httpd with SELinux

Giving httpd access to other folders (apart from the default SELinux-allowed folders):

  • system-config-selinux rocks!!
    Go to System -> Administration -> SELinux Management (or run system-config-selinux from the command line).
    Type httpd in Filter and press Enter. You will see that the files httpd is allowed to write to have the SELinux file type httpd_cache_t:s0. So now you know what to do, right? Say you want to give httpd write access to the folder /var/lib/dokuwiki/data/cache: add a new file labelling entry using the Add button with the following details:
      File specification: /var/lib/dokuwiki/data/cache(/.*)?
      File Type: all files
      SELinux Type: httpd_cache_t
      MLS: s0
    and then relabel the directory and its contents so the new rule takes effect:
      restorecon -R /var/lib/dokuwiki/data/cache

OR

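  • Go to /var/lib/dokuwiki/data and apply the SELinux file type to the cache directory:
      chcon -R -t httpd_cache_t /var/lib/dokuwiki/data/cache
    And now httpd should have write access to this folder. A label set with chcon is not recorded in the file-context configuration, so a later restorecon or full relabel resets it; the labelling rule from the first option is the persistent one.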
Running httpd on other ports:

Open /etc/httpd/conf/httpd.conf and change
    Listen 80
to
    Listen 81

If you use VirtualHosts, you need to change the ports there instead (<VirtualHost *:81>).

Giving httpd access to other ports:

Go to Network Port in SELinux Administration, filter on “80” and press Enter. You will see an entry for http_port_t. Create a similar new entry for port 81 with the SELinux port type http_port_t.
And that’s it.
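
The same two changes can be made from the command line with semanage and restorecon. This is an added example, not part of the original post; the function names and the DRY_RUN switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): CLI equivalents of the GUI steps.
# Function names and DRY_RUN are illustrative. DRY_RUN=1 (the default) prints
# each command; set DRY_RUN=0 and run as root to apply them.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Persistently label a directory tree with the type httpd may write to.
label_httpd_writable() {
    dir=${1%/}                      # drop a trailing slash
    case $dir in
        /?*) ;;                     # absolute path, and not "/" itself
        *) echo "absolute directory path required: $1" >&2; return 2 ;;
    esac
    # Record the rule in the local file-context list (unlike chcon, this
    # survives a relabel), then apply it to the directory and its contents.
    run semanage fcontext -a -t httpd_cache_t "${dir}(/.*)?" || return 1
    run restorecon -R -v "$dir"
}

# Let httpd bind an additional TCP port by adding it to http_port_t.
allow_httpd_port() {
    port=$1
    case $port in
        ''|*[!0-9]*) echo "numeric port required: $1" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 2
    fi
    run semanage port -a -t http_port_t -p tcp "$port"
}

# Commands to review the result: the directory's label and the port list
# (look for the http_port_t row).
show_httpd_labels() {
    run ls -Zd "${1%/}"
    run semanage port -l
}
```

With DRY_RUN=0, if semanage reports that the port is already defined for another type, the entry has to be modified with -m instead of added with -a.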
Links to posts that helped me:
Dan Walsh’s Blog

Notes on SElinux

LDAP authentication through Apache for svn, trac or anything else for that matter :P

Apache can be used as an access method for things like svn, trac, and even a whole file system through WebDAV. Apache also supports authentication through LDAP, so it can authenticate users of the services it fronts against an LDAP directory.

Here is how it is done :

For SVN :

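<VirtualHost *:80>
    ServerName      repos.nitt.edu
    DocumentRoot    "/var/www/svn/DocumentRoot/"
    ErrorLog        logs/repos.nitt.edu-error_log
    CustomLog       logs/repos.nitt.edu-access_log combined

    <Location /pragyan>
        DAV svn
        SVNPath /var/www/svn/pragyan
        # Methods listed here are served without authentication; every other method needs a login.
        <LimitExcept OPTIONS REPORT GET>
            AuthType Basic
            AuthBasicProvider ldap
            # Apache 2.2 directive: lets other authorization modules decide when LDAP does not match.
            AuthzLDAPAuthoritative off
            AuthName "Pragyan SVN LDAP Authentication"
            # Search ou=Pragyan (subtree) for the entry whose cn equals the supplied user name.
            AuthLDAPURL ldap://localhost:389/ou=Pragyan,dc=www,dc=nitt,dc=edu?cn?sub?(objectClass=*)
            AuthLDAPGroupAttribute contact
            # Require lines are ORed: valid-user alone already admits any user who authenticates;
            # drop it to restrict access to members of the group below.
            require valid-user
            require ldap-group listName=coding,ou=Groups,ou=Pragyan,dc=www,dc=nitt,dc=edu
        </LimitExcept>
    </Location>
</VirtualHost>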

For trac :

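<Location "/trac/delta/login">
    AuthType Basic
    AuthName "Delta Trac LDAP Authentication"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    # Look the user up by uid anywhere under ou=Webteam.
    AuthLDAPURL ldap://delta.nitt.edu:389/ou=Webteam,dc=delta,dc=nitt.edu?uid?sub?(objectClass=*)
    # Group entries list their members in the memberUid attribute.
    AuthLDAPGroupAttribute memberUid
    # The two require lines are ORed, so the group line only restricts access if valid-user is removed.
    require valid-user
    require ldap-group cn=webteam,ou=Groups,ou=Webteam,dc=delta,dc=nitt.edu
</Location>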

CrAzY SVN / HTTPD Errors!!! (301, 302 .....)

Yup.

SVN IS MAD.

Sorry, SVN and HTTPD team up to drive people crazy.

I just came across two (or maybe three) of their misdoings in my effort to set up SVN on http://repos.nitt.edu

  1. First, with this nitt.edu.conf in the /etc/httpd/conf.d directory:
    <VirtualHost *:80>
        ServerName                          repos.nitt.edu
        DocumentRoot            "/var/www/html"
    I got an error
    RA layer request failed
    svn: PROPFIND request failed on '/pragyan'
    svn: PROPFIND of '/pragyan': 302 Found (http://repos.nitt.edu)
    I found this article : http://ynniv.com/blog/2005/12/troubling-svn-error.html

It said that the error occurs when some CMS meddles with the way the non-existent file message (404) is shown. This… was my case. (Thanks to my Pragyan CMS.) So then I changed my document root to /var/www/svn.

Then with

    <VirtualHost *:80>
        ServerName                          repos.nitt.edu
        DocumentRoot            "/var/www/svn"
I got an error
    RA layer request failed
    svn: PROPFIND request failed on '/pragyan'
    svn: PROPFIND of '/pragyan': 301 Moved Permanently (http://repos.nitt.edu)

The article that helped me in this grave time of need was: http://subversion.tigris.org/faq.html#http-301-error

It said that the error occurs because, when configuring SVN to work with httpd, the VirtualHost document root shouldn’t contain the repository location (or httpd gets confused or something). My repos location was /var/www/svn/pragyan (which was within the DocumentRoot). I simply changed the DocumentRoot to /var/www/svn/DocumentRoot and all started working well again.

public_html web server - without mod_userdir

Hell, what does the title mean??

It means this :

Allow people to put files in the public_html folder in their home directories and allow it to be seen through the web server of that server in this format : http://servername/~username/hisorherfiles

Most people use mod_userdir to allow ~username directories in their webservers. However, there is a simple rewrite-rule workaround that eliminates the need for mod_userdir. I needed this because we had the home directories on the server, but the users had no login accounts on the server and they needed their public_html to work.

Here is how it goes :

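# First, disable the default thing:
<IfModule mod_userdir.c>
    UserDir disable
</IfModule>
# Then the rewrite rule

# To prevent access to files ending in ~ or # (editor backups such as something.html~ and #something.html#)
<Files ~ ".*(~|#)$">
    Order allow,deny
    Deny from all
</Files>
# To show public_html access
RewriteEngine On
# /~user/path -> /webteam/user/public_html/path (\w+ keeps "." and "/" out of the user name)
RewriteCond %{REQUEST_URI} ^/~\w+/.*$
RewriteRule /~(\w+)/(.*) /webteam/$1/public_html/$2
# /~user (no trailing slash) -> that user's public_html directory
RewriteCond %{REQUEST_URI} ^/~\w+$
RewriteRule /~(\w+) /webteam/$1/public_html/
# To enable .htaccess rules in public_html
# (AllowOverride All lets each user's .htaccess set any overridable directive for that tree)
<Directory /webteam/*/public_html>
    AllowOverride All
</Directory>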