Tag Archives: HTTPD

Securing DNS and Web Servers

In this introductory article, I will present several methods for helping to secure DNS and Web Servers. I am using BIND 9.9.4 and Apache HTTPD 2.4.6 on CentOS 6.4. BIND and HTTPD are by far the most common DNS and Web Server platforms. I will show how to build the software from source, as well as perform an initial secure configuration. I will presume a minimal installation of CentOS 6.4. If you’re using another Linux or UNIX variant, you will need to adjust the procedures accordingly. This article presumes that the reader is already familiar with DNS and Web Servers, particularly BIND and HTTPD.

Fully hardening these services is a very complex subject and we only touch on the major aspects of configuration below.

Continue reading →

SELinux: Allowing httpd to Listen on Non-Standard Ports

If you attempt to have httpd listen on a non-standard port (we’ll get to what’s “standard” and what isn’t in a moment) on an SELinux enabled host, SELinux will deny the request. Let’s try it out (on a CentOS 6.4 box):

# cd /etc/httpd/conf.d
# echo "Listen 8585" > listen.conf
# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:
(13)Permission denied: make_sock: could not bind to address [::]:8585
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:8585
no listening sockets available, shutting down
Unable to open logs
                                                           [FAILED]

# cd /etc/httpd/conf.d

# echo "Listen 8585" > listen.conf

# service httpd restart

Stopping httpd: [ OK ]

Starting httpd:

(13)Permission denied: make_sock: could not bind to address [::]:8585

(13)Permission denied: make_sock: could not bind to address 0.0.0.0:8585

no listening sockets available, shutting down

Unable to open logs

[FAILED]

Kaboom! As you can see, the error message is quite clear “(13)Permission denied: make_sock: could not bind to address”. Let’s take a look at the audit logs and see what’s going on:

type=AVC msg=audit(1371477046.382:20195): avc:  denied  { name_bind } for  pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1371477046.382:20195): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7fd0fa0ede00 a2=1c a3=7fffb095d3ec items=0 ppid=16428 pid=16429 auid=666 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=674 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1371477046.382:20196): avc:  denied  { name_bind } for  pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1371477046.382:20196): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fd0fa0edd40 a2=10 a3=7fffb095d3ec items=0 ppid=16428 pid=16429 auid=666 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=674 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1371477046.382:20195): avc: denied { name_bind } for pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1371477046.382:20195): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7fd0fa0ede00 a2=1c a3=7fffb095d3ec items=0 ppid=16428 pid=16429 auid=666 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=674 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1371477046.382:20196): avc: denied { name_bind } for pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1371477046.382:20196): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fd0fa0edd40 a2=10 a3=7fffb095d3ec items=0 ppid=16428 pid=16429 auid=666 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=674 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

There are two sets of messages there, one for the IPv4 bind, the other for the IPv6 bind. The AVC message actually makes it clear what’s going on:

type=AVC msg=audit(1371477046.382:20195): avc: denied { name_bind } for pid=16429 comm="httpd" src=8585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

You can see that the violation is from source context (scontext) unconfined_u:system_r:httpd_t which is the httpd process, and the target context (tcontext) is system_u:object_r:port_t with target class (tclass) tcp_socket. The denied port (8585 in this case) is also logged in the src field.

SELinux will only allow httpd to bind to ports of type http_port_t. Here, we can see that httpd is attempting to bind to a port of type port_t - which is going to be denied by the policy. We need to define port 8585 as a port of type http_port_t. semanage is the tool for that - and you’ll need the policycoreutils-python package installed:

# yum install policycoreutils-python
# rpm -qf `which semanage`
policycoreutils-python-2.0.83-19.30.el6.x86_64

# yum install policycoreutils-python

# rpm -qf `which semanage`

policycoreutils-python-2.0.83-19.30.el6.x86_64

First, let’s look at which ports are currently defined as type http_port_t:

# semanage port -l | grep '^http_port_t'
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443

1 2	# semanage port -l \| grep '^http_port_t' http_port_t tcp 80, 443, 488, 8008, 8009, 8443

And add our desired listen port, 8585/tcp to the list:

# semanage port -a -t http_port_t -p tcp 8585
# semanage port -l | grep '^http_port_t'
http_port_t                    tcp      8585, 80, 443, 488, 8008, 8009, 8443

# semanage port -a -t http_port_t -p tcp 8585

# semanage port -l | grep '^http_port_t'

http_port_t tcp 8585, 80, 443, 488, 8008, 8009, 8443

Looks good. Fire up httpd:

# service httpd start
Starting httpd:                                            [  OK  ]

1 2	# service httpd start Starting httpd: [ OK ]

And test with nc or similar:

# echo "GET /" | nc localhost 8585
...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>

# echo "GET /" | nc localhost 8585

...

