Lab 6 Implementing Web(HTTP) Services

Goal: To implement a Web(HTTP) server with a virtual host and CGI capability.

System Setup: Throughout this lab, the hostnames and domain names that you use will be based upon the IP address of your machine. Any time the lab refers to a name that contains X, you should replace X with your station number (the last segment of your IP address). For example, if your station's IP address is 192.168.0.3, you would replace references to stationX.domainX.com with station3.domain3.com.

Enable packet filtering. Before commencing, ensure that packet filtering is active and that SELinux is in Enforcing mode.

Sequence 1: Server installation and basic configuration

Deliverable: A working Web Services implementation: with virtual hosting, CGI capability, and a proxy server.

Instructions:

1. Inventory your system and install packages as necessary.

Enable the service at system boot.

The httpd package is required. Use chkconfig to enable this service.

a. # yum -y install httpd

b. # chkconfig httpd on

2. Consider and document which access controls are applicable to your service implementation to meet the specified requirements.

Complete the access control matrix to be used as an aid while configuring the service:

Access Control  Implementation
Application  /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/*
PAM  N/A
xinetd  N/A
tcp_wrappers  N/A
SELinux  ensure correct file contexts; no change to booleans
Netfilter, IPv6  disregard IPv6 access for now
Netfilter  tcp ports 80 and 443

Check which ports are commonly used for your service:

grep http /etc/services

Check whether httpd is linked, or controlled by another utility that is linked with libwrap.so.

ldd $(which httpd) | grep libwrap
strings $(which httpd) | grep hosts

Application Specific Security

Inspect configuration files used by your service to see the default access control options. A recommended file to begin your inspection is the initialization script called at system boot.

Compare these defaults to the stated requirements.

SELinux

Determine that httpd is an SELinux-targeted service by checking the policy file:

semanage fcontext -l | grep http

You can check for SELinux booleans by running:

getsebool -a | grep http

If you're unsure about the purpose of these settings, try following up with man pages:

man -k http | grep selinux

If the above command fails to indicate a man page, but instead displays an error message with the string "updatedb", then you must run makewhatis &. Please retry the man command as listed above.

3. Start httpd using the default configuration.

a. # service httpd start

4. Verify the DocumentRoot directive in /etc/httpd/conf/httpd.conf reads as below:

DocumentRoot /var/www/html

5. Open a web browser and set the URL to http://stationX.example.com.

If your browser is working, you will see the Red Hat Enterprise Linux Test Page. Note that this page is not the actual index.html file, but it used the /var/www/error/noindex.html file because index.html was missing.

6. Create a new directory hierarchy and some new content:

# mkdir -p /var/www/virtual/wwwX.example.com/html
# cd /var/www/virtual/wwwX.example.com/html
# cat > index.html <<EOF
<b>wwwX.example.com</b>
EOF

(This creates a one-line HTML page.)

7. Create a virtual host by adding the following lines to the bottom of the /etc/httpd/conf/httpd.conf file:

NameVirtualHost 192.168.0.X:80

<VirtualHost 192.168.0.X:80>
  ServerName wwwX.example.com
  ServerAdmin root@stationX.example.com
  DocumentRoot /var/www/virtual/wwwX.example.com/html
  ErrorLog logs/wwwX.example.com-error_log
  CustomLog logs/wwwX.example.com-access_log combined
  <Directory /var/www/virtual/wwwX.example.com/html>
    Options Indexes Includes
  </Directory>
</VirtualHost>

8. Ensure that your DNS system resolves your virtual host domain name.

# dig wwwX.example.com
;; QUESTION SECTION:
;wwwX.example.com

;; ANSWER SECTION:
wwwX.example.com 86400 IN CNAME stationX.example.com.
stationX.example.com 86400 IN A 192.168.0.X

9. Check the syntax of the configuration file and reload httpd.

a. # service httpd configtest

b. If you do not get any errors, run the following to reload httpd :

# service httpd reload

10. In your browser, change the URL to point to the new virtual host:

http://wwwX.example.com

Do you see the content of your customized page?

