Chapter 2. Installing the JBCS Apache HTTP Server on RHEL from archive files

On Red Hat Enterprise Linux (RHEL) versions 7, 8, and 9, Red Hat JBoss Core Services (JBCS) provides a distribution of the Apache HTTP Server that you can install from archive files. You can download and extract the archive files from the Software Downloads page on the Red Hat Customer Portal. You must install the base archive file for the original 2.4.57 release. You can also install the latest service pack release, if any.

When you install the Apache HTTP Server from an archive file, you can manage the product in different ways. For example, you can use a system daemon at system startup or manage the Apache HTTP Server from a command line.

Note

From the 2.4.57 Service Pack 2 release onward, JBCS also supports installation of the Apache HTTP Server 2.4.57 from archive files on RHEL 9. For JBCS Apache HTTP Server 2.4.57 installations on RHEL 9, the base archive file is Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Patch 02 for RHEL 9 x86_64.

2.1. Downloading and extracting the Apache HTTP Server archive file on RHEL

You can download the Apache HTTP Server archive files from the Software Downloads page on the Red Hat Customer Portal. Depending on the Red Hat Enterprise Linux (RHEL) version that you are using, the steps to download the archive files are slightly different.

Note

If you have write access to the intended installation directory, you can install the archive file with non-root privileges.

Prerequisites

  • You have installed the krb5-workstation and mailcap packages.

    If you want to install these packages, enter the following command as the root user:

    # yum install krb5-workstation mailcap

Procedure

  1. Open a browser and log in to the Software Downloads page on the Red Hat Customer Portal.
  2. From the Product drop-down menu, select Apache HTTP Server.
  3. From the Version drop-down menu, select the correct JBCS version.
  4. Depending on the RHEL version that you are using, perform one of the following steps:

    • If you are using RHEL 7, on the Releases tab, click Download next to the Red Hat JBoss Core Services Apache HTTP Server 2.4.57 for RHEL 7 x86_64 file.
    • If you are using RHEL 8, on the Releases tab, click Download next to the Red Hat JBoss Core Services Apache HTTP Server 2.4.57 for RHEL 8 x86_64 file.
    • If you are using RHEL 9, click the Security Advisories tab. Then click Download next to the Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Patch 02 for RHEL 9 x86_64 file.

      Note

      The Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Patch 02 for RHEL 9 x86_64 file is the base archive file for installing the JBCS Apache HTTP Server 2.4.57 on RHEL 9.

  5. Extract the downloaded archive file to your installation directory.

    Note

    On RHEL systems, install the Apache HTTP Server in the /opt/ directory.

    The extraction of the archive file automatically creates the top-level jbcs-httpd24-2.4/httpd directory for the Apache HTTP Server. This document refers to the jbcs-httpd24-2.4/httpd directory as HTTPD_HOME.

  6. To install the latest service pack release, if any, perform the following steps:

    1. On the Software Downloads page, click the Security Advisories tab.
    2. On the Security Advisories tab, click Download next to the latest JBCS Apache HTTP Server 2.4.57 patch archive file that matches the platform and architecture for your system.

      For example, if you want to install the Service Pack X release of the Apache HTTP Server 2.4.57 on RHEL 8, click Download next to the Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Patch X for RHEL 8 x86_64 file.

      Note

      Service pack releases are cumulative. By downloading the latest service pack release, you also install any previous service pack releases automatically.

2.2. Apache HTTP Server configuration for managing archive installations from the command line

When you install the JBCS Apache HTTP Server from an archive file on RHEL, you can start and stop the Apache HTTP Server directly from the command line. Before you can run the Apache HTTP Server from the command line, you must perform the following series of configuration tasks:

2.2.1. Creating an Apache user

Before you run the Apache HTTP Server from the command line for the first time, you must create the apache user account and group. You must also assign ownership of the Apache directories to the apache user, so that the user can run the Apache HTTP Server.

Note

You must perform all steps in this procedure as the root user.

Procedure

  1. On a command line, go to the HTTPD_HOME directory.
  2. To create the apache user group, enter the following command:

    # groupadd -g 48 -r apache
  3. To create the apache user in the apache user group, enter the following command:

    # /usr/sbin/useradd -c "Apache" -u 48 -g apache -s /sbin/nologin -r apache
  4. To assign ownership of the Apache directories to the apache user, enter the following command:

    # chown -R apache:apache *

Verification

  • To verify that the apache user is the owner of the directory, enter the following command:

    # ls -l

2.2.2. Disabling or enabling SSL support

Before you run the Apache HTTP Server, you can choose to disable or enable SSL support by renaming the SSL configuration file. The Apache HTTP Server supports SSL by default.

Procedure

  1. Go to the HTTPD_HOME/conf.d/ directory.
  2. To enable or disable SSL, perform either of the following steps:

    • If you want to disable SSL, rename ssl.conf to ssl.conf.disabled.
    • If you want to re-enable SSL, rename ssl.conf.disabled to ssl.conf.

2.2.3. Running the Apache HTTP Server post-installation script

Before you run the Apache HTTP Server from the command line for the first time, you must run the Apache HTTP Server post-installation script.

Procedure

  1. On a command line, go to the HTTPD_HOME directory.
  2. Enter the following command:

     ./.postinstall

2.3. Starting the Apache HTTP Server from the command line when installed from an archive file

When you install the JBCS Apache HTTP Server from an archive file on RHEL, you can start the Apache HTTP Server directly from the command line.

Procedure

  1. On a command line, go to the HTTPD_HOME/sbin/ directory.
  2. Enter the following command as the root user:

     ./apachectl start

2.4. Stopping the Apache HTTP Server from the command line when installed from an archive file

When you install the JBCS Apache HTTP Server from an archive file on RHEL, you can stop a running instance of the Apache HTTP Server directly from the command line.

Prerequisites

Procedure

  1. On a command line, go to the HTTPD_HOME/sbin/ directory.
  2. Enter the following command as the root user:

     ./apachectl stop

2.5. Running the Apache HTTP Server from the command line without root privileges

When you install the JBCS Apache HTTP Server from an archive file on RHEL, you can start the Apache HTTP Server from the command line as a user without root privileges. In this situation, you can use a non-root user account, such as the apache user.

Procedure

  1. Stop all instances of the Apache HTTP Server:

    pkill httpd
  2. In the HTTPD_HOME/conf/httpd.conf file, set the http listen port to higher than 1024:

    Listen 2080
    ServerName <hostname>:2080
  3. In the HTTPD_HOME/conf.d/ssl.conf file, set the https listen port to higher than 1024:

    Listen 2443
  4. Change the ownership of the logs directory:

    chown -R apache:apache HTTPD_HOME/logs/
  5. Change the ownership of the run directory:

    chown -R apache:apache HTTPD_HOME/var/run/
  6. Verify that httpd is running under the apache user only rather than the root and apache users:

    $ ps -eo euser,egroup,comm | grep httpd

    This command produces the following type of output:

    apache   apache   httpd
    apache   apache   httpd
    apache   apache   httpd
    ...

    Important

    Limit the file permissions of the apache user and enable SELinux. This helps to prevent the following scenarios:

    • Unauthorized access or modification of files and directories by website users
    • Unwanted changes to the Apache HTTP Server configuration files
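The following added example (not part of the Red Hat procedure) shows one way to check the file-permission advice above: it lists everything under HTTPD_HOME that the runtime account owns, or that is world-writable, outside the logs/ and var/run/ directories that steps 4 and 5 hand to the apache user. The function names audit_httpd_writable and httpd_home_is_locked_down are hypothetical.

```shell
#!/bin/sh
# Added example, not Red Hat code. Function names are hypothetical.
# Lists paths under HTTPD_HOME that the given account can modify, skipping
# logs/ and var/run/, which the procedure deliberately assigns to that account.
# Usage: audit_httpd_writable <httpd_home> [user-or-uid]   (default: apache)
audit_httpd_writable() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    # -user matches ownership by the account; -perm -0002 adds world-writable
    # paths, which the account can modify regardless of who owns them.
    find "${1%/}" \
        \( -path "${1%/}/logs" -o -path "${1%/}/var/run" \) -prune -o \
        \( -user "${2:-apache}" -o \( -perm -0002 ! -type l \) \) -print
}

# Returns 0 only when nothing outside logs/ and var/run/ is modifiable.
httpd_home_is_locked_down() {
    findings="$(audit_httpd_writable "$@")" || return 2
    [ -z "$findings" ]
}

# When called with arguments, run the audit directly, for example:
#   sh audit.sh /opt/jbcs-httpd24-2.4/httpd apache
if [ "$#" -gt 0 ]; then
    audit_httpd_writable "$@"
fi
```

Any conf/ or conf.d/ path in the output means a compromised httpd worker could rewrite the server configuration.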

2.6. Managing Apache HTTP Server by using systemd when installed from an archive file

When you install the JBCS Apache HTTP Server from an archive file on RHEL, you can use a system daemon to perform management tasks. Using the Apache HTTP Server with a system daemon provides a way to start the Apache HTTP Server services at system startup. The system daemon also provides start, stop and status check functions.

On RHEL versions 7, 8, and 9, the default system daemon is systemd.

Prerequisites

Procedure

  1. To determine which system daemon is running, enter the following command:

    $ ps -p 1 -o comm=

    If systemd is running, the following output is displayed:

    systemd
  2. To set up the Apache HTTP Server for systemd, run the .postinstall.systemd script as the root user:

    # cd HTTPD_HOME
    # sh httpd/.postinstall.systemd
  3. To control the Apache HTTP Server by using systemd, enter any of the following commands as the root user:

    • To enable the Apache HTTP Server services to start at system startup:

      # systemctl enable jbcs-httpd24-httpd.service
    • To start the Apache HTTP Server:

      # systemctl start jbcs-httpd24-httpd.service
    • To stop the Apache HTTP Server:

      # systemctl stop jbcs-httpd24-httpd.service
    • To verify the status of the Apache HTTP Server:

      # systemctl status jbcs-httpd24-httpd.service

      Note

      Any user can run the systemctl status command.

Important

To revert any changes that the .postinstall.systemd script makes, you can enter the following command:

# cd HTTPD_HOME
# sh httpd/.postinstall.services.cleanup

For more information about using systemd, see the Additional resources links.

2.7. SELinux policies for the Apache HTTP Server

You can use Security-Enhanced Linux (SELinux) policies to define access controls for the Apache HTTP Server. These policies are a set of rules that determine access rights to the product.

2.7.1. SELinux policy information

The SELinux security model is enforced by the kernel and ensures that applications have limited access to resources such as file system locations and ports. SELinux policies ensure that any errant processes that are compromised or poorly configured are restricted or prevented from running.

The jbcs-httpd24-httpd-selinux packages in your Apache HTTP Server installation provide a mod_proxy_cluster policy. The following table contains information about the supplied SELinux policy.

Table 2.1. RPMs and Default SELinux Policies

  Name: mod_proxy_cluster

  Port Information: Two ports (6666 for TCP and 23364 for UDP) are added for http_port_t to allow the httpd process to use them.

  Policy Information: A post-installation script configures the context mapping for /var/cache/mod_proxy_cluster to enable the httpd process to write at this location.

Additional resources

2.7.2. Installing SELinux policies for an Apache HTTP Server archive installation

In this release, the archive packages provide SELinux policies. The root Apache HTTP Server folder includes a .postinstall.selinux file. If required, you can run the .postinstall.selinux script.

Important

By default, the SELinux policy that the Apache HTTP Server provides is not active and the Apache HTTP Server processes run in the unconfined_t domain. This domain does not confine the processes. If you choose not to enable the SELinux policy that is provided, restrict file access for the apache user, so that the apache user only has access to the files and directories that are necessary for the Apache HTTP Server runtime.

Procedure

  1. Install the selinux-policy-devel package:

    yum install -y selinux-policy-devel
  2. Run the .postinstall.selinux script:

    cd <httpd_home>
    sh .postinstall.selinux
  3. Make and install the SELinux module:

    cd <httpd_home>/selinux/
    make -f /usr/share/selinux/devel/Makefile
    semodule -i jbcs-httpd24-httpd.pp
  4. Apply the SELinux contexts for the Apache HTTP Server:

    restorecon -r <httpd_home>
  5. Add access permissions to the required ports for the Apache HTTP Server:

    semanage port -a -t http_port_t -p tcp 6666
    semanage port -a -t http_port_t -p udp 23364
  6. Start the Apache HTTP Server service:

    <httpd_home>/sbin/apachectl start
  7. Check the context of the running process. The expected type is httpd_t:

    $ ps -eZ | grep httpd | head -n1
    
    unconfined_u:unconfined_r:httpd_t:s0-s0:c0.c1023 2864 ? 00:00:00 httpd
  8. Verify the contexts of the httpd directories. For example:

    ls -lZ <httpd_home>/logs/
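
The following added example (not part of the Red Hat procedure) automates the checks in steps 5 and 7: it flags any httpd process that is not in the httpd_t domain and confirms that a port carries the expected SELinux type. The helper names are hypothetical, and the sample input is constructed, apart from the first ps line, which is the output shown in step 7.

```shell
#!/bin/sh
# Added example, not Red Hat code. Both helpers read command output on stdin,
# so they work on live output (ps -eZ, semanage port -l) or a saved capture.

# Print "PID TYPE" for every httpd process whose SELinux type is not httpd_t.
# The context in column 1 is user:role:type:level, so the type is field 3.
httpd_not_confined() {
    awk '$NF == "httpd" { split($1, ctx, ":")
                          if (ctx[3] != "httpd_t") print $2, ctx[3] }'
}

# Succeed if the port listing on stdin labels PORT/PROTO with TYPE.
# Handles comma-separated lists and ranges such as 5900-5983.
# Usage: semanage port -l | port_labeled TYPE PROTO PORT
port_labeled() {
    awk -v t="$1" -v p="$2" -v n="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                item = $i; gsub(/,/, "", item)
                if (split(item, r, "-") == 2) {
                    if (n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) found = 1
                } else if (item + 0 == n + 0) found = 1
            }
        }
        END { exit !found }'
}

# Constructed sample input. The second ps line models a worker that is still
# running unconfined, which is the default before the policy is installed.
SAMPLE_PS='unconfined_u:unconfined_r:httpd_t:s0-s0:c0.c1023 2864 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2901 ? 00:00:00 httpd'

SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      6666, 80, 81, 443, 488, 8008, 8009, 8443, 9000
http_port_t                    udp      23364
vnc_port_t                     tcp      5900-5983, 5985-5999'

# Demo on the constructed sample: reports the unconfined worker.
printf '%s\n' "$SAMPLE_PS" | httpd_not_confined
```

On a live system, empty output from `ps -eZ | httpd_not_confined` means every httpd process is confined to httpd_t.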