--- loncom/interface/domainprefs.pm 2020/12/23 21:39:23 1.374 +++ loncom/interface/domainprefs.pm 2021/08/01 19:28:10 1.384 @@ -1,7 +1,7 @@ # The LearningOnline Network with CAPA # Handler to set domain-wide configuration settings # -# $Id: domainprefs.pm,v 1.374 2020/12/23 21:39:23 raeburn Exp $ +# $Id: domainprefs.pm,v 1.384 2021/08/01 19:28:10 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -223,7 +223,7 @@ sub handler { 'ltitools','ssl','trust','lti','privacy','passwords', 'proctoring','wafproxy'],$dom); my %encconfig = - &Apache::lonnet::get_dom('encconfig',['ltitools','lti','proctoring'],$dom); + &Apache::lonnet::get_dom('encconfig',['ltitools','lti','proctoring'],$dom,undef,1); if (ref($domconfig{'ltitools'}) eq 'HASH') { if (ref($encconfig{'ltitools'}) eq 'HASH') { foreach my $id (keys(%{$domconfig{'ltitools'}})) { @@ -311,16 +311,16 @@ sub handler { print => \&print_defaults, modify => \&modify_defaults, }, - 'wafproxy' => - { text => 'Web Application Firewall/Reverse Proxy', + 'wafproxy' => + { text => 'Web Application Firewall/Reverse Proxy', help => 'Domain_Configuration_WAF_Proxy', - header => [{col1 => 'Domain server', - col2 => 'Alias for WAF/Reverse Proxy', + header => [{col1 => 'Domain(s)', + col2 => 'Servers and WAF/Reverse Proxy alias(es)', }, - {col1 => 'Setting', - col2 => 'Value',}], + {col1 => 'Domain(s)', + col2 => 'WAF Configuration',}], print => \&print_wafproxy, - modify => \&modify_wafproxy, + modify => \&modify_wafproxy, }, 'passwords' => { text => 'Passwords (Internal authentication)', @@ -855,6 +855,8 @@ sub print_config_box { $output .= <i_javascript($settings); } elsif ($action eq 'proctoring') { $output .= &proctoring_javascript($settings); + } elsif ($action eq 'wafproxy') { + $output .= &wafproxy_javascript($dom); } $output .= ' @@ -2844,6 +2846,121 @@ function toggleLTITools(form,setting,ite ENDSCRIPT } +sub wafproxy_javascript { + my ($dom) = @_; + return <<"ENDSCRIPT"; + + +ENDSCRIPT +} + sub proctoring_javascript { my ($settings) = @_; my (%ordered,$total,%jstext); @@ -3781,18 +3898,17 @@ sub print_contacts { \%choices,$rownum); $datatable .= $reports; } elsif ($position eq 'lower') { - $css_class = $rownum%2?' class="LC_odd_row"':''; - my ($threshold,$sysmail,%excluded,%weights); + my (%current,%excluded,%weights); my ($defaults,$names) = &Apache::loncommon::lon_status_items(); if ($lonstatus{'threshold'} =~ /^\d+$/) { - $threshold = $lonstatus{'threshold'}; + $current{'errorthreshold'} = $lonstatus{'threshold'}; } else { - $threshold = $defaults->{'threshold'}; + $current{'errorthreshold'} = $defaults->{'threshold'}; } if ($lonstatus{'sysmail'} =~ /^\d+$/) { - $sysmail = $lonstatus{'sysmail'}; + $current{'errorsysmail'} = $lonstatus{'sysmail'}; } else { - $sysmail = $defaults->{'sysmail'}; + $current{'errorsysmail'} = $defaults->{'sysmail'}; } if (ref($lonstatus{'weights'}) eq 'HASH') { foreach my $type ('E','W','N','U') { @@ -3812,13 +3928,16 @@ sub print_contacts { map {$excluded{$_} = 1; } @{$lonstatus{'excluded'}}; } } - $datatable .= ''. - ''; - $rownum ++; + foreach my $item ('errorthreshold','errorsysmail') { + $css_class = $rownum%2?' class="LC_odd_row"':''; + $datatable .= ''. + ''; + $rownum ++; + } $css_class = $rownum%2?' class="LC_odd_row"':''; $datatable .= ''. '
'. - $titles->{'errorthreshold'}. - ''. - '
'. + $titles->{$item}. + ''. + '
'. @@ -3864,14 +3983,6 @@ sub print_contacts { } $datatable .= '
