Finally! I took some time out; with a big road trip to America and various other activities going on, I hadn't had the time to keep the blog going. Anyway, things are back to normal now, and after a recent hard disk failure I unexpectedly found myself setting up a new secure web server using CentOS 5.2 x64, Apache Httpd 2.2.3 and PHP5. Later I'll add in a Java EE application server for more dynamic/web app stuff.
I thought I'd type up some short notes on a problem I'd come across before, when trying to set up Mercurial HG-WEB in directories (or symlinks to directories) outside of the usual /var/www.
One of the likely causes is SELinux. Whilst it's tempting to turn it off, for something facing the public on the web this should be a real last resort!
Security Contexts - a quick explanation
Files and directories have security contexts. These can be seen using ls, e.g.
ls -aZ
By default Apache Httpd cannot access every file; it can access those labelled with the httpd_sys_content_t context type.
For example, user home directories come with the context home_root_t, which gives a permission denied type error if httpd tries to serve up files from there (or anywhere below!). Another common security context is default_t, which is assigned by default to new files and folders.
An important difference between mv and cp
cp creates a new context (the copy inherits the context of its destination), whereas mv actually moves the file with its context unmodified. So a common gotcha is to create files in the user home directory and mv them to /var/www/...; this keeps the home context home_root_t, hence the permission denied error.
Some handy commands:
chcon -R -h -t httpd_sys_content_t /test/
This changes the directory /test/ to the httpd_sys_content_t security context type, recursively but without following symlinks.
i.e. the above would enable /test/ to be served as a DocumentRoot in Httpd.
If SELinux is suspected for the permission problems (as opposed to httpd configuration), the SELinux denials will appear in the message log:
tail -f /var/log/messages
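As an added example (not from the original post), a small POSIX shell script that picks out the httpd AVC denials from syslog-style lines like the ones tail shows, and reports the target context type to compare against httpd_sys_content_t. The log lines, host name, pids and paths are constructed for the example.

```shell
#!/bin/sh
# Added example: parse SELinux AVC denials for httpd out of /var/log/messages
# style lines and report permission, target type, class and path/name.

# Constructed sample of /var/log/messages lines (host, pids, inodes and paths
# are made up); the third line is ordinary noise that must be ignored.
SAMPLE_LOG='Dec 12 10:15:01 webhost kernel: audit(1229076901.123:45): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/louis/site/index.html" dev=sda2 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:home_root_t:s0 tclass=file
Dec 12 10:15:02 webhost kernel: audit(1229076902.456:46): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda2 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:home_root_t:s0 tclass=file
Dec 12 10:15:03 webhost sshd[1999]: Accepted publickey for louis from 192.0.2.10 port 50000 ssh2
Dec 12 10:15:04 webhost kernel: audit(1229076904.789:47): avc:  denied  { search } for  pid=2345 comm="httpd" name="louis" dev=sda2 ino=2 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:home_root_t:s0 tclass=dir'

# Reads log lines on stdin; prints one line per httpd denial:
#   <permission> <target type> <tclass> <path or name>
httpd_avc_denials() {
    grep 'avc: *denied' | grep 'comm="httpd"' | awk '{
        perm = ""; path = ""; ttype = ""; tclass = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1);                # permission inside { }
            if ($i ~ /^(path|name)=/) {                    # path= or, failing that, name=
                path = $i; sub(/^[a-z]+="/, "", path); sub(/"$/, "", path);
            }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3]; }  # user:role:TYPE:level
            if ($i ~ /^tclass=/)   tclass = substr($i, 8);
        }
        print perm, ttype, tclass, path
    }'
}

# Distinct target types httpd was denied on; anything other than
# httpd_sys_content_t is a candidate for chcon/restorecon.
offending_types() {
    httpd_avc_denials | awk '$2 != "httpd_sys_content_t" { print $2 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | httpd_avc_denials
printf '%s\n' "$SAMPLE_LOG" | offending_types
```

In real use replace the sample with `tail -n 200 /var/log/messages | httpd_avc_denials`.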
SELinux boolean flags can be read with
getsebool httpd_enable_cgi
and set with
setsebool httpd_enable_cgi true
Invoke the simple GUI configurator with: system-config-securitylevel
Restore the file context (say after an mv command):
restorecon -R -v ./folderwithwrongcontext/
Additional SELinux parameters:
Enable Samba to access home dirs:
setsebool -P samba_enable_home_dirs=1
Additional Resources:
Good overview in this link: http://docs.fedoraproject.org/selinux-apache-fc3/sn-simple-setup.html
4 comments:
w00t, thanks for helping me fix my SELinux problem :)
You are entirely welcome :)
Louis,
I have reverse proxied my Apache to Glassfish 2.1 on the same machine. My Apache is used solely for a WordPress blog where we post "articles". The main traffic though is to the Java apps on the Glassfish side. I want to reverse the setup, using Glassfish to respond to port 80 requests and proxy a single folder off the Glassfish docroot /articles to the Apache server. Any thoughts?
Here is my set up.
Apache:
ProxyRequests Off
ProxyPreserveHost On
AllowCONNECT 86 81 8186 554
Options +FollowSymLinks
ProxyPass /articles/ !
#ProxyPass /images/ !
#ProxyPass /nagios !
ProxyPass /server-info !
ProxyPass /server-status !
ProxyPass / http://127.0.0.1:81/
ProxyPassReverse / http://127.0.0.1:81/
Glassfish: