572
edits
Changes
m
* (Course Notes on the Apache Web Server)
* [http://www.hitmill.com/computers/apache.htm Apache Resources]
{{Admon/tip |Apache Webserver Resources|Apache web-server configuration can be a very complex topic (covering an entire course!). Although this lab focuses only on one small application of a web-server, you can refer to the following link to refer to additional configuration help: [http://www.hitmill.com/computers/apache.htm Apache Resources].}}
</li>::NOTE:If your machine does not have the semage '''semanage''' command, use yum to install the '''policycoreutils-python ''' package.<li>You will also need to tell selinux to allow the webserver to open connections to the MTAs with <source>setsebool -P httpd_can_network_connect 1</source></li>
::* '<source>$config['smtp_server']$config['smtp_serversmtp_user']= '';$config['::* smtp_pass'] = '';$config['default_host']'''::* '''$config['default_port']'''</source>
===Online Submission (Peter CallaghanYou's Classes only)===Follow ll get the instructions for lab 6 on blackboardsame grade regardless of how you choose to submit your work.
===In Class Submission (Murray Saul's Classes only)===::<span style="color:green;font-size:1.5em;">✓</span>Download the labcheck6.bash checking bash shell script by issuing the command:<br><br>and run '''wget httphttps://matrixict.senecac.onsenecacollege.ca/~peterandrew.callaghansmith/filesops335/OPS335/labcheck6labcheck5.bash'''<br><br>set execute permission and run the shell script on your '''host''' machine. ::*For '''Peter's classes''', follow his Online Submission instructions in Moodle.::*For '''Murray's classes''', run command (piping to the '''more''' command) and show output to instructor.
To be completed by an instructor who uses in-class submissions.->
→INVESTIGATION 3: INSTALL, CONFIGURE & RUN WEBMAIL APPLICATION (Roundcube Mail)
=== Online Resources===
* [http://www.liquidweb.com/kb/how-to-install-apache-on-centos-7/ Installing Apache Webserver on Centos7]
* [http://www.w3schools.com/php/default.asp PHP Tutorial] (w3schools.com)
* [http://www.w3schools.com/sql/ MySQL / SQL Language Resources] (w3schools.com)
== INVESTIGATION 1: SETTING UP A WEBSERVER WITH DYNAMIC WEBPAGES ==
Next we need to install, configure and run a webserver on one of our Linux VMs.
'''Perform the following steps:'''
#Make certain you are in your '''VM1''' machine.
#Install the Apache package (the name of the package is: '''httpd''').
#Start the httpd service, and enable this service to start automatically upon system startup.
#Using a text browser such as '''lynx ''' on vm1 go to http://localhost. You should get the "Fedora Apache Test Page" which indicates your web server is running on the local virtual machine.
#Make certain to configure your firewall to allow access to the httpd service (i.e. the Apache serves HTTP traffic which goes over TCP port '''80''') and keep the changes past rebooting.
#Open a web-browser in your '''host''' machine and enter the following URL: '''vm1.youruserid.ops'''.<br />If you setup your Apache webserver correctly, you should be able to view the Apache Test page.
'''Perform the following steps:'''
#'''Copy ''' the '''index.html''' file to as '''index.php''' and modify it to contain:<br><source>Hello, this is a web page on vm1.youruserid.ops and the current time is <?php system("date"); ?>!</source>
<ol><li value="2">On your host machine, again refresh your in the web-browsermanually add '''/index.php'''. Notice that in a web browser the ''index.php'' file isn't treated as a default page and the contents don't contain the date, but instead are displaying the text in the php code you entered into the index.php file (refer to above code).</li>
<li>The reason this occurs is that the PHP interpreter hasn't been installed on your vm by default.</li>
<li>Install the '''php ''' package on your vm1 machine, and restart your webserver. NOTE: The php package comes with a working default Apache configuration so you don't need to enable it manually.</li><li>Refresh the webpage for in your web-browser on your host machine. You should now notice that you see the date instead of the call to the date command. Refresh your webpage several times to see how the time changes. This is simply a "trivial example" of dynamic web content does it does provide a simple demonstration of how scripting languages can be used to create more dynamic webpages.</li>
</ol>
=== Controlling Access to Pages ===
For security, it is important to allow access to general areas of your webpage, but also limit access to other sub-directories that contain other webpages or documents. Penetration Tester Testers or hackers may be able to navigate your file systems within your html directory to obtain unauthorised information.