'; $rownum ++; - $css_class = $rownum%2?' class="LC_odd_row"':''; - $datatable .= ''. - ''. - $titles->{'errorsysmail'}. - ''. - ''; - $rownum ++; } elsif ($position eq 'bottom') { my ($othertitle,$usertypes,$types) = &Apache::loncommon::sorted_inst_types($dom); my (@posstypes,%usertypeshash); @@ -6161,7 +6272,7 @@ sub print_coursedefaults { my $currcanclone = 'none'; my $onclick; my @cloneoptions = ('none','domain'); - my %clonetitles = ( + my %clonetitles = &Apache::lonlocal::texthash ( none => 'No additional course requesters', domain => "Any course requester in course's domain", instcode => 'Course requests for official courses ...', @@ -7184,121 +7295,247 @@ sub print_wafproxy { my $itemcount = 0; my $datatable; my %servers = &Apache::lonnet::internet_dom_servers($dom); - my (%othercontrol,%otherdoms,%aliases,%values,$setdom); + my (%othercontrol,%otherdoms,%aliases,%values,$setdom,$showdom); my %lt = &wafproxy_titles(); foreach my $server (sort(keys(%servers))) { my $serverhome = &Apache::lonnet::get_server_homeID($servers{$server}); + next if ($serverhome eq ''); my $serverdom; if ($serverhome ne $server) { $serverdom = &Apache::lonnet::host_domain($serverhome); - $othercontrol{$server} = $serverdom; + if (($serverdom ne '') && (&Apache::lonnet::domain($serverdom) ne '')) { + $othercontrol{$server} = $serverdom; + } } else { $serverdom = &Apache::lonnet::host_domain($server); + next if (($serverdom eq '') || (&Apache::lonnet::domain($serverdom) eq '')); if ($serverdom ne $dom) { $othercontrol{$server} = $serverdom; } else { $setdom = 1; if (ref($settings) eq 'HASH') { - %{$values{$dom}} = (); if (ref($settings->{'alias'}) eq 'HASH') { $aliases{$dom} = $settings->{'alias'}; - } - foreach my $item ('ipheader','trusted','exempt') { - $values{$dom}{$item} = $settings->{$item}; + if ($aliases{$dom} ne '') { + $showdom = 1; + } } } } } } + if ($setdom) { + %{$values{$dom}} = (); + if (ref($settings) eq 'HASH') { + foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext') { + $values{$dom}{$item} = $settings->{$item}; + } + } + } if (keys(%othercontrol)) { %otherdoms = reverse(%othercontrol); foreach my $domain (keys(%otherdoms)) { %{$values{$domain}} = (); my %config = &Apache::lonnet::get_dom('configuration',['wafproxy'],$domain); - if (ref($config{$domain}) eq 'HASH') { - if (ref($config{$domain}{'wafproxy'}) eq 'HASH') { - $aliases{$domain} = $config{$domain}{'wafproxy'}{'alias'}; - foreach my $item ('ipheader','trusted','exempt') { - $values{$domain}{$item} = $config{$domain}{'wafproxy'}{$item}; - } + if (ref($config{'wafproxy'}) eq 'HASH') { + $aliases{$domain} = $config{'wafproxy'}{'alias'}; + foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext') { + $values{$domain}{$item} = $config{'wafproxy'}{$item}; } } } } if ($position eq 'top') { my %servers = &Apache::lonnet::internet_dom_servers($dom); + my %aliasinfo; foreach my $server (sort(keys(%servers))) { - $itemcount ++; - $css_class = $itemcount%2 ? ' class="LC_odd_row"' : ''; - $datatable .= ''. - ''.&mt('Hostname').': '. - &Apache::lonnet::hostname($server).''. - ''; + $itemcount ++; + my $dom_in_effect; + my $aliasrows = ''. + ''. + &mt('Hostname').': '. + ''.&Apache::lonnet::hostname($server).' '; if ($othercontrol{$server}) { + $dom_in_effect = $othercontrol{$server}; my $current; - if (ref($aliases{$othercontrol{$server}}) eq 'HASH') { - $current = $aliases{$othercontrol{$server}{$server}}; + if (ref($aliases{$dom_in_effect}) eq 'HASH') { + $current = $aliases{$dom_in_effect}{$server}; } + $aliasrows .= ''. + &mt('Alias').': '; if ($current) { - $datatable .= $current; + $aliasrows .= $current; } else { - $datatable .= &mt('None in effect'); + $aliasrows .= &mt('None'); } - $datatable .= '
