New CentOS 7 install (Google Compute), can't add VirtualHost entries to /etc/httpd/conf.d/

Kenny Wyland asked:

I just did a base install and Apache 2.4 starts up just fine. I’m migrating from an old server which runs Apache 2.2.

When I put a file into /etc/httpd/conf.d that contains a VirtualHost definition and restart the server it crashes on startup. This VirtualHost definition is one I use from my previous server.

# systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
# systemctl -l status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2017-01-22 03:03:35 UTC; 10s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 20621 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 20620 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 20620 (code=exited, status=1/FAILURE)

Jan 22 03:03:35 production-frontend-0 systemd[1]: Starting The Apache HTTP Server...
Jan 22 03:03:35 production-frontend-0 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Jan 22 03:03:35 production-frontend-0 kill[20621]: kill: cannot find process ""
Jan 22 03:03:35 production-frontend-0 systemd[1]: httpd.service: control process exited, code=exited status=1
Jan 22 03:03:35 production-frontend-0 systemd[1]: Failed to start The Apache HTTP Server.
Jan 22 03:03:35 production-frontend-0 systemd[1]: Unit httpd.service entered failed state.
Jan 22 03:03:35 production-frontend-0 systemd[1]: httpd.service failed.
# 

Here are the contents of the conf file (with the domain name changed):

<VirtualHost *:80>
    ServerName mydomain.com
    ServerAlias www.mydomain.com
    <Directory /home/kenny/domains/mydomain.com/html>
        Options Indexes FollowSymLinks MultiViews ExecCGI Includes
        AllowOverride All
    </Directory>
    DocumentRoot /home/kenny/domains/mydomain.com/html
    CustomLog /home/kenny/domains/mydomain.com/logs/access.log combined
    ErrorLog /home/kenny/domains/mydomain.com/logs/error.log
    ScriptAlias /cgi-bin /home/kenny/domains/mydomain.com/cgi

    RewriteEngine on

    # Does the file exist?
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d 
    RewriteRule ^ http://mydomain.otherdomain.com [R,L]
</VirtualHost>

I’ve checked the file syntax:

# httpd -t
Syntax OK
#

If I remove the file and restart, then Apache starts up just fine. I’ve made sure that the permissions on my files match up with the existing conf files:

# ls -l
total 20
-rw-r--r--. 1 root root 2926 Nov 14 18:04 autoindex.conf
-rw-r--r--. 1 root root  366 Nov 14 18:05 README
-rw-r--r--. 1 root root 1252 Nov 14 16:53 userdir.conf
-rw-r--r--. 1 root root  674 Jan 22 03:03 vhost.mydomain.com.conf
-rw-r--r--. 1 root root  824 Nov 14 16:53 welcome.conf
#

Did something change in Apache 2.4 that is conflicting with my VirtualHost definition?

Are there some kind of security measures in place in a standard Google Compute instance that are rejecting my configuration?

Is there some configuration option that I tweaked years ago on my old server and I’ve just forgotten that I need to tweak on my Google Compute instance? 🙂

EDIT:

Found this in the error log:

Permission denied: AH00649: could not open transfer log file /home/kenny/domains/mydomain.com/logs/access.log.
AH00015: Unable to open logs

I checked httpd.conf and it says the server runs as User:Group apache:apache. So I did the following to ensure apache had permission to write those log files:

chgrp -R apache /home/kenny/domains
chmod g+w /home/kenny/domains/mydomain.com/logs

I still get the error. I even tried:

touch /home/kenny/domains/mydomain.com/logs/access.log
chown kenny:apache /home/kenny/domains/mydomain.com/logs/access.log
chmod g+w /home/kenny/domains/mydomain.com/logs/access.log

Still giving me the error. I ensured that the ancestor path is executable to apache as well.

/home/kenny is owned by kenny:kenny and is 755
/home/kenny/domains is owned by kenny:apache and is 755
/home/kenny/domains/mydomain.com is owned by kenny:apache and is 755
/home/kenny/domains/mydomain.com/logs is owned by kenny:apache and is 775
/home/kenny/domains/mydomain.com/logs/access.log is owned by kenny:apache and is 664

Contents of the audit.log:

type=AVC msg=audit(1485115416.525:2112): avc:  denied  { open } for  pid=25759 comm="httpd" path="/home/kenny/domains/mydomain.com/logs/access.log" dev="sda1" ino=36516072 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1485115416.525:2112): arch=c000003e syscall=2 success=no exit=-13 a0=7f6620cd15a8 a1=80441 a2=1b6 a3=ffffff00 items=0 ppid=1 pid=25759 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SERVICE_START msg=audit(1485115416.567:2113): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed

My answer:


You’re running CentOS 7, which has SELinux enabled by default.

When you try to start Apache, it tries to load files in a user’s home directory, which isn’t permitted by default.

You can allow Apache to read files in users’ home directories by setting the appropriate boolean, httpd_read_user_content. It would be a better idea to relocate the web content to somewhere more appropriate, such as under /srv/www or /var/www.

However, there is no SELinux boolean to allow the web server to write to user home directories, which of course is inherently dangerous. You really should move the log files elsewhere. The standard location is /var/log/httpd. If users need to be able to read them, you can set permissions for them to do so.
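As an added illustration (not part of the original answer), the script below triages the AVC record from the question the way the answer reasons: it reads the source and target SELinux types, decodes the open(2) flags word from the matching SYSCALL record to tell a read from a write, and reports whether a boolean can help or the file has to move. It assumes x86_64 syscall numbering (2 = open, 257 = openat) and uses shortened copies of the question's audit lines as constructed sample input.

```shell
#!/bin/bash
# Constructed sample records, shortened from the question's audit.log.
AVC_LINE='type=AVC msg=audit(1485115416.525:2112): avc:  denied  { open } for  pid=25759 comm="httpd" path="/home/kenny/domains/mydomain.com/logs/access.log" dev="sda1" ino=36516072 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
SYSCALL_LINE='type=SYSCALL msg=audit(1485115416.525:2112): arch=c000003e syscall=2 success=no exit=-13 a0=7f6620cd15a8 a1=80441 a2=1b6 a3=ffffff00 items=0 ppid=1 pid=25759 comm="httpd" exe="/usr/sbin/httpd"'

# Extract one key=value field from an audit record, dropping surrounding quotes.
field() { # $1 record, $2 key
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Type component of a context such as system_u:system_r:httpd_t:s0 -> httpd_t
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Flags word of the denied open: a1 for open(2), a2 for openat(2) (x86_64 assumed).
open_flags() { # $1 SYSCALL record
    case $(field "$1" syscall) in
        2)   field "$1" a1 ;;
        257) field "$1" a2 ;;
        *)   echo 0 ;;
    esac
}

# Access mode from the low two bits of the flags: O_RDONLY=0, O_WRONLY=1, O_RDWR=2.
open_mode() { # $1 hex flags word
    case $(( 0x${1:-0} & 3 )) in
        0) echo read ;; 1) echo write ;; 2) echo readwrite ;; *) echo unknown ;;
    esac
}

# Verdict: "boolean" (httpd reading home content: httpd_read_user_content applies),
# "relocate" (httpd writing home content: no boolean exists, move the file), or "unrelated".
recommend() { # $1 AVC record, $2 matching SYSCALL record
    [ "$(ctx_type "$(field "$1" scontext)")" = httpd_t ] || { echo unrelated; return; }
    [ "$(ctx_type "$(field "$1" tcontext)")" = user_home_t ] || { echo unrelated; return; }
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_ ]*\)}.*/\1/p')
    mode=$(open_mode "$(open_flags "$2")")
    case " $perms $mode" in
        *" write"*|*" append"*|*" create"*|*" readwrite"*) echo relocate ;;
        *) echo boolean ;;
    esac
}

# Stand-alone run: summarise the denial and the recommended fix.
printf 'httpd: %s open of %s %s -> %s\n' \
    "$(open_mode "$(open_flags "$SYSCALL_LINE")")" "$(field "$AVC_LINE" tclass)" \
    "$(field "$AVC_LINE" path)" "$(recommend "$AVC_LINE" "$SYSCALL_LINE")"
```

The flags 0x80441 in the question's SYSCALL record carry O_WRONLY, O_CREAT and O_APPEND, which is why the verdict for the access.log denial is "relocate" rather than a boolean.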


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.