Apache Web server
Concepts covered in this tutorial
Introduction to the Apache web server
Installation of the Apache web server software
Configuring the Apache web server for a website using the default directory
Configuring the Apache web server for a website using a user-defined directory
Configuring virtual hosts for the Apache web server
Deploying a basic CGI application in the Apache web server using the default CGI directory /var/www/cgi-bin
Deploying a basic CGI application in the Apache web server using a user-defined CGI directory that contains the CGI application
Accessing a website over HTTPS on the Apache web server
Configuring a user private directory or website
Configuring a valid username and password for the private directory or website, so that it is not publicly accessible
Securing part of a website with a .htaccess file while the rest of the website remains publicly accessible
Introduction to the Apache web server
Apache is a very powerful, highly flexible and configurable web server.
Apache is the default web server on Linux.
It is platform independent and runs on all major platforms.
It is modular, which makes bugs easy to isolate and fix.
Advantages:
It supports virtual hosting: multiple websites can be served from one server with a single IP address.
Apache server configuration
The main server configuration is stored in /etc/httpd/conf/httpd.conf.
It controls general web server parameters, regular virtual hosts and access.
In Apache 2, the /etc/httpd/conf.d directory stores configuration that is specific to a particular Apache module. Every file in that directory whose name ends in .conf is parsed as a configuration file.
/etc/mime.types maps filename extensions to MIME types.
Module configuration files are stored in /etc/httpd/conf.d/*
The default document root is /var/www/html
Important parameters of the configuration file httpd.conf:
Listen:
If the server has multiple IP addresses, you can limit the IP address and port on which the server listens for incoming connections. By default the server listens on port 80, but this can be changed.
For example, to limit the server to listening on IP address 192.168.56.101, port 80, set the Listen directive:
Listen 192.168.56.101:80
DocumentRoot:
Until you change the value of the DocumentRoot directive in httpd.conf, Apache looks for web pages in the default location, the /var/www/html directory.
To get your web server up and running, all you need to do is copy the web pages or websites into the /var/www/html directory.
Allow / Deny:
Value                       Example                                   Description
Allow from all              Allow from all                            Default value; allow access from all hosts
Allow from [IP address]     Allow from 192.168.56.101                 Allow only a specific IP or host
Allow from [host name]      Allow from agoutam.client                 Allow only a specific host
Allow from [domain]         Allow from agoutam.com                    Allow only hosts in the agoutam.com domain
Allow from [network]        Allow from 192.168.1.0/24                 Allow only the 192.168.1.0 network
                            Allow from 192.168.1.0/255.255.255.0
Deny from all               Deny from all                             Deny access from all hosts
Deny from [IP address]      Deny from 192.168.56.110                  Deny only a specific IP or host
Deny from [host name]       Deny from agoutam.client                  Deny only a specific host
Deny from [domain]          Deny from agoutam.com                     Deny only hosts in the agoutam.com domain
Deny from [network]         Deny from 192.168.56.0/24                 Deny only the 192.168.56.0 network
                            Deny from 192.168.56.0/255.255.255.0
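The matching behind the table's address and network forms, as an added example that is not part of the original tutorial: a bash script that decides whether a client address falls under an Allow from / Deny from argument, covering the all, single-address, CIDR-prefix and dotted-netmask forms (the host-name and domain forms need DNS and are left out). Note that on Apache 2.4, the version installed later in this tutorial, Allow and Deny are provided by mod_access_compat; the native 2.4 form is Require ip / Require host / Require all, and mixing the two styles in one section is a common source of unintended access. The script only evaluates rules against constructed addresses; it does not read any httpd.conf, and its function names are the example's own.

```shell
#!/bin/bash
# Added example (not from the tutorial): evaluate an "Allow from" / "Deny from"
# network argument against a client address. Handles the forms in the table:
# all, a single IP, a CIDR prefix (192.168.1.0/24) and a dotted netmask
# (192.168.1.0/255.255.255.0). Hostname and domain forms need DNS and are
# deliberately left out.

# ip_to_int DOTTED_IP -> the address as a 32-bit unsigned integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_len MASK -> prefix length; MASK is either a number (24) or a
# dotted netmask (255.255.255.0), whose leading one bits are counted
prefix_len() {
    case $1 in
        *.*)
            local m n=0
            m=$(ip_to_int "$1")
            while [ $(( m & 0x80000000 )) -ne 0 ]; do
                n=$((n + 1))
                m=$(( (m << 1) & 0xFFFFFFFF ))
            done
            echo "$n" ;;
        *)  echo "$1" ;;
    esac
}

# rule_matches RULE CLIENT_IP -> exit 0 when CLIENT_IP is covered by RULE
rule_matches() {
    local rule=$1 ip=$2 net bits mask
    case $rule in
        all) return 0 ;;
        */*) net=${rule%/*}; bits=$(prefix_len "${rule#*/}") ;;
        *)   net=$rule;      bits=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# decide RULE CLIENT_IP -> prints "match" or "no match"
decide() {
    if rule_matches "$1" "$2"; then echo "match"; else echo "no match"; fi
}

# Constructed client addresses checked against two rules from the table
for client in 192.168.56.101 192.168.56.102 192.168.1.77 192.168.2.1; do
    printf '%-15s  Allow from 192.168.56.101: %-8s  Allow from 192.168.1.0/24: %s\n' \
        "$client" "$(decide 192.168.56.101 "$client")" "$(decide 192.168.1.0/24 "$client")"
done
```

The dotted-netmask form is converted to a prefix length first, so 192.168.1.0/255.255.255.0 and 192.168.1.0/24 are evaluated identically, which is how Apache treats them.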
Service summary
Packages: httpd, httpd-tools, httpd-manual
Daemon: /usr/lib/systemd/system/httpd.service
Ports: 80 (http), 443 (https)
Configuration: /etc/httpd/conf/httpd.conf, /var/www/*
Installation of the Apache web server software
The following packages are required for the Apache server:
1. httpd httpd-tools httpd-manual
2. mod_ssl
3. elinks
httpd: the package that installs the Apache web server.
mod_ssl: the additional package required to create secure (HTTPS) websites.
elinks: an additional package providing a text-based web browser.
If you have a yum repository configured, use the following commands to install the Apache web server with the additional packages.
Installation
1. On every node in the cluster (or every node in the failover domain, if one is used), install httpd, httpd-tools and httpd-manual:
[root@server ~]# yum install httpd httpd-tools httpd-manual
Loaded plugins: fastestmirror, langpacks
base                                                     | 2.9 kB  00:00:00
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-67.el7.centos will be installed
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-67.el7.centos.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-67.el7.centos.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-67.el7.centos.x86_64
---> Package httpd-manual.noarch 0:2.4.6-67.el7.centos will be installed
---> Package httpd-tools.x86_64 0:2.4.6-67.el7.centos will be installed
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-3.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package         Arch      Version                 Repository   Size
================================================================================
Installing:
 httpd           x86_64    2.4.6-67.el7.centos     base         2.7 M
 httpd-manual    noarch    2.4.6-67.el7.centos     base         1.3 M
 httpd-tools     x86_64    2.4.6-67.el7.centos     base          87 k
Installing for dependencies:
 apr             x86_64    1.4.8-3.el7             base         103 k
 apr-util        x86_64    1.5.2-6.el7             base          92 k
 mailcap         noarch    2.1.41-2.el7            base          31 k

Transaction Summary
================================================================================
Install 3 Packages (+3 Dependent packages)
Total download size: 4.3 M
Installed size: 15 M
Is this ok [y/d/N]: y
Downloading packages:
(1/6): apr-1.4.8-3.el7.x86_64.rpm                        | 103 kB  00:00:00
(2/6): apr-util-1.5.2-6.el7.x86_64.rpm                   |  92 kB  00:00:00
(3/6): httpd-2.4.6-67.el7.centos.x86_64.rpm              | 2.7 MB  00:00:00
(4/6): httpd-manual-2.4.6-67.el7.centos.noarch.rpm       | 1.3 MB  00:00:00
(5/6): httpd-tools-2.4.6-67.el7.centos.x86_64.rpm        |  87 kB  00:00:00
                                                         |  31 kB  00:00:00
--------------------------------------------------------------------------------
Total                                           5.3 MB/s | 4.3 MB  00:00:00
Running transaction check
                                                                            6/6
Installed:
  httpd.x86_64 0:2.4.6-67.el7.centos
  httpd-manual.noarch 0:2.4.6-67.el7.centos
  httpd-tools.x86_64 0:2.4.6-67.el7.centos
Dependency Installed:
  apr.x86_64 0:1.4.8-3.el7
  apr-util.x86_64 0:1.5.2-6.el7
  mailcap.noarch 0:2.1.41-2.el7
Complete!
[root@server ~]#
2. To install SSL (Secure Sockets Layer) support on the server:
[root@server conf.d]# yum install mod_ssl.x86_64
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.6-67.el7.centos will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package    Arch     Version                 Repository   Size
================================================================================
Installing:
 mod_ssl    x86_64   1:2.4.6-67.el7.centos   base         108 k

Transaction Summary
================================================================================
Install 1 Package
Total download size: 108 k
Installed size: 224 k
Is this ok [y/d/N]: y
Downloading packages:
mod_ssl-2.4.6-67.el7.centos.x86_64.rpm                   | 108 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 1:mod_ssl-2.4.6-67.el7.centos.x86_64
Verifying : 1:mod_ssl-2.4.6-67.el7.centos.x86_64
Installed:
mod_ssl.x86_64 1:2.4.6-67.el7.centos
Complete!
[root@server conf.d]#
3. To install elinks, so that links can be opened in a text-based browser inside a PuTTY session:
[root@server cgi-bin]# yum install -y elinks
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package elinks.x86_64 0:0.12-0.36.pre6.el7 will be installed
--> Processing Dependency: libnss_compat_ossl.so.0()(64bit) for package: elinks-0.12-0.36.pre6.el7.x86_64
--> Processing Dependency: libmozjs185.so.1.0()(64bit) for package: elinks-0.12-0.36.pre6.el7.x86_64
--> Running transaction check
---> Package js.x86_64 1:1.8.5-19.el7 will be installed
---> Package nss_compat_ossl.x86_64 0:0.9.6-8.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package            Arch     Version               Repository   Size
================================================================================
Installing:
 elinks             x86_64   0.12-0.36.pre6.el7    base         882 k
Installing for dependencies:
 js                 x86_64   1:1.8.5-19.el7        base         2.3 M
 nss_compat_ossl    x86_64   0.9.6-8.el7           base          37 k

Transaction Summary
================================================================================
Install 1 Package (+2 Dependent packages)
Total download size: 3.2 M
Installed size: 9.6 M
Downloading packages:
elinks-0.12-0.36.pre6.el7.x86_64.rpm | 882 kB 0
--------------------------------------------------------------------------------
Total                                           4.3 MB/s | 3.2 MB  00:00
  Verifying  : nss_compat_ossl-0.9.6-8.el7.x86_64                          3/3
Installed:
elinks.x86_64 0:0.12-0.36.pre6.el7
Dependency Installed:
js.x86_64 1:1.8.5-19.el7
nss_compat_ossl.x86_64 0:0.9.6-8.el7
Complete!
The default installation of the Apache web server uses port 80 for HTTP traffic and port 443 for HTTPS traffic.
If the firewall is on, the http and https services must be added to the firewall, with port tcp/443 for https and port tcp/80 for http:
[root@server ]# firewall-cmd --permanent --add-service=http
[root@server ]# firewall-cmd --permanent --add-service=https
[root@server ]# firewall-cmd --zone=public --permanent --add-port=443/tcp
[root@server ]# firewall-cmd --zone=public --permanent --add-port=80/tcp
[root@server ]# firewall-cmd --reload
To enable the Apache web service at boot time:
[root@server ]# systemctl enable httpd
To reload or restart the Apache web service:
[root@server ]# systemctl reload httpd
[root@server ]# systemctl restart httpd
To verify that the Apache service is running correctly:
[root@server html]# ps -ef | grep httpd
root      2007     1  1 21:21 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
root      2017  1746  0 21:21 pts/0    00:00:00 grep --color=auto httpd
Security-Enhanced Linux (SELinux)
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for enforcing access control security policies; these policies confine user programs and system servers, including their access to files and network resources.
We need to set the context of any newly created file or directory so that the web server user is able to access it.
By default, newly created files and directories inherit the SELinux type of their parent directory. For example, a new file created in the /etc/ directory, which is labeled with the etc_t type, inherits that same type.
There are several commands for managing the SELinux context of files, such as chcon, semanage fcontext and restorecon.
Run chcon -t type file-name to change the type of a file, where type is an SELinux type such as httpd_sys_content_t and file-name is a file or directory name.
Run chcon -R -t type directory-name to change the type of a directory and everything beneath it.
Changes made with chcon do not survive a filesystem relabel; the semanage fcontext and restorecon pair used later in this tutorial records the rule in the policy and is the persistent form.
Use the chcon command to change the context of the document root:
# chcon -R -u system_u /var/www/html
# chcon -R -t httpd_sys_content_t /var/www/html/
Verify that all the context fields have been changed correctly:
# ls -Z /var/www/html
[root@server privdir]# ls -Z /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
drwxr-xr-x. root root
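A small audit of the labels the chcon commands above are meant to produce, as an added example that is not from the tutorial: a bash script that walks an `ls -Z`-style listing of the document root and reports every entry whose SELinux type httpd cannot use, which is what a file copied in from a home directory or created in place with default_t looks like before restorecon runs. The listing is constructed for the example in the layout of the `ls -Z /var/www/html` output above; the allowed-type list and the function names are the example's own.

```shell
#!/bin/bash
# Added example (not from the tutorial): audit an `ls -Z` listing of the
# document root and report entries whose SELinux type is not one httpd may
# serve or execute. The listing below is constructed for this example in the
# same layout the tutorial's `ls -Z /var/www/html` output uses:
#   mode owner group user:role:type:level name

SAMPLE_LISTING='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 salary.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 privdir
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 cgidemo.pl
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 notes.html'

# Types that the stock targeted policy lets httpd_t read (content), execute
# (scripts) or read and write (rw content). Anything else is reported.
ALLOWED_TYPES='httpd_sys_content_t httpd_sys_script_exec_t httpd_sys_rw_content_t'

# selinux_type LISTING_LINE -> the type field of the entry's context
selinux_type() {
    local ctx
    ctx=$(printf '%s\n' "$1" | awk '{print $4}')
    ctx=${ctx#*:}                 # drop the SELinux user
    ctx=${ctx#*:}                 # drop the role
    printf '%s\n' "${ctx%%:*}"    # keep the type, drop the MLS level
}

# entry_name LISTING_LINE -> the file or directory name
entry_name() { printf '%s\n' "$1" | awk '{print $5}'; }

# type_allowed TYPE -> exit 0 when TYPE is in ALLOWED_TYPES
type_allowed() {
    case " $ALLOWED_TYPES " in *" $1 "*) return 0 ;; esac
    return 1
}

# mislabeled_files LISTING -> one "name type" line per entry httpd cannot use
mislabeled_files() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        ty=$(selinux_type "$line")
        type_allowed "$ty" || printf '%s %s\n' "$(entry_name "$line")" "$ty"
    done
}

# Report. A practitioner would then fix the labels persistently with
#   semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?'
#   restorecon -Rv /var/www/html
echo "Entries httpd cannot serve:"
mislabeled_files "$SAMPLE_LISTING"
```

Running it against real output (`mislabeled_files "$(ls -Z /var/www/html)"`) gives the same report for a live document root; the two constructed offenders above, salary.html (default_t) and notes.html (user_home_t), are exactly the cases that produce a 403 from httpd even though the Unix permissions look fine.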
Configure SELinux for the web server
Use the following command to list all SELinux booleans associated with httpd:
[root@server privdir]# getsebool -a |grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
SELinux booleans enabled by default
Boolean                     Description
httpd_builtin_scripting     Used to provide permission for PHP content
httpd_dbus_avahi            Supports access from HTTP services
httpd_enable_cgi            Allows HTTP services to execute CGI scripts
httpd_tty_comm              Enables communication with controlling terminals
httpd_unified               Supports read/write/execute access to httpd_t files
Configuring the Apache web server for a website using the default directory
To view the basic server and client configuration (the name resolution used for the hosts in this tutorial):
[root@server html]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain
192.168.56.101 server.agoutam.com server
192.168.56.102 client.agoutam.com client
192.168.56.101 www.agoutam.com
Where:
Server IP: 192.168.56.101
Client IP: 192.168.56.102
1. Edit the /etc/httpd/conf/httpd.conf configuration file and customize it:
[root@server ]# vi /etc/httpd/conf/httpd.conf
Listen 80
ServerName www.agoutam.com:80
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
To configure a sample web page index.html:
[root@server html]# cat index.html
Checking Web Server www.server.agoutam.com config directory
/var/www/html .
[root@server html]#
To verify that the Apache configuration file syntax is correct:
[root@server html]# httpd -t
Syntax OK
To enable the Apache ports and service if the firewall is on:
[root@server ]# firewall-cmd --permanent --add-service=http
[root@server ]# firewall-cmd --zone=public --permanent --add-port=80/tcp
[root@server ]# firewall-cmd --reload
To enable the Apache service at boot time:
[root@server html]# systemctl enable httpd
Created symlink from
/etc/systemd/system/multi-user.target.wants/httpd.service to
/usr/lib/systemd/system/httpd.service.
To start the Apache service:
[root@server html]# systemctl start httpd
[root@server html]#
To verify that the Apache service is running correctly:
[root@server html]# ps -ef | grep httpd
root      2007     1  1 21:21 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    2009  2007  0 21:21 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    2010  2007  0 21:21 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    2011  2007  0 21:21 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    2012  2007  0 21:21 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    2013  2007  0 21:21 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
root      2017  1746  0 21:21 pts/0    00:00:00 grep --color=auto httpd
To verify that the web server pages load and work correctly:
[root@server ]# elinks http://www.agoutam.com
Configuring the Apache web server for a website using a user-defined directory
The Apache web server uses the default directory /var/www/html to store all websites, but a user-defined directory can be configured instead.
Edit and configure the httpd.conf file for the user-defined Apache web server directory:
[root@server html]# vi /etc/httpd/conf/httpd.conf
Listen 80
ServerName www.agoutam.com:80
#DocumentRoot "/var/www/html"
DocumentRoot "/web"
#
# Relax access to content within /var/www.
#
<Directory "/var/www/html">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
# Provide appropriate permission to the /web directory
<Directory "/web">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
To create the user-defined web directory:
[root@server html]# mkdir -v /web
mkdir: created directory ‘/web’
[root@server html]#
To create a sample web page index.html in the web directory '/web':
[root@server ]# cd /web
[root@server web]# vi index.html
[root@server web]# cat index.html
This is for demo Changing Root Directory to /web/agoutam for site
www.agoutam.com
SELinux changes for the new DocumentRoot (source context)
To change the SELinux context of the web directory:
[root@server /]# semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?'
To Set file security context with restorecon
[root@server /]# restorecon -R -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/agoutam context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/index.html context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@server /]#
To reload and restart the Apache web service:
[root@server /]# systemctl reload httpd
[root@server /]# systemctl restart httpd
To verify the web page after changing to the new DocumentRoot directory:
[root@server ]# elinks http://www.agoutam.com
Configuring virtual hosts for the Apache web server
The virtual host feature of Apache allows you to define multiple websites on a single IP address. The following options are used in a virtual host configuration:
NameVirtualHost   Hostname or IP address of the virtual host
ServerAdmin       Email address of the webmaster
DocumentRoot      Location of the directory that holds the virtual host's files
ServerName        URL of the virtual host
ErrorLog          Location of the error log
CustomLog         Location of a custom (access) log
Edit the httpd.conf file and add an entry for the virtual host configuration:
[root@server web]# vi /etc/httpd/conf/httpd.conf
<VirtualHost 192.168.56.101>
DocumentRoot /web
ServerName server.agoutam.com
ServerAdmin root@agoutam.com
ErrorLog "logs/site_error.log"
CustomLog "logs/site_access.log" combined
</VirtualHost>
To create the same web page index.html for the virtual host:
[root@server web]# vi index.html
[root@server web]# cat index.html
This is for demo for multiple site hosting in same server having ip
192.168.56.101 www.server.agoutam.com
To reload and restart the Apache service:
[root@server web]# systemctl reload httpd
[root@server web]# systemctl restart httpd
[root@server web]#
To verify webpage after configuring Virtual Host
[root@server ]#elinks http://www.agoutam.com
Deploying a basic CGI application in the Apache web server using the default CGI directory /var/www/cgi-bin
To create a Perl script for testing the CGI application:
[root@server ~]# cd /var/www/cgi-bin
[root@server cgi-bin]# vi cgidemo.pl
[root@server cgi-bin]# cat cgidemo.pl
#!/usr/bin/perl
print "Content-type:text/html\n\n";
print " This is Demo of Deploying CGI Application";
To make the script cgidemo.pl executable:
[root@server cgi-bin]# chmod 755 /var/www/cgi-bin/cgidemo.pl
To check that the SELinux boolean httpd_enable_cgi is on:
[root@server cgi-bin]# getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[root@server cgi-bin]#
To replace the /var/www/cgi-bin path with the short URL path "/cgi-bin/", add a ScriptAlias entry:
[root@server ]# vi /etc/httpd/conf/httpd.conf
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
ScriptAlias maps the URL path /cgi-bin/ onto the filesystem directory /var/www/cgi-bin/ and marks that directory as containing CGI scripts, so they are executed rather than served as files.
The script can then be accessed with the short URL:
http://www.agoutam.com/cgi-bin/cgidemo.pl
To grant access to the directory "/var/www/cgi-bin", add an entry for the cgi-bin directory in httpd.conf:
[root@server ]# vi /etc/httpd/conf/httpd.conf
# Allowing permission for the directory
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
To reload and restart the Apache web service:
[root@server cgi-bin]# systemctl reload httpd
[root@server cgi-bin]# systemctl restart httpd
[root@server cgi-bin]#
To view and load the CGI application, open it in the web browser:
[root@server cgi-bin]# elinks http://www.agoutam.com/cgi-bin/cgidemo.pl
Deploying a basic CGI application in the Apache web server using a user-defined CGI directory that contains the CGI application
If you want to use a directory other than the default /var/www/cgi-bin/, for example /webapp:
To create a user-defined CGI directory containing the CGI application cgidemo.pl:
[root@server cgi-bin]# mkdir -v /webapp
mkdir: created directory ‘/webapp’
[root@server cgi-bin]# mv /var/www/cgi-bin/cgidemo.pl /webapp
[root@server cgi-bin]# ls -lrt /webapp
total 4
-rwxr-xr-x. 1 root root 105 Oct 18 02:19 cgidemo.pl
[root@server cgi-bin]#
[root@server webapp]# cat cgidemo.pl
#!/usr/bin/perl
print "Content-type:text/html\n\n";
print " This is Demo of Deploying CGI Application";
To set up the SELinux configuration for the /webapp directory:
[root@server cgi-bin]# yum install -y setroubleshoot-server
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Package setroubleshoot-server-3.2.28-3.el7.x86_64 already installed
and latest version
Nothing to do
[root@server cgi-bin]#
[root@server cgi-bin]# semanage fcontext -a -t httpd_sys_script_exec_t "/webapp(/.*)?"
[root@server cgi-bin]# restorecon -R /webapp
To edit and configure the httpd.conf file:
[root@server ]# vi /etc/httpd/conf/httpd.conf
ScriptAlias /cgi-bin/ "/webapp/"
# To provide permission to the /webapp directory
<Directory "/webapp">
AllowOverride None
Options None
Require all granted
</Directory>
To check that the configuration file syntax is correct:
[root@server cgi-bin]# apachectl configtest
Syntax OK
To reload and restart the Apache web service:
[root@server cgi-bin]# systemctl reload httpd
[root@server cgi-bin]# systemctl restart httpd
To view the CGI application using the user-defined CGI directory:
[root@server cgi-bin]# elinks http://www.agoutam.com/ webapp
/cgidemo.pl
Accessing a website over HTTPS on the Apache web server
To view the main configuration file for the SSL and HTTPS web service configuration:
ssl.conf is the main configuration file for HTTPS.
[root@server conf.d]# ls -lrt ssl.conf
-rw-r--r--. 1 root root 9438 Aug 1 21:54 ssl.conf
[root@server conf.d]#
To generate a private key and a self-signed certificate for the site www.agoutam.com:
[root@server conf.d]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/www.agoutam.com.crt -keyout /etc/pki/tls/private/www.agoutam.com.key -days 365
Generating a 2048 bit RSA private key
......................+++
................+++
writing new private key to '/etc/pki/tls/private/www.agoutam.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:INDIA
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:RANCHI
Locality Name (eg, city) [Default City]:RANCHI
Organization Name (eg, company) [Default Company Ltd]:AGOUTAM
Organizational Unit Name (eg, section) []:ABHISHEK
Common Name (eg, your name or your server's hostname) []:www.agoutam.com
Email Address []:abhishekvitmca@yahoo.com
[root@server conf.d]#
Certificate (public key) location: /etc/pki/tls/certs/www.agoutam.com.crt
[root@server certs]# pwd
/etc/pki/tls/certs
[root@server certs]# ls -lrt www.agoutam.com.crt
-rw-r--r--. 1 root root 1452 Oct 18 03:24 www.agoutam.com.crt
[root@server certs]# cat www.agoutam.com.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[root@server certs]#
Private key location: /etc/pki/tls/private/www.agoutam.com.key
[root@server certs]# cd /etc/pki/tls/private
[root@server private]# ls -lrt www.agoutam.com.key
-rw-r--r--. 1 root root 1704 Oct 18 03:24 www.agoutam.com.key
To view private key www.agoutam.com.key
[root@server private]# cat www.agoutam.com.key
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDiYln2dv+r4CgB
03OZba29jTLxqfu93SZwZQKZblIW0Y7pYB6I1x/dhMRb2XA0//6HLtiBSJbQ8VVv
RZYfFD8JyMeolnj8jp8PcmcXPKhlx4a0UVn7J0k2v1EH82rIaOlmGeJyQAjYM/Y6
wPCRPutSXVX22WioGFm33lchvbW5Vw43oHiLOIM4JBCIncOvLNCOfEhc3mrspdwL
AL3LKgQCUn1QvZiV7jGn+8bzMmx8iM9nQ7BcLSjHdbXapawZfzydk0FmMTcfig8E
5MVdoadK/d9CU4oIOZNRlz08bD2hZYNw4L+HE2+HQmHsaSun6a3UZ47iVC1TITDG
fm601OL7AgMBAAECggEBAMQ1/kcyCJMNq185yD245BcgJIF0lO6QmNpdkg0toxSH
+NepKY3s9n9mrVH2edxV7GN6ZMhZA+6A3U2eAGlbgO+YCATEtoQfkRkwTM3FEydz
8fqjb9vQxxIea7r6bRjaZUDLOotPmNra3pU52MfqwscWgoV7FcxrnodQvDBQXwsN
GcRqAReTgoZL82AUZNcO1lOfUyCdr67QPh42qSAV5DtWg4/8nzPdRZRVtwqfZOJI
M0PTzMm4C6rZZthL9gXSyDRhQk+94jfxuBc+6naoE/lhhcBZmaomIiFQK4vm9mk8
41mspwIhKnkxddRN/KhHgb5brAMheOX1ZCgYdCpMpeECgYEA8TaIGPvnltHdQxe8
FsOeH4l6uESdGxvj6Q0YPtNJ13uix4JATT+zRWErujmZ/o6mW3Q8+JfH2gq3N5cd
fvxpdc4XVnIMVnPA80fo1OLd0bf2wEzsKI/YN3CEcSAC40SuEx92ah9NJNamG4D+
svaK5bTghvLiwDExTNTJwguNQjkCgYEA8EMao1F1/yGJEr0YD3YL3lIX6ePhqAWd
W6z4Vg0pX5DHRvGrWWoFsvykPuBFg5TujStyl4JSMS+llJ6KUe+SKE6ieb7Kamb0
7JLnQQvpRk2NTcSGbJE7b81XR7B8xrc8aD05edXizwBYtlg3qBFpQ79hV7+lOCJZ
s9cKUCZJvtMCgYEAtMGPlWFX965Gp5tmqIxotutYGjPYo1LwJFlavOGqqR6OKgGS
XBELL0eU9BVsL9UIFupxMjzTV7LF/5NvWBSgltYcqPwIANT3V5egg7+KSDkaYJqE
MhUxCsJ3jSpW36Y86Dmgi//u2Fc93Mh6lPOpvF8iDh5/C1URw6iFlLMBZQkCgYBs
kuaGx1k7Yjw/a5Rj6ESUwyRrXb+r3l2uAAx5VplLxnFHbg6w6WiJ6gGPKGpBfBwR
T4EJVqst7wo0jzCStmCmNmLWAZIXY09rWTeH/Yn9ay5f5l+Y0Ei7zV+T1f2ND2EM
+h3vIOjOAqoUPOlp2fRn2SR0MvbG1z8SNitC7QqGYQKBgHO1PZjuFWlarsZ3rb64
3kuZMZQhD4ZNaP64pTcATjGdiF2jsGb1xsJGoQpY9VuX7G2vNT1WNg335xa9CuAw
/VIa+w3RsBdr9Kg5Z/GhPQUIlNrBNECkkzN/Tz7TkIDF8SZjCZ31g8sl5RkLtAzx
ntRmMwXwXvhN6tjXOtH7Q8I1
-----END PRIVATE KEY-----
[root@server private]#
To edit and configure the ssl.conf file for the HTTPS web service:
[root@server private]# cd /etc/httpd/conf.d
[root@server private]# vi ssl.conf
ServerName www.agoutam.com:443
DocumentRoot "/var/www/html"
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/www.agoutam.com.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/www.agoutam.com.key
To restart the Apache web service:
[root@server conf.d]# systemctl restart httpd
To list the virtual hosts currently configured on the Apache server:
[root@server conf.d]# httpd -D DUMP_VHOSTS
VirtualHost configuration:
192.168.56.101:80 server.agoutam.com
(/etc/httpd/conf/httpd.conf:190)
*:443 www.agoutam.com
(/etc/httpd/conf.d/ssl.conf:56)
To check the certificate the server presents:
[root@server conf.d]# openssl s_client -connect www.agoutam.com:443 -status
CONNECTED(00000003)
OCSP response: no response sent
depth=0 C = IN, ST = RANCHI, L = RANCHI, O = AGOUTAM, OU = ABHISHEK,
CN = www.agoutam.com, emailAddress = abhishekvitmca@yahoo.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IN, ST = RANCHI, L = RANCHI, O = AGOUTAM, OU = ABHISHEK,
CN = www.agoutam.com, emailAddress = abhishekvitmca@yahoo.com
verify return:1
---
Certificate chain
 0 s:/C=IN/ST=RANCHI/L=RANCHI/O=AGOUTAM/OU=ABHISHEK/CN=www.agoutam.com/emailAddress=abhishekvitmca@yahoo.com
   i:/C=IN/ST=RANCHI/L=RANCHI/O=AGOUTAM/OU=ABHISHEK/CN=www.agoutam.com/emailAddress=abhishekvitmca@yahoo.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=IN/ST=RANCHI/L=RANCHI/O=AGOUTAM/OU=ABHISHEK/CN=www.agoutam.com/emailAddress=abhishekvitmca@yahoo.com
issuer=/C=IN/ST=RANCHI/L=RANCHI/O=AGOUTAM/OU=ABHISHEK/CN=www.agoutam.com/emailAddress=abhishekvitmca@yahoo.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1722 bytes and written 424 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
---
read:errno=0
[root@server conf.d]#
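The key and certificate handling of this section, carried out non-interactively and then checked, as an added example that is not from the tutorial: `-subj` supplies the Distinguished Name the prompts above asked for (and avoids the too-long "INDIA" country code shown earlier), `-newkey rsa:2048` matches the 2048-bit key the tutorial generated, and three checks confirm what `openssl s_client` reported: the certificate is self-signed (issuer equals subject, the cause of `verify error:num=18`), the private key really belongs to the certificate, and the certificate is within its 365-day validity. It writes into a temporary directory rather than /etc/pki/tls; WORKDIR, the function names and the `run` argument are this example's own.

```shell
#!/bin/bash
# Added example (not from the tutorial): create the self-signed certificate
# and key non-interactively and verify them before they are referenced from
# ssl.conf. Files are written under WORKDIR (a temporary directory unless
# set), not under /etc/pki/tls.
WORKDIR=${WORKDIR:-$(mktemp -d)}
CRT="$WORKDIR/www.agoutam.com.crt"
KEY="$WORKDIR/www.agoutam.com.key"

# make_selfsigned CN DAYS -> writes $KEY and $CRT; the DN fields are the
# ones the tutorial typed at the prompts
make_selfsigned() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$2" \
        -subj "/C=IN/ST=RANCHI/L=RANCHI/O=AGOUTAM/OU=ABHISHEK/CN=$1" \
        -keyout "$KEY" -out "$CRT" 2>/dev/null
    chmod 600 "$KEY"   # the private key must not be readable by other users
}

# cert_cn -> the CN of the certificate subject (handles both the
# "/C=IN/.../CN=x" and the "C = IN, ..., CN = x" output styles of openssl)
cert_cn() {
    openssl x509 -in "$CRT" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# is_self_signed -> exit 0 when issuer and subject are identical, which is
# exactly what "verify error:num=18:self signed certificate" reports
is_self_signed() {
    local subj iss
    subj=$(openssl x509 -in "$CRT" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$CRT" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# key_matches_cert -> exit 0 when the public key inside $CRT equals the
# public half of $KEY (a mismatched pair makes httpd refuse to start)
key_matches_cert() {
    local from_crt from_key
    from_crt=$(openssl x509 -in "$CRT" -noout -pubkey | openssl sha256)
    from_key=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    [ "$from_crt" = "$from_key" ]
}

# valid_for_days N -> exit 0 when the certificate does not expire within N days
valid_for_days() {
    openssl x509 -in "$CRT" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Run the checks when invoked as: bash thisscript.sh run
if [ "${1:-}" = run ]; then
    make_selfsigned www.agoutam.com 365
    echo "CN:             $(cert_cn)"
    is_self_signed   && echo "self-signed:    yes (browsers will warn, as in the tutorial)"
    key_matches_cert && echo "key matches:    yes"
    valid_for_days 300 && echo "valid 300 days: yes"
    echo "files: $CRT $KEY"
fi
```

The self-signed check is the reason for the browser warning described later in this section; replacing the certificate with one issued by a CA the clients trust makes `is_self_signed` fail and the warning disappear, while the key-match and validity checks stay useful for any certificate you point SSLCertificateFile at.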
To open port 443 and add the https service to the firewall:
[root@server ]# firewall-cmd --permanent --add-service=https
[root@server ]# firewall-cmd --zone=public --permanent --add-port=443/tcp
[root@server ]# firewall-cmd --reload
To open the configured website www.agoutam.com over a secure socket connection, browse to https://www.agoutam.com. Because the certificate is self-signed, the browser shows a security warning.
After allowing the security exception, the web page can be accessed.
Configuring a user private directory or website
To edit and configure httpd.conf for a user private directory for the web service:
[root@server privdir]# vi /etc/httpd/conf/httpd.conf
ServerName www.agoutam.com:80
DocumentRoot "/var/www/html"
<Directory "/var/www/html/privdir">
AllowOverride None
Options None
Require all granted
</Directory>
To create the private directory 'privdir':
[root@server conf]# mkdir -v /var/www/html/privdir
mkdir: created directory ‘/var/www/html/privdir’
To create a sample web page index.html in the private directory 'privdir':
[root@server privdir]# cd /var/www/html/privdir
[root@server privdir]# cat index.html
This is demo for Testing Private Directory
[root@server privdir]#
To check that the syntax of the configuration file httpd.conf is correct:
[root@server privdir]# apachectl configtest
Syntax OK
[root@server privdir]#
To reload and restart the Apache web service:
[root@server privdir]# systemctl reload httpd
[root@server privdir]# systemctl restart httpd
To access the private directory or website:
[root@server ]# elinks http://www.agoutam.com/privdir/index.html
Configuring a valid username and password for the private directory or website, so that it is not publicly accessible
User-based security
User-based authentication provides a way to allow only certain users to access the web server.
Option          Description
AuthType        Defines the authentication method
AuthName        Comment shown to the users (the realm)
AuthUserFile    File used to define usernames and passwords
AuthGroupFile   File used to define groups
Require         Specifies the users or groups that can log in
To edit and configure httpd.conf for the password-protected private directory 'privdir':
[root@server privdir]# vi /etc/httpd/conf/httpd.conf
Listen 80
ServerName www.agoutam.com:80
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
<Directory "/var/www/html/privdir">
AllowOverride None
Options None
Require all granted
</Directory>
<Directory "/var/www/html/privdir">
AuthType Basic
AuthName "Password protected Area"
AuthUserFile /etc/httpd/conf/passwd
Require user agoutam
</Directory>
To set the password for user 'agoutam' for the private directory:
[root@server privdir]# htpasswd -c /etc/httpd/conf/passwd agoutam
New password:
Re-type new password:
Adding password for user agoutam
[root@server privdir]#
Use the htpasswd command to create the user authentication file that holds the user accounts.
-c  Creates a new file and populates it with the first user and password.
-m  Passwords are hashed with MD5 (the apr1 scheme) before being saved.
Do not use the -c option when adding subsequent users, otherwise it will completely overwrite the file. Use -c only the first time, for the first user; from the second user on, omit it.
To restrict the permissions of the password database file /etc/httpd/conf/passwd:
[root@server privdir]# chmod 600 /etc/httpd/conf/passwd
To give the Apache web service user and group ownership of the password database file:
[root@server privdir]# chown apache:apache /etc/httpd/conf/passwd
[root@server privdir]# ls -lrt /etc/httpd/conf/ | grep passwd
-rw-------. 1 apache apache 46 Oct 18 08:05 passwd
[root@server privdir]#
To restart the Apache web service:
[root@server privdir]# systemctl restart httpd
To access the password-protected private web directory, open "www.agoutam.com/privdir/index.html".
Securing part of a website with a .htaccess file while the rest of the website remains publicly accessible
To keep certain parts of the website publicly accessible while others are available only to authenticated users, use a .htaccess file for the group.
To make a directory and file under privdir:
[root@server ]# mkdir /var/www/html/privdir/
Suppose that the privdir folder contains the salary sheet of the employees and we want to allow only the grp1 group to access it.
Create a .htaccess file in the privdir folder and add the group's users to it, so that only those users can access the file.
Change the AllowOverride directive value to AuthConfig in httpd.conf.
Add the following and save the file:
[root@server ]# vi /etc/httpd/conf/httpd.conf
Listen 80
ServerName www.agoutam.com:80
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
<Directory "/var/www/html/privdir">
AllowOverride AuthConfig
Options None
Require all granted
</Directory>
To create the .htaccess file and configure it for group-based authentication:
[root@server privdir]#vi /var/www/html/privdir/.htaccess
[root@server privdir]# cat .htaccess
AuthType Basic
AuthName "Password protected Area"
AuthUserFile /etc/httpd/conf/userpasswd
AuthGroupFile /etc/httpd/conf/rhel7groupfile
Require group grp1
Now only users from the grp1 group, defined in /etc/httpd/conf/rhel7groupfile, can access this directory.
To create a few more accounts:
[root@server privdir]# htpasswd -mc /etc/httpd/conf/userpasswd grpuser1
New password:
Re-type new password:
Adding password for user grpuser1
[root@server privdir]# htpasswd -m /etc/httpd/conf/userpasswd grpuser2
New password:
Re-type new password:
Adding password for user grpuser2
[root@server privdir]#
[root@server privdir]# htpasswd -m /etc/httpd/conf/userpasswd grpuser3
New password:
Re-type new password:
Adding password for user grpuser3
[root@server privdir]#
Create rhel7groupfile; this file holds the entries for the users that are part of the group.
[root@server privdir]# vi /etc/httpd/conf/rhel7groupfile
Add user accounts in grp1 group and save file
[root@server privdir]# cat /etc/httpd/conf/rhel7groupfile
grp1: grpuser1 grpuser2
[root@server privdir]#
To set the permissions and ownership of the userpasswd and rhel7groupfile files for the Apache web server:
[root@server privdir]# chmod 600 /etc/httpd/conf/userpasswd
[root@server privdir]# chown apache:apache /etc/httpd/conf/userpasswd
[root@server privdir]# chmod 600 /etc/httpd/conf/rhel7groupfile
[root@server privdir]# chown apache:apache /etc/httpd/conf/rhel7groupfile
[root@server privdir]#
To update the SELinux context of the .htaccess file:
[root@server privdir]# chcon -t httpd_sys_content_t /var/www/html/privdir/.htaccess
# Either chcon or semanage command can be used
[root@server privdir]# semanage fcontext -a -t httpd_sys_content_t /var/www/html/privdir/.htaccess
[root@server privdir]# restorecon -R -v /var/www/html/privdir/.htaccess
[root@server privdir]#
To reload and restart the web server:
[root@server privdir]# systemctl restart httpd
[root@server privdir]# systemctl reload httpd
[root@server privdir]#
To access the website publicly and certain contents:
www.agoutam.com/privdir/salary.html: access is allowed only for the group members grpuser1 and grpuser2.
Since grpuser2 is added to the group file 'rhel7groupfile', this user is able to access the contents of the privdir folder.
Since grpuser3 is created but not added to the group file 'rhel7groupfile', this user is not able to access the contents of the privdir folder.
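How the `Require group grp1` decision above plays out for grpuser1, grpuser2 and grpuser3, as an added example that is not part of the tutorial: a bash script that builds a userpasswd and a rhel7groupfile in the tutorial's formats (with placeholder hashes rather than real htpasswd output, since only membership is evaluated here), checks that a user both exists in AuthUserFile and is listed on the group's line in AuthGroupFile, and confirms the 0600 mode the tutorial sets on both files. The function names and the temporary directory are this example's own; it does not touch /etc/httpd.

```shell
#!/bin/bash
# Added example (not from the tutorial): reproduce the "Require group grp1"
# decision for users defined in an htpasswd file and a group file laid out
# like the tutorial's userpasswd and rhel7groupfile. Both files are
# constructed here under a temporary directory; the password hashes are
# placeholders, not real htpasswd output.
WORK=$(mktemp -d)
USERFILE="$WORK/userpasswd"
GROUPFILE="$WORK/rhel7groupfile"
printf '%s\n' 'grpuser1:$apr1$PLACEHOLDER$hash1' \
              'grpuser2:$apr1$PLACEHOLDER$hash2' \
              'grpuser3:$apr1$PLACEHOLDER$hash3' > "$USERFILE"
printf '%s\n' 'grp1: grpuser1 grpuser2' 'grp2: grpuser3' > "$GROUPFILE"
chmod 600 "$USERFILE" "$GROUPFILE"   # what the tutorial does with chmod 600

# user_exists USER -> exit 0 when USER has a line in AuthUserFile
user_exists() { grep -q "^$1:" "$USERFILE"; }

# group_members GROUP -> the space-separated member list from AuthGroupFile
group_members() { sed -n "s/^$1:[[:space:]]*//p" "$GROUPFILE"; }

# user_in_group GROUP USER -> exit 0 when USER is listed on GROUP's line
user_in_group() {
    local members
    members=$(group_members "$1")
    [ -n "$members" ] || return 1
    case " $members " in *" $2 "*) return 0 ;; esac
    return 1
}

# require_group GROUP USER -> prints "granted" or "denied". A user must
# authenticate (exist in AuthUserFile) AND satisfy Require group.
require_group() {
    if user_exists "$2" && user_in_group "$1" "$2"; then
        echo granted
    else
        echo denied
    fi
}

# authfile_private FILE -> exit 0 when FILE's mode is exactly 0600
authfile_private() { [ -n "$(find "$1" -prune -perm 600)" ]; }

# Walk the tutorial's three users through "Require group grp1"
for u in grpuser1 grpuser2 grpuser3; do
    printf '%-9s Require group grp1 -> %s\n' "$u" "$(require_group grp1 "$u")"
done
authfile_private "$USERFILE" && authfile_private "$GROUPFILE" && echo "auth files are mode 0600"
```

The third line of the walk is the case the tutorial ends on: grpuser3 has a valid password entry, so Basic authentication succeeds, but the group lookup fails and the request is denied. Keeping the two files at mode 0600 and owned by the apache user, as the tutorial does, is what stops other local accounts from reading the password hashes.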