('. - &mt('WAF/Reverse Proxy controlled by domain: [_1]', - ''.$othercontrol{$server}.'').''; + $aliasrows .= ' ('. + &mt('controlled by domain: [_1]', + ''.$dom_in_effect.'').')'; } else { + $dom_in_effect = $dom; my $current; if (ref($aliases{$dom}) eq 'HASH') { if ($aliases{$dom}{$server}) { $current = $aliases{$dom}{$server}; } } - $datatable .= ''; + $aliasrows .= ''. + &mt('Alias').': '. + ''; + } + $aliasrows .= ''; + $aliasinfo{$dom_in_effect} .= $aliasrows; + } + if ($aliasinfo{$dom}) { + my ($onclick,$wafon,$wafoff,$showtable); + $onclick = ' onclick="javascript:toggleWAF();"'; + $wafoff = ' checked="checked"'; + $showtable = ' style="display:none";'; + if ($showdom) { + $wafon = $wafoff; + $wafoff = ''; + $showtable = ' style="display:inline;"'; + } + $css_class = $itemcount%2 ? ' class="LC_odd_row"' : ''; + $datatable = ''. + ''.&mt('Domain: [_1]',''.$dom.'').'
'. + ''.&mt('WAF in use?').' '.(' 'x2).''. + ''. + ''.$aliasinfo{$dom}. + '
'; + $itemcount++; + } + if (keys(%otherdoms)) { + foreach my $key (sort(keys(%otherdoms))) { + $css_class = $itemcount%2 ? ' class="LC_odd_row"' : ''; + $datatable .= ''. + ''.&mt('Domain: [_1]',''.$key.'').''. + ''.$aliasinfo{$key}. + '
'; + $itemcount++; } - $datatable .= ''; } } else { + my %ip_methods = &remoteip_methods(); if ($setdom) { $itemcount ++; $css_class = $itemcount%2 ? ' class="LC_odd_row"' : ''; - $datatable .= ''. + my ($nowafstyle,$wafstyle,$curr_remotip,$currwafdisplay,$vpndircheck,$vpnaliascheck, + $currwafvpn,$wafrangestyle,$alltossl,$ssltossl); + $wafstyle = ' style="display:none;"'; + $nowafstyle = ' style="display:table-row;"'; + $currwafdisplay = ' style="display: none"'; + $wafrangestyle = ' style="display: none"'; + $curr_remotip = 'n'; + $ssltossl = ' checked="checked"'; + if ($showdom) { + $wafstyle = ' style="display:table-row;"'; + $nowafstyle = ' style="display:none;"'; + if (keys(%{$values{$dom}})) { + if ($values{$dom}{remoteip} =~ /^[nmh]$/) { + $curr_remotip = $values{$dom}{remoteip}; + } + if ($curr_remotip eq 'h') { + $currwafdisplay = ' style="display:table-row"'; + $wafrangestyle = ' style="display:inline-block;"'; + } + if ($values{$dom}{'sslopt'}) { + $alltossl = ' checked="checked"'; + $ssltossl = ''; + } + } + if (($values{$dom}{'vpnint'} ne '') || ($values{$dom}{'vpnext'} ne '')) { + $vpndircheck = ' checked="checked"'; + $currwafvpn = ' style="display:table-row;"'; + $wafrangestyle = ' style="display:inline-block;"'; + } else { + $vpnaliascheck = ' checked="checked"'; + $currwafvpn = ' style="display:none;"'; + } + } + $datatable .= ''. + ''.&mt('Domain: [_1]',''.$dom.'').''. + ''.&mt('WAF not in use, nothing to set').''. + ''. + ''. ''.&mt('Domain: [_1]',''.$dom.'').'

'. - &mt('Format for comma separated IP blocks').':
'. - &mt('A.B.C.D/N or A.B.C.D - E.F.G.H').''. - ''; - foreach my $item ('ipheader','trusted','exempt') { - $datatable .= ''. - ''; - } - $datatable .= '
'.$lt{$item}.': '; - if ($item eq 'ipheader') { - $datatable .= ''; - - } else { - $datatable .= ''; - } - $datatable .= '
'; + '
'.&mt('Format for comma separated IP ranges').':
'. + &mt('A.B.C.D/N or A.B.C.D-E.F.G.H').'