There are many common-sense safeguards, such as creating an index.html file in your default directory that will display a webpage instead of the directory index. On the other hand, there are also safeguards that you can setup to provide additional protection to your data on your web server.
'''Perform the following steps:'''
# As the root user on your gateway/host, try to forward incoming http connections that arrive on your host to the web server on vm1. Use an iptables command something like this:<br><source>iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.X.2</source>OR this (whichever works):<br><source>iptables -t nat -A PREROUTING -i *yourinterfaceexternalinterface* -p tcp --dport 80 -j DNAT --to 192.168.X.2</source> {{Admon/important |Do not save these rules|The PREROUTING rule above will redirect all HTTP requests to vm1. That will be a problem in the future when you run yum install or yum update, which downloads things over HTTP.}}
# You will also need to create a rule in the FORWARD chain in the default table to accept connections to port 80.
# To test this setup you'll need to use another machine outside your own network. If you are using an SSD and VMWare, For this purpose you can simply use the windows host. If you are using a removable drive, ask a classmate on another PC to act as the partner. In either case, enter your host's external IP address in their browser's address window(machine running Vmware).# Have the partner external machine view both '''index.html''' and '''index.php'''
# Create a new directory called '''private''' inside your '''DocumentRoot''' and move index.php inside it.
# Have your partner view View both files again.<br><br>You will now modify the settings on the web-server to prevent machines outside our network from accessing the private directory.<br><br>
# Add the following directory statement to your apache configuration file. The default pathname for the apache configuration file is: '''/etc/httpd/conf/httpd.conf''' (NOTE: replace the X with your own network octet):
</source>
This sets up separate rules and access permissions for that subdirectory. Your partner should no longer be able to access any pages in the private directory (or any sub-directories of it)from external machines, but your other internal machines (including your host) should still have access.
'''Record steps, commands, and your observations in INVESTIGATION 1 in your OPS335 lab log-book'''
#Install '''mariadb-server'''.<br /><br /> The MySQL and MariaDB are actually two <u>separate</u> projects run by different groups, yet they are compatible; therefore, you can use documentation from one to configure the other. <br><br>
#'''NOTE:''' When installing mariadb, make certain that you have not just the '''client''' but also the '''server software'''.
#When you start the MySQL service, check the system log file for instructions regarding how to set the root password. Even though we will '''not ''' configure our MySQL service to be '''accessible over the network''', it is accepted as a "best practice" configuring for network access for each MySQL installation.
#Note that the MySQL service has two root passwords:<ul><li>For the localhost</li><li>For external requests</li></ul>
#Refer Start the mariadb server, then refer to the log file (by running '''journalctl -xe''') to learn how to run the two commands in order to generate the appropriate passwords.<br><br>NOTE: Use a password you make up yourself, but do <u>not</u> generate a use your own secret password, since you will be storing that password in a plain text file for later reference.
#Start the service and ensure that it will start automatically every time the machine boots.
'''Perform the following steps:'''
# Modify the Directory statement for your '''private ''' directory to prevent any machine other than your vm1 from accessing it.
# Re-start the web-server and try to access the page from another machine. Make sure that you can '''not''' do so before you continue.
# Install the '''php-mysql''' module so that the installation of php your web server is using can execute sql statements. You will have to restart the service after installing it.
#Modify the '''index.php ''' page in your '''private ''' directory to match the code below. This will test that your web server can connect to the database (replace the <user> and <password> with values appropriate for your machine):<br><source>
<?php
$mysqli = new mysqli("localhost", "<user>", "<password>");
In the investigation, we will simply install, configure and run the '''roundcube''' webmail application.
'''Perform the following steps on vm1:'''
<ol><li>Perform a search on the roundcube application in order to access the website.</li><li>Either Download the lastest '''Complete''' "zipped tarball" from their website from a direct link or use (https://roundcube.net/download/) using wget on the wget command to download directly from a download link (This part may take some effort depending on the Sourceforge website).</li>
<li>Extract the "zipped tarball" and rename the generated directory that contains download source code to: '''webmail'''. Also make sure that '''webmail''' is a sub-directory of your '''DocumentRoot'''.
* Use the '''--no-same-owner''' option when extracting the tar achive to ensure that the files do not keep the original owner (who will not exist on your system).</li>
<li>Change the ownership of the '''temp''' and '''logs''' directories so they belong to '''apache'''.</li><li>If you're not in Andrew's sections and you have SELinux enabled: This service needs to be able to write to several directories ('''temp''' and '''logs''') that SELinux prevents write access to. If you are in a section that has SELinux set to '''enforcing''', run the following commands to let it know that apache should be allowed to write to files in those directories.
