當(dāng)前位置：首頁(yè) > 运维知识 > linux >内容正文

linux

Linux添加网站后无法显示,Linux：SElinux导致网站无法访问

發(fā)布時(shí)間：2023/12/10 linux 31 豆豆

生活随笔收集整理的這篇文章主要介紹了 Linux添加网站后无法显示,Linux：SElinux导致网站无法访问小編覺(jué)得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.

通過(guò)更改SElinux狀態(tài)可以判斷出，當(dāng)SElinux處于關(guān)閉狀態(tài)時(shí)，網(wǎng)站內(nèi)容訪問(wèn)正常。

[root@master1-192-168-117-18 ~]# setenforce 0

[root@master1-192-168-117-18 ~]# getenforce

Permissive

[root@master1-192-168-117-18 ~]# setenforce 1

[root@master1-192-168-117-18 ~]# getenforce 0

Enforcing

查看網(wǎng)站的主目錄的SElinux安全上下文值：

[root@master1-192-168-117-18 ~]# ls -Zd /var/www/html/

drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

[root@master1-192-168-117-18 ~]# ls -Zd /home/wwwroot/

drwxr-xr-x. root root system_u:object_r:user_home_dir_t:s0 /home/wwwroot/

將新添加的主目錄SElinux上下文值與系統(tǒng)默認(rèn)主目錄保持一致：

[root@master1-192-168-117-18 ~]# semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/*

注意，執(zhí)行上述設(shè)置之后，還無(wú)法立即訪問(wèn)網(wǎng)站，還需要使用restorecon命令將設(shè)置好的SELinux安全上下文立即生效。在使用restorecon命令時(shí)，可以加上-Rv參數(shù)對(duì)指定的目錄進(jìn)行遞歸操作，以及顯示SELinux安全上下文的修改過(guò)程。

[root@master1-192-168-117-18 ~]# restorecon -Rv /home/wwwroot/

restorecon reset /home/wwwroot context system_u:object_r:user_home_dir_t:s0->system_u:object_r:httpd_sys_content_t:s0

restorecon reset /home/wwwroot/index.html context system_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0

[root@master1-192-168-117-18 ~]# ls -Zd /home/wwwroot/

drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /home/wwwroot/

[root@master1-192-168-117-18 ~]# ^C

個(gè)人用戶主頁(yè)功能

第1步：在httpd服務(wù)程序中，默認(rèn)沒(méi)有開(kāi)啟個(gè)人用戶主頁(yè)功能。為此，我們需要編輯下面的配置文件，然后在第17行的UserDir disabled參數(shù)前面加上井號(hào)(#)，表示讓httpd服務(wù)程序開(kāi)啟個(gè)人用戶主頁(yè)功能；同時(shí)再把第24行的UserDir public_html參數(shù)前面的井號(hào)(#)去掉(UserDir參數(shù)表示網(wǎng)站數(shù)據(jù)在用戶家目錄中的保存目錄名稱，即public_html目錄)。最后，在修改完畢后記得保存。

[root@master1-192-168-117-18 ~]# vim /etc/httpd/conf.d/userdir.conf

1 #

2 # UserDir: The name of the directory that is appended onto a user's home

3 # directory if a ~user request is received.

4 #

5 # The path to the end user account 'public_html' directory must be

6 # accessible to the webserver userid. This usually means that ~userid

7 # must have permissions of 711, ~userid/public_html must have permissions

8 # of 755, and documents contained therein must be world-readable.

9 # Otherwise, the client will only receive a "403 Forbidden" message.

10 #

12 #

13 # UserDir is disabled by default since it can confirm the presence

14 # of a username on the system (depending on home directory

15 # permissions).

16 #

17 # UserDir disabled

19 #

20 # To enable requests to /~user/ to serve the user's public_html

21 # directory, remove the "UserDir disabled" line above, and uncomment

22 # the following line instead:

23 #

24 UserDir public_html

27 #

28 # Control access to UserDir directories. The following is an example

29 # for a site where these directories are restricted to read-only.

