Apache Web Application Configuration

Each time you make a configuration change to the Apache server you must restart (or at the very least reload) the http service. Remember to start apache for the first time do:

sudo systemctl start apache2

sudo systemctl reload apache2

Now get the web server running...

Lets create a webpage in the main apache document directory, known as the DocumentRoot. Use your favourite editor.

sudo nano /var/www/html/hello.html

The contents of this file should be:

<html>
<body>
<h1>HOST</h1>
<p>
I am clever
</p>
</body>
</html>

The "/var/www/html/hello.html" file must be readable by other. This should be the default. If you create directories in this DocumentRoot, then they must be executable by others. However if needed you can always do this manually:

chmod 701 /var/www/html/some_directory
chmod o+r /var/www/html/hello.html

You can direct your browser to see this page by using the URL

http://yourmachinename/hello.html

[root@host-19-17 kali]# hostname
host-19-17.linuxzoo.net

Create the following directories, each of which must be executable for other:

• /var/www/html/web
• /var/www/html/vm

Remember to use sudo.

In each of these new directories create a file called "hello.html", indentical to hello.html from /var/www/html/public_html, except in "web/hello.html" replace the word HOST with WEB. In "vm/hello.html" replace the word HOST with VM. Case is important.

You are now going to create two virtual hosts in your apache configuration.

The names of your virtual hosts have to be worked out by yourself from your current hostname. Type in the command "hostname" and you will get something like:

host-3-2.linuxzoo.net

Your machine is known by this name in DNS. It is also known by two other names, where the word "host" has been replaced with "web" and "vm". It is these two names which we are going to use in our virtual host definition. In this example of host-3-2, this machine is therefore also known as:

web-3-2.linuxzoo.net
vm-3-2.linuxzoo.net

IMPORTANT: Do not just copy this example, as your machine number is likely to have a different name from the example. Use "hostname" and work your machine names out for yourself. Note too that your hostname can change each time you reboot, so double check each time you reboot!

Once you have your web and vm machine names, you need to create a virtual host entry for each of web-?-?.linuxzoo.net and vm-?-?.linuxzoo.net, so that the DocumentRoot of web is /var/www/html/web and the DocumentRoot of vm is /var/www/html/vm.

Each VirtualHost tagged area (you need 2) looks something like:

<VirtualHost *:80>
    ServerAdmin noreply@linuxzoo.net
    DocumentRoot /home/gordon/public_html/db/public_html/activesql
    ServerName www.mywebsite.com
</VirtualHost>

The VirtualHost information goes into a special file. Create a file called "mysite.conf" in "/etc/apache2/sites-available/". Put your two virtual host definition into that file. Remember to use sudo.

Once the file exists you need to activate it using

sudo a2ensite mysite

It is easy to make a syntax error in the config file. If you have problems you can check for syntax errors using the command:

apache2ctl -t

You should now be able to view your own pages by using your browser, opening a new window, and visiting e.g. http://vm-?-?.linuxzoo.net/hello.html, after replacing the "?" with the actual numbers. Try it for "web" too.

These questions are concerned with the configuration of Basic Authentication in apache.

Create a directory in /var/www/html called "tom" and ensure it is executable by others. This should be the default permissions.

Now within that new directory "tom", create a file p1.html and ensure it is readable by others. This should be the default permissions. The contents of this file should be:

<html>
<body>
<h1>TOM</h1>
<p>
Document body goes here.
</p>
</body>
</html>

Use can if needed use the chmod commands from earlier, except this time on tom and on p1.html rather than hello.html. Again much easier to "su" to tom.

To use basic authentication in the /var/www/http/tom directory you need to add permission for this in the apache configuration. We will add this to the mysite.conf file we created earlier.

Edit the file

sudo nano /etc/apache2/sites-available/mysite.conf

and insert the following at the end

<Directory /var/www/html/tom/>
        AllowOverride FileInfo AuthConfig Limit Indexes
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        Require method GET POST OPTIONS
</Directory>

Remember to restart apache after this configuration change.

  sudo systemctl reload apache2
  

Create the following directories in the tom directory, each of which must be executable by others:

• /var/www/html/tom/richard
• /var/www/html/tom/harry

In each of these new directories create a file similar to p1.html, but called:

• /var/www/html/tom/richard/p2.html
• /var/www/html/tom/harry/p3.html

In "richard/p2.html" replace the word TOM with RICHARD. In "harry/p3.html" replace the word TOM with HARRY. Case is important.

Create a password file for basic authentication in /var/www/. Remember to use sudo.

The htpasswd command allows you to create the file, and to add users to the file. Use it to create a basic authentication password file called "/var/www/webpasswd". Put into this file two users with the following passwords:

User: richard              Password: pass1
User: harry                Password: pass2

Secure the tom/richard directory by using an appropriate .htaccess file in that directory so only a user with the basic authentication details of richard, password pass1, can access the files.

Confim the behaviour by visiting with your browser your secured page: http://host-1-1.linuxzoo.net/tom/richard/p2.html
Remember to replace the "1-1" with your host number.

Secure the tom/harry directory so only a user with the basic authentication details of group "magic" can access the contents.

To answer this question, create a group file "/var/www/webgroup" with the following contents:

magic: richard harry

Make sure in the .htaccess file in the harry directory you use only "Require group" and not some sort of "Require user" command.

You will likely have to enable the apache component which looks after group based Basic Authentication. You need to do:

  sudo a2enmod authz_groupfile
  sudo systemctl restart apache2
  

Once working try accessing these resources using your browser.

Now we will create a simple server-side CGI script. Firstly, With an editor and using sudo edit /usr/lib/cgi-bin/hack.htm and insert the following Python code.

#!/usr/bin/python3
import os
from urllib.parse import parse_qs

user=""

try:
    url = os.environ['QUERY_STRING']
    user = parse_qs(url)['user'][0]
except Exception as e:
    pass

print ("Content-Type: text/html; charset=ISO-8859-1")
print ("")
print ("<body>")
print ("<h1>Welcome to hack",url,"</h1>")
print ("<p>Glad to have you back ",user,"</p>",sep="")
print ("</body>")

You also need to "sudo chmod o+x /usr/lib/cgi-bin/hack.htm".

  sudo a2enmod cgi
  sudo systemctl restart apache2
  

You can access this via the browser using "http://YOURHOSTNAME/cgi-bin/hack.htm?user=Gordon", where YOURHOSTNAME is the string given when you type "hostname". The string "Gordon" can be replaced with any name you like. Try it.

This script hosts a cross-scripting issue. If "user=gordon" become something more risky, like

hack.htm?user=gordon<script>alert("YouAreHacked")</script>

Then when you run this you get to run arbitary javascript on the page. This can be adapted to ask for passwords on sites hosted by banks, or make spoof pages look like they are genuine. Try it (you should get a popup alert if it works).

The right thing to do here is to sanitise the script. To do this edit the file. Add the following new line just after the "import os" line

import re

And directly after the line with the word "pass", enter the following lines

pattern=r'[^a-zA-Z0-9]'
if re.search(pattern,user):
    user="hacker"

Note the indents are significant in python.