11. Enable the web port in your firewall for the 192.168.0.0/24 subnet.

a. # iptables -I INPUT 1 -s 192.168.0.0/24 -p tcp --dport 80 -j ACCEPT

b. # service iptables save

Sequence 2: Using CGI

Deliverable: A web server with a CGI script

Instructions:

1. Add the following line to the <VirtualHost> block defined in the previous Sequence:

ScriptAlias /cgi-bin/ /var/www/virtual/wwwX.example.com/cgi-bin/

2. Create the directory above, then create a file inside it named test.sh, with the following contents:

#!/bin/bash
echo Content-Type: text/html
echo
echo "<pre>"
echo My username is:
whoami
echo
echo My id is:
id
echo
echo My shell settings are:
set
echo
echo My environmental variables are:
env
echo
echo Here are the files in /tmp/:
ls /tmp/*
echo "</pre>"

a. # cd /var/www/virtual/wwwX.example.com/
# mkdir -p cgi-bin

3. Try to execute this CGI script by pointing your web browser to http://wwwX.example.com/cgi-bin/test.sh

Why didn't the script execute? Check the log files in /var/log/httpd/ for information to help you answer why. (Did you remember to restart or reload server?).

4. Fix the problem and ensure that the script executes properly.

a. Make the script read-write-executable for user, and read-executable for group and other:

# chmod 755 test.sh

5. In the test.sh script, the ls /tmp/* command is executed. When you test this and the script otherwise runs correctly, you will note that the ls command fails. Can you figure out why?

If the ls command works, ensure that you are in Enforcing mode

6. Remove the ls /tmp/* command from the test.sh script and confirm that the test.sh script can run without errors after restarting the httpd daemon..

a. Run setenforce to ensure that you are in Enforcing mode.

# setenforce 1

b. In /var/log/audit/audit.log, you should see some SELinux errors as the web server tries to access the files in /tmp/.

c. SELinux prevents the web server from accessing the files in /tmp/. Note the SELinux error messages in the /var/log/audit/audit.log file.

Challenge Sequence 3: Securing access to your web site documents

Deliverable: A password-protected web server

Instructions:

1. Create a file named .htaccess in the wwwX.example.com document root with the following content:

AuthName "restricted stuff"
AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd-wwwX
require valid-user

a. Edit /var/www/virtual/wwwX.example.com/html/.htaccess, and add the content above.

2. Create your domain's password file in /etc/httpd/conf/.htpasswd-wwwX. The file must be readable by the group apache. Reload the httpd service.

a. # cd /etc/httpd/conf/

b. # htpasswd -mc .htpasswd-wwwX user_name

c. # chgrp apache .htpasswd-wwwX

d. # chmod 640 .htpasswd-wwwX

e. # service httpd reload

3. Access the http://wwwX.example.com web page. Are you prompted for a user name and password?

It should not work yet.

4. Add the following line to the web server's configuration file httpd.conf, inside of the <Directory> block for the wwwX.example.com virtual host you created earlier:

AllowOverride AuthConfig

5. Try to access the http://wwwX.example.com web page again. Are you prompted for a user name and password now? If so, are you able to gain access to the page with the user name and password you created earlier?

6. Create a new directory for your web site named /virtual/. Copy (not move) the contents of your virtual web site to the new directory.

a. # mkdir -p /virtual

b. # cp -a /var/www/virtual/wwwX.example.com/html /virtual

7. Change the DocumentRoot of the virtual web site to /virtual/. Attempt to access the web page. Did it work? If not, investigate the errors and fix the problem.

a. Change the DocumentRoot of the virtual site in /etc/httpd/conf/httpd.conf to match the following:

DocumentRoot /virtual/html

b. Test and reload the web server

# service httpd configtest
# service httpd reload

c. /var/log/audit/audit.log should contain some SELinux errors regarding an incorrect target context. Set the context on the directory and file:

# chcon -R --reference=/var/www/html /virtual

8. If you found some SELinux errors, did you attempt to use restorecon to change the context? Did it work?

a. restorecon will not fix the problem because this web site is not in a standard directory. You must use chcon to fix this problem.

Sequence 4: Basic Squid(ICP) Implementation

Deliverable: A working Squid(ICP) proxy server.

Instructions:

1. Inventory your system and install packages as necessary.

The squid package is required. Use chkconfig to enable this service.

a. # yum -y install squid

b. # chkconfig squid on

2. Consider and document which access controls are applicable to your service implementation to meet the specified requirements.

