LFCE.4 Linux Service Management - HTTP Services

LFCE: Linux Service Management - HTTP Services

[toc]

---

Basic

server1:

1. install the Wireshark

$ yum install wireshark
$ sudo usermod -a -G wireshark server

1. run dig

$ wireshark
Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.
^Z
[1]+  Stopped                 wireshark
$ bg
[1]+ wireshark &

// query DNS info from DNS server
// query the nameserver recorder from the zone pluralsight.com
$ dig ns pluralsight.com
;; ANSWER SECTION:
pluralsight.com.	172800	IN	NS	ns-209.awsdns-26.com.
pluralsight.com.	172800	IN	NS	ns-604.awsdns-11.net.
pluralsight.com.	172800	IN	NS	ns-1441.awsdns-52.org.
pluralsight.com.	172800	IN	NS	ns-1885.awsdns-43.co.uk.


// query A record
$ dig www.pluralsight.com
;; ANSWER SECTION:
www.pluralsight.com.	60	IN	CNAME	www.pluralsight.com.cdn.cloudflare.net.
www.pluralsight.com.cdn.cloudflare.net.	300 IN A 104.19.162.127
www.pluralsight.com.cdn.cloudflare.net.	300 IN A 104.19.161.127



3. check Wireshark

in wireshark:
7	2.941553840	192.168.3.100	192.168.1.1	DNS	98	Standard query 0x8b0c NS pluralsight.com OPT
8	2.968661480	192.168.1.1	192.168.3.100	DNS	371	Standard query response 0x8b0c NS pluralsight.com NS ns-1441.awsdns-52.org NS ns-1885.awsdns-43.co.uk NS ns-209.awsdns-26.com NS ns-604.awsdns-11.net A 205.251.197.161 AAAA 2600:9000:5305:a100::1 A 205.251.199.93 AAAA 2600:9000:5307:5d00::1 A 205.251.192.209 AAAA 2600:9000:5300:d100::1 A 205.251.194.92 OPT

11	6.529480347	192.168.3.100	192.168.1.1	DNS	102	Standard query 0xd8db A www.pluralsight.com OPT
12	6.568521843	192.168.1.1	192.168.3.100	DNS	174	Standard query response 0xd8db A www.pluralsight.com CNAME www.pluralsight.com.cdn.cloudflare.net A 104.19.162.127 A 104.19.161.127 OPT

1. run curl. command line web browser.

1. run curl
$ curl www.pluralsight.com


2. check Wireshark

1	0.000000000	192.168.3.100	192.168.1.1	DNS	79	Standard query 0x2652 A www.pluralsight.com
2	0.000028645	192.168.3.100	192.168.1.1	DNS	79	Standard query 0x6457 AAAA www.pluralsight.com
3	0.040925199	192.168.1.1	192.168.3.100	DNS	163	Standard query response 0x2652 A www.pluralsight.com CNAME www.pluralsight.com.cdn.cloudflare.net A 104.19.161.127 A 104.19.162.127
4	0.040976040	192.168.1.1	192.168.3.100	DNS	187	Standard query response 0x6457 AAAA www.pluralsight.com CNAME www.pluralsight.com.cdn.cloudflare.net AAAA 2606:4700::6813:a17f AAAA 2606:4700::6813:a27f
// 3 way handshake
5	0.045745751	192.168.3.100	104.19.161.127	TCP	74	60574 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=3078042070 TSecr=0 WS=128
6	0.091137032	104.19.161.127	192.168.3.100	TCP	60	80 → 60574 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
7	0.091205185	192.168.3.100	104.19.161.127	TCP	54	60574 → 80 [ACK] Seq=1 Ack=1 Win=29200 Len=0
// actual http request
8	0.091441906	192.168.3.100	104.19.161.127	HTTP	137	GET / HTTP/1.1
9	0.092424260	104.19.161.127	192.168.3.100	TCP	60	80 → 60574 [ACK] Seq=1 Ack=84 Win=65535 Len=0
10	0.141061232	104.19.161.127	192.168.3.100	HTTP	390	HTTP/1.1 301 Moved Permanently //301 redirect
// teartdown
11	0.141109848	192.168.3.100	104.19.161.127	TCP	54	60574 → 80 [ACK] Seq=84 Ack=337 Win=30016 Len=0
12	0.141335706	192.168.3.100	104.19.161.127	TCP	54	60574 → 80 [FIN, ACK] Seq=84 Ack=337 Win=30016 Len=0
13	0.141883382	104.19.161.127	192.168.3.100	TCP	60	80 → 60574 [ACK] Seq=337 Ack=85 Win=65535 Len=0
14	0.190931059	104.19.161.127	192.168.3.100	TCP	60	80 → 60574 [FIN, ACK] Seq=337 Ack=85 Win=65535 Len=0
15	0.190977065	192.168.3.100	104.19.161.127	TCP	54	60574 → 80 [ACK] Seq=85 Ack=338 Win=30016 Len=0

