File:  [LON-CAPA] / doc / loncapafiles / webserver.piml
Revision 1.51: download - view: text, annotated - select for diffs
Sun Feb 16 21:57:59 2020 UTC (4 years, 8 months ago) by raeburn
Branches: MAIN
CVS tags: HEAD
- Accommodate Apache 2.4 updated to address CVE-2019-0220, in which
  multiple consecutive slashes are collapsed into a single slash.

<!DOCTYPE piml PUBLIC "-//TUX/DTD piml 1.0 Final//EN" 
	"http://lpml.sourceforge.net/DTD/piml.dtd">
<!-- webserver.piml -->

<!-- $Id: webserver.piml,v 1.51 2020/02/16 21:57:59 raeburn Exp $ -->

<!--

Copyright Michigan State University Board of Trustees

This file is part of the LearningOnline Network with CAPA (LON-CAPA).

LON-CAPA is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

LON-CAPA is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with LON-CAPA; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

/home/httpd/html/adm/gpl.txt

http://www.lon-capa.org/

-->

<!-- Default values must be defined before specific values. -->
<!-- If no 'dist' attribute is specified, then it is always installed. -->
<!-- If 'dist' attribute is set to  'default', then the specification. -->
<!-- is accepted if an alternative distribution is not requested or not -->
<!-- defined. -->

<piml>
<targetroot>/</targetroot>
<specialnotices>
<specialnotice>
</specialnotice>
</specialnotices>
<files>
<file>
<target dist='default'>/etc/httpd/conf/httpd.conf</target>
<target dist='suse9.2 suse9.3 sles9'>/etc/httpd/httpd.conf</target>
<target dist='sles10 sles11 sles12 sles15 suse10.1 suse10.2 suse10.3 suse11.1 suse11.2 suse11.3 suse11.4 suse12.1 suse12.2 suse12.3 suse13.1 suse13.2'>/etc/apache2/default-server.conf</target>
<target dist='debian5 debian6 ubuntu6 ubuntu8 ubuntu10 ubuntu12'>/etc/apache2/sites-available/loncapa</target>
<target dist='ubuntu14 ubuntu16 ubuntu18 ubuntu20'>/etc/apache2/conf-available/loncapa</target>
<note>This is for Apache 1.X for Red Hat 4ES, Fedora 2, 3 and 4, SusSE 9.2 and 9.3, and SLES 9 distributions. This is for Apache 2.X for Fedora 5, Red Hat 5, CentOS 5, Scientific Linux 5, Oracle Linux 5, SuSE 10.1, SLES 10, Debian 5, Ubuntu LTS 8 and later distributions</note>
<dependencies dist='default'>
/etc/httpd/conf/httpd.conf
</dependencies>
<dependencies dist='suse9.2 suse9.3 sles9'>
/etc/httpd/httpd.conf
</dependencies>
<dependencies dist='debian5 debian6 ubuntu6 ubuntu8 ubuntu10 ubuntu12'>
/etc/apache2/sites-available/loncapa
</dependencies>
<dependencies dist='ubuntu14 ubuntu16 ubuntu18 ubuntu20'>
/etc/apache2/conf-available/loncapa
</dependencies>
<dependencies dist='sles10 sles11 sles12 sles15 suse10.1 suse10.2 suse10.3 suse11.1 suse11.2 suse11.3 suse11.4 suse12.1 suse12.2 suse12.3 suse13.1 suse13.2'>
/etc/apache2/default-server.conf
</dependencies>
<perlscript mode='fg' dist="default">
# Generated from doc/loncapafiles/webserver.piml
use Socket;
use Sys::Hostname::FQDN();
unless (-e "<TARGET />") {
  print '**** ERROR! <TARGET /> should exist! Are you missing the Apache '.
    'software package?';
  exit(1);
}
else {
  # Append loncapa_apache.conf inclusion to httpd.conf 
  # (or sites-available/loncapa or conf-available/loncapa) if not present.
  $flag=0;
  open(IN,'&lt;<TARGET />');
  while (&lt;IN&gt;) { 
    if (/^\s*Include\s+conf\/loncapa_apache.conf/) {
      $flag=1; 
    }
  }
  close(IN);
  unless ($flag==1) {
    open(OUT,'&gt;&gt;<TARGET />');
    print(OUT 'Include conf/loncapa_apache.conf'."\n");
    close(OUT);
  }
  # Remove loncapa.conf inclusion from httpd.conf 
  # (or sites-available/loncapa or conf-available/loncapa) if present.
  $flag=0;
  open(IN,'&lt;<TARGET />');
  while (&lt;IN&gt;) {
    if (/^\s*Include\s+conf\/loncapa.conf/) {
      $flag=1;
    }
  }
  close(IN);
  $in='';
  if ($flag==1) {
    open(IN,'&lt;<TARGET />');
    while(&lt;IN&gt;) {
      $in.=$_ unless /^\s*Include\s+conf\/loncapa.conf/;
    }
    close(IN);
    open(OUT,'&gt;<TARGET />');
    print(OUT $in."\n");
    close(OUT);
  }

