Apache Web Application Configuration

Each time you make a configuration change to the Apache server you must restart (or at the very least reload) the http service. Remember to start apache for the first time do:

service apache2 start

service apache2 reload

Now get the web server running...

Apache allows you do have a URL which starts with /~username. This redirects the server to look for files in /home/username/public_html/. So for instance http://machine/~dave/hello.html would look for a file in /home/dave/public_html/hello.html. This feature is called userdir.

Enable the userdir feature by doing

a2enmod userdir
service apache2 restart

To demonstrate this feature, create a user called "dave".

adduser dave

When you need to do something AS a particular user (e.g. dave) you should "su - dave". You will then log in as that user. When you want to go back to being "root", just press CTRL+D. You can check who you are at any particular moment by doing "whoami". Note, pressing CTRL+D ends the current session, so if you press it twice it will log you out! If you get "permission denied" then you are probably "su"ed to a normal user and you are trying to do a "root" level command.

Create a public_html directory in dave's home directory, and create a file hello.html in the public_html. The contents of this file should be:

<html>
<body>
<h1>HOST</h1>
<p>
I am clever
</p>
</body>
</html>

The "/home/dave" and "/home/dave/public_html" must be executable by others, and the "/home/dave/public_html/hello.html" file must be readable by other. This should be the default. However if needed you can always do this manually:

chmod 701 /home/dave /home/dave/public_html
chmod o+r /home/dave/public_html/hello.html

You can direct your browser to see this page by using the URL

http://yourmachinename/~dave/hello.html

[root@host-19-17 dave]# hostname
host-19-17.linuxzoo.net

Create the following directories, owned by dave (so su - dave first), each of which must be executable for other:

• /home/dave/public_html/web
• /home/dave/public_html/vm

It is much much easier to su to dave before trying to create these accounts.

In each of these new directories create a file called "hello.html", similar to hello.html from /home/dave/public_html, except in "web/hello.html" replace the word HOST with WEB. In "vm/hello.html" replace the word HOST with VM. Case is important.

You now need to create a virtual host file to hold your virtual hosts. Create a file called "mysite" in "/etc/apache2/sites-available/". Put your virtual host definition into that file.

Using the <VirtualHost> tags in this mysite file (add them into the file) create two VirtualHosts. Remember this file is "/etc/apache2/sites-available/mysite"

Once the file exists you need to activate it using

a2ensite mysite

The names of your virtual hosts have to be worked out by yourself from your current hostname. Type in the command "hostname" and you will get something like:

host-3-2.linuxzoo.net

Your machine is known by this name in DNS. It is also known by two other names, where the word "host" has been replaced with "web" and "vm". In this example of host-3-2, this machine is also known as:

web-3-2.linuxzoo.net
vm-3-2.linuxzoo.net

IMPORTANT: Do not just copy this example, as your machine number is likely to be entirely different. Use "hostname" and work your machine names out for yourself. Note too that your hostname can change each time you reboot, so double check each time you reboot!

Once you have your web and vm machine names, create a virtual host entry for each of web-?-?.linuxzoo.net and vm-?-?.linuxzoo.net, so that the DocumentRoot of web is /home/dave/public_html/web and the DocumentRoot of vm is /home/dave/public_html/vm.

Each VirtualHost tagged area (you need 2) looks something like:

<VirtualHost *:80>
    ServerAdmin me@grussell.org
    DocumentRoot /home/gordon/public_html/db/public_html/activesql
    ServerName sql.grussell.org
</VirtualHost>

It is easy to make a syntax error in the config file. If you have problems you can check for syntax errors using the command:

apache2ctl -t

You should now be able to view your own pages by using your browser, opening a new window, and visiting e.g. http://vm-?-?.linuxzoo.net/hello.html, after replacing the "?" with the actual numbers. Try it for "web" too.

These questions are concerned with the configuration of Basic Authentication in apache.

Build a user called "tom" to experiment with. Use

adduser tom

You also need to have the apache service (httpd) running. This question uses UserDir, but you should have already enabled that above.

Now create a user called "tom", create a public_html directory in tom's home directory, and create a file p1.html in the public_html. Make use of the "su - tom" command to keep ownership correct. The contents of this file should be:

<html>
<body>
<h1>TOM</h1>
<p>
Document body goes here.
</p>
</body>
</html>

The default permissions on the /home/tom directories and files should be sufficient, but if not then these should always allow the apache user to access the files and directories.

Use can if needed use the chmod commands from earlier, except this time on tom and on p1.html rather than hello.html. Again much easier to "su" to tom.

Create the following directories, each of which must be executable by others:

• /home/tom/public_html/richard
• /home/tom/public_html/harry

In each of these new directories create a file similar to p1.html, but called:

• /home/tom/public_html/richard/p2.html
• /home/tom/public_html/harry/p3.html

In "richard/p2.html" replace the word TOM with RICHARD. In "harry/p3.html" replace the word TOM with HARRY. Case is important.

Create a password file for basic authentication. Best to be "tom" to do this properly.

The htpasswd command allows you to create the file, and to add users to the file. Use it to create a basic authentication password file called "/home/tom/webpasswd". Put into this file two users with the following passwords:

User: richard              Password: pass1
User: harry                Password: pass2

Secure the public_html/richard directory by using an appropriate .htaccess file in that directory so only a user with the basic authentication details of richard, password pass1, can access the files.

Confim the behaviour by visiting with your browser your secured page: http://host-1-1.linuxzoo.net/~tom/richard/p2.html
Remember to replace the "1-1" with your host number.

Secure the public_html/harry directory so only a user with the basic authentication details of group "magic" can access the contents.

To answer this question, create a group file "/home/tom/webgroup" with the following contents:

magic: richard harry

Make sure in the .htaccess file in the harry directory you use only "Require group" and not some sort of "Require user" command.

Once working try accessing these resources using your browser.

Now we will create a simple server-side script. Firstly, run

chmod o+w /usr/lib/cgi-bin

With an editor and while you are user dave (so return to root again and then su - to dave), edit /usr/lib/cgi-bin/hack.htm and insert the following code.

#!/usr/bin/perl
use strict;
use CGI qw(:standard);
import_names("Q");
print header('-X-XSS-Protection'=>0);
print '<body>';
print h1 "Welcome to hack";
print p "Glad to have you back $Q::user\n";
print '</body>';

You also need to "chmod o+x /usr/lib/cgi-bin/hack.htm".

You can access this via the browser using "http://YOURHOSTNAME/cgi-bin/hack.htm?user=Gordon", where YOURHOSTNAME is the string given when you type "hostname". The string "Gordon" can be replaced with any name you like. Try it.

Once complete, test the change with the "alert" javascript injection and see what happens.

This script hosts a cross-scripting issue. If "user=gordon" become something more risks, like

hack.htm?user=gordon<script>alert("YouAreHacked")</script>

Note that in chrome (and presumably others) it detecte this as an XSS problem and protected the browser automatically. I had to disable this safety check using a flag in the script.

The right thing to do here is to sanitise the script. To do this edit the file and delete the last two lines:

print p "Glad to have you back $Q::user\n";
print '</body>';

my $u=$Q::user;
$u = "hacker" if $u !~ m/^[a-zA-Z0-9]+$/;
print p "Glad to have you back $u\n";
print '</body>';