Thursday, April 28, 2016

SHELL Scripting

Example1:

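#!/usr/bin/env bash
# createusers: add every login name listed in the file named by $1, using a
# non-interactive shell (/bin/false) for each account.
#
# Names may be separated by newlines or whitespace (the original script read
# them with word-splitting, so both layouts keep working).
#
# Usage:   /root/createusers <file>
# Outputs: one "Adding user: NAME" line per name on stdout; warnings on stderr.
# Returns: 0 after the file was processed, 2 on usage error or when the file
#          cannot be read.
#
# useradd needs root and validates the login name itself; a malformed or
# duplicate name is reported by useradd, not by this script.

main() {
  local file=${1-}
  local line user
  local -a names

  # No argument at all: print the usage line (the original matched the empty
  # argument list with an empty case pattern).
  if [[ $# -eq 0 ]]; then
    echo "Usage: /root/createusers"
    return 2
  fi

  # The original only accepted the literal argument "testfile"; accept any
  # readable regular file instead and keep the original message otherwise.
  if [[ ! -f "$file" || ! -r "$file" ]]; then
    echo "Input File Not Found"
    return 2
  fi

  # -r keeps backslashes literal; the `|| [[ -n ... ]]` still processes a
  # last line that has no trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    # Blank lines and '#' comment lines would otherwise become bogus
    # useradd calls.
    [[ -z "${line// }" || "$line" == \#* ]] && continue
    # Split the line on whitespace without globbing (unlike unquoted $(cat)).
    read -r -a names <<<"$line"
    for user in "${names[@]}"; do
      echo "Adding user: $user"
      # '--' stops option parsing so a name beginning with '-' cannot be
      # taken as a useradd flag; keep going on failure, as the original did.
      useradd -s /bin/false -- "$user" \
        || printf 'warn: useradd failed for %s\n' "$user" >&2
    done
  done < "$file"
}

main "$@"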


Example2:

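#!/bin/bash
# random: print the counterpart of the postfix tool named on the command line
# ("postconf" -> "postroll", "postroll" -> "postconf"); any other input prints
# the usage line.
#
# Usage:   /root/random postconf|postroll
# Outputs: one word on stdout.
# Returns: 0 for a recognised argument, 2 otherwise.

main() {
  # Inspect only the first argument. The original matched the whole argument
  # list (unquoted $@), so "postconf extra" silently fell through to usage.
  case "${1-}" in
    postconf)
      echo "postroll"
      ;;
    postroll)
      echo "postconf"
      ;;
    *)
      echo "/root/random postconf|postroll"
      return 2
      ;;
  esac
}

main "$@"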

Example3:

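#!/bin/bash
# countdown: print integers from a start value down to 2, one per line.
# The start value defaults to 100, which reproduces the original script
# (its loop condition was `counter>1`, so 1 is never printed).
#
# Usage:   countdown [start]
# Outputs: one integer per line on stdout.
# Returns: 0, or 2 when the argument is not an integer.

countdown() {
  local start=${1:-100}
  local -i n

  # Validate before arithmetic: bash would otherwise evaluate a non-numeric
  # argument as a variable name and silently print nothing.
  if [[ ! "$start" =~ ^-?[0-9]+$ ]]; then
    printf 'countdown: start must be an integer, got %s\n' "$start" >&2
    return 2
  fi

  for (( n = start; n > 1; n-- )); do
    printf '%d\n' "$n"
  done
}

# The script's exit status is countdown's, so no trailing `exit 0` is needed.
countdown "$@"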

Managing MariaDB

Creating database environment


  • yum -y install mariadb mariadb-libs mariadb-test
  • systemctl start mariadb
  • systemctl enable mariadb
  • mysql_secure_installation
    • set mysql root password
Creating a Database
  • mysql -uroot -p
    • create database friends;
    • use friends;
    • MariaDB [friends]> create table name (FirstName VARCHAR(40), LastName VARCHAR(40), age INT, year INT);
    • MariaDB [friends]> insert into name (FirstName,LastName,age,year) values ('Ion','Rivera',35,2010);
    • MariaDB [friends]> insert into name (FirstName,LastName,age,year) values ('Syl','Carrion',35,2010);
    • MariaDB [friends]> insert into name (FirstName,LastName,age,year) values ('Harold','Gray',35,2010);

MariaDB [friends]> select * from name;
+-----------+----------+------+------+
| FirstName | LastName | age  | year |
+-----------+----------+------+------+
| Ion       | Rivera   |   35 | 2010 |
| Syl       | Carrion  |   35 | 2010 |
| Harold    | Gray     |   35 | 2010 |
+-----------+----------+------+------+
3 rows in set (0.01 sec)

Managing User
  • MariaDB [(none)]> create user erick@localhost identified by '123456';
  • MariaDB [mysql]> select user from user where user='erick';
  • MariaDB [mysql]>use friends;
  • MariaDB [friends]> grant select,update,insert,delete on friends.* to erick@localhost;
  • MariaDB [friends]> flush privileges;
  • MariaDB [friends]> show grants for erick@localhost;
MariaDB [friends]> show grants for erick@localhost;
+--------------------------------------------------------------------------------------------------------------+
| Grants for erick@localhost                                                                                   |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'erick'@'localhost' IDENTIFIED BY PASSWORD '*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `friends`.* TO 'erick'@'localhost'                                   |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
  • [root@server6 ~]# mysql -uerick -p
  • MariaDB [(none)]> quit
Backing up Database
  • Creating a Logical Database Backup
    • mysqldump -u root -p friends > /root/friends-db.dump
    • mysqldump -u root -p --all-databases > /root/all-db.dump
  • Creating a Physical Database Backup
    • mount |grep mysql
    • mysql -uroot -p
    • MariaDB [(none)]> flush tables with read lock; or systemctl stop mariadb
    • [root@server6 ~]# lvcreate -L 5G -s -n lv_mariadb-snapshot /dev/vgsan/lv_mariadb
    • MariaDB [none]> unlock tables;
    • mkdir /mariadb_snapshot
    • mount -o nouuid /dev/vgsan/lv_mariadb-snapshot /mariadb_snapshot/
    • tar -cvf mariadb-snapshot.04-28-2016.tar /mariadb_snapshot/
    • umount /mariadb_snapshot
    • tar -tvf mariadb-snapshot.04-28-2016.tar
Restoring a Database backup
  • Logical Backup
    • mysql -u root -p < mariadb.backup
  • Physical Backup
    • systemctl stop mariadb
    • rm -rf /var/lib/mysql/*
    • tar -xvf mariadb-snapshot.tar -C /var/lib/
    • mv mariadb_snapshot/* mysql/
    • rm -rf mariadb_snapshot
    • semanage fcontext -a -t mysqld_db_t "(/var/lib/.*?)"
    • restorecon -Rv /var/lib/

Wednesday, April 27, 2016

Managing SSH

Configuring Key-based Authentication
  • generate key
    • ssh-keygen -t dsa   (DSA keys are disabled by default in OpenSSH 7.0 and later; on current systems use -t ed25519 or -t rsa)
  • copy key to another server
    • ssh-copy-id server2
  • ssh without typing the key passphrase
    • ssh-agent /bin/bash
    • ssh-add

[root@server6 ~]# ssh-agent /bin/bash
[root@server6 ~]# ssh-add
Enter passphrase for /root/.ssh/id_dsa:
Identity added: /root/.ssh/id_dsa (/root/.ssh/id_dsa)
[root@server6 ~]# ssh server7
Last login: Wed Apr 27 17:20:44 2016 from 192.168.23.148

Changing ssh port
  • vim /etc/ssh/sshd_config
    • Port 2022
    • semanage port -a -t ssh_port_t -p tcp 2022
    • semanage port -l|grep ssh
      • ssh_port_t                     tcp      2022, 22
    • firewall-cmd --permanent --add-port=2022/tcp
    • firewall-cmd --reload
Creating SSH Tunnels
  • on server1
    • ssh -fNL 4444:server8.example.com:80 root@server7.example.com -p 2022
    • elinks http://localhost:4444
[root@server6 ~]# netstat -tulpen|grep -i ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          22725      1694/sshd
tcp        0      0 127.0.0.1:4444          0.0.0.0:*               LISTEN      0          174870     15288/ssh
tcp6       0      0 :::22                   :::*                    LISTEN      0          22734      1694/sshd
tcp6       0      0 ::1:4444                :::*                    LISTEN      0          174869     15288/ssh

  • ssh -fNL 2020:www.sandervanvugt.nl:80 root@server8.example.com
  • elinks http://www.sandervanvugt.nl:2020

Setting up an SMTP server

Email Server Roles

  • Email Transmission: SMTP
  • Email Reception: POP, IMAP
  • End user mail clients: Evolution, mutt
Configuring postfix
  • on server1
  • vim /etc/postfix/main.cf
    • inet_interfaces = all
    • myorigin = example.com
    • mydestination=
    • inet_protocols=ipv4
  • on server2
    • relayhost = [server1.example.com]
    • inet_interfaces = loopback-only
    • mynetworks = 127.0.0.0/8 [::1]/128
    • mydestination=
    • inet_protocols=ipv4
  • send mail from server2 to a user on server1.

Configuring iSCSI Target and Initiator

Configuring iSCSI Target

  • installation
    • yum -y install targetcli
    • systemctl start target
    • systemctl enable target
  • enable iscsi-target service in firewalld
    • firewall-cmd --permanent --add-service=iscsi-target
    • firewall-cmd --reload
  • using partition
    • fdisk /dev/sdb
    • create new 3G partition
      • n
      • p
      • +3G
      • w
  • if DNS is not configured make sure to add servers in /etc/hosts
    • 192.168.23.145 server6 server6.example.com
    • 192.168.23.144 server7 server7.example.com
    • 192.168.23.146 server8 server8.example.com

  • configuring target
    • targetcli
      • create block
        • cd backstores
          • /backstores> block/ create block1 /dev/vgsan/lv_san1
          • /backstores> block/ create block2 /dev/vgsan/lv_san2
      • create target
        • cd iscsi
          • /iscsi> create iqn.2016-04.com.example:target
      • create acls
        • /iscsi> cd iqn.2016-04.com.example:target/
        • /iscsi/iqn.20...xample:target> cd tpg1/
        • /iscsi/iqn.20...e:target/tpg1> acls/ create iqn.2016-04.com.example:server7
        • /iscsi/iqn.20...e:target/tpg1> acls/ create iqn.2016-04.com.example:server8
      • create luns
        • /iscsi/iqn.20...e:target/tpg1> luns/ create /backstores/block/block1
        • /iscsi/iqn.20...e:target/tpg1> luns/ create /backstores/block/block2
      • configure portals - if 0.0.0.0:3260 already exists, delete it first.
        • /iscsi/iqn.20...e:target/tpg1> portals/ delete 0.0.0.0 3260
        • /iscsi/iqn.20...e:target/tpg1> portals/ create 192.168.23.145 3260 <-- IP of target server.
/> ls
o- / ......................................................................................................................... [...]
  o- backstores .............................................................................................................. [...]
  | o- block .................................................................................................. [Storage Objects: 2]
  | | o- block1 ................................................................. [/dev/vgsan/lv_san1 (2.0GiB) write-thru activated]
  | | o- block2 ................................................................. [/dev/vgsan/lv_san2 (2.0GiB) write-thru activated]
  | o- fileio ................................................................................................. [Storage Objects: 0]
  | o- pscsi .................................................................................................. [Storage Objects: 0]
  | o- ramdisk ................................................................................................ [Storage Objects: 0]
  o- iscsi ............................................................................................................ [Targets: 1]
  | o- iqn.2016-04.com.example:target .................................................................................... [TPGs: 1]
  |   o- tpg1 ............................................................................................... [no-gen-acls, no-auth]
  |     o- acls .......................................................................................................... [ACLs: 2]
  |     | o- iqn.2016-04.com.example:server7 ...................................................................... [Mapped LUNs: 1]
  |     | | o- mapped_lun0 ................................................................................ [lun0 block/block1 (rw)]
  |     | o- iqn.2016-04.com.example:server8 ...................................................................... [Mapped LUNs: 1]
  |     |   o- mapped_lun1 ................................................................................ [lun1 block/block2 (rw)]
  |     o- luns .......................................................................................................... [LUNs: 2]
  |     | o- lun0 .............................................................................. [block/block1 (/dev/vgsan/lv_san1)]
  |     | o- lun1 .............................................................................. [block/block2 (/dev/vgsan/lv_san2)]
  |     o- portals .................................................................................................... [Portals: 1]
  |       o- 192.168.23.145:3260 .............................................................................................. [OK]
  o- loopback ......................................................................................................... [Targets: 0]


Configuring iSCSI Initiator

  • in server7.example.com
    • yum -y install iscsi-initiator-utils
    • systemctl start iscsi
    • systemctl enable iscsi
    • vim /etc/iscsi/initiatorname.iscsi
      • InitiatorName=iqn.2016-04.com.example:server7
    • discover targets at a given IP address
      • the command is too long to memorize; run "man iscsiadm" and see the example at the bottom.
      • iscsiadm --mode discoverydb --type sendtargets --portal 192.168.23.145 --discover
    • login
      • the command is too long to memorize; run "man iscsiadm" and see the example at the bottom.
      • iscsiadm --mode node --targetname iqn.2016-04.com.example:target --portal 192.168.23.145:3260 --login
[root@server7 ~]# iscsiadm --mode discoverydb --type sendtargets --portal 192.168.23.145 --discover
192.168.23.145:3260,1 iqn.2016-04.com.example:target
[root@server7 ~]# iscsiadm --mode node --targetname iqn.2016-04.com.example:target --portal 192.168.23.145:3260 --login
Logging in to [iface: default, target: iqn.2016-04.com.example:target, portal: 192.168.23.145,3260] (multiple)
Login to [iface: default, target: iqn.2016-04.com.example:target, portal: 192.168.23.145,3260] successful.

  • to check 
    • yum -y install lsscsi
    • lsscsi
[root@server7 ~]# lsscsi
[1:0:0:0]    cd/dvd  NECVMWar VMware IDE CDR10 1.00  /dev/sr0
[2:0:0:0]    disk    VMware,  VMware Virtual S 1.0   /dev/sda
[2:0:1:0]    disk    VMware,  VMware Virtual S 1.0   /dev/sdb
[3:0:0:0]    disk    LIO-ORG  block1           4.0   /dev/sdc  <--iscsi device

  • creating filesystem using iscsi device
    • mkdir /data
    • mkfs.xfs /dev/sdc
  • make the filesystem persistent upon boot
    • vim /etc/fstab
      • /dev/sdc /data  xfs     _netdev 0 0 <-- make sure to include _netdev (network device)
      • mount /data
[root@server7 ~]# df -h /data
Filesystem      Size  Used Avail Use% Mounted on
/dev/sdc        2.0G   33M  2.0G   2% /data


Tuesday, April 26, 2016

Setting up SAMBA server


  • Accessing samba share
    • smbclient -L //localhost
    • smbclient -U erick //localhost/data
  • Mounting samba share
    • yum -y install cifs-utils
      • mount -o username=erick //localhost/share /mnt
  • Installation
    • yum -y install samba samba-client
    • systemctl start smb nmb
    • systemctl enable smb nmb
    • firewall-cmd --permanent --add-service=samba
    • firewall-cmd --reload
  • Creating share with read access from specific user, changing workgroup and allowing specific network.
    • Create linux and samba user <-- the Linux user must exist before the Samba user is created.
      • useradd -s /sbin/nologin erick
      • smbpasswd -a erick
    • mkdir /sambashare
      • semanage fcontext -a -t samba_share_t "/sambashare(/.*)?"
      • restorecon -R -v /sambashare
      • setfacl -m u:erick:r-X /sambashare
      • getfacl /sambashare
    • vim /etc/samba/smb.conf
[global]
workgroup = TESTGROUP

[data]
        comment = data
        path = /sambashare
        browseable = yes
        writable = yes
        valid users = erick
        read only = yes
        hosts allow = 192.168.23.
    • systemctl restart smb
    • testparm <--checking configuration
    • smbclient -U erick //localhost/data <--test
  • Creating share with read/write and read access from multiple user.
    • Create linux and samba user <-- the Linux user must exist before the Samba user is created.
      • useradd -s /sbin/nologin dimple
      • useradd -s /sbin/nologin andrei
      • smbpasswd -a dimple
      • smbpasswd -a andrei
    • mkdir /sambashare2
      • semanage fcontext -a -t samba_share_t "/sambashare2(/.*)?"
      • restorecon -R -v /sambashare2
      • setfacl -m u:dimple:rwX /sambashare2
      • setfacl -m u:andrei:r-X /sambashare2
      • getfacl sambashare2
    • vim /etc/samba/smb.conf
[data2]
        comment = data2
        path = /sambashare2
        browseable = yes
        writable = yes
        valid users = dimple andrei
        read only = no

    • systemctl restart smb
    • testparm <--checking configuration
    • to test
      • yum -y install cifs-utils
      • mount -o username=dimple //localhost/data2 /dimple
        • user dimple should have rwx permission to data2
[root@server2 dimple]# df -h .
Filesystem         Size  Used Avail Use% Mounted on
//localhost/data2   18G  4.2G   14G  24% /dimple
[root@server2 dimple]# touch dimple.txt
[root@server2 dimple]# ls -l dimple.txt
-rw-r--r--. 1 dimple dimple 0 Apr 26 12:13 dimple.txt
      • mount -o username=andrei //localhost/data2 /andrei
        • user andrei should have read only access to data2
[root@server2 andrei]# df -h .
Filesystem         Size  Used Avail Use% Mounted on
//localhost/data2   18G  4.2G   14G  24% /andrei
[root@server2 andrei]# touch andrei.txt
touch: cannot touch ‘andrei.txt’: Permission denied

  • SMB multiuser mount
    • yum -y install cifs-utils
    • mkdir -p /mnt/sambashare
    • vim /root/smb-multiuser.txt
      • username=dimple
      • password=123456
    • chmod 0600 /root/smb-multiuser.txt
    • vim /etc/fstab
      • //server2/data2 /mnt/sambashare cifs defaults,sec=ntlmssp,credentials=/root/smb-multiuser.txt,multiuser 0 0
[root@server3 sambashare]# df -h .
Filesystem       Size  Used Avail Use% Mounted on
//server2/data2   18G  4.2G   14G  24% /mnt/sambashare
[root@server3 sambashare]# ls -l
total 4
-rw-r--r--. 1 1001 1001 17 Apr 26 12:19 dimple.txt
-rw-r--r--. 1 1001 1001  0 Apr 26 12:26 sample.txt

Setting up Kerberized NFS



  • Setting up Selinux for NFS
    • vim /etc/sysconfig/nfs
      • RPCNFSDARGS="-V 4.2"
    • semanage fcontext -a -t public_content_rw_t "/secureshare(/.*)?"
    • restorecon -R -v /secureshare/

  • On NFS Server
    • make the keytab available in NFS server
      • cp /tmp/nfs.keytab /etc/krb5.keytab
    • start and enable nfs-server and nfs-secure-server
      • systemctl start nfs-server
      • systemctl enable nfs-server
      • systemctl start nfs-secure-server
      • systemctl enable nfs-secure-server
    • mkdir /secureshare
    • vim /etc/exports
      • /secureshare *.example.com(sec=krb5p,rw)
    • exportfs -r
    • firewall-cmd --permanent --add-service=nfs
    • firewall-cmd  --reload
  • On NFS Client server
    • make the keytab available in NFS client
      • cp /tmp/nfs.keytab /etc/krb5.keytab
    • systemctl start nfs-secure
    • systemctl enable nfs-secure
    • mount -o sec=krb5p,v4.2 server2:/secureshare /mnt
    • vim /etc/fstab
      • server2:/secureshare /mnt nfs defaults,v4.2,sec=krb5p 0 0
Before:

[root@server3 ~]# ls -dZ /secureshare
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /secureshare

After:

[root@server3 ~]# ls -dZ /secureshare
drwxr-xr-x. root root unconfined_u:object_r:public_content_rw_t:s0 /secureshare

Setting up Link Aggregation - Network Teaming


  • nmcli con show
  • nmcli con add type team con-name Team1 ifname Team1 config '{"runner": {"name": "activebackup"}}'
  • nmcli con mod Team1 ipv4.addresses 192.168.23.141/24
  • nmcli con mod Team1 ipv4.method manual
  • nmcli con add type team-slave con-name Team1-slave1 ifname eno50332208 master Team1
  • nmcli con add type team-slave con-name Team1-slave2 ifname eno33554984 master Team1
  • nmcli con up Team1
  • nmcli con up Team1-slave1
  • nmcli con up Team1-slave2
  • Checking
    • teamdctl Team1 state
    • nmcli dev dis eno33554984 

  • Show available connections
[root@server3 ~]# nmcli con show
NAME                UUID                                  TYPE            DEVICE
virbr0              bc621dfb-648e-4f0a-871e-0d0f70c2fbe9  bridge          virbr0
Wired connection 1  56c2cc26-fe98-47a8-82eb-2225adcd6cdd  802-3-ethernet  --
eno16777736         423c7642-7a55-4f61-a74e-bafefe737cfa  802-3-ethernet  eno16777736
Wired connection 3  1f615a9a-cb8d-4b39-9aab-63d5ee8c7020  802-3-ethernet  eno50332208
Wired connection 2  d03b442f-9615-4488-98d3-5b58416076df  802-3-ethernet  eno33554984

  • Create a Team connection name with corresponding mode
    • man nmcli-examples <-- look for the example 7
[root@server3 ~]# nmcli con add type team con-name Team1 ifname Team1 config '{"runner": {"name": "activebackup"}}'
Connection 'Team1' (5d14181d-e320-48a1-9dbb-98ff1623180d) successfully added.
  • Add IP Address
[root@server3 ~]# nmcli con mod Team1 ipv4.addresses 192.168.23.141/24
  • Create a Team Slave
    • eno50332208 <-- 1st available connection 
      • from the result of nmcli con show 
        • Wired connection 3  1f615a9a-cb8d-4b39-9aab-63d5ee8c7020  802-3-ethernet  eno50332208
    • eno33554984 - 2nd available connection
      • from the result of nmcli con show 
        • Wired connection 2  d03b442f-9615-4488-98d3-5b58416076df  802-3-ethernet  eno33554984
[root@server3 ~]# nmcli con add type team-slave con-name Team1-slave1 ifname eno50332208 master Team1
Connection 'Team1-slave1' (a8bac96b-874d-434f-8753-062ba06af7a7) successfully added.

[root@server3 ~]# nmcli con add type team-slave con-name Team1-slave2 ifname eno33554984 master Team1
Connection 'Team1-slave2' (ffc1d64c-a3ed-458b-b218-00595cd723e8) successfully added.

  • Start the team connection
[root@server3 ~]# nmcli con up Team1
Connection successfully activated (master waiting for slaves) (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7)

[root@server3 ~]# nmcli con up Team1-slave1
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/14)

[root@server3 ~]# nmcli con up Team1-slave2
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/15)

  • Checking
[root@server3 ~]# teamdctl Team1 state
setup:
  runner: activebackup
ports:
  eno33554984
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
  eno50332208
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
runner:
  active port: eno50332208



Monday, April 25, 2016

Setting up Simple NFS Server


  • Creating a simple NFS accessible to all.
    • vim /etc/exports
    • /share *(rw,all_squash) <-- all users will be mapped to the nfsnobody user.
    • mkdir /share
    • chown nfsnobody /share <-- change user ownership to nfsnobody when using all_squash
    • systemctl enable nfs-server
    • systemctl start nfs-server
    • exportfs -r         <--export only new configuration.
    • showmount -e localhost
    • firewall-cmd --permanent --add-service=nfs
    • firewall-cmd --reload
  • Mounting shared NFS 
    • mount server2:/share /nfs

[root@server3 ~]# mount |grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
server2:/share on /nfs type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.23.133,local_lock=none,addr=192.168.23.132)

Sunday, April 24, 2016

Setting up a Cache-only DNS Nameserver


  • Different DNS Server Roles
    • Primary (master) Nameserver
    • Secondary (slave) Nameserver
    • Cache only Nameserver
  • Resource Records
    • A: name to IP address
    • AAAA: name to IPV6 address
    • CNAME: Canonical Name; Alias
    • PTR: Reverse DNS Resolution
    • NS: Name Server; which name server is authoritative
    • SOA: Start of authority; generic information about a domain
    • MX: Mail Exchange that is responsible for this domain
    • TXT: Supplies additional data, such as the records used by Sender Policy Framework (SPF) and related mechanisms
    • SRV: Hosts that provide a specific service

  • Setting up a Cache-only DNS Nameserver
    • yum -y install unbound
      • systemctl enable unbound
      • systemctl start unbound
    • vim /etc/unbound/unbound.conf
      •  interface: 0.0.0.0        <-- listen on all interfaces
      •  access-control: 0.0.0.0/0 allow <-- allow everybody to query (this makes an open resolver; outside a lab, restrict it to your own networks)
      • forward-zone:
        • name: "."   <-- forward zone for root
        • forward-addr: 8.8.8.8 <-- DNS forward server
      • Check config
        • unbound-checkconf <-- check for syntax error only.
[root@server1 ~]# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

    • restart unbound
      • systemctl restart unbound
    • check status
      • systemctl status -l unbound
    • Add DNS to firewalld
      • firewall-cmd --permanent --add-service=dns
      • firewall-cmd --reload



Setting up Authenticated Web Servers

  • install a manual for examples and syntax
    • yum install -y httpd-manual
    • http://localhost/manual
  • Set up Basic Authentication
    • htpasswd -c /etc/httpd/htpasswd erick
    • type the password
  • Create directory
    • mkdir -p /srv/web/restricted
  • Change the selinux security label of DocumentRoot.
    • semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
    • restorecon -R -v /srv/web
  • Create index.html
    • vim /srv/web/restricted/index.html
  • Create virtual host
    • vim /etc/httpd/conf.d/restricted.conf

<Directory /srv/web/restricted>

    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider file
    AuthUserFile /etc/httpd/htpasswd
    Require user erick
</Directory>

<VirtualHost *:80>
    ServerAdmin root@restricted.example.com
    DocumentRoot "/srv/web/restricted"
    ServerName restricted.example.com
    ServerAlias www.restricted.example.com
    ErrorLog "logs/restricted-error_log"
    CustomLog "logs/restricted-access_log" combined
</VirtualHost>

  • Restart httpd
    • systemctl restart httpd

Configuring a Simple Web Server


  • Creating a Web Server using default configuration.
    • yum install -y httpd httpd-manual
    • systemctl enable httpd
    • systemctl start httpd
    • firewall-cmd --permanent --add-service=http --add-service=https
    • firewall-cmd --reload
    • cd /var/www/html
    • vim index.html
      • Welcome to simple web server
    • to test install elinks
      • yum -y install elinks
      • elinks http://localhost
  • Creating a Web Server using  different DocumentRoot.
    • yum install -y httpd httpd-manual
    • systemctl enable httpd
    • systemctl start httpd
    • firewall-cmd --permanent --add-service=http --add-service=https
    • firewall-cmd --reload
    • mkdir /web
    • vim /web/index.html
      • Welcome to simple web server
    • vim /etc/httpd/conf/httpd.conf
      • Change value of DocumentRoot.
        • DocumentRoot "/web"
      • Change value of Directory.
        • <Directory "/web">
    • Change the selinux security label of DocumentRoot /web.
      • semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
      • restorecon -R -v /web

[root@server1 ~]# ls -Zd /web
drwxrwxr-x+ root root unconfined_u:object_r:httpd_sys_content_t:s0 /web

    • restart httpd
      • systemctl restart httpd
    • test
      • elinks http://localhost

Setting up TLS Protected Web Sites

  • Generating Certificates.
    • yum -y install crypto-utils mod_ssl
    • genkey server1.example.com
      • it will generate .key and .crt
        • /etc/pki/tls/certs/server1.example.com.crt
        • /etc/pki/tls/private/server1.example.com.key
      • click next
      • select recommended security
        • 2048 (medium-security, medium speed) [RECOMMENDED]
      • Would you like to send a Certificate Request (CSR) to a Certificate Authority (CA)?
        • YES - if you will send it to an external certificate authority.
        • NO - use in testing  (self signed certificate).
        • select NO for testing purpose.
      • Encrypt the private key
        • enabling this feature sets a passphrase on the key and prompts for it on every start of the SSL server.
        • leave it blank and click next.
      • Enter details for your certificate
        • Common name [fully qualified domain name]: make sure the hostname is correct; this is the most important entry.
        • server1.example.com
      • check if the file has the correct selinux type.
[root@server1 ~]# ls -Z /etc/pki/tls/private/
-rw-------. root root unconfined_u:object_r:cert_t:s0  localhost.key
-r--------. root root unconfined_u:object_r:cert_t:s0  server1.example.com.key
[root@server1 ~]# ls -Z /etc/pki/tls/certs/
-rw-------. root root unconfined_u:object_r:cert_t:s0  localhost.crt
-rw-r-----. root root unconfined_u:object_r:cert_t:s0  server1.example.com.crt

  • Create a virtual host.
[root@server1 ~]# cd /etc/httpd/conf.d/
[root@server1 conf.d]# vim server1.conf
<Directory "/web/server1">
    AllowOverride none
    Require all granted
</Directory>

<VirtualHost *:443>
    ServerAdmin root@server1.example.com
    DocumentRoot "/web/server1"
    ServerName "server1.example.com"
    ErrorLog "logs/server1_error_log"
    CustomLog "logs/server1_access_log" combined

   SSLEngine on
   SSLCertificateKeyFile /etc/pki/tls/private/server1.example.com.key
   SSLCertificateFile /etc/pki/tls/certs/server1.example.com.crt
</VirtualHost>
    • vim /web/server1/index.html
      • Welcome, this website is using TLS (Transport layer Security)
    • make sure that the file context for selinux is applied to DocumentRoot
      • semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
      • restorecon -R -v /web

  • Restart httpd

    • [root@server1 conf.d]# systemctl restart httpd

  • Add https service in firewalld

    • [root@server1 conf.d]# firewall-cmd --permanent --add-service=https
    • [root@server1 conf.d]# firewall-cmd --reload
    • [root@server1 conf.d]# firewall-cmd --list-all
    • https should be added in services.
      • services: dhcpv6-client http https myservice samba ssh

  • Add server1.example.com in /etc/hosts if DNS is not available.

  • Browse the website.
    • https://server1.example.com