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<html>

<head>

Running Puppet Master under Apache and Passenger - CentOS 6.4

I have been running my puppetmaster using the embedded WEBrick server for a while. I decided it was time to migrate to something a little more robust - namely Apache and Passenger. I loosely followed the documentation available on the Puppet site, although that covers Passenger 3.0.x and I’m using 4.0.x, and the supplied Apache configuration does not work. There were also a few other changes I had to make along the way to suit my configuration requirements. My puppetmaster is running CentOS 6.4.

Continue reading →

WordPress: Avoiding Infinite Recursion with mod_rewrite and mod_fastcgi

Whilst converting tokiwinter.com away from mod_php to mod_fastcgi/PHP-FPM, I experienced the following error:

[Thu Jul 11 14:29:31 2013] [error] [client 192.168.122.1] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

1	[Thu Jul 11 14:29:31 2013] [error] [client 192.168.122.1] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

Enabling LogLevel debug for the VirtualHost showed the following extra detail:

[Thu Jul 11 14:29:31 2013] [debug] core.c(3072): [client 192.168.122.1] r->uri = /index.php
[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /cgi-bin/php5.fcgi/index.php
[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /index.php
[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /cgi-bin/php5.fcgi/index.php
[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /index.php
...

[Thu Jul 11 14:29:31 2013] [debug] core.c(3072): [client 192.168.122.1] r->uri = /index.php

[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /cgi-bin/php5.fcgi/index.php

[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /index.php

[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /cgi-bin/php5.fcgi/index.php

[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /index.php

...

We can see that the rewrites required for WordPress in .htaccess are interfering with the correct operation of mod_fastcgi. The net result - HTTP 500 Internal Server Error for all our clients.

The fix is easy enough - add the following additional rewrite to .htaccess for the WordPress installation:

RewriteCond %{REQUEST_URI} ^/cgi-bin/php5.fcgi(.*)
RewriteRule . - [L]

1 2	RewriteCond %{REQUEST_URI} ^/cgi-bin/php5.fcgi(.*) RewriteRule . - [L]

i.e. if the request URI is a mod_fastcgi request, do not apply any rewrites. My complete .htaccess file in my WordPress VirtualHost is now:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_URI} ^/cgi-bin/php5.fcgi(.*)
RewriteRule . - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# BEGIN WordPress

RewriteEngine On

RewriteBase /

RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_URI} ^/cgi-bin/php5.fcgi(.*)

RewriteRule . - [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

</IfModule>

# END WordPress

This works for me with the following VirtualHost configuration:

NameVirtualHost *:80
<VirtualHost *:80>
	ServerAdmin toki@tokiwinter.com
	ServerName tokiwinter.com
	ServerAlias www.tokiwinter.com	
	DocumentRoot /var/www/virtualhosts/tokiwinter.com/htdocs
	ScriptAlias "/cgi-bin/" "/var/www/virtualhosts/tokiwinter.com/htdocs/cgi-bin/"
	FastCGIExternalServer /var/www/virtualhosts/tokiwinter.com/htdocs/cgi-bin/php5.fcgi -host 127.0.0.1:9000
	ErrorLog logs/tokiwinter.com-error_log
	CustomLog logs/tokiwinter.com-access_log common
	<Directory />
		AllowOverride all
		Order allow,deny
		Allow from all
		AddType application/x-httpd-fastphp5 .php
		Action application/x-httpd-fastphp5 /cgi-bin/php5.fcgi
	</Directory>
	DirectoryIndex index.php
</VirtualHost>

