通过更改SElinux状态可以判断出,当SElinux处于关闭状态时,网站内容访问正常。 [root@master1-192-168-117-18 ~]# setenforce 0 [root@master1-192-168-117-18 ~]# getenforce Permissive [root@master1-192-168-117-18 ~]# setenforce 1 [root@master1-192-168-117-18 ~]# getenforce 0 Enforcing
查看网站的主目录的SElinux安全上下文值: [root@master1-192-168-117-18 ~]# ls -Zd /var/www/html/ drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/ [root@master1-192-168-117-18 ~]# ls -Zd /home/wwwroot/ drwxr-xr-x. root root system_u:object_r:user_home_dir_t:s0 /home/wwwroot/
将新添加的主目录SElinux上下文值与系统默认主目录保持一致: [root@master1-192-168-117-18 ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/*
注意,执行上述设置之后,还无法立即访问网站,还需要使用restorecon命令将设置好的SELinux安全上下文立即生效。在使用restorecon命令时,可以加上-Rv参数对指定的目录进行递归操作,以及显示SELinux安全上下文的修改过程。
[root@master1-192-168-117-18 ~]# restorecon -Rv /home/wwwroot/ restorecon reset /home/wwwroot context system_u:object_r:user_home_dir_t:s0->system_u:object_r:httpd_sys_content_t:s0 restorecon reset /home/wwwroot/index.html context system_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0 [root@master1-192-168-117-18 ~]# ls -Zd /home/wwwroot/ drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /home/wwwroot/ [root@master1-192-168-117-18 ~]# ^C
个人用户主页功能
第1步:在httpd服务程序中,默认没有开启个人用户主页功能。为此,我们需要编辑下面的配置文件,然后在第17行的UserDir disabled参数前面加上井号(#),表示让httpd服务程序开启个人用户主页功能;同时再把第24行的UserDir public_html参数前面的井号(#)去掉(UserDir参数表示网站数据在用户家目录中的保存目录名称,即public_html目录)。最后,在修改完毕后记得保存。 [root@master1-192-168-117-18 ~]# vim /etc/httpd/conf.d/userdir.conf 1 # 2 # UserDir: The name of the directory that is appended onto a user's home 3 # directory if a ~user request is received. 4 # 5 # The path to the end user account 'public_html' directory must be 6 # accessible to the webserver userid. This usually means that ~userid 7 # must have permissions of 711, ~userid/public_html must have permissions 8 # of 755, and documents contained therein must be world-readable. 9 # Otherwise, the client will only receive a "403 Forbidden" message. 10 # 11 <IfModule mod_userdir.c> 12 # 13 # UserDir is disabled by default since it can confirm the presence 14 # of a username on the system (depending on home directory 15 # permissions). 16 # 17 # UserDir disabled 18 19 # 20 # To enable requests to /~user/ to serve the user's public_html 21 # directory, remove the "UserDir disabled" line above, and uncomment 22 # the following line instead: 23 # 24 UserDir public_html 25 </IfModule> 26 27 # 28 # Control access to UserDir directories. The following is an example 29 # for a site where these directories are restricted to read-only. 30 # 31 <Directory "/home/*/public_html"> 32 AllowOverride FileInfo AuthConfig Limit Indexes 33 Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec 34 Require method GET POST OPTIONS 35 </Directory>
"/etc/httpd/conf.d/userdir.conf" 36L, 1254C 已写入
第2步:在用户家目录中建立用于保存网站数据的目录及首页面文件。另外,还需要把家目录的权限修改为755,保证其他人也有权限读取里面的内容。 [aa@master1-192-168-117-18 ~]$ mkdir public_html [aa@master1-192-168-117-18 ~]$ echo "世界那么大,我出去看看!" > public_html/index.html [aa@master1-192-168-117-18 ~]$ chmod -Rf 755 /home/aa/
第3步:重新启动httpd服务程序,在浏览器的地址栏中输入网址,其格式为“网址/~用户名”(其中的波浪号是必需的,而且网址、波浪号、用户名之间没有空格),从理论上来讲就可以看到用户的个人网站了。不出所料的是,系统显示报错页面,如图10-9所示。这一定还是SELinux惹的祸。
