Annotation of doc/loncapafiles/webserver.piml, revision 1.51

1.8       harris41    1: <!DOCTYPE piml PUBLIC "-//TUX/DTD piml 1.0 Final//EN" 
                      2: 	"http://lpml.sourceforge.net/DTD/piml.dtd">
1.1       harris41    3: <!-- webserver.piml -->
                      4: 
1.51    ! raeburn     5: <!-- $Id: webserver.piml,v 1.50 2020/01/06 15:47:10 raeburn Exp $ -->
1.1       harris41    6: 
                      7: <!--
                      8: 
                      9: Copyright Michigan State University Board of Trustees
                     10: 
                     11: This file is part of the LearningOnline Network with CAPA (LON-CAPA).
                     12: 
                     13: LON-CAPA is free software; you can redistribute it and/or modify
                     14: it under the terms of the GNU General Public License as published by
                     15: the Free Software Foundation; either version 2 of the License, or
                     16: (at your option) any later version.
                     17: 
                     18: LON-CAPA is distributed in the hope that it will be useful,
                     19: but WITHOUT ANY WARRANTY; without even the implied warranty of
                     20: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
                     21: GNU General Public License for more details.
                     22: 
                     23: You should have received a copy of the GNU General Public License
                     24: along with LON-CAPA; if not, write to the Free Software
                     25: Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
                     26: 
                     27: /home/httpd/html/adm/gpl.txt
                     28: 
                     29: http://www.lon-capa.org/
                     30: 
                     31: -->
                     32: 
                     33: <!-- Default values must be defined before specific values. -->
                     34: <!-- If no 'dist' attribute is specified, then it is always installed. -->
                     35: <!-- If 'dist' attribute is set to  'default', then the specification. -->
                     36: <!-- is accepted if an alternative distribution is not requested or not -->
                     37: <!-- defined. -->
                     38: 
                     39: <piml>
1.6       harris41   40: <targetroot>/</targetroot>
1.2       harris41   41: <specialnotices>
                     42: <specialnotice>
                     43: </specialnotice>
                     44: </specialnotices>
1.1       harris41   45: <files>
                     46: <file>
                     47: <target dist='default'>/etc/httpd/conf/httpd.conf</target>
1.20      raeburn    48: <target dist='suse9.2 suse9.3 sles9'>/etc/httpd/httpd.conf</target>
1.45      raeburn    49: <target dist='sles10 sles11 sles12 sles15 suse10.1 suse10.2 suse10.3 suse11.1 suse11.2 suse11.3 suse11.4 suse12.1 suse12.2 suse12.3 suse13.1 suse13.2'>/etc/apache2/default-server.conf</target>
1.39      raeburn    50: <target dist='debian5 debian6 ubuntu6 ubuntu8 ubuntu10 ubuntu12'>/etc/apache2/sites-available/loncapa</target>
1.48      raeburn    51: <target dist='ubuntu14 ubuntu16 ubuntu18 ubuntu20'>/etc/apache2/conf-available/loncapa</target>
1.47      raeburn    52: <note>This is for Apache 1.X for Red Hat 4ES, Fedora 2, 3 and 4, SusSE 9.2 and 9.3, and SLES 9 distributions. This is for Apache 2.X for Fedora 5, Red Hat 5, CentOS 5, Scientific Linux 5, Oracle Linux 5, SuSE 10.1, SLES 10, Debian 5, Ubuntu LTS 8 and later distributions</note>
1.1       harris41   53: <dependencies dist='default'>
                     54: /etc/httpd/conf/httpd.conf
                     55: </dependencies>
1.20      raeburn    56: <dependencies dist='suse9.2 suse9.3 sles9'>
                     57: /etc/httpd/httpd.conf
                     58: </dependencies>
1.39      raeburn    59: <dependencies dist='debian5 debian6 ubuntu6 ubuntu8 ubuntu10 ubuntu12'>
1.25      raeburn    60: /etc/apache2/sites-available/loncapa
                     61: </dependencies>
1.48      raeburn    62: <dependencies dist='ubuntu14 ubuntu16 ubuntu18 ubuntu20'>
1.39      raeburn    63: /etc/apache2/conf-available/loncapa
                     64: </dependencies>
1.45      raeburn    65: <dependencies dist='sles10 sles11 sles12 sles15 suse10.1 suse10.2 suse10.3 suse11.1 suse11.2 suse11.3 suse11.4 suse12.1 suse12.2 suse12.3 suse13.1 suse13.2'>
1.20      raeburn    66: /etc/apache2/default-server.conf
                     67: </dependencies>
1.19      raeburn    68: <perlscript mode='fg' dist="default">
1.11      harris41   69: # Generated from doc/loncapafiles/webserver.piml
1.44      raeburn    70: use Socket;
                     71: use Sys::Hostname::FQDN();
1.1       harris41   72: unless (-e "<TARGET />") {
1.20      raeburn    73:   print '**** ERROR! <TARGET /> should exist! Are you missing the Apache '.
