Formal Learning linux-12

Posted by phpnew on Sat, 14 Mar 2020 17:54:23 +0100

1.selinux

The SELinux security subsystem uses domain and security-context restrictions to limit a service to only the resources it is supposed to have.

Domain: restricts what a service is allowed to do (its functionality);

Security context: restricts which files it may access (file-permission level).

The state of SELinux is configured in /etc/selinux/config. It is recommended that the status be set to enforcing. After editing the file, the change takes effect after a system restart, or immediately by running setenforce 0 (permissive) or setenforce 1 (enforcing).

2. semanage command

This command is used to manage SELinux policies.

[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot

The above command modifies the security context value of the directory: -a adds the rule (the modification to be applied), -t specifies the type, httpd_sys_content_t is the security context value the target directory is to be set to, and /home/wwwroot is the target directory. wwwroot must not be followed by a trailing '/' (this may depend on the version).

The restorecon command is used to make the security context take effect immediately.

3. Configure virtual host functionality

The virtual host function is based on IP address, host domain name and port number.

IP Address Based

[root@linuxprobe ~]# mkdir -p /home/wwwroot/10
[root@linuxprobe ~]# echo "IP:192.168.10.10" > /home/wwwroot/10/index.html
[root@linuxprobe ~]# vim /etc/httpd/conf/httpd.conf
..................Omit some output information.........
113 <VirtualHost 192.168.10.10>
114 DocumentRoot /home/wwwroot/10
115 ServerName www.linuxprobe.com
116 <Directory /home/wwwroot/10 >
117 AllowOverride None
118 Require all granted
119 </Directory>
120 </VirtualHost>
[root@linuxprobe ~]# systemctl restart httpd
[root@linuxprobe ~]# systemctl enable httpd
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/10
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/10/*
[root@linuxprobe ~]# restorecon -Rv /home/wwwroot

First, create the directory that holds the site data for this IP (/home/wwwroot/10) and write the home page file (index.html) that visitors will see. Then edit the configuration file of the httpd service and set DocumentRoot to that same site data directory; save and exit. Restart the service and add it to the startup items. Then set the security context of the directory and of the files inside it (semanage fcontext is not recursive, so this takes a few separate commands), and apply the security context immediately with the restorecon command.

Host Domain Name Based

This experiment uses forced name resolution (the IP address is specified for each domain name in /etc/hosts) so that the domain names resolve to the server's IP address.

[root@linuxprobe ~]# vim /etc/hosts #Open the configuration file and append the following line to the existing content
192.168.10.10 www.linuxprobe.com bbs.linuxprobe.com tech.linuxprobe.com
[root@linuxprobe ~]# ping -c 4 www.linuxprobe.com #Ping the domain name to confirm it resolves to the address
64 bytes from www.linuxprobe.com (192.168.10.10): icmp_seq=4 ttl=64 time=0.069 ms
--- www.linuxprobe.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.061/0.069/0.077/0.008 ms
[root@linuxprobe ~]# mkdir -p /home/wwwroot/www #Create Site Data Save Directory
[root@linuxprobe ~]# echo "WWW.linuxprobe.com" > /home/wwwroot/www/index.html #Write the home page file of the site; on success the browser shows this text
[root@linuxprobe ~]# vim /etc/httpd/conf/httpd.conf #Edit httpd service configuration file
..................Omit some output information.........
113 <VirtualHost 192.168.10.10> #Virtual Host IP Address
114 DocumentRoot "/home/wwwroot/www" #Site Data Storage Directory
115 ServerName "www.linuxprobe.com" #Site Server Domain Name
116 <Directory "/home/wwwroot/www"> #Site data directory permissions, consistent with saving data directory
117 AllowOverride None
118 Require all granted #Allow all requests
119 </Directory>
120 </VirtualHost>
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot #Set the security context for directories and files
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/www
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/www/*
[root@linuxprobe ~]# restorecon -Rv /home/wwwroot #Make the security context take effect immediately

Based on port number

Setting up port-number-based virtual hosts runs into both kinds of SELinux restriction: the security context of the site directory and the domain restriction on which ports httpd may listen on.

[root@linuxprobe ~]# mkdir -p /home/wwwroot/6111 #Create Site Data Save Directory
[root@linuxprobe ~]# echo "port:6111" > /home/wwwroot/6111/index.html #Write to the site home page file
[root@linuxprobe ~]# vim /etc/httpd/conf/httpd.conf #Open the main configuration file of the httpd service and add a Listen line for port 6111 (here on line 43)
43 Listen 6111
[root@linuxprobe ~]# vim /etc/httpd/conf/httpd.conf #Configuration of virtual host information
..................Omit some output information.........
113 <VirtualHost 192.168.10.10:6111> #Virtual Host IP Address and Port Number
114 DocumentRoot "/home/wwwroot/6111"
115 ServerName www.linuxprobe.com
116 <Directory "/home/wwwroot/6111">
117 AllowOverride None
118 Require all granted
119 </Directory>
120 </VirtualHost>
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot #Set directory and file security context within directory
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6111
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6111/*
[root@linuxprobe ~]# restorecon -Rv /home/wwwroot/ #Make the set security context take effect immediately
[root@linuxprobe ~]# systemctl restart httpd #Restart the httpd service for the changes to take effect; the restart fails with the error below because of the SELinux domain restrictions on httpd
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
[root@linuxprobe ~]# semanage port -l | grep http #List the ports the policy already allows for the http service, to find the relevant policy to set
[root@linuxprobe ~]# semanage port -a -t http_port_t -p tcp 6111 #Add port 6111 to the allowed http ports. After this, accessing IP:port works without problems.
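As an added example (not part of the original post), the two SELinux checks from sections 2 and 3 as shell functions: one parses `semanage port -l` output to tell whether a port is already labelled for a type, handling port ranges as well as single ports, and one checks `ls -Z` output for the expected file type. The samples are constructed so it runs offline; on a real host substitute the real command output as noted in the comments.

```bash
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for the
# port-based virtual host, run here over constructed sample output.
# On a real host use: PORTS="$(semanage port -l)" and
# FILES="$(ls -Z /home/wwwroot/6111)" instead of the SAMPLE_* values.

# Constructed sample of `semanage port -l | grep http` on a default policy.
SAMPLE_PORTS='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988'

# Constructed samples of `ls -Z` on the site directory before and after restorecon.
SAMPLE_BEFORE='unconfined_u:object_r:home_root_t:s0 index.html'
SAMPLE_AFTER='unconfined_u:object_r:httpd_sys_content_t:s0 index.html'

# port_allowed TYPE PORT LISTING -> exit 0 if PORT is listed under TYPE (tcp),
# else 1. Entries may be single ports ("80,") or ranges ("10001-10010").
port_allowed() {
  echo "$3" | awk -v t="$1" -v p="$2" '
    $1 == t && $2 == "tcp" {
      for (i = 3; i <= NF; i++) {
        gsub(",", "", $i)
        if (split($i, r, "-") == 2) {
          if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
        } else if ($i + 0 == p + 0) found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}

# files_have_type TYPE LISTING -> exit 0 only if every line of an `ls -Z`
# listing carries the SELinux type TYPE (third colon-separated field).
files_have_type() {
  echo "$2" | awk -v t="$1" -F: 'NF < 3 || $3 != t { bad = 1 } END { exit bad ? 1 : 0 }'
}

# Report what still has to be done for the page's port 6111 setup.
if port_allowed http_port_t 6111 "$SAMPLE_PORTS"; then
  echo "port 6111 already labelled http_port_t"
else
  echo "run: semanage port -a -t http_port_t -p tcp 6111"
fi
if files_have_type httpd_sys_content_t "$SAMPLE_BEFORE"; then
  echo "site files already labelled httpd_sys_content_t"
else
  echo "run: semanage fcontext -a -t httpd_sys_content_t ... ; restorecon -Rv /home/wwwroot"
fi
```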
