Linux operation and maintenance learning - DAY11

Apache services

Common programs that provide web services include IIS, Nginx and Apache.

IIS is the web server bundled with Windows. Nginx is a lightweight, high-performance HTTP and reverse proxy server that can also proxy IMAP/POP3/SMTP; it uses an asynchronous, event-driven architecture. Apache HTTP Server is the Apache Software Foundation's open source web server; its classic prefork model is synchronous and multi-process, with one process serving one connection at a time (the worker and event MPMs use threads instead).

1, Apache service configuration

On RHEL/CentOS the Apache package is named httpd, and the daemon and service unit are also called httpd.

Configuration files in the Linux system

File                          Path
Service directory             /etc/httpd
Main configuration file       /etc/httpd/conf/httpd.conf
Extra configuration drop-ins  /etc/httpd/conf.d/*.conf
Website data directory        /var/www/html
Access log                    /var/log/httpd/access_log
Error log                     /var/log/httpd/error_log

2, SELinux security subsystem

SELinux domain: confines what a service process is allowed to do (process-side restriction).

Security context: the label carried by files and directories that decides which domains may access them (file-side restriction).

The SELinux service has three modes (set in the configuration file /etc/selinux/config):

enforcing: the security policy is enforced; requests from a service that violate it are denied and logged.

permissive: violations are only logged as warnings (AVC denials in the audit log) and are not blocked.

disabled: SELinux is turned off; nothing is logged or blocked.

Use the getenforce command to see the current SELinux mode. The setenforce [0|1] command switches between permissive (0) and enforcing (1) at runtime; it cannot enable SELinux when it is disabled, and the change is lost on reboot. To make the mode permanent, edit the SELINUX= line in /etc/selinux/config.

1.semanage command

The semanage command manages SELinux policy settings such as file contexts, ports and booleans. Format: semanage OBJECT [options], for example semanage fcontext -a -t TYPE PATH_REGEX.

semanage options and their functions

option  Function
-l      list (query) the current entries
-a      add an entry
-t      the SELinux type to assign
-m      modify an entry
-d      delete an entry

Use the ls command to show the security context of a file or directory: -d shows the directory itself rather than its contents, and -Z prints the context.

[root@langfeng ~]# ls -lZd /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Solution: ① add a file context rule for the directory with semanage fcontext; to cover the directory and everything beneath it, append the regular expression (/.*)? to the path. ② The rule only changes the policy database, not the files themselves; run restorecon to apply it immediately, where -v prints each change and -R recurses into subdirectories. The session below omits both (/.*)? and -R, so only /home/aaa itself is relabeled and files under it keep their old type.

[root@langfeng ~]# ls -Zd /home/aaa/
drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 /home/aaa/
[root@langfeng ~]# semanage fcontext -a -t httpd_sys_content_t /home/aaa
[root@langfeng ~]# ls -Zd /home/aaa/                                    
drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 /home/aaa/
[root@langfeng ~]# restorecon -v /home/aaa/
restorecon reset /home/aaa context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@langfeng ~]# ls -Zd /home/aaa/       
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /home/aaa/

2.SELinux domain security policy rules

If the file's security context is already correct but the service is still denied, the restriction comes from the SELinux domain policy rather than from file labels: a policy boolean that switches a service feature on or off.

Solution: ① use the getsebool command to list the service-related booleans (getsebool -a lists all of them; pipe through grep httpd to see Apache's). ② The setsebool command changes a boolean in the SELinux policy; the -P option writes it to the policy store so it survives a reboot, for example setsebool -P httpd_enable_homedirs on.

[root@langfeng ~]# getsebool -a 
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
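The two solutions above (relabel the directory, then check the policy booleans) as one script. This is an added example, not code from the original post: it assumes RHEL/CentOS with the semanage tool installed (package policycoreutils-python or python3-policycoreutils), takes the post's /home/aaa as the new web root, and uses stat -c %C to read labels so the check does not depend on the column layout of ls -Z.

```shell
#!/bin/sh
# Added example (not from the original post): publish a directory outside
# /var/www under SELinux and verify that httpd can read everything in it.
# Assumption: the web root is /home/aaa, as in the post's session.
set -eu

# Type field of a label such as "unconfined_u:object_r:home_root_t:s0".
context_type() {
  ctx="$1"
  ctx="${ctx#*:}"            # drop the SELinux user
  ctx="${ctx#*:}"            # drop the role
  printf '%s' "${ctx%%:*}"   # keep the type, drop the MLS level
}

# 0 if TYPE is one of the standard httpd content types the default
# policy lets httpd read, 1 otherwise.
httpd_readable_type() {
  case "$1" in
    httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_ra_content_t|httpd_user_content_t) return 0 ;;
    *) return 1 ;;
  esac
}

# Persistent rule plus relabel. The "(/.*)?" suffix makes the rule cover
# DIR and everything below it; the post's command without it labels only
# the directory, so files created later keep the wrong type.
relabel_docroot() {
  dir="$1"
  semanage fcontext -a -t httpd_sys_content_t "${dir}(/.*)?"
  restorecon -Rv "$dir"
}

# Print the type and path of every entry under DIR that httpd cannot read.
# stat -c '%C' prints the SELinux context of a path.
find_unreadable() {
  find "$1" -exec stat -c '%C %n' {} + | while read -r ctx path; do
    t=$(context_type "$ctx")
    httpd_readable_type "$t" || printf '%s\t%s\n' "$t" "$path"
  done
}

# A web root under /home may also be blocked by a policy boolean; show
# its state and the command that changes it permanently.
check_homedir_boolean() {
  case "$1" in
    /home/*)
      getsebool httpd_enable_homedirs
      getsebool httpd_enable_homedirs | grep -q -- '--> on' \
        || echo "if access is still denied: setsebool -P httpd_enable_homedirs on" ;;
  esac
}

# Run as: ./relabel.sh --apply /home/aaa   (needs root)
if [ "${1:-}" = "--apply" ]; then
  docroot="${2:-/home/aaa}"
  relabel_docroot "$docroot"
  check_homedir_boolean "$docroot"
  find_unreadable "$docroot"
else
  # No arguments: show how the post's "before" label is parsed.
  printf 'type of home_root_t label: %s\n' \
    "$(context_type 'unconfined_u:object_r:home_root_t:s0')"
fi
```

After --apply, find_unreadable should print nothing; any line it does print names a file whose type httpd cannot read, which is exactly what an AVC denial in /var/log/audit/audit.log would complain about. Run sealert -a /var/log/audit/audit.log (package setroubleshoot-server) for a readable explanation of such denials.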

3, Virtual host function

The virtual host function lets one physical server act as several "virtual servers". Apache selects a virtual host by the IP address, host name or port number the client requested, so one server can serve several websites at the same time.

① based on IP address

If a server has several IP addresses and each address is mapped to one website deployed on it, users who request different addresses get the pages of different websites. Each site gets its own <VirtualHost> block in the httpd configuration file (/etc/httpd/conf/httpd.conf, or a drop-in under /etc/httpd/conf.d/); the address 192.168.10.101 below is an example.

<VirtualHost 192.168.10.101:80>
    DocumentRoot "/var/www/html/101"
    <Directory "/var/www/html/101">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

② based on domain name

The host names must resolve to the server, either through the local file (/etc/hosts) or through DNS. One <VirtualHost> block per name is added to the httpd configuration file (/etc/httpd/conf/httpd.conf); all blocks share the same address and port, and the ServerName directive tells them apart. The names www.example.com and bbs.example.com below are examples.

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/html"
    <Directory "/var/www/html">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName bbs.example.com
    DocumentRoot "/var/bbs/html"
    <Directory "/var/bbs/html">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

③ based on port number

You need to add a Listen directive for the extra port in the configuration file,
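The three kinds of virtual host above, written out as one complete drop-in file for /etc/httpd/conf.d/. This is an added example, not configuration from the original post: the address 192.168.10.101, the names www.example.com and bbs.example.com, port 8080 and the root /var/www/html/8080 are assumptions, while /var/www/html/101, /var/www/html and /var/bbs/html are the roots the post's fragments use.

```shell
#!/bin/sh
# Added example (not from the original post): generate a conf.d drop-in
# with an IP-based, two name-based and a port-based virtual host, then
# label the document roots and validate the configuration before reload.
# Assumptions: 192.168.10.101, www/bbs.example.com, port 8080.
set -eu

# Print one complete <VirtualHost> block.
# ADDR is "ip:port" or "*:port"; NAME (optional) becomes the ServerName.
vhost_block() {
  addr="$1"; docroot="$2"; name="${3:-}"
  printf '<VirtualHost %s>\n' "$addr"
  if [ -n "$name" ]; then
    printf '    ServerName %s\n' "$name"
  fi
  printf '    DocumentRoot "%s"\n' "$docroot"
  printf '    <Directory "%s">\n' "$docroot"
  printf '        AllowOverride None\n'
  printf '        Require all granted\n'
  printf '    </Directory>\n'
  printf '</VirtualHost>\n\n'
}

# The whole drop-in. The IP-based host matches on the address the client
# connected to; the name-based hosts share *:80 and are told apart by the
# Host header (the first one listed answers for unmatched names); the
# port-based host needs its own Listen line because httpd.conf only
# carries "Listen 80".
vhosts_conf() {
  extra_port="$1"
  printf 'Listen %s\n\n' "$extra_port"
  vhost_block "192.168.10.101:80" "/var/www/html/101"
  vhost_block "*:80" "/var/www/html" "www.example.com"
  vhost_block "*:80" "/var/bbs/html" "bbs.example.com"
  vhost_block "*:${extra_port}" "/var/www/html/${extra_port}"
}

# Number of <VirtualHost> blocks in a config read from stdin.
count_vhosts() {
  grep -c '^<VirtualHost'
}

# Run as: ./vhosts.sh --install   (needs root); no arguments prints the file.
if [ "${1:-}" = "--install" ]; then
  vhosts_conf 8080 > /etc/httpd/conf.d/vhosts.conf
  mkdir -p /var/www/html/101 /var/www/html/8080 /var/bbs/html
  # /var/bbs is not under /var/www, so it gets var_t by default and httpd
  # would be denied; give it a persistent httpd_sys_content_t rule.
  semanage fcontext -a -t httpd_sys_content_t '/var/bbs/html(/.*)?'
  restorecon -Rv /var/www/html /var/bbs/html
  apachectl configtest
  systemctl reload httpd
else
  vhosts_conf 8080
fi
```

Port 8080 is already in SELinux's http_port_t list on stock policies; for a port that is not, check with semanage port -l | grep http_port_t and add it with semanage port -a -t http_port_t -p tcp PORT, or httpd will fail to bind. The new port also has to be opened in the firewall (firewall-cmd --permanent --add-port=8080/tcp). Requests for a name that matches no ServerName on *:80 land on the first block listed, so put a deliberate default site first rather than letting an arbitrary one answer.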

Tags: Operation & Maintenance SELinux Apache IIS Nginx

Posted on Tue, 24 Mar 2020 08:55:47 -0400 by Ben5on