Intro to HTTP

The Apache Web Server is the most popular web server on the Internet today[24]. The service name for Apache is httpd, and its package is named httpd-{ver}.{arch}.rpm.

Installing HTTP

Apache can be installed as individual packages, or the entire web-server package group can be installed by running the command `yum groupinstall web-server`. Note that the group contains several packages, including the Apache manual, which is then locally accessible at 'http://localhost/manual'. To install the (individual) package for secure HTTP, install the mod_ssl package with the command `yum install mod_ssl`.

HTTP Configuration

The table below lists the critical files and their locations for the Apache web server.

Table 9.1. Apache Web Server Critical File Locations

File                          Description[a]
'/etc/httpd'                  Location of the main configuration files. Also called the ServerRoot.
'/etc/httpd/conf/httpd.conf'  Main configuration file[b]
'/etc/httpd/conf.d'           Module configuration "dump" directory.
'/etc/sysconfig/httpd'        This file can be used to set additional environment variables for the httpd process, or to pass additional options to the httpd executable.
'/var/www/html'               Default Document Root (DocRoot). The typical location for pages that are served as requested.
'/var/log/httpd'              Log files

[a] Note that these locations can be changed from the defaults by altering the main configuration file.

[b] The default installation of this file is well commented and worthy of close study. Make a copy of the initial installation of this file with the command `cat /etc/httpd/conf/httpd.conf > /etc/httpd/conf/httpd.conf.init`.


Note that the default httpd.conf file is distinctly divided into three sections, which are listed and described below.

  1. Section #1 contains directives that apply to the running of the Apache server itself.
  2. Section #2 contains directives that apply to the default or main web server.
  3. Section #3 makes possible the configuration of additional virtual hosts that can be served by Apache in addition to the main web site.

Apache virtual hosts come in two forms, outlined below.

Table 9.2. Apache Virtual Host Types

Type                    Description
Standard Virtual Hosts  Exist on hosts that have been assigned multiple IP addresses. They are configured by IP address. Queries for each separate IP address are served pages from a particular virtual host.
Name Virtual Hosts      Exist on hosts with multiple names aliased to one IP address. This requires either an entry in the DNS server that will resolve properly, or consistent entries across hosts in '/etc/hosts'. Queries for each separate name (regardless of IP address) are served as different virtual hosts.

The image below shows a typical name virtual host configuration stanza.

Figure 9.1. Apache Virtual Host Configuration

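How Apache chooses among name virtual hosts for a request, as an added Python example that is not part of the original chapter and not Apache's own code. It models the behaviour Apache documents for name vhosts sharing one address: the Host header is compared, case-insensitively and without its port, against each ServerName and ServerAlias in configuration order, and a request whose name matches nothing (or that carries no Host header at all) is served by the first vhost listed. That is why the catch-all vhost is placed first here: an unknown hostname then lands on a harmless default site instead of on a real one. The hostnames, DocumentRoot paths and the select_vhost and render_config helpers are assumptions of this example; IPv6 bracketed Host values are not handled.

```python
"""Name-based virtual host selection as Apache applies it to a request.
Added example, not Apache's or the study guide's code.  All hostnames and
document roots are constructed samples."""
import fnmatch

# Constructed sample vhosts in the order they would appear in httpd.conf.
# The first one is a deliberate catch-all so that requests for names this
# server does not know about do not fall through to a real site.
VHOSTS = [
    {"ServerName": "default.example.com", "ServerAlias": [],
     "DocumentRoot": "/var/www/default"},
    {"ServerName": "dev.example.com", "ServerAlias": [],
     "DocumentRoot": "/var/www/dev"},
    {"ServerName": "www.example.com",
     "ServerAlias": ["example.com", "*.example.com"],
     "DocumentRoot": "/var/www/html"},
]


def normalise_host(host_header):
    """Lower-case the Host header and drop any :port suffix, as Apache does
    before comparing it with ServerName / ServerAlias."""
    if host_header is None:
        return None
    return host_header.strip().lower().split(":", 1)[0]


def select_vhost(vhosts, host_header):
    """Return the vhost that would serve a request carrying this Host header."""
    host = normalise_host(host_header)
    if host:
        for vhost in vhosts:              # configuration order decides ties
            if host == vhost["ServerName"].lower():
                return vhost
            # ServerAlias accepts * and ? wildcards, compared case-insensitively
            if any(fnmatch.fnmatchcase(host, alias.lower())
                   for alias in vhost["ServerAlias"]):
                return vhost
    return vhosts[0]                      # no match (or no Host header): first vhost


def render_config(vhosts, address="*:80"):
    """Emit the stanzas for these vhosts in Apache 2.2 syntax."""
    lines = ["NameVirtualHost %s" % address, ""]
    for vhost in vhosts:
        lines.append("<VirtualHost %s>" % address)
        lines.append("    ServerName %s" % vhost["ServerName"])
        if vhost["ServerAlias"]:
            lines.append("    ServerAlias %s" % " ".join(vhost["ServerAlias"]))
        lines.append("    DocumentRoot %s" % vhost["DocumentRoot"])
        lines.append("</VirtualHost>")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config(VHOSTS))
    for header in ["dev.example.com", "WWW.Example.COM:80", "blog.example.com",
                   "evil.example.org", None]:
        print("%-22s -> %s" % (header, select_vhost(VHOSTS, header)["ServerName"]))
```

render_config produces the NameVirtualHost line plus one <VirtualHost> block per site, the shape the missing figure describes; on a real server the generated stanzas would be checked with `httpd -t` before the service is restarted.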

With the default configuration, a /var/www/html/index.html page will be served as the home page if it is present. Additionally, the https:// protocol can be used once it is configured by installing mod_ssl and editing /etc/httpd/conf.d/ssl.conf. The secure https protocol requires a certificate of some type, either from a signing authority or self-signed.

Apache Access Control Directives

The format of access control directives in Apache configuration files can be confusing. Listed below is an example of this format.

    <Directory /var/www/>
        Order Deny,Allow
        Deny from all
        Allow from dev.example.com
    </Directory>

This format works by way of a three-pass evaluation, performed in the following order.

  1. Evaluate all directives of the type listed first in the Order statement.
  2. Evaluate all directives of the type listed second; their matches override matches from the first pass.
  3. Apply the default to requests that matched nothing.

In an Order statement, the type listed last is the default that applies when nothing matches. The listing below shows examples of Apache configuration directives that address host-based security.

    Deny from example.com
    Allow from 192.168.0.15
    Deny from 192.168.0.0/255.255.255.0
    Deny from 192.168.1.0/24

Access Control with .htaccess Files

If permitted by httpd.conf, access may be controlled on a per-directory basis with .htaccess files placed in the directories whose content needs to be protected. The listing below shows how this is accomplished.

    <Files ~ "^\.ht">
        Order allow,deny
        Allow from 192.168.5.200
        Deny from all
    </Files>
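The evaluation rules above, applied to the chapter's own containers (the Directory block, the host-based directives, and the Files block just shown), as an added Python example that is neither Apache's code nor the chapter's. It parses Order, Allow from and Deny from inside one container and runs the three passes the text describes; the specification matching covers all, domain names, full and partial IPv4 addresses, network/netmask and network/CIDR, which is the general set of forms these directives accept rather than only the ones listed on the page. Client addresses, the reverse-DNS names and the internal directory container are constructed for the example. Running it shows the point that trips people up: under Order allow,deny the Deny from all overrides the Allow, so the Files block as written denies every client, 192.168.5.200 included (the stock httpd.conf uses that same Files pattern to keep .ht* files from ever being served).

```python
"""Simulator for Apache 2.2 host-based access control (Order / Allow / Deny).
Added example, not Apache's or the study guide's code: it reads the directives
inside one <Directory> or <Files> container and reproduces mod_authz_host's
three-pass evaluation.  Only IPv4 clients are handled; all sample clients are
constructed."""
import ipaddress
import re

DIRECTIVE_RE = re.compile(r"^\s*(Order|Allow|Deny)\s+(.*?)\s*$", re.IGNORECASE)


def parse_container(text):
    """Return (order, allows, denies); order is e.g. ("deny", "allow"), the
    lists hold the host specifications that followed "from"."""
    order, allows, denies = ("deny", "allow"), [], []   # Apache's default Order
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue                  # container tags, comments, other directives
        name, rest = m.group(1).lower(), m.group(2)
        if name == "order":
            order = tuple(p.strip().lower() for p in rest.split(","))
            continue
        words = rest.split()
        if not words or words[0].lower() != "from":
            raise ValueError("expected '%s from ...' in %r" % (name, line))
        (allows if name == "allow" else denies).extend(words[1:])
    return order, allows, denies


def spec_matches(spec, client_ip, client_host):
    """Match one host spec: all, network/netmask, network/CIDR, a full or
    partial (leading octets) IPv4 address, or a domain name.  Domain specs
    match whole components of the client's reverse-DNS name only."""
    s = spec.lower()
    if s == "all":
        return True
    if "/" in s:                      # 192.168.0.0/255.255.255.0 or 192.168.1.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(s, strict=False)
    if re.fullmatch(r"\d+(\.\d+){0,3}", s):
        octets = s.split(".")         # 192.168 matches 192.168.x.y
        return client_ip.split(".")[:len(octets)] == octets
    if client_host is None:           # no reverse name: a domain spec cannot match
        return False
    host = client_host.lower().rstrip(".")
    return host == s or host.endswith("." + s)


def evaluate(container_text, client_ip, client_host=None):
    """True when the client is granted access by the container's directives."""
    order, allows, denies = parse_container(container_text)
    allowed = any(spec_matches(s, client_ip, client_host) for s in allows)
    denied = any(spec_matches(s, client_ip, client_host) for s in denies)
    if order == ("deny", "allow"):    # Deny first, Allow overrides, default allow
        return True if allowed else not denied
    if order == ("allow", "deny"):    # Allow first, Deny overrides, default deny
        return False if denied else allowed
    raise ValueError("unsupported Order %r" % (order,))


# The chapter's own containers, reproduced as given.
DIR_RULE = """<Directory /var/www/>
    Order Deny,Allow
    Deny from all
    Allow from dev.example.com
</Directory>"""

HT_RULE = r"""<Files ~ "^\.ht">
    Order allow,deny
    Allow from 192.168.5.200
    Deny from all
</Files>"""

# The chapter's host-based directives under Order Deny,Allow (constructed container).
HOST_RULES = """<Directory /var/www/html/internal>
    Order Deny,Allow
    Deny from example.com
    Allow from 192.168.0.15
    Deny from 192.168.0.0/255.255.255.0
    Deny from 192.168.1.0/24
</Directory>"""

if __name__ == "__main__":
    cases = [(DIR_RULE, "10.0.0.5", "build.dev.example.com"),  # allowed via domain
             (DIR_RULE, "10.0.0.5", None),                     # no reverse name: denied
             (HT_RULE, "192.168.5.200", None),                 # Deny from all still wins
             (HOST_RULES, "192.168.0.15", None),               # Allow overrides the /24 Deny
             (HOST_RULES, "192.168.0.20", None),               # inside the denied /24
             (HOST_RULES, "192.168.2.1", None)]                # matched nothing: allowed
    for text, ip, host in cases:
        verdict = "allow" if evaluate(text, ip, host) else "deny"
        print("%-14s %-22s -> %s" % (ip, host, verdict))
```

Domain-name specifications only work when Apache can resolve the client address back to a name, so on a real server each such rule costs a reverse lookup per request and fails closed for clients without reverse DNS; address and network rules have neither cost.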
  

HTTP as a Service

The Apache process runs as httpd. To start the process and configure it to persist upon reboot, use the following command: `service httpd start && chkconfig httpd on`.

Commands to Manipulate HTTP

There is a wealth of control that can be exercised over the httpd daemon while it is running. The command `httpd -h` gives the details of this utility.

    root@intrepid ~/
    --> httpd -h
    Usage: httpd [-D name] [-d directory] [-f file]
                 [-C "directive"] [-c "directive"]
                 [-k start|restart|graceful|graceful-stop|stop]
                 [-v] [-V] [-h] [-l] [-L] [-t] [-T] [-S] [-X]
    Options:
      -D name            : define a name for use in <IfDefine name> directives
      -d directory       : specify an alternate initial ServerRoot
      -f file            : specify an alternate ServerConfigFile
      -C "directive"     : process directive before reading config files
      -c "directive"     : process directive after reading config files
      -e level           : show startup errors of level (see LogLevel)
      -E file            : log startup errors to file
      -v                 : show version number
      -V                 : show compile settings
      -h                 : list available command line options (this page)
      -l                 : list compiled in modules
      -L                 : list available configuration directives
      -t -D DUMP_VHOSTS  : show parsed vhost settings
      -t -D DUMP_RUN_CFG : show parsed run settings
      -S                 : a synonym for -t -D DUMP_VHOSTS -D DUMP_RUN_CFG
      -t -D DUMP_MODULES : show all loaded modules 
      -M                 : a synonym for -t -D DUMP_MODULES
      -t                 : run syntax check for config files
      -T                 : start without DocumentRoot(s) check
      -X                 : debug mode (only one worker, do not detach)

The following commands create users, stored in a password file, that can be granted access via Apache per-directory configuration.

  • `htpasswd -cm /etc/httpd/.htpasswd good_user` - creates the file (-c) and adds the user; running it with -c again would overwrite the existing file.
  • `htpasswd -m /etc/httpd/.htpasswd another_user` - adds another user, modifying the existing file only.

Securing HTTP

The following commands will show SELinux implications for httpd.

    semanage fcontext -l | grep "http"      # shows SELinux filesystem contexts that might apply to httpd
    semanage port -l | grep "http"          # shows SELinux port contexts that might apply to httpd
    semanage boolean -l | grep http         # shows SELinux booleans that might apply to httpd

Additional information can be found by reading the `man httpd_selinux` page. SELinux can be made more verbose when logging httpd events with the command `semanage dontaudit off`. Note that this disables setroubleshoot-server, sealert, and the issuing of SELinux messages into '/var/log/messages'. The messages will then need to be viewed in '/var/log/audit/audit.log'.

The following table lists several important SELinux file contexts.

Table 9.3. Several httpd SELinux File Contexts

Context                  Description
httpd_sys_content_t      For general files and directories to be served by httpd.
httpd_sys_script_exec_t  For scripts (CGI) to be executed by the web server.
public_content_t         For files that are to be shared with other SELinux protected services.

Note that the 'http://' protocol is served by default on port 80, and the 'https://' protocol is served by default on port 443. These ports will need to be opened appropriately on the firewall.

Additional Notes & Considerations for HTTP

Apache can be configured for authentication via LDAP. See the section called "Apache User Based Security with LDAP Authentication" for an exercise that shows this directive.

Reference Material for this Chapter

For this chapter's supporting material, please reference Chapters 14 & 17 in the RHCSA/RHCE Linux Certification Study Guide text book.