'. + ''. + ''. + ''."\n". + ''."\n". + ''."\n". + ''."\n". + ''. + ''; + foreach my $item ('vpnint','vpnext') { + $datatable .= ''. + ''."\n"; + } + $datatable .= ''."\n". + ''. + ''."\n". + '
'.$lt{'remoteip'}.': '. + '
'. + $lt{'ipheader'}.': '. + ''. + '
'. + $lt{'trusted'}.':
'. + ''. + '

'.$lt{'vpnaccess'}.':
'. + ''.(' 'x2). + '
'.$lt{$item}.':
'. + ''. + '

'.$lt{'sslopt'}.':
'. + ''.(' 'x2). + '
'; } if (keys(%otherdoms)) { foreach my $domain (sort(keys(%otherdoms))) { $itemcount ++; $css_class = $itemcount%2 ? ' class="LC_odd_row"' : ''; $datatable .= ''. - ''.&mt('Domain: [_1]',$domain).''. + ''.&mt('Domain: [_1]',''.$domain.'').''. ''; - foreach my $item ('ipheader','trusted','exempt') { + foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext','sslopt') { my $showval = &mt('None'); + if ($item eq 'ssl') { + $showval = $lt{'ssltossl'}; + } if ($values{$domain}{$item}) { - $showval = $values{$domain}{$item}; + $showval = $values{$domain}{$item}; + if ($item eq 'ssl') { + $showval = $lt{'alltossl'}; + } elsif ($item eq 'remoteip') { + $showval = $ip_methods{$values{$domain}{$item}}; + } } $datatable .= ''. ''; } - $datatable .= '
'.$lt{$item}.': '.$showval.'
'; + $datatable .= ''; } } } @@ -7308,9 +7545,25 @@ sub print_wafproxy { sub wafproxy_titles { return &Apache::lonlocal::texthash( - exempt => 'Exempt IP range(s)', - trusted => 'Trusted IP range(s)', - ipheader => 'Custom request header', + remoteip => "Method for determining user's IP", + ipheader => 'Request header containing remote IP', + trusted => 'Trusted IP range(s)', + vpnaccess => 'Access from institutional VPN', + vpndirect => 'via regular hostname (no WAF)', + vpnaliased => 'via aliased hostname (WAF)', + vpnint => 'Internal IP Range(s) for VPN sessions', + vpnext => 'IP Range(s) for backend WAF connections', + sslopt => 'Forwarding http/https', + alltossl => 'WAF forwards both http and https requests to https', + ssltossl => 'WAF forwards http requests to http and https to https', + ); +} + +sub remoteip_methods { + return &Apache::lonlocal::texthash( + m => 'Use Apache mod_remoteip', + h => 'Use headers parsed by LON-CAPA', + n => 'Not in use', ); } @@ -8349,8 +8602,8 @@ sub contact_titles { 'updatesmail' => 'E-mail from nightly check of LON-CAPA module integrity/updates', 'idconflictsmail' => 'E-mail from bi-nightly check for multiple users sharing same student/employee ID', 'hostipmail' => 'E-mail from nightly check of hostname/IP network changes', - 'errorthreshold' => 'Error/warning threshold for status e-mail', - 'errorsysmail' => 'Error threshold for e-mail to core group', + 'errorthreshold' => 'Error count threshold for status e-mail to admin(s)', + 'errorsysmail' => 'Error count threshold for e-mail to developer group', 'errorweights' => 'Weights used to compute error count', 'errorexcluded' => 'Servers with unsent updates excluded from count', ); @@ -9400,7 +9653,7 @@ sub print_defaults { $datatable .= ' '.&mt('Internal ID:').' '.$item.' '. ''. &mt('delete').''. - ''.&mt('Name displayed:'). + ''.&mt('Name displayed').':'. ''. ''; } @@ -9420,7 +9673,7 @@ sub print_defaults { ''. ' '.&mt('(new)'). ''. - &mt('Name displayed:'). + &mt('Name displayed').':'. ''. ''."