第4步:使用getsebool命令查询并过滤出所有与HTTP协议相关的安全策略。其中,off为禁止状态,on为允许状态。 [root@master1-192-168-117-18 ~]# getsebool -a | grep http httpd_anon_write --> off httpd_builtin_scripting --> on httpd_can_check_spam --> off httpd_can_connect_ftp --> off httpd_can_connect_ldap --> off httpd_can_connect_mythtv --> off httpd_can_connect_zabbix --> off httpd_can_network_connect --> off httpd_can_network_connect_cobbler --> off httpd_can_network_connect_db --> off httpd_can_network_memcache --> off httpd_can_network_relay --> off httpd_can_sendmail --> off httpd_dbus_avahi --> off httpd_dbus_sssd --> off httpd_dontaudit_search_dirs --> off httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> off httpd_execmem --> off httpd_graceful_shutdown --> on httpd_manage_ipa --> off httpd_mod_auth_ntlm_winbind --> off httpd_mod_auth_pam --> off httpd_read_user_content --> off httpd_run_ipa --> off httpd_run_preupgrade --> off httpd_run_stickshift --> off httpd_serve_cobbler_files --> off httpd_setrlimit --> off httpd_ssi_exec --> off httpd_sys_script_anon_write --> off httpd_tmp_exec --> off httpd_tty_comm --> off httpd_unified --> off httpd_use_cifs --> off httpd_use_fusefs --> off httpd_use_gpg --> off httpd_use_nfs --> off httpd_use_openstack --> off httpd_use_sasl --> off httpd_verify_dns --> off named_tcp_bind_http_port --> off prosody_bind_http_port --> off
[root@master1-192-168-117-18 ~]# setsebool -P httpd_enable_homedirs=on
通过身份验证访问网页
第1步:先使用htpasswd命令生成密码数据库。-c参数表示第一次生成;后面再分别添加密码数据库的存放文件,以及验证要用到的用户名称(该用户不必是系统中已有的本地账户)。 [root@master1-192-168-117-18 ~]# htpasswd -c /etc/httpd/passwd aa New password: Re-type new password: Adding password for user aa 第2步:第2步:编辑个人用户主页功能的配置文件。随后保存并退出配置文件,重启httpd服务程序即可生效。 [root@master1-192-168-117-18 ~]# vim /etc/httpd/conf.d/userdir.conf
1 # 2 # UserDir: The name of the directory that is appended onto a user's home 3 # directory if a ~user request is received. 4 # 5 # The path to the end user account 'public_html' directory must be 6 # accessible to the webserver userid. This usually means that ~userid 7 # must have permissions of 711, ~userid/public_html must have permissions 8 # of 755, and documents contained therein must be world-readable. 9 # Otherwise, the client will only receive a "403 Forbidden" message. 10 # 11 <IfModule mod_userdir.c> 12 # 13 # UserDir is disabled by default since it can confirm the presence 14 # of a username on the system (depending on home directory 15 # permissions). 16 # 17 # UserDir disabled 18 19 # 20 # To enable requests to /~user/ to serve the user's public_html 21 # directory, remove the "UserDir disabled" line above, and uncomment 22 # the following line instead: 23 # 24 UserDir public_html 25 </IfModule> 26 27 # 28 # Control access to UserDir directories. The following is an example 29 # for a site where these directories are restricted to read-only. 30 # 31 <Directory "/home/*/public_html"> 32 AllowOverride all 33 authuserfile "/etc/httpd/passwd" 34 authname "My privately website" 35 authtype basic 36 require user aa 37 </Directory> 38
"/etc/httpd/conf.d/userdir.conf" 38L, 1217C 已写入
