http://thelinuxsource.org/api.php?action=feedcontributions&user=Support&feedformat=atomThe Linux Source - User contributions [en]2024-03-28T13:48:07ZUser contributionsMediaWiki 1.23.15http://thelinuxsource.org/index.php/Multi-NICMulti-NIC2020-07-21T14:40:23Z<p>Support: </p>
<hr />
<div>=== Multi-NIC Routing (ent 7) ===<br />
The multi-NIC routing scenario was not tested on Enterprise 7 at first. Per-interface gateway settings might behave correctly there; if not, static routes can be added on ent 7 through NetworkManager (nmcli), replicating the pre-ent 7 configuration below.<br />
<br />
Some testing was done here; the approach that ended up being used is the Source-based Routing one described below.<br />
<br />
=== Multi-NIC Routing (before ent 7) ===<br />
Before Enterprise 7 there was effectively only one working default gateway: every ifcfg file accepts a GATEWAY= setting, but setting it on more than one interface just overwrites the default route. The default gateway therefore has to point at the outside (customer-facing) network, since the addresses the customer connections come from cannot all be known, and every internal network and host the system needs to reach gets an explicit static route out the inside interface. Without those routes, replies to internal hosts would leave through the outside gateway. Here is an example /etc/sysconfig/network-scripts/route-eth1, where eth0 carries the default route on the primary/outside/customer network and eth1 is the secondary/internal/private network.<br />
<br />
Static list for NOTEL (example, the NOTEL data center no longer exists)<br />
# default network (set this for your specific env/stack)<br />
ADDRESS0=172.200.200.0<br />
NETMASK0=255.255.255.0<br />
GATEWAY0=172.200.200.1<br />
# VPN network<br />
ADDRESS1=10.100.100.0<br />
NETMASK1=255.255.255.0<br />
GATEWAY1=172.200.200.1<br />
# DNS host 1<br />
ADDRESS2=210.210.90.80<br />
NETMASK2=255.255.255.255<br />
GATEWAY2=172.200.200.1<br />
# DNS host 2<br />
ADDRESS3=210.210.120.140<br />
NETMASK3=255.255.255.255<br />
GATEWAY3=172.200.200.1<br />
# spacewalk host<br />
ADDRESS4=172.200.90.60<br />
NETMASK4=255.255.255.255<br />
GATEWAY4=172.200.200.1<br />
# trusted host<br />
ADDRESS5=172.200.90.50<br />
NETMASK5=255.255.255.255<br />
GATEWAY5=172.200.200.1<br />
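Rendering a route-eth1 file like the one above from CIDR notation instead of typing dotted masks by hand, as an added example that is not part of the original page: the hypothetical render_route_file() turns (comment, destination CIDR) pairs into ADDRESSn/NETMASKn/GATEWAYn lines and refuses a gateway that is not on eth1's own subnet, or a destination that the connected subnet already covers (which is why the "default network" line from the list above is not in the sample input). The eth1 address is an assumption; the destinations are the NOTEL list.<br />

```python
"""Render a pre-ent 7 route-<iface> file (ADDRESSn/NETMASKn/GATEWAYn) from CIDR prefixes.

Added example, not from the original page. Dotted netmasks and the running index are
where hand-written route files go wrong; deriving both from CIDR notation and checking
that the gateway sits on the interface's own subnet catches an unreachable next hop
before the file is deployed.
"""
import ipaddress

ETH1_IFACE = "172.200.200.140/24"  # assumed address/prefix of eth1 (not on the page)
ETH1_GATEWAY = "172.200.200.1"

# Constructed input: the NOTEL destinations from the page, as (comment, CIDR) pairs.
DESTINATIONS = [
    ("VPN network", "10.100.100.0/24"),
    ("DNS host 1", "210.210.90.80/32"),
    ("DNS host 2", "210.210.120.140/32"),
    ("spacewalk host", "172.200.90.60/32"),
    ("trusted host", "172.200.90.50/32"),
]


def render_route_file(iface_cidr: str, gateway: str, destinations) -> str:
    """Return the text of route-<iface>.

    Raises ValueError when the gateway is not on the interface's subnet (no route
    could use it) or when a destination is already directly connected (the
    connected route covers it, so a static route adds nothing).
    """
    iface = ipaddress.ip_interface(iface_cidr)
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        raise ValueError(f"gateway {gw} is not on {iface.network}")
    lines = []
    for n, (comment, cidr) in enumerate(destinations):
        net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        if net.subnet_of(iface.network):
            raise ValueError(f"{cidr} is directly connected via {iface.network}")
        lines += [f"# {comment}",
                  f"ADDRESS{n}={net.network_address}",
                  f"NETMASK{n}={net.netmask}",
                  f"GATEWAY{n}={gw}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_route_file(ETH1_IFACE, ETH1_GATEWAY, DESTINATIONS), end="")
```

Redirect the output to /etc/sysconfig/network-scripts/route-eth1 and bring eth1 down and up (or run ifup-routes) to load it.<br />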
<br />
=== Teaming (ent 7) ===<br />
1. add the team interface (loadbalance runner shown; activebackup is the teaming equivalent of the bonding mode=1 config below)<br />
# nmcli con add type team con-name team0 ifname team0 config '{"runner": {"name": "loadbalance"}}'<br />
<br />
2. set IP address info<br />
# nmcli con mod team0 ipv4.method manual ipv4.addresses 172.100.200.140/24<br />
<br />
3. add the first NIC<br />
# nmcli con add type team-slave con-name team0-slave1 ifname em1 master team0<br />
<br />
4. add the second NIC<br />
# nmcli con add type team-slave con-name team0-slave2 ifname em2 master team0<br />
<br />
=== Bonding (before ent 7) ===<br />
Before Enterprise 7, interface bonding was configured through ifcfg files in /etc/sysconfig/network-scripts/ (ent 7 adds Teaming as the NetworkManager-managed alternative; the bonding driver itself is still supported there). Example setup:<br />
<br />
eth0 config (ifcfg-eth0)<br />
# Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet<br />
DEVICE=eth0<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
HWADDR=D4:BE:D9:AA:D7:16<br />
MASTER=bond0<br />
SLAVE=yes<br />
<br />
eth1 config (ifcfg-eth1)<br />
# Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet<br />
DEVICE=eth1<br />
BOOTPROTO=none<br />
ONBOOT=yes <br />
HWADDR=D4:BE:D9:AA:D7:18<br />
MASTER=bond0<br />
SLAVE=yes<br />
<br />
bond0 config (ifcfg-bond0); mode=1 is active-backup, miimon=100 checks link state every 100 ms<br />
DEVICE=bond0<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
BONDING_OPTS="miimon=100 mode=1"<br />
IPADDR=172.200.110.140<br />
NETMASK=255.255.255.0<br />
<br />
Additional bond IP's<br />
bond0:0 config (ifcfg-bond0:0)<br />
DEVICE=bond0:0<br />
BOOTPROTO=none<br />
ONBOOT=yes<br />
IPADDR=172.200.110.200<br />
NETMASK=255.255.255.0<br />
<br />
ifconfig output<br />
bond0 Link encap:Ethernet HWaddr D4:BE:D9:AA:D7:16<br />
inet addr:172.200.110.140 Bcast:172.200.110.255 Mask:255.255.255.0<br />
inet6 addr: fe80::d6be:d9ff:feaa:d716/64 Scope:Link<br />
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1<br />
RX packets:951518061 errors:0 dropped:244110 overruns:0 frame:0<br />
TX packets:377721364 errors:0 dropped:0 overruns:0 carrier:0<br />
collisions:0 txqueuelen:0<br />
RX bytes:868579848472 (808.9 GiB) TX bytes:88332253777 (82.2 GiB)<br />
<br />
bond0:0 Link encap:Ethernet HWaddr D4:BE:D9:AA:D7:16<br />
inet addr:172.200.110.200 Bcast:172.200.110.255 Mask:255.255.255.0<br />
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1<br />
<br />
eth0 Link encap:Ethernet HWaddr D4:BE:D9:AA:D7:16<br />
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1<br />
RX packets:244110 errors:0 dropped:244110 overruns:0 frame:0<br />
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br />
collisions:0 txqueuelen:1000<br />
RX bytes:15623040 (14.8 MiB) TX bytes:0 (0.0 b)<br />
<br />
eth1 Link encap:Ethernet HWaddr D4:BE:D9:AA:D7:18<br />
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1<br />
RX packets:3095102322 errors:0 dropped:0 overruns:0 frame:0<br />
TX packets:2613440853 errors:0 dropped:0 overruns:0 carrier:0<br />
collisions:0 txqueuelen:1000<br />
RX bytes:2651544232860 (2.4 TiB) TX bytes:1948544659918 (1.7 TiB)<br />
<br />
=== Renumbering Ports (ent 6) ===<br />
Example is from an R630 system used as an appliance with 4 ports on the motherboard, 2 copper and 2 fiber. For this appliance the 2 copper ports had to be eth0/1 and the fiber ports eth2/3, but a recently built system had them designated in reverse. The renaming/mapping went as follows:<br />
eth0 (fiber) -> eth2<br />
eth1 (fiber) -> eth3<br />
eth2 (copper) -> eth0<br />
eth3 (copper) -> eth1<br />
<br />
Relabel the ports by editing the udev net rules file: change eth0 to eth2, etc., changing only the NAME= values (as the comment at the top of the file says); the ATTR{address} entries are what tie each name to a MAC, so leave them alone.<br />
# vi /etc/udev/rules.d/70-persistent-net.rules<br />
<br />
Rename all the network config files (keep a copy first)<br />
# cd /etc/sysconfig/network-scripts/<br />
# cp ifcfg-eth* /tmp/<br />
# cp /tmp/ifcfg-eth0 ifcfg-eth2<br />
etc<br />
<br />
Fix the device names in each file: the new ifcfg-eth0 (copied from the old ifcfg-eth2) still says DEVICE=eth2, change it to eth0, etc. Leave the HWADDR lines as they are; each copied file still carries the MAC of the port it describes, which is the MAC udev now maps to that name.<br />
# vi ifcfg-eth?<br />
<br />
Reboot when done so the udev and network config changes are picked up together.<br />
<br />
=== Source-based Routing (ent 7) ===<br />
Note: using NetworkManager<br />
<br />
In this scenario the system uses the gateway on the primary NIC. Replies to traffic that arrived on the 2nd interface are sent out the primary interface (the only default route), so hosts behind the 2nd network's gateway never get their packets back. With strict reverse-path filtering (rp_filter=1) the kernel also drops incoming packets on the 2nd NIC whose source would be routed back out the primary one. Policy routing fixes both by giving the 2nd NIC its own routing table plus rules that select it.<br />
<br />
Note: table '2' was chosen since this is the 2nd NIC. Any number not already used in /etc/iproute2/rt_tables works (253-255 are reserved for default, main and local); a name can be used instead if it is mapped there.<br />
<br />
1. Add policy routing to NetworkManager<br />
# yum install NetworkManager-dispatcher-routing-rules<br />
# systemctl enable NetworkManager-dispatcher.service<br />
# systemctl start NetworkManager-dispatcher.service<br />
<br />
2. Add policy rule<br />
Note: ens33 is the 2nd NIC, 10.160.130.250 is the NIC IP<br />
# vi /etc/sysconfig/network-scripts/rule-ens33<br />
iif ens33 table 2<br />
from 10.160.130.250 table 2<br />
<br />
3. Add static routes for the policy table (may be able to do this w/nmcli)<br />
Note: 10.160.130.0/24 is the subnet/cidr of the 2nd network, 10.160.130.1 is its gateway<br />
# vi /etc/sysconfig/network-scripts/route-ens33<br />
10.160.130.0/24 dev ens33 table 2<br />
default via 10.160.130.1 dev ens33 table 2<br />
<br />
4. Load the new/changed config files<br />
# nmcli connection reload<br />
# nmcli connection down ens33 ; nmcli connection up ens33</div>
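How the rules above change the routing decision, as an added example that is not code from the original page: the hypothetical select_route() parses the rule-ens33/route-ens33 syntax shown above (the same words handed to ip rule add / ip route add) plus a main table, walks the rules with the implicit main rule last, and returns the longest-prefix match, so the asymmetric case can be seen before and after the rules. The primary NIC (ens32, 172.200.200.0/24) and the remote host are assumptions.<br />

```python
"""Resolve a route the way `ip rule` + `ip route` do, from rule-/route- file syntax.

Added example, not part of the original page. The words in rule-ens33 and route-ens33
are what `ip rule add` / `ip route add` receive, so they parse as-is. Walking the rules
and doing a longest-prefix lookup in the chosen table shows the asymmetric case: a reply
sourced from the 2nd NIC's address to a host behind the 2nd network's gateway leaves via
the primary NIC until the 'from' rule selects table 2.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed primary NIC (not on the page) plus the page's 2nd NIC.
PRIMARY_IF, PRIMARY_NET, PRIMARY_GW = "ens32", "172.200.200.0/24", "172.200.200.1"
SECOND_IF, SECOND_IP = "ens33", "10.160.130.250"
SECOND_NET, SECOND_GW = "10.160.130.0/24", "10.160.130.1"

# Constructed: what `ip route show` would list for the main table, then the two files.
MAIN_TABLE = f"""
{PRIMARY_NET} dev {PRIMARY_IF}
{SECOND_NET} dev {SECOND_IF}
default via {PRIMARY_GW} dev {PRIMARY_IF}
"""
RULE_ENS33 = f"""
iif {SECOND_IF} table 2
from {SECOND_IP} table 2
"""
ROUTE_ENS33 = f"""
{SECOND_NET} dev {SECOND_IF} table 2
default via {SECOND_GW} dev {SECOND_IF} table 2
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: str | None = None  # None: directly connected


@dataclass
class Rule:
    table: str
    iif: str | None = None                    # packets that arrived on this interface
    src: ipaddress.IPv4Network | None = None  # packets from this source prefix


def parse_route_lines(text, tables=None):
    """'default via GW dev IF table T' -> tables['T'] += Route(0.0.0.0/0, IF, GW).
    Lines without 'table' go to main. Pass an existing dict to add a second file to it."""
    tables = {} if tables is None else tables
    for words in (line.split() for line in text.splitlines() if line.strip()):
        prefix = ipaddress.ip_network("0.0.0.0/0" if words[0] == "default" else words[0])
        opts = dict(zip(words[1::2], words[2::2]))
        tables.setdefault(opts.get("table", "main"), []).append(
            Route(prefix, opts["dev"], opts.get("via")))
    return tables


def parse_rule_lines(text):
    """'iif IF table T' / 'from ADDR table T' -> Rule. Relative order does not matter
    here because both of the page's rules select the same table."""
    rules = []
    for words in (line.split() for line in text.splitlines() if line.strip()):
        opts = dict(zip(words[0::2], words[1::2]))
        src = opts.get("from")
        rules.append(Rule(opts["table"], opts.get("iif"),
                          ipaddress.ip_network(src, strict=False) if src else None))
    return rules


def select_route(tables, rules, dst, src=None, iif=None):
    """First matching rule whose table has a route for dst wins; inside a table the
    longest prefix wins. The implicit 'main' rule comes after the file's rules, as on a
    host where `ip rule add` without a preference inserts just ahead of main."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in [*rules, Rule("main")]:
        if rule.iif and rule.iif != iif:
            continue
        if rule.src and (src is None or ipaddress.ip_address(src) not in rule.src):
            continue
        hits = [r for r in tables.get(rule.table, []) if dst_ip in r.prefix]
        if hits:
            return max(hits, key=lambda r: r.prefix.prefixlen)
    return None  # unroutable


if __name__ == "__main__":
    remote = "10.160.131.7"  # constructed: a host behind the 2nd network's gateway
    before = select_route(parse_route_lines(MAIN_TABLE), [], remote, src=SECOND_IP)
    tables = parse_route_lines(ROUTE_ENS33, parse_route_lines(MAIN_TABLE))
    after = select_route(tables, parse_rule_lines(RULE_ENS33), remote, src=SECOND_IP)
    print(f"reply to {remote}: no rules -> {before.dev}; with rules -> {after.dev} via {after.via}")
```

On the real host the same question is answered by `ip route get 10.160.131.7 from 10.160.130.250` before and after step 4; the script only makes the rule walk visible.<br />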
Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-12T11:48:27Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on the scripts/processes involved, some only need to read another account's files (read-only) while others need read/write access; the account whose files are shared is typically an application account.<br />
<br />
Limitations/Issues<br />
* every additional app/process user added this way gets the same access, either all read/write or all read-only; if some need one and some the other, ACLs must be used (as in some samba environments)<br />
* group membership exposes every group-readable file under the tree to those users, including any config files holding credentials, so prefer the read-only variant unless writes are actually required and keep the group's membership short<br />
* umask may need to be modified where multiple processes create files/directories (e.g. the file and directory umask settings in samba, the umask in the ftp server configuration, etc.)<br />
<br />
<br />
Multiple users/processes needing access to a single account (or an application account)<br />
<br />
1. Add the users to the account's group<br />
<br />
# usermod -aG appuser nrpe<br />
OR if you have many users<br />
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done<br />
<br />
2. Set directory perms: setgid on every directory so new files inherit the group (the ; that ends -exec must be escaped from the shell)<br />
<br />
read-only<br />
# find /home/appuser -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/appuser -type d -exec chmod g=rwxs '{}' \;<br />
<br />
3. Optionally set write access on existing files, for the read/write option (read-only needs no file changes as long as the existing files are already group-readable)<br />
<br />
# find /home/appuser -type f -exec chmod g+w '{}' \;<br />
<br />
<br />
Single user/process needing access to multiple accounts<br />
<br />
1. Add the user to each account's group<br />
<br />
# usermod -aG buildapp1 scmadmins<br />
OR if you have many accounts<br />
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done<br />
<br />
2. Set directory perms: setgid on every directory so new files inherit the group<br />
<br />
read-only<br />
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' \;<br />
OR if you have many accounts<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' \; ; done<br />
<br />
3. Optionally set write access on existing files, for the read/write option<br />
<br />
# find /home/buildapp1 -type f -exec chmod g+w '{}' \;<br />
OR if you have many accounts<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' \; ; done<br />
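Checking the result of either procedure above, as an added example that is not part of the original page: the hypothetical audit_tree() walks a tree and reports directories without setgid (new files would not keep the group), anything readable or writable by everyone, and, for the read-only variant, anything group-writable. The tree it inspects is a constructed fixture built in a temporary directory, with three deliberate slips; only mode bits are checked, since changing group ownership needs privileges.<br />

```python
"""Audit a shared application tree after the chmod steps above.

Added example, not from the original page. Once a monitoring or build account is in the
application group, every group-readable file under the tree is visible to it, so check
that (1) every directory carries setgid so new files keep the group, (2) nothing is
readable or writable by everyone, and (3) with the read-only variant nothing is
group-writable. Only mode bits are checked: changing group ownership needs privileges,
so the fixture below is built in a temporary directory and runs as any user.
"""
import os
import stat
import tempfile


def audit_tree(root: str, read_only: bool) -> list:
    """Return sorted (path relative to root, finding) pairs; empty means the tree matches."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode is meaningless; its target is audited where it lives
        rel = os.path.relpath(path, root)
        mode = st.st_mode
        if stat.S_ISDIR(mode) and not mode & stat.S_ISGID:
            findings.append((rel, "directory without setgid (new files will not inherit the group)"))
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append((rel, "readable or writable by everyone"))
        if read_only and mode & stat.S_IWGRP:
            findings.append((rel, "group-writable in a read-only share"))
    return sorted(findings)


def build_sample_tree(home: str) -> None:
    """Constructed fixture: an application home after the read-only steps, with three slips."""
    for d in ("", "bin", "etc"):
        path = os.path.join(home, d) if d else home
        os.makedirs(path, exist_ok=True)
        os.chmod(path, 0o2750)  # rwxr-s---
    files = {
        "bin/run.sh": 0o750,
        "etc/app.conf": 0o640,
        "etc/db.pass": 0o644,   # slip 1: credential file left world-readable
        "etc/cache.db": 0o660,  # slip 2: group-writable although the share is read-only
    }
    for rel, mode in files.items():
        with open(os.path.join(home, rel), "w") as fh:
            fh.write("sample\n")
        os.chmod(os.path.join(home, rel), mode)
    os.chmod(os.path.join(home, "etc"), 0o750)  # slip 3: setgid missing on one directory


def demo(read_only: bool = True) -> list:
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "appuser")
        build_sample_tree(home)
        return audit_tree(home, read_only)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

Point audit_tree() at the real /home/appuser (as root) after step 3; the ownership side (every entry group-owned by the application group) is a separate check with find -not -group.<br />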
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes create files/directories (e.g. the file and directory umask settings in samba, the umask in the ftp server configuration, etc.)<br />
* every named entry is capped by the mask entry; getfacl shows the result as '#effective:' next to any entry the mask narrows, so check the output after setting ACLs rather than trusting that setfacl accepted the command<br />
<br />
Note: -m modify, -R recursive, -d default ACL (inherited by files/directories created later in that directory; without -d only the existing entries are changed). A capital X grants execute/search only on directories (and on files that are already executable), which is what a recursive grant on a mixed tree needs: without it the user cannot enter the subdirectories, with a plain x every file would become executable. The x in the default entries is for subdirectories created later; files created there still get their mask from the creation mode, so they do not become executable.<br />
<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rwX /home/Shared/Reports<br />
# setfacl -dRm u:joe:rwx /home/Shared/Reports<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:gary:rX /home/Shared/Reports<br />
# setfacl -dRm u:gary:rx /home/Shared/Reports<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml<br />
<br />
<br />
=== Reference ===<br />
<br />
ls output<br />
<br />
Note: the + means some ACL's have been set<br />
<br />
# ls -ld somedir<br />
drwxrwxr-x+ 2 buildapp1 scmadmins 6 May 12 04:08 somedir<br />
<br />
# ls -l somefile<br />
-rw-rw-r--+ 1 joe scmadmins 9 May 12 04:12 somefile<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl somedir<br />
# file: somedir/<br />
# owner: lisa<br />
# group: staff<br />
# flags: -s-<br />
user::rwx<br />
user:joe:rwx #effective:r-x<br />
group::rwx #effective:r-x<br />
group:cool:r-x<br />
mask::r-x<br />
other::r-x<br />
default:user::rwx<br />
default:user:joe:rwx #effective:r-x<br />
default:group::r-x<br />
default:mask::r-x<br />
default:other::---<br />
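Reproducing the '#effective:' column from the entries above, as an added example that is not part of the original page: the hypothetical parse_getfacl() and effective_rights() take getfacl text (the sample is the output shown above with the annotations removed), AND each named-user, named-group and owning-group entry with the mask of its ACL, and list the grants the mask narrows.<br />

```python
"""Derive the '#effective:' column of getfacl from the mask, given getfacl text.

Added example, not from the original page. In a POSIX ACL the mask entry caps every
named user, named group and the owning-group entry (not the owner, not 'other'), which
is why the getfacl output above shows user:joe:rwx with #effective:r-x. This parser
redoes that calculation so a script can flag grants that setfacl accepted but the mask
quietly narrowed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the getfacl output shown on this page, with the #effective
# annotations stripped so the script has to derive them itself.
SAMPLE_GETFACL = """\
# file: somedir/
# owner: lisa
# group: staff
# flags: -s-
user::rwx
user:joe:rwx
group::rwx
group:cool:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:joe:rwx
default:group::r-x
default:mask::r-x
default:other::---
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perms_to_bits(perms: str) -> int:
    """'r-x' -> 5."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def bits_to_perms(bits: int) -> str:
    """5 -> 'r-x'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass
class AclEntry:
    default: bool   # from the default (inherited) ACL rather than the access ACL
    tag: str        # user, group, mask or other
    qualifier: str  # '' for the owner / owning-group entries, else the name
    perms: str      # as granted, e.g. 'rwx'

    @property
    def masked(self) -> bool:
        # The mask applies to named users, named groups and the owning group.
        return self.tag == "group" or (self.tag == "user" and self.qualifier != "")


def parse_getfacl(text: str) -> list[AclEntry]:
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops header comments and #effective notes
        if not line:
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entries.append(AclEntry(default, tag, qualifier, perms))
    return entries


def effective_rights(entries: list[AclEntry]) -> dict:
    """Map (default?, tag, qualifier) -> (granted, effective) for every entry."""
    masks = {False: 7, True: 7}  # no mask entry means nothing is narrowed
    for e in entries:
        if e.tag == "mask":
            masks[e.default] = perms_to_bits(e.perms)
    out = {}
    for e in entries:
        bits = perms_to_bits(e.perms)
        eff = bits & masks[e.default] if e.masked else bits
        out[(e.default, e.tag, e.qualifier)] = (e.perms, bits_to_perms(eff))
    return out


def masked_grants(text: str) -> list[str]:
    """Entries whose effective rights are narrower than what was granted."""
    return sorted(
        f"{'default:' if d else ''}{tag}:{q}:{granted} -> {eff}"
        for (d, tag, q), (granted, eff) in effective_rights(parse_getfacl(text)).items()
        if granted != eff
    )


if __name__ == "__main__":
    for line in masked_grants(SAMPLE_GETFACL):
        print(line)
```

Feed it `getfacl -R /home/Shared/Reports` output to find every entry a mask is silently narrowing; widening the mask (or letting setfacl recalculate it by not passing -n) is the fix.<br />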
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' select whose access to the file or directory is changed<br />
'u' (user) the user who owns the file/directory<br />
'g' (group) other users who are members of the file's group<br />
'o' (other) users who are neither the owner nor in the group (the "world" bits)<br />
'a' (all) all of the above<br />
The '+-=' operators control how the permissions are set on the file or directory<br />
'+' (add) causes the selected permissions to be added to the existing permissions<br />
'-' (remove) causes them to be removed<br />
'=' (set) causes them to be the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit<br />
<br />
Options (some)<br />
-c like verbose but report only when a change is made<br />
-R change files and directories recursively<br />
<br />
<br />
=== setfacl details/usage ===<br />
<br />
Options (some)<br />
-b remove all extended ACL entries<br />
-d operations apply to the default ACL<br />
-k remove the default ACL<br />
-m modify the current ACL(s) of file(s)<br />
-n don't recalculate the effective rights mask<br />
-R recurse into subdirectories<br />
-x remove entries from the ACL(s) of file(s)<br />
--mask do recalculate the effective rights mask<br />
--set set the ACL of file(s), replacing the current ACL<br />
--test test mode (ACLs are not modified)</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-12T11:46:17Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on scripts/processes being run, some only need to read files (read-only), but some need read/write access, to the alternate account (or an application account)<br />
<br />
Limitations/Issues<br />
* additional app/process users will all be set to either all read/write access or all read-only access, if both are needed, ACL's must be used (like in some samba env's)<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
<br />
Multiple users/processes needing access to a single account (or an application account)<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG appuser nrpe <br />
OR if you have many users <br />
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done <br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/appuser -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/appuser -type d -exec chmod g=rwxs '{}' ;<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/appuser -type f -exec chmod g+w '{}' ;<br />
<br />
<br />
Single user/process needing access to a multiple accounts<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG buildapp1 scmadmins<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' ;<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' ; ; done<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/buildapp1 -type f -exec chmod g+w '{}' ; <br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' ; ; done<br />
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Note: m - modify, R - recursive, d - default perms (for new files, as opposed to leaving out the -d, which would be existing files)<br />
<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rw /home/Shared/Reports<br />
# setfacl -dRm u:joe:rw /home/Shared/Reports<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:gary:r /home/Shared/Reports<br />
# setfacl -dRm u:gary:r /home/Shared/Reports<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
<br />
Note: the + means some ACL's have been set<br />
<br />
# ls -ld somedir<br />
drwxrwxr-x+ 2 buildapp1 scmadmins 6 May 12 04:08 somedir<br />
<br />
# ls -l somefile<br />
-rw-rw-r--+ 1 joe scmadmins 9 May 12 04:12 somefile<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl somedir<br />
# file: somedir/<br />
# owner: lisa<br />
# group: staff<br />
# flags: -s-<br />
user::rwx<br />
user:joe:rwx #effective:r-x<br />
group::rwx #effective:r-x<br />
group:cool:r-x<br />
mask::r-x<br />
other::r-x<br />
default:user::rwx<br />
default:user:joe:rwx #effective:r-x<br />
default:group::r-x<br />
default:mask::r-x<br />
default:other::---<br />
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' control which user/group/etc the access to the file or directory will be changed<br />
'u' (user) permissions for the user who owns the file/directory (u)<br />
'g' (group) permissions for other users who are members of the group (g)<br />
'o' (other) other users that are not in the group permissions (o) (aka world readable)<br />
'a' (all) all of the above <br />
The '+-=' operators control how the permissions are set on the file or directory<br />
'+' (add) causes the selected permissions to be added to the existing permissions<br />
'-' (remove) causes them to be removed<br />
'=' (set) causes them to be the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit<br />
<br />
Options (some)<br />
-c like verbose but report only when a change is made<br />
-R change files and directories recursively<br />
<br />
<br />
=== setfacl details/usage ===<br />
<br />
Options (some)<br />
-b remove all extended ACL entries<br />
-d operations apply to the default ACL<br />
-k remove the default ACL<br />
-m modify the current ACL(s) of file(s)<br />
-n don't recalculate the effective rights mask<br />
-R recurse into subdirectories<br />
-x remove entries from the ACL(s) of file(s)<br />
--mask do recalculate the effective rights mask<br />
--set set the ACL of file(s), replacing the current ACL<br />
--test test mode (ACLs are not modified)</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-12T11:34:28Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on scripts/processes being run, some only need to read files (read-only), but some need read/write access, to the alternate account (or an application account)<br />
<br />
Limitations/Issues<br />
* additional app/process users will all be set to either all read/write access or all read-only access, if both are needed, ACL's must be used (like in some samba env's)<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
<br />
Multiple users/processes needing access to a single account (or an application account)<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG appuser nrpe <br />
OR if you have many users <br />
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done <br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/appuser -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/appuser -type d -exec chmod g=rwxs '{}' ;<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/appuser -type f -exec chmod g+w '{}' ;<br />
<br />
<br />
Single user/process needing access to a multiple accounts<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG buildapp1 scmadmins<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' ;<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' ; ; done<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/buildapp1 -type f -exec chmod g+w '{}' ; <br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' ; ; done<br />
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Note: m - modify, R - recursive, d - default perms (for new files, as opposed to leaving out the -d, which would be existing files)<br />
<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rw /home/Shared/Reports<br />
# setfacl -dRm u:joe:rw /home/Shared/Reports<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:gary:r /home/Shared/Reports<br />
# setfacl -dRm u:gary:r /home/Shared/Reports<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
<br />
Note: the + means some ACL's have been set<br />
<br />
# ls -ld somedir<br />
drwxrwxr-x+ 2 buildapp1 scmadmins 6 May 12 04:08 somedir<br />
<br />
# ls -l somefile<br />
-rw-rw-r--+ 1 joe scmadmins 9 May 12 04:12 somefile<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl somedir<br />
# file: somedir/<br />
# owner: lisa<br />
# group: staff<br />
# flags: -s-<br />
user::rwx<br />
user:joe:rwx #effective:r-x<br />
group::rwx #effective:r-x<br />
group:cool:r-x<br />
mask::r-x<br />
other::r-x<br />
default:user::rwx<br />
default:user:joe:rwx #effective:r-x<br />
default:group::r-x<br />
default:mask::r-x<br />
default:other::---<br />
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' control which user/group/etc the access to the file or directory will be changed<br />
'u' (user) permissions for the user who owns the file/directory (u)<br />
'g' (group) permissions for other users who are members of the group (g)<br />
'o' (other) other users that are not in the group permissions (o) (aka world readable)<br />
'a' (all) all of the above <br />
The '+-=' operators control how the permissions are set on the file or directory<br />
'+' (add) causes the selected permissions to be added to the existing permissions<br />
'-' (remove) causes them to be removed<br />
'=' (set) causes them to be the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit<br />
<br />
Options (some)<br />
-c, --changes like verbose but report only when a change is made<br />
-R, --recursive change files and directories recursively<br />
<br />
<br />
=== setfacl details/usage ===<br />
<br />
Options (some)</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-12T11:16:39Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on the scripts/processes being run, some only need to read the alternate account's (or application account's) files (read-only), while others need read/write access.<br />
<br />
Limitations/Issues<br />
* additional app/process users all get the same level of access, either read/write or read-only; if both are needed, ACLs must be used (as in some samba environments)<br />
* umask may need to be modified where multiple processes are creating files/directories (e.g. the umask settings for both files and directories in samba, the umask setting in the ftp server configuration, etc.)<br />
<br />
<br />
Multiple users/processes needing access to a single account (or an application account)<br />
<br />
1. Add the users to the account's group<br />
<br />
# usermod -aG appuser nrpe<br />
OR if you have many users<br />
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done<br />
<br />
2. Set directory perms (group bits plus setgid) so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/appuser -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/appuser -type d -exec chmod g=rwxs '{}' \;<br />
<br />
3. Optionally set write access on the existing files, for the read/write option<br />
<br />
# find /home/appuser -type f -exec chmod g+w '{}' \;<br />
<br />
<br />
Single user/process needing access to multiple accounts<br />
<br />
1. Add the user to each account's group<br />
<br />
# usermod -aG buildapp1 scmadmins<br />
OR if you have many accounts<br />
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done<br />
<br />
2. Set directory perms (group bits plus setgid) so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' \;<br />
OR if you have many accounts<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' \; ; done<br />
<br />
3. Optionally set write access on the existing files, for the read/write option<br />
<br />
# find /home/buildapp1 -type f -exec chmod g+w '{}' \;<br />
OR if you have many accounts<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' \; ; done<br />
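Steps 2 and 3 of the two procedures above, run end to end on a scratch tree and then verified, as an added example that is not from this wiki page. The usermod step needs root and real accounts, so it is left out; the fixture forces the directory and file modes to 700/600 first so the expected results do not depend on the caller's umask. It assumes GNU find/chmod/stat (stat -c %a prints the setgid bit as a leading 2).<br />
<br />
```shell
#!/bin/sh
# Added example, not from the wiki page: the group-sharing procedure (find +
# chmod with the setgid bit) applied to a directory tree, plus checks that the
# result is what the procedure promises. Requires GNU find/chmod/stat (Linux).

# set_group_access <dir> ro|rw
#   ro: every directory gets g=rxs  (setgid: new entries inherit the group)
#   rw: every directory gets g=rwxs and every existing file gets g+w
set_group_access() {
    _dir=$1
    case $2 in
        ro) find "$_dir" -type d -exec chmod g=rxs '{}' \; ;;
        rw) find "$_dir" -type d -exec chmod g=rwxs '{}' \;
            find "$_dir" -type f -exec chmod g+w '{}' \; ;;
        *)  echo "usage: set_group_access <dir> ro|rw" >&2; return 2 ;;
    esac
}

# octal_mode <path>: mode in octal including the setgid bit, e.g. 2770
octal_mode() {
    stat -c %a "$1"
}

# make_tree <dir>: constructed fixture; modes are forced to 700/600 so the
# outcome does not depend on the caller's umask
make_tree() {
    mkdir -p "$1/sub"
    : > "$1/a.txt"
    : > "$1/sub/b.txt"
    find "$1" -type d -exec chmod 700 '{}' \;
    find "$1" -type f -exec chmod 600 '{}' \;
}

# check_tree <dir> ro|rw: succeed only if every directory and file in the tree
# carries the mode the procedure should have produced
check_tree() {
    _dir=$1
    case $2 in
        ro) _dmode=2750; _fmode=600 ;;
        rw) _dmode=2770; _fmode=620 ;;
        *)  return 2 ;;
    esac
    # print every path whose mode differs from the expected one
    _bad=$(find "$_dir" -type d -exec sh -c \
        '[ "$(stat -c %a "$1")" = "$2" ] || echo "$1"' _ '{}' "$_dmode" \;)
    [ -z "$_bad" ] || { echo "wrong directory mode: $_bad" >&2; return 1; }
    _bad=$(find "$_dir" -type f -exec sh -c \
        '[ "$(stat -c %a "$1")" = "$2" ] || echo "$1"' _ '{}' "$_fmode" \;)
    [ -z "$_bad" ] || { echo "wrong file mode: $_bad" >&2; return 1; }
}

# new_file_inherits_group <dir>: the point of the setgid bit; a file created
# inside the directory gets the directory's group rather than the creator's
new_file_inherits_group() {
    : > "$1/created-later.txt"
    [ "$(stat -c %g "$1")" = "$(stat -c %g "$1/created-later.txt")" ]
}

# Stand-alone run ("sh script.sh demo"): apply both variants to scratch trees
if [ "${1:-}" = "demo" ]; then
    for _m in ro rw; do
        _t=$(mktemp -d)
        make_tree "$_t"
        set_group_access "$_t" "$_m"
        if check_tree "$_t" "$_m" && new_file_inherits_group "$_t"; then
            echo "$_m: ok"
        else
            echo "$_m: check failed"
        fi
        rm -rf "$_t"
    done
fi
```
<br />
The check step is the part worth keeping around: after a recursive chmod it is easy to miss a subdirectory that lost its setgid bit (a non-root chmod silently drops it when the caller is not in the directory's group), and a single such directory breaks group inheritance for everything created under it.<br />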
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (e.g. the umask settings for both files and directories in samba, the umask setting in the ftp server configuration, etc.)<br />
<br />
Note: -m modify the ACL, -R recursive, -d default ACL (applies to files/directories created later under the directory; without -d the entry is set on the existing files/directories only)<br />
<br />
<br />
For a directory tree;<br />
<br />
Read/write users (rwX rather than rw: the X grants search permission on directories only, so the tree stays traversable while plain files do not become executable);<br />
<br />
# setfacl -Rm u:joe:rwX /home/Shared/Reports<br />
# setfacl -dRm u:joe:rwX /home/Shared/Reports<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:gary:rX /home/Shared/Reports<br />
# setfacl -dRm u:gary:rX /home/Shared/Reports<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
Note: the trailing + in the mode column means an ACL has been set on that entry<br />
<br />
# ls -ld somedir<br />
drwxrwxr-x+ 2 buildapp1 scmadmins 6 May 12 04:08 somedir<br />
<br />
# ls -l somefile<br />
-rw-rw-r--+ 1 joe scmadmins 9 May 12 04:12 somefile<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl somedir<br />
# file: somedir/<br />
# owner: lisa<br />
# group: staff<br />
# flags: -s-<br />
user::rwx<br />
user:joe:rwx #effective:r-x<br />
group::rwx #effective:r-x<br />
group:cool:r-x<br />
mask::r-x<br />
other::r-x<br />
default:user::rwx<br />
default:user:joe:rwx #effective:r-x<br />
default:group::r-x<br />
default:mask::r-x<br />
default:other::---<br />
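How getfacl arrives at the #effective: annotations in the listing above (and in the identical listing in the earlier reference section), as an added example that is not from this page: an awk filter that reads getfacl-style output and ANDs every entry the mask governs (named users, the owning group and named groups, in both the access ACL and the default ACL) with the matching mask entry. sample_acl is a constructed copy of the listing above with the annotations stripped, so the filter has to recompute them; the function names are this example's own.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the wiki page: recompute getfacl's "#effective:"
# annotations from a getfacl-style listing read on stdin (POSIX sh + awk).

# effective_acl: print each ACL entry, appending " #effective:<perms>" where
# the mask narrows it. Owner (user::), other:: and mask:: are never masked.
effective_acl() {
    awk '
    # AND two rwx strings position by position: rwx & r-x -> r-x
    function and_perm(p, m,    i, out, c) {
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            out = out ((c != "-" && c == substr(m, i, 1)) ? c : "-")
        }
        return out
    }
    /^#/ || /^[ \t]*$/ { next }          # getfacl header and blank lines
    {
        sub(/[ \t]*#effective:.*$/, "")   # drop any annotation already present
        n++
        line[n] = $0
        if ($0 ~ /^default:/) { scope[n] = "default"; body = substr($0, 9) }
        else                  { scope[n] = "access";  body = $0 }
        split(body, f, ":")
        tag[n] = f[1]; qual[n] = f[2]; perm[n] = f[3]
        if (f[1] == "mask") mask[scope[n]] = f[3]
    }
    END {
        for (i = 1; i <= n; i++) {
            m = mask[scope[i]]
            # the mask governs named users, the owning group and named groups
            governed = (tag[i] == "group" || (tag[i] == "user" && qual[i] != ""))
            if (governed && m != "") {
                eff = and_perm(perm[i], m)
                if (eff != perm[i]) { print line[i] " #effective:" eff; continue }
            }
            print line[i]
        }
    }'
}

# masked_entries: only the entries the mask actually narrows
masked_entries() {
    effective_acl | grep '#effective:'
}

# sample_acl: constructed input, the listing from the reference section with
# its #effective: annotations removed
sample_acl() {
    cat <<'EOF'
# file: somedir/
# owner: lisa
# group: staff
# flags: -s-
user::rwx
user:joe:rwx
group::rwx
group:cool:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:joe:rwx
default:group::r-x
default:mask::r-x
default:other::---
EOF
}

# count_masked: number of sample entries narrowed by the mask (3)
count_masked() {
    sample_acl | masked_entries | wc -l | tr -d ' '
}

# Stand-alone run:  sample_acl | effective_acl
```
<br />
Why this matters operationally: on Linux the group bits of a file that carries an ACL are the mask, so a later chmod g-w (or a chmod 750 from a deployment script) narrows every named-user entry without touching it, and the user you granted rw ends up with r-x. setfacl -m recalculates the mask itself unless -n is given, so when a grant from the ACL section above stops working, run the listing through this filter (or just read getfacl's own annotations) before adding more entries.<br />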
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' select whose access to the file or directory will be changed:<br />
'u' (user) the user who owns the file/directory<br />
'g' (group) other users who are members of the file's group<br />
'o' (other) users who are neither the owner nor in the group (aka world)<br />
'a' (all) all of the above<br />
The '+-=' operators control how the permissions are set on the file or directory:<br />
'+' (add) adds the selected permissions to the existing permissions<br />
'-' (remove) removes them from the existing permissions<br />
'=' (set) makes them the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-12T11:04:07Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on scripts/processes being run, some only need to read files (read-only), but some need read/write access, to the alternate account<br />
<br />
Limitations/Issues<br />
* additional app/process users will all be set to either all read/write access or all read-only access, if both are needed, ACL's must be used (like in some samba env's)<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
<br />
Multiple users/processes needing access to a single account<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG appuser nrpe <br />
OR if you have many users <br />
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done <br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/appuser -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/appuser -type d -exec chmod g=rwxs '{}' ;<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/appuser -type f -exec chmod g+w '{}' ;<br />
<br />
<br />
Single user/process needing access to a multiple accounts<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG buildapp1 scmadmins<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' ;<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' ; ; done<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/buildapp1 -type f -exec chmod g+w '{}' ; <br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' ; ; done<br />
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Note: m - modify, R - recursive, d - default perms (for new files, as opposed to leaving out the -d, which would be existing files)<br />
<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rw /home/Shared/Reports<br />
# setfacl -dRm u:joe:rw /home/Shared/Reports<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:gary:r /home/Shared/Reports<br />
# setfacl -dRm u:gary:r /home/Shared/Reports<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
<br />
# ls -l<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl somedir<br />
# file: somedir/<br />
# owner: lisa<br />
# group: staff<br />
# flags: -s-<br />
user::rwx<br />
user:joe:rwx #effective:r-x<br />
group::rwx #effective:r-x<br />
group:cool:r-x<br />
mask::r-x<br />
other::r-x<br />
default:user::rwx<br />
default:user:joe:rwx #effective:r-x<br />
default:group::r-x<br />
default:mask::r-x<br />
default:other::---<br />
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' control which user/group/etc the access to the file or directory will be changed<br />
'u' (user) permissions for the user who owns the file/directory (u)<br />
'g' (group) permissions for other users who are members of the group (g)<br />
'o' (other) other users that are not in the group permissions (o) (aka world readable)<br />
'a' (all) all of the above <br />
The '+-=' operators control how the permissions are set on the file or directory<br />
'+' (add) causes the selected permissions to be added to the existing permissions<br />
'-' (remove) causes them to be removed<br />
'=' (set) causes them to be the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-11T21:38:30Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on scripts/processes being run, some only need to read files (read-only), but some need read/write access, to the alternate account<br />
<br />
Limitations/Issues<br />
* additional app/process users will all be set to either all read/write access or all read-only access, if both are needed, ACL's must be used (like in some samba env's) * umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
<br />
Multiple users/processes needing access to a single account<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG appuser nrpe <br />
OR if you have many users <br />
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done <br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/appuser -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/appuser -type d -exec chmod g=rwxs '{}' ;<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/appuser -type f -exec chmod g+w '{}' ;<br />
<br />
<br />
Single user/process needing access to a multiple accounts<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG buildapp1 scmadmins<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' ;<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' ; ; done<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/buildapp1 -type f -exec chmod g+w '{}' ; <br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' ; ; done<br />
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Note: m - modify, R - recursive, d - default perms (for new files, as opposed to no -d which would be existing files)<br />
<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rw /home/Shared/Reports<br />
# setfacl -dRm u:joe:rw /home/Shared/Reports<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:gary:r /home/Shared/Reports<br />
# setfacl -dRm u:gary:r /home/Shared/Reports<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
<br />
# ls -l<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl somedir<br />
# file: somedir/<br />
# owner: lisa<br />
# group: staff<br />
# flags: -s-<br />
user::rwx<br />
user:joe:rwx #effective:r-x<br />
group::rwx #effective:r-x<br />
group:cool:r-x<br />
mask::r-x<br />
other::r-x<br />
default:user::rwx<br />
default:user:joe:rwx #effective:r-x<br />
default:group::r-x<br />
default:mask::r-x<br />
default:other::---<br />
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' control which user/group/etc the access to the file or directory will be changed<br />
'u' (user) permissions for the user who owns the file/directory (u)<br />
'g' (group) permissions for other users who are members of the group (g)<br />
'o' (other) other users that are not in the group permissions (o) (aka world readable)<br />
'a' (all) all of the above <br />
The '+-=' operators control how the permissions are set on the file or directory<br />
'+' (add) causes the selected permissions to be added to the existing permissions<br />
'-' (remove) causes them to be removed<br />
'=' (set) causes them to be the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-11T21:37:43Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on scripts/processes being run, some only need to read files (read-only), but some need read/write access, to the alternate account<br />
<br />
Limitations/Issues<br />
* additional app/process users will all be set to either all read/write access or all read-only access, if both are needed, ACL's must be used (like in some samba env's) * umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Multiple users/processes needing access to a single account<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG appuser nrpe <br />
OR if you have many users <br />
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done <br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/appuser -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/appuser -type d -exec chmod g=rwxs '{}' ;<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/appuser -type f -exec chmod g+w '{}' ;<br />
<br />
<br />
Single user/process needing access to a multiple accounts<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG buildapp1 scmadmins<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' ;<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' ; ; done<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/buildapp1 -type f -exec chmod g+w '{}' ; <br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' ; ; done<br />
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Note: m - modify, R - recursive, d - default perms (for new files, as opposed to no -d which would be existing files)<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rw /home/Shared/Reports<br />
# setfacl -dRm u:joe:rw /home/Shared/Reports<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:gary:r /home/Shared/Reports<br />
# setfacl -dRm u:gary:r /home/Shared/Reports<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
<br />
# ls -l<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl somedir<br />
# file: somedir/<br />
# owner: lisa<br />
# group: staff<br />
# flags: -s-<br />
user::rwx<br />
user:joe:rwx #effective:r-x<br />
group::rwx #effective:r-x<br />
group:cool:r-x<br />
mask::r-x<br />
other::r-x<br />
default:user::rwx<br />
default:user:joe:rwx #effective:r-x<br />
default:group::r-x<br />
default:mask::r-x<br />
default:other::---<br />
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' control which user/group/etc the access to the file or directory will be changed<br />
'u' (user) permissions for the user who owns the file/directory (u)<br />
'g' (group) permissions for other users who are members of the group (g)<br />
'o' (other) other users that are not in the group permissions (o) (aka world readable)<br />
'a' (all) all of the above <br />
The '+-=' operators control how the permissions are set on the file or directory<br />
'+' (add) causes the selected permissions to be added to the existing permissions<br />
'-' (remove) causes them to be removed<br />
'=' (set) causes them to be the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-11T21:35:36Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on scripts/processes being run, some only need to read files (read-only), but some need read/write access, to the alternate account<br />
<br />
Limitations/Issues<br />
* additional app/process users will all be set to either all read/write access or all read-only access, if both are needed, ACL's must be used (like in some samba env's) * umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Multiple users/processes needing access to a single account<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG appuser nrpe <br />
OR if you have many users <br />
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done <br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/appuser -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/appuser -type d -exec chmod g=rwxs '{}' ;<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/appuser -type f -exec chmod g+w '{}' ;<br />
<br />
<br />
Single user/process needing access to a multiple accounts<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG buildapp1 scmadmins<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' ;<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' ; ; done<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/buildapp1 -type f -exec chmod g+w '{}' ; <br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' ; ; done<br />
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Note: m - modify, R - recursive, d - default perms (for new files, as opposed to no -d which would be existing files)<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rw /home/Shared/Reports<br />
# setfacl -dRm u:joe:rw /home/Shared/Reports<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:gary:r /home/Shared/Reports<br />
# setfacl -dRm u:gary:r /home/Shared/Reports<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
<br />
# ls -l<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl somedir<br />
# file: somedir/<br />
# owner: lisa<br />
# group: staff<br />
# flags: -s-<br />
user::rwx<br />
user:joe:rwx #effective:r-x<br />
group::rwx #effective:r-x<br />
group:cool:r-x<br />
mask::r-x<br />
other::r-x<br />
default:user::rwx<br />
default:user:joe:rwx #effective:r-x<br />
default:group::r-x<br />
default:mask::r-x<br />
default:other::---<br />
<br />
<br />
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' control which user/group/etc the access to the file or directory will be changed<br />
'u' (user) permissions for the user who owns the file/directory (u)<br />
'g' (group) permissions for other users who are members of the group (g)<br />
'o' (other) other users that are not in the group permissions (o) (aka world readable)<br />
'a' (all) all of the above <br />
The '+-=' operators control how the permissions are set on the file or directory<br />
'+' (add) causes the selected permissions to be added to the existing permissions<br />
'-' (remove) causes them to be removed<br />
'=' (set) causes them to be the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-11T21:26:45Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on scripts/processes being run, some only need to read files (read-only), but some need read/write access, to the alternate account<br />
<br />
Limitations/Issues<br />
* additional app/process users will all be set to either all read/write access or all read-only access, if both are needed, ACL's must be used (like in some samba env's) * umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Multiple users/processes needing access to a single account<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG appuser nrpe <br />
OR if you have many users <br />
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done <br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/appuser -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/appuser -type d -exec chmod g=rwxs '{}' ;<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/appuser -type f -exec chmod g+w '{}' ;<br />
<br />
<br />
Single user/process needing access to a multiple accounts<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG buildapp1 scmadmins<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' ;<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' ; ; done<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/buildapp1 -type f -exec chmod g+w '{}' ; <br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' ; ; done<br />
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Note: m - modify, R - recursive, d - default perms (for new files, as opposed to no -d which would be existing files)<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rw /home/Shared/Reports<br />
# setfacl -dRm u:joe:rw /home/Shared/Reports<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:gary:r /home/Shared/Reports<br />
# setfacl -dRm u:gary:r /home/Shared/Reports<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
<br />
# ls -l<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl<br />
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' control which user/group/etc the access to the file or directory will be changed<br />
'u' (user) permissions for the user who owns the file/directory (u)<br />
'g' (group) permissions for other users who are members of the group (g)<br />
'o' (other) other users that are not in the group permissions (o) (aka world readable)<br />
'a' (all) all of the above <br />
The '+-=' operators control how the permissions are set on the file or directory<br />
'+' (add) causes the selected permissions to be added to the existing permissions<br />
'-' (remove) causes them to be removed<br />
'=' (set) causes them to be the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-11T21:21:11Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on scripts/processes being run, some only need to read files (read-only), but some need read/write access, to the alternate account<br />
<br />
Limitations/Issues<br />
* additional app/process users will all be set to either all read/write access or all read-only access, if both are needed, ACL's must be used (like in some samba env's) * umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Multiple users/processes needing access to a single account<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG appuser nrpe <br />
OR if you have many users <br />
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done <br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/appuser -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/appuser -type d -exec chmod g=rwxs '{}' ;<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/appuser -type f -exec chmod g+w '{}' ;<br />
<br />
<br />
Single user/process needing access to a multiple accounts<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG buildapp1 scmadmins<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' ;<br />
read/write<br />
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' ;<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' ; ; done<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/buildapp1 -type f -exec chmod g+w '{}' ; <br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' ; ; done<br />
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rw /home/Shared/Reports<br />
# setfacl -dRm u:joe:rw /home/Shared/Reports<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:gary:r /home/Shared/Reports<br />
# setfacl -dRm u:gary:r /home/Shared/Reports<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
<br />
# ls -l<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl<br />
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' select whose access to the file or directory will be changed:<br />
'u' (user) permissions for the user who owns the file/directory<br />
'g' (group) permissions for other users who are members of the file's group<br />
'o' (other) permissions for users who are neither the owner nor in the group (aka world readable)<br />
'a' (all) all of the above<br />
The '+-=' operators control how the selected permissions are applied to the file or directory:<br />
'+' (add) adds the selected permissions to the existing permissions<br />
'-' (remove) removes them from the existing permissions<br />
'=' (set) makes them the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-11T21:20:19Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on the scripts/processes being run, some only need to read files (read-only) in the alternate account, while others need read/write access<br />
<br />
Limitations/Issues<br />
* additional app/process users will all get either read/write access or read-only access; if both are needed, ACL's must be used (like in some samba env's)<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Multiple users/processes needing access to a single account<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG appuser nrpe <br />
OR if you have many users <br />
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done <br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/appuser -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/appuser -type d -exec chmod g=rwxs '{}' \;<br />
<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/appuser -type f -exec chmod g+w '{}' \;<br />
<br />
<br />
Single user/process needing access to multiple accounts<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG buildapp1 scmadmins<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done<br />
<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' \;<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' \; ; done<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/buildapp1 -type f -exec chmod g+w '{}' \;<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' \; ; done<br />
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rw /home/Shared/Reports<br />
# setfacl -dRm u:joe:rw /home/Shared/Reports<br />
<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:gary:r /home/Shared/Reports<br />
# setfacl -dRm u:gary:r /home/Shared/Reports<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
<br />
# ls -l<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl<br />
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' select whose access to the file or directory will be changed:<br />
'u' (user) permissions for the user who owns the file/directory<br />
'g' (group) permissions for other users who are members of the file's group<br />
'o' (other) permissions for users who are neither the owner nor in the group (aka world readable)<br />
'a' (all) all of the above<br />
The '+-=' operators control how the selected permissions are applied to the file or directory:<br />
'+' (add) adds the selected permissions to the existing permissions<br />
'-' (remove) removes them from the existing permissions<br />
'=' (set) makes them the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-11T21:16:26Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on the scripts/processes being run, some only need to read files (read-only) in the alternate account, while others need read/write access<br />
<br />
Limitations/Issues<br />
* additional app/process users will all get either read/write access or read-only access; if both are needed, ACL's must be used (like in some samba env's)<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Multiple users/processes needing access to a single account<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG appuser nrpe <br />
OR if you have many users <br />
# for U in nrpe snmp cacti applog ; do usermod -aG appuser $U ; done <br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/appuser -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/appuser -type d -exec chmod g=rwxs '{}' \;<br />
<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/appuser -type f -exec chmod g+w '{}' \;<br />
<br />
<br />
Single user/process needing access to multiple accounts<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG buildapp1 scmadmins<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do usermod -aG $U scmadmins ; done<br />
<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildapp1 -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/buildapp1 -type d -exec chmod g=rwxs '{}' \;<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type d -exec chmod g=rxs '{}' \; ; done<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/buildapp1 -type f -exec chmod g+w '{}' \;<br />
OR if you have many users<br />
# for U in buildapp1 buildapp2 ; do find /home/$U -type f -exec chmod g+w '{}' \; ; done<br />
<br />
<br />
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rw /home/Shared/Reports<br />
# setfacl -dRm u:joe:rw /home/Shared/Reports<br />
<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:gary:r /home/Shared/Reports<br />
# setfacl -dRm u:gary:r /home/Shared/Reports<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/Shared/Reports/Weekly_Client_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
<br />
# ls -l<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl<br />
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' select whose access to the file or directory will be changed:<br />
'u' (user) permissions for the user who owns the file/directory<br />
'g' (group) permissions for other users who are members of the file's group<br />
'o' (other) permissions for users who are neither the owner nor in the group (aka world readable)<br />
'a' (all) all of the above<br />
The '+-=' operators control how the selected permissions are applied to the file or directory:<br />
'+' (add) adds the selected permissions to the existing permissions<br />
'-' (remove) causes them to be removed<br />
'=' (set) causes them to be the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-11T16:59:29Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on the scripts/processes being run, some only need to read files (read-only) in the alternate account, while others need read/write access<br />
<br />
Limitations/Issues<br />
* additional app/process users will all get either read/write access or read-only access; if both are needed, ACL's must be used (like in some samba env's)<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Multiple users/processes needing access to a single account<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG lisapp nrpe <br />
OR if you have many users <br />
# for U in nrpe snmp cacti applog ; do usermod -aG lisapp $U ; done <br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/lisapp -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/lisapp -type d -exec chmod g=rwxs '{}' \;<br />
<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/lisapp -type f -exec chmod g+w '{}' \;<br />
<br />
<br />
Single user/process needing access to multiple accounts<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG buildnss scmadmins<br />
OR if you have many users<br />
# for U in buildnss buildfalcon ; do usermod -aG $U scmadmins ; done<br />
<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildnss -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/buildnss -type d -exec chmod g=rwxs '{}' \;<br />
OR if you have many users<br />
# for U in buildnss buildfalcon ; do find /home/$U -type d -exec chmod g=rxs '{}' \; ; done<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/buildnss -type f -exec chmod g+w '{}' \;<br />
OR if you have many users<br />
# for U in buildnss buildfalcon ; do find /home/$U -type f -exec chmod g+w '{}' \; ; done<br />
<br />
<br />
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rw /home/CSP1/Data<br />
# setfacl -dRm u:joe:rw /home/CSP1/Data<br />
<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:joe:r /home/CSP1/Data<br />
# setfacl -dRm u:joe:r /home/CSP1/Data<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/CSP1/Data/Weekly_Data_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
<br />
# ls -l<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl<br />
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' select whose access to the file or directory will be changed:<br />
'u' (user) permissions for the user who owns the file/directory<br />
'g' (group) permissions for other users who are members of the file's group<br />
'o' (other) permissions for users who are neither the owner nor in the group (aka world readable)<br />
'a' (all) all of the above<br />
The '+-=' operators control how the selected permissions are applied to the file or directory:<br />
'+' (add) adds the selected permissions to the existing permissions<br />
'-' (remove) causes them to be removed<br />
'=' (set) causes them to be the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-11T16:57:49Z<p>Support: </p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on the scripts/processes being run, some only need to read files (read-only) in the alternate account, while others need read/write access<br />
<br />
Limitations/Issues<br />
* additional app/process users will all get either read/write access or read-only access; if both are needed, ACL's must be used (like in some samba env's)<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Multiple users/processes needing access to a single account<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG lisapp nrpe <br />
OR if you have many users <br />
# for U in nrpe snmp cacti applog ; do usermod -aG lisapp $U ; done <br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/lisapp -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/lisapp -type d -exec chmod g=rwxs '{}' \;<br />
<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/lisapp -type f -exec chmod g+w '{}' \;<br />
<br />
<br />
Single user/process needing access to multiple accounts<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG buildnss scmadmins<br />
OR if you have many users<br />
# for U in buildnss buildfalcon ; do usermod -aG $U scmadmins ; done<br />
<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildnss -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/buildnss -type d -exec chmod g=rwxs '{}' \;<br />
OR if you have many users<br />
# for U in buildnss buildfalcon ; do find /home/$U -type d -exec chmod g=rxs '{}' \; ; done<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/buildnss -type f -exec chmod g+w '{}' \;<br />
OR if you have many users<br />
# for U in buildnss buildfalcon ; do find /home/$U -type f -exec chmod g+w '{}' \; ; done<br />
<br />
<br />
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rw /home/CSP1/Data<br />
# setfacl -dRm u:joe:rw /home/CSP1/Data<br />
<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:joe:r /home/CSP1/Data<br />
# setfacl -dRm u:joe:r /home/CSP1/Data<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/CSP1/Data/Weekly_Data_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
<br />
# ls -l<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl<br />
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' select whose access to the file or directory will be changed:<br />
'u' (user) permissions for the user who owns the file/directory<br />
'g' (group) permissions for other users who are members of the file's group<br />
'o' (other) permissions for users who are neither the owner nor in the group (aka world readable)<br />
'a' (all) all of the above<br />
The '+-=' operators control how the selected permissions are applied to the file or directory:<br />
'+' (add) adds the selected permissions to the existing permissions<br />
'-' (remove) causes them to be removed<br />
'=' (set) causes them to be the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit</div>Supporthttp://thelinuxsource.org/index.php/PermissionsPermissions2020-05-11T16:55:44Z<p>Support: Created page with "=== Basic perms Depending on scripts/processes being run, some only need to read files (read-only), but some need read/write access, to the alternate account Limitations/Is..."</p>
<hr />
<div>=== Basic perms ===<br />
<br />
Depending on the scripts/processes being run, some only need to read files (read-only) in the alternate account, while others need read/write access<br />
<br />
Limitations/Issues<br />
* additional app/process users will all get either read/write access or read-only access; if both are needed, ACL's must be used (like in some samba env's)<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
Multiple users/processes needing access to a single account<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG lisapp nrpe<br />
OR if you have many users<br />
# for U in nrpe snmp cacti applog ; do usermod -aG lisapp $U ; done<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/lisapp -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/lisapp -type d -exec chmod g=rwxs '{}' \;<br />
<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/lisapp -type f -exec chmod g+w '{}' \;<br />
<br />
<br />
Single user/process needing access to multiple accounts<br />
<br />
1. Add users to proper group<br />
<br />
# usermod -aG buildnss scmadmins<br />
OR if you have many users<br />
# for U in buildnss buildfalcon ; do usermod -aG $U scmadmins ; done<br />
<br />
<br />
2. Set directory perms so that new files all belong to the same group<br />
<br />
read-only<br />
# find /home/buildnss -type d -exec chmod g=rxs '{}' \;<br />
read/write<br />
# find /home/buildnss -type d -exec chmod g=rwxs '{}' \;<br />
OR if you have many users<br />
# for U in buildnss buildfalcon ; do find /home/$U -type d -exec chmod g=rxs '{}' \; ; done<br />
<br />
3. Optionally set write access, for read/write option<br />
<br />
# find /home/buildnss -type f -exec chmod g+w '{}' \;<br />
OR if you have many users<br />
# for U in buildnss buildfalcon ; do find /home/$U -type f -exec chmod g+w '{}' \; ; done<br />
<br />
<br />
<br />
<br />
<br />
=== ACL's ===<br />
<br />
Limitations/Issues<br />
* umask may need to be modified where multiple processes are creating files/directories (i.e.; umask settings for both files and directories in samba, umask settings in ftp server configuration, etc.)<br />
<br />
<br />
For a directory tree;<br />
<br />
Read/write users;<br />
<br />
# setfacl -Rm u:joe:rw /home/CSP1/Data<br />
# setfacl -dRm u:joe:rw /home/CSP1/Data<br />
<br />
<br />
Read-Only users;<br />
<br />
# setfacl -Rm u:joe:r /home/CSP1/Data<br />
# setfacl -dRm u:joe:r /home/CSP1/Data<br />
<br />
<br />
For a file;<br />
<br />
# setfacl -m u:joe:rw /home/CSP1/Data/Weekly_Data_Report-20100704.xml<br />
<br />
<br />
Reference<br />
<br />
ls output<br />
<br />
# ls -l<br />
<br />
<br />
getfacl output<br />
<br />
# getfacl<br />
<br />
<br />
<br />
=== chmod details/usage ===<br />
<br />
The format for chmod's symbolic mode used in this doc is [ugoa...][[+-=][perms...]...]<br />
<br />
The letters 'ugoa' select whose access to the file or directory will be changed:<br />
'u' (user) permissions for the user who owns the file/directory<br />
'g' (group) permissions for other users who are members of the file's group<br />
'o' (other) permissions for users who are neither the owner nor in the group (aka world readable)<br />
'a' (all) all of the above<br />
The '+-=' operators control how the selected permissions are applied to the file or directory:<br />
'+' (add) adds the selected permissions to the existing permissions<br />
'-' (remove) causes them to be removed<br />
'=' (set) causes them to be the only permissions<br />
<br />
The letters 'rwxXst' select the new permissions for the affected users:<br />
'rwx' (r) read, (w) write, (x) execute (or search/access for directories)<br />
'X' execute/search only if the file is a directory or already has execute permission for some user<br />
's' set user or group ID on execution<br />
't' restricted deletion flag or sticky bit</div>Supporthttp://thelinuxsource.org/index.php/ApacheApache2019-11-15T18:56:56Z<p>Support: /* Files/Directories Layout */</p>
<hr />
<div>=== Policy ===<br />
{{Apache-Policy}}<br />
<br />
=== Overview ===<br />
Our Changes<br><br />
The Apache configuration has been modified slightly to address several security concerns.<br><br />
When installing additional apache modules, and some optional software, a config file is added to the conf.d directory, which automatically enables the module/software by default. However, most of these are not actually wanted or needed, and never get used. In our case they end up disabled by default, since we use a conf.d-run directory instead (the module/software configs that are actually needed/desired are copied from conf.d to conf.d-run).<br><br />
We also create vhost.d (for http URL's) and vhost-ssl.d (for https URL's) directories for virtual host/URL config files. Our current policy is to also include a 0-mask file in these directories, which does not serve out any of the sites (when going to the server's IP) but requires a valid URL to get to a real/application page.<br><br />
There are some slight differences with enterprise 7 (and newer/Fedora), which changes the vhost directory naming to conf.vhost.d and conf.vhost-ssl.d. Enterprise 7 also adds a conf.modules.d, so our corresponding conf.modules.d-run directory is configured/added there as well.<br><br />
SSL/Certificates<br><br />
For IP/certs used for any/all URL's, the first cert defined for the IP (in our mask file) is the cert used for all subsequent URL definitions for that IP (essentially all other cert directives are unused/ignored). To use more than one cert (or more than one domain where wildcard certs are used), additional IP's would need to be used (and the mask section duplicated for the additional IP).<br><br />
Note: recent changes to kickstart no longer install a cert on every system. This breaks Apache, as it will not start out of the chute from kickstart. Install a valid prod or non-prod cert via yum to resolve.<br><br />
Note: 2.2.9 added support for ProxyPassReverse balancer://<br />
<br />
=== Documentation References ===<br />
Enterprise 6<br />
http://httpd.apache.org/docs/2.2/<br />
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.2/howto/auth.html<br />
<br />
Enterprise 7<br />
http://httpd.apache.org/docs/2.4/<br />
http://httpd.apache.org/docs/2.4/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.4/howto/auth.html<br />
<br />
=== VHost Example ===<br />
Note: the mask section goes in a file named 0-mask (the '0-' prefix makes it sort first in the directory listing, so apache loads it first); the real virtual host(s) go in their own file(s) named after their URL(s) (a file named 'syslog' in this case)<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
#ProxyTimeout 1200<br />
#ProxyStatus Full<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
# load balancer settings for multiple app servers<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
#ProxyPass /apache-info !<br />
#ProxyPass /apache-status !<br />
#ProxyPass /balancer-manager !<br />
#ProxyPass /jmx-console !<br />
#ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
VirtualHost line should have :80 instead of :443 if not ssl/https (and should be in vhost.d dir)<br />
All SSL* lines are ssl only, do not include these if not ssl/https<br />
Proxy* lines are only if this is a proxy for another app server(s) or a local app (use appropriate IP's)<br />
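The conventions in this section (a 0-mask vhost that is loaded first for each IP, and SSLEngine plus the Secure;HttpOnly cookie rewrite on every https vhost) are easy to break when a new site file is dropped into the vhost directory. As an added example, not from the wiki page or the Apache project, here is a sh/awk lint that reads the vhost files in load order and reports violations of both rules; the function name and the two constructed config snippets are ours, and it assumes explicit IP:port addresses as in the examples above (a *:443 vhost would be reported as lacking a mask).<br />

```shell
#!/bin/sh
# Added example, not from the wiki page. Checks vhost text against the page's
# conventions: the first <VirtualHost> for each IP:port is the 0-mask entry
# (ServerName equal to the bare IP), and every :443 vhost has "SSLEngine on"
# and the "Header edit Set-Cookie ... Secure;HttpOnly" rewrite. The function
# name and both sample configs are ours; explicit IP:port addresses assumed.

# lint_vhosts CONFIG_TEXT  -> prints one finding per line; returns 1 if any
lint_vhosts() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        /^[ \t]*<VirtualHost[ \t]/ {
            addr = $2; sub(/>.*$/, "", addr)         # e.g. "172.16.1.11:443"
            split(addr, a, ":"); ip = a[1]; port = a[2]
            in_vh = 1; sname = ""; ssl = 0; hdr = 0
            next
        }
        in_vh && /^[ \t]*ServerName[ \t]/ { sname = $2 }
        in_vh && /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/ { ssl = 1 }
        in_vh && /^[ \t]*Header[ \t]+edit[ \t]+Set-Cookie/ && /Secure/ && /HttpOnly/ { hdr = 1 }
        in_vh && /^[ \t]*<\/VirtualHost>/ {
            in_vh = 0
            if (!(addr in seen)) {                   # first vhost seen for this IP:port
                seen[addr] = 1
                if (sname != ip) { print addr ": first vhost is not a mask (ServerName " sname ")"; bad++ }
            }
            if (port == "443" && !ssl) { print addr " " sname ": SSLEngine on missing"; bad++ }
            if (port == "443" && !hdr) { print addr " " sname ": Secure;HttpOnly cookie header missing"; bad++ }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample that follows the page layout: 0-mask first, then the site.
GOOD_VHOSTS='# mask server name & urls
<VirtualHost 172.16.1.11:443>
    ServerName 172.16.1.11
    DocumentRoot /home/httpd/syslog1/public_html
    Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
</VirtualHost>
<VirtualHost 172.16.1.11:443>
    ServerName syslog.example.com
    DocumentRoot /home/httpd/syslog1/public_html
    Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key
</VirtualHost>'

# Constructed sample of a site file dropped in without the mask or the
# cookie rewrite: the lint reports both.
BAD_VHOSTS='<VirtualHost 172.16.1.11:443>
    ServerName syslog.example.com
    DocumentRoot /home/httpd/syslog1/public_html
    SSLEngine on
</VirtualHost>'
```

Run it over the files in the order apache includes them, for example `lint_vhosts "$(cat /etc/httpd/conf.vhost-ssl.d/*.conf)"` on enterprise 7; the shell glob expands in the same lexical order as apache's wildcard Include, which is why the 0- prefix on the mask file matters.<br />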
<br />
=== Proxy VHost Example ===<br />
Note: the mask section is in the file named 0-mask; the real virtual host(s) (syslog in this case) go in their own file(s) named after their URL (a file named 'syslog' in this case)<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog1.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
ProxyTimeout 1200<br />
ProxyStatus Full<br />
SSLProxyEngine on<br />
# load balancer settings for multiple app servers<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
ProxyPass /apache-info !<br />
ProxyPass /apache-status !<br />
ProxyPass /balancer-manager !<br />
ProxyPass /jmx-console !<br />
ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings (requires Header & Proxy balancer section above)<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
=== httpd.conf Example ===<br />
We change the following lines in the default httpd.conf file (everything not listed stays at the package default).<br><br />
Note: for ent 7 (httpd 2.4) many of these lines are no longer in the main httpd.conf, as they were split out into several additional files that can be copied into a conf.d type dir (see the /usr/share/doc/httpd-2.4.*/ files in the layout below), and the last line is: Include conf.vhost.d/*.conf<br><br />
Two things to check: the Order/Allow/Deny lines below are 2.2 syntax and on 2.4 only work while mod_access_compat is loaded (the 2.4 form is Require all granted / Require ip ...), and the /server-status and /server-info paths here must be the same paths the vhost examples exclude from proxying with ProxyPass ... ! (those use /apache-status and /apache-info); a catch-all ProxyPass / forwards any status path that is not excluded to the backend instead of serving it locally.<br />
ServerTokens Prod<br />
<br />
KeepAlive On<br />
<br />
# modules no vhost needs stay commented out (least privilege): mod_dav, mod_userdir, mod_cgi, the proxy modules and the rest below are only loaded where a site needs them (on ent 7 the equivalent LoadModule files live in conf.modules.d-run)<br />
#LoadModule authn_file_module modules/mod_authn_file.so<br />
#LoadModule authn_alias_module modules/mod_authn_alias.so<br />
#LoadModule authn_anon_module modules/mod_authn_anon.so<br />
#LoadModule authn_dbm_module modules/mod_authn_dbm.so<br />
<br />
#LoadModule authz_owner_module modules/mod_authz_owner.so<br />
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so<br />
#LoadModule authz_dbm_module modules/mod_authz_dbm.so<br />
<br />
#LoadModule ldap_module modules/mod_ldap.so<br />
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so<br />
#LoadModule include_module modules/mod_include.so<br />
<br />
#LoadModule logio_module modules/mod_logio.so<br />
#LoadModule env_module modules/mod_env.so<br />
#LoadModule ext_filter_module modules/mod_ext_filter.so<br />
<br />
#LoadModule expires_module modules/mod_expires.so<br />
<br />
#LoadModule dav_module modules/mod_dav.so<br />
<br />
#LoadModule dav_fs_module modules/mod_dav_fs.so<br />
#LoadModule vhost_alias_module modules/mod_vhost_alias.so<br />
#LoadModule negotiation_module modules/mod_negotiation.so<br />
<br />
#LoadModule actions_module modules/mod_actions.so<br />
#LoadModule speling_module modules/mod_speling.so<br />
#LoadModule userdir_module modules/mod_userdir.so<br />
<br />
#LoadModule substitute_module modules/mod_substitute.so<br />
#LoadModule rewrite_module modules/mod_rewrite.so<br />
#LoadModule proxy_module modules/mod_proxy.so<br />
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so<br />
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so<br />
#LoadModule proxy_http_module modules/mod_proxy_http.so<br />
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so<br />
#LoadModule proxy_connect_module modules/mod_proxy_connect.so<br />
<br />
#LoadModule suexec_module modules/mod_suexec.so<br />
<br />
#LoadModule cgi_module modules/mod_cgi.so<br />
#LoadModule version_module modules/mod_version.so<br />
<br />
Include conf.d-run/*.conf<br />
<br />
ExtendedStatus On<br />
<br />
Options FollowSymLinks<br />
<br />
<Directory /home/httpd/*/public_html><br />
AllowOverride None<br />
Options FollowSymLinks<br />
<Limit GET POST OPTIONS><br />
Order allow,deny<br />
Allow from all<br />
</Limit><br />
<LimitExcept GET POST OPTIONS><br />
Order deny,allow<br />
Deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ts # %h (%a) %u \"%{User-Agent}i\"" custom<br />
#LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ob %Ts # %h (%a) %Ib %u \"%{User-Agent}i\"" customio<br />
<br />
ServerSignature Off<br />
<br />
Options MultiViews FollowSymLinks<br />
<br />
#AddLanguage ca .ca<br />
#AddLanguage cs .cz .cs<br />
#AddLanguage da .dk<br />
#AddLanguage de .de<br />
#AddLanguage el .el<br />
#AddLanguage en .en<br />
#AddLanguage eo .eo<br />
#AddLanguage es .es<br />
#AddLanguage et .et<br />
#AddLanguage fr .fr<br />
#AddLanguage he .he<br />
#AddLanguage hr .hr<br />
#AddLanguage it .it<br />
#AddLanguage ja .ja<br />
#AddLanguage ko .ko<br />
#AddLanguage ltz .ltz<br />
#AddLanguage nl .nl<br />
#AddLanguage nn .nn<br />
#AddLanguage no .no<br />
#AddLanguage pl .po<br />
#AddLanguage pt .pt<br />
#AddLanguage pt-BR .pt-br<br />
#AddLanguage ru .ru<br />
#AddLanguage sv .sv<br />
#AddLanguage zh-CN .zh-cn<br />
#AddLanguage zh-TW .zh-tw<br />
<br />
#LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW<br />
<br />
#ForceLanguagePriority Prefer Fallback<br />
<br />
#AddHandler type-map var<br />
<br />
#AddType text/html .shtml<br />
#AddOutputFilter INCLUDES .shtml<br />
<br />
<Location /server-status><br />
SetHandler server-status<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
<Location /server-info><br />
SetHandler server-info<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
# Security Directives<br />
# note: FileETag changes break DAV<br />
# ETag without the INode component, so ETags do not leak inode numbers and stay identical across servers sharing content<br />
FileETag MTime Size<br />
# no TRACE (cross-site tracing)<br />
TraceEnable Off<br />
# 'append' merges with an X-Frame-Options header the proxied application already sends, producing a comma-separated value that is not valid for this header; use 'set' if the backend sets its own<br />
Header always append X-Frame-Options SAMEORIGIN<br />
<br />
Include conf/vhost.d/*<br />
<br />
=== SSL Example ===<br />
We change the following lines in the default ssl.conf file. Make sure there are no SSLProtocol or SSLCipherSuite lines in any VirtualHost configuration: a VirtualHost value replaces the ssl.conf default for that vhost, so the hardening below would silently stop applying to it (grep the vhost dirs for these two directives after every change).<br><br />
Note: for ent 7, the last line is: Include conf.vhost-ssl.d/*.conf<br />
#<VirtualHost _default_:443><br />
<br />
#SSLEngine on<br />
<br />
# SSLv2 and SSLv3 off; this still leaves TLSv1 and TLSv1.1 enabled, add -TLSv1 -TLSv1.1 once every client of the stack speaks TLSv1.2<br />
SSLProtocol all -SSLv2 -SSLv3<br />
<br />
# HSTS for 6 months; includeSubDomains means every name under the domain must already be served over https<br />
Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"<br />
SSLInsecureRenegotiation off<br />
SSLHonorCipherOrder on<br />
# forward-secret (EECDH/EDH) suites only, AEAD and SHA-2 first; the trailing ! list strips anonymous, null, export, low, 3DES, MD5 and RC4 suites (a positive RC4 entry in the list would be cancelled by !RC4 anyway)<br />
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"<br />
<br />
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt<br />
<br />
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key<br />
<br />
#<Files ~ ".(cgi|shtml|phtml|php3?)$"><br />
# SSLOptions +StdEnvVars<br />
#</Files><br />
#<Directory "/var/www/cgi-bin"><br />
# SSLOptions +StdEnvVars<br />
#</Directory><br />
<br />
#</VirtualHost><br />
<br />
Include conf/vhost-ssl.d/*<br />
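The two things above that are easy to get wrong, a vhost-level SSLProtocol/SSLCipherSuite overriding ssl.conf and the ProxyPass ... ! exclusions in the Proxy VHost example not matching the paths the status handlers are actually mounted on, can be checked before a graceful. The following Python script is an added example written for this page, not code from the page or from the httpd project; it parses httpd-style config text with a small tokenizer of its own, the sample snippets inside it are constructed to contain both mistakes, and the list of what SSLProtocol 'all' expands to is an assumption marked in the code.<br />

```python
"""Lint the httpd layout described on this page for three mistakes: SSLProtocol or
SSLCipherSuite inside a <VirtualHost> (overrides ssl.conf), a global SSLProtocol
that still allows a weak version, and a vhost whose catch-all "ProxyPass /" is not
preceded by "ProxyPass <path> !" for every local handler path (first match wins).
Added example, not code from the page or from httpd; samples are constructed."""
import re
import shlex
from collections import namedtuple

ALL_PROTOCOLS = ("sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2")  # assumption: what "all" expands to
WEAK_PROTOCOLS = ("sslv2", "sslv3", "tlsv1", "tlsv1.1")
LOCAL_HANDLERS = ("server-status", "server-info", "balancer-manager")

# section: enclosing sections, outermost first, e.g. ("VirtualHost *:443", "Location /x")
Directive = namedtuple("Directive", "file line name args section")
_OPEN, _CLOSE = re.compile(r"^<(\w+)\s*([^>]*)>$"), re.compile(r"^</\w+>$")

def parse(file, text):
    """Tokenise one config file; comments and blank lines are skipped."""
    out, stack = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            stack.append((m.group(1) + " " + m.group(2)).strip())
        elif _CLOSE.match(line):
            stack.pop()
        else:
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            try: args = shlex.split(rest)
            except ValueError: args = rest.split()  # unbalanced quotes (LogFormat escapes)
            out.append(Directive(file, n, parts[0].lower(), args, tuple(stack)))
    return out

def _vhost(d):
    return next((s for s in d.section if s.lower().startswith("virtualhost")), None)

def enabled_protocols(args):
    """'all' enables every version, -x removes one, +x or a bare x adds one."""
    enabled = set()
    for t in (a.lower() for a in args):
        if t == "all": enabled.update(ALL_PROTOCOLS)
        elif t.startswith("-"): enabled.discard(t[1:])
        else: enabled.add(t.lstrip("+"))
    return enabled

def check_ssl(directives):
    out = []
    for d in directives:
        if d.name in ("sslprotocol", "sslciphersuite") and _vhost(d):
            out.append(f"{d.file}:{d.line}: {d.name} inside <{_vhost(d)}> overrides the ssl.conf default")
        elif d.name == "sslprotocol":
            weak = sorted(enabled_protocols(d.args) & set(WEAK_PROTOCOLS))
            if weak:
                out.append(f"{d.file}:{d.line}: SSLProtocol still allows {', '.join(weak)}")
    return out

def check_proxy(directives):
    """Every local handler path needs 'ProxyPass <path> !' before the vhost's 'ProxyPass /'."""
    handlers = set()
    for d in directives:
        if d.name == "sethandler" and d.args and d.args[0] in LOCAL_HANDLERS:
            loc = next((s for s in d.section if s.lower().startswith("location ")), None)
            if loc:
                handlers.add(loc.split(None, 1)[1])
    per_vhost, out = {}, []
    for d in directives:
        if d.name != "proxypass" or not d.args:
            continue
        st = per_vhost.setdefault(_vhost(d) or "global", {"catchall": None, "excluded": {}})
        if len(d.args) > 1 and d.args[1] == "!":
            st["excluded"][d.args[0]] = d.line
        elif d.args[0] == "/" and st["catchall"] is None:
            st["catchall"] = d.line
    for vh, st in per_vhost.items():
        if st["catchall"] is None:
            continue
        for path in sorted(handlers - set(st["excluded"])):
            out.append(f"<{vh}>: local handler {path} is not excluded and will be proxied to the backend")
        for path, line in sorted(st["excluded"].items()):
            if line > st["catchall"]:
                out.append(f"<{vh}>: 'ProxyPass {path} !' on line {line} comes after 'ProxyPass /' and is ignored")
    return out

def audit(configs):
    """configs maps file name -> text; returns every finding, sorted."""
    directives = [d for name, text in configs.items() for d in parse(name, text)]
    return sorted(check_ssl(directives) + check_proxy(directives))

# constructed samples mirroring the page's examples, with the mistakes deliberately present
SAMPLE_HTTPD_CONF = ("<Location /server-status>\nSetHandler server-status\n</Location>\n"
                     "<Location /server-info>\nSetHandler server-info\n</Location>\n")
SAMPLE_SSL_CONF = "SSLProtocol all -SSLv2 -SSLv3\nSSLHonorCipherOrder on\n"
SAMPLE_VHOST = """\
<VirtualHost 172.16.1.11:443>
    SSLEngine on
    SSLProtocol all
    ProxyPass /apache-info !
    ProxyPass /apache-status !
    ProxyPass / http://172.16.1.12:8080/app-path/
    ProxyPass /jmx-console !
</VirtualHost>
"""

if __name__ == "__main__":
    print("\n".join(audit({"httpd.conf": SAMPLE_HTTPD_CONF, "ssl.conf": SAMPLE_SSL_CONF, "syslog1.conf": SAMPLE_VHOST})))
```

On a real host, feed audit() the text of httpd.conf, the ssl.conf from conf.d-run and every file under the vhost dirs; the sample run reports the vhost-level SSLProtocol, the still-enabled TLSv1/TLSv1.1, the two unexcluded status paths and the exclusion placed after the catch-all.<br />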
<br />
=== Files/Directories Layout ===<br />
<br />
Files<br />
<br />
(before ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (available from subversion)<br />
/etc/httpd/conf.d/ - default auto load config location - DISABLED - installation of new packages MAY add a config file here<br />
/etc/httpd/conf.d-run/ - active auto load config location (if you really want a config activated from conf.d, copy it here)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (available from subversion)<br />
/etc/httpd/conf/vhost-ssl.d/0-mask (mask config & NameVirtualHost setting)<br />
/etc/httpd/conf/vhost-ssl.d/`hostname -s` (default virtual host config)<br />
/etc/httpd/conf/vhost.d/0-mask (non-https config - DISCOURAGED - mask config & NameVirtualHost setting)<br />
/etc/httpd/conf/vhost.d/`hostname -s` (non-https config - DISCOURAGED - default virtual host config)<br />
<br />
(ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (minimal config - see conf.d-run (active/in use) or /usr/share/doc/httpd-2.4.*/ (not active) for others, available from subversion)<br />
/etc/httpd/conf.d/ - default auto load config location - DISABLED - installation of new packages MAY add a config file here<br />
/etc/httpd/conf.d-run/ - active auto load config location (if you really want a config activated from conf.d, copy it here) - we put additional config files of misc Directives (/home/httpd perms, apache TimeOuts, status pages settings, etc.)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (ssl related directives, available from subversion)<br />
/etc/httpd/conf.vhost-ssl.d/0-mask.conf (mask config; the NameVirtualHost line is obsolete on 2.4, name-based vhosts are automatic and the directive only logs a warning)<br />
/etc/httpd/conf.vhost-ssl.d/`hostname -s`.conf (default virtual host config)<br />
/etc/httpd/conf.vhost.d/0-mask.conf (non-https config - DISCOURAGED - mask config, NameVirtualHost obsolete as above)<br />
/etc/httpd/conf.vhost.d/`hostname -s`.conf (non-https config - DISCOURAGED - default virtual host config)<br />
/etc/httpd/conf.modules.d-run/00-ssl.conf - ssl config (LoadModule setting only)<br />
/etc/httpd/conf.modules.d-run/ - additional LoadModule configs (needed to make apache function, proxy modules, etc.)<br />
/usr/share/doc/httpd-2.4.6/httpd-default.conf - additional config directives we use/change (see httpd.conf Example above), copied to conf.d-run<br />
/usr/share/doc/httpd-2.4.6/httpd-info.conf - additional config directives we use/change (see httpd.conf Example above), copied to conf.d-run<br />
/usr/share/doc/httpd-2.4.6/httpd-mpm.conf - additional config directives we use/change (see httpd.conf Example above), copied to conf.d-run<br />
/usr/share/doc/httpd-2.4.6/proxy-html.conf - additional config directives we use/change, copied to conf.d (as a reference and/or if needed as a proxy, and copied to conf.d-run)<br />
<br />
Dirs<br />
<br />
Notes: The use of .d-run directories protects the currently configured apache from being changed by package updates and from insecure additions of configuration files by newly installed packages: httpd only includes the .d-run directories, so anything a package drops into a .d directory is disabled by default, per policy. If a feature is needed, the file is copied from the corresponding .d directory to the .d-run equivalent (e.g. from conf.d to conf.d-run), and after a package update the .d-run copy should be compared against the new shipped file so a security fix in the shipped config is not silently missed.<br />
<br />
(before ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
| |-- vhost-ssl.d : (ssl virtual host files)<br />
| `-- vhost.d : (non-ssl virtual host files)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /var/run/httpd/)<br />
<br />
(ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- conf.modules.d : (unused, new installs/updates go here)<br />
|-- conf.modules.d-run : (real/runtime conf.modules.d dir)<br />
|-- conf.vhost-ssl.d : (ssl virtual host files)<br />
|-- conf.vhost.d : (non-ssl virtual host files)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /run/httpd/)<br />
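To see what the .d/.d-run policy above has left disabled, and whether a package update has changed a shipped file whose older copy is what is actually running from .d-run, the following Python script is an added example written for this page, not the page's own tooling; the demo tree and the file contents it builds are constructed, and on a real host audit_pairs() would be pointed at /etc/httpd.<br />

```python
"""Audit the .d / .d-run split: an added example, not code from the page. For each
pair it reports 'pending' (shipped into the .d dir, no copy in .d-run, so disabled by
policy until copied), 'drifted' (present in both, but the shipped copy no longer
matches the running copy: an update changed it and the .d-run copy needs review)
and 'local' (only in .d-run, written by us). Demo tree and contents are constructed."""
import filecmp
import os
import tempfile

PAIRS = (("conf.d", "conf.d-run"), ("conf.modules.d", "conf.modules.d-run"))  # second pair is ent 7 only

def _confs(path):
    # httpd includes only *.conf from these dirs, so only those are compared
    return {f for f in os.listdir(path) if f.endswith(".conf")} if os.path.isdir(path) else set()

def audit_dir(shipped, running):
    """Compare one shipped .d directory with its .d-run counterpart."""
    s, r = _confs(shipped), _confs(running)
    drifted = [f for f in sorted(s & r)
               if not filecmp.cmp(os.path.join(shipped, f), os.path.join(running, f), shallow=False)]
    return {"pending": sorted(s - r), "drifted": drifted, "local": sorted(r - s)}

def audit_pairs(root, pairs=PAIRS):
    """root is the httpd config dir (/etc/httpd on a real host); keyed by the .d-run dir."""
    return {run: audit_dir(os.path.join(root, d), os.path.join(root, run)) for d, run in pairs}

def build_demo_tree():
    """Constructed layout with hypothetical contents: ssl.conf copied and identical,
    php.conf added by a package and never copied, proxy-html.conf copied earlier but
    changed by an update, 00-dav.conf shipped and not activated, 00-base.conf ours."""
    root = tempfile.mkdtemp(prefix="httpd-demo-")
    files = {
        "conf.d/ssl.conf": "LoadModule ssl_module modules/mod_ssl.so\n",
        "conf.d-run/ssl.conf": "LoadModule ssl_module modules/mod_ssl.so\n",
        "conf.d/php.conf": "AddHandler php5-script .php\n",
        "conf.d/proxy-html.conf": "ProxyHTMLEnable On\nProxyHTMLExtended On\n",
        "conf.d-run/proxy-html.conf": "ProxyHTMLEnable On\n",
        "conf.modules.d/00-dav.conf": "LoadModule dav_module modules/mod_dav.so\n",
        "conf.modules.d-run/00-base.conf": "LoadModule access_compat_module modules/mod_access_compat.so\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for run_dir, r in audit_pairs(build_demo_tree()).items():
        print(f"{run_dir}: pending={r['pending']} drifted={r['drifted']} local={r['local']}")
```

A 'drifted' entry is the case the policy note warns about: the update may carry a hardening change or a fix that the running copy lacks, so diff the two files and re-copy if the change is wanted; a 'pending' entry is exactly what the policy intends, a package-added config that stays off until someone decides it is needed.<br />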
<br />
=== Apache Quick Reference ===<br />
<br />
Commands<br />
<br />
Preferred Restart (graceful: re-reads the config and replaces workers as they finish their current request; no disconnected users/no downtime)<br />
# service httpd graceful<br />
(ent 7: systemctl reload httpd; apachectl graceful works on both releases)<br />
<br />
Status<br />
# service httpd status<br />
<br />
Test Configuration (run this before every graceful: a restart with a syntax error is not applied and can leave httpd stopped; apachectl graceful runs this check itself and refuses to reload on an error)<br />
# service httpd configtest<br />
(ent 7: apachectl configtest, i.e. httpd -t)<br />
<br />
Misc Settings<br />
<br />
Port 80/http redirect to https<br />
Redirect Permanent / https://wiki.example.com/<br />
<br />
redirect to login page<br />
Redirect Permanent / https://beagle.example.com/WORMS/login.htm<br />
<br />
Enable compression<br />
SetOutputFilter DEFLATE<br />
<br />
Interesting URL's<br />
https://hostname/apache-status (current traffic)<br />
https://hostname/apache-info (configuration)</div>Supporthttp://thelinuxsource.org/index.php/ApacheApache2019-11-15T18:51:48Z<p>Support: /* httpd.conf Example */</p>
Supporthttp://thelinuxsource.org/index.php/ApacheApache2019-11-07T16:19:13Z<p>Support: /* httpd.conf Example */</p>
<hr />
<div>=== Policy ===<br />
{{Apache-Policy}}<br />
<br />
=== Overview ===<br />
Our Changes<br><br />
The Apache configuration has been modified slightly to address several security concerns.<br><br />
When installing additional apache modules, and some optional software, a config file is added to the conf.d directory, which automatically enables the module/software by default. However, most of these are not actually wanted or needed, nor ever get used. In our case, these end up being disabled by default, since we actually use a conf.d-run directory instead (the module/software configs that are actually needed/desired are copied from conf.d to conf.d-run).<br><br />
We also create vhost.d (for http URL's) and vhost-ssl.d (for https URL's) directories for virtual host/URL config files. Our current policy is to also include a 0-mask file in these directories which does not serve out any of the sites (when going to the servers IP), but require a valid URL to get to a real/application page.<br><br />
There are some slight differences with enterprise 7 (and newer/Fedora), which changes the vhost naming, with conf.vhost.d and conf.vhost-ssl.d directories. 7 also adds a conf.modules.d, and thus has our corresponding conf.modules.d-run directory is configured/added.<br><br />
SSL/Certificates<br><br />
For the IP/certs used by any/all URLs, the first cert defined for the IP (in our mask file) is the cert used for all subsequent URL definitions on that IP (essentially all other cert directives are unused/ignored). To use more than one cert (or more than one domain where wildcard certs are used), additional IPs would need to be used (and the mask section duplicated for the additional IP).<br><br />
Note: recent changes to kickstart no longer install a cert on every system. This breaks Apache, as it will not start out of the chute from kickstart. Install a valid prod or non-prod cert via yum to resolve.<br><br />
Note: 2.2.9 added support for ProxyPassReverse balancer://<br />
<br />
=== Documentation References ===<br />
Enterprise 6<br />
http://httpd.apache.org/docs/2.2/<br />
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.2/howto/auth.html<br />
<br />
Enterprise 7<br />
http://httpd.apache.org/docs/2.4/<br />
http://httpd.apache.org/docs/2.4/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.4/howto/auth.html<br />
<br />
=== VHost Example ===<br />
Note: we put the mask section in a file named 0-mask (the '0-' prefix makes it sort first in the dir listing, i.e. apache loads it first); the real virtual host (or many virtual host files) should be in their own file(s) named after their URL(s) (a file named 'syslog' in this case)<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
#ProxyTimeout 1200<br />
#ProxyStatus Full<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
# load balancer settings for multiple app servers<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
#ProxyPass /apache-info !<br />
#ProxyPass /apache-status !<br />
#ProxyPass /balancer-manager !<br />
#ProxyPass /jmx-console !<br />
#ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
The VirtualHost line should have :80 instead of :443 if the site is not ssl/https (and the file should be in the vhost.d dir)<br />
All SSL* lines are ssl only; do not include them if not ssl/https<br />
Proxy* lines are only needed if this is a proxy for other app server(s) or a local app (use the appropriate IPs)<br />
<br />
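To verify the mask policy described above across a whole vhost directory, here is a small added shell check; it is not part of the original page or of the site's own tooling. It reads the files in sorted name order, the order an Include glob loads them in, and reports the ServerName of the first VirtualHost seen for each ip:port, which is the vhost Apache falls back to when no ServerName/ServerAlias matches and, per the SSL/Certificates note above, the one whose cert is used. Under the 0-mask policy that name must be the bare IP. The directory and vhost contents built by make_sample_vhosts are constructed for the demonstration; the 172.16.1.11 address is the page's, the 10.0.0.5 address and the site names are assumptions.<br />

```shell
#!/bin/sh
# default_vhosts: print "ip:port servername" for the FIRST <VirtualHost> loaded
# on each address. Apache treats that vhost as the default for the address, so
# under the 0-mask policy its ServerName must be the bare IP. Files are read in
# sorted name order, the order "Include dir/*" loads them in, which is why the
# mask file is called 0-mask. Comment lines are ignored; IPv6 bracket addresses
# are not handled.
default_vhosts() {
    vdir="$1"
    for f in "$vdir"/*; do [ -f "$f" ] && cat "$f"; done | awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*<VirtualHost[[:space:]]/ {
            addr = $2; sub(/>.*$/, "", addr); invhost = 1; next
        }
        invhost && /^[[:space:]]*ServerName[[:space:]]/ {
            if (!(addr in first)) { first[addr] = $2; order[++n] = addr }
        }
        /^[[:space:]]*<\/VirtualHost>/ { invhost = 0 }
        END { for (i = 1; i <= n; i++) print order[i], first[order[i]] }'
}

# check_masks: succeed only when every address defaults to an IP-literal (mask)
# vhost; otherwise list the addresses whose default is a real site and fail.
check_masks() {
    bad=$(default_vhosts "$1" | awk '
        { split($1, a, ":"); if ($2 != a[1]) print "NO MASK:", $1, "defaults to", $2 }')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# make_sample_vhosts: constructed stand-in for conf/vhost-ssl.d (assumed names
# and the assumed 10.0.0.5 address), so the check can be run offline. The
# 172.16.1.11 address has its mask; 10.0.0.5 does not, and the commented-out
# block must not count as one. Prints the temporary directory it created.
make_sample_vhosts() {
    d=$(mktemp -d)
    cat > "$d/0-mask" <<'EOF'
<VirtualHost 172.16.1.11:443>
ServerName 172.16.1.11
SSLEngine on
</VirtualHost>
EOF
    cat > "$d/syslog" <<'EOF'
<VirtualHost 172.16.1.11:443>
ServerName syslog.example.com
</VirtualHost>
# <VirtualHost 10.0.0.5:443>
# ServerName commented.example.com
# </VirtualHost>
<VirtualHost 10.0.0.5:443>
ServerName intranet.example.com
</VirtualHost>
EOF
    printf '%s' "$d"
}

# Real-host usage (before ent 7 layout):
#   default_vhosts /etc/httpd/conf/vhost-ssl.d
#   check_masks    /etc/httpd/conf/vhost-ssl.d || echo "fix the mask files first"
```

Run check_masks against both vhost directories after adding or renaming any vhost file; a file that happens to sort before 0-mask (for example one starting with a dot or a digit below 0) silently becomes the new default for its address, and this check catches that.<br />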
=== Proxy VHost Example ===<br />
Note: the mask section should be/is in a file named 0-mask; the real virtual host(s) should be in their own file(s) named after their URL (a file named 'syslog' in this case)<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog1.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
ProxyTimeout 1200<br />
ProxyStatus Full<br />
SSLProxyEngine on<br />
# load balancer settings for multiple app servers<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
ProxyPass /apache-info !<br />
ProxyPass /apache-status !<br />
ProxyPass /balancer-manager !<br />
ProxyPass /jmx-console !<br />
ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings (requires Header & Proxy balancer section above)<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
=== httpd.conf Example ===<br />
We change the following lines in the default httpd.conf file<br><br />
Note: for ent 7, the last line is: Include conf.vhost.d/*.conf<br />
ServerTokens Prod<br />
<br />
KeepAlive On<br />
<br />
#LoadModule authn_file_module modules/mod_authn_file.so<br />
#LoadModule authn_alias_module modules/mod_authn_alias.so<br />
#LoadModule authn_anon_module modules/mod_authn_anon.so<br />
#LoadModule authn_dbm_module modules/mod_authn_dbm.so<br />
<br />
#LoadModule authz_owner_module modules/mod_authz_owner.so<br />
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so<br />
#LoadModule authz_dbm_module modules/mod_authz_dbm.so<br />
<br />
#LoadModule ldap_module modules/mod_ldap.so<br />
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so<br />
#LoadModule include_module modules/mod_include.so<br />
<br />
#LoadModule logio_module modules/mod_logio.so<br />
#LoadModule env_module modules/mod_env.so<br />
#LoadModule ext_filter_module modules/mod_ext_filter.so<br />
<br />
#LoadModule expires_module modules/mod_expires.so<br />
<br />
#LoadModule dav_module modules/mod_dav.so<br />
<br />
#LoadModule dav_fs_module modules/mod_dav_fs.so<br />
#LoadModule vhost_alias_module modules/mod_vhost_alias.so<br />
#LoadModule negotiation_module modules/mod_negotiation.so<br />
<br />
#LoadModule actions_module modules/mod_actions.so<br />
#LoadModule speling_module modules/mod_speling.so<br />
#LoadModule userdir_module modules/mod_userdir.so<br />
<br />
#LoadModule substitute_module modules/mod_substitute.so<br />
#LoadModule rewrite_module modules/mod_rewrite.so<br />
#LoadModule proxy_module modules/mod_proxy.so<br />
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so<br />
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so<br />
#LoadModule proxy_http_module modules/mod_proxy_http.so<br />
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so<br />
#LoadModule proxy_connect_module modules/mod_proxy_connect.so<br />
<br />
#LoadModule suexec_module modules/mod_suexec.so<br />
<br />
#LoadModule cgi_module modules/mod_cgi.so<br />
#LoadModule version_module modules/mod_version.so<br />
<br />
Include conf.d-run/*.conf<br />
<br />
ExtendedStatus On<br />
<br />
Options FollowSymLinks<br />
<br />
<Directory /home/httpd/*/public_html><br />
AllowOverride None<br />
Options FollowSymLinks<br />
<Limit GET POST OPTIONS><br />
Order allow,deny<br />
Allow from all<br />
</Limit><br />
<LimitExcept GET POST OPTIONS><br />
Order deny,allow<br />
Deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ts # %h (%a) %u \"%{User-Agent}i\"" custom<br />
#LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ob %Ts # %h (%a) %Ib %u \"%{User-Agent}i\"" customio<br />
<br />
ServerSignature Off<br />
<br />
Options MultiViews FollowSymLinks<br />
<br />
#AddLanguage ca .ca<br />
#AddLanguage cs .cz .cs<br />
#AddLanguage da .dk<br />
#AddLanguage de .de<br />
#AddLanguage el .el<br />
#AddLanguage en .en<br />
#AddLanguage eo .eo<br />
#AddLanguage es .es<br />
#AddLanguage et .et<br />
#AddLanguage fr .fr<br />
#AddLanguage he .he<br />
#AddLanguage hr .hr<br />
#AddLanguage it .it<br />
#AddLanguage ja .ja<br />
#AddLanguage ko .ko<br />
#AddLanguage ltz .ltz<br />
#AddLanguage nl .nl<br />
#AddLanguage nn .nn<br />
#AddLanguage no .no<br />
#AddLanguage pl .po<br />
#AddLanguage pt .pt<br />
#AddLanguage pt-BR .pt-br<br />
#AddLanguage ru .ru<br />
#AddLanguage sv .sv<br />
#AddLanguage zh-CN .zh-cn<br />
#AddLanguage zh-TW .zh-tw<br />
<br />
#LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW<br />
<br />
#ForceLanguagePriority Prefer Fallback<br />
<br />
#AddHandler type-map var<br />
<br />
#AddType text/html .shtml<br />
#AddOutputFilter INCLUDES .shtml<br />
<br />
<Location /server-status><br />
SetHandler server-status<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
<Location /server-info><br />
SetHandler server-info<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
# Security Directives<br />
# note: FileETag changes break DAV<br />
FileETag MTime Size<br />
TraceEnable Off<br />
Header always append X-Frame-Options SAMEORIGIN<br />
<br />
Include conf/vhost.d/*<br />
<br />
=== SSL Example ===<br />
We change the following lines in the default ssl.conf file (make sure there are no SSLProtocol & SSLCipherSuite lines in any VirtualHost configuration, otherwise the default SSLProtocol & SSLCipherSuite lines set in ssl.conf have no effect)<br><br />
Note: for ent 7, the last line is: Include conf.vhost-ssl.d/*.conf<br />
#<VirtualHost _default_:443><br />
<br />
#SSLEngine on<br />
<br />
SSLProtocol all -SSLv2 -SSLv3<br />
<br />
Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"<br />
SSLInsecureRenegotiation off<br />
SSLHonorCipherOrder on<br />
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"<br />
<br />
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt<br />
<br />
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key<br />
<br />
#<Files ~ ".(cgi|shtml|phtml|php3?)$"><br />
# SSLOptions +StdEnvVars<br />
#</Files><br />
#<Directory "/var/www/cgi-bin"><br />
# SSLOptions +StdEnvVars<br />
#</Directory><br />
<br />
#</VirtualHost><br />
<br />
Include conf/vhost-ssl.d/*<br />
<br />
=== Files/Directories Layout ===<br />
<br />
Files<br />
<br />
(before ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (available from subversion)<br />
/etc/httpd/conf.d/ - default auto load config location - DISABLED - installation of new packages MAY add a config file here<br />
/etc/httpd/conf.d-run/ - active auto load config location (if you really want a config activated from conf.d, copy it here)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (available from subversion)<br />
/etc/httpd/conf/vhost-ssl.d/0-mask (mask config & NameVirtualHost setting)<br />
/etc/httpd/conf/vhost-ssl.d/`hostname -s` (default virtual host config)<br />
/etc/httpd/conf/vhost.d/0-mask (non-https config - DISCOURAGED - mask config & NameVirtualHost setting)<br />
/etc/httpd/conf/vhost.d/`hostname -s` (non-https config - DISCOURAGED - default virtual host config)<br />
<br />
(ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (minimal config - see conf.d-run (active/in use) or /usr/share/doc/httpd-2.4.*/ (not active) for others, available from subversion)<br />
/etc/httpd/conf.d/ - default auto load config location - DISABLED - installation of new packages MAY add a config file here<br />
/etc/httpd/conf.d-run/ - active auto load config location (if you really want a config activated from conf.d, copy it here) - we put additional config files of misc Directives (/home/httpd perms, apache TimeOuts, status pages settings, etc.)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (ssl related directives, available from subversion)<br />
/etc/httpd/conf.vhost-ssl.d/0-mask.conf (mask config & NameVirtualHost setting)<br />
/etc/httpd/conf.vhost-ssl.d/`hostname -s`.conf (default virtual host config)<br />
/etc/httpd/conf.vhost.d/0-mask.conf (non-https config - DISCOURAGED - mask config & NameVirtualHost setting)<br />
/etc/httpd/conf.vhost.d/`hostname -s`.conf (non-https config - DISCOURAGED - default virtual host config)<br />
/etc/httpd/conf.modules.d-run/00-ssl.conf - ssl config (LoadModule setting only)<br />
/etc/httpd/conf.modules.d-run/ - additional LoadModule configs (needed to make apache function, proxy modules, etc.)<br />
<br />
Dirs<br />
<br />
Notes: The use of .d-run directories protects the currently configured apache from being affected by changes made by updates and by insecure additions of configuration files from the installation of new packages. We want additions to be disabled by default, per policy. If a feature is needed, the file is copied from the corresponding .d directory to the .d-run equivalent (e.g. from conf.d to conf.d-run).<br />
<br />
(before ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
| |-- vhost-ssl.d : (ssl virtual host files)<br />
| `-- vhost.d : (non-ssl virtual host files)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /var/run/httpd/)<br />
<br />
(ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- conf.modules.d : (unused, new installs/updates go here)<br />
|-- conf.modules.d-run : (real/runtime conf.modules.d dir)<br />
|-- conf.vhost-ssl.d : (ssl virtual host files)<br />
|-- conf.vhost.d : (non-ssl virtual host files)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /run/httpd/)<br />
<br />
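The conf.d / conf.d-run split described in the Overview and in the Notes above relies on someone noticing when a package update drops a new file into conf.d, or changes a shipped file that was already copied to conf.d-run. The following added shell audit (example code, not the page's or the site's own script) compares the two directories and classifies each .conf as DISABLED (in .d only, the expected state for unwanted additions), ACTIVE (identical copy in .d-run), DRIFT (the .d-run copy differs from what the package now ships, so the difference should be reviewed) or LOCAL (hand-written, only in .d-run). The same functions serve the ent 7 conf.modules.d / conf.modules.d-run pair. The tree built by make_sample stands in for /etc/httpd and is constructed for the demonstration; its file names and contents are assumptions.<br />

```shell
#!/bin/sh
# audit_dotd: compare a package-managed .d directory with its .d-run twin.
#   DISABLED  shipped in .d, never copied to .d-run (inactive, per policy)
#   ACTIVE    copied to .d-run and still identical to the shipped file
#   DRIFT     .d-run copy differs from the shipped file (an update changed the
#             shipped one, or the copy was edited locally) - review the diff
#   LOCAL     exists only in .d-run (hand-written, not from a package)
audit_dotd() {
    src="$1"   # e.g. /etc/httpd/conf.d or /etc/httpd/conf.modules.d
    run="$2"   # e.g. /etc/httpd/conf.d-run or /etc/httpd/conf.modules.d-run
    for f in "$src"/*.conf; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$run/$name" ]; then
            printf 'DISABLED %s\n' "$name"
        elif cmp -s "$f" "$run/$name"; then
            printf 'ACTIVE   %s\n' "$name"
        else
            printf 'DRIFT    %s\n' "$name"
        fi
    done
    for f in "$run"/*.conf; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ -f "$src/$name" ] || printf 'LOCAL    %s\n' "$name"
    done
}

# show_drift: unified diff of every DRIFT file, shipped version first, so the
# reviewer sees exactly what the package update would have changed.
show_drift() {
    src="$1"; run="$2"
    audit_dotd "$src" "$run" | awk '$1 == "DRIFT" { print $2 }' |
    while read -r name; do
        diff -u "$src/$name" "$run/$name" || true
    done
}

# make_sample: constructed stand-in for /etc/httpd (assumed file names) so the
# audit can be exercised offline. Prints the temporary directory it created.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d" "$d/conf.d-run"
    # shipped by a package, never activated
    printf 'LoadModule php5_module modules/libphp5.so\n' > "$d/conf.d/php.conf"
    # shipped and activated, then the shipped copy was changed by an update
    printf 'Listen 443\nSSLProtocol all -SSLv2\n' > "$d/conf.d/ssl.conf"
    printf 'Listen 443\nSSLProtocol all -SSLv2 -SSLv3\n' > "$d/conf.d-run/ssl.conf"
    # shipped and activated, unchanged
    printf 'Alias /manual /var/www/manual\n' > "$d/conf.d/manual.conf"
    cp "$d/conf.d/manual.conf" "$d/conf.d-run/manual.conf"
    # written by hand directly into the -run directory
    printf 'TimeOut 60\n' > "$d/conf.d-run/misc.conf"
    printf '%s' "$d"
}

# Real-host usage, e.g. after "yum update httpd*":
#   audit_dotd /etc/httpd/conf.d /etc/httpd/conf.d-run
#   show_drift /etc/httpd/conf.d /etc/httpd/conf.d-run
#   audit_dotd /etc/httpd/conf.modules.d /etc/httpd/conf.modules.d-run   # ent 7
```

A DISABLED line is the normal, wanted result for a freshly installed package; DRIFT is the one to act on, since the shipped file may carry a fix (or a new default) that the active copy in .d-run does not.<br />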
=== Apache Quick Reference ===<br />
<br />
Commands<br />
<br />
Preferred Restart (does not disconnect users/no downtime)<br />
# service httpd graceful<br />
<br />
Status<br />
# service httpd status<br />
<br />
Test Configuration<br />
# service httpd configtest<br />
<br />
Misc Settings<br />
<br />
Port 80/http redirect to https<br />
Redirect Permanent / https://wiki.example.com/<br />
<br />
redirect to login page<br />
Redirect Permanent / https://beagle.example.com/WORMS/login.htm<br />
<br />
Enable compression<br />
SetOutputFilter DEFLATE<br />
<br />
Interesting URLs<br />
https://hostname/apache-status (current traffic)<br />
https://hostname/apache-info (configuration)</div>Supporthttp://thelinuxsource.org/index.php/ApacheApache2019-04-10T16:01:29Z<p>Support: /* Files/Directories Layout */</p>
<hr />
<div>=== Policy ===<br />
{{Apache-Policy}}<br />
<br />
=== Overview ===<br />
Our Changes<br><br />
The Apache configuration has been modified slightly to address several security concerns.<br><br />
When installing additional apache modules, and some optional software, a config file is added to the conf.d directory, which automatically enables the module/software by default. However, most of these are not actually wanted or needed, nor ever get used. In our case, these end up being disabled by default, since we actually use a conf.d-run directory instead (the module/software configs that are actually needed/desired are copied from conf.d to conf.d-run).<br><br />
We also create vhost.d (for http URL's) and vhost-ssl.d (for https URL's) directories for virtual host/URL config files. Our current policy is to also include a 0-mask file in these directories which does not serve out any of the sites (when going to the servers IP), but require a valid URL to get to a real/application page.<br><br />
There are some slight differences with enterprise 7 (and newer/Fedora), which changes the vhost naming, with conf.vhost.d and conf.vhost-ssl.d directories. 7 also adds a conf.modules.d, and thus has our corresponding conf.modules.d-run directory is configured/added.<br><br />
SSL/Certificates<br><br />
For IP/certs used for any/all URL's, the first cert defined for the IP (in our mask file) is the cert used for all subsequent URL definitions for that IP (essentially all other cert directives are unused/ignored). To use more than one cert (or more than one domain where wildcard certs are used), additional IP's would need to be used (and the mask section duplicated for the additional IP).<br><br />
Note: recent changes to kickstart no longer install a cert on every system. This breaks Apache, as it will not start out of the chute from kickstart. Install a valid prod or non-prod cert via yum to resolve.<br><br />
Note: 2.2.9 added support for ProxyPassReverse balancer://<br />
<br />
=== Documentation References ===<br />
Enterprise 6<br />
http://httpd.apache.org/docs/2.2/<br />
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.2/howto/auth.html<br />
<br />
Enterprise 7<br />
http://httpd.apache.org/docs/2.4/<br />
http://httpd.apache.org/docs/2.4/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.4/howto/auth.html<br />
<br />
=== VHost Example ===<br />
Note: the mask section we put in a file named 0-mask (we add the '0-' so it shows up in the dir listing first, i.e. it gets loaded first by apache), the real virtual host (or many virtual host files) should be in their own file(s) based on their URL(s) (a file named 'syslog' in this case)<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
#ProxyTimeout 1200<br />
#ProxyStatus Full<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
# load balancer settings for multiple app servers<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
#ProxyPass /apache-info !<br />
#ProxyPass /apache-status !<br />
#ProxyPass /balancer-manager !<br />
#ProxyPass /jmx-console !<br />
#ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
VirtualHost line should have :80 instead of :443 if not ssl/https (and should be in vhost.d dir)<br />
All SSL* lines are ssl only, do not include these if not ssl/https<br />
Proxy* lines are only if this is a proxy for another app server(s) or a local app (use appropriate IP's)<br />
<br />
=== Proxy VHost Example ===<br />
Note: the mask section should be/is in a file named 0-mask, the real virtual host(s) (syslog in this case) should be in their own file(s) based on their URL (a file named 'syslog' in this case)<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog1.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
ProxyTimeout 1200<br />
ProxyStatus Full<br />
SSLProxyEngine on<br />
# load balancer settings for multiple app servers<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
ProxyPass /apache-info !<br />
ProxyPass /apache-status !<br />
ProxyPass /balancer-manager !<br />
ProxyPass /jmx-console !<br />
ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings (requires Header & Proxy balancer section above)<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
=== httpd.conf Example ===<br />
We change the following lines in the default ssl.conf file<br><br />
Note: for ent 7, the last line is: Include conf.vhost.d/*.conf<br />
ServerTokens Prod<br />
<br />
KeepAlive On<br />
<br />
#LoadModule authn_file_module modules/mod_authn_file.so<br />
#LoadModule authn_alias_module modules/mod_authn_alias.so<br />
#LoadModule authn_anon_module modules/mod_authn_anon.so<br />
#LoadModule authn_dbm_module modules/mod_authn_dbm.so<br />
<br />
#LoadModule authz_owner_module modules/mod_authz_owner.so<br />
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so<br />
#LoadModule authz_dbm_module modules/mod_authz_dbm.so<br />
<br />
#LoadModule ldap_module modules/mod_ldap.so<br />
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so<br />
#LoadModule include_module modules/mod_include.so<br />
<br />
#LoadModule logio_module modules/mod_logio.so<br />
#LoadModule env_module modules/mod_env.so<br />
#LoadModule ext_filter_module modules/mod_ext_filter.so<br />
<br />
#LoadModule expires_module modules/mod_expires.so<br />
<br />
#LoadModule dav_module modules/mod_dav.so<br />
<br />
#LoadModule dav_fs_module modules/mod_dav_fs.so<br />
#LoadModule vhost_alias_module modules/mod_vhost_alias.so<br />
#LoadModule negotiation_module modules/mod_negotiation.so<br />
<br />
#LoadModule actions_module modules/mod_actions.so<br />
#LoadModule speling_module modules/mod_speling.so<br />
#LoadModule userdir_module modules/mod_userdir.so<br />
<br />
#LoadModule substitute_module modules/mod_substitute.so<br />
#LoadModule rewrite_module modules/mod_rewrite.so<br />
#LoadModule proxy_module modules/mod_proxy.so<br />
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so<br />
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so<br />
#LoadModule proxy_http_module modules/mod_proxy_http.so<br />
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so<br />
#LoadModule proxy_connect_module modules/mod_proxy_connect.so<br />
<br />
#LoadModule suexec_module modules/mod_suexec.so<br />
<br />
#LoadModule cgi_module modules/mod_cgi.so<br />
#LoadModule version_module modules/mod_version.so<br />
<br />
Include conf.d-run/*.conf<br />
<br />
ExtendedStatus On<br />
<br />
Options FollowSymLinks<br />
<br />
<Directory /home/httpd/*/public_html><br />
AllowOverride None<br />
Options FollowSymLinks<br />
<Limit GET POST OPTIONS><br />
Order allow,deny<br />
Allow from all<br />
</Limit><br />
<LimitExcept GET POST OPTIONS><br />
Order deny,allow<br />
Deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ts # %h (%a) %u \"%{User-Agent}i\"" custom<br />
#LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ob %Ts # %h (%a) %Ib %u \"%{User-Agent}i\"" customio<br />
<br />
ServerSignature Off<br />
<br />
Options MultiViews FollowSymLinks<br />
<br />
#AddLanguage ca .ca<br />
#AddLanguage cs .cz .cs<br />
#AddLanguage da .dk<br />
#AddLanguage de .de<br />
#AddLanguage el .el<br />
#AddLanguage en .en<br />
#AddLanguage eo .eo<br />
#AddLanguage es .es<br />
#AddLanguage et .et<br />
#AddLanguage fr .fr<br />
#AddLanguage he .he<br />
#AddLanguage hr .hr<br />
#AddLanguage it .it<br />
#AddLanguage ja .ja<br />
#AddLanguage ko .ko<br />
#AddLanguage ltz .ltz<br />
#AddLanguage nl .nl<br />
#AddLanguage nn .nn<br />
#AddLanguage no .no<br />
#AddLanguage pl .po<br />
#AddLanguage pt .pt<br />
#AddLanguage pt-BR .pt-br<br />
#AddLanguage ru .ru<br />
#AddLanguage sv .sv<br />
#AddLanguage zh-CN .zh-cn<br />
#AddLanguage zh-TW .zh-tw<br />
<br />
#LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW<br />
<br />
#ForceLanguagePriority Prefer Fallback<br />
<br />
#AddHandler type-map var<br />
<br />
#AddType text/html .shtml<br />
#AddOutputFilter INCLUDES .shtml<br />
<br />
<Location /server-status><br />
SetHandler server-status<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
<Location /server-info><br />
SetHandler server-info<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
# Security Directives<br />
# note: FileETag changes break DAV<br />
FileETag MTime Size<br />
TraceEnable Off<br />
Header always append X-Frame-Options SAMEORIGIN<br />
<br />
Include conf/vhost.d/*<br />
<br />
=== SSL Example ===<br />
We change the following lines in the default ssl.conf file (make sure there are no SSLProtocol or SSLCipherSuite lines in any VirtualHost configuration; a per-VirtualHost setting overrides the defaults, so the SSLProtocol and SSLCipherSuite lines set in ssl.conf would then have no effect)<br><br />
Note: for ent 7, the last line is: Include conf.vhost-ssl.d/*.conf<br />
#<VirtualHost _default_:443><br />
<br />
#SSLEngine on<br />
<br />
SSLProtocol all -SSLv2 -SSLv3<br />
<br />
Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"<br />
SSLInsecureRenegotiation off<br />
SSLHonorCipherOrder on<br />
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"<br />
<br />
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt<br />
<br />
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key<br />
<br />
#<Files ~ ".(cgi|shtml|phtml|php3?)$"><br />
# SSLOptions +StdEnvVars<br />
#</Files><br />
#<Directory "/var/www/cgi-bin"><br />
# SSLOptions +StdEnvVars<br />
#</Directory><br />
<br />
#</VirtualHost><br />
<br />
Include conf/vhost-ssl.d/*<br />
<br />
=== Files/Directories Layout ===<br />
<br />
Files<br />
<br />
(before ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (available from subversion)<br />
/etc/httpd/conf.d/ - default auto load config location - DISABLED - installation of new packages MAY add a config file here<br />
/etc/httpd/conf.d-run/ - active auto load config location (if you really want a config activated from conf.d, copy it here)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (available from subversion)<br />
/etc/httpd/conf/vhost-ssl.d/0-mask (mask config & NameVirtualhost setting)<br />
/etc/httpd/conf/vhost-ssl.d/`hostname -s` (default virtual host config)<br />
/etc/httpd/conf/vhost.d/0-mask (non-https config - DISCOURAGED - mask config & NameVirtualhost setting)<br />
/etc/httpd/conf/vhost.d/`hostname -s` (non-https config - DISCOURAGED - default virtual host config)<br />
<br />
(ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (minimal config - see conf.d-run (active/in use) or /usr/share/doc/httpd-2.4.*/ (not active) for others, available from subversion)<br />
/etc/httpd/conf.d/ - default auto load config location - DISABLED - installation of new packages MAY add a config file here<br />
/etc/httpd/conf.d-run/ - active auto load config location (if you really want a config activated from conf.d, copy it here) - we put additional config files of misc Directives (/home/httpd perms, apache TimeOuts, status pages settings, etc.)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (ssl related directives, available from subversion)<br />
/etc/httpd/conf.vhost-ssl.d/0-mask.conf (mask config & NameVirtualhost setting)<br />
/etc/httpd/conf.vhost-ssl.d/`hostname -s`.conf (default virtual host config)<br />
/etc/httpd/conf.vhost.d/0-mask.conf (non-https config - DISCOURAGED - mask config & NameVirtualhost setting)<br />
/etc/httpd/conf.vhost.d/`hostname -s`.conf (non-https config - DISCOURAGED - default virtual host config)<br />
/etc/httpd/conf.modules.d-run/00-ssl.conf - ssl config (LoadModule setting only)<br />
/etc/httpd/conf.modules.d-run/ - additional LoadModule configs (needed to make apache function, proxy modules, etc.)<br />
<br />
Dirs<br />
<br />
Notes: The use of .d-run directories protects the currently configured apache from being affected by configuration changes made by updates and from insecure configuration files dropped in by the installation of new packages. We want such additions to be disabled by default, per policy. If a feature is needed, its file is copied from the corresponding .d directory to the .d-run equivalent (e.g. from conf.d to conf.d-run).<br />
<br />
(before ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
| |-- vhost-ssl.d : (ssl virtual host files)<br />
| `-- vhost.d : (non-ssl virtual host files)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /var/run/httpd/)<br />
<br />
(ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- conf.modules.d : (unused, new installs/updates go here)<br />
|-- conf.modules.d-run : (real/runtime conf.modules.d dir)<br />
|-- conf.vhost-ssl.d : (ssl virtual host files)<br />
|-- conf.vhost.d : (non-ssl virtual host files)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /run/httpd/)<br />
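<br />
As an added example (not the page's own tooling), the following Python script audits a config text for the hardening directives set in the SSL Example and the Security Directives above, and for the .d-run include policy described in the notes. The two config texts it checks are constructed: one matches this page's settings, the other is the same server with the hardening undone.<br />

```python
"""Static audit of the hardening directives this page sets in httpd.conf and ssl.conf.

Added example, not part of the original wiki page. It inspects configuration text
(not a running server) and knows only the directives discussed on this page.
"""
import re

# Exclusions the page's SSLCipherSuite string ends with; a cipher string that
# drops any of them re-admits weak or anonymous suites.
REQUIRED_CIPHER_EXCLUSIONS = {"!aNULL", "!eNULL", "!LOW", "!3DES", "!MD5", "!EXP", "!RC4"}


def directives(text):
    """Yield (name, value) for each active directive. Comments and section tags are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def ssl_protocol_ok(value):
    """Accept the page's 'all -SSLv2 -SSLv3' form or an explicit TLS-only list."""
    tokens = value.split()
    if "all" in tokens:
        return "-SSLv2" in tokens and "-SSLv3" in tokens
    return not any(t.lstrip("+") in ("SSLv2", "SSLv3") for t in tokens)


def audit(text):
    """Return a list of findings; an empty list means every checked directive matches the page's policy."""
    seen, includes = {}, []
    for name, value in directives(text):
        if name == "Include":
            includes.append(value)
        else:
            seen.setdefault(name, []).append(value)
    findings = []

    def expect(name, predicate, why):
        values = seen.get(name)
        if values is None:
            findings.append(f"{name} missing: {why}")
        elif not all(predicate(v) for v in values):
            findings.append(f"{name} {values}: {why}")

    expect("ServerTokens", lambda v: v == "Prod", "page sets Prod to keep the version banner minimal")
    expect("ServerSignature", lambda v: v.lower() == "off", "page turns the error-page signature off")
    expect("TraceEnable", lambda v: v.lower() == "off", "page disables TRACE")
    expect("FileETag", lambda v: "inode" not in v.lower(), "page sets 'MTime Size' (no INode)")
    expect("SSLProtocol", ssl_protocol_ok, "SSLv2 and SSLv3 must be excluded")
    expect("SSLHonorCipherOrder", lambda v: v.lower() == "on", "server must pick the cipher, not the client")
    expect("SSLInsecureRenegotiation", lambda v: v.lower() == "off", "insecure renegotiation must stay off")
    expect("SSLCipherSuite",
           lambda v: REQUIRED_CIPHER_EXCLUSIONS <= set(re.split(r"[\s:]+", v.strip('"'))),
           f"cipher string must keep {sorted(REQUIRED_CIPHER_EXCLUSIONS)}")
    headers = seen.get("Header", [])
    for hdr in ("X-Frame-Options", "Strict-Transport-Security"):
        if not any(hdr in h for h in headers):
            findings.append(f"Header {hdr} not set")
    # Policy from the Files/Directories Layout notes: only the .d-run copies are included,
    # so a package that drops a file into conf.d or conf.modules.d does not enable itself.
    for inc in includes:
        if re.match(r"(conf\.d|conf\.modules\.d)/", inc):
            findings.append(f"Include {inc}: auto-enables package-dropped configs; include the .d-run directory instead")
    return findings


# Constructed config texts (not copied from any real server). GOOD_CONF follows the
# directives shown on this page; WEAK_CONF is the same server with the hardening undone.
GOOD_CONF = """\
ServerTokens Prod
KeepAlive On
Include conf.d-run/*.conf
<Directory /home/httpd/*/public_html>
AllowOverride None
</Directory>
ServerSignature Off
# Security Directives
FileETag MTime Size
TraceEnable Off
Header always append X-Frame-Options SAMEORIGIN
SSLProtocol all -SSLv2 -SSLv3
Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"
SSLInsecureRenegotiation off
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
Include conf/vhost-ssl.d/*
"""

WEAK_CONF = """\
ServerTokens OS
Include conf.d/*.conf
ServerSignature On
FileETag INode MTime Size
TraceEnable On
SSLProtocol all -SSLv2
SSLHonorCipherOrder off
SSLCipherSuite "HIGH:MEDIUM:!aNULL"
"""

if __name__ == "__main__":
    for label, conf in (("page settings", GOOD_CONF), ("weakened", WEAK_CONF)):
        findings = audit(conf)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```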
<br />
=== Apache Quick Reference ===<br />
<br />
Commands<br />
<br />
Preferred Restart (does not disconnect users/no downtime)<br />
# service httpd graceful<br />
<br />
Status<br />
# service httpd status<br />
<br />
Test Configuration<br />
# service httpd configtest<br />
<br />
Misc Settings<br />
<br />
Port 80/http redirect to https<br />
Redirect Permanent / https://wiki.example.com/<br />
<br />
redirect to login page<br />
Redirect Permanent / https://beagle.example.com/WORMS/login.htm<br />
<br />
Enable compression<br />
SetOutputFilter DEFLATE<br />
<br />
Interesting URLs<br />
https://hostname/apache-status (current traffic)<br />
https://hostname/apache-info (configuration)</div>
Support http://thelinuxsource.org/index.php/Apache Apache 2019-04-10T15:06:38Z <p>Support: /* Files/Directories Layout */</p>
<hr />
<div>=== Policy ===<br />
{{Apache-Policy}}<br />
<br />
=== Overview ===<br />
Our Changes<br><br />
The Apache configuration has been modified slightly to address several security concerns.<br><br />
When installing additional apache modules, and some optional software, a config file is added to the conf.d directory, which automatically enables the module/software by default. However, most of these are not actually wanted or needed, nor ever get used. In our case, these end up being disabled by default, since we actually use a conf.d-run directory instead (the module/software configs that are actually needed/desired are copied from conf.d to conf.d-run).<br><br />
We also create vhost.d (for http URLs) and vhost-ssl.d (for https URLs) directories for the virtual host/URL config files. Our current policy is to also include a 0-mask file in these directories: it does not serve any of the sites when the server is reached by its IP, so a valid URL (host name) is required to get to a real/application page.<br><br />
There are some slight differences with enterprise 7 (and newer/Fedora), which changes the vhost directory naming to conf.vhost.d and conf.vhost-ssl.d. Enterprise 7 also adds a conf.modules.d directory, so our corresponding conf.modules.d-run directory is configured/added as well.<br><br />
SSL/Certificates<br><br />
For IPs/certs used for any/all URLs, the first cert defined for the IP (in our mask file) is the cert used for all subsequent URL definitions for that IP (essentially all other cert directives are unused/ignored). To use more than one cert (or more than one domain where wildcard certs are used), additional IPs would need to be used (and the mask section duplicated for each additional IP).<br><br />
Note: recent changes to kickstart no longer install a cert on every system. This breaks Apache, as it will not start out of the chute from kickstart. Install a valid prod or non-prod cert via yum to resolve.<br><br />
Note: 2.2.9 added support for ProxyPassReverse balancer://<br />
<br />
=== Documentation References ===<br />
Enterprise 6<br />
http://httpd.apache.org/docs/2.2/<br />
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.2/howto/auth.html<br />
<br />
Enterprise 7<br />
http://httpd.apache.org/docs/2.4/<br />
http://httpd.apache.org/docs/2.4/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.4/howto/auth.html<br />
<br />
=== VHost Example ===<br />
Note: we put the mask section in a file named 0-mask (the '0-' prefix makes it sort first in the directory listing, i.e. apache loads it first); the real virtual host(s) go in their own file(s), named after their URL(s) (a file named 'syslog' in this case).<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
#ProxyTimeout 1200<br />
#ProxyStatus Full<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
# load balancer settings for multiple app servers<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
#ProxyPass /apache-info !<br />
#ProxyPass /apache-status !<br />
#ProxyPass /balancer-manager !<br />
#ProxyPass /jmx-console !<br />
#ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
The VirtualHost line should use :80 instead of :443 if the site is not ssl/https (and the file should then be in the vhost.d dir).<br />
All SSL* lines are for ssl only; do not include them if the site is not ssl/https.<br />
Proxy* lines apply only if this host is a proxy for another app server (or servers) or a local app (use the appropriate IPs).<br />
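<br />
The rules stated in the Overview (the first certificate defined for an IP is the one used for every later VirtualHost on that IP, and the 0-mask file must load first) can be checked mechanically against the vhost files. The following Python script is an added example, not part of the original page: it reads the vhost files in the alphabetical order httpd uses for a wildcard Include, records the default vhost and effective cert per IP:port, and reports later certs that would be ignored as well as addresses that have no mask vhost. It models the page's stated rule rather than SNI behaviour; the three vhost files it parses are constructed inline.<br />

```python
"""Load-order and certificate check for the vhost-ssl.d layout described on this page.

Added example, not part of the original wiki page. It models the rule the page
states (the first certificate defined for an IP is the one used for every later
VirtualHost on that IP) rather than SNI behaviour, and it reads the config text
directly instead of asking a running httpd.
"""
import re

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>\s*$")
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>\s*$")
DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias|SSLCertificateFile)\s+(.+?)\s*$")


def parse_vhosts(filename, text):
    """Return one dict per <VirtualHost> block, in file order; commented lines are ignored."""
    vhosts, current = [], None
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"file": filename, "addr": opened.group(1).strip(), "names": [], "cert": None}
        elif VHOST_CLOSE.match(line) and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None:
            directive = DIRECTIVE.match(line)
            if directive and directive.group(1) == "SSLCertificateFile":
                current["cert"] = directive.group(2)
            elif directive:
                current["names"].extend(directive.group(2).split())
    return vhosts


def load_order(filenames):
    """A wildcard Include is processed in alphabetical order, which is why the mask file is named 0-mask."""
    return sorted(filenames)


def analyze(files):
    """files maps filename -> contents. For each IP:port, report the default vhost,
    the certificate that is actually served, and later certificates that are ignored."""
    report = {}
    for name in load_order(files):
        for vh in parse_vhosts(name, files[name]):
            entry = report.setdefault(vh["addr"], {"default": None, "cert": None, "ignored_certs": []})
            if entry["default"] is None:
                # The first VirtualHost for an address is its default and, per the page, sets the cert.
                entry["default"] = (vh["file"], vh["names"][0] if vh["names"] else None)
                entry["cert"] = vh["cert"]
            elif vh["cert"] and vh["cert"] != entry["cert"]:
                entry["ignored_certs"].append((vh["file"], vh["cert"]))
    return report


def unmasked_addresses(report):
    """Addresses whose default vhost is a real site rather than the IP-only mask:
    a request for the bare IP would then reach an application page."""
    unmasked = []
    for addr, entry in report.items():
        ip = addr.rsplit(":", 1)[0]
        if entry["default"] is None or entry["default"][1] != ip:
            unmasked.append(addr)
    return sorted(unmasked)


# Constructed vhost files following the page's layout (not real deployment files).
FILES = {
    "syslog.conf": """\
<VirtualHost 172.16.1.11:443>
ServerName syslog.example.com
ServerAlias syslog1.prd.example.net syslog1
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt
</VirtualHost>
""",
    "0-mask.conf": """\
# mask server name & url's
<VirtualHost 172.16.1.11:443>
ServerName 172.16.1.11
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt
#SSLCertificateFile /etc/pki/tls/certs/old.example.com.crt
</VirtualHost>
""",
    "zz-other.conf": """\
<VirtualHost 172.16.1.11:443>
ServerName other.example.org
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/other.example.org.crt
</VirtualHost>
""",
}

if __name__ == "__main__":
    result = analyze(FILES)
    for addr, entry in result.items():
        print(addr, "default:", entry["default"], "cert:", entry["cert"])
        for ignored in entry["ignored_certs"]:
            print("  ignored cert", ignored)
    print("addresses without a mask vhost:", unmasked_addresses(result))
```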
<br />
=== Proxy VHost Example ===<br />
Note: the mask section is in a file named 0-mask; the real virtual host(s) go in their own file(s), named after their URL (a file named 'syslog' in this case).<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog1.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
ProxyTimeout 1200<br />
ProxyStatus Full<br />
SSLProxyEngine on<br />
# load balancer settings for multiple app servers<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
ProxyPass /apache-info !<br />
ProxyPass /apache-status !<br />
ProxyPass /balancer-manager !<br />
ProxyPass /jmx-console !<br />
ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings (requires Header & Proxy balancer section above)<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
=== httpd.conf Example ===<br />
We change the following lines in the default httpd.conf file<br><br />
Note: for ent 7, the last line is: Include conf.vhost.d/*.conf<br />
ServerTokens Prod<br />
<br />
KeepAlive On<br />
<br />
#LoadModule authn_file_module modules/mod_authn_file.so<br />
#LoadModule authn_alias_module modules/mod_authn_alias.so<br />
#LoadModule authn_anon_module modules/mod_authn_anon.so<br />
#LoadModule authn_dbm_module modules/mod_authn_dbm.so<br />
<br />
#LoadModule authz_owner_module modules/mod_authz_owner.so<br />
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so<br />
#LoadModule authz_dbm_module modules/mod_authz_dbm.so<br />
<br />
#LoadModule ldap_module modules/mod_ldap.so<br />
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so<br />
#LoadModule include_module modules/mod_include.so<br />
<br />
#LoadModule logio_module modules/mod_logio.so<br />
#LoadModule env_module modules/mod_env.so<br />
#LoadModule ext_filter_module modules/mod_ext_filter.so<br />
<br />
#LoadModule expires_module modules/mod_expires.so<br />
<br />
#LoadModule dav_module modules/mod_dav.so<br />
<br />
#LoadModule dav_fs_module modules/mod_dav_fs.so<br />
#LoadModule vhost_alias_module modules/mod_vhost_alias.so<br />
#LoadModule negotiation_module modules/mod_negotiation.so<br />
<br />
#LoadModule actions_module modules/mod_actions.so<br />
#LoadModule speling_module modules/mod_speling.so<br />
#LoadModule userdir_module modules/mod_userdir.so<br />
<br />
#LoadModule substitute_module modules/mod_substitute.so<br />
#LoadModule rewrite_module modules/mod_rewrite.so<br />
#LoadModule proxy_module modules/mod_proxy.so<br />
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so<br />
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so<br />
#LoadModule proxy_http_module modules/mod_proxy_http.so<br />
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so<br />
#LoadModule proxy_connect_module modules/mod_proxy_connect.so<br />
<br />
#LoadModule suexec_module modules/mod_suexec.so<br />
<br />
#LoadModule cgi_module modules/mod_cgi.so<br />
#LoadModule version_module modules/mod_version.so<br />
<br />
Include conf.d-run/*.conf<br />
<br />
ExtendedStatus On<br />
<br />
Options FollowSymLinks<br />
<br />
<Directory /home/httpd/*/public_html><br />
AllowOverride None<br />
Options FollowSymLinks<br />
<Limit GET POST OPTIONS><br />
Order allow,deny<br />
Allow from all<br />
</Limit><br />
<LimitExcept GET POST OPTIONS><br />
Order deny,allow<br />
Deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ts # %h (%a) %u \"%{User-Agent}i\"" custom<br />
#LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ob %Ts # %h (%a) %Ib %u \"%{User-Agent}i\"" customio<br />
<br />
ServerSignature Off<br />
<br />
Options MultiViews FollowSymLinks<br />
<br />
#AddLanguage ca .ca<br />
#AddLanguage cs .cz .cs<br />
#AddLanguage da .dk<br />
#AddLanguage de .de<br />
#AddLanguage el .el<br />
#AddLanguage en .en<br />
#AddLanguage eo .eo<br />
#AddLanguage es .es<br />
#AddLanguage et .et<br />
#AddLanguage fr .fr<br />
#AddLanguage he .he<br />
#AddLanguage hr .hr<br />
#AddLanguage it .it<br />
#AddLanguage ja .ja<br />
#AddLanguage ko .ko<br />
#AddLanguage ltz .ltz<br />
#AddLanguage nl .nl<br />
#AddLanguage nn .nn<br />
#AddLanguage no .no<br />
#AddLanguage pl .po<br />
#AddLanguage pt .pt<br />
#AddLanguage pt-BR .pt-br<br />
#AddLanguage ru .ru<br />
#AddLanguage sv .sv<br />
#AddLanguage zh-CN .zh-cn<br />
#AddLanguage zh-TW .zh-tw<br />
<br />
#LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW<br />
<br />
#ForceLanguagePriority Prefer Fallback<br />
<br />
#AddHandler type-map var<br />
<br />
#AddType text/html .shtml<br />
#AddOutputFilter INCLUDES .shtml<br />
<br />
<Location /server-status><br />
SetHandler server-status<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
<Location /server-info><br />
SetHandler server-info<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
# Security Directives<br />
# note: FileETag changes break DAV<br />
FileETag MTime Size<br />
TraceEnable Off<br />
Header always append X-Frame-Options SAMEORIGIN<br />
<br />
Include conf/vhost.d/*<br />
<br />
=== SSL Example ===<br />
We change the following lines in the default ssl.conf file (make sure there are no SSLProtocol or SSLCipherSuite lines in any VirtualHost configuration; a per-VirtualHost setting overrides the defaults, so the SSLProtocol and SSLCipherSuite lines set in ssl.conf would then have no effect)<br><br />
Note: for ent 7, the last line is: Include conf.vhost-ssl.d/*.conf<br />
#<VirtualHost _default_:443><br />
<br />
#SSLEngine on<br />
<br />
SSLProtocol all -SSLv2 -SSLv3<br />
<br />
Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"<br />
SSLInsecureRenegotiation off<br />
SSLHonorCipherOrder on<br />
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"<br />
<br />
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt<br />
<br />
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key<br />
<br />
#<Files ~ ".(cgi|shtml|phtml|php3?)$"><br />
# SSLOptions +StdEnvVars<br />
#</Files><br />
#<Directory "/var/www/cgi-bin"><br />
# SSLOptions +StdEnvVars<br />
#</Directory><br />
<br />
#</VirtualHost><br />
<br />
Include conf/vhost-ssl.d/*<br />
<br />
=== Files/Directories Layout ===<br />
<br />
Files<br />
<br />
(before ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (available from subversion)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (available from subversion)<br />
/etc/httpd/conf/vhost-ssl.d/0-mask (mask config & NameVirtualhost setting)<br />
/etc/httpd/conf/vhost-ssl.d/`hostname -s` (default virtual host config)<br />
/etc/httpd/conf/vhost.d/0-mask (non-https config - DISCOURAGED - mask config & NameVirtualhost setting)<br />
/etc/httpd/conf/vhost.d/`hostname -s` (non-https config - DISCOURAGED - default virtual host config)<br />
<br />
(ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (minimal config - see conf.d-run (active/in use) or /usr/share/doc/httpd-2.4.*/ (not active) for others, available from subversion)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (ssl related directives, available from subversion)<br />
/etc/httpd/conf.d-run/ - additional config files of misc Directives (/home/httpd perms, apache TimeOuts, status pages settings, etc.)<br />
/etc/httpd/conf.vhost-ssl.d/0-mask.conf (mask config & NameVirtualhost setting)<br />
/etc/httpd/conf.vhost-ssl.d/`hostname -s`.conf (default virtual host config)<br />
/etc/httpd/conf.vhost.d/0-mask.conf (non-https config - DISCOURAGED - mask config & NameVirtualhost setting)<br />
/etc/httpd/conf.vhost.d/`hostname -s`.conf (non-https config - DISCOURAGED - default virtual host config)<br />
/etc/httpd/conf.modules.d-run/00-ssl.conf - ssl config (LoadModule setting only)<br />
/etc/httpd/conf.modules.d-run/ - additional LoadModule configs (needed to make apache function, proxy modules, etc.)<br />
<br />
Dirs<br />
<br />
Notes: The use of .d-run directories protects the currently configured apache from being affected by configuration changes made by updates and from insecure configuration files dropped in by the installation of new packages. We want such additions to be disabled by default, per policy. If a feature is needed, its file is copied from the corresponding .d directory to the .d-run equivalent (e.g. from conf.d to conf.d-run).<br />
<br />
(before ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
| |-- vhost-ssl.d : (ssl virtual host files)<br />
| `-- vhost.d : (non-ssl virtual host files)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /var/run/httpd/)<br />
<br />
(ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- conf.modules.d : (unused, new installs/updates go here)<br />
|-- conf.modules.d-run : (real/runtime conf.modules.d dir)<br />
|-- conf.vhost-ssl.d : (ssl virtual host files)<br />
|-- conf.vhost.d : (non-ssl virtual host files)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /run/httpd/)<br />
<br />
=== Apache Quick Reference ===<br />
<br />
Commands<br />
<br />
Preferred Restart (does not disconnect users/no downtime)<br />
# service httpd graceful<br />
<br />
Status<br />
# service httpd status<br />
<br />
Test Configuration<br />
# service httpd configtest<br />
<br />
Misc Settings<br />
<br />
Port 80/http redirect to https<br />
Redirect Permanent / https://wiki.example.com/<br />
<br />
redirect to login page<br />
Redirect Permanent / https://beagle.example.com/WORMS/login.htm<br />
<br />
Enable compression<br />
SetOutputFilter DEFLATE<br />
<br />
Interesting URLs<br />
https://hostname/apache-status (current traffic)<br />
https://hostname/apache-info (configuration)</div>
Support http://thelinuxsource.org/index.php/Apache Apache 2019-04-10T15:02:23Z <p>Support: /* SSL Example */</p>
<hr />
<div>=== Policy ===<br />
{{Apache-Policy}}<br />
<br />
=== Overview ===<br />
Our Changes<br><br />
The Apache configuration has been modified slightly to address several security concerns.<br><br />
When installing additional apache modules, and some optional software, a config file is added to the conf.d directory, which automatically enables the module/software by default. However, most of these are not actually wanted or needed, nor ever get used. In our case, these end up being disabled by default, since we actually use a conf.d-run directory instead (the module/software configs that are actually needed/desired are copied from conf.d to conf.d-run).<br><br />
We also create vhost.d (for http URLs) and vhost-ssl.d (for https URLs) directories for the virtual host/URL config files. Our current policy is to also include a 0-mask file in these directories: it does not serve any of the sites when the server is reached by its IP, so a valid URL (host name) is required to get to a real/application page.<br><br />
There are some slight differences with enterprise 7 (and newer/Fedora), which changes the vhost directory naming to conf.vhost.d and conf.vhost-ssl.d. Enterprise 7 also adds a conf.modules.d directory, so our corresponding conf.modules.d-run directory is configured/added as well.<br><br />
SSL/Certificates<br><br />
For IPs/certs used for any/all URLs, the first cert defined for the IP (in our mask file) is the cert used for all subsequent URL definitions for that IP (essentially all other cert directives are unused/ignored). To use more than one cert (or more than one domain where wildcard certs are used), additional IPs would need to be used (and the mask section duplicated for each additional IP).<br><br />
Note: recent changes to kickstart no longer install a cert on every system. This breaks Apache, as it will not start out of the chute from kickstart. Install a valid prod or non-prod cert via yum to resolve.<br><br />
Note: 2.2.9 added support for ProxyPassReverse balancer://<br />
<br />
=== Documentation References ===<br />
Enterprise 6<br />
http://httpd.apache.org/docs/2.2/<br />
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.2/howto/auth.html<br />
<br />
Enterprise 7<br />
http://httpd.apache.org/docs/2.4/<br />
http://httpd.apache.org/docs/2.4/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.4/howto/auth.html<br />
<br />
=== VHost Example ===<br />
Note: we put the mask section in a file named 0-mask (the '0-' prefix makes it sort first in the directory listing, i.e. apache loads it first); the real virtual host(s) go in their own file(s), named after their URL(s) (a file named 'syslog' in this case).<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
#ProxyTimeout 1200<br />
#ProxyStatus Full<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
# load balancer settings for multiple app servers<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
#ProxyPass /apache-info !<br />
#ProxyPass /apache-status !<br />
#ProxyPass /balancer-manager !<br />
#ProxyPass /jmx-console !<br />
#ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
The VirtualHost line should use :80 instead of :443 if the site is not ssl/https (and the file should then be in the vhost.d dir).<br />
All SSL* lines are for ssl only; do not include them if the site is not ssl/https.<br />
Proxy* lines apply only if this host is a proxy for another app server (or servers) or a local app (use the appropriate IPs).<br />
<br />
=== Proxy VHost Example ===<br />
Note: the mask section is in a file named 0-mask; the real virtual host(s) go in their own file(s), named after their URL (a file named 'syslog' in this case).<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog1.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
ProxyTimeout 1200<br />
ProxyStatus Full<br />
SSLProxyEngine on<br />
# load balancer settings for multiple app servers<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
ProxyPass /apache-info !<br />
ProxyPass /apache-status !<br />
ProxyPass /balancer-manager !<br />
ProxyPass /jmx-console !<br />
ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings (requires Header & Proxy balancer section above)<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
=== httpd.conf Example ===<br />
We change the following lines in the default ssl.conf file<br><br />
Note: for ent 7, the last line is: Include conf.vhost.d/*.conf<br />
ServerTokens Prod<br />
<br />
KeepAlive On<br />
<br />
#LoadModule authn_file_module modules/mod_authn_file.so<br />
#LoadModule authn_alias_module modules/mod_authn_alias.so<br />
#LoadModule authn_anon_module modules/mod_authn_anon.so<br />
#LoadModule authn_dbm_module modules/mod_authn_dbm.so<br />
<br />
#LoadModule authz_owner_module modules/mod_authz_owner.so<br />
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so<br />
#LoadModule authz_dbm_module modules/mod_authz_dbm.so<br />
<br />
#LoadModule ldap_module modules/mod_ldap.so<br />
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so<br />
#LoadModule include_module modules/mod_include.so<br />
<br />
#LoadModule logio_module modules/mod_logio.so<br />
#LoadModule env_module modules/mod_env.so<br />
#LoadModule ext_filter_module modules/mod_ext_filter.so<br />
<br />
#LoadModule expires_module modules/mod_expires.so<br />
<br />
#LoadModule dav_module modules/mod_dav.so<br />
<br />
#LoadModule dav_fs_module modules/mod_dav_fs.so<br />
#LoadModule vhost_alias_module modules/mod_vhost_alias.so<br />
#LoadModule negotiation_module modules/mod_negotiation.so<br />
<br />
#LoadModule actions_module modules/mod_actions.so<br />
#LoadModule speling_module modules/mod_speling.so<br />
#LoadModule userdir_module modules/mod_userdir.so<br />
<br />
#LoadModule substitute_module modules/mod_substitute.so<br />
#LoadModule rewrite_module modules/mod_rewrite.so<br />
#LoadModule proxy_module modules/mod_proxy.so<br />
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so<br />
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so<br />
#LoadModule proxy_http_module modules/mod_proxy_http.so<br />
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so<br />
#LoadModule proxy_connect_module modules/mod_proxy_connect.so<br />
<br />
#LoadModule suexec_module modules/mod_suexec.so<br />
<br />
#LoadModule cgi_module modules/mod_cgi.so<br />
#LoadModule version_module modules/mod_version.so<br />
<br />
Include conf.d-run/*.conf<br />
<br />
ExtendedStatus On<br />
<br />
Options FollowSymLinks<br />
<br />
<Directory /home/httpd/*/public_html><br />
AllowOverride None<br />
Options FollowSymLinks<br />
<Limit GET POST OPTIONS><br />
Order allow,deny<br />
Allow from all<br />
</Limit><br />
<LimitExcept GET POST OPTIONS><br />
Order deny,allow<br />
Deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ts # %h (%a) %u \"%{User-Agent}i\"" custom<br />
#LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ob %Ts # %h (%a) %Ib %u \"%{User-Agent}i\"" customio<br />
<br />
ServerSignature Off<br />
<br />
Options MultiViews FollowSymLinks<br />
<br />
#AddLanguage ca .ca<br />
#AddLanguage cs .cz .cs<br />
#AddLanguage da .dk<br />
#AddLanguage de .de<br />
#AddLanguage el .el<br />
#AddLanguage en .en<br />
#AddLanguage eo .eo<br />
#AddLanguage es .es<br />
#AddLanguage et .et<br />
#AddLanguage fr .fr<br />
#AddLanguage he .he<br />
#AddLanguage hr .hr<br />
#AddLanguage it .it<br />
#AddLanguage ja .ja<br />
#AddLanguage ko .ko<br />
#AddLanguage ltz .ltz<br />
#AddLanguage nl .nl<br />
#AddLanguage nn .nn<br />
#AddLanguage no .no<br />
#AddLanguage pl .po<br />
#AddLanguage pt .pt<br />
#AddLanguage pt-BR .pt-br<br />
#AddLanguage ru .ru<br />
#AddLanguage sv .sv<br />
#AddLanguage zh-CN .zh-cn<br />
#AddLanguage zh-TW .zh-tw<br />
<br />
#LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW<br />
<br />
#ForceLanguagePriority Prefer Fallback<br />
<br />
#AddHandler type-map var<br />
<br />
#AddType text/html .shtml<br />
#AddOutputFilter INCLUDES .shtml<br />
<br />
<Location /server-status><br />
SetHandler server-status<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
<Location /server-info><br />
SetHandler server-info<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
# Security Directives<br />
# note: FileETag changes break DAV<br />
FileETag MTime Size<br />
TraceEnable Off<br />
Header always append X-Frame-Options SAMEORIGIN<br />
<br />
Include conf/vhost.d/*<br />
<br />
=== SSL Example ===<br />
We change the following lines in the default ssl.conf file (make sure there are no SSLProtocol or SSLCipherSuite lines in any VirtualHost configuration, otherwise the default SSLProtocol and SSLCipherSuite lines set in ssl.conf have no effect)<br><br />
Note: for ent 7, the last line is: Include conf.vhost-ssl.d/*.conf<br />
#<VirtualHost _default_:443><br />
<br />
#SSLEngine on<br />
<br />
SSLProtocol all -SSLv2 -SSLv3<br />
<br />
Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"<br />
SSLInsecureRenegotiation off<br />
SSLHonorCipherOrder on<br />
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"<br />
<br />
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt<br />
<br />
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key<br />
<br />
#<Files ~ ".(cgi|shtml|phtml|php3?)$"><br />
# SSLOptions +StdEnvVars<br />
#</Files><br />
#<Directory "/var/www/cgi-bin"><br />
# SSLOptions +StdEnvVars<br />
#</Directory><br />
<br />
#</VirtualHost><br />
<br />
Include conf/vhost-ssl.d/*<br />
<br />
=== Files/Directories Layout ===<br />
<br />
Files<br />
<br />
(before ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (available from subversion)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (available from subversion)<br />
/etc/httpd/conf/vhost-ssl.d/0-mask (mask config & NameVirtualhost setting)<br />
/etc/httpd/conf/vhost-ssl.d/`hostname -s` (default virtual host config)<br />
<br />
(ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (minimal config - see conf.d-run (active/in use) or /usr/share/doc/httpd-2.4.*/ (not active) for others, available from subversion)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (ssl related directives, available from subversion)<br />
/etc/httpd/conf.d-run/ - additional config files of misc Directives (/home/httpd perms, apache TimeOuts, status pages settings, etc.)<br />
/etc/httpd/conf.vhost-ssl.d/0-mask.conf (mask config & NameVirtualhost setting)<br />
/etc/httpd/conf.vhost-ssl.d/`hostname -s`.conf (default virtual host config)<br />
/etc/httpd/conf.modules.d-run/00-ssl.conf - ssl config (LoadModule setting only)<br />
/etc/httpd/conf.modules.d-run/ - additional LoadModule configs (needed to make apache function, proxy modules, etc.)<br />
<br />
Dirs<br />
<br />
Notes: The use of .d-run directories protects the currently configured apache from being affected by update changes and by the insecure addition of configuration files from the installation of new packages. We want additions to be disabled by default, per policy. If a feature is needed, the file is copied from the corresponding .d directory to the .d-run equivalent (e.g. from conf.d to conf.d-run).<br />
<br />
(before ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
| |-- vhost-ssl.d : (ssl virtual host files)<br />
| `-- vhost.d : (non-ssl virtual host files)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /var/run/httpd/)<br />
<br />
(ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- conf.modules.d : (unused, new installs/updates go here)<br />
|-- conf.modules.d-run : (real/runtime conf.modules.d dir)<br />
|-- conf.vhost-ssl.d : (ssl virtual host files)<br />
|-- conf.vhost.d : (non-ssl virtual host files)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /run/httpd/)<br />
<br />
=== Apache Quick Reference ===<br />
<br />
Commands<br />
<br />
Preferred Restart (does not disconnect users/no downtime)<br />
# service httpd graceful<br />
<br />
Status<br />
# service httpd status<br />
<br />
Test Configuration<br />
# service httpd configtest<br />
<br />
Misc Settings<br />
<br />
Port 80/http redirect to https<br />
Redirect Permanent / https://wiki.example.com/<br />
<br />
redirect to login page<br />
Redirect Permanent / https://beagle.example.com/WORMS/login.htm<br />
<br />
Enable compression<br />
SetOutputFilter DEFLATE<br />
<br />
Interesting URL's<br />
https://hostname/apache-status (current traffic)<br />
https://hostname/apache-info (configuration)</div>Supporthttp://thelinuxsource.org/index.php/ApacheApache2019-04-10T15:01:57Z<p>Support: /* httpd.conf Example */</p>
<hr />
<div>=== Policy ===<br />
{{Apache-Policy}}<br />
<br />
=== Overview ===<br />
Our Changes<br><br />
The Apache configuration has been modified slightly to address several security concerns.<br><br />
When installing additional apache modules, and some optional software, a config file is added to the conf.d directory, which automatically enables the module/software by default. However, most of these are not actually wanted or needed, and never get used. In our case, these end up being disabled by default, since we actually use a conf.d-run directory instead (the module/software configs that are actually needed/desired are copied from conf.d to conf.d-run).<br><br />
We also create vhost.d (for http URL's) and vhost-ssl.d (for https URL's) directories for virtual host/URL config files. Our current policy is to also include a 0-mask file in these directories, which does not serve out any of the sites (when going to the server's IP) but requires a valid URL to get to a real/application page.<br><br />
There are some slight differences with enterprise 7 (and newer/Fedora), which changes the vhost naming to conf.vhost.d and conf.vhost-ssl.d directories. 7 also adds a conf.modules.d, so our corresponding conf.modules.d-run directory is configured/added as well.<br><br />
SSL/Certificates<br><br />
For IP/certs used for any/all URL's, the first cert defined for the IP (in our mask file) is the cert used for all subsequent URL definitions for that IP (essentially all other cert directives are unused/ignored). To use more than one cert (or more than one domain where wildcard certs are used), additional IP's would need to be used (and the mask section duplicated for the additional IP).<br><br />
Note: recent changes to kickstart no longer install a cert on every system. This breaks Apache, as it will not start out of the chute from kickstart. Install a valid prod or non-prod cert via yum to resolve.<br><br />
Note: 2.2.9 added support for ProxyPassReverse balancer://<br />
<br />
=== Documentation References ===<br />
Enterprise 6<br />
http://httpd.apache.org/docs/2.2/<br />
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.2/howto/auth.html<br />
<br />
Enterprise 7<br />
http://httpd.apache.org/docs/2.4/<br />
http://httpd.apache.org/docs/2.4/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.4/howto/auth.html<br />
<br />
=== VHost Example ===<br />
Note: we put the mask section in a file named 0-mask (we add the '0-' so it shows up first in the dir listing, i.e. it gets loaded first by apache); the real virtual host (or many virtual host files) should be in their own file(s) named after their URL(s) (a file named 'syslog' in this case)<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
#ProxyTimeout 1200<br />
#ProxyStatus Full<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
# load balancer settings for multiple app servers<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
#ProxyPass /apache-info !<br />
#ProxyPass /apache-status !<br />
#ProxyPass /balancer-manager !<br />
#ProxyPass /jmx-console !<br />
#ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
The VirtualHost line should have :80 instead of :443 if not ssl/https (and the file should be in the vhost.d dir)<br />
All SSL* lines are ssl only; do not include these if not ssl/https<br />
Proxy* lines are only needed if this host is a proxy for another app server (or servers) or a local app (use the appropriate IPs)<br />
<br />
=== Proxy VHost Example ===<br />
Note: the mask section should be (and is) in a file named 0-mask; the real virtual host(s) (syslog in this case) should be in their own file(s) named after their URL (a file named 'syslog' in this case)<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog1.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
ProxyTimeout 1200<br />
ProxyStatus Full<br />
SSLProxyEngine on<br />
# load balancer settings for multiple app servers<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
ProxyPass /apache-info !<br />
ProxyPass /apache-status !<br />
ProxyPass /balancer-manager !<br />
ProxyPass /jmx-console !<br />
ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings (requires Header & Proxy balancer section above)<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
=== httpd.conf Example ===<br />
We change the following lines in the default ssl.conf file<br><br />
Note: for ent 7, the last line is: Include conf.vhost.d/*.conf<br />
ServerTokens Prod<br />
<br />
KeepAlive On<br />
<br />
#LoadModule authn_file_module modules/mod_authn_file.so<br />
#LoadModule authn_alias_module modules/mod_authn_alias.so<br />
#LoadModule authn_anon_module modules/mod_authn_anon.so<br />
#LoadModule authn_dbm_module modules/mod_authn_dbm.so<br />
<br />
#LoadModule authz_owner_module modules/mod_authz_owner.so<br />
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so<br />
#LoadModule authz_dbm_module modules/mod_authz_dbm.so<br />
<br />
#LoadModule ldap_module modules/mod_ldap.so<br />
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so<br />
#LoadModule include_module modules/mod_include.so<br />
<br />
#LoadModule logio_module modules/mod_logio.so<br />
#LoadModule env_module modules/mod_env.so<br />
#LoadModule ext_filter_module modules/mod_ext_filter.so<br />
<br />
#LoadModule expires_module modules/mod_expires.so<br />
<br />
#LoadModule dav_module modules/mod_dav.so<br />
<br />
#LoadModule dav_fs_module modules/mod_dav_fs.so<br />
#LoadModule vhost_alias_module modules/mod_vhost_alias.so<br />
#LoadModule negotiation_module modules/mod_negotiation.so<br />
<br />
#LoadModule actions_module modules/mod_actions.so<br />
#LoadModule speling_module modules/mod_speling.so<br />
#LoadModule userdir_module modules/mod_userdir.so<br />
<br />
#LoadModule substitute_module modules/mod_substitute.so<br />
#LoadModule rewrite_module modules/mod_rewrite.so<br />
#LoadModule proxy_module modules/mod_proxy.so<br />
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so<br />
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so<br />
#LoadModule proxy_http_module modules/mod_proxy_http.so<br />
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so<br />
#LoadModule proxy_connect_module modules/mod_proxy_connect.so<br />
<br />
#LoadModule suexec_module modules/mod_suexec.so<br />
<br />
#LoadModule cgi_module modules/mod_cgi.so<br />
#LoadModule version_module modules/mod_version.so<br />
<br />
Include conf.d-run/*.conf<br />
<br />
ExtendedStatus On<br />
<br />
Options FollowSymLinks<br />
<br />
<Directory /home/httpd/*/public_html><br />
AllowOverride None<br />
Options FollowSymLinks<br />
<Limit GET POST OPTIONS><br />
Order allow,deny<br />
Allow from all<br />
</Limit><br />
<LimitExcept GET POST OPTIONS><br />
Order deny,allow<br />
Deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ts # %h (%a) %u \"%{User-Agent}i\"" custom<br />
#LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ob %Ts # %h (%a) %Ib %u \"%{User-Agent}i\"" customio<br />
<br />
ServerSignature Off<br />
<br />
Options MultiViews FollowSymLinks<br />
<br />
#AddLanguage ca .ca<br />
#AddLanguage cs .cz .cs<br />
#AddLanguage da .dk<br />
#AddLanguage de .de<br />
#AddLanguage el .el<br />
#AddLanguage en .en<br />
#AddLanguage eo .eo<br />
#AddLanguage es .es<br />
#AddLanguage et .et<br />
#AddLanguage fr .fr<br />
#AddLanguage he .he<br />
#AddLanguage hr .hr<br />
#AddLanguage it .it<br />
#AddLanguage ja .ja<br />
#AddLanguage ko .ko<br />
#AddLanguage ltz .ltz<br />
#AddLanguage nl .nl<br />
#AddLanguage nn .nn<br />
#AddLanguage no .no<br />
#AddLanguage pl .po<br />
#AddLanguage pt .pt<br />
#AddLanguage pt-BR .pt-br<br />
#AddLanguage ru .ru<br />
#AddLanguage sv .sv<br />
#AddLanguage zh-CN .zh-cn<br />
#AddLanguage zh-TW .zh-tw<br />
<br />
#LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW<br />
<br />
#ForceLanguagePriority Prefer Fallback<br />
<br />
#AddHandler type-map var<br />
<br />
#AddType text/html .shtml<br />
#AddOutputFilter INCLUDES .shtml<br />
<br />
<Location /server-status><br />
SetHandler server-status<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
<Location /server-info><br />
SetHandler server-info<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
# Security Directives<br />
# note: FileETag changes break DAV<br />
FileETag MTime Size<br />
TraceEnable Off<br />
Header always append X-Frame-Options SAMEORIGIN<br />
<br />
Include conf/vhost.d/*<br />
<br />
=== SSL Example ===<br />
We change the following lines in the default ssl.conf file (make sure there are no SSLProtocol or SSLCipherSuite lines in any VirtualHost configuration, otherwise the default SSLProtocol and SSLCipherSuite lines set in ssl.conf have no effect)<br><br />
Note: for ent 7, the last line is: Include conf.vhost-ssl.d/*.conf<br />
#<VirtualHost _default_:443><br />
<br />
#SSLEngine on<br />
<br />
SSLProtocol all -SSLv2 -SSLv3<br />
<br />
Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"<br />
SSLInsecureRenegotiation off<br />
SSLHonorCipherOrder on<br />
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"<br />
<br />
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt<br />
<br />
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key<br />
<br />
#<Files ~ ".(cgi|shtml|phtml|php3?)$"><br />
# SSLOptions +StdEnvVars<br />
#</Files><br />
#<Directory "/var/www/cgi-bin"><br />
# SSLOptions +StdEnvVars<br />
#</Directory><br />
<br />
#</VirtualHost><br />
<br />
Include conf/vhost-ssl.d/*<br />
<br />
=== Files/Directories Layout ===<br />
<br />
Files<br />
<br />
(before ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (available from subversion)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (available from subversion)<br />
/etc/httpd/conf/vhost-ssl.d/0-mask (mask config & NameVirtualhost setting)<br />
/etc/httpd/conf/vhost-ssl.d/`hostname -s` (default virtual host config)<br />
<br />
(ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (minimal config - see conf.d-run (active/in use) or /usr/share/doc/httpd-2.4.*/ (not active) for others, available from subversion)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (ssl related directives, available from subversion)<br />
/etc/httpd/conf.d-run/ - additional config files of misc Directives (/home/httpd perms, apache TimeOuts, status pages settings, etc.)<br />
/etc/httpd/conf.vhost-ssl.d/0-mask.conf (mask config & NameVirtualhost setting)<br />
/etc/httpd/conf.vhost-ssl.d/`hostname -s`.conf (default virtual host config)<br />
/etc/httpd/conf.modules.d-run/00-ssl.conf - ssl config (LoadModule setting only)<br />
/etc/httpd/conf.modules.d-run/ - additional LoadModule configs (needed to make apache function, proxy modules, etc.)<br />
<br />
Dirs<br />
<br />
Notes: The use of .d-run directories protects the currently configured apache from being affected by update changes and by the insecure addition of configuration files from the installation of new packages. We want additions to be disabled by default, per policy. If a feature is needed, the file is copied from the corresponding .d directory to the .d-run equivalent (e.g. from conf.d to conf.d-run).<br />
<br />
(before ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
| |-- vhost-ssl.d : (ssl virtual host files)<br />
| `-- vhost.d : (non-ssl virtual host files)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /var/run/httpd/)<br />
<br />
(ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- conf.modules.d : (unused, new installs/updates go here)<br />
|-- conf.modules.d-run : (real/runtime conf.modules.d dir)<br />
|-- conf.vhost-ssl.d : (ssl virtual host files)<br />
|-- conf.vhost.d : (non-ssl virtual host files)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /run/httpd/)<br />
<br />
=== Apache Quick Reference ===<br />
<br />
Commands<br />
<br />
Preferred Restart (does not disconnect users/no downtime)<br />
# service httpd graceful<br />
<br />
Status<br />
# service httpd status<br />
<br />
Test Configuration<br />
# service httpd configtest<br />
<br />
Misc Settings<br />
<br />
Port 80/http redirect to https<br />
Redirect Permanent / https://wiki.example.com/<br />
<br />
redirect to login page<br />
Redirect Permanent / https://beagle.example.com/WORMS/login.htm<br />
<br />
Enable compression<br />
SetOutputFilter DEFLATE<br />
<br />
Interesting URL's<br />
https://hostname/apache-status (current traffic)<br />
https://hostname/apache-info (configuration)</div>Supporthttp://thelinuxsource.org/index.php/ApacheApache2019-04-10T15:01:08Z<p>Support: /* httpd.conf Example */</p>
<hr />
<div>=== Policy ===<br />
{{Apache-Policy}}<br />
<br />
=== Overview ===<br />
Our Changes<br><br />
The Apache configuration has been modified slightly to address several security concerns.<br><br />
When installing additional apache modules, and some optional software, a config file is added to the conf.d directory, which automatically enables the module/software by default. However, most of these are not actually wanted or needed, and never get used. In our case, these end up being disabled by default, since we actually use a conf.d-run directory instead (the module/software configs that are actually needed/desired are copied from conf.d to conf.d-run).<br><br />
We also create vhost.d (for http URL's) and vhost-ssl.d (for https URL's) directories for virtual host/URL config files. Our current policy is to also include a 0-mask file in these directories, which does not serve out any of the sites (when going to the server's IP) but requires a valid URL to get to a real/application page.<br><br />
There are some slight differences with enterprise 7 (and newer/Fedora), which changes the vhost naming to conf.vhost.d and conf.vhost-ssl.d directories. 7 also adds a conf.modules.d, so our corresponding conf.modules.d-run directory is configured/added as well.<br><br />
SSL/Certificates<br><br />
For IP/certs used for any/all URL's, the first cert defined for the IP (in our mask file) is the cert used for all subsequent URL definitions for that IP (essentially all other cert directives are unused/ignored). To use more than one cert (or more than one domain where wildcard certs are used), additional IP's would need to be used (and the mask section duplicated for the additional IP).<br><br />
Note: recent changes to kickstart no longer install a cert on every system. This breaks Apache, as it will not start out of the chute from kickstart. Install a valid prod or non-prod cert via yum to resolve.<br><br />
Note: 2.2.9 added support for ProxyPassReverse balancer://<br />
<br />
=== Documentation References ===<br />
Enterprise 6<br />
http://httpd.apache.org/docs/2.2/<br />
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.2/howto/auth.html<br />
<br />
Enterprise 7<br />
http://httpd.apache.org/docs/2.4/<br />
http://httpd.apache.org/docs/2.4/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.4/howto/auth.html<br />
<br />
=== VHost Example ===<br />
Note: we put the mask section in a file named 0-mask (we add the '0-' so it shows up first in the dir listing, i.e. it gets loaded first by Apache); the real virtual host (or many virtual host files) should be in their own file(s) named after their URL(s) (a file named 'syslog' in this case)<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
#ProxyTimeout 1200<br />
#ProxyStatus Full<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
# load balancer settings for multiple app servers<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
#ProxyPass /apache-info !<br />
#ProxyPass /apache-status !<br />
#ProxyPass /balancer-manager !<br />
#ProxyPass /jmx-console !<br />
#ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
The VirtualHost line should have :80 instead of :443 if not ssl/https (and the file should be in the vhost.d dir)<br />
All SSL* lines are ssl only; do not include these if not ssl/https<br />
Proxy* lines are only needed if this is a proxy for another app server(s) or a local app (use the appropriate IPs)<br />
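The reason the mask file has to sort first is Apache's name-based virtual host selection: for a given IP:port, the first VirtualHost whose ServerName or ServerAlias matches the Host header is used, and when nothing matches (or no Host header is sent, e.g. a request to the bare IP) the first VirtualHost defined for that IP:port is the default. The following Python script is an added example, not code from this wiki or from Apache; it models that selection over constructed vhost files (trimmed copies of the 0-mask and syslog examples above, with hypothetical file names) and shows what changes when the mask file is not loaded first. ServerAlias wildcards are not modelled.

```python
import re
from typing import Dict, List, Optional

# Constructed vhost files modelled on the page's 0-mask and syslog examples
# (hypothetical contents, trimmed to the directives that matter for selection).
# The dict key is the file name inside conf/vhost-ssl.d.
VHOST_FILES: Dict[str, str] = {
    "0-mask": """
# mask server name & url's
<VirtualHost 172.16.1.11:443>
ServerName 172.16.1.11
DocumentRoot /home/httpd/syslog1/public_html
SSLEngine on
</VirtualHost>
""",
    "syslog": """
# real url's below
<VirtualHost 172.16.1.11:443>
ServerName syslog.example.com
ServerAlias syslog1.prd.example.net syslog1
DocumentRoot /home/httpd/syslog1/public_html
SSLEngine on
</VirtualHost>
""",
}

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)


def parse_vhosts(text: str, source: str) -> List[dict]:
    """Return the VirtualHost blocks of one file, in file order.

    Each block is a dict with the address:port it binds, the lower-cased
    ServerName/ServerAlias names, and the file it came from.
    """
    vhosts: List[dict] = []
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"addr": opened.group(1).strip(), "names": [], "source": source}
            continue
        if VHOST_CLOSE.match(line) and current is not None:
            vhosts.append(current)
            current = None
            continue
        if current is not None:
            parts = line.split()
            if parts[0].lower() in ("servername", "serveralias"):
                current["names"].extend(n.lower() for n in parts[1:])
    return vhosts


def load_in_apache_order(files: Dict[str, str]) -> List[dict]:
    """'Include conf/vhost-ssl.d/*' reads files in sorted name order, which is
    why the mask file is named 0-mask: it must be the first vhost for the IP."""
    vhosts: List[dict] = []
    for name in sorted(files):
        vhosts.extend(parse_vhosts(files[name], name))
    return vhosts


def select_vhost(vhosts: List[dict], addr: str, host_header: Optional[str]) -> Optional[dict]:
    """Mimic name-based selection for one address:port.

    The first vhost on that address whose ServerName or ServerAlias equals the
    Host header wins; with no match (or no Host header at all) Apache falls back
    to the first vhost defined for that address, i.e. the mask.  Exact matching
    only: ServerAlias wildcards are not modelled here.
    """
    candidates = [v for v in vhosts if v["addr"] == addr]
    if not candidates:
        return None
    if host_header:
        host = host_header.rsplit(":", 1)[0].lower()  # strip a :port suffix
        for vhost in candidates:
            if host in vhost["names"]:
                return vhost
    return candidates[0]


if __name__ == "__main__":
    ordered = load_in_apache_order(VHOST_FILES)
    for hdr in ("syslog.example.com", "172.16.1.11", "unknown.example.org", None):
        chosen = select_vhost(ordered, "172.16.1.11:443", hdr)
        print(f"Host: {hdr!r:24} -> served by file {chosen['source']!r}")
```

Renaming the mask file so it sorts after 'syslog' makes the real application vhost the default, so a request to the bare IP or with an unknown Host header would then reach the application instead of the mask; the script's ordering function makes that visible without touching a live server.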
<br />
=== Proxy VHost Example ===<br />
Note: the mask section should be/is in a file named 0-mask; the real virtual host(s) (syslog in this case) should be in their own file(s) named after their URL (a file named 'syslog' in this case)<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog1.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
ProxyTimeout 1200<br />
ProxyStatus Full<br />
SSLProxyEngine on<br />
# load balancer settings for multiple app servers<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
ProxyPass /apache-info !<br />
ProxyPass /apache-status !<br />
ProxyPass /balancer-manager !<br />
ProxyPass /jmx-console !<br />
ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings (requires Header & Proxy balancer section above)<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
=== httpd.conf Example ===<br />
We change the following lines in the default httpd.conf file<br><br />
Note: for ent 7, the last line is Include conf.vhost.d/*.conf<br />
ServerTokens Prod<br />
<br />
KeepAlive On<br />
<br />
#LoadModule authn_file_module modules/mod_authn_file.so<br />
#LoadModule authn_alias_module modules/mod_authn_alias.so<br />
#LoadModule authn_anon_module modules/mod_authn_anon.so<br />
#LoadModule authn_dbm_module modules/mod_authn_dbm.so<br />
<br />
#LoadModule authz_owner_module modules/mod_authz_owner.so<br />
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so<br />
#LoadModule authz_dbm_module modules/mod_authz_dbm.so<br />
<br />
#LoadModule ldap_module modules/mod_ldap.so<br />
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so<br />
#LoadModule include_module modules/mod_include.so<br />
<br />
#LoadModule logio_module modules/mod_logio.so<br />
#LoadModule env_module modules/mod_env.so<br />
#LoadModule ext_filter_module modules/mod_ext_filter.so<br />
<br />
#LoadModule expires_module modules/mod_expires.so<br />
<br />
#LoadModule dav_module modules/mod_dav.so<br />
<br />
#LoadModule dav_fs_module modules/mod_dav_fs.so<br />
#LoadModule vhost_alias_module modules/mod_vhost_alias.so<br />
#LoadModule negotiation_module modules/mod_negotiation.so<br />
<br />
#LoadModule actions_module modules/mod_actions.so<br />
#LoadModule speling_module modules/mod_speling.so<br />
#LoadModule userdir_module modules/mod_userdir.so<br />
<br />
#LoadModule substitute_module modules/mod_substitute.so<br />
#LoadModule rewrite_module modules/mod_rewrite.so<br />
#LoadModule proxy_module modules/mod_proxy.so<br />
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so<br />
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so<br />
#LoadModule proxy_http_module modules/mod_proxy_http.so<br />
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so<br />
#LoadModule proxy_connect_module modules/mod_proxy_connect.so<br />
<br />
#LoadModule suexec_module modules/mod_suexec.so<br />
<br />
#LoadModule cgi_module modules/mod_cgi.so<br />
#LoadModule version_module modules/mod_version.so<br />
<br />
Include conf.d-run/*.conf<br />
<br />
ExtendedStatus On<br />
<br />
Options FollowSymLinks<br />
<br />
<Directory /home/httpd/*/public_html><br />
AllowOverride None<br />
Options FollowSymLinks<br />
<Limit GET POST OPTIONS><br />
Order allow,deny<br />
Allow from all<br />
</Limit><br />
<LimitExcept GET POST OPTIONS><br />
Order deny,allow<br />
Deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ts # %h (%a) %u \"%{User-Agent}i\"" custom<br />
#LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ob %Ts # %h (%a) %Ib %u \"%{User-Agent}i\"" customio<br />
<br />
ServerSignature Off<br />
<br />
Options MultiViews FollowSymLinks<br />
<br />
#AddLanguage ca .ca<br />
#AddLanguage cs .cz .cs<br />
#AddLanguage da .dk<br />
#AddLanguage de .de<br />
#AddLanguage el .el<br />
#AddLanguage en .en<br />
#AddLanguage eo .eo<br />
#AddLanguage es .es<br />
#AddLanguage et .et<br />
#AddLanguage fr .fr<br />
#AddLanguage he .he<br />
#AddLanguage hr .hr<br />
#AddLanguage it .it<br />
#AddLanguage ja .ja<br />
#AddLanguage ko .ko<br />
#AddLanguage ltz .ltz<br />
#AddLanguage nl .nl<br />
#AddLanguage nn .nn<br />
#AddLanguage no .no<br />
#AddLanguage pl .po<br />
#AddLanguage pt .pt<br />
#AddLanguage pt-BR .pt-br<br />
#AddLanguage ru .ru<br />
#AddLanguage sv .sv<br />
#AddLanguage zh-CN .zh-cn<br />
#AddLanguage zh-TW .zh-tw<br />
<br />
#LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW<br />
<br />
#ForceLanguagePriority Prefer Fallback<br />
<br />
#AddHandler type-map var<br />
<br />
#AddType text/html .shtml<br />
#AddOutputFilter INCLUDES .shtml<br />
<br />
<Location /server-status><br />
SetHandler server-status<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
<Location /server-info><br />
SetHandler server-info<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
# Security Directives<br />
# note: FileETag changes break DAV<br />
FileETag MTime Size<br />
TraceEnable Off<br />
Header always append X-Frame-Options SAMEORIGIN<br />
<br />
Include conf/vhost.d/*<br />
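The "custom" LogFormat above is meant for humans, so nothing ships a parser for it. The following Python script is an added example, not code from this wiki; it parses constructed lines in that exact format (the sample log is made up here, including the IPs and user agents) into fields, and then does two things a reviewer of these logs would want: counts status codes, lists requests whose method falls outside the GET/POST/OPTIONS allowed by the LimitExcept block above, and lists requests that landed on the mask vhost (i.e. clients that did not send a valid URL).

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Regex for one line of the page's LogFormat "... custom":
#   %t "%v -> %U" "%{Referer}i %r" %>s %Bb %Ts # %h (%a) %u "%{User-Agent}i"
# Quoted fields may contain backslash-escaped quotes, which httpd emits for
# request-line and header values.
_QUOTED = r'(?:[^"\\]|\\.)*'
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] '                                # %t
    r'"(?P<vhost>\S+) -> (?P<path>' + _QUOTED + r')" '       # "%v -> %U"
    r'"(?P<referer>\S+) (?P<request>' + _QUOTED + r')" '     # "%{Referer}i %r"
    r'(?P<status>\d{3}) (?P<bytes>\d+)b (?P<secs>\d+)s # '   # %>s %Bb %Ts #
    r'(?P<host>\S+) \((?P<client>\S+)\) (?P<user>\S+) '      # %h (%a) %u
    r'"(?P<ua>' + _QUOTED + r')"$'                           # "%{User-Agent}i"
)

# Constructed sample log (not real traffic); the last line is deliberately malformed.
SAMPLE_LOG = """\
[21/Jul/2020:10:15:02 -0400] "syslog.example.com -> /index.html" "- GET /index.html HTTP/1.1" 200 5120b 0s # 10.117.100.5 (10.117.100.5) - "Mozilla/5.0 (X11; Linux x86_64)"
[21/Jul/2020:10:15:09 -0400] "syslog.example.com -> /admin/" "https://syslog.example.com/index.html GET /admin/ HTTP/1.1" 403 199b 0s # 203.0.113.7 (203.0.113.7) - "curl/7.61.1"
[21/Jul/2020:10:15:15 -0400] "172.16.1.11 -> /" "- PUT / HTTP/1.1" 403 0b 0s # 203.0.113.7 (203.0.113.7) - "-"
[21/Jul/2020:10:15:20 -0400] "syslog.example.com -> /server-status" "- GET /server-status HTTP/1.1" 200 8901b 1s # 127.0.0.1 (127.0.0.1) - "Wget/1.14"
this line is not in the custom format
"""


def parse_custom_line(line: str) -> Optional[dict]:
    """Parse one line; return None if it is not in the custom format."""
    match = LINE_RE.match(line.rstrip("\n"))
    if not match:
        return None
    entry = match.groupdict()
    request = entry["request"].split()          # %r is "METHOD target protocol"
    entry["method"] = request[0] if request else "-"
    entry["target"] = request[1] if len(request) > 1 else "-"
    entry["status"] = int(entry["status"])
    entry["bytes"] = int(entry["bytes"])        # %B logs 0, not '-', for empty bodies
    entry["secs"] = int(entry["secs"])
    return entry


def parse_log(text: str) -> List[dict]:
    """Parse every well-formed line, silently skipping lines in other formats."""
    return [e for e in (parse_custom_line(l) for l in text.splitlines()) if e]


def status_counts(entries: List[dict]) -> Dict[int, int]:
    return dict(Counter(e["status"] for e in entries))


def unexpected_methods(entries: List[dict],
                       allowed: Tuple[str, ...] = ("GET", "POST", "OPTIONS")) -> List[Tuple[str, str, str]]:
    """(client, method, vhost) for requests outside the LimitExcept allow-list."""
    return [(e["client"], e["method"], e["vhost"]) for e in entries if e["method"] not in allowed]


def mask_hits(entries: List[dict], mask_names: Set[str]) -> List[Tuple[str, str]]:
    """(client, target) for requests that were answered by a mask vhost, i.e.
    the client addressed the server by IP or with an unknown Host header."""
    return [(e["client"], e["target"]) for e in entries if e["vhost"] in mask_names]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("status codes      :", status_counts(parsed))
    print("unexpected methods:", unexpected_methods(parsed))
    print("mask vhost hits   :", mask_hits(parsed, {"172.16.1.11"}))
```

The mask-hit check works because the mask vhost's ServerName is the bare IP, so `%v` records that IP whenever the mask answered; feed the set of mask ServerNames you actually use.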
<br />
=== SSL Example ===<br />
We change the following lines in the default ssl.conf file (make sure there are no SSLProtocol & SSLCipherSuite lines in any VirtualHost configuration, otherwise the default SSLProtocol & SSLCipherSuite lines set in ssl.conf have no effect for that virtual host)<br><br />
Note: for ent 7, the last line is Include conf.vhost-ssl.d/*.conf<br />
#<VirtualHost _default_:443><br />
<br />
#SSLEngine on<br />
<br />
SSLProtocol all -SSLv2 -SSLv3<br />
<br />
Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"<br />
SSLInsecureRenegotiation off<br />
SSLHonorCipherOrder on<br />
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"<br />
<br />
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt<br />
<br />
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key<br />
<br />
#<Files ~ ".(cgi|shtml|phtml|php3?)$"><br />
# SSLOptions +StdEnvVars<br />
#</Files><br />
#<Directory "/var/www/cgi-bin"><br />
# SSLOptions +StdEnvVars<br />
#</Directory><br />
<br />
#</VirtualHost><br />
<br />
Include conf/vhost-ssl.d/*<br />
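The caveat above is easy to break when a vhost file is copied in from elsewhere: an SSLProtocol or SSLCipherSuite line inside a VirtualHost wins over the server-wide value for that vhost, and nothing in configtest complains. The following Python script is an added example, not code from this wiki or from Apache; it scans constructed vhost files (hypothetical contents, modelled on the layout above) for those directives inside a VirtualHost, reports file and line, and separately confirms that ssl.conf still sets them at server level. Commented-out lines are ignored, as httpd ignores them.

```python
from typing import Dict, Iterator, List, Tuple

# Directives this setup keeps in ssl.conf only: a copy inside a <VirtualHost>
# silently overrides the server-wide value for that vhost.
SERVER_LEVEL_ONLY = ("sslprotocol", "sslciphersuite", "sslhonorcipherorder")

# Constructed vhost files (hypothetical; 'legacy-app' carries the mistake).
VHOST_FILES: Dict[str, str] = {
    "0-mask": """<VirtualHost 172.16.1.11:443>
ServerName 172.16.1.11
SSLEngine on
#SSLProtocol all   (commented out: must not be reported)
</VirtualHost>
""",
    "syslog": """<VirtualHost 172.16.1.11:443>
ServerName syslog.example.com
SSLEngine on
</VirtualHost>
""",
    "legacy-app": """<VirtualHost 172.16.1.11:443>
ServerName legacy.example.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
</VirtualHost>
""",
}

# Server-level settings, as in the ssl.conf example above (cipher list shortened).
SSL_CONF = """SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
#<VirtualHost _default_:443>
#SSLEngine on
#</VirtualHost>
"""


def _directives(text: str) -> Iterator[Tuple[int, str, str, bool]]:
    """Yield (lineno, directive_lowercase, line, inside_vhost) for each
    non-blank, non-comment line, tracking <VirtualHost> nesting."""
    depth = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            depth += 1
            continue
        if low.startswith("</virtualhost"):
            depth = max(depth - 1, 0)
            continue
        yield lineno, low.split(None, 1)[0], line, depth > 0


def find_vhost_overrides(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """(file, line number, line) for every server-level-only directive that
    appears inside a VirtualHost block."""
    findings: List[Tuple[str, int, str]] = []
    for name, text in files.items():
        for lineno, directive, line, inside in _directives(text):
            if inside and directive in SERVER_LEVEL_ONLY:
                findings.append((name, lineno, line))
    return findings


def missing_global_defaults(ssl_conf: str) -> List[str]:
    """Directives from SERVER_LEVEL_ONLY that ssl.conf does not set outside a VirtualHost."""
    seen = {d for _, d, _, inside in _directives(ssl_conf) if not inside}
    return [d for d in SERVER_LEVEL_ONLY if d not in seen]


if __name__ == "__main__":
    for name, lineno, line in find_vhost_overrides(VHOST_FILES):
        print(f"{name}:{lineno}: overrides ssl.conf: {line}")
    print("missing in ssl.conf:", missing_global_defaults(SSL_CONF) or "none")
```

On a real system, read the files from conf/vhost-ssl.d (or conf.vhost-ssl.d on ent 7) into the dict and run the check before `service httpd graceful`, since `configtest` accepts either placement.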
<br />
=== Files/Directories Layout ===<br />
<br />
Files<br />
<br />
(before ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (available from subversion)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (available from subversion)<br />
/etc/httpd/conf/vhost-ssl.d/0-mask (mask config & NameVirtualHost setting)<br />
/etc/httpd/conf/vhost-ssl.d/`hostname -s` (default virtual host config)<br />
<br />
(ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (minimal config - see conf.d-run (active/in use) or /usr/share/doc/httpd-2.4.*/ (not active) for others, available from subversion)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (ssl related directives, available from subversion)<br />
/etc/httpd/conf.d-run/ - additional config files of misc Directives (/home/httpd perms, apache TimeOuts, status pages settings, etc.)<br />
/etc/httpd/conf.vhost-ssl.d/0-mask.conf (mask config & NameVirtualHost setting)<br />
/etc/httpd/conf.vhost-ssl.d/`hostname -s`.conf (default virtual host config)<br />
/etc/httpd/conf.modules.d-run/00-ssl.conf - ssl config (LoadModule setting only)<br />
/etc/httpd/conf.modules.d-run/ - additional LoadModule configs (needed to make apache function, proxy modules, etc.)<br />
<br />
Dirs<br />
<br />
Notes: The use of .d-run directories protects the currently configured Apache from being affected by update changes and by insecure additions of configuration files from the installation of new packages. We want additions to be disabled by default, per policy. If a feature is needed, the file is copied from the corresponding .d directory to the .d-run equivalent (e.g. from conf.d to conf.d-run).<br />
<br />
(before ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
| |-- vhost-ssl.d : (ssl virtual host files)<br />
| `-- vhost.d : (non-ssl virtual host files)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /var/run/httpd/)<br />
<br />
(ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- conf.modules.d : (unused, new installs/updates go here)<br />
|-- conf.modules.d-run : (real/runtime conf.modules.d dir)<br />
|-- conf.vhost-ssl.d : (ssl virtual host files)<br />
|-- conf.vhost.d : (non-ssl virtual host files)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /run/httpd/)<br />
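The .d/.d-run split only stays safe if someone notices when the vendor directory changes. The following Python script is an added example, not code from this wiki; it audits each .d directory against its .d-run twin (both pairs from the ent 7 layout above) and reports files that were dropped in but never enabled, files whose vendor copy now differs from the runtime copy (an update rewrote it), and runtime files with no vendor counterpart. It builds a throwaway /etc/httpd look-alike in a temp directory with constructed contents so it runs anywhere; point `audit_run_dirs` at the real /etc/httpd to use it.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Vendor directory -> runtime directory, per the ent 7 layout (pre-7 has only the first pair).
RUN_PAIRS = (("conf.d", "conf.d-run"), ("conf.modules.d", "conf.modules.d-run"))


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_run_dirs(httpd_root: str) -> Dict[str, List[str]]:
    """Compare each .d directory with its .d-run twin under httpd_root.

    not_enabled: dropped into .d by a package but never copied to .d-run
                 (expected per policy; listed so the new file is visible)
    diverged:    present in both but the contents differ, e.g. an update
                 rewrote conf.d/ssl.conf; diff before copying it over
    orphaned:    in .d-run with no vendor counterpart (local file or removed package)
    Pairs whose directories are missing are skipped.
    """
    root = Path(httpd_root)
    report: Dict[str, List[str]] = {"not_enabled": [], "diverged": [], "orphaned": []}
    for vendor, run in RUN_PAIRS:
        vdir, rdir = root / vendor, root / run
        if not (vdir.is_dir() and rdir.is_dir()):
            continue
        vfiles = {p.name for p in vdir.iterdir() if p.is_file()}
        rfiles = {p.name for p in rdir.iterdir() if p.is_file()}
        report["not_enabled"] += sorted(f"{vendor}/{n}" for n in vfiles - rfiles)
        report["orphaned"] += sorted(f"{run}/{n}" for n in rfiles - vfiles)
        report["diverged"] += sorted(
            f"{vendor}/{n}" for n in vfiles & rfiles if _digest(vdir / n) != _digest(rdir / n)
        )
    return report


def build_sample_tree() -> str:
    """Create a temporary /etc/httpd look-alike; every file below is constructed."""
    root = Path(tempfile.mkdtemp(prefix="httpd-audit-"))
    ssl_conf = "SSLProtocol all -SSLv2 -SSLv3\nSSLHonorCipherOrder on\n"
    mod_ssl = "LoadModule ssl_module modules/mod_ssl.so\n"
    files = {
        "conf.d/ssl.conf": ssl_conf,
        "conf.d-run/ssl.conf": ssl_conf,                          # reviewed, enabled, in sync
        "conf.d/php.conf": "LoadModule php5_module modules/libphp5.so\n",  # new package, not enabled
        "conf.d/welcome.conf": '<LocationMatch "^/+$">\n</LocationMatch>\n',
        "conf.d-run/welcome.conf": "# disabled locally\n",        # runtime copy differs from vendor copy
        "conf.modules.d/00-ssl.conf": mod_ssl,
        "conf.modules.d-run/00-ssl.conf": mod_ssl,
        "conf.modules.d-run/99-local.conf": "LoadModule headers_module modules/mod_headers.so\n",  # no vendor file
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return str(root)


if __name__ == "__main__":
    for key, entries in audit_run_dirs(build_sample_tree()).items():
        print(f"{key:12}: {entries}")
```

A "diverged" hit is the interesting one: it is either a vendor update that should be reviewed and then copied to .d-run, or a deliberate local change in .d-run, and only a diff of the two files tells which.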
<br />
=== Apache Quick Reference ===<br />
<br />
Commands<br />
<br />
Preferred Restart (does not disconnect users/no downtime)<br />
# service httpd graceful<br />
<br />
Status<br />
# service httpd status<br />
<br />
Test Configuration<br />
# service httpd configtest<br />
<br />
Misc Settings<br />
<br />
Port 80/http redirect to https<br />
Redirect Permanent / https://wiki.example.com/<br />
<br />
redirect to login page<br />
Redirect Permanent / https://beagle.example.com/WORMS/login.htm<br />
<br />
Enable compression<br />
SetOutputFilter DEFLATE<br />
<br />
Interesting URL's<br />
https://hostname/apache-status (current traffic)<br />
https://hostname/apache-info (configuration)</div>Supporthttp://thelinuxsource.org/index.php/ApacheApache2019-04-10T14:59:57Z<p>Support: /* httpd.conf Example */</p>
<hr />
<div>=== Policy ===<br />
{{Apache-Policy}}<br />
<br />
=== Overview ===<br />
Our Changes<br><br />
The Apache configuration has been modified slightly to address several security concerns.<br><br />
When installing additional apache modules, and some optional software, a config file is added to the conf.d directory, which automatically enables the module/software by default. However, most of these are not actually wanted or needed, nor ever get used. In our case, these end up being disabled by default, since we actually use a conf.d-run directory instead (the module/software configs that are actually needed/desired are copied from conf.d to conf.d-run).<br><br />
We also create vhost.d (for http URL's) and vhost-ssl.d (for https URL's) directories for virtual host/URL config files. Our current policy is to also include a 0-mask file in these directories which does not serve out any of the sites (when going to the servers IP), but require a valid URL to get to a real/application page.<br><br />
There are some slight differences with enterprise 7 (and newer/Fedora), which changes the vhost naming, with conf.vhost.d and conf.vhost-ssl.d directories. 7 also adds a conf.modules.d, and thus has our corresponding conf.modules.d-run directory is configured/added.<br><br />
SSL/Certificates<br><br />
For IP/certs used for any/all URL's, the first cert defined for the IP (in our mask file) is the cert used for all subsequent URL definitions for that IP (essentially all other cert directives are unused/ignored). To use more than one cert (or more than one domain where wildcard certs are used), additional IP's would need to be used (and the mask section duplicated for the additional IP).<br><br />
Note: recent changes to kickstart no longer install a cert on every system. This breaks Apache, as it will not start out of the chute from kickstart. Install a valid prod or non-prod cert via yum to resolve.<br><br />
Note: 2.2.9 added support for ProxyPassReverse balancer://<br />
<br />
=== Documentation References ===<br />
Enterprise 6<br />
http://httpd.apache.org/docs/2.2/<br />
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.2/howto/auth.html<br />
<br />
Enterprise 7<br />
http://httpd.apache.org/docs/2.4/<br />
http://httpd.apache.org/docs/2.4/mod/mod_proxy.html<br />
http://httpd.apache.org/docs/2.4/howto/auth.html<br />
<br />
=== VHost Example ===<br />
Note: the mask section we put in a file named 0-mask (we add the '0-' so it shows up in the dir listing first, i.e. it gets loaded first by apache), the real virtual host (or many virtual host files) should be in their own file(s) based on their URL(s) (a file named 'syslog' in this case)<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
#ProxyTimeout 1200<br />
#ProxyStatus Full<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
# load balancer settings for multiple app servers<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
#ProxyPass /apache-info !<br />
#ProxyPass /apache-status !<br />
#ProxyPass /balancer-manager !<br />
#ProxyPass /jmx-console !<br />
#ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
VirtualHost line should have :80 instead of :443 if not ssl/https (and should be in vhost.d dir)<br />
All SSL* lines are ssl only, do not include these if not ssl/https<br />
Proxy* lines are only if this is a proxy for another app server(s) or a local app (use appropriate IP's)<br />
<br />
=== Proxy VHost Example ===<br />
Note: the mask section should be/is in a file named 0-mask, the real virtual host(s) (syslog in this case) should be in their own file(s) based on their URL (a file named 'syslog' in this case)<br />
<br />
# mask server name & url's<br />
<VirtualHost 172.16.1.11:443><br />
ServerName 172.16.1.11<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# uncomment if used for the real url's below<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
</VirtualHost><br />
<br />
# real url's below<br />
<VirtualHost 172.16.1.11:443><br />
ServerName syslog1.example.com<br />
ServerAlias syslog1.prd.example.net syslog1<br />
DocumentRoot /home/httpd/syslog1/public_html<br />
ServerAdmin webmaster@example.com<br />
<br />
SetOutputFilter DEFLATE<br />
<br />
# settings for being a proxy<br />
ProxyTimeout 1200<br />
ProxyStatus Full<br />
SSLProxyEngine on<br />
# load balancer settings for multiple app servers<br />
#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED<br />
#<Proxy balancer://cluster1><br />
# BalancerMember http://172.16.1.12:8080 route=1<br />
# BalancerMember http://172.16.1.13:8080 route=2<br />
# ProxySet stickysession=ROUTEID<br />
#</Proxy><br />
ProxyPass /apache-info !<br />
ProxyPass /apache-status !<br />
ProxyPass /balancer-manager !<br />
ProxyPass /jmx-console !<br />
ProxyPass /web-console !<br />
# single app server settings<br />
#ProxyPass / http://172.16.1.12:8080/app-path/<br />
#ProxyPassReverse / http://172.16.1.12:8080/app-path/<br />
# multiple app servers settings (requires Header & Proxy balancer section above)<br />
#ProxyPass / balancer://cluster1/app-path/<br />
#ProxyPassReverse / balancer://cluster1/app-path/<br />
<br />
# turn on some minimal caching (on disk) - causes issues where authentication is used<br />
#CacheEnable disk /<br />
#CacheRoot "/var/cache/mod_proxy"<br />
#CacheDirLevels 3<br />
#CacheDirLength 5<br />
#CacheIgnoreCacheControl On<br />
#CacheMaxFileSize 100000<br />
#CacheIgnoreNoLastMod On<br />
#CacheMaxExpire 1209600<br />
#CacheIgnoreQueryString On<br />
<br />
# ssl settings<br />
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly<br />
SSLEngine on<br />
SSLCertificateFile /etc/pki/tls/certs/star.example.com.crt<br />
SSLCertificateKeyFile /etc/pki/tls/private/star.example.com.key<br />
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt<br />
#SSLCARevocationFile /etc/pki/tls/certs/LatestCRL.pem<br />
<br />
# require client certs<br />
#SSLVerifyClient require<br />
#SSLVerifyDepth 10<br />
#SSLCACertificateFile /etc/pki/tls/certs/companyCA.crt<br />
<br />
# logging<br />
ErrorLog logs/syslog1-error_log<br />
# for log analyzers<br />
CustomLog logs/syslog1-access_log combined<br />
# for humans<br />
CustomLog logs/syslog1-custom_log custom<br />
</VirtualHost><br />
<br />
=== httpd.conf Example ===<br />
We change the following lines in the default ssl.conf file<br />
Note: for ent 7, the last line is Include conf.vhost.d/*.conf<br />
ServerTokens Prod<br />
<br />
KeepAlive On<br />
<br />
#LoadModule authn_file_module modules/mod_authn_file.so<br />
#LoadModule authn_alias_module modules/mod_authn_alias.so<br />
#LoadModule authn_anon_module modules/mod_authn_anon.so<br />
#LoadModule authn_dbm_module modules/mod_authn_dbm.so<br />
<br />
#LoadModule authz_owner_module modules/mod_authz_owner.so<br />
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so<br />
#LoadModule authz_dbm_module modules/mod_authz_dbm.so<br />
<br />
#LoadModule ldap_module modules/mod_ldap.so<br />
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so<br />
#LoadModule include_module modules/mod_include.so<br />
<br />
#LoadModule logio_module modules/mod_logio.so<br />
#LoadModule env_module modules/mod_env.so<br />
#LoadModule ext_filter_module modules/mod_ext_filter.so<br />
<br />
#LoadModule expires_module modules/mod_expires.so<br />
<br />
#LoadModule dav_module modules/mod_dav.so<br />
<br />
#LoadModule dav_fs_module modules/mod_dav_fs.so<br />
#LoadModule vhost_alias_module modules/mod_vhost_alias.so<br />
#LoadModule negotiation_module modules/mod_negotiation.so<br />
<br />
#LoadModule actions_module modules/mod_actions.so<br />
#LoadModule speling_module modules/mod_speling.so<br />
#LoadModule userdir_module modules/mod_userdir.so<br />
<br />
#LoadModule substitute_module modules/mod_substitute.so<br />
#LoadModule rewrite_module modules/mod_rewrite.so<br />
#LoadModule proxy_module modules/mod_proxy.so<br />
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so<br />
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so<br />
#LoadModule proxy_http_module modules/mod_proxy_http.so<br />
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so<br />
#LoadModule proxy_connect_module modules/mod_proxy_connect.so<br />
<br />
#LoadModule suexec_module modules/mod_suexec.so<br />
<br />
#LoadModule cgi_module modules/mod_cgi.so<br />
#LoadModule version_module modules/mod_version.so<br />
<br />
Include conf.d-run/*.conf<br />
<br />
ExtendedStatus On<br />
<br />
Options FollowSymLinks<br />
<br />
<Directory /home/httpd/*/public_html><br />
AllowOverride None<br />
Options FollowSymLinks<br />
<Limit GET POST OPTIONS><br />
Order allow,deny<br />
Allow from all<br />
</Limit><br />
<LimitExcept GET POST OPTIONS><br />
Order deny,allow<br />
Deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ts # %h (%a) %u \"%{User-Agent}i\"" custom<br />
#LogFormat "%t \"%v -> %U\" \"%{Referer}i %r\" %>s %Bb %Ob %Ts # %h (%a) %Ib %u \"%{User-Agent}i\"" customio<br />
<br />
ServerSignature Off<br />
<br />
Options MultiViews FollowSymLinks<br />
<br />
#AddLanguage ca .ca<br />
#AddLanguage cs .cz .cs<br />
#AddLanguage da .dk<br />
#AddLanguage de .de<br />
#AddLanguage el .el<br />
#AddLanguage en .en<br />
#AddLanguage eo .eo<br />
#AddLanguage es .es<br />
#AddLanguage et .et<br />
#AddLanguage fr .fr<br />
#AddLanguage he .he<br />
#AddLanguage hr .hr<br />
#AddLanguage it .it<br />
#AddLanguage ja .ja<br />
#AddLanguage ko .ko<br />
#AddLanguage ltz .ltz<br />
#AddLanguage nl .nl<br />
#AddLanguage nn .nn<br />
#AddLanguage no .no<br />
#AddLanguage pl .po<br />
#AddLanguage pt .pt<br />
#AddLanguage pt-BR .pt-br<br />
#AddLanguage ru .ru<br />
#AddLanguage sv .sv<br />
#AddLanguage zh-CN .zh-cn<br />
#AddLanguage zh-TW .zh-tw<br />
<br />
#LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW<br />
<br />
#ForceLanguagePriority Prefer Fallback<br />
<br />
#AddHandler type-map var<br />
<br />
#AddType text/html .shtml<br />
#AddOutputFilter INCLUDES .shtml<br />
<br />
<Location /server-status><br />
SetHandler server-status<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
<Location /server-info><br />
SetHandler server-info<br />
Order deny,allow<br />
Deny from all<br />
Allow from 127.0.0.1 10.117.100<br />
</Location><br />
<br />
# Security Directives<br />
# note: FileETag changes break DAV<br />
FileETag MTime Size<br />
TraceEnable Off<br />
Header always append X-Frame-Options SAMEORIGIN<br />
<br />
Include conf/vhost.d/*<br />
<br />
=== SSL Example ===<br />
We change the following lines in the default ssl.conf file (make sure there is no SSLProtocol & SSLCipherSuite lines in any VirtualHost configurations, or setting the default SSLProtocol & SSLCipherSuite lines in ssl.conf have no effect)<br><br />
Note: for ent 7, the last line is Include conf.vhost-ssl.d/*.conf<br />
#<VirtualHost _default_:443><br />
<br />
#SSLEngine on<br />
<br />
SSLProtocol all -SSLv2 -SSLv3<br />
<br />
Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"<br />
SSLInsecureRenegotiation off<br />
SSLHonorCipherOrder on<br />
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"<br />
<br />
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt<br />
<br />
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key<br />
<br />
#<Files ~ ".(cgi|shtml|phtml|php3?)$"><br />
# SSLOptions +StdEnvVars<br />
#</Files><br />
#<Directory "/var/www/cgi-bin"><br />
# SSLOptions +StdEnvVars<br />
#</Directory><br />
<br />
#</VirtualHost><br />
<br />
Include conf/vhost-ssl.d/*<br />
<br />
=== Files/Directories Layout ===<br />
<br />
Files<br />
<br />
(before ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (available from subversion)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (available from subversion)<br />
/etc/httpd/conf/vhost-ssl.d/0-mask (mask config & NameVirtualhost setting)<br />
/etc/httpd/conf/vhost-ssl.d/`hostname -s` (default virtual host config)<br />
<br />
(ent 7)<br />
/etc/httpd/conf/httpd.conf - main config (minimal config - see conf.d-run (active/in use) or /usr/share/doc/httpd-2.4.*/ (not active) for others, available from subversion)<br />
/etc/httpd/conf.d-run/ssl.conf - ssl config (ssl related directives, available from subversion)<br />
/etc/httpd/conf.d-run/ - additional config files of misc Directives (/home/httpd perms, apache TimeOuts, status pages settings, etc.)<br />
/etc/httpd/conf.vhost-ssl.d/0-mask.conf (mask config & NameVirtualhost setting)<br />
/etc/httpd/conf.vhost-ssl.d/`hostname -s`.conf (default virtual host config)<br />
/etc/httpd/conf.modules.d-run/00-ssl.conf - ssl config (LoadModule setting only)<br />
/etc/httpd/conf.modules.d-run/ - additional LoadModule configs (needed to make apache function, proxy modules, etc.)<br />
<br />
Dirs<br />
<br />
Notes: The use of .d-run directories protects the currently configured apache from changes made by package updates and from insecure configuration files dropped in by the installation of new packages. We want such additions to be disabled by default, per policy. If a feature is needed, the file is copied from the corresponding .d directory to its .d-run equivalent (ex; from conf.d to conf.d-run).<br />
<br />
(before ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
| |-- vhost-ssl.d : (ssl virtual host files)<br />
| `-- vhost.d : (non-ssl virtual host files)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /var/run/httpd/)<br />
<br />
(ent 7)<br />
/etc/httpd/<br />
|-- conf : (main apache conf dir)<br />
|-- conf.d : (unused, new installs/updates go here)<br />
|-- conf.d-run : (real/runtime conf.d dir)<br />
|-- conf.modules.d : (unused, new installs/updates go here)<br />
|-- conf.modules.d-run : (real/runtime conf.modules.d dir)<br />
|-- conf.vhost-ssl.d : (ssl virtual host files)<br />
|-- conf.vhost.d : (non-ssl virtual host files)<br />
|-- logs : (link to /var/log/httpd/)<br />
|-- modules : (link to /usr/lib64/httpd/modules/)<br />
`-- run : (link to /run/httpd/)<br />
<br />
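Added example (POSIX sh, not one of this wiki's own scripts): an audit for the two rules above, the ssl.conf caveat that no SSLProtocol/SSLCipherSuite may appear inside a VirtualHost, and the .d-run policy that package-dropped files stay disabled until copied over. HTTPD_ROOT, the function names and the "audit" argument are this example's own choices; the paths it reads by default are the ent 7 layout listed above.<br />
<br />
```sh
#!/bin/sh
# Added example, not from the wiki page. Two read-only checks for the
# /etc/httpd layout described above; override the root with $HTTPD_ROOT.
HTTPD_ROOT=${HTTPD_ROOT:-/etc/httpd}

# vhost_overrides DIR...: print "file: directive" for every SSLProtocol or
# SSLCipherSuite line found inside a <VirtualHost> block in the given
# directories. Any such line silently overrides the defaults in ssl.conf.
vhost_overrides() {
    for d in "$@"; do
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            # awk tracks whether the current line is inside <VirtualHost ...>
            # ... </VirtualHost>; commented-out "#<VirtualHost" lines do not count.
            awk -v file="$f" '
                /^[ \t]*<VirtualHost/  { invh = 1 }
                /^[ \t]*<\/VirtualHost/ { invh = 0 }
                invh && /^[ \t]*(SSLProtocol|SSLCipherSuite)[ \t]/ {
                    sub(/^[ \t]+/, ""); print file ": " $0
                }' "$f"
        done
    done
}

# disabled_additions DDIR RUNDIR: list files present in the package-managed
# .d directory but absent from the .d-run directory, i.e. additions that the
# .d-run policy leaves disabled until someone copies them over deliberately.
disabled_additions() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ -e "$2/$(basename "$f")" ] || echo "disabled: $f"
    done
}

# "audit" runs both checks against the ent 7 layout
if [ "${1:-}" = "audit" ]; then
    vhost_overrides "$HTTPD_ROOT/conf.vhost-ssl.d" "$HTTPD_ROOT/conf.d-run"
    disabled_additions "$HTTPD_ROOT/conf.d" "$HTTPD_ROOT/conf.d-run"
    disabled_additions "$HTTPD_ROOT/conf.modules.d" "$HTTPD_ROOT/conf.modules.d-run"
fi
```
<br />
Run it as `sh audit.sh audit` after `service httpd configtest`; an empty result means ssl.conf's defaults really are in force and nothing new has appeared in conf.d or conf.modules.d since the last review.<br />
<br />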
=== Apache Quick Reference ===<br />
<br />
Commands<br />
<br />
Preferred Restart (does not disconnect users/no downtime)<br />
# service httpd graceful<br />
<br />
Status<br />
# service httpd status<br />
<br />
Test Configuration<br />
# service httpd configtest<br />
<br />
Misc Settings<br />
<br />
Port 80/http redirect to https<br />
Redirect Permanent / https://wiki.example.com/<br />
<br />
redirect to login page<br />
Redirect Permanent / https://beagle.example.com/WORMS/login.htm<br />
<br />
Enable compression<br />
SetOutputFilter DEFLATE<br />
<br />
Interesting URLs<br />
https://hostname/apache-status (current traffic)<br />
https://hostname/apache-info (configuration)</div>Supporthttp://thelinuxsource.org/index.php/LVMLVM2017-10-22T01:08:00Z<p>Support: </p>
<hr />
<div>(all of these apply to both VM and physical systems)<br />
<br />
=== Resizing Existing Mountpoints (adding more space) ===<br />
1. if this is Enterprise 3 or older, umount partition (not needed under Ent 4 and newer)<br />
# umount /home/arsystem<br />
<br />
2. check free space available<br />
# vgdisplay pri | grep "Free PE"<br />
Free PE / Size 1413 / 44.16 GB<br />
<br />
3. add desired space to partition<br />
Ent 7<br />
# lvextend -l +1413 -r /dev/pri/arsystem<br />
OR<br />
# lvextend -l +1413 /dev/pri/arsystem<br />
# xfs_growfs /dev/pri/arsystem<br />
<br />
Ent 5/6<br />
# lvextend -l +1413 -r /dev/pri/arsystem<br />
OR<br />
# lvextend -l +1413 /dev/pri/arsystem<br />
# resize2fs /dev/pri/arsystem<br />
<br />
Ent 4 only (e2fsadm not avail on Ent 4);<br />
# lvextend -l +1413 /dev/pri/arsystem<br />
# ext2online /dev/pri/arsystem<br />
<br />
Ent 3 only;<br />
# e2fsadm -l +1413 /dev/pri/arsystem<br />
Note: if you run this command and the fsck gives errors, fix the errors by running fsck manually, and then run the command again (it will not do its resizing until fsck runs cleanly)<br />
<br />
4. if this is Ent 3 or older, mount partition (not needed under Ent 4 and newer)<br />
# mount /home/arsystem<br />
<br />
=== Resizing Existing Mountpoints (reducing space) ===<br />
1. if this is Ent 3 or older, umount partition (not needed under Ent 4 and newer)<br />
# umount /home/arsystem<br />
<br />
2. check free space available<br />
# df -h | grep arsystem<br />
/dev/mapper/pri-arsystem 199G 13M 198G 1% /home/arsystem<br />
<br />
3. set desired space of partition<br />
Ent 7<br />
NOTE: if reducing xfs, back up your data first: xfs cannot be shrunk, so the filesystem has to be recreated and everything on it will be lost!<br />
# lvreduce -L 10G /dev/pri/arsystem<br />
# mkfs -t xfs /dev/pri/arsystem<br />
<br />
Ent 5/6 (ext3/ext4 must be shrunk before the LV and cannot be shrunk while mounted; -r runs fsck and resize2fs first, then lvreduce)<br />
# umount /home/arsystem<br />
# lvreduce -L 10G -r /dev/pri/arsystem<br />
# mount /home/arsystem<br />
<br />
Ent 4 only (e2fsadm not avail on Ent 4, and ext2online can only grow; shrink the filesystem offline with resize2fs first, then reduce the LV);<br />
# umount /home/arsystem<br />
# e2fsck -f /dev/pri/arsystem<br />
# resize2fs /dev/pri/arsystem 10G<br />
# lvreduce -L 10G /dev/pri/arsystem<br />
# mount /home/arsystem<br />
<br />
Ent 3 only;<br />
# e2fsadm -L 10G /dev/pri/arsystem<br />
Note: if you run this command and the fsck gives errors, fix the errors by running fsck manually, and then run the command again (it will not do its resizing until fsck runs cleanly)<br />
<br />
4. if this is Ent 3 or older, mount partition (not needed under Ent 4 and newer)<br />
# mount /home/arsystem<br />
<br />
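Added example (POSIX sh, not from this page): a dry-run planner for the two resize procedures above. It prints the commands in the order they have to run and touches no volume: growing is LV first and then filesystem, shrinking is filesystem first (offline, after a forced fsck) and then LV, and xfs refuses to shrink at all. The function names, the constructed vgdisplay sample and the "demo" argument are this example's own; the LV path and sizes are the page's.<br />
<br />
```sh
#!/bin/sh
# Added example, not from the wiki page: plan an LVM resize without running it.

# Constructed sample of `vgdisplay pri | grep "Free PE"` output, as on the page
SAMPLE_FREE_PE='  Free PE / Size       1413 / 44.16 GB'

# free_pe: read vgdisplay output on stdin, print the free extent count
free_pe() {
    sed -n 's|.*Free PE / Size[[:space:]]*\([0-9][0-9]*\) /.*|\1|p'
}

# lv_fstype LV: filesystem type of a logical volume (needs root; not exercised
# by the tests, shown for use on a real system)
lv_fstype() {
    blkid -o value -s TYPE "$1"
}

# plan_extend LV FSTYPE EXTENTS: grow the LV, then the filesystem. xfs and
# ext3/ext4 both grow online, so the mountpoint stays mounted (Ent 4 and newer).
plan_extend() {
    lv=$1 fstype=$2 extents=$3
    case $fstype in
        xfs)            grow="xfs_growfs $lv" ;;
        ext2|ext3|ext4) grow="resize2fs $lv" ;;
        *) echo "plan_extend: unsupported filesystem '$fstype'" >&2; return 1 ;;
    esac
    printf '%s\n' "lvextend -l +$extents $lv" "$grow"
}

# plan_reduce LV FSTYPE SIZE: the opposite order. The filesystem is shrunk
# first, unmounted and after a forced fsck; only then is the LV cut down,
# otherwise the tail of the filesystem is destroyed. xfs cannot shrink, which
# is the page's "back up and recreate" case.
plan_reduce() {
    lv=$1 fstype=$2 size=$3
    case $fstype in
        xfs)
            echo "plan_reduce: xfs cannot be shrunk; back up, lvreduce, mkfs -t xfs, restore" >&2
            return 1 ;;
        ext2|ext3|ext4)
            printf '%s\n' "umount $lv" "e2fsck -f $lv" "resize2fs $lv $size" "lvreduce -L $size $lv" ;;
        *) echo "plan_reduce: unsupported filesystem '$fstype'" >&2; return 1 ;;
    esac
}

# "demo": grow /dev/pri/arsystem (xfs) by all free extents from the sample
if [ "${1:-}" = "demo" ]; then
    pe=$(printf '%s\n' "$SAMPLE_FREE_PE" | free_pe)
    plan_extend /dev/pri/arsystem xfs "$pe"
fi
```
<br />
On a real host replace the sample with `vgdisplay pri | grep "Free PE" | free_pe` and the type with `lv_fstype /dev/pri/arsystem`, then read the plan before typing the commands; the planner deliberately never executes them.<br />
<br />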
=== Resizing SWAP ===<br />
1. unmount swap (the one you want to resize - 'usually' there is only one)<br />
# swapoff /dev/pri/swap<br />
<br />
2. check free space, then add desired space to partition<br />
# vgdisplay pri | grep "Free PE"<br />
Free PE / Size 1413 / 44.16 GB<br />
# lvextend -L +4g /dev/pri/swap<br />
<br />
3. rebuild swap filesystem (there is no swap resize command)<br />
# mkswap /dev/pri/swap<br />
<br />
4. re-enable swap<br />
# swapon /dev/pri/swap<br />
<br />
5. verify using 'free' command that new size is in use<br />
# free | grep Swap<br />
Swap: 4192924 0 4192924<br />
<br />
=== Adding Partitions (existing space available) ===<br />
1. create new logical volume;<br />
# lvcreate -L 8G -n arsystem pri<br />
OR;<br />
to use all of the remaining space, check "Free PE" from vgdisplay, then use -l option instead of -L, example;<br />
# vgdisplay pri | grep "Free PE"<br />
Free PE / Size 1413 / 44.16 GB<br />
# lvcreate -l 1413 -n arsystem pri<br />
<br />
2. create filesystem;<br />
Ent 7<br />
# mkfs -t xfs /dev/pri/arsystem<br />
Ent 6<br />
# mkfs -t ext4 /dev/pri/arsystem<br />
Ent 5 or earlier<br />
# mkfs -t ext3 /dev/pri/arsystem<br />
<br />
3. make mountpoint;<br />
# mkdir /home/arsystem<br />
<br />
4. add to fstab;<br />
# vi /etc/fstab<br />
<br />
5. test fstab entry by mounting w/fstab info;<br />
# mount /home/arsystem<br />
<br />
=== Removing Partitions (for re-allocating/freeing up space) ===<br />
1. umount partition<br />
# umount /u001<br />
<br />
2. remove LVM volume<br />
# lvremove /dev/pri/u001<br />
<br />
3. remove from fstab<br />
# vi /etc/fstab<br />
<br />
=== Snapshot Partitions ===<br />
create a snapshot of an existing LVM partition<br />
# lvcreate -L 1G -s -n remedyss /dev/pri/remedy<br />
Note: this can now be mounted and used to back up this frozen copy of your filesystem. To remove when done, follow Removing Partitions (above)<br />
<br />
=== Restore Snapshots ===<br />
1. unmount the partition to make sure nothing else can write to it while restoring<br />
# umount /dev/pri/remedy<br />
2. merge the snapshot back into the original partition<br />
# lvconvert --merge /dev/pri/remedyss<br />
<br />
=== Adding New Drives (existing space NOT available) ===<br />
(this step assumes you added a new drive, whether physical for a physical sys, or virtual for a virtual sys)<br />
1. create a single partition as type LVM (8e) for the whole drive<br />
# fdisk /dev/sdb<br />
Note: if the new drive was added to a 'live' system, and it is not showing under 'fdisk -l', rescan with (may need to do this with more than host0, i.e. host0, host1, etc.):<br />
# echo "- - -" > /sys/class/scsi_host/host0/scan<br />
<br />
2. initialize new drive as LVM<br />
# pvcreate /dev/sdb1<br />
<br />
3. add new drive to the existing volume group (or create a new volume group)<br />
# vgextend pri /dev/sdb1<br />
OR<br />
# vgcreate sec /dev/sdb1<br />
<br />
=== Renaming Volume Group & Logical Volume Names ===<br />
*Rename Logical Volume (partition name)*<br />
# lvrename /dev/pri/HomeVol home<br />
(make sure to update fstab with the change)<br />
<br />
*Rename Volume Group*<br />
# vgrename VolGroup00 pri<br />
(make sure to update fstab with the change)</div>Supporthttp://thelinuxsource.org/index.php/LVMLVM2017-10-22T00:32:45Z<p>Support: </p>
<hr />
<div>(all of these apply to both VM and physical systems)<br />
<br />
=== Resizing Existing Mountpoints (adding more space) ===<br />
1. if this is Enterprise 3 or older, umount partition (not needed under Ent 4 and newer)<br />
# umount /home/arsystem<br />
<br />
2. check free space available<br />
# vgdisplay pri | grep "Free PE"<br />
Free PE / Size 1413 / 44.16 GB<br />
<br />
3. add desired space to partition<br />
Ent 7<br />
# lvextend -l +1413 -r /dev/pri/arsystem<br />
OR<br />
# lvextend -l +1413 /dev/pri/arsystem<br />
# xfs_growfs /dev/pri/arsystem<br />
<br />
Ent 5/6<br />
# lvextend -l +1413 -r /dev/pri/arsystem<br />
OR<br />
# lvextend -l +1413 /dev/pri/arsystem<br />
# resize2fs /dev/pri/arsystem<br />
<br />
Ent 4 only (e2fsadm not avail on Ent 4);<br />
# lvextend -l +1413 /dev/pri/arsystem<br />
# ext2online /dev/pri/arsystem<br />
<br />
Ent 3 only;<br />
# e2fsadm -l +1413 /dev/pri/arsystem<br />
Note: if you run this command and the fsck gives errors, fix the errors by running fsck manually, and then run the command again (it will not do its resizing until fsck runs cleanly)<br />
<br />
4. if this is Ent 3 or older, mount partition (not needed under Ent 4 and newer)<br />
# mount /home/arsystem<br />
<br />
=== Resizing Existing Mountpoints (reducing space) ===<br />
1. if this is Ent 3 or older, umount partition (not needed under Ent 4 and newer)<br />
# umount /home/arsystem<br />
<br />
2. check free space available<br />
# df -h | grep arsystem<br />
/dev/mapper/pri-arsystem 199G 13M 198G 1% /home/arsystem<br />
<br />
3. set desired space of partition<br />
Ent 7<br />
NOTE: if reducing xfs, back up your data first: xfs cannot be shrunk, so the filesystem has to be recreated and everything on it will be lost!<br />
# lvreduce -L 10G /dev/pri/arsystem<br />
# mkfs -t xfs /dev/pri/arsystem<br />
<br />
Ent 5/6 (ext3/ext4 must be shrunk before the LV and cannot be shrunk while mounted; -r runs fsck and resize2fs first, then lvreduce)<br />
# umount /home/arsystem<br />
# lvreduce -L 10G -r /dev/pri/arsystem<br />
# mount /home/arsystem<br />
<br />
Ent 4 only (e2fsadm not avail on Ent 4, and ext2online can only grow; shrink the filesystem offline with resize2fs first, then reduce the LV);<br />
# umount /home/arsystem<br />
# e2fsck -f /dev/pri/arsystem<br />
# resize2fs /dev/pri/arsystem 10G<br />
# lvreduce -L 10G /dev/pri/arsystem<br />
# mount /home/arsystem<br />
<br />
Ent 3 only;<br />
# e2fsadm -L 10G /dev/pri/arsystem<br />
Note: if you run this command and the fsck gives errors, fix the errors by running fsck manually, and then run the command again (it will not do its resizing until fsck runs cleanly)<br />
<br />
4. if this is Ent 3 or older, mount partition (not needed under Ent 4 and newer)<br />
# mount /home/arsystem<br />
<br />
=== Resizing SWAP ===<br />
1. unmount swap (the one you want to resize - 'usually' there is only one)<br />
# swapoff /dev/pri/swap<br />
<br />
2. check free space, then add desired space to partition<br />
# vgdisplay pri | grep "Free PE"<br />
Free PE / Size 1413 / 44.16 GB<br />
# lvextend -L +4g /dev/pri/swap<br />
<br />
3. rebuild swap filesystem (there is no swap resize command)<br />
# mkswap /dev/pri/swap<br />
<br />
4. re-enable swap<br />
# swapon /dev/pri/swap<br />
<br />
5. verify using 'free' command that new size is in use<br />
# free | grep Swap<br />
Swap: 4192924 0 4192924<br />
<br />
=== Adding Partitions (existing space available) ===<br />
1. create new logical volume;<br />
# lvcreate -L 8G -n arsystem pri<br />
OR;<br />
to use all of the remaining space, check "Free PE" from vgdisplay, then use -l option instead of -L, example;<br />
# vgdisplay pri | grep "Free PE"<br />
Free PE / Size 1413 / 44.16 GB<br />
# lvcreate -l 1413 -n arsystem pri<br />
<br />
2. create filesystem;<br />
Ent 7<br />
# mkfs -t xfs /dev/pri/arsystem<br />
Ent 6<br />
# mkfs -t ext4 /dev/pri/arsystem<br />
Ent 5 or earlier<br />
# mkfs -t ext3 /dev/pri/arsystem<br />
<br />
3. make mountpoint;<br />
# mkdir /home/arsystem<br />
<br />
4. add to fstab;<br />
# vi /etc/fstab<br />
<br />
5. test fstab entry by mounting w/fstab info;<br />
# mount /home/arsystem<br />
<br />
=== Removing Partitions (for re-allocating/freeing up space) ===<br />
1. umount partition<br />
# umount /u001<br />
<br />
2. remove LVM volume<br />
# lvremove /dev/pri/u001<br />
<br />
3. remove from fstab<br />
# vi /etc/fstab<br />
<br />
=== Snapshot Partitions ===<br />
create a snapshot of an existing LVM partition<br />
# lvcreate -L1G -s -n remedyss /dev/pri/remedy<br />
Note: this can now be mounted and used to back up this frozen copy of your filesystem. To remove when done, follow Removing Partitions (above)<br />
<br />
=== Restore Snapshots ===<br />
1. unmount the partition to make sure nothing else can write to it while restoring<br />
# umount /dev/pri/remedy<br />
2. merge the snapshot back into the original partition<br />
# lvconvert --merge /dev/pri/remedyss<br />
<br />
=== Adding New Drives (existing space NOT available) ===<br />
(this step assumes you added a new drive, whether physical for a physical sys, or virtual for a virtual sys)<br />
1. create a single partition as type LVM (8e) for the whole drive<br />
# fdisk /dev/sdb<br />
Note: if the new drive was added to a 'live' system, and it is not showing under 'fdisk -l', rescan with (may need to do this with more than host0, i.e. host0, host1, etc.):<br />
# echo "- - -" > /sys/class/scsi_host/host0/scan<br />
<br />
2. initialize new drive as LVM<br />
# pvcreate /dev/sdb1<br />
<br />
3. add new drive to the existing volume group (or create a new volume group)<br />
# vgextend pri /dev/sdb1<br />
OR<br />
# vgcreate sec /dev/sdb1<br />
<br />
=== Renaming Volume Group & Logical Volume Names ===<br />
*Rename Logical Volume (partition name)*<br />
# lvrename /dev/pri/HomeVol home<br />
(make sure to update fstab with the change)<br />
<br />
*Rename Volume Group*<br />
# vgrename VolGroup00 pri<br />
(make sure to update fstab with the change)</div>Supporthttp://thelinuxsource.org/index.php/LVMLVM2017-10-21T23:57:59Z<p>Support: </p>
<hr />
<div>(all of these apply to both VM and physical systems)<br />
<br />
=== Resizing Existing Mountpoints (adding more space) ===<br />
1. if this is Enterprise 3 or older, umount partition (not needed under Ent 4 and newer)<br />
# umount /home/arsystem<br />
<br />
2. check free space available<br />
# vgdisplay pri | grep "Free PE"<br />
Free PE / Size 1413 / 44.16 GB<br />
<br />
3. add desired space to partition<br />
Ent 7<br />
# lvextend -l +1413 -r /dev/pri/arsystem<br />
OR<br />
# lvextend -l +1413 /dev/pri/arsystem<br />
# xfs_growfs /dev/pri/arsystem<br />
<br />
Ent 5/6<br />
# lvextend -l +1413 -r /dev/pri/arsystem<br />
OR<br />
# lvextend -l +1413 /dev/pri/arsystem<br />
# resize2fs /dev/pri/arsystem<br />
<br />
Ent 4 only (e2fsadm not avail on Ent 4);<br />
# lvextend -l +1413 /dev/pri/arsystem<br />
# ext2online /dev/pri/arsystem<br />
<br />
Ent 3 only;<br />
# e2fsadm -l +1413 /dev/pri/arsystem<br />
Note: if you run this command and the fsck gives errors, fix the errors by running fsck manually, and then run the command again (it will not do its resizing until fsck runs cleanly)<br />
<br />
4. if this is Ent 3 or older, mount partition (not needed under Ent 4 and newer)<br />
# mount /home/arsystem<br />
<br />
=== Resizing Existing Mountpoints (reducing space) ===<br />
1. if this is Ent 3 or older, umount partition (not needed under Ent 4 and newer)<br />
# umount /home/arsystem<br />
<br />
2. check free space available<br />
# df -h | grep arsystem<br />
/dev/mapper/pri-arsystem 199G 13M 198G 1% /home/arsystem<br />
<br />
3. set desired space of partition<br />
Ent 7<br />
NOTE: if reducing xfs, back up your data first: xfs cannot be shrunk, so the filesystem has to be recreated and everything on it will be lost!<br />
# lvreduce -L 10G /dev/pri/arsystem<br />
# mkfs -t xfs /dev/pri/arsystem<br />
<br />
Ent 5/6 (ext3/ext4 must be shrunk before the LV and cannot be shrunk while mounted; -r runs fsck and resize2fs first, then lvreduce)<br />
# umount /home/arsystem<br />
# lvreduce -L 10G -r /dev/pri/arsystem<br />
# mount /home/arsystem<br />
<br />
Ent 4 only (e2fsadm not avail on Ent 4, and ext2online can only grow; shrink the filesystem offline with resize2fs first, then reduce the LV);<br />
# umount /home/arsystem<br />
# e2fsck -f /dev/pri/arsystem<br />
# resize2fs /dev/pri/arsystem 10G<br />
# lvreduce -L 10G /dev/pri/arsystem<br />
# mount /home/arsystem<br />
<br />
Ent 3 only;<br />
# e2fsadm -L 10G /dev/pri/arsystem<br />
Note: if you run this command and the fsck gives errors, fix the errors by running fsck manually, and then run the command again (it will not do its resizing until fsck runs cleanly)<br />
<br />
4. if this is Ent 3 or older, mount partition (not needed under Ent 4 and newer)<br />
# mount /home/arsystem<br />
<br />
=== Resizing SWAP ===<br />
1. unmount swap (the one you want to resize - 'usually' there is only one)<br />
# swapoff /dev/pri/swap<br />
<br />
2. check free space, then add desired space to partition<br />
# vgdisplay pri | grep "Free PE"<br />
Free PE / Size 1413 / 44.16 GB<br />
# lvextend -L +4g /dev/pri/swap<br />
<br />
3. rebuild swap filesystem (there is no swap resize command)<br />
# mkswap /dev/pri/swap<br />
<br />
4. re-enable swap<br />
# swapon /dev/pri/swap<br />
<br />
5. verify using 'free' command that new size is in use<br />
# free | grep Swap<br />
Swap: 4192924 0 4192924<br />
<br />
=== Adding Partitions (existing space available) ===<br />
1. create new logical volume;<br />
# lvcreate -L 8G -n arsystem pri<br />
OR;<br />
to use all of the remaining space, check "Free PE" from vgdisplay, then use -l option instead of -L, example;<br />
# vgdisplay pri | grep "Free PE"<br />
Free PE / Size 1413 / 44.16 GB<br />
# lvcreate -l 1413 -n arsystem pri<br />
<br />
2. create filesystem;<br />
Ent 7<br />
# mkfs -t xfs /dev/pri/arsystem<br />
Ent 6<br />
# mkfs -t ext4 /dev/pri/arsystem<br />
Ent 5 or earlier<br />
# mkfs -t ext3 /dev/pri/arsystem<br />
<br />
3. make mountpoint;<br />
# mkdir /home/arsystem<br />
<br />
4. add to fstab;<br />
# vi /etc/fstab<br />
<br />
5. test fstab entry by mounting w/fstab info;<br />
# mount /home/arsystem<br />
<br />
=== Removing Partitions (for re-allocating/freeing up space) ===<br />
1. umount partition<br />
# umount /u001<br />
<br />
2. remove LVM volume<br />
# lvremove /dev/pri/u001<br />
<br />
3. remove from fstab<br />
# vi /etc/fstab<br />
<br />
=== Snapshot Partitions ===<br />
create a snapshot of an existing LVM partition<br />
# lvcreate -L1G -s -n remedyss /dev/pri/remedy<br />
Note: this can now be mounted and used to back up this frozen copy of your filesystem. To remove when done, follow Removing Partitions (above)<br />
<br />
<br />
=== Adding New Drives (existing space NOT available) ===<br />
(this step assumes you added a new drive, whether physical for a physical sys, or virtual for a virtual sys)<br />
1. create a single partition as type LVM (8e) for the whole drive<br />
# fdisk /dev/sdb<br />
Note: if the new drive was added to a 'live' system, and it is not showing under 'fdisk -l', rescan with (may need to do this with more than host0, i.e. host0, host1, etc.):<br />
# echo "- - -" > /sys/class/scsi_host/host0/scan<br />
<br />
2. initialize new drive as LVM<br />
# pvcreate /dev/sdb1<br />
<br />
3. add new drive to the existing volume group (or create a new volume group)<br />
# vgextend pri /dev/sdb1<br />
OR<br />
# vgcreate sec /dev/sdb1<br />
<br />
=== Renaming Volume Group & Logical Volume Names ===<br />
*Rename Logical Volume (partition name)*<br />
# lvrename /dev/pri/HomeVol home<br />
(make sure to update fstab with the change)<br />
<br />
*Rename Volume Group*<br />
# vgrename VolGroup00 pri<br />
(make sure to update fstab with the change)</div>Supporthttp://thelinuxsource.org/index.php/Convert_RH/OL_To_CentOSConvert RH/OL To CentOS2017-06-14T21:50:13Z<p>Support: </p>
<hr />
<div>Note: 'cat /etc/redhat-release' shows RedHat or Oracle before these steps<br />
<br />
1. browse to the centos repo to get the link for the latest centos-release package, right-click/copy link/url<br />
http://mirror.centos.org/centos/5/os/x86_64/CentOS<br />
http://mirror.centos.org/centos/6/os/x86_64/Packages<br />
http://mirror.centos.org/centos/7/os/x86_64/Packages<br />
2. wget the package/url (may need to specify a proxy, or use 'curl --proxy sc9-proxy.example.net:3128 -O http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-8.el6.centos.12.3.x86_64.rpm')<br />
ENT 5<br />
# wget http://mirror.centos.org/centos/5/os/x86_64/CentOS/centos-release-5-11.el5.centos.x86_64.rpm<br />
# wget http://mirror.centos.org/centos/5/os/x86_64/CentOS/centos-release-notes-5.11-0.x86_64.rpm<br />
ENT 6<br />
# wget http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-9.el6.centos.12.3.x86_64.rpm<br />
ENT 7<br />
# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-3.1611.el7.centos.x86_64.rpm<br />
3. install centos-release (plus release notes dependency for RedHat 5) and remove redhat-release<br><br />
Note: 'cat /etc/redhat-release' shows CentOS after this step<br />
RedHat 5<br />
# rpm -i --force centos-release-5-11.el5.centos.x86_64.rpm centos-release-notes-5.11-0.x86_64.rpm<br />
# rpm -e redhat-release-5Server redhat-release-notes-5Server<br />
RedHat 6<br />
# rpm -i --force centos-release-6-9.el6.centos.12.3.x86_64.rpm<br />
# rpm -e redhat-release-server<br />
RedHat 7<br />
# rpm -e --nodeps redhat-release-server<br />
# rm -rf /usr/share/redhat-release /usr/share/doc/redhat-release /etc/system-release-cpe.rpmsave /etc/os-release.rpmsave<br />
# rpm -i --force centos-release-7-3.1611.el7.centos.2.10.x86_64.rpm<br />
4. the system can now be subscribed to the CentOS spacewalk channel with the --force option, or a CentOS-Base.repo file can be added as /etc/yum.repos.d/CentOS-Base.repo<br />
<br />
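Added example (POSIX sh, not from this page): a check to run between step 2 and step 3, before `rpm -i --force` installs a package fetched over plain http. Assumptions of this example, not statements of the page: the mirror publishes its signing key as RPM-GPG-KEY-CentOS-&lt;major&gt; beside the package directories, and `rpm -K` prints the result formats seen on rpm 4.8 (ent 6) and 4.11 (ent 7). The function names are this example's own.<br />
<br />
```sh
#!/bin/sh
# Added example, not from the wiki page: verify a downloaded centos-release
# package before it is force-installed.

# sig_verified LINE: succeed only when an `rpm -K` result line reports OK AND
# names a pgp/gpg signature, i.e. the signature was checked against an
# imported key. "sha1 md5 OK" alone means only the digests matched (unsigned
# package, or --nosignature); "NOT OK (MISSING KEYS: ...)" means the key has
# not been imported, so nothing is proven either way.
sig_verified() {
    line=$1
    case $line in
        *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*) return 1 ;;
    esac
    case $line in
        *" OK") ;;
        *) return 1 ;;
    esac
    case $line in
        *pgp*|*PGP*|*gpg*|*GPG*) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_release_rpm MAJOR FILE: import the key for CentOS MAJOR (5, 6 or 7)
# from the mirror (assumed key location, see lead-in), run rpm -K on FILE and
# judge the result. Needs root for the import; honours the usual http_proxy.
verify_release_rpm() {
    major=$1 file=$2
    key="http://mirror.centos.org/centos/$major/os/x86_64/RPM-GPG-KEY-CentOS-$major"
    rpm --import "$key" || return 1
    result=$(rpm -K "$file") || true      # rpm -K exits non-zero on NOT OK; parse anyway
    echo "$result"
    sig_verified "$result"
}

# usage: sh verify.sh check 7 centos-release-7-3.1611.el7.centos.x86_64.rpm
if [ "${1:-}" = "check" ] && [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
    verify_release_rpm "$2" "$3" && echo "signature verified, proceed with step 3"
fi
```
<br />
Only install when the function succeeds; a "md5 OK" without a pgp/gpg token looks reassuring in a terminal but proves nothing about who built the package.<br />
<br />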
5. remove additional RedHat packages and replace with corresponding CentOS packages<br />
RedHat 5<br />
# yum update redhat-logos<br />
# rpm -e redhat-support-tool redhat-support-lib-python redhat-menus htmlview Deployment_Guide-en-US <br />
NOTE: order is important for RPM dependencies<br />
RedHat 6<br />
# rpm -e --nodeps redhat-indexhtml<br />
# yum install centos-indexhtml<br />
# yum update redhat-logos<br />
# rpm -e redhat-support-tool redhat-support-lib-python redhat-access-insights subscription-manager<br />
If yum reports that lynx-2.x.x-xx.el6.x86_64 has missing requires of redhat-indexhtml:<br />
# yum reinstall lynx<br />
RedHat 7<br />
# rpm -e --nodeps redhat-indexhtml redhat-logos<br />
# yum install centos-indexhtml centos-logos<br />
# yum update abrt redhat-menus<br />
# rpm -e redhat-support-tool redhat-support-lib-python redhat-access-insights subscription-manager Red_Hat_Enterprise_Linux-Release_Notes-7-en-US</div>Supporthttp://thelinuxsource.org/index.php/Convert_RH/OL_To_CentOSConvert RH/OL To CentOS2017-06-14T20:53:05Z<p>Support: </p>
<hr />
<div>Note: 'cat /etc/redhat-release' shows RedHat or Oracle before these steps<br />
<br />
1. browse to the centos repo to get the link for the latest centos-release package, right-click/copy link/url<br />
http://mirror.centos.org/centos/5/os/x86_64/CentOS<br />
http://mirror.centos.org/centos/6/os/x86_64/Packages<br />
http://mirror.centos.org/centos/7/os/x86_64/Packages<br />
2. wget the package/url (may need to specify a proxy, or use 'curl --proxy sc9-proxy.example.net:3128 -O http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-8.el6.centos.12.3.x86_64.rpm')<br />
ENT 5<br />
# wget http://mirror.centos.org/centos/5/os/x86_64/CentOS/centos-release-5-11.el5.centos.x86_64.rpm<br />
# wget http://mirror.centos.org/centos/5/os/x86_64/CentOS/centos-release-notes-5.11-0.x86_64.rpm<br />
ENT 6<br />
# wget http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-9.el6.centos.12.3.x86_64.rpm<br />
ENT 7<br />
# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-3.1611.el7.centos.x86_64.rpm<br />
3. install centos-release (plus release notes dependency for RedHat 5) and remove redhat-release<br><br />
Note: 'cat /etc/redhat-release' shows CentOS after this step<br />
RedHat 5<br />
# rpm -i --force centos-release-5-11.el5.centos.x86_64.rpm centos-release-notes-5.11-0.x86_64.rpm<br />
# rpm -e redhat-release-5Server redhat-release-notes-5Server<br />
RedHat 6<br />
# rpm -i --force centos-release-6-9.el6.centos.12.3.x86_64.rpm<br />
# rpm -e redhat-release-server<br />
RedHat 7<br />
# rpm -e --nodeps redhat-release-server<br />
# rm -rf /usr/share/redhat-release /usr/share/doc/redhat-release /etc/system-release-cpe.rpmsave /etc/os-release.rpmsave<br />
# rpm -i --force centos-release-7-3.1611.el7.centos.2.10.x86_64.rpm<br />
4. the system can now be subscribed to the CentOS spacewalk channel with the --force option, or a CentOS-Base.repo file can be added as /etc/yum.repos.d/CentOS-Base.repo<br />
<br />
5. remove additional RedHat packages and replace with corresponding CentOS packages<br />
RedHat 5<br />
# yum update redhat-logos<br />
# rpm -e redhat-support-tool redhat-support-lib-python redhat-menus htmlview Deployment_Guide-en-US <br />
NOTE: order is important for RPM dependencies<br />
RedHat 6<br />
# rpm -e --nodeps redhat-indexhtml<br />
# yum install centos-indexhtml<br />
# yum update redhat-logos<br />
# rpm -e redhat-support-tool redhat-support-lib-python redhat-access-insights subscription-manager<br />
If yum reports that lynx-2.x.x-xx.el6.x86_64 has missing requires of redhat-indexhtml:<br />
# yum reinstall lynx<br />
RedHat 7<br />
# rpm -e --nodeps redhat-indexhtml redhat-logos<br />
# yum install centos-indexhtml centos-logos<br />
# yum update abrt redhat-menus<br />
# rpm -e redhat-support-tool redhat-support-lib-python redhat-access-insights subscription-manager</div>Supporthttp://thelinuxsource.org/index.php/Convert_RH/OL_To_CentOSConvert RH/OL To CentOS2017-06-14T20:48:51Z<p>Support: </p>
<hr />
<div>Note: 'cat /etc/redhat-release' shows RedHat or Oracle before these steps<br />
<br />
1. browse to the centos repo to get the link for the latest centos-release package, right-click/copy link/url<br />
http://mirror.centos.org/centos/5/os/x86_64/CentOS<br />
http://mirror.centos.org/centos/6/os/x86_64/Packages<br />
http://mirror.centos.org/centos/7/os/x86_64/Packages<br />
2. wget the package/url (may need to specify a proxy, or use 'curl --proxy sc9-proxy.example.net:3128 -O http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-8.el6.centos.12.3.x86_64.rpm')<br />
ENT 5<br />
# wget http://mirror.centos.org/centos/5/os/x86_64/CentOS/centos-release-5-11.el5.centos.x86_64.rpm<br />
# wget http://mirror.centos.org/centos/5/os/x86_64/CentOS/centos-release-notes-5.11-0.x86_64.rpm<br />
ENT 6<br />
# wget http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-9.el6.centos.12.3.x86_64.rpm<br />
ENT 7<br />
# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-3.1611.el7.centos.x86_64.rpm<br />
3. install centos-release (plus release notes dependency for RedHat 5) and remove redhat-release<br><br />
Note: 'cat /etc/redhat-release' shows CentOS after this step<br />
RedHat 5<br />
# rpm -i --force centos-release-5-11.el5.centos.x86_64.rpm centos-release-notes-5.11-0.x86_64.rpm<br />
# rpm -e redhat-release-5Server redhat-release-notes-5Server<br />
RedHat 6<br />
# rpm -i --force centos-release-6-8.el6.centos.12.3.x86_64.rpm<br />
# rpm -e redhat-release-server<br />
RedHat 7<br />
# rpm -e --nodeps redhat-release-server<br />
# rm -rf /usr/share/redhat-release /usr/share/doc/redhat-release /etc/system-release-cpe.rpmsave /etc/os-release.rpmsave<br />
# rpm -i --force centos-release-7-2.1511.el7.centos.2.10.x86_64.rpm<br />
4. the system can now be subscribed to the CentOS spacewalk channel with the --force option, or a CentOS-Base.repo file can be added as /etc/yum.repos.d/CentOS-Base.repo<br />
<br />
5. remove additional RedHat packages and replace with corresponding CentOS packages<br />
RedHat 5<br />
# yum update redhat-logos<br />
# rpm -e redhat-support-tool redhat-support-lib-python Deployment_Guide-en-US htmlview redhat-menus<br />
NOTE: order is important for RPM dependencies<br />
RedHat 6<br />
# rpm -e --nodeps redhat-indexhtml<br />
# yum install centos-indexhtml<br />
# yum update redhat-logos<br />
# rpm -e redhat-support-tool redhat-support-lib-python redhat-access-insights subscription-manager<br />
If yum reports that lynx-2.x.x-xx.el6.x86_64 has missing requires of redhat-indexhtml:<br />
# yum reinstall lynx<br />
RedHat 7<br />
# rpm -e --nodeps redhat-indexhtml redhat-logos<br />
# yum install centos-indexhtml centos-logos<br />
# yum update abrt redhat-menus<br />
# rpm -e redhat-support-tool redhat-support-lib-python redhat-access-insights subscription-manager</div>Supporthttp://thelinuxsource.org/index.php/Convert_RH/OL_To_CentOSConvert RH/OL To CentOS2017-06-14T20:38:10Z<p>Support: </p>
<hr />
<div>Notes: only tested on RedHat 6, currently adding RedHat 5 steps.<br><br />
'cat /etc/redhat-release' shows RedHat or Oracle before these steps<br />
<br />
1. browse to the centos repo to get the link for the latest centos-release package, right-click/copy link/url<br />
http://mirror.centos.org/centos/5/os/x86_64/CentOS<br />
http://mirror.centos.org/centos/6/os/x86_64/Packages<br />
http://mirror.centos.org/centos/7/os/x86_64/Packages<br />
2. wget the package/url (may need to specify a proxy, or use 'curl --proxy sc9-proxy.example.net:3128 -O http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-8.el6.centos.12.3.x86_64.rpm')<br />
ENT 5<br />
# wget http://mirror.centos.org/centos/5/os/x86_64/CentOS/centos-release-5-11.el5.centos.x86_64.rpm<br />
# wget http://mirror.centos.org/centos/5/os/x86_64/CentOS/centos-release-notes-5.11-0.x86_64.rpm<br />
ENT 6<br />
# wget http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-8.el6.centos.12.3.x86_64.rpm<br />
ENT 7<br />
# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-3.1611.el7.centos.x86_64.rpm<br />
3. install centos-release (plus release notes dependency for RedHat 5) and remove redhat-release<br><br />
Note: 'cat /etc/redhat-release' shows CentOS after this step<br />
RedHat 5<br />
# rpm -i --force centos-release-5-11.el5.centos.x86_64.rpm centos-release-notes-5.11-0.x86_64.rpm<br />
# rpm -e redhat-release-5Server redhat-release-notes-5Server<br />
RedHat 6<br />
# rpm -i --force centos-release-6-8.el6.centos.12.3.x86_64.rpm<br />
# rpm -e redhat-release-server<br />
RedHat 7<br />
# rpm -e --nodeps redhat-release-server<br />
# rm -rf /usr/share/redhat-release /usr/share/doc/redhat-release /etc/system-release-cpe.rpmsave /etc/os-release.rpmsave<br />
# rpm -i --force centos-release-7-2.1511.el7.centos.2.10.x86_64.rpm<br />
4. the system can now be subscribed to the CentOS spacewalk channel with the --force option, or a CentOS-Base.repo file can be added as /etc/yum.repos.d/CentOS-Base.repo<br />
<br />
5. remove additional RedHat packages and replace with corresponding CentOS packages<br />
RedHat 5<br />
# yum update redhat-logos<br />
# rpm -e redhat-support-tool redhat-support-lib-python Deployment_Guide-en-US htmlview redhat-menus<br />
NOTE: order is important for RPM dependencies<br />
RedHat 6<br />
# rpm -e --nodeps redhat-indexhtml<br />
# yum install centos-indexhtml<br />
# yum update redhat-logos<br />
# rpm -e redhat-support-tool redhat-support-lib-python redhat-access-insights subscription-manager<br />
If yum reports that lynx-2.x.x-xx.el6.x86_64 has missing requires of redhat-indexhtml:<br />
# yum reinstall lynx<br />
RedHat 7<br />
# rpm -e --nodeps redhat-indexhtml redhat-logos<br />
# yum install centos-indexhtml centos-logos<br />
# yum update abrt redhat-menus<br />
# rpm -e redhat-support-tool redhat-support-lib-python redhat-access-insights subscription-manager</div>Supporthttp://thelinuxsource.org/index.php/DistroDistro2017-06-14T19:59:28Z<p>Support: Created page with "CentOS RedHat OracleLinux Convert RH/OL To CentOS"</p>
<hr />
<div>[[CentOS]]<br />
<br />
[[RedHat]]<br />
<br />
[[OracleLinux]]<br />
<br />
[[Convert RH/OL To CentOS]]</div>Supporthttp://thelinuxsource.org/index.php/The_Linux_SourceThe Linux Source2017-06-14T19:57:57Z<p>Support: </p>
<hr />
<div>Welcome to The Linux Source<br />
<br />
Feel free to add pages/comments/etc.<br />
<br />
Due to excessive spam abuse, adding/editing/etc. now requires an approved login, which will also be verified via a valid email address. When creating an account, please state your desire to add appropriate Linux related content.<br />
<br />
Any Linux OS and any Linux subject matter is welcome here. If you do not see an appropriate section, please add one (though things may get reorganized/moved around from time to time as pages proliferate). If you have suggestions on the content or on how things are organized, we would appreciate your input.<br />
<br />
[[Notes]] <- read this first!! An overview of some of the info / steps covered in the documentation on this site (i.e. why you may not need/want to do all of the steps documented)<br />
<br />
<br />
[[ABRT]]<br />
<br />
[[Android]] - it runs Linux<br />
<br />
[[Apache]]<br />
<br />
[[Authorization]] - LDAP / IPA / Etc. (PAM?)<br />
<br />
[[Cert Mgmt]] - OpenSSL / Java / KeyTool<br />
<br />
[[Config Mgmt]] - Ansible / Puppet / Salt / Etc.<br />
<br />
[[Cron]]<br />
<br />
[[Database]]<br />
<br />
[[Distro]] - distro specific procedures<br />
<br />
[[DNS]] - Bind / Unbound / IPPlan / Etc.<br />
<br />
[[Docker]]<br />
<br />
[[Editors]] - VI / Etc.<br />
<br />
[[Filesystems]] - Disk / Filesystem / LVM / RAM disks / Etc.<br />
<br />
[[FTP]]<br />
<br />
[[GPG]]<br />
<br />
[[Hardware]] - Dell Systems / SuperMicro / Etc.<br />
<br />
[[Kickstart]] - Automating Installation<br />
<br />
[[Mail]] - Postfix / Dovecot / Etc.<br />
<br />
[[Misc]]<br />
<br />
[[Misc Apps]]<br />
<br />
[[Misc OS]] - Logwatch / Logrotate / Etc.<br />
<br />
[[Monitoring]] - Nagios / SNMP / Etc.<br />
<br />
[[Network]] - Linux Network Configuration<br />
<br />
[[NFS]]<br />
<br />
[[Permissions]] (file / dir perms)<br />
<br />
[[Registration]] - registering a commercial Linux distro<br />
<br />
[[Samba]]<br />
<br />
[[Security]]<br />
<br />
[[Services]]<br />
<br />
[[Shell]] - Bash primarily<br />
<br />
[[Software Mgmt]] - YUM / DNF / RPM / Etc.<br />
<br />
[[Squid]]<br />
<br />
[[SSH]] - Server / Client / Keys / Trusted Host<br />
<br />
[[Standards]] - some Standards & Conventions<br />
<br />
[[Sudo]]<br />
<br />
[[Syslog]]<br />
<br />
[[TCPwrappers]]<br />
<br />
[[Time Services]] - NTP / Chrony / Timezones / Etc.<br />
<br />
[[Update Mgmt]] - Satellite / Spacewalk / Foreman / Katello<br />
<br />
[[User Mgmt]]<br />
<br />
[[Versioning]] - Subversion / GIT / Etc.<br />
<br />
[[VPN]]<br />
<br />
[[Vulnerabilities]] - some Vulnerabilities mentioned, mainly some of the recent biggies</div>Supporthttp://thelinuxsource.org/index.php/MySQL/MariaDB_ReferenceMySQL/MariaDB Reference2017-06-13T22:52:00Z<p>Support: </p>
<hr />
<div>*List Databases<br />
mysql> show databases;<br />
<br />
*List Tables<br />
mysql> show tables;<br />
<br />
*Change Passwords<br><br />
Note: run the mysqladmin command from a shell script rather than typing it interactively, so this critical password is not exposed in the shell command history (the preferred, more secure method) - make sure to delete the shell script after running it<br />
# mysqladmin -u root password 'new-password'<br />
<br />
*Delete Database<br />
mysql> drop database test;<br />
<br />
*Creating a new DB and assigning permissions<br />
<br />
Command line/scripted<br><br />
Note: run the echo command from a shell script rather than typing it interactively, so the critical password is not exposed in the shell command history (the preferred, more secure method) - make sure to delete the shell script after running it<br />
# mysqladmin -p create wikidb<br />
# echo "grant index, create, select, insert, update, delete, alter, lock tables on wikidb.* to 'wikiuser'@'localhost' identified by 'password';" | mysql -p<br />
<br />
mySQL command line<br><br />
Note: statements typed here are saved in the mysql client's command history, so the password is left exposed there (not a good idea):<br />
# mysql -p<br />
mysql> create database wikidb;<br />
mysql> grant index, create, select, insert, update, delete, alter, lock tables on wikidb.* to 'wikiuser'@'localhost' identified by 'password';<br />
<br />
*Table Structure<br />
describe SystemEvents;<br />
<br />
*View Data (Some Query Examples)<br />
select * from user;<br />
select Host,User,Grant_priv from user;<br />
select Host,Db,User,Grant_priv from db;<br />
select * from SystemEvents where SysLogTag='CROND';<br />
select * from SystemEvents limit 5;<br />
select * from SystemEvents where SysLogTag like '%[%' limit 5; <br />
<br />
*Modify Data<br />
update SystemEvents set SysLogTag='CROND:' where SysLogTag='CROND';<br />
update SystemEvents set SysLogTag='sshd:' where SysLogTag like 'sshd[%';<br />
<br />
*Delete From Table<br />
delete from SystemEvents where SysLogTag='CROND';</div>Supporthttp://thelinuxsource.org/index.php/LogAnalyzer_ModsLogAnalyzer Mods2017-06-12T20:45:39Z<p>Support: </p>
<hr />
<div>PARENT PAGE LINK: [[LogAnalyzer]]<br />
<br />
=== Purging mySQL database ===<br />
This rsyslog configuration writes everything to a mySql database, as well as to the standard log files. The OS has the logrotate process to manage the log files, but if you wish to manage or periodically purge the mySql data, you can set up the following cron job (thanks to Michael Meckelein for posting this in a forum):<br><br />
NOTE: run this cleanup as a dedicated account (for example syslog-purge) that is granted only SELECT and DELETE on Syslog.SystemEvents, not as root or as the account rsyslog writes with, so that a leaked cron credential cannot read or alter anything else. Do not pass the password as -p somepwA on the command line: with a space after -p the client does not read somepwA as the password at all, it prompts for one (impossible under cron, which has no terminal) and treats somepwA as a database name, so the command fails; -psomepwA would run, but then the password sits in the crontab, in the process list (ps) for the life of the command, and in any cron mail. Put the credentials in a root-owned, mode 0600 file (for example /etc/rsyslog-purge.cnf) containing a [client] section with user=syslog-purge and password=... lines, and point the client at it:<br />
mysql --defaults-extra-file=/etc/rsyslog-purge.cnf -e "delete from SystemEvents where ReceivedAt < date_add(current_date, interval -28 day)" Syslog</div>Supporthttp://thelinuxsource.org/index.php/LogAnalyzer_ModsLogAnalyzer Mods2017-06-12T20:45:25Z<p>Support: </p>
<hr />
<div>PARENT PAGE LINK: [[LogAnalyzer]]<br />
<br />
<br />
=== Purging mySQL database ===<br />
This rsyslog configuration writes everything to a mySql database, as well as to the standard log files. The OS has the logrotate process to manage the log files, but if you wish to manage or periodically purge the mySql data, you can set up the following cron job (thanks to Michael Meckelein for posting this in a forum):<br><br />
NOTE: you may want to set up another user which has delete permissions (like syslog-purge) to do the periodic cleanup for this cron process. Keep its credentials in a root-owned, mode 0600 file with a [client] section (user=... and password=...) rather than on the command line: -p somepwA with a space does not pass the password at all (the client prompts and takes somepwA as a database name), and -psomepwA exposes it in the crontab, in ps and in cron mail.<br />
mysql --defaults-extra-file=/etc/rsyslog-purge.cnf -e "delete from SystemEvents where ReceivedAt < date_add(current_date, interval -28 day)" Syslog</div>Supporthttp://thelinuxsource.org/index.php/LogAnalyzer_ModsLogAnalyzer Mods2017-06-12T20:44:16Z<p>Support: Created page with "=== Purging mySQL database === This rsyslog configuration writes everything to a mySql database, as well as to the standard log files. The OS has the logrotate process to man..."</p>
<hr />
<div>=== Purging mySQL database ===<br />
This rsyslog configuration writes everything to a mySql database, as well as to the standard log files. The OS has the logrotate process to manage the log files, but if you wish to manage or periodically purge the mySql data, you can set up the following cron job (thanks to Michael Meckelein for posting this in a forum):<br><br />
NOTE: you may want to set up another user which has delete permissions (like syslog-purge) to do the periodic cleanup for this cron process. Keep its credentials in a root-owned, mode 0600 file with a [client] section (user=... and password=...) rather than on the command line: -p somepwA with a space does not pass the password at all (the client prompts and takes somepwA as a database name), and -psomepwA exposes it in the crontab, in ps and in cron mail.<br />
mysql --defaults-extra-file=/etc/rsyslog-purge.cnf -e "delete from SystemEvents where ReceivedAt < date_add(current_date, interval -28 day)" Syslog</div>Support
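The purge job from the "Purging mySQL database" section (each revision above), written out as an added example that is not part of the original page: credentials come from a 0600 defaults file instead of the command line, numeric inputs are validated before they reach the SQL, and the delete runs in bounded batches with ROW_COUNT() so a large backlog does not hold one long lock on SystemEvents. The file /etc/rsyslog-purge.cnf, the install path /usr/local/sbin/rsyslog-purge, the batch size and the SELECT, DELETE-only account are assumptions.<br />

```shell
#!/bin/sh
# Added example, not from the original page: a cron-safe purge of the
# rsyslog SystemEvents table. Assumptions (hypothetical): a dedicated
# account holding only SELECT and DELETE on Syslog.SystemEvents, with its
# credentials in the root-owned, mode 0600 file /etc/rsyslog-purge.cnf:
#   [client]
#   user=syslog-purge
#   password=...
# Install as e.g. /usr/local/sbin/rsyslog-purge and run from root's crontab:
#   15 3 * * * /usr/local/sbin/rsyslog-purge run
set -eu

CNF=${CNF:-/etc/rsyslog-purge.cnf}
DB=${DB:-Syslog}
KEEP_DAYS=${KEEP_DAYS:-28}   # retention window, as in the page's example
BATCH=${BATCH:-10000}        # rows per DELETE

# Only unsigned integers may reach the query text.
is_uint() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# Refuse a credentials file that group or other can read.
secret_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# One bounded DELETE followed by ROW_COUNT(), so a large backlog is
# removed in many short transactions rather than one long table lock.
purge_sql() {
    printf 'DELETE FROM SystemEvents WHERE ReceivedAt < NOW() - INTERVAL %d DAY LIMIT %d; SELECT ROW_COUNT();\n' "$1" "$2"
}

run_purge() {
    is_uint "$KEEP_DAYS" && is_uint "$BATCH" || { echo "KEEP_DAYS/BATCH must be integers" >&2; return 2; }
    secret_file_ok "$CNF" || { echo "refusing: $CNF must exist with mode 0600" >&2; return 2; }
    total=0
    while :; do
        # --defaults-extra-file keeps the password out of the crontab, argv,
        # ps and cron mail; -N -s makes mysql print only the ROW_COUNT() value.
        n=$(purge_sql "$KEEP_DAYS" "$BATCH" | mysql --defaults-extra-file="$CNF" -N -s "$DB") \
            || { echo "mysql failed" >&2; return 1; }
        total=$((total + n))
        [ "$n" -lt "$BATCH" ] && break
    done
    echo "purged $total rows older than $KEEP_DAYS days from $DB.SystemEvents"
}

if [ "${1:-}" = run ]; then
    run_purge
fi
```

The loop stops as soon as a batch deletes fewer rows than BATCH; on a healthy table that is one round trip per night, and after an outage it simply takes a few more short rounds. KEEP_DAYS and BATCH can be overridden from the crontab environment without editing the script.<br />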