LPI 202-450 Exam Dumps & Practice Test Questions
Question 1:
Which configuration directive in Apache HTTPD activates HTTPS support?
A. HTTPSEngine on
B. SSLEngine on
C. SSLEnable on
D. HTTPSEnable on
E. StartTLS on
Answer: B
Explanation:
In Apache HTTPD, the directive used to activate HTTPS support is SSLEngine on. This directive enables the SSL/TLS protocol for encrypted communication over HTTPS. Without this setting, the server will not use SSL/TLS and therefore will not support secure HTTPS connections.
Let’s look at each option:
A. HTTPSEngine on:
This is not a valid directive in Apache HTTPD. The SSLEngine directive is what activates HTTPS support.
B. SSLEngine on:
This is the correct directive. The SSLEngine directive enables SSL/TLS encryption for HTTP traffic, allowing the server to support HTTPS connections. When this directive is set to on, Apache will listen for secure connections and use SSL/TLS to encrypt data between the server and the client.
C. SSLEnable on:
This is not a valid directive in Apache HTTPD. The correct directive is SSLEngine on to enable SSL/TLS.
D. HTTPSEnable on:
This is not a valid directive in Apache HTTPD. HTTPS is enabled using the SSLEngine on directive, not HTTPSEnable.
E. StartTLS on:
This is also incorrect. StartTLS is a protocol used for upgrading plain text connections to encrypted ones, typically in email protocols like SMTP or IMAP, but it is not used in Apache HTTPD for enabling HTTPS.
Thus, the correct answer is B — SSLEngine on.
Question 2:
Regarding Apache HTTPD's Alias and Redirect directives, which of the following statements are correct? (Select two.)
A. Alias only applies to files within DocumentRoot
B. Redirect supports regular expressions
C. Redirect is processed on the client side
D. Alias is processed on the server side
E. Alias is not a recognized directive
Answer: C, D
Explanation:
The Alias and Redirect directives in Apache HTTPD serve different purposes, and it's important to understand how they function in the server configuration.
Let’s go over each statement:
A. Alias only applies to files within DocumentRoot:
This statement is incorrect. The Alias directive does not require the DocumentRoot to apply. It maps a URL path to a specific directory on the filesystem, and this can be outside the DocumentRoot. For example, it can map a URL like /images to a directory elsewhere on the system.
B. Redirect supports regular expressions:
This statement is incorrect. The Redirect directive in Apache does not support regular expressions. It supports simple URL redirection from one URL to another. For more complex URL matching or pattern matching, mod_rewrite should be used, which provides support for regular expressions.
C. Redirect is processed on the client side:
This is correct. The Redirect directive sends an HTTP 301 (permanent) or 302 (temporary) status code to the client, instructing it to perform the redirection. The client (browser or other HTTP client) then issues the request to the new URL. Therefore, the redirect happens on the client side.
D. Alias is processed on the server side:
This is correct. The Alias directive is processed on the server side. It maps a URL path to a specific directory on the server’s filesystem. When the server receives a request for a URL that matches the alias, it will serve the content from the corresponding filesystem path.
E. Alias is not a recognized directive:
This is incorrect. Alias is a valid and recognized directive in Apache HTTPD. It is used to map a URL to a directory or file on the server.
In conclusion, the correct answers are C and D. The Redirect directive is processed on the client side, and the Alias directive is processed on the server side.
Question 3:
In Squid, which http_access line allows users from the sales_net ACL to access the internet only during the time windows defined in the sales_time ACL?
A. http_access deny sales_time sales_net
B. http_access allow sales_net sales_time
C. http_access allow sales_net and sales_time
D. allow http_access sales_net sales_time
E. http_access sales_net sales_time
Answer: B
Explanation:
In Squid, access control is managed through the http_access directive in combination with Access Control Lists (ACLs). To allow or deny specific users or networks access to the internet under particular conditions (like time restrictions), Squid uses ACLs for both the source (like IP addresses or users) and conditions (like time).
