Thursday, 23 June 2011

HTTP/HTTPS -- Configure a virtual host

If you are coming from a Windows background virtual hosts are the equivalent of hosting several websites using host headers.
In my case I have created a couple of CNAME aliases on my DNS server for 10.168.20.225, so that rhel6virtual.dev.com and rhel6morevirtual.dev.com both point to 10.168.20.225, the ip address of the Apache server. You can replicate this by modifying your /etc/hosts file if you don't want to be using a DNS server. Note that this needs to be added to the client too.

I can now edit the Apache config file (/etc/httpd/conf/httpd.conf) like this:
NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/rhel6virtual/
    ServerName rhel6virtual.dev.com
    ErrorLog logs/rhel6virtual
    CustomLog logs/rhel6virtual common
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/rhel6morevirtual
    ServerName rhel6morevirtual.dev.com
    ErrorLog logs/rhel6mv
    CustomLog logs/rhel6mv common
</VirtualHost>
I now create the DocumentRoot directories:
mkdir /var/www/rhel6virtual; mkdir /var/www/rhel6morevirtual
and add a file to each directory to allow easy testing:
  echo "More Virtual" > /var/www/rhel6morevirtual/index.html; 
  echo "Virtual" > /var/www/rhel6virtual/index.html
You can now restart Apache:
httpd -k restart
So now if you visit http://rhel6virtual.dev.com/index.html you'll see a web page that simply says Virtual and if you visit http://rhel6morevirtual.dev.com/index.html you'll see a web page that simply says More Virtual.

Installing Apache has already been covered here. You can check the rather long list of SELinux settings with:
getsebool -a | grep httpd
For an explanation of what each settings does, check this manual page out:
man httpd_selinux
In order to prevent access to the websites you can use iptables (don't forget to save the configuration), e.g.
 iptables -I INPUT -p tcp --dport 80 -s 10.168.20.0/24 -j DROP
or you can edit the configuration file for Apache, add the following to the second virtual host from above:
 <Directory "/var/www/rhel6morevirtual/">
         Options            Indexes FollowSymLinks
         AllowOverride      None
         Order              deny,allow
         Allow              from 10.168.20.203
         Deny from all
    </Directory>
Only 10.168.20.203 can see rhel6morevirtual now.

In order to prohibit users from accessing the web server, you first need to allow users to use it, so add a user and password with the following command (The -c creates the file, so it's only needed the first time):
 htpasswd -cm /etc/httpd/conf/apachepass myuser
Now, edit the Apache config file and inside the directory directive for "/var/www/rhel6morevirtual/" add:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/httpd/conf/apachepass
Require user myuser
Restart Apache and now the only user that can see rhel6morevirtual will be myuser.

Note that an alternative to this method is to use the .htaccess file. In this method  we create an .htaccess file on the target directory /home/myuser/public_html/ in my case.

Edit the .htaccess file and enter the following :
AuthType Basic
AuthName "Restricted to myuser"
AuthUserFile /home/myuser/public_html/.htauthusers
Require valid-user
You now need to run:
htpasswd -c .htauthusers myuser
If you try to visit the page, you'll be prompted for a username and password. The beauty of this method is that it allows users without root access to restrict access to "their" web site.

No comments:

Post a Comment