Today I tried to configure the User Directory on the Apache server and encountered a difficult problem. The configuration process, the problem and its solution are summarized as follows:
1. Conventional configuration:
Add user web:
adduser web
passwd web
Create the public_html directory in the web user directory and set the permissions to 755:
mkdir public_html
chmod 755 public_html -R
Modify /etc/httpd/conf/httpd.conf:
#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
#UserDir disable
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
UserDir public_html
</IfModule>
2. Testing and the problem that occurred:
http://127.0.0.1/~web
================================
Forbidden
You don't have permission to access /~web on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
--------------------------------------------------------------------------------
Apache/2.0.54 (Fedora) Server at 127.0.0.1 Port 80
Generally, when this problem occurs, the first thing that comes to mind is the access permissions of the directory. After a long time of checking and adjusting, the problem was still not solved. During this period, I wondered whether it was a problem with SELinux. I went in and looked around, but found nothing to change. (Later facts proved that intuition is sometimes very accurate. Whether you find the answer often depends on whether you follow the intuition further.)
3. Solution to the problem:
After searching for Apache 403 on Google for a long time, I finally saw in a blog that the author had encountered exactly the same problem as me: the configuration of Apache and the directory were fine, but the page could not be displayed. The solution is to modify SELinux's access control on public_html.
Use the following command to modify the folder's security attributes:
chcon -R -t httpd_user_content_t public_html/
4. Summary of related knowledge:
Fedora Core 5 SELinux FAQ
http://fedora.redhat.com/docs/selinux-faq-fc5/#faq-entry-public_html
Q: How do I make a user public_html directory work under SELinux?
A: This process presumes that you have enabled user public HTML directories in your Apache configuration file, /etc/httpd/conf/httpd.conf. This process only covers serving static Web content. For more information about Apache HTTP and SELinux, refer to http://fedora.redhat.com/docs/selinux-apache-fc3/.
If you do not already have a ~/public_html directory, create it and populate it with the files and folders to be served.
cd ~
mkdir public_html
cp /path/to/content ~/public_html
At this point, httpd is configured to serve the contents, but you still receive a 403 forbidden error. This is because httpd is not allowed to read the security type for the directory and files as they are created in the user's home directory. Change the security context of the folder and its contents recursively using the -R option:
ls -Z -d public_html/
drwxrwxr-x auser auser user_u:object_r:user_home_t public_html
chcon -R -t httpd_user_content_t public_html/
ls -Z -d public_html/
drwxrwxr-x auser auser user_u:object_r:httpd_user_content_t public_html/
ls -Z public_html/
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t bar.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t baz.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t foo.html
You may notice at a later date that the user field, set here to user_u, is changed to system_u. This does not affect how the targeted policy works. The field that matters is the type field.
Your static webpages should now be served correctly. If you continue to have errors, ensure that the Boolean which enables user home directories is enabled. You can set it using system-config-securitylevel. Select the SELinux tab, and then select the Modify SELinux Policy area. Select Allow HTTPD to read home directories. The changes take effect immediately.
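The two access-control layers described above (file mode bits and the SELinux type field) can be checked separately to see which one produces the 403. The script below is an added example, not part of the original post or the Fedora FAQ; the function names are hypothetical, the sample values are constructed, and it assumes httpd is neither the owner nor in the group of the home directory.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumes httpd is neither owner nor group member, so the "other" bits apply.

# Type field = 3rd colon-separated field of an SELinux context
# (user:role:type, optionally followed by a level such as :s0).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True if the last octal digit of mode $1 (permissions for "other")
# contains every bit in $2 (4 = read, 1 = search/execute).
other_has() {
    digit=${1#"${1%?}"}
    [ $(( digit & $2 )) -eq "$2" ]
}

# diagnose HOME_MODE PUBLIC_HTML_MODE PUBLIC_HTML_CONTEXT
# Returns 0 = both layers allow access, 1 = blocked by file mode,
# 2 = file mode is fine but the SELinux type is wrong.
diagnose() {
    if ! other_has "$1" 1; then
        echo "DAC: home directory not searchable by others (httpd.conf suggests 711)"
        return 1
    fi
    if ! other_has "$2" 5; then
        echo "DAC: public_html not readable and searchable by others (want 755)"
        return 1
    fi
    t=$(ctx_type "$3")
    if [ "$t" != "httpd_user_content_t" ]; then
        echo "SELinux: type is $t, expected httpd_user_content_t"
        return 2
    fi
    echo "OK: file mode and SELinux type both allow httpd to read"
}

# Constructed sample values matching the situation in the post:
# permissions are correct, but the directory still carries user_home_t.
diagnose 711 755 user_u:object_r:user_home_t || :
# Same directory after chcon -R -t httpd_user_content_t public_html/
diagnose 711 755 user_u:object_r:httpd_user_content_t || :
```

On a live system the three arguments can be read with GNU stat: `stat -c %a` prints the octal mode and `stat -c %C` prints the SELinux context.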
Analysis of the commands used:
ls -Z -d public_html/
# Display the security context of the file/directory
-Z, --context
    Display security context so it fits on most displays. Displays only mode, user, group, security context and file name.
-d, --directory
    list directory entries instead of contents, and do not dereference symbolic links
chcon -R -t httpd_user_content_t public_html/
# Modify the security context of files/directories
-R, --recursive
    change files and directories recursively
-t, --type
    set type TYPE in the target security context