RHCE – Network service – HTTP/HTTPS

Install the packages needed to provide the service

# installs apache webserver
# (the TLS section further down additionally needs the mod_ssl package: yum install mod_ssl)
yum install httpd 

Configure SELinux to support the service

## Common file context types ##
# static website folders
httpd_sys_content_t
# dynamic website folders - where writes need to occur via apache user
httpd_sys_rw_content_t
# cgi folder
httpd_sys_script_exec_t
# httpd config
httpd_config_t
# httpd logs
httpd_log_t
# to see all options use
semanage fcontext --list | grep httpd

## common - sebools ##
# running cgi scripts
httpd_enable_cgi
httpd_enable_ftp_server 
# enable use of homedirs for site roots
httpd_enable_homedirs
# to see all httpd-related booleans and their current state use getsebool -a | grep httpd


## SELinux configure ports - next section.

Use SELinux port labeling to allow services to use non-standard ports

# shows the default ports for http
semanage port -l | grep http

# step 1 - modify config to use an alternate port
Listen 1080

# step 2 - Configure SELinux to use alternate port
# you have 2 options here:

    # option 1 - try to access the site on the alternate port, then run the following
    sealert -a /var/log/audit/audit.log
    # this should report a bind_port plugin error and print the exact command to run (option 2)

    # option 2 - run the command directly (label the port before restarting httpd, otherwise the bind is denied)
    # if the port is already labelled for another type, semanage port -m (modify) is needed instead of -a
    semanage port -a -t http_port_t -p tcp 1080

Configure the service to start when the system is booted

# enables httpd at boot 
systemctl enable httpd

Configure the service for basic operation

# starts httpd service
systemctl start httpd 

# firewall configuration
# --permanent only writes the rule to the saved configuration; the --reload below applies it to the running firewall
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

# browse to hostname/ip to make sure you see the welcome page from apache

Configure host-based and user-based security for the service

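# host-based - firewall
## add firewall rule to allow http(s) access
firewall-cmd --permanent --add-service={http,https}
# --permanent only updates the saved rules; reload so the running firewall picks them up
firewall-cmd --reload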

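## RequireAll section (inside the relevant <Directory> or <Location> block) of /etc/httpd/conf/httpd.conf
<RequireAll>
# to add a host with permission to access 
Require host <hostname>
# to reject a host - the 'not' keyword goes before the provider name (host/ip)
Require not host <hostname>
# note: host matching depends on a reverse DNS lookup of the client address;
# where a fixed address is known, Require ip <address> is the more reliable check
</RequireAll>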
#####################################################

# user-based - virtual host config
see below - Configure access restrictions on directories

Configure a virtual host

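# Step 1 - add file to /etc/httpd/conf.d/<vhostname.conf>
# vhostname.conf
<VirtualHost *:80>
    DocumentRoot "/www/example2"
    ServerName www.example.org
    # a DocumentRoot outside /var/www needs the httpd_sys_content_t label
    # (semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?" ; restorecon -Rv /www)
    # and, because the default httpd.conf denies access to directories it does not know,
    # an explicit grant for this root
    <Directory "/www/example2">
        Require all granted
    </Directory>
    # Other directives here
</VirtualHost>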


# Step 2 - restart httpd service
systemctl restart httpd

Configure access restrictions on directories

# step 1 - make directory and add index.html
restricted_dir=/var/www/html/restricted
mkdir -- "$restricted_dir"
printf '%s\n' "You have entered a restricted zone" > "$restricted_dir/index.html"
# reset the SELinux context so the new files get the default label for /var/www/html
restorecon -Rv "$restricted_dir"

# step 2 - add configuration for /var/www/html/restricted/ - in /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/<file.conf>
<Directory "/var/www/html/restricted">
  AuthType Basic
  AuthName "Password protected area"
  AuthUserFile /etc/httpd/conf/passwd
  # only this user from AuthUserFile may enter
  # (Basic auth sends the password base64-encoded, not encrypted, so serve this area over the TLS vhost below)
  Require user unrestrictedusr
  # note you can also limit access by host, e.g.
  # Require host lab.dev
</Directory>

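# step 3 - create passwd file and adjust permissions
# -c creates the file; omit it when adding further users, otherwise the existing entries are discarded
htpasswd -c /etc/httpd/conf/passwd unrestrictedusr
# root owns the file and the apache group may only read it: httpd needs read access,
# but a compromised httpd must not be able to rewrite the credentials
chown root:apache /etc/httpd/conf/passwd
chmod 640 /etc/httpd/conf/passwd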

# step 4 - check config and restart httpd
apachectl configtest
systemctl restart httpd 

# step 5 - verify you can authenticate with your password or hostname
open up a browser or use curl (curl -u unrestrictedusr:pword http://127.0.0.1/restricted); note that a password given on the command line ends up in the shell history and is visible to other users via ps, so prefer `curl -u unrestrictedusr http://127.0.0.1/restricted` and let curl prompt for it

Deploy a basic CGI application – Not completed

# step 1 - add script in cgi-bin
#/var/www/cgi-bin/test.py

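# step 2 - turn on httpd_enable_cgi (-P makes the boolean persist across reboots; without it the change is lost)
setsebool -P httpd_enable_cgi on
# the script itself must be executable and carry the httpd_sys_script_exec_t label (restorecon -Rv /var/www/cgi-bin)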

# step 3 - test by browsing to the site
<site>/cgi-bin/<name>

Configure group-managed content

# mkdir for group and restore context
mkdir /var/www/html/<groupName>
restorecon -Rv /var/www/html/<groupName>

# add to /etc/httpd/conf/httpd.conf
<Directory "/var/www/html/<groupName>">
AuthType Basic
AuthName "Password protected area"
# membership comes from AuthGroupFile; every member still needs a password entry in AuthUserFile
AuthGroupFile /etc/httpd/conf/<groupName>
AuthUserFile /etc/httpd/conf/passwd
# the group name here must match the one defined in the AuthGroupFile
Require group <groupName>
</Directory>

# /etc/httpd/conf/<groupName> - the group name on the left must match the Require group directive above
<groupName>: <usr1> <usr2>

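# config pwd for users
# -c (re)creates the file and discards any existing entries: use it only for the first user
htpasswd -c /etc/httpd/conf/passwd <usr1>
htpasswd /etc/httpd/conf/passwd <usr2>
# keep the file root-owned and only group-readable by apache, as in the access-restriction section
chown root:apache /etc/httpd/conf/passwd
chmod 640 /etc/httpd/conf/passwd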

# test then restart service    
apachectl configtest
systemctl restart httpd

Configure TLS security

# open ports
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

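# generate cert (self-signed, for a lab; -nodes leaves the key unencrypted so httpd can start unattended)
# write the key and cert to the paths the vhost below references, and keep the private key unreadable to others
mkdir -p /etc/ssl/crt
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/crt/mysitename.key -out /etc/ssl/crt/mysitename.crt
chmod 600 /etc/ssl/crt/mysitename.key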

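#  Add as .conf file in /etc/httpd/conf.d (needs the mod_ssl package; check it is loaded with httpd -M | grep ssl)
<VirtualHost *:443>
DocumentRoot /var/www/website
ServerName yourdomain.com
SSLEngine on
SSLCertificateFile /etc/ssl/crt/mysitename.crt
# must be the path the key was written to, and the file should be readable by root only (mode 600)
SSLCertificateKeyFile /etc/ssl/crt/mysitename.key
</VirtualHost> 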

# test then restart service 
apachectl configtest
systemctl restart httpd