NameVirtualHost *:80

ServerAdmin toki@tokiwinter.com

ServerName tokiwinter.com

ServerAlias www.tokiwinter.com

DocumentRoot /var/www/virtualhosts/tokiwinter.com/htdocs

ScriptAlias "/cgi-bin/" "/var/www/virtualhosts/tokiwinter.com/htdocs/cgi-bin/"

FastCGIExternalServer /var/www/virtualhosts/tokiwinter.com/htdocs/cgi-bin/php5.fcgi -host 127.0.0.1:9000

ErrorLog logs/tokiwinter.com-error_log

CustomLog logs/tokiwinter.com-access_log common

AllowOverride all

Order allow,deny

Allow from all

AddType application/x-httpd-fastphp5 .php

Action application/x-httpd-fastphp5 /cgi-bin/php5.fcgi

</Directory>

DirectoryIndex index.php

</VirtualHost>

Your mileage may well vary.

How to Load Balance Tomcat with Apache HTTPD and mod_jk

In the following article, I’ll demonstrate how we can use Apache HTTPD to load balance across two Apache Tomcat instances. Whilst in this example the Apache HTTPD load balancer is a single point of failure, we could implement (although outside the scope of this article) a failover HTTPD instance clustered using one of the many available clustering stacks (RHCS, or something more lightweight like keepalived). Then, we’d have a highly-available load balancer.

There are a few ways we can use HTTPD to load balance, via the use of loadable modules. mod_proxy_http is the simplest, and can be used to load balance any service that “speaks” plain HTTP. mod_proxy_ajp is a simple AJP balancer module, with a slight performance increase of mod_proxy_http. However, mod_proxy_ajp is purported to be rather buggy when compared with other similar modules. Hence, we’ll use mod_jk. This is a very active module developed alongside Tomcat, and in many years of working with it I’ve never experienced a major bug or a configuration requirement it couldn’t handle.

Continue reading →

SELinux: Allowing HTTPD to Connect to PHP-FPM

When running PHP-FPM (PHP FastCGI Process Manager), it can be configured to listen on a UNIX socket, or a TCP port. When using the latter on an SELinux enabled system, you will receive HTTP 500 Internal Server Errors if SELinux is not configured correctly.

For example, on my system, I’m using the following directive (in my example.com VirtualHost):

FastCGIExternalServer /var/www/www.example.com/htdocs/cgi-bin/php5.fcgi -host 127.0.0.1:9000

1	FastCGIExternalServer /var/www/www.example.com/htdocs/cgi-bin/php5.fcgi -host 127.0.0.1:9000

However, the default value of the httpd_can_network_connect SELinux boolean is false, or off. Therefore, httpd is unable to connect to the PHP-FPM pool listening on 127.0.0.1:9000.

You will see AVC denial messages in /var/log/audit/audit.log such as:

type=AVC msg=audit(1373344647.677:17670): avc:  denied  { name_connect } for  pid=24124 comm="httpd" dest=9000
 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

1 2	type=AVC msg=audit(1373344647.677:17670): avc: denied { name_connect } for pid=24124 comm="httpd" dest=9000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

To fix this issue, set the httpd_can_network_connect SELinux boolean to true, or on, remembering the -P option so that this change persists across system reboots.

# setsebool -P httpd_can_network_connect on

1	# setsebool -P httpd_can_network_connect on

Puppet Module: apache2: VirtualHost templates

Module: apache2

Purpose: This module shows how an ERB template can be used to create VirtualHost definitions

File: apache2/manifests/init.pp

Notes: This is the base class. It can just be included within a node definition to install a stock httpd from yum. Also sets up a site-specific define - see comments in file.

