Linux Should Learn This Way: Apache configuration

1. By default, website data is stored in the /var/www/html directory. To change the directory where website data is stored to /home/wwwroot:

[root@myserver ~]# mkdir /home/wwwroot
[root@myserver ~]# echo "other directory Apache" > /home/wwwroot/index.html
[root@myserver ~]# cd /home/wwwroot/
[root@myserver wwwroot]# ll
total 4
-rw-r--r--. 1 root root 23 Jan 31 10:26 index.html

2. Open the main configuration file of the httpd service program and change the DocumentRoot parameter on line 122 so that the storage path of the website data is /home/wwwroot. The directory permissions also need to be defined, so change the path after Directory to /home/wwwroot as well. Save and exit once the configuration file has been modified.

3. Restart the service and visit the site again: access is forbidden.

Turn off SELinux and test again.

SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) security subsystem developed by the US National Security Agency together with the Linux open source community. RHEL 7 uses SELinux to confine each service process so that it can only obtain the resources it is supposed to obtain.

There are three modes for the SELinux service:

enforcing: the security policy is enforced and illegal requests to services are intercepted.

permissive: when unauthorized access to a service occurs, only a warning is issued; the access is not intercepted.

disabled: unauthorized actions are neither warned about nor blocked.

View the SELinux configuration file.

The setenforce [0|1] command changes the current operating mode of SELinux (0 disables enforcement, 1 enables it). Note that this change is only temporary and is lost when the system restarts.

The function of the httpd service program is to let users access website content, so by default SELinux certainly allows users to make requests to the website. However, we changed the default storage directory of the website data to /home/wwwroot, and this causes a problem: the /home directory is used to store the home directory data of ordinary users, and the website service provided by httpd now needs to read data from the home directories of ordinary users, which obviously violates the supervision principle of SELinux.

The SELinux security context set on a file is composed of several items such as the user segment, the role segment and the type segment. Here the user segment system_u represents the identity of a system process, the role segment object_r represents the role of a file or directory, and the type segment httpd_sys_content_t represents system files of the website service. Use the semanage command to set the SELinux security context of the new website directory /home/wwwroot to the same context as the original website directory.

semanage command

The semanage command is used to manage SELinux policies, and the format is "semanage [option] [file]".

The SELinux service greatly improves the security of the Linux system and locks user permissions firmly in a cage. The semanage command can not only set file and directory policies like the traditional chcon command, but can also manage network ports and message interfaces (these features are covered later in this chapter). The most frequently used semanage parameters and their functions are as follows:

The -l parameter is used for queries;

the -a parameter is used to add;

the -m parameter is used to modify;

the -d parameter is used to delete.

You also need to use the restorecon command to make the newly set SELinux security context take effect immediately. When using restorecon, add the -Rv parameter to operate recursively on the specified directory and display each SELinux security context change as it is made.
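The relabeling above (and the same per-directory semanage sequences repeated for the virtual hosts later) can be done with one regex rule and then audited, as in this added example, which is not part of the original post. The function names relabel_webroot and audit_labels and the sample find output are assumptions made for the example; it assumes RHEL 7 with policycoreutils-python installed.

```shell
#!/bin/sh
# Added example (not from the original post): label a web root outside
# /var/www with one persistent regex rule, and audit it afterwards for files
# that still carry a non-web type such as user_home_t. Assumes RHEL 7 with
# policycoreutils-python installed (provides semanage).

WEB_TYPE="httpd_sys_content_t"

# One rule for the directory and everything below it, instead of one
# semanage call per subdirectory and per file glob. "-a" fails if a rule
# for the same path already exists; "-m" then updates it.
relabel_webroot() {
    dir="$1"
    semanage fcontext -a -t "$WEB_TYPE" "${dir}(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t "$WEB_TYPE" "${dir}(/.*)?"
    restorecon -Rv "$dir"
}

# audit_labels TYPE  < lines of "context path" (from: find DIR -printf '%Z %p\n')
# Prints every path whose type field differs from TYPE; returns 1 if any.
audit_labels() {
    awk -v want="$1" '
        {
            split($1, ctx, ":")                    # user:role:type:level
            path = $0; sub(/^[^ ]+ /, "", path)    # keeps paths with spaces
            if (ctx[3] != want) { print path; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample of a home-directory web root that was created but never
# relabeled: the first file already has the web type, the other two still
# carry the user_home_t type inherited from /home.
SAMPLE='system_u:object_r:httpd_sys_content_t:s0 /home/wwwroot/index.html
unconfined_u:object_r:user_home_t:s0 /home/wwwroot/bbs
unconfined_u:object_r:user_home_t:s0 /home/wwwroot/bbs/index.html'

# Lists the mislabeled paths in the sample (used by the check below).
sample_mislabeled() {
    printf '%s\n' "$SAMPLE" | audit_labels "$WEB_TYPE" || true
}

# Real usage once the tools are present:
#   relabel_webroot /home/wwwroot
#   find /home/wwwroot -printf '%Z %p\n' | audit_labels "$WEB_TYPE"
```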

Personal user homepage function

1. In the httpd service program, the personal user homepage function is not turned on by default. To enable it, edit the configuration file below and add a pound sign (#) in front of the UserDir disabled parameter on line 17, which tells the httpd service program to enable the personal user homepage function; at the same time, remove the pound sign (#) in front of the UserDir public_html parameter on line 24 (the UserDir parameter names the directory inside the user's home directory where the website data is stored, here public_html). Finally, remember to save after modifying.

2. Create the directory and home page file for the website data in the user's home directory. In addition, change the permissions of the home directory to 755 so that other users also have permission to read its contents.

3. Restart the httpd service program and enter the URL in the address bar of the browser in the format "URL/~username" (the tilde is required, and there is no space between the URL, the tilde and the user name). In theory, you should see the user's personal website. Unsurprisingly, the system displays an error page.

4. When the httpd service program provides the personal user homepage function, the user's website data directory is stored in that user's own home directory, so there should be no need to modify the SELinux security context of the home directory. However, the previous article also introduced the concept of the SELinux domain. The SELinux domain ensures that a service program cannot perform illegal operations and can only provide services in its own way. Has the personal user homepage function just enabled in the httpd service been allowed by the SELinux domain? Check with getsebool:

[root@myserver yhd]# getsebool -a | grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> off
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
mysql_connect_http --> off
named_tcp_bind_http_port --> off
prosody_bind_http_port --> off
[root@myserver yhd]#

The relevant SELinux domain security policy is httpd_enable_homedirs; change its value to on.

To let only authenticated visitors see the content, add password protection to the website.

1. First use the htpasswd command to generate a password database. The -c parameter indicates that the database is being created for the first time; after it come the file in which the password database is stored and the user name to be used for verification.

2. Edit the configuration file of the personal user homepage function and change the parameters on lines 31 to 35 to the following content, where lines beginning with a pound sign (#) are annotations added by Mr. Liu Dun and can be ignored. Then save and exit the configuration file and restart the httpd service program for the change to take effect.

Virtual website hosting function

If each server running the Linux system can only run one website, then grassroots webmasters with low popularity and low traffic will be forced to bear high server rental costs, which will obviously also cause a waste of hardware resources. Before the emergence of Virtual Private Server (VPS) and cloud computing technology, IDC service providers have enabled virtual hosting functions in order to make fuller use of server resources and to lower the purchase threshold.

Using the virtual host function, a physical server in a running state can be divided into multiple "virtual servers". However, this technology cannot achieve the hardware resource isolation of the current cloud host technology, allowing these virtual servers to use the hardware resources of the physical server together, and the supplier can only limit the size of the hard disk used space. Due to various considerations (mainly low prices), there are still many companies or individual webmasters using virtual hosts to deploy websites.

Apache's virtual host function lets one server provide multiple websites, serving different content based on the IP address, host domain name or port number requested by the user. As shown in Figure 10-12, when the resources requested by users differ, the web page content they obtain also differs.

1. Based on IP address: first create three IP addresses on the server.

2. Starting at line 113 in the configuration file of the httpd service, write three IP-address-based virtual host website parameters, then save and exit. Remember to restart the httpd service for these configurations to take effect.

[root@myserver wwwroot]# vim /etc/httpd/conf/httpd.conf

3. When you visit the website at this point, you see the default home page of the httpd service program. Because the SELinux security context of the current /home/wwwroot directory and of the website data directories inside it does not match the website service, the httpd service program cannot read these website data directories. We need to set the SELinux security context of the new website data directories correctly by hand (see the previous experiment) and use the restorecon command to make the new SELinux security context take effect immediately; the website can then be accessed right away.

[root@myserver wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@myserver wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/88
[root@myserver wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/88/*
[root@myserver wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/89
[root@myserver wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/89/*
[root@myserver wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/90
[root@myserver wwwroot]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/90/*
[root@myserver wwwroot]# restorecon -Rv /home/wwwroot

Based on host domain name

When the server cannot assign an independent IP address to each website, you can let Apache recognize the domain name requested by the user automatically and send different content for different domain names. The configuration is simpler in this case: you only need to ensure that the server in the production environment has an available IP address (192.168.1.88 is used as the example here). Since configuring the DNS resolution service has not been introduced yet, the correspondence between the IP address and the domain names has to be defined manually. /etc/hosts is the configuration file used on Linux systems to force a host domain name to resolve to a specified IP address; as long as this file is configured correctly, a domain name can be resolved to an IP address even when the network card parameters contain no DNS information.

1. Define the correspondence between the IP address and the domain names manually in this configuration file; it takes effect immediately after saving and exiting. Verify that the domain names resolve to the IP address by pinging each of them:

[root@myserver ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.88  www.yhd.com bbs.yhd.com tech.yhd.com
[root@myserver ~]# ping -c 4 www.yhd.com
PING www.yhd.com (192.168.1.88) 56(84) bytes of data.
64 bytes from www.yhd.com (192.168.1.88): icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from www.yhd.com (192.168.1.88): icmp_seq=2 ttl=64 time=0.057 ms
64 bytes from www.yhd.com (192.168.1.88): icmp_seq=3 ttl=64 time=0.044 ms
64 bytes from www.yhd.com (192.168.1.88): icmp_seq=4 ttl=64 time=0.041 ms

--- www.yhd.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 110ms
rtt min/avg/max/mdev = 0.041/0.046/0.057/0.010 ms
[root@myserver ~]# ping -c 4 bbs.yhd.com
PING www.yhd.com (192.168.1.88) 56(84) bytes of data.
64 bytes from www.yhd.com (192.168.1.88): icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from www.yhd.com (192.168.1.88): icmp_seq=2 ttl=64 time=0.058 ms
64 bytes from www.yhd.com (192.168.1.88): icmp_seq=3 ttl=64 time=0.043 ms
64 bytes from www.yhd.com (192.168.1.88): icmp_seq=4 ttl=64 time=0.047 ms

--- www.yhd.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 104ms
rtt min/avg/max/mdev = 0.039/0.046/0.058/0.010 ms
[root@myserver ~]# ping -c 4 tech.yhd.com
PING www.yhd.com (192.168.1.88) 56(84) bytes of data.
64 bytes from www.yhd.com (192.168.1.88): icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from www.yhd.com (192.168.1.88): icmp_seq=2 ttl=64 time=0.043 ms
64 bytes from www.yhd.com (192.168.1.88): icmp_seq=3 ttl=64 time=0.044 ms
64 bytes from www.yhd.com (192.168.1.88): icmp_seq=4 ttl=64 time=0.045 ms

--- www.yhd.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 62ms
rtt min/avg/max/mdev = 0.039/0.042/0.045/0.008 ms
[root@myserver ~]#

2. Create three directories in /home/wwwroot to save the data of different websites, and write the homepage files of the website into them. Each homepage file should have information that clearly distinguishes the content of different websites, so that we can check the effect more intuitively later

[root@myserver ~]# mkdir -p /home/wwwroot/www
[root@myserver ~]# mkdir -p /home/wwwroot/bbs
[root@myserver ~]# mkdir -p /home/wwwroot/tech
[root@myserver ~]# echo "www.yhd.com" > /home/wwwroot/www/index.html
[root@myserver ~]# echo "bbs.yhd.com" > /home/wwwroot/bbs/index.html
[root@myserver ~]# echo "tech.yhd.com" > /home/wwwroot/tech/index.html

3. Starting at about line 113 in the configuration file of the httpd service, add three virtual host website parameters based on the host name, and then save and exit. Remember to restart the httpd service for these configurations to take effect

4. Because the current website data directory is still in the /home/wwwroot directory, it is still necessary to correctly set the SELinux security context of the website data directory file to make it consistent with the website service function. Finally, remember to use the restorecon command to make the newly configured SELinux security context take effect immediately, so that you can immediately access the virtual host website

[root@myserver ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@myserver ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/www
[root@myserver ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/www/*
[root@myserver ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/bbs
[root@myserver ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/bbs/*
[root@myserver ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/tech
[root@myserver ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/tech/*
[root@myserver ~]# restorecon -Rv /home/wwwroot
[root@myserver ~]# systemctl restart httpd

Based on port number

The port-number-based virtual host function lets users access website resources on the server through a specified port number. When configuring the virtual host function in Apache, the port-number-based method is the most complicated, because we must consider not only the configuration of the httpd service program but also SELinux's supervision of the newly opened ports. Generally speaking, it is more reasonable to provide website access on port numbers such as 80, 443 or 8080; other port numbers are restricted by the SELinux service.

1. Create two directories in /home/wwwroot for saving data of different websites, and write the homepage files of the website into them. Each homepage file should have information that clearly distinguishes the content of different websites, so that we can check the effect more intuitively later

[root@myserver www]# mkdir -p /home/wwwroot/6111
[root@myserver www]# mkdir -p /home/wwwroot/6222
[root@myserver www]# echo "port:6111" > /home/wwwroot/6111/index.html
[root@myserver www]# echo "port:6222" > /home/wwwroot/6222/index.html
[root@myserver www]#

2. Add parameters in the httpd service configuration file so that httpd listens on ports 6111 and 6222: vim /etc/httpd/conf/httpd.conf

 43 #
 44 #Listen 12.34.56.78:80
 45 Listen 80
 46 Listen 6111
 47 Listen 6222

3. In the configuration file of the httpd service, write two virtual host website parameters based on the port number respectively, and then save and exit. Remember to restart the httpd service for these configurations to take effect
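The virtual host blocks that step 3 of the host-name-based section and step 3 above ask you to write are not shown on the page; this added example (not the original author's configuration) generates them with one function, since httpd selects a virtual host by address, port and ServerName, which covers the IP-based, name-based and port-based cases alike. The function names vhost_block, name_based_conf and port_based_conf are assumptions, and the access syntax assumes httpd 2.4 as shipped with RHEL 7.

```shell
#!/bin/sh
# Added example (not from the original post): generate the <VirtualHost>
# blocks the steps leave to the reader. IP-based hosts differ in ADDR,
# name-based hosts share ADDR:PORT and differ in ServerName, port-based hosts
# differ in PORT. Assumes httpd 2.4 (RHEL 7): "Require all granted".

# vhost_block ADDR PORT SERVERNAME DOCROOT  -> prints one block on stdout
# (an empty SERVERNAME omits the ServerName line, as for IP/port-based hosts)
vhost_block() {
    addr="$1" port="$2" name="$3" root="$4"
    printf '<VirtualHost %s:%s>\n' "$addr" "$port"
    printf '    DocumentRoot %s\n' "$root"
    [ -n "$name" ] && printf '    ServerName %s\n' "$name"
    printf '    <Directory %s>\n' "$root"
    printf '        AllowOverride None\n'
    printf '        Require all granted\n'
    printf '    </Directory>\n'
    printf '</VirtualHost>\n'
}

# Name-based hosting: three sites on one address, told apart by ServerName.
name_based_conf() {
    for host in www bbs tech; do
        vhost_block 192.168.1.88 80 "$host.yhd.com" "/home/wwwroot/$host"
    done
}

# Port-based hosting: each port needs its own Listen line as well as the
# block (and, on SELinux systems, an http_port_t label for the port).
port_based_conf() {
    for port in 6111 6222; do
        printf 'Listen %s\n' "$port"
        vhost_block 192.168.1.88 "$port" "" "/home/wwwroot/$port"
    done
}

# Counts the blocks in a generated config read from stdin (used by the check).
count_vhosts() { grep -c '^<VirtualHost ' ; }

# Real usage: append to the main config, check syntax, then restart.
#   name_based_conf >> /etc/httpd/conf/httpd.conf
#   apachectl configtest && systemctl restart httpd
```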

4. Because we store the website data directory in the /home/wwwroot directory, it is still necessary to correctly set the SELinux security context of the website data directory file to make it consistent with the website service function. Finally, remember to use the restorecon command to make the newly configured SELinux security context take effect immediately

[root@myserver www]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@myserver www]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6111
[root@myserver www]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6111/*
[root@myserver www]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6222
[root@myserver www]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6222/*
[root@myserver www]# restorecon -Rv /home/wwwroot/
[root@myserver www]#
[root@myserver www]# systemctl restart httpd
[root@myserver www]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
[root@myserver www]#

5. The port numbers that SELinux allows for the HTTP protocol do not include 6111 and 6222 by default, so these two ports need to be added manually. The change takes effect immediately and persists after the system restarts. After setting it, restart the httpd service program, and the web page content can then be seen.
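Before adding a port, it is worth checking whether it is already listed for http_port_t, because semanage port -a fails when the port is already defined and semanage port -m is needed instead. This added example (not from the original post) parses the semanage port -l listing shown above, including ranges such as 10001-10010; the function names port_in_type and allow_http_port are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a port is
# already covered by an SELinux port type before touching policy, then add
# it persistently. Parses the output format of "semanage port -l".

# port_in_type TYPE PROTO PORT  < output of "semanage port -l"
# Returns 0 if PORT is listed for TYPE/PROTO, directly or inside a range.
port_in_type() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            # fields 3..NF look like "80," "81," ... "9000" or "10001-10010"
            for (i = 3; i <= NF; i++) {
                p = $i; gsub(/,/, "", p)
                if (split(p, r, "-") == 2) {
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (p + 0 == port + 0) {
                    found = 1
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed fixture: the listing from the page, used by the check below.
SAMPLE='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989'

# "yes"/"no": is TCP port $1 in http_port_t according to the fixture?
sample_http_port() {
    if printf '%s\n' "$SAMPLE" | port_in_type http_port_t tcp "$1"; then
        echo yes
    else
        echo no
    fi
}

# Allow httpd to bind PORT persistently: skip if already labeled, try -a,
# and fall back to -m when the port is defined under another type.
allow_http_port() {
    port="$1"
    if semanage port -l | port_in_type http_port_t tcp "$port"; then
        echo "port $port already in http_port_t"
        return 0
    fi
    semanage port -a -t http_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t http_port_t -p tcp "$port"
}
# Real usage: allow_http_port 6111; allow_http_port 6222; systemctl restart httpd
```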

Apache access control

Apache can control access to resources on the website based on information such as the source host name, the source IP address or the characteristics of the browser on the source host. The Allow directive permits a host to access website resources on the server, and the Deny directive forbids it. When allowing or forbidding access to website resources, the Order directive is also used; it defines the order in which the Allow and Deny directives are applied, and matching proceeds in that order. For example, "Order allow,deny" means the source host is matched against the allow rules first: if the match succeeds, the access request is allowed; otherwise the access request is denied.

1. First create a new subdirectory in the website data directory on the server, and create a home page file containing the word Successful in it:

[root@myserver /]# mkdir -p /var/www/html/server
[root@myserver /]# echo "Successful" > /var/www/html/server/index.html
[root@myserver /]# vim /etc/httpd/conf/httpd.conf

2. Open the configuration file of the httpd service and add the following rule to restrict source hosts. The rule allows hosts using the Firefox browser to access the home page file on the server; all other requests are rejected.

<Directory "/var/www/html/server">
    SetEnvIf User-Agent "Firefox" ff=1
    Order allow,deny
    Allow from env=ff
</Directory>


Origin blog.csdn.net/yanghuadong_1992/article/details/113458980