centos 72 -- apache2 with virtual hosts -- sftp key-ed access
part3: apache2
-
install
The installation process of apache2 is straightforward:

$ sudo yum install httpd
[sudo] password for bert0001:
Loaded plugins: fastestmirror
base | 3.6 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
Loading mirror speeds from cached hostfile
 * base: artfiles.org
 * extras: artfiles.org
 * updates: artfiles.org
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-40.el7.centos will be installed
--> Processing Dependency: httpd-tools = 2.4.6-40.el7.centos for package: httpd-2.4.6-40.el7.centos.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-40.el7.centos.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-40.el7.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-40.el7.centos.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-3.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
---> Package httpd-tools.x86_64 0:2.4.6-40.el7.centos will be installed
---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================
 Package        Arch      Version                   Repository   Size
=====================================================================================
Installing:
 httpd          x86_64    2.4.6-40.el7.centos       base         2.7 M
Installing for dependencies:
 apr            x86_64    1.4.8-3.el7               base         103 k
 apr-util       x86_64    1.5.2-6.el7               base          92 k
 httpd-tools    x86_64    2.4.6-40.el7.centos       base          82 k
 mailcap        noarch    2.1.41-2.el7              base          31 k

Transaction Summary
=====================================================================================
Install  1 Package (+4 Dependent packages)

Total download size: 3.0 M
Installed size: 10 M
Is this ok [y/d/N]: y
Downloading packages:
(1/5): apr-1.4.8-3.el7.x86_64.rpm | 103 kB 00:00:00
(2/5): apr-util-1.5.2-6.el7.x86_64.rpm | 92 kB 00:00:00
(3/5): httpd-tools-2.4.6-40.el7.centos.x86_64.rpm | 82 kB 00:00:00
(4/5): httpd-2.4.6-40.el7.centos.x86_64.rpm | 2.7 MB 00:00:00
(5/5): mailcap-2.1.41-2.el7.noarch.rpm | 31 kB 00:00:00
-------------------------------------------------------------------------------------
Total 11 MB/s | 3.0 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-3.el7.x86_64 1/5
  Installing : apr-util-1.5.2-6.el7.x86_64 2/5
  Installing : httpd-tools-2.4.6-40.el7.centos.x86_64 3/5
  Installing : mailcap-2.1.41-2.el7.noarch 4/5
  Installing : httpd-2.4.6-40.el7.centos.x86_64 5/5
  Verifying : httpd-2.4.6-40.el7.centos.x86_64 1/5
  Verifying : apr-1.4.8-3.el7.x86_64 2/5
  Verifying : mailcap-2.1.41-2.el7.noarch 3/5
  Verifying : httpd-tools-2.4.6-40.el7.centos.x86_64 4/5
  Verifying : apr-util-1.5.2-6.el7.x86_64 5/5

Installed:
  httpd.x86_64 0:2.4.6-40.el7.centos

Dependency Installed:
  apr.x86_64 0:1.4.8-3.el7  apr-util.x86_64 0:1.5.2-6.el7  httpd-tools.x86_64 0:2.4.6-40.el7.centos  mailcap.noarch 0:2.1.41-2.el7

Complete!
-
testing localhost
We first have to install lynx to test on the terminal:

$ sudo yum install lynx
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: artfiles.org
 * extras: artfiles.org
 * updates: artfiles.org
Resolving Dependencies
.........
Dependencies Resolved

=====================================================================================
 Package            Arch      Version                  Repository   Size
=====================================================================================
Installing:
 lynx               x86_64    2.8.8-0.3.dev15.el7      base         1.4 M
Installing for dependencies:
 centos-indexhtml   noarch    7-9.el7.centos           base          92 k

Transaction Summary
=====================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 1.5 M
Installed size: 5.4 M
Is this ok [y/d/N]: y
Downloading packages:
(1/2): centos-indexhtml-7-9.el7.centos.noarch.rpm | 92 kB 00:00:00
(2/2): lynx-2.8.8-0.3.dev15.el7.x86_64.rpm | 1.4 MB 00:00:00
-------------------------------------------------------------------------------------
Total 7.6 MB/s | 1.5 MB 00:00
...
Running transaction
  Installing : centos-indexhtml-7-9.el7.centos.noarch 1/2
  Installing : lynx-2.8.8-0.3.dev15.el7.x86_64 2/2
  Verifying : lynx-2.8.8-0.3.dev15.el7.x86_64 1/2
  Verifying : centos-indexhtml-7-9.el7.centos.noarch 2/2

Installed:
  lynx.x86_64 0:2.8.8-0.3.dev15.el7

Dependency Installed:
  centos-indexhtml.noarch 0:7-9.el7.centos

Complete!

Testing with lynx:

$ lynx localhost
Looking up localhost first
Looking up localhost
Making HTTP connection to localhost
Alert!: Unable to connect to remote host.
lynx: Can't access startfile http://localhost/
-
is lynx working?
$ lynx google.com/ncr
Google Search Images Maps Play YouTube News Gmail Drive More » Web History | Settings | Sign in
Google _______________________________________________________ Google Search I'm Feeling Lucky
Advanced search Language tools
Advertising Programs Business Solutions +Google About Google Google.de
© 2016 - Privacy - Terms
(NORMAL LINK) Use right-arrow or <return> to activate.
Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
H)elp O)ptions P)rint G)o M)ain screen Q)uit
lynx is working and the network is fully functional!
-
is apache2 running?
$ ps -A | grep http
gives no results -- we'll have to use systemctl to start it and make it permanent. We start the apache2 server:
$ sudo systemctl start httpd
and we test again:
$ lynx localhost
Apache HTTP Server Test Page powered by CentOS (p1 of 3)
Testing 123.. This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page it means that this site is working properly. This server is powered by CentOS. Just visiting?
Next we enable the service at system start:
$ sudo systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service
I then restart my machine to check whether apache2 is started at boot:
$ sudo init 6
Then I reconnect over ssh and test again with lynx -- and sure enough, it works ...
-
testing from ub14-04-student-client
We've set up this test machine, called ub14-04-student-client, on the same subnet with access for all students. From here we can now test apache2 on our own server with lynx (or with firefox).
Testing lynx on ipv6 is a bit tricky: we'll have to put the address in square brackets:
$ lynx [2a01:4f8:202:6116:1000::1118]
Looking up '[2a01:4f8:202:6116:1000::1118]' first
Looking up [2a01:4f8:202:6116:1000::1118]
Making HTTP connection to [2a01:4f8:202:6116:1000::1118]
Alert!: Unable to connect to remote host.
Something is preventing us from seeing the website.
- is it the network?
$ ping6 2a01:4f8:202:6116:1000::1118
PING 2a01:4f8:202:6116:1000::1118(2a01:4f8:202:6116:1000::1118) 56 data bytes
64 bytes from 2a01:4f8:202:6116:1000::1118: icmp_seq=1 ttl=64 time=0.333 ms
64 bytes from 2a01:4f8:202:6116:1000::1118: icmp_seq=2 ttl=64 time=0.825 ms
It is not the network ...
- is the port open?
THIS IS WHAT WE SHOULD GET
We first test with telnet on google.com (one of those rare sites with ipv6 support):
$ telnet -6 2a00:1450:4007:808::200e 80
Trying 2a00:1450:4007:808::200e...
Connected to 2a00:1450:4007:808::200e.
Escape character is '^]'.
^C
Connection closed by foreign host.
THIS IS WHAT WE GET
Now we will test with our own machine:
$ telnet -6 2a01:4f8:202:6116:1000::1118 80
Trying 2a01:4f8:202:6116:1000::1118...
telnet: Unable to connect to remote host: Permission denied
Well, well, a Permission denied is better than Connection refused. Connection refused comes from a TCP reset, so the host is reachable and simply nothing is listening on that port; Permission denied over ipv6 is how the client reports an ICMPv6 "administratively prohibited" answer, which is what a firewall rejecting the packet sends back. This might be a firewall issue.
THIS IS WHAT WE SHOULDN'T GET:
Here below a telnet to a machine without a web service:
$ telnet -6 ns1.linux800.eu 80
Trying 2a01:4f8:202:6116:1000::11...
telnet: Unable to connect to remote host: Connection refused
- troubleshooting apache2
Since we think this is a firewall problem, we concentrate on the centOS72 machine. To get an overview of the current firewall settings we first ask for help:

$ sudo firewall-cmd --help
Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help           Prints a short help text and exists
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state              Return and print firewalld state
  --reload             Reload firewall and keep state information
  --complete-reload    Reload firewall and loose state information
  --runtime-to-permanent
                       Create permanent from runtime configuration

Permanent Options
  --permanent          Set an option permanently
                       Usable for options maked with [P]

Zone Options
  --get-default-zone   Print default zone for connections and interfaces
  --set-default-zone=<zone>
                       Set default zone
  --get-active-zones   Print currently active zones
  --get-zones          Print predefined zones [P]
  --get-services       Print predefined services [P]
  --get-icmptypes      Print predefined icmptypes [P]
  --get-zone-of-interface=<interface>
                       Print name of the zone the interface is bound to [P]
  --get-zone-of-source=<source>[/<mask>]
                       Print name of the zone the source[/mask] is bound to [P]
  --list-all-zones     List everything added for or enabled in all zones [P]
  --new-zone=<zone>    Add a new zone [P only]
  --delete-zone=<zone> Delete an existing zone [P only]
  --zone=<zone>        Use this zone to set or query options, else default zone
                       Usable for options maked with [Z]
  --get-target         Get the zone target [P] [Z]
  --set-target=<target>
                       Set the zone target [P] [Z]

IcmpType Options
  --new-icmptype=<icmptype>
                       Add a new icmptype [P only]
  --delete-icmptype=<icmptype>
                       Delete and existing icmptype [P only]

Service Options
  --new-service=<service>
                       Add a new service [P only]
  --delete-service=<service>
                       Delete and existing service [P only]

Options to Adapt and Query Zones
  --list-all           List everything added for or enabled in a zone [P] [Z]
  ...

Options to Handle Bindings of Interfaces
  --list-interfaces    List interfaces that are bound to a zone [P] [Z]
  ...

Options to Handle Bindings of Sources
  --list-sources       List sources that are bound to a zone [P] [Z]
  ...

Direct Options
  --direct             First option for all direct options
  ...

Lockdown Options
  --lockdown-on        Enable lockdown.
  --lockdown-off       Disable lockdown.
  --query-lockdown     Query whether lockdown is enabled

Lockdown Whitelist Options
  ...

Panic Options
  --panic-on           Enable panic mode
  --panic-off          Disable panic mode
  --query-panic        Query whether panic mode is enabled

We snipped away many options. What interests us now is the current configuration and how to list it, so any option containing "list" gets our attention. After reading for about 2 minutes, the option --list-all-zones jumps out, so we test it:
$ sudo firewall-cmd --list-all-zones
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

drop
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

external
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

home
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

internal
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

public (default, active)
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

trusted
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

work
  interfaces:
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

We are particularly interested in the zone public, since that is where our website(s) should be visible. Here is that zone again:

public (default, active)
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Notice that interfaces points to our ipv6 network card; services enables a dhcpv6-client as well as the ssh service that we currently use to connect. Those must stay open. However, there is nothing mentioned about apache2, so I thought we should add the apache2 service to this public zone.
And what is apache2 called on centOS72? Yes, httpd, but enabling that gave the error:
Error: INVALID_SERVICE: httpd
So that is not the right name. On second thought I noticed that ssh is listed without the d of sshd, so let's try http instead:
$ sudo firewall-cmd --zone=public --add-service=http --permanent
success
$ sudo firewall-cmd --reload
success
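The troubleshooting above boils down to two questions that are easy to get wrong by eye: does the active zone actually list the service, and what does the client-side telnet error really mean? The following POSIX sh helpers, added here as an example and not part of the original post, answer both offline. They parse text in the layout firewall-cmd --list-all-zones prints (the sample below is constructed from the zones shown above; on a live host you would pipe the real command into zone_has_service instead), and they map telnet's last line to the reading used in this walkthrough. The function names and the sample are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Offline helpers for the
# firewalld/telnet checks in the walkthrough. Function names and sample
# data are constructed for this example.

# Constructed sample in the layout `firewall-cmd --list-all-zones` prints,
# reduced to two zones. On a real host, pipe the live output instead:
#   sudo firewall-cmd --list-all-zones | zone_has_service public http
SAMPLE_ZONES='dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

public (default, active)
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
'

# zone_services ZONE: read list-all-zones text on stdin and print the
# services enabled in ZONE (one line, space separated, possibly empty).
zone_services() {
    awk -v zone="$1" '
        /^[^[:space:]]/ { inzone = ($1 == zone) }   # unindented line = zone header
        inzone && $1 == "services:" {
            $1 = ""; sub(/^ +/, ""); print; exit
        }'
}

# zone_has_service ZONE SERVICE: exit 0 when SERVICE is enabled in ZONE,
# 1 otherwise. Reads list-all-zones text on stdin.
zone_has_service() {
    for s in $(zone_services "$1"); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# sample_zone_has_service ZONE SERVICE: the same check against the
# embedded sample, so the example runs without firewalld present.
sample_zone_has_service() {
    printf '%s\n' "$SAMPLE_ZONES" | zone_has_service "$1" "$2"
}

# classify_connect MESSAGE: map the last line telnet printed to its meaning.
# "Connection refused" is a TCP reset (host reachable, nothing listening);
# "Permission denied" over ipv6 is the client's rendering of an ICMPv6
# "administratively prohibited" reply, i.e. a firewall rejected the packet.
classify_connect() {
    case "$1" in
        *"Connected to"*)        echo "open" ;;
        *"Connection refused"*)  echo "closed: host reachable, nothing listening" ;;
        *"Permission denied"*)   echo "blocked: rejected by a firewall (ICMPv6 admin prohibited)" ;;
        *)                       echo "unknown" ;;
    esac
}

# Stand-alone run: report whether the public zone still needs the http service.
if sample_zone_has_service public http; then
    echo "public zone already allows http"
else
    echo "public zone lacks http; fix with:"
    echo "  sudo firewall-cmd --zone=public --add-service=http --permanent && sudo firewall-cmd --reload"
fi
```

Two things the helpers make explicit: a zone is only relevant if it is the one the interface is bound to (the "(default, active)" header, which is why the parser keys on the zone name alone), and a --permanent change is not live until --reload, so a check run right after --add-service without the reload will still report the service missing from the runtime configuration.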
Perhaps the centOS firewall is now correctly configured for our apache2. Let's try from our ipv6 client:
teacher@ub14-04-student-client:~$ telnet -6 2a01:4f8:202:6116:1000::1118 80
Trying 2a01:4f8:202:6116:1000::1118...
Connected to 2a01:4f8:202:6116:1000::1118.
Escape character is '^]'.
^C
Connection closed by foreign host.
BINGO -- it connects. Next we try lynx ...
teacher@ub14-04-student-client:~$ lynx [2a01:4f8:202:6116:1000::1118]
Looking up '[2a01:4f8:202:6116:1000::1118]' first
Testing 123..
This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page it means that this site is working properly. This server is powered by CentOS.
Just visiting?
The website you just visited is either experiencing problems or is undergoing routine maintenance. If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name "webmaster" and directed to the website's domain should reach the appropriate person. For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".
Are you the Administrator?
You should add your website content to the directory /var/www/html/. To prevent this page from ever being used, follow the instructions in the file /etc/httpd/conf.d/welcome.conf.
Promoting Apache and CentOS
-- press space for next page --
AND IT WORKS!!
However, we're not finished yet; apache2 answers with 403 forbidden and adds:
You should add your website content to the directory /var/www/html/. To prevent this page from ever being used, follow the instructions in the file /etc/httpd/conf.d/welcome.conf.
Something that we will now promptly do.
But first we want to restart our server, to see whether our configuration survives a reboot ...
... and YES, it still behaves the same after the restart.
... we can also test on our desktop at home with firefox, since we have ipv6 from telenet.
- getting rid of 403 forbidden
This is a piece of cake. Just put an index.html file in /var/www/html ......
we proceeded as follows:
$ echo "<html><body><h1>DEFAULT PAGE from TEACHER</h1></body></html>" >> index.html
$ sudo cp index.html /var/www/html
On our test-machine we type:
teacher@ub14-04-student-client:~$ lynx [2a01:4f8:202:6116:1000::1118]
Looking up '[2a01:4f8:202:6116:1000::1118]' first
DEFAULT PAGE from TEACHER
Commands: Use arrow keys to move, '?' for help, 'q' to quit, '<-' to go back.
Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list
... exactly what we wanted.