Friday, November 15, 2013

Opening up web server ports on CentOS/selinux

I was setting up a test web server that could run a couple of different web apps. Starting from a default installation, there are three modifications you need to make to do this: to httpd, SELinux, and iptables.

Let's say I want to open port 8000. First, make your modifications to the Apache config, which should be located at /etc/httpd/conf/httpd.conf:

# Bind Apache to the extra port
Listen 8000
<VirtualHost *:8000>
    # ServerName
    DocumentRoot /path/to/web/directory
    SetEnv APPLICATION_ENV "development"
    <Directory /path/to/web/directory>
        DirectoryIndex index.php
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

Great, that's all set up. Let's try to restart the httpd service:

service httpd restart

Stopping httpd:                                            [OK]
Starting httpd:                                            [FAILED]
(98)Address already in use: make_sock: could not bind to address [::]:8000

What? What's going on? Listing the services using netstat doesn't reveal that the port is taken. Doing some research reveals that CentOS ships with SELinux set up, and that I need to open the port there as well:

semanage port -a -t http_port_t -p tcp 8000

After this step, go ahead and restart the httpd service.

service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [OK]

Yay, everything is working, right? Navigate to and nothing responds. Check the Apache logs and there's not even an access attempt. A little more research shows that the default CentOS installation comes with iptables installed and tightly regulated. You'll find the config file at /etc/sysconfig/iptables. Add the following line:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT

Now all we need to do is restart iptables and we're all set:

service iptables restart
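
An added example, not part of the original post: shell functions that check the SELinux and iptables steps above for a given port, run here against constructed sample output. The function names and sample lines are assumptions. It goes one step beyond the post by checking rule order, since iptables matches rules top to bottom and an ACCEPT line placed below the chain's catch-all REJECT is never reached.

```shell
#!/bin/sh
# Added example; the sample inputs are constructed. On a real host pipe in
# `semanage port -l` and /etc/sysconfig/iptables instead.

# True if `semanage port -l` output on stdin lists tcp PORT under http_port_t.
selinux_allows() {
    awk -v port="$1" '
        $1 == "http_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                e = $i; sub(/,$/, "", e)
                n = split(e, r, "-")            # entries can be ranges: 8080-8089
                hi = (n == 2) ? r[2] : r[1]
                if (port + 0 >= r[1] + 0 && port + 0 <= hi + 0) found = 1
            }
        }
        END { exit !found }'
}

# True if CHAIN accepts tcp PORT before its first unconditional REJECT/DROP.
# Rules match top to bottom, so an ACCEPT below that line is never reached.
iptables_accepts() {
    awk -v port="$1" -v chain="${2:-RH-Firewall-1-INPUT}" '
        $1 != "-A" || $2 != chain { next }
        $3 == "-j" && $4 ~ /^(REJECT|DROP)$/ { exit }
        / -p tcp / && / -j ACCEPT/ {
            for (i = 3; i < NF; i++)
                if ($i == "--dport" && $(i + 1) + 0 == port + 0) ok = 1
        }
        END { exit !ok }'
}

# Constructed samples: semanage output before/after the port is added, and
# the post's ACCEPT rule placed above or below the catch-all REJECT.
SEMANAGE_BEFORE='http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443'
SEMANAGE_AFTER='http_port_t                    tcp      8000, 80, 443, 488, 8008, 8009, 8443'
ACCEPT_8000='-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT'
REJECT_ALL='-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'
RULES_OK=$(printf '%s\n' "$ACCEPT_8000" "$REJECT_ALL")
RULES_LATE=$(printf '%s\n' "$REJECT_ALL" "$ACCEPT_8000")   # rule appended at end of file

yesno() { if "$@"; then echo yes; else echo no; fi; }
echo "SELinux before semanage:     $(echo "$SEMANAGE_BEFORE" | yesno selinux_allows 8000)"
echo "SELinux after semanage:      $(echo "$SEMANAGE_AFTER" | yesno selinux_allows 8000)"
echo "iptables, rule above REJECT: $(echo "$RULES_OK" | yesno iptables_accepts 8000)"
echo "iptables, rule below REJECT: $(echo "$RULES_LATE" | yesno iptables_accepts 8000)"
```

On a live system the equivalent calls would be `semanage port -l | selinux_allows 8000` and `iptables_accepts 8000 < /etc/sysconfig/iptables`.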
