RHEL7: Configure Apache access restrictions on directories.

Share this link

Note: This is an RHCE 7 exam objective. It has been renamed in June 2016 from “Configure private directories” to “Configure access restrictions on directories” without any particular change.

Prerequisites

First, follow the instructions to install an Apache web server.

Then, create a private directory (called here private):

# cd /var/www/html 
# mkdir private
# echo "This is a test." > private/index.html
# restorecon -R .

There are several ways to restrict access to this directory:

1) host-based private directories

To only allow the test.example.com host (add the name/IP address in the /etc/hosts file if necessary) to access a specific directory (here private), edit the /etc/httpd/conf/httpd.conf file and paste the following lines at the end:

<Directory "/var/www/html/private">
AllowOverride None
Options None
Require host test.example.com
</Directory>

Check the configuration file:

# apachectl configtest
Syntax OK

2) user-based private directories

To only allow me to access a specific directory (here private), edit the /etc/httpd/conf/httpd.conf file and paste the following lines at the end:

<Directory "/var/www/html/private">
AuthType Basic
AuthName "Password protected area"
AuthUserFile /etc/httpd/conf/passwd
Require user me
</Directory>

Check the configuration file:

# apachectl configtest
Syntax OK

Create the passwd file and store me‘s password:

# htpasswd -c /etc/httpd/conf/passwd me
New password: your password
Re-type new password: your password
Adding password for user me
# chmod 600 /etc/httpd/conf/passwd
# chown apache:apache /etc/httpd/conf/passwd

Note: The .htpasswd file can be used locally instead of the httpd.conf file in 1) and 2) for the same purpose.

Whatever the option chosen, restart the httpd service:

# systemctl restart httpd

Configuration Check

Check the httpd service:

# yum install -y curl
# curl -u user:password http://localhost

or

# yum install -y elinks
# elinks http://localhost/private

Useful Tip

If you forget the syntax of some Apache directives, install the httpd-manual package and browse the documentation in the /usr/share/httpd/manual/howto directory:

# yum install -y httpd-manual
# elinks /usr/share/httpd/manual/howto/auth.html

Thanks to Jeromeza for this tip.

1 Star2 Stars3 Stars4 Stars5 Stars (5 votes, average: 4.20 out of 5)
Loading...
33 comments on “RHEL7: Configure Apache access restrictions on directories.
  1. abu3lia says:

    Hi,
    I’ve tried the command [# htpasswd -c passwd user01] but this didn’t create the [passwd] file until I entered the full path for the destination location.

    Regards.

  2. nariman1064 says:

    If during the exam or real life, you have to create the webserver directory under any location other than /var/www/,
    It will certainly take more time to reconfigure everything:
    If you look at “/etc/httpd/conf/httpd.conf” you will notice there are several lines in that file that point to “/var/www/” to set or call different things.
    If in an actual work case, you have to point to a different directory, then there are no issues with taking your time and changing all the paths in httpd.conf to the new location. However, during the exam you have little time to play with these things, the best solution in this case would be to use symlinks.
    Let’s say if you are asked to put your webserver files under /newlocation/, you can create everything there and then create a symlink under /var/www/html for it and in the “/etc/httpd/conf.d/vhosts.conf” file, refer to the symlink for the location :
    Another thing you need to remember is that you have also more work to do other than just restorecon -R :
    Example : let’s say you have to create your webserver under /life/world/ directory instead of /var/www/ ;
    In this case, Selinux will prevent the access and you need to perform below commands to fix the issue:
    (we assume semanage is already installed)
    # semanage fcontext -a -t httpd_sys_script_exec_t “/life/world(/.*)?”
    # semanage fcontext -a -t httpd_sys_content_t “/life/world(/.*)?”
    # restorecon -R -v /life/world/

    • CertDepot says:

      I perfectly agree. Thanks.

      • jeromeza says:

        Could you guys perhaps explain why this option no longer works?

        Symbolic link not allowed or link target not accessible: /var/www/html/dummy-host.example.com/index.html

        # cat /var/www/html/dummy-host.example.com/index.html
        selinux test

        # ls -latrh /var/www/html/dummy-host.example.com/
        index.html > /website/index.html

        • jeromeza says:

          I found the solution myself:

          ====================================
          HTTP – USING AN ALTERNATIVE WEB DIR
          ====================================

          #### INSTALL REQUIRED PACKAGES ####
          yum groupinstall -y “Web server”
          yum -y install setroubleshoot-server selinux-policy

          #### START AND ENABLE SERVICE ####
          systemctl enable httpd
          systemctl start httpd

          #### ADD FIREWALL RULES ####
          firewall-cmd –permanent –add-service=https
          firewall-cmd –reload

          #### MAKE NEW WEB DIR ####
          mkdir /web
          echo testing > /web/index.html

          #### SET SELINUX CONTECT ####

          NOTE: CHECK MAN SEMANAGE-FCONTEXT
          semanage fcontext -a -t httpd_sys_content_t “/web(/.*)?”
          restorecon -R /web

          #### CREATE SYMLINK TO /VAR/WWW/HTML ####

          NOTE: WE DO THIS SO WE DON’T NEED TO EDIT ANY HTTPD CONF FILES FOR DIFFERENT LOCATIONS OR SET DIRECTORY RULES

          ln -s /web/* /var/www/html/mysite/

          NOTE: MAKE SURE /var/www/html/mysite/ IS LISTED AS THE DOCUMENTROOT IN YOUR VHOST CONFIG

          #### RESTART APACHE ####
          systemctl restart httpd

          #### CHECK SITE ####
          curl http://localhost

          • Lisenet says:

            This probably works as long as you have all symlinks in place and none of them are broken. However, what is your plan for making directories available? Say you have a private file located under /web/private/secret.html. How do you think to publish it?