# apache2/init.pp - base apache class
# 
# Supports only CentOS at this stage. Installs latest httpd from yum and
# copies standard httpd.conf into place.
#
# Removes welcome.conf
#
# Sets up site-specific define so you can do things like this:
# 
# node "somenode" {
#    include apache2
#    apache2::site-specific "node-special-config.conf"
#    apache2::site-specific "ssl.conf"
# }
# and so on.
class apache2 {
  case $::operatingsystem {
    'CentOS' : {
      $confdir = "/etc/httpd/conf.d"
      $logdir  = "/var/log/httpd"
      package { "httpd":  ensure => "latest",
                before => File["/etc/httpd/conf/httpd.conf"] }
      service { "httpd":  ensure => running,
                enable => true,
                require => Package["httpd"] }
      file { "/etc/httpd/conf/httpd.conf":
                source => "puppet:///modules/apache2/default-httpd.conf",
                owner  => "root",
                group  => "root",
                mode   => "0644",
                before => Service["httpd"],
                notify => Service["httpd"] }
      # get rid of baboon.conf
      file { "${confdir}/welcome.conf":
                ensure  => absent,
                require => Package["httpd"],
                before  => Service["httpd"] }
      exec { "/sbin/restorecon /etc/httpd/conf/httpd.conf":
                subscribe => File["/etc/httpd/conf/httpd.conf"],
                refreshonly => true }
    }
    default : {
      fail('Operating system unsupported by Apache class')
    }
  }
  define site-specific() {
    file { "${apache2::confdir}/${name}":
                source => "puppet:///modules/apache2/${name}",
                owner  => "root",
                group  => "root",
                mode   => "0644",
                notify => Service["httpd"] }
  }
}

# apache2/init.pp - base apache class

# Supports only CentOS at this stage. Installs latest httpd from yum and

# copies standard httpd.conf into place.

# Removes welcome.conf

# Sets up site-specific define so you can do things like this:

# node "somenode" {

# include apache2

# apache2::site-specific "node-special-config.conf"

# apache2::site-specific "ssl.conf"

# }

# and so on.

class apache2 {

case $::operatingsystem {

'CentOS' : {

$confdir = "/etc/httpd/conf.d"

$logdir = "/var/log/httpd"

package { "httpd": ensure => "latest",

before => File["/etc/httpd/conf/httpd.conf"] }

service { "httpd": ensure => running,

enable => true,

require => Package["httpd"] }

file { "/etc/httpd/conf/httpd.conf":

source => "puppet:///modules/apache2/default-httpd.conf",

owner => "root",

group => "root",

mode => "0644",

before => Service["httpd"],

notify => Service["httpd"] }

# get rid of baboon.conf

file { "${confdir}/welcome.conf":

ensure => absent,

require => Package["httpd"],

before => Service["httpd"] }

exec { "/sbin/restorecon /etc/httpd/conf/httpd.conf":

subscribe => File["/etc/httpd/conf/httpd.conf"],

refreshonly => true }

}

default : {

fail('Operating system unsupported by Apache class')

}

define site-specific() {

file { "${apache2::confdir}/${name}":

source => "puppet:///modules/apache2/${name}",

owner => "root",

group => "root",

mode => "0644",

notify => Service["httpd"] }

}

File: apache2/manifests/vhost.pp

Notes: Contains the virtual host definition. Supports only port 80 (else we’d need to ensure SELinux had the correct configuration for http_port_t, etc.), and fairly basic VirtualHost configuration. Anything more “fancy” can be implemented using the site-specific define set up in init.pp, or by using a custom $template.

# apache2/vhost.pp
#
# Define to set up a basic templated Apache 2 vhost.
# 
# $document_root - Value for DocumentRoot
# $template - Path to template file (defaults to standard port 80
#             based template
# $priority - Priority to use in filename prefix
# $servername - Value for ServerName
# $serveraliases - Value(s) for ServerAlias
# $options - Value for Options
# $port - Only supports port 80 at present (would need to take into
#         account SELinux, multiple defines of Listen would break things,
#         etc.
# $vhost_name - Used in VirtualHost tag
#
# Example:
#
#     apache2::vhost { "example2.com":
#        document_root => "/var/www/example2.com/htdocs",
#        serveraliases => [ "www.example2.com", "example2.com" ]
#    }
define apache2::vhost (
  $document_root  = "",
  $template   = "apache2/vhost-default.conf.erb",
  $priority   = "10",
  $servername   = "${name}",
  $serveraliases  = "",
  $options    = "Indexes FollowSymLinks MultiViews",
  $port     = "80",
  $vhost_name   = "${name}"
) {
  # doesn't matter if this gets included multiple times
  # for each vhost invocation - it's a singleton
  include apache2
  # get the logdir from our parent class
  $logdir = $apache2::logdir
  # at the moment, this only supports port 80 else SELinux will
  # explode
  if $port != "80" {
    fail("You have specified a port other than 80 - don't do that")
  }
  # we already check for operating system in the core
  # apache2 class and deal with unsupported OSes there
  file { "${apache2::confdir}/${priority}-${name}.conf":
        content => template("$template"),
        owner => "root",
        group => "root",
        mode  => "0644",
        require => Package["httpd"],
        notify  => Service["httpd"]
  }
}