30 #

32 AllowOverride FileInfo AuthConfig Limit Indexes

33 Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

34 Require method GET POST OPTIONS

"/etc/httpd/conf.d/userdir.conf" 36L, 1254C 已寫(xiě)入

第2步：在用戶家目錄中建立用于保存網(wǎng)站數(shù)據(jù)的目錄及首頁(yè)面文件。另外，還需要把家目錄的權(quán)限修改為755，保證其他人也有權(quán)限讀取里面的內(nèi)容。

[aa@master1-192-168-117-18 ~]$ mkdir public_html

[aa@master1-192-168-117-18 ~]$ echo "世界那么大，我出去看看！" > public_html/index.html

[aa@master1-192-168-117-18 ~]$ chmod -Rf 755 /home/aa/

第3步：重新啟動(dòng)httpd服務(wù)程序，在瀏覽器的地址欄中輸入網(wǎng)址，其格式為“網(wǎng)址/~用戶名”(其中的波浪號(hào)是必需的，而且網(wǎng)址、波浪號(hào)、用戶名之間沒(méi)有空格)，從理論上來(lái)講就可以看到用戶的個(gè)人網(wǎng)站了。不出所料的是，系統(tǒng)顯示報(bào)錯(cuò)頁(yè)面，如圖10-9所示。這一定還是SELinux惹的禍。

第4步：使用getsebool命令查詢并過(guò)濾出所有與HTTP協(xié)議相關(guān)的安全策略。其中，off為禁止?fàn)顟B(tài)，on為允許狀態(tài)。

[root@master1-192-168-117-18 ~]# getsebool -a | grep http

httpd_anon_write --> off

httpd_builtin_scripting --> on

httpd_can_check_spam --> off

httpd_can_connect_ftp --> off

httpd_can_connect_ldap --> off

httpd_can_connect_mythtv --> off

httpd_can_connect_zabbix --> off

httpd_can_network_connect --> off

httpd_can_network_connect_cobbler --> off

httpd_can_network_connect_db --> off

httpd_can_network_memcache --> off

httpd_can_network_relay --> off

httpd_can_sendmail --> off

httpd_dbus_avahi --> off

httpd_dbus_sssd --> off

httpd_dontaudit_search_dirs --> off

httpd_enable_cgi --> on

httpd_enable_ftp_server --> off

httpd_enable_homedirs --> off

httpd_execmem --> off

httpd_graceful_shutdown --> on

httpd_manage_ipa --> off

httpd_mod_auth_ntlm_winbind --> off

httpd_mod_auth_pam --> off

httpd_read_user_content --> off

httpd_run_ipa --> off

httpd_run_preupgrade --> off

httpd_run_stickshift --> off

httpd_serve_cobbler_files --> off

httpd_setrlimit --> off

httpd_ssi_exec --> off

httpd_sys_script_anon_write --> off

httpd_tmp_exec --> off

httpd_tty_comm --> off

httpd_unified --> off

httpd_use_cifs --> off

httpd_use_fusefs --> off

httpd_use_gpg --> off

httpd_use_nfs --> off

httpd_use_openstack --> off

httpd_use_sasl --> off

httpd_verify_dns --> off

named_tcp_bind_http_port --> off

prosody_bind_http_port --> off

[root@master1-192-168-117-18 ~]# setsebool -P httpd_enable_homedirs=on

通過(guò)身份驗(yàn)證訪問(wèn)網(wǎng)頁(yè)

第1步：先使用htpasswd命令生成密碼數(shù)據(jù)庫(kù)。-c參數(shù)表示第一次生成；后面再分別添加密碼數(shù)據(jù)庫(kù)的存放文件，以及驗(yàn)證要用到的用戶名稱(該用戶不必是系統(tǒng)中已有的本地賬戶)。

[root@master1-192-168-117-18 ~]# htpasswd -c /etc/httpd/passwd aa

New password:

Re-type new password:

Adding password for user aa

第2步：第2步：編輯個(gè)人用戶主頁(yè)功能的配置文件。隨后保存并退出配置文件，重啟httpd服務(wù)程序即可生效。