The Apache - American Indian indigenous languages from Apache, the implication with superb combat tactics and endless patience, due to its cross-platform security and is widely recognized and has a fast, reliable, simple API expansion. Currently has a high occupancy rate of Web services software market, the world's most used Web server software, open source, cross-platform (runs on Unix, linux, windows in).
Support for IP-based virtual hosting or domain name
support a variety of ways HTTP authentication
integrated proxy server module
Security Socket Layer (SSL)
can be seen in real time and customized service status log
to support multiple modules
Personal user home function
Apache service program has a default is not on the individual user's home page features to create a personal website for all users within the system, it is indeed very practical Oh ~
Step 1: Turn on the individual user home page features:
[root @ linuxprobe ~] # vim /etc/httpd/conf.d/userdir.conf
the UserDir disabled line with a # 17, representing the line is commented out, no longer works.
The sign in front of # UserDir public_html line 23 of the removal, said the bank is enabled.
Note: UserDir parameter indicates the name of the site you need to create a data directory in the user's home directory (ie public_html )
Restart Apache service program:
[root@linuxprobe ~]# systemctl restart httpd
Step 2: Create a personal website user data.
Switch to the home directory of ordinary members linuxprobe:
[root@linuxprobe home]# su - linuxprobe
Last login: Fri May 22 13:17:37 CST 2015 on :0
Create a site data directory public_html:
[linuxprobe@linuxprobe ~]$ mkdir public_html
Home written contents of the file:
[linuxprobe@linuxprobe ~]$ echo "This is linuxprobe's website" > public_html/index.html
Giving access to 755 directory sites:
[linuxprobe@linuxprobe ~]$ chmod -Rf 755 ./
We open a browser, access the address " http://127.0.0.1/~ user name ", nothing else really is an error page, certainly SELinux services mischief.
Step 3: Set SELinux allow policy.
The error is not because the data directory website SELinux security context of the user's home is not set, but because SELinux default Apache service does not allow individual user's home page this feature.
getsebool command queries all the rules SELinux Boolean value in the format: "getsebool -a".
SELinux policy Boolean: only 0/1 both cases, 0 or off is disabled, or on a permit.
setsebool Boolean value command is used to modify the rules in the policy SElinux the format: "setsebool [Options] Boolean value = [0 | 1]".
| parameter |
effect |
| -P |
Permanent |
View and search all the SELinux policy related to the home directory:
[root@linuxprobe ~]# getsebool -a | grep home
ftp_home_dir --> off
git_cgi_enable_homedirs --> off
git_system_enable_homedirs --> off
httpd_enable_homedirs --> off
mock_enable_homedirs --> off
mpd_enable_homedirs --> off
openvpn_enable_homedirs --> on
samba_create_home_dirs --> off
samba_enable_home_dirs --> off
sftpd_enable_homedirs --> off
sftpd_write_ssh_home --> off
spamd_enable_home_dirs --> on
ssh_chroot_rw_homedirs --> off
tftp_home_dir --> off
use_ecryptfs_home_dirs --> off
use_fusefs_home_dirs --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
xdm_write_home --> off
The site features individual user policy settings to allow:
[Root @ linuxprobe ~] # setsebool = -P httpd_enable_homedirs on
Linuxprobe refresh your browser to access the user's personal Web site, and she succeeded:
Step 4: Add password security authentication.
Sometimes I can not expect everyone to pay attention to access their own personal website, then you can use Apache password password authentication increases security by it.
Use htpasswd command to generate a password database (-c parameter for the first generation):
[root@linuxprobe ~]# htpasswd -c /etc/httpd/passwd linuxprobe
New password:
Re-type new password:
Adding password for user linuxprobe
Edit the configuration file open password authentication (specific parameters see below):
[root@linuxprobe ~]# vim /etc/httpd/conf.d/userdir.conf
If the wrong password is entered directly Forbidden:
Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn’t understand how to supply the credentials required.
Here's User Name is linuxprobe , not the user's password system password, but the password htpasswd command to create a website, do not confuse oh ~
Virtual web hosting features
Apache's virtual hosts (Virtual Host) can make a server-based technology IP, host name or port number, a Web site to provide more services .