1.13      harris41   74:     'software package?';
1.11      harris41   75:   exit(1);
1.1       harris41   76: }
                     77: else {
1.32      raeburn    78:   # Append loncapa_apache.conf inclusion to httpd.conf 
1.39      raeburn    79:   # (or sites-available/loncapa or conf-available/loncapa) if not present.
1.9       harris41   80:   $flag=0;
1.11      harris41   81:   open(IN,'&lt;<TARGET />');
1.9       harris41   82:   while (&lt;IN&gt;) { 
                     83:     if (/^\s*Include\s+conf\/loncapa_apache.conf/) {
                     84:       $flag=1; 
                     85:     }
                     86:   }
1.11      harris41   87:   close(IN);
1.9       harris41   88:   unless ($flag==1) {
1.11      harris41   89:     open(OUT,'&gt;&gt;<TARGET />');
                     90:     print(OUT 'Include conf/loncapa_apache.conf'."\n");
                     91:     close(OUT);
1.9       harris41   92:   }
1.39      raeburn    93:   # Remove loncapa.conf inclusion from httpd.conf 
                     94:   # (or sites-available/loncapa or conf-available/loncapa) if present.
1.11      harris41   95:   $flag=0;
                     96:   open(IN,'&lt;<TARGET />');
                     97:   while (&lt;IN&gt;) {
                     98:     if (/^\s*Include\s+conf\/loncapa.conf/) {
                     99:       $flag=1;
                    100:     }
                    101:   }
                    102:   close(IN);
                    103:   $in='';
                    104:   if ($flag==1) {
                    105:     open(IN,'&lt;<TARGET />');
                    106:     while(&lt;IN&gt;) {
                    107:       $in.=$_ unless /^\s*Include\s+conf\/loncapa.conf/;
                    108:     }
                    109:     close(IN);
                    110:     open(OUT,'&gt;<TARGET />');
                    111:     print(OUT $in."\n");
                    112:     close(OUT);
1.13      harris41  113:   }
1.18      raeburn   114: 
                    115: # Checking for overlapping ScriptAlias and DocumentRoot definitions.
                    116:   $scriptalias_flag=0;
                    117:   $documentroot_flag=0;
                    118:   my $scriptalias;
                    119:   my $documentroot;
                    120:   open(IN,'&lt;<TARGET />');
                    121:   while (&lt;IN&gt;) {
                    122:     if (m!^\s*ScriptAlias\s+/cgi-bin/\s+(.*)$!) {
                    123:       $scriptalias = $1;
                    124:       if ($scriptalias !~ m!home/httpd/cgi-bin!) {
                    125:         $scriptalias_flag = 1;
                    126:       }
                    127:     }
                    128:     if (m!^\s*DocumentRoot\s+(.*)$!) {
                    129:       $documentroot = $1;
                    130:       if ($documentroot !~ m!home/httpd/html!) {
                    131:         $documentroot_flag = 1;
                    132:       }
                    133:     }
                    134:   }
                    135:   close(IN);
                    136:   if ($scriptalias_flag==1) {
1.32      raeburn   137:       my $conffile = '/etc/httpd/conf/httpd.conf';
                    138:       if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3' 
                    139:           || '<DIST />' eq 'sles9') {
                    140:           $conffile =  '/etc/httpd/httpd.conf';
                    141:       } elsif ('<DIST />' =~ /^(suse|sles)/) {
                    142:           $conffile = '/etc/apache2/default-server.conf';
                    143:       } elsif ('<DIST />' =~ /^(debian|ubuntu)/) {
                    144:           $conffile = '/etc/apache2/sites-available/loncapa';
                    145:       }
                    146:       print('**** ERROR **** '.$conffile.' has an overlapping definition of '.
                    147:             'ScriptAlias (it is incorrectly set to '.$scriptalias.').'."\n".
                    148:             'This conflicts with loncapa_apache.conf.'."\n");
1.18      raeburn   149:   }
                    150:   if ($documentroot_flag==1) {
1.32      raeburn   151:       print('**** ERROR **** '.$conffile.' has an overlapping definition of '.
                    152:             'DocumentRoot (it is incorrectly set to '.$documentroot.').'."\n".
