--- loncom/interface/domainprefs.pm 2020/12/23 21:39:23 1.374
+++ loncom/interface/domainprefs.pm 2021/08/01 19:28:10 1.384
@@ -1,7 +1,7 @@
# The LearningOnline Network with CAPA
# Handler to set domain-wide configuration settings
#
-# $Id: domainprefs.pm,v 1.374 2020/12/23 21:39:23 raeburn Exp $
+# $Id: domainprefs.pm,v 1.384 2021/08/01 19:28:10 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -223,7 +223,7 @@ sub handler {
'ltitools','ssl','trust','lti','privacy','passwords',
'proctoring','wafproxy'],$dom);
my %encconfig =
- &Apache::lonnet::get_dom('encconfig',['ltitools','lti','proctoring'],$dom);
+ &Apache::lonnet::get_dom('encconfig',['ltitools','lti','proctoring'],$dom,undef,1);
if (ref($domconfig{'ltitools'}) eq 'HASH') {
if (ref($encconfig{'ltitools'}) eq 'HASH') {
foreach my $id (keys(%{$domconfig{'ltitools'}})) {
@@ -311,16 +311,16 @@ sub handler {
print => \&print_defaults,
modify => \&modify_defaults,
},
- 'wafproxy' =>
- { text => 'Web Application Firewall/Reverse Proxy',
+ 'wafproxy' =>
+ { text => 'Web Application Firewall/Reverse Proxy',
help => 'Domain_Configuration_WAF_Proxy',
- header => [{col1 => 'Domain server',
- col2 => 'Alias for WAF/Reverse Proxy',
+ header => [{col1 => 'Domain(s)',
+ col2 => 'Servers and WAF/Reverse Proxy alias(es)',
},
- {col1 => 'Setting',
- col2 => 'Value',}],
+ {col1 => 'Domain(s)',
+ col2 => 'WAF Configuration',}],
print => \&print_wafproxy,
- modify => \&modify_wafproxy,
+ modify => \&modify_wafproxy,
},
'passwords' =>
{ text => 'Passwords (Internal authentication)',
@@ -855,6 +855,8 @@ sub print_config_box {
$output .= <i_javascript($settings);
} elsif ($action eq 'proctoring') {
$output .= &proctoring_javascript($settings);
+ } elsif ($action eq 'wafproxy') {
+ $output .= &wafproxy_javascript($dom);
}
$output .=
'
@@ -2844,6 +2846,121 @@ function toggleLTITools(form,setting,ite
ENDSCRIPT
}
+sub wafproxy_javascript {
+ my ($dom) = @_;
+ return <<"ENDSCRIPT";
+
+
+ENDSCRIPT
+}
+
sub proctoring_javascript {
my ($settings) = @_;
my (%ordered,$total,%jstext);
@@ -3781,18 +3898,17 @@ sub print_contacts {
\%choices,$rownum);
$datatable .= $reports;
} elsif ($position eq 'lower') {
- $css_class = $rownum%2?' class="LC_odd_row"':'';
- my ($threshold,$sysmail,%excluded,%weights);
+ my (%current,%excluded,%weights);
my ($defaults,$names) = &Apache::loncommon::lon_status_items();
if ($lonstatus{'threshold'} =~ /^\d+$/) {
- $threshold = $lonstatus{'threshold'};
+ $current{'errorthreshold'} = $lonstatus{'threshold'};
} else {
- $threshold = $defaults->{'threshold'};
+ $current{'errorthreshold'} = $defaults->{'threshold'};
}
if ($lonstatus{'sysmail'} =~ /^\d+$/) {
- $sysmail = $lonstatus{'sysmail'};
+ $current{'errorsysmail'} = $lonstatus{'sysmail'};
} else {
- $sysmail = $defaults->{'sysmail'};
+ $current{'errorsysmail'} = $defaults->{'sysmail'};
}
if (ref($lonstatus{'weights'}) eq 'HASH') {
foreach my $type ('E','W','N','U') {
@@ -3812,13 +3928,16 @@ sub print_contacts {
map {$excluded{$_} = 1; } @{$lonstatus{'excluded'}};
}
}
- $datatable .= ''.