<source>
semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/temp(/.*)?'
restorecon -v -R /var/www/html/webmail
</source>
<li>In the directory now named "webmail", there will be a file named '''INSTALL''' which will walk you through the rest of the Roundcube installation.
<br /><br />Some installation tips to consider:
<li>To make things easier, RoundCube has a well configured installation page available through your local web browser (You will see a note about it in the '''INSTALL''' file).</li>
::* Go onto your host, open Firefox and on the address bar type "'''vm1.<yourSenecaID>.ops/webmail/installer"''', make sure your dns on host can resolve the web address. Alternatively, instead of "vm1.<yourSenecaID>.ops" you can input the ip address of your vm1, "'''192.168.X.2/webmail/installer"''', change X to your own IP octet.
::* Inside the web browser installer, ensure all required options are "'''ok'''", if "'''DOM: not ok'''" it means you need to install additional php packages (yum install php-xml php-mbstring). Once everything is ready (it will not let you continue otherwise) click next go to the next page.
::* On the next page, under the '''IMAP settings''' insert "'''vm3.<yourSenecaID>.ops" under the '''imap settingsin ''' default_host'''default_hostfield and ''' field and "143" ''' in '''default_port''' field. Insert "Under '''SMTP settings''' insert '''vm2.<yourSenecaID>.ops" under '''smtp settings''' in '''smtp_server''' field, and "'''25" ''' in '''smtp_port''' field. Ensure '''smtp_user/smtp_pass''' is '''empty''' and '''uncheck''' the "Use the current IMAP username and password for SMTP authentication" checkbox. ::* Under '''Database setup''' '''db_dsnw''', enter "localhost" as your database server, "roundcubemail" for database name. Put "roundcube" as Database user, and the password you set for the roundcube user when you configured that in the previous steps step for database password. Everything else can be left as default. ::* Click next Next to create the configuration file, then download it to your '''host'''. By default it will be saved under "'''~SenecaIDyourSenecaID/Downloads"'''. Transfer the files that file '''to vm1 ''' using '''scp ''' and place it inside '''/var/www/html/webmail/config ''' folder.
::* Go to test config page if you are not there already and "Check config file" should be ok. "Check DB config" should also be ok, if not check your mysql settings.
::* Finally Make sure your SMTP and IMAP servers are running, then finally test your configuration by sending email using your smtp server through test field provided by webmail installer, you should receive a test email sent by RoundCube. Test your IMAP settings by simply loging in with your SenecaID and vm3 password on the same webpage. ::* If everything works properly you can skip '''skip to''' step 109. *Remember you can edit the configuration file manually by editing "/var/www/html/webmail/config/config.inc.php".
</li>
<li>Note that both of your IMAP and SMTP servers are on different machines (i.e. not on vm1). Therefore, you should see custom values in the following parameters in the Roundcube configuration file:
:::'''NOTE:''' The last <u>two</u> entries above refer to your IMAP server
</li>
<li>Now that you have Roundcube installed it is time to test if the roundcube webmail application is working by logging on, then sending and receiving e-mail messages:
*Using a the Firefox webbrowser, navigate to '''vm1.<yourdomain>.ops/webmail ''' and login(using the username only).
*Use the interface provided to send and receive email.</li>
<li>If mail sent through roundcube is sending from the wrong domain (i.e. user@vm3.yourdomain.ops instead of user@yourdomain.ops), each user can override it in the settings tab, or you can set:
'''Record steps, commands, and your observations in INVESTIGATION 3 in your OPS335 lab log-book'''
{{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump or rsync command, and you should use the Bash shell script that you were advised to create in order to backup all of your VMs.}}
== COMPLETING THE LAB ==
You now have a complete LAMP stack and could host a variety of web-pages that could include dynamically generated content and database access. You also have a webpage that is relying on a number of different services cooperating in order for it to work properly.
===Online Submission===Follow the instructions for lab 6 on blackboard.<!--===Andrew'''Depending s sections=== You may choose to:* Submit screenshots of your work on your professor Blackboard, in which case you will either be asked don't need to come to submit the lab in class, or online. Follow * Or come to the appropriate set of instructions belowlab, show me your work, and talk to me about it.I want to hear what you'''ve learned and answer any questions you have.
::<span style="color:green;font-size:1.5em;">✓</span>Completed Lab6 log-book notes.
==EXPLORATION QUESTIONS==