
centos 72 -- apache2 with virtual hosts -- sftp key-ed access

part3: apache2

  1. install

    The installation process of apache2 is straightforward:

    $ sudo yum install httpd
    [sudo] password for bert0001: 
      
    Loaded plugins: fastestmirror
    base                                                          | 3.6 kB  00:00:00     
    extras                                                        | 3.4 kB  00:00:00     
    updates                                                       | 3.4 kB  00:00:00     
    Loading mirror speeds from cached hostfile
    * base: artfiles.org
    * extras: artfiles.org
    * updates: artfiles.org
    Resolving Dependencies
    --> Running transaction check
    ---> Package httpd.x86_64 0:2.4.6-40.el7.centos will be installed
    --> Processing Dependency: httpd-tools = 2.4.6-40.el7.centos for package: httpd-2.4.6-40.el7.centos.x86_64
    --> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-40.el7.centos.x86_64
    --> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-40.el7.centos.x86_64
    --> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-40.el7.centos.x86_64
    --> Running transaction check
    ---> Package apr.x86_64 0:1.4.8-3.el7 will be installed
    ---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
    ---> Package httpd-tools.x86_64 0:2.4.6-40.el7.centos will be installed
    ---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed
    --> Finished Dependency Resolution
     
    Dependencies Resolved
     
    =====================================================================================
    Package             Arch           Version                       Repository    Size
    =====================================================================================
    Installing:
    httpd               x86_64         2.4.6-40.el7.centos           base         2.7 M
    Installing for dependencies:
    apr                 x86_64         1.4.8-3.el7                   base         103 k
    apr-util            x86_64         1.5.2-6.el7                   base          92 k
    httpd-tools         x86_64         2.4.6-40.el7.centos           base          82 k
    mailcap             noarch         2.1.41-2.el7                  base          31 k
     
    Transaction Summary
    =====================================================================================
    Install  1 Package (+4 Dependent packages)
     
    Total download size: 3.0 M
    Installed size: 10 M
    Is this ok [y/d/N]: y
    Downloading packages:
    (1/5): apr-1.4.8-3.el7.x86_64.rpm                             | 103 kB  00:00:00     
    (2/5): apr-util-1.5.2-6.el7.x86_64.rpm                        |  92 kB  00:00:00     
    (3/5): httpd-tools-2.4.6-40.el7.centos.x86_64.rpm             |  82 kB  00:00:00     
    (4/5): httpd-2.4.6-40.el7.centos.x86_64.rpm                   | 2.7 MB  00:00:00     
    (5/5): mailcap-2.1.41-2.el7.noarch.rpm                        |  31 kB  00:00:00     
    -------------------------------------------------------------------------------------
    Total                                                    11 MB/s | 3.0 MB  00:00     
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
    Installing : apr-1.4.8-3.el7.x86_64                                            1/5 
    Installing : apr-util-1.5.2-6.el7.x86_64                                       2/5 
    Installing : httpd-tools-2.4.6-40.el7.centos.x86_64                            3/5 
    Installing : mailcap-2.1.41-2.el7.noarch                                       4/5 
    Installing : httpd-2.4.6-40.el7.centos.x86_64                                  5/5 
    Verifying  : httpd-2.4.6-40.el7.centos.x86_64                                  1/5 
    Verifying  : apr-1.4.8-3.el7.x86_64                                            2/5 
    Verifying  : mailcap-2.1.41-2.el7.noarch                                       3/5 
    Verifying  : httpd-tools-2.4.6-40.el7.centos.x86_64                            4/5 
    Verifying  : apr-util-1.5.2-6.el7.x86_64                                       5/5 
     
    Installed:
    httpd.x86_64 0:2.4.6-40.el7.centos                                                 
     
    Dependency Installed:
    apr.x86_64 0:1.4.8-3.el7                       apr-util.x86_64 0:1.5.2-6.el7      
    httpd-tools.x86_64 0:2.4.6-40.el7.centos       mailcap.noarch 0:2.1.41-2.el7      
     
    Complete!

  2. testing localhost

    We first have to install lynx to test on the terminal:

    $ sudo yum install lynx
     
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    * base: artfiles.org
    * extras: artfiles.org
    * updates: artfiles.org
    Resolving Dependencies
    .........
    Dependencies Resolved
    =====================================================================================
    Package                 Arch          Version                     Repository   Size
    =====================================================================================
    Installing:
    lynx                    x86_64        2.8.8-0.3.dev15.el7         base        1.4 M
    Installing for dependencies:
    centos-indexhtml        noarch        7-9.el7.centos              base         92 k
    Transaction Summary
    =====================================================================================
    Install  1 Package (+1 Dependent package)
    Total download size: 1.5 M
    Installed size: 5.4 M
    Is this ok [y/d/N]: y
    Downloading packages:
    (1/2): centos-indexhtml-7-9.el7.centos.noarch.rpm             |  92 kB  00:00:00     
    (2/2): lynx-2.8.8-0.3.dev15.el7.x86_64.rpm                    | 1.4 MB  00:00:00     
    -------------------------------------------------------------------------------------
    Total                                                   7.6 MB/s | 1.5 MB  00:00     
    ...
    Running transaction
    Installing : centos-indexhtml-7-9.el7.centos.noarch                            1/2 
    Installing : lynx-2.8.8-0.3.dev15.el7.x86_64                                   2/2 
    Verifying  : lynx-2.8.8-0.3.dev15.el7.x86_64                                   1/2 
    Verifying  : centos-indexhtml-7-9.el7.centos.noarch                            2/2 
     
    Installed:
    lynx.x86_64 0:2.8.8-0.3.dev15.el7                                                  
     
    Dependency Installed:
    centos-indexhtml.noarch 0:7-9.el7.centos                                           
     
    Complete!

    Testing with lynx:

    $ lynx localhost
     
    Looking up localhost first
    Looking up localhost
    Making HTTP connection to localhost
    Alert!: Unable to connect to remote host.
     
    lynx: Can't access startfile http://localhost/
    • is lynx working?

      $ lynx google.com/ncr

      Google
       
      Search Images Maps Play YouTube News Gmail Drive More »
      Web History | Settings | Sign in
       
      Google
        
      _______________________________________________________
      Google Search  I'm Feeling Lucky    Advanced search
      Language tools
       
      Advertising Programs     Business Solutions     +Google     About Google
      Google.de
       
      © 2016 - Privacy - Terms
       
      (NORMAL LINK) Use right-arrow or <return> to activate.
      Arrow keys: Up and Down to move.  Right to follow a link; Left to go back.
      H)elp O)ptions P)rint G)o M)ain screen Q)uit

      lynx is working and the network is fully functional!

    • is apache2 running?

      $ ps -A | grep http

      gives no results -- we'll have to use systemctl to start it and make it permanent:

      we start the apache2 server:

      $ sudo systemctl start httpd

      and we test again:

      $ lynx localhost
       
      Apache HTTP Server Test Page powered by CentOS (p1 of 3)
      Testing 123..
      This page is used to test the proper operation of the Apache HTTP server
      after it has been installed. If you can read this page it means that this
      site is working properly. This server is powered by CentOS.
      Just visiting?

      Next we enable the service at system start:

      $ sudo systemctl enable httpd

      Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service

      I then restart my machine to check whether apache2 is working at startup:

      $ sudo init 6

      We reconnect over ssh and test again with lynx, and sure enough it works ...

  3. testing from ub14-04-student-client

    We've set up a test machine called ub14-04-student-client on the same subnet, with access for all students. From there we can now test apache2 on our own server with lynx (or with firefox).

    Testing lynx on ipv6 is a bit tricky: we have to put the address in square brackets.

    $ lynx [2a01:4f8:202:6116:1000::1118]

    Looking up  '[2a01:4f8:202:6116:1000::1118]' first
    Looking up [2a01:4f8:202:6116:1000::1118]
    Making HTTP connection to [2a01:4f8:202:6116:1000::1118]
    Alert!: Unable to connect to remote host.

    Something is preventing us from seeing the website.

    • is it the network?
      $ ping6 2a01:4f8:202:6116:1000::1118
      PING 2a01:4f8:202:6116:1000::1118(2a01:4f8:202:6116:1000::1118) 56 data bytes
      64 bytes from 2a01:4f8:202:6116:1000::1118: icmp_seq=1 ttl=64 time=0.333 ms
      64 bytes from 2a01:4f8:202:6116:1000::1118: icmp_seq=2 ttl=64 time=0.825 ms

      It is not the network ...
       

    • is the port open?
       
      THIS IS WHAT WE SHOULD GET
      We first test with telnet on google.com (one of those rare sites with ipv6 support):
      $ telnet -6 2a00:1450:4007:808::200e 80
      Trying 2a00:1450:4007:808::200e...
      Connected to 2a00:1450:4007:808::200e.
      Escape character is '^]'.
      ^C
      Connection closed by foreign host.

       
      THIS IS WHAT WE GET
      Now we will test with our own machine:

      $ telnet -6 2a01:4f8:202:6116:1000::1118 80
      Trying 2a01:4f8:202:6116:1000::1118...
      telnet: Unable to connect to remote host: Permission denied

       
      Well, well, a Permission denied is better than Connection refused. Connection refused means the packet reached the host and nothing was listening on port 80; Permission denied is what the client sees when a firewall REJECT rule answers with an ICMPv6 "administratively prohibited" message, which the kernel reports as EACCES. So this might be a firewall issue.
        
      THIS IS WHAT WE SHOULDN'T GET:
      Below, a telnet to a machine without a web service:

      $ telnet -6 ns1.linux800.eu 80
      Trying 2a01:4f8:202:6116:1000::11...
      telnet: Unable to connect to remote host: Connection refused

       

  4. troubleshooting apache2
     
    Since we think this is a firewall problem, we concentrate on the centOS72 machine. To get an overview of the current firewall settings we first ask for help with the following:
    $ sudo firewall-cmd --help
     
    Usage: firewall-cmd [OPTIONS...]
     
    General Options
    -h, --help           Prints a short help text and exists
    -V, --version        Print the version string of firewalld
    -q, --quiet          Do not print status messages
     
    Status Options
    --state              Return and print firewalld state
    --reload             Reload firewall and keep state information
    --complete-reload    Reload firewall and loose state information
    --runtime-to-permanent  Create permanent from runtime configuration
     
    Permanent Options
    --permanent          Set an option permanently Usable for options maked with [P]
     
    Zone Options
    --get-default-zone   Print default zone for connections and interfaces
    --set-default-zone=<zone>  Set default zone
    --get-active-zones   Print currently active zones
    --get-zones          Print predefined zones [P]
    --get-services       Print predefined services [P]
    --get-icmptypes      Print predefined icmptypes [P]
    --get-zone-of-interface=<interface>  Print name of the zone the interface is bound to [P]
    --get-zone-of-source=<source>[/<mask>]  Print name of the zone the source[/mask] is bound to [P]
    --list-all-zones     List everything added for or enabled in all zones [P]
    --new-zone=<zone>    Add a new zone [P only]
    --delete-zone=<zone> Delete an existing zone [P only]
    --zone=<zone>        Use this zone to set or query options, else default zone  
                                    Usable for options maked with [Z]
    --get-target         Get the zone target [P] [Z]
    --set-target=<target>  Set the zone target [P] [Z]
     
    IcmpType Options
    --new-icmptype=<icmptype>
                       Add a new icmptype [P only]
    --delete-icmptype=<icmptype>
                       Delete and existing icmptype [P only]
     
    Service Options
    --new-service=<service>
                       Add a new service [P only]
    --delete-service=<service>
                       Delete and existing service [P only]
     
    Options to Adapt and Query Zones
    --list-all           List everything added for or enabled in a zone [P] [Z]
    ...
     
    Options to Handle Bindings of Interfaces
    --list-interfaces    List interfaces that are bound to a zone [P] [Z]
    ...
     
    Options to Handle Bindings of Sources
    --list-sources       List sources that are bound to a zone [P] [Z]
    ...
     
    Direct Options
    --direct             First option for all direct options
    ...
     
    Lockdown Options
    --lockdown-on        Enable lockdown.
    --lockdown-off       Disable lockdown.
    --query-lockdown     Query whether lockdown is enabled
     
    Lockdown Whitelist Options
    ...
      
    Panic Options
    --panic-on           Enable panic mode
    --panic-off          Disable panic mode
    --query-panic        Query whether panic mode is enabled

    We snipped away many options. What interests us now is the current configuration and how to list it, so every option containing "list" gets our attention. After reading for about 2 minutes, the option --list-all-zones stands out, so we test it:
     

    $ sudo firewall-cmd --list-all-zones
      
    block
    interfaces: 
    sources: 
    services: 
    ports: 
    masquerade: no
    forward-ports: 
    icmp-blocks: 
    rich rules: 
        
    dmz
    interfaces: 
    sources: 
    services: ssh
    ports: 
    masquerade: no
    forward-ports: 
    icmp-blocks: 
    rich rules: 
        
    drop
    interfaces: 
    sources: 
    services: 
    ports: 
    masquerade: no
    forward-ports: 
    icmp-blocks: 
    rich rules: 
        
    external
    interfaces: 
    sources: 
    services: ssh
    ports: 
    masquerade: yes
    forward-ports: 
    icmp-blocks: 
    rich rules: 
        
    home
    interfaces: 
    sources: 
    services: dhcpv6-client ipp-client mdns samba-client ssh
    ports: 
    masquerade: no
    forward-ports: 
    icmp-blocks: 
    rich rules: 
        
    internal
    interfaces: 
    sources: 
    services: dhcpv6-client ipp-client mdns samba-client ssh
    ports: 
    masquerade: no
    forward-ports: 
    icmp-blocks: 
    rich rules: 
     
        
    public (default, active)
    interfaces: enp0s3
    sources: 
    services: dhcpv6-client ssh
    ports: 
    masquerade: no
    forward-ports: 
    icmp-blocks: 
    rich rules: 
     
        
    trusted
    interfaces: 
    sources: 
    services: 
    ports: 
    masquerade: no
    forward-ports: 
    icmp-blocks: 
    rich rules: 
        
    work
    interfaces: 
    sources: 
    services: dhcpv6-client ipp-client ssh
    ports: 
    masquerade: no
    forward-ports: 
    icmp-blocks: 
    rich rules:

    We are particularly interested in the zone public, since that is where our website(s) should be seen. I repeat this zone below:

    public (default, active)
    interfaces: enp0s3
    sources: 
    services: dhcpv6-client ssh
    ports: 
    masquerade: no
    forward-ports: 
    icmp-blocks: 
    rich rules: 

    Notice that interfaces points to our ipv6 network card enp0s3, and that services lists dhcpv6-client as well as the ssh service we are currently using to connect; those must stay open. However, nothing is listed for apache2. So I thought we should add the apache2 service to this public zone.
     
    And what is apache2 called on centOS72? Yes, httpd. But adding that service gave the error: Error: INVALID_SERVICE: httpd. So that name is not correct (the valid names can be listed with firewall-cmd --get-services, seen in the help above). On second thought I noticed that the ssh service name lacks the d of sshd, so let's try http instead:
     
    $ sudo firewall-cmd --zone=public --add-service=http --permanent
    success
     
    $ sudo firewall-cmd --reload
    success
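    As an added example (not part of the original page), the check we did by eye above, done in a small POSIX shell script: it parses the output format of firewall-cmd --list-all-zones, finds the zone bound to a given interface, tells whether a service is enabled there, and prints the exact fix commands used above when http is missing. The sample output embedded below is constructed from the page's own dmz and public zones; on a live host the ZONES_OUTPUT variable would be filled from the real command instead.

```shell
#!/bin/sh
# Parse `firewall-cmd --list-all-zones` style output and check whether
# the service we need (http) is enabled in the zone bound to our interface.

# Constructed sample, copied from the page's dmz and public zones.
# On a real host: ZONES_OUTPUT=$(sudo firewall-cmd --list-all-zones)
SAMPLE_ZONES='dmz
  interfaces: 
  sources: 
  services: ssh
  ports: 

public (default, active)
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client ssh
  ports: 
'
ZONES_OUTPUT=${ZONES_OUTPUT:-$SAMPLE_ZONES}

# zone_of_interface IFACE -> prints the name of the zone that binds IFACE
zone_of_interface() {
    printf '%s\n' "$ZONES_OUTPUT" | awk -v ifc="$1" '
        /^[a-z]/ { zone = $1 }                 # unindented line = zone header
        /^[[:space:]]*interfaces:/ {           # indented attribute line
            for (i = 2; i <= NF; i++) if ($i == ifc) { print zone; exit }
        }'
}

# zone_has_service ZONE SERVICE -> exit 0 if SERVICE is listed in ZONE
zone_has_service() {
    printf '%s\n' "$ZONES_OUTPUT" | awk -v z="$1" -v svc="$2" '
        /^[a-z]/ { zone = $1 }
        zone == z && /^[[:space:]]*services:/ {
            for (i = 2; i <= NF; i++) if ($i == svc) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# check_http IFACE -> 0 if http is reachable through the firewall,
# 1 (with the remediation commands printed) if it is missing, 2 if no zone
check_http() {
    zone=$(zone_of_interface "$1")
    [ -n "$zone" ] || { echo "no zone binds $1"; return 2; }
    if zone_has_service "$zone" http; then
        echo "http already enabled in zone $zone"
        return 0
    fi
    echo "http missing from zone $zone; run:"
    echo "  sudo firewall-cmd --zone=$zone --add-service=http --permanent"
    echo "  sudo firewall-cmd --reload"
    return 1
}

# Stand-alone use: report on enp0s3 (or the interface given as argument).
check_http "${1:-enp0s3}" || :
```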
     
    Perhaps the centOS firewall is now correctly configured for our apache2. Let's try on our ipv6 client:
     

    teacher@ub14-04-student-client:~$ telnet -6 2a01:4f8:202:6116:1000::1118 80
    Trying 2a01:4f8:202:6116:1000::1118...
    Connected to 2a01:4f8:202:6116:1000::1118.
    Escape character is '^]'.
    ^C
    Connection closed by foreign host.

    BINGO -- it connects, next we try lynx ...
     
    teacher@ub14-04-student-client:~$ lynx [2a01:4f8:202:6116:1000::1118]
    Looking up '[2a01:4f8:202:6116:1000::1118]' first
     

    Testing 123..
     
    This page is used to test the proper operation of the Apache HTTP server
    after it has been installed. If you can read this page it means that this
    site is working properly. This server is powered by CentOS.
    Just visiting?
    The website you just visited is either experiencing problems or is
    undergoing routine maintenance.
    If you would like to let the administrators of this website know that you've
    seen this page instead of the page you expected, you should send them
    e-mail. In general, mail sent to the name "webmaster" and directed to the
    website's domain should reach the appropriate person.
    For example, if you experienced problems while visiting www.example.com, you
    should send e-mail to "webmaster@example.com".
    Are you the Administrator?
    You should add your website content to the directory /var/www/html/.
    To prevent this page from ever being used, follow the instructions in the
    file /etc/httpd/conf.d/welcome.conf.
    Promoting Apache and CentOS
    -- press space for next page --

    AND IT WORKS!!
    However, we're not finished yet: apache2 answers with 403 Forbidden (the welcome page) and adds:
    You should add your website content to the directory /var/www/html/. To prevent this page from ever being used, follow the instructions in the file /etc/httpd/conf.d/welcome.conf
    Something that we will now promptly do.
    But first we restart our server, to see whether our firewall configuration survives a reboot ...
     
    ... and YES, it still acts the same after the restart.
     
    ... we can also test from our desktop at home with firefox, since we have ipv6 from telenet:

    [screenshot: firefox showing the test page]

     

  5. getting rid of 403 forbidden
     
    This is a piece of cake. Just put an index.html file in /var/www/html ......
     
    We proceeded as follows:
     
    $ echo "<html><body><h1>DEFAULT PAGE from TEACHER</h1></body></html>" >> index.html
    $ sudo cp index.html /var/www/html
      
    On our test-machine we type:
     
    teacher@ub14-04-student-client:~$ lynx [2a01:4f8:202:6116:1000::1118]
    Looking up '[2a01:4f8:202:6116:1000::1118]' first
     
                              DEFAULT PAGE from TEACHER
     
    Commands: Use arrow keys to move, '?' for help, 'q' to quit, '<-' to go back.
    Arrow keys: Up and Down to move.  Right to follow a link; Left to go back.
    H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list 

    ... exactly what we wanted.