centos 72 -- apache2 with virtual hosts -- sftp key-ed access
part4: virtual hosts
- testing what we have
Now that we have configured a working apache2 server with a default webpage, this website should be visible under every domain name that points to our IP address.
To test this we can:
- dig all three domain-names on our test-machine to see whether they all point to our web-server.
If we use dig without options it asks for an A record and gives us an IPv4 address; to get an IPv6 address we have to ask for the AAAA record with the parameter -t AAAA.
Let's test:
ub14-04-student-client:~$ dig -t AAAA bert.netmusic.be

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> -t AAAA bert.netmusic.be
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47034
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bert.netmusic.be.              IN      AAAA

;; ANSWER SECTION:
bert.netmusic.be.       259200  IN      CNAME   st18.netmusic.be.
st18.netmusic.be.       259200  IN      AAAA    2a01:4f8:202:6116:1000::1118

;; AUTHORITY SECTION:
netmusic.be.            259200  IN      NS      ns2.linux800.eu.
netmusic.be.            259200  IN      NS      ns1.linux800.eu.

;; ADDITIONAL SECTION:
ns1.linux800.eu.        259200  IN      A       148.251.117.145
ns1.linux800.eu.        259200  IN      AAAA    2a01:4f8:202:6116:1000::11
ns2.linux800.eu.        259200  IN      A       148.251.117.146
ns2.linux800.eu.        259200  IN      AAAA    2a01:4f8:202:6116:1000::12

;; Query time: 4 msec
;; SERVER: 2a01:4f8:202:6116:1000::11#53(2a01:4f8:202:6116:1000::11)
;; WHEN: Sat May 07 00:40:41 CEST 2016
;; MSG SIZE  rcvd: 227
We are only interested in the answer section:
;; ANSWER SECTION:
bert.netmusic.be.       259200  IN      CNAME   st18.netmusic.be.
st18.netmusic.be.       259200  IN      AAAA    2a01:4f8:202:6116:1000::1118
We see that the canonical name attributed to 2a01:4f8:202:6116:1000::1118 is st18.netmusic.be. We also see that bert.netmusic.be is a CNAME, an alias pointing to st18.netmusic.be, which is correct.
Let's look at the answer sections for my other two domain-names:
;; ANSWER SECTION:
rock.netmusic.be.       259200  IN      CNAME   st18.netmusic.be.
st18.netmusic.be.       259200  IN      AAAA    2a01:4f8:202:6116:1000::1118

;; ANSWER SECTION:
roll.netmusic.be.       259200  IN      CNAME   st18.netmusic.be.
st18.netmusic.be.       259200  IN      AAAA    2a01:4f8:202:6116:1000::1118
Both are aliases for st18.netmusic.be and so end up at the right IPv6 address.
- we can also lynx all three domain-names on our test-machine to see whether they all display our default web-site.
Let's see what happens when we enter our domain names in lynx on our ubuntu test-machine:
teacher@ub14-04-student-client:~$ lynx bert.netmusic.be
Looking up 'bert.netmusic.be' first
teacher@ub14-04-student-client:~$ lynx rock.netmusic.be
Looking up 'rock.netmusic.be' first
teacher@ub14-04-student-client:~$ lynx roll.netmusic.be
Looking up 'roll.netmusic.be' first
DEFAULT PAGE from TEACHER
All three domain-names give the same web-site in lynx, which is exactly what we want NOW. Our DNS is well configured (and we don't need to touch /etc/hosts on the client).
In the next section we are going to create a different website for rock.netmusic.be and another for roll.netmusic.be. We can keep the default site, but alter its page to inform visitors that they need to enter a FQDN and not an IP address, since the default site is what answers every request that does not match one of the virtual hosts.
- planning of our virtual site(s)
We'll create virtual hosts using somewhat special users, created in real user-space with their own home directory. We'll choose a home root directory that is different from /home, to isolate this space from normal users. Since our second-level domain is the same for all 'virtual' users, we name them after the third-level label only (this is not necessary, only convenient).
We will at first give them a 'too simple' password,
MUCH LATER on we will equip them with KEYS,
even LATER we will configure SFTP.
Virtual home root: /users-www
My virtual users: rock and roll
- setup of users
[teacher@centos72-s18 ~]$ sudo mkdir /users-www
$ sudo useradd -m rock --home-dir /users-www/rock
$ sudo useradd -m roll --home-dir /users-www/roll
$ sudo passwd rock
Changing password for user rock.
New password: x-x-x-x
BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic
Retype new password: x-x-x-x
passwd: all authentication tokens updated successfully.
$ sudo passwd roll
Changing password for user roll.
New password: x-x-x-x
BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic
Retype new password: x-x-x-x
passwd: all authentication tokens updated successfully.
Note that passwd run through sudo (as root) only warns about a weak password and still accepts it. On a server reachable from the internet, give these accounts real passwords until the key-based access of a later part is in place, or they become the easiest way in.
Both users will have a directory Public in which they will place their website.
We will start with a simple index.html file.
[teacher@centos72-s18 ~]$ sudo su rock
[rock@centos72-s18 teacher]$ cd
[rock@centos72-s18 ~]$ pwd
/users-www/rock
[rock@centos72-s18 ~]$ mkdir Public
[rock@centos72-s18 ~]$ echo "<html><body><h1>this place ROCKS</h1></body></html>" >> Public/index.html
[rock@centos72-s18 ~]$ exit
exit
[teacher@centos72-s18 ~]$ sudo su roll
[roll@centos72-s18 teacher]$ cd
[roll@centos72-s18 ~]$ pwd
/users-www/roll
[roll@centos72-s18 ~]$ mkdir Public
[roll@centos72-s18 ~]$ echo "<html><body><h1>barrels ROLLing down the street</h1></body></html>" >> Public/index.html
[roll@centos72-s18 ~]$ exit
exit
- Allowing access by apache2
We have to tell apache2, in its config file /etc/httpd/conf/httpd.conf, that it may serve files from the directory /users-www and all its subdirectories. We add the following in /etc/httpd/conf/httpd.conf below the block <Directory "/var/www/"> ... </Directory>, in our case close to line 159.
To save some time you can cut and paste the following:
#
# added to allow virtual hosts from /users-www
<Directory /users-www>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
A word on these settings: Indexes switches on automatic directory listings for any directory without an index file, and AllowOverride All lets a site owner change the server configuration from .htaccess files inside their Public directory. For a plain static site both can be dropped (Options None, AllowOverride None), and the block can be narrowed to <Directory "/users-www/*/Public"> so that nothing outside the Public directories is ever servable.
Now we have to restart apache ...
$ sudo systemctl restart httpd
Everything seems to be fine. If you want to be sure, test again with lynx. We cannot test virtual hosts yet, only the default page, but that is enough to be sure we didn't make any syntax errors above. If you see error messages, read them and act accordingly; usually it's a syntax error, one wrong character at the wrong place, or a character missing. Running sudo apachectl configtest before the restart reports such errors without taking the running server down.
- Allowing access by SELinux
With SELinux enforcing, httpd may only read files that carry the label httpd_sys_content_t. Files created by hand under /users-www get the label default_t, so httpd would be refused even with correct permissions. We record a labelling rule for the Public directories with semanage and apply it with restorecon.
First we install the policy utilities, which provide semanage:
$ sudo yum install policycoreutils-python
Next we execute the following two commands:
$ sudo semanage fcontext --add --type httpd_sys_content_t "/users-www/.*/Public(/.*)?"
$ sudo restorecon -Rv /users-www
restorecon reset /users-www/rock/Public context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /users-www/rock/Public/index.html context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /users-www/roll/Public context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /users-www/roll/Public/index.html context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
The rule is stored permanently, so any future Public directory under /users-www is labelled correctly on the next restorecon, and the label survives a relabel of the filesystem.
- virtual host declaration
From a previous exercise, we learned to put virtual-host config files in the directory /etc/httpd/conf.d. There's a README file there which says:
This directory holds configuration files for the Apache HTTP Server; any files in this directory which have the ".conf" extension will be processed as httpd configuration files. The directory is used in addition to the directory /etc/httpd/conf.modules.d/, which contains configuration files necessary to load modules. Files are processed in alphabetical order.
This means that we can put our virtual-host config files here.
The last lines of the apache2 config file /etc/httpd/conf/httpd.conf read as follows:
# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf
This means that our config files have to end in .conf
Let us first create ... rock.netmusic.be
$ pwd
/etc/httpd/conf.d
$ sudo vim rock.netmusic.be.conf
<VirtualHost *:80>
    ServerName rock.netmusic.be
    ServerAlias www.rock.netmusic.be
    DocumentRoot /users-www/rock/Public
</VirtualHost>
And we can test it immediately after restarting apache2 ...
$ sudo systemctl restart httpd
... and we get no output, which is good: systemctl stays silent when the restart succeeds ...
...
... testing
$ lynx localhost
403 forbidden
???
Here's why:
[teacher@centos72-s18 ~]$ ls -l /
total 32
...
drwxrwxrwt.  8 root root 4096 May  7 11:06 tmp
drwxr-xr-x.  4 root root   28 May  7 08:28 users-www
...
[teacher@centos72-s18 ~]$ ls -l /users-www/
total 0
drwx------. 3 rock rock 92 May  7 08:34 rock
drwx------. 3 roll roll 92 May  7 08:35 roll
Others have neither read nor execute permission on the rock and roll directories (useradd -m creates home directories that way). httpd runs as the unprivileged user apache, so it cannot even enter them, and answers 403.
Let's correct the permissions:
[teacher@centos72-s18 ~]$ sudo chmod 755 /users-www/* -v
mode of ‘/users-www/rock’ changed from 0744 (rwxr--r--) to 0755 (rwxr-xr-x)
mode of ‘/users-www/roll’ changed from 0744 (rwxr--r--) to 0755 (rwxr-xr-x)
We don't have to restart apache to test again: the problem was not in the config file, and file permissions are checked on every request.
$ lynx localhost
this place ROCKS
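As an added example (not part of the original tutorial), here is a small script that does the permission reasoning above mechanically, so a 403 from a new DocumentRoot can be diagnosed instead of guessed: it walks every directory from the root down to the file and reports the ones httpd cannot pass, and it runs restorecon in report-only mode for the SELinux labelling from the earlier section. The file name docroot-check.sh and the dependency on GNU stat are assumptions.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: a pre-flight check for a
# DocumentRoot that explains a 403 before you start guessing.
# httpd runs as the unprivileged user "apache", so it needs the execute bit
# for "others" on every directory from / down to the DocumentRoot, and the
# read bit for "others" on the files it serves. On an SELinux system the
# files must additionally carry the httpd_sys_content_t label.
# Assumptions (not from the page): Linux with GNU coreutils stat(1); the
# SELinux helper is only used if restorecon is installed.
set -u

# Walk every path component of $1 and print the ones httpd cannot pass:
# directories without o+x, files without o+r, or missing components.
# Returns 0 when the whole path is traversable, 1 otherwise.
check_docroot_path() {
  local target=$1 acc comp rest mode bad=0
  case "$target" in
    /*) acc="" ;;   # absolute path: start at the root
    *)  acc="." ;;  # relative path: start at the current directory
  esac
  rest=${target#/}
  while [ -n "$rest" ]; do
    comp=${rest%%/*}
    rest=${rest#"$comp"}
    rest=${rest#/}
    [ -z "$comp" ] && continue
    acc="$acc/$comp"
    if ! mode=$(stat -c %a "$acc" 2>/dev/null); then
      echo "missing: $acc"
      bad=1
      break
    fi
    # The last octal digit is the "others" triplet: 4 = read, 1 = execute.
    if [ -d "$acc" ]; then
      if [ $(( 8#$mode & 1 )) -eq 0 ]; then
        echo "no o+x (httpd cannot traverse): $acc ($mode)"
        bad=1
      fi
    elif [ $(( 8#$mode & 4 )) -eq 0 ]; then
      echo "no o+r (httpd cannot read): $acc ($mode)"
      bad=1
    fi
  done
  return "$bad"
}

# Report files under $1 whose SELinux label differs from the fcontext rules.
# restorecon -n only reports; it changes nothing. Skipped without SELinux tools.
check_selinux_labels() {
  if command -v restorecon >/dev/null 2>&1; then
    restorecon -Rnv "$1"
  else
    echo "restorecon not installed; skipping SELinux label check"
  fi
}

# Usage: ./docroot-check.sh /users-www/rock/Public/index.html
if [ $# -gt 0 ]; then
  check_docroot_path "$1"
  check_selinux_labels "$1"
fi
```

Run it against the index file of a new site right after creating the user: with the home directory still at its useradd mode it prints the offending directory and exits non-zero, and once the chmod from above has been applied it is silent. Only the "others" bits matter here because apache is neither the owner nor in the group of these directories.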
However, ... what happened to our default site?
Once a name-based <VirtualHost *:80> exists, the main server's DocumentRoot is no longer used for requests on that address and port: a request whose Host header matches no ServerName or ServerAlias is served by the first virtual host that was loaded, which is why lynx localhost now shows rock's page. So if we create virtual hosts, the default site has to become a virtual host too, and since the files in conf.d are read alphabetically, we'd better name it so that it sorts first. In debian they use: 000-default.conf
Monkey see, monkey do ...
$ sudo vim /etc/httpd/conf.d/000-default.conf
<VirtualHost *:80>
    # Servername commented out
    # ServerName netmusic.be
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
</VirtualHost>
And now we have to restart apache ...
$ sudo systemctl restart httpd
$ lynx localhost
default page from TEACHER
$ lynx rock.netmusic.be
... it took a while (10 seconds) checking the ipv6 ...
this place ROCKS
this makes me happy ...
Last we have to add the virtual host config for roll.netmusic.be
$ sudo vim roll.netmusic.be.conf
<VirtualHost *:80>
    ServerName roll.netmusic.be
    ServerAlias www.roll.netmusic.be
    DocumentRoot /users-www/roll/Public
</VirtualHost>
And we can test it immediately after restarting apache2 ...
$ sudo systemctl restart httpd
$ lynx roll.netmusic.be
barrels ROLLING down the street
THE UBUNTU CLIENT IMMEDIATELY GIVES THE SAME RESULTS
-- this proves that we should test basic things first -- ... and on the IPv6-enabled desktop on Telenet it also works ...