Complete the access control matrix to be used as an aid while configuring the service:

Access Control Implementation
Application  /etc/squid/squid.conf
PAM  /etc/pam.d/squid
xinetd  N/A
tcp_wrappers  N/A
SELinux  ensure correct file contexts; no change to booleans
Netfilter, IPv6  disregard IPv6 access for now
Netfilter  default tcp port is 3128

Check which ports are commonly used for your service:

grep squid /etc/services

Application Specific Security

Inspect configuration files used by your service to see the default access control options. A recommended file to begin your inspection is the initialization script called at system boot.

Compare these defaults to the stated requirements.

SELinux

Determine that squid is an SELinux-targeted service by checking the policy file:

semanage fcontext -l | grep squi

You can check for SELinux booleans by running:

getsebool -a | grep squi

If you're unsure about the purpose of these settings, try following up with man pages:

man -k proxy | grep selinux

If the above command fails to indicate a man page, but instead displays an error message with the string "updatedb", then you must run makewhatis &. Please retry the man command as listed above.

3. Start the squid service, then configure your web browser to use your proxy. Use localhost as the server, with the port set to 3128.

a. # service squid start

b. # chkconfig squid on

c. To set the proxy settings in Firefox, navigate to Edit->Preferences. In the General settings, click on the Connection Settings... button. Click the Manual proxy configuration radio button. Add localhost in the HTTP Proxy: box, and 3128 in the Port: box. Click OK to accept the changes.

4. Try accessing a web page somewhere. If the classroom does not have Internet access, try http://server1.example.com/pub/, which should return the RHN Satellite server page.

5. Now have a neighbor configure his or her web browser to use your proxy. This should not work.

6. Configure the firewall to allow the default proxy port to your neighbor's IP address. Have your neighbor attempt to connect again. This should still not work.

a. # iptables -I INPUT 1 -s 192.168.0.0/24 -p tcp --dport 3128 -j ACCEPT

b. # service iptables save

7. The page that squid returns, and the bottom of /var/log/squid/access.log indicate why.

8. Open /etc/squid/squid.conf in your preferred text browser. As you can see, it is mostly comments and documentation. You will also note that squid is extremely configurable and tunable. For this lab, we will configure a basic setup that will be adequate for many settings.

a. If you don't have a preferred text editor, use gedit:

# gedit /etc/squid/squid.conf

9. Search for the second occurrence of Recommended minimum configuration in the file. This will take you to the default access control lists, or acls. Add an acl for the 192.168.0.0/24 network below the acl CONNECT method CONNECT line.

a. You should add this line:

acl example src 192.168.0.0/24

You can now refer to this network as example elsewhere in the configuration file. src means that the IP specified is the source IP(s) for this acl.

10. Search further down in the file for INSERT YOUR OWN RULE(S) HERE. Add a line above the localhost access rule to allow example. Reload squid. Your neighbor should now be able to access your cache.

a. You should add this line:

http_access allow example

b. # service squid reload

11. Some URLs are best avoided completely. Return to the acl section, and add the some acl lines beneath the line you added earlier to include .yahoo.com and .hotmail.com in an acl named otherguys (use .example.com if you do not have Internet access in your classroom).

a. Add these lines near the location that you added the example acls:

acl otherguys dstdomain .yahoo.com
acl otherguys dstdomain .hotmail.com

b. There are a couple of things to mention here. First, note that the additive property of acls. Both of the domains are added to the acl. Second, note the dstdomain acl type, which specifies that this definition concerns destination domains. Third, note the use of dot notation in specifying the domain name. Make sure to include the leading dot.

12. Add a rule to deny access to these problematic domains.

Restart squid again, then check one or more of the web sites associated with those domains. Unfortunately, you find that access is not denied.

a. Return to where you added the allow rule for example, and below it add the following:

http_access deny otherguys

b. # service squid reload

13. Open the configuration file again, and move the deny rule you added so that it is before the allow rule for example. Order matters, so by having the allow rule for example before the deny rule for the otherguys destinations, access was allowed and the deny rule never took effect. After moving the rule, restart squid once more. This time it should deny access to any site within the prohibited domains.

a. # service squid reload

RH253读书笔记(6)-Lab 6 Implementing Web(HTTP) Services的更多相关文章

  1. RH253读书笔记(5)-Lab 5 Network File Sharing Services

    Lab 5 Network File Sharing Services Goal: Share file or printer resources with FTP, NFS and Samba Se ...

  2. RH253读书笔记(7)-Lab 7 Electronic Mail

    Lab 7 Electronic Mail Goal: To build common skills with MTA configuration Estimated Duration: 90 min ...

