Apache httpd, "der" WEB-Server unter CentOS 7.x
Unter CentOS 7 wird der aktuelle Releasezweig 2.4 als Standard-Web-Server vorgehalten.
Auf der Webseite der Apache Software Foundation findet man eine Aufstellung der Featureübersicht des Apache HTTP Server 2.4. Die Dokumentation zum Apache HTTP Server Version 2.4 findet man in deutscher Sprache ebenso auf der Projektseite.
Grundinstallation
Unseren Apache-Webserver installieren wir einfach mit Hilfe von YUM.
# yum install httpd -y
Neben dem Paket httpd werden noch die Pakete httpd-tools, apr, apr-util und mailcap installiert.
httpd
Was uns das Paket httpd alles mit ins System bringt, zeigt uns der Befehl rpm mit der Option -qil.
# rpm -qil httpd
Name : httpd Version : 2.4.6 Release : 18.el7.centos Architecture: x86_64 Install Date: Sun 24 Aug 2014 10:22:29 PM CEST Group : System Environment/Daemons Size : 9793373 License : ASL 2.0 Signature : RSA/SHA256, Wed 23 Jul 2014 05:21:22 PM CEST, Key ID 24c6a8a7f4a80eb5 Source RPM : httpd-2.4.6-18.el7.centos.src.rpm Build Date : Wed 23 Jul 2014 04:49:10 PM CEST Build Host : worker1.bsys.centos.org Relocations : (not relocatable) Packager : CentOS BuildSystem <http://bugs.centos.org> Vendor : CentOS URL : http://httpd.apache.org/ Summary : Apache HTTP Server Description : The Apache HTTP Server is a powerful, efficient, and extensible web server. /etc/httpd /etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf.d/README /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/userdir.conf /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.modules.d /etc/httpd/conf.modules.d/00-base.conf /etc/httpd/conf.modules.d/00-dav.conf /etc/httpd/conf.modules.d/00-lua.conf /etc/httpd/conf.modules.d/00-mpm.conf /etc/httpd/conf.modules.d/00-proxy.conf /etc/httpd/conf.modules.d/00-systemd.conf /etc/httpd/conf.modules.d/01-cgi.conf /etc/httpd/conf/httpd.conf /etc/httpd/conf/magic /etc/httpd/logs /etc/httpd/modules /etc/httpd/run /etc/logrotate.d/httpd /etc/sysconfig/htcacheclean /etc/sysconfig/httpd /run/httpd /run/httpd/htcacheclean /usr/lib/systemd/system/htcacheclean.service /usr/lib/systemd/system/httpd.service /usr/lib/tmpfiles.d/httpd.conf /usr/lib64/httpd /usr/lib64/httpd/modules /usr/lib64/httpd/modules/mod_access_compat.so /usr/lib64/httpd/modules/mod_actions.so /usr/lib64/httpd/modules/mod_alias.so /usr/lib64/httpd/modules/mod_allowmethods.so /usr/lib64/httpd/modules/mod_asis.so /usr/lib64/httpd/modules/mod_auth_basic.so /usr/lib64/httpd/modules/mod_auth_digest.so /usr/lib64/httpd/modules/mod_authn_anon.so /usr/lib64/httpd/modules/mod_authn_core.so /usr/lib64/httpd/modules/mod_authn_dbd.so /usr/lib64/httpd/modules/mod_authn_dbm.so /usr/lib64/httpd/modules/mod_authn_file.so /usr/lib64/httpd/modules/mod_authn_socache.so /usr/lib64/httpd/modules/mod_authz_core.so /usr/lib64/httpd/modules/mod_authz_dbd.so /usr/lib64/httpd/modules/mod_authz_dbm.so /usr/lib64/httpd/modules/mod_authz_groupfile.so /usr/lib64/httpd/modules/mod_authz_host.so /usr/lib64/httpd/modules/mod_authz_owner.so /usr/lib64/httpd/modules/mod_authz_user.so /usr/lib64/httpd/modules/mod_autoindex.so /usr/lib64/httpd/modules/mod_buffer.so /usr/lib64/httpd/modules/mod_cache.so /usr/lib64/httpd/modules/mod_cache_disk.so /usr/lib64/httpd/modules/mod_cache_socache.so /usr/lib64/httpd/modules/mod_cgi.so /usr/lib64/httpd/modules/mod_cgid.so /usr/lib64/httpd/modules/mod_charset_lite.so /usr/lib64/httpd/modules/mod_data.so /usr/lib64/httpd/modules/mod_dav.so /usr/lib64/httpd/modules/mod_dav_fs.so /usr/lib64/httpd/modules/mod_dav_lock.so /usr/lib64/httpd/modules/mod_dbd.so /usr/lib64/httpd/modules/mod_deflate.so /usr/lib64/httpd/modules/mod_dialup.so /usr/lib64/httpd/modules/mod_dir.so /usr/lib64/httpd/modules/mod_dumpio.so /usr/lib64/httpd/modules/mod_echo.so /usr/lib64/httpd/modules/mod_env.so /usr/lib64/httpd/modules/mod_expires.so /usr/lib64/httpd/modules/mod_ext_filter.so /usr/lib64/httpd/modules/mod_file_cache.so /usr/lib64/httpd/modules/mod_filter.so /usr/lib64/httpd/modules/mod_headers.so /usr/lib64/httpd/modules/mod_heartbeat.so /usr/lib64/httpd/modules/mod_heartmonitor.so /usr/lib64/httpd/modules/mod_include.so /usr/lib64/httpd/modules/mod_info.so /usr/lib64/httpd/modules/mod_lbmethod_bybusyness.so /usr/lib64/httpd/modules/mod_lbmethod_byrequests.so /usr/lib64/httpd/modules/mod_lbmethod_bytraffic.so /usr/lib64/httpd/modules/mod_lbmethod_heartbeat.so /usr/lib64/httpd/modules/mod_log_config.so /usr/lib64/httpd/modules/mod_log_debug.so /usr/lib64/httpd/modules/mod_log_forensic.so /usr/lib64/httpd/modules/mod_logio.so /usr/lib64/httpd/modules/mod_lua.so /usr/lib64/httpd/modules/mod_macro.so /usr/lib64/httpd/modules/mod_mime.so /usr/lib64/httpd/modules/mod_mime_magic.so /usr/lib64/httpd/modules/mod_mpm_event.so /usr/lib64/httpd/modules/mod_mpm_prefork.so /usr/lib64/httpd/modules/mod_mpm_worker.so /usr/lib64/httpd/modules/mod_negotiation.so /usr/lib64/httpd/modules/mod_proxy.so /usr/lib64/httpd/modules/mod_proxy_ajp.so /usr/lib64/httpd/modules/mod_proxy_balancer.so /usr/lib64/httpd/modules/mod_proxy_connect.so /usr/lib64/httpd/modules/mod_proxy_express.so /usr/lib64/httpd/modules/mod_proxy_fcgi.so /usr/lib64/httpd/modules/mod_proxy_fdpass.so /usr/lib64/httpd/modules/mod_proxy_ftp.so /usr/lib64/httpd/modules/mod_proxy_http.so /usr/lib64/httpd/modules/mod_proxy_scgi.so /usr/lib64/httpd/modules/mod_proxy_wstunnel.so /usr/lib64/httpd/modules/mod_ratelimit.so /usr/lib64/httpd/modules/mod_reflector.so /usr/lib64/httpd/modules/mod_remoteip.so /usr/lib64/httpd/modules/mod_reqtimeout.so /usr/lib64/httpd/modules/mod_request.so /usr/lib64/httpd/modules/mod_rewrite.so /usr/lib64/httpd/modules/mod_sed.so /usr/lib64/httpd/modules/mod_setenvif.so /usr/lib64/httpd/modules/mod_slotmem_plain.so /usr/lib64/httpd/modules/mod_slotmem_shm.so /usr/lib64/httpd/modules/mod_socache_dbm.so /usr/lib64/httpd/modules/mod_socache_memcache.so /usr/lib64/httpd/modules/mod_socache_shmcb.so /usr/lib64/httpd/modules/mod_speling.so /usr/lib64/httpd/modules/mod_status.so /usr/lib64/httpd/modules/mod_substitute.so /usr/lib64/httpd/modules/mod_suexec.so /usr/lib64/httpd/modules/mod_systemd.so /usr/lib64/httpd/modules/mod_unique_id.so /usr/lib64/httpd/modules/mod_unixd.so /usr/lib64/httpd/modules/mod_userdir.so /usr/lib64/httpd/modules/mod_usertrack.so /usr/lib64/httpd/modules/mod_version.so /usr/lib64/httpd/modules/mod_vhost_alias.so /usr/lib64/httpd/modules/mod_watchdog.so /usr/libexec/initscripts/legacy-actions/httpd /usr/libexec/initscripts/legacy-actions/httpd/configtest /usr/libexec/initscripts/legacy-actions/httpd/graceful /usr/sbin/apachectl /usr/sbin/fcgistarter /usr/sbin/htcacheclean /usr/sbin/httpd /usr/sbin/rotatelogs /usr/sbin/suexec /usr/share/doc/httpd-2.4.6 /usr/share/doc/httpd-2.4.6/ABOUT_APACHE /usr/share/doc/httpd-2.4.6/CHANGES /usr/share/doc/httpd-2.4.6/LICENSE /usr/share/doc/httpd-2.4.6/NOTICE /usr/share/doc/httpd-2.4.6/README /usr/share/doc/httpd-2.4.6/VERSIONING /usr/share/doc/httpd-2.4.6/httpd-dav.conf /usr/share/doc/httpd-2.4.6/httpd-default.conf /usr/share/doc/httpd-2.4.6/httpd-info.conf /usr/share/doc/httpd-2.4.6/httpd-languages.conf /usr/share/doc/httpd-2.4.6/httpd-manual.conf /usr/share/doc/httpd-2.4.6/httpd-mpm.conf /usr/share/doc/httpd-2.4.6/httpd-multilang-errordoc.conf /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /usr/share/doc/httpd-2.4.6/proxy-html.conf /usr/share/httpd /usr/share/httpd/error /usr/share/httpd/error/HTTP_BAD_GATEWAY.html.var /usr/share/httpd/error/HTTP_BAD_REQUEST.html.var /usr/share/httpd/error/HTTP_FORBIDDEN.html.var /usr/share/httpd/error/HTTP_GONE.html.var /usr/share/httpd/error/HTTP_INTERNAL_SERVER_ERROR.html.var /usr/share/httpd/error/HTTP_LENGTH_REQUIRED.html.var /usr/share/httpd/error/HTTP_METHOD_NOT_ALLOWED.html.var /usr/share/httpd/error/HTTP_NOT_FOUND.html.var /usr/share/httpd/error/HTTP_NOT_IMPLEMENTED.html.var /usr/share/httpd/error/HTTP_PRECONDITION_FAILED.html.var /usr/share/httpd/error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var /usr/share/httpd/error/HTTP_REQUEST_TIME_OUT.html.var /usr/share/httpd/error/HTTP_REQUEST_URI_TOO_LARGE.html.var /usr/share/httpd/error/HTTP_SERVICE_UNAVAILABLE.html.var /usr/share/httpd/error/HTTP_UNAUTHORIZED.html.var /usr/share/httpd/error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var /usr/share/httpd/error/HTTP_VARIANT_ALSO_VARIES.html.var /usr/share/httpd/error/README /usr/share/httpd/error/contact.html.var /usr/share/httpd/error/include /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/spacer.html /usr/share/httpd/error/include/top.html /usr/share/httpd/icons /usr/share/httpd/icons/README /usr/share/httpd/icons/README.html /usr/share/httpd/icons/a.gif /usr/share/httpd/icons/a.png /usr/share/httpd/icons/alert.black.gif /usr/share/httpd/icons/alert.black.png /usr/share/httpd/icons/alert.red.gif /usr/share/httpd/icons/alert.red.png /usr/share/httpd/icons/apache_pb.gif /usr/share/httpd/icons/apache_pb.png /usr/share/httpd/icons/apache_pb.svg /usr/share/httpd/icons/apache_pb2.gif /usr/share/httpd/icons/apache_pb2.png /usr/share/httpd/icons/back.gif /usr/share/httpd/icons/back.png /usr/share/httpd/icons/ball.gray.gif /usr/share/httpd/icons/ball.gray.png /usr/share/httpd/icons/ball.red.gif /usr/share/httpd/icons/ball.red.png /usr/share/httpd/icons/binary.gif /usr/share/httpd/icons/binary.png /usr/share/httpd/icons/binhex.gif /usr/share/httpd/icons/binhex.png /usr/share/httpd/icons/blank.gif /usr/share/httpd/icons/blank.png /usr/share/httpd/icons/bomb.gif /usr/share/httpd/icons/bomb.png /usr/share/httpd/icons/box1.gif /usr/share/httpd/icons/box1.png /usr/share/httpd/icons/box2.gif /usr/share/httpd/icons/box2.png /usr/share/httpd/icons/broken.gif /usr/share/httpd/icons/broken.png /usr/share/httpd/icons/burst.gif /usr/share/httpd/icons/burst.png /usr/share/httpd/icons/c.gif /usr/share/httpd/icons/c.png /usr/share/httpd/icons/comp.blue.gif /usr/share/httpd/icons/comp.blue.png /usr/share/httpd/icons/comp.gray.gif /usr/share/httpd/icons/comp.gray.png /usr/share/httpd/icons/compressed.gif /usr/share/httpd/icons/compressed.png /usr/share/httpd/icons/continued.gif /usr/share/httpd/icons/continued.png /usr/share/httpd/icons/dir.gif /usr/share/httpd/icons/dir.png /usr/share/httpd/icons/diskimg.gif /usr/share/httpd/icons/diskimg.png /usr/share/httpd/icons/down.gif /usr/share/httpd/icons/down.png /usr/share/httpd/icons/dvi.gif /usr/share/httpd/icons/dvi.png /usr/share/httpd/icons/f.gif /usr/share/httpd/icons/f.png /usr/share/httpd/icons/folder.gif /usr/share/httpd/icons/folder.open.gif /usr/share/httpd/icons/folder.open.png /usr/share/httpd/icons/folder.png /usr/share/httpd/icons/folder.sec.gif /usr/share/httpd/icons/folder.sec.png /usr/share/httpd/icons/forward.gif /usr/share/httpd/icons/forward.png /usr/share/httpd/icons/generic.gif /usr/share/httpd/icons/generic.png /usr/share/httpd/icons/generic.red.gif /usr/share/httpd/icons/generic.red.png /usr/share/httpd/icons/generic.sec.gif /usr/share/httpd/icons/generic.sec.png /usr/share/httpd/icons/hand.right.gif /usr/share/httpd/icons/hand.right.png /usr/share/httpd/icons/hand.up.gif /usr/share/httpd/icons/hand.up.png /usr/share/httpd/icons/icon.sheet.gif /usr/share/httpd/icons/icon.sheet.png /usr/share/httpd/icons/image1.gif /usr/share/httpd/icons/image1.png /usr/share/httpd/icons/image2.gif /usr/share/httpd/icons/image2.png /usr/share/httpd/icons/image3.gif /usr/share/httpd/icons/image3.png /usr/share/httpd/icons/index.gif /usr/share/httpd/icons/index.png /usr/share/httpd/icons/layout.gif /usr/share/httpd/icons/layout.png /usr/share/httpd/icons/left.gif /usr/share/httpd/icons/left.png /usr/share/httpd/icons/link.gif /usr/share/httpd/icons/link.png /usr/share/httpd/icons/movie.gif /usr/share/httpd/icons/movie.png /usr/share/httpd/icons/odf6odb.png /usr/share/httpd/icons/odf6odc.png /usr/share/httpd/icons/odf6odf.png /usr/share/httpd/icons/odf6odg.png /usr/share/httpd/icons/odf6odi.png /usr/share/httpd/icons/odf6odm.png /usr/share/httpd/icons/odf6odp.png /usr/share/httpd/icons/odf6ods.png /usr/share/httpd/icons/odf6odt.png /usr/share/httpd/icons/odf6otc.png /usr/share/httpd/icons/odf6otf.png /usr/share/httpd/icons/odf6otg.png /usr/share/httpd/icons/odf6oth.png /usr/share/httpd/icons/odf6oti.png /usr/share/httpd/icons/odf6otp.png /usr/share/httpd/icons/odf6ots.png /usr/share/httpd/icons/odf6ott.png /usr/share/httpd/icons/p.gif /usr/share/httpd/icons/p.png /usr/share/httpd/icons/patch.gif /usr/share/httpd/icons/patch.png /usr/share/httpd/icons/pdf.gif /usr/share/httpd/icons/pdf.png /usr/share/httpd/icons/pie0.gif /usr/share/httpd/icons/pie0.png /usr/share/httpd/icons/pie1.gif /usr/share/httpd/icons/pie1.png /usr/share/httpd/icons/pie2.gif /usr/share/httpd/icons/pie2.png /usr/share/httpd/icons/pie3.gif /usr/share/httpd/icons/pie3.png /usr/share/httpd/icons/pie4.gif /usr/share/httpd/icons/pie4.png /usr/share/httpd/icons/pie5.gif /usr/share/httpd/icons/pie5.png /usr/share/httpd/icons/pie6.gif /usr/share/httpd/icons/pie6.png /usr/share/httpd/icons/pie7.gif /usr/share/httpd/icons/pie7.png /usr/share/httpd/icons/pie8.gif /usr/share/httpd/icons/pie8.png /usr/share/httpd/icons/portal.gif /usr/share/httpd/icons/portal.png /usr/share/httpd/icons/poweredby.png /usr/share/httpd/icons/ps.gif /usr/share/httpd/icons/ps.png /usr/share/httpd/icons/quill.gif /usr/share/httpd/icons/quill.png /usr/share/httpd/icons/right.gif /usr/share/httpd/icons/right.png /usr/share/httpd/icons/screw1.gif /usr/share/httpd/icons/screw1.png /usr/share/httpd/icons/screw2.gif /usr/share/httpd/icons/screw2.png /usr/share/httpd/icons/script.gif /usr/share/httpd/icons/script.png /usr/share/httpd/icons/small /usr/share/httpd/icons/small/back.gif /usr/share/httpd/icons/small/back.png /usr/share/httpd/icons/small/binary.gif /usr/share/httpd/icons/small/binary.png /usr/share/httpd/icons/small/binhex.gif /usr/share/httpd/icons/small/binhex.png /usr/share/httpd/icons/small/blank.gif /usr/share/httpd/icons/small/blank.png /usr/share/httpd/icons/small/broken.gif /usr/share/httpd/icons/small/broken.png /usr/share/httpd/icons/small/burst.gif /usr/share/httpd/icons/small/burst.png /usr/share/httpd/icons/small/comp1.gif /usr/share/httpd/icons/small/comp1.png /usr/share/httpd/icons/small/comp2.gif /usr/share/httpd/icons/small/comp2.png /usr/share/httpd/icons/small/compressed.gif /usr/share/httpd/icons/small/compressed.png /usr/share/httpd/icons/small/continued.gif /usr/share/httpd/icons/small/continued.png /usr/share/httpd/icons/small/doc.gif /usr/share/httpd/icons/small/doc.png /usr/share/httpd/icons/small/folder.gif /usr/share/httpd/icons/small/folder.png /usr/share/httpd/icons/small/folder2.gif /usr/share/httpd/icons/small/folder2.png /usr/share/httpd/icons/small/forward.gif /usr/share/httpd/icons/small/forward.png /usr/share/httpd/icons/small/generic.gif /usr/share/httpd/icons/small/generic.png /usr/share/httpd/icons/small/generic2.gif /usr/share/httpd/icons/small/generic2.png /usr/share/httpd/icons/small/generic3.gif /usr/share/httpd/icons/small/generic3.png /usr/share/httpd/icons/small/image.gif /usr/share/httpd/icons/small/image.png /usr/share/httpd/icons/small/image2.gif /usr/share/httpd/icons/small/image2.png /usr/share/httpd/icons/small/index.gif /usr/share/httpd/icons/small/index.png /usr/share/httpd/icons/small/key.gif /usr/share/httpd/icons/small/key.png /usr/share/httpd/icons/small/movie.gif /usr/share/httpd/icons/small/movie.png /usr/share/httpd/icons/small/patch.gif /usr/share/httpd/icons/small/patch.png /usr/share/httpd/icons/small/ps.gif /usr/share/httpd/icons/small/ps.png /usr/share/httpd/icons/small/rainbow.gif /usr/share/httpd/icons/small/rainbow.png /usr/share/httpd/icons/small/sound.gif /usr/share/httpd/icons/small/sound.png /usr/share/httpd/icons/small/sound2.gif /usr/share/httpd/icons/small/sound2.png /usr/share/httpd/icons/small/tar.gif /usr/share/httpd/icons/small/tar.png /usr/share/httpd/icons/small/text.gif /usr/share/httpd/icons/small/text.png /usr/share/httpd/icons/small/transfer.gif /usr/share/httpd/icons/small/transfer.png /usr/share/httpd/icons/small/unknown.gif /usr/share/httpd/icons/small/unknown.png /usr/share/httpd/icons/small/uu.gif /usr/share/httpd/icons/small/uu.png /usr/share/httpd/icons/sound1.gif /usr/share/httpd/icons/sound1.png /usr/share/httpd/icons/sound2.gif /usr/share/httpd/icons/sound2.png /usr/share/httpd/icons/sphere1.gif /usr/share/httpd/icons/sphere1.png /usr/share/httpd/icons/sphere2.gif /usr/share/httpd/icons/sphere2.png /usr/share/httpd/icons/svg.png /usr/share/httpd/icons/tar.gif /usr/share/httpd/icons/tar.png /usr/share/httpd/icons/tex.gif /usr/share/httpd/icons/tex.png /usr/share/httpd/icons/text.gif /usr/share/httpd/icons/text.png /usr/share/httpd/icons/transfer.gif /usr/share/httpd/icons/transfer.png /usr/share/httpd/icons/unknown.gif /usr/share/httpd/icons/unknown.png /usr/share/httpd/icons/up.gif /usr/share/httpd/icons/up.png /usr/share/httpd/icons/uu.gif /usr/share/httpd/icons/uu.png /usr/share/httpd/icons/uuencoded.gif /usr/share/httpd/icons/uuencoded.png /usr/share/httpd/icons/world1.gif /usr/share/httpd/icons/world1.png /usr/share/httpd/icons/world2.gif /usr/share/httpd/icons/world2.png /usr/share/httpd/icons/xml.png /usr/share/httpd/noindex /usr/share/httpd/noindex/css /usr/share/httpd/noindex/css/bootstrap-theme.min.css /usr/share/httpd/noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/fonts /usr/share/httpd/noindex/css/fonts/Bold /usr/share/httpd/noindex/css/fonts/Bold/OpenSans-Bold.eot /usr/share/httpd/noindex/css/fonts/Bold/OpenSans-Bold.svg /usr/share/httpd/noindex/css/fonts/Bold/OpenSans-Bold.ttf /usr/share/httpd/noindex/css/fonts/Bold/OpenSans-Bold.woff /usr/share/httpd/noindex/css/fonts/BoldItalic /usr/share/httpd/noindex/css/fonts/BoldItalic/OpenSans-BoldItalic.eot /usr/share/httpd/noindex/css/fonts/BoldItalic/OpenSans-BoldItalic.svg /usr/share/httpd/noindex/css/fonts/BoldItalic/OpenSans-BoldItalic.ttf /usr/share/httpd/noindex/css/fonts/BoldItalic/OpenSans-BoldItalic.woff /usr/share/httpd/noindex/css/fonts/ExtraBold /usr/share/httpd/noindex/css/fonts/ExtraBold/OpenSans-ExtraBold.eot /usr/share/httpd/noindex/css/fonts/ExtraBold/OpenSans-ExtraBold.svg /usr/share/httpd/noindex/css/fonts/ExtraBold/OpenSans-ExtraBold.ttf /usr/share/httpd/noindex/css/fonts/ExtraBold/OpenSans-ExtraBold.woff /usr/share/httpd/noindex/css/fonts/ExtraBoldItalic /usr/share/httpd/noindex/css/fonts/ExtraBoldItalic/OpenSans-ExtraBoldItalic.eot /usr/share/httpd/noindex/css/fonts/ExtraBoldItalic/OpenSans-ExtraBoldItalic.svg /usr/share/httpd/noindex/css/fonts/ExtraBoldItalic/OpenSans-ExtraBoldItalic.ttf /usr/share/httpd/noindex/css/fonts/ExtraBoldItalic/OpenSans-ExtraBoldItalic.woff /usr/share/httpd/noindex/css/fonts/Italic /usr/share/httpd/noindex/css/fonts/Italic/OpenSans-Italic.eot /usr/share/httpd/noindex/css/fonts/Italic/OpenSans-Italic.svg /usr/share/httpd/noindex/css/fonts/Italic/OpenSans-Italic.ttf /usr/share/httpd/noindex/css/fonts/Italic/OpenSans-Italic.woff /usr/share/httpd/noindex/css/fonts/Light /usr/share/httpd/noindex/css/fonts/Light/OpenSans-Light.eot /usr/share/httpd/noindex/css/fonts/Light/OpenSans-Light.svg /usr/share/httpd/noindex/css/fonts/Light/OpenSans-Light.ttf /usr/share/httpd/noindex/css/fonts/Light/OpenSans-Light.woff /usr/share/httpd/noindex/css/fonts/LightItalic /usr/share/httpd/noindex/css/fonts/LightItalic/OpenSans-LightItalic.eot /usr/share/httpd/noindex/css/fonts/LightItalic/OpenSans-LightItalic.svg /usr/share/httpd/noindex/css/fonts/LightItalic/OpenSans-LightItalic.ttf /usr/share/httpd/noindex/css/fonts/LightItalic/OpenSans-LightItalic.woff /usr/share/httpd/noindex/css/fonts/Regular /usr/share/httpd/noindex/css/fonts/Regular/OpenSans-Regular.eot /usr/share/httpd/noindex/css/fonts/Regular/OpenSans-Regular.svg /usr/share/httpd/noindex/css/fonts/Regular/OpenSans-Regular.ttf /usr/share/httpd/noindex/css/fonts/Regular/OpenSans-Regular.woff /usr/share/httpd/noindex/css/fonts/Semibold /usr/share/httpd/noindex/css/fonts/Semibold/OpenSans-Semibold.eot /usr/share/httpd/noindex/css/fonts/Semibold/OpenSans-Semibold.svg /usr/share/httpd/noindex/css/fonts/Semibold/OpenSans-Semibold.ttf /usr/share/httpd/noindex/css/fonts/Semibold/OpenSans-Semibold.woff /usr/share/httpd/noindex/css/fonts/SemiboldItalic /usr/share/httpd/noindex/css/fonts/SemiboldItalic/OpenSans-SemiboldItalic.eot /usr/share/httpd/noindex/css/fonts/SemiboldItalic/OpenSans-SemiboldItalic.svg /usr/share/httpd/noindex/css/fonts/SemiboldItalic/OpenSans-SemiboldItalic.ttf /usr/share/httpd/noindex/css/fonts/SemiboldItalic/OpenSans-SemiboldItalic.woff /usr/share/httpd/noindex/css/open-sans.css /usr/share/httpd/noindex/images /usr/share/httpd/noindex/images/apache_pb.gif /usr/share/httpd/noindex/images/poweredby.png /usr/share/httpd/noindex/index.html /usr/share/man/man8/apachectl.8.gz /usr/share/man/man8/fcgistarter.8.gz /usr/share/man/man8/htcacheclean.8.gz /usr/share/man/man8/httpd.8.gz /usr/share/man/man8/rotatelogs.8.gz /usr/share/man/man8/suexec.8.gz /var/cache/httpd /var/cache/httpd/proxy /var/lib/dav /var/log/httpd /var/www /var/www/cgi-bin /var/www/html
httpd-tools
Was uns das Paket httpd-tools alles mit ins System bringt, zeigt uns der Befehl rpm mit der Option -qil.
# rpm -qil httpd-tools
Name : httpd-tools Version : 2.4.6 Release : 18.el7.centos Architecture: x86_64 Install Date: Sun 24 Aug 2014 10:22:26 PM CEST Group : System Environment/Daemons Size : 172164 License : ASL 2.0 Signature : RSA/SHA256, Wed 23 Jul 2014 05:21:33 PM CEST, Key ID 24c6a8a7f4a80eb5 Source RPM : httpd-2.4.6-18.el7.centos.src.rpm Build Date : Wed 23 Jul 2014 04:49:10 PM CEST Build Host : worker1.bsys.centos.org Relocations : (not relocatable) Packager : CentOS BuildSystem <http://bugs.centos.org> Vendor : CentOS URL : http://httpd.apache.org/ Summary : Tools for use with the Apache HTTP Server Description : The httpd-tools package contains tools which can be used with the Apache HTTP Server. /usr/bin/ab /usr/bin/htdbm /usr/bin/htdigest /usr/bin/htpasswd /usr/bin/httxt2dbm /usr/bin/logresolve /usr/share/doc/httpd-tools-2.4.6 /usr/share/doc/httpd-tools-2.4.6/LICENSE /usr/share/doc/httpd-tools-2.4.6/NOTICE /usr/share/man/man1/ab.1.gz /usr/share/man/man1/htdbm.1.gz /usr/share/man/man1/htdigest.1.gz /usr/share/man/man1/htpasswd.1.gz /usr/share/man/man1/httxt2dbm.1.gz /usr/share/man/man1/logresolve.1.gz
apr
Was uns das Paket apr alles mit ins System bringt, zeigt uns der Befehl rpm mit der Option -qil.