\n"; $rownum ++; @@ -10429,7 +10682,7 @@ ENDSCRIPT sub initialize_categories { my ($itemcount) = @_; my ($datatable,$css_class,$chgstr); - my %default_names = ( + my %default_names = &Apache::lonlocal::texthash ( instcode => 'Official courses (with institutional codes)', communities => 'Communities', placement => 'Placement Tests', @@ -13274,7 +13527,7 @@ sub modify_ltitools { my %ltienchash = ( $action => { %encconfig } ); - &Apache::lonnet::put_dom('encconfig',\%ltienchash,$dom); + &Apache::lonnet::put_dom('encconfig',\%ltienchash,$dom,undef,1); if (keys(%changes) > 0) { my $cachetime = 24*60*60; my %ltiall = %confhash; @@ -13848,7 +14101,7 @@ sub modify_proctoring { my %proc_enchash = ( $action => { %encconfhash } ); - &Apache::lonnet::put_dom('encconfig',\%proc_enchash,$dom); + &Apache::lonnet::put_dom('encconfig',\%proc_enchash,$dom,undef,1); if (keys(%changes) > 0) { my $cachetime = 24*60*60; my %procall = %confhash; @@ -14340,7 +14593,7 @@ sub modify_lti { my %ltienchash = ( $action => { %encconfig } ); - &Apache::lonnet::put_dom('encconfig',\%ltienchash,$dom); + &Apache::lonnet::put_dom('encconfig',\%ltienchash,$dom,undef,1); if (keys(%changes) > 0) { my $cachetime = 24*60*60; my %ltiall = %confhash; @@ -15204,7 +15457,7 @@ sub modify_contacts { $contacts_hash{'contacts'}{'lonstatus'}{$item} = \@excluded; } } elsif ($item eq 'weights') { - foreach my $type ('E','W','N') { + foreach my $type ('E','W','N','U') { $env{'form.error'.$item.'_'.$type} =~ s/^\s+|\s+$//g; if ($env{'form.error'.$item.'_'.$type} =~ /^\d+$/) { unless ($env{'form.error'.$item.'_'.$type} == $lonstatus_defs->{$type}) { @@ -16371,7 +16624,7 @@ sub modify_passwords { $resulttext .= '
  • '.&mt('E-mail address(es) in LON-CAPA used for verification will include: [_1]',join(', ',map { $titles{$_}; } @{$staticdefaults{'resetemail'}})).'
  • '; } } else { - $resulttext .= '
  • '.&mt('E-mail address(es) in LON-CAPA usedfor verification will include: [_1]',join(', ',map { $titles{$_}; } @{$staticdefaults{'resetemail'}})).'
  • '; + $resulttext .= '
  • '.&mt('E-mail address(es) in LON-CAPA used for verification will include: [_1]',join(', ',map { $titles{$_}; } @{$staticdefaults{'resetemail'}})).'
  • '; } if ($confighash{'passwords'}{'resetremove'}) { $resulttext .= '
  • '.&mt('Preamble to "Forgot Password" web form not shown').'
  • '; @@ -19587,26 +19840,33 @@ sub modify_wafproxy { my $serverdom = &Apache::lonnet::host_domain($server); if ($serverdom eq $dom) { $canset{$server} = 1; - if (ref($domconfig{'wafproxy'}) eq 'HASH') { - %{$values{$dom}} = (); - if (ref($domconfig{'wafproxy'}{'alias'}) eq 'HASH') { - %curralias = %{$domconfig{'wafproxy'}{'alias'}}; - } - foreach my $item ('ipheader','trusted','exempt') { - $currvalue{$item} = $domconfig{'wafproxy'}{$item}; - } - } } } } + if (ref($domconfig{'wafproxy'}) eq 'HASH') { + %{$values{$dom}} = (); + if (ref($domconfig{'wafproxy'}{'alias'}) eq 'HASH') { + %curralias = %{$domconfig{'wafproxy'}{'alias'}}; + } + foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext','sslopt') { + $currvalue{$item} = $domconfig{'wafproxy'}{$item}; + } + } my $output; if (keys(%canset)) { %{$wafproxy{'alias'}} = (); foreach my $key (sort(keys(%canset))) { - $wafproxy{'alias'}{$key} = $env{'form.wafproxy_alias_'.