In this case:
sales_net is assumed to be an ACL defining a group of users or IP ranges.
sales_time is another ACL that defines a time period during which access should be granted.
The correct syntax for http_access in this scenario should follow the standard structure:
http_access allow <source_acl> <time_acl>
Here’s how the options compare:
Option A is incorrect: This denies access when both sales_net and sales_time match, which is the opposite of the desired behavior.
Option B is correct: It allows access only when both sales_net (source) and sales_time (time constraint) match. This is the intended logic—to grant access to sales_net users only during sales_time.
Option C is incorrect: The use of and is not valid syntax in Squid ACL rules. ACLs are listed in order and evaluated accordingly.
Option D is invalid syntax: allow http_access is not a valid Squid directive.
Option E is incomplete and improperly structured: There is no allow or deny action defined, so it's syntactically invalid.
Therefore, the correct access rule is:
http_access allow sales_net sales_time
This configuration allows users in sales_net to access the internet, but only during the time window defined in sales_time, making Option B the correct choice.
Question 4:
Which global directive in the squid.conf file sets the port(s) on which Squid listens for client requests?
A. port
B. client_port
C. http_port
D. server_port
E. squid_port
Answer: C
Explanation:
In Squid’s configuration file (squid.conf), the directive used to specify which TCP port(s) Squid listens on for incoming HTTP client requests is:
http_port
This directive configures the port or ports that the Squid proxy server uses to accept requests from client devices, such as web browsers. For example:
http_port 3128
is a common configuration line that tells Squid to listen on port 3128, which is one of the standard ports for HTTP proxy servers.
Let’s evaluate the other options:
Option A (port): This is too generic and not a valid directive in Squid. There is no directive simply named port.
Option B (client_port): Not a valid directive in Squid configuration. The port used by clients to communicate with Squid is defined using http_port.
Option C (http_port): This is correct. It defines the port or interface Squid listens on for client HTTP requests.
Option D (server_port): Not a valid directive in Squid. Squid doesn’t use a server_port directive to define any client-facing or upstream server behavior.
Option E (squid_port): This is not a recognized Squid directive and does not exist in official configuration options.
Additionally, http_port can also accept more advanced options, such as specifying IP addresses, SSL options, or interception modes, depending on the deployment scenario.
Therefore, Option C is correct, as http_port is the standard directive to configure the listening ports for Squid client requests.
Question 5:
When configuring Apache HTTPD’s mod_authz_core, which of the following arguments are valid for use with the Require directive? (Select three.)
A. method
B. all
C. regex
D. header
E. expr
Answer: B, D, E
Explanation:
The Require directive in Apache HTTPD’s mod_authz_core module controls access based on various conditions. It's used to specify what is required to allow access to a resource. There are several valid arguments that can be used with the Require directive. Let’s go over each option:
A. method:
This is not a valid argument for the Require directive. The method argument is not part of mod_authz_core's accepted syntax. The Require directive typically works with access conditions such as all, header, expr, or user (among others).
B. all:
This is a valid argument for the Require directive. Require all is used to allow access to everyone without restriction. It is often used to grant general access to a resource, and can be part of a larger set of access rules.
C. regex:
While regex might seem plausible, it is not valid as a standalone argument for the Require directive. If you wish to use regular expressions in Apache's access control, you'd typically use mod_rewrite or other modules specifically supporting regex matching. The Require directive does not directly accept regex as a keyword.
D. header:
This is a valid argument for the Require directive. Require header allows access based on HTTP headers. For example, you can restrict access based on the presence or value of a particular HTTP header. This is useful for more granular access control using information passed with HTTP requests.
E. expr:
This is another valid argument for the Require directive. Require expr allows using Boolean expressions to determine access control. This is a powerful feature, enabling complex access conditions based on various server variables, request attributes, and custom logic.
Thus, the correct answers are B, D, and E. These are the valid arguments that can be used with the Require directive in mod_authz_core to control access in Apache HTTPD.
Question 6:
Which utility is used to create a Certificate Signing Request (CSR) for enabling HTTPS on Apache HTTPD?