---

install and configure HTTP services with Apache

configuration directives: defines settings, behavior of system

• ServerRoot: /etc/httpd/
• Listen: 80
• include: to include other config file into this config file.
• user/group: tell apache which user to run
• DocumentRoot: /var/www/htmlactully web decument, content.
• options
• allowoverride

scoped directives: limit the scope, apply to only that part of server

• for VMs
• to build complex “scoped” configurations
• directoriesm files, modules, virtual hosts

<Directory />
    AllowOverride none
    Require all none
</Directory>

Installing Apache, Working with the httpd Service, and Apache Configuration Files

server1:

1. install and run apache

$ sudo yum install httpd httpd-tools httpd-manual

$ firewall-cmd --permanent --add-service=http
$ firewall-cmd --reload

$ systemctl start httpd
$ systemctl enable httpd

$ ps -aux --forest
root      5364  0.1  0.4 273844 10824 ?        Ss   17:26   0:00 /usr/sbin/httpd -DFOREGROUND
apache    5368  0.0  0.3 286060  8320 ?        S    17:26   0:00  \_ /usr/sbin/httpd -DFOREGROUND
apache    5370  0.0  0.5 1475000 13720 ?       Sl   17:26   0:00  \_ /usr/sbin/httpd -DFOREGROUND
apache    5371  0.0  0.4 1343872 11672 ?       Sl   17:26   0:00  \_ /usr/sbin/httpd -DFOREGROUND
apache    5372  0.0  0.4 1343872 11672 ?       Sl   17:26   0:00  \_ /usr/sbin/httpd -DFOREGROUND

1. configure

/etc/httpd/conf/httpd.conf:

# ServerRoot: The top of the directory tree under which the server's configuration, error, and log files are kept.
ServerRoot "/etc/httpd"
#Listen 12.34.56.78:80
Listen 80
# LoadModule foo_module modules/mod_foo.so
Include conf.modules.d/*.conf    # any file ends with conf in that path
# user
User apache
Group apache
# ServerAdmin: Your address, where problems with the server should be e-mailed.  This address appears on some server-generated pages, such as error documents.  e.g. admin@your-domain.com
ServerAdmin root@localhost

# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "/var/www/html"

# Relax access to content within /var/www.
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

# Supplemental configuration
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

$ apachectl status
$ vi /sbin/apachectl
$ apachectl configtest # check the config file

1.基于域名 use local host file for a name-based virtual host.

1. modify /etc/hosts
# add
192.168.3.100   server1.demo.local server1
192.168.3.100   222.demo.local www


2. make content for the apache Server

$ echo "This is server1.demo.local" > /var/www/html/index.html  # DocumentRoot

$ mkdir -p /var/www/html/www.demo.local
$ echo "This is www.demo.local" > /var/www/html/www.demo.local/index.html


3. create virtual host file
$ cd /etc/httpd/conf.d
$ vi www.demo.local.conf    # it will look for file end with .conf

<VirtualHost *:80>
    DocumentRoot /var/www/html/www.demo.local
    ServerName www.demo.local
</VirtualHost>


4. test
$ httpd -t
Syntax OK

# read the host config file and output what configured
httpd -t -D DUMP_VHOSTS
*:80                   www.demo.local (/etc/httpd/conf.d/www.demo.local.conf:1)


