Linux web server configuration

Linux HTTP Server Configuration

This article describes the installation and configuration of an HTTP server on Linux, with specific reference to the information needed for the RHCE EX300 exam.

Remember, the exams are hands-on, so it doesn’t matter which method you use to achieve the result, so long as the end product is correct.

Installation

For a minimum HTTP server installation, issue the following command.

If you want a more complete installation, you can install the «Web Server» package group.

Make sure the «/etc/hosts» file contains references for the loopback address and the hostname.

Turn on the HTTP server and make sure it starts automatically on reboot.

The HTTP server is now installed and running. The HTTP configuration files are located under the «/etc/httpd» directory, with the main configuration file being the «/etc/httpd/conf/httpd.conf» file. The default document root is «/var/www/html». Any files or directories below this point will be visible using a browser once you configure the firewall.

Changes to the «/etc/httpd/conf/httpd.conf» file have to be followed by a reload or a restart of the httpd service.

Firewall

If you are using the Linux firewall, you need to punch a hole in the firewall for port 80 (and 443 for HTTPS) to make sure the HTTP server can be accessed from the network. There are several ways to do this:

  • The «Firewall Configuration» dialog from the menu (System > Administration > Firewall) or initiated from the command line by running the system-config-firewall command. On the «Trusted Services» section, scroll down the list and check the «WWW (HTTP)» option, then click the «Apply» button.
  • The text-based «Firewall Configuration» utility ( system-config-firewall-tui ). This is the text-based version of the above dialog.
  • Using the iptables service directly, as described here. In this case we could need the following entry.

You can read more about the Linux firewall here.

SELinux

If you are using SELinux, you will need to consider the following points.

The SELinux booleans associated with the httpd service are displayed using the getsebool command.

The setsebool command is used to set a specific boolean value.

The httpd_sys_content_t context should be assigned to all content.

You can check the current context setting on files and directories using the «ls -alZ» command.

More information on SELinux can be found here.

Virtual Hosts

Virtual Hosts allow multiple websites to be hosted by a single physical machine, with each website appearing to be independent of the others. The virtual hosts can be IP-based, but are typically name-based, meaning the domain name in the URL used to access the web server determines which virtual host the request is for.

Create the following directories as locations for two virtual hosts. I’ve also created a test file in both document roots.

If you are using SELinux, make sure the directories and their contents are assigned the correct context.

Virtual hosts are defined in the «/etc/httpd/conf/httpd.conf» file. The definitions of the two virtual hosts are shown below.

Reload or restart the httpd service for the changes to take effect.

Provided the DNS, or hosts file, resolves the names «mysite1.com» and «mysite2.com» to the IP address of the web server, pages under the document roots will now display for each virtual host. To test this you can alter your hosts file with the following entries.

You should now see the correct test page under each of the following URLs on the web server.

Private Directories

Using the virtual hosts we created previously, create a new directory called «private» and place a file in it.

Create a «.htpasswd» file containing a username/password, then add a second entry.

Edit the «/etc/httpd/conf/httpd.conf» file with an entry such as the following.

Reload or restart the httpd service for the changes to take effect.

You should now be prompted for a username/password when trying to access the following file.

Group Managed Content

Create a group that the users will be part of.

Add the necessary users to the group.

Change the ownership and permissions of the directories holding the group managed content.

Log in as the two users and check they can add and amend content.

The file with both users content is visible using the following URL.

Notice the umask setting, which allows read/write permission for the group. This setting can be placed in the «~/.bash_profile» file for each user.
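
A check for the permissions this section relies on, as an added example that is not part of the original article: it shows the file mode each umask produces and counts the entries a second group member could not amend. The setgid requirement on directories and the GNU stat/find options are assumptions; the sample tree is constructed.

```shell
#!/bin/sh
# Added example: check that a directory really is group managed.
# Assumes GNU find/stat (as on RHEL); the setgid requirement is an assumption.

# mode_under_umask UMASK: octal mode of a file created under that umask.
mode_under_umask() {
    ( umask "$1"; d=$(mktemp -d); : > "$d/page.html"
      stat -c %a "$d/page.html"; rm -rf "$d" )
}

# group_gaps DIR: count entries another group member could not amend:
# anything without group write, plus directories without setgid (new files
# there would take the creator's primary group, not the shared group).
group_gaps() {
    find "$1" \( ! -perm -020 -o \( -type d ! -perm -2000 \) \) -print | wc -l | tr -d ' '
}

# Constructed content tree standing in for the shared directory.
tree=$(mktemp -d)
chmod 2775 "$tree"
( umask 022; : > "$tree/from_user1.html" )   # default umask: group cannot write
group_gaps "$tree"                           # prints: 1
chmod 664 "$tree/from_user1.html"
group_gaps "$tree"                           # prints: 0
rm -rf "$tree"
```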

Deploy a Basic CGI Application

Create a directory called «cgi-bin» under an existing virtual host.

Create a simple CGI application in the directory, for example a file called «helloworld.pl» with the following contents.

Change the ownership and make sure the file is executable.

Edit the «/etc/httpd/conf/httpd.conf» file, adding the following entries to the virtual host definition.

So the complete definition looks like this.

Reload or restart the httpd service for the changes to take effect.

The CGI application can now be run with the following URL.

If you prefer the «cgi-bin» directory to be placed in a different location, simply alter the «ScriptAlias» entry to reflect the changed location.

SSL Configuration (HTTPS)

HTTPS configuration is not a requirement of the RHCE exam, but it is useful to know, so I included it.

If they are not already installed, install the mod_ssl , openssl and crypto-utils packages.

The installation of the mod_ssl package creates the «/etc/httpd/conf.d/ssl.conf» configuration file, which includes references to the default self-signed localhost certificate and key. This is sufficient for testing SSL configuration. The httpd service must be restarted for the module to be loaded, but we will do that later.

The genkey command can generate a certificate request or a new self-signed certificate. For this test I created a new self-signed certificate. Remember, if you encrypt the certificate with a passphrase, you will need to enter it every time you start the HTTP server.

Move the key and certificate to the relevant directories.

Add/modify the following lines in the «/etc/httpd/conf.d/ssl.conf» file.

Notice the «SSLCACertificateFile» entry is commented out. If you are using a real certificate, you will probably need to download the intermediate bundle from the CA and reference it using this tag.

Restart the HTTP server.

Provided you have the correct firewall settings, you should now be able to access your applications using HTTPS.

Welcome

As a result, the file “/var/www/sites/site1/index.html” should contain just one line of HTML code:

Welcome

3. Apache server configuration

The configuration files of the websites are in the “/etc/apache2/sites-available/” directory. Let’s create a configuration file for a new virtual host, taking the default configuration from the file “000-default.conf” as a basis.

cd /etc/apache2/sites-available/
cp 000-default.conf site1.conf

Open the file “site1.conf” and change the “DocumentRoot” attribute. Put the path of your website as the value, so in our case it’s “/var/www/sites/site1”

At this stage we don’t need to configure the simultaneous operation of multiple websites, so we can disable the default website and enable the new site. Reload the server configuration to apply the changes.

a2dissite 000-default
a2ensite site1
systemctl reload apache2

Open the link “http://[server’s_ip_address]” again and make sure that instead of the default welcome page we have our new page.

We finished configuration of our HTTP server and we can proceed to the next step.

FTP server configuration

1. Installation

Let’s install our FTP server and an additional package, “db-util”, which we’ll need to configure virtual users.

apt install vsftpd db-util

2. Create local account

The vsftpd server allows us to configure access permissions in a very flexible way. For our tasks we need to provide ftp users with the following:

  • full access to the contents of “/var/www/sites/”;
  • no access to anything above “/var/www/”;
  • connection with a virtual account.

Create a local account “virtual” without login permission but with access to the home folder “/var/www/”. This account will be used by FTP users to connect to the server.

useradd -d /var/www virtual

“Root” will be the owner of the “/var/www” folder by default. In order to enable FTP users to modify the contents of the websites, let’s change the owner of “/var/www/sites/”, including its subfolders, to “virtual”.

chown -R virtual:root /var/www/sites

As a result, the user “virtual” will be able to see the contents of “/var/www/” and write into the “/var/www/sites/” subfolder.

3. Configuration

The main configuration is in the file “/etc/vsftpd.conf”, so let’s open it and edit it as follows:

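#enable virtual users
anonymous_enable=NO
local_enable=YES
# every login accepted by PAM is mapped to the local account "virtual"
guest_enable=YES
guest_username=virtual

#configure permission
write_enable=YES
# guest (virtual) users get anonymous privileges by default, so the anon_*
# options below are what grant them upload, mkdir, rename and delete rights
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=NO
anon_umask=0022
# confine each session to the home folder of "virtual" (/var/www)
chroot_local_user=YES

#launch settings
listen=YES
# passive-mode data ports; the firewall must allow this range
pasv_min_port=30000
pasv_max_port=30999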

4. Create the database

You will need a database in order to store data of virtual accounts.

First, let’s create a simple text file “users.txt” in the home folder and save the access details of the virtual users on alternating lines: the login on one line and the password on the next. For example, we will need a virtual user with the login “ftp” and password “Qwe123”. Then the file will look like this:

Let’s create the database

db_load -T -t hash -f

Let’s modify the default PAM file “/etc/pam.d/vsftpd” as follows:

auth required /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd_login
account required /lib/x86_64-linux-gnu/security/pam_userdb.so db=/etc/vsftpd_login

Please note that the path of the “pam_userdb.so” library may be different but you can change it if needed.

Restart the vsftpd server to apply the changes.

systemctl restart vsftpd
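
The source file for the virtual-user database is easy to get wrong, because db_load reads it as alternating login and password lines. The following check and build step is an added example, not part of the original article; it assumes the source file is the “users.txt” described above and that the database file is “/etc/vsftpd_login.db” (pam_userdb appends “.db” to the “db=” value in the PAM lines). The sample input is constructed.

```shell
#!/bin/sh
# Added example: validate the virtual-user source file, then build the
# database that pam_userdb reads. Paths below are assumptions taken from the
# article's PAM lines (db=/etc/vsftpd_login -> /etc/vsftpd_login.db).

# check_users_file FILE: print "ok" or the first problem; return 0 only if valid.
# db_load -T -t hash expects login on odd lines, password on even lines.
check_users_file() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    awk '
        /\r$/       { bad = "CRLF line ending at line " NR; exit }
        $0 == ""    { bad = "empty line " NR; exit }
        NR % 2 == 1 { if (seen[$0]++) { bad = "duplicate login " $0; exit } }
        END {
            if (!bad && NR == 0)     bad = "no entries"
            if (!bad && NR % 2 == 1) bad = "login without password"
            print (bad ? bad : "ok")
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# build_login_db SRC DB: load SRC into a hash database, root-readable only.
# The passwords are stored as typed (plaintext), so both files get mode 600.
build_login_db() {
    check_users_file "$1" >/dev/null || return 1
    ( umask 077 && db_load -T -t hash -f "$1" "$2" ) || return 1
    chmod 600 "$1" "$2"
}

# Constructed sample: the single account used in the article.
sample=$(mktemp)
printf 'ftp\nQwe123\n' > "$sample"
check_users_file "$sample"    # prints: ok
rm -f "$sample"
# On the server: build_login_db ~/users.txt /etc/vsftpd_login.db
```

A file edited on Windows and uploaded unchanged is the usual cause of the CRLF failure: the carriage return would otherwise become part of every login and password.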

We finished configuring the FTP server.

Connection details:

  • ftp://[server’s_ip_address]
  • login: ftp
  • password: Qwe123

PHP server configuration

1. Installation of PHP

Today the latest stable version of PHP is php 7.4.5, which is not included in the official Ubuntu repositories. Let’s connect a third-party repository and install the latest version of PHP.

apt update
apt install software-properties-common
add-apt-repository ppa:ondrej/php
apt update
apt install php7.4

2. Check

For PHP code to be executed, the web page file must have the “.php” extension. Let’s rename our test page:

cd /var/www/sites/site1/
mv index.html index.php

Add the following php line to the file “/var/www/sites/site1/index.php”, so the file should look like this:

Welcome

Save the changes and check the result in the browser.

If you see the result of function “phpinfo()”, the PHP interpreter is working properly. Now let’s proceed to the next step.

MySQL (MariaDB) configuration

1. Installation

Let’s install MariaDB and a PHP module for MySQL and then reload Apache.

apt install mariadb-server php-mysql
systemctl restart apache2

Refresh the test page and go to the PDO section in the PHP configuration table. If you can find the section “PDO_mysql”, the driver for MySQL is installed correctly.

Then we will need to do the initial security configuration of MariaDB and set the password for the “root” user, disable remote access, and delete all guest accounts.

In the first step, we have to enter the “root” user’s password to access the DBMS, or press Enter if there is no password. Since no password is set for the “root” user after installation, just press “Enter”.

Please note that MariaDB has its own accounts, which have nothing to do with the OS accounts. So the only user we deal with in MariaDB is “root”.

After that, the configurator will ask us to set the password for the root user. Type “Y” to confirm and enter the new password. In our case, it’s “Qwe123”.

Reply “Y” to all the remaining questions up to the very end.

Configuration is done!

MariaDB access details:

phpMyAdmin configuration

1. Installation

Let’s install the necessary extension for PHP — mbstring.

apt install php-mbstring

In the official repository there’s only an outdated version of phpMyAdmin, so let’s install the new one manually.

Open the official website of the project “https://www.phpmyadmin.net/” and download the latest archive.

Copy the archive to the server in the “/var/www/sites/” folder using any ftp client.

Unarchive the folder and rename it to “phpMyAdmin”. Don’t forget to install the “unzip” utility. You can delete the archive after you unarchived it.

apt install unzip
cd /var/www/sites/
unzip phpMyAdmin-5.0.2-all-languages.zip
mv phpMyAdmin-5.0.2-all-languages phpMyAdmin
rm phpMyAdmin-5.0.2-all-languages.zip

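Create the folder “/var/www/sites/phpMyAdmin/tmp” for temporary files and enable access for everyone. If you don’t do this, phpMyAdmin will report that access to the temporary folder is denied. Mode 777 makes the folder writable by every local account; only the account Apache runs as needs write access.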

cd /var/www/sites/phpMyAdmin/
mkdir tmp
chmod 777 tmp

2. Create an alias

Since phpMyAdmin is not a separate virtual host and is located outside of the root directory, let’s configure the alias.

Open the file “/etc/apache2/mods-available/alias.conf” and add this line:

Alias /pma "/var/www/sites/phpMyAdmin"

inside this section:

Reload Apache to apply the changes.

systemctl reload apache2

The alias is set, so we can access phpMyAdmin at “http://[server’s_ip_address]/pma”.

3. Prepare the database

Since we restricted the use of the root user during the initial configuration of MariaDB, we will have to create a new account with all permissions that will be used to access phpMyAdmin.

Besides, to enable additional features of phpMyAdmin we’ll need a service database and an account to access it.

Let’s create the accounts

mariadb -u root -p

GRANT ALL PRIVILEGES ON *.* TO 'pma'@'localhost' IDENTIFIED BY 'Qwe123' WITH GRANT OPTION;

GRANT SELECT, INSERT, UPDATE, DELETE ON `phpmyadmin`.* TO 'pmaservice'@'localhost' IDENTIFIED BY 'Qwe123' WITH GRANT OPTION;

Please note that the database name in the second statement is enclosed in backticks: “… ON `phpmyadmin`.* TO 'pmaservice'@'localhost' IDENTIFIED BY …”.

In the result, there will be two accounts created in MariaDB:

  • Login: pma, Password: Qwe123
    Full access, will be used to log in to phpMyAdmin
  • Login: pmaservice, Password: Qwe123
    The service account is required for additional features to work

At the next step, we will set these details in the configuration file “config.inc.php”.

Then we’ll need to import the database from the file “phpMyAdmin/sql/create_tables.sql”.

Let’s import it with the help of phpMyAdmin.

Open the link “http://[server’s_ip_address]/pma”

Enter login “pma” and password “Qwe123”

Go to “Import”, click “Select file” and select the file “sql/create_tables.sql” in the root directory of phpMyAdmin. You should have the “phpMyAdmin” folder with its files on your PC; unarchive it if necessary.

Click “Next” to start importing.

4. Configuration

Let’s copy the configuration file from the template

cd /var/www/sites/phpMyAdmin/
cp config.sample.inc.php config.inc.php

Let’s open the configuration file “/var/www/sites/phpMyAdmin/config.inc.php” and do the following changes:

  1. Set a random 32-character value for the attribute “$cfg['blowfish_secret']”. Use any password generator for it.
  2. Uncomment all the lines of the “phpMyAdmin configuration storage settings” section and set the login and password of MariaDB’s service account for the “controluser” and “controlpass” attributes respectively. In our case, it’s pmaservice and Qwe123.

Save the changes.
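
One way to carry out step 1 from the shell, as an added example that is not part of the original article: it generates the 32-character value from /dev/urandom and writes it into the configuration file. The function names are hypothetical, and the sample configuration line is a constructed stand-in for the one in “config.sample.inc.php”.

```shell
#!/bin/sh
# Added example: generate the 32-character blowfish_secret and write it into
# config.inc.php. The sample config line below is constructed.

# gen_secret: 32 characters from [A-Za-z0-9], read from the kernel CSPRNG.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# secret_length FILE: print the length of the secret currently configured.
secret_length() {
    s=$(sed -n "/blowfish_secret/s|.*= *'\([^']*\)'.*|\1|p" "$1" | head -n 1)
    echo "${#s}"
}

# set_blowfish_secret FILE: fill in the secret only if it is not 32 chars yet,
# so re-running the script does not invalidate existing login cookies.
set_blowfish_secret() {
    grep -q "blowfish_secret" "$1" || return 1
    [ "$(secret_length "$1")" -eq 32 ] && return 0
    secret=$(gen_secret)
    sed -i "/blowfish_secret/s|= *'[^']*'|= '$secret'|" "$1"
}

# Constructed stand-in for the line shipped in config.sample.inc.php.
cfg=$(mktemp)
printf '%s\n' "\$cfg['blowfish_secret'] = ''; /* fill in for cookie auth */" > "$cfg"
set_blowfish_secret "$cfg"
secret_length "$cfg"    # prints: 32
rm -f "$cfg"
```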

Access details for phpMyAdmin:

  • http://[server’s_ip_address]/pma/
  • Login: pma
  • Password: Qwe123

How to install and configure WordPress on a Linux server

1. WordPress package and files placement

Go to the official WP website “https://ru.wordpress.org/” and download the archive to your local PC.

Upload the archive to the server into the “/var/www/sites/” folder and unarchive it to the “wordpress” folder.

Copy the contents of “/var/www/sites/wordpress/” to the root folder of the “/var/www/sites/site1/” website.

Since we copied the files via the console with root permissions, let’s change the owner of the “/var/www/sites/” folder, including its contents, to “virtual”. This is required to enable full access for FTP connections via the client.

cd /var/www/sites/
tar -xzvf wordpress-5.4-ru_RU.tar.gz
cp -R wordpress/* site1/
chown -R virtual:root /var/www/sites

2. Create a database for WordPress

Log in to phpMyAdmin and click “Create database”. Enter any database name, in our case “wordpress_db”, and click “Create”.

Select the new database in the left section and click “Privileges”

Then click “Add user account”.

Enter the login and password (wpservice / Qwe123) in the opened window, check “Grant all privileges in the wordpress_db” and click “Next”

On the next page click “Cancel all” to reset all privileges on the database level and click “Next”.

3. WordPress configuration on a Linux server

Go to the root directory of your website and copy the configuration file from the template

cd /var/www/sites/site1/
cp wp-config-sample.php wp-config.php

Open the “wp-config.php” file and enter the database connection parameters that we created at the previous step and save the changes.

4. Install CMS WordPress

Open the following link in the browser “http://[server’s_ip_address]/wp-admin/install.php”.

Fill in all the fields and click “Install WordPress”. Set a random username and password. In our case, it’s wpadmin and Qwe123 respectively.

These details will be used to access WordPress.

After you finish the installation, open the link “http://[server’s_ip_address]/wp-login.php”, enter the access details, and log in to WordPress.

You should see one of the WordPress templates on the main page.
