Centos + Cpanel + Subversion + Apache 2 + Proxy works

August 21, 2008

My mission was to install Subversion on our server without breaking cPanel. After a lot of googling I was able to do it. It took me about a week to figure out a method that works without any issues on cPanel. The main issue was that cPanel still doesn't support the Apache 2 series. They do have support in the edge version, but it is highly unstable and doesn't compile all the modules PHP needs. In Apache 1.3 the support for mod_dav is not very good, so the only alternative for Subversion was to use the Apache 2 series. So I started digging for articles.

I found there is a method to install both Apache 1.3 and Apache 2 together. The only thing is that we have to use a port other than 80 for Apache 2. Let me go step by step through how I installed Subversion.

1. Install Subversion: this was really easy on CentOS. I just had to use yum and it does it all.

yum install subversion

This installs all the libraries Subversion needs. Sometimes you may come across an issue with perl-URI. Just Google for "perl uri rpm", download the RPM and install it. In my case I had to download and install it manually:

rpm -ivh perl-URI-1.35-2.2.noarch.rpm

2. The next thing was to create a repository.

cd /var/
mkdir -p repo/source/
svnadmin create /var/repo/source

With the above commands I created a Subversion repository named source. Check inside the directory: if a lot of files were created, Subversion is working fine ;-) .

3. Now we can proceed with the Apache 2 installation. I chose Apache 2.0.59.

./configure --prefix=/usr/local/apache2 --with-port=2080 --enable-dav --enable-dav-fs --enable-proxy --enable-rewrite --enable-so
make
make install
/usr/local/apache2/bin/apachectl start

Apache 2 is now installed on port 2080 with dav, proxy and rewrite, and started. So simple ;-) .

4. Now we have to compile mod_svn for Apache 2. For this I had to download the Subversion source. First check which version of Subversion is installed; you can do this with yum.

yum info subversion

Next, download the source for that same Subversion version and compile mod_svn against the Apache 2 apxs:

./configure --with-apxs=/usr/local/apache2/bin/apxs
make
make install

Now mod_svn is installed and activated in Apache 2. We can configure Apache 2 to serve the repository with the help of mod_dav.

5. Configure Apache 2 for svn. To do this I had to edit the httpd.conf of Apache 2, located at /usr/local/apache2/conf/httpd.conf:

<Location /svn>
DAV svn
SVNPath /var/repo/source
</Location>

Restart Apache 2 once you have made the above changes. You should now be able to see the repository at http://localhost:2080/svn/, at revision 0. There will be nothing in it yet, as we have not added any files.

6. Now we have to add mod_proxy to Apache 1.3 so that it can proxy requests internally to Apache 2. You can download the source of the currently installed Apache 1.3, or find it in /home/installd/buildapache/apache_1.3.xx/src/modules/proxy.
Just go to that directory and run this command:

/usr/local/apache/bin/apxs -i -c *.c

That installs mod_proxy into Apache 1.3.

7. Add this setting to the Apache 1.3 conf file to proxy http://localhost:2080/svn/ onto the standard port 80 of some website.
Add these lines to any virtual host present in the conf file:

ProxyRequests Off
ProxyPass / http://localhost:2080/svn

I added it to the virtual host svn.imthi.com.

You can view my Subversion repository at http://svn.imthi.com/ (username: guest, password: guest).

All done. If you wish to add authentication, you can Google how to add simple HTTP authentication. You can even add access policies if you want. The final setting should look something like this with authentication and policies:

<Location /svn>
DAV svn
SVNPath /var/repo/source
AuthzSVNAccessFile /var/repo/conf/svnpolicy
AuthType Basic
AuthName "Imthiaz Subversion repository"
AuthUserFile /var/repo/conf/svnusers
Require valid-user
</Location>

For this the SVN book will be of great use. Have fun …!!! ;-)
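As an added example (not the post's own code), a small shell script that scans an Apache httpd.conf for Location blocks serving a repository with DAV svn and reports any that carry no Require directive, which is the state the first configuration above is in before authentication is added. The sample httpd.conf is constructed from the two blocks shown in the post.

```sh
#!/bin/sh
# Added example, not from the original post: scan an Apache httpd.conf for
# <Location> blocks that serve a Subversion repository (DAV svn) and list
# those without any "Require" directive, i.e. repositories that anyone who
# can reach the port may read and commit to. On the server in the post:
#   audit_svn_locations /usr/local/apache2/conf/httpd.conf

# Constructed sample holding both variants from the post: the first
# unauthenticated block and the final one with Basic auth and a policy file.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Listen 2080
<Location /svn>
DAV svn
SVNPath /var/repo/source
</Location>
<Location /private>
DAV svn
SVNPath /var/repo/private
AuthzSVNAccessFile /var/repo/conf/svnpolicy
AuthType Basic
AuthName "Imthiaz Subversion repository"
AuthUserFile /var/repo/conf/svnusers
Require valid-user
</Location>
<Location /plain>
Options None
</Location>
EOF

# Print one line per unprotected repository: "<location path> <SVNPath>".
audit_svn_locations() {
    awk '
        # Apache directives are case-insensitive, so compare lower-cased.
        tolower($1) == "<location" { path = $2; sub(/>$/, "", path)
                                      svn = 0; req = 0; repo = "-"; next }
        tolower($1) == "dav" && tolower($2) == "svn"    { svn = 1; next }
        tolower($1) ~ /^svn(parent)?path$/               { repo = $2; next }
        # "Require all granted" (Apache 2.4) opens access; anything else counts.
        tolower($1) == "require" &&
            !(tolower($2) == "all" && tolower($3) == "granted") { req = 1; next }
        tolower($1) == "</location>" { if (svn && !req) print path, repo }
    ' "$1"
}

audit_svn_locations "$SAMPLE_CONF"   # /svn /var/repo/source
```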


Install Apache 1 and Apache 2 on the same server

August 21, 2008

I found there is a method to install both Apache 1.3 and Apache 2 together. The only thing is that we have to use a port other than 80 for Apache 2. Let me go step by step through how I installed Subversion.

Now we can proceed with the Apache 2 installation. I chose Apache 2.0.59.

wget http://www.reverse.net/pub/apache/httpd/httpd-2.0.63.tar.gz

./configure --prefix=/usr/local/apache2 --with-port=2080 --enable-dav --enable-dav-fs --enable-proxy --enable-rewrite --enable-so
make
make install
/usr/local/apache2/bin/apachectl start

Apache 2 is installed on port 2080.

Access http://localhost:2080/test.html and check below. I have two Apaches running on the same server. lol :)

[root@sabarish htdocs]# ps aux | grep httpd
nobody   18409  0.0  0.5   4104  1248 ?        S    12:28   0:00 /usr/local/apache2/bin/httpd -k start
nobody   18410  0.0  0.5   4104  1248 ?        S    12:28   0:00 /usr/local/apache2/bin/httpd -k start
nobody   18793  0.0  0.4   4104  1140 ?        S    12:34   0:00 /usr/local/apache2/bin/httpd -k start
root     18804  0.0  1.6  22852  4068 ?        Ss   12:34   0:00 /usr/sbin/httpd
apache   18807  0.0  0.9  22984  2316 ?        S    12:34   0:00 /usr/sbin/httpd
apache   18808  0.0  1.1  22984  2800 ?        S    12:34   0:00 /usr/sbin/httpd
apache   18809  0.0  1.1  22984  2796 ?        S    12:34   0:00 /usr/sbin/httpd
apache   18810  0.0  0.9  22984  2320 ?        S    12:34   0:00 /usr/sbin/httpd


Security Context of a File

August 20, 2008

Viewing the Security Context of a File

RHEL 5 ships with SELinux installed by default. SELinux can protect every file on your system.

How is this done?

SELinux labels every file on your system with a security context. The security context is stored in the extended attributes of the file. To view the security context of a file, issue the following from a command prompt:

# ls -Z <file_name>

Replace <file_name> with the name of a file. An example of the security context of resolv.conf follows.

Command:

# ls -Z /etc/resolv.conf

Output:

-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf

The break down

Let’s focus on “system_u:object_r:net_conf_t”

On a typical setup SELinux uses 3 fields for a security context, separated by colons:

user:role:type

In our example resolv.conf is a system file. We can tell this by looking at the user field of the security context, which in our case is system_u.

resolv.conf is an object because it is labeled "object_r" in the role field, and its type, the field the policy rules are written against, is "net_conf_t".

This is just a basic introduction to the world of SELinux.
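Added here as an example (not from the original post): a POSIX sh helper that pulls the context out of a line of ls -Z output and splits it into the user, role and type fields described above; it also handles the fourth field, the MLS/MCS level, that newer ls -Z prints after the type. The sample lines are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: take a line of "ls -Z" output,
# pull out the security context and split it into the fields the post
# describes (user:role:type). On MLS/MCS policies a fourth field, the level
# (e.g. "s0" or "s0-s0:c0.c1023"), follows the type; it is handled too.

# Constructed sample lines: the RHEL 5 form shown in the post for
# resolv.conf, and the same file as a newer ls -Z prints it, with a level.
LS_Z_RHEL5='-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf'
LS_Z_MLS='-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf'

# In "ls -Z" output the context is the fourth whitespace-separated column.
context_from_ls() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# One field each: user, role, type; the level is everything after the type
# (it may itself contain colons) and is empty when the policy has none.
context_user()  { printf '%s\n' "$1" | cut -d: -f1; }
context_role()  { printf '%s\n' "$1" | cut -d: -f2; }
context_type()  { printf '%s\n' "$1" | cut -d: -f3; }
context_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Sanity check against the naming convention the post relies on: SELinux
# users end in _u, roles in _r, types in _t. Returns 0 when all three hold.
context_is_well_formed() {
    case "$(context_user "$1")" in *_u) ;; *) return 1 ;; esac
    case "$(context_role "$1")" in *_r) ;; *) return 1 ;; esac
    case "$(context_type "$1")" in *_t) ;; *) return 1 ;; esac
}

# Describe a file the way the post walks through resolv.conf.
describe_context() {
    ctx=$(context_from_ls "$1")
    if ! context_is_well_formed "$ctx"; then
        echo "malformed context: $ctx"
        return 1
    fi
    printf 'user=%s role=%s type=%s level=%s\n' "$(context_user "$ctx")" \
        "$(context_role "$ctx")" "$(context_type "$ctx")" "$(context_level "$ctx")"
}

describe_context "$LS_Z_RHEL5"   # user=system_u role=object_r type=net_conf_t level=
describe_context "$LS_Z_MLS"     # user=system_u role=object_r type=net_conf_t level=s0
```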


Basics of SELinux - Enable/Disable SELinux

August 20, 2008

Files Related to SELinux:

The following sections describe SELinux configuration files and related file systems.

The /selinux/ Pseudo-File System

The /selinux/ pseudo-file system contains commands that are most commonly used by the kernel subsystem. This type of file system is similar to the /proc/ pseudo-file system.

In most cases, administrators and users do not need to manipulate this component compared to other SELinux files and directories.

The following example shows sample contents of the /selinux/ directory:

-rw-rw-rw- 1 root root 0 Sep 22 13:14 access
dr-xr-xr-x 1 root root 0 Sep 22 13:14 booleans
--w------- 1 root root 0 Sep 22 13:14 commit_pending_bools
-rw-rw-rw- 1 root root 0 Sep 22 13:14 context
-rw-rw-rw- 1 root root 0 Sep 22 13:14 create
--w------- 1 root root 0 Sep 22 13:14 disable
-rw-r--r-- 1 root root 0 Sep 22 13:14 enforce
-rw------- 1 root root 0 Sep 22 13:14 load
-r--r--r-- 1 root root 0 Sep 22 13:14 mls
-r--r--r-- 1 root root 0 Sep 22 13:14 policyvers
-rw-rw-rw- 1 root root 0 Sep 22 13:14 relabel
-rw-rw-rw- 1 root root 0 Sep 22 13:14 user

For example, running the cat command on the enforce file reveals either a 1 for enforcing mode or 0 for permissive mode.

SELinux Configuration Files

The following sections describe SELinux configuration and policy files, and related file systems located in the /etc/ directory.

The /etc/sysconfig/selinux Configuration File

There are two ways to configure SELinux under Red Hat Enterprise Linux: using the Security Level Configuration Tool (system-config-securitylevel), or manually editing the configuration file (/etc/sysconfig/selinux).

The /etc/sysconfig/selinux file is the primary configuration file for enabling or disabling SELinux, as well as setting which policy to enforce on the system and how to enforce it.

Note: /etc/sysconfig/selinux is a symbolic link to the actual configuration file, /etc/selinux/config.

The following explains the options available for configuration:

* SELINUX=<enforcing|permissive|disabled> — Defines the top-level state of SELinux on a system.

1) enforcing — The SELinux security policy is enforced.
2) permissive — The SELinux system prints warnings but does not enforce policy. This is useful for debugging and troubleshooting purposes. In permissive mode, more denials will be logged, as subjects will be able to continue with actions otherwise denied in enforcing mode. For example, traversing a directory tree will produce multiple avc: denied messages for every directory level read, where a kernel in enforcing mode would have stopped the initial traversal and kept further denial messages from occurring.
3) disabled — SELinux is fully disabled. SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered.

Actions made while SELinux is disabled may cause the file system to no longer have the proper security context as defined by the policy. Running fixfiles relabel prior to enabling SELinux will relabel the file system so that SELinux works properly when enabled. For more information, refer to the fixfiles(8) manpage.

Additional white space at the end of a configuration line or as extra lines at the end of the file may cause unexpected behavior. To be safe, remove unnecessary white spaces.

* SELINUXTYPE=<targeted|strict> — Specifies which policy is currently being enforced by SELinux.

1) targeted — Only targeted network daemons are protected.

Important: The following daemons are protected in the default targeted policy: dhcpd, httpd (apache.te), named, nscd, ntpd, portmap, snmpd, squid, and syslogd. The rest of the system runs in the unconfined_t domain.

The policy files for these daemons can be found in /etc/selinux/targeted/src/policy/domains/program and are subject to change, as newer versions of Red Hat Enterprise Linux are released.

Policy enforcement for these daemons can be turned on or off, using Boolean values controlled by Security Level Configuration Tool (system-config-securitylevel). Switching a Boolean value for a targeted daemon disables the policy transition for the daemon, which prevents, for example, init from transitioning dhcpd from the unconfined_t domain to the domain specified in dhcpd.te. The domain unconfined_t allows subjects and objects with that security context to run under standard Linux security.

2) strict — Full SELinux protection, for all daemons. Security contexts are defined for all subjects and objects, and every single action is processed by the policy enforcement server.
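Added example, not part of the quoted Red Hat text: a shell check that reads an /etc/sysconfig/selinux and flags values outside the documented set, plus the stray white space the note above warns about. The two sample files are constructed.

```sh
#!/bin/sh
# Added example, not from the original post or the Red Hat text it quotes:
# check an /etc/sysconfig/selinux (i.e. /etc/selinux/config) for the
# problems the text warns about: a SELINUX or SELINUXTYPE value outside the
# documented set, trailing white space on a line, and extra blank lines at
# the end. On a live system: check_selinux_config /etc/selinux/config

# Write the given lines to a temporary file and print its path.
write_config() {
    f=$(mktemp)
    printf '%s\n' "$@" > "$f"
    echo "$f"
}

# Constructed samples: a clean file, and one with a trailing space after
# "targeted" plus an extra empty line at the end.
GOOD_CONF=$(write_config '# This file controls the state of SELinux on the system.' \
                         'SELINUX=enforcing' 'SELINUXTYPE=targeted')
BAD_CONF=$(write_config '# This file controls the state of SELinux on the system.' \
                        'SELINUX=enforcing' 'SELINUXTYPE=targeted ' '')

# Raw value of KEY=VALUE (last occurrence wins); comment lines are skipped
# because they start with "#", not with the key.
config_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Print one line per problem found; return 0 only when there are none.
check_selinux_config() {
    file=$1; problems=0
    mode=$(config_value "$file" SELINUX)
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "SELINUX='$mode' is not enforcing, permissive or disabled"
           problems=$((problems + 1)) ;;
    esac
    ptype=$(config_value "$file" SELINUXTYPE)
    case "$ptype" in
        targeted|strict) ;;   # the two policies the text documents
        *) echo "SELINUXTYPE='$ptype' is not targeted or strict"
           problems=$((problems + 1)) ;;
    esac
    if grep -q '[[:space:]]$' "$file"; then
        echo "trailing white space on line(s): $(grep -n '[[:space:]]$' "$file" | cut -d: -f1 | paste -sd, -)"
        problems=$((problems + 1))
    fi
    if [ -z "$(tail -n 1 "$file")" ]; then
        echo "file ends with an empty line"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```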

The /etc/selinux/ Directory

The /etc/selinux/ directory is the primary location for all policy files as well as the main configuration file.

The following example shows sample contents of the /etc/selinux/ directory:

-rw-r--r-- 1 root root 448 Sep 22 17:34 config
drwxr-xr-x 5 root root 4096 Sep 22 17:27 strict
drwxr-xr-x 5 root root 4096 Sep 22 17:28 targeted

The two subdirectories, strict/ and targeted/, are the specific directories where the policy files of the same name (i.e., strict and targeted) are contained.

For more information on SELinux policy and policy configuration, refer to the Red Hat SELinux Guide (rhel-pwg-selinux).

SELinux Utilities:

The following are some of the most commonly used SELinux utilities:

* /usr/bin/setenforce — Modifies in real-time the mode SELinux is running. By executing setenforce 1, SELinux is put in enforcing mode. By executing setenforce 0, SELinux is put in permissive mode. To actually disable SELinux, you need to either set the parameter in /etc/sysconfig/selinux or pass the parameter selinux=0 to the kernel, either in /etc/grub.conf or at boot time.

* /usr/bin/sestatus -v — Gets the detailed status of a system running SELinux. The following example shows an excerpt of sestatus output:

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Policy version: 18

* /usr/bin/newrole — Runs a new shell in a new context, or role. Policy must allow the transition to the new role.

* /sbin/restorecon — Sets the security context of one or more files by marking the extended attributes with the appropriate file or security context.

* /sbin/fixfiles — Checks or corrects the security context database on the file system.


MySQL Login Problems

August 6, 2008

Do the following:

service mysql stop

Wait until MySQL shuts down, then run:

mysqld_safe --skip-grant-tables &

Then you will be able to log in as root with no password; note that while the server runs this way, any other client that can reach it can do the same, so keep this window short.

mysql -uroot mysql

In MySQL command line prompt issue the following command:

UPDATE user SET password=PASSWORD('abcd') WHERE user='root';
FLUSH PRIVILEGES;
EXIT

/etc/init.d/mysqld restart

At this time your root password is reset to "abcd" and MySQL will now know the privileges, and you'll be able to log in with your new password:

mysql -uroot -p mysql


Adding HTTPS To Chkservd….. :)

August 6, 2008

If you constantly find that Apache is being restarted without SSL support, or you're like me and just like to have peace of mind, you can easily add this to the cPanel monitor (chkservd). Here's how:

1. Login to your server with root access.

2. Do the following at the shell prompt:
pico -w /usr/local/cpanel/src/chkservd/chkserv.d/https

You can use your own favorite text editor if you would like.

3. Add the following, all on ONE LINE:

service[https]=443,GET / HTTP/2.0; killall -TERM httpd; sleep 2; killall -9 httpd; /etc/rc.d/init.d/httpd stop; /etc/rc.d/init.d/httpd startssl; /usr/local/apache/bin/apachectl startssl

4. Now save the file and exit (In pico, CTRL-X and Y).

5. Now we are going to edit the chkservd config file:
pico /etc/chkserv.d/chkservd.conf

6. Add the following to it somewhere within the file. I usually add it right after the httpd line so it looks nice and neat:

https:1

7. Exit and save again. (Ctrl-X and Y in pico)

8. Finally, restart the cPanel monitor:
service chkservd restart

Now if you log in via WHM and go to the "Service Manager", you will see https listed there! If it goes down, cPanel will automatically restart it for you.