
Increase web application stack security (LAMP virtualization, step 1/6)

Configuring Apache / Lighttpd / Nginx Web Server Access to Network File System (NFS) Files


We continue translating the series of lessons on virtualization and setting up a LAMP server from www.cyberciti.biz and proceed to the first practical step: setting up network file storage.

Setting up NFSv4.0 (Network File System) shares on Linux and Unix is not much different from setting up any other shared network resource for Apache / Lighttpd / Nginx. We do this on our file server / VM vm05 with the IP address 192.168.1.14.

Linux NFS server: synchronous or asynchronous mode


You need to choose the mode that suits your NFS server. In asynchronous mode (the async export option) the server replies to a request without waiting for the write to reach the disk. This mode performs better, but at the cost of data integrity: an unclean reboot of the server (a crash, a power failure or similar) can lose or corrupt data the client already believes is written. In synchronous mode (the sync option) the server replies only after the write has been committed to stable storage. We strongly recommend the second, synchronous mode, combined with NFS caching enabled on the Apache / Lighttpd / Nginx nodes themselves, i.e. on servers vm01 and vm02. Note that the /etc/exports example further down uses async; replace it with sync if you follow this recommendation.

How to create a “shared” network resource


To begin with, install the NFS server packages with the yum package manager:
 # yum groupinstall "NFS file server"

or, equivalently:
 # yum install nfs-utils nfs4-acl-tools portmap

(on CentOS/RHEL 6 the portmapper package is called rpcbind, which is what the commands below start) ... and enable the installed services at boot:
 # chkconfig nfs on
 # chkconfig rpcbind on
 # chkconfig rpcidmapd on
 # chkconfig nfslock on

Create an NFS server user account.


We will use the Apache user account to share files with the NFS server. The same account must exist with the same UID and GID on servers vm01, vm02, vm03 and vm05: with the default AUTH_SYS security flavour the server authorizes access by the numeric UID/GID the client sends, not by the account name. To create the account on the NFSv4 server, use the useradd command:
 ##################################################################################
 ### On CentOS/RHEL the apache user has UID/GID 48; make sure the apache        ###
 ### account on vm01 and vm02 uses the same UID/GID 48                          ###
 ##################################################################################
 # /usr/sbin/groupadd -g 48 apache
 # /usr/sbin/useradd -s /sbin/nologin -g 48 -u 48 -M -d /var/www apache
 # /usr/bin/passwd -l apache

Do not install the Apache2 web server on the NFSv4 server.

Setting up /etc/idmapd.conf on the NFS server


The NFSv4 ID mapping daemon (rpc.idmapd) serves upcalls from the NFSv4 client and server kernel code, translating user and group IDs into names of the form user@domain and names back into IDs. To configure the daemon, edit the file /etc/idmapd.conf:
 # vi /etc/idmapd.conf 

Set the local NFSv4 domain. Replace the example below with your own DNS domain name; the Domain value must be identical on the server and on every client, otherwise file owners show up as nobody on the clients.

 Domain = cyberciti.biz 

Also make sure that the mapping settings are written as follows:

 [Mapping]
 Nobody-User = nobody
 Nobody-Group = nobody

Save and close the file.

File System Sharing


To share /var/www/static and /var/www/html over NFS, perform the following steps. Use the mkdir command to create the NFSv4 pseudo-root directories on the NFSv4 server:
 # mkdir -p /exports/{static,html} 

Bind-mount the web directories into the /exports tree:
 # mount --bind /var/www/html /exports/html
 # mount --bind /var/www/static /exports/static

Edit the /etc/fstab file so that the bind mounts survive a reboot:
 # vi /etc/fstab 

Adding to it the following entries:
 /var/www/html   /exports/html   none bind
 /var/www/static /exports/static none bind

Save and close the file. Now edit the /etc/exports file:
 # vi /etc/exports 

Add the following entries. The /exports line with fsid=0 is the NFSv4 pseudo-root; nohide makes the bind-mounted directories beneath it visible to clients. Access is limited to the two web servers by IP address, and because no_root_squash is not set, the default root_squash maps the clients' root to nobody. These lines use async; if you follow the sync recommendation above, change async to sync:
 #################################
 ### Exports for vm01 and vm02 ###
 ### by vivek Thu June 21,2012 ###
 #################################
 ## NFSv4 pseudo-root; fsid=0 marks it as the root of the NFSv4 export tree ##
 /exports 192.168.1.10(rw,fsid=0,no_subtree_check,async) 192.168.1.11(rw,fsid=0,no_subtree_check,async)
 ### NFS export for www.cyberciti.biz ###
 /exports/html 192.168.1.10(rw,no_subtree_check,async,nohide) 192.168.1.11(rw,no_subtree_check,async,nohide)
 # Static content is exported read-only (ro).
 # If the web servers must write to it, use read-write (rw) instead
 /exports/static 192.168.1.10(ro,no_subtree_check,async,nohide) 192.168.1.11(ro,no_subtree_check,async,nohide)

Save and close the file. Now start nfs and the related services:
 # /sbin/service rpcbind start
 # /sbin/service rpcidmapd start
 # /sbin/service nfslock start
 # /sbin/service nfs start
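Before handing the export list to clients it is worth auditing it for the mistakes that most often turn an NFS share into a foothold: wildcard client lists, no_root_squash, insecure source ports, writable static content, and (per the recommendation above) async. The following shell function is an added example for this article, not code from cyberciti.biz; it assumes the layout used here (/exports is the NFSv4 pseudo-root, directories named .../static hold read-only content) and reads exports text from stdin, so it can be run against the real file with audit_exports < /etc/exports. The sample input in the test is constructed.

```sh
#!/bin/sh
# Audit an /etc/exports-style document for risky NFS export settings.
# Added example (not part of the original article). Assumptions:
#   - /exports is the NFSv4 pseudo-root and therefore needs fsid=0
#   - paths ending in /static hold read-only content
#   - async is flagged because the article recommends sync
# Usage: audit_exports < /etc/exports
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.

audit_exports() {
    findings=0
    set -f                       # no globbing: an exports line may contain '*'
    while IFS= read -r line; do
        line=${line%%#*}         # drop comments
        set -- $line             # split into path and client(options) specs
        [ $# -ge 1 ] || continue
        path=$1
        shift
        if [ $# -eq 0 ]; then
            echo "$path: no client list, exported to everyone"
            findings=$((findings + 1))
            continue
        fi
        for spec in "$@"; do
            host=${spec%%"("*}
            case "$spec" in
                *"("*")") opts=${spec#*"("}; opts=${opts%")"} ;;
                *)         opts="" ;;
            esac
            padded=",$opts,"     # so that ",opt," matches whole option names only
            case "$host" in
                ''|'*'|'*.'*)
                    echo "$path ($host): wildcard client, restrict to the web servers' addresses"
                    findings=$((findings + 1)) ;;
            esac
            case "$padded" in
                *,no_root_squash,*)
                    echo "$path ($host): no_root_squash lets client root act as root on the share"
                    findings=$((findings + 1)) ;;
            esac
            case "$padded" in
                *,insecure,*)
                    echo "$path ($host): insecure accepts requests from unprivileged source ports"
                    findings=$((findings + 1)) ;;
            esac
            case "$padded" in
                *,async,*)
                    echo "$path ($host): async replies before data reaches disk; prefer sync"
                    findings=$((findings + 1)) ;;
            esac
            case "$path:$padded" in
                */static:*,rw,*)
                    echo "$path ($host): static content exported read-write, use ro"
                    findings=$((findings + 1)) ;;
            esac
            case "$path:$padded" in
                /exports:*,fsid=0,*) ;;
                /exports:*)
                    echo "$path ($host): NFSv4 pseudo-root without fsid=0"
                    findings=$((findings + 1)) ;;
            esac
        done
    done
    set +f
    [ "$findings" -eq 0 ]
}
```

The function deliberately does not flag subnet client lists such as 192.168.1.0/24, since the firewall rule in the next section uses one; tighten that check to exact addresses if only vm01 and vm02 may mount the share.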

Securing the NFSv4 server


You can set up a firewall and TCP Wrappers using the script linked from the original article, or configure iptables with fixed ports on the NFS server. Restrict access to the subnet, or better to the individual addresses of the machines (vm01, vm02), that mount the NFS file system from this server. NFSv4 clients need only TCP port 2049; the rpcbind, mountd, statd and lockd ports do not have to be opened for them. Edit the /etc/sysconfig/iptables file and add the following rule. Make sure it is written before the LOG and DROP lines, otherwise it never matches:
 ## Allow NFSv4 (TCP 2049) from the local network ##
 -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT

Save and close the file. Restart the iptables service :
 # service iptables restart 
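A rule placed after the chain's LOG and DROP lines is silently dead, and this is easy to get wrong when editing /etc/sysconfig/iptables by hand. The following shell function is an added example for this article, not part of the original: it reads an iptables-save style rules file from stdin, numbers the rules appended to the INPUT chain, and checks that the ACCEPT for TCP 2049 comes before the first LOG, DROP or REJECT rule. It assumes the NFS rule carries both --dport 2049 and -j ACCEPT on one line, as the rule above does, and warns if that rule has no -s source restriction. The rule sets in the test are constructed.

```sh
#!/bin/sh
# Verify that the NFSv4 ACCEPT rule precedes the first LOG/DROP/REJECT rule
# in the INPUT chain of an iptables-save style file.
# Added example (not part of the original article).
# Usage: nfs_rule_precedes_drop < /etc/sysconfig/iptables
# Returns 0 if the order is correct, 1 if the rule is missing or shadowed.

nfs_rule_precedes_drop() {
    n=0        # position within the INPUT chain
    accept=0   # position of the first ACCEPT for --dport 2049 (0 = not seen)
    drop=0     # position of the first LOG/DROP/REJECT (0 = not seen)
    while IFS= read -r line; do
        case "$line" in
            "-A INPUT"*) ;;          # only rules appended to INPUT are counted
            *) continue ;;
        esac
        n=$((n + 1))
        case "$line" in
            *"--dport 2049"*"-j ACCEPT"*)
                if [ "$accept" -eq 0 ]; then
                    accept=$n
                    case "$line" in
                        *" -s "*) ;;
                        *) echo "warning: the 2049 ACCEPT has no -s source restriction" ;;
                    esac
                fi ;;
            *"-j LOG"*|*"-j DROP"*|*"-j REJECT"*)
                if [ "$drop" -eq 0 ]; then drop=$n; fi ;;
        esac
    done
    if [ "$accept" -eq 0 ]; then
        echo "no ACCEPT rule for TCP 2049 in INPUT; NFSv4 clients will be blocked"
        return 1
    fi
    if [ "$drop" -ne 0 ] && [ "$drop" -lt "$accept" ]; then
        echo "ACCEPT for 2049 is INPUT rule $accept but LOG/DROP is rule $drop; move it up"
        return 1
    fi
    echo "ACCEPT for 2049 is INPUT rule $accept, first LOG/DROP rule: $drop (0 = none)"
    return 0
}
```

Run it after every edit of the rules file and before service iptables restart; the same check works on the live ruleset with iptables-save | nfs_rule_precedes_drop.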

Using the shares


Now you can upload static files to /var/www/static and PHP / HTML files to /var/www/html on the server. Do not place Unix domain sockets on the NFS share. If you use SELinux, set the owner, the standard permissions and the SELinux contexts of the files according to the policy (on CentOS/RHEL the httpd_use_nfs boolean must be on for httpd to serve content from an NFS mount); you can temporarily disable SELinux to test the setup, but do not leave it disabled in production. For more details, see the cyberciti.biz materials:

  1. Temporary disabling of SELinux [ eng ]
  2. Disabling SELinux for Apache / httpd on Linux (not recommended) [ eng ]


Last note on NFS




Source: https://habr.com/ru/post/148004/