# rpm -qil apr
Name : apr Version : 1.4.8 Release : 3.el7 Architecture: x86_64 Install Date: Sun 24 Aug 2014 10:22:24 PM CEST Group : System Environment/Libraries Size : 226686 License : ASL 2.0 and BSD with advertising and ISC and BSD Signature : RSA/SHA256, Fri 04 Jul 2014 02:39:16 AM CEST, Key ID 24c6a8a7f4a80eb5 Source RPM : apr-1.4.8-3.el7.src.rpm Build Date : Tue 10 Jun 2014 11:05:16 AM CEST Build Host : worker1.bsys.centos.org Relocations : (not relocatable) Packager : CentOS BuildSystem <http://bugs.centos.org> Vendor : CentOS URL : http://apr.apache.org/ Summary : Apache Portable Runtime library Description : The mission of the Apache Portable Runtime (APR) is to provide a free library of C data structures and routines, forming a system portability layer to as many operating systems as possible, including Unices, MS Win32, BeOS and OS/2. /usr/lib64/libapr-1.so.0 /usr/lib64/libapr-1.so.0.4.8 /usr/share/doc/apr-1.4.8 /usr/share/doc/apr-1.4.8/CHANGES /usr/share/doc/apr-1.4.8/LICENSE /usr/share/doc/apr-1.4.8/NOTICE
apr-util
Was uns das Paket apr alles mit ins System bringt, zeigt uns der Befehl rpm mit der Option -qil.
# rpm -qil apr-util
Name : apr-util Version : 1.5.2 Release : 6.el7 Architecture: x86_64 Install Date: Sun 24 Aug 2014 10:22:26 PM CEST Group : System Environment/Libraries Size : 198751 License : ASL 2.0 Signature : RSA/SHA256, Fri 04 Jul 2014 02:39:25 AM CEST, Key ID 24c6a8a7f4a80eb5 Source RPM : apr-util-1.5.2-6.el7.src.rpm Build Date : Tue 10 Jun 2014 04:31:06 AM CEST Build Host : worker1.bsys.centos.org Relocations : (not relocatable) Packager : CentOS BuildSystem <http://bugs.centos.org> Vendor : CentOS URL : http://apr.apache.org/ Summary : Apache Portable Runtime Utility library Description : The mission of the Apache Portable Runtime (APR) is to provide a free library of C data structures and routines. This library contains additional utility interfaces for APR; including support for XML, LDAP, database interfaces, URI parsing and more. /usr/lib64/apr-util-1 /usr/lib64/libaprutil-1.so.0 /usr/lib64/libaprutil-1.so.0.5.2 /usr/share/doc/apr-util-1.5.2 /usr/share/doc/apr-util-1.5.2/CHANGES /usr/share/doc/apr-util-1.5.2/LICENSE /usr/share/doc/apr-util-1.5.2/NOTICE
mailcap
Was uns das Paket mailcap alles mit ins System bringt, zeigt uns der Befehl rpm mit der Option -qil.
# rpm -qil mailcap
Name : mailcap Version : 2.1.41 Release : 2.el7 Architecture: noarch Install Date: Sun 24 Aug 2014 10:22:27 PM CEST Group : System Environment/Base Size : 63360 License : Public Domain and MIT Signature : RSA/SHA256, Fri 04 Jul 2014 05:37:02 AM CEST, Key ID 24c6a8a7f4a80eb5 Source RPM : mailcap-2.1.41-2.el7.src.rpm Build Date : Tue 10 Jun 2014 02:57:23 AM CEST Build Host : worker1.bsys.centos.org Relocations : (not relocatable) Packager : CentOS BuildSystem <http://bugs.centos.org> Vendor : CentOS URL : http://git.fedorahosted.org/git/mailcap.git Summary : Helper application and MIME type associations for file types Description : The mailcap file is used by the metamail program. Metamail reads the mailcap file to determine how it should display non-text or multimedia material. Basically, mailcap associates a particular type of file with a particular program that a mail agent or other program can call in order to handle the file. Mailcap should be installed to allow certain programs to be able to handle non-text files. Also included in this package is the mime.types file which contains a list of MIME types and their filename "extension" associations, used by several applications e.g. to determine MIME types for filenames. /etc/mailcap /etc/mime.types /usr/share/doc/mailcap-2.1.41 /usr/share/doc/mailcap-2.1.41/COPYING /usr/share/doc/mailcap-2.1.41/NEWS /usr/share/man/man4/mailcap.4.gz
Grundkonfiguration
Die Konfiguration des Apache-Webservers httpd erfolgt nicht mit Hilfe einer großen Konfigurationsdatei, sondern ist aufgeteilt in kleinere spezielle Konfigurationsdateien, jeweils auf die einzelnen Anwendungsfälle abgestimmt.
Im Verzeichnis /etc/httpd finden wir all diese Dateien.
/etc/httpd/ ├── conf │ ├── httpd.conf │ └── magic ├── conf.d │ ├── autoindex.conf │ ├── README │ ├── userdir.conf │ └── welcome.conf ├── conf.modules.d │ ├── 00-base.conf │ ├── 00-dav.conf │ ├── 00-lua.conf │ ├── 00-mpm.conf │ ├── 00-proxy.conf │ ├── 00-systemd.conf │ └── 01-cgi.conf ├── logs -> ../../var/log/httpd ├── modules -> ../../usr/lib64/httpd/modules └── run -> /run/httpd 6 directories, 13 files
httpd.conf
In der Hauptkonfigurationsdatei /etc/httpd/conf/httpd.conf des Webservers finden sich neben den Konfigurationsanweisungen noch weitere Direktiven
Gleich zu beginn der Konfigurationsdatei findet sich folgender wichtiger Hinweis:
Do NOT simply read the instructions in here without understanding what they do. They're here only as hints or reminders. If you are unsure consult the online docs. You have been warned.
Im Zweifel greifen wir also auf die Online-Dokumentation Dokumentation zum Apache HTTP Server Version 2.4 zurück. Mit dem Editor unserer Wahl, so z.B. vim öffnen wir nun also diese Hauptkonfigurationsdatei.
# vim /etc/httpd/conf/httpd.conf
- /etc/httpd/conf/httpd.conf
# # This is the main Apache HTTP server configuration file. It contains the # configuration directives that give the server its instructions. # See <URL:http://httpd.apache.org/docs/2.4/> for detailed information. # In particular, see # <URL:http://httpd.apache.org/docs/2.4/mod/directives.html> # for a discussion of each configuration directive. # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure # consult the online docs. You have been warned. # # Configuration and logfile names: If the filenames you specify for many # of the server's control files begin with "/" (or "drive:/" for Win32), the # server will use that explicit path. If the filenames do *not* begin # with "/", the value of ServerRoot is prepended -- so 'log/access_log' # with ServerRoot set to '/www' will be interpreted by the # server as '/www/log/access_log', where as '/log/access_log' will be # interpreted as '/log/access_log'. # # ServerRoot: The top of the directory tree under which the server's # configuration, error, and log files are kept. # # Do not add a slash at the end of the directory path. If you point # ServerRoot at a non-local disk, be sure to specify a local disk on the # Mutex directive, if file-based mutexes are used. If you wish to share the # same ServerRoot for multiple httpd daemons, you will need to change at # least PidFile. # ServerRoot "/etc/httpd" # # Listen: Allows you to bind Apache to specific IP addresses and/or # ports, instead of the default. See also the <VirtualHost> # directive. # # Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses. # #Listen 12.34.56.78:80 # Django : 2014-08-24 # default: Listen 80 Listen 10.0.0.97:80 # # Dynamic Shared Object (DSO) Support # # To be able to use the functionality of a module which was built as a DSO you # have to place corresponding `LoadModule' lines at this location so the # directives contained in it are actually available _before_ they are used. # Statically compiled modules (those listed by `httpd -l') do not need # to be loaded here. # # Example: # LoadModule foo_module modules/mod_foo.so # Include conf.modules.d/*.conf # # If you wish httpd to run as a different user or group, you must run # httpd as root initially and it will switch. # # User/Group: The name (or #number) of the user/group to run httpd as. # It is usually good practice to create a dedicated user and group for # running httpd, as with most system services. # User apache Group apache # 'Main' server configuration # # The directives in this section set up the values used by the 'main' # server, which responds to any requests that aren't handled by a # <VirtualHost> definition. These values also provide defaults for # any <VirtualHost> containers you may define later in the file. # # All of these directives may appear inside <VirtualHost> containers, # in which case these default settings will be overridden for the # virtual host being defined. # # # ServerAdmin: Your address, where problems with the server should be # e-mailed. This address appears on some server-generated pages, such # as error documents. e.g. admin@your-domain.com # # Django : 2014-08-24 # default: ServerAdmin root@localhost ServerAdmin webmaster@nausch.org # # ServerName gives the name and port that the server uses to identify itself. # This can often be determined automatically, but we recommend you specify # it explicitly to prevent problems during startup. # # If your host doesn't have a registered DNS name, enter its IP address here. # #ServerName www.example.com:80 # Django : 2014-08-24 # default: unset ServerName www7.nausch.org:80 # # Deny access to the entirety of your server's filesystem. You must # explicitly permit access to web content directories in other # <Directory> blocks below. # <Directory /> AllowOverride none Require all denied </Directory> # # Note that from this point forward you must specifically allow # particular features to be enabled - so if something's not working as # you might expect, make sure that you have specifically enabled it # below. # # # DocumentRoot: The directory out of which you will serve your # documents. By default, all requests are taken from this directory, but # symbolic links and aliases may be used to point to other locations. # DocumentRoot "/var/www/html" # # Relax access to content within /var/www. # <Directory "/var/www"> AllowOverride None # Allow open access: Require all granted </Directory> # Further relax access to the default document root: <Directory "/var/www/html"> # # Possible values for the Options directive are "None", "All", # or any combination of: # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews # # Note that "MultiViews" must be named *explicitly* --- "Options All" # doesn't give it to you. # # The Options directive is both complicated and important. Please see # http://httpd.apache.org/docs/2.4/mod/core.html#options # for more