Practice: Configuring a Web Server

Guided exercise

Machines:

Outcomes:
An Apache httpd web server running on your serverX machine, serving out a static page and the complete Apache httpd manual.
• Reset your serverX machine.

You have been asked to configure a basic web server on your serverX machine. This web server should serve out the text "Hello Class!" when the URL http://serverX.example.com/ is requested.
1.1.
[student@serverX ~]$ sudo yum -y install httpd httpd-manual

Hello Class!
5.1.
[student@serverX ~]$ sudo firewall-cmd --permanent --add-service=http
[student@serverX ~]$ sudo firewall-cmd --reload

RH254-RHEL7-en-1-20140711 297
Configuring and Troubleshooting Virtual Hosts

Objectives

Virtual hosts
Virtual hosts allow a single httpd server to serve content for multiple domains. Based on either the IP address of the server that was connected to, the host name requested by the client in the http request, or a combination of both, httpd can use different configuration settings, including a different DocumentRoot.
Configuring virtual hosts
Virtual hosts are configured using <VirtualHost> blocks inside the main configuration. To ease administration, these virtual host blocks are typically not defined inside /etc/httpd/conf/httpd.conf, but rather in separate .conf files in /etc/httpd/conf.d/.

<Directory /srv/site1/www>
    Require all granted
    AllowOverride None
</Directory>
Troubleshooting virtual hosts

Name-based vs. IP-based virtual hosting
By default, every virtual host is an IP-based virtual host, sorting traffic to the virtual hosts based on what IP address the client had connected to. If there are multiple virtual hosts declared for a single IP/port combination, the ServerName and ServerAlias directives will be consulted, effectively enabling name-based virtual hosting.

Wildcards and priority
The IP address part of a <VirtualHost> directive can be replaced with one of two wildcards: _default_ and *. Both have exactly the same meaning: "Match Anything".
Important
If no exact match has been found for a ServerName or ServerAlias directive, and there are multiple virtual hosts defined for the IP/port combination the request came in on, the first virtual host that matches an IP/port is used, with first being seen as the order in which virtual hosts are defined in the configuration file.
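The selection rule in the Important note above, worked as an added Python example (not course code): it parses a constructed two-vhost configuration laid out the way this chapter recommends, a catch-all vhost defined first, and picks the vhost httpd would use for a given Host header, falling back to the first vhost defined for that port when no ServerName or ServerAlias matches.

```python
"""Emulate how httpd picks a virtual host for a request on one IP/port
(added example, not course code; the selection rules follow the text above)."""
import re
from dataclasses import dataclass, field

# Constructed configuration in the layout this chapter uses: a catch-all vhost
# defined FIRST, then a name-based vhost for wwwX, both on *:80.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName default.example.com
    DocumentRoot /srv/default/www
</VirtualHost>
<VirtualHost *:80>
    ServerName wwwX.example.com
    ServerAlias wwwX
    DocumentRoot /srv/wwwX/www
</VirtualHost>
"""

@dataclass
class VHost:
    address: str                      # the <VirtualHost addr:port> argument
    server_name: str = ""
    aliases: list = field(default_factory=list)
    document_root: str = ""

def parse_vhosts(conf):
    """Parse <VirtualHost> blocks in configuration order (only the directives
    needed for selection are kept)."""
    vhosts, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        m = re.match(r"<VirtualHost\s+(\S+)>", line, re.I)
        if m:
            current = VHost(address=m.group(1))
        elif line.lower() == "</virtualhost>":
            vhosts.append(current)
            current = None
        elif current is not None and line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            key = key.lower()
            if key == "servername":
                current.server_name = value.strip()
            elif key == "serveralias":
                current.aliases.extend(value.split())
            elif key == "documentroot":
                current.document_root = value.strip()
    return vhosts

def matches_port(vhost, port):
    """*, _default_ and any IP address match; only the port has to agree."""
    return vhost.address.rsplit(":", 1)[-1] == str(port)

def select_vhost(vhosts, host_header, port=80):
    """Candidates are the vhosts for this port; an exact ServerName/ServerAlias
    match wins, otherwise httpd falls back to the FIRST candidate defined,
    which is why a catch-all vhost is normally defined first."""
    host = host_header.split(":")[0].lower()
    candidates = [v for v in vhosts if matches_port(v, port)]
    for v in candidates:
        if host in {n.lower() for n in [v.server_name, *v.aliases] if n}:
            return v
    return candidates[0] if candidates else None

if __name__ == "__main__":
    vhosts = parse_vhosts(SAMPLE_CONF)
    for host in ("wwwX.example.com", "wwwX", "serverX.example.com", "172.25.X.11"):
        print(host, "->", select_vhost(vhosts, host).document_root)
```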
Troubleshooting virtual hosts
When troubleshooting virtual hosts, there are a number of approaches that can help.

• Configure a separate DocumentRoot for each virtual host, with identifying content.
• Configure separate log files, both for error logging and access logging, for each virtual host.
References
httpd(8) man page
Practice: Configuring a Virtual Host

Guided exercise

Machines:

Outcomes:
A new web server running on serverX, serving out content for wwwX.example.com from /srv/wwwX.example.com/www/, and all other domains from /srv/default/www/.
Before you begin...
• Reset your serverX machine.
• Reset your desktopX machine.

In an effort to clean up the mess, you have been asked to consolidate these various web servers into one, serving out the different domains using name-based virtual hosting.

DNS CNAME records for the relevant domains have already been converted to point at your serverX machine.
1. Start by installing the httpd package.
1.1.
[student@serverX ~]$ sudo yum install httpd

Coming Soon!

wwwX
2.1. Create the directories.

created.
[student@serverX ~]$ sudo restorecon -Rv /srv/

<Directory /srv/default/www>
    Require all granted
</Directory>
5.1.
[student@serverX ~]$ sudo systemctl start httpd.service
[student@serverX ~]$ sudo systemctl enable httpd.service
6.1.
[student@serverX ~]$ sudo firewall-cmd --permanent --add-service=http
[student@serverX ~]$ sudo firewall-cmd --reload
7. From your desktopX system, use a web browser to visit the following URLs; the first two should respond with the "wwwX" text, while the last two should respond with "Coming Soon!".
• http://wwwX.example.com
• http://wwwX
• http://serverX.example.com
• http://172.25.X.11
Chapter 10. Providing Apache HTTPD Web Service
Configuring HTTPS

Objectives
After completing this section, students should be able to configure Apache httpd to provide TLS-encrypted virtual hosts.

Transport Layer Security (TLS)
Transport Layer Security (TLS) is a method for encrypting network communications. TLS is the successor to Secure Sockets Layer (SSL). TLS allows a client to verify the identity of the server and, optionally, allows the server to verify the identity of the client.
[Figure: TLS handshake diagram; messages shown are Client Hello, Server Hello/Server Certificate, ClientKeyExchange and Data, with the Session Key and Server Certificate labelled.]
Figure 10.1: A simplified representation of a TLS handshake
4. The server decrypts the session key, and the client and server both start encrypting and decrypting all data sent over the connection using the session key.
Note
This is a simplification of the actual protocol; for example, with many cipher suites the actual session key never gets transmitted, not even in encrypted form. The server and client both create a pre-master key which gets exchanged, and both the server and client calculate the actual session key from that one.

During the negotiations, both the server and client also use a variety of methods to protect against replay and man-in-the-middle attacks.
Configuring TLS certificates

To configure a virtual host with TLS, multiple steps must be completed:

Obtaining a certificate
When obtaining a certificate, there are two options: creating a self-signed certificate (a certificate signed by itself, not an actual CA), or creating a certificate request and having a reputable CA sign that request so it becomes a certificate.

The crypto-utils package contains a utility called genkey that supports both methods. To create a certificate (signing request) with genkey, run the following command, where <FQDN> is the fully qualified domain name clients will use to connect to your server:

[root@serverX ~]# genkey <FQDN>
During the creation, genkey will ask for the desired key size (choose at least 2048 bits), if a signing request should be made (answering no will create a self-signed certificate), whether the private key should be protected with a passphrase, and general information about the identity of the server.

never be shared with the outside world.
Install Apache HTTPD modules
Apache HTTPD needs an extension module to be installed to activate TLS support. On Red Hat Enterprise Linux 7, you can install this module using the mod_ssl package.

This package will automatically enable httpd for a default virtual host listening on port 443/TCP. This default virtual host is configured in the file /etc/httpd/conf.d/ssl.conf.
Configure a virtual host with TLS
Virtual hosts with TLS are configured in the same way as regular virtual hosts, with some additional parameters. It is possible to use name-based virtual hosting with TLS, but some older browsers are not compatible with this approach.

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLEngine on
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
SSLProtocol all -SSLv2 -SSLv3

<VirtualHost *:443>
    ServerName demo.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/demo.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/demo.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
</VirtualHost>
Warning
Not defining what protocols and ciphers can be used will result in httpd using default options for these. httpd defaults are not considered secure, and it is highly recommended to restrict both to a more secure subset.

The following is an example that, at the date of publication, was considered the best set of

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL
Important
Security research is an always ongoing arms race. It is recommended that administrators re-evaluate their selected ciphers on a regular basis.

Header always set Strict-Transport-Security "max-age=15768000"

Sending this extra header informs clients that they are not allowed to fetch any resources for this page that are not served using TLS.
Another possible issue comes from clients connecting over http to a resource they should have been using https for.
is to automatically redirect clients connecting over http to the same resource using https.
To set up these redirects, configure a http virtual host for the same ServerName and

RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
Permanently message ([redirect=301]) to the same resource served out over https. The %{HTTP_HOST} variable uses the hostname that was requested by the client, while the $1 part is a back-reference to whatever was matched between the first set of parentheses in the regular expression.
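An added Python example (not from the course) that audits a vhost configuration for the points this section makes: protocols and ciphers left at httpd defaults, SSLv2/SSLv3 still enabled, aNULL ciphers allowed, SSLHonorCipherOrder not on, no Strict-Transport-Security header, and no http vhost redirecting to https. Both sample configurations are constructed, and the checks are assumptions drawn from the text, not a complete TLS policy.

```python
"""Audit httpd TLS virtual hosts for the hardening points this section lists
(added example, not course code; the checks are assumptions drawn from the text)."""
import re

# Constructed weak vhost: SSLEngine on, but protocols/ciphers left at the httpd
# defaults the Warning describes, no HSTS header, no redirecting http vhost.
WEAK_CONF = """
<VirtualHost *:443>
    ServerName demo.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/demo.example.com.crt
</VirtualHost>
"""

# Constructed hardened vhost following the section's directives.
HARDENED_CONF = """
<VirtualHost *:443>
    ServerName demo.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/demo.example.com.crt
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
<VirtualHost *:80>
    ServerName demo.example.com
    RewriteEngine on
    RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
"""

def split_vhosts(conf):
    """Return (address, [directive lines]) for every <VirtualHost> block."""
    return [(m.group(1), [l.strip() for l in m.group(2).splitlines() if l.strip()])
            for m in re.finditer(r"<VirtualHost\s+(\S+)>(.*?)</VirtualHost>", conf, re.S | re.I)]

def directive(lines, name):
    # First value of the named directive; Apache directive names are case-insensitive.
    for line in lines:
        key, _, value = line.partition(" ")
        if key.lower() == name.lower():
            return value.strip()
    return None

def audit_tls_vhosts(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings, blocks = [], split_vhosts(conf)
    for addr, lines in blocks:
        if (directive(lines, "SSLEngine") or "").lower() != "on":
            continue
        name = directive(lines, "ServerName") or addr
        proto = directive(lines, "SSLProtocol")
        if proto is None:
            findings.append(f"{name}: SSLProtocol unset, httpd defaults apply")
        else:  # 'all' is assumed to include SSLv2/SSLv3 unless each is removed with '-'
            toks = proto.lower().split()
            for v in ("sslv2", "sslv3"):
                if ({v, "+" + v, "all", "+all"} & set(toks)) and "-" + v not in toks:
                    findings.append(f"{name}: SSLProtocol still allows {v}")
        ciphers = directive(lines, "SSLCipherSuite")
        if ciphers is None:
            findings.append(f"{name}: SSLCipherSuite unset, httpd defaults apply")
        elif "!aNULL" not in ciphers:
            findings.append(f"{name}: SSLCipherSuite does not exclude aNULL")
        if (directive(lines, "SSLHonorCipherOrder") or "").lower() != "on":
            findings.append(f"{name}: SSLHonorCipherOrder is not on")
        if not any("strict-transport-security" in l.lower() for l in lines):
            findings.append(f"{name}: no Strict-Transport-Security header")
        # The section's fix for plain-http clients: a :80 vhost with the same ServerName
        # whose RewriteRule sends requests to https.
        if not any(a.endswith(":80") and directive(l, "ServerName") == name and
                   any("https://" in x for x in l if x.lower().startswith("rewriterule"))
                   for a, l in blocks):
            findings.append(f"{name}: no http->https redirect vhost on port 80")
    return findings
```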
References
httpd(8) man page
httpd-manual contents

Qualys SSL Labs: SSL/TLS Deployment Best Practices
https://www.ssllabs.com/projects/best-practices/
Practice: Configuring a TLS-enabled Virtual Host

Guided exercise

In this lab, you will configure TLS-encrypted virtual hosts.
Resources:
• http://classroom.example.com/pub/tls/certs/wwwX.crt
• http://classroom.example.com/pub/tls/private/wwwX.key
• http://classroom.example.com/pub/tls/certs/webappX.crt
• http://classroom.example.com/pub/tls/private/webappX.key

Machines: desktopX and serverX
Outcomes:
A web server configured with two virtual hosts, wwwX.example.com and webappX.example.com, both protected by TLS.

Before you begin...
• Reset your serverX system.
• Reset your desktopX system.

You have been asked to configure a web server on your serverX machine to host this site. This web server will need to host two virtual hosts: https://wwwX.example.com and
1.1.
[student@serverX ~]$ sudo yum install httpd mod_ssl

[student@serverX ~]$ sudo mkdir -p /srv/{www,webapp}X/www
[student@serverX ~]$ sudo restorecon -Rv /srv/
[student@serverX ~]$ cd /etc/pki/tls/certs
[student@serverX certs]$ sudo wget http://classroom.example.com/pub/example-ca.crt
[student@serverX certs]$ sudo wget http://classroom.example.com/pub/tls/certs/wwwX.crt
[student@serverX certs]$ sudo wget http://classroom.example.com/pub/tls/certs/webappX.crt
3.3. Switch to the private directory and download the private keys. Do not forget to set the permissions on the private keys to 0600.

[student@serverX certs]$ cd /etc/pki/tls/private
[student@serverX private]$ sudo wget http://classroom.example.com/pub/tls/
Do not forget to add an automatic redirect from the non-TLS-based http site to the TLS-encrypted https site.
<VirtualHost *:443>
    ServerName wwwX.example.com
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/wwwX.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wwwX.key
    SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
    DocumentRoot /srv/wwwX/www
</VirtualHost>
<Directory /srv/wwwX/www>
    Require all granted
</Directory>
4.3. To accomplish the automatic redirect from http to https, add the following block to /etc/httpd/conf.d/wwwX.conf:

<VirtualHost *:80>
    ServerName wwwX.example.com
    RewriteEngine on
    RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
5. Configure the webappX.example.com virtual host by copying the configuration for your
[student@serverX ~]$ sudo firewall-cmd --permanent --add-service=http --add-service=https
[student@serverX ~]$ sudo firewall-cmd --reload

[student@desktopX ~]$ wget http://classroom.example.com/pub/example-ca.crt

Close all open dialogs.
7.4. Point your browser at both http://wwwX.example.com and http://webappX.example.com. Both should redirect to their https counterpart automatically, without a certificate warning.
Note
When troubleshooting a web server using Firefox, it can be useful to empty the cache from within the Preferences dialog. The Clear Now button can be found in the Advanced > Network tab. If the cache is not cleared in between server restarts, Firefox might show old, outdated information.
8. Bonus question:
Without further configuration, a visit to http://serverX.example.com will also result in a redirect to https. Why is this, and how could you prevent this from happening?

Answer:
Integrating Dynamic Web Content

Objectives
After completing this section, students should be able to configure Apache httpd to serve dynamic database-driven web content.

Dynamic content
Most modern websites do not consist of purely static content. Most content served out is actually generated dynamically, on demand. Integrating dynamic content with Apache HTTPD can be done in numerous ways. This section describes a number of the most common ways, but more ways exist.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

This instructs httpd to redirect any request for files under the /cgi-bin/ URI to the /var/www/cgi-bin/ directory, and treat the files in that directory as executable scripts.

A number of caveats exist when using CGI:
Serving dynamic PHP content
A popular method of providing dynamic content is using the PHP scripting language. While PHP scripts can be served using old-fashioned CGI, both performance and security can be improved by having httpd run a PHP interpreter internally.
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
DirectoryIndex index.php
Serving dynamic Python content
Also popular is generating dynamic content using Python scripts. Python scripts can be served out using regular CGI, but both Python and httpd also support a newer protocol: Web Server Gateway Interface (WSGI).

Unlike the mod_php or CGI approach, WSGI does not start a new script/interpreter for every request. Instead, a main application is started, and all requests are routed into that application.
WSGI applications should be executable by the apache user and group, and their SELinux contexts should be set to httpd_sys_content_t.

When a database on a remote host is used, the SELinux Boolean httpd_can_network_connect_db must be set to 1 to allow the connection.

When a network connection to another host needs to be made from within the web application, and the target is not a well-known database port, the SELinux Boolean httpd_can_network_connect must be set to 1.
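A minimal WSGI application of the kind the lab's webapp.wsgi would contain, as an added example (not the course's file): mod_wsgi looks for a module-level callable named application, and because the interpreter persists between requests the counter below survives across calls, which is the difference from CGI described above. The call_app driver and its environ values are constructed for offline testing; the hostname is an assumption.

```python
"""Minimal WSGI application like the one mod_wsgi loads for the lab's vhost
(added example, not the course's webapp.wsgi). mod_wsgi looks for a module-level
callable named `application`; the interpreter persists between requests."""
import html
from wsgiref.util import setup_testing_defaults

# Module-level state: initialised once when the application is loaded, then
# shared by every request routed into it (CGI would start fresh each time).
REQUEST_COUNT = {"n": 0}

def application(environ, start_response):
    """WSGI entry point: environ describes the request, start_response sends status/headers."""
    REQUEST_COUNT["n"] += 1
    path = environ.get("PATH_INFO", "/")
    host = environ.get("HTTP_HOST", "")
    # Request-derived values are escaped before being echoed back into HTML.
    body = (
        f"<h1>Hello from {html.escape(host)}</h1>\n"
        f"<p>path={html.escape(path)} requests_served={REQUEST_COUNT['n']}</p>\n"
    ).encode("utf-8")
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Content-Length", str(len(body)))]
    start_response("200 OK", headers)
    return [body]

def call_app(path="/", host="webappX.example.com"):
    """Drive `application` offline with a constructed environ, as a WSGI server
    would; returns (status, headers dict, body text)."""
    environ = {"PATH_INFO": path, "HTTP_HOST": host}
    setup_testing_defaults(environ)   # fills in REQUEST_METHOD, wsgi.* keys, etc.
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = response_headers

    chunks = application(environ, start_response)
    body = b"".join(chunks).decode("utf-8")
    return captured["status"], dict(captured["headers"]), body

if __name__ == "__main__":
    for _ in range(2):                 # second call shows the counter persisting
        print(call_app("/status"))
```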
Database connectivity

/usr/share/doc/mod_wsgi-*/README
Practice: Configuring a Web Application

Guided exercise
In this lab, you will configure your serverX system to serve a PHP application that uses a MariaDB database backend.

Resources:
Files: /var/www/html/index.html
Machines: desktopX and serverX
Outcomes:
A working PHP application with a database backend running on serverX.
Your web developers have delivered bug-free code as usual, and the DBA has delivered a working database, with correct records.
[student@serverX ~]$ sudo firewall-cmd --list-all

3.1.
[student@serverX ~]$ sudo firewall-cmd --permanent --add-service=http
[student@serverX ~]$ sudo firewall-cmd --reload
5. That test page is typically shown when httpd cannot find an index page. Verify that there is indeed a file named /var/www/html/index.php, and that it is readable by the httpd process.

5.1.
[student@serverX ~]$ ls -lZ /var/www/html/index.php
6. httpd only searches for .php files when php is properly installed. Verify that this is the case.

6.1.
[student@serverX ~]$ yum list php
[student@serverX ~]$ sudo yum install php
8. That empty page does not look good. Investigate the issue.
8.1. Check the httpd error log.

[student@serverX ~]$ sudo yum install php-mysql
9. From desktopX, use Firefox to verify that the application now works. When a database listing is returned, execute lab phpdb grade on desktopX to verify your work.

9.1.
[student@desktopX ~]$ lab phpdb grade
Lab: Providing Apache HTTPD Web Service

Performance checklist
In this lab, you will configure your serverX to serve a Python WSGI web application over HTTPS.

Resources:
Files: /home/student/webapp.wsgi
Machines: desktopX and serverX
Outcomes:
A TLS virtual host serving a Python WSGI web application on the https://webappX.example.com domain.

Before you begin...
• Reset your desktopX system.
• Reset your serverX system.

File               Download location
TLS certificate    http://classroom/pub/tls/certs/webappX.crt

Once you are done with your work, you can run the following command on your desktopX machine to validate your work:

[student@desktopX ~]$ lab webapp grade
Solution

Resources:
Outcomes:
A TLS virtual host serving a Python WSGI web application on the https://webappX.example.com domain.

[student@serverX ~]$ lab webapp setup

File               Download location
TLS CA certificate http://classroom/pub/example-ca.crt

1.1.
[student@serverX ~]$ sudo yum install httpd mod_ssl mod_wsgi
[student@serverX ~]$ sudo cp ~/webapp.wsgi /srv/webappX/www/
[student@serverX ~]$ cd /etc/pki/tls/certs
[student@serverX certs]$ sudo wget http://classroom.example.com/pub/example-ca.crt

3.2. Download the webappX.example.com certificate to /etc/pki/tls/certs.
4.1. Create a new file /etc/httpd/conf.d/webappX.conf with the following content:

application:

7.1.
[student@desktopX ~]$ lab webapp grade
Summary

Configuring Apache HTTPD
In this section, students learned how to identify the key configuration files, log files, and content directories used by Apache httpd.
Configuring HTTPS
In this section, students learned how to configure Apache httpd to provide TLS-encrypted virtual hosts.