Apache httpd, "the" web server under CentOS 7.x

Under CentOS 7 the current release branch 2.4 is provided as the standard web server.

On the website of the Apache Software Foundation there is an overview of the features of the Apache HTTP Server 2.4. The documentation for the Apache HTTP Server version 2.4 is also available in German on the project site.

We install our Apache web server simply with the help of YUM.

# yum install httpd -y

Besides the httpd package, the packages httpd-tools, apr, apr-util and mailcap are installed as well.

httpd

What the httpd package brings into the system is shown by the rpm command with the option -qil.

 # rpm -qil httpd
Name        : httpd
Version     : 2.4.6
Release     : 18.el7.centos
Architecture: x86_64
Install Date: Sun 24 Aug 2014 10:22:29 PM CEST
Group       : System Environment/Daemons
Size        : 9793373
License     : ASL 2.0
Signature   : RSA/SHA256, Wed 23 Jul 2014 05:21:22 PM CEST, Key ID 24c6a8a7f4a80eb5
Source RPM  : httpd-2.4.6-18.el7.centos.src.rpm
Build Date  : Wed 23 Jul 2014 04:49:10 PM CEST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
/etc/httpd
/etc/httpd/conf
/etc/httpd/conf.d
/etc/httpd/conf.d/README
/etc/httpd/conf.d/autoindex.conf
/etc/httpd/conf.d/userdir.conf
/etc/httpd/conf.d/welcome.conf
/etc/httpd/conf.modules.d
/etc/httpd/conf.modules.d/00-base.conf
/etc/httpd/conf.modules.d/00-dav.conf
/etc/httpd/conf.modules.d/00-lua.conf
/etc/httpd/conf.modules.d/00-mpm.conf
/etc/httpd/conf.modules.d/00-proxy.conf
/etc/httpd/conf.modules.d/00-systemd.conf
/etc/httpd/conf.modules.d/01-cgi.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/magic
/etc/httpd/logs
/etc/httpd/modules
/etc/httpd/run
/etc/logrotate.d/httpd
/etc/sysconfig/htcacheclean
/etc/sysconfig/httpd
/run/httpd
/run/httpd/htcacheclean
/usr/lib/systemd/system/htcacheclean.service
/usr/lib/systemd/system/httpd.service
/usr/lib/tmpfiles.d/httpd.conf
/usr/lib64/httpd
/usr/lib64/httpd/modules
/usr/lib64/httpd/modules/mod_access_compat.so
/usr/lib64/httpd/modules/mod_actions.so
/usr/lib64/httpd/modules/mod_alias.so
/usr/lib64/httpd/modules/mod_allowmethods.so
/usr/lib64/httpd/modules/mod_asis.so
/usr/lib64/httpd/modules/mod_auth_basic.so
/usr/lib64/httpd/modules/mod_auth_digest.so
/usr/lib64/httpd/modules/mod_authn_anon.so
/usr/lib64/httpd/modules/mod_authn_core.so
/usr/lib64/httpd/modules/mod_authn_dbd.so
/usr/lib64/httpd/modules/mod_authn_dbm.so
/usr/lib64/httpd/modules/mod_authn_file.so
/usr/lib64/httpd/modules/mod_authn_socache.so
/usr/lib64/httpd/modules/mod_authz_core.so
/usr/lib64/httpd/modules/mod_authz_dbd.so
/usr/lib64/httpd/modules/mod_authz_dbm.so
/usr/lib64/httpd/modules/mod_authz_groupfile.so
/usr/lib64/httpd/modules/mod_authz_host.so
/usr/lib64/httpd/modules/mod_authz_owner.so
/usr/lib64/httpd/modules/mod_authz_user.so
/usr/lib64/httpd/modules/mod_autoindex.so
/usr/lib64/httpd/modules/mod_buffer.so
/usr/lib64/httpd/modules/mod_cache.so
/usr/lib64/httpd/modules/mod_cache_disk.so
/usr/lib64/httpd/modules/mod_cache_socache.so
/usr/lib64/httpd/modules/mod_cgi.so
/usr/lib64/httpd/modules/mod_cgid.so
/usr/lib64/httpd/modules/mod_charset_lite.so
/usr/lib64/httpd/modules/mod_data.so
/usr/lib64/httpd/modules/mod_dav.so
/usr/lib64/httpd/modules/mod_dav_fs.so
/usr/lib64/httpd/modules/mod_dav_lock.so
/usr/lib64/httpd/modules/mod_dbd.so
/usr/lib64/httpd/modules/mod_deflate.so
/usr/lib64/httpd/modules/mod_dialup.so
/usr/lib64/httpd/modules/mod_dir.so
/usr/lib64/httpd/modules/mod_dumpio.so
/usr/lib64/httpd/modules/mod_echo.so
/usr/lib64/httpd/modules/mod_env.so
/usr/lib64/httpd/modules/mod_expires.so
/usr/lib64/httpd/modules/mod_ext_filter.so
/usr/lib64/httpd/modules/mod_file_cache.so
/usr/lib64/httpd/modules/mod_filter.so
/usr/lib64/httpd/modules/mod_headers.so
/usr/lib64/httpd/modules/mod_heartbeat.so
/usr/lib64/httpd/modules/mod_heartmonitor.so
/usr/lib64/httpd/modules/mod_include.so
/usr/lib64/httpd/modules/mod_info.so
/usr/lib64/httpd/modules/mod_lbmethod_bybusyness.so
/usr/lib64/httpd/modules/mod_lbmethod_byrequests.so
/usr/lib64/httpd/modules/mod_lbmethod_bytraffic.so
/usr/lib64/httpd/modules/mod_lbmethod_heartbeat.so
/usr/lib64/httpd/modules/mod_log_config.so
/usr/lib64/httpd/modules/mod_log_debug.so
/usr/lib64/httpd/modules/mod_log_forensic.so
/usr/lib64/httpd/modules/mod_logio.so
/usr/lib64/httpd/modules/mod_lua.so
/usr/lib64/httpd/modules/mod_macro.so
/usr/lib64/httpd/modules/mod_mime.so
/usr/lib64/httpd/modules/mod_mime_magic.so
/usr/lib64/httpd/modules/mod_mpm_event.so
/usr/lib64/httpd/modules/mod_mpm_prefork.so
/usr/lib64/httpd/modules/mod_mpm_worker.so
/usr/lib64/httpd/modules/mod_negotiation.so
/usr/lib64/httpd/modules/mod_proxy.so
/usr/lib64/httpd/modules/mod_proxy_ajp.so
/usr/lib64/httpd/modules/mod_proxy_balancer.so
/usr/lib64/httpd/modules/mod_proxy_connect.so
/usr/lib64/httpd/modules/mod_proxy_express.so
/usr/lib64/httpd/modules/mod_proxy_fcgi.so
/usr/lib64/httpd/modules/mod_proxy_fdpass.so
/usr/lib64/httpd/modules/mod_proxy_ftp.so
/usr/lib64/httpd/modules/mod_proxy_http.so
/usr/lib64/httpd/modules/mod_proxy_scgi.so
/usr/lib64/httpd/modules/mod_proxy_wstunnel.so
/usr/lib64/httpd/modules/mod_ratelimit.so
/usr/lib64/httpd/modules/mod_reflector.so
/usr/lib64/httpd/modules/mod_remoteip.so
/usr/lib64/httpd/modules/mod_reqtimeout.so
/usr/lib64/httpd/modules/mod_request.so
/usr/lib64/httpd/modules/mod_rewrite.so
/usr/lib64/httpd/modules/mod_sed.so
/usr/lib64/httpd/modules/mod_setenvif.so
/usr/lib64/httpd/modules/mod_slotmem_plain.so
/usr/lib64/httpd/modules/mod_slotmem_shm.so
/usr/lib64/httpd/modules/mod_socache_dbm.so
/usr/lib64/httpd/modules/mod_socache_memcache.so
/usr/lib64/httpd/modules/mod_socache_shmcb.so
/usr/lib64/httpd/modules/mod_speling.so
/usr/lib64/httpd/modules/mod_status.so
/usr/lib64/httpd/modules/mod_substitute.so
/usr/lib64/httpd/modules/mod_suexec.so
/usr/lib64/httpd/modules/mod_systemd.so
/usr/lib64/httpd/modules/mod_unique_id.so
/usr/lib64/httpd/modules/mod_unixd.so
/usr/lib64/httpd/modules/mod_userdir.so
/usr/lib64/httpd/modules/mod_usertrack.so
/usr/lib64/httpd/modules/mod_version.so
/usr/lib64/httpd/modules/mod_vhost_alias.so
/usr/lib64/httpd/modules/mod_watchdog.so
/usr/libexec/initscripts/legacy-actions/httpd
/usr/libexec/initscripts/legacy-actions/httpd/configtest
/usr/libexec/initscripts/legacy-actions/httpd/graceful
/usr/sbin/apachectl
/usr/sbin/fcgistarter
/usr/sbin/htcacheclean
/usr/sbin/httpd
/usr/sbin/rotatelogs
/usr/sbin/suexec
/usr/share/doc/httpd-2.4.6
/usr/share/doc/httpd-2.4.6/ABOUT_APACHE
/usr/share/doc/httpd-2.4.6/CHANGES
/usr/share/doc/httpd-2.4.6/LICENSE
/usr/share/doc/httpd-2.4.6/NOTICE
/usr/share/doc/httpd-2.4.6/README
/usr/share/doc/httpd-2.4.6/VERSIONING
/usr/share/doc/httpd-2.4.6/httpd-dav.conf
/usr/share/doc/httpd-2.4.6/httpd-default.conf
/usr/share/doc/httpd-2.4.6/httpd-info.conf
/usr/share/doc/httpd-2.4.6/httpd-languages.conf
/usr/share/doc/httpd-2.4.6/httpd-manual.conf
/usr/share/doc/httpd-2.4.6/httpd-mpm.conf
/usr/share/doc/httpd-2.4.6/httpd-multilang-errordoc.conf
/usr/share/doc/httpd-2.4.6/httpd-vhosts.conf
/usr/share/doc/httpd-2.4.6/proxy-html.conf
/usr/share/httpd
/usr/share/httpd/error
/usr/share/httpd/error/HTTP_BAD_GATEWAY.html.var
/usr/share/httpd/error/HTTP_BAD_REQUEST.html.var
/usr/share/httpd/error/HTTP_FORBIDDEN.html.var
/usr/share/httpd/error/HTTP_GONE.html.var
/usr/share/httpd/error/HTTP_INTERNAL_SERVER_ERROR.html.var
/usr/share/httpd/error/HTTP_LENGTH_REQUIRED.html.var
/usr/share/httpd/error/HTTP_METHOD_NOT_ALLOWED.html.var
/usr/share/httpd/error/HTTP_NOT_FOUND.html.var
/usr/share/httpd/error/HTTP_NOT_IMPLEMENTED.html.var
/usr/share/httpd/error/HTTP_PRECONDITION_FAILED.html.var
/usr/share/httpd/error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
/usr/share/httpd/error/HTTP_REQUEST_TIME_OUT.html.var
/usr/share/httpd/error/HTTP_REQUEST_URI_TOO_LARGE.html.var
/usr/share/httpd/error/HTTP_SERVICE_UNAVAILABLE.html.var
/usr/share/httpd/error/HTTP_UNAUTHORIZED.html.var
/usr/share/httpd/error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
/usr/share/httpd/error/HTTP_VARIANT_ALSO_VARIES.html.var
/usr/share/httpd/error/README
/usr/share/httpd/error/contact.html.var
/usr/share/httpd/error/include
/usr/share/httpd/error/include/bottom.html
/usr/share/httpd/error/include/spacer.html
/usr/share/httpd/error/include/top.html
/usr/share/httpd/icons
/usr/share/httpd/icons/README
/usr/share/httpd/icons/README.html
/usr/share/httpd/icons/a.gif
/usr/share/httpd/icons/a.png
/usr/share/httpd/icons/alert.black.gif
/usr/share/httpd/icons/alert.black.png
/usr/share/httpd/icons/alert.red.gif
/usr/share/httpd/icons/alert.red.png
/usr/share/httpd/icons/apache_pb.gif
/usr/share/httpd/icons/apache_pb.png
/usr/share/httpd/icons/apache_pb.svg
/usr/share/httpd/icons/apache_pb2.gif
/usr/share/httpd/icons/apache_pb2.png
/usr/share/httpd/icons/back.gif
/usr/share/httpd/icons/back.png
/usr/share/httpd/icons/ball.gray.gif
/usr/share/httpd/icons/ball.gray.png
/usr/share/httpd/icons/ball.red.gif
/usr/share/httpd/icons/ball.red.png
/usr/share/httpd/icons/binary.gif
/usr/share/httpd/icons/binary.png
/usr/share/httpd/icons/binhex.gif
/usr/share/httpd/icons/binhex.png
/usr/share/httpd/icons/blank.gif
/usr/share/httpd/icons/blank.png
/usr/share/httpd/icons/bomb.gif
/usr/share/httpd/icons/bomb.png
/usr/share/httpd/icons/box1.gif
/usr/share/httpd/icons/box1.png
/usr/share/httpd/icons/box2.gif
/usr/share/httpd/icons/box2.png
/usr/share/httpd/icons/broken.gif
/usr/share/httpd/icons/broken.png
/usr/share/httpd/icons/burst.gif
/usr/share/httpd/icons/burst.png
/usr/share/httpd/icons/c.gif
/usr/share/httpd/icons/c.png
/usr/share/httpd/icons/comp.blue.gif
/usr/share/httpd/icons/comp.blue.png
/usr/share/httpd/icons/comp.gray.gif
/usr/share/httpd/icons/comp.gray.png
/usr/share/httpd/icons/compressed.gif
/usr/share/httpd/icons/compressed.png
/usr/share/httpd/icons/continued.gif
/usr/share/httpd/icons/continued.png
/usr/share/httpd/icons/dir.gif
/usr/share/httpd/icons/dir.png
/usr/share/httpd/icons/diskimg.gif
/usr/share/httpd/icons/diskimg.png
/usr/share/httpd/icons/down.gif
/usr/share/httpd/icons/down.png
/usr/share/httpd/icons/dvi.gif
/usr/share/httpd/icons/dvi.png
/usr/share/httpd/icons/f.gif
/usr/share/httpd/icons/f.png
/usr/share/httpd/icons/folder.gif
/usr/share/httpd/icons/folder.open.gif
/usr/share/httpd/icons/folder.open.png
/usr/share/httpd/icons/folder.png
/usr/share/httpd/icons/folder.sec.gif
/usr/share/httpd/icons/folder.sec.png
/usr/share/httpd/icons/forward.gif
/usr/share/httpd/icons/forward.png
/usr/share/httpd/icons/generic.gif
/usr/share/httpd/icons/generic.png
/usr/share/httpd/icons/generic.red.gif
/usr/share/httpd/icons/generic.red.png
/usr/share/httpd/icons/generic.sec.gif
/usr/share/httpd/icons/generic.sec.png
/usr/share/httpd/icons/hand.right.gif
/usr/share/httpd/icons/hand.right.png
/usr/share/httpd/icons/hand.up.gif
/usr/share/httpd/icons/hand.up.png
/usr/share/httpd/icons/icon.sheet.gif
/usr/share/httpd/icons/icon.sheet.png
/usr/share/httpd/icons/image1.gif
/usr/share/httpd/icons/image1.png
/usr/share/httpd/icons/image2.gif
/usr/share/httpd/icons/image2.png
/usr/share/httpd/icons/image3.gif
/usr/share/httpd/icons/image3.png
/usr/share/httpd/icons/index.gif
/usr/share/httpd/icons/index.png
/usr/share/httpd/icons/layout.gif
/usr/share/httpd/icons/layout.png
/usr/share/httpd/icons/left.gif
/usr/share/httpd/icons/left.png
/usr/share/httpd/icons/link.gif
/usr/share/httpd/icons/link.png
/usr/share/httpd/icons/movie.gif
/usr/share/httpd/icons/movie.png
/usr/share/httpd/icons/odf6odb.png
/usr/share/httpd/icons/odf6odc.png
/usr/share/httpd/icons/odf6odf.png
/usr/share/httpd/icons/odf6odg.png
/usr/share/httpd/icons/odf6odi.png
/usr/share/httpd/icons/odf6odm.png
/usr/share/httpd/icons/odf6odp.png
/usr/share/httpd/icons/odf6ods.png
/usr/share/httpd/icons/odf6odt.png
/usr/share/httpd/icons/odf6otc.png
/usr/share/httpd/icons/odf6otf.png
/usr/share/httpd/icons/odf6otg.png
/usr/share/httpd/icons/odf6oth.png
/usr/share/httpd/icons/odf6oti.png
/usr/share/httpd/icons/odf6otp.png
/usr/share/httpd/icons/odf6ots.png
/usr/share/httpd/icons/odf6ott.png
/usr/share/httpd/icons/p.gif
/usr/share/httpd/icons/p.png
/usr/share/httpd/icons/patch.gif
/usr/share/httpd/icons/patch.png
/usr/share/httpd/icons/pdf.gif
/usr/share/httpd/icons/pdf.png
/usr/share/httpd/icons/pie0.gif
/usr/share/httpd/icons/pie0.png
/usr/share/httpd/icons/pie1.gif
/usr/share/httpd/icons/pie1.png
/usr/share/httpd/icons/pie2.gif
/usr/share/httpd/icons/pie2.png
/usr/share/httpd/icons/pie3.gif
/usr/share/httpd/icons/pie3.png
/usr/share/httpd/icons/pie4.gif
/usr/share/httpd/icons/pie4.png
/usr/share/httpd/icons/pie5.gif
/usr/share/httpd/icons/pie5.png
/usr/share/httpd/icons/pie6.gif
/usr/share/httpd/icons/pie6.png
/usr/share/httpd/icons/pie7.gif
/usr/share/httpd/icons/pie7.png
/usr/share/httpd/icons/pie8.gif
/usr/share/httpd/icons/pie8.png
/usr/share/httpd/icons/portal.gif
/usr/share/httpd/icons/portal.png
/usr/share/httpd/icons/poweredby.png
/usr/share/httpd/icons/ps.gif
/usr/share/httpd/icons/ps.png
/usr/share/httpd/icons/quill.gif
/usr/share/httpd/icons/quill.png
/usr/share/httpd/icons/right.gif
/usr/share/httpd/icons/right.png
/usr/share/httpd/icons/screw1.gif
/usr/share/httpd/icons/screw1.png
/usr/share/httpd/icons/screw2.gif
/usr/share/httpd/icons/screw2.png
/usr/share/httpd/icons/script.gif
/usr/share/httpd/icons/script.png
/usr/share/httpd/icons/small
/usr/share/httpd/icons/small/back.gif
/usr/share/httpd/icons/small/back.png
/usr/share/httpd/icons/small/binary.gif
/usr/share/httpd/icons/small/binary.png
/usr/share/httpd/icons/small/binhex.gif
/usr/share/httpd/icons/small/binhex.png
/usr/share/httpd/icons/small/blank.gif
/usr/share/httpd/icons/small/blank.png
/usr/share/httpd/icons/small/broken.gif
/usr/share/httpd/icons/small/broken.png
/usr/share/httpd/icons/small/burst.gif
/usr/share/httpd/icons/small/burst.png
/usr/share/httpd/icons/small/comp1.gif
/usr/share/httpd/icons/small/comp1.png
/usr/share/httpd/icons/small/comp2.gif
/usr/share/httpd/icons/small/comp2.png
/usr/share/httpd/icons/small/compressed.gif
/usr/share/httpd/icons/small/compressed.png
/usr/share/httpd/icons/small/continued.gif
/usr/share/httpd/icons/small/continued.png
/usr/share/httpd/icons/small/doc.gif
/usr/share/httpd/icons/small/doc.png
/usr/share/httpd/icons/small/folder.gif
/usr/share/httpd/icons/small/folder.png
/usr/share/httpd/icons/small/folder2.gif
/usr/share/httpd/icons/small/folder2.png
/usr/share/httpd/icons/small/forward.gif
/usr/share/httpd/icons/small/forward.png
/usr/share/httpd/icons/small/generic.gif
/usr/share/httpd/icons/small/generic.png
/usr/share/httpd/icons/small/generic2.gif
/usr/share/httpd/icons/small/generic2.png
/usr/share/httpd/icons/small/generic3.gif
/usr/share/httpd/icons/small/generic3.png
/usr/share/httpd/icons/small/image.gif
/usr/share/httpd/icons/small/image.png
/usr/share/httpd/icons/small/image2.gif
/usr/share/httpd/icons/small/image2.png
/usr/share/httpd/icons/small/index.gif
/usr/share/httpd/icons/small/index.png
/usr/share/httpd/icons/small/key.gif
/usr/share/httpd/icons/small/key.png
/usr/share/httpd/icons/small/movie.gif
/usr/share/httpd/icons/small/movie.png
/usr/share/httpd/icons/small/patch.gif
/usr/share/httpd/icons/small/patch.png
/usr/share/httpd/icons/small/ps.gif
/usr/share/httpd/icons/small/ps.png
/usr/share/httpd/icons/small/rainbow.gif
/usr/share/httpd/icons/small/rainbow.png
/usr/share/httpd/icons/small/sound.gif
/usr/share/httpd/icons/small/sound.png
/usr/share/httpd/icons/small/sound2.gif
/usr/share/httpd/icons/small/sound2.png
/usr/share/httpd/icons/small/tar.gif
/usr/share/httpd/icons/small/tar.png
/usr/share/httpd/icons/small/text.gif
/usr/share/httpd/icons/small/text.png
/usr/share/httpd/icons/small/transfer.gif
/usr/share/httpd/icons/small/transfer.png
/usr/share/httpd/icons/small/unknown.gif
/usr/share/httpd/icons/small/unknown.png
/usr/share/httpd/icons/small/uu.gif
/usr/share/httpd/icons/small/uu.png
/usr/share/httpd/icons/sound1.gif
/usr/share/httpd/icons/sound1.png
/usr/share/httpd/icons/sound2.gif
/usr/share/httpd/icons/sound2.png
/usr/share/httpd/icons/sphere1.gif
/usr/share/httpd/icons/sphere1.png
/usr/share/httpd/icons/sphere2.gif
/usr/share/httpd/icons/sphere2.png
/usr/share/httpd/icons/svg.png
/usr/share/httpd/icons/tar.gif
/usr/share/httpd/icons/tar.png
/usr/share/httpd/icons/tex.gif
/usr/share/httpd/icons/tex.png
/usr/share/httpd/icons/text.gif
/usr/share/httpd/icons/text.png
/usr/share/httpd/icons/transfer.gif
/usr/share/httpd/icons/transfer.png
/usr/share/httpd/icons/unknown.gif
/usr/share/httpd/icons/unknown.png
/usr/share/httpd/icons/up.gif
/usr/share/httpd/icons/up.png
/usr/share/httpd/icons/uu.gif
/usr/share/httpd/icons/uu.png
/usr/share/httpd/icons/uuencoded.gif
/usr/share/httpd/icons/uuencoded.png
/usr/share/httpd/icons/world1.gif
/usr/share/httpd/icons/world1.png
/usr/share/httpd/icons/world2.gif
/usr/share/httpd/icons/world2.png
/usr/share/httpd/icons/xml.png
/usr/share/httpd/noindex
/usr/share/httpd/noindex/css
/usr/share/httpd/noindex/css/bootstrap-theme.min.css
/usr/share/httpd/noindex/css/bootstrap.min.css
/usr/share/httpd/noindex/css/fonts
/usr/share/httpd/noindex/css/fonts/Bold
/usr/share/httpd/noindex/css/fonts/Bold/OpenSans-Bold.eot
/usr/share/httpd/noindex/css/fonts/Bold/OpenSans-Bold.svg
/usr/share/httpd/noindex/css/fonts/Bold/OpenSans-Bold.ttf
/usr/share/httpd/noindex/css/fonts/Bold/OpenSans-Bold.woff
/usr/share/httpd/noindex/css/fonts/BoldItalic
/usr/share/httpd/noindex/css/fonts/BoldItalic/OpenSans-BoldItalic.eot
/usr/share/httpd/noindex/css/fonts/BoldItalic/OpenSans-BoldItalic.svg
/usr/share/httpd/noindex/css/fonts/BoldItalic/OpenSans-BoldItalic.ttf
/usr/share/httpd/noindex/css/fonts/BoldItalic/OpenSans-BoldItalic.woff
/usr/share/httpd/noindex/css/fonts/ExtraBold
/usr/share/httpd/noindex/css/fonts/ExtraBold/OpenSans-ExtraBold.eot
/usr/share/httpd/noindex/css/fonts/ExtraBold/OpenSans-ExtraBold.svg
/usr/share/httpd/noindex/css/fonts/ExtraBold/OpenSans-ExtraBold.ttf
/usr/share/httpd/noindex/css/fonts/ExtraBold/OpenSans-ExtraBold.woff
/usr/share/httpd/noindex/css/fonts/ExtraBoldItalic
/usr/share/httpd/noindex/css/fonts/ExtraBoldItalic/OpenSans-ExtraBoldItalic.eot
/usr/share/httpd/noindex/css/fonts/ExtraBoldItalic/OpenSans-ExtraBoldItalic.svg
/usr/share/httpd/noindex/css/fonts/ExtraBoldItalic/OpenSans-ExtraBoldItalic.ttf
/usr/share/httpd/noindex/css/fonts/ExtraBoldItalic/OpenSans-ExtraBoldItalic.woff
/usr/share/httpd/noindex/css/fonts/Italic
/usr/share/httpd/noindex/css/fonts/Italic/OpenSans-Italic.eot
/usr/share/httpd/noindex/css/fonts/Italic/OpenSans-Italic.svg
/usr/share/httpd/noindex/css/fonts/Italic/OpenSans-Italic.ttf
/usr/share/httpd/noindex/css/fonts/Italic/OpenSans-Italic.woff
/usr/share/httpd/noindex/css/fonts/Light
/usr/share/httpd/noindex/css/fonts/Light/OpenSans-Light.eot
/usr/share/httpd/noindex/css/fonts/Light/OpenSans-Light.svg
/usr/share/httpd/noindex/css/fonts/Light/OpenSans-Light.ttf
/usr/share/httpd/noindex/css/fonts/Light/OpenSans-Light.woff
/usr/share/httpd/noindex/css/fonts/LightItalic
/usr/share/httpd/noindex/css/fonts/LightItalic/OpenSans-LightItalic.eot
/usr/share/httpd/noindex/css/fonts/LightItalic/OpenSans-LightItalic.svg
/usr/share/httpd/noindex/css/fonts/LightItalic/OpenSans-LightItalic.ttf
/usr/share/httpd/noindex/css/fonts/LightItalic/OpenSans-LightItalic.woff
/usr/share/httpd/noindex/css/fonts/Regular
/usr/share/httpd/noindex/css/fonts/Regular/OpenSans-Regular.eot
/usr/share/httpd/noindex/css/fonts/Regular/OpenSans-Regular.svg
/usr/share/httpd/noindex/css/fonts/Regular/OpenSans-Regular.ttf
/usr/share/httpd/noindex/css/fonts/Regular/OpenSans-Regular.woff
/usr/share/httpd/noindex/css/fonts/Semibold
/usr/share/httpd/noindex/css/fonts/Semibold/OpenSans-Semibold.eot
/usr/share/httpd/noindex/css/fonts/Semibold/OpenSans-Semibold.svg
/usr/share/httpd/noindex/css/fonts/Semibold/OpenSans-Semibold.ttf
/usr/share/httpd/noindex/css/fonts/Semibold/OpenSans-Semibold.woff
/usr/share/httpd/noindex/css/fonts/SemiboldItalic
/usr/share/httpd/noindex/css/fonts/SemiboldItalic/OpenSans-SemiboldItalic.eot
/usr/share/httpd/noindex/css/fonts/SemiboldItalic/OpenSans-SemiboldItalic.svg
/usr/share/httpd/noindex/css/fonts/SemiboldItalic/OpenSans-SemiboldItalic.ttf
/usr/share/httpd/noindex/css/fonts/SemiboldItalic/OpenSans-SemiboldItalic.woff
/usr/share/httpd/noindex/css/open-sans.css
/usr/share/httpd/noindex/images
/usr/share/httpd/noindex/images/apache_pb.gif
/usr/share/httpd/noindex/images/poweredby.png
/usr/share/httpd/noindex/index.html
/usr/share/man/man8/apachectl.8.gz
/usr/share/man/man8/fcgistarter.8.gz
/usr/share/man/man8/htcacheclean.8.gz
/usr/share/man/man8/httpd.8.gz
/usr/share/man/man8/rotatelogs.8.gz
/usr/share/man/man8/suexec.8.gz
/var/cache/httpd
/var/cache/httpd/proxy
/var/lib/dav
/var/log/httpd
/var/www
/var/www/cgi-bin
/var/www/html

httpd-tools

What the httpd-tools package brings into the system is shown by the rpm command with the option -qil.

 # rpm -qil httpd-tools
Name        : httpd-tools
Version     : 2.4.6
Release     : 18.el7.centos
Architecture: x86_64
Install Date: Sun 24 Aug 2014 10:22:26 PM CEST
Group       : System Environment/Daemons
Size        : 172164
License     : ASL 2.0
Signature   : RSA/SHA256, Wed 23 Jul 2014 05:21:33 PM CEST, Key ID 24c6a8a7f4a80eb5
Source RPM  : httpd-2.4.6-18.el7.centos.src.rpm
Build Date  : Wed 23 Jul 2014 04:49:10 PM CEST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://httpd.apache.org/
Summary     : Tools for use with the Apache HTTP Server
Description :
The httpd-tools package contains tools which can be used with
the Apache HTTP Server.
/usr/bin/ab
/usr/bin/htdbm
/usr/bin/htdigest
/usr/bin/htpasswd
/usr/bin/httxt2dbm
/usr/bin/logresolve
/usr/share/doc/httpd-tools-2.4.6
/usr/share/doc/httpd-tools-2.4.6/LICENSE
/usr/share/doc/httpd-tools-2.4.6/NOTICE
/usr/share/man/man1/ab.1.gz
/usr/share/man/man1/htdbm.1.gz
/usr/share/man/man1/htdigest.1.gz
/usr/share/man/man1/htpasswd.1.gz
/usr/share/man/man1/httxt2dbm.1.gz
/usr/share/man/man1/logresolve.1.gz

apr

What the apr package brings into the system is shown by the rpm command with the option -qil.

 # rpm -qil apr
Name        : apr
Version     : 1.4.8
Release     : 3.el7
Architecture: x86_64
Install Date: Sun 24 Aug 2014 10:22:24 PM CEST
Group       : System Environment/Libraries
Size        : 226686
License     : ASL 2.0 and BSD with advertising and ISC and BSD
Signature   : RSA/SHA256, Fri 04 Jul 2014 02:39:16 AM CEST, Key ID 24c6a8a7f4a80eb5
Source RPM  : apr-1.4.8-3.el7.src.rpm
Build Date  : Tue 10 Jun 2014 11:05:16 AM CEST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://apr.apache.org/
Summary     : Apache Portable Runtime library
Description :
The mission of the Apache Portable Runtime (APR) is to provide a
free library of C data structures and routines, forming a system
portability layer to as many operating systems as possible,
including Unices, MS Win32, BeOS and OS/2.
/usr/lib64/libapr-1.so.0
/usr/lib64/libapr-1.so.0.4.8
/usr/share/doc/apr-1.4.8
/usr/share/doc/apr-1.4.8/CHANGES
/usr/share/doc/apr-1.4.8/LICENSE
/usr/share/doc/apr-1.4.8/NOTICE

apr-util

What the apr-util package brings into the system is shown by the rpm command with the option -qil.

 # rpm -qil apr-util
Name        : apr-util
Version     : 1.5.2
Release     : 6.el7
Architecture: x86_64
Install Date: Sun 24 Aug 2014 10:22:26 PM CEST
Group       : System Environment/Libraries
Size        : 198751
License     : ASL 2.0
Signature   : RSA/SHA256, Fri 04 Jul 2014 02:39:25 AM CEST, Key ID 24c6a8a7f4a80eb5
Source RPM  : apr-util-1.5.2-6.el7.src.rpm
Build Date  : Tue 10 Jun 2014 04:31:06 AM CEST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://apr.apache.org/
Summary     : Apache Portable Runtime Utility library
Description :
The mission of the Apache Portable Runtime (APR) is to provide a
free library of C data structures and routines.  This library
contains additional utility interfaces for APR; including support
for XML, LDAP, database interfaces, URI parsing and more.
/usr/lib64/apr-util-1
/usr/lib64/libaprutil-1.so.0
/usr/lib64/libaprutil-1.so.0.5.2
/usr/share/doc/apr-util-1.5.2
/usr/share/doc/apr-util-1.5.2/CHANGES
/usr/share/doc/apr-util-1.5.2/LICENSE
/usr/share/doc/apr-util-1.5.2/NOTICE

mailcap

What the mailcap package brings into the system is shown by the rpm command with the option -qil.

 # rpm -qil mailcap
Name        : mailcap
Version     : 2.1.41
Release     : 2.el7
Architecture: noarch
Install Date: Sun 24 Aug 2014 10:22:27 PM CEST
Group       : System Environment/Base
Size        : 63360
License     : Public Domain and MIT
Signature   : RSA/SHA256, Fri 04 Jul 2014 05:37:02 AM CEST, Key ID 24c6a8a7f4a80eb5
Source RPM  : mailcap-2.1.41-2.el7.src.rpm
Build Date  : Tue 10 Jun 2014 02:57:23 AM CEST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://git.fedorahosted.org/git/mailcap.git
Summary     : Helper application and MIME type associations for file types
Description :
The mailcap file is used by the metamail program.  Metamail reads the
mailcap file to determine how it should display non-text or multimedia
material.  Basically, mailcap associates a particular type of file
with a particular program that a mail agent or other program can call
in order to handle the file.  Mailcap should be installed to allow
certain programs to be able to handle non-text files.

Also included in this package is the mime.types file which contains a
list of MIME types and their filename "extension" associations, used
by several applications e.g. to determine MIME types for filenames.
/etc/mailcap
/etc/mime.types
/usr/share/doc/mailcap-2.1.41
/usr/share/doc/mailcap-2.1.41/COPYING
/usr/share/doc/mailcap-2.1.41/NEWS
/usr/share/man/man4/mailcap.4.gz
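As an added example (not from the page's author, CentOS or the Apache project), the following Python script parses listings in the rpm -qil format shown above for httpd, httpd-tools, apr, apr-util and mailcap and makes two checks a defender wants before trusting a package: the Signature line must name the CentOS 7 key ID printed in the listings (24c6a8a7f4a80eb5), and the owned paths under /etc and /usr/bin or /usr/sbin are collected as the baseline to monitor. The sample listings are constructed, shortened copies of the httpd output; the rpm_qil() helper for live hosts assumes an RPM-based system and is not used by the offline run.

```python
"""Parse `rpm -qil` output and check a package's signature and owned files.

Added example for this page (not CentOS or Apache project code).  It runs
offline on constructed listings in the same format as the ones above; on a
real host rpm_qil() feeds it the live output instead."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Key ID of the CentOS 7 signing key, as printed in the Signature lines above.
TRUSTED_KEY_IDS = {"24c6a8a7f4a80eb5"}

_HEADER = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s?(?P<value>.*)$")
_KEY_ID = re.compile(r"Key ID ([0-9a-f]{16})")


@dataclass
class RpmInfo:
    name: str
    version: str
    release: str
    key_id: Optional[str]                  # None when the package is unsigned
    files: List[str] = field(default_factory=list)


def rpm_qil(package: str) -> str:
    """Live query on an RPM-based host (assumed; not used by the offline demo)."""
    return subprocess.run(["rpm", "-qil", package], capture_output=True,
                          text=True, check=True).stdout


def parse_rpm_qil(text: str) -> RpmInfo:
    """Split `rpm -qil` output into the header fields and the owned file list."""
    header = {}
    files: List[str] = []
    in_description = False
    for line in text.splitlines():
        if line.startswith("/"):           # file list: one absolute path per line
            files.append(line.rstrip())
            continue
        if in_description:                 # free text runs until the file list
            continue
        m = _HEADER.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Description":
            in_description = True
        else:
            header[key] = value
    key_match = _KEY_ID.search(header.get("Signature", ""))
    return RpmInfo(name=header["Name"], version=header["Version"],
                   release=header["Release"],
                   key_id=key_match.group(1) if key_match else None, files=files)


def audit(info: RpmInfo, trusted=TRUSTED_KEY_IDS) -> List[str]:
    """Supply-chain check: the package must carry a signature from a trusted key."""
    findings = []
    if info.key_id is None:
        findings.append(f"{info.name}-{info.version}-{info.release}: unsigned package")
    elif info.key_id not in trusted:
        findings.append(f"{info.name}: signed by unexpected key {info.key_id}")
    return findings


def config_paths(info: RpmInfo) -> List[str]:
    """Paths under /etc owned by the package: the ones to baseline and monitor."""
    return [f for f in info.files if f.startswith("/etc/")]


def executables(info: RpmInfo) -> List[str]:
    """Programs the package installs under /usr/bin and /usr/sbin."""
    return [f for f in info.files if f.startswith(("/usr/bin/", "/usr/sbin/"))]


# Constructed sample in the layout of `rpm -qil httpd` above (file list shortened).
SAMPLE_HTTPD = """\
Name        : httpd
Version     : 2.4.6
Release     : 18.el7.centos
Architecture: x86_64
Signature   : RSA/SHA256, Wed 23 Jul 2014 05:21:22 PM CEST, Key ID 24c6a8a7f4a80eb5
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/welcome.conf
/usr/sbin/httpd
/usr/sbin/suexec
/var/www/html
"""

# Constructed: the same package with no signature, to show the failure mode.
SAMPLE_UNSIGNED = SAMPLE_HTTPD.replace(
    "RSA/SHA256, Wed 23 Jul 2014 05:21:22 PM CEST, Key ID 24c6a8a7f4a80eb5", "(none)")


if __name__ == "__main__":
    for sample in (SAMPLE_HTTPD, SAMPLE_UNSIGNED):
        info = parse_rpm_qil(sample)
        print(info.name, info.version, "key:", info.key_id, "findings:", audit(info))
        print("  config:", config_paths(info), "executables:", executables(info))
```

On a real host, pass rpm_qil("httpd") to parse_rpm_qil(); the config paths it returns are the files whose later changes rpm -V httpd will report against the package's recorded checksums.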

The configuration of the Apache web server httpd is not done with one large configuration file; it is split into smaller, special-purpose configuration files, each tailored to a particular use case.

We find all of these files in the directory /etc/httpd.

/etc/httpd/
├── conf
│   ├── httpd.conf
│   └── magic
├── conf.d
│   ├── autoindex.conf
│   ├── README
│   ├── userdir.conf
│   └── welcome.conf
├── conf.modules.d
│   ├── 00-base.conf
│   ├── 00-dav.conf
│   ├── 00-lua.conf
│   ├── 00-mpm.conf
│   ├── 00-proxy.conf
│   ├── 00-systemd.conf
│   └── 01-cgi.conf
├── logs -> ../../var/log/httpd
├── modules -> ../../usr/lib64/httpd/modules
└── run -> /run/httpd

6 directories, 13 files
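To see how httpd assembles this split layout, here is an added example (not part of the original page and not code from the httpd project): a Python script that resolves Include and IncludeOptional globs the way httpd reads them, relative to ServerRoot and in sorted order, and then audits the security-relevant directives of the stock CentOS 7 configuration (Listen, the denied <Directory />, Options on the document root, AllowOverride, <Files ".ht*"> and User). It writes a constructed miniature /etc/httpd tree into a temporary directory, so it needs no real installation; the address and host name in the sample are the ones used on this page, and the IncludeOptional conf.d/*.conf line at the end of the stock file is assumed from the CentOS 7 package.

```python
"""Resolve a split /etc/httpd layout the way httpd reads it and audit the
security-relevant directives.  Added example, not httpd project code; the
miniature config tree is constructed here and written to a temporary
directory, so nothing on the real system is read."""
import glob
import os
import re
import tempfile
from typing import List, Optional, Tuple

Section = Optional[Tuple[str, str]]   # enclosing container, e.g. ("Directory", "/")
Entry = Tuple[Section, str, str]      # (section, directive name, argument string)

_OPEN = re.compile(r"^<(\w+)\s*(.*?)>$")
_CLOSE = re.compile(r"^</\w+>$")


def load_config(path: str, server_root: str, stack: Optional[list] = None) -> List[Entry]:
    """Flatten one file and everything it Includes into (section, directive, args).
    Include patterns are resolved relative to server_root and processed in
    sorted order, as httpd walks conf.modules.d/*.conf.  Comments are dropped."""
    stack = [] if stack is None else stack
    entries: List[Entry] = []
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if _CLOSE.match(line):
                stack.pop()
                continue
            opened = _OPEN.match(line)
            if opened:
                stack.append((opened.group(1), opened.group(2).strip('"')))
                continue
            parts = line.split(None, 1)
            name, args = parts[0], (parts[1] if len(parts) > 1 else "")
            if name.lower() in ("include", "includeoptional"):
                pattern = args.strip('"')
                if not os.path.isabs(pattern):
                    pattern = os.path.join(server_root, pattern)
                for included in sorted(glob.glob(pattern)):
                    entries.extend(load_config(included, server_root, stack))
                continue
            entries.append((stack[-1] if stack else None, name, args))
    return entries


def audit(entries: List[Entry]) -> List[str]:
    """Check the directives discussed on this page; an empty list means clean."""
    findings: List[str] = []

    def values(section: Section, directive: str) -> List[str]:
        return [a for s, n, a in entries
                if s == section and n.lower() == directive.lower()]

    roots = values(None, "DocumentRoot")
    docroot = roots[-1].strip('"') if roots else "/var/www/html"
    # Listen without an address (the stock 'Listen 80') binds every interface.
    for args in values(None, "Listen"):
        addr = args.split()[0] if args else ""
        if ":" not in addr or addr.startswith(("0.0.0.0:", "[::]:")):
            findings.append(f"Listen {args}: binds all interfaces")
    # httpd drops to this user after start-up; it must not stay root.
    for user in values(None, "User"):
        if user.lower() == "root":
            findings.append("User root: run httpd as a dedicated unprivileged user")
    # The filesystem root stays denied; content directories are opened explicitly.
    if "all denied" not in [v.lower() for v in values(("Directory", "/"), "Require")]:
        findings.append("<Directory />: missing 'Require all denied'")
    # 'Indexes' (or 'All') on the document root serves directory listings and
    # so exposes every file that is not linked from a page.
    for opts in values(("Directory", docroot), "Options"):
        words = {w.lower().lstrip("+") for w in opts.split()}
        if "indexes" in words or "all" in words:
            findings.append(f"<Directory {docroot}>: 'Options {opts}' enables directory listings")
    # AllowOverride All lets any .htaccess in the tree change these settings.
    for section, name, args in entries:
        if section and name.lower() == "allowoverride" and args.lower() == "all":
            findings.append(f"<{section[0]} {section[1]}>: AllowOverride All")
    # .htaccess/.htpasswd must never be served to clients.
    if "all denied" not in [v.lower() for v in values(("Files", ".ht*"), "Require")]:
        findings.append("<Files \".ht*\">: missing 'Require all denied'")
    return findings


# Constructed excerpt of the stock CentOS 7 httpd.conf with this page's values;
# {options} is filled in by build_demo_tree().
STOCK_HTTPD_CONF = """\
ServerRoot "/etc/httpd"
Listen 10.0.0.97:80
Include conf.modules.d/*.conf
User apache
Group apache
ServerName www7.nausch.org:80
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options {options}
    AllowOverride None
    Require all granted
</Directory>
<Files ".ht*">
    Require all denied
</Files>
IncludeOptional conf.d/*.conf
"""


def build_demo_tree(root: str, options: str) -> str:
    """Write the constructed miniature /etc/httpd under root; return httpd.conf's path."""
    for sub in ("conf", "conf.d", "conf.modules.d"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    with open(os.path.join(root, "conf.modules.d", "00-base.conf"), "w") as fh:
        fh.write("LoadModule dir_module modules/mod_dir.so\n")
    with open(os.path.join(root, "conf.d", "welcome.conf"), "w") as fh:
        fh.write('<LocationMatch "^/+$">\n    Options -Indexes\n</LocationMatch>\n')
    conf = os.path.join(root, "conf", "httpd.conf")
    with open(conf, "w") as fh:
        fh.write(STOCK_HTTPD_CONF.format(options=options))
    return conf


def audit_demo(options: str) -> List[str]:
    """Build the tree with the given Options line for the document root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        return audit(load_config(build_demo_tree(root, options), root))


if __name__ == "__main__":
    for opts in ("Indexes FollowSymLinks", "FollowSymLinks"):
        print(f"Options {opts}:", audit_demo(opts) or ["no findings"])
```

With the stock "Options Indexes FollowSymLinks" on /var/www/html the audit reports the directory listing; with "FollowSymLinks" alone it reports nothing. On a real host call load_config("/etc/httpd/conf/httpd.conf", "/etc/httpd") and hand the result to audit(); the findings are a review aid, and the online documentation that httpd.conf itself points to remains the reference for each directive.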

httpd.conf

In the web server's main configuration file /etc/httpd/conf/httpd.conf we find, besides the configuration statements, further directives.

Right at the beginning of the configuration file there is the following important note:

Do NOT simply read the instructions in here without understanding what they do. They're here only as hints or reminders. If you are unsure consult the online docs. You have been warned.

When in doubt, we therefore fall back on the online documentation for the Apache HTTP Server version 2.4. With the editor of our choice, e.g. vim, we now open this main configuration file.

 # vim /etc/httpd/conf/httpd.conf
/etc/httpd/conf/httpd.conf
#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see 
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
# with ServerRoot set to '/www' will be interpreted by the
# server as '/www/log/access_log', where as '/log/access_log' will be
# interpreted as '/log/access_log'.
 
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/etc/httpd"
 
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
# Django : 2014-08-24
# default: Listen 80
Listen 10.0.0.97:80
 
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf
 
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.  
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User apache
Group apache
 
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
 
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
# Django : 2014-08-24
# default: ServerAdmin root@localhost
ServerAdmin webmaster@nausch.org
 
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
# Django : 2014-08-24
# default: unset
ServerName www7.nausch.org:80
 
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other 
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>
 
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
 
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"
 
#
# Relax access to content within /var/www.
#
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>
 
# Further relax access to the default document root:
<Directory "/var/www/html">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks
 
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None
 
    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>
 
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
 
#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<Files ".ht*">
    Require all denied
</Files>
 
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"
 
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
 
<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
 
    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
 
    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    #CustomLog "logs/access_log" common
 
    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    CustomLog "logs/access_log" combined
</IfModule>
 
<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to 
    # exist in your server's namespace, but do not anymore. The client 
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar
 
    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.
 
    #
    # ScriptAlias: This controls which directories contain server scripts. 
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
 
</IfModule>
 
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
 
<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig /etc/mime.types
 
    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
 
    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi
 
    # For type maps (negotiated resources):
    #AddHandler type-map var
 
    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
 
#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default.  To use the 
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8
 
<IfModule mime_magic_module>
    #
    # The mod_mime_magic module allows the server to use various hints from the
    # contents of the file itself to determine its type.  The MIMEMagicFile
    # directive tells the module where the hint definitions are located.
    #
    MIMEMagicFile conf/magic
</IfModule>
 
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
 
#
# EnableMMAP and EnableSendfile: On systems that support it, 
# memory-mapping or the sendfile syscall may be used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted 
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults if commented: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
EnableSendfile on
 
# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

Packet filter/firewall

So that our visitors can open connections to the opened ports http/80 AND https/443 of our Apache web server, we still have to make changes to the firewalld packet filter for them.

Under CentOS 7 the dynamic firewalld is used as the default firewall. One major advantage of dynamic packet filter rules is, among other things, that activating new firewall rule(s) does not require restarting the daemon, which would briefly interrupt all active connections. Instead, our changes can be activated or deactivated again on the fly.

Using the program firewall-cmd we now create a permanent rule in the zone public, which in our example corresponds to the network interface eth0 with the IP 10.0.0.70. As source IP we do not specify any particular addresses, which corresponds to 0.0.0.0. Enough of the preamble; the following commands open the two ports 80 and 443.

 # firewall-cmd --permanent --zone=public --add-service=http
 success
 # firewall-cmd --permanent --zone=public --add-service=https
 success

Afterwards we reload the firewall daemon once and then check whether the rules have taken effect as we defined them.

 # firewall-cmd --reload
 success

Afterwards we can query which services are open in the zone public.

 # firewall-cmd --zone=public --list-services
 http https ssh

Likewise we can of course use the command iptables to check whether the extension of our packet filter is active.

 # iptables -nvL IN_public_allow
Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW

First manual start

 # systemctl start httpd.service

The start of our web server is recorded accordingly in the error log.

 # less /var/log/httpd/error_log
[Sun Aug 24 23:23:40.508454 2014] [suexec:notice] [pid 21449] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Aug 24 23:23:40.524746 2014] [auth_digest:notice] [pid 21449] AH01757: generating secret for digest authentication ...
[Sun Aug 24 23:23:40.525666 2014] [lbmethod_heartbeat:notice] [pid 21449] AH02282: No slotmem from mod_heartmonitor
[Sun Aug 24 23:23:40.529321 2014] [mpm_prefork:notice] [pid 21449] AH00163: Apache/2.4.6 (CentOS) configured -- resuming normal operations
[Sun Aug 24 23:23:40.529360 2014] [core:notice] [pid 21449] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

The status of the web server can also be queried with the command systemctl.

 # systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Sun 2014-08-24 23:23:40 CEST; 1min 28s ago
 Main PID: 21449 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─21449 /usr/sbin/httpd -DFOREGROUND
           ├─21450 /usr/sbin/httpd -DFOREGROUND
           ├─21451 /usr/sbin/httpd -DFOREGROUND
           ├─21452 /usr/sbin/httpd -DFOREGROUND
           ├─21453 /usr/sbin/httpd -DFOREGROUND
           └─21454 /usr/sbin/httpd -DFOREGROUND

Aug 24 23:23:40 vml000097.dmz.nausch.org systemd[1]: Started The Apache HTTP Server.

Automatic start at system boot

If we want the daemon to start automatically when the system boots, we use the command systemctl.

 # systemctl enable httpd.service
 ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'

Whether the daemon is started at system boot or not can also be found out with the command systemctl.

 # systemctl is-enabled httpd.service
 enabled

If the server does not start automatically, "disabled" is returned.

Firefox

When we now call the URL of our web server for the first time, a modified error page is presented to us.

 # firefox http://www7.nausch.org

Image: Firefox view of the default error page of the Apache web server 2.4 under CentOS 7

In the error log of our web server we see the following message accordingly.

 [Sun Aug 24 23:29:11.868715 2014] [autoindex:error] [pid 21450] [client 10.0.0.20:53369] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive

In the access log we find the access to the modified default page.

 # less /var/log/httpd/access_log
10.0.0.20 - - [24/Aug/2014:23:29:11 +0200] "GET / HTTP/1.1" 403 4880 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [24/Aug/2014:23:29:11 +0200] "GET /css/bootstrap.min.css HTTP/1.1" 200 19341 "http://www7.nausch.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [24/Aug/2014:23:29:11 +0200] "GET /css/open-sans.css HTTP/1.1" 200 5081 "http://www7.nausch.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [24/Aug/2014:23:29:11 +0200] "GET /images/apache_pb.gif HTTP/1.1" 200 2326 "http://www7.nausch.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [24/Aug/2014:23:29:11 +0200] "GET /images/poweredby.png HTTP/1.1" 200 3956 "http://www7.nausch.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 233 "http://www7.nausch.org/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 231 "http://www7.nausch.org/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 230 "http://www7.nausch.org/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 232 "http://www7.nausch.org/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
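
Because these lines follow the "combined" LogFormat defined in httpd.conf, they can be parsed mechanically. The following Python script is an added example (not part of the original page or of the httpd project): it parses a constructed, shortened copy of the access_log lines shown above, counts status codes per client and collects the paths that produced a 404, which is the usual starting point for spotting broken links or probing clients in a log.

```python
import re
from collections import Counter, defaultdict

# Regular expression for Apache's "combined" LogFormat:
#   %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: a shortened copy of the access_log lines shown above.
SAMPLE_LOG = """\
10.0.0.20 - - [24/Aug/2014:23:29:11 +0200] "GET / HTTP/1.1" 403 4880 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [24/Aug/2014:23:29:11 +0200] "GET /css/bootstrap.min.css HTTP/1.1" 200 19341 "http://www7.nausch.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 233 "http://www7.nausch.org/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [29/Aug/2014:15:24:20 +0200] "GET / HTTP/1.1" 200 260 "-" "-"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # %r is "METHOD PATH PROTOCOL"; malformed requests may carry fewer fields
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if len(parts) > 0 else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["protocol"] = parts[2] if len(parts) > 2 else ""
    return rec


def summarize(log_text):
    """Aggregate status codes overall and per client; collect paths that produced 404s."""
    statuses = Counter()
    by_client = defaultdict(Counter)
    missing = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep count of lines the regex did not accept
            continue
        statuses[rec["status"]] += 1
        by_client[rec["host"]][rec["status"]] += 1
        if rec["status"] == 404:
            missing.append(rec["path"])
    return {
        "statuses": dict(statuses),
        "by_client": {h: dict(c) for h, c in by_client.items()},
        "missing": missing,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

One caveat: httpd escapes a literal double quote inside a logged field as `\"`, which the simple `[^"]*` groups above do not handle; lines with such fields end up in the `unparsed` count rather than being silently misread, so that counter is worth checking before trusting a summary.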

If we use a text browser such as elinks and call the URL of our web server, a modified error page is presented here as well.

 # elinks http://www7.nausch.org

Image: elinks view of the default error page of the Apache web server 2.4 under CentOS 7

In the error log of our Apache web server a corresponding log line is of course generated again.

 # less /var/log/httpd/error_log
 [Fri Aug 29 13:51:14.353130 2014] [autoindex:error] [pid 4741] [client 10.0.0.20:47188] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.php) found, and server-generated directory index forbidden by Options directive

In the access log we find the access to the modified default page.

 # less /var/log/httpd/access_log
10.0.0.20 - - [29/Aug/2014:13:51:14 +0200] "GET / HTTP/1.1" 403 4880 "-" "ELinks/0.12pre6 (textmode; Linux; 177x53-2)"
10.0.0.20 - - [29/Aug/2014:13:51:14 +0200] "GET /css/open-sans.css HTTP/1.1" 200 5081 "http://www7.nausch.org/" "ELinks/0.12pre6 (textmode; Linux; 177x53-2)"
10.0.0.20 - - [29/Aug/2014:13:51:14 +0200] "GET /css/bootstrap.min.css HTTP/1.1" 200 19341 "http://www7.nausch.org/" "ELinks/0.12pre6 (textmode; Linux; 177x53-2)"

telnet

For testing the server you basically do not even need a browser. Since the HTTP protocol runs in plain text, it can be tested at any time with a simple telnet. To do this we simply open a connection to port 80 of our web server with telnet and then type the required commands by hand.

After connecting to the server we specify which document we want to fetch and which protocol version is to be used. Finally we specify from which host we want to fetch the data and finish our input with an empty line.

In the test, the input on the testing client is marked in blue, the replies of our web server in black. The output of the telnet command is coloured red.

So we open a connection to our web server on HTTP port 80.

$ telnet www7.nausch.org 80
Trying 10.0.0.97...
Connected to 10.0.0.97.
Escape character is '^]'.
The connection to our web server is established and it now awaits our further input.

GET / HTTP/1.1
HOST:www7.nausch.org
Connection: close

With this we have told the web server that we want to retrieve the root/main directory /, using protocol version HTTP/1.1, and that we want to fetch it for the URL or from the host www7.nausch.org.

HTTP/1.1 403 Forbidden
Date: Fri, 29 Aug 2014 12:20:43 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 17 Jun 2014 16:00:47 GMT
ETag: "1310-4fc0a3f32a9c0"
Accept-Ranges: bytes
Content-Length: 4880
Connection: close
Content-Type: text/html; charset=UTF-8

Since we did not specify an HTML page but tried to retrieve the directory /, our web server answers the request with the error code 403 Forbidden. Afterwards the CentOS-specific error page is output.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
                <title>Apache HTTP Server Test Page powered by CentOS</title>
                <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

    <!-- Bootstrap -->
    <link href="css/bootstrap.min.css" rel="stylesheet">
    <link rel="stylesheet" href="css/open-sans.css" type="text/css" />

<style type="text/css"><!--              

body {
  font-family: "Open Sans", Helvetica, sans-serif;
  font-weight: 100;
  color: #ccc;
  background: rgba(10, 24, 55, 1);
  font-size: 16px;
}

h2, h3, h4 {
  font-weight: 200;
}

h2 {
  font-size: 28px;
}

.jumbotron {
  margin-bottom: 0;
  color: #333;
  background: rgb(212,212,221); /* Old browsers */
  background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); /* W3C */
}

.jumbotron h1 {
  font-size: 128px;
  font-weight: 700;
  color: white;
  text-shadow: 0px 2px 0px #abc,
               0px 4px 10px rgba(0,0,0,0.15),
               0px 5px 2px rgba(0,0,0,0.1),
               0px 6px 30px rgba(0,0,0,0.1);
}

.jumbotron p {
  font-size: 28px;
  font-weight: 100;
}

.main {
   background: white;
   color: #234;
   border-top: 1px solid rgba(0,0,0,0.12);
   padding-top: 30px;
   padding-bottom: 40px;
}

.footer {
   border-top: 1px solid rgba(255,255,255,0.2);
   padding-top: 30px;
}

    --></style>
</head>
<body>
  <div class="jumbotron text-center">
    <div class="container">
          <h1>Testing 123..</h1>
                <p class="lead">This page is used to test the proper operation of the <a href="http://apache.org">Apache HTTP server</a> after it has been installed. If you can read this page it means that this site is working properly. This server is powered by <a href="http://centos.org">CentOS</a>.</p>
                </div>
  </div>
  <div class="main">
    <div class="container">
       <div class="row">
                        <div class="col-sm-6">
                        <h2>Just visiting?</h2>
                                        <p class="lead">The website you just visited is either experiencing problems or is undergoing routine maintenance.</p>
                                        <p>If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name "webmaster" and directed to the website's domain should reach the appropriate person.</p>
                                        <p>For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".</p>
                                </div>
                                <div class="col-sm-6">
                                        <h2>Are you the Administrator?</h2>
                                        <p>You should add your website content to the directory <tt>/var/www/html/</tt>.</p>
                                        <p>To prevent this page from ever being used, follow the instructions in the file <tt>/etc/httpd/conf.d/welcome.conf</tt>.</p>

                                        <h2>Promoting Apache and CentOS</h2>
                                        <p>You are free to use the images below on Apache and CentOS Linux powered HTTP servers.  Thanks for using Apache and CentOS!</p>
                                        <p><a href="http://httpd.apache.org/"><img src="images/apache_pb.gif" alt="[ Powered by Apache ]"></a> <a href="http://www.centos.org/"><img src="images/poweredby.png" alt="[ Powered by CentOS Linux ]" height="31" width="88"></a></p>
                                </div>
                        </div>
            </div>
                </div>
        </div>
          <div class="footer">
      <div class="container">
        <div class="row">
          <div class="col-sm-6">          
            <h2>Important note:</h2>
            <p class="lead">The CentOS Project has nothing to do with this website or its content,
            it just provides the software that makes the website run.</p>
            
            <p>If you have issues with the content of this site, contact the owner of the domain, not the CentOS project. 
            Unless you intended to visit CentOS.org, the CentOS Project does not have anything to do with this website,
            the content or the lack of it.</p>
            <p>For example, if this website is www.example.com, you would find the owner of the example.com domain at the following WHOIS server:</p>
            <p><a href="http://www.internic.net/whois.html">http://www.internic.net/whois.html</a></p>
          </div>
          <div class="col-sm-6">
            <h2>The CentOS Project</h2>
            <p>The CentOS Linux distribution is a stable, predictable, manageable and reproduceable platform derived from 
               the sources of Red Hat Enterprise Linux (RHEL).<p>
            
            <p>Additionally to being a popular choice for web hosting, CentOS also provides a rich platform for open source communities to build upon. For more information
               please visit the <a href="http://www.centos.org/">CentOS website</a>.</p>
          </div>
        </div>
                  </div>
    </div>
  </div>
</body></html>

Since we had specified Connection: close in our request, the connection to the web server is closed again.

Connection closed by foreign host.
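
The same exchange can be scripted. The Python program below is an added example (not from the original page or the httpd project): it stands up Python's built-in http.server on a loopback port in place of httpd, serving a temporary DocumentRoot with one constructed index.html, then sends exactly the request typed into telnet above over a raw socket (request line, Host header, Connection: close, empty line) and parses the status line, headers and body of the reply. The host name www7.example.test in the Host header is a placeholder; the built-in server ignores it, httpd would use it for vHost selection.

```python
import os
import socket
import tempfile
import threading
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler


class QuietHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler without per-request logging to stderr."""

    def log_message(self, fmt, *args):
        pass


def start_test_server(docroot):
    """Serve docroot on a random loopback port in a background thread (stand-in for httpd)."""
    server = HTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=docroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def raw_get(host, port, path="/", host_header=None):
    """Send a hand-written HTTP/1.1 GET, like the telnet session above, and parse the reply."""
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host_header or host}\r\n"
        "Connection: close\r\n"
        "\r\n"                       # empty line terminates the request header
    ).encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        while True:                  # Connection: close -> read until the server hangs up
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    version, status, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(status), "reason": reason,
            "headers": headers, "body": body}


def demo():
    """Serve a one-file DocumentRoot, fetch an existing and a missing resource."""
    with tempfile.TemporaryDirectory() as docroot:
        with open(os.path.join(docroot, "index.html"), "wb") as f:
            f.write(b"<html>first test page</html>\n")   # constructed content
        server = start_test_server(docroot)
        try:
            port = server.server_address[1]
            ok = raw_get("127.0.0.1", port, "/", host_header="www7.example.test")
            missing = raw_get("127.0.0.1", port, "/nope.html")
        finally:
            server.shutdown()
            server.server_close()
    return ok, missing


if __name__ == "__main__":
    for reply in demo():
        print(reply["version"], reply["status"], reply["reason"], reply["headers"])
```

Reading until the peer closes is only correct because the request asked for Connection: close; with a keep-alive request the client would have to honour Content-Length or chunked transfer encoding instead, which is why the telnet session above set that header too.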

First web page

Since we naturally do not want to settle for the default error page of our Apache web server, we create our first own minimalistic HTML page; for this we use the editor of our choice, e.g. vim. We create the HTML document in the DocumentRoot /var/www/html/ of our web server.

# vim /var/www/html/index.html
<html>
Unserer erste <b>html</b>-Testseite!<br>
Weiter Informationen zum Apache-Webserver finden wir im <a href="https://dokuwiki.nausch.org/doku.php/centos:web_c7:start">Djangos Dokuwiki</a> ;)
</html>

Now we can browse to our first own web page, as usual with the browser of our choice. For the access test with telnet the same applies again: "The input on the testing client is marked in blue, the replies of our web server in black. The output of the telnet command is coloured red."

 $ firefox www7.nausch.org
 $ elinks www7.nausch.org

$ telnet www7.nausch.org 80
Trying 10.0.0.97...
Connected to 10.0.0.97.
Escape character is '^]'.
GET / HTTP/1.1
HOST:www7.nausch.org
Connection: close

HTTP/1.1 200 OK
Date: Fri, 29 Aug 2014 13:24:20 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Fri, 29 Aug 2014 13:15:34 GMT
ETag: "104-501c472c8a108"
Accept-Ranges: bytes
Content-Length: 260
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
Dies ist unserer erste <b>html</b>-Testseite!<br> zum Testen der Konfiguration unseres Web-servers.

Weiter Informationen zum Apache-Webserver finden wir in <a href="https://dokuwiki.nausch.org/doku.php/centos:web_c7:start">Djangos WIKI</a> ;)
</html>

Connection closed by foreign host.

In the access log of our web server we then also see the successful accesses to our first index.html.

... 
 
10.0.0.20 - - [29/Aug/2014:15:15:49 +0200] "GET / HTTP/1.1" 200 260 "-" "ELinks/0.12pre6 (textmode; Linux; 177x53-2)"
10.0.0.20 - - [29/Aug/2014:15:16:36 +0200] "GET / HTTP/1.1" 200 260 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.20 - - [29/Aug/2014:15:23:54 +0200] "GET /index.html HTTP/1.1" 200 260 "-" "-"
10.0.0.20 - - [29/Aug/2014:15:24:20 +0200] "GET / HTTP/1.1" 200 260 "-" "-"
 
...

First (name-based) vHOST

Our web server is later to deliver pages for different (sub)domains. For this we will use name-based virtual hosts, or vHOSTs for short. A detailed description can also be found, among other places, in the description of name-based virtual host support.

In the following configuration example we want to configure a web server for the two host names cam.mail-server.guru and test.mail-server.guru that delivers the pages of both vHosts.

First we create two directories on our server for the two vHosts.

 # mkdir /var/www/vhost1
 # mkdir /var/www/vhost2

In the new subdirectories we then place a separate index.html file each.

 # vim /var/www/vhost1/index.html
/var/www/vhost1/index.html
<html>
<h1>vHost 1</h1>
Dies ist die <b>index.html</b>-Startseite unseres ersten vHosts bzw. default-Host unseres Web-servers.<br>
<br>
Weitere Informationen zum Apache-Webserver finden wir im <a href="https://dokuwiki.nausch.org/doku.php/centos:web_c7:start">Djangos WIKI</a> ;)
</html>
 # vim /var/www/vhost2/index.html
/var/www/vhost2/index.html
<html>
<h1>vHost 2</h1>
Dies ist die <b>index.html</b>-Startseite unseres zweiten vHosts unseres Web-servers.<br>
</html>

We thus have the following directory structure.

/var/www/
├── cgi-bin
├── html
├── vhost1
│   └── index.html
└── vhost2
    └── index.html

What we need now is the corresponding configuration (file) for this example. Through the directive IncludeOptional in the configuration file /etc/httpd/conf/httpd.conf, all files with the extension .conf are included in alphabetical order.

 # vim /etc/httpd/conf/httpd.conf
/etc/httpd/conf/httpd.conf
...
 
# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

Whether we create one file with all vHost definitions or split them into separate files ultimately does not matter. Splitting into separate configuration files has the advantage that it is easier to keep an overview with many vHosts, and individual vHosts can be deactivated quickly by renaming the configuration file or moving it to another directory. The name component 80 also symbolises HTTP port 80.

So we create a file for our first host.

 # vim /etc/httpd/conf.d/80_test.mail-server.guru.conf
/etc/httpd/conf.d/80_test.mail-server.guru.conf
#
# Django : 2014-08-29
#          vHost test.sec-mail.guru
#
 
<VirtualHost *:80>
    ServerAdmin webmaster@nausch.org
    ServerName test.sec-mail.guru
    ServerPath /
    DocumentRoot "/var/www/vhost1"
 
    <Directory "/var/www/vhost1">
        Options FollowSymLinks
        AllowOverride none
        Require all granted
    </Directory>
 
    DirectoryIndex index.html
    ErrorLog logs/test.mail-server.guru_error.log
    CustomLog logs/test.mail-server.guru_access.log combined
</VirtualHost>

And for our second vHOST we also create the necessary configuration file.

 # vim /etc/httpd/conf.d/80_cam.mail-server.guru.conf
/etc/httpd/conf.d/80_cam.mail-server.guru.conf
#
# Django : 2014-08-29
#          vHost webcam.sec-mail.guru
#
 
<VirtualHost *:80>
    ServerAdmin webmaster@nausch.org
    ServerName webcam.sec-mail.guru
    ServerAlias cam.sec-mail.guru
    ServerPath /
    DocumentRoot "/var/www/vhost2"
 
    <Directory "/var/www/vhost2">
        Options FollowSymLinks
        AllowOverride none
        Require all granted
    </Directory>
 
    DirectoryIndex index.html
    ErrorLog logs/webcam.mail-server.guru_error.log
    CustomLog logs/webcam.mail-server.guru_access.log combined
</VirtualHost>

Now it is time to inform our web server of the configuration change. Before we do so, however, we check whether the configuration files of our web server still contain any syntax errors. For this we use the following call.

 # apachectl -t
 Syntax OK

Since no syntax error was found, we perform a reload of our Apache web server.

 # systemctl reload httpd.service

Since each vHOST writes its accesses and errors to separate log files, troubleshooting or analysing the individual customer vHOSTs is easier than with large files into which every single vHOST would write.

/var/log/httpd/
├── access_log
├── test.mail-server.guru_access.log
├── test.mail-server.guru_error.log
├── webcam.mail-server.guru_access.log
├── webcam.mail-server.guru_error.log
└── error_log

In the configuration example the second vHOST is reachable both under the name webcam.sec-mail.guru and under cam.sec-mail.guru. This was realised with the parameter ServerAlias.

A detailed description and documentation of the individual configuration directives and options can be found in the Apache documentation on virtual hosts.

Name-based default vHOST

If we use name-based virtual hosts, our web server checks whether the request used the server's IP address. Then all <VirtualHost> sections with the IP address used are compared, checking whether the chosen host name matches a ServerName or a ServerAlias directive. On a positive result the configuration of this vHOST is used, as e.g. in the previous configuration example. If no matching vHOST is found, however, the configuration of the first vHOST is used!

Important
Since we configure all our vHOSTs in separate files, we have to make sure that the configuration file comes right at the beginning of the directory, because the Apache web server reads the individual configuration files in the directory /etc/httpd/conf.d/ in alphabetical order. We achieve this quite simply by prefixing the vHOST's file name with a 10.

For this special case we can also define a dedicated vHOST configuration, namely the _default_ vHOST. Further information can be found in the description of Using _default_ vhosts.

So we create a special vHOST for this.

 # vim /etc/httpd/conf.d/10_default_vHost.conf
/etc/httpd/conf.d/10_default_vHost.conf
#
# Django : 2014-08-29
#          default vHost sec-mail.guru
#
 
<VirtualHost _default_:80>
    ServerAdmin webmaster@nausch.org
    ServerName sec-mail.guru
    ServerAlias www.sec-mail.guru
    ServerPath /
    DocumentRoot "/var/www/default"
 
    <Directory "/var/www/default">
        Options FollowSymLinks
        AllowOverride none
        Require all granted
    </Directory>
 
    DirectoryIndex index.html
    ErrorLog logs/default-host_sec-mail.guru_error.log
    CustomLog logs/default-host_sec-mail.guru_access.log combined
</VirtualHost>

Here too we check that no typo has crept in somewhere.

 # apachectl -t
 Syntax OK

Afterwards we reload the server so that it re-reads the configuration files.

 # systemctl reload httpd.service

We do not always want to make the content our web server provides available to every visitor. Certain confidential data should often be offered only to a limited group of users. Those visitors then have to identify themselves with a name and the associated password.

In the following two configuration examples we set up this function in two different ways.

Basic Authentication

The simplest login variant is PasswordBasicAuth. The authorised users and their passwords are kept in a configuration file that lies outside the web server's document area, the DocumentRoot.

We manage the corresponding user data with the htpasswd command from the httpd-tools RPM.

If we have not created a password file yet, we generate it with the following call. Whether a user name or an e-mail address is used for authentication does not matter.

 # htpasswd -c /etc/httpd/.htpasswd django@sec-mail.guru
 New password: 
 Re-type new password:

The password we entered twice is stored by default as a salted MD5 digest (the apr1 format). This can be recognised by the $apr1$ prefix.

 # cat /etc/httpd/.htpasswd
 django@sec-mail.guru:$apr1$YyiOChB1$FoEbQKJ.lgbVrD4lh7CN2.

To add another user we call htpasswd without the -c parameter.

 # htpasswd /etc/httpd/.htpasswd django
 New password: 
 Re-type new password:

The .htpasswd file now contains two login names and their associated hashed passwords.

 # cat /etc/httpd/.htpasswd
 django:$apr1$4lnKyN.k$A6mfy5g6yxOgZWn9IcCNg.
 django@sec-mail.guru:$apr1$YyiOChB1$FoEbQKJ.lgbVrD4lh7CN2.
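As an added example (not part of the original page and not Apache's code), the following Python script shows what is actually stored in such an entry: it re-implements the $apr1$ hash that htpasswd writes by default, verifies a password against an entry the way htpasswd -v does, and audits a .htpasswd file for the hash scheme each account uses. The sample file content is constructed here (the two $apr1$ lines are the ones shown above; the {SHA} and $2y$ lines are dummies, not real hashes), and all function names are my own.

```python
import hashlib
import hmac
import re

# Constructed sample .htpasswd content. The two $apr1$ entries are the ones shown
# above; the {SHA} and $2y$ lines are dummies added here to exercise the classifier.
SAMPLE_HTPASSWD = """\
django:$apr1$4lnKyN.k$A6mfy5g6yxOgZWn9IcCNg.
django@sec-mail.guru:$apr1$YyiOChB1$FoEbQKJ.lgbVrD4lh7CN2.
legacy:{SHA}dummy-sha1-entry=
modern:$2y$05$dummy-bcrypt-entry
"""

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    """Encode the low 6*n bits of value with the crypt(3) alphabet, least significant first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(n))


def apr1_crypt(password, salt):
    """Apache $apr1$ hash, as apr_md5_encode() computes it: MD5 over password, magic and
    salt, 1000 stretching rounds, then a custom base64 layout of the 16 result bytes."""
    pw = password.encode("utf-8")
    salt_b = salt[:8].encode("ascii")          # htpasswd uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$apr1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    pl = len(pw)
    while pl > 0:                              # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                                   # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                      # key-stretching loop
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(salt_b)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return "$apr1$" + salt_b.decode("ascii") + "$" + encoded


def apr1_verify(password, stored):
    """True if password matches a stored $apr1$ entry (what htpasswd -v checks)."""
    m = re.match(r"^\$apr1\$([^$]{1,8})\$", stored)
    if not m:
        return False
    return hmac.compare_digest(apr1_crypt(password, m.group(1)), stored)


def classify(hash_value):
    """Name the hash scheme of one .htpasswd entry by its prefix or shape."""
    if hash_value.startswith("$apr1$"):
        return "apr1-md5"
    if hash_value.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_value.startswith("{SHA}"):
        return "sha1"
    if len(hash_value) == 13 and "$" not in hash_value:
        return "crypt"
    return "plain"


def audit(text):
    """(user, scheme, migrate) per entry; every scheme except bcrypt is flagged, because
    bcrypt (htpasswd -B) is the one htpasswd offers with a tunable cost factor."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, hash_value = line.partition(":")
        scheme = classify(hash_value)
        rows.append((user, scheme, scheme != "bcrypt"))
    return rows


if __name__ == "__main__":
    for user, scheme, migrate in audit(SAMPLE_HTPASSWD):
        print(f"{user:25s} {scheme:10s} {'migrate to bcrypt' if migrate else 'ok'}")
```

Re-hashing an account from apr1 to bcrypt needs the user's password again, since only the hash is stored; the audit therefore only lists the candidates, the actual switch is a new htpasswd -B run per user.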

Once all users are created, we continue with the configuration of our vHost.

In the example at hand, a vHost providing the PostfixAdmin web application, we now add the following lines.

 # vim /etc/httpd/conf.d/vhost_443_postfixadmin.conf
...
 
	# Django : 2014-09-08 configuration example for Basic Authentication using
	# an htpasswd file
	<Location />
		Options +FollowSymLinks +MultiViews +Indexes
		# AllowOverride is only valid inside <Directory>; in <Location> apachectl -t rejects it
		AuthType Basic
		AuthName "PostfixAdmin-Webserver"
		AuthUserFile /etc/httpd/.htpasswd
		# "valid-user" admits every authenticated user and ignores listed names;
		# "user" restricts access to exactly the listed accounts
		Require user django django@sec-mail.guru
	</Location>
 
...

For our changes to take effect, the httpd daemon still needs a reload.

 # systemctl reload httpd.service

IMPORTANT:
So that the login credentials cannot be read and harvested by third parties, we naturally use an SSL-protected vHost!

LDAPS Authentication

As a rule, we already have a backend system in use for managing user data. In the following configuration example we will authenticate against an existing LDAP server.

A few preparations are necessary so that our client can connect to the OpenLDAP server.

Installation

openldap-clients

First we install the openldap-clients RPM package; as usual, we use the package management tool YUM on CentOS 7.x for this.

 # yum install openldap-clients -y

We can list what the package brought with it as follows.

 # rpm -qil openldap-clients
Name        : openldap-clients
Version     : 2.4.39
Release     : 6.el7
Architecture: x86_64
Install Date: Fri 17 Jul 2015 07:29:06 PM CEST
Group       : Applications/Internet
Size        : 588433
License     : OpenLDAP
Signature   : RSA/SHA256, Sat 14 Mar 2015 09:22:43 AM CET, Key ID 24c6a8a7f4a80eb5
Source RPM  : openldap-2.4.39-6.el7.src.rpm
Build Date  : Fri 06 Mar 2015 05:36:42 AM CET
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.openldap.org/
Summary     : LDAP client utilities
Description :
OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools. LDAP is a set of
protocols for accessing directory services (usually phone book style
information, but other information is possible) over the Internet,
similar to the way DNS (Domain Name System) information is propagated
over the Internet. The openldap-clients package contains the client
programs needed for accessing and modifying OpenLDAP directories.
/usr/bin/ldapadd
/usr/bin/ldapcompare
/usr/bin/ldapdelete
/usr/bin/ldapexop
/usr/bin/ldapmodify
/usr/bin/ldapmodrdn
/usr/bin/ldappasswd
/usr/bin/ldapsearch
/usr/bin/ldapurl
/usr/bin/ldapwhoami
/usr/share/man/man1/ldapadd.1.gz
/usr/share/man/man1/ldapcompare.1.gz
/usr/share/man/man1/ldapdelete.1.gz
/usr/share/man/man1/ldapexop.1.gz
/usr/share/man/man1/ldapmodify.1.gz
/usr/share/man/man1/ldapmodrdn.1.gz
/usr/share/man/man1/ldappasswd.1.gz
/usr/share/man/man1/ldapsearch.1.gz
/usr/share/man/man1/ldapurl.1.gz
/usr/share/man/man1/ldapwhoami.1.gz

Configuration

openldap-clients

If we try to connect to our LDAP server at this point, it inevitably fails. Example:

 # ldapsearch -W -x -b "dc=nausch,dc=org" "uid=django" \
              -D "cn=Technischeruser,dc=nausch,dc=org" -LLL \
              -H ldaps://openldap.dmz.nausch.org
Enter LDAP Password: 
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The connection fails because the client does not (yet) trust the certificate of the OpenLDAP server!

We first have to import the root certificates of the CA CAcert, which match the server certificate, as trusted root certificates.

Trust models in public-key infrastructures

With asymmetric encryption, as used for SSL/TLS-secured communication, the sending party needs the recipient's public key. In this communication it is extremely important that the authenticity of the key is guaranteed, i.e. that it can be verified. This verification is done with digital certificates, which confirm the authenticity of a public key as well as the scope and the intended uses of the certificate.

Image: schematic representation of the trust relationship in the PKI model

In pure 1:1 communication, both parties, or the client and the server, can establish this trust among themselves. In the vast majority of cases, however, encrypted and confidential communication will be 1:n; that is, one server exchanges data with a great many clients. Establishing mutual trust individually is neither realistic nor practicable here in most cases.

To verify the authenticity of the X.509 certificate used for encryption, a digital certificate of a CA, or certification authority, is used in turn. This CA thus confirms the authenticity of the certificate. A CA's own certificate (root certificate) may in turn have been certified by another CA. This results in a chain of certificates in which each certificate can be authenticated with the certificate of the superior authority. This chain of trust is also called the certification path or trusted chain.

Image: schematic representation of an X.509 certificate

Without the superior root certificate we can still communicate encrypted, but we do not know whether the key material underlying the encryption is valid and whether the other party is who it claims to be.

So we still have to teach our communication system, whether it is a web browser or a web or mail server, two things.

  1. Root certificates:
    We have to make the required root certificates available to our system.
  2. CA trust:
    We still have to explicitly declare our trust in the respective CA and its root certificate.

Without these two essential measures we can communicate encrypted, but we do not know whether the addressee is who we think it is and whether it can really decrypt the data!

CA certificates on CentOS 7

We do not have to collect the most important certification authorities and their root certificates individually from various websites. With the ca-certificates RPM package we can fall back on the most important CAs, as selected by the Mozilla Foundation. This package was already installed during the base installation of our system; the following call shows what it brought with it.

 # rpm -qil ca-certificates
Name        : ca-certificates
Version     : 2014.1.98
Release     : 70.0.el7_0
Architecture: noarch
Install Date: Mon 09 Feb 2015 03:36:17 PM CET
Group       : System Environment/Base
Size        : 1029265
License     : Public Domain
Signature   : RSA/SHA256, Thu 18 Sep 2014 03:53:56 PM CEST, Key ID 24c6a8a7f4a80eb5
Source RPM  : ca-certificates-2014.1.98-70.0.el7_0.src.rpm
Build Date  : Thu 18 Sep 2014 02:11:36 PM CEST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.mozilla.org/
Summary     : The Mozilla CA root certificate bundle
Description :
This package contains the set of CA certificates chosen by the
Mozilla Foundation for use with the Internet PKI.
/etc/pki/ca-trust
/etc/pki/ca-trust/README
/etc/pki/ca-trust/extracted
/etc/pki/ca-trust/extracted/README
/etc/pki/ca-trust/extracted/java
/etc/pki/ca-trust/extracted/java/README
/etc/pki/ca-trust/extracted/java/cacerts
/etc/pki/ca-trust/extracted/openssl
/etc/pki/ca-trust/extracted/openssl/README
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/pem
/etc/pki/ca-trust/extracted/pem/README
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/source
/etc/pki/ca-trust/source/README
/etc/pki/ca-trust/source/anchors
/etc/pki/ca-trust/source/blacklist
/etc/pki/java
/etc/pki/java/cacerts
/etc/pki/tls
/etc/pki/tls/cert.pem
/etc/pki/tls/certs
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
/etc/ssl
/etc/ssl/certs
/usr/bin/update-ca-trust
/usr/share/man/man8/update-ca-trust.8.gz
/usr/share/pki/ca-trust-source
/usr/share/pki/ca-trust-source/README
/usr/share/pki/ca-trust-source/anchors
/usr/share/pki/ca-trust-source/blacklist
/usr/share/pki/ca-trust-source/ca-bundle.neutral-trust.crt
/usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
/usr/share/pki/ca-trust-source/ca-bundle.trust.crt

Documentation

manpage of update-ca-trust

The fairly extensive manpage of update-ca-trust contains many helpful details on importing and trusting additional root certificates.

 # man update-ca-trust
UPDATE-CA-TRUST(8)                                                     UPDATE-CA-TRUST(8)

NAME
       update-ca-trust - manage consolidated and dynamic configuration of CA certificates
       and associated trust

SYNOPSIS
       update-ca-trust [COMMAND]

DESCRIPTION
       update-ca-trust(8) is used to manage a consolidated and dynamic configuration
       feature of Certificate Authority (CA) certificates and associated trust.

       The feature is available for new applications that read the consolidated
       configuration files found in the /etc/pki/ca-trust/extracted directory or that
       load the PKCS#11 module p11-kit-trust.so

       Parts of the new feature are also provided in a way to make it useful for legacy
       applications.

       Many legacy applications expect CA certificates and trust configuration in a fixed
       location, contained in files with particular path and name, or by referring to a
       classic PKCS#11 trust module provided by the NSS cryptographic library.

       The dynamic configuration feature provides functionally compatible replacements
       for classic configuration files and for the classic NSS trust module named
       libnssckbi.

       In order to enable legacy applications, that read the classic files or access the
       classic module, to make use of the new consolidated and dynamic configuration
       feature, the classic filenames have been changed to symbolic links. The symbolic
       links refer to dynamically created and consolidated output stored below the
       /etc/pki/ca-trust/extracted directory hierarchy.

       The output is produced using the update-ca-trust command (without parameters), or
       using the update-ca-trust extract command. In order to produce the output, a
       flexible set of source configuration is read, as described in section SOURCE
       CONFIGURATION.

       In addition, the classic PKCS#11 module is replaced with a new PKCS#11 module
       (p11-kit-trust.so) that dynamically reads the same source configuration.

SOURCE CONFIGURATION
       The dynamic configuration feature uses several source directories that will be
       scanned for any number of source files. It is important to select the correct
       subdirectory for adding files, as the subdirectory defines how contained
       certificates will be trusted or distrusted, and which file formats are read.

       Files in subdirectories below the directory hierarchy
       /usr/share/pki/ca-trust-source/ contain CA certificates and trust settings in the
       PEM file format. The trust settings found here will be interpreted with a low
       priority.

       Files in subdirectories below the directory hierarchy /etc/pki/ca-trust/source/
       contain CA certificates and trust settings in the PEM file format. The trust
       settings found here will be interpreted with a high priority.

       You may use the following rules of thumb to decide, whether your configuration
       files should be added to the /etc or rather to the /usr directory hierarchy:

       ·   If you are manually adding a configuration file to a system, you probably want
           it to override any other default configuration, and you most likely should add
           it to the respective subdirectory in the /etc hierarchy.

       ·   If you are creating a package that provides additional root CA certificates,
           that is intended for distribution to several computer systems, but you still
           want to allow the administrator to override your list, then your package
           should add your files to the respective subdirectory in the /usr hierarchy.

       ·   If you are creating a package that is supposed to override the default system
           trust settings, that is intended for distribution to several computer systems,
           then your package should install the files to the respective subdirectory in
           the /etc hierarchy.

       QUICK HELP 1: To add a certificate in the simple PEM or DER file formats to the
       list of CAs trusted on the system:

       ·   add it as a new file to directory /etc/pki/ca-trust/source/anchors/

       ·   run update-ca-trust extract

       QUICK HELP 2: If your certificate is in the extended BEGIN TRUSTED file format
       (which may contain distrust/blacklist trust flags, or trust flags for usages other
       than TLS) then:

       ·   add it as a new file to directory /etc/pki/ca-trust/source/

       ·   run update-ca-trust extract

       In order to offer simplicity and flexibility, the way certificate files are
       treated depends on the subdirectory they are installed to.

       ·   simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or
           /etc/pki/ca-trust/source/anchors/

       ·   simple blacklist (distrust) subdirectory:
           /usr/share/pki/ca-trust-source/blacklist/ or
           /etc/pki/ca-trust/source/blacklist/

       ·   extended format directory: /usr/share/pki/ca-trust-source/ or
           /etc/pki/ca-trust/source/

       In the main directories /usr/share/pki/ca-trust-source/ or
       /etc/pki/ca-trust/source/ you may install one or multiple files in the following
       file formats:

       ·   certificate files that include trust flags, in the BEGIN/END TRUSTED
           CERTIFICATE file format (any file name), which have been created using the
           openssl x509 tool and the -addreject -addtrust options. Bundle files with
           multiple certificates are supported.

       ·   files in the p11-kit file format using the .p11-kit file name extension, which
           can (e.g.) be used to distrust certificates based on serial number and issuer
           name, without having the full certificate available. (This is currently an
           undocumented format, to be extended later. For examples of the supported
           formats, see the files shipped with the ca-certificates package.)

       ·   certificate files without trust flags in either the DER file format or in the
           PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files will be
           added with neutral trust, neither trusted nor distrusted. They will simply be
           known to the system, which might be helpful to assist cryptographic software
           in constructing chains of certificates. (If you want a CA certificate in these
           file formats to be trusted, you should remove it from this directory and move
           it to the ./anchors subdirectory instead.)

       In the anchors subdirectories /usr/share/pki/ca-trust-source/anchors/ or
       /etc/pki/ca-trust/source/anchors/ you may install one or multiple certificates in
       either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format. Each
       certificate will be treated as trusted for all purposes.

       In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or
       /etc/pki/ca-trust/source/blacklist/ you may install one or multiple certificates
       in either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format.
       Each certificate will be treated as distrusted for all purposes.

       Please refer to the x509(1) manual page for the documentation of the BEGIN/END
       CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.

       Applications that rely on a static file for a list of trusted CAs may load one of
       the files found in the /etc/pki/ca-trust/extracted directory. After modifying any
       file in the /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
       directories or in any of their subdirectories, or after adding a file, it is
       necessary to run the update-ca-trust extract command, in order to update the
       consolidated files in /etc/pki/ca-trust/extracted/ .

       Applications that load the classic PKCS#11 module using filename libnssckbi.so
       (which has been converted into a symbolic link pointing to the new module) and any
       application capable of loading PKCS#11 modules and loading p11-kit-trust.so, will
       benefit from the dynamically merged set of certificates and trust information
       stored in the /usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
       directories.

EXTRACTED CONFIGURATION
       The directory /etc/pki/ca-trust/extracted/ contains generated CA certificate
       bundle files which are created and updated, based on the SOURCE CONFIGURATION by
       running the update-ca-trust extract command.

       If your application isn’t able to load the PKCS#11 module p11-kit-trust.so, then
       you can use these files in your application to load a list of global root CA
       certificates.

       Please never manually edit the files stored in this directory, because your
       changes will be lost and the files automatically overwritten, each time the
       update-ca-trust extract command gets executed.

       In order to install new trusted or distrusted certificates, please rather install
       them in the respective subdirectory below the /usr/share/pki/ca-trust-source/ or
       /etc/pki/ca-trust/source/ directories, as described in the SOURCE CONFIGURATION
       section.

       The directory /etc/pki/ca-trust/extracted/java/ contains a CA certificate bundle
       in the java keystore file format. Distrust information cannot be represented in
       this file format, and distrusted certificates are missing from these files. File
       cacerts contains CA certificates trusted for TLS server authentication.

       The directory /etc/pki/ca-trust/extracted/openssl/ contains CA certificate bundle
       files in the extended BEGIN/END TRUSTED CERTIFICATE file format, as described in
       the x509(1) manual page. File ca-bundle.trust.crt contains the full set of all
       trusted or distrusted certificates, including the associated trust flags.

       The directory /etc/pki/ca-trust/extracted/pem/ contains CA certificate bundle
       files in the simple BEGIN/END CERTIFICATE file format, as decribed in the x509(1)
       manual page. Distrust information cannot be represented in this file format, and
       distrusted certificates are missing from these files. File tls-ca-bundle.pem
       contains CA certificates trusted for TLS server authentication. File
       email-ca-bundle.pem contains CA certificates trusted for E-Mail protection. File
       objsign-ca-bundle.pem contains CA certificates trusted for code signing.

COMMANDS
       (absent/empty command)
           Same as the extract command described below. (However, the command may print
           fewer warnings, as this command is being run during rpm package installation,
           where non-fatal status output is undesired.)

       extract
           Instruct update-ca-trust to scan the SOURCE CONFIGURATION and produce updated
           versions of the consolidated configuration files stored below the
           /etc/pki/ca-trust/extracted directory hierarchy.

FILES
       /etc/pki/tls/certs/ca-bundle.crt
           Classic filename, file contains a list of CA certificates trusted for TLS
           server authentication usage, in the simple BEGIN/END CERTIFICATE file format,
           without distrust information. This file is a symbolic link that refers to the
           consolidated output created by the update-ca-trust command.

       /etc/pki/tls/certs/ca-bundle.trust.crt
           Classic filename, file contains a list of CA certificates in the extended
           BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or
           distrust) flags specific to certificate usage. This file is a symbolic link
           that refers to the consolidated output created by the update-ca-trust command.

       /etc/pki/java/cacerts
           Classic filename, file contains a list of CA certificates trusted for TLS
           server authentication usage, in the Java keystore file format, without
           distrust information. This file is a symbolic link that refers to the
           consolidated output created by the update-ca-trust command.

       /usr/share/pki/ca-trust-source
           Contains multiple, low priority source configuration files as explained in
           section SOURCE CONFIGURATION. Please pay attention to the specific meanings of
           the respective subdirectories.

       /etc/pki/ca-trust/source
           Contains multiple, high priority source configuration files as explained in
           section SOURCE CONFIGURATION. Please pay attention to the specific meanings of
           the respective subdirectories.

       /etc/pki/ca-trust/extracted
           Contains consolidated and automatically generated configuration files for
           consumption by applications, which are created using the update-ca-trust
           extract command. Don’t edit files in this directory, because they will be
           overwritten. See section EXTRACTED CONFIGURATION for additional details.

AUTHOR
       Written by Kai Engert and Stef Walter.

update-ca-trust                         09/18/2014                     UPDATE-CA-TRUST(8)

/etc/pki/ca-trust/source/README

Since we want to explicitly trust individual root certificates, we will use the directory structure under /etc provided by the RPM package. There we also find a corresponding README file.

 # less /etc/pki/ca-trust/source/README
This directory /etc/pki/ca-trust/source/ contains CA certificates and 
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in 
/usr/share/pki/ca-trust-source/.

=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
            list of CAs trusted on the system:

            Copy it to the
                    /etc/pki/ca-trust/source/anchors/
            subdirectory, and run the
                    update-ca-trust
            command.

            If your certificate is in the extended BEGIN TRUSTED file format,
            then place it into the main source/ directory instead.
=============================================================================

Please refer to the update-ca-trust(8) manual page for additional information.

Import example using the CAcert root certificate

In the following example we import the CAcert root certificates as trusted root certificates.

In the first step we change into the directory /etc/pki/ca-trust/source/anchors.

 # cd /etc/pki/ca-trust/source/anchors

Next we fetch the CAcert root certificate from their homepage onto our server.

 # wget -O CAcert_class1.pem --no-check-certificate https://www.cacert.org/certs/root.crt

The CAcert root certificate is now in our directory.

 # less CAcert_class1.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

We do the same with the CAcert Class 3 certificate.

 # wget -O CAcert_class3.pem --no-check-certificate https://www.cacert.org/certs/class3.crt

Now we also have the CAcert Class 3 root certificate in our directory.

 # less CAcert_class3.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

IMPORTANT:

Before we declare our trust in the certificate or the CA, we verify the authenticity of the certificate by means of its fingerprint.

 # openssl x509 -noout -fingerprint -in CAcert_class1.pem 
SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33

We now compare this fingerprint with the information CAcert publishes on its homepage. There we find the following data:

SHA1 fingerprint: 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33


If the two fingerprints differ, the import must be aborted IMMEDIATELY!

Since both fingerprints match, we now proceed with the second CAcert Class 3 certificate exactly as with the first one.

 # openssl x509 -noout -fingerprint -in CAcert_class3.pem
SHA1 Fingerprint=AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE

We now compare this fingerprint with the information CAcert publishes on its homepage. There we find the following data:

SHA1 fingerprint: AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE

If the fingerprint comparison for the Class 3 certificate also matches, we can proceed with the actual import of the two certificates!

To import the CAcert root certificates we now use the update-ca-trust command.

 # update-ca-trust

Once the import is complete, the file /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem contains the root certificates we just imported.

If we want to check whether the desired certificates are really contained in the generated certificate bundle, we use a small script. The following Perl script produces a list of all certificates contained in a certificate bundle file.

 # vim /usr/local/bin/ca-list
/usr/local/bin/ca-list
#!/usr/bin/perl
# Print a list of the certificates contained in a certificate bundle.
# Django <django@mailserver.guru> (c) 2015
#
use strict;
use warnings;

my $file = shift;
unless($file) { die("Without a certificate bundle the list cannot be created!\n"); }
open(LISTE, '<', $file) or die("Error loading file \"$file\"\n");
 
my $certfile = "";
print "The following certificates are contained in the file $file:\n";
 
while(<LISTE>) {
        # collect lines until the END marker, then hand the complete PEM block to openssl
        $certfile .= $_;
        if($_ =~ /^\-+END(\s\w+)?\sCERTIFICATE\-+$/) {
                print `echo "$certfile" | openssl x509 -noout -subject`;
                $certfile = "";
        }
}
close(LISTE);

We give the newly created script execute permission.

 # chmod +x /usr/local/bin/ca-list

Now we can verify that the CAcert root certificates installed earlier are contained in the certificate bundle file /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

 # ca-list /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | grep -i cacert.org
subject= /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
subject= /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
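The fingerprint comparison and the bundle check above can be automated. The following Python script is an added example (not part of the original page or of the ca-certificates package): it splits a PEM file or bundle into its certificates, computes the fingerprint exactly as openssl x509 -fingerprint does (a digest over the DER bytes), refuses an import on mismatch, and reports whether a certificate with a given fingerprint is present in a bundle such as tls-ca-bundle.pem. The two certificate bodies are constructed dummy byte strings, not real X.509 certificates; all function names are assumptions.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def make_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for certificate bodies. They are NOT real X.509 certificates;
# a fingerprint is just a hash over the DER bytes, so the arithmetic is identical.
DUMMY_DER_A = b"constructed dummy DER blob A (not a real certificate)"
DUMMY_DER_B = b"constructed dummy DER blob B (not a real certificate)"
SAMPLE_BUNDLE = make_pem(DUMMY_DER_A) + make_pem(DUMMY_DER_B)


def pem_to_der_list(bundle_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file or bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(bundle_text)]


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case digest, the layout 'openssl x509 -fingerprint' prints."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def _normalise(fp):
    """Strip colons/spaces and upper-case, so copied values compare regardless of layout."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprint_matches(der, expected, algo="sha256"):
    """Constant-time comparison of the computed fingerprint against a published one."""
    return hmac.compare_digest(_normalise(fingerprint(der, algo)), _normalise(expected))


def check_before_import(pem_text, expected, algo="sha256"):
    """Gate for the anchors directory: raise unless the single certificate in pem_text
    carries exactly the published fingerprint, so a wrong file is never trusted."""
    ders = pem_to_der_list(pem_text)
    if len(ders) != 1:
        raise ValueError("expected exactly one certificate, found %d" % len(ders))
    if not fingerprint_matches(ders[0], expected, algo):
        raise ValueError("fingerprint mismatch, aborting import: "
                         + fingerprint(ders[0], algo))
    return True


def find_in_bundle(bundle_text, expected, algo="sha256"):
    """Index of the certificate in the bundle whose fingerprint matches, or -1."""
    for idx, der in enumerate(pem_to_der_list(bundle_text)):
        if fingerprint_matches(der, expected, algo):
            return idx
    return -1


if __name__ == "__main__":
    published = fingerprint(DUMMY_DER_B)      # stands in for the CA's published value
    check_before_import(make_pem(DUMMY_DER_B), published)
    print("found at bundle index:", find_in_bundle(SAMPLE_BUNDLE, published))
```

Against the real files, SAMPLE_BUNDLE is replaced by the content of /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem and the published value by the fingerprint from the CA's page. The page compares SHA-1 fingerprints; pass algo="sha1" for that, or prefer a SHA-256 fingerprint where the CA publishes one.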

The file /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem now contains the required root certificates, and we only have to tell our openldap client to use it. To do so we edit the configuration file of the openldap client.

 # vim /etc/openldap/ldap.conf
/etc/openldap/ldap.conf
#
# LDAP Defaults
#
 
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
 
#BASE           dc=example,dc=com
#URI            ldap://ldap.example.com ldap://ldap-master.example.com:666
 
# Django: 2015-07-17
# default: unset
#         Definition of the sub-tree queried by default / search base
#         Queries are executed below dc=nausch, dc=org
BASE            dc=nausch, dc=org
 
#         Definition of the LDAP server
URI             ldap://openldap.dmz.nausch.org
 
 
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
 
# Django : 2015-07-17
# default:      TLS_CACERTDIR   /etc/openldap/certs
 
# Django : 2015-07-16
#          Path and file with the trusted root certificates
# default: unset
TLS_CACERT      /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on

To test, we send a query to our OpenLDAP server again.

 # ldapsearch -W -x -b "dc=nausch,dc=org" "uid=django" \
              -D "cn=Technischeruser,dc=nausch,dc=org" -LLL \
              -H ldaps://openldap.dmz.nausch.org
Enter LDAP Password: 
dn: uid=django,ou=People,dc=nausch,dc=org
uid: django
cn: django
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 16617
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/django
gecos: django
userPassword:: RGQ0bWRkMyE=

mod_ldap

In contrast to the basic authentication configuration example using PasswordBasicAuth, we need the additional RPM package mod_ldap, which provides the two modules mod_authnz_ldap and mod_ldap required for LDAP authentication. We install the RPM with yum.

 # yum install mod_ldap -y

Configuration

What is still missing is the configuration of our vHost. We add the following lines to the configuration file of the vHost in question.

 # vim /etc/httpd/conf.d/vhost_443_postfixadmin.conf
...

        # Django : 2015-07-17 Configuration example for LDAP authentication using
        # the two modules mod_authnz_ldap and mod_ldap from the RPM mod_ldap.
        <Location />
                Options +FollowSymLinks +Multiviews +Indexes
                AllowOverride None
                AuthType Basic
                AuthName "PostfixAdmin-Webserver"
                AuthBasicProvider ldap
                AuthLDAPUrl ldaps://openldap.dmz.nausch.org:389/ou=People,dc=nausch,dc=org?uid
                AuthLDAPBindDN cn=Technischeruser,dc=nausch,dc=org
                AuthLDAPBindPassword e1n531f!D4xIi57n393I1354u!
                AuthLDAPBindAuthoritative on
                Require ldap-user django bigchief nagios
        </Location>
...
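As an added example (not code from the original page), the following script audits a vHost block like the one above for the points that matter for this setup: whether the LDAP connection is encrypted, whether the ldaps:// port looks right, whether a clear-text AuthLDAPBindPassword sits in a world-readable file, and whether a Require directive exists at all. It assumes POSIX sh, awk, grep and stat; the sample block is constructed and its bind password is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original page: audits the mod_authnz_ldap
# settings of a vHost file like the one above. Assumes POSIX sh, awk, grep and
# stat; the bind password in the sample is a placeholder.

# write_sample_vhost FILE SCHEME: writes a constructed <Location /> block
# modelled on the page's example; SCHEME is ldaps or ldap.
write_sample_vhost() {
    cat > "$1" <<EOF
<Location />
    AuthType Basic
    AuthName "PostfixAdmin-Webserver"
    AuthBasicProvider ldap
    AuthLDAPUrl $2://openldap.dmz.nausch.org:389/ou=People,dc=nausch,dc=org?uid
    AuthLDAPBindDN cn=Technischeruser,dc=nausch,dc=org
    AuthLDAPBindPassword PLACEHOLDER-NOT-A-REAL-PASSWORD
    AuthLDAPBindAuthoritative on
    Require ldap-user django bigchief nagios
</Location>
EOF
}

# audit_ldap_auth FILE: prints one finding per line and returns the number of
# findings, so exit status 0 means the block looks sane.
audit_ldap_auth() {
    f="$1"; n=0
    url=$(awk '$1=="AuthLDAPUrl"{print $2; exit}' "$f")
    mode=$(awk '$1=="AuthLDAPUrl"{print $3; exit}' "$f")
    case "$url:$mode" in
        ldaps://*|*:SSL|*:TLS|*:STARTTLS) ;;   # bind DN, password and lookups travel encrypted
        *) echo "AuthLDAPUrl $url without ldaps:// or TLS/STARTTLS: clear-text bind"
           n=$((n+1)) ;;
    esac
    case "$url" in   # 389 is the plain LDAP/STARTTLS port; ldaps normally uses 636
        ldaps://*:389/*) echo "ldaps:// on port 389 will usually fail the TLS handshake"
                         n=$((n+1)) ;;
    esac
    if grep -q '^[[:space:]]*AuthLDAPBindPassword' "$f"; then
        # the bind password sits in clear text here, so the file must not be world-readable
        perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        case "$perms" in
            *[4-7]) echo "file holds AuthLDAPBindPassword but mode $perms is world-readable"
                    n=$((n+1)) ;;
        esac
    fi
    grep -q '^[[:space:]]*Require[[:space:]]' "$f" ||
        { echo "no Require directive: nothing restricts access"; n=$((n+1)); }
    return $n
}
```

Run against a real vHost file with `audit_ldap_auth /etc/httpd/conf.d/vhost_443_postfixadmin.conf`; the sample writer is only there to try the checks offline.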

For our changes to take effect, the HTTP daemon still needs to be reloaded.

 # systemctl reload httpd.service

IMPORTANT:
So that the login credentials cannot be read or harvested by third parties, we naturally use an SSL-protected vHost!

Test

The web server will now only grant access once the credentials have been entered correctly.

Image: login prompt of an access-protected web application

If the entry is cancelled via [ Cancel ], the web server denies access to the application in question!

Excluding a host/IP address

If an IP address or a host is to be excluded from logging, we use the following configuration example, which we enter in the vHost in question.

 # vim 1st_vhost.conf
...

    SetEnvIf  Remote_Addr "10\.0\.0\.27" dontlog
    ErrorLog  logs/defaulthost_error.log
    CustomLog logs/defaulthost_access.log combined env=!dontlog

...

If the host with the IP address 10.0.0.27 accesses the vHost, no entries are recorded for it in the access log.
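SetEnvIf matches its pattern as an unanchored regex search, so the pattern above also fires for other addresses that merely contain 10.0.0.27. The following added example (not code from the original page) reproduces that matching with grep -E on constructed client addresses and contrasts it with an anchored pattern; it assumes POSIX sh and grep.

```shell
#!/bin/sh
# Added example, not code from the original page: reproduces how SetEnvIf
# Remote_Addr matches its pattern (an unanchored regex search, here done with
# grep -E) to show why the pattern above should be anchored. Assumes POSIX sh and grep.

# matches_remote_addr ADDR PATTERN: returns 0 when "SetEnvIf Remote_Addr PATTERN dontlog"
# would set dontlog, i.e. when the request would vanish from the access log.
matches_remote_addr() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# count_excluded PATTERN ADDR...: prints how many of the addresses would go unlogged.
count_excluded() {
    pat="$1"; shift; n=0
    for a in "$@"; do
        matches_remote_addr "$a" "$pat" && n=$((n+1))
    done
    echo "$n"
}

# Constructed client addresses: only the first is the host we mean to exclude.
CLIENTS="10.0.0.27 110.0.0.27 10.0.0.270 10.0.0.2"
UNANCHORED='10\.0\.0\.27'     # the page's pattern
ANCHORED='^10\.0\.0\.27$'     # exact match only

# The unanchored pattern also hides 110.0.0.27 and 10.0.0.270 from the log.
count_excluded "$UNANCHORED" $CLIENTS   # prints 3
count_excluded "$ANCHORED"   $CLIENTS   # prints 1
```

In the vHost, `SetEnvIf Remote_Addr "^10\.0\.0\.27$" dontlog` keeps the exclusion to exactly that one client.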
