So next on the list (and one I’ve been avoiding for a while!) is HTTPD (aka the Apache web server). What we’ll need to cover is CGI scripts, authentication, SSL authentication and VirtualHosts – a lot of stuff basically!

So without further ado, let’s get cracking with authentication.

Installation

Installing the web server and related packages is fairly simple, as there is a yum group created for it:

[root@Server1 private]# yum grouplist | grep Web
 Web Server
 Web Servlet Engine
 Web-Based Enterprise Management
[root@Server1 private]#

So we just need to run “yum groupinstall "Web Server"” and that’s that done. We also need to run “yum install mod_ssl” for the SSL certificate support etc.

Configuration: Authentication per user

There are so many variations of authentication that can come up – from simple “per user” authentication, i.e. “only let John in”, to group authentication “Only let these users in:”, to LDAP authentication, etc.

The first we will cover is user based authentication. We are going to allow the user “sam” access to the folder /var/www/html/private – and nobody else.

To do this, lets create the directory first and set the permissions appropriately:

mkdir /var/www/html/private
restorecon -RFvv /var/www/html/private
chmod g+s /var/www/html/private

Next, we need to create the .htpasswd (password) file that we are going to use for authentication:

htpasswd -cm /var/www/.htpasswd sam
[Enter password here]

This asks for a password – which along with the username “sam”, will be used for authentication and access control to the “../private” directory. Next, we need to configure httpd.conf to recognise this new file. I have added mine inside a VirtualHost for ease of management:

<VirtualHost *:80>
   <Directory /var/www/html/private>
      AuthType basic
      AuthName "Secret area"
      AuthUserFile /var/www/.htpasswd
      Require user sam
   </Directory>
</VirtualHost>

In here we can see that we have one directory (the one we are trying to protect), we are using the “basic” auth type with the user file we created earlier (located in /var/www/.htpasswd), and we are requiring that the authenticated user is “sam”.

Finally, restart httpd (service httpd restart) and voila – your directory is now password protected for just that user.

Configuration: Authentication per group

Next, we can look at a more realistic scenario – only wanting to allow a GROUP of people access to a directory, i.e. the sales team to the sales directory, etc.

To do this, we need to modify our setup above. First, create a new group file (here /var/www/.htpasswd2) containing the group name and its members, as below:

[root@Server1 private]# cat /var/www/.htpasswd2
Company: sam jim paul

Then modify the VirtualHost in httpd.conf to look similar to the below:

<VirtualHost *:80>
   <Directory /var/www/html/private>
     AuthType basic
     AuthName "Secret area"
     AuthUserFile /var/www/.htpasswd
     AuthGroupFile /var/www/.htpasswd2
     Require group Company
   </Directory>
</VirtualHost>

Here we are requiring the group “Company” which we created. However, users still must have a PASSWORD in the AuthUserFile – so we still need to do:

[root@Server1 private]# htpasswd /var/www/.htpasswd jim
New password:
Re-type new password:
Adding password for user jim
[root@Server1 private]# htpasswd /var/www/.htpasswd paul
New password:
Re-type new password:
Adding password for user paul

Now we have 3 users in the group “Company”, and our AuthGroupFile is pointing at that file to decide who is allowed in. You can imagine this scenario with different groups being allowed into different directories – “Sales: jim sam” for /var/www/html/sales, then “Development: john phil” for /var/www/html/dev, for example.
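To make the two sections above concrete (the per-user and the per-group setup), here is an added example that is not part of the original post: a small Python model of what Apache does with the .htpasswd and group files when a request arrives with a Basic Authorization header. It uses the {SHA} password scheme that “htpasswd -s” writes, rather than the post’s “-m” (apr1-MD5), purely so that the hashes can be computed in the standard library; the lookup and Require logic is the same. All file contents and passwords are constructed for the example.

```python
import base64
import hashlib
import hmac

def sha_entry(password):
    # {SHA} is what "htpasswd -s" writes; the post's "-m" writes apr1-MD5 instead
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed sample files (not from the post): jim is in the group but has no htpasswd entry yet
HTPASSWD = f"sam:{sha_entry('sam-pass')}\npaul:{sha_entry('paul-pass')}\n"
HTGROUP = "Company: sam jim paul\nSales: jim sam\n"

def parse_htpasswd(text):
    users = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, digest = line.split(":", 1)
            users[name.strip()] = digest.strip()
    return users

def parse_htgroup(text):
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups

def basic_header(name, password):
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()

def password_ok(users, name, password):
    stored = users.get(name)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_entry(password))

def authorize(auth_header, require, users, groups):
    """Return 200 or 401; `require` mirrors the Require line, e.g. ("group", "Company")."""
    if not auth_header or not auth_header.startswith("Basic "):
        return 401  # no credentials: Apache sends the WWW-Authenticate challenge
    name, _, password = base64.b64decode(auth_header[6:]).decode(errors="replace").partition(":")
    if not password_ok(users, name, password):
        return 401  # unknown user or bad password, so group membership is never consulted
    kind, args = require[0], require[1:]
    if kind == "valid-user" or (kind == "user" and name in args):
        return 200
    if kind == "group" and any(name in groups.get(g, ()) for g in args):
        return 200
    return 401  # authenticated but not permitted; Apache's default answer is 401 here too
```

The jim case shows the point made above: being listed in the group file is not enough until the user also has an entry in the AuthUserFile.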

Configuration: Authentication by LDAP

Finally on the authentication front – LDAP. Firstly, you’ll need the CA certificate file – *.crt – and store this somewhere accessible, e.g. /etc/httpd/example-ca.crt.

Then, all we need to do is modify the httpd.conf file again – but this time, we need to add a global line (i.e. not a line that lives inside a VirtualHost). The line we need to add is:

LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/example-ca.crt

This needs to live in the global section of the file, so it can be read by all VirtualHosts.

Next, we need to modify the Auth* settings as we did in the first 2 examples:

LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/example-ca.crt
..
<VirtualHost *:80>
   <Directory /var/www/html/private>
     AuthType basic
     AuthName "Secret area"
     AuthBasicProvider ldap
     AuthLDAPUrl "ldap://fqdn/prefix" TLS
     Require valid-user
   </Directory>
</VirtualHost>

.. and that’s all there is to it really. The difficulty here is in the exam, you need to remember “LDAPTrustedGlobalCert CA_BASE64 ..” – which I’ve been unable to find in the httpd-manual package – so I hope that doesn’t come up!

Configuration: Based upon IP address

An addendum – sometimes we may need to limit access to certain IP addresses, e.g. “localhost only” or only a certain PC / terminal. We can do this in one of 2 ways.

1. Edit the VirtualHost listen address – i.e.

<VirtualHost 127.0.0.1:80>

This means that this VirtualHost will only respond if it is called on the local loopback address.

2. We can use “Deny from all” together with “Allow from”, inside the Directory block, as below:

Order deny,allow
Deny from all
Allow from 127.0.0.1

Thanks to this great post here for the info: http://serverfault.com/questions/276963/make-apache-only-accessible-via-127-0-0-1-is-this-possible

Closing thoughts

Most of what can be seen above is helpfully available in the “http://server/manual” documentation site, which you can install using the package “httpd-manual”. From there, go to the “How to’s” section and you can pretty much copy, paste and modify the examples for 2 of the above 3. The LDAP one is tricky – so if anyone finds any documentation on that, then please let me know! 🙂

Sam