>> Mar 2018: -4- virtual name hosts
- user accounts for access and for publishing websites
we first create a common location for 'all' web users;
then we create the users with their home directory in that location:

    [student@cOS74-T06-2 ~]$ sudo mkdir /www-homes
    [student@cOS74-T06-2 ~]$ sudo useradd -m --home-dir /www-homes/bob bob
    [student@cOS74-T06-2 ~]$ sudo useradd -m --home-dir /www-homes/dylan dylan
    [student@cOS74-T06-2 ~]$ tail -n 5 /etc/passwd
    student:x:1000:1000:student:/home/student:/bin/bash
    bert:x:1001:1001::/home/bert:/bin/bash
    apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
    bob:x:1002:1002::/www-homes/bob:/bin/bash
    dylan:x:1003:1003::/www-homes/dylan:/bin/bash

we try out the accounts (for now still without a password),
and as each of these users we create a Public directory:

    [student@cOS74-T06-2 ~]$ sudo su bob
    [bob@cOS74-T06-2 student]$ cd
    [bob@cOS74-T06-2 ~]$ pwd
    /www-homes/bob
    [bob@cOS74-T06-2 ~]$ mkdir Public
    [bob@cOS74-T06-2 ~]$ exit
    exit
    [student@cOS74-T06-2 ~]$ sudo su dylan
    [dylan@cOS74-T06-2 student]$ cd
    [dylan@cOS74-T06-2 ~]$ pwd
    /www-homes/dylan
    [dylan@cOS74-T06-2 ~]$ mkdir Public
    [dylan@cOS74-T06-2 ~]$ ls
    Public
    [dylan@cOS74-T06-2 ~]$ exit
    exit

finally we place an index.html file in Public for identification ...

    [student@cOS74-T06-2 ~]$ sudo su bob
    [sudo] password for student:
    [bob@cOS74-T06-2 student]$ cd
    [bob@cOS74-T06-2 ~]$ cd Public
    [bob@cOS74-T06-2 Public]$ cat > index.html
    DIT IS BOBs WEBSITE
    <CTRL><D>
    [bob@cOS74-T06-2 Public]$ exit
    exit
    [student@cOS74-T06-2 ~]$ sudo su dylan
    [dylan@cOS74-T06-2 student]$ cd
    [dylan@cOS74-T06-2 ~]$ cd Public
    [dylan@cOS74-T06-2 Public]$ cat > index.html
    DIT IS DE WEBSITE van DYLAN
    <CTRL><D>
    [dylan@cOS74-T06-2 Public]$
- apache configuration
in CentOS7 the main config file (/etc/httpd/conf/httpd.conf) is less modular in structure than the one in Ubuntu16. I first take a look at how the config is laid out:

    [student@cOS74-T06-2 ~]$ cd /etc/httpd
    [student@cOS74-T06-2 httpd]$ tree
    .
    ├── conf
    │   ├── httpd.conf
    │   └── magic
    ├── conf.d
    │   ├── autoindex.conf
    │   ├── README
    │   ├── userdir.conf
    │   └── welcome.conf
    ├── conf.modules.d
    │   ├── 00-base.conf
    │   ├── 00-dav.conf
    │   ├── 00-lua.conf
    │   ├── 00-mpm.conf
    │   ├── 00-proxy.conf
    │   ├── 00-systemd.conf
    │   └── 01-cgi.conf
    ├── logs -> ../../var/log/httpd
    ├── modules -> ../../usr/lib64/httpd/modules
    └── run -> /run/httpd

what is the root directory of apache?

    [student@cOS74-T06-2 httpd]$ grep -i serverroot conf/httpd.conf
    # with "/", the value of ServerRoot is prepended -- so 'log/access_log'
    # with ServerRoot set to '/www' will be interpreted by the
    # ServerRoot: The top of the directory tree under which the server's
    # ServerRoot at a non-local disk, be sure to specify a local disk on the
    # same ServerRoot for multiple httpd daemons, you will need to change at
    ServerRoot "/etc/httpd"

where are the includes, and what do they look like?

    [student@cOS74-T06-2 httpd]$ grep -i ^include conf/httpd.conf
    Include conf.modules.d/*.conf
    IncludeOptional conf.d/*.conf
I would like to add conf.sites-enabled/*.conf as an include ...
maybe at the end of httpd.conf:

    # Supplemental configuration
    #
    # Load config files in the "/etc/httpd/conf.d" directory, if any.
    IncludeOptional conf.d/*.conf

    # virtual host configuration (put by student 16/3/2018 - 10am)
    #
    Include conf.sites-enabled/*.conf

next I create two directories, /etc/httpd/conf.sites-enabled and /etc/httpd/conf.sites-available:

    [student@cOS74-T06-2 httpd]$ sudo mkdir conf.sites-enabled
    [sudo] password for student:
    [student@cOS74-T06-2 httpd]$ sudo mkdir conf.sites-available
    [student@cOS74-T06-2 httpd]$ cd conf.sites-available/

I put the default site in sites-available ...

    [student@cOS74-T06-2 conf.sites-available]$ sudo nano 000.default.conf

    <VirtualHost *:80>
        ServerName default.local
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
    </VirtualHost>

and create a symbolic link to it in sites-enabled:

    [student@.sites-available]$ cd ../conf.sites-enabled/
    [student@.sites-enabled]$ sudo ln -s ../conf.sites-available/000.default.conf .
- virtual name hosts
In the previous step we adjusted httpd.conf so that we can manage our websites in a modular way. Now we add two extra sites (name hosts) to Apache: bob.conf and dylan.conf

    [student@cOS74-T06-2 httpd]$ cd conf.sites-available/
    [student@cOS74-T06-2 conf.sites-available]$ cat bob.conf
    <VirtualHost *:80>
        ServerName bob.netmusic.be
        ServerAdmin webmaster@localhost
        DocumentRoot /www-homes/bob/Public
    </VirtualHost>
    [student@cOS74-T06-2 conf.sites-available]$ cat dylan.conf
    <VirtualHost *:80>
        ServerName dylan.netmusic.be
        ServerAdmin webmaster@localhost
        DocumentRoot /www-homes/dylan/Public
    </VirtualHost>

Next we have to link the conf files into conf.sites-enabled ...

    [student@conf.sites-available]$ cd ../conf.sites-enabled/
    [student@conf.sites-enabled]$ sudo ln -s ../conf.sites-available/bob.conf .
    [student@conf.sites-enabled]$ sudo ln -s ../conf.sites-available/dylan.conf .

And restart Apache ... (with a reload):

    [student@cOS74-T06-2 conf.sites-enabled]$ sudo systemctl reload httpd

It is then useful to check the status:

    [student@cOS74-T06-2 conf.sites-enabled]$ sudo systemctl status httpd
    ● httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
       Active: active (running) since Fri 2018-03-16 10:11:21 CET; 23min ago
         Docs: man:httpd(8)
               man:apachectl(8)
      Process: 1237 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
     Main PID: 910 (httpd)
       Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
       CGroup: /system.slice/httpd.service
               ├─ 910 /usr/sbin/httpd -DFOREGROUND
               ├─1239 /usr/sbin/httpd -DFOREGROUND
               ├─1240 /usr/sbin/httpd -DFOREGROUND
               ├─1241 /usr/sbin/httpd -DFOREGROUND
               ├─1242 /usr/sbin/httpd -DFOREGROUND
               └─1243 /usr/sbin/httpd -DFOREGROUND

    Mar 16 10:11:20 cOS74-T06-2 systemd[1]: Starting The Apache HTTP Server...
    Mar 16 10:11:21 cOS74-T06-2 httpd[910]: AH00558: httpd: Could not reliably d...ge
    Mar 16 10:11:21 cOS74-T06-2 systemd[1]: Started The Apache HTTP Server.
    Mar 16 10:33:28 cOS74-T06-2 httpd[1217]: AH00558: httpd: Could not reliably d...e
    Mar 16 10:33:28 cOS74-T06-2 systemd[1]: Reloaded The Apache HTTP Server.
    Mar 16 10:34:34 cOS74-T06-2 httpd[1237]: AH00558: httpd: Could not reliably d...e
    Mar 16 10:34:35 cOS74-T06-2 systemd[1]: Reloaded The Apache HTTP Server.
and to test ...
we get the default site when we browse to the IP address ...
but ...
on bob.netmusic.be and dylan.netmusic.be we get:
"Forbidden -- You don't have permission to access / on this server."
- fixing it
4.1. granting access in /etc/httpd/conf/httpd.conf
... somewhere in this file are the directory declarations,
which look like this:

    <Directory /var/www>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

and below the last declaration we add the following:

    #
    # added to allow virtual hosts from /www-homes
    <Directory /www-homes>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    #

we do this and reload Apache, but we still get Forbidden
4.2. granting access in SELinux
we first have to install policycoreutils-python, which provides semanage:

    [student@cOS74-T06-2 ~]$ sudo yum install policycoreutils-python
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: ftp.belnet.be
     * extras: ftp.belnet.be
     * updates: ftp.belnet.be
    Resolving Dependencies
    ...
    Installed:
      policycoreutils-python.x86_64 0:2.5-17.1.el7

    Dependency Installed:
      audit-libs-python.x86_64 0:2.7.6-3.el7
      checkpolicy.x86_64 0:2.5-4.el7
      libcgroup.x86_64 0:0.41-13.el7
      libsemanage-python.x86_64 0:2.5-8.el7
      python-IPy.noarch 0:0.75-6.el7
      setools-libs.x86_64 0:3.3.8-1.1.el7

    Complete!

next we add /www-homes/*/Public for httpd, written as a regular expression:

    $ sudo semanage fcontext --add --type httpd_sys_content_t "/www-homes/.*/Public(/.*)?"
    $ sudo restorecon -Rv /www-homes

but we still get Forbidden 403
4.3. file permissions
With their current file permissions, /www-homes and everything below it are not readable by the user that the httpd process runs as:

    [student@cOS74-T06-2 ~]$ ls -l /www-homes/
    total 0
    drwx------. 3 bob   bob   97 Mar 16 09:24 bob
    drwx------. 3 dylan dylan 97 Mar 16 09:25 dylan

We still have to change those with chmod -R 755:

    [student@cOS74-T06-2 ~]$ sudo chmod -R 755 /www-homes/

finally, to be on the safe side, we reload Apache ...

    [student@cOS74-T06-2 conf]$ sudo systemctl reload httpd

... and to our considerable surprise everything now works ...
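
Added example, not part of the original notes: the drwx------ listing in 4.3 caused the last 403 because httpd needs search permission on every directory leading to index.html. The script below reports the first blocking path component and, as a narrower alternative to chmod -R 755 (which also exposes the rest of each home directory and marks every file executable), opens only Public. The function names and the 711/755/644 modes are choices made for this example.

```bash
#!/bin/bash
# Added example, not from the original notes. Only the "other" permission bits
# are checked; group membership, ACLs and SELinux are out of scope.

# first_blocked PATH [BASE]: walk PATH one component at a time (starting below
# BASE, default /) and print the first component a non-owner process cannot
# use: a directory without o+x or a file without o+r. Returns 1 when blocked.
first_blocked() (
    target=$1
    cur=${2:-}
    rel=${target#"$cur"}
    set -f
    IFS=/
    for part in $rel; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        mode=$(stat -c '%a' "$cur" 2>/dev/null) || { echo "$cur (missing)"; return 1; }
        other=$((mode % 10))                  # last octal digit = "other" bits
        if [ -d "$cur" ]; then need=1; else need=4; fi
        [ $((other & need)) -ne 0 ] || { echo "$cur"; return 1; }
    done
    return 0
)

# tighten_webhome HOME: narrower alternative to "chmod -R 755 /www-homes".
# The home directory becomes traversable but not listable (711); only Public
# is opened up: 755 on directories, 644 on files.
tighten_webhome() {
    chmod 711 "$1" &&
    find "$1/Public" -type d -exec chmod 755 {} + &&
    find "$1/Public" -type f -exec chmod 644 {} +
}

# Stand-alone use: ./check.sh /www-homes/bob/Public/index.html
[ $# -eq 0 ] || first_blocked "$@"
```

On the machine from these notes, first_blocked /www-homes/bob/Public/index.html would print /www-homes/bob before the chmod, and nothing after sudo running tighten_webhome /www-homes/bob.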