Skip to main content

Add the Web Gateway to a Locked-Down Apache Installation (UNIX®/Linux/macOS)

In some cases—most notably, Security Enhanced Linux (SELinux) on RHEL systems—the Apache web server is locked-down; it cannot access files outside of the Apache file system without additional configuration. Without this additional configuration, attempted Web Gateway connections result in an HTTP 403 Forbidden error.

If the installer automatically configured a web server connection for your InterSystems IRIS instance or your standalone Web Gateway, then the installer has already performed the additional configuration steps necessary to enable Web Gateway connections on SELinux systems. This page provides the instructions necessary to perform this additional configuration manually.

Two solutions are available:

  • Modify the security context for the Web Gateway’s home directory so that Apache can access files held in this location. This is often the most straightforward solution.

  • Move the Web Gateway’s home directory to a location under the Apache root file system (which is pre-configured to be accessible to Apache in the SELinux setup).

Modify the Security Context for the Web Gateway Files

First, modifying the SELinux security context for the Web Gateway’s home directory involves the following steps.

We use, as an example, a Web Gateway home directory of /opt/webgateway/bin, the InterSystems IRIS Superserver listening on port 1972 and InterSystems IRIS installed in /usr/iris/.

The chcon command sets file context and takes effect immediately.

sudo chcon -R -t httpd_sys_content_t /usr/iris/csp
sudo chcon -R -t httpd_sys_rw_content_t /opt/webgateway/conf/CSP.ini
sudo chcon -R -t httpd_sys_rw_content_t /opt/webgateway/conf/CSPRT.ini
sudo chcon -R -t httpd_sys_rw_content_t /opt/webgateway/logs/CSP.log
sudo chcon -t httpd_modules_t /opt/webgateway/bin/CSPa2.so
sudo chcon -t httpd_modules_t /opt/webgateway/bin/CSPa2Sys.so
sudo chcon -t httpd_modules_t /opt/webgateway/bin/CSPa22.so
sudo chcon -t httpd_modules_t /opt/webgateway/bin/CSPa22Sys.so
sudo chcon -t httpd_modules_t /opt/webgateway/bin/CSPa24.so
sudo chcon -t httpd_modules_t /opt/webgateway/bin/CSPa24Sys.so

However, changes made by the chcon command are lost after the next relabeling; therefore it is necessary use the semanage fcontext facility in addition to chcon. The following commands allow the Web Gateway to run when SELinux is enforced:

semanage fcontext -a -t lib_t "/opt/webgateway/bin/(.*\.so)?" 2> /dev/null
semanage fcontext -a -t httpd_sys_rw_content_t "/opt/webgateway/bin/temp(/.*)?" 2> /dev/null
semanage fcontext -a -t httpd_sys_rw_content_t "/opt/webgateway/bin/CSP(.*\.ini)?" 2> /dev/null
semanage fcontext -a -t httpd_sys_rw_content_t "/opt/webgateway/bin/CSP.log" 2> /dev/null
restorecon -vr /opt/webgateway/bin > /dev/null

Then use the commands shown below. Note that it is extremely important to properly set the context of the Superserver port (as shown in the last line); otherwise, the Web Gateway will not be able to access it, resulting in "Server unavailable" errors.

sudo /usr/sbin/semanage fcontext -a -t httpd_sys_content_t
    "/usr/iris/csp(/.)?"
sudo /usr/sbin/semanage fcontext -a -t httpd_sys_rw_content_t
    "/opt/webgateway/conf/CSP.ini"
sudo /usr/sbin/semanage fcontext -a -t httpd_sys_rw_content_t
    "/opt/webgateway/conf/CSPRT.ini"
sudo /usr/sbin/semanage fcontext -a -t httpd_sys_rw_content_t
    "/opt/webgateway/logs/CSP.log"
sudo /usr/sbin/semanage fcontext -a -t httpd_modules_t
    "/opt/webgateway/bin/CSPa2.so"
sudo /usr/sbin/semanage fcontext -a -t httpd_modules_t
    "/opt/webgateway/bin/CSPa2Sys.so"
sudo /usr/sbin/semanage fcontext -a -t httpd_modules_t
    "/opt/webgateway/bin/CSPa22.so"
sudo /usr/sbin/semanage fcontext -a -t httpd_modules_t
   "/opt/webgateway/bin/CSPa22Sys.so"
sudo /usr/sbin/semanage fcontext -a -t httpd_modules_t
    "/opt/webgateway/bin/CSPa24.so"
sudo /usr/sbin/semanage fcontext -a -t httpd_modules_t
    "/opt/webgateway/bin/CSPa24Sys.so"
sudo /usr/sbin/semanage port -a -t http_port_t -p tcp 51773

