Apache HTTPD on RHEL/CentOS/SL

Owned by Alex Perez Mendez
Last updated: Sept 17, 2019
2 min read

The Apache HTTP server is the Apache Software Foundation's web server. See the project's website for more details.

Contents

All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).

1. System Preparation

1.1. Add the Moonshot libraries and configure the server

If you have not already done so, you first need to follow the instructions on how to install the Moonshot Libraries on RHEL/CentOS/SL.

1.2. Configure SELinux to allow httpd to create network connections

Existing SELinux policies will not allow HTTPD to connect to the RP proxy using RadSec, thus precluding Moonshot from work.

To persistently allow such connections, use the following command:

setsebool -P httpd_can_network_connect 1

2. Installation Instructions

  1. To use the Apache module, install it:

    yum install mod_auth_gssapi

  2. Ensure that the certificates referenced in /etc/radsec.conf can be read by the Apache user.

    su - --shell=/bin/bash apache
cat path_to_ca.pem
cat path_to_client.pem 
cat path_to_client.key

  3. Verify that the KeepAlive option is enabled in the Apache configuration file /etc/httpd/conf/httpd.conf:

    KeepAlive On

  4. Restart Apache:

    service httpd restart

3. Configuration Instructions

Shibboleth2 Apache module incompatibility

Please read Section in Apache HTTPD on module incompatibilities.

3.1. Protecting a location with Moonshot

To protect a particular location on your Apache server, you must configure it with an AuthType of Negotiate (CentOS 6) or GSSAPI (CentOS 7).

Here's a sample configuration that can get you started to allow anyone with a valid Moonshot account to access /wherever:

CentOS 6 
<Location "/wherever">
    AuthType Negotiate
    AddHandler cgi-script .cgi
    Options +ExecCGI
    Require valid-user
    GssapiNameAttributes json
</Location>
CentOS 7 
<Location "/wherever">
    AuthType GSSAPI
    AddHandler cgi-script .cgi
    Options +ExecCGI
    Require valid-user
    GssapiNameAttributes json
    GssapiConnectionBound On
    GssapiAcceptorName HTTP@hostname
</Location>

Configuration Directives

For more information on the configuration directives supported by the GSSAPI module, see its homepage at https://github.com/modauthgssapi/mod_auth_gssapi. Additionally, in an effort to provide cross-compatibility, the Negotiate module broadly supports the GssapiNameAttributes configuration directive.