$key}; - $wafproxy{'alias'}{$key} =~ s/^\s+|\s+$//g; - if ($wafproxy{'alias'}{$key} ne $curralias{$key}) { - $changes{'alias'} = 1; + if ($env{'form.wafproxy_'.$dom}) { + $wafproxy{'alias'}{$key} = $env{'form.wafproxy_alias_'.$key}; + $wafproxy{'alias'}{$key} =~ s/^\s+|\s+$//g; + if ($wafproxy{'alias'}{$key} ne $curralias{$key}) { + $changes{'alias'} = 1; + } + } else { + $wafproxy{'alias'}{$key} = ''; + if ($curralias{$key}) { + $changes{'alias'} = 1; + } } if ($wafproxy{'alias'}{$key} eq '') { if ($curralias{$key}) { @@ -19621,21 +19881,43 @@ sub modify_wafproxy { # Localization for values in %warn occus in &mt() calls separately. my %warn = ( trusted => 'trusted IP range(s)', - exempt => 'exempt IP range(s)', + vpnint => 'internal IP range(s) for VPN sessions(s)', + vpnext => 'IP range(s) for backend WAF connections', ); - foreach my $item ('ipheader','trusted','exempt') { + foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext','sslopt') { my $possible = $env{'form.wafproxy_'.$item}; $possible =~ s/^\s+|\s+$//g; if ($possible ne '') { - if ($item eq 'ipheader') { - $wafproxy{$item} = $possible; + if ($item eq 'remoteip') { + if ($possible =~ /^[mhn]$/) { + $wafproxy{$item} = $possible; + } + } elsif ($item eq 'ipheader') { + if ($wafproxy{'remoteip'} eq 'h') { + $wafproxy{$item} = $possible; + } + } elsif ($item eq 'sslopt') { + if ($possible =~ /^0|1$/) { + $wafproxy{$item} = $possible; + } } else { my (@ok,$count); - $possible =~ s/[\r\n]+/\s/g; - $possible =~ s/\s*-\s*/-/g; - $possible =~ s/\s+/,/g; + if (($item eq 'vpnint') || ($item eq 'vpnext')) { + unless ($env{'form.wafproxy_vpnaccess'}) { + $possible = ''; + } + } elsif ($item eq 'trusted') { + unless ($wafproxy{'remoteip'} eq 'h') { + $possible = ''; + } + } + unless ($possible eq '') { + $possible =~ s/[\r\n]+/\s/g; + $possible =~ s/\s*-\s*/-/g; + $possible =~ s/\s+/,/g; + } $count = 0; - if ($possible) { + if ($possible ne '') { foreach my $poss (split(/\,/,$possible)) { $count ++; if (&validate_ip_pattern($poss)) { @@ -19652,15 +19934,22 @@ sub modify_wafproxy { $diff,$warn{$item}). ''); } - if ($wafproxy{$item} ne $currvalue{$item}) { - $changes{$item} = 1; - } } } - } else { - if ($currvalue{$item}) { + if ($wafproxy{$item} ne $currvalue{$item}) { $changes{$item} = 1; } + } elsif ($currvalue{$item}) { + $changes{$item} = 1; + } + } + } else { + if (keys(%curralias)) { + $changes{'alias'} = 1; + } + if (keys(%currvalue)) { + foreach my $key (keys(%currvalue)) { + $changes{$key} = 1; } } } @@ -19673,7 +19962,7 @@ sub modify_wafproxy { if ($putresult eq 'ok') { my $cachetime = 24*60*60; my (%domdefaults,$updatedomdefs); - foreach my $item ('ipheader','trusted','exempt') { + foreach my $item ('ipheader','trusted','vpnint','vpnext','sslopt') { if ($changes{$item}) { unless ($updatedomdefs) { %domdefaults = &Apache::lonnet::get_domain_defaults($dom); @@ -19710,7 +19999,7 @@ sub modify_wafproxy { } } $output = &mt('Changes were made to Web Application Firewall/Reverse Proxy').'
      '; - foreach my $item ('alias','ipheader','trusted','exempt') { + foreach my $item ('alias','remoteip','ipheader','trusted','vpnint','vpnext','sslopt') { if ($changes{$item}) { if ($item eq 'alias') { my $numaliased = 0; @@ -19733,26 +20022,52 @@ sub modify_wafproxy { $output .= '
    • '.&mt('Aliases deleted for hostnames').'