                    153:             'This conflicts with loncapa_apache.conf.'."\n");
1.18      raeburn   154:   }
1.32      raeburn   155: 
                    156: # Checking for rewrites of http:// to https://
                    157:     my $rewrite_dir = '/etc/httpd/conf/rewrites';
                    158:     my $curr_rewrite = '/etc/httpd/conf/loncapa_rewrite.conf';
                    159:     if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3'
                    160:         || '<DIST />' eq 'sles9') {
                    161:         $rewrite_dir = '/etc/httpd/rewrites/';
                    162:         $curr_rewrite = '/etc/httpd/loncapa_rewrite.conf';
                    163:     } elsif ('<DIST />' =~ /^(suse|sles|debian|ubuntu)/) {
                    164:         $rewrite_dir = '/etc/apache2/rewrites';
                    165:         $curr_rewrite = '/etc/apache2/loncapa_rewrite.conf';
                    166:     }
                    167:     my $rewrite_off = $rewrite_dir.'/loncapa_rewrite_off.conf';
                    168:     my $rewrite_on = $rewrite_dir.'/loncapa_rewrite_on.conf';
                    169:     if (!-e $curr_rewrite) { 
                    170:         system("cp $rewrite_off $curr_rewrite");
                    171:         chmod(0644, $curr_rewrite);
                    172:     } else {
1.44      raeburn   173:         my ($not_rewrite_on,$not_rewrite_off,$rewrite_state);
1.32      raeburn   174:         if (open(PIPE, "diff --brief $rewrite_off $curr_rewrite |")) {
                    175:             my $diffres = &lt;PIPE&gt; ;
                    176:             close(PIPE);
                    177:             chomp($diffres);
                    178:             if ($diffres) {
                    179:                 $not_rewrite_off = 1;
1.44      raeburn   180:             } else {
                    181:                 $rewrite_state = 'off';
1.32      raeburn   182:             }
                    183:         }
                    184:         if (open(PIPE, "diff --brief $rewrite_on $curr_rewrite |")) {
                    185:             my $diffres = &lt;PIPE&gt; ;
                    186:             close(PIPE);
                    187:             chomp($diffres);
                    188:             if ($diffres) {
                    189:                 $not_rewrite_on = 1;
1.44      raeburn   190:             } else {
                    191:                 $rewrite_state = 'on';
1.32      raeburn   192:             }
                    193:         }
1.44      raeburn   194:         if ($not_rewrite_off && $not_rewrite_on) {
                    195:             print('**** WARNING **** '."\n".$curr_rewrite.' does not match '.
                    196:             'either:'."\n".$rewrite_on.' - the file used to enable rewriting '.
                    197:             'of requests for http:// to https:// '."\n".'or:'."\n".$rewrite_off.
1.32      raeburn   198:             ' - the file used to disable such rewriting'."\n\n".
                    199:             'This may be because '. $curr_rewrite.' has been '. 
1.49      raeburn   200:             'previously customized,'."\n".'or it may be because of a change '.  
1.32      raeburn   201:             'to the files in '.$rewrite_dir."\n");
1.44      raeburn   202:             if (open(my $fh,'&lt;',$curr_rewrite)) {
                    203:                 while(&lt;$fh&gt;) {
                    204:                     if (/^\s*RewriteEngine\s+(on|off)\s*$/i) {
                    205:                         if ($1 eq 'on') {
                    206:                             $rewrite_state = 'on';
                    207:                         } else {
                    208:                             $rewrite_state = 'off';
                    209:                         }
                    210:                         last;
                    211:                     }
                    212:                 }
                    213:             }
                    214:         }
                    215:         if ($rewrite_state eq 'on') {
                    216:         # Checking for rewrites of https:// to http://
                    217:             my ($gotrules,$rulestr,$ssldir);
                    218:             if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3'
                    219:                 || '<DIST />' eq 'sles9') {
                    220:                 $ssldir = '/etc/apache/vhosts.d';
                    221:             } elsif ('<DIST />' =~ /^(suse|sles)/) {
1.50      raeburn   222:                 $ssldir = '/etc/apache2/vhosts.d';
1.44      raeburn   223:             } elsif ('<DIST />' =~ /^(debian|ubuntu)/) {
                    224:                 $ssldir = '/etc/apache2/sites-available';
                    225:             } else {
                    226:                 $ssldir = '/etc/httpd/conf.d';
                    227:             }
                    228:             my $hostname = Sys::Hostname::FQDN::fqdn();
                    229:             my $hostip = Socket::inet_ntoa(scalar(gethostbyname($hostname)) || 'localhost');
1.51    ! raeburn   230:             my @expected = ('RewriteCond %{REQUEST_URI} ^/adm/wrapper/ext/(?!https:)',
1.46      raeburn   231:                             'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)',
                    232:                             'RewriteRule ^/adm/wrapper/ext/(?!https:\/\/) http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]',
1.44      raeburn   233:                             'RewriteCond %{REMOTE_ADDR} 127.0.0.1',
                    234:                             'RewriteRule (.*) - [L]');
                    235:             if (($hostip ne '') && ($hostip ne '127.0.0.1')) {
