Building a Secure Web Server with CentOS 5 - Part 3
Posted on 05 Jan 2010 by Ray Heffer
In the following steps, we will base our configuration on a fictitious company called Happy Burger who has already registered the domain name, happyburger.net. We will point www.happyburger.net to the IP address of this web server. When you are creating your own site, substitute the customer name and domain name for that of the actual customer. If a Happy Burger really exists, then this is in no way associated with them and is purely coincidental!
Create a User Account
The first step is to create a user account that will be associated with this website and be used to authenticate via FTP. When creating the password, make sure that it is at least 8 characters long, mixed case, and includes both letters and numbers. I usually generate random passwords for this.
# adduser -s /sbin/nologin happyburger
# passwd happyburger
Creating the directory structure
Each website must have the following directory structure in order to support access logs, web statistics, .htpasswd files, CGI scripts and the public web directory.
/home/.sites/: This path will contain a directory for each website. Each directory should be named after the customer name, in lowercase.
/home/.sites/happyburger/web/: This path contains the website contents (public root).
/home/.sites/happyburger/web/stats/: This path will contain the Webalizer statistics, and is password protected using .htaccess.
/home/.sites/happyburger/private/: This path is not accessible from the internet, and contains the .htpasswd file.
/home/.sites/happyburger/cgi-bin/: Apache uses this path as the CGI script directory, by using a script alias.
/home/.sites/happyburger/logs/: This path stores the log files that Apache generates.
Create the structure as follows:
# cd /home/.sites
# mkdir happyburger
# cd happyburger
# mkdir web cgi-bin private logs
# cd web
# mkdir stats
Now change the ownership of these directories, substituting
# cd /home/.sites
# chown <username> happyburger -R
As Apache will be configured using multiple ‘virtual hosts’ we need to create a separate configuration file for each virtual host. To do this we will create a vhost directory, and configure the Apache configuration file to read each of these virtual host configurations.
# cd /etc/httpd/vhost (If this directory does not exist then you will need to create it)
Now we will create the virtual host configuration file for this particular website.
# vi happyburger.conf
Now enter the following into the newly created configuration file:
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /home/.sites/happyburger/web
    ServerName www.happyburger.net
    ServerAlias happyburger.net
    ServerAlias www.happyburger.com
    ServerAlias happyburger.com
    ScriptAlias /cgi-bin/ /home/.sites/happyburger/cgi-bin/
    <Directory /home/.sites/happyburger/web>
        Options FollowSymLinks
        Options +Includes +ExecCGI
        AllowOverride All
    </Directory>
</VirtualHost>
Once this has been saved, we will then need to configure Apache to include this in the main configuration.
# vi /etc/httpd/conf/httpd.conf
At the end of the configuration file add the following line:
Now restart httpd:
# /etc/init.d/httpd restart
Configuring FTP (VSFTP)
Before the new account can log in with FTP, you must add the new user to vsftpd.user_list, which contains a list of all accounts permitted to use the FTP service.
# vi /etc/vsftpd.user_list
Add the new user to the list.
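The per-site steps above (directory tree, virtual host file, vsftpd user_list entry) scripted so they can be repeated for each new customer. This is an added example, not the original post's script; the three path variables default to the locations the post uses and can be overridden for a dry run, and the webmaster@ mailbox in the generated ServerAdmin line is an assumed placeholder.

```shell
# Paths from the post; override them (e.g. with a temp dir) for a dry run.
SITES_ROOT="${SITES_ROOT:-/home/.sites}"
VHOST_DIR="${VHOST_DIR:-/etc/httpd/vhost}"
FTP_USER_LIST="${FTP_USER_LIST:-/etc/vsftpd.user_list}"

# The post wants lowercase customer names; enforcing that here also stops a
# name such as "../etc" from escaping SITES_ROOT when spliced into paths.
valid_site_name() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Creates the per-site tree described above and hands it to the FTP account.
# chown only runs as root and only if the account already exists (dry runs skip it).
create_site_tree() {
    name="$1"; owner="$2"
    valid_site_name "$name" || { echo "invalid site name: $name" >&2; return 1; }
    base="$SITES_ROOT/$name"
    mkdir -p "$base/web/stats" "$base/cgi-bin" "$base/private" "$base/logs"
    if [ "$(id -u)" = 0 ] && id "$owner" >/dev/null 2>&1; then chown -R "$owner" "$base"; fi
}

# Writes VHOST_DIR/<name>.conf mirroring happyburger.conf above
# (webmaster@<domain> is an assumed placeholder for the real ServerAdmin).
write_vhost() {
    name="$1"; domain="$2"
    valid_site_name "$name" || return 1
    base="$SITES_ROOT/$name"
    mkdir -p "$VHOST_DIR"
    cat > "$VHOST_DIR/$name.conf" <<EOF
<VirtualHost *:80>
    ServerAdmin webmaster@$domain
    DocumentRoot $base/web
    ServerName www.$domain
    ServerAlias $domain
    ScriptAlias /cgi-bin/ $base/cgi-bin/
    <Directory $base/web>
        Options FollowSymLinks
        Options +Includes +ExecCGI
        AllowOverride All
    </Directory>
</VirtualHost>
EOF
}

# Adds the account to vsftpd's user_list once, so re-runs do not duplicate it.
allow_ftp_user() {
    touch "$FTP_USER_LIST"
    grep -qx "$1" "$FTP_USER_LIST" || echo "$1" >> "$FTP_USER_LIST"
}
```

Run as root after `adduser`, calling `create_site_tree happyburger happyburger`, `write_vhost happyburger happyburger.net` and `allow_ftp_user happyburger`, then restart httpd as above.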