A. apachect1
B. certgen
C. cartool
D. httpsgen
E. openssl
Answer: E
Explanation:
The openssl utility is used to generate a Certificate Signing Request (CSR), which is a crucial part of enabling HTTPS on Apache HTTPD (or any web server). A CSR is required when requesting a digital certificate from a Certificate Authority (CA). The openssl tool is widely used for working with SSL/TLS certificates, including CSR generation, private key creation, certificate signing, and verification.
Let’s break down each option:
A. apachect1:
This is not a recognized utility in the Apache HTTPD ecosystem. It seems to be a typo or incorrect option.
B. certgen:
certgen is not a standard Apache HTTPD utility for creating a CSR. It might refer to a tool used in some contexts, but it's not used for creating CSRs in Apache HTTPD.
C. cartool:
cartool is not a standard tool used for creating CSRs either. It is not associated with Apache HTTPD or SSL/TLS certificate management.
D. httpsgen:
httpsgen is not a standard utility for generating CSRs. While it might sound relevant, it’s not the tool commonly used for this task.
E. openssl:
This is the correct tool. openssl is the standard utility used for generating CSRs and managing SSL/TLS certificates. To generate a CSR, you typically use a command like:
openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr
This command creates a CSR (myserver.csr) and a corresponding private key (myserver.key), which can be submitted to a Certificate Authority (CA) to request an SSL certificate for HTTPS.
Thus, the correct answer is E — openssl.
Question 7:
If a Certificate Authority (CA) provides both a server certificate and an intermediate certificate, what should be done with the intermediate certificate when configuring Apache HTTPD?
A. Combine it with the server certificate and specify it using SSLCertificateFile
B. Use it for verification purposes only and delete it afterward
C. Store it separately and reference it via SSLCACertificateFile
D. Import it into the browser's certificate store for testing
E. Archive it and send it back to the CA for renewal
Answer: C
Explanation:
When setting up Apache HTTPD to support SSL/TLS using certificates provided by a Certificate Authority (CA), you often receive a server certificate (specific to your domain) and one or more intermediate certificates. Intermediate certificates form a chain of trust between your server’s certificate and the CA’s root certificate. For the SSL certificate to be trusted by clients (like web browsers), this chain must be properly established and delivered during the TLS handshake.
The Apache HTTP Server uses the SSLCertificateFile directive for the server’s certificate and the SSLCACertificateFile directive to specify one or more intermediate certificates.
Option A is incorrect: The SSLCertificateFile should contain only the server certificate. Although in some setups you might see the intermediate certificate concatenated with the server certificate in a single file, this is not the recommended practice for Apache HTTPD and can cause issues with some clients.
Option B is incorrect: Intermediate certificates must be presented to clients during the TLS handshake. Simply using them for local verification and deleting them afterward would break the certificate chain for client connections.
Option C is correct: The intermediate certificate should be stored in a separate file and referenced using the SSLCACertificateFile directive in your Apache configuration. This ensures that the full certificate chain is sent to clients, allowing them to validate the server certificate correctly.
Option D is incorrect: While importing the intermediate certificate into the browser might help on a test machine, this is not scalable or proper server configuration. The server must be responsible for presenting the full chain.
Option E is incorrect: The intermediate certificate is not something you "send back" to the CA for renewal—it is issued by the CA and used until expiration.
In summary, Apache requires a properly configured certificate chain, and this is done by using SSLCertificateFile for the server certificate and SSLCACertificateFile for the intermediate certificate(s). This makes Option C the correct answer.
Question 8:
In OpenLDAP, what happens if rootdn and rootpw are omitted from the slapd.conf file?
A. The admin account defaults to "admin" with password "admin"
B. The admin account is determined by an ACL
C. The default admin account is used with no password
D. The admin account is specified in /etc/ldap.secret
E. The admin account is defined in /etc/ldap.root.conf
Answer: B
Explanation:
In OpenLDAP, the rootdn directive in the slapd.conf file specifies the Distinguished Name (DN) of the superuser for the LDAP directory. This account bypasses normal Access Control Lists (ACLs) and has full administrative rights. The rootpw defines the password associated with this superuser.