# apache2/vhost.pp

# Define to set up a basic templated Apache 2 vhost.

# $document_root - Value for DocumentRoot

# $template - Path to template file (defaults to standard port 80

# based template

# $priority - Priority to use in filename prefix

# $servername - Value for ServerName

# $serveraliases - Value(s) for ServerAlias

# $options - Value for Options

# $port - Only supports port 80 at present (would need to take into

# account SELinux, multiple defines of Listen would break things,

# etc.

# $vhost_name - Used in VirtualHost tag

# Example:

# apache2::vhost { "example2.com":

# document_root => "/var/www/example2.com/htdocs",

# serveraliases => [ "www.example2.com", "example2.com" ]

# }

define apache2::vhost (

$document_root = "",

$template = "apache2/vhost-default.conf.erb",

$priority = "10",

$servername = "${name}",

$serveraliases = "",

$options = "Indexes FollowSymLinks MultiViews",

$port = "80",

$vhost_name = "${name}"

) {

# doesn't matter if this gets included multiple times

# for each vhost invocation - it's a singleton

include apache2

# get the logdir from our parent class

$logdir = $apache2::logdir

# at the moment, this only supports port 80 else SELinux will

# explode

if $port != "80" {

fail("You have specified a port other than 80 - don't do that")

}

# we already check for operating system in the core

# apache2 class and deal with unsupported OSes there

file { "${apache2::confdir}/${priority}-${name}.conf":

content => template("$template"),

owner => "root",

group => "root",

mode => "0644",

require => Package["httpd"],

notify => Service["httpd"]

}

File: apache2/templates/vhost-default.conf.erb

Notes: ERB template for the VirtualHost configuration

NameVirtualHost <%= @vhost_name %>:<%= @port %>
<VirtualHost <%= @vhost_name %>:<%= @port %>>
    ServerName <%= @servername %>
    <% if @serveraliases != "" -%>
    <% if @serveraliases.is_a? Array -%>
    ServerAlias <%= @serveraliases.flatten.join(" ") %>
    <% else -%>
    ServerAlias <%= @serveraliases %>
    <% end -%>
    <% end -%>
    DocumentRoot <%= @document_root %>
    <Directory <%= @document_root %>>
        Options <%= @options %>
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog <%= @logdir %>/<%= @servername %>_error.log
    CustomLog <%= @logdir %>/<%= @servername %>_access.log combined
    LogLevel warn
    ServerSignature Off
</VirtualHost>

NameVirtualHost <%= @vhost_name %>:<%= @port %>

ServerName <%= @servername %>

<% if @serveraliases != "" -%>

<% if @serveraliases.is_a? Array -%>

ServerAlias <%= @serveraliases.flatten.join(" ") %>

<% else -%>

ServerAlias <%= @serveraliases %>

<% end -%>

DocumentRoot <%= @document_root %>

Options <%= @options %>

AllowOverride None

Order allow,deny

allow from all

</Directory>

ErrorLog <%= @logdir %>/<%= @servername %>_error.log

CustomLog <%= @logdir %>/<%= @servername %>_access.log combined

LogLevel warn

ServerSignature Off

</VirtualHost>

Apache HTTPD mod_rewrite: one RewriteCond to many RewriteRules

Within Apache HTTPD’s mod_rewrite, RewriteCond only applies one RewriteRule that comes immediately after the RewriteCond itself. It didn’t seem like such a great idea to have to duplicate a lengthy RewriteCond definition half a dozen times for multiple RewriteRules.