information. # Options Indexes FollowSymLinks # # AllowOverride controls what directives may be placed in .htaccess files. # It can be "All", "None", or any combination of the keywords: # Options FileInfo AuthConfig Limit # AllowOverride None # # Controls who can get stuff from this server. # Require all granted </Directory> # # DirectoryIndex: sets the file that Apache will serve if a directory # is requested. # <IfModule dir_module> DirectoryIndex index.html </IfModule> # # The following lines prevent .htaccess and .htpasswd files from being # viewed by Web clients. # <Files ".ht*"> Require all denied </Files> # # ErrorLog: The location of the error log file. # If you do not specify an ErrorLog directive within a <VirtualHost> # container, error messages relating to that virtual host will be # logged here. If you *do* define an error logfile for a <VirtualHost> # container, that host's errors will be logged there and not here. # ErrorLog "logs/error_log" # # LogLevel: Control the number of messages logged to the error_log. # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. # LogLevel warn <IfModule log_config_module> # # The following directives define some format nicknames for use with # a CustomLog directive (see below). # LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common <IfModule logio_module> # You need to enable mod_logio.c to use %I and %O LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio </IfModule> # # The location and format of the access logfile (Common Logfile Format). # If you do not define any access logfiles within a <VirtualHost> # container, they will be logged here. Contrariwise, if you *do* # define per-<VirtualHost> access logfiles, transactions will be # logged therein and *not* in this file. # #CustomLog "logs/access_log" common # # If you prefer a logfile with access, agent, and referer information # (Combined Logfile Format) you can use the following directive. # CustomLog "logs/access_log" combined </IfModule> <IfModule alias_module> # # Redirect: Allows you to tell clients about documents that used to # exist in your server's namespace, but do not anymore. The client # will make a new request for the document at its new location. # Example: # Redirect permanent /foo http://www.example.com/bar # # Alias: Maps web paths into filesystem paths and is used to # access content that does not live under the DocumentRoot. # Example: # Alias /webpath /full/filesystem/path # # If you include a trailing / on /webpath then the server will # require it to be present in the URL. You will also likely # need to provide a <Directory> section to allow access to # the filesystem path. # # ScriptAlias: This controls which directories contain server scripts. # ScriptAliases are essentially the same as Aliases, except that # documents in the target directory are treated as applications and # run by the server when requested rather than as documents sent to the # client. The same rules about trailing "/" apply to ScriptAlias # directives as to Alias. # ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" </IfModule> # # "/var/www/cgi-bin" should be changed to whatever your ScriptAliased # CGI directory exists, if you have that configured. # <Directory "/var/www/cgi-bin"> AllowOverride None Options None Require all granted </Directory> <IfModule mime_module> # # TypesConfig points to the file containing the list of mappings from # filename extension to MIME-type. # TypesConfig /etc/mime.types # # AddType allows you to add to or override the MIME configuration # file specified in TypesConfig for specific file types. # #AddType application/x-gzip .tgz # # AddEncoding allows you to have certain browsers uncompress # information on the fly. Note: Not all browsers support this. # #AddEncoding x-compress .Z #AddEncoding x-gzip .gz .tgz # # If the AddEncoding directives above are commented-out, then you # probably should define those extensions to indicate media types: # AddType application/x-compress .Z AddType application/x-gzip .gz .tgz # # AddHandler allows you to map certain file extensions to "handlers": # actions unrelated to filetype. These can be either built into the server # or added with the Action directive (see below) # # To use CGI scripts outside of ScriptAliased directories: # (You will also need to add "ExecCGI" to the "Options" directive.) # #AddHandler cgi-script .cgi # For type maps (negotiated resources): #AddHandler type-map var # # Filters allow you to process content before it is sent to the client. # # To parse .shtml files for server-side includes (SSI): # (You will also need to add "Includes" to the "Options" directive.) # AddType text/html .shtml AddOutputFilter INCLUDES .shtml </IfModule> # # Specify a default charset for all content served; this enables # interpretation of all content as UTF-8 by default. To use the # default browser choice (ISO-8859-1), or to allow the META tags # in HTML content to override this choice, comment out this # directive: # AddDefaultCharset UTF-8 <IfModule mime_magic_module> # # The mod_mime_magic module allows the server to use various hints from the # contents of the file itself to determine its type. The MIMEMagicFile # directive tells the module where the hint definitions are located. # MIMEMagicFile conf/magic </IfModule> # # Customizable error responses come in three flavors: # 1) plain text 2) local redirects 3) external redirects # # Some examples: #ErrorDocument 500 "The server made a boo boo." #ErrorDocument 404 /missing.html #ErrorDocument 404 "/cgi-bin/missing_handler.pl" #ErrorDocument 402 http://www.example.com/subscription_info.html # # # EnableMMAP and EnableSendfile: On systems that support it, # memory-mapping or the sendfile syscall may be used to deliver # files. This usually improves server performance, but must # be turned off when serving from networked-mounted # filesystems or if support for these functions is otherwise # broken on your system. # Defaults if commented: EnableMMAP On, EnableSendfile Off # #EnableMMAP off EnableSendfile on # Supplemental configuration # # Load config files in the "/etc/httpd/conf.d" directory, if any. IncludeOptional conf.d/*.conf
Paketfilter/Firewall
Damit unsere Besucher Verbindungen zu den geöffneten Ports http/80 UND https/443 unseres Apache-Webserver aufbauen können müssen wir für diese noch Änderungen am Paketfilter firewalld vornehmen.
Unter CentOS 7 wird als Standard-Firewall die dynamische firewalld verwendet. Ein großer Vorteil der dynamischen Paketfilterregeln ist unter anderem, dass zur Aktivierung der neuen Firewall-Regel(n) nicht der Daemon durchgestartet werden muss und somit alle aktiven Verbiundungen kurz getrennt werden. Sondern unsere Änderungen können on-the-fly aktiviert oder auch wieder deaktiviert werden.
Mit Hilfe des Programms firewall-cmd legen wir nun eine permanente Regel in der Zone public, dies entspricht in unserem Beispiel das Netzwerk-Interface eth0 mit der IP 10.0.0.70 an. Als Source-IP geben geben wir keine speziellen IP-Adressen an, was entsprechend 0.0.0.0 entspricht. Genug der Vorrede, mit nachfolgendem Befehl werden die beiden Ports 80 und 443 geöffnet.
# firewall-cmd --permanent --zone=public --add-service=http
success
# firewall-cmd --permanent --zone=public --add-service=https
success
Anschließend können wir den Firewall-Daemon einmal durchstarten und anschließend überprüfen, ob die Regeln auch entsprechend unserer Definition, gezogen haben.
# firewall-cmd --reload
success
Anschließend können wir abfragen, welche Dienste in der Zone public geöffnet sind.
# firewall-cmd --zone=public --list-services
http https ssh
Genauso können wir natürlich mit mit dem Befehl iptables abfragen, ob die Erweiterung unseres Paketfilter aktiv ist.
# iptables -nvL IN_public_allow
Chain IN_public_allow (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
Systemstart
erster manueller Start
# systemctl start httpd.service
Im Maillog wird der Start unseres IMAP-Servers entsprechend vermerkt.
# less /var/log/httpd/error_log
[Sun Aug 24 23:23:40.508454 2014] [suexec:notice] [pid 21449] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Sun Aug 24 23:23:40.524746 2014] [auth_digest:notice] [pid 21449] AH01757: generating secret for digest authentication ... [Sun Aug 24 23:23:40.525666 2014] [lbmethod_heartbeat:notice] [pid 21449] AH02282: No slotmem from mod_heartmonitor [Sun Aug 24 23:23:40.529321 2014] [mpm_prefork:notice] [pid 21449] AH00163: Apache/2.4.6 (CentOS) configured -- resuming normal operations [Sun Aug 24 23:23:40.529360 2014] [core:notice] [pid 21449] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
Ebenso kann man den Status des Webservers mit Hilfe des Befehls systemctl abfragen.
# systemctl status httpd.service
httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled) Active: active (running) since Sun 2014-08-24 23:23:40 CEST; 1min 28s ago Main PID: 21449 (httpd) Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec" CGroup: /system.slice/httpd.service ├─21449 /usr/sbin/httpd -DFOREGROUND ├─21450 /usr/sbin/httpd -DFOREGROUND ├─21451 /usr/sbin/httpd -DFOREGROUND ├─21452 /usr/sbin/httpd -DFOREGROUND ├─21453 /usr/sbin/httpd -DFOREGROUND └─21454 /usr/sbin/httpd -DFOREGROUND Aug 24 23:23:40 vml000097.dmz.nausch.org systemd[1]: Started The Apache HTTP Server.
automatischer Start beim Systemstart
Wollen wir den Daemon beim Hochfahren des Systems automatisch starten, greifen wir auf den Befehl systemctl zurück.
# systemctl enable httpd.service
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
Möchten wir uns vergewissern, ob der Daemon beim Systemstart gestartet wird oder nicht, erfahren wir ebenfalls mit dem Befehl systemctl.
# systemctl is-enabled httpd.service
enabled
Startet der Server nicht automatisch, wird uns ein „disabled“ zurückgemeldet.
Systemtest / Testseite
Firefox
Rufen wir nun das erste mal die URL unseres Webservers auf, wird uns eine modifizierte Fehlerseite präsentiert.
# firefox http://www7.nausch.org
Im Error-Log unseres Webservers sehen wir entsprechend folgenden Hinweis.
