1. Refer to https://www.techotopia.com/index.php/Configuring_a_CentOS_Based_Web_Server for Configuring a CentOS Based Web Server.

Requirements for Configuring a Web Server
=========================================

To set up your own web site you need a computer, an operating system, a web server, a domain name, a name server and an IP address. The computer can be any system capable of running Linux. In terms of an operating system, we will, of course, assume you are using CentOS. As previously mentioned, CentOS supports the Apache web server, which can easily be installed once CentOS is up and running.

A domain name can be registered with any domain name registration service. If your ISP provides static IP addresses then you will need to associate your domain with your static IP address. This is achieved using a name server. Some domain registration services will provide this service for you. If yours does not, you can create a free account at http://www.zoneedit.com and use their name servers to point your domain name at your static IP address.

If you do not have a static IP address (i.e. your ISP provides you with a dynamic address which changes frequently) then you can use one of a number of free services which map your dynamic IP address to your domain name. One such service is provided by http://www.dnsExit.com.

Once you have your domain name and your name server configured, the next step is to install and configure your web server.

Installing the Apache Web Server on CentOS
==========================================

The current release of CentOS typically installs the Apache web server by default. To check whether the server is already installed, open a Terminal window (Applications->System Tools->Terminal) and run the following command:

    rpm -q httpd

If rpm generates output similar to the following, the Apache server is already installed:

    httpd-2.2.3-31.el5.centos

Alternatively, if rpm reports "package httpd is not installed", then the next step, obviously, is to install it.

This can be performed either from the command line or using the Add/Remove Software tool. To use this tool, open the System->Administration desktop menu and select Add/Remove Software. Enter your root password if prompted to do so. Select the Search tab and search for httpd. After the search completes, the Apache HTTP Server should be listed in the search results. Click on the toggle next to the httpd server. Finally, click on the Apply button to begin the installation.

To install Apache from the command line, start a terminal window (Applications->System Tools->Terminal) and run the following command at the command prompt:

    yum install httpd

Starting the Apache Web Server
==============================

Once the Apache server is installed, the next step is to verify that the server is running and, if it is not yet running, to start it. The status of the server can be verified from the command line or via the GUI Service Configuration tool. To check the status of the Apache httpd service from the command line, enter the following command in a Terminal window:

    /sbin/service httpd status

If the above command indicates that the httpd service is not running, it can be launched from the command line as follows:

    /sbin/service httpd start

If you would like the Apache httpd service to start automatically when the system boots, this can be achieved by running the following command:

    /sbin/chkconfig --level 3 httpd on

To configure the Apache service using the Service Configuration tool, select the System->Administration->Services menu option and scroll down the list of services until you find httpd. Select the item in the list and click on the Start button. To ensure the service starts automatically on reboot, also click on the Enable toolbar button.

Testing the Web Server
======================

Once the installation is complete, the next step is to verify the web server is up and running. To do this, fire up the web browser by clicking on the web browser icon in the top desktop panel and enter 127.0.0.1 in the address bar (127.0.0.1 is the loop-back network address which tells the system to connect to the local machine). The browser should load the Apache 2 Test Page. Congratulations, you have now installed the web server and served up what will hopefully be the first of many web pages.

Configuring the Apache Web Server for Your Domain
=================================================

The next step in setting up your web server is to configure it for your domain name. This is performed in the /etc/httpd directory. To configure the web server, open a terminal window and change directory to /etc/httpd. In this directory you will find a number of sub-directories. Change directory into the conf sub-directory, where you will find an httpd.conf file which contains the configuration settings for the Apache server. Edit the httpd.conf file using your favorite editor, using the su command to ensure you have write permission to the file. Once loaded, there are a number of settings that need to be changed to match your environment.

The ServerAdmin directive defines an administrative email address for people wishing to contact the webmaster for your site. Change this to an appropriate email address where you can be contacted:

    ServerAdmin webmaster@myexample.com

0th step
========

The ServerName and ServerAlias directives need to be defined so that the web server knows which virtual host this configuration file refers to:

    ServerName comsics.usm.my

First step
==========

We need to define where the web site files are going to be located using the DocumentRoot directive. The tradition is to use /var/www/domain-name:

    DocumentRoot /var/www/comsics.usm.my

Next, create the /var/www/comsics.usm.my directory and place an index.html file in it. For example, a page containing the following text:

    comsics.usm.my in /var/www/comsics.usm.my
    Welcome to comsics.usm.my in /var/www/comsics.usm.my.
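The following shell audit is an added example, not from the original guide or its worked httpd.conf: it reads the directives edited in these steps (ServerName, DocumentRoot and the Options line changed in the second step) from a constructed httpd.conf fragment and reports which Options keywords end up enabled before httpd is restarted.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an httpd.conf for the
# directives the steps above edit and report which Options keywords end up
# enabled (Indexes lists directories; Includes/ExecCGI execute content).
# SAMPLE_CONF is a constructed fragment standing in for /etc/httpd/conf/httpd.conf.

SAMPLE_CONF=$(cat <<'EOF'
ServerAdmin webmaster@myexample.com
ServerName comsics.usm.my
DocumentRoot /var/www/comsics.usm.my
<Directory "/var/www/comsics.usm.my">
    Options Indexes FollowSymLinks Includes ExecCGI
    # Options Indexes FollowSymLinks
    Options +Indexes
</Directory>
EOF
)

# Print the value of a directive: $1 = config text, $2 = directive name.
# First uncommented match wins, which is how a single-host file is read here.
directive_value() {
    printf '%s\n' "$1" | awk -v d="$2" '/^[ \t]*#/ { next } $1 == d { print $2; exit }'
}

# List every Options keyword enabled anywhere in the config, one per line,
# skipping commented-out lines and stripping a leading "+" (Options +Indexes).
enabled_options() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        $1 == "Options" { for (i = 2; i <= NF; i++) { sub(/^\+/, "", $i); print $i } }' | sort -u
}

# Exit 0 if an option that widens exposure is enabled, 1 otherwise.
has_risky_options() {
    enabled_options "$1" | grep -Eqx 'Indexes|ExecCGI|Includes'
}

# Human-readable summary of what the edited file will serve and how.
audit_report() {
    printf 'ServerName:   %s\n' "$(directive_value "$1" ServerName)"
    printf 'DocumentRoot: %s\n' "$(directive_value "$1" DocumentRoot)"
    printf 'Options:      %s\n' "$(enabled_options "$1" | tr '\n' ' ')"
    if has_risky_options "$1"; then
        echo "NOTE: directory listing and/or server-side execution is enabled under DocumentRoot"
    fi
}

audit_report "$SAMPLE_CONF"
```

To audit the real file instead of the sample, pass "$(cat /etc/httpd/conf/httpd.conf)" to audit_report.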
Second step
===========

In httpd.conf (in /etc/httpd/conf), append 'Includes ExecCGI' to the line 'Options Indexes FollowSymLinks', so that the appended line becomes:

    ...
    Options Indexes FollowSymLinks Includes ExecCGI
    # Options Indexes FollowSymLinks
    ...

3rd step
========

Next, add the following line right after the above section:

    Options +Indexes

A worked version of httpd.conf can be found at http://comsics.usm.my/configrepo/howto/customise_centos/webserver/httpd.conf.centos7.worked

4th step
========

Then change the ownership and permissions:

    chown -R root:apache /var/www/comsics.usm.my
    chmod -R +x /var/www/comsics.usm.my

5th step
========

The last step is to restart the Apache web server to make sure it picks up our new settings:

    /sbin/service httpd restart

==============================
Web Server and Firewall Issues
==============================

If your CentOS system is configured to use a firewall, you will need to ensure that HTTP traffic on port 80 is permitted in order for external systems to be able to access your web server. To this end, refer to

2. https://www.ipserverone.info/operation-system/centos/change-firewall-rules-in-centos-7/

A firewall blocks many things, including some web applications that we want (such as Apache), but turning off the firewall also introduces vulnerabilities to our system. In CentOS 7, iptables is replaced by the firewalld service. To maintain the security of our system, there are steps to configure it so that only certain ports are allowed to pass through while blocking access to unauthorized or unknown applications using unlisted ports.

Step 1: Start Firewall Service
==============================

Start your firewall service via the command:

    systemctl start firewalld.service

Step 2: Understand Firewall "Zones"
===================================

CentOS 7 introduces the firewalld service, and with it "zones". Each zone has a different set of firewall rules.
To find out which zones your firewall service has, run the command:

    firewall-cmd --get-zones

Then, use the following command to see which is the default zone that your firewall runs on startup:

    firewall-cmd --get-default-zone

Then use this command to see which zone is currently active, as well as which Ethernet port is active within the zone:

    firewall-cmd --get-active-zones

The following list describes what each of the default zones does:

    drop:     The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
    block:    Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
    public:   Represents public, untrusted networks. You don't trust other computers but may allow selected incoming connections on a case-by-case basis.
    external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
    internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
    dmz:      Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
    work:     Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
    home:     A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
    trusted:  Trust all of the machines in the network. The most open of the available options and should be used sparingly.
Step 3: Making Custom Zones
===========================

To avoid misconfiguration of the default zones, we can make our own zones with their own set of rules, using the command:

    firewall-cmd --permanent --new-zone=sshweb

This creates a zone called "sshweb". A "success" will be output to show that the zone is created successfully, or you can confirm it using:

    firewall-cmd --permanent --get-zones

But it won't be available in the current firewall instance, as you can see by running the command without the "--permanent" flag:

    firewall-cmd --get-zones

To add it into the firewall's active configuration, we need to reload the firewall first, then check the zones again:

    firewall-cmd --reload
    firewall-cmd --get-zones

Step 4: Configure Zone Services
===============================

The example zone "sshweb" is created to allow SSH and HTTP services, and we can add services to our zone using the commands:

    firewall-cmd --zone=sshweb --add-service=ssh
    firewall-cmd --zone=sshweb --add-service=http
    firewall-cmd --zone=sshweb --add-service=https

After that, use the following command to check if the services are added correctly:

    firewall-cmd --zone=sshweb --list-all

Now test the configuration. If it works, reapply the rules using the "--permanent" flag:

    firewall-cmd --zone=sshweb --permanent --add-service=ssh
    firewall-cmd --zone=sshweb --permanent --add-service=http
    firewall-cmd --zone=sshweb --permanent --add-service=https

Important Note: Don't restart the service yet, as we still need to assign ports for bypassing the firewall. If not, you might get locked out from accessing the server.
Step 5: Configure Zone Ports
============================

To allow a specific port to pass through the firewall (80 for HTTP and the ssh_port number for SSH), use the following commands:

    firewall-cmd --zone=sshweb --permanent --add-port=80/tcp
    firewall-cmd --zone=sshweb --permanent --add-port=/tcp

(Note: Adding the "--permanent" flag will make the setting stay even after system reboot.) This adds the port into the zone's whitelist. To verify if the port is successfully added, type in:

    firewall-cmd --reload
    firewall-cmd --zone=sshweb --list-all

Look at the "ports" line and check if the port you added is listed. There is also other information about the zone you are currently using. Restart the firewall service and check the services using the command:

    systemctl restart firewalld.service

Step 6: Set Zone Interface
==========================

Identify the relevant interface via ifconfig. The output looks like:

    enp6s0: flags=4099 mtu 1500
            ether 00:23:ae:a0:6a:2c txqueuelen 1000 (Ethernet)
            RX packets 0 bytes 0 (0.0 B)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 0 bytes 0 (0.0 B)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
            device interrupt 17

    enp7s4: flags=4163 mtu 1500
            inet 10.205.19.208 netmask 255.255.254.0 broadcast 10.205.19.255
            inet6 fe80::1a7d:9285:6533:de14 prefixlen 64 scopeid 0x20
            ether 1c:af:f7:ed:32:d4 txqueuelen 1000 (Ethernet)
            RX packets 952821 bytes 1298361348 (1.2 GiB)
            RX errors 0 dropped 6 overruns 0 frame 0
            TX packets 564537 bytes 42586479 (40.6 MiB)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

In the example above, the interface is enp7s4.
The presence of the interface enp7s4 can be confirmed by:

    ls /etc/sysconfig/network-scripts/ifcfg-*

To use the custom zone, we need to add our interface (enp7s4 in this example) to the zone that we have created:

    firewall-cmd --zone=sshweb --change-interface=enp7s4

We can then check if it's added using the command:

    firewall-cmd --zone=sshweb --list-all

To fully associate the interface with our custom zone (and prevent it from reverting to the default zone "public"), open the network config file for the interface enp7s4 and add the line "ZONE=sshweb":

    cat /etc/sysconfig/network-scripts/ifcfg-enp7s4

Restart your network and firewall services using the following commands:

    systemctl restart network.service
    systemctl restart firewalld.service

Now you can check your active zones using the line:

    firewall-cmd --get-active-zones

Now all ports other than the ones you have set in the zone will be blocked. Type:

    service httpd restart

Launch a browser to check if the webpage comsics.usm.my has been set up. If successful, you should see 'Welcome to comsics.usm.my in /var/www/comsics.usm.my'.
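The lockout the Important Note in Step 4 warns about happens at the --change-interface step above, when the interface moves into a zone that does not admit the administrator's own SSH session. The following guard is an added example, not part of the original guide: it parses a zone listing in the shape of `firewall-cmd --zone=sshweb --list-all` and refuses to emit the interface change unless the zone admits SSH; the zone dump and the SSH port 2222 are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original guide: before --change-interface,
# confirm the custom zone admits SSH so the step cannot lock you out.
# SAMPLE_ZONE is constructed to mimic `firewall-cmd --zone=sshweb --list-all`
# on CentOS 7; the hypothetical ssh_port is 2222 (whatever sshd listens on).

SAMPLE_ZONE=$(cat <<'EOF'
sshweb
  target: default
  interfaces:
  sources:
  services: http https
  ports: 80/tcp 2222/tcp
  masquerade: no
  forward-ports:
  rich rules:
EOF
)

# Print the values of one field of a zone dump: $1 = dump, $2 = field name.
zone_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Exit 0 when the zone admits SSH via the ssh service or an explicit tcp port.
zone_admits_ssh() {
    # $1 = zone dump, $2 = sshd port number
    for s in $(zone_field "$1" services); do
        [ "$s" = ssh ] && return 0
    done
    for p in $(zone_field "$1" ports); do
        [ "$p" = "$2/tcp" ] && return 0
    done
    return 1
}

# Gate the interface change on the check; prints the command rather than running it.
safe_change_interface() {
    # $1 = zone dump, $2 = zone name, $3 = interface, $4 = sshd port
    if zone_admits_ssh "$1" "$4"; then
        echo "firewall-cmd --zone=$2 --change-interface=$3"
    else
        echo "REFUSING: zone $2 admits neither the ssh service nor $4/tcp" >&2
        return 1
    fi
}

safe_change_interface "$SAMPLE_ZONE" sshweb enp7s4 2222
```

On a live host, replace the sample with "$(firewall-cmd --zone=sshweb --list-all)" and pass the port sshd actually listens on.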