edmundli
Apache port 80 to 80xx
I have Apache 1.3.9 with Red Hat 6.0. It is working fine on port 80 (I use the root login and install from /usr/local/apache).
It works fine. However, I would like to install a new one with less access, such as using a www user with uid 500 group. (I plan to use 8090.)
I know that I cannot use a port under 1024 without root.
So how can I show
http://aaa.bbb.com.sg instead of
http://aaa.bbb.com.sg:8090
(If I use the www user to install my Apache)
Can I use a virtual host?
Can I use a Listen port?
....
OK, I might have missed something here, so bear with me.
Your first Apache server, the one running on port 80, was started as root. But after Apache starts, it binds to port 80, and then all of the server processes run as the user/group specified in the config file. The only process that remains as root is the initial process, which is used to start up new servers if needed (which is why it stays root).
You can run as www under port 80 by changing the config file.
As for running on the other port, unless you do some fancy port redirection at your router/gateway, clients will have to refer to your machine as http://your.hostname.com:8090/. This is mildly annoying, as most users never see a port number with other web sites.
Is there another reason that you want to listen on port 8090? Or is it just so you don't have to start the server as root?
I would honestly recommend that you start the server as root, have Apache change its user/group id and run it on port 80, unless you have other reasons for using another port (security by obscurity comes to mind, but it's not a good strategy).
dennis
ASKER
Dear Dennis,
For your point:
Is there another reason that you want to listen on port 8090? Or is it just so you don't have to start the server as root?
I would honestly recommend that you start the server as root, have apache change its user/group id and run it on port 80, unless you have other reasons for using another port (security by obscurity comes to mind, but it's not a good strategy).
There is no special reason to run on port 8090 at all; this is just an example.
From your recommendation,
I will log in as root and uncompress, configure, make, make all in /usr/local/apache?
If I use user www with group www and group id, let's say, 505, then log in as www and install .....
Can I do this using port 80?
Can you recommend step-by-step instructions for this? I will follow your steps since I am a new learner of the Apache web server.
Best Regards
Edmund
Well, the easiest way to install Apache under Red Hat is via the RPMs. On my box, Apache is running as user nobody, group nobody, which is the safest user/group you can run with. Go to ftp.redhat.com and download the Apache RPM for your distribution, or you can use your original installation disc.
To install Apache via the RPM, do the following as root:
rpm --install apache.rpm
where apache.rpm is the name of the RPM file for Apache.
After you do this, Apache will automatically be configured to start up, and will run as user nobody, group nobody. The HTML documents will go in /home/httpd/htdocs, the CGIs in /home/httpd/cgi-bin.
If you need to change any other configuration, go to /etc/httpd and edit the configuration files there. To reread the configuration, type /etc/rc.d/init.d/httpd start
You can verify that you are not running as root by doing a ps -ef | grep httpd.
Only the first process should be root; all others will be nobody.
You shouldn't need a www user, because nobody is going to have fewer privileges than any other user you create.
At this point, you should be ready to go.
good luck,
dennis
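The process check described in the answer above, as an added example that is not part of the original post: it reads `ps -eo user,pid,ppid,comm` output and fails if any httpd child runs as something other than the expected unprivileged user. The function name `audit_httpd` and the sample process lists are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). audit_httpd is a hypothetical helper name.
# Input: lines in `ps -eo user,pid,ppid,comm` format on stdin.
# Model from the answer: the first httpd (parent) may be root, every child must not be.

audit_httpd() {   # usage: ps -eo user,pid,ppid,comm | audit_httpd nobody
    awk -v want="$1" '
        $4 != "httpd" { next }                 # skip header and other processes
        { user[$2] = $1; ppid[$2] = $3 }       # index httpd processes by pid
        END {
            bad = 0
            for (p in user) {
                if (ppid[p] in user) {         # parent is also httpd: this is a child
                    kids++
                    if (user[p] != want) {
                        printf "FAIL child pid %s runs as %s, expected %s\n", p, user[p], want
                        bad = 1
                    }
                } else {                       # started by init or a shell: the parent
                    parents++
                    printf "INFO parent pid %s runs as %s\n", p, user[p]
                }
            }
            if (parents + 0 == 0) { print "FAIL no httpd parent process found"; bad = 1 }
            printf "INFO %d child processes checked\n", kids
            exit bad
        }'
}

# Constructed sample data, not captured from a real host.
SAMPLE_OK='USER PID PPID COMMAND
root 612 1 httpd
nobody 615 612 httpd
nobody 616 612 httpd
root 431 1 sshd'

SAMPLE_BAD='root 612 1 httpd
nobody 615 612 httpd
root 617 612 httpd'

printf '%s\n' "$SAMPLE_OK" | audit_httpd nobody
```

A non-zero exit status means at least one child kept the wrong identity, so the function can gate a startup or monitoring script.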
ASKER
Dear dennis,
Since I do have experience with the tar .. configure, make, make all commands to set up Apache, and I can predefine my Apache location, e.g.
/usr/local/apache
And I can start and stop the process in /usr/local/apache/bin
Configure /usr/local/apache/conf etc.
This is the reason I use a user www,
log in as www and start installing Apache.
So in this case, can I set www's user access rights as nobody, group as nobody ... any ideas?
I have not tried this before.
Edmund
It doesn't matter what user you use to compile Apache. Root typically has to do the make install step because the directories it installs to are owned by root, but you can use any user as long as the user has the permissions to install in the directories you specified in the configuration.
After you install, you can have Apache run as any user/group you want. If you want to have it run as www after installing as root, that will still work. If you want to have it run as nobody after installing as www or as root, it will still work.
Typically, if I'm installing a new package, I will compile the package with my own login. Then I will su to root to do the final install. For Apache, I set the user/group to nobody, and have root do the startup during normal system startup.
For your situation, after doing the install, just set the User and Group directives in your httpd.conf (or it may be in one of the other Apache config files) to www. Make sure that you have a www user and a www group, and make sure that the www user can read from the htdocs directory, and that all of the CGIs can still run as the www user.
The easiest way to check if the www user has the proper permissions is to su - www, and make sure you can read all of the HTML files and that you can still run the CGIs.
For additional security, before you bring the server live, disable logins on the www account by typing usermod -L www
This locks the password, so the user cannot log in. Apache will still start up as the www user, but anyone trying to telnet in will not be able to use the www user as a way in.
If for some reason you need to unlock the account, type usermod -U www.
good luck,
dennis
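A static check to go with the advice above, added here as an example and not part of the original post: it reads an Apache config and reports the User/Group the children will run as and any Port or Listen value below 1024, which requires the server to be started as root. The function name `check_conf` and both sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). check_conf is a hypothetical helper name.
# Reads an Apache config on stdin and reports the two things this thread turns on:
# which ports need a root start (below 1024) and which account the children run as.

check_conf() {   # usage: check_conf < /usr/local/apache/conf/httpd.conf
    awk '
        /^[ \t]*#/ { next }                      # comment lines
        { d = tolower($1) }                      # directive names are case-insensitive
        d == "user"  { user = $2 }
        d == "group" { group = $2 }
        d == "port" || d == "listen" {
            port = $2
            sub(/^.*:/, "", port)                # drop an optional address prefix
            if (port + 0 < 1024) low = low " " port
        }
        END {
            printf "run-as %s:%s\n", (user == "" ? "(unset)" : user), (group == "" ? "(unset)" : group)
            if (low != "") printf "needs-root-start ports:%s\n", low
            if (user == "") print "WARN no User directive in this file"
            if (user == "root" || user == "#0") {
                print "FAIL children keep root privileges"
                exit 1
            }
        }'
}

# Constructed sample configs, not taken from a real server.
SAMPLE_CONF='# constructed sample config
Port 80
Listen 202.67.43.4:8090
User www
Group www'

SAMPLE_ROOT='Port 8090
User root
Group root'

printf '%s\n' "$SAMPLE_CONF" | check_conf
```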
ASKER
Let me sum up your suggestion
Example: I will use /usr/local/apache as my apache program
Login as root:
cd /usr/local/apache
compile, make, make install by root
I set one user www and group nobody, or I will use user nobody, group nobody
I have the home directory
/usr/local/apache
If I use www, then I need to change
user www
group nobody
Am I correct?
That will work.
good luck,
dennis
ASKER
I got some feedback. I am using Apache installed with root and running on port 80 (for my first Apache web server). Afterward, I am planning to build a new Apache with more security. I will use some user like www, and group www, for my Apache. As I know, only the root user has the right to use ports under 1024. As a result I cannot use port 80. Am I right?
Since I did build a web site under my first Apache (installed by root), e.g.
http://xxx.yyy.zzzz
(ip address 202.67.43.3)
But now I will rebuild a new Apache on a new machine using the www user and www group. Of course this is not a root user. As a result I cannot start on port 80. I have to start it above 1024, let's say 8090. (202.67.43.4)
Afterward, I will use DNS to change the web server IP address to 202.67.43.4
http://xxx.yyy.zzzz:8090
The question is:
Can I use http://xxx.yyy.zzzz in my new web server?
I can try
listen 202.67.43.4:80
listen 202.67.43.4:8090
Am I correct?