings, you should now be able to access your applications using HTTPS.

https://rhce1.localdomain

For more information see:

Hope this helps. Regards Tim...

Back to the Top.