[Sun Aug 24 23:29:11.868715 2014] [autoindex:error] [pid 21450] [client 10.0.0.20:53369] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive
Im Access-Log finden wir den Zugriff auf die modifizierte Standardseite.
# less /var/log/httpd/access_log
10.0.0.20 - - [24/Aug/2014:23:29:11 +0200] "GET / HTTP/1.1" 403 4880 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0" 10.0.0.20 - - [24/Aug/2014:23:29:11 +0200] "GET /css/bootstrap.min.css HTTP/1.1" 200 19341 "http://www7.nausch.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0" 10.0.0.20 - - [24/Aug/2014:23:29:11 +0200] "GET /css/open-sans.css HTTP/1.1" 200 5081 "http://www7.nausch.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0" 10.0.0.20 - - [24/Aug/2014:23:29:11 +0200] "GET /images/apache_pb.gif HTTP/1.1" 200 2326 "http://www7.nausch.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0" 10.0.0.20 - - [24/Aug/2014:23:29:11 +0200] "GET /images/poweredby.png HTTP/1.1" 200 3956 "http://www7.nausch.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0" 10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 233 "http://www7.nausch.org/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0" 10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 231 "http://www7.nausch.org/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0" 10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 230 "http://www7.nausch.org/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0" 10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 232 "http://www7.nausch.org/css/open-sans.css" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0" 10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0" 10.0.0.20 - - [24/Aug/2014:23:29:12 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0"
elinks
Benutzen wir einen Text-Browser, wie z.B. elinks und rufen wir nun die URL unseres Webservers auf, wird uns auch hier eine modifizierte Fehlerseite präsentiert.
# elinks http://www7.nausch.org
Im Error-Log unseres Apache-WEB-Servers wird natürlich wieder eine entsprechende Logzeile generiert.
# less /var/log/httpd/error_log
[Fri Aug 29 13:51:14.353130 2014] [autoindex:error] [pid 4741] [client 10.0.0.20:47188] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.php) found, and server-generated directory index forbidden by Options directive
Im Access-Log finden wir den Zugriff auf die modifizierte Standardseite.
# less /var/log/httpd/access_log
10.0.0.20 - - [29/Aug/2014:13:51:14 +0200] "GET / HTTP/1.1" 403 4880 "-" "ELinks/0.12pre6 (textmode; Linux; 177x53-2)" 10.0.0.20 - - [29/Aug/2014:13:51:14 +0200] "GET /css/open-sans.css HTTP/1.1" 200 5081 "http://www7.nausch.org/" "ELinks/0.12pre6 (textmode; Linux; 177x53-2)" 10.0.0.20 - - [29/Aug/2014:13:51:14 +0200] "GET /css/bootstrap.min.css HTTP/1.1" 200 19341 "http://www7.nausch.org/" "ELinks/0.12pre6 (textmode; Linux; 177x53-2)"
telnet
Zum Testen des Server braucht man im Gunde nicht einmal einen Browser. Da das HTML-Protokoll im Klartext abläuft kann man dies auch jederzeit mit einem einfachen telnet testen. Wir bauen hierzu einfach mit Hilfe von telnet eine Verbindung auf Port 80 zu unserem webserver auf und geben dann die benötigten Befehle einfach per Hand ein.
Nach dem Verbinden mit dem Server geben wir an welches Dokument wir holen wollen und welche Protokollversion verwendet werden soll. Zu guter Letzt geben wir noch an, von welchem Host wir die Daten holen wollen und schließen unsere Eingaben mit einer Leerzeile ab.
Bei Test vsind die Eingaben am testenden Client in der Farbe blau , die Rückmeldungen unseres Web-Servers in der Farbe schwarz gekennzeichnet. Die Ausgaben des Befehls telnet sind in der Farbe rot eingefärbt.
Wir bauen also eine Verbindung zu unserem Postfix-Server zum HTTP-Port 80 auf.
$ telnet www7.nausch.org 80
Trying 10.0.0.97... Connected to 10.0.0.97. Escape character is '^]'.Die Verbindung zu unserem Webserver steht und dieser erwarten nun von uns unsere weitere Eingabe.
GET / HTTP/1.1 HOST:www7.nausch.org Connection: closeHiermit haben wir dem webserver mitgeteilt, dass wir das root-/Hauptverzeichnis / abrufen, dabei die Protokollversion HTTP/1.1 verwenden und das ganze für die URL bzw. vom Host www7.nausch.org beziehen wollen.
HTTP/1.1 403 Forbidden
Date: Fri, 29 Aug 2014 12:20:43 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 17 Jun 2014 16:00:47 GMT
ETag: "1310-4fc0a3f32a9c0"
Accept-Ranges: bytes
Content-Length: 4880
Connection: close
Content-Type: text/html; charset=UTF-8
Da wir angegeben keine HTML-Seite angegeben, sonder das Verzeichnis / versucht hatten abzurufen, quittiert und unser Webserver die Anfrage mit dem Fehlercode 403 Forbidden. Anschließend wird uns die CentOS spefifische Fehlerseite ausgegeben.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Apache HTTP Server Test Page powered by CentOS</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <!-- Bootstrap --> <link href="css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="css/open-sans.css" type="text/css" /> <style type="text/css"><!-- body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px; } h2, h3, h4 { font-weight: 200; } h2 { font-size: 28px; } .jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers */ background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); /* W3C */ } .jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc, 0px 4px 10px rgba(0,0,0,0.15), 0px 5px 2px rgba(0,0,0,0.1), 0px 6px 30px rgba(0,0,0,0.1); } .jumbotron p { font-size: 28px; font-weight: 100; } .main { background: white; color: #234; border-top: 1px solid rgba(0,0,0,0.12); padding-top: 30px; padding-bottom: 40px; } .footer { border-top: 1px solid rgba(255,255,255,0.2); padding-top: 30px; } --></style> </head> <body> <div class="jumbotron text-center"> <div class="container"> <h1>Testing 123..</h1> <p class="lead">This page is used to test the proper operation of the <a href="http://apache.org">Apache HTTP server</a> after it has been installed. If you can read this page it means that this site is working properly. This server is powered by <a href="http://centos.org">CentOS</a>.</p> </div> </div> <div class="main"> <div class="container"> <div class="row"> <div class="col-sm-6"> <h2>Just visiting?</h2> <p class="lead">The website you just visited is either experiencing problems or is undergoing routine maintenance.</p> <p>If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name "webmaster" and directed to the website's domain should reach the appropriate person.</p> <p>For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".</p> </div> <div class="col-sm-6"> <h2>Are you the Administrator?</h2> <p>You should add your website content to the directory <tt>/var/www/html/</tt>.</p> <p>To prevent this page from ever being used, follow the instructions in the file <tt>/etc/httpd/conf.d/welcome.conf</tt>.</p> <h2>Promoting Apache and CentOS</h2> <p>You are free to use the images below on Apache and CentOS Linux powered HTTP servers. Thanks for using Apache and CentOS!</p> <p><a href="http://httpd.apache.org/"><img src="images/apache_pb.gif" alt="[ Powered by Apache ]"></a> <a href="http://www.centos.org/"><img src="images/poweredby.png" alt="[ Powered by CentOS Linux ]" height="31" width="88"></a></p> </div> </div> </div> </div> </div> <div class="footer"> <div class="container"> <div class="row"> <div class="col-sm-6"> <h2>Important note:</h2> <p class="lead">The CentOS Project has nothing to do with this website or its content, it just provides the software that makes the website run.</p> <p>If you have issues with the content of this site, contact the owner of the domain, not the CentOS project. Unless you intended to visit CentOS.org, the CentOS Project does not have anything to do with this website, the content or the lack of it.</p> <p>For example, if this website is www.example.com, you would find the owner of the example.com domain at the following WHOIS server:</p> <p><a href="http://www.internic.net/whois.html">http://www.internic.net/whois.html</a></p> </div> <div class="col-sm-6"> <h2>The CentOS Project</h2> <p>The CentOS Linux distribution is a stable, predictable, manageable and reproduceable platform derived from the sources of Red Hat Enterprise Linux (RHEL).<p> <p>Additionally to being a popular choice for web hosting, CentOS also provides a rich platform for open source communities to build upon. For more information please visit the <a href="http://www.centos.org/">CentOS website</a>.</p> </div> </div> </div> </div> </div> </body></html>
Da wir bei unserem Request Connection: close angegeben hatten, wird die Verbindung zum Webserver wieder getrennt.
Connection closed by foreign host.
Anwendungen/WEB-Seiten
erste Webseite
Da wir uns natürlich nicht mit der Standardfehlerseite unseres Apache-Webservers begnügen wollen legen wir uns unsere erste eigene minimalistische HTML-Seite an; hierzu benutzen wir den Editor unserer Wahl, z.B. vim. Das HTML-Dokument legen wir im DocumentRoot var/www/html/ unseres Web-Servers an.
# vim /var/www/html/index.html
<html> Unserer erste <b>html</b>-Testseite!<br> Weiter Informationen zum Apache-Webserver finden wir im <a href="https://dokuwiki.nausch.org/doku.php/centos:web_c7:start">Djangos Dokuwiki</a> ;) </html>
Nun können wir unsere erste eigene Webseite ansurfen, wie gewohnt mit dem Browser der Wahl. Beim Zugriffstest mit Hilfe von telnet gilt auch hier wiederum: „Die Eingaben am testenden Client sind in der Farbe blau , die Rückmeldungen unseres Web-Servers in der Farbe schwarz gekennzeichnet. Die Ausgaben des Befehls telnet sind in der Farbe rot eingefärbt.“
$ firefox www7.nausch.org
$ elinks www7.nausch.org
$ telnet www7.nausch.org 80
Trying 10.0.0.97...
Connected to 10.0.0.97.
Escape character is '^]'.
