[[Category:OPS335]][[Category:OPS335 Labs]]
==OBJECTIVE & PREPARATION==
[[Image:lamp.png|thumb|right|300px|To help make your web resource more dynamic (for web apps such as webmail), several additional services are required. A popular acronym for these foundation services is '''LAMP'''. It stands for '''Linux''', '''Apache''', '''MySQL''', and '''PHP''' (or ''Python'').<br><br>Image by Shmuel Csaba Otto Traian,<br>https://commons.wikimedia.org/w/index.php?curid=28224098<br>(via: [http://creativecommons.org/licenses/by-sa/3.0 Commons Attribution-Share Alike 3.0]) ]]
In this lab, we will look at several separate technologies that are used with the Apache web server to install, configure and run web applications.
<ol><li value="2">On your host machine, refresh your web browser again. Notice that the ''index.php'' file isn't treated as a default page, and that instead of the date the browser displays the text of the PHP code you entered into the index.php file (refer to the code above).</li><li>The reason this occurs is that the PHP interpreter hasn't been installed on your vm by default.</li><li>Install the php package on your vm1 machine, and restart your webserver. NOTE: The php package comes with a working default Apache configuration so you don't need to enable it manually.</li><li>Refresh the webpage in the web browser on your host machine. You should now see the date instead of the call to the date command. Refresh your webpage several times to see how the time changes. This is simply a "trivial example" of dynamic web content, but it does provide a simple demonstration of how scripting languages can be used to create more dynamic webpages.</li></ol>
For security, it is important to allow access to the general areas of your website while limiting access to sub-directories that contain other webpages or documents. Penetration testers or hackers may be able to navigate the file system within your html directory to obtain unauthorised information.
'''Perform the following steps:'''
# As the root user on your gateway/host, try to forward incoming http connections that arrive on your host to the web server on vm1. Use an iptables command something like this:<br><source>iptables -t nat -A PREROUTING -i *yourinterface* -p tcp --dport 80 -j DNAT --to 192.168.X.2</source>
# You will also need to create a rule in the FORWARD chain in the default table to accept connections to port 80.
# To test this setup you'll need to use another machine outside your own network. If you are using an SSD and VMWare, you can simply use the windows host. If you are using a removable drive, ask a classmate on another PC to act as the partner. In either case, enter your host's external IP address in their browser's address window.
# Have the partner machine view both '''index.html''' and '''index.php'''
# Create a new directory called '''private''' inside your '''DocumentRoot''' and move index.php inside it.
# Have your partner view both files again.<br><br>You will now modify the settings on the web-server to prevent machines outside our network from accessing the private directory.<br><br>
# Add the following directory statement to your apache configuration file. The default pathname for the apache configuration file is: '''/etc/httpd/conf/httpd.conf''' (NOTE: replace the X with your own network octet):
{{Admon/important |Do not overwrite existing settings|There should already be two Directory statements in that file. One for '''/var/www''' and one for '''/var/www/html'''. Add your new Directory statement after them. Do not overwrite them.}}
<source>
<Directory "/var/www/html/private">
  AllowOverride None
  Require ip 192.168.X.0/24
</Directory>
</source>
'''Record steps, commands, and your observations in INVESTIGATION 1 in your OPS335 lab log-book'''
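The effect of the private-directory restriction can be checked offline before asking a partner to test it. The following is an added example, not part of the original lab: a small Python evaluator for `Require` lines, run against a constructed httpd.conf fragment in which the octet X is assumed to be 40. The names `parse_directories` and `is_allowed` are hypothetical, and only `Require all granted` and full-address or CIDR `Require ip` forms are modelled.

```python
import ipaddress
import re

# Constructed httpd.conf fragment; the lab's octet X is assumed to be 40.
SAMPLE_CONF = """
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/private">
    AllowOverride None
    Require ip 192.168.40.0/24
</Directory>
"""

BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
REQUIRE = re.compile(r"^\s*Require\s+(.+?)\s*$", re.M | re.I)


def parse_directories(conf):
    """Map each <Directory> path to the list of its Require arguments."""
    return {path.rstrip("/"): REQUIRE.findall(body)
            for path, body in BLOCK.findall(conf)}


def is_allowed(conf, file_path, client_ip):
    """Apply the Require lines of the most specific <Directory> block that
    covers file_path. Simplified model: bare Require lines act as "any of",
    and only 'all granted' plus full-address or CIDR 'ip' forms are handled."""
    rules = parse_directories(conf)
    covering = [d for d, reqs in rules.items()
                if reqs and (file_path == d or file_path.startswith(d + "/"))]
    if not covering:
        return False  # no block applies: fail closed in this model
    client = ipaddress.ip_address(client_ip)
    for req in rules[max(covering, key=len)]:
        kind, _, args = req.partition(" ")
        if kind.lower() == "all" and args.strip().lower() == "granted":
            return True
        if kind.lower() == "ip" and any(
                client in ipaddress.ip_network(net, strict=False)
                for net in args.split()):
            return True
    return False


if __name__ == "__main__":
    for ip in ("192.168.40.3", "203.0.113.9"):  # inside / outside the network
        for page in ("/var/www/html/index.html", "/var/www/html/private/index.php"):
            print(ip, page, "allowed" if is_allowed(SAMPLE_CONF, page, ip) else "denied")
```

Apache compares the source address it sees on the connection, so a gateway that rewrote source addresses on forwarded traffic would make every outside client look internal to this rule. The DNAT rule used in this lab changes only the destination address.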
==INVESTIGATION 2: SETTING UP AN ONLINE DATABASE==
# Modify the Directory statement for your private directory to prevent any machine other than your vm1 from accessing it.
# Re-start the web-server and try to access the page from another machine. Make sure that you can '''not''' do so before you continue.
# Install the '''php-mysql''' module so that the installation of php your web server is using can execute sql statements. You will have to restart the service after installing it.
#Modify the index.php page in your private directory to match the code below. This will test that your web server can connect to the database (replace the <user> and <password> with values appropriate for your machine):<br><source>
<?php
// Open a connection to the local MySQL server.
$mysqli = new mysqli("localhost", "<user>", "<password>");
// Report the error number and message if the connection failed.
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}
// Show how the connection was made (e.g. Localhost via UNIX socket).
echo $mysqli->host_info . "\n";
?>
</source>
#Once that page shows a successful connection on your VM ('''Localhost via UNIX socket''' via the '''lynx''' application) this step is complete.
'''Record steps, commands, and your observations in INVESTIGATION 2 in your OPS335 lab log-book'''
{| cellpadding="15" width="40%" align="right" cellpadding="10"
|- valign="top"
|width="10%" |[[Image:Roundcube.png|thumb|right|200px|'''Roundcube''' webmail application Logo<br>GPL,<br> https://commons.wikimedia.org/w/index.php?curid=1772791]]
|width="10%" |[[Image:roundcube-pic.png|thumb|right|300px|Screencapture of '''roundcube''' webmail application running in order to send and receive mail messages via a web-browser. ]]
|}
In this investigation, we will simply install, configure and run the '''roundcube''' webmail application.

'''Perform the following steps on vm1:'''
<ol><li>Perform a search on the roundcube application in order to access the website.</li><li>Either download the "zipped tarball" from their website from a direct link or use the wget command to download directly from a download link (This part may take some effort depending on the Sourceforge website).</li><li>Extract the "zipped tarball" and rename the generated directory that contains the downloaded source code to: '''webmail'''. Also make sure that '''webmail''' is a sub-directory of your '''DocumentRoot'''.
* Use the '''--no-same-owner''' option when extracting the tar archive to ensure that the files do not keep the original owner (who will not exist on your system).</li><li>Change the ownership of the '''temp''' and '''logs''' directories so they belong to apache.</li><li>This service needs to be able to write to several directories ('''temp''' and '''logs''') that SELinux prevents write access to. If you are in a section that has SELinux set to '''enforcing''', run the following commands to let it know that apache should be allowed to write to files in those directories.<source>
semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/temp(/.*)?'
semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/logs(/.*)?'
restorecon -v -R /var/www/html/webmail
</source>
::If your machine does not have the semanage command, use yum to install the policycoreutils-python package.</li><li>You will also need to tell selinux to allow the webserver to open connections to the MTAs with <source>setsebool -P httpd_can_network_connect 1</source></li><li>In the directory now named "webmail", there will be a file named '''INSTALL''' which will walk you through the rest of the Roundcube installation.<br /><br />Some installation tips to consider:
::* Be careful about copying & pasting the MySQL setup part: take time and pay attention to detail: do not try to "rush it".
::* You will need to install additional Apache modules including: '''php-xml''' and '''php-mbstring'''.
::* Don't forget to set the password in the roundcube configuration.</li><li>To make things easier, RoundCube has a well configured installation page available through your local web browser (You will see a note about it in the '''INSTALL''' file).</li>
::* Go onto your host, open Firefox and on the address bar type "vm1.<yourSenecaID>.ops/webmail/installer", make sure your dns on host can resolve the web address. Alternatively, instead of "vm1.<yourSenecaID>.ops" you can input the ip address of your vm1, "192.168.X.2/webmail/installer", change X to your own IP octet.
::* Inside the web browser installer, ensure all required options are "'''ok'''", if "'''DOM: not ok'''" it means you need to install additional php packages (yum install php-xml php-mbstring). Once everything is ready (it will not let you continue otherwise) click next to go to the next page.
::* On the next page, insert "vm3.<yourSenecaID>.ops" under the '''imap settings''' '''default_host''' field and "143" in '''default_port''' field. Insert "vm2.<yourSenecaID>.ops" under '''smtp settings''' '''smtp_server''' field, and "25" in '''smtp_port''' field.
::* Under '''Database setup''' '''db_dsnw''', enter "localhost" as your database server, "roundcubemail" for database name. Put "roundcube" as Database user, and the password you set for the roundcube user when you configured that in the previous steps for database password. Everything else can be left as default.
::* Click next to create the configuration file, then download it to your host. By default it will be saved under "~SenecaID/Downloads". Transfer the file to vm1 using scp and place it inside the /var/www/html/webmail/config folder.
::* Go to the test config page if you are not there already and "Check config file" should be ok. "Check DB config" should also be ok, if not check your mysql settings.
::* Finally test your configuration by sending email using your smtp server through the test field provided by the webmail installer, you should receive a test email sent by RoundCube. Test your IMAP settings by simply logging in with your SenecaID and vm3 password on the same webpage.
::* If everything works properly you can skip to step 10.
*Remember you can edit the configuration file manually by editing "/var/www/html/webmail/config/config.inc.php".
<li>Note that both of your IMAP and SMTP servers are on different machines (i.e. not on vm1). Therefore, you should see custom values in the following parameters in the Roundcube configuration file:
::* '''$config['smtp_server']'''
::* '''$config['default_host']'''
::* '''$config['default_port']'''
:::'''NOTE:''' The last <u>two</u> entries above refer to your IMAP server
</li><li>Now that you have Roundcube installed it is time to test if the roundcube webmail application is working by logging on, then sending and receiving e-mail messages:
*Using a web browser, navigate to vm1.<yourdomain>.ops/webmail and login.
*Use the interface provided to send and receive email.</li><li>If mail sent through roundcube is sending from the wrong domain (i.e. user@vm3.yourdomain.ops instead of user@yourdomain.ops), each user can override it in the settings tab, or you can set:
::* '''$config['mail_domain']''' </li></ol>

'''Record steps, commands, and your observations in INVESTIGATION 3 in your OPS335 lab log-book'''

{{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump command, and you should use the Bash shell script that you were advised to create in order to backup all of your VMs.}}

==COMPLETING THE LAB==
You now have a complete LAMP stack and could host a variety of web-pages that could include dynamically generated content and database access. You also have a webpage that is relying on a number of different services cooperating in order for it to work properly.
'''Depending on your professor you will either be asked to submit the lab in class, or online. Follow the appropriate set of instructions below.'''
===Online Submission(Peter Callaghan's Classes only)===
Follow the instructions for lab 6 on blackboard.
===In Class Submission(Murray Saul's Classes only)===
::<span style="color:green;font-size:1.5em;">✓</span>Download the labcheck6.bash checking bash shell script by issuing the command:<br><br>'''wget http://matrix.senecac.on.ca/~peter.callaghan/files/OPS335/labcheck6.bash'''<br><br>set execute permission and run the shell script on your '''host''' machine.
::*For '''Peter's classes''', follow his Online Submission instructions in Moodle.
::*For '''Murray's classes''', run command (piping to '''more''' command) and show output to instructor.
::<span style="color:green;font-size:1.5em;">✓</span>Completed Lab6 log-book notes.
==EXPLORATION QUESTIONS==
#What does the term LAMP stand for? Briefly describe the purpose of each of the following items in LAMP.
#What is the major difference between a static web document and a dynamic document?
#What does the term "server-side programming" mean?
#What is the purpose of creating and using an index.html file?
#What is the purpose of creating and using an index.php file?