12.07.2015 Views

Red Hat Enterprise Linux 5 Administration Unleashed


328 CHAPTER 15 Creating a Web Server with the Apache HTTP Server

All files accessed via the web server must be labeled with the proper security context. For example, if SELinux is enabled and the DocumentRoot location is modified, the SELinux security context of the new location must be changed. A list of valid security contexts and their usages is given in the httpd_selinux man page, read with the man httpd_selinux command. Refer to the “Modifying Security Contexts” section of Chapter 23 for step-by-step instructions on changing the DocumentRoot.

The targeted SELinux policy allows for CGI scripts and allows the Apache HTTP Server to read home directories. Other features, such as allowing Apache to run as an FTP server, are not allowed by default to increase security. SELinux booleans must be explicitly set to 1 to allow these additional features. All of the SELinux booleans that affect the Apache HTTP server are described in the httpd_selinux man page, viewable with the man httpd_selinux command.

These SELinux booleans can be set with the setsebool command or with the SELinux Management Tool, both of which are discussed in Chapter 23. To use the SELinux Management Tool, start it by selecting Administration, SELinux Management from the System menu on the top panel of the desktop or by executing the system-config-selinux command. Enter the root password when prompted if running as a non-root user. Select Boolean from the list on the left. On the right, click the triangle icon next to HTTPD Service to view a list of booleans.

Allowing Connections

By default, the Apache HTTP server uses TCP and UDP port 80 for HTTP transfers and TCP and UDP port 443 for HTTPS secure transfers. Verify that your firewall settings allow incoming requests on port 80 if serving non-encrypted web pages and port 443 if serving encrypted pages.

If custom IPTables rules are being used, refer to Chapter 24, “Configuring a Firewall,” for details on how to allow these ports.

If using a default security level in Red Hat Enterprise Linux, use the Security Level Configuration tool to allow the system to serve web pages. Start the application by clicking on the System menu on the top panel of the desktop and then selecting Administration, Security Level and Firewall or by executing the system-config-securitylevel command. Enter the root password when prompted if running as a non-root user.

As shown in Figure 15.1, select the WWW (HTTP) option in the Trusted services section to allow requests on port 80, and select the Secure WWW (HTTPS) option to allow secure requests on port 443. Click OK to enable the changes immediately.
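The SELinux points made earlier on this page (relabel a relocated DocumentRoot, enable only the booleans you need) can be checked with a short audit script. This is an added example, not code from the book: the function names, the allowlist, and all sample output are constructed, and it assumes the `name --> on|off` layout of `getsebool -a` and `httpd_sys_content_t` as the expected DocumentRoot type.

```bash
#!/bin/bash
# Added example: audit captured SELinux state on an Apache host.
# All sample data is constructed. On a live host, pipe `getsebool -a` into
# unexpected_httpd_booleans and pass `ls -dZ <DocumentRoot>` to docroot_label_ok.

# Hypothetical site allowlist: the two features the targeted policy permits.
APPROVED_BOOLEANS="httpd_enable_cgi httpd_enable_homedirs"

# Constructed sample, assuming the "name --> on|off" layout of getsebool -a.
SAMPLE_BOOLEANS='allow_ftpd_anon_write --> off
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> on'

# Constructed `ls -dZ` lines: stock DocumentRoot and an unlabeled relocated one.
SAMPLE_LS_DEFAULT='drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t /var/www/html'
SAMPLE_LS_MOVED='drwxr-xr-x  root root user_u:object_r:default_t /web/html'

# Print every httpd_* boolean that is on but not in the allowlist.
unexpected_httpd_booleans() {
    local name arrow state
    while read -r name arrow state; do
        case "$name" in httpd_*) ;; *) continue ;; esac
        [ "$state" = "on" ] || continue
        case " $APPROVED_BOOLEANS " in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# Print the SELinux type: third colon-separated part of the context field.
context_type() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if (split($i, c, ":") >= 3) { print c[3]; exit } }'
}

# Succeed only if the directory carries the static web content type.
docroot_label_ok() {
    [ "$(context_type "$1")" = "httpd_sys_content_t" ]
}

echo "httpd booleans enabled beyond the allowlist:"
printf '%s\n' "$SAMPLE_BOOLEANS" | unexpected_httpd_booleans
for line in "$SAMPLE_LS_DEFAULT" "$SAMPLE_LS_MOVED"; do
    if docroot_label_ok "$line"; then echo "labeled OK: $line"
    else echo "needs relabel: $line"; fi
done
```

Any boolean the first function prints is a feature that was switched on beyond the approved set and should be justified or turned back off with setsebool.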
