Difference between revisions of "ApacheRecipes"
(text review) |
|||
| Line 1: | Line 1: | ||
| − | Apache is | + | The Apache HTTP Server is very configurable; therefore, there are many ways to confine it. This page contains recipes to get started with common configurations. |
| − | = Labeling public_html correctly = | + | = Labeling the public_html directory correctly = |
| − | The public_html directory in your user home directory already has correct labeling rules | + | The public_html directory in your user home directory already has the correct labeling rules in the system file contexts. This directory may or may not exist by default. If you create this directory, it may not be labeled correctly. Additionally, if you move files from your home directory they may not be labeled correctly. Use the restorecon command to relabel your public_html directory: |
| − | + | $ ls -Z | |
drwxrwxr-x. method method system_u:object_r:user_home_t:s0 public_html | drwxrwxr-x. method method system_u:object_r:user_home_t:s0 public_html | ||
| − | + | $ restorecon -R public_html | |
| − | + | $ ls -Z | |
drwxrwxr-x. method method staff_u:object_r:httpd_user_content_t:s0 public_html | drwxrwxr-x. method method staff_u:object_r:httpd_user_content_t:s0 public_html | ||
| − | As | + | As shown above, the public_html directory was relabeled from user_home_t to httpd_user_content_t. This directory should now be accessible to the Apache HTTP Server. |
| − | = Allow Apache to connect to your database server = | + | = Allow the Apache HTTP Server to connect to your database server = |
| − | To allow Apache to connect to a MySQL or PostgreSQL | + | To allow the Apache HTTP Server to connect to a database server, such as MySQL or PostgreSQL, enable the httpd_can_network_connect_db boolean: |
| − | + | # semanage boolean -m --on httpd_can_network_connect_db | |
| − | + | ||
| − | = Allow Apache to run CGI scripts = | + | = Allow the Apache HTTP Server to run CGI scripts = |
| − | + | Allowing the Apache HTTP Server to execute scripts can be a security risk. Some users require the Apache HTTP Server to execute CGI scripts. To allow this, first enable the httpd_enable_cgi boolean: | |
| − | + | # semanage boolean -m --on httpd_enable_cgi | |
| − | + | ||
| − | If your CGI scripts are in the cgi-bin directory of your web root | + | If your CGI scripts are in the cgi-bin directory of your web root, no more steps are required. If they are not, you need to label the scripts with httpd_sys_script_exec_t: |
| − | + | # semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/path/to/my/cgi | |
| − | + | # restorecon /var/www/html/path/to/my/cgi | |
| − | = Allow Apache to send mail = | + | = Allow the Apache HTTP Server to send mail = |
| − | + | To allow the Apache HTTP Server to send mail, enable the httpd_can_sendmail boolean: | |
| − | + | # semanage boolean -m --on httpd_can_sendmail | |
| − | + | ||
= Using an NFS or CIFS home directory = | = Using an NFS or CIFS home directory = | ||
| − | For home directories on NFS enable the httpd_use_nfs boolean | + | For home directories on NFS, enable the httpd_use_nfs boolean: |
| − | + | # semanage boolean -m --on httpd_use_nfs | |
| − | + | ||
| − | For home directories on CIFS enable the httpd_use_cifs boolean | + | For home directories on CIFS, enable the httpd_use_cifs boolean: |
| − | + | # semanage boolean -m --on httpd_use_cifs | |
| − | + | ||
Revision as of 10:35, 25 November 2009
The Apache HTTP Server is very configurable; therefore, there are many ways to confine it. This page contains recipes to get started with common configurations.
Contents
Labeling the public_html directory correctly
The public_html directory in your user home directory already has the correct labeling rules in the system file contexts. This directory may or may not exist by default. If you create this directory, it may not be labeled correctly. Additionally, if you move files from your home directory they may not be labeled correctly. Use the restorecon command to relabel your public_html directory:
$ ls -Z drwxrwxr-x. method method system_u:object_r:user_home_t:s0 public_html $ restorecon -R public_html $ ls -Z drwxrwxr-x. method method staff_u:object_r:httpd_user_content_t:s0 public_html
As shown above, the public_html directory was relabeled from user_home_t to httpd_user_content_t. This directory should now be accessible to the Apache HTTP Server.
Allow the Apache HTTP Server to connect to your database server
To allow the Apache HTTP Server to connect to a database server, such as MySQL or PostgreSQL, enable the httpd_can_network_connect_db boolean:
# semanage boolean -m --on httpd_can_network_connect_db
Allow the Apache HTTP Server to run CGI scripts
Allowing the Apache HTTP Server to execute scripts can be a security risk. Some users require the Apache HTTP Server to execute CGI scripts. To allow this, first enable the httpd_enable_cgi boolean:
# semanage boolean -m --on httpd_enable_cgi
If your CGI scripts are in the cgi-bin directory of your web root, no more steps are required. If they are not, you need to label the scripts with httpd_sys_script_exec_t:
# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/path/to/my/cgi # restorecon /var/www/html/path/to/my/cgi
Allow the Apache HTTP Server to send mail
To allow the Apache HTTP Server to send mail, enable the httpd_can_sendmail boolean:
# semanage boolean -m --on httpd_can_sendmail
Using an NFS or CIFS home directory
For home directories on NFS, enable the httpd_use_nfs boolean:
# semanage boolean -m --on httpd_use_nfs
For home directories on CIFS, enable the httpd_use_cifs boolean:
# semanage boolean -m --on httpd_use_cifs
