
>> Mar 2018: -4- virtual name hosts

  1. user accounts for access and for placing the websites
    first we create one common location for 'all' web users;
    then we create the users with their home directory in that location:
    [student@cOS74-T06-2 ~]$ sudo mkdir /www-homes
    [student@cOS74-T06-2 ~]$ sudo useradd -m --home-dir /www-homes/bob bob
    [student@cOS74-T06-2 ~]$ sudo useradd -m --home-dir /www-homes/dylan dylan
    [student@cOS74-T06-2 ~]$ tail -n 5 /etc/passwd
    student:x:1000:1000:student:/home/student:/bin/bash
    bert:x:1001:1001::/home/bert:/bin/bash
    apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
    bob:x:1002:1002::/www-homes/bob:/bin/bash
    dylan:x:1003:1003::/www-homes/dylan:/bin/bash

    we try out the accounts (still without a password; sudo su works because root
    is not asked for one), and as each of these users we create a Public directory

    [student@cOS74-T06-2 ~]$ sudo su bob
    [bob@cOS74-T06-2 student]$ cd
    [bob@cOS74-T06-2 ~]$ pwd
    /www-homes/bob
    [bob@cOS74-T06-2 ~]$ mkdir Public
    [bob@cOS74-T06-2 ~]$ exit
    exit
    [student@cOS74-T06-2 ~]$ sudo su dylan
    [dylan@cOS74-T06-2 student]$ cd
    [dylan@cOS74-T06-2 ~]$ pwd
    /www-homes/dylan
    [dylan@cOS74-T06-2 ~]$ mkdir Public
    [dylan@cOS74-T06-2 ~]$ ls
    Public
    [dylan@cOS74-T06-2 ~]$ exit
    exit

    finally we put an index.html file in each Public directory so the two sites can be told apart ...

    [student@cOS74-T06-2 ~]$ sudo su bob
    [sudo] password for student: 
    [bob@cOS74-T06-2 student]$ cd
    [bob@cOS74-T06-2 ~]$ cd Public
    [bob@cOS74-T06-2 Public]$ cat > index.html
    DIT IS BOBs WEBSITE <CTRL><D>
    [bob@cOS74-T06-2 Public]$ exit
    exit
    [student@cOS74-T06-2 ~]$ sudo su dylan
    [dylan@cOS74-T06-2 student]$ cd
    [dylan@cOS74-T06-2 ~]$ cd Public
    [dylan@cOS74-T06-2 Public]$ cat > index.html
    DIT IS DE WEBSITE van DYLAN <CTRL><D>
    [dylan@cOS74-T06-2 Public]$ 
  2. apache configuration
    In CentOS 7 the main config file (/etc/httpd/conf/httpd.conf) is less modular than the one in Ubuntu 16 (there is no sites-available/sites-enabled pair). I first take a look at how the config is actually put together:
    [student@cOS74-T06-2 ~]$ cd /etc/httpd
    [student@cOS74-T06-2 httpd]$ tree
    .
    ├── conf
    │   ├── httpd.conf
    │   └── magic
    ├── conf.d
    │   ├── autoindex.conf
    │   ├── README
    │   ├── userdir.conf
    │   └── welcome.conf
    ├── conf.modules.d
    │   ├── 00-base.conf
    │   ├── 00-dav.conf
    │   ├── 00-lua.conf
    │   ├── 00-mpm.conf
    │   ├── 00-proxy.conf
    │   ├── 00-systemd.conf
    │   └── 01-cgi.conf
    ├── logs -> ../../var/log/httpd
    ├── modules -> ../../usr/lib64/httpd/modules
    └── run -> /run/httpd

    what is apache's root directory (ServerRoot)?

    [student@cOS74-T06-2 httpd]$ grep -i serverroot conf/httpd.conf
    # with "/", the value of ServerRoot is prepended -- so 'log/access_log'
    # with ServerRoot set to '/www' will be interpreted by the
    # ServerRoot: The top of the directory tree under which the server's
    # ServerRoot at a non-local disk, be sure to specify a local disk on the
    # same ServerRoot for multiple httpd daemons, you will need to change at
    ServerRoot "/etc/httpd"

    where and how are the includes done?

    [student@cOS74-T06-2 httpd]$ grep -i ^include conf/httpd.conf
    Include conf.modules.d/*.conf
    IncludeOptional conf.d/*.conf

    I want to add conf.sites-enabled/*.conf as an include ...
    perhaps at the end of httpd.conf. Note the difference with the conf.d line: in Apache 2.4 a plain Include whose wildcard matches nothing is a fatal error, so once every site is disabled httpd refuses to start; IncludeOptional silently skips an empty directory.

    # Supplemental configuration
    #
    # Load config files in the "/etc/httpd/conf.d" directory, if any.
    IncludeOptional conf.d/*.conf
    # virtual host configuration (put by student 16/3/2018 - 10am)
    #
    Include conf.sites-enabled/*.conf

    next I create two directories:
    /etc/httpd/conf.sites-enabled
    /etc/httpd/conf.sites-available

    [student@cOS74-T06-2 httpd]$ sudo mkdir conf.sites-enabled
    [sudo] password for student: 
    [student@cOS74-T06-2 httpd]$ sudo mkdir conf.sites-available
    [student@cOS74-T06-2 httpd]$ cd conf.sites-available/

    I put the default site in sites-available ... The first VirtualHost apache reads is the one that answers every request whose Host header matches no ServerName, so the 000 prefix keeps this catch-all first in the glob order:

    [student@cOS74-T06-2 conf.sites-available]$ sudo nano 000.default.conf
    <VirtualHost *:80>
    ServerName default.local
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    </VirtualHost>

    and create a symbolic link to it in sites-enabled

    [student@cOS74-T06-2 conf.sites-available]$ cd ../conf.sites-enabled/
    [student@cOS74-T06-2 conf.sites-enabled]$ sudo ln -s ../conf.sites-available/000.default.conf .
  3. virtual name hosts
    In the previous section we modified httpd.conf so that we can manage our websites modularly. Now we add two extra sites (name-based virtual hosts) to apache:
    bob.conf and dylan.conf
    [student@cOS74-T06-2 httpd]$ cd conf.sites-available/
    [student@cOS74-T06-2 conf.sites-available]$ cat bob.conf 
     
    <VirtualHost *:80>
    ServerName bob.netmusic.be
    ServerAdmin webmaster@localhost
    DocumentRoot /www-homes/bob/Public
    </VirtualHost>
     
    [student@cOS74-T06-2 conf.sites-available]$ cat dylan.conf 
     
    <VirtualHost *:80>
    ServerName dylan.netmusic.be
    ServerAdmin webmaster@localhost
    DocumentRoot /www-homes/dylan/Public
    </VirtualHost>

    Next we have to link the conf files into conf.sites-enabled ...

    [student@cOS74-T06-2 conf.sites-available]$ cd ../conf.sites-enabled/
    [student@cOS74-T06-2 conf.sites-enabled]$ sudo ln -s ../conf.sites-available/bob.conf .
    [student@cOS74-T06-2 conf.sites-enabled]$ sudo ln -s ../conf.sites-available/dylan.conf .

    And reload apache (a graceful reload rather than a full restart):
    [student@cOS74-T06-2 conf.sites-enabled]$ sudo systemctl reload httpd
     
    It is then useful to check the status:

    [student@cOS74-T06-2 conf.sites-enabled]$ sudo systemctl status httpd
    ● httpd.service - The Apache HTTP Server
    Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
    Active: active (running) since Fri 2018-03-16 10:11:21 CET; 23min ago
     Docs: man:httpd(8)
           man:apachectl(8)
    Process: 1237 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
    Main PID: 910 (httpd)
    Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
    CGroup: /system.slice/httpd.service
           ├─ 910 /usr/sbin/httpd -DFOREGROUND
           ├─1239 /usr/sbin/httpd -DFOREGROUND
           ├─1240 /usr/sbin/httpd -DFOREGROUND
           ├─1241 /usr/sbin/httpd -DFOREGROUND
           ├─1242 /usr/sbin/httpd -DFOREGROUND
           └─1243 /usr/sbin/httpd -DFOREGROUND
      
    Mar 16 10:11:20 cOS74-T06-2 systemd[1]: Starting The Apache HTTP Server...
    Mar 16 10:11:21 cOS74-T06-2 httpd[910]: AH00558: httpd: Could not reliably d...ge
    Mar 16 10:11:21 cOS74-T06-2 systemd[1]: Started The Apache HTTP Server.
    Mar 16 10:33:28 cOS74-T06-2 httpd[1217]: AH00558: httpd: Could not reliably d...e
    Mar 16 10:33:28 cOS74-T06-2 systemd[1]: Reloaded The Apache HTTP Server.
    Mar 16 10:34:34 cOS74-T06-2 httpd[1237]: AH00558: httpd: Could not reliably d...e
    Mar 16 10:34:35 cOS74-T06-2 systemd[1]: Reloaded The Apache HTTP Server.

    and test ...

    we get the default site when we browse to the ip address ...

    (the AH00558 lines in the status output are only the warning that no global ServerName is set; they do not stop the virtual hosts from working)

    but ....

    on bob.netmusic.be and dylan.netmusic.be (which must resolve to this server, through DNS or the client's hosts file, because name-based hosting works on the Host header the browser sends) we get:
    "Forbidden -- You don't have permission to access / on this server."
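    Testing every change by hand (browse, reload, read the status) gets tedious with more than two sites. The helper below is an added example and not part of the original notes: it automates the conf.sites-available / conf.sites-enabled layout from section 2 and the test step above. It enables and disables a site by symlink (refusing names that escape the directory and reporting links whose target has been deleted), reloads httpd only after apachectl configtest passes, and probes a name-based vhost with a hand-set Host header so the test does not depend on DNS for bob.netmusic.be. HTTPD_ROOT, the function names and the behaviour on a scratch tree are my assumptions; reload_if_valid and probe_vhost need a running httpd and cannot be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: a2ensite/a2dissite-style
# helpers for the conf.sites-available / conf.sites-enabled layout, a
# configtest-before-reload wrapper and a DNS-independent vhost probe.
# HTTPD_ROOT defaults to /etc/httpd; point it at a scratch tree to try the
# link handling without root.
set -u

HTTPD_ROOT="${HTTPD_ROOT:-/etc/httpd}"

# enable_site NAME: link conf.sites-enabled/NAME.conf -> ../conf.sites-available/NAME.conf
# (relative, like the ln -s above, so the tree survives being moved).  Refuses
# empty names, names containing '/', dot-names, and targets that do not exist.
enable_site() {
    local site="${1:-}" avail link
    case "$site" in
        ''|*/*|.*) echo "enable_site: invalid site name '$site'" >&2; return 2 ;;
    esac
    avail="$HTTPD_ROOT/conf.sites-available/$site.conf"
    link="$HTTPD_ROOT/conf.sites-enabled/$site.conf"
    [ -f "$avail" ] || { echo "enable_site: $avail does not exist" >&2; return 1; }
    if [ -L "$link" ]; then
        echo "enable_site: $site is already enabled"
        return 0
    fi
    ln -s "../conf.sites-available/$site.conf" "$link"
}

# disable_site NAME: remove the symlink only; the file in sites-available stays.
disable_site() {
    local link="$HTTPD_ROOT/conf.sites-enabled/${1:-}.conf"
    [ -L "$link" ] || { echo "disable_site: ${1:-} is not enabled" >&2; return 1; }
    rm "$link"
}

# dangling_sites: print enabled sites whose target .conf has disappeared.
# With a plain 'Include' these break the next httpd start, so check first.
dangling_sites() {
    local l
    for l in "$HTTPD_ROOT"/conf.sites-enabled/*.conf; do
        [ -L "$l" ] || continue        # also skips the literal pattern of an empty glob
        [ -e "$l" ] || basename "$l" .conf
    done
}

# reload_if_valid: parse the configuration before reloading; a broken vhost
# file otherwise takes the running server down at the next restart.
# Needs root and a running httpd (not run offline).
reload_if_valid() {
    if [ -n "$(dangling_sites)" ]; then
        echo "reload_if_valid: dangling links in conf.sites-enabled: $(dangling_sites | tr '\n' ' ')" >&2
        return 1
    fi
    if sudo apachectl configtest; then
        sudo systemctl reload httpd
    else
        echo "reload_if_valid: configtest failed, not reloading" >&2
        return 1
    fi
}

# probe_vhost HOST [IP]: request / from IP with a hand-set Host header, so a
# name-based vhost can be tested before DNS for HOST exists.  Prints the HTTP
# status code: 200 for the page, 403 for the Forbidden seen above.
probe_vhost() {
    local host="$1" ip="${2:-127.0.0.1}"
    curl -s -o /dev/null -w '%{http_code}\n' -H "Host: $host" "http://$ip/"
}
```

    Typical use on the server: enable_site bob; enable_site dylan; reload_if_valid; probe_vhost bob.netmusic.be. A 403 from the probe while the default site answers 200 points at the DocumentRoot (Directory block, SELinux label or file modes), not at the vhost matching.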
     

  4. Fixing Forbidden

    4.1. granting access in /etc/httpd/conf/httpd.conf

    ... somewhere in this file are the directory declarations,
    which look like this (apache 2.4 starts from <Directory /> with Require all denied, so a DocumentRoot outside /var/www gets no access until a block like this grants it):
    <Directory /var/www>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    </Directory>

    and below the last declaration we add the following:

    #
    # added to allow virtual hosts from /www-homes
    <Directory /www-homes>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
    </Directory>
    #

    we do this and reload apache, but it is still Forbidden
    (two remarks on the block: AllowOverride All lets each site owner change these settings through .htaccess files in their own tree, so keep None unless they really need it; Indexes produces a directory listing for any directory without an index file)
     
    4.2. granting access in SELinux

    we first have to install policycoreutils-python, which provides semanage:

    [student@cOS74-T06-2 ~]$ sudo yum install policycoreutils-python
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    * base: ftp.belnet.be
    * extras: ftp.belnet.be
    * updates: ftp.belnet.be
    Resolving Dependencies
    ...
    Installed:
    policycoreutils-python.x86_64 0:2.5-17.1.el7                                   
     
    Dependency Installed:
    audit-libs-python.x86_64 0:2.7.6-3.el7  checkpolicy.x86_64 0:2.5-4.el7        
    libcgroup.x86_64 0:0.41-13.el7          libsemanage-python.x86_64 0:2.5-8.el7 
    python-IPy.noarch 0:0.75-6.el7          setools-libs.x86_64 0:3.3.8-1.1.el7   
     
    Complete!

    then we add /www-homes/*/Public, as a regular expression, to the httpd content type. semanage fcontext stores the rule in the policy (unlike chcon it survives a relabel); restorecon then applies it to the existing files, which can be verified afterwards with ls -dZ /www-homes/*/Public. Denials that remain show up in the audit log (ausearch -m AVC -ts recent):

    $ sudo semanage fcontext --add --type httpd_sys_content_t "/www-homes/.*/Public(/.*)?"
    $ sudo restorecon -Rv /www-homes

    but we still get Forbidden 403
     
    4.3. file permissions

    The permissions on /www-homes and below are not readable for the user of the httpd process (apache, see the /etc/passwd line above). useradd -m on CentOS 7 creates home directories with mode 700 (UMASK 077 in /etc/login.defs), and apache, which is not in bob's or dylan's group, needs search (x) on every directory on the way down and read (r) on the files it serves:

    [student@cOS74-T06-2 ~]$ ls -l /www-homes/
    total 0
    drwx------. 3 bob   bob   97 Mar 16 09:24 bob
    drwx------. 3 dylan dylan 97 Mar 16 09:25 dylan

    We still have to adjust those, here with chmod -R 755. That is more than httpd needs: it also makes every file under the home directories world-readable and executable, dotfiles included, and makes the home directories listable by every local account. The minimum is x on the home directory and r-x on the directories / r on the files under Public.
     
    [student@cOS74-T06-2 ~]$ sudo chmod -R 755 /www-homes/
     
    finally, to be safe, we reload apache once more ...
     
    [student@cOS74-T06-2 conf]$ sudo systemctl reload httpd
     
     
    . . . ... and to our considerable surprise everything now works ...
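    The chmod -R 755 above works, but it grants more than httpd needs. What httpd (running as apache, a user outside bob's and dylan's groups, so only the "other" bits count) actually needs is search (x) on every directory from / down to Public and read (r) on the files it serves. The two helpers below are an added example, not from the original notes: a checker that walks a path the way a user outside the owning group would and names the first component that blocks access, and a fixer that applies the minimal modes (711 on the home directory, 755/644 under Public) and leaves everything else, .bash_history included, alone. It generalises the single case on this page to any path; the function names are mine and it assumes GNU coreutils (stat -c) as shipped with CentOS 7. The tighter variant, chgrp apache on the home directory with mode 710, keeps other local users out entirely but needs root, so it is only mentioned in a comment.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes.  Helpers for the /www-homes
# layout: check_path_for_other walks a path the way httpd (user 'apache',
# outside the owning user's group) would and names the first blocking
# component; fix_webhome_perms grants the minimum instead of 'chmod -R 755'.
# Assumes GNU coreutils (stat -c), as shipped with CentOS 7.
set -u

# Permission bits for "other" on a path, e.g. "r-x", "---", "rwt" (sticky /tmp).
other_bits() {
    local mode
    mode=$(stat -c '%A' "$1") || return 1
    printf '%s\n' "${mode#???????}"
}

# check_path_for_other FILE [BASE]
# Every directory from BASE (default /) down to FILE needs x (search) for
# other; FILE itself needs r.  Prints the first offending component and
# returns 1; returns 0 silently when a process outside the owning group can
# open FILE.  't' counts as x because the sticky bit is displayed in its place.
check_path_for_other() {
    local path="$1" base="${2:-/}" cur rest seg bits oldifs
    case "$path" in
        "$base"*) ;;
        *) echo "check_path_for_other: $path is not under $base" >&2; return 2 ;;
    esac
    bits=$(other_bits "$base") || return 2
    case "$bits" in
        ??[xt]) ;;
        *) echo "$base ($bits): no search (x) for other"; return 1 ;;
    esac
    rest=${path#"$base"}
    cur=${base%/}                 # "" when BASE is /, so "$cur/$seg" stays absolute
    oldifs=$IFS; IFS='/'; set -f; set -- $rest; set +f; IFS=$oldifs
    for seg in "$@"; do
        [ -n "$seg" ] || continue
        cur="$cur/$seg"
        bits=$(other_bits "$cur") || return 2
        if [ -d "$cur" ]; then
            case "$bits" in
                ??[xt]) ;;
                *) echo "$cur ($bits): no search (x) for other"; return 1 ;;
            esac
        else
            case "$bits" in
                r??) ;;
                *) echo "$cur ($bits): not readable for other"; return 1 ;;
            esac
        fi
    done
    return 0
}

# fix_webhome_perms HOME
# Home directory: 711 (httpd can pass through, nobody else can list it).
# Under Public: 755 for directories, 644 for files.  Files outside Public,
# such as .bash_history, are not touched.
# Tighter still, as root: chgrp apache HOME; chmod 710 HOME.
fix_webhome_perms() {
    local home="$1" pub="$1/Public"
    [ -d "$pub" ] || { echo "fix_webhome_perms: $pub does not exist" >&2; return 1; }
    chmod 711 "$home"
    find "$pub" -type d -exec chmod 755 {} +
    find "$pub" -type f -exec chmod 644 {} +
}
```

    Run as root on the server, check_path_for_other /www-homes/bob/Public/index.html would have reported /www-homes/bob (---) straight away, which is the 4.3 diagnosis without the detour through httpd.conf and SELinux; fix_webhome_perms /www-homes/bob then replaces the chmod -R 755.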