RHEL7: Configure Apache access restrictions on directories.


Note: This is an RHCE 7 exam objective. It has been renamed in June 2016 from “Configure private directories” to “Configure access restrictions on directories” without any particular change.

Prerequisites

First, follow the instructions to install an Apache web server.

Then, create a private directory (called here private):

# cd /var/www/html 
# mkdir private
# echo "This is a test." > private/index.html
# restorecon -R .

There are several ways to restrict access to this directory:

1) host-based private directories

To only allow the test.example.com host (add the name/IP address in the /etc/hosts file if necessary) to access a specific directory (here private), edit the /etc/httpd/conf/httpd.conf file and paste the following lines at the end:

<Directory "/var/www/html/private">
AllowOverride None
Options None
Require host test.example.com
</Directory>

Check the configuration file:

# apachectl configtest
Syntax OK

2) user-based private directories

To only allow me to access a specific directory (here private), edit the /etc/httpd/conf/httpd.conf file and paste the following lines at the end:

<Directory "/var/www/html/private">
AuthType Basic
AuthName "Password protected area"
AuthUserFile /etc/httpd/conf/passwd
Require user me
</Directory>

Check the configuration file:

# apachectl configtest
Syntax OK

Create the passwd file and store me's password:

# htpasswd -c /etc/httpd/conf/passwd me
New password: your password
Re-type new password: your password
Adding password for user me
# chmod 600 /etc/httpd/conf/passwd
# chown apache:apache /etc/httpd/conf/passwd

Note: The .htpasswd file can be used locally instead of the httpd.conf file in 1) and 2) for the same purpose.
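As an added example that is not part of the original page, the following shell check lints a stanza of the kind written in 1) and 2) above before the httpd restart: it catches a stanza with no Require line, Basic auth without an AuthUserFile, a password file placed under the DocumentRoot, and a world-readable password file. The function name lint_private_dir, its arguments, and the sample stanzas are this example's own assumptions.

```bash
#!/bin/bash
# Added example, not from the original page: a static check of an Apache
# <Directory> stanza for the restrictions this page configures, usable before
# "apachectl configtest" and without a running httpd. It flags: no Require
# line (the directory stays open), AuthType Basic with no AuthUserFile, an
# AuthUserFile under the DocumentRoot (it could be served as content), and an
# existing passwd file that is world-readable. Function name is hypothetical.

lint_private_dir() {            # usage: lint_private_dir <conf> [docroot]
    local conf="$1" docroot="${2:-/var/www/html}" rc=0 pw
    if ! grep -qE '^[[:space:]]*Require[[:space:]]' "$conf"; then
        echo "FAIL: no Require directive, directory is not restricted"; rc=1
    fi
    if grep -qiE '^[[:space:]]*AuthType[[:space:]]+Basic' "$conf"; then
        # first AuthUserFile value, surrounding quotes stripped
        pw=$(awk 'tolower($1)=="authuserfile"{gsub(/"/,"",$2); print $2; exit}' "$conf")
        if [ -z "$pw" ]; then
            echo "FAIL: AuthType Basic but no AuthUserFile"; rc=1
        else
            case "$pw" in
                "$docroot"/*) echo "FAIL: $pw is under DocumentRoot $docroot"; rc=1 ;;
            esac
            if [ -e "$pw" ] && [ -n "$(find "$pw" -perm -004)" ]; then
                echo "FAIL: $pw is world-readable (chmod 600, chown apache:apache)"; rc=1
            fi
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Constructed sample stanzas so the check can be tried offline.
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
<Directory "/var/www/html/private">
AuthType Basic
AuthName "Password protected area"
AuthUserFile /etc/httpd/conf/passwd
Require user me
</Directory>
EOF
cat > "$tmp/bad.conf" <<'EOF'
<Directory "/var/www/html/private">
AuthType Basic
AuthUserFile /var/www/html/private/.htpasswd
</Directory>
EOF
lint_private_dir "$tmp/good.conf"            # OK
lint_private_dir "$tmp/bad.conf" || true     # two FAIL lines
```

Run it against the file holding your stanza (for a host-based stanza only the Require check applies); a non-zero exit means something to fix before systemctl restart httpd.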

Whatever the option chosen, restart the httpd service:

# systemctl restart httpd

Configuration Check

Check the httpd service:

# yum install -y curl
# curl -u user:password http://localhost

or

# yum install -y elinks
# elinks http://localhost/private

Useful Tip

If you forget the syntax of some Apache directives, install the httpd-manual package and browse the documentation in the /usr/share/httpd/manual/howto directory:

# yum install -y httpd-manual
# elinks /usr/share/httpd/manual/howto/auth.html

Thanks to Jeromeza for this tip.

abu3lia
Member

Hi,
I’ve tried the command [# htpasswd -c passwd user01] but this didn’t create the [passwd] file until I entered the full path for the destination location.

Regards.

nariman1064
Member

If during the exam or real life, you have to create the webserver directory under any location other than /var/www/, It will certainly take more time to reconfigure everything: If you look at “/etc/httpd/conf/httpd.conf” you will notice there are several lines in that file that point to “/var/www/” to set or call different things. If in an actual work case, you have to point to a different directory, then there are no issues with taking your time and changing all the paths in httpd.conf to the new location. However, during the exam you have little time to play with these… Read more »

jeromeza
Member

I’ve found that elinks doesn’t seem to handle the auth properly and I don’t get through to the private content.

Curl seems to a) actually work for me b) be quicker:

curl -u me:password http://localhost

jeromeza
Member

yum install -y httpd-manual
less /usr/share/httpd/manual/howto/auth.html

This helps greatly if you forget the syntax for the auth based directives.

sumon1142
Member

Hi, how do I create the access-restricted directory with a virtual host configuration? I wrote the Directory stanza in /etc/httpd/conf.d/private.conf and created the passwd file. Below is my private.conf configuration:

AuthType Basic
AuthName "Secret Files"
AuthUserFile "/etc/httpd/passwd"
Require user sam

DocumentRoot /var/www/html/private

When I try to connect using http://localhost/private, it returns a 'not found' error.

Can you please explain what I am missing?

asifshabir
Member

How can we restrict a whole domain, e.g. *.example.local?

I am trying this without DNS but it does not seem to work.

Options None
AllowOverride None

Require all granted
Require not host *.example.local

Lisenet
Member

Your configuration will cause Apache to perform a reverse DNS lookup on the client IP address, therefore if you don’t have a reverse DNS zone configured, it will not work.

Sam
Member

I suspect you will need a DNS for this.

Honest Abe
Member

Hi CertDepot, Thanks for the tutorials. They provide a very solid base to experiment on. I am facing a weird behavior in Curl while practicing access restrictions. I have set up Access Restrictions as follows – Directory Paths – /var/www/html/{host,user}private/index.html where http://webserver/hostprivate should allow/deny specific hosts to view the page & http://webserver/userprivate should ask for user’s authentication.

Configuration:

A. /etc/httpd/conf.d/01_hostprivate.conf

<Directory /var/www/html/hostprivate>
AllowOverride None
#Options None
Require host CentOS-Client1.example.com
#Require ip 10.10.100.2
</Directory>

B. /etc/httpd/conf.d/02_userprivate.conf

<Directory /var/www/html/userprivate>
#AllowOverride None
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /etc/httpd/conf.d/hpasswd
Require user mike
</Directory>

Firewall is allowed, SELinux… Read more »

Lisenet
Member

Try adding a forward slash “/” to the URLs, for example:

# curl -k http://10.10.100.1/hostprivate/

# curl -u mike:redhat http://10.10.100.1/userprivate/

Honest Abe
Member

Sorry, didn’t test it as quickly as I should have.
Thanks Thomas. You are spot on!

[root@CentOS-Client1 ~]# curl -k http://10.10.100.1/hostprivate/
Access granted to Client1 only
[root@CentOS-Client1 ~]# curl -u mike:redhat http://10.10.100.1/userprivate/
only for Mike
[root@CentOS-Client1 ~]#

Sam
Member

Looks interesting. I know elinks has the same issue. I suspect it is something to do with the ciphers used.

Have you looked at the log file(s) on the server? Sometimes, these can give you a clue. There is also a debug mode called verbose. At a quick look on the man file I would suggest you look up anyauth and variation.

Lisenet
Member

What ciphers are you referring to? If you look at the output posted, all connections as well as redirects are plain text HTTP.

Sam
Member

I am taking a guess that there is a mismatch between the server/client with no-cipher/cipher(ssl)/(other).

Lisenet
Member

Sorry, but I’m still puzzled. Taking a guess based on what? The 301 redirect goes to HTTP, there is no TLS/SSL involved as far as I can tell.

Sam
Member

Ok I missed that. However I have come across errors where the cipher/Authorization gives strange errors. In addition I was thinking there is a difference between authorization and encryption communication.