Procedure virtual host function is very simple, but it may be more difficult to understand the principles which, once set up a test environment, you will surely understand.
1. Based on IP address
This situation is common: a single server with multiple IP addresses, display different web pages when the user accesses different IP address.
Step 1: Use nmtui command to add more IP addresses (192.168.10.10/20/30) of the card:
After restarting the network card device using the ping command to check the correct ( this is very important, be sure to test good and then the next step! ).
Step 2: Create a Web site data directory, respectively.
Three sites were created in the data directory / home / wwwroot directory:
[root@linuxprobe ~]# mkdir -p /home/wwwroot/10
[root@linuxprobe ~]# mkdir -p /home/wwwroot/20
[root@linuxprobe ~]# mkdir -p /home/wwwroot/30
Home files are written in the data directory three sites, the content for the IP address of the site:
[root@linuxprobe ~]# echo "IP:192.168.10.10" > /home/wwwroot/10/index.html
[root@linuxprobe ~]# echo "IP:192.168.10.20" > /home/wwwroot/20/index.html
[root@linuxprobe ~]# echo "IP:192.168.10.30" > /home/wwwroot/30/index.html
Step 3: IP address-based virtual hosts are described in the configuration file.
<VirtualHost 192.168.10.10>
DocumentRoot /home/wwwroot/10
ServerName www.linuxprobe.com
<Directory /home/wwwroot/10 >
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
<VirtualHost 192.168.10.20>
DocumentRoot /home/wwwroot/20
ServerName bbs.linuxprobe.com
<Directory /home/wwwroot/20 >
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
<VirtualHost 192.168.10.30>
DocumentRoot /home/wwwroot/30
ServerName tech.linuxprobe.com
<Directory /home/wwwroot/30 >
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Step 4: Modify the data directory website SELinux security context.
Need to modify the data directory and web site files are SELinux security context:
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/10
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/10/*
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/20
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/20/*
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/30
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/30/*
立即恢复SELinux安全上下文:
[root@linuxprobe ~]# restorecon -Rv /home/wwwroot
第5步:分别访问192.168.10.10/20/30验证结果:
基于主机名
当服务器无法为每个网站都分配到独立IP地址时,可以试试让Apache服务程序自动识别来源主机名或域名然后跳转到指定的网站。
第1步:配置网卡IP地址与hosts文件。
hosts文件作用是定义IP地址与主机名的映射关系,即强制将某个主机名地址解析到指定的IP地址。
[root@linuxprobe ~]# vim /etc/hosts
//每行只能写一条,格式为IP地址+空格+主机名(域名)。
192.168.10.10 www.linuxprobe.com
192.168.10.10 bbs.linuxprobe.com
192.168.10.10 tech.linuxprobe.com
第2步:分别创建网站数据目录:
[root@linuxprobe ~]# mkdir -p /home/wwwroot/www
[root@linuxprobe ~]# mkdir -p /home/wwwroot/bbs
[root@linuxprobe ~]# mkdir -p /home/wwwroot/tech
分别在网站目录中写入不同的首页文件:
[root@linuxprobe ~]# echo "WWW.linuxprobe.com" > /home/wwwroot/www/index.html
[root@linuxprobe ~]# echo "BBS.linuxprobe.com" > /home/wwwroot/bbs/index.html
[root@linuxprobe ~]# echo "TECH.linuxprobe.com" > /home/wwwroot/tech/index.html
第3步:在配置文件中描述基于主机名称的虚拟主机。
编辑主配置文件(/etc/httpd/conf/httpd.conf),在主配置文件的末尾按下面格式定义虚拟主机信息:
<VirtualHost 192.168.10.10>
DocumentRoot "/home/wwwroot/www"
ServerName "www.linuxprobe.com"
<Directory "/home/wwwroot/www">
AllowOverride None
Require all granted