  3. jeromeza says:

    I’ve found that elinks doesn’t seem to handle the auth properly and I don’t get through to the private content.

    Curl seems to a) actually work for me b) be quicker:

    curl -u me:password http://localhost

  4. jeromeza says:

    yum install -y httpd-manual
    less /usr/share/httpd/manual/howto/auth.html

    This helps greatly if you forget the syntax for the auth based directives.

  5. sumon1142 says:

    Hi, how to create the Access Restricted Directory with virtual host configuration? I wrote the Directory stanza in /etc/httpd/conf.d/private.conf and create passwd file. below is my private.conf configuration:

    AuthType Basic
    AuthName “Secret Files”
    AuthUserFile “/etc/httpd/passwd”
    Require user sam

    DocumentRoot /var/www/html/private

    when I am trying to connect using http://localhost/private, it returns ‘not found’ error.

    Can you please explain, What am i missing?

  6. asifshabir says:

    How can we restrict a whole domain.
    e.g
    *.example.local.

    I am trying this without dns but it does not seem to work.

    Options None
    AllowOverride None

    Require all granted
    Require not host *.example.local

  7. Honest Abe says:

    Hi CertDepot,

    Thanks for the tutorials. They provide a very solid base to experiment on.

    I am facing a weird behavior in Curl while practicing access restrictions.

    I have set up Access Restrictions as follows –
    Directory Paths – /var/www/html/{host,user}private/index.html

    where http://webserver/hostprivate should allow/deny specific hosts to view the page
    & http://webserver/userprivate should ask for user’s authentication.

    Configuration :
    A. /etc/httpd/conf.d/01_hostprivate.conf
    <Directory /var/www/html/hostprivate>
    AllowOverride None
    #Options None
    Require host CentOS-Client1.example.com
    #Require ip 10.10.100.2
    </Directory>

    B./etc/httpd/conf.d/02_userprivate.conf
    <Directory /var/www/html/userprivate>
    #AllowOverride None
    AuthType Basic
    AuthName “Restricted Files”
    # (Following line optional)
    AuthBasicProvider file
    AuthUserFile /etc/httpd/conf.d/hpasswd
    Require user mike
    </Directory>

    Firewall is allowed, SELinux is enforced, contexts are correct, permissions are good as well.

    For some weird reason, while curling from (allowed) client, I get the following:

    [root@CentOS-Client1 ~]# curl -k http://10.10.100.1/hostprivate
    <!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
    <html><head>
    <title>301 Moved Permanently</title>
    </head><body>
    <h1>Moved Permanently</h1>
    <p>The document has moved <a href=”http://10.10.100.1/hostprivate/” rel=”nofollow”>here</a>.</p>
    </body></html>

    [root@CentOS-Client1 ~]# curl -u mike:redhat http://10.10.100.1/userprivate
    <!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
    <html><head>
    <title>301 Moved Permanently</title>
    </head><body>
    <h1>Moved Permanently</h1>
    <p>The document has moved <a href=”http://10.10.100.1/userprivate/” rel=”nofollow”>here</a>.</p>
    </body></html>

    However, lynx and firefox are working as expected, since they are prompting for username and password. Any ideas why curl is vomiting?

  8. muhammad.shakeeb says:

    Hi,
    How can I restrict specific ip on apache 2.4.6?
    My configuration is not restricting.

    DocumentRoot “/var/test”

    #
    #
    Directory “/var/test/sysdbagroup”
    AllowOverride AuthConfig
    Require ip 192.168.0.101
    /Directory

    Seems its not working on 2.4 version.

    • Lisenet says:

      The following works for me when put in the Directory section:

         AllowOverride None
         Options None
         Require ip 10.8.8.1/32
      • muhammad.shakeeb says:

        so how would .htaccess works if AllowOverride None. My Scenario is if user1 belongs to dba group and coming from 192.168.0.101, web should be accessible if not then should be denied.

        • Lisenet says:

          Then you can use the following for the group:

          AuthType Basic
          AuthName "Group"
          AuthGroupFile "/path/to/file"
          AuthUserFile "/another/path/to/file"
          Require group dba

          If you want to restrict to specific IPs, then add:

          Require ip 10.8.8.1/32

          To require all conditions to be met, put both into RequireAll.

      • muhammad.shakeeb says:

        what if I need to call .htaccess. For e.g if user1 belongs to dba group and coming from 192.168.0.101 should be allowed else denied.

Leave a Reply

Upcoming Events (Local Time)

There are no events.

RHCSA7: Task of the day

Allowed time: 10 minutes.
Set up a default configuration HTTP server with SELinux in Enforcing mode and active firewalld configuration.

RHCE7: Task of the day

Allowed time: 10 minutes.
Change the SSH process configuration to only listen on the 443 port.

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...