5. the VirtualHost will cover the base
$ systemctl restart httpd.service
$ curl https://www.demo.local

$ curl https://server1.demo.local

$ mkdir -p /var/www/html/server1.demo.local
$ mv /var/www/html/index.html /var/www/html/server1.demo.local
$ cp /etc/httpd/conf.d/www.demo.local.conf /etc/httpd/conf.d/server1.demo.local.conf
$ vi /etc/httpd/conf.d/server1.demo.local.conf  # change to server1.demo.local
$ httpd -t -D DUMP_VHOSTS
$ systemctl restart httpd.service



这是一种最通用的情况,已经给服务器设置了多个域名,然后希望访问不同的域名来访问不同的网站文件.
修改httpd.conf的配置
# Use name-based virtual hosting.
#
NameVirtualHost *  表示在apache监听的所有IP和所有端口(此时只有80)上做多域名虚拟主机
<VirtualHost *>
    ServerAdmin [email]xxx@xxx.com[/email]
    DocumentRoot /var/www/html/s1
    ServerName s1.domain1.com
    ErrorLog logs/ error_log
    TransferLog logs/ access_log
</VirtualHost>

<VirtualHost *>
    ServerAdmin [email]xxx@ixxx.com[/email]
    DocumentRoot /var/www/html/s2
    ServerName  s2.domain1.com
    ErrorLog logs/error_log
    TransferLog logs/access_log
</VirtualHost>
测试虚拟主机配置
[root@server1 conf]# ../bin/httpd -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:*                    is a NameVirtualHost
         default server s1.domain1.com (/usr/local/apache2/conf/httpd.conf:1066)
         port * namevhost s1.domain1.com (/usr/local/apache2/conf/httpd.conf:1066)
         port * namevhost s2.domain1.com (/usr/local/apache2/conf/httpd.conf:1075)
Syntax OK
说明语法没问题,然后在测试机上访问这两个域名:s1.domain1.com和s2.domain1.com可以看到各自的页面
问题:如果以IP访问,看到的是什么?
是s1的页面,注意上面的这段话
*:*                    is a NameVirtualHost
default server s1.domain1.com
意思十分明显,我们在*:*(apache监听的任意IP任意端口上)做了多域名虚拟主机,而s1.domain1.com是这个缺省的服务器.也就是说访问*:*,除非访问的是我们设置的域名,否则默认会转向到s1.domain1.com.

Demo: Configuring Apache to Use a Non-default Document Root and Listen Port

1. change default Directory

   semanage fcontext -at
   httpd_sys_content_t "/var/ww2/html/ww2.demo.local/(/.*)?"
   

2. running on another port

   semanage prot -at http_port_t -p tcp 81
   

a name-based host in Non-default directory

server1:

1. add host in /etc/hosts

vi /etc/hosts
// add line
192.168.1.100 ww2.demo.local ww2


2. make content dir

mkdir -p /var/ww2/html/ww2.demo.local
echo "this is ww2.demo.local" > /var/ww2/html/ww2.demo.local/index.html


3. make configure

cd /etc/httpd/conf.d/
cp www.demo.local.conf ww2.demo.local.conf

vi ww2.demo.local.conf
// change
<VirtualHost *:80>
    DocumentRoot /var/ww2/html/www.demo.local
    ServerName ww2.demo.local
</VirtualHost>

httpd -t -D DUMP_VHOSTS   // test configure
systemctl restart httpd



4. check

curl https://ww2.demo.local   // got a error page

1. modify new directory

vi ww2.demo.local.conf
// change
<VirtualHost *:80>
    DocumentRoot /var/ww2/html/www.demo.local
    ServerName ww2.demo.local
</VirtualHost>

<Directory "/var/ww2">
    AllowOverride none
    Require all granted
</Directory>

<Directory "/var/ww2/html">
    Options Indexes FollowSymLinks
    AllowOverride none
    Require all granted
</Directory>

httpd -t -D DUMP_VHOSTS   // test configure
systemctl restart httpd


2. adjust SELinux

semanage fcontext -at httpd_sys_content_t "/var/ww2(/.*)?"

// push down on the existing content
restorecon -Rv /var/ww2


curl https://ww2.demo.local   // now it works

1. running on another port

1. change file
vi ww2.demo.local.conf
// change
Listen 82
<VirtualHost *:82>
    DocumentRoot /var/ww2/html/www.demo.local
    ServerName ww2.demo.local
</VirtualHost>

<Directory "/var/ww2">
    AllowOverride none
    Require all granted
</Directory>

<Directory "/var/ww2/html">
    Options Indexes FollowSymLinks
    AllowOverride none
    Require all granted
</Directory>



2. allow firewall

firewall-cmd --add-port=82/tcp --permanent
firewall-cmd --reload



3. to let SELinux allow

semanage prot -at http_port_t -p tcp 82


4. test
systemctl restart httpd
curl https://ww2.demo.local:82

---

implement security services with Apache

install and configure ssl with apache and virtual hosts

encryption:

• eavesdropping (http-clear text)
• MITM (interact and act as target)
• solution:
  • server authentication (digital certificate)
  • message intergrity (hash)

server - CA - client

client use the public key, with message. server decrypt the message.

1. generate a CSR request, certificate signing request
2. CA sign the certificate

self-signed ceritificates

HTTPS:

• HTTP over TLS
• TLS use digital certificate to verify identity

OpenSSL:

• openssl
• openssl-libs

configure HTTPS on Apache

1. generate certificate request with openssl
2. have the CSR signed
   • Certificate Authority
   • self-signed
3. configure Apache to use the certificate
   • configure the certificate and private key
4. allow access to TCP/443 via firewall

1. install
yum install openssl openssl-libs -y


2. generate a self signed certificate
// generate key
openssl genrsa -out www.demo.local.key 2048

// generate csr
openssl req -new -key www.demo.local.key -out www.demo.local.csr
CountryName:
CommanName: the name to connect
A challenge passwd: enterkey-none
An optional company name: enterkey-none

// self-signed
openssl x509 -req -days 365 -signkey www.demo.local.key -in www.demo.local.csr -out www.demo.local.crt

ls www.demo.local.*
www.demo.local.crt
www.demo.local.csr
www.demo.local.key

chmod 600 www.demo.local.*

mv www.demo.local.key /etc/pki/tls/private/
mv www.demo.local.crt /etc/pki/tls/certs/
mv www.demo.local.conf /etc/httpd/conf.d/

// tell SELinux about these new files
restorecon -RvF /etc/pki/tls/



3. configure HTTPS apache and virtual hosts
// module for apache to enable ssl
yum install mod_ssl -y

cat /etc/httpd/conf.d/ssl.conf
// confirm
Listen 443 https

cd /etc/httpd/conf.d/
// secure virtual hosts
vi /etc/httpd/conf.d/www.demo.local.conf
// change
// Listen 443
<VirtualHost *:443>
    DocumentRoot "/var/html/www.demo.local"
    ServerName www.demo.local:443
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/www.demo.local.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.demo.local.key
</VirtualHost>

httpd -t -D DUMP_VHOSTS
systemctl restart httpd.service

setsebool -P httpd_read_user_content 1


firewall-cmd --permanent --add-service=https
firewall-cmd --reload


// check
curl https://www.demo.local    // get error
curl https://www.demo.local -k

// connect to see cert
// check if its cert error
openssl s_client -connect www.demo.local:443 -state | more
openssl s_client -connect www.google.local:443 -state | more

use openssl to verify a remote certificate

vi www.demo.local.conf


- auth with user
<VirtualHost *:443>
    DocumentRoot "/var/html/www.demo.local"
    ServerName www.demo.local:443
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/www.demo.local.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.demo.local.key
</VirtualHost>
// choice 1
<Directory "/var/www/html/www.demo.local/">
    AllowOverride None
    AuthType Basic
    AuthName " please enter name and passwd"
    AuthUserFile /etc/httpd/conf.d/.userdb
    Require user demo
</Directory>
// choice 2
<Directory "/var/www/html/www.demo.local/">
    AllowOverride AuthConfig
    Require user demo
</Directory>