                    236:                 push(@expected,('RewriteCond %{REMOTE_ADDR} '.$hostip,
                    237:                                 'RewriteRule (.*) - [L]'));
                    238:             }
                    239:             push(@expected,('RewriteCond %{REQUEST_URI} ^/public/.*/syllabus$',
1.46      raeburn   240:                             'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)',
1.44      raeburn   241:                             'RewriteRule ^/public/.*/syllabus$ http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]'));
                    242:             if (-d $ssldir) {
                    243:                 my @rewrites;
                    244:                 if (opendir(my $dir,$ssldir)) {
                    245:                     my @sslconf_files;
                    246:                     foreach my $file (!grep(/^\.$/,readdir($dir))) {
                    247:                         if (open(my $fh,'&lt;',"$ssldir/$file")) {
                    248:                             while (&lt;$fh&gt;) {
                    249:                                 if (/^\s*&lt;VirtualHost\s+[^:]*\:443&gt;\s*$/) {
                    250:                                     push(@sslconf_files,$file);
                    251:                                     last;
                    252:                                 }
                    253:                             }
                    254:                             close($fh);
                    255:                         }
                    256:                     }
                    257:                     if (@sslconf_files) {
                    258:                         my @rewrites;
                    259:                         foreach my $file (@sslconf_files) {
                    260:                             if (open(my $fh,'&lt;',"$ssldir/$file")) {
                    261:                                 my ($rewrite,$num) = (0,0);
                    262:                                 while (&lt;$fh&gt;) {
                    263:                                     if ($rewrite) {
                    264:                                         if (/\s*&lt;\/IfModule&gt;/) {
                    265:                                             $rewrite = 0;
                    266:                                             $num ++;
                    267:                                         } else {
                    268:                                             chomp();
                    269:                                             s/^(\s+|\s+)$//g;
1.50      raeburn   270:                                             push(@{$rewrites[$num]},$_);
1.44      raeburn   271:                                         }
                    272:                                     } elsif (/^\s*&lt;IfModule\s+mod_rewrite.c&gt;/) {
                    273:                                         $rewrite = 1;
                    274:                                     }
                    275:                                 }
                    276:                                 close($fh);
                    277:                             }
                    278:                         }
                    279:                     }
                    280:                     closedir($dir);
                    281:                 }
                    282:                 if (@rewrites) {
                    283:                     foreach my $item (@rewrites) {
                    284:                         if (ref($item) eq 'ARRAY') {
                    285:                             my $found = 0;
                    286:                             foreach my $item (@rewrites) {
                    287:                                 foreach my $match (@expected) {
                    288:                                     if ($match eq $item) {
                    289:                                         $found ++;
                    290:                                         last;
                    291:                                     }
                    292:                                 }
                    293:                             }
                    294:                             if ($found &gt;= @expected) {
1.50      raeburn   295:                                 $gotrules = 1;
1.44      raeburn   296:                             }
                    297:                         }
                    298:                     }
                    299:                 }
                    300:             }
                    301:             unless ($gotrules) {
1.49      raeburn   302:                 print('**** WARNING **** '."\n".$curr_rewrite.' is currently set so rewrites '.
1.44      raeburn   303:                       'of http to https are enabled for most URLs.'."\n".
1.49      raeburn   304:                       'Unless your Apache configuration includes Strict-Transport-Security '.
                    305:                       '(with max-age > 0), it is recommended to also set rewrites from https to http '.
                    306:                       'for specific URLs in a file in '.$ssldir.' by including the following:'."\n".
1.44      raeburn   307:                       "&lt;IfModule mod_rewrite.c&gt;\n".'  '.
                    308:                       join("\n  ",@expected)."\n".
                    309:                       "&lt;/IfModule&gt;\n");
                    310:             }
1.32      raeburn   311:         }
                    312:     }
1.13      harris41  313: }
                    314: </perlscript>
1.1       harris41  315: </file>
                    316: </files>
                    317: </piml>

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>