GET / HTTP/1.1
HOST:www7.nausch.org
Connection: close
HTTP/1.1 200 OK
Date: Fri, 29 Aug 2014 13:24:20 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Fri, 29 Aug 2014 13:15:34 GMT
ETag: "104-501c472c8a108"
Accept-Ranges: bytes
Content-Length: 260
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
Dies ist unserer erste <b>html</b>-Testseite!<br> zum Testen der Konfiguration unseres Web-servers.
Weiter Informationen zum Apache-Webserver finden wir in <a href="https://dokuwiki.nausch.org/doku.php/centos:web_c7:start">Djangos WIKI</a> ;)
</html>
Connection closed by foreign host.
Im Accesslog unseres Webservers sehen wir dann auch die erfolgreichen Zugriffe auf unsere erste index.html.
... 10.0.0.20 - - [29/Aug/2014:15:15:49 +0200] "GET / HTTP/1.1" 200 260 "-" "ELinks/0.12pre6 (textmode; Linux; 177x53-2)" 10.0.0.20 - - [29/Aug/2014:15:16:36 +0200] "GET / HTTP/1.1" 200 260 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0" 10.0.0.20 - - [29/Aug/2014:15:23:54 +0200] "GET /index.html HTTP/1.1" 200 260 "-" "-" 10.0.0.20 - - [29/Aug/2014:15:24:20 +0200] "GET / HTTP/1.1" 200 260 "-" "-" ...
erster (named based) vHOST
Unser Web-Sever soll später für unterschiedliche (Sub-)Domains Seiten ausliefern. Wir werden hierzu Name based virual Hosts oder kurz vHOSTs einsetzen. Eine detailierte Beschreibung hierzu findet man unter anderem auch in der Beschreibung zu Unterstützung namensbasierter virtueller Hosts.
Im folgendem Konfigurationsbeispiel wollen wir für die beiden Hostnamen cam.mail-server.guru und test.mail-server.guru einen Webserver konfigurieren, der die Seiten der beiden vHosts ausliefert.
Zunächst legen wir uns auf unserem Server zwei Verzeichnisse für die beiden vHosts an.
# mkdir /var/www/vhost1
# mkdir /var/www/vhost2
In den neuen Unterverzeichnissen stellen wir dann jeweils eine eigene index-html-Datei ein.
# vim /var/www/vhost1/index.html
- /var/www/vhost1/index.html
<html> <h1>vHost 1</h1> Dies ist die <b>index.html</b>-Startseite unseres ersten vHosts bzw. default-Host unseres Web-servers.<br> <br> Weitere Informationen zum Apache-Webserver finden wir im <a href="https://dokuwiki.nausch.org/doku.php/centos:web_c7:start">Djangos WIKI</a> ;) </html>
# vim /var/www/vhost2/index.html
- /var/www/vhost2/index.html
<html> <h1>vHost 2</h1> Dies ist die <b>index.html</b>-Startseite unseres zweiten vHosts unseres Web-servers.<br> </html>
Wir haben also folgende Verzeichnis-Struktur.
/var/www/ ├── cgi-bin ├── html ├── vhost1 │ └── index.html └── vhost2 └── index.html
Was wir nun brauchen, ist die entsprechende Konfiguration(sdatei) für dieses Beispiel. Durch die Directive IncludeOptional in der Konfigurationsdatei /etc/httpd/conf/httpd.conf werden alle Dateien mit der Erweiterung .conf in alphabetischer Reihenfolge eingebunden.
# vim /etc/httpd/conf/httpd.conf
- /etc/httpd/conf/httpd.conf
... # Supplemental configuration # # Load config files in the "/etc/httpd/conf.d" directory, if any. IncludeOptional conf.d/*.conf
Ob wir nun eine Datei mit allen vHost-Definitionen anlegen, oder ob diese in einzelne Dateien aufgesplittet werden, ist letztendlich egal. Die Trennung in einzelne Konfigurationsdateien hat den Vorteil, dass man so leichter den Überblick bei vielen vHosts behält und man so leicht einzelne vHosts schnell deaktivieren kann, in dem man die Konfigurationsdatei umbenennt, oder in ein anderes Verzeichnis verschiebt. Der Namensteil 80 symmbolisiert dabei auch den HTTP-Port 80.
Wir legen uns also für unseren ersten Host eine Date an.
# vim /etc/httpd/conf.d/80_test.mail-server.guru.conf
- /etc/httpd/conf.d/80_test.mail-server.guru.conf
# # Django : 2014-08-29 # vHost test.sec-mail.guru # <VirtualHost *:80> ServerAdmin webmaster@nausch.org ServerName test.sec-mail.guru ServerPath / DocumentRoot "/var/www/vhost1" <Directory "/var/www/vhost1"> Options FollowSymLinks AllowOverride none Require all granted </Directory> DirectoryIndex index.html ErrorLog logs/test.mail-server.guru_error.log CustomLog logs/test.mail-server.guru_access.log combined </VirtualHost>
Und auch für unseren zweiten vHOST legen wir die nötige Konfigurationsdatei an.
# vim /etc/httpd/conf.d/80_test.mail-server.guru.conf
- /etc/httpd/conf.d/80_cam.mail-server.guru.conf
# # Django : 2014-08-29 # vHost webcam.sec-mail.guru # <VirtualHost *:80> ServerAdmin webmaster@nausch.org ServerName webcam.sec-mail.guru ServerAlias cam.sec-mail.guru ServerPath / DocumentRoot "/var/www/vhost2" <Directory "/var/www/vhost2"> Options FollowSymLinks AllowOverride none Require all granted </Directory> DirectoryIndex index.html ErrorLog logs/webcam.mail-server.guru_error.log CustomLog logs/webcam.mail-server.guru_access.log combined </VirtualHost>
Nun ist es an der Zeit, unseren Webserver von der Konfigurationsanpassung in Kenntnis zu setzen. Bevor wir dies aber tun, überprüfen wir noch, ob die Konfigurationsdateien unseres web-Servers noch irgendwelche syntaktischen Fehler haben. Hierzu benutzen wir folgenden Aufruf.
# apachectl -t
Syntax OK
Da kein Syntax-Fehler gefunden wurde, führen wir einen Reload unseres Apache-WEB-Servers durch.
# systemctl reload httpd.service
Da jeder vHOST die Zugriffe bzw. die Fehler in separate Logdateien schreibt, haben wir es bei der Fehlersuche oder Auswertung der einzelnen Kunden-vHOSTS einfacher, als bei großen Dateien, in die jeder einzelne vHOST schreiben würde.
/var/log/httpd/ ├── access_log ├── test.mail-server.guru_access.log ├── test.mail-server.guru_error.log ├── webcam.mail-server.guru_access.log ├── webcam.mail-server.guru_error.log └── error_log
In dem Konfigurationsbeispiel ist der zweite vHOST sowohl über dem Namen webcam.sec-mail.guru als auch cam.sec-mail.guru erreichbar. realisiert wurde dies mit dem Parameter ServerAlias.
Eine ausführliche Beschreibung und Dokumentationder einzelnen Konfigurations-Directiven und -Optionen findet man in der Apache-Dokumentation zu virtuellen Hosts.
named based default vHOST
Setzen wir name-based-virtual-hosts ein, überprüft unser Webserver, ob im Request die IP-Adresse des Servers verwendet wurde. Anschließend werden dann alle <VirtualHost>-Abschnitte mit der benutzten IP-Adresse verglichen und geprüft, ob der gewählte Hostname zu einem ServerName oder der ServerAlias-Anweisung übereinstimmt. Bei einem positiven Ergebnis wird dann die konfiguration dieses vHOSTs verwendet, wie. z.B. in dem vorherigen Konfigurationsbeispiel. Wird jedoch kein passender vHOST gefunden, so wird die Konfiguration des ersten vHOSTS verwendet!
Wichtig
Da wir alle unsere vHOSTs in jeweils eigenen Dateien konfigurieren, ist es notwendig, dass wir dafür sorgen, dass die Konfigurationsdatei ganz am Anfang des Verzeichnisses steht, da der Apache-Webserver, die einzelnen Konfigurationsdateien im Verzeichnis /etc/httpd/conf.d/ in alphabetischer Reihenfolge einliest. Wir erreichen das ganz einfach, in dem wir dem vHOST eingfach eine 10 im Dateinamen vorne an stellen.
Für diesen speziellen Fall können wir auch eine eigene spezielle vHOST-Konfiguration definieren, nämlich den _default_-vHOST. Nähere Hinweise hierzu findet man in der Beschreibung zuUsing _default_ vhosts.
Wir legen uns also hierzu einen speziellen vHOST an.
# vim /etc/httpd/conf.d/10_default_vHost.conf
- /etc/httpd/conf.d/10_default_vHost.conf
# # Django : 2014-08-29 # default vHost sec-mail.guru # <VirtualHost _default_:80> ServerAdmin webmaster@nausch.org ServerName sec-mail.guru ServerAlias www.sec-mail.guru ServerPath / DocumentRoot "/var/www/default" <Directory "/var/www/default"> Options FollowSymLinks AllowOverride none Require all granted </Directory> DirectoryIndex index.html ErrorLog logs/default-host_sec-mail.guru_error.log CustomLog logs/default-host_sec-mail.guru_access.log combined </VirtualHost>
Auch hier testen wir, o sich nicht irgendwo ein Schreibfehler eingeschlichen hat.
# apachectl -t
Syntax OK
Anschließend führen wir einen reload unseres Servers durch, damit dieser die Konfigurationsdateien neu einliest.
# systemctl reload httpd.service
Authentifizierung für geschützte Bereiche
Nicht immer wollen wir Inhalte die unser WEB-Server zur Verfügung stellt, allen Besuchern zugänglich machen. Bestimmte vertrauliche Daten, sollen oft nur einem gewissen Teilnehmerkreis angeboten werden. Diese Besucher müssen sich dann mit Hilfe eines Namens und eines zugehörigen Passwortes zu erkennen geben.
In den folgenden beiden Konfigurationsbeispielen wollen wir nun an Hand zweier Beispiele diese Funktion einrichten.