Turns out there is a fairly simple trick to achieve exactly what I was looking for: if the RewriteCond is negated and followed by RewriteRule . – [S=n] to skip the following n rules, the RewriteRules in essence are only applied when the singular RewriteCond is true. Like so:

RewriteCond %{REQUEST_URI} !^/(pattern1|pattern2|pattern3)/$ [NC]
RewriteRule . - [S=3]
RewriteRule ^/pattern1/$ /someURL.php [L]
RewriteRule ^/pattern2/$ /someURL2.php [L]
RewriteRule ^/pattern3/$ /iLikeDoughnuts.php [L]

RewriteCond %{REQUEST_URI} !^/(pattern1|pattern2|pattern3)/$ [NC]

RewriteRule . - [S=3]

RewriteRule ^/pattern1/$ /someURL.php [L]

RewriteRule ^/pattern2/$ /someURL2.php [L]

RewriteRule ^/pattern3/$ /iLikeDoughnuts.php [L]

Now the last three rules are skipped if the condition is not true or, in reverse, they are applied if the condition is true. Each pattern is then handled individually, and the [L] rewrite option will cause only the pertinent rule to be applied - processing will stop after the first matched condition.

Apache httpd: How to Use htpasswd to Password Protect Areas of your Site

This doesn’t cover the basics of configuring httpd, etc. You should know how to do that! Also, this is being done on an old RHEL 4 box.

If you’re having trouble with selinux blocking CGI in weird and wonderful ways, disable it:

setsebool -P httpd_disable_trans 1
getsebool -a | grep httpd_disable_trans

1 2	setsebool -P httpd_disable_trans 1 getsebool -a \| grep httpd_disable_trans

Anyway … modify /etc/httpd/conf/httpd.conf and add a <Directory> directive for the directory that you wish to protect, e.g. :

# sed -n '275,+7 p' /etc/httpd/conf/httpd.conf
<Directory />
   Options FollowSymLinks
   AllowOverride None
   AuthName "Restricted area!"
   AuthType Basic
   AuthUserFile /usr/local/etc/httpd/users
   require valid-user
</Directory>

# sed -n '275,+7 p' /etc/httpd/conf/httpd.conf

Options FollowSymLinks

AllowOverride None

AuthName "Restricted area!"

AuthType Basic

AuthUserFile /usr/local/etc/httpd/users

require valid-user

</Directory>

It will protect all subdirectories under the directory too. You can obviously just specify a specific directory if you want, but I want to password protect the entire website.

Create a directory for your htpasswd file - do not put this under your DocumentRoot - somewhere under the ServerRoot is good, but I put it in /usr/local/etc/httpd:

# mkdir -p /usr/local/etc/httpd
# chown apache:apache /usr/local/etc/httpd
# chmod 700 /usr/local/etc/httpd

# mkdir -p /usr/local/etc/httpd

# chown apache:apache /usr/local/etc/httpd

# chmod 700 /usr/local/etc/httpd

Then create the htpasswd file and add your first user

# htpasswd -c /usr/local/etc/httpd/users jsmith

1	# htpasswd -c /usr/local/etc/httpd/users jsmith

It will then prompt for password.

1	It will then prompt for password.

I always chown apache:apache /usr/local/etc/httpd/users and then chmod 400 /usr/local/etc/httpd/users.

The -c is not required when adding further users to the users file

htpasswd /usr/local/etc/httpd/users newuser

1	htpasswd /usr/local/etc/httpd/users newuser

Then, just restart httpd (only needed as we changed the httpd.conf file - you don’t need to restart httpd after just adding/deleting users with htpasswd), and browse!

apachectl restart

1	apachectl restart

(or service httpd restart, /etc/init.d/httpd stop && /etc/init.d/httpd start, whatever….)

Done !

Toki Winter

Advanced UNIX for the experienced system administrator

Tag Archives: HTTPD

Securing DNS and Web Servers

SELinux: Allowing httpd to Listen on Non-Standard Ports

Running Puppet Master under Apache and Passenger - CentOS 6.4

WordPress: Avoiding Infinite Recursion with mod_rewrite and mod_fastcgi

How to Load Balance Tomcat with Apache HTTPD and mod_jk

SELinux: Allowing HTTPD to Connect to PHP-FPM

Puppet Module: apache2: VirtualHost templates

Apache HTTPD mod_rewrite: one RewriteCond to many RewriteRules

Apache httpd: How to Use htpasswd to Password Protect Areas of your Site