  3. RH253读书笔记(8)-Lab 8 Securing Data

    Lab 8 Securing Data Goal: Gain familiarity with encryption utilities Sequence 1: Using SSH keys with ...

  4. RH253读书笔记(2)-Lab 2 System Resource Access Controls

    Lab 2 System Resource Access Controls Goal: To become familiar with system resource access controls. ...

  5. RH253读书笔记(1)-Lab 1 System Monitoring

    Lab 1 System Monitoring Goal: To build skills to better assess system resources, performance and sec ...

  6. RH253读书笔记(4)-Lab 4 The Domain Name System

    Lab 4 The Domain Name System Goal: To install and configure a DNS server System Setup: Throughout th ...

  7. RH253读书笔记(3)-Lab 3 Securing Networking

    Lab 3 Securing Networking Goal: To build skills with the Netfilter packet filter Sequence 1: Applyin ...

  8. RH253读书笔记(9)-Lab 9 Account Management Methods

    Lab 9 Account Management Methods Goal: To build skills with PAM configuration Sequence 1: Track Fail ...

  9. 【读书笔记】使用代理录制Web性能测试脚本

    读书笔记:<零成本实现Web性能测试>第3章 基本操作步骤: 在测试计划中添加线程组. 在该线程组中添加HTTP请求默认值.设置服务器名称或ip.端口. 在工作台添加HTTP代理服务器.设 ...

随机推荐

  1. uva 11722 - Joining with Friend(概率)

    题目连接:uva 11722 - Joining with Friend 题目大意:你和朋友乘火车,而且都会路过A市.给定两人可能到达A市的时段,火车会停w.问说两人能够见面的概率. 解题思路:y = ...

  2. hdu 3790 (最短路径问题dijkstra)

    主题链接:http://acm.hdu.edu.cn/showproblem.php?pid=3790 Problem Description 给你n个点,m条无向边,每条边都有长度d和花费p,给你起 ...

  3. Android编程 获取网络连接状态 及调用网络配置界面

    获取网络连接状态 随着3G和Wifi的推广,越来越多的Android应用程序需要调用网络资源,检测网络连接状态也就成为网络应用程序所必备的功能. Android平台提供了ConnectivityMan ...

  4. android windows 上JNI编程

    昨天学习windows上的JNI编程,JNI说白了就是java和c语言的一个互相沟通的桥梁.java能够调用JNI来完毕调用C语言实现的方法. JNI的全称是(Java native interfac ...

  5. WPF-21:WPF实现仿安卓的图案密码键盘(初级)

    希望大家有这方面好的代码给提供下,谢谢了! 想用C#做一个和手机上一样的图形密码键盘,貌似这方面资料比较少,虽然winphone手机上也有但是网上也没有这方面的代码.只好用常规的思维去实现一下,当然是 ...

  6. Linux命令之文本处理(二)

    cut命令 cut命令用来操作文件的列,能够视为列编辑器:与之相应是大多数的行"编辑器".如sed.grep.sort等,它们操作文本时,以行为单位. cut的主要功能就是输出文本 ...

  7. Javascript 优化

    Javascript 优化 作者:@gzdaijie本文为作者原创,转载请注明出处:http://www.cnblogs.com/gzdaijie/p/5324489.html 目录 1.全局变量污染 ...

  8. 解决wordpress发表文章,照片不能居中的问题

    最近,随着一个年轻漂亮的女人的帮助(简直美极了.图相当火爆,性格非常好.大家闺秀型,照片给大家看看下一个突发.哈哈)获取她的个人博客,地址似乎是www.okaaok.com遇到发表文章.照片不能反正水 ...

  9. windows azure Vm、cloud service、web application 如何选择可用的服务

    windows azure 的web应用和虚拟机都经常用.我们经常把我们的网站部署上去.一般选择web应用或者开一个虚拟机.开一个虚拟机就会按照虚拟机的使用时间进行计费. 那么我们选择web部署在哪里 ...

  10. Android研究之手PullToRefresh(ListView GridView 下拉刷新)使用具体解释

     群里一哥们今天聊天偶然提到这个git hub上的控件:pull-to-refresh ,有兴趣的看下,样例中的功能极其强大,支持非常多控件.本篇博客具体给大家介绍下ListView和GridVi ...