Basic Authentifikation
Die einfachste Variante zum Anmeldevorgang ist die Variante PasswordBasicAuth. Die berechtigten Nutzer und die zugehörigen Passwörter sind in einer Konfigurationsdatei, die sich außerhalb des Webserverspeicherbereichs kurz DocumentRoot befindet.
Mit Hilfe des Befehls htpasswd aus dem RPM httpd-tools verwalten wir die entsprechenden Userdaten.
Haben wir noch keine Passwort-Datei angelegt, generieren wir dies mit folgendem Aufruf. Ob man nun einen Usernamen oder eine eMail-Adresse zur Authentifizierung verwenden ist egal.
# htpasswd -c /etc/httpd/.htpasswd django@sec-mail.guru
New password: Re-type new password:
Das Passwort, welches wir 2x eingegeben hatten, wird standardmäßig als MD5-digest mit einem 32 salt gespeichert. Man erkennt dies an der Zeichenfolge $apr1$.
# cat /etc/httpd/.htpasswd
django@sec-mail.guru:$apr1$YyiOChB1$FoEbQKJ.lgbVrD4lh7CN2.
Wollen wir einen weiteren Nutzerhinzufügen rufen wir den Befehl htpasswd ohne den Parameter -c auf.
# htpasswd -/etc/httpd/.htpasswd django
New password: Re-type new password:
Es befinden sich nun zwei Anmeldenamen und deren zugehörigen verschlüsselten Passwörtern in der .htpasswd-Datei.
# cat /etc/httpd/.htpasswd
django:$apr1$4lnKyN.k$A6mfy5g6yxOgZWn9IcCNg. django@sec-mail.guru:$apr1$YyiOChB1$FoEbQKJ.lgbVrD4lh7CN2.
Haben wir alle Benutzer angelegt, geht es nun weiter mit der Konfiguration unseres vHOSTs.
Beim betreffenden Beispiel, einem vHOST der die WEB-Anwendung PostfixAdmin zur Verfügung stellt, tragen wir nun folgende Zeilen nach.
# vim /etc/httpd/conf.d/vhost_443_postfixadmin.conf
... # Django : 2014-09-08 Konfigurationsbeispiel zur Basic Authenifikation mit Hilfe # einer htpasswd-Datei <Location /> Options +FollowSymLinks +Multiviews +Indexes AllowOverride None AuthType basic AuthName "PostfixAdmin-Webserver" AuthUserFile /etc/httpd/.htpasswd Require valid-user django django@sec-mail.guru </Location> ...
Damit unsere Änderungen aktiv werden bedarf es noch eines Reloads unseres httpdaemon.
# systemctl reload httpd.service
WICHTIG:
Damit die Anmeldedaten nicht von Dritten mitgelesen und abgefischt werden können, nutzen wir natürlich einen SSL-geschützten vHOST!
LDAPs Authentifikation
In der Regel haben wir zur Verwaltung der Nutzerdaten ein Backendsystem zur Verwaltung im Einsatz. Im folgendem Konfigurationsbeispiel werden wir uns nun gegen einen vorhandenen LDAP-Server authentifizieren.
Damit sich unser Client mit dem OpenLDAP-Server verbinden kann, sind ein paar Vorkehrungen zu treffen.
Installation
openldap-clients
Als erstes installieren wir uns das RPM-Paket openldap-clients, wie soll es anders sein, verwenden wir hierzu das Programmverwaltungs-Tool YUM unter CentOS 7.x.
# yum install openldap-clients -y
Das was uns das Paket alles mitbrachte, können wir uns wie folgt ausgeben lassen.
# rpm -qil openldap-clients
Name : openldap-clients Version : 2.4.39 Release : 6.el7 Architecture: x86_64 Install Date: Fri 17 Jul 2015 07:29:06 PM CEST Group : Applications/Internet Size : 588433 License : OpenLDAP Signature : RSA/SHA256, Sat 14 Mar 2015 09:22:43 AM CET, Key ID 24c6a8a7f4a80eb5 Source RPM : openldap-2.4.39-6.el7.src.rpm Build Date : Fri 06 Mar 2015 05:36:42 AM CET Build Host : worker1.bsys.centos.org Relocations : (not relocatable) Packager : CentOS BuildSystem <http://bugs.centos.org> Vendor : CentOS URL : http://www.openldap.org/ Summary : LDAP client utilities Description : OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap-clients package contains the client programs needed for accessing and modifying OpenLDAP directories. /usr/bin/ldapadd /usr/bin/ldapcompare /usr/bin/ldapdelete /usr/bin/ldapexop /usr/bin/ldapmodify /usr/bin/ldapmodrdn /usr/bin/ldappasswd /usr/bin/ldapsearch /usr/bin/ldapurl /usr/bin/ldapwhoami /usr/share/man/man1/ldapadd.1.gz /usr/share/man/man1/ldapcompare.1.gz /usr/share/man/man1/ldapdelete.1.gz /usr/share/man/man1/ldapexop.1.gz /usr/share/man/man1/ldapmodify.1.gz /usr/share/man/man1/ldapmodrdn.1.gz /usr/share/man/man1/ldappasswd.1.gz /usr/share/man/man1/ldapsearch.1.gz /usr/share/man/man1/ldapurl.1.gz /usr/share/man/man1/ldapwhoami.1.gz
Konfiguration
openldap-clients
Versuchen wir uns jetzt schon mit unserem LDAP-Server zu verbinden, schlägt dies unweigerlich fehl. Beispiel:
# ldapsearch -W -x -b "dc=nausch,dc=org" "uid=django" \ -D "cn=Technischeruser,dc=nausch,dc=org" -LLL \ -H ldaps://openldap.dmz.nausch.org
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Die Verbindung schlägt fehl, da der Client dem Zertifikat des OpenLDAP-Servers (noch) nicht vertraut!
Wir müssen als erst noch die zum Serverzertifikat passenden Root-Zertifikate der CA1) CAcert als vertrauenswürdige Root-Zertifikate importieren.
Vertrauensmodelle in Public-Key-Infrastrukturen
Wir haben nun in der Datei /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem die nötigen Root-Zertifikate und müssen nun nur noch unserem openldap-client mitteilen, diesen auch zu nutzen. Hierzu editieren wir nun die Konfigurationsdatei des openldap-clients.
# vim /etc/openldap/ldap.conf
- /etc/openldap/ldap.conf
# # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 # Django: 2015-07-17 # defaul: unset # Definition des standardmässig abgefragten Teilbaums / Searchbase # Anfragen werden unterhalb von dc=nausch, dc=org ausgeführt BASE dc=nausch, dc=org # Definition des LDAP-Servers URI ldap://openldap.dmz.nausch.org #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never # Django : 2015-07-17 # default: TLS_CACERTDIR /etc/openldap/certs # Django : 2015-07-16 # Pfad und Datei mit den vertrauenswürdigen Root-Zertifikaten # default: unset TLS_CACERT /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem # Turning this off breaks GSSAPI used with krb5 when rdns = false SASL_NOCANON on
Zum Testen richten wir erneut eine Anfrage an unseren OpenLDP-Server.
# ldapsearch -W -x -b "dc=nausch,dc=org" "uid=django" \ -D "cn=Technischeruser,dc=nausch,dc=org" -LLL \ -H ldaps://openldap.dmz.nausch.org
Enter LDAP Password:
dn: uid=django,ou=People,dc=nausch,dc=org uid: django cn: django objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 16617 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 1000 gidNumber: 1000 homeDirectory: /home/django gecos: django userPassword:: RGQ0bWRkMyE=
mod_ldap
Im Gegensatz zum Konfigurationsbeispiel der Basic Authentifikation mit Hilfe von PasswordBasicAuth, benötigen wir das zusätzliche RPM-Paket mod_ldap, welches die beiden notwendigen Module mod_authnz_ldap und mod_ldap zur LDAP-Authentifikation benötigt werden. Das RPM installieren wir uns nun mit Hilfe von yum.
# yum install mod_ldap -y
Konfiguration
Was nun noch fehlt, ist die Konfiguration unseres vHOSTs. In der Konfigurationsdatei des betreffenden vHOSTs tragen wir nun folgende Zeilen nach.
# vim /etc/httpd/conf.d/vhost_443_postfixadmin.conf
... # Django : 2015-07-17 Konfigurationsbeispiel zur LDAP Authenifikation mit Hilfe # der beiden Module mod_authnz_ldap und mod_ldap aus dem RPM mod_ldap. <Location /> Options +FollowSymLinks +Multiviews +Indexes AllowOverride None AuthType Basic AuthName "PostfixAdmin-Webserver" AuthBasicProvider ldap AuthLDAPUrl ldaps://openldap.dmz.nausch.org:389/ou=People,dc=nausch,dc=org?uid AuthLDAPBindDN cn=Technischeruser,dc=nausch,dc=org AuthLDAPBindPassword e1n531f!D4xIi57n393I1354u! AuthLDAPBindAuthoritative on Require ldap-user django bigchief nagios </Location> ...
Damit unsere Änderungen aktiv werden bedarf es noch eines reloads unseres HTTP-Deamon.
# systemctl reload httpd.service
WICHTIG:
Damit die Anmeldedaten nicht von Dritten mitgelesen und abgefischt werden können, nutzen wir natürlich einen SSL-geschützten vHOST!
Test
Logging
Ausnahme eines Hosts/IP-Adresse
Soll eine IP-Adresse bzw. ein Host vom Logging ausgeschlossen werden, verwenden wir folgendes Konfigurationsbeispiel, welches wir beim betreffenden vHost eintragen.
# vim 1st_vhost.conf
... SetEnvIf Remote_Addr "10\.0\.0\.27" dontlog ErrorLog logs/defaulthost_error.log CustomLog logs/defaulthost_access.log combined env=!dontlog ...
Greif der Host mit der IP-Adresse 10.0.0.27 auf den VHost zu, wird darüber im access-Log keine Einträge vermerkt.