# Checking for overlapping ScriptAlias and DocumentRoot definitions.
  $scriptalias_flag=0;
  $documentroot_flag=0;
  my $scriptalias;
  my $documentroot;
  open(IN,'&lt;<TARGET />');
  while (&lt;IN&gt;) {
    if (m!^\s*ScriptAlias\s+/cgi-bin/\s+(.*)$!) {
      $scriptalias = $1;
      if ($scriptalias !~ m!home/httpd/cgi-bin!) {
        $scriptalias_flag = 1;
      }
    }
    if (m!^\s*DocumentRoot\s+(.*)$!) {
      $documentroot = $1;
      if ($documentroot !~ m!home/httpd/html!) {
        $documentroot_flag = 1;
      }
    }
  }
  close(IN);
  if ($scriptalias_flag==1) {
      my $conffile = '/etc/httpd/conf/httpd.conf';
      if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3' 
          || '<DIST />' eq 'sles9') {
          $conffile =  '/etc/httpd/httpd.conf';
      } elsif ('<DIST />' =~ /^(suse|sles)/) {
          $conffile = '/etc/apache2/default-server.conf';
      } elsif ('<DIST />' =~ /^(debian|ubuntu)/) {
          $conffile = '/etc/apache2/sites-available/loncapa';
      }
      print('**** ERROR **** '.$conffile.' has an overlapping definition of '.
            'ScriptAlias (it is incorrectly set to '.$scriptalias.').'."\n".
            'This conflicts with loncapa_apache.conf.'."\n");
  }
  if ($documentroot_flag==1) {
      print('**** ERROR **** '.$conffile.' has an overlapping definition of '.
            'DocumentRoot (it is incorrectly set to '.$documentroot.').'."\n".
            'This conflicts with loncapa_apache.conf.'."\n");
  }

