At present, the programs that provide Web network services include IIS, Nginx, and Apache.
IIS is the web service program on Windows systems. Nginx is lightweight website service software: a high-performance HTTP and reverse proxy server, and also an IMAP/POP3/SMTP proxy server, built on an asynchronous architecture. Apache HTTP Server is the open-source web server of the Apache Software Foundation; it is characterized by a synchronous multi-process model in which one connection corresponds to one process.
1. Apache service configuration
The package name of Apache service is httpd, and the service program is httpd.
Configuration files in the Linux system
|Configuration file name||Storage path|
|Website data directory||/var/www/html|
2. SELinux security subsystem
SELinux domain: limits the functions of a service
Security context: restricts file permissions
SELinux has three configuration modes (configuration file: /etc/selinux/config):
enforcing: the security policy is enforced, and requests from a service that exceed its authority are intercepted.
permissive: when a service exceeds its authority, a warning is given but the request is not intercepted.
disabled: SELinux is turned off; behavior beyond the authority is neither warned about nor intercepted.
Use the getenforce command to get the current running mode of SELinux. Use the setenforce [0|1] command to change the current running mode (0 disables enforcement, 1 enables it). This change is only temporary and is lost after the system restarts.
The semanage command is used to manage SELinux policies. Format: "semanage [options] [file]"
semanage command parameters and functions
|-l||Queries (lists) records|
|-t||The specific type value to set|
Use the ls command to query the security context of the original file or directory: the -d parameter queries the directory itself, and the -Z parameter shows the security context.
[root@langfeng ~]# ls -lZd /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
Solution: ① Use the fcontext option of semanage to modify the security context of the directory. ② Then run the restorecon command so that the new SELinux security context takes effect immediately; -Rv operates recursively on the specified directory (the context itself cannot be set recursively, so the directories at every level need to be set).
[root@langfeng ~]# ls -Zd /home/aaa/
drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 /home/aaa/
[root@langfeng ~]# semanage fcontext -a -t httpd_sys_content_t /home/aaa
[root@langfeng ~]# ls -Zd /home/aaa/
drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 /home/aaa/
[root@langfeng ~]# restorecon -v /home/aaa/
restorecon reset /home/aaa context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@langfeng ~]# ls -Zd /home/aaa/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /home/aaa/
2. SELinux domain security policy rules
When access is still restricted and the cause is not the SELinux security context (file permission) of the directory, consider whether the SELinux domain (service function) restriction is responsible.
Solution: ① Use the getsebool command to query the security policy rules related to the protocol. ② Use the setsebool command to modify the Boolean value of a rule in the SELinux policy; the -P parameter makes the change take effect permanently.
[root@langfeng ~]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
......
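One way to audit the rules that getsebool reports, as an added example that is not part of the original page: the script compares the output with a reviewed baseline and prints every Boolean whose state has drifted. The httpd_* names are Booleans of the targeted policy; the sample output and the baseline values are constructed assumptions.

```shell
#!/bin/sh
# Added example: compare `getsebool -a` output with a reviewed baseline.

# Constructed sample of `getsebool -a` output (not captured from a real host).
SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_can_sendmail --> off'

# Hypothetical baseline: the state each Boolean is expected to have.
BASELINE='httpd_can_network_connect off
httpd_enable_cgi off
httpd_enable_homedirs on
httpd_can_sendmail off'

# bool_drift BASELINE CURRENT
# Prints "name expected actual" for every baseline Boolean whose current state
# differs; "missing" means the Boolean does not appear in CURRENT at all.
bool_drift() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { cur = 1; next }
        !cur && NF == 2 { want[$1] = $2; order[++n] = $1; next }
        cur && $2 == "-->" { have[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                b = order[i]
                got = (b in have) ? have[b] : "missing"
                if (got != want[b]) print b, want[b], got
            }
        }'
}

# On a live host: bool_drift "$BASELINE" "$(getsebool -a)"
# A reported line is corrected with: setsebool -P <name> <expected>
bool_drift "$BASELINE" "$SAMPLE_BOOLS"
```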
3. Virtual host function
The virtual host function divides one running physical server into multiple "virtual servers". Apache's virtual host function selects the website by the IP address, host domain name or port number that the user requests, so one server can provide several websites for external access at the same time.
① based on IP address
If a server has multiple IP addresses and each IP address corresponds to exactly one website deployed on the server, users who request different IP addresses get the page resources of different websites. The parameters of the IP-address-based virtual host website are added to the httpd configuration file (/etc/httpd/conf/httpd.conf).
<VirtualHost 192.168.241.101>
    DocumentRoot "/var/www/html/101"
    ServerName www.langfeng.com
    <Directory /var/www/html/101 >
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
② based on domain name
The domain names are resolved through the local file (/etc/hosts) or through an address that DNS can resolve. The virtual host parameters are added to the httpd configuration file (/etc/httpd/conf/httpd.conf).
<VirtualHost 192.168.241.100>
    DocumentRoot "/var/www/html"
    ServerName www.langfeng.com
    <Directory /var/www/html>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 192.168.241.101>
    DocumentRoot "/var/bbs/html"
    ServerName bbs.langfeng.com
    <Directory /var/bbs/html>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
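The security-context check from the SELinux section applies to every DocumentRoot of a virtual host, including ones outside /var/www such as /var/bbs/html. The following added example (not from the original page) reads the DocumentRoot lines of a configuration and reports each directory whose type in `ls -Zd` output is not httpd_sys_content_t; the `ls -Zd` sample lines and the function name are constructed for illustration.

```shell
#!/bin/sh
# Added example: list DocumentRoot directories whose SELinux type differs from
# the one web content is expected to carry (httpd_sys_content_t by default).

# The two name-based virtual hosts from the configuration above (trimmed).
VHOST_CONF='<VirtualHost 192.168.241.100>
    DocumentRoot "/var/www/html"
    ServerName www.langfeng.com
</VirtualHost>
<VirtualHost 192.168.241.101>
    DocumentRoot "/var/bbs/html"
    ServerName bbs.langfeng.com
</VirtualHost>'

# Constructed `ls -Zd` output for those directories (not from a real host).
LS_Z='drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
drwxr-xr-x. root root unconfined_u:object_r:var_t:s0 /var/bbs/html/'

# mislabeled_docroots CONF LS_Z [TYPE]
# Prints "path actual_type" for each DocumentRoot not labelled TYPE;
# "unknown" means no ls -Z line was supplied for that path.
# Assumes paths without spaces.
mislabeled_docroots() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk -v want="${3:-httpd_sys_content_t}" '
        $0 == "---" { conf = 1; next }
        !conf {
            # The context is the field shaped user:role:type:level. The level
            # may hold more colons (s0:c0.c1023); the type is always part 3.
            for (i = 1; i <= NF; i++)
                if (split($i, c, ":") >= 4) {
                    p = $NF; sub(/\/$/, "", p); lbl[p] = c[3]
                }
            next
        }
        tolower($1) == "documentroot" {
            p = $2; gsub(/"/, "", p); sub(/\/$/, "", p)
            t = (p in lbl) ? lbl[p] : "unknown"
            if (t != want) print p, t
        }'
}

# On a live host, pass the real data instead, for example:
#   mislabeled_docroots "$(cat /etc/httpd/conf/httpd.conf)" \
#       "$(ls -Zd /var/www/html /var/bbs/html)"
mislabeled_docroots "$VHOST_CONF" "$LS_Z"
```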
③ based on port number
You need to add the listening port number in the configuration file,