
10.5.3 Port-number-based virtual hosts


May 24, 2021 That's what Linux should learn



The port-number-based virtual host feature lets users reach different web site resources on the same server by specifying a port number. Of the three ways to configure virtual hosting in Apache, port-based configuration is the most involved, because we must take care of not only the httpd service configuration but also SELinux's control over newly opened ports. In general it is reasonable to serve websites on port numbers such as 80, 443 or 8080; if you use any other port number, the SELinux service will restrict httpd from binding to it until the port is labelled.

In the next experiment we therefore have to deal with two SELinux controls: the security context applied to the site directory, and the restrictions the httpd domain places on which ports the httpd service program may listen on.

Step 1: Create two directories in /home/wwwroot to hold data for different sites and write the home file of the site to each of them. Each home page file should have information that clearly distinguishes between the content of different websites, so that we can check the results more intuitively later.

[root@linuxprobe ~]# mkdir -p /home/wwwroot/6111
[root@linuxprobe ~]# mkdir -p /home/wwwroot/6222
[root@linuxprobe ~]# echo "port:6111" > /home/wwwroot/6111/index.html
[root@linuxprobe ~]# echo "port:6222" > /home/wwwroot/6222/index.html

Step 2: Add parameters for listening on ports 6111 and 6222, respectively, on lines 43 and 44 of the httpd service configuration file.

[root@linuxprobe ~]# vim /etc/httpd/conf/httpd.conf
.................. Omit some of the output information...
33 #
34 # Listen: Allows you to bind Apache to specific IP addresses and/or
35 # ports, instead of the default. See also the <VirtualHost>
36 # directive.
37 #
38 # Change this to Listen on specific IP addresses as shown below to
39 # prevent Apache from glomming onto all bound IP addresses.
40 #
41 #Listen 12.34.56.78:80
42 Listen 80
43 Listen 6111
44 Listen 6222
.................. Omit some of the output information...

Step 3: Starting at approximately line 113 of the httpd service configuration file, add two port-number-based virtual host site blocks, then save and exit. Remember that the httpd service must be restarted before these settings take effect.

[root@linuxprobe ~]# vim /etc/httpd/conf/httpd.conf
.................. Omit some of the output information...
113 <VirtualHost 192.168.10.10:6111>
114 DocumentRoot "/home/wwwroot/6111"
115 ServerName www.linuxprobe.com
116 <Directory "/home/wwwroot/6111">
117 AllowOverride None
118 Require all granted
119 </Directory>
120 </VirtualHost>
121 <VirtualHost 192.168.10.10:6222>
122 DocumentRoot "/home/wwwroot/6222"
123 ServerName bbs.linuxprobe.com
124 <Directory "/home/wwwroot/6222">
125 AllowOverride None
126 Require all granted
127 </Directory>
128 </VirtualHost>
.................. Omit some of the output information...

Step 4: Because the site data is stored under /home/wwwroot rather than the default /var/www/html, we still have to set the SELinux security context of the site data directory and its files so that it matches the web service function. Finally, remember to run the restorecon command so that the newly configured SELinux security context takes effect immediately.

[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6111
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6111/*
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6222
[root@linuxprobe ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/6222/*
[root@linuxprobe ~]# restorecon -Rv /home/wwwroot/
restorecon reset /home/wwwroot context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/6111 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/6111/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/6222 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/6222/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@linuxprobe ~]# systemctl restart httpd
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.

Oops! Even after configuring the httpd service program and the SELinux security context correctly, restarting the httpd service reports an error. The reason is that SELinux's port labelling does not list 6111 and 6222 as ports the Apache service is expected to use; when httpd now tries to bind to them, SELinux denies the bind and the service fails to start. We can use the semanage command to list all ports that SELinux associates with the HTTP protocol and filter the output.

[root@linuxprobe ~]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

Step 5: SELinux does not include port numbers 6111 and 6222 in http_port_t by default, so these two ports need to be added manually. The change takes effect immediately and persists across system restarts. After adding them, restart the httpd service program and you can see the page content, as shown in Figure 10-17.

[root@linuxprobe ~]# semanage port -a -t http_port_t -p tcp 6111
[root@linuxprobe ~]# semanage port -a -t http_port_t -p tcp 6222
[root@linuxprobe ~]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      6222, 6111, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
[root@linuxprobe ~]# systemctl restart httpd
[root@linuxprobe ~]# firefox
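The failed restart above can be avoided by checking the SELinux port labels before touching httpd. The script below is an added example, not part of the original page: it parses the `semanage port -l` listing format shown above (the sample listing is constructed from that output) and reports which TCP ports still need an `http_port_t` label, including ports that fall inside a range such as 10001-10010.

```shell
#!/bin/sh
# Added example (not from the original page): decide which ports a
# port-based virtual host needs that SELinux does not yet label http_port_t.
# SEMANAGE_SAMPLE is a constructed copy of the `semanage port -l | grep http`
# listing shown on this page, embedded so the script runs offline.
SEMANAGE_SAMPLE='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989'

# port_labelled LISTING TYPE PROTO PORT
# Exit 0 if PORT is listed for TYPE/PROTO, either as a single value ("80,")
# or inside a range ("10001-10010"); exit 1 otherwise.
port_labelled() {
    listing=$1; type=$2; proto=$3; port=$4
    printf '%s\n' "$listing" | awk -v t="$type" -v p="$proto" -v n="$port" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)          # strip the trailing comma
                if (split(v, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = v + 0; hi = v + 0 }
                if (n + 0 >= lo && n + 0 <= hi) { found = 1 }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# missing_http_ports LISTING PORT...
# Print, space separated, the ports that still need
# `semanage port -a -t http_port_t -p tcp <port>` before httpd can bind them.
missing_http_ports() {
    listing=$1; shift
    out=""
    for port in "$@"; do
        if ! port_labelled "$listing" http_port_t tcp "$port"; then
            out="$out $port"
        fi
    done
    printf '%s' "${out# }"
}

# On a live host (root, policycoreutils-python-utils installed) you would use:
#   live=$(semanage port -l | grep http)
#   for p in $(missing_http_ports "$live" 6111 6222); do
#       semanage port -a -t http_port_t -p tcp "$p"
#   done
```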


Figure 10-17 Access the virtual host site based on the port number