Dre*_*rew 2 centos systemd apache-httpd
我可以通过 直接启动 apache httpd,但不能通过systemctl start httpd. 我更喜欢守护进程方法,这样我就可以让它自动启动。
有人遇到过这个问题吗?这是在一个新的 CentOS7 虚拟机上。
systemctl 启动 http
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
systemctl status httpd.service
? httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2018-03-20 17:20:54 EDT; 37s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 7025 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 7024 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 7024 (code=exited, status=1/FAILURE)
Mar 20 17:20:54 test.local.com systemd[1]: Starting The Apache HTTP Server...
Mar 20 17:20:54 test.local.com systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 20 17:20:54 test.local.com kill[7025]: kill: cannot find process ""
Mar 20 17:20:54 test.local.com systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 20 17:20:54 test.local.com systemd[1]: Failed to start The Apache HTTP Server.
Mar 20 17:20:54 test.local.com systemd[1]: Unit httpd.service entered failed state.
Mar 20 17:20:54 test.local.com systemd[1]: httpd.service failed.
journalctl -xe
/etc/httpd/logs/error_log
对默认配置所做的唯一更改:
/etc/httpd/conf/httpd.conf
IncludeOptional sites-enabled/*.conf
/etc/httpd/sites-enabled/local.com.conf
<VirtualHost *:80>
ServerName test.local.com
ServerAlias local.com
Redirect / https://local.com
</VirtualHost>
<VirtualHost _default_:443>
ServerName test.local.com
ServerAlias local.com
ServerAdmin testemail@local.com
DocumentRoot /var/www/local.com/public_html
ErrorLog /var/www/local.com/error.log
CustomLog /var/www/local.com/access.log common
SSLEngine On
SSLCertificateFile /etc/ssl/certs/www/local.com.crt
SSLCertificateKeyFile /etc/ssl/certs/www/local.com.key
</VirtualHost>
仅开放端口:
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-dmc --reload
这是我从全新 CentOS7 安装中完成的完整过程:
Fresh CentOS 7 installation (VM)
yum upgrade -y
yum search http
yum install -y httpd httpd-devel mod_ssl openssl
systemctl start httpd
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload
Browse to 192.168.1.241
Apache is live!
yum search mariadb
yum install -y mariadb-server
systemctl start mariadb
mysql_secure_installation
mysql -uroot -p
Login to mysql server works!
yum search php
yum install -y php php-cli php-dba php-devel php-fpm php-mysql php-process php-pspell php-xml
systemctl restart httpd
Browse to 192.168.1.241/info.php
PHP is live!
mkdir /etc/httpd/sites-enabled
echo "IncludeOptional sites-enabled/*.conf" >> /etc/httpd/conf/httpd.conf
/etc/httpd/sites-enabled/local.com.conf
<VirtualHost *:80>
ServerName test.local.com
ServerAlias local.com
Redirect permenent / https://local.com
</VirtualHost>
<VirtualHost _default_:443>
ServerName test.local.com
ServerAlias local.com
ServerAdmin testemail@local.com
DocumentRoot /var/www/local.com/public_html
ErrorLog /var/www/local.com/error.log
CustomLog /var/www/local.com/access.log combined
SSLEngine On
SSLCertificateFile /etc/ssl/certs/www/local.com.crt
SSLCertificateKeyFile /etc/ssl/certs/www/local.com.key
</VirtualHost>
mkdir -p /var/www/local.com/public_html
chown -R apache:apache /var/www/local.com/public_html
chmod -R 755 /var/www
cd /etc/ssl/certs/www
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout local.com.key -out local.com.crt
Browse to 192.168.1.241
Unsecure service (self signed ssl) accept
Site is live!
I was redirected to https://local.com
NOTE: I added the following to my desktop's (separate PC) /etc/hosts
192.168.1.241 test.local.com local.com
This acts as a DNS record for my site
yum install -y epel-release
yum install -y phpmyadmin
edit /etc/httpd/conf.d/phpMyAdmin.conf
Add under any line with Require ip 127.0.0.1 with
Require ip 192.168.1.5
Add under any line with Allow from 127.0.0.1 with
Allow from 192.168.1.5
systemctl restart httpd # FAILS
kill pid for httpd
httpd # start httpd directly
Access https://local.com/phpMyAdmin
Now have access to phpMyAdmin
Login with root, 12345
And have mariadb access!
yum install -y awstats
edit /etc/httpd/conf.d/awstats.conf
Change Require ip and Allow ip same as phpMyAdmin
cp /etc/awstats/awstats.localhost.localdomain.conf /etc/awstats/awstats.local.com.conf
edit /etc/awstats/awstats.local.com.conf
LogFile="/var/log/httpd/access.log"
SiteDomain="www.local.com"
HostAliases="local.com 127.0.0.1"
echo "*/30 * * * * root /usr/share/awstats/wwwroot/cgi-bin/awstats.pl -config=www.local.com -update" >> /etc/crontab
kill httpd pid
httpd
Browse to https://local.com/awstats/awstats.pl?config=local.com
Awstats is live!
您在使用 SELinux 时遇到了麻烦。
/var/www出于安全原因,CentOS 7 附带的规则将阻止 httpd 写入 下的文件。
您正在为 VirtualHost 配置日志文件,使其位于该目录下的某个位置:
ErrorLog /var/www/local.com/error.log
CustomLog /var/www/local.com/access.log combined
因此,当 httpd(由 systemd 启动)尝试写入这些日志文件时,SELinux 会阻止这种情况,最终导致 httpd 退出并显示错误退出代码。
您可以使用以下ausearch命令来确认,该命令会检查审核日志(存储在 下/var/log/audit/audit.log)中的条目:
$ sudo ausearch -m avc
type=AVC msg=audit(1234567890.123:234): avc: denied { write } for pid=12345 comm="httpd" name="local.com" dev="sda1" ino=12345678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
在此消息中,您将看到写入的目标标有httpd_sys_content_t。如果您ls -Z在日志文件上使用,您会看到它们是这样标记的:
$ ls -Z /var/www/local.com/
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 access.log
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 error.log
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 public_html
这仅影响由 systemd 启动的 httpd 而不是直接运行 httpd 的原因是您的 SSH 会话在“无限制”域中运行,因此在那里运行 httpd 不会触发任何 SELinux 转换......通过 systemd 启动时,它将在启动守护程序时应用正确的 SELinux 权限。
您可以通过使用chcon命令更改这些文件的 SELinux“类型”来临时解决这个问题:
$ sudo chcon -t httpd_log_t /var/www/local.com/*.log
$ ls -Z /var/www/local.com/
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 access.log
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 error.log
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 public_html
那时,通过 systemctl 启动 httpd 会正常工作...
但这不是一个很好的解决方案,因为如果重新创建这些文件(例如,在日志轮换期间)或者如果您的文件系统被重新标记,SELinux 类型将会丢失......
有一些方法可以使该类型更持久(例如,semanage fcontext命令),但是这个 SELinux 策略在这里尝试实施的是防止将 Web 内容与日志混淆,以防止意外提供日志文件或覆盖 Web 内容.
正确的答案是在/var/log/httpd, 或该目录的子目录下创建日志文件。如果你这样做,SELinux 类型从一开始就是正确的,在任何操作中都会保持正确,包括 SELinux 重新标记,一切都应该按预期工作。
所以,如果你可以把你的日志放在下面/var/log/httpd,那应该可以解决这个问题!
| 归档时间: |
|
| 查看次数: |
11452 次 |
| 最近记录: |