Chapter 10. Providing Apache HTTPD Web Service

Practice: Configuring a Web Server

Guided exercise

In this lab, you will configure a basic httpd web server to serve out a static page from the default location, as well as the Apache httpd manual.


Outcomes:
An Apache httpd web server running on your serverX machine, serving out a static page and the complete Apache httpd manual.

Before you begin...

• Reset your desktopX machine.
• Reset your serverX machine.

You have been asked to configure a basic web server on your serverX machine. This web server should serve out the text "Hello Class!" when the URL http://serverX.example.com/ is requested.

To aid your end users in submitting bug reports, the default error page should include a mailto: reference to the email address webmaster@serverX.example.com.

Since your organization is planning on further customizing the behavior of this web server, the full Apache httpd manual should be available under http://serverX.example.com/manual/.

□ 1. Begin by installing the httpd and httpd-manual packages.

□ 1.1.
[student@serverX ~]$ sudo yum -y install httpd httpd-manual

□ 2. Set the ServerAdmin directive for the main site configuration to point to webmaster@serverX.example.com.

□ 2.1. Open /etc/httpd/conf/httpd.conf in a text editor with root privileges, and change the line that starts with ServerAdmin to the following:

ServerAdmin webmaster@serverX.example.com

□ 3. Create the default content page.

□ 3.1. Create the /var/www/html/index.html file with a text editor as user root, and add the following content:

Hello Class!

□ 4. Start and enable the httpd service.

296 RH254-RHEL7-en-1-20140711

□ 4.1.
[student@serverX ~]$ sudo systemctl start httpd.service
[student@serverX ~]$ sudo systemctl enable httpd.service

□ 5. Open all the relevant ports for http on the firewall on serverX.

□ 5.1.
[student@serverX ~]$ sudo firewall-cmd --permanent --add-service=http
[student@serverX ~]$ sudo firewall-cmd --reload

□ 6. Test if you can access the new static page, as well as the Apache httpd manual, from your desktopX machine.

□ 6.1. From desktopX, point a web browser at http://serverX.example.com.

□ 6.2. From desktopX, point a web browser at http://serverX.example.com/manual.

Configuring and Troubleshooting Virtual Hosts

Objectives

After completing this section, students should be able to configure Apache httpd to provide IP-based and name-based virtual hosts.

Virtual hosts
Virtual hosts allow a single httpd server to serve content for multiple domains. Based on either the IP address of the server that was connected to, the host name requested by the client in the http request, or a combination of both, httpd can use different configuration settings, including a different DocumentRoot.

Virtual hosts are typically used when it is not cost-effective to spin up multiple (virtual) machines to serve out many low-traffic sites; for example, in a shared hosting environment.

Configuring virtual hosts
Virtual hosts are configured using <VirtualHost> blocks inside the main configuration. To ease administration, these virtual host blocks are typically not defined inside /etc/httpd/conf/httpd.conf, but rather in separate .conf files in /etc/httpd/conf.d/.

The following is an example file, /etc/httpd/conf.d/site1.conf.

<Directory /srv/site1/www>                          ❶
    Require all granted
    AllowOverride None
</Directory>

<VirtualHost 192.168.0.1:80>                        ❷
    DocumentRoot /srv/site1/www                     ❸
    ServerName site1.example.com                    ❹
    ServerAdmin webmaster@site1.example.com         ❺
    ErrorLog "logs/site1_error_log"                 ❻
    CustomLog "logs/site1_access_log" combined      ❼
</VirtualHost>

❶ This block provides access to the DocumentRoot defined further down.
❷ This is the main tag of the block. The 192.168.0.1:80 part indicates to httpd that this block should be considered for all connections coming in on that IP/port combination.
❸ Here the DocumentRoot is being set, but only for within this virtual host.
❹ This setting is used to configure name-based virtual hosting. If multiple <VirtualHost> blocks are declared for the same IP/port combination, the block that matches ServerName with the Host: header sent in the client http request will be used.
  There can be exactly zero or one ServerName directives inside a single <VirtualHost> block. If a single virtual host needs to be used for more than one domain name, one or more ServerAlias statements can be used.
❺ To help with sorting mail messages regarding the different websites, it is helpful to set unique ServerAdmin addresses for all virtual hosts.
❻ The location for all error messages related to this virtual host.
❼ The location for all access messages regarding this virtual host.

If a setting is not made explicitly for a virtual host, the same setting from the main configuration will be used.

Name-based vs. IP-based virtual hosting
By default, every virtual host is an IP-based virtual host, sorting traffic to the virtual hosts based on what IP address the client had connected to. If there are multiple virtual hosts declared for a single IP/port combination, the ServerName and ServerAlias directives will be consulted, effectively enabling name-based virtual hosting.

Wildcards and priority
The IP address part of a <VirtualHost> directive can be replaced with one of two wildcards: _default_ and *. Both have exactly the same meaning: "Match Anything".

When a request comes in, httpd will first try to match against virtual hosts that have an explicit IP address set. If those matches fail, virtual hosts with a wildcard IP address are inspected. If there is still no match, the "main" server configuration is used.

Important
A <VirtualHost *:80> will always match for regular http traffic on port 80/TCP, effectively disabling the main server configuration from ever being used for traffic on port 80/TCP.

If no exact match has been found for a ServerName or ServerAlias directive, and there are multiple virtual hosts defined for the IP/port combination the request came in on, the first virtual host that matches an IP/port is used, with first being seen as the order in which virtual hosts are defined in the configuration file.

When using multiple *.conf files, they will be included in alphanumeric sorting order. To create a catch-all (default) virtual host, the configuration file should be named something like 00-default.conf to make sure that it is included before any others.
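The matching rules just described (explicit IP first, then wildcard, then the main server; name match first within a group, otherwise the first block in include order) can be walked through with a small simulator. This is an added example, not code from the course or from Apache httpd; the virtual host definitions, addresses and file names in it are constructed sample data, and hostname matching is a plain case-insensitive comparison.

```python
"""Simulate how httpd picks a <VirtualHost> block for an incoming request.

Added example; this is not code from the course or from Apache httpd.  It
models the rules described in the text: blocks with an explicit IP address
are tried first, then blocks with a wildcard address (_default_ or *), then
the main server configuration.  Within one IP/port group the block whose
ServerName or ServerAlias equals the Host: header wins; otherwise the first
block in include order (alphanumeric conf.d file name order) is used.
Hostnames are compared exactly and case-insensitively; the virtual host
definitions below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

WILDCARDS = {"_default_", "*"}


@dataclass
class VHost:
    conf_file: str                  # conf.d/ file that defines the block
    address: str                    # IP or wildcard part of <VirtualHost ...>
    port: int
    server_name: Optional[str] = None
    aliases: List[str] = field(default_factory=list)

    def names(self) -> Set[str]:
        names = set(self.aliases)
        if self.server_name:
            names.add(self.server_name)
        return {n.lower() for n in names}


# Constructed sample configuration, deliberately listed out of include order.
VHOSTS = [
    VHost("01-wwwX.example.com-vhost.conf", "*", 80, "wwwX.example.com", ["wwwX"]),
    VHost("00-default-vhost.conf", "_default_", 80),
    VHost("site2.conf", "192.168.0.1", 80, "site2.example.com", ["www.site2.example.com"]),
    VHost("site1.conf", "192.168.0.1", 80, "site1.example.com"),
]


def include_order(vhosts: List[VHost]) -> List[VHost]:
    """conf.d/*.conf files are included in alphanumeric file name order."""
    return sorted(vhosts, key=lambda v: v.conf_file)


def resolve(vhosts: List[VHost], ip: str, port: int, host_header: str) -> str:
    """Return the conf file of the winning block, or 'main' for the main server."""
    ordered = include_order(vhosts)
    host = host_header.lower().split(":", 1)[0]    # drop an explicit port (no IPv6 literals here)

    def pick(group: List[VHost]) -> Optional[str]:
        if not group:
            return None
        for v in group:                    # exact ServerName / ServerAlias match first
            if host in v.names():
                return v.conf_file
        return group[0].conf_file          # otherwise the first block in include order

    explicit = [v for v in ordered if v.address == ip and v.port == port]
    wildcard = [v for v in ordered if v.address in WILDCARDS and v.port == port]
    return pick(explicit) or pick(wildcard) or "main"


if __name__ == "__main__":
    for ip, host in [("192.168.0.1", "site2.example.com"),
                     ("192.168.0.1", "unknown.example.com"),
                     ("192.168.0.1", "wwwX"),
                     ("172.25.0.11", "wwwX"),
                     ("172.25.0.11", "serverX.example.com")]:
        print(f"{ip:<13} Host: {host:<22} -> {resolve(VHOSTS, ip, 80, host)}")
```

The third request in the usage loop is the instructive one: a Host: header of wwwX arriving on 192.168.0.1 lands on site1.conf, not on the wildcard block that names wwwX, because the explicit-IP group is never skipped once it has members. That is the interaction to keep in mind when IP-based and name-based blocks share an address.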

Troubleshooting virtual hosts
When troubleshooting virtual hosts, there are a number of approaches that can help.

• Configure a separate DocumentRoot for each virtual host, with identifying content.
• Configure separate log files, both for error logging and access logging, for each virtual host.
• Evaluate the order in which the virtual host definitions are parsed by httpd. Included files are read in alphanumeric sort order based on their file names.
• Disable virtual hosts one by one to isolate the problem. Virtual host definitions can be commented out of the configuration file(s), and include files can be temporarily renamed to something that does not end in .conf.
• journalctl UNIT=httpd.service can isolate log messages from just the httpd.service service.


References

httpd(8) man page

httpd-manual package contents

Practice: Configuring a Virtual Host

Guided exercise

In this lab, you will configure a new web server to serve out content for multiple virtual hosts.

Outcomes:
A new web server running on serverX, serving out content for wwwX.example.com from /srv/wwwX.example.com/www/, and all other domains from /srv/default/www/.
Before you begin...
• Reset your serverX machine.
• Reset your desktopX machine.

Over the past few years, your company has been spinning up many web servers for new projects. Unfortunately, there was no structure or coordination between the various projects.

In an effort to clean up the mess, you have been asked to consolidate these various web servers into one, serving out the different domains using name-based virtual hosting.

For now, you will only have to set up a default virtual host that serves out a placeholder site from /srv/default/www/, and a virtual host for wwwX.example.com that serves out content from /srv/wwwX.example.com/www.

DNS CNAME records for the relevant domains have already been converted to point at your serverX machine.

□ 1. Start by installing the httpd package.

□ 1.1.
[student@serverX ~]$ sudo yum install httpd

□ 2. Create the content directories. The placeholder site should have an index.html file that reads:

Coming Soon!

The wwwX.example.com site should have an index.html that reads:

wwwX

□ 2.1. Create the directories.

[student@serverX ~]$ sudo mkdir -p /srv/{default,wwwX.example.com}/www



□ 2.2. Create the index.html files using a text editor.
/srv/default/www/index.html gets the "Coming Soon!" text, and the /srv/wwwX.example.com/www/index.html file should read "wwwX".

□ 2.3. The SELinux policy is already configured for the correct file contexts for any files under /srv/*/www, but you will still have to reset the context on the files you just created.

[student@serverX ~]$ sudo restorecon -Rv /srv/

□ 3. Create a new virtual host definition for the _default_:80 virtual host. This virtual host should serve out content from /srv/default/www/, and log to logs/default-vhost.log using the combined format.
□ 3.1. Create a new file called /etc/httpd/conf.d/00-default-vhost.conf. Give it the following content:

<VirtualHost _default_:80>
    DocumentRoot /srv/default/www
    CustomLog "logs/default-vhost.log" combined
</VirtualHost>

□ 3.2. Since in a default configuration, httpd blocks access to all directories, you will need to open up the content directory for your default vhost. Add the following block to /etc/httpd/conf.d/00-default-vhost.conf.

<Directory /srv/default/www>
    Require all granted
</Directory>

□ 4. Create a new virtual host definition for a wwwX.example.com virtual host in /etc/httpd/conf.d/01-wwwX.example.com-vhost.conf. This virtual host should respond to requests for both wwwX.example.com and wwwX, serve out content from /srv/wwwX.example.com/www, and store logs in logs/wwwX.example.com.log.

□ 4.1. Create the file /etc/httpd/conf.d/01-wwwX.example.com-vhost.conf with the following contents:

<VirtualHost *:80>
    ServerName wwwX.example.com
    ServerAlias wwwX
    DocumentRoot /srv/wwwX.example.com/www
    CustomLog "logs/wwwX.example.com.log" combined
</VirtualHost>

<Directory /srv/wwwX.example.com/www>
    Require all granted
</Directory>

□ 5. Start and enable the httpd service.

□ 5.1.
[student@serverX ~]$ sudo systemctl start httpd.service
[student@serverX ~]$ sudo systemctl enable httpd.service

□ 6. Open up the firewall on serverX to allow traffic to the httpd service.

□ 6.1.
[student@serverX ~]$ sudo firewall-cmd --permanent --add-service=http
[student@serverX ~]$ sudo firewall-cmd --reload

□ 7. From your desktopX system, use a web browser to visit the following URLs; the first two should respond with the "wwwX" text, while the last two should respond with "Coming Soon!".

• http://wwwX.example.com
• http://wwwX
• http://serverX.example.com
• http://172.25.X.11


Configuring HTTPS

Objectives
After completing this section, students should be able to configure Apache httpd to provide TLS-encrypted virtual hosts.
Transport Layer Security (TLS)
Transport Layer Security (TLS) is a method for encrypting network communications. TLS is the successor to Secure Sockets Layer (SSL). TLS allows a client to verify the identity of the server and, optionally, allows the server to verify the identity of the client.

TLS is based around the concept of certificates. A certificate has multiple parts: a public key, server identity, and a signature from a certificate authority. The corresponding private key is never made public. Any data encrypted with the private key can only be decrypted with the public key, and vice versa.
During the initial handshake, when setting up the encrypted connection, the client and server agree on a set of encryption ciphers supported by both the server and the client and they exchange bits of random data. The client uses this random data to generate a session key, a key that will be used for much faster symmetric encryption, where the same key is used for both encryption and decryption. To make sure that this key is not compromised, it is sent to the server encrypted with the server's public key (part of the server certificate).

The following diagram shows a (simplified) version of a TLS handshake.

[Figure: the client sends Client Hello; the server answers with Server Hello / Server Certificate; the client sends Client KeyExchange; then Data flows in both directions. The client side holds the Session Key and the Server Certificate, the server side holds the Private Key.]

Figure 10.1: A simplified representation of a TLS handshake

1. The client initiates a connection to the server with a ClientHello message. As part of this message, the client sends a 32-byte random number including a timestamp, and a list of encryption protocols and ciphers supported by the client.

2. The server responds with a ServerHello message, containing another 32-byte random number with a timestamp, and the encryption protocol and ciphers the client should use.

The server also sends the server certificate, which consists of a public key, general server identity information like the FQDN, and a signature from a trusted certificate authority (CA). This certificate can also include the public certificates for all certificate authorities that have signed the certificate, up to a root CA.

3. The client verifies the server certificate by checking if the supplied identity information matches, and by verifying all signatures, checking if they are made by a CA trusted by the client.

If the certificate verifies, the client creates a session key using the random numbers previously exchanged. The client then encrypts this session key using the public key from the server certificate, and sends it to the server using a ClientKeyExchange message.

4. The server decrypts the session key, and the client and server both start encrypting and decrypting all data sent over the connection using the session key.

Note
This is a simplification of the actual protocol; for example, the actual session key never gets transmitted with a lot of cipher suites, not even in encrypted form. The server and client both create a pre-master key which gets exchanged, and both the server and client calculate the actual session key from that one.

During the negotiations, both the server and client also use a variety of methods to ensure against replay and man-in-the-middle attacks.

Configuring TLS certificates
To configure a virtual host with TLS, multiple steps must be completed:

1. Obtain a (signed) certificate.
2. Install Apache HTTPD extension modules to support TLS.
3. Configure a virtual host to use TLS, using the certificates obtained earlier.

Obtaining a certificate
When obtaining a certificate, there are two options: creating a self-signed certificate (a certificate signed by itself, not an actual CA), or creating a certificate request and having a reputable CA sign that request so it becomes a certificate.
The crypto-utils package contains a utility called genkey that supports both methods. To create a certificate (signing request) with genkey, run the following command, where <FQDN> is the fully qualified domain name clients will use to connect to your server:

[root@serverX ~]# genkey <FQDN>

During the creation, genkey will ask for the desired key size (choose at least 2048 bits), if a signing request should be made (answering no will create a self-signed certificate), whether the private key should be protected with a passphrase, and general information about the identity of the server.

After the process has completed, a number of files will be generated:

• /etc/pki/tls/private/<fqdn>.key: This is the private key. The private key should be kept at 0600 or 0400 permissions, and an SELinux context of cert_t. This key file should never be shared with the outside world.
• /etc/pki/tls/certs/<fqdn>.0.csr: This file is only generated if you requested a signing request. This is the file that you send to your CA to get it signed. You never need to send the private key to your CA.
• /etc/pki/tls/certs/<fqdn>.crt: This is the public certificate. This file is only generated when a self-signed certificate is requested. If a signing request was requested and sent to a CA, this is the file that will be returned from the CA. Permissions should be kept at 0644, with an SELinux context of cert_t.

Install Apache HTTPD modules
Apache HTTPD needs an extension module to be installed to activate TLS support. On Red Hat Enterprise Linux 7, you can install this module using the mod_ssl package.

This package will automatically enable httpd for a default virtual host listening on port 443/TCP. This default virtual host is configured in the file /etc/httpd/conf.d/ssl.conf.
Configure a virtual host with TLS
Virtual hosts with TLS are configured in the same way as regular virtual hosts, with some additional parameters. It is possible to use name-based virtual hosting with TLS, but some older browsers are not compatible with this approach.

The following is a simplified version of /etc/httpd/conf.d/ssl.conf:

Listen 443 https                                                    ❶
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog         ❷
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>                                         ❸
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on                                                    ❹
    SSLProtocol all -SSLv2                                          ❺
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5                          ❻
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt             ❼
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key        ❽
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

❶ This directive instructs httpd to listen on port 443/TCP. The second argument (https) is optional, since https is the default protocol for port 443/TCP.
❷ If the private key is encrypted with a passphrase, httpd needs a method of requesting a passphrase from a user at the console at startup. This directive specifies what program to execute to retrieve that passphrase.
❸ This is the virtual host definition for a catch-all virtual host on port 443/TCP.
❹ This is the directive that actually turns on TLS for this virtual host.
❺ This directive specifies the list of protocols that httpd is willing to speak with clients. For added security, the older, unsafe SSLv3 protocol should also be disabled:

SSLProtocol all -SSLv2 -SSLv3

❻ This directive lists what encryption ciphers httpd is willing to use when communicating with clients. The selection of ciphers can have big impacts on both performance and security.
❼ This directive instructs httpd where it can read the certificate for this virtual host.
❽ This directive instructs httpd where it can read the private key for this virtual host. httpd reads all private keys before privileges are dropped, so file permissions on the private key can remain locked down.

If a certificate signed by a CA is used, and the certificate itself does not have copies of all the CA certificates used in signing, up to a root CA, embedded in it, the server will also need to provide a certificate chain, a copy of all CA certificates used in the signing process concatenated together. The SSLCertificateChainFile directive is used to identify such a file.

When defining a new TLS-encrypted virtual host, it is not needed to copy the entire contents of ssl.conf. Only a <VirtualHost> block with the SSLEngine On directive, and configuration for certificates, is strictly needed. The following is an example of a name-based TLS virtual host:

<VirtualHost *:443>
    ServerName demo.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/demo.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/demo.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
</VirtualHost>

This example misses some important directives such as DocumentRoot; these will be inherited from the main configuration.

Warning
Not defining what protocols and ciphers can be used will result in httpd using default options for these. httpd defaults are not considered secure, and it is highly recommended to restrict both to a more secure subset.
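A quick way to catch the situation the Warning describes is to lint each TLS-enabled <VirtualHost> block for the directives it should set explicitly. The checker below is an added example, not code from the course or from Apache httpd: it parses only the small subset of httpd.conf syntax needed here (one directive per line, backslash continuation, <VirtualHost> blocks), looks only at directives written inside each block (server-level settings inherited from ssl.conf are not considered), and the sample configuration it runs over is constructed for the example, starting with the minimal demo.example.com block from the text.

```python
"""Lint <VirtualHost> blocks for TLS settings left at httpd defaults.

Added example, not code from the course or from Apache httpd.  It parses
only the subset of httpd.conf syntax needed here (one directive per line,
backslash continuation, <VirtualHost> blocks; directives of nested blocks
such as <Directory> are folded into the enclosing vhost) and reports, per
TLS-enabled virtual host, whether SSLProtocol disables SSLv2 and SSLv3,
whether SSLCipherSuite and SSLHonorCipherOrder are set, and whether the
certificate and key files are configured.  Only directives inside the block
are considered; the sample configuration is constructed for the example.
"""
import re
from typing import Dict, List, Tuple

OPEN_VHOST = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
CLOSE_VHOST = re.compile(r"^</VirtualHost>$", re.IGNORECASE)

SAMPLE_CONF = """\
# Constructed sample: the text's minimal TLS vhost, a hardened one, and a plain-http one.
<VirtualHost *:443>
    ServerName demo.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/demo.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/demo.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
</VirtualHost>

<VirtualHost *:443>
    ServerName hardened.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH EDH+aRSA \\
        !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/hardened.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/hardened.example.com.key
    <Directory /srv/hardened/www>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName demo.example.com
    RewriteEngine on
</VirtualHost>
"""


def parse_vhosts(text: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Return [(address, {directive_lowercase: [arguments, ...]}), ...] per block."""
    joined = re.sub(r"\\\n\s*", " ", text)        # join backslash-continued lines
    vhosts, current, address = [], None, None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_VHOST.match(line)
        if m:
            address, current = m.group(1).strip(), {}
            continue
        if CLOSE_VHOST.match(line):
            vhosts.append((address, current))
            current = None
            continue
        if current is None or line.startswith("<"):   # outside a vhost, or a nested block tag
            continue
        name, _, args = line.partition(" ")
        current.setdefault(name.lower(), []).append(args.strip())
    return vhosts


def lint_tls_vhost(directives: Dict[str, List[str]]) -> List[str]:
    """Findings for one block; an empty list means nothing to report."""
    findings = []
    if directives.get("sslengine", [""])[-1].lower() != "on":
        return findings                                    # plain-http block
    if "sslprotocol" not in directives:
        findings.append("SSLProtocol not set (httpd default protocol list in use)")
    else:
        tokens = directives["sslprotocol"][-1].lower().split()
        for old, label in (("sslv2", "SSLv2"), ("sslv3", "SSLv3")):
            enabled = old in tokens or f"+{old}" in tokens or ("all" in tokens and f"-{old}" not in tokens)
            if enabled:
                findings.append(f"SSLProtocol leaves {label} enabled; use 'all -SSLv2 -SSLv3'")
    if "sslciphersuite" not in directives:
        findings.append("SSLCipherSuite not set (httpd default cipher list in use)")
    if directives.get("sslhonorcipherorder", [""])[-1].lower() != "on":
        findings.append("SSLHonorCipherOrder is not 'on'; client preference decides the cipher")
    for needed in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if needed.lower() not in directives:
            findings.append(f"{needed} missing")
    return findings


def lint_config(text: str) -> Dict[str, List[str]]:
    """Map 'ServerName (address)' to its findings for every block in the text."""
    report = {}
    for address, directives in parse_vhosts(text):
        name = directives.get("servername", ["(no ServerName)"])[-1]
        report[f"{name} ({address})"] = lint_tls_vhost(directives)
    return report


if __name__ == "__main__":
    for vhost, findings in lint_config(SAMPLE_CONF).items():
        print(vhost, "->", "ok" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Run against the sample, the text's demo.example.com block is reported three times over (no SSLProtocol, no SSLCipherSuite, no SSLHonorCipherOrder) while the hardened block and the port-80 block are clean. To check a live server, read /etc/httpd/conf.d/*.conf in include order and pass the concatenation to lint_config().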

Configuring forward secrecy
If a weaker encryption cipher has been used, and the private key of the server has been compromised, for example after a server break-in or a bug in the crypto code, an attacker could possibly decrypt a recorded session.
Protecting against these types of attacks is called ensuring forward secrecy. Forward secrecy can be established by carefully tuning the allowed ciphers in the SSLCipherSuite directive, and having the server always select the most preferred cipher from this list that both the server and the client support.

The following is an example that, at the date of publication, was considered the best set of ciphers to allow. This list prioritizes ciphers that perform the initial session key exchange using elliptic curve Diffie-Hellman (EECDH) algorithms. Using Diffie-Hellman, the actual session key is never transmitted, but rather calculated by both sides.

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLHonorCipherOrder on

The SSLHonorCipherOrder On directive instructs httpd to always prefer ciphers listed earlier on in the SSLCipherSuite list, regardless of the client preference.

Important
Security research is an always ongoing arms race. It is recommended that administrators re-evaluate their selected ciphers on a regular basis.
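What SSLHonorCipherOrder changes, and why the ordering of the SSLCipherSuite list matters for forward secrecy, can be seen by modelling the negotiation. This is an added example, not code from the course or from Apache httpd or OpenSSL: the server's preference list and the client's offer are constructed sample data in OpenSSL suite naming, forward secrecy is decided from the key-exchange part of the suite name alone (ECDHE/DHE, the suites the text's EECDH and EDH groups select), and expand_cipher_string() is the one function that hands a cipher string to the OpenSSL installed locally through Python's ssl module.

```python
"""Model cipher negotiation with and without SSLHonorCipherOrder, and mark
which negotiated suites give forward secrecy.

Added example; not code from the course, Apache httpd or OpenSSL.  The
negotiation is modelled as: the server's SSLCipherSuite list (in the order
the text says httpd prefers) is intersected with the client's offered list;
with SSLHonorCipherOrder on the first server entry the client supports wins,
with it off the first client entry the server supports wins.  Suite names
and the client offer are constructed sample data; forward secrecy is read
from the key-exchange part of the name (ECDHE/DHE, or any TLS 1.3 suite).
expand_cipher_string() asks the local OpenSSL which suites a cipher string
selects and needs no network access.
"""
import ssl
from typing import List, Optional

# Server preference order, constructed to mirror the shape of the text's list:
# ECDHE with AES-GCM first, other ECDHE next, then DHE, then a non-forward-secret fallback.
SERVER_PREFS = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-SHA",
    "AES256-SHA",
]

# An older client that lists a plain-RSA suite first, as many did.
CLIENT_OFFER = [
    "AES256-SHA",
    "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-SHA",
    "RC4-SHA",
]


def has_forward_secrecy(cipher: str) -> bool:
    """Ephemeral (EC)DH key exchange: the session key is derived on both sides, never sent.
    TLS 1.3 suites (TLS_...) always use an ephemeral exchange, so they count too."""
    return cipher.startswith(("ECDHE-", "DHE-", "TLS_"))


def select_cipher(server: List[str], client: List[str], honor_server_order: bool) -> Optional[str]:
    """The suite a handshake ends up with, or None when nothing overlaps."""
    preferred, other = (server, client) if honor_server_order else (client, server)
    for cipher in preferred:
        if cipher in other:
            return cipher
    return None


def expand_cipher_string(spec: str) -> List[str]:
    """Suites the local OpenSSL selects for an SSLCipherSuite-style string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for honor in (False, True):
        chosen = select_cipher(SERVER_PREFS, CLIENT_OFFER, honor)
        print(f"SSLHonorCipherOrder {'on ' if honor else 'off'}: {chosen}"
              f"  forward secrecy={has_forward_secrecy(chosen)}")
    # Expand the text's recommended list against the OpenSSL installed here.
    spec = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
            "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
            "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS")
    for name in expand_cipher_string(spec):
        print(f"{name:<32} forward secrecy={has_forward_secrecy(name)}")
```

With SSLHonorCipherOrder off, the constructed client drags the session down to plain-RSA AES256-SHA even though both sides support an ECDHE suite; with it on, the server's ordering wins and the session gets forward secrecy. The expansion at the end shows which concrete suites a given OpenSSL build actually selects for the text's string, which is the list worth re-checking on the regular basis the Important box asks for.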

Configuring HTTP Strict Transport Security (HSTS)
A common misconfiguration, and one that will result in warnings in most modern browsers, is having a web page that is served out over https include resources served out over clear-text http.

To protect against this type of misconfiguration, add the following line inside a <VirtualHost> block that has TLS enabled:

Header always set Strict-Transport-Security "max-age=15768000"
Sending this extra header informs clients that they are not allowed to fetch any resources for this page that are not served using TLS.
Another possible issue comes from clients connecting over http to a resource they should have been using https for.

S i m p l y n ot servi n g a n y content over h t t p wo u l d a l l eviate t h i s issue, b u t a m o re s u bt l e a p p roach -

is to a utomatica l l y red i rect c l ients connecting over h t t p to t h e s a m e resou rce using h t t ps.

To set up t h ese redi rects, config u re a h t t p v i rt u a l host for the same Se rve r Name a n d -

Se rve rAlias a s t h e T L S p rotected v i rt u a l h ost ( a catch-a l l v i rt u a l h ost c a n be used), a n d add


t h e fo l l o w i n g l i nes inside t h e <Vi r t ualHost * : 80> b l ock:
-

j
i Rew r i t e E n g i n e o n
Rew r i t e R u le A ( / . * ) $ h t t p s : //%{ HTTP_POST}$1 [ r e d i r e c t = 3 0 1 ]
L- -

T h e Rewrit eEngine on d i rective t u r n s on t h e U R L rewrite m od u l e for t h i s v i rtu a l h ost,


and the Rew r i t eRule matches any resou rce (" ( / . * ) $) and red i rects i t u s i n g a http Moved
-

308 R H 254- R H E L 7 ·en-1 -20140711 -

-
-

Confi g u r i n g H TT P Strict Tra n s p o rt S e c u rity ( H STS)


-

Permanen t ly message ( [ r e d i r e c t = 30 1 ] ) to the s a m e res o u rc e s e rved out over htt ps. The
-
%{HTTP _HOST} va ria b l e uses the h o st n a m e that was req u ested by the c l i e nt. w h i l e t h e $1 pa rt
i s a b a c k - reference to w h a teve r was m a t c h e d between the fi rst set of p a re n t h eses i n the reg u l a r
expre ss i o n .
-
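As an added example (not part of the course text), the following Python script parses a constructed httpd configuration and audits each <VirtualHost> for the settings discussed in this section: the http-to-https redirect, SSLv2/SSLv3 being disabled, weak cipher tokens such as RC4 (since prohibited for TLS by RFC 7465), SSLHonorCipherOrder, and the HSTS header. Its protocol model is a simplification of httpd's SSLProtocol syntax, and it does not expand OpenSSL cipher groups such as HIGH or MEDIUM.

```python
import re

# Constructed sample config (not from the course): an http vhost that redirects, a
# hardened https vhost, and a second https vhost with several weak settings.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName wwwX.example.com
    RewriteEngine on
    RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>

<VirtualHost *:443>
    ServerName wwwX.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP"
    SSLHonorCipherOrder on
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

<VirtualHost *:443>
    ServerName webappX.example.com
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM:RC4:!aNULL:!MD5
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
WEAK_CIPHER_PARTS = {"RC4", "MD5", "3DES", "DES", "LOW", "EXP", "EXPORT", "ANULL", "ENULL", "NULL"}


def parse_vhosts(conf_text):
    """Return [(address, {directive_lower: [args, ...]})] in configuration order."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf_text):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
        vhosts.append((addr.strip(), directives))
    return vhosts


def enabled_protocols(spec):
    """Simplified model of SSLProtocol: 'all' enables every version, +X or X enables X, -X disables X."""
    every = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
    enabled = set()
    for tok in spec.lower().split():
        names = every if tok.lstrip("+-") == "all" else {tok.lstrip("+-")}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled


def weak_ciphers(spec):
    """Return cipher-list tokens that positively select a weak algorithm (no leading ! or -)."""
    weak = []
    for tok in re.split(r"[\s:,]+", spec.strip().strip('"')):
        if not tok or tok[0] in "!-":
            continue
        if any(part.upper() in WEAK_CIPHER_PARTS for part in tok.split("+")):
            weak.append(tok)
    return weak


def audit_vhost(addr, d):
    """Findings for one virtual host, following the checks described in this section."""
    def on(name):
        return any(a.lower() == "on" for a in d.get(name, []))

    findings = []
    port = addr.rsplit(":", 1)[-1]
    if port == "80":
        if not on("rewriteengine"):
            findings.append("RewriteEngine is not on")
        if not any("https://%{HTTP_HOST}" in r and "301" in r for r in d.get("rewriterule", [])):
            findings.append("no RewriteRule redirecting (301) to https://%{HTTP_HOST}")
    elif port == "443":
        if not on("sslengine"):
            findings.append("SSLEngine is not on")
        old = enabled_protocols(" ".join(d.get("sslprotocol", ["all"]))) & {"sslv2", "sslv3"}
        for p in sorted(old):
            findings.append("SSLProtocol still allows %s" % p.replace("sslv", "SSLv"))
        for tok in weak_ciphers(" ".join(d.get("sslciphersuite", []))):
            findings.append("SSLCipherSuite enables weak cipher token %s" % tok)
        if not on("sslhonorcipherorder"):
            findings.append("SSLHonorCipherOrder is not on")
        if not any("Strict-Transport-Security" in h for h in d.get("header", [])):
            findings.append("no Strict-Transport-Security header is set")
    return findings


def audit_config(conf_text):
    """Map 'ServerName:port' to the list of findings for every virtual host in conf_text."""
    report = {}
    for addr, d in parse_vhosts(conf_text):
        name = d.get("servername", ["(no ServerName)"])[0]
        report["%s:%s" % (name, addr.rsplit(":", 1)[-1])] = audit_vhost(addr, d)
    return report


if __name__ == "__main__":
    for vhost, findings in audit_config(SAMPLE_CONF).items():
        print(vhost, "OK" if not findings else "; ".join(findings))
```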

References
httpd(8) man page

httpd-manual contents

Qualys SSL Labs: SSL/TLS Deployment Best Practices
https://www.ssllabs.com/projects/best-practices/

Practice: Configuring a TLS-enabled Virtual Host

Guided exercise
In this lab, you will configure TLS-encrypted virtual hosts.

Resources:
Files: http://classroom.example.com/pub/example-ca.crt
• http://classroom.example.com/pub/tls/certs/wwwX.crt
• http://classroom.example.com/pub/tls/private/wwwX.key
• http://classroom.example.com/pub/tls/certs/webappX.crt
• http://classroom.example.com/pub/tls/private/webappX.key
Machines: desktopX and serverX

Outcomes:
A web server configured with two virtual hosts, wwwX.example.com and
webappX.example.com, both protected by TLS.

Before you begin...
• Reset your serverX system.
• Reset your desktopX system.

Your company has decided to start selling Jim Whitehurst action figures online. Since most Red
Hat fans enjoy privacy and security, the website will need to be protected with TLS.

You have been asked to configure a web server on your serverX machine to host this site.
This web server will need to host two virtual hosts: https://wwwX.example.com and
https://webappX.example.com. The nonencrypted version of these two sites should send
browsers an automatic redirect to the encrypted version.

Certificates and private keys for these two sites have already
been provided. The certificates can be downloaded from
http://classroom.example.com/pub/tls/certs/{www,webapp}X.crt, and the private
keys can be found at
http://classroom.example.com/pub/tls/private/{www,webapp}X.key. The public
part of the signing CA can be found at
http://classroom.example.com/pub/example-ca.crt.

Content for these sites should be served out of /srv/wwwX/www and /srv/webappX/www,
respectively. Since your web designers are currently on a two-week lunch break, you will have to
provide temporary content that uniquely identifies each host yourself.

Custom log files are not required for now.

□ 1. Install both the httpd and mod_ssl packages.

□ 1.1.
[student@serverX ~]$ sudo yum install httpd mod_ssl

□ 2. Create the content directories, with identifying content and appropriate SELinux
contexts.

□ 2.1. Create the two directories.

[student@serverX ~]$ sudo mkdir -p /srv/{www,webapp}X/www

□ 2.2. In both content directories, create an index.html file with distinct content.

[student@serverX ~]$ sudo vim /srv/wwwX/www/index.html
[student@serverX ~]$ sudo vim /srv/webappX/www/index.html

□ 2.3. Reset the SELinux context on your new directories.

[student@serverX ~]$ sudo restorecon -Rv /srv/

□ 3. Download all the needed certificates and private keys to their correct locations with their
correct permissions.

□ 3.1. Download the CA certificate used to sign your certificates.

[student@serverX ~]$ cd /etc/pki/tls/certs
[student@serverX certs]$ sudo wget http://classroom.example.com/pub/example-ca.crt

□ 3.2. While still in the certs directory, download the two certificates for your virtual
hosts.

[student@serverX certs]$ sudo wget http://classroom.example.com/pub/tls/certs/wwwX.crt
[student@serverX certs]$ sudo wget http://classroom.example.com/pub/tls/certs/webappX.crt

□ 3.3. Switch to the private directory and download the private keys. Do not forget to
set the permissions on the private keys to 0600.

[student@serverX certs]$ cd /etc/pki/tls/private
[student@serverX private]$ sudo wget http://classroom.example.com/pub/tls/private/wwwX.key
[student@serverX private]$ sudo wget http://classroom.example.com/pub/tls/private/webappX.key
[student@serverX private]$ sudo chmod 0600 w*X.key

□ 4. Configure the TLS name-based virtual host for your wwwX.example.com domain
in a new file called /etc/httpd/conf.d/wwwX.conf. You can use the existing
/etc/httpd/conf.d/ssl.conf as a template, but if you do, do not forget to strip out
all the content outside of the <VirtualHost> block.

Do not forget to add an automatic redirect from the non-TLS-based http site to the TLS-
encrypted https site.

□ 4.1. Create /etc/httpd/conf.d/wwwX.conf with the following content:

<VirtualHost *:443>
    ServerName wwwX.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/wwwX.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wwwX.key
    SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
    DocumentRoot /srv/wwwX/www
</VirtualHost>

□ 4.2. Add a <Directory> block for /srv/wwwX/www to
/etc/httpd/conf.d/wwwX.conf like the following:

<Directory /srv/wwwX/www>
    Require all granted
</Directory>

□ 4.3. To accomplish the automatic redirect from http to https, add the following block
to /etc/httpd/conf.d/wwwX.conf:

<VirtualHost *:80>
    ServerName wwwX.example.com
    RewriteEngine on
    RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>

□ 5. Configure the webappX.example.com virtual host by copying the configuration for your
wwwX.example.com virtual host, and changing every occurrence of wwwX to webappX.

□ 5.1. Copy the configuration to /etc/httpd/conf.d/webappX.conf.

[student@serverX ~]$ sudo cp /etc/httpd/conf.d/{www,webapp}X.conf

□ 5.2. Replace every occurrence of wwwX with webappX in the new configuration file.

[student@serverX ~]$ sudo sed -i 's/wwwX/webappX/g' /etc/httpd/conf.d/webappX.conf

□ 6. Start and enable the httpd.service, and open the relevant firewall ports.

□ 6.1. Start and enable httpd.service.

[student@serverX ~]$ sudo systemctl start httpd.service
[student@serverX ~]$ sudo systemctl enable httpd.service

□ 6.2. Open both the http and https ports on the firewall.

[student@serverX ~]$ sudo firewall-cmd --permanent --add-service=http --add-service=https
[student@serverX ~]$ sudo firewall-cmd --reload

□ 7. Test your new configuration from your desktopX system. You will have to import the
http://classroom.example.com/pub/example-ca.crt into the list of trusted CA
certificates for your browser as part of this process.

Perform all of the following steps on your desktopX system.

□ 7.1. Download the example-ca.crt certificate to your home directory.

[student@desktopX ~]$ wget http://classroom.example.com/pub/example-ca.crt

□ 7.2. Launch firefox and open the Edit > Preferences dialog. Navigate to the Advanced
> Certificates tab.

□ 7.3. Click View Certificates, then use the Import button. Navigate to the file you
just downloaded and click Open. In the resulting dialog, check Trust this CA to
identify websites and click OK.

Close all open dialogs.

□ 7.4. Point your browser at both http://wwwX.example.com and
http://webappX.example.com. Both should redirect to their https
counterpart automatically, without a certificate warning.

Note
When troubleshooting a web server using firefox, it can be useful to empty the
cache from within the Preferences dialog. The Clear Now button can be found
in the Advanced > Network tab. If the cache is not cleared in between server
restarts, firefox might show old, outdated information.

□ 8. Bonus question:

Without further configuration, a visit to http://serverX.example.com will
also result in a redirect to https. Why is this, and how could you prevent this from
happening?

Answer:

This happens because there is no explicit catch-all virtual host defined for *:80, resulting
in the first virtual host for *:80 being used as a default virtual host. Since this is the
virtual host for your webappX domain, the redirect rule is included.

This can be solved by defining either a <VirtualHost _default_:80>
block, or by defining a <VirtualHost *:80> block in a location where
it will be parsed before any other virtual hosts; for example, before the
includes in /etc/httpd/conf/httpd.conf or as a separate file in
/etc/httpd/conf.d/00-default.conf.
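The bonus answer above, as an added example that is not part of the course: a small Python model of how httpd picks a name-based virtual host, showing why a request for serverX.example.com lands on the webappX redirect and how a 00-default.conf file changes that. It assumes that httpd.conf includes conf.d/*.conf and that httpd reads wildcard includes in alphabetical order, so webappX.conf is read before wwwX.conf; the two configuration files are represented by constructed stand-in data rather than parsed.

```python
# Added example (not from the course): a model of httpd's name-based virtual host
# selection for the two files written in this exercise.
# Assumption: conf.d/*.conf is included in alphabetical order, so the first
# <VirtualHost *:80> httpd reads is webappX.conf's, making it the default for port 80.

# Constructed stand-ins for /etc/httpd/conf.d/wwwX.conf and webappX.conf.
CONF_D = {
    "wwwX.conf": [
        {"addr": "*:443", "ServerName": "wwwX.example.com", "redirect": False},
        {"addr": "*:80", "ServerName": "wwwX.example.com", "redirect": True},
    ],
    "webappX.conf": [
        {"addr": "*:443", "ServerName": "webappX.example.com", "redirect": False},
        {"addr": "*:80", "ServerName": "webappX.example.com", "redirect": True},
    ],
}

# The fix from the bonus answer: a catch-all http vhost in a file name that sorts first.
DEFAULT_CONF = {
    "00-default.conf": [
        {"addr": "*:80", "ServerName": "serverX.example.com", "redirect": False},
    ],
}


def load_order(conf_d):
    """Flatten conf.d into the single vhost list httpd builds, in file-name order."""
    ordered = []
    for fname in sorted(conf_d):
        for vhost in conf_d[fname]:
            ordered.append(dict(vhost, file=fname))
    return ordered


def select_vhost(vhosts, host_header, port):
    """Name-based selection for one port: the first vhost whose ServerName or ServerAlias
    matches the Host header wins; with no match, the first vhost listed for that port is
    used as the default, whatever its ServerName says."""
    host = host_header.split(":")[0].lower()
    candidates = [v for v in vhosts if v["addr"].endswith(":%d" % port)]
    if not candidates:
        return None
    for vhost in candidates:
        names = [vhost["ServerName"].lower()]
        names += [alias.lower() for alias in vhost.get("ServerAlias", [])]
        if host in names:
            return vhost
    return candidates[0]


def explain(conf_d, host_header, port=80):
    """One-line summary of where a request for host_header ends up."""
    vhost = select_vhost(load_order(conf_d), host_header, port)
    if vhost is None:
        return "%s:%d -> no virtual host listens on that port" % (host_header, port)
    action = "redirects to https" if vhost["redirect"] else "serves content"
    return "%s:%d -> %s from %s, %s" % (host_header, port, vhost["ServerName"],
                                        vhost["file"], action)


if __name__ == "__main__":
    print(explain(CONF_D, "serverX.example.com"))                        # lands on webappX
    print(explain(dict(CONF_D, **DEFAULT_CONF), "serverX.example.com"))  # lands on the default
```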

Integrating Dynamic Web Content

Objectives
After completing this section, students should be able to configure Apache httpd to serve
dynamic database-driven web content.

Dynamic content
Most modern websites do not consist of purely static content. Most content served out is actually
generated dynamically, on demand. Integrating dynamic content with Apache HTTPD can be
done in numerous ways. This section describes a number of the most common ways, but more
ways exist.

Common Gateway Interface

One of the oldest forms of generating dynamic content is by using Common Gateway Interface
(CGI). When a CGI resource is requested, httpd does not simply read the resource and serve
it out; instead, it executes the resource as a process, and serves the stdout of that process.
Although CGI resources are mostly written in scripting languages like Perl, it is also quite
common for CGI resources to be compiled C programs, or Java executables.

Information from the request (including client information) is made available to the CGI program
using environment variables.

Configuring httpd for CGI

To have httpd treat a location as CGI executables, the following syntax is used in the httpd
configuration.

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

This instructs httpd to redirect any request for files under the /cgi-bin/ URI to the
/var/www/cgi-bin/ directory, and treat the files in that directory as executable scripts.

A number of caveats exist when using CGI:

• CGI scripts will be executed as the apache user and group.

• CGI scripts should be executable by the apache user and group.

• CGI scripts should have the httpd_sys_script_exec_t SELinux context.

• The CGI directory should have Options None, and access should be granted using a normal
<Directory> block.

Serving dynamic PHP content

A popular method of providing dynamic content is using the PHP scripting language. While PHP
scripts can be served using old-fashioned CGI, both performance and security can be improved
by having httpd run a PHP interpreter internally.

By installing the php package, a special mod_php module is added to httpd. The default
configuration for this module adds the following lines to the main httpd configuration:

<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
DirectoryIndex index.php

The <FilesMatch> block instructs httpd to use mod_php for any file with a name ending in
.php, and the DirectoryIndex directive adds index.php to the list of files that will be sought
when a directory is requested.

Serving dynamic Python content

Also popular is generating dynamic content using Python scripts. Python scripts can be served
out using regular CGI, but both python and httpd also support a newer protocol: Web Server
Gateway Interface (WSGI).

WSGI support can be added to httpd by installing the mod_wsgi package.

Unlike the mod_php or CGI approach, WSGI does not start a new script/interpreter for every
request. Instead, a main application is started, and all requests are routed into that application.

Configuring httpd to support a WSGI application takes two steps:

1. Install the mod_wsgi package.

2. Add a WSGIScriptAlias line to a virtual host definition.

The following is an example of a WSGIScriptAlias directive, which sends all requests
for http://servername/myapp and any resources below it to the WSGI application
/srv/myapp/www/myapp.py:

WSGIScriptAlias /myapp/ /srv/myapp/www/myapp.py

WSGI applications should be executable by the apache user and group, and their SELinux
contexts should be set to httpd_sys_content_t.
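Both the CGI and the WSGI mechanisms described above, as an added example that is not part of the course: one small request handler exposed once as a CGI program (request data read from environment variables, response written to stdout) and once as the application callable that mod_wsgi would load through a WSGIScriptAlias such as the one shown above. The file path /srv/myapp/www/myapp.py and the names handle, request_from, cgi_response and call_wsgi are this example's own.

```python
import json
import os
import sys

# Added example (not from the course): one request handler exposed as both a CGI
# program and a WSGI application. Hypothetical location: /srv/myapp/www/myapp.py,
# mounted with "WSGIScriptAlias /myapp/ /srv/myapp/www/myapp.py" (or run via ScriptAlias).


def handle(method, path, query, remote_addr):
    """Core logic shared by both entry points: returns (status, headers, body bytes).
    Read-only by design: anything but GET is refused before any work is done."""
    if method != "GET":
        return "405 Method Not Allowed", [("Allow", "GET")], b"method not allowed\n"
    if path in ("", "/"):
        doc = {"app": "myapp", "client": remote_addr, "query": query}
        body = json.dumps(doc, sort_keys=True).encode("utf-8")
        headers = [("Content-Type", "application/json"),
                   ("X-Content-Type-Options", "nosniff")]
        return "200 OK", headers, body
    return "404 Not Found", [("Content-Type", "text/plain")], b"not found\n"


def request_from(environ):
    """CGI and WSGI both hand the request over under the same variable names."""
    return (environ.get("REQUEST_METHOD", "GET"), environ.get("PATH_INFO", "/"),
            environ.get("QUERY_STRING", ""), environ.get("REMOTE_ADDR", "unknown"))


def cgi_response(environ):
    """CGI entry point: build the bytes httpd expects on stdout, a Status line and
    headers terminated by a blank line, then the body."""
    status, headers, body = handle(*request_from(environ))
    lines = ["Status: %s" % status] + ["%s: %s" % h for h in headers]
    lines.append("Content-Length: %d" % len(body))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def application(environ, start_response):
    """WSGI entry point: mod_wsgi keeps this interpreter alive and calls it for every
    request; PATH_INFO holds the part of the URL below the WSGIScriptAlias prefix."""
    status, headers, body = handle(*request_from(environ))
    headers.append(("Content-Length", str(len(body))))
    start_response(status, headers)
    return [body]


def call_wsgi(environ):
    """Minimal harness: invoke the WSGI callable and collect (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(application(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    if "GATEWAY_INTERFACE" in os.environ:   # started by httpd as a CGI program
        sys.stdout.buffer.write(cgi_response(os.environ))
    else:                                   # constructed request for a local run
        print(call_wsgi({"REQUEST_METHOD": "GET", "PATH_INFO": "/",
                         "QUERY_STRING": "v=1", "REMOTE_ADDR": "192.0.2.10"}))
```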

Data b a s e co n n ect i v ity


M ost w e b a p p l ications w i l l n e e d to store a nd ret r ieve persistent d a t a . A c o m m o n a p p roa c h t o t h i s
·-
i s to store t h e d a t a i n a data base s u c h a s M a r i a D B o r Postg reS Q L .

W h e n t h e data base i s r u n n i n g on t h e s a m e h o s t a s t h e we b server, a n d t h e d a t a b a s e i s u s i n g a


·-
sta n d a rd n etwo r k port, S E L i n u x w i l l a l l o w t h e network connection from t h e we b a p p l ication to
happen.

·-
W h e n a data base o n a remote host i s u s e d , t h e S E L i n u x Boo l e a n
h t t pd_can_netwo r k_connec t_d b m u st b e s e t to 1 t o a l low t h e c o n n e c t i o n .
·-
W h e n a n etwo r k con n ection to a not h e r needs to b e m a d e f r o m w i t h i n t h e web
a p p l icat i o n , and t h e ta rget is not a we l l - k n ow n database port, t h e S E L i n u x Boo l e a n
h t t pd_can_netwo r k_connect m u st b e s e t to 1 .

Va rious o t her S E L i n u x Boo l e a n s c a n a l so a ffect t h e w a y i n w h i c h web a p p l i c a t i o n s a re executed


by h t t pd .
·-

316 R H 254- R H E L 7-en-1 -20140711 ·-


-

Database c o n n ectivity
-

i '� I Refe re n ces


- "' R I
L_J
h t t pd(8) and h t t pd_p h p_selinux(8) man pages

- httpd-manual package contents

/ u s r / s h a re/doc/mod_ws gi - * /READM E
-

-
R H254- R H E L7 -en -1 -20140711 317

-
·-

·-

C h a pter 1 0 . Provi d i ng A p a c h e H T T P D Web Service


--

P ra c t i ce : C o n f i g u ri n g a We b A p p l i ca t i o n
--

G u i d e d exe rc i se
I n t h i s l a b, you w i l l confi g u re y o u r s e rve rX syste m to se rve a P H P a p p l i cation that u ses a
M a ri a D B database backe n d .
-

Reso u rces:
Files: /va r /www/ h t ml/index . h tml -

Machines: d e s k t o pX a n d serverX

O utcomes:
A worki n g PHP a p p l ication with a data base backend r u n n i n g o n se rve rX.

Before you begin . . . -

• Reset yo u r deskt opX system.

• Reset yo u r se rve rX syste m . -

• Log i nto a n d s e t u p yo u r se rve rX system .


-

[ s t u d e n t@serverX - ) $ lab phpdb setup


- - �- - - -- -

Yo u r co m pa n y is tryi n g to p u s h i nto t h e co l l ect i b l e ca rd g a m e m a rket. O n e of t h e major focuses


i n that push is to prov i d e a n o n l i n e database of a l l cards i n the p o p u l a r game "Tra g ic: The
S a d d e n i n g ".
-

Yo u r web deve l opers a re h a rd at work, a n d have p rov i d e d you w i t h an e a r l y a l pha vers i o n of t h e


web i nte rface i n /var /www/ h t ml/index . php.
-
Yo u r database a d m i n i st rators, not wa n t i n g to be outdone by t h e web deve l opers, h a ve p o p u lated
a M a ria D B data base, rea d y for use.
-
One of you r fo r m e r cowo r k e rs was tasked with confi g u ri n g the web server for this p roject. S a d l y,
after a n u m be r of weeks t ryi n g to get t h e code to r u n , t h a t coworker was l et go.
-
It's now up to you to get this p roj ect o n t h e road a g a i n . Both the database server a n d
t h e w e b server a re a l re a d y r u n n i n g o n se rve rX, b u t c l ients h ave t rou b l e c o n n e ct i n g to
h t t p : / / s e r v e rX . e x a m p l e . c o m .

Yo u r web d eve l o p e rs h ave d e l ivered b u g -free code a s us u a l , and the DBA h a s d e l ivered a work i n g
data base, w i t h correct records.
-

D 1. Re p l i cate the issue of u sers n ot being a b l e to c o n n ect to s e r v e rX . e x a m p l e . c o m .

D 1 .1 . O n y o u r d e s k t o pX m a c h i ne, start a n i nsta n c e o f fi refox a n d point it a t


-
s e r v e rx . e x a m p l e . c o m .

D 2. That " U n a b l e to c o n n ect" message h a s two l i ke l y c a u ses: h t t pd . se rvice not r u n n i n g


-
o n se rve rX, o r a fi rewa l l issue. I nvest i g ate both.

D 2 .1 . C h e c k if h t t pd . s e rvice is r u n n i n g o n se rve rX.


-

31 8 RH254- R H E L 7 - e n -1 -20140711 -

-
-

G u i d ed exercise
-

[ s t u d e n t@ s e r v e r X -)$ sudo sys t emctl status -1 httpd . service


-

D 2.2. I nvest i g ate if t h e h t t p service is o p e n e d for t h e defa u l t zone on s e rve rX.

-
I [ s t ud e n t@ s e r v e r x - ) $ sudo firewall - cmd - - list - all
�������

- D 3. Confi g u re the fi rewa l l o n se rve rX to a l l o w h t t p t raffic.

D 3.1 . '
[ s t u d e n t@ s e r v e r X - )$ sudo firewall - cmd - - permanent - - add - service=ht tp
.,. [ s t u d e n t@s e rv e r x - ) $ sudo firewall - cmd - - reload

D 4. Test if ope n i n g up the fi rewa l l s o l ve d yo u r issue.


-

D 4.1 . Fro m d e s k t o pX, p o i n t a b rows e r a t h t t p : / / s e r v e rX . e x am p l e . c o m .

-- D 5. That test page i s typica l l y s h own when h t t pd c a n not find a n i n dex page. Verify that
t h e re i s i nd e e d a f i l e n a m e d /var /www / h t ml/index . php, and that it i s rea d a b l e by t h e
h t t pd p rocess.


-
D 5.1 . I

[ s t u d e t@s e r v e r X -]$ ls - lZ /var/www / html/index . php

-
D 6. h t t pd o n l y searches for . p h p f i l es when php i s properly i n sta l l e d . Ve r i fy that this is the
case.
-
D 6.1 .
[ s t u d e n t@ s e r v e r X - ] $ yum list php

- D 6.2. I n sta l l the php package.

! ------,
I [ s t u d e n t@ s e r v e r x - ) $ sudo yum install php
- !

D 6.3. Restart t h e h t t pd . se rvice o n serverX to a ctivate t h e new P H P m od u l es.


-
i
I [ s t u d e n t@ s e r v e r X - ] $ sudo systemctl restart httpd . service
I
-
D 7. Fro m yo u r d e s k t opX syste m , use fi refox to c h e c k if h t t p : / / s e r v e rx . e x a m p l e . c o m
i s n o w wo r k i n g .

-
D 8. That e m pty p a g e does n ot l o o k good. I nvesti gate t h e i s s u e .

D 8 .1 . C h e c k t h e h t t pd e rror l o g .
-

I [ s t u d e n t@ s e r v e r x -)$ sudo t ail /var/log/ht tpd/error_log


l
-
D 8.2. That " u ndefined f u nc t ion mysqli_connec t " error l oo ks l i ke a m i s s i n g
P H P l i b ra r y. I n sta l l t h e php-mysql p a c ka g e to i n sta l l t h e needed bits.

!
-
[ s t u d e n t@s e r v e r X -)$ sudo yum install php - mysql

- R H254-R H E L7-en-1 -201 40711 319

-
-

C h a pter 1 0. P rovi d i n g A p a c h e HTTPD Web Service


-

D 8.3. Resta rt h t t pd . se rvice to m a ke a n y r u n n i n g PHP i n s t a n ces awa re of t h e new


l i b ra r i es.
-

[ s t ud e n t@ s e r v e r X - ]$ sudo systemctl restart httpd . service


-

D 9. Fro m d e s k t o pX, use fi refox to verify t h a t t h e a p p l ication now works. W h e n a data base
l isti n g i s ret u r n e d , execute lab p h p d b g r ade on deskt opX to verify yo u r work.
-
D 9.1 .
[ s t ud e n t@de s k t o pX - ] $ lab phpdb grade

320 R H 254- R H E L 7-en-1 -20140711 -

-
-

L a b : Provid i n g A p a c h e H T T P D Web Service


-

-
L a b : P rovi d i n g A p a c h e H T T P D We b S e rv i ce

- Perfo r m a nce c h e c k l i st
I n t h i s l a b, you w i l l confi g u re yo u r se rve rX to serve a Pyt h o n W S G I w e b a p p l i ca t i o n over HTTPS.

Resou rces:
Files: / home/ s t u d e n t /webapp . wsgi
-
Machines: deskt opX a n d s e rverx

- Outcomes:
A T L S v i rt u a l h ost serv i n g a Pyt h o n WSGI w e b a p p l icat i o n o n t h e h t t ps : II
webappX . example . com d o m a i n .
-
Before you begin . . .
• Reset yo u r d e s k t opX syst e m .
-
• Reset yo u r se rve rX syste m .

• L o g i nto a n d s e t u p you r se rverX syst e m .


-

, [ s t ud e n t@se rve rx - ] $ lab webapp setup



l -�- - -- - --- -· -·· - - ---- -- -�------- -- -- - -
-

You r deve l o p e rs a re wo r k i n g o n a n e w web-based a p p l i c a t i o n written i n Pyt h o n . They


have a s ked you to conf i g u re the h t t pd service o n se rve rx to run t h i s a p p l ication o n the
- h t t p s : I /we b a p pX . e x a m p l e . com d o m a i n , u s i n g TLS e n c rypti o n .

The a p p l i c a t i o n i s prog ra m m ed t o be r u n b e h i n d a w e b server t h a t s u p p o rt WSGI.


-
To config u re t h e a p p l ication, you w i l l need t h e fo l l ow i n g i nformat i o n :

- File Dow n l oa d l o c a t i o n
T L S cert i f i ca te h t t p : / / c l a s s r o o m / p u b / t l s / c e r t s /we b a p pX . c r t

T L S p r i vate key h t t p : / / c l a s s r o o m / p u b / t l s / p r iv a t e /we b a p pX . k e y


-

T L S CA certifi cate h t t p : / / c las s r oom/ p u b/example - ca . c r t

Pyt h o n a p p l icat i o n /home/ s t u d e n t /webapp . ws g i


-

The w e b a p p l ication s h o u l d be c o p i e d to a s u ita b l e l ocat i o n o u t s i d e of a ny Doc umen t Root.

-
O n ce you a re d o n e w i t h you r work, you c a n run t h e fo l l o w i n g com m a n d o n yo u r d e s k topX
m a c h i n e to va l i d ate yo u r work:

-
; [ s t u d e n t@de s k t opX - ] $ lab webapp g rade
-- -� ---- - - - - --�- ----

- 1. I n sta l l t h e packages n e e d e d f o r h t t pd , T LS, a n d WSG I s u ppo rt.

2. C reate a s u i ta b l e location on t h e f i l e syst e m o n se rve rx to host t h e web a p p l ication, t h e n


-
c o py t h e a p p l ication t h e re.

-
RH254- R H EL 7-en-1 -201 40711 321

-
-

C h a pter 1 0. Prov i d i n g A p a c h e HTTPD Web Service


-

3. Dow n l o a d a l l t h e certifi cates and keys that you w i l l need to confi g u re T L S .

4. Confi g u re a new T L S n a m e-based v i r t u a l h ost for ht t p s : I /we b a p pX . e x am p l e . c o m , u s i n g -

t h e web a p p l i cation f o r I , a n d u s i n g t h e keys a n d certificates y o u d ow n l oaded e a r l i e r.

5. Start and e n a b l e yo u r w e b server, and m a ke the T L S -e n a b l ed web server avai l a b l e to the


outside.

6. Fro m yo u r d e s k t opX system, test t h e new web a p p l i c a t i o n . -

7. Va l i date you r work by r u n n i n g lab webapp g r ade o n d e s k t opX.

322 R H 254- R H E L 7 - e n -1 -201 40711 -

-
-

Sol ution
-

So l ut i o n
-

I n t h i s l a b, yo u w i l l confi g u re yo u r se rve rX to se rve a Pyt h o n W S G I web a p p l i c a t i o n over HTTPS.

- Res o u rces:

Files: / home/ s t u d e n t /webapp . ws g i


Machines: d e s k t opX and se rverx

Outcomes:
- A TLS vi rtu a l h ost servi n g a Pyt h o n WSGI web a p p l icat i o n o n t h e h t t ps : //
webappX . example . com d o m a i n .

Before you begin . . .


• Reset yo u r d e s k t o pX syst e m .

• Reset yo u r se rverx syste m .


-

• L o g i nto a n d s e t u p y o u r se rve rx syste m .

i
- -- -�--�---- - -- � �-�
-
[ s t u d e n t@ s e r v e rX - ] $ lab webapp setup

- You r d eve l opers a re w o r k i n g o n a new web-based a p p l i c a t i o n written in Pyt h o n . T h ey


h ave a s ked you to confi g u re t h e h t t pd service o n serverx to r u n t h i s a p p l i c a t i o n o n t h e
h t t p s : I /we b a p pX . e x am p l e . c o m d o m a i n , u s i n g T L S e n c rypti o n .

The a p p l ication i s pro gra m m ed to be r u n b e h i n d a web server t h a t s u p port WSG I .

To config u re t h e a p p l i c a t i o n , you w i l l need t h e fo l l ow i n g i nfo r m a t i o n :


-

File Dow n l oa d l ocat i o n


T L S certificate h t t p : / / c l a s s r o o m / p u b / t l s / c e r t s / we b a p pX . c r t

T L S private key h t t p : / / c l a s s r o o m / p u b / t l s / p r iv a t e /we b a p pX . k e y

-
T L S CA certifi cate h t t p : / / c las s r oom/ p u b/example - ca . c r t

Pyt h o n a p p l i ca t i o n /home / s t u d e n t /webapp . wsgi

- The web a p p l i cat i o n s h o u l d b e copied to a s u ita b l e l o c a t i o n outside of a n y Doc ume n t Root .

O n c e you a re d o n e w i t h yo u r work, you c a n r u n t h e fo l l ow i n g com m a n d on yo u r d e s k t o pX


m a c h i n e to va l i date yo u r work:

[ s t u d e n t@des k t o p X - ] $ lab webapp grade


-

1. I n sta l l t h e packages n e e d e d f o r h t t pd, T LS, a n d WSG I s u p po rt.

- 1 .1 .
[ s t udent@serverx - ] $ sudo yum install h t t pd mod_ssl mod_wsgi

2. C reate a s u i t a b l e l oc a t i o n on the f i l e syst e m o n se rve rx to h ost the web a p p l i c a t i o n , t h e n


copy t h e a p p l i c a t i o n t h e re.

2.1 . C reate a new d i rectory / s rv/we bappX/www.


-

-
R H254-R H E L 7 -en -1-201 40711 323
-

C h a pte r 1 0. P rov i d i n g A p a c h e HTTPD Web Service


-

[ s t u d e n t@ s e r v e rX - ] $ sudo mkdir -p /s rv/webappX/www


-

2.2. Copy t h e a p p l ication to its new home.

-
[ s t ud e n t@ s e r v e r x - ] $ sudo cp -/webapp . wsgi /s rv/webappX/www/

2.3. Reset t h e S E L i n u x context o n t h e new d i recto ry. -

[ s t ud e n t@s e rverx - ] $ sudo restorecon - Rv /srv/webappX

3. Dow n l oa d a l l t h e certificates and keys that you w i l l need to config u re T L S .

3.1 . D ow n l oa d t h e example . c o m CA certificate to /etc/pki/tls/ce r t s. -

[ s t u d e n t@ s e r v e r x - ] $ cd /etc/pki/tls/certs
-
[ s t u d e n t@serve rx ce r t s ] $ sudo wget http : //classroom . example . com/pub/example ­
ca . c rt

-
3.2. D ow n l oa d t h e webappX . example . com certificate to / e t c / p k i / t ls/ce r t s .

[ s t u d e n t@se rverx c e r t s ] $ sudo wget http : //classroom . example . com/pub/tls/certs/ -


webappX . c r t

3 . 3 . D o w n l o a d t h e webappX private k e y to / e t c / pki/ t ls / p rivate/ a n d s e t t h e


p e r m i s s i o n s to 0600.

[ s t u d e nt@se rverx c e r t s ] $ cd /etc/pki/tls/private -

[ s t u d e n t @ s e r v e r X p r ivat e ] $ sudo wget http : //class room . example . com/pub/tls/


private/webappX . key
[ s t u d e n t@ s e r v e r x p r ivat e ] $ sudo chmod 0600 webappX . key -

4. Confi g u re a new TLS n a m e-based v i r t u a l host for h t t p s : / / we b a p pX . e x a m p l e . c om, u s i n g


the web a p p l icat i o n for / , a n d u s i n g t h e keys a n d certificates y o u d ow n l oa d e d e a r l i e r. -

4.1. Create a new file /etc/httpd/conf.d/webappX.conf with the following content:

<VirtualHost *:443>
    ServerName webappX.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/webappX.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webappX.key
    SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
    WSGIScriptAlias / /srv/webappX/www/webapp.wsgi
</VirtualHost>

4.2. Add a <Directory> block to your new configuration to allow access to the web application:


<Directory /srv/webappX/www>
    Require all granted
</Directory>

5. Start and enable your web server, and make the TLS-enabled web server available to the outside.

5.1. Start and enable httpd.

[student@serverX ~]$ sudo systemctl start httpd.service
[student@serverX ~]$ sudo systemctl enable httpd.service

5.2. Open https in the default zone of the firewall on serverX.

[student@serverX ~]$ sudo firewall-cmd --permanent --add-service=https
[student@serverX ~]$ sudo firewall-cmd --reload
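The key material and virtual host configuration built in steps 3 to 5 can be sanity-checked before httpd is started, which catches the usual mistakes (key left world-readable, certificate and key from different pairs, certificate that does not chain to the CA in SSLCertificateChainFile, certificate that does not name the ServerName, hardening lines dropped from the config). The following script is an added example for this lab and is not part of the RH254 course material. It assumes openssl(1) (1.0.2 or newer, for -checkhost) and GNU stat(1) are installed, uses the lab's placeholder hostname webappX and the lab's default paths, and expects paths without whitespace; the --lab flag is this example's own.

```bash
#!/bin/bash
# tls-preflight.sh: check a TLS virtual host's key material and config before
# starting httpd. Added example for this lab, not part of RH254.
# Assumes openssl(1) >= 1.0.2 and GNU stat(1); paths must not contain whitespace.
set -u

# The private key must carry no group/other permission bits (the lab sets 0600).
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "missing key $1" >&2; return 1; }
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1: mode $mode, expected 0600" >&2; return 1 ;;
    esac
}

# Certificate and key must carry the same public key; compare the SubjectPublicKeyInfo
# PEM that both tools print rather than trusting file names.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The server certificate must verify against the CA that SSLCertificateChainFile sends.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The certificate must name the ServerName (SAN dNSName, or CN when no SAN is present).
check_cert_covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# The vhost file must keep the lab's hardening: SSLv2 and SSLv3 disabled, anonymous
# ciphers excluded, and server-side cipher preference enabled.
check_vhost_conf() {
    conf=$1
    grep -Eq '^[[:space:]]*SSLProtocol[[:space:]].*-SSLv2' "$conf" &&
    grep -Eq '^[[:space:]]*SSLProtocol[[:space:]].*-SSLv3' "$conf" &&
    grep -Eq '^[[:space:]]*SSLCipherSuite[[:space:]].*!aNULL' "$conf" &&
    grep -Eiq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$conf"
}

# Run every check, print PASS/FAIL per check, and return the number of failures.
preflight() {
    ca=$1 cert=$2 key=$3 conf=$4 name=$5 fails=0
    for c in "check_key_perms $key" \
             "check_key_matches_cert $cert $key" \
             "check_chain $ca $cert" \
             "check_cert_covers_name $cert $name" \
             "check_vhost_conf $conf"; do
        if $c; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Lab defaults: run as root on serverX after step 4 with ./tls-preflight.sh --lab
if [ "${1:-}" = "--lab" ]; then
    preflight /etc/pki/tls/certs/example-ca.crt /etc/pki/tls/certs/webappX.crt \
              /etc/pki/tls/private/webappX.key /etc/httpd/conf.d/webappX.conf \
              webappX.example.com
fi
```

The checks are deliberately limited to what can be verified from files, so the SELinux label from step 2.3 and the firewall rule from step 5.2 are not covered; verify those on the running system with ls -Z and firewall-cmd --query-service=https.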

6. From your desktopX system, test the new web application.
6.1. Point an instance of firefox at https://webappX.example.com. Either import the example.com CA certificate as a trusted CA first, or accept the certificate warning.
6.2. Alternatively, you can run the following command on desktopX. The -k option makes curl skip certificate verification, so this only shows that the virtual host answers over TLS; to validate the chain the way a browser would, download example-ca.crt to desktopX and pass it with curl's --cacert option instead.

[student@desktopX ~]$ curl -k https://webappX.example.com

7. Validate your work by running lab webapp grade on desktopX.

7.1.
[student@desktopX ~]$ lab webapp grade


Summary

Configuring Apache HTTPD
In this section, students learned how to identify the key configuration files, log files, and content directories used by Apache httpd.

Configuring and Troubleshooting Virtual Hosts
In this section, students learned how to configure Apache httpd to provide IP-based and name-based virtual hosts.

Configuring HTTPS
In this section, students learned how to configure Apache httpd to provide TLS-encrypted virtual hosts.

Integrating Dynamic Web Content
In this section, students learned how to configure Apache httpd to serve dynamic database-driven web content.
