Installation on Red Hat with SELinux

elrido edited this page Jul 9, 2016 · 3 revisions

This tutorial on how to install httpd, PHP 7.0 and PrivateBin on a minimal Red Hat or CentOS 7 installation was provided by @pozzo-balbi and was originally published at pozzo-balbi.com/help/Zerobin under the Creative Commons Attribution ShareAlike 3.0 license.

Prerequisites

Assuming you are running a VM with a minimal installation, you will need to install the following: first the latest PHP (here the php70w packages from the Webtatic repository) and httpd.

rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php70w php70w-opcache php70w-gd php70w-intl php70w-mbstring php70w-mcrypt php70w-xml httpd httpd-tools

Update php.ini:

sed -i 's/expose_php = On/expose_php = Off/' /etc/php.ini
sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php.ini
sed -i 's/;date.timezone =/date.timezone = Europe\/Berlin/' /etc/php.ini
sed -i 's/;mail.log = syslog/mail.log = syslog/' /etc/php.ini
sed -i 's/;realpath_cache_size = 16k/realpath_cache_size = 256k/' /etc/php.ini
sed -i 's/;realpath_cache_ttl = 120/realpath_cache_ttl = 1200/' /etc/php.ini
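The sed one-liners above only take effect when the stock php.ini line matches the pattern exactly; if a key is already set to some other value, or the distribution has changed the default comment, the edit silently does nothing and you only notice when PHP misbehaves. The following is an added example, not part of the original tutorial: a POSIX shell helper that sets a php.ini key idempotently (replacing an active line, re-activating a commented one, or appending the key if it is absent), keeps the file's mode intact, and a getter to verify the result. It is exercised on a constructed php.ini fragment; the names set_ini_value, get_ini_value and demo_php_ini are chosen here.

```sh
#!/bin/sh
# Idempotent php.ini editing helpers (added example; names are ours, not the tutorial's).

# set_ini_value FILE KEY VALUE
# Writes "KEY = VALUE" into FILE: an active line for KEY is replaced, a
# commented-out (";KEY ...") line is re-activated in place, later duplicates
# are dropped, and a missing KEY is appended. Unlike a bare sed substitution,
# the result is the same however the stock file happened to look.
set_ini_value() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*;?[ \t]*/, "", line)       # drop leading blanks and ";"
            split(line, kv, /[ \t]*=/)             # kv[1] is the candidate key
            if (kv[1] == key) {
                if (!done) { print key " = " value; done = 1 }
                next                                # swallow duplicates
            }
            print
        }
        END { if (!done) print key " = " value }   # key was absent: append it
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy the content back instead of mv: php.ini keeps its owner and 0644
    # mode (mktemp creates 0600 files, which the httpd user could not read).
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_ini_value FILE KEY
# Prints the active (uncommented) value of KEY, or nothing if it is unset.
get_ini_value() {
    awk -v key="$2" -F= '
        /^[ \t]*;/ { next }                       # skip comments
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }
    ' "$1"
}

# demo_php_ini
# Applies the same settings as the tutorial to a constructed fragment that
# resembles a stock php.ini, including one key that is already active with a
# different value and one key that is missing entirely. Prints the file path.
demo_php_ini() {
    f=$(mktemp)
    cat > "$f" <<'INI'
[PHP]
expose_php = On
;cgi.fix_pathinfo=1
;date.timezone =
;mail.log = syslog
realpath_cache_size = 4096k
INI
    set_ini_value "$f" expose_php Off
    set_ini_value "$f" cgi.fix_pathinfo 0
    set_ini_value "$f" date.timezone Europe/Berlin
    set_ini_value "$f" mail.log syslog
    set_ini_value "$f" realpath_cache_size 256k   # active with another value: replaced
    set_ini_value "$f" realpath_cache_ttl 1200    # absent: appended
    printf '%s' "$f"
}
```

On a real host, run get_ini_value against /etc/php.ini after the edits (or compare with php -i) to confirm each setting actually took effect rather than assuming the substitution matched.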

Now customize httpd. Disable the modules PrivateBin does not need in /etc/httpd/conf.modules.d by commenting them out; uncomment any your setup requires. The descriptions of the modules that stay enabled sit on a line of their own, because Apache does not accept a comment on the same line as a directive.

00-base.conf:

LoadModule access_compat_module modules/mod_access_compat.so
  #Group authorizations based on host (name or IP address)
#LoadModule actions_module modules/mod_actions.so #Execute CGI scripts based on media type or request method.
#LoadModule alias_module modules/mod_alias.so  #Provides for mapping different parts of the host filesystem in the document tree and for URL redirection
#LoadModule allowmethods_module modules/mod_allowmethods.so #Easily restrict what HTTP methods can be used on the server
#LoadModule auth_basic_module modules/mod_auth_basic.so  #Basic HTTP authentication
#LoadModule auth_digest_module modules/mod_auth_digest.so  #User authentication using MD5 Digest Authentication
#LoadModule authn_anon_module modules/mod_authn_anon.so #Allows "anonymous" user access to authenticated areas
#LoadModule authn_core_module modules/mod_authn_core.so #Core Authentication
#LoadModule authn_dbd_module modules/mod_authn_dbd.so #User authentication using an SQL database
#LoadModule authn_dbm_module modules/mod_authn_dbm.so #User authentication using DBM files
#LoadModule authn_file_module modules/mod_authn_file.so #User authentication using text files
#LoadModule authn_socache_module modules/mod_authn_socache.so #Manages a cache of authentication credentials to relieve the load on backends
LoadModule authz_core_module modules/mod_authz_core.so
 #Core Authorization
#LoadModule authz_dbd_module modules/mod_authz_dbd.so #Group Authorization and Login using SQL
#LoadModule authz_dbm_module modules/mod_authz_dbm.so #Group authorization using DBM files
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so #Group authorization using plaintext files
#LoadModule authz_host_module modules/mod_authz_host.so  #Group authorizations based on host (name or IP address)
#LoadModule authz_owner_module modules/mod_authz_owner.so #Authorization based on file ownership
#LoadModule authz_user_module modules/mod_authz_user.so #User Authorization
#LoadModule autoindex_module modules/mod_autoindex.so #Generates directory indexes, automatically, similar to the Unix ls command or the Win32 dir shell command
LoadModule cache_module modules/mod_cache.so
 #RFC 2616 compliant HTTP caching filter.
LoadModule cache_disk_module modules/mod_cache_disk.so
 #Disk based storage module for the HTTP caching filter.
LoadModule data_module modules/mod_data.so
 #Convert response body into an RFC2397 data URL
#LoadModule dbd_module modules/mod_dbd.so #Manages SQL database connections
LoadModule deflate_module modules/mod_deflate.so
 #Compress content before it is delivered to the client
LoadModule dir_module modules/mod_dir.so
 #Provides for "trailing slash" redirects and serving directory index files
#LoadModule dumpio_module modules/mod_dumpio.so #Dumps all I/O to error log as desired.
#LoadModule echo_module modules/mod_echo.so #A simple echo server to illustrate protocol modules
#LoadModule env_module modules/mod_env.so #Modifies the environment which is passed to CGI scripts and SSI pages
LoadModule expires_module modules/mod_expires.so
 #Generation of Expires and Cache-Control HTTP headers according to user-specified criteria
#LoadModule ext_filter_module modules/mod_ext_filter.so #Pass the response body through an external program before delivery to the client
#LoadModule filter_module modules/mod_filter.so  #Context-sensitive smart filter configuration module
LoadModule headers_module modules/mod_headers.so
 #Customization of HTTP request and response headers
#LoadModule include_module modules/mod_include.so #Server-parsed html documents (Server Side Includes)
#LoadModule info_module modules/mod_info.so #Provides a comprehensive overview of the server configuration
LoadModule log_config_module modules/mod_log_config.so
 #Logging of the requests made to the server
#LoadModule logio_module modules/mod_logio.so #Logging of input and output bytes per request
#LoadModule mime_magic_module modules/mod_mime_magic.so #Determines the MIME type of a file by looking at a few bytes of its contents
LoadModule mime_module modules/mod_mime.so
 #Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding)
#LoadModule negotiation_module modules/mod_negotiation.so  #Provides for content negotiation
LoadModule remoteip_module modules/mod_remoteip.so
 #Replaces the original client IP address for the connection with the useragent IP address list presented by proxies or a load balancer via the request headers.
#LoadModule reqtimeout_module modules/mod_reqtimeout.so #Set timeout and minimum data rate for receiving requests
LoadModule rewrite_module modules/mod_rewrite.so
 #Provides a rule-based rewriting engine to rewrite requested URLs on the fly
#LoadModule setenvif_module modules/mod_setenvif.so #Allows the setting of environment variables based on characteristics of the request
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so #Slot-based shared memory provider.
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so #Slot-based shared memory provider.
#LoadModule socache_dbm_module modules/mod_socache_dbm.so #DBM based shared object cache provider.
#LoadModule socache_memcache_module modules/mod_socache_memcache.so #Memcache based shared object cache provider.
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
 #shmcb based shared object cache provider.
#LoadModule status_module modules/mod_status.so #Provides information on server activity and performance
#LoadModule substitute_module modules/mod_substitute.so #Perform search and replace operations on response bodies
#LoadModule suexec_module modules/mod_suexec.so #Allows CGI scripts to run as a specified user and Group
LoadModule unique_id_module modules/mod_unique_id.so
 #Provides an environment variable with a unique identifier for each request
LoadModule unixd_module modules/mod_unixd.so
 #Basic (required) security for Unix-family platforms.
#LoadModule userdir_module modules/mod_userdir.so #User-specific directories
#LoadModule version_module modules/mod_version.so #Version dependent configuration
#LoadModule vhost_alias_module modules/mod_vhost_alias.so  #Provides for dynamically configured mass virtual hosting

#LoadModule buffer_module modules/mod_buffer.so #Support for request buffering
#LoadModule watchdog_module modules/mod_watchdog.so #provides infrastructure for other modules to periodically run tasks
#LoadModule heartbeat_module modules/mod_heartbeat.so #Sends messages with server status to frontend proxy
#LoadModule heartmonitor_module modules/mod_heartmonitor.so #Centralized monitor for mod_heartbeat origin servers
#LoadModule usertrack_module modules/mod_usertrack.so #Clickstream logging of user activity on a site 
#LoadModule dialup_module modules/mod_dialup.so #Send static content at a bandwidth rate limit, defined by the various old modem standards
#LoadModule charset_lite_module modules/mod_charset_lite.so #Specify character set translation or recoding
#LoadModule log_debug_module modules/mod_log_debug.so #Additional configurable debug logging
#LoadModule ratelimit_module modules/mod_ratelimit.so #Bandwidth Rate Limiting for Clients
#LoadModule reflector_module modules/mod_reflector.so #Reflect a request body as a response via the output filter stack.
#LoadModule request_module modules/mod_request.so #Filters to handle and make available HTTP request bodies
#LoadModule sed_module modules/mod_sed.so #Filter Input (request) and Output (response) content using sed syntax
#LoadModule speling_module modules/mod_speling.so #Attempts to correct mistaken URLs by ignoring capitalization, or attempting to correct various minor misspellings.

00-dav.conf:

#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so

00-lua.conf:

#LoadModule lua_module modules/mod_lua.so

00-proxy.conf:

#LoadModule proxy_module modules/mod_proxy.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so

01-cgi.conf:

<IfModule mpm_worker_module>
#   LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_event_module>
#   LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
#   LoadModule cgi_module modules/mod_cgi.so
</IfModule>

Next, deal with the per-module configuration files in /etc/httpd/conf.d: keep the stock autoindex.conf and userdir.conf as backups and replace them with empty files, since the modules they configure are no longer loaded.

mv /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/autoindex.conf.orig
mv /etc/httpd/conf.d/userdir.conf /etc/httpd/conf.d/userdir.conf.orig
touch /etc/httpd/conf.d/autoindex.conf
touch /etc/httpd/conf.d/userdir.conf

Last but not least, configure Apache httpd itself.

cd /etc/httpd/conf
cp httpd.conf httpd.conf.orig
#sed -i 's/ServerAdmin root@localhost/ServerAdmin youremail@example.com/' /etc/httpd/conf/httpd.conf # change to your email if needed
sed -i 's/Listen 80/Listen 0.0.0.0:80/' /etc/httpd/conf/httpd.conf
sed -i 's/LogLevel warn/LogLevel error/' /etc/httpd/conf/httpd.conf
sed -i 's/#EnableMMAP off/EnableMMAP on/' /etc/httpd/conf/httpd.conf
#echo -e "ServerSignature off\nServerTokens Prod\nExtendedStatus Off\nStartServers 10\nMinSpareServers 1\nMaxSpareServers 2\nServerLimit 12\nMaxClients 12\nMaxRequestsPerChild 10000\nKeepAlive on\nKeepAliveTimeout 120" | cat - /etc/httpd/conf/httpd.conf > /etc/httpd/conf/temp && mv /etc/httpd/conf/temp /etc/httpd/conf/httpd.conf <<< y
# The quoted delimiter keeps the shell from touching anything inside the block.
cat >> /etc/httpd/conf.d/custom.conf << 'EOF'
ServerSignature off
ServerTokens Prod
ExtendedStatus Off
StartServers 10
MinSpareServers 1
MaxSpareServers 2
ServerLimit 12
MaxClients 12
MaxRequestsPerChild 10000
KeepAlive on
KeepAliveTimeout 120
# PrivateBin's internal directories must never be served directly.
<Directory "/var/www/html/paste/data">
 Require all denied
</Directory>
<Directory "/var/www/html/paste/tmp">
 Require all denied
</Directory>
<Directory "/var/www/html/paste/cfg">
 Require all denied
</Directory>
<Directory "/var/www/html/paste/lib">
 Require all denied
</Directory>
# Cache static content for one month (2592000 seconds). Apache does not allow
# a comment after a directive on the same line, so the note lives up here.
ExpiresActive On
ExpiresDefault A2592000
Header set Cache-Control "max-age=2592000, public"
# Dynamic responses are never cached.
<FilesMatch "\.(pl|php|cgi|spl)$">
 Header unset Cache-Control
 Header unset Expires
 Header unset Last-Modified
 FileETag None
 Header unset Pragma
</FilesMatch>
EOF
# Check the configuration syntax before enabling the service.
apachectl configtest
# httpd_execmem lets httpd map writable and executable memory (needed by the
# PHP opcache); httpd_builtin_scripting lets it run built-in scripting such as PHP.
setsebool -P httpd_execmem=1
setsebool -P httpd_builtin_scripting=1
systemctl enable httpd

Installation

Download the latest version of PrivateBin and extract it to /var/www/html/paste.

Create the directories needed by PrivateBin, set their ownership and SELinux file contexts, and (re)start httpd:

cd /var/www/html/paste
mkdir data
mkdir tmp
chown apache:apache *
# semanage is in the policycoreutils-python package on CentOS 7.
# semanage fcontext only records the rule; restorecon applies it to the
# directories that already exist, which otherwise keep the read-only label
# inherited from /var/www/html.
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/paste/tmp(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/paste/data(/.*)?"
restorecon -Rv /var/www/html/paste
systemctl restart httpd

After httpd has been running for a while, check the audit log for SELinux denials. The remaining ones involve hugetlbfs; build a local policy module from them (review the generated hugetlbfs.te before loading it) and install it:

cd /var/log/audit
grep hugetlbfs audit.log | audit2allow -M hugetlbfs   # writes hugetlbfs.te and hugetlbfs.pp
semodule -i hugetlbfs.pp
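Before loading whatever audit2allow produces, it is worth seeing exactly which source type, target type, object class and permission set each denial involves: a write denial on a directory still labelled httpd_sys_content_t, for instance, points to a missing restorecon rather than to something that should be allowed, and only the hugetlbfs records belong in the module above. The following is an added example, not part of the tutorial: a POSIX shell/awk summariser that groups AVC records, run here over constructed audit.log lines (not taken from a real system). The names summarize_avc and demo_summarize are chosen here.

```sh
#!/bin/sh
# AVC denial summariser (added example; not part of the PrivateBin wiki).

# summarize_avc LOGFILE
# Prints one line per distinct (process, source type, target type, class,
# permissions) tuple found in AVC denial records, prefixed by how often it
# occurred. Each line corresponds to one rule audit2allow would emit.
summarize_avc() {
    awk '
    /^type=AVC / && /denied  *[{]/ {
        # The permission set is the "{ read write }" group after "denied".
        match($0, /[{][^}]*[}]/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        scon = ""; tcon = ""; cls = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^scontext=/) scon = substr($i, 10)
            else if ($i ~ /^tcontext=/) tcon = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls  = substr($i, 8)
            else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        # Contexts are user:role:type[:level]; the type is what policy is written against.
        split(scon, s, ":"); split(tcon, t, ":")
        key = comm " " s[3] " " t[3] " " cls " { " perms " }"
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$1" | sort
}

# demo_summarize
# Runs the summariser over constructed records in audit.log format: two
# hugetlbfs denials of the kind the tutorial allows, one denial caused by a
# directory that was never relabelled, and one unrelated SYSCALL record.
demo_summarize() {
    f=$(mktemp)
    cat > "$f" <<'LOG'
type=AVC msg=audit(1467200000.101:201): avc:  denied  { read write } for  pid=2001 comm="httpd" path="/anon_hugepage (deleted)" dev="hugetlbfs" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1467200000.101:201): arch=c000003e syscall=9 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1467200000.102:202): avc:  denied  { write } for  pid=2002 comm="httpd" name="data" dev="dm-0" ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1467200000.103:203): avc:  denied  { read write } for  pid=2001 comm="httpd" path="/anon_hugepage (deleted)" dev="hugetlbfs" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=0
LOG
    summarize_avc "$f"
    rm -f "$f"
}
```

Run summarize_avc /var/log/audit/audit.log on the host; anything whose target type is httpd_sys_content_t or httpd_sys_rw_content_t is a labelling problem to fix with semanage fcontext and restorecon, and only the lines you cannot explain that way are candidates for audit2allow.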

Nginx/Naxsi

If you run nginx with naxsi on your reverse proxy, add these whitelist rules:

BasicRule wl:1015 "mz:$URL:/paste/|$BODY_VAR:data";
BasicRule wl:1315 "mz:$URL:/paste/|$HEADERS_VAR:cookie";
BasicRule wl:1001 "mz:$URL:/paste/|$BODY_VAR:data";
BasicRule wl:1009 "mz:$URL:/paste/|$BODY_VAR:data";
BasicRule wl:1009 "mz:$URL:/paste/|$BODY_VAR:nickname";
BasicRule wl:1001 "mz:$URL:/paste/|$BODY_VAR:nickname";
BasicRule wl:1015 "mz:$URL:/paste/|$BODY_VAR:nickname";