Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 13. The Apache HTTP Server

The Apache HTTP Server provides an open-source HTTP server with the current HTTP standards.[14]
In Red Hat Enterprise Linux, the httpd package provides the Apache HTTP Server. Enter the following command to see if the httpd package is installed: 
~]$ rpm -q httpd
package httpd is not installed
Copy to Clipboard Toggle word wrap
If it is not installed and you want to use the Apache HTTP Server, use the yum utility as the root user to install it: 
~]# yum install httpd
Copy to Clipboard Toggle word wrap

13.1. The Apache HTTP Server and SELinux
Link kopieren

When SELinux is enabled, the Apache HTTP Server (httpd) runs confined by default. Confined processes run in their own domains, and are separated from other confined processes. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited. The following example demonstrates the httpd processes running in their own domain. This example assumes the httpd, setroubleshoot, setroubleshoot-server and policycoreutils-python packages are installed:
  1. Run the getenforce command to confirm SELinux is running in enforcing mode: 
    ~]$ getenforce
Enforcing
    Copy to Clipboard Toggle word wrap
    The command returns Enforcing when SELinux is running in enforcing mode.
  2. Enter the following command as root to start httpd: 
    ~]# systemctl start httpd.service
    Copy to Clipboard Toggle word wrap
    Confirm that the service is running. The output should include the information below (only the time stamp will differ): 
    ~]# systemctl status httpd.service       
httpd.service - The Apache HTTP Server
	  Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
	  Active: active (running) since Mon 2013-08-05 14:00:55 CEST; 8s ago
    Copy to Clipboard Toggle word wrap
  3. To view the httpd processes, execute the following command: 
    ~]$ ps -eZ | grep httpd
system_u:system_r:httpd_t:s0    19780 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    19781 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    19782 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    19783 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    19784 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    19785 ?        00:00:00 httpd
    Copy to Clipboard Toggle word wrap
    The SELinux context associated with the httpd processes is system_u:system_r:httpd_t:s0. The second last part of the context, httpd_t, is the type. A type defines a domain for processes and a type for files. In this case, the httpd processes are running in the httpd_t domain.
SELinux policy defines how processes running in confined domains (such as httpd_t) interact with files, other processes, and the system in general. Files must be labeled correctly to allow httpd access to them. For example, httpd can read files labeled with the httpd_sys_content_t type, but cannot write to them, even if Linux (DAC) permissions allow write access. Booleans must be enabled to allow certain behavior, such as allowing scripts network access, allowing httpd access to NFS and CIFS volumes, and httpd being allowed to execute Common Gateway Interface (CGI) scripts.
When the /etc/httpd/conf/httpd.conf file is configured so httpd listens on a port other than TCP ports 80, 443, 488, 8008, 8009, or 8443, the semanage port command must be used to add the new port number to SELinux policy configuration. The following example demonstrates configuring httpd to listen on a port that is not already defined in SELinux policy configuration for httpd, and, as a consequence, httpd failing to start. This example also demonstrates how to then configure the SELinux system to allow httpd to successfully listen on a non-standard port that is not already defined in the policy. This example assumes the httpd package is installed. Run each command in the example as the root user:
  1. Enter the following command to confirm httpd is not running: 
    ~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
	  Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
          Active: inactive (dead)
    Copy to Clipboard Toggle word wrap
    If the output differs, stop the process: 
    ~]# systemctl stop httpd.service
    Copy to Clipboard Toggle word wrap
  2. Use the semanage utility to view the ports SELinux allows httpd to listen on: 
    ~]# semanage port -l | grep -w http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
    Copy to Clipboard Toggle word wrap
  3. Edit the /etc/httpd/conf/httpd.conf file as root. Configure the Listen option so it lists a port that is not configured in SELinux policy configuration for httpd. In this example, httpd is configured to listen on port 12345: 
    # Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
Listen 127.0.0.1:12345
    Copy to Clipboard Toggle word wrap
  4. Enter the following command to start httpd: 
    ~]# systemctl start httpd.service
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
    Copy to Clipboard Toggle word wrap
    An SELinux denial message similar to the following is logged: 
    setroubleshoot: SELinux is preventing the httpd (httpd_t) from binding to port 12345. For complete SELinux messages. run sealert -l f18bca99-db64-4c16-9719-1db89f0d8c77
    Copy to Clipboard Toggle word wrap
  5. For SELinux to allow httpd to listen on port 12345, as used in this example, the following command is required: 
    ~]# semanage port -a -t http_port_t -p tcp 12345
    Copy to Clipboard Toggle word wrap
  6. Start httpd again and have it listen on the new port: 
    ~]# systemctl start httpd.service
    Copy to Clipboard Toggle word wrap
  7. Now that SELinux has been configured to allow httpd to listen on a non-standard port (TCP 12345 in this example), httpd starts successfully on this port.
  8. To prove that httpd is listening and communicating on TCP port 12345, open a telnet connection to the specified port and issue a HTTP GET command, as follows: 
    ~]# telnet localhost 12345
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 02 Dec 2009 14:36:34 GMT
Server: Apache/2.2.13 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3985
Content-Type: text/html; charset=UTF-8
[...continues...]
    Copy to Clipboard Toggle word wrap

[14] For more information, see the section named The Apache HTTP Sever in the System Administrator's Guide.
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat