On-premises installation security
Security Enhanced Linux (SELinux) enables CentOS and Ubuntu administrators greater access control over their servers. If you are using SELinux and Apache must initiate a connection to another host, you must run the commands discussed in this section.
Suggestion for installing with Apache
If you choose to enable SELinux, you might have issues running the installer unless you change the security context of some directories as follows:
chcon -R --type httpd_sys_rw_content_t <magento_root>/app/etc
chcon -R --type httpd_sys_rw_content_t <magento_root>/var
chcon -R --type httpd_sys_rw_content_t <magento_root>/pub/media
chcon -R --type httpd_sys_rw_content_t <magento_root>/pub/static
chcon -R --type httpd_sys_rw_content_t <magento_root>/generated
The preceding commands work only with the Apache web server. Because of the variety of configurations and security requirements, we do not guarantee these commands work in all situations. For more information, see:
Enable inter-server communication
If Apache and the database server are on the same host, use the following command if you plan to use integrations that use curl (ex. Paypal and USPS).
To enable Apache to initiate a connection to another host with SELinux enabled:
-
To determine if SELinux is enabled, use the following command:
code language-bash getenforceEnforcingdisplays to confirm that SELinux is running.- CentOS:
setsebool -P httpd_can_network_connect=1 - Ubuntu:
setsebool -P apache2_can_network_connect=1
- CentOS:
Opening ports in your firewall
Depending on your security requirements, you might find it necessary to open port 80 and other ports in your firewall. Because of the sensitive nature of networking security, Adobe strongly recommends that you consult with your IT department before proceeding. Following are some suggested references:
- Ubuntu: Ubuntu documentation page
- CentOS: CentOS how-to.