AllowOverride AuthConfig: .htaccess
AuthType Basic
AuthName " please enter name and passwd"
AuthUserFile /etc/httpd/conf.d/.userdb


- basic on IP:
<Directory "/var/www/html/www.demo.local/">
    Require ip 192.168.1.0/24
</Directory>

- block ip
<Directory "/var/www/html/www.demo.local/">
    <ReuireALL>
    Require all granted
    Require not ip 192.168.1.0/24
    </ReuireALL>
</Directory>

1. auth with user and group

server1:

vi /etc/httpd/conf.d/www.demo.local.conf
<VirtualHost *:443>
    DocumentRoot "/var/html/www.demo.local"
    ServerName www.demo.local:443
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/www.demo.local.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.demo.local.key
</VirtualHost>

<Directory "/var/www/html/www.demo.local/">
    AllowOverride AuthConfig
    Require user demo
</Directory>


vi /var/www/html/www.demo.local/.htaccess
AuthType Basic
AuthName " please enter name and passwd"
AuthUserFile /etc/httpd/conf.d/.userdb

htpasswd -c /etc/httpd/conf.d/.userdb demo
New Passwd: xxx

more .userdb
demo:$aorl$jsshddh


httpd -t -D DUMP_VHOSTS
systemctl restart httpd.service

// test
// use browser
www.demo.local
// use curl
curl -k https://demo:userpasswd@www.demo.local

1. block a ip

server2:

ping www.demo.local


server1:

vi /etc/httpd/conf.d/www.demo.local.conf
...
<Directory "/var/www/html/www.demo.local/">
    AllowOverride AuthConfig
    <ReuireALL>
        Require all granted
        Require not ip 192.168.0.0/16
        Require user demo
    </ReuireALL>
</Directory>


http -t -D DUMP_VHOSTS
systemctl restart httpd.service


server2:
curl -k https://demo:userpasswd@www.demo.local
// been block

---

troubleshoot and logging the apache

configur log file ip, browser type, resource

logging architecture:

• level
  • server level
  • virtual host: separate log file
• AccessLog
  • LogFormat
• ErrorLog
  • ErrorLogFormat
  • Loglevel

log formats:

%h %l %u %t "%r" %>s %b "{Referer}i" "{User-agent}i" Combined

• request resource
• 172.16.94.1 - demo [18/Aug/2018:13:24:@4 -0500] “GET /index.html HTTP/1.1” 200 25 “-“ “curl/7.51.0”

log file location:

• default: /etc/httpd/logs

log file rotation:

• at server startup or restart

tail -f : read realtime grep/egrep : search awk : extract text from file

examining log files

setup logging

server1:

vi /etc/httpd/conf.d/www.demo.local.conf
<VirtualHost *:443>
    DocumentRoot "/var/html/www.demo.local"
    ServerName www.demo.local:443
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/www.demo.local.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.demo.local.key
    CustomLog "logs/www.demo.local.access_log" combined
</VirtualHost>

<Directory "/var/www/html/www.demo.local/">
    AllowOverride AuthConfig
    Require user demo
</Directory>

httpd -t -D DUMP_VHOSTS
systemctl restart httpd.service


ll /etc/httpd/
// theres a mount to
logs -> ../../var/log/httpd

ls /etc/httpd/logs
access-log
error-log
ssl-access-log
ssl-error-log
ssl-request-log


vi /etc/httpd/conf/httpd.conf
// check
LogFormat


// access
curl -k https://demo:userpasswd@www.demo.local

ls /var/log/httpd
access_log
error_log
ssl_access_log
ssl_error_log
ssl_request_log
www.demo.local.access_log


tail -f /var/log/httpd/www.demo.local.access_log &
// log with curl
curl -k https://demo:userpasswd@www.demo.local
// with log coming with it
fg


cd var/log/httpd
awk '{print $1}' access_log* | sort | uniq -c | sort



tail /var/log/httpd/www.demo.local.access_log
172.16.94.1 - demo [18/Aug/2018:13:24:@4 -0500] "GET /index.html HTTP/1.1" 200 25 "-" "curl/7.51.0"

.