SELinux is configured to work with the default Apache configuration. Since you set up a custom log directory in the virtual hosts configuration file, you will receive an error if you attempt to start the Apache service. To resolve this, you need to update the SELinux policies to allow Apache to write to the necessary files. SELinux brings heightened security to your CentOS 7 environment, so disabling it entirely is not recommended.
This step will cover two methods of adjusting Apache policies: universally and on a specific directory. Adjusting policies on directories is more secure, and is therefore the recommended approach. While the universal approach is more convenient, it will not give you the same level of control as an approach that focuses on a file or directory policy. The setsebool command changes SELinux boolean values. The -P flag will update the boot-time value, making this change persist across reboots.
Since this option does not set policies universally, you will need to set the context type manually for any new log directories specified in your virtual host configurations.
This command lists and prints the SELinux context of the directory. The type shown in that context is what needs to change: set it to the type that allows Apache to generate and append to web application log files. Next, use the restorecon command to apply the new context and have it persist across reboots. The -R flag runs this command recursively, meaning it will update any existing files to use the new context. The -v flag will print the context changes the command made, so its output confirms the changes.
You can now successfully restart the Apache service. Now that you have your virtual host set up and SELinux permissions updated, Apache will serve your domain name. This confirms that your virtual host is successfully configured and serving content.
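The labelling sequence above, as an added shell example that is not part of the original tutorial. It assumes the constructed path /var/www/example.com/log, the real SELinux type httpd_log_t for Apache log files, and the semanage (from policycoreutils-python) and restorecon tools; context_type parses the output of ls -dZ so the result can be checked before Apache is restarted.

```shell
#!/bin/sh
# Added example (not from the original tutorial): give a custom Apache log
# directory an SELinux type Apache may append to, and verify the result.
# /var/www/example.com/log is a constructed placeholder path; httpd_log_t,
# semanage, restorecon and `ls -dZ` are the real SELinux type and tools.

# Pattern for semanage: "(/.*)?" covers the directory and anything created
# under it later, so new log files inherit the type.
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# Print the SELinux type from either a bare context
# (system_u:object_r:httpd_log_t:s0) or a full `ls -dZ` line.
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Succeed only when the type lets Apache create and append log files.
log_type_ok() {
    [ "$(context_type "$1")" = httpd_log_t ]
}

# Apply the labelling on a real CentOS 7 host (run as root; needs the
# policycoreutils-python package for semanage). Not run automatically.
label_log_dir() {
    dir="$1"
    semanage fcontext -a -t httpd_log_t "$(fcontext_pattern "$dir")" || return 1
    restorecon -Rv "$dir" || return 1            # -R: recurse, -v: show changes
    log_type_ok "$(ls -dZ "$dir")" || return 1   # confirm before restarting
    systemctl restart httpd
}

# Usage on a real host:  label_log_dir /var/www/example.com/log
```

The check in label_log_dir matters because restorecon only applies what semanage recorded: a typo in the pattern leaves the directory with its old type, and Apache then fails to start exactly as described above.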
Repeat Steps 4 and 5 to create new virtual hosts with SELinux permissions for additional domains. In this tutorial, you installed and managed the Apache web server.
Now that you have your web server installed, you have many options for the type of content you can serve and the technologies you can use to create a richer experience. Note that for any changes to take effect, the web server has to be restarted first (see the relevant section). To make recovery from mistakes easier, it is recommended that you make a copy of the original file before editing it.
Being a modular application, the httpd service is distributed along with a number of Dynamic Shared Objects (DSOs), which can be dynamically loaded or unloaded at runtime as necessary. Once you are finished, restart the web server to reload the configuration. If you intend to create a new DSO module, make sure you have the httpd-devel package installed. To do so, enter the appropriate command as root. This package contains the include files, the header files, and the APache eXtenSion (apxs) utility required to compile a module.
If the build was successful, you should be able to load the module the same way as any other module that is distributed with the Apache HTTP Server. Customize the VirtualHost options according to your requirements as shown in the accompanying example. Directives that are not supported within the VirtualHost container include User and Group, which were replaced by SuexecUserGroup.
To activate a newly created virtual host, the web server has to be restarted first. Secure Sockets Layer (SSL) is a cryptographic protocol that allows a server and a client to communicate securely. Along with its extended and improved version called Transport Layer Security (TLS), it ensures both privacy and data integrity. This section provides basic information on how to enable this module in the Apache HTTP Server configuration, and guides you through the process of generating private keys and self-signed certificates.
Secure communication is based on the use of keys. In public or asymmetric cryptography, two keys co-exist: a private key that is kept secret, and a public key that is usually shared with the public.
While data encoded with the public key can only be decoded with the private key, data encoded with the private key can in turn only be decoded with the public key. The certificate lists various attributes of the server (that is, the server host name, the name of the company, its location, etc.), followed by a signature from a certificate authority (CA). This signature ensures that a particular certificate authority has signed the certificate, and that the certificate has not been modified in any way.
When a web browser establishes a new SSL connection, it checks the certificate provided by the web server. If the certificate does not have a signature from a trusted CA, or if the host name listed in the certificate does not match the host name used to establish the connection, it refuses to communicate with the server and usually presents a user with an appropriate error message.
By default, most web browsers are configured to trust a set of widely used certificate authorities. Because of this, an appropriate CA should be chosen when setting up a secure server, so that target users can trust the connection; otherwise, they will be presented with an error message and will have to accept the certificate manually. Since encouraging users to override certificate errors can allow an attacker to intercept the connection, you should use a trusted CA whenever possible.
For more information on this, see the following table of CA lists used by common web browsers:
Mozilla Firefox: Mozilla root CA list.
Opera: Information on root certificates used by Opera.
Internet Explorer: Information on root certificates used by Microsoft Windows.
Chromium: Information on root certificates used by the Chromium project.
Once the CA verifies the certificate request and your identity, it will send you a signed certificate you can use with your server. Alternatively, you can create a self-signed certificate that does not contain a CA signature, and thus should be used for testing purposes only.
Enter the appropriate command as root. For the module to be loaded, restart the httpd service as described in the relevant section. Backwards compatibility can be achieved using TLSv1. If you do not specify the SSLProtocol directive in the per-domain VirtualHost section, it inherits the settings from the global section.
To make sure that a protocol version is disabled, the administrator should either specify SSLProtocol only in the "SSL Global Context" section, or specify it in all per-domain VirtualHost sections.
By default, the configuration file contains one such VirtualHost section. Edit the SSLProtocol line in it, and repeat this action for every other VirtualHost section. Save and close the file. Then verify that all occurrences of the SSLProtocol directive have been changed; this step is particularly important if you have more than the one default VirtualHost section. The test command takes a port and a protocol version as arguments, where port is the port to test and protocol is the protocol version to test for.
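The verification step above, written out as an added shell example that is not part of the Red Hat documentation: it scans an ssl.conf-style file and reports, for the global context and for each VirtualHost section, whether SSLProtocol is present and disables SSLv2 and SSLv3, lists any VirtualHost whose port has no matching Listen directive, and probes a port with openssl s_client for a given protocol version. The sample configuration, the OK/WEAK/MISSING verdicts and the choice of openssl s_client as the probe are this example's own; awk, grep, mktemp and openssl are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original documentation): audit SSLProtocol in
# an Apache SSL configuration and probe a port for a protocol version.
# The configuration written by sample_config is constructed for this example.

# Print "<vhost> OK|WEAK|MISSING" per VirtualHost, then "global <verdict>".
#   MISSING: no SSLProtocol in the section (it inherits the global value)
#   WEAK:    the value still allows SSLv2 or SSLv3 ("all" without -SSLv3,
#            or an explicit SSLv2/SSLv3 token)
audit_sslprotocol() {
    awk '
        function weak(p,    n, t, i, w, hasall, minus3) {
            n = split(p, t, /[[:space:]]+/); hasall = 0; minus3 = 0
            for (i = 1; i <= n; i++) {
                w = t[i]
                if (w == "all" || w == "+all") hasall = 1
                else if (w == "-SSLv3") minus3 = 1
                else if (w ~ /^\+?SSLv[23]$/) return 1
            }
            return (hasall && !minus3)
        }
        function verdict(p) { return p == "" ? "MISSING" : (weak(p) ? "WEAK" : "OK") }
        /^[[:space:]]*<VirtualHost[[:space:]]/ { vhost = $2; sub(/>.*$/, "", vhost); proto = ""; next }
        /^[[:space:]]*SSLProtocol[[:space:]]/ {
            line = $0; sub(/^[[:space:]]*SSLProtocol[[:space:]]+/, "", line)
            if (vhost != "") proto = line; else global_proto = line
            next
        }
        /^[[:space:]]*<\/VirtualHost>/ { print vhost, verdict(proto); vhost = ""; next }
        END { print "global", verdict(global_proto) }
    ' "$1"
}

# List VirtualHost addresses whose port is covered by no Listen directive.
unlistened_vhosts() {
    awk '
        /^[[:space:]]*Listen[[:space:]]/ { p = $2; sub(/^.*:/, "", p); listen[p] = 1 }
        /^[[:space:]]*<VirtualHost[[:space:]]/ { v = $2; sub(/>.*$/, "", v); vh[++n] = v }
        END { for (i = 1; i <= n; i++) { p = vh[i]; sub(/^.*:/, "", p); if (!(p in listen)) print vh[i] } }
    ' "$1"
}

# Probe HOST:PORT with one protocol flag (-ssl3, -tls1, -tls1_2, ...). A
# disabled version makes the handshake fail. Use localhost for a local server.
probe_protocol() {   # probe_protocol HOST PORT PROTOCOL_FLAG
    if printf 'Q\n' | openssl s_client -connect "$1:$2" "$3" >/dev/null 2>&1; then
        echo "$3 accepted on $1:$2"
    else
        echo "$3 rejected on $1:$2"
    fi
}

# Constructed sample: a good global line, one good vhost, one weak, one
# inheriting, and one on a port with no Listen directive.
sample_config() {
    cat > "$1" <<'EOF'
Listen 443 https
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost _default_:443>
    ServerName www.example.com:443
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName legacy.example.com:443
    SSLEngine on
    SSLProtocol all
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName inherit.example.com:443
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.12:8443>
    ServerName alt.example.com:8443
    SSLEngine on
    SSLProtocol TLSv1.2
</VirtualHost>
EOF
}

if [ $# -gt 0 ]; then              # audit a real file:  sh audit.sh /etc/httpd/conf.d/ssl.conf
    audit_sslprotocol "$1"; unlistened_vhosts "$1"
else                               # no argument: run against the constructed sample
    tmp=$(mktemp); sample_config "$tmp"
    audit_sslprotocol "$tmp"; unlistened_vhosts "$tmp"; rm -f "$tmp"
fi
```

A MISSING section is only as safe as the global line it inherits, which is why the report prints the global verdict last; a WEAK section overrides a good global value and is the case the documentation warns about.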
To test the SSL server running locally, use localhost as the host name. If at all possible, remove the package. The port is specified by the Listen directive as well as in the VirtualHost name or address. Everything in NSS is associated with a "token".
The software token exists in the NSS database but you can also have a physical token containing certificates. With NSS, these are stored in a database. Each certificate and key is associated with a token and each token can have a password protecting it.
This password is optional, but if a password is used then the Apache HTTP server needs a copy of it in order to open the database without user intervention at system start. Edit the Listen line, then edit the default VirtualHost line, and edit any other non-default virtual host sections if they exist.
The -L option lists all the certificates, or displays information about a named certificate, in a certificate database. The -d option specifies the database directory containing the certificate and key database files. See the certutil(1) man page for more command line options.
This document will be updated to include it when it is made available. The following configuration steps are performed by the. Some configuration is required before running JBoss Web Server. This section includes the following configuration procedures. Follow this procedure to create the tomcat user and its parent group: first run the command that creates the tomcat group, then run the command that creates the tomcat user in the tomcat group.
You can use ls -l to verify that the tomcat user is the owner of the directory. Ensure that the tomcat user has execute permissions on all parent directories. To stop Tomcat, run the appropriate command as the tomcat user.
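The user-creation and ownership steps above, together with the parent-directory check, as an added shell example that is not taken from the JBoss Web Server documentation. JWS_HOME (/opt/jws) is a constructed placeholder for the installation directory; the useradd options (-r, -s /sbin/nologin) are this example's choice; groupadd, useradd, chown, id and GNU stat are assumed to be present. The traversal check reads the owner, group and mode of every directory from / down to the target and applies the execute bit that governs the named user, so it works for an account that cannot log in.

```shell
#!/bin/sh
# Added example (not from the JBoss Web Server documentation): create the
# tomcat service account, give it the installation directory, and check that
# it can search every directory on the way there. /opt/jws is a constructed
# placeholder; the useradd options are this example's choice.

JWS_HOME="${JWS_HOME:-/opt/jws}"

# Create the group and a non-login system account, then hand over the
# installation directory. Run as root; not executed automatically.
create_tomcat_user() {
    getent group tomcat >/dev/null || groupadd tomcat || return 1
    id tomcat >/dev/null 2>&1 || useradd -r -g tomcat -s /sbin/nologin -d "$JWS_HOME" tomcat || return 1
    chown -R tomcat:tomcat "$JWS_HOME"
}

# Is group NAME ($2) in the space-separated group list ($1)?
in_group() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Does USER hold the execute (search) bit on a directory owned by OWNER:GROUP
# with octal MODE, given USER's group list? Sticky/setgid digits are ignored.
exec_allowed() {   # exec_allowed USER USERGROUPS OWNER GROUP MODE
    m=$(printf '%04d' "$5"); m=${m#?}                     # three permission digits
    if [ "$3" = "$1" ]; then bit=$(( ${m%??} & 1 ))       # owner triplet
    elif in_group "$2" "$4"; then g=${m#?}; bit=$(( ${g%?} & 1 ))   # group triplet
    else bit=$(( ${m#??} & 1 ))                           # others triplet
    fi
    [ "$bit" -eq 1 ]
}

# Walk from / down to DIR and report the first directory USER cannot search.
# Paths containing spaces are not handled.
parents_traversable() {   # parents_traversable USER DIR
    user="$1"; target="$2"; d="$2"; chain=""
    case "$d" in /*) ;; *) d="$(pwd)/$d" ;; esac
    while [ "$d" != "/" ]; do chain="$d $chain"; d=$(dirname "$d"); done
    ugroups=$(id -Gn "$user" 2>/dev/null) || { echo "no such user: $user"; return 1; }
    for p in / $chain; do
        info=$(stat -c '%U %G %a' "$p" 2>/dev/null) || { echo "cannot stat $p"; return 1; }
        set -- $info                                     # owner group mode
        exec_allowed "$user" "$ugroups" "$1" "$2" "$3" || { echo "$user cannot search $p"; return 1; }
    done
    echo "$user can reach $target"
}

# Usage:  parents_traversable tomcat /opt/jws/tomcat
if [ $# -eq 2 ]; then parents_traversable "$1" "$2"; fi
```

A directory whose mode is 750 and whose group the tomcat account does not share is the typical failure: ls -l on the installation directory looks correct, yet Tomcat cannot open its own files because an ancestor blocks traversal.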
Under Products Provided, ensure you have the required products. Issue the install command as the root user to install JBoss Web Server. To verify that Tomcat is running, review the output of the service status command; this can be executed as any user. To verify that Tomcat is no longer running, review the output of the service status command again. The following table contains information about the SELinux policies provided in the jws5-tomcat-selinux packages.
These packages are available in the JWS channel. The SELinux security model is enforced by the kernel and ensures applications have limited access to resources such as file system locations and ports.
This helps ensure that errant processes (either compromised or poorly configured) are restricted and in some cases prevented from running. If required, you can run the. Add access permissions to the required ports for JBoss Web Server.