
centos 72 -- apache2 with virtual hosts -- sftp key-ed access

part 4: virtual hosts

  1. testing what we have
     
    Now that we have configured a working apache2 server, with a default webpage, this website should be visible for all domain names pointing to our ip-address.
    To test this we can:
     
    • dig all three domain-names on our test-machine to see whether they all point to our web-server
       
      If we use dig without options, it returns an IPv4 (A) record; to get the IPv6 address we need the parameter -t AAAA.
      Let's test:
      ub14-04-student-client:~$ dig -t AAAA bert.netmusic.be
       
      ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> -t AAAA bert.netmusic.be
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47034
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5
       
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;bert.netmusic.be.      IN  AAAA
       
      ;; ANSWER SECTION:
      bert.netmusic.be.   259200  IN  CNAME   st18.netmusic.be.
      st18.netmusic.be.   259200  IN  AAAA    2a01:4f8:202:6116:1000::1118
       
      ;; AUTHORITY SECTION:
      netmusic.be.        259200  IN  NS  ns2.linux800.eu.
      netmusic.be.        259200  IN  NS  ns1.linux800.eu.
       
      ;; ADDITIONAL SECTION:
      ns1.linux800.eu.    259200  IN  A   148.251.117.145
      ns1.linux800.eu.    259200  IN  AAAA    2a01:4f8:202:6116:1000::11
      ns2.linux800.eu.    259200  IN  A   148.251.117.146
      ns2.linux800.eu.    259200  IN  AAAA    2a01:4f8:202:6116:1000::12
       
      ;; Query time: 4 msec
      ;; SERVER: 2a01:4f8:202:6116:1000::11#53(2a01:4f8:202:6116:1000::11)
      ;; WHEN: Sat May 07 00:40:41 CEST 2016
      ;; MSG SIZE  rcvd: 227

      We are only interested in the answer section:

      ;; ANSWER SECTION:
      bert.netmusic.be.   259200  IN  CNAME   st18.netmusic.be.
      st18.netmusic.be.   259200  IN  AAAA    2a01:4f8:202:6116:1000::1118

      We see that the main domain-name attributed to 2a01:4f8:202:6116:1000::1118 is st18.netmusic.be.
      We also see that bert.netmusic.be is a CNAME pointing to st18.netmusic.be, which is correct.
       
      Let's look at the answer sections for my other two domain-names:

      ;; ANSWER SECTION:
      rock.netmusic.be.   259200  IN  CNAME   st18.netmusic.be.
      st18.netmusic.be.   259200  IN  AAAA    2a01:4f8:202:6116:1000::1118
       
      ;; ANSWER SECTION:
      roll.netmusic.be.   259200  IN  CNAME   st18.netmusic.be.
      st18.netmusic.be.   259200  IN  AAAA    2a01:4f8:202:6116:1000::1118

      which all point to the right ipv6 address.
       

    • we can also lynx all three domain-names on our test-machine to see whether they all display our default web-site
        
      Let's see what happens when we enter our domain names in lynx on our ubuntu test-machine:
      teacher@ub14-04-student-client:~$ lynx bert.netmusic.be
      Looking up  'bert.netmusic.be' first
      teacher@ub14-04-student-client:~$ lynx rock.netmusic.be
      Looking up  'rock.netmusic.be' first
      teacher@ub14-04-student-client:~$ lynx roll.netmusic.be
      Looking up  'roll.netmusic.be' first
       
      DEFAULT PAGE from TEACHER
       

      All three domain-names give the same web-site in lynx, which is exactly what we want NOW. Our DNS is well configured. (and we don't need to change /etc/hosts)
       
      In the next section we are going to create a different website for rock.netmusic.be and another for roll.netmusic.be. We can keep the default site, but alter the page in order to perhaps inform the customers that they need to enter a FQDN and not an ip-address.
       

  2. planning of our virtual site(s)
     
    We'll create virtual hosts using somewhat special users, created in real user-space in their own 'home'-directory. We'll choose a home-root directory that is different from /home to isolate this space from normal users. Since our 2nd level domain will be the same for all 'virtual'-users, we will only name them according to third level. (this is not necessary -- only convenient)
    We will at first give them a 'too simple' password,
    MUCH LATER on we will equip them with KEYS,
    even LATER we will configure SFTP.
     
    Virtual-Home-root: /users-www
    My Virtual users: rock and roll
     
  3. setup of users
    [teacher@centos72-s18 ~]$ sudo mkdir /users-www
    $ sudo useradd -m rock --home-dir /users-www/rock
    $ sudo useradd -m roll --home-dir /users-www/roll
    $ sudo passwd rock
    Changing password for user rock.
    New password: x-x-x-x
    BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic
    Retype new password: x-x-x-x
    passwd: all authentication tokens updated successfully.
    $ sudo passwd roll
    Changing password for user roll.
    New password: x-x-x-x
    BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic
    Retype new password: x-x-x-x 
    passwd: all authentication tokens updated successfully.

     
    Both users will have a directory Public, in which they will place their website.
    We will start with a simple index.html file.

    [teacher@centos72-s18 ~]$ sudo su rock
    [rock@centos72-s18 teacher]$ cd
    [rock@centos72-s18 ~]$ pwd
    /users-www/rock
    [rock@centos72-s18 ~]$ mkdir Public
    [rock@centos72-s18 ~]$ echo "<html><body><h1>this place ROCKS</h1></body></html>" >> Public/index.html 
    [rock@centos72-s18 ~]$ exit
    exit
    [teacher@centos72-s18 ~]$ sudo su roll
    [roll@centos72-s18 teacher]$ cd
    [roll@centos72-s18 ~]$ pwd
    /users-www/roll
    [roll@centos72-s18 ~]$ mkdir Public
    [roll@centos72-s18 ~]$ echo "<html><body><h1>barrels ROLLing down the street</h1></body></html>" >> Public/index.html
    [roll@centos72-s18 ~]$ exit
    exit

     

  4. Allowing access by apache2
     
    We have to tell apache2, in the config file /etc/httpd/conf/httpd.conf, that the directory /users-www and all its subdirectories may be served. We add the following to /etc/httpd/conf/httpd.conf below the declaration <Directory "/var/www/"> ... </Directory>, in our case close to line 159:

    httpd.conf

     
    to save some time you can cut and paste the following:

    #
    # added to allow virtual hosts from /users-www
    <Directory /users-www>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
    </Directory>

     
    Now we have to restart apache ...
    $ sudo systemctl restart httpd
     
    Everything seems to be fine. If you want to be sure, test again with lynx. We cannot test virtual hosts yet, only the default page, but that is enough to be sure we didn't make any syntax errors in the block above.

    If you see any error messages, read them and act accordingly -- usually it's a syntax error: a wrong character in the wrong place, or a character missing ...
     

  5. Allowing access by SElinux
     
    First we install the SELinux policy core utilities (the package that provides semanage):
    $ sudo yum install policycoreutils-python
     
    Next we execute the following two commands:
    $ sudo semanage fcontext --add --type httpd_sys_content_t "/users-www/.*/Public(/.*)?"
    $ sudo restorecon -Rv /users-www
     
    restorecon reset /users-www/rock/Public context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
    restorecon reset /users-www/rock/Public/index.html context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
    restorecon reset /users-www/roll/Public context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
    restorecon reset /users-www/roll/Public/index.html context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0 

      

  6. virtual host declaration
     
    From a previous exercise, we learned to put virtualhost-config files in the directory /etc/httpd/conf.d. There's a README file here which says:

    This directory holds configuration files for the Apache HTTP Server; any files in this directory which have the ".conf" extension will be processed as httpd configuration files.  The directory is used in addition to the directory /etc/httpd/conf.modules.d/, which contains configuration files necessary to load modules. Files are processed in alphabetical order.

    This means that we can put our virtual-host-config files here.
     
    The last lines of the apache2 config file /etc/httpd/conf/httpd.conf read as follows:

    # Supplemental configuration
    #
    # Load config files in the "/etc/httpd/conf.d" directory, if any.
    IncludeOptional conf.d/*.conf

    This means that our config files have to end in .conf
     
    Let us first create ... rock.netmusic.be
     
    $ pwd
    /etc/httpd/conf.d
    $ sudo vim rock.netmusic.be.conf

    <VirtualHost *:80>
    ServerName rock.netmusic.be
    ServerAlias www.rock.netmusic.be
    DocumentRoot /users-www/rock/Public
    </VirtualHost>

     
    And we can test it immediately after restarting apache2 ...
    $ sudo systemctl restart httpd
     
    ... and we get no reply, which is probably good ...
    ...
    ... testing
    $ lynx localhost
    403 forbidden
    ???
     
    Here's why:

    [teacher@centos72-s18 ~]$ ls -l /
    total 32
    ...
    drwxrwxrwt.  8 root root 4096 May  7 11:06 tmp
    drwxr-xr-x.  4 root root   28 May  7 08:28 users-www
    ...
    [teacher@centos72-s18 ~]$ ls -l /users-www/
    total 0
    drwx------. 3 rock rock 92 May  7 08:34 rock
    drwx------. 3 roll roll 92 May  7 08:35 roll

     
    The world (others) has no rights at all on rock nor on roll, so the apache user cannot enter those directories and it doesn't work.
    However, ... what happened to our default site?
     
    Let's correct the permissions:

    [teacher@centos72-s18 ~]$ sudo chmod 755 /users-www/* -v
     
    mode of ‘/users-www/rock’ changed from 0744 (rwxr--r--) to 0755 (rwxr-xr-x)
    mode of ‘/users-www/roll’ changed from 0744 (rwxr--r--) to 0755 (rwxr-xr-x)
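      The 403 is a path-traversal problem: httpd runs as the apache user, which is "others" for every component of /users-www/rock/Public. The following Python check is an added example (not from this page) that walks a DocumentRoot and reports the components others cannot enter; its demo rebuilds the page's layout in a temporary directory, since the real /users-www needs the server. It also shows that 0711 on the home directory is enough, because others only need the search bit, not read.

```python
import os
import stat
import tempfile


def untraversable_components(document_root, start="/"):
    """Walk from `start` down to `document_root` and return the components
    (path, octal mode) that 'others' cannot enter, i.e. lack the x bit.
    httpd runs as the apache user, which is neither owner nor group of
    /users-www/rock, so for every component of the path it is 'others';
    a single missing search bit turns the request into a 403.
    `start` itself is not checked."""
    blocked = []
    path = start
    for comp in os.path.relpath(document_root, start).split(os.sep):
        if comp in ("", "."):
            continue
        path = os.path.join(path, comp)
        mode = os.stat(path).st_mode
        if not mode & stat.S_IXOTH:
            blocked.append((path, oct(stat.S_IMODE(mode))))
    return blocked


def demo():
    """Rebuild the page's layout (constructed, in a temp dir) and run the
    check before and after fixing the home directory."""
    base = tempfile.mkdtemp()              # stands in for /users-www
    os.chmod(base, 0o755)
    home = os.path.join(base, "rock")      # stands in for /users-www/rock
    public = os.path.join(home, "Public")  # the DocumentRoot
    os.makedirs(public)
    os.chmod(public, 0o755)
    os.chmod(home, 0o700)                  # what useradd -m left us with
    before = untraversable_components(public, start=base)
    # Others only need the search bit on the home directory, not read:
    # 0711 lets httpd reach Public without making the home listable
    # (the page's chmod 755 also works, but exposes the home's listing).
    os.chmod(home, 0o711)
    after = untraversable_components(public, start=base)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("blocked before fix:", before)   # one entry: the rock home, 0o700
    print("blocked after fix:", after)     # []
```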

     
    We don't have to restart apache to test again: the problem was not in the config file.
    $ lynx localhost
    this place ROCKS
     
    However, ... what happened to our default site?
     
    It seems that once we create virtual hosts, we have to make the default site a virtual host too: when no ServerName matches the request, apache serves the first virtual host it loaded. Since the files are read alphabetically, we had better name it accordingly. In Debian they use: 000-default.conf
    Monkey see, monkey do ...
     
    $ sudo vim /etc/httpd/conf.d/000-default.conf

    <VirtualHost *:80>
    # Servername commented out
    # ServerName netmusic.be
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    </VirtualHost>
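    To see why "lynx localhost" landed on rock's page before 000-default.conf existed, here is an added Python simulation (not part of this page or of httpd itself) of name-based selection: conf.d files are loaded alphabetically, and the first VirtualHost for a listener is the default when no ServerName or ServerAlias matches. It assumes exact-name matching only (no wildcard aliases), and the three configs are constructed copies of this page's files.

```python
import re

# Constructed copies of the three conf.d files from this page (inline here).
CONF_FILES = {
    "rock.netmusic.be.conf": """<VirtualHost *:80>
ServerName rock.netmusic.be
ServerAlias www.rock.netmusic.be
DocumentRoot /users-www/rock/Public
</VirtualHost>""",
    "roll.netmusic.be.conf": """<VirtualHost *:80>
ServerName roll.netmusic.be
ServerAlias www.roll.netmusic.be
DocumentRoot /users-www/roll/Public
</VirtualHost>""",
    "000-default.conf": """<VirtualHost *:80>
# ServerName netmusic.be
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
</VirtualHost>""",
}

def load_vhosts(conf_files):
    """Parse vhosts in httpd's load order: conf.d/*.conf sorted by name."""
    vhosts = []
    for name in sorted(conf_files):
        for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>",
                                conf_files[name], re.S):
            vh = {"file": name, "names": [], "docroot": None}
            for line in block.splitlines():
                line = line.strip()
                if not line or line.startswith("#"):
                    continue  # blank or commented-out directive
                key, _, value = line.partition(" ")
                if key == "ServerName":
                    vh["names"].append(value.strip().lower())
                elif key == "ServerAlias":
                    vh["names"].extend(v.lower() for v in value.split())
                elif key == "DocumentRoot":
                    vh["docroot"] = value.strip()
            vhosts.append(vh)
    return vhosts

def select_vhost(vhosts, host_header):
    """First ServerName/ServerAlias match wins; with no match httpd serves
    the FIRST vhost loaded for the listener (exact names only here)."""
    host = host_header.split(":")[0].lower()
    for vh in vhosts:
        if host in vh["names"]:
            return vh
    return vhosts[0]
```

    Without 000-default.conf the first file in sorted order is rock.netmusic.be.conf, so "localhost" (matching no name) is served from /users-www/rock/Public; with it, the same request falls back to /var/www/html.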

     
    And now we have to restart apache ...
     
    $ sudo systemctl restart httpd
     
    $ lynx localhost
    default page from TEACHER
     
    $ lynx rock.netmusic.be
    ... it took a while (10 seconds) checking the ipv6 ...
    this place ROCKS
     
    this makes me happy ...
     
    Last we have to add the virtual host config for roll.netmusic.be
     
    $ sudo vim roll.netmusic.be.conf

    <VirtualHost *:80>
    ServerName roll.netmusic.be
    ServerAlias www.roll.netmusic.be
    DocumentRoot /users-www/roll/Public
    </VirtualHost>

    And we can test it immediately after restarting apache2 ...
    $ sudo systemctl restart httpd

    $ lynx roll.netmusic.be
    barrels ROLLING down the street
     
    THE UBUNTU CLIENT IMMEDIATELY GIVES THE SAME RESULTS
    -- this proves that we should test basic things first --

    ... and on the ipv6 enabled desktop on telenet it also works ...