These are the basic steps for granting the Web Gateway (operating in the context of the hosting Apache server) access to files in its home directory.

Move the Web Gateway Directory

An alternative approach (and the one that should be used if the method suggested above is not acceptable) is to configure the Web Gateway to work within the pre-configured directories provided by Apache. The following commands assume that Apache is installed in /usr/apache.

  • CGI modules should be copied to: /usr/apache/cgi-bin/

    cp /usr/iris/csp/bin/*cgi* /usr/apache/cgi-bin/
    
  • API modules should be copied to: /usr/apache/modules/

    cp /usr/iris/csp/bin/*.so /usr/apache/modules/
    
  • Static files should be copied to locations under: /usr/apache/htdocs/

    cp /usr/iris/csp/samples/* /usr/apache/htdocs/csp/samples/
    cp /usr/iris/csp/broker/* /usr/apache/htdocs/csp/broker/
    cp /usr/iris/csp/sys/* /usr/apache/htdocs/csp/sys/
    

    Also, copy any sub-directories held under the above locations.

Having moved the Web Gateway installation, the appropriate changes to the paths specified in the Apache configuration must be made.

The sections below provide examples Apache configuration directives to configure the Web Gateway for each deployment option. Note that these examples configure the Apache server to invoke the Web Gateway globally, but only for InterSystems file types; your configuration directives should invoke the Web Gateway to serve requests according to your organization’s needs.

Recommended Option: Apache API Modules (CSPa24.so)

LoadModule cspsys_module_sa /usr/apache/modules/CSPap24.so
CSPSYSModulePath /usr/apache/modules/
CSPFileTypes csp cls zen cxw

Alternative Option 1: Apache API Module with NSD (mod_csp.so)

LoadModule csp_module /usr/apache/modules/mod_csp.so
CSPFileTypes csp cls zen cxw 
ScriptAliasMatch /csp/bin/Systems/Module.cxw "/usr/apache/cgi-bin/nph-CSPcgiSys" 
ScriptAliasMatch /csp/bin/RunTime/Module.cxw "/usr/apache/cgi-bin/nph-CSPcgi"

Alternative Option 2: CGI Modules with NSD (nph-CSPcgi)

<LocationMatch "/*\.([Cc][Ss][Pp]|[Cc][Ll][Ss]|[Zz][En][Nn])$">
AllowOverride None
Options FollowSymLinks ExecCGI
Require all granted
</LocationMatch>
ScriptAliasMatch /csp/bin/Systems/Module.cxw "/usr/apache/cgi-bin/nph-CSPcgiSys" 
ScriptAliasMatch /csp/bin/RunTime/Module.cxw "/usr/apache/cgi-bin/nph-CSPcgi"
ScriptAliasMatch /*\.([Cc][Ss][Pp]|[Cc][Ll][Ss])$ "/usr/apache/cgi-bin/nph-CSPcgi"

Alternative Option 3: Built-in Apache API Module with NSD (mod_csp.c)

CSPFileTypes csp cls zen cxw 
ScriptAliasMatch /csp/bin/Systems/Module.cxw "/apache/cgi-bin/nph-CSPcgiSys" 
ScriptAliasMatch /csp/bin/RunTime/Module.cxw "/usr/apache/cgi-bin/nph-CSPcgi"
FeedbackOpens in a new tab