# Checking for rewrites of http:// to https://
    my $rewrite_dir = '/etc/httpd/conf/rewrites';
    my $curr_rewrite = '/etc/httpd/conf/loncapa_rewrite.conf';
    if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3'
        || '<DIST />' eq 'sles9') {
        $rewrite_dir = '/etc/httpd/rewrites/';
        $curr_rewrite = '/etc/httpd/loncapa_rewrite.conf';
    } elsif ('<DIST />' =~ /^(suse|sles|debian|ubuntu)/) {
        $rewrite_dir = '/etc/apache2/rewrites';
        $curr_rewrite = '/etc/apache2/loncapa_rewrite.conf';
    }
    my $rewrite_off = $rewrite_dir.'/loncapa_rewrite_off.conf';
    my $rewrite_on = $rewrite_dir.'/loncapa_rewrite_on.conf';
    if (!-e $curr_rewrite) { 
        system("cp $rewrite_off $curr_rewrite");
        chmod(0644, $curr_rewrite);
    } else {
        my ($not_rewrite_on,$not_rewrite_off,$rewrite_state);
        if (open(PIPE, "diff --brief $rewrite_off $curr_rewrite |")) {
            my $diffres = &lt;PIPE&gt; ;
            close(PIPE);
            chomp($diffres);
            if ($diffres) {
                $not_rewrite_off = 1;
            } else {
                $rewrite_state = 'off';
            }
        }
        if (open(PIPE, "diff --brief $rewrite_on $curr_rewrite |")) {
            my $diffres = &lt;PIPE&gt; ;
            close(PIPE);
            chomp($diffres);
            if ($diffres) {
                $not_rewrite_on = 1;
            } else {
                $rewrite_state = 'on';
            }
        }
        if ($not_rewrite_off && $not_rewrite_on) {
            print('**** WARNING **** '."\n".$curr_rewrite.' does not match '.
            'either:'."\n".$rewrite_on.' - the file used to enable rewriting '.
            'of requests for http:// to https:// '."\n".'or:'."\n".$rewrite_off.
            ' - the file used to disable such rewriting'."\n\n".
            'This may be because '. $curr_rewrite.' has been '. 
            'previously customized,'."\n".'or it may be because of a change '.  
            'to the files in '.$rewrite_dir."\n");
            if (open(my $fh,'&lt;',$curr_rewrite)) {
                while(&lt;$fh&gt;) {
                    if (/^\s*RewriteEngine\s+(on|off)\s*$/i) {
                        if ($1 eq 'on') {
                            $rewrite_state = 'on';
                        } else {
                            $rewrite_state = 'off';
                        }
                        last;
                    }
                }
            }
        }
        if ($rewrite_state eq 'on') {
        # Checking for rewrites of https:// to http://
            my ($gotrules,$rulestr,$ssldir);
            if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3'
                || '<DIST />' eq 'sles9') {
                $ssldir = '/etc/apache/vhosts.d';
            } elsif ('<DIST />' =~ /^(suse|sles)/) {
                $ssldir = '/etc/apache2/vhosts.d';
            } elsif ('<DIST />' =~ /^(debian|ubuntu)/) {
                $ssldir = '/etc/apache2/sites-available';
            } else {
                $ssldir = '/etc/httpd/conf.d';
            }
            my $hostname = Sys::Hostname::FQDN::fqdn();
            my $hostip = Socket::inet_ntoa(scalar(gethostbyname($hostname)) || 'localhost');
            my @expected = ('RewriteCond %{REQUEST_URI} ^/adm/wrapper/ext/(?!https:)',
                            'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)',
                            'RewriteRule ^/adm/wrapper/ext/(?!https:\/\/) http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]',
                            'RewriteCond %{REMOTE_ADDR} 127.0.0.1',
                            'RewriteRule (.*) - [L]');
            if (($hostip ne '') && ($hostip ne '127.0.0.1')) {
                push(@expected,('RewriteCond %{REMOTE_ADDR} '.$hostip,
                                'RewriteRule (.*) - [L]'));
            }
            push(@expected,('RewriteCond %{REQUEST_URI} ^/public/.*/syllabus$',
                            'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)',
                            'RewriteRule ^/public/.*/syllabus$ http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]'));
            if (-d $ssldir) {
                my @rewrites;
                if (opendir(my $dir,$ssldir)) {
                    my @sslconf_files;
                    foreach my $file (!grep(/^\.$/,readdir($dir))) {
                        if (open(my $fh,'&lt;',"$ssldir/$file")) {
                            while (&lt;$fh&gt;) {
                                if (/^\s*&lt;VirtualHost\s+[^:]*\:443&gt;\s*$/) {
                                    push(@sslconf_files,$file);
                                    last;
                                }
                            }
                            close($fh);
                        }
                    }
                    if (@sslconf_files) {
                        my @rewrites;
                        foreach my $file (@sslconf_files) {
                            if (open(my $fh,'&lt;',"$ssldir/$file")) {
                                my ($rewrite,$num) = (0,0);
                                while (&lt;$fh&gt;) {
                                    if ($rewrite) {
                                        if (/\s*&lt;\/IfModule&gt;/) {
                                            $rewrite = 0;
                                            $num ++;
                                        } else {
                                            chomp();
                                            s/^(\s+|\s+)$//g;
                                            push(@{$rewrites[$num]},$_);
                                        }
                                    } elsif (/^\s*&lt;IfModule\s+mod_rewrite.c&gt;/) {
                                        $rewrite = 1;
                                    }
                                }
                                close($fh);
                            }
                        }
                    }
                    closedir($dir);
                }
                if (@rewrites) {
                    foreach my $item (@rewrites) {
                        if (ref($item) eq 'ARRAY') {
                            my $found = 0;
                            foreach my $item (@rewrites) {
                                foreach my $match (@expected) {
                                    if ($match eq $item) {
                                        $found ++;
                                        last;
                                    }
                                }
                            }
                            if ($found &gt;= @expected) {
                                $gotrules = 1;
                            }
                        }
                    }
                }
            }
            unless ($gotrules) {
                print('**** WARNING **** '."\n".$curr_rewrite.' is currently set so rewrites '.
                      'of http to https are enabled for most URLs.'."\n".
                      'Unless your Apache configuration includes Strict-Transport-Security '.
                      '(with max-age > 0), it is recommended to also set rewrites from https to http '.
                      'for specific URLs in a file in '.$ssldir.' by including the following:'."\n".
                      "&lt;IfModule mod_rewrite.c&gt;\n".'  '.
                      join("\n  ",@expected)."\n".
                      "&lt;/IfModule&gt;\n");
            }
        }
    }
}
</perlscript>
</file>
</files>
</piml>

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>