Sysadmin Tips

Something I occasionally run into is 403 Forbidden errors on a website that should be totally accessible. After making sure it's not any of the typical issues like file permissions or an incorrect owner, it's usually SELinux that's the culprit. Even after years of administering Linux systems, I still don't have a great handle on how SELinux works, but I have come across a few useful commands that tend to help me move forward.

chcon -R -t httpd_sys_content_t /PATH/TO/ROOT/DIR
chcon -R -t httpd_sys_rw_content_t /PATH/TO/ROOT/DIR

These two commands relabel the directory tree so that the web server's SELinux domain is allowed to read the files you're hosting. The second one is only necessary if the web server itself needs to write into that directory (uploads, caches and the like).
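As an added example (not from the original post), here is a small POSIX shell script that first checks what type a web root currently carries and then labels it for httpd. One caveat worth knowing: a chcon label is lost the next time the filesystem is relabeled (restorecon, a forced autorelabel), so the script records the rule with semanage fcontext and applies it with restorecon, which survives a relabel. It assumes the standard httpd_sys_content_t and httpd_sys_rw_content_t types and the semanage tool from policycoreutils-python-utils on RHEL/CentOS; the `ls -Zd` line in the test is a constructed sample, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: check and persistently fix the SELinux type on a web root.
# Assumptions: standard httpd_* types; semanage and restorecon are installed.
# DRY_RUN=1 prints each command instead of running it.
: "${DRY_RUN:=0}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Extract the SELinux type (third field of the context) from one line of
# `ls -Zd DIR` output, e.g. "unconfined_u:object_r:default_t:s0 /var/www/html".
selinux_type_of() {
  printf '%s\n' "$1" | awk '{ split($1, ctx, ":"); print ctx[3] }'
}

# Return 0 when the type is one the httpd domain may read (or read and write).
is_httpd_type() {
  case "$1" in
    httpd_sys_content_t|httpd_sys_rw_content_t) return 0 ;;
    *) return 1 ;;
  esac
}

# fix_web_context DIR [rw]: record a persistent file-context rule for DIR and
# its contents, then apply it. Unlike chcon, the rule survives a relabel.
# If a rule for the pattern already exists, -a fails and -m modifies it.
fix_web_context() {
  dir=$1
  ctx_type=httpd_sys_content_t
  [ "${2:-}" = rw ] && ctx_type=httpd_sys_rw_content_t
  pattern="${dir}(/.*)?"
  run semanage fcontext -a -t "$ctx_type" "$pattern" \
    || run semanage fcontext -m -t "$ctx_type" "$pattern"
  run restorecon -Rv "$dir"
}
```

A typical use is `current=$(selinux_type_of "$(ls -Zd /var/www/html)")` followed by `is_httpd_type "$current" || fix_web_context /var/www/html`, so the relabel only happens when the directory actually carries the wrong type.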

Something I deal with pretty regularly is needing to open ports on a server, typically for HTTP, MySQL and various other services. In the past, iptables was used to handle this, but on more recent versions of CentOS and other Linux distros, FirewallD is the default.

Resisting my typical urge to keep using what I know, I've started using FirewallD for any new servers that I set up, but I can never seem to remember the commands I need to use, so I'm putting them here for my use, and for anybody else that may find this handy.

First, ensure that FirewallD is enabled and running on your server:

systemctl enable firewalld
systemctl start firewalld

Next, you need to create the rule for the port that you want to open:

firewall-cmd --zone=public --add-port=443/tcp --permanent

This command will open port 443 for TCP (change tcp to udp if that's what you want). The --permanent flag adds the rule permanently; if you don't include it, a reboot will lose your rule.

Any time you make changes to the permanent firewall rules, you need to reload the rule set before they take effect.

firewall-cmd --reload

And that should do it!

Other useful commands

firewall-cmd --list-all
Shows everything configured in the default zone, including the ports that have been opened

firewall-cmd --new-zone=office --permanent
firewall-cmd --reload
firewall-cmd --zone=office --add-source= --permanent
firewall-cmd --zone=office --add-port=4567/tcp --permanent
Adds a new zone and allows only a specific IP to connect to a specific port
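As an added example (not from the original post), the script below wraps both the open-a-port steps above and the restricted "office" zone in POSIX shell functions that validate their input before touching the firewall, and it ends the zone setup with the reload that makes the permanent rules live. It assumes FirewallD's standard zone model; the zone name office, the port 4567/tcp and the 192.0.2.0/24 network used in the test are constructed samples (192.0.2.0/24 is a documentation range), and DRY_RUN=1 prints the firewall-cmd invocations instead of executing them.

```shell
#!/bin/sh
# Added example: firewall-cmd wrappers with input validation.
# Assumptions: standard FirewallD zones; sample values are constructed.
# DRY_RUN=1 prints each command instead of running it.
: "${DRY_RUN:=0}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# validate_port PORT/PROTO: 0 when PORT is 1-65535 and PROTO is tcp or udp.
validate_port() {
  case "$1" in */tcp|*/udp) ;; *) return 1 ;; esac
  n=${1%/*}
  case "$n" in ''|*[!0-9]*) return 1 ;; esac
  [ "$n" -ge 1 ] && [ "$n" -le 65535 ]
}

# validate_cidr A.B.C.D/N: IPv4 CIDR check (four octets 0-255, prefix 0-32).
validate_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; pfx=${1#*/}
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# open_port PORT/PROTO [ZONE]: the permanent rule plus the reload that applies it.
open_port() {
  port=$1; zone=${2:-public}
  validate_port "$port" || { echo "bad port spec: $port" >&2; return 1; }
  run firewall-cmd --zone="$zone" --add-port="$port" --permanent
  run firewall-cmd --reload
}

# restrict_port_to_source ZONE CIDR PORT/PROTO: create a zone that admits
# PORT only from CIDR. The first reload makes the new zone known; the last
# one activates the source and port rules.
restrict_port_to_source() {
  zone=$1; src=$2; port=$3
  validate_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
  validate_port "$port" || { echo "bad port spec: $port" >&2; return 1; }
  run firewall-cmd --new-zone="$zone" --permanent
  run firewall-cmd --reload
  run firewall-cmd --zone="$zone" --add-source="$src" --permanent
  run firewall-cmd --zone="$zone" --add-port="$port" --permanent
  run firewall-cmd --reload
}
```

Run with `DRY_RUN=1 sh -c '. ./fw.sh; open_port 443/tcp'` to see exactly which firewall-cmd calls would be made before running them for real on a server; the validation rejects typos such as 70000/tcp or 443/icmp before they reach the firewall.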