Add the Web Gateway to a Locked-Down Apache Installation (UNIX®/Linux/macOS)
In some cases—most notably, Security Enhanced Linux (SELinux) on RHEL systems—the Apache web server is locked-down; it cannot access files outside of the Apache file system without additional configuration. Without this additional configuration, attempted Web Gateway connections result in an HTTP 403 Forbidden error.
If the installer automatically configured a web server connection for your InterSystems IRIS instance or your standalone Web Gateway, then the installer has already performed the additional configuration steps necessary to enable Web Gateway connections on SELinux systems. This page provides the instructions necessary to perform this additional configuration manually.
Two solutions are available:
-
Modify the security context for the Web Gateway’s home directory so that Apache can access files held in this location. This is often the most straightforward solution.
-
Move the Web Gateway’s home directory to a location under the Apache root file system (which is pre-configured to be accessible to Apache in the SELinux setup).
Modify the Security Context for the Web Gateway Files
First, modifying the SELinux security context for the Web Gateway’s home directory involves the following steps.
We use, as an example, a Web Gateway home directory of /opt/webgateway/bin, the InterSystems IRIS Superserver listening on port 1972 and InterSystems IRIS installed in /usr/iris/.
The chcon command sets file context and takes effect immediately.
sudo chcon -R -t httpd_sys_content_t /usr/iris/csp
sudo chcon -R -t httpd_sys_rw_content_t /opt/webgateway/conf/CSP.ini
sudo chcon -R -t httpd_sys_rw_content_t /opt/webgateway/conf/CSPRT.ini
sudo chcon -R -t httpd_sys_rw_content_t /opt/webgateway/logs/CSP.log
sudo chcon -t httpd_modules_t /opt/webgateway/bin/CSPa2.so
sudo chcon -t httpd_modules_t /opt/webgateway/bin/CSPa2Sys.so
sudo chcon -t httpd_modules_t /opt/webgateway/bin/CSPa22.so
sudo chcon -t httpd_modules_t /opt/webgateway/bin/CSPa22Sys.so
sudo chcon -t httpd_modules_t /opt/webgateway/bin/CSPa24.so
sudo chcon -t httpd_modules_t /opt/webgateway/bin/CSPa24Sys.so
However, changes made by the chcon command are lost after the next relabeling; therefore it is necessary use the semanage fcontext facility in addition to chcon. The following commands allow the Web Gateway to run when SELinux is enforced:
semanage fcontext -a -t lib_t "/opt/webgateway/bin/(.*\.so)?" 2> /dev/null
semanage fcontext -a -t httpd_sys_rw_content_t "/opt/webgateway/bin/temp(/.*)?" 2> /dev/null
semanage fcontext -a -t httpd_sys_rw_content_t "/opt/webgateway/bin/CSP(.*\.ini)?" 2> /dev/null
semanage fcontext -a -t httpd_sys_rw_content_t "/opt/webgateway/bin/CSP.log" 2> /dev/null
restorecon -vr /opt/webgateway/bin > /dev/null
Then use the commands shown below. Note that it is extremely important to properly set the context of the Superserver port (as shown in the last line); otherwise, the Web Gateway will not be able to access it, resulting in "Server unavailable" errors.
sudo /usr/sbin/semanage fcontext -a -t httpd_sys_content_t
"/usr/iris/csp(/.)?"
sudo /usr/sbin/semanage fcontext -a -t httpd_sys_rw_content_t
"/opt/webgateway/conf/CSP.ini"
sudo /usr/sbin/semanage fcontext -a -t httpd_sys_rw_content_t
"/opt/webgateway/conf/CSPRT.ini"
sudo /usr/sbin/semanage fcontext -a -t httpd_sys_rw_content_t
"/opt/webgateway/logs/CSP.log"
sudo /usr/sbin/semanage fcontext -a -t httpd_modules_t
"/opt/webgateway/bin/CSPa2.so"
sudo /usr/sbin/semanage fcontext -a -t httpd_modules_t
"/opt/webgateway/bin/CSPa2Sys.so"
sudo /usr/sbin/semanage fcontext -a -t httpd_modules_t
"/opt/webgateway/bin/CSPa22.so"
sudo /usr/sbin/semanage fcontext -a -t httpd_modules_t
"/opt/webgateway/bin/CSPa22Sys.so"
sudo /usr/sbin/semanage fcontext -a -t httpd_modules_t
"/opt/webgateway/bin/CSPa24.so"
sudo /usr/sbin/semanage fcontext -a -t httpd_modules_t
"/opt/webgateway/bin/CSPa24Sys.so"
sudo /usr/sbin/semanage port -a -t http_port_t -p tcp 51773
These are the basic steps for granting the Web Gateway (operating in the context of the hosting Apache server) access to files in its home directory.