Note: This is an RHCE 7 exam objective. It has been renamed in June 2016 from “Configure private directories” to “Configure access restrictions on directories” without any particular change.
Prerequisites
First, follow the instructions to install an Apache web server.
Then, create a private directory (called here private):
# cd /var/www/html
# mkdir private
# echo "This is a test." > private/index.html
# restorecon -R .
There are several ways to restrict access to this directory:
1) host-based private directories
To only allow the test.example.com host (add the name/IP address in the /etc/hosts file if necessary) to access a specific directory (here private), edit the /etc/httpd/conf/httpd.conf file and paste the following lines at the end:
<Directory "/var/www/html/private">
AllowOverride None
Options None
Require host test.example.com
</Directory>
Check the configuration file:
# apachectl configtest
Syntax OK
2) user-based private directories
To only allow me to access a specific directory (here private), edit the /etc/httpd/conf/httpd.conf file and paste the following lines at the end:
<Directory "/var/www/html/private">
AuthType Basic
AuthName "Password protected area"
AuthUserFile /etc/httpd/conf/passwd
Require user me
</Directory>
Check the configuration file:
# apachectl configtest
Syntax OK
Create the passwd file and store me's password:
# htpasswd -c /etc/httpd/conf/passwd me
New password: your password
Re-type new password: your password
Adding password for user me
# chmod 600 /etc/httpd/conf/passwd
# chown apache:apache /etc/httpd/conf/passwd
Note: The .htpasswd file can be used locally instead of the httpd.conf file in 1) and 2) for the same purpose.
Whatever the option chosen, restart the httpd service:
# systemctl restart httpd
Configuration Check
Check the httpd service:
# yum install -y curl
# curl -u user:password http://localhost
or
# yum install -y elinks
# elinks http://localhost/private
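To make the user-based variant concrete, here is an added example in Python (it is not code from this tutorial or from Apache): it models the server side of `curl -u me:password http://localhost/private/`, decoding the Basic Authorization header, looking the user up in a file of the form written by `htpasswd -c /etc/httpd/conf/passwd me`, and checking the password against the stored `$apr1$` hash (the MD5-based scheme htpasswd uses by default on RHEL 7, reimplemented here so the example runs offline). The file content, the fixed salt `r31.....` and the password are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not code from the tutorial or from Apache: models the server
# side of "curl -u me:password http://localhost/private/" against a file written
# by "htpasswd -c /etc/httpd/conf/passwd me".  htpasswd on RHEL 7 stores
# "$apr1$" (APR MD5-crypt) hashes, reimplemented below so the example runs offline.

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode the low 6*count bits of value, least significant group first."""
    return "".join(_ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_hash(password, salt):
    """Return the $apr1$ hash of password for an 8-character salt."""
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(remaining, 16)])
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching rounds of the algorithm
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order) + _to64(final[11], 2)
    return f"$apr1${salt}${enc}"


def htpasswd_entry(user, password, salt=None):
    """Equivalent of one line written by htpasswd (random salt unless given)."""
    salt = salt or "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"


def parse_htpasswd(text):
    """Parse AuthUserFile content ('user:hash' per line) into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            entries[user] = stored
    return entries


def verify_password(stored, password):
    """Constant-time comparison of password against a stored $apr1$ hash."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False  # other htpasswd schemes (bcrypt, SHA1, crypt) not modelled
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)


def curl_u_header(user, password):
    """The Authorization value that 'curl -u user:password' sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header_value, entries):
    """Return the authenticated user for an Authorization header, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = entries.get(user)
    if stored is None or not verify_password(stored, password):
        return None
    return user


# Constructed stand-in for /etc/httpd/conf/passwd; a fixed salt keeps it deterministic.
SAMPLE_HTPASSWD = htpasswd_entry("me", "your password", salt="r31.....") + "\n"

if __name__ == "__main__":
    entries = parse_htpasswd(SAMPLE_HTPASSWD)
    print(SAMPLE_HTPASSWD.strip())
    print(check_basic_auth(curl_u_header("me", "your password"), entries))  # me
    print(check_basic_auth(curl_u_header("me", "guess"), entries))          # None
```

The hash line printed for the constructed salt can be cross-checked against `openssl passwd -apr1 -salt r31..... 'your password'` on the server. Note that Basic authentication only base64-encodes the credentials, which is what makes them readable in a capture of plain HTTP; the hashing happens on the server side only, and the chmod 600 / chown apache:apache step in the tutorial is what keeps the hash file away from other local users.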
Useful Tip
If you forget the syntax of some Apache directives, install the httpd-manual package and browse the documentation in the /usr/share/httpd/manual/howto directory:
# yum install -y httpd-manual
# elinks /usr/share/httpd/manual/howto/auth.html
Thanks to Jeromeza for this tip.
Hi,
I’ve tried the command [# htpasswd -c passwd user01] but this didn’t create the [passwd] file until I entered the full path for the destination location.
Regards.
You were right. I made a mistake. Thanks.
If during the exam or real life, you have to create the webserver directory under any location other than /var/www/,
It will certainly take more time to reconfigure everything:
If you look at “/etc/httpd/conf/httpd.conf” you will notice there are several lines in that file that point to “/var/www/” to set or call different things.
If in an actual work case, you have to point to a different directory, then there are no issues with taking your time and changing all the paths in httpd.conf to the new location. However, during the exam you have little time to play with these things, the best solution in this case would be to use symlinks.
Let’s say if you are asked to put your webserver files under /newlocation/, you can create everything there and then create a symlink under /var/www/html for it and in the “/etc/httpd/conf.d/vhosts.conf” file, refer to the symlink for the location :
Another thing you need to remember is that you have also more work to do other than just restorecon -R :
Example : let’s say you have to create your webserver under /life/world/ directory instead of /var/www/ ;
In this case, Selinux will prevent the access and you need to perform below commands to fix the issue:
(we assume semanage is already installed)
# semanage fcontext -a -t httpd_sys_script_exec_t "/life/world(/.*)?"
# semanage fcontext -a -t httpd_sys_content_t "/life/world(/.*)?"
# restorecon -R -v /life/world/
I perfectly agree. Thanks.
Could you guys perhaps explain why this option no longer works?
Symbolic link not allowed or link target not accessible: /var/www/html/dummy-host.example.com/index.html
# cat /var/www/html/dummy-host.example.com/index.html
selinux test
# ls -latrh /var/www/html/dummy-host.example.com/
index.html > /website/index.html
I found the solution myself:
====================================
HTTP – USING AN ALTERNATIVE WEB DIR
====================================
#### INSTALL REQUIRED PACKAGES ####
yum groupinstall -y "Web server"
yum -y install setroubleshoot-server selinux-policy
#### START AND ENABLE SERVICE ####
systemctl enable httpd
systemctl start httpd
#### ADD FIREWALL RULES ####
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
#### MAKE NEW WEB DIR ####
mkdir /web
echo testing > /web/index.html
#### SET SELINUX CONTEXT ####
NOTE: CHECK MAN SEMANAGE-FCONTEXT
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
restorecon -R /web
#### CREATE SYMLINK TO /VAR/WWW/HTML ####
NOTE: WE DO THIS SO WE DON’T NEED TO EDIT ANY HTTPD CONF FILES FOR DIFFERENT LOCATIONS OR SET DIRECTORY RULES
ln -s /web/* /var/www/html/mysite/
NOTE: MAKE SURE /var/www/html/mysite/ IS LISTED AS THE DOCUMENTROOT IN YOUR VHOST CONFIG
#### RESTART APACHE ####
systemctl restart httpd
#### CHECK SITE ####
curl http://localhost
This probably works as long as you have all symlinks in place and none of them are broken. However, what is your plan for making directories available? Say you have a private file located under /web/private/secret.html. How do you think to publish it?
I’ve found that elinks doesn’t seem to handle the auth properly and I don’t get through to the private content.
Curl seems to a) actually work for me b) be quicker:
curl -u me:password http://localhost
I agree with you. Curl is a better tool than elinks. Thanks.
An other option is to use lynx. It is harder to use than elinks but it does passwords.
Is there a way to flush cache in elinks? I use both firefox and curl for passing the credentials and I want to understand why it doesn’t work in elinks.
When you open elinks, don’t go to any URL but press “C” twice. This will open the cache manager where you can remove cache entries.
I think you may get a better response to the question on an elinks forum. This sounds like a developer's question. This may not be built in to elinks.
yum install -y httpd-manual
less /usr/share/httpd/manual/howto/auth.html
This helps greatly if you forget the syntax for the auth based directives.
I add it to the tutorial. Thanks.
Hi, how to create the Access Restricted Directory with virtual host configuration? I wrote the Directory stanza in /etc/httpd/conf.d/private.conf and create passwd file. below is my private.conf configuration:
AuthType Basic
AuthName "Secret Files"
AuthUserFile "/etc/httpd/passwd"
Require user sam
DocumentRoot /var/www/html/private
when I am trying to connect using http://localhost/private, it returns ‘not found’ error.
Can you please explain, What am i missing?
How can we restrict a whole domain.
e.g
*.example.local.
I am trying this without dns but it does not seem to work.
Options None
AllowOverride None
Require all granted
Require not host *.example.local
Your configuration will cause Apache to perform a reverse DNS lookup on the client IP address, therefore if you don’t have a reverse DNS zone configured, it will not work.
I suspect you will need a DNS for this.
Hi CertDepot,
Thanks for the tutorials. They provide a very solid base to experiment on.
I am facing a weird behavior in Curl while practicing access restrictions.
I have set up Access Restrictions as follows –
Directory Paths – /var/www/html/{host,user}private/index.html
where http://webserver/hostprivate should allow/deny specific hosts to view the page
& http://webserver/userprivate should ask for user’s authentication.
Configuration :
A. /etc/httpd/conf.d/01_hostprivate.conf
<Directory /var/www/html/hostprivate>
AllowOverride None
#Options None
Require host CentOS-Client1.example.com
#Require ip 10.10.100.2
</Directory>
B./etc/httpd/conf.d/02_userprivate.conf
<Directory /var/www/html/userprivate>
#AllowOverride None
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /etc/httpd/conf.d/hpasswd
Require user mike
</Directory>
Firewall is allowed, SELinux is enforced, contexts are correct, permissions are good as well.
For some weird reason, while curling from (allowed) client, I get the following:
[root@CentOS-Client1 ~]# curl -k http://10.10.100.1/hostprivate
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://10.10.100.1/hostprivate/" rel="nofollow">here</a>.</p>
</body></html>
[root@CentOS-Client1 ~]# curl -u mike:redhat http://10.10.100.1/userprivate
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://10.10.100.1/userprivate/" rel="nofollow">here</a>.</p>
</body></html>
However, lynx and firefox are working as expected, since they are prompting for username and password. Any ideas why curl is vomiting?
Try adding a forward slash “/” to the URLs, for example:
# curl -k http://10.10.100.1/hostprivate/
# curl -u mike:redhat http://10.10.100.1/userprivate/
Sorry, didn’t test it as quickly as I should have.
Thanks Thomas. U are spot on !
[root@CentOS-Client1 ~]# curl -k http://10.10.100.1/hostprivate/
Access granted to Client1 only
[root@CentOS-Client1 ~]# curl -u mike:redhat http://10.10.100.1/userprivate/
only for Mike
[root@CentOS-Client1 ~]#
Looks interesting. I know elinks has the same issue. I suspect it is something to do with the ciphers used.
Have you looked at the log file(s) on the server? Sometimes, these can give you a clue. There is also a debug mode called verbose. At a quick look on the man file I would suggest you look up anyauth and variation.
What ciphers are you referring to? If you look at the output posted, all connections as well as redirects are plain text HTTP.
I am taking a guess that there is a mismatch between the server/client with no-cipher/cipher(ssl)/(other).
Sorry, but I’m still puzzled. Taking a guess based on what? The 301 redirect goes to HTTP, there is no TLS/SSL involved as far as I can tell.
Ok I missed that. However I have come across errors where the cipher/Authorization gives strange errors. In addition I was thinking there is a difference between authorization and encryption communication.
Hi,
How can I restrict specific ip on apache 2.4.6?
My configuration is not restricting.
DocumentRoot “/var/test”
#
#
<Directory "/var/test/sysdbagroup">
AllowOverride AuthConfig
Require ip 192.168.0.101
</Directory>
Seems its not working on 2.4 version.
The following works for me when put in the Directory section:
So how would .htaccess work if AllowOverride None? My scenario is: if user1 belongs to the dba group and is coming from 192.168.0.101, the web content should be accessible, otherwise it should be denied.
Then you can use the following for the group:
If you want to restrict to specific IPs, then add:
To require all conditions to be met, put both into RequireAll.
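As an added example (my own model, not code from the tutorial, from Lisenet's reply, or from Apache's mod_authz modules), the Python below reproduces how Apache 2.4 evaluates Require directives. It covers both the earlier thread on `Require host` / `Require not host` (a host rule needs a PTR record for the client address, so the reverse lookup is injected here and fed from a constructed table, and an address with no record is denied) and the group-plus-IP question answered just above (`Require group` and `Require ip` combined in a RequireAll). It also carries the RequireAll/RequireAny tri-state semantics documented by Apache: a negated Require can only deny or stay neutral, never grant, which is why a "deny one domain" rule has to sit inside RequireAll rather than next to `Require all granted` in the default RequireAny. All hostnames, addresses, users and group-file content are constructed.

```python
import ipaddress

# Added example, not Apache code: a tri-state model of Apache 2.4 "Require"
# evaluation (mod_authz_core semantics: granted / denied / neutral).
GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"

# Constructed reverse-DNS (PTR) table standing in for the zone Apache would
# query; an address missing here behaves like a client with no PTR record.
# Real Apache does a double-reverse lookup (PTR name must resolve back to the IP).
CONSTRUCTED_PTR = {
    "10.10.100.2": "centos-client1.example.com",
    "192.168.0.101": "ws1.example.local",
}

# Constructed AuthGroupFile content, one "group: member member ..." per line.
CONSTRUCTED_GROUPFILE = "dba: user1 user3\nweb: user2\n"


def lookup_ptr(ip):
    """Stand-in for the reverse lookup; returns None when no PTR exists."""
    return CONSTRUCTED_PTR.get(ip)


def parse_groupfile(text):
    """Parse AuthGroupFile text into {group: set(members)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups


def host_matches(hostname, domain):
    """Require host semantics: the name itself or any host below that domain
    (a domain suffix, not a shell wildcard such as *.example.local)."""
    h = hostname.lower().rstrip(".")
    d = domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def evaluate(rule, req, ptr=lookup_ptr):
    """Evaluate one Require rule or container to GRANTED, DENIED or NEUTRAL.
    Rules are tuples: ("granted",), ("ip", cidr...), ("host", domain...),
    ("user", name...), ("group", name...), ("not", rule), ("all", rule...),
    ("any", rule...).  req carries client_ip, the authenticated user (or None)
    and the parsed group file."""
    kind, *args = rule
    if kind == "granted":
        return GRANTED
    if kind == "ip":
        client = ipaddress.ip_address(req["client_ip"])
        ok = any(client in ipaddress.ip_network(n, strict=False) for n in args)
        return GRANTED if ok else DENIED
    if kind == "host":
        name = ptr(req["client_ip"])
        if name is None:
            return DENIED  # no reverse record: fails closed (needs a PTR zone)
        return GRANTED if any(host_matches(name, d) for d in args) else DENIED
    if kind == "user":
        return GRANTED if req.get("user") in args else DENIED
    if kind == "group":
        user = req.get("user")
        member = any(user in req.get("groups", {}).get(g, ()) for g in args)
        return GRANTED if member else DENIED
    if kind == "not":
        inner = evaluate(args[0], req, ptr)
        return DENIED if inner == GRANTED else NEUTRAL  # a negation never grants
    if kind in ("all", "any"):
        results = [evaluate(r, req, ptr) for r in args]
        if kind == "all":
            if DENIED in results:
                return DENIED
            return GRANTED if GRANTED in results else NEUTRAL
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    raise ValueError(f"unknown Require kind: {kind}")


def decide(rules, req, ptr=lookup_ptr):
    """A Directory section: bare Require lines form an implicit RequireAny,
    and anything other than GRANTED ends in a 403."""
    return evaluate(("any", *rules), req, ptr) == GRANTED


if __name__ == "__main__":
    groups = parse_groupfile(CONSTRUCTED_GROUPFILE)
    ws1 = {"client_ip": "192.168.0.101", "user": "user1", "groups": groups}
    dba_from_one_ip = ("all", ("group", "dba"), ("ip", "192.168.0.101"))
    print(decide([dba_from_one_ip], ws1))                      # True
    print(decide([dba_from_one_ip], dict(ws1, user="user2")))  # False
```

The tuple `("all", ("group", "dba"), ("ip", "192.168.0.101"))` corresponds to a `<RequireAll>` block containing `Require group dba` and `Require ip 192.168.0.101` (with AuthType, AuthUserFile and AuthGroupFile set so that a user is authenticated before the group check runs). Running the same model with `("granted",)` and `("not", ("host", "example.local"))` side by side, as in the earlier question, shows the negated rule being ignored in the implicit RequireAny and taking effect only inside `("all", ...)`.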
Thank you Lisenet. 🙂
what if I need to call .htaccess. For e.g if user1 belongs to dba group and coming from 192.168.0.101 should be allowed else denied.