However, if both rootdn and rootpw are omitted, OpenLDAP does not default to any pre-set administrative account. Instead, authorization is governed entirely by the configured ACLs, meaning that administrative access is not granted unless explicitly defined.
Option A is incorrect: OpenLDAP does not assign a default “admin/admin” credential. Such behavior would be a severe security flaw.
Option B is correct: Without rootdn, OpenLDAP falls back on the ACLs to determine access privileges. That means any administrative actions, including adding, modifying, or deleting entries, must be permitted by the Access Control Lists already defined in the configuration.
Option C is incorrect: There is no default admin with no password unless explicitly configured. OpenLDAP enforces access controls rigorously.
Option D is incorrect: The /etc/ldap.secret file may contain credentials for LDAP clients but is not used by the server to define administrative accounts.
Option E is also incorrect: There is no default file named /etc/ldap.root.conf used by OpenLDAP for this purpose.
When rootdn and rootpw are not defined, OpenLDAP relies on existing directory entries and ACL rules to determine who has access. Therefore, administrative capabilities must be granted through appropriate ACLs to specific DNs.
In conclusion, the absence of rootdn and rootpw means administrative access is managed through ACLs, making Option B the correct choice.
Question 9:
Which Apache HTTPD directive is used to specify the location of the server's SSL certificate file?
A. SSLCertificatePath
B. SSLCertificateFile
C. SSLKeyFile
D. SSLChainFile
E. SSLCertificateSource
Answer: B
Explanation:
In Apache HTTPD, the directive used to specify the location of the server's SSL certificate file is SSLCertificateFile. This directive tells Apache where to find the SSL certificate that will be used for securing HTTPS traffic.
Let’s look at each option:
A. SSLCertificatePath:
This directive is used to specify the directory where Apache can find multiple certificate files, rather than a single file. This is not the correct directive for specifying the SSL certificate itself.
B. SSLCertificateFile:
This is the correct directive. SSLCertificateFile specifies the file path of the server's SSL certificate. This file is typically provided by a Certificate Authority (CA) after the Certificate Signing Request (CSR) has been processed.
C. SSLKeyFile:
This directive is used to specify the location of the private key file, not the SSL certificate. The private key is a critical part of the SSL/TLS process, but it's not the certificate itself.
D. SSLChainFile:
The SSLChainFile directive is used to specify the location of the intermediate certificate chain provided by the CA, not the server's main SSL certificate.
E. SSLCertificateSource:
This is not a valid directive in Apache HTTPD. The correct directive for specifying the SSL certificate file is SSLCertificateFile.
Therefore, the correct answer is B — SSLCertificateFile.
Question 10:
In Squid, which directive is used to define a set of IP addresses or subnets for access control?
A. allow_ip_range
B. src_acl
C. acl
D. ip_access
E. http_acl
Answer: C
Explanation:
In Squid, the directive used to define a set of IP addresses or subnets for access control is acl. Squid’s Access Control List (ACL) directives are used to define rules that specify which clients or servers are allowed or denied access to the Squid proxy server.
Let’s look at each option:
A. allow_ip_range:
This is not a valid directive in Squid. To define IP ranges or subnets, you should use acl with the appropriate conditions.
B. src_acl:
While Squid does have an ACL condition called src to define source IP addresses, src_acl itself is not a valid directive. The correct directive would be acl followed by the src condition.
C. acl:
This is the correct directive. The acl directive in Squid is used to define access control lists, which can specify IP addresses, networks, and other parameters. For example, you can define an ACL to allow access only from certain IP addresses or subnets.
D. ip_access:
This is not a valid directive in Squid. IP address restrictions are handled by the acl directive in Squid, not by ip_access.
E. http_acl:
This is not a valid directive in Squid. Squid’s ACL directives are not prefixed with http_acl.
Thus, the correct answer is C — acl.
