Solved

Apache port 80 to 80xx

Posted on 2000-04-06
Last Modified: 2010-03-18
I had Apache 1.3.9 with Red Hat 6.0. It is working fine with port 80 (I use root login and install from /usr/local/apache).

It works fine. However, I would like to change to install a new one with less access, such as using a www user, with uid 500 group. (Plan to have 8090)

I know that I can not work with port under 1024 if there is not a root.

So how can I show

http://aaa.bbb.com.sg instead of
http://aaa.bbb.com.sg:8090

(If I use www user to install my apache)
Can I use Virtual host ?
Can I use listen port ?
....
0
Question by:edmundli
 
LVL 2

Accepted Solution

by:
munsie earned 40 total points
well, it looks like you have a couple of things here...

if all you are doing is trying to make apache run under something besides root, you're mostly there already.

by default, apache will not keep root when it starts up.  It only uses root to bind to the listen port.  It then switches to the specified user in the configuration file.  Look for the User and Group directives in your config files.  On my default RH6.1 install, User and Group are set to nobody.  And a quick look with ps -ef shows that only the first httpd is running as root.. the rest are all nobody/nobody.

If you want to change the user/group, just enter the name or number of the user and group in the above fields and restart the server.

Now, if you still want to run another server on port 8090, you can add a Listen directive to your config files.  Just look for the Listen 80 that's already there and on the next line put in a Listen 8090.  This will cause apache to listen and reply on both ports.

If you want to run two separate servers, one on 80, one on 8090, you need to create a new directory of configuration files, and start another copy of apache.  But typically, you shouldn't need to do this, because the security measures built in to Apache prevent most problems you would encounter.

good luck,
dennis
0
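One way to check the User, Group and Listen settings this answer refers to, as an added example that is not part of the original thread or of Apache itself. The function name, the report wording, the choice to fail when no User directive is present, and the sample configuration (built from the asker's plan) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the directives that decide which account Apache's
# workers run as, and whether the parent needs root for a privileged bind.
# Usage: audit_httpd_conf /path/to/httpd.conf   (or feed the file on stdin)
# Returns 0 when workers run unprivileged, 1 when User is root or missing.
audit_httpd_conf() {
    awk '
        /^[ \t]*#/ { next }              # Apache comments are whole lines
        { d = tolower($1) }              # directive names are case-insensitive
        d == "user"   { user = $2 }
        d == "group"  { group = $2 }
        d == "listen" {
            port = $2
            sub(/^.*:/, "", port)        # "202.67.43.4:80" -> "80"
            if (port + 0 < 1024) low = low " " port
        }
        END {
            rc = 0
            g = (group == "") ? "(no Group)" : group
            if (user == "") {
                # Example policy: insist on an explicit User directive.
                print "FAIL: no User directive"; rc = 1
            } else if (user == "root" || user == "#0") {
                # "#0" is the numeric form; Apache writes uids as #<number>.
                print "FAIL: workers run as root (User " user ")"; rc = 1
            } else {
                print "OK: workers run as " user "/" g
            }
            if (low != "")
                print "NOTE: start parent as root to bind port(s)" low
            exit rc
        }' "$@"
}

# Constructed sample input: the configuration the asker describes.
SAMPLE_CONF='User www
Group nobody
Listen 202.67.43.4:80
Listen 202.67.43.4:8090'

printf '%s\n' "$SAMPLE_CONF" | audit_httpd_conf
```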
 

Author Comment

by:edmundli
Thanks,

I got some feedback. I am using apache installed with root and running on port 80. (For my first apache web server). Afterward, I am planning to build a new apache with more security. I will use some user like www, and group www for my apache. As I know, only the root user has the right to use ports under 1024. As a result I can not use port 80. Am I right?

Since I did build a web site under my first apache (installed by root) eg.

http://xxx.yyy.zzzz
(ip address 202.67.43.3)

But now I will rebuild a new apache with a new machine by using www user and www group. Of course this is not a root user. As a result I can not start port 80. I have to start it above 1024, let's say 8090. (202.67.43.4)

Afterward, I will use DNS to change the web server ip address to 202.67.43.4
http://xxx.yyy.zzzz:8090  


The question is :

Can I use http://xxx.yyy.zzzz in my new web server ?

I can try
listen 202.67.43.4:80
listen 202.67.43.4:8090

Am I correct ?
0
 
LVL 2

Expert Comment

by:munsie
ok, i might have missed something here, so bear with me.

your first apache server, the one running on port 80, was started as root.  But after apache starts, it binds to port 80, and then all of the server processes run as the user/group specified in the config file.  The only process that remains as root, is the initial process, which is used to start up new servers if needed (which is why it stays root).

You can run as www under port 80 by changing the config file.

As for running on the other port, unless you do some fancy port redirection at your router/gateway, clients will have to refer to your machine as http://your.hostname.com:8090/  This is mildly annoying, as most users never see a port number with other web sites.

Is there another reason that you want to listen on port 8090?  Or is it just so you don't have to start the server as root?

I would honestly recommend that you start the server as root, have apache change its user/group id and run it on port 80, unless you have other reasons for using another port (security by obscurity comes to mind, but it's not a good strategy).

dennis
0
 

Author Comment

by:edmundli
Dear Dennis,

For your point:
Is there another reason that you want to listen on port 8090?  Or is it just so you don't have to start the server as root?

I would honestly recommend that you start the server as root, have apache change its user/group id and run it on port 80, unless you have other reasons for using another port (security by obscurity comes to mind, but it's not a good strategy).

There is no special reason to run on port 8090 at all; this is just an example.

From your recommendation,

I will login as root and uncompress, configure, make , make all in /usr/local/apache ?

If I use user www with group www and group id let say 505 then login as www and install .....

Can I do this by using port 80 ?

Can you recommend me steps by steps to do this ? I will follow your steps since I am new learner of apache web

Best Regards
Edmund

0

 
LVL 2

Expert Comment

by:munsie
well, the easiest way to install apache under RedHat is via the RPMs.  On my box, Apache is running as user nobody group nobody, which is the safest user/group you can run with.  Go to ftp.redhat.com, and download the apache RPM for your distribution, or you can use your original installation disc.

to install Apache via the rpm, do the following as root:

rpm --install apache.rpm

where apache.rpm is the name of the RPM file for Apache.

After you do this, Apache will automatically be configured to startup, and will run as user nobody, group nobody.  The html documents will go in /home/httpd/htdocs, the cgi's in /home/httpd/cgi-bin.

If you need to change any other configuration, go to /etc/httpd and edit the configuration files there.  To reread the configuration, type /etc/rc.d/init.d/httpd start

You can verify that you are not running as root by doing a ps -ef | grep httpd.

Only the first process should be root, all others will be nobody.

You shouldn't need a www user, because nobody is going to have less privileges than any other user you create.

At this point, you should be ready to go

good luck,
dennis
0
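The `ps` check described in this answer, as an added example that is not part of the original thread: it reads `ps -eo user,pid,ppid,comm` output and fails if an httpd process whose parent is also httpd is still owned by root. The function name, report wording and sample process table are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that only the parent httpd kept root.
# stdin: "USER PID PPID COMMAND" lines, e.g. from: ps -eo user,pid,ppid,comm
# $1:    process name to inspect (defaults to httpd)
# Returns 0 if no worker runs as root, 1 if one does, 2 if none were found.
check_httpd_privdrop() {
    awk -v name="${1:-httpd}" '
        $4 == name { owner[$2] = $1; parent[$2] = $3; n++ }
        END {
            if (n == 0) { print "no " name " processes found"; exit 2 }
            rc = 0
            for (pid in owner) {
                if (owner[pid] != "root") continue
                p = parent[pid]
                if (p in owner) {
                    # A root-owned httpd whose parent is also httpd is a
                    # worker that never switched to the configured User.
                    print "FAIL: worker " pid " runs as root"; rc = 1
                } else {
                    print "OK: parent " pid " holds root for the privileged bind"
                }
            }
            if (rc == 0) print "OK: no " name " worker runs as root"
            exit rc
        }'
}

# Constructed sample input: one root parent, two workers that dropped to nobody.
SAMPLE_PS='USER PID PPID COMMAND
root 612 1 httpd
nobody 615 612 httpd
nobody 616 612 httpd
root 701 1 sshd'

printf '%s\n' "$SAMPLE_PS" | check_httpd_privdrop
```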
 

Author Comment

by:edmundli
Dear dennis,

Since I do have experience in the tar .. configure, make, make all commands to set up apache, and I can predefine my apache location e.g.

/usr/local/apache

And I can start, stop process in /usr/local/apache/bin

Configure /usr/local/apache/conf etc

This is the reason I use a user www,

login in as www and start install the apache

So In this case, Can I set www as user access right as nobody, group as nobody ... any ideas ?

I did not try before.

Edmund
0
 
LVL 2

Expert Comment

by:munsie
it doesn't matter what user you use to compile apache.  root typically has to do the make install step because the directories it installs to are owned by root, but you can use any user as long as the user has the permissions to install in the directories you specified in the configuration.

After you install, you can have Apache run as any user/group you want.  If you want to have it run as www after installing as root, that will still work.  If you want to have it run as nobody after installing as www or as root, it will still work.

typically, if I'm installing a new package, I will compile the package with my own login.  Then I will su to root to do the final install.  For apache, I set the user/group to nobody, and have root do the startup during normal system startup.

for your situation, after doing the install, just set the User and Group directives in your httpd.conf (or it may be in one of the other apache config files) to www.  Make sure that you have a www user and a www group, and make sure that the www user can read from the htdocs directory, and that all of the cgi's can still run as the www user.

The easiest way to check if the www user has the proper permissions is to su - www, and make sure you can read all of the html files and that you can still run the cgi's.

For additional security, before you bring the server live, disable logins on the www account by typing usermod -L www

This locks the password, so the user cannot login.  Apache will still startup as the www user, but anyone trying to telnet in will not be able to use the www user as a way in.

If for some reason you need to unlock the account, type usermod -U www.

good luck,
dennis
0
 

Author Comment

by:edmundli
Let me sum up your suggestion

Example: I will use /usr/local/apache as my apache program

Login as root:
cd /usr/local/apache

compile, make, make install by root

I set one user www and group nobody or I will use user nobody, group nobody

I have the home directory
/usr/local/apache

if i use www , then I need to change
user www
group nobody

Am I correct ?
0
 
LVL 2

Expert Comment

by:munsie
that will work.

good luck,
dennis
0