</directory>
</VirtualHost>
<VirtualHost 192.168.10.10>
DocumentRoot "/home/wwwroot/bbs"
ServerName "bbs.linuxprobe.com"
<Directory "/home/wwwroot/bbs">
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
<VirtualHost 192.168.10.10>
DocumentRoot "/home/wwwroot/tech"
ServerName "tech.linuxprobe.com"
<Directory "/home/wwwroot/tech">
AllowOverride None
Require all granted
</directory>
</VirtualHost>
读者们可以直接复制上面的参数到主配置文件(/etc/httpd/conf/httpd.conf)的末尾然后重启apache网站服务程序。
因为在红帽RHCSA、RHCE或RHCA考试后都要重启您的实验机再执行判分脚本。
所以请读者在日常工作中也要记得将需要的服务加入到开机启动项中:”systemctl enable httpd“。
第4步:修改网站数据目录的SELinux安全上下文:
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/www
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/www/*
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/bbs
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/bbs/*
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/tech
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/tech/*
让新的SELinux安全上下文立即生效:
[root@linuxprobe ~]# restorecon -Rv /home/wwwroot/
第5步:分别访问网站验证结果
基于端口号
我们可以让服务器开启多个服务端口后,然后让用户能够通过访问服务器的指定端口来找到想要的网站。
第1步:配置服务器的IP地址:
第2步:分别创建网站数据目录。
分别创建端口为6111,6222的网站数据目录:
[root@linuxprobe ~]# mkdir -p /home/wwwroot/6111
[root@linuxprobe ~]# mkdir -p /home/wwwroot/6222
分别在网站数据目录中写入不同内容的主页文件:
[root@linuxprobe ~]# echo "port:6111" > /home/wwwroot/6111/index.html
[root@linuxprobe ~]# echo "port:6222" > /home/wwwroot/6222/index.html
第3步:在配置文件中描述基于端口号的虚拟主机。
编辑主配置文件(/etc/httpd/conf/httpd.conf),找到约在42行的Listen 80,并在下面追加:
Listen 6111
Listen 6222
然后在主配置文件的末尾按下面格式定义虚拟主机信息:
<VirtualHost 192.168.10.10:6111>
DocumentRoot “/home/wwwroot/6111”
ServerName www.linuxprobe.com
<Directory “/home/wwwroot/6111”>
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
<VirtualHost 192.168.10.10:6222>
DocumentRoot “/home/wwwroot/6222”
ServerName bbs.linuxprobe.com
<Directory “/home/wwwroot/6222”>
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
读者们可以直接复制上面的参数到主配置文件(/etc/httpd/conf/httpd.conf)的末尾然后重启apache网站服务程序。
因为在红帽RHCSA、RHCE或RHCA考试后都要重启您的实验机再执行判分脚本。
所以请读者在日常工作中也要记得将需要的服务加入到开机启动项中:”systemctl enable httpd“。
什么!竟然报错了:
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
这是因为SELinux服务检测到6111与6222端口原本并不属于Apache服务端口,但现在却被以Apache的名义监听了.第4步:修改网站数据目录的SELinux安全上下文并允许端口监听。
修改网站数据目录的安全上下文:
[root@linuxprobe ~]# semanage fcontext -a -t httpd_user_content_t /home/wwwroot
[root@linuxprobe ~]# semanage fcontext -a -t httpd_user_content_t /home/wwwroot/6111
[root@linuxprobe ~]# semanage fcontext -a -t httpd_user_content_t /home/wwwroot/6111/*
[root@linuxprobe ~]# semanage fcontext -a -t httpd_user_content_t /home/wwwroot/6222
[root@linuxprobe ~]# semanage fcontext -a -t httpd_user_content_t /home/wwwroot/6222/*
让新的SElinux安全上下文立即生效:
[root@linuxprobe ~]# restorecon -Rv /home/wwwroot/
使用semanage命令搜索在SELinux系统中有关http服务的端口号:
[root@linuxprobe ~]# semanage port -l| grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
默认包括80,81,443,488,8008,8009,8443,9000却没有咱们定义的端口号,那么添加进去就可以了:
[root@linuxprobe ~]# semanage port -a -t http_port_t -p tcp 6111
[root@linuxprobe ~]# semanage port -a -t http_port_t -p tcp 6222
再来看下SELinux的端口规则(已经添加成功了):
[root@linuxprobe ~]# semanage port -l| grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 6222, 6111, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
再次尝试启动Apache网站服务程序就没有问题了:
[root@linuxprobe ~]# systemctl restart httpd
第5步:分别访问网站验证结果:
