Enabling CentOS system users and building publishing directories

In this process, we will learn how Apache provides you with the option to allow your system users to host web pages within their home directories. This approach has been used by ISPs since the outset of web hosting and in many respects, it continues to flourish due to its ability to avoid the more complex method of virtual hosting. In the previous process, you were shown how to install the Apache web server, and with the desire to provide hosting facilities for system users, it is the purpose of this process to show you how this can be achieved in CentOS 7.

To Start With: What Do You Need?

To complete this process, you will require a working installation of the CentOS 7 operating system with root privileges and a console-based text editor of your choice. It is expected that your server will be using a static IP address that supports a hostname or domain name and that the Apache web server is already installed and currently running. Also, at least one system user account should be available on the server.

The Process

To provide the functionality offered by this process, no additional packages are required but we will need to make some modifications to the Apache configuration file.

  1. To begin, log in as root, create a backup copy of the Apache userdir configuration file, and then open the file in your favorite text editor:
    cp /etc/httpd/conf.d/userdir.conf /etc/httpd/conf.d/userdir.conf.BAK
    vi /etc/httpd/conf.d/userdir.conf
  2. In the file, locate the directive that reads as UserDir disabled. Change it to the following:
    UserDir public_html
  3. Now scroll down to the <Directory "/home/*/public_html"> section and replace the existing block with the one here:
    <Directory /home/*/public_html>
        AllowOverride All
        Options Indexes FollowSymLinks
        Require all granted
    </Directory>
  4. Save and exit the file. Now log in as any system user to work with your web publishing directory (su - <username>), and then create a web publishing folder in your home directory and a new home page for your user:
    mkdir ~/public_html && vi ~/public_html/index.html
  5. Now add the required HTML. You can use the following code as a starting point but it is expected that you will modify it to suit your own needs:
    <!DOCTYPE html>
    <html lang="en">
    <head><title>Welcome to my web folder's home page</title></head>
    <body><h1>Welcome to my personal home page</h1></body>
    </html>
  6. Now modify the permissions of the home folder of the Linux system user <username> by typing:
    chmod 711 /home/<username>
  7. Set the permissions of public_html and its contents to 755 so that Apache can read and traverse it later:
    chmod -R 755 ~/public_html
  8. Now log in as root again using su - root to configure SELinux appropriately for the use of http home directories:
    setsebool -P httpd_enable_homedirs true
  9. As root, change the SELinux security context of your user’s public web directory (this requires the policycoreutils-python package to be installed), where <user> is the username:
    semanage fcontext -a -t httpd_user_content_t /home/<user>/public_html
    restorecon -Rv /home/<user>/public_html
  10. To complete this process, simply reload the httpd service configuration:
    apachectl configtest && systemctl reload httpd
  11. You can now test your setup by browsing to the following URL in any browser (substitute <username> appropriately): http://<SERVER IP ADDRESS>/~<username>

How Does It Work?

In this process, we learned how easy it is to host web pages for your peers by enabling user directories on the Apache web server.

So what did we learn from this experience?

We began the process by making a few minor configuration changes to Apache’s userdir.conf in order to set up user directory support. We activated user directories by changing the UserDir directive from disabled to the name of the web directory within each user’s home directory that will contain all of that user’s web content; we called it public_html (you can change this directory name to anything you like, but public_html is the de facto standard). Then we modified the <Directory /home/*/public_html> block. This directive applies all its enclosed options to the parts of the filesystem named in its opening tag, /home/*/public_html. In our example, the following options are enabled for this directory.

Indexes is used whenever a directory does not have an index.html. It shows the file and folder content of the directory as HTML. As we will see in the process Securing Apache, this should be avoided for your web root, whereas for serving user directories it can be a good choice if you just want to make your home folder accessible to your peers so they can quickly share some files (if you have any security concerns, remove this option).

The FollowSymLinks option allows symbolic links (man ln) from this public_html directory to any other directory or file in the filesystem. Again, avoid this in your web root folder, but for home directories it can be useful if you need to make files or folders accessible within the public_html folder without the need to copy them into it (user directories often have disk quotas).

Next we configured access control to the public_html folder. We did so by setting Require all granted, which tells Apache that anyone, from anywhere, can access the contents of this public_html folder through the HTTP protocol. If you want to restrict access to your public_html folder, you can replace all granted with different options. To allow access based on a hostname use, for example, Require host example.com. With the ip parameter we can restrict the public_html folder to an internally available network only, for example Require ip 192.168.1.0/24. This is particularly useful if your web server has multiple network interfaces and one IP address is used for connecting to the public Internet and another one for your internal private network. You can add multiple Require lines within a Directory block. Remember to always set at least Require local, which allows local access.

Having saved our work, we then began to make various changes to the home directories. First we created the actual public_html folder within our user’s home directory, which will be the actual personal web publishing folder later. Next, we changed its permissions to 755 which means that our user can do everything in the folder but all the other users and groups can only read and execute its content (and change into this folder). This type of permission is needed because all the files in the public_html folder will be accessed by a user named apache with the group apache if someone requests its content via the Apache web server later. If no read or execute permissions are set for the other users flag (man chmod), we will get an Access denied message in our browser. This will also be the case if we do not change the permissions for the parent /home/<username> directory in advance because parent directory permissions can affect its child subfolder permissions. A normal user home directory in CentOS Linux has the permissions 700 which means that the home directory’s owner can do anything but everyone else is completely locked out of the home folder and its content.

As mentioned before, the Apache user needs access to the subfolder public_html, so we have to change the permissions of the home folder to 711 so that everyone else can at least change into the directory (and then access the subfolder public_html as well, since this is set to be readable and executable by others). Next, we set the security context of our new web folder for SELinux. On systems running SELinux, it’s mandatory to set all the Apache web publishing folders to the httpd_user_content_t SELinux label (along with their contents) in order to make them available to Apache. Also, we made sure to set the correct SELinux Boolean to enable Apache home directories (which is enabled by default): httpd_enable_homedirs is true. Read Working with SELinux to learn more about SELinux.
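The following audit script is an added example, not part of the original process: it checks a home directory against the 711 and 755 modes described above and reports symbolic links under public_html that FollowSymLinks would let Apache follow out of the publishing folder. The function name audit_userdir and the finding labels are assumptions made for this example; it relies on GNU stat and readlink as shipped with CentOS 7.

```shell
#!/bin/sh
# Added example: audit home directories against the modes this process sets.
# Prints one finding per line and nothing when a directory is clean.
audit_userdir() {
    home=$1
    pub=$home/public_html
    [ -d "$pub" ] || return 0                # this user publishes nothing

    # Step 6 (chmod 711): "other" needs x to reach public_html; r or w on
    # the home directory itself goes beyond what Apache requires.
    mode=$(stat -c '%a' "$home")
    case $mode in *[1357]) ;; *) echo "HOME_NOT_TRAVERSABLE $home mode=$mode" ;; esac
    case $mode in *[2-7]) echo "HOME_TOO_OPEN $home mode=$mode" ;; esac

    # Step 7 (chmod 755): nothing Apache serves should be world-writable.
    find "$pub" ! -type l -perm -0002 | while IFS= read -r f; do
        echo "WORLD_WRITABLE $f"
    done

    # FollowSymLinks: report links that resolve outside public_html, because
    # their targets become reachable over HTTP if Apache can read them.
    root=$(readlink -f "$home")/public_html
    find "$pub" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || target=
        case $target in
            "$root"|"$root"/*) ;;
            *) echo "SYMLINK_ESCAPES $link -> ${target:-unresolvable}" ;;
        esac
    done
    return 0
}

# Usage: sh audit_userdir.sh /home/*   (with no arguments nothing is audited)
for h in "$@"; do audit_userdir "$h"; done
```

Run it as root after enabling a new user, for example against /home/*, and review any line it prints before reloading httpd.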

You should be aware that the previous process of managing the home directories should be repeated for each user. You will not have to restart Apache every time you enable a new system user but, having completed these steps for the first time, it will be simply a matter of reloading the configuration of the httpd service to reflect the initial changes made to the configuration file. From this point on, your local system users can now publish web pages using a unique URL based on their username.