    • '; } } else { - if ($item eq 'ipheader') { + if ($item eq 'remoteip') { + my %ip_methods = &remoteip_methods(); + if ($wafproxy{$item} =~ /^[mh]$/) { + $output .= '
    • '.&mt("Method for determining user's IP set to: [_1]", + $ip_methods{$wafproxy{$item}}).'
    • '; + } else { + if (($env{'form.wafproxy_'.$dom}) && (ref($wafproxy{'alias'}) eq 'HASH')) { + $output .= '
    • '.&mt("No method in use to get user's real IP (will report IP used by WAF)."). + '
    • '; + } else { + $output .= '
    • '.&mt('WAF/Reverse Proxy not in use').'
    • '; + } + } + } elsif ($item eq 'ipheader') { if ($wafproxy{$item}) { - $output .= '
    • '.&mt('Custom request header set to [_1]', + $output .= '
    • '.&mt('Request header with remote IP set to: [_1]', $wafproxy{$item}).'
    • '; } else { - $output .= '
    • '.&mt('Custom request header deleted').'
    • '; + $output .= '
    • '.&mt('Request header with remote IP deleted').'
    • '; } } elsif ($item eq 'trusted') { if ($wafproxy{$item}) { - $output .= '
    • '.&mt('Trusted IP range(s) set to [_1]', + $output .= '
    • '.&mt('Trusted IP range(s) set to: [_1]', $wafproxy{$item}).'
    • '; } else { $output .= '
    • '.&mt('Trusted IP range(s) deleted').'
    • '; } - } elsif ($item eq 'exempt') { + } elsif ($item eq 'vpnint') { if ($wafproxy{$item}) { - $output .= '
    • '.&mt('Exempt IP range(s) set to [_1]', + $output .= '
    • '.&mt('Internal IP Range(s) for VPN sessions set to: [_1]', $wafproxy{$item}).'
    • '; } else { - $output .= '
    • '.&mt('Exempt IP range(s) deleted').'
    • '; + $output .= '
    • '.&mt('Internal IP Range(s) for VPN sessions deleted').'
    • '; + } + } elsif ($item eq 'vpnext') { + if ($wafproxy{$item}) { + $output .= '
    • '.&mt('IP Range(s) for backend WAF connections set to: [_1]', + $wafproxy{$item}).'
    • '; + } else { + $output .= '
    • '.&mt('IP Range(s) for backend WAF connections deleted').'
    • '; + } + } elsif ($item eq 'sslopt') { + if ($wafproxy{$item}) { + $output .= '
    • '.&mt('WAF/Reverse Proxy expected to forward requests to https on LON-CAPA node, regardless of original protocol in web browser (http or https).').'
    • '; + } else { + $output .= '
    • '.&mt('WAF/Reverse Proxy expected to preserve original protocol in web browser (either http or https) when forwarding to LON-CAPA node.').'
    • '; } } } @@ -20721,24 +21036,24 @@ sub modify_loadbalancing { $resulttext .= '
    • '.&mt('Load Balancer: [_1] -- cookie use enabled', $balancer).'
    • '; } - if (keys(%toupdate)) { - my %thismachine; - my $updatedhere; - my $cachetime = 60*60*24; - map { $thismachine{$_} = 1; } &Apache::lonnet::current_machine_ids(); - foreach my $lonhost (keys(%toupdate)) { - if ($thismachine{$lonhost}) { - unless ($updatedhere) { - &Apache::lonnet::do_cache_new('loadbalancing',$dom, - $defaultshash{'loadbalancing'}, - $cachetime); - $updatedhere = 1; - } - } else { - my $cachekey = &escape('loadbalancing').':'.&escape($dom); - &Apache::lonnet::remote_devalidate_cache($lonhost,[$cachekey]); - } + } + } + if (keys(%toupdate)) { + my %thismachine; + my $updatedhere; + my $cachetime = 60*60*24; + map { $thismachine{$_} = 1; } &Apache::lonnet::current_machine_ids(); + foreach my $lonhost (keys(%toupdate)) { + if ($thismachine{$lonhost}) { + unless ($updatedhere) { + &Apache::lonnet::do_cache_new('loadbalancing',$dom, + $defaultshash{'loadbalancing'}, + $cachetime); + $updatedhere = 1; } + } else { + my $cachekey = &escape('loadbalancing').':'.&escape($dom); + &Apache::lonnet::remote_devalidate_cache($lonhost,[$cachekey]); } } }