- ''.
- $titles->{'errorthreshold'}.
- ' | '.
- ' |
';
- $rownum ++;
+ foreach my $item ('errorthreshold','errorsysmail') {
+ $css_class = $rownum%2?' class="LC_odd_row"':'';
+ $datatable .= ''.
+ ''.
+ $titles->{$item}.
+ ' | '.
+ ' |
';
+ $rownum ++;
+ }
$css_class = $rownum%2?' class="LC_odd_row"':'';
$datatable .= ''.
''.
@@ -3864,14 +3983,6 @@ sub print_contacts {
}
$datatable .= ' |
';
$rownum ++;
- $css_class = $rownum%2?' class="LC_odd_row"':'';
- $datatable .= ''.
- ''.
- $titles->{'errorsysmail'}.
- ' | '.
- ' |
';
- $rownum ++;
} elsif ($position eq 'bottom') {
my ($othertitle,$usertypes,$types) = &Apache::loncommon::sorted_inst_types($dom);
my (@posstypes,%usertypeshash);
@@ -6161,7 +6272,7 @@ sub print_coursedefaults {
my $currcanclone = 'none';
my $onclick;
my @cloneoptions = ('none','domain');
- my %clonetitles = (
+ my %clonetitles = &Apache::lonlocal::texthash (
none => 'No additional course requesters',
domain => "Any course requester in course's domain",
instcode => 'Course requests for official courses ...',
@@ -7184,121 +7295,247 @@ sub print_wafproxy {
my $itemcount = 0;
my $datatable;
my %servers = &Apache::lonnet::internet_dom_servers($dom);
- my (%othercontrol,%otherdoms,%aliases,%values,$setdom);
+ my (%othercontrol,%otherdoms,%aliases,%values,$setdom,$showdom);
my %lt = &wafproxy_titles();
foreach my $server (sort(keys(%servers))) {
my $serverhome = &Apache::lonnet::get_server_homeID($servers{$server});
+ next if ($serverhome eq '');
my $serverdom;
if ($serverhome ne $server) {
$serverdom = &Apache::lonnet::host_domain($serverhome);
- $othercontrol{$server} = $serverdom;
+ if (($serverdom ne '') && (&Apache::lonnet::domain($serverdom) ne '')) {
+ $othercontrol{$server} = $serverdom;
+ }
} else {
$serverdom = &Apache::lonnet::host_domain($server);
+ next if (($serverdom eq '') || (&Apache::lonnet::domain($serverdom) eq ''));
if ($serverdom ne $dom) {
$othercontrol{$server} = $serverdom;
} else {
$setdom = 1;
if (ref($settings) eq 'HASH') {
- %{$values{$dom}} = ();
if (ref($settings->{'alias'}) eq 'HASH') {
$aliases{$dom} = $settings->{'alias'};
- }
- foreach my $item ('ipheader','trusted','exempt') {
- $values{$dom}{$item} = $settings->{$item};
+ if ($aliases{$dom} ne '') {
+ $showdom = 1;
+ }
}
}
}
}
}
+ if ($setdom) {
+ %{$values{$dom}} = ();
+ if (ref($settings) eq 'HASH') {
+ foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext') {
+ $values{$dom}{$item} = $settings->{$item};
+ }
+ }
+ }
if (keys(%othercontrol)) {
%otherdoms = reverse(%othercontrol);
foreach my $domain (keys(%otherdoms)) {
%{$values{$domain}} = ();
my %config = &Apache::lonnet::get_dom('configuration',['wafproxy'],$domain);
- if (ref($config{$domain}) eq 'HASH') {
- if (ref($config{$domain}{'wafproxy'}) eq 'HASH') {
- $aliases{$domain} = $config{$domain}{'wafproxy'}{'alias'};
- foreach my $item ('ipheader','trusted','exempt') {
- $values{$domain}{$item} = $config{$domain}{'wafproxy'}{$item};
- }
+ if (ref($config{'wafproxy'}) eq 'HASH') {
+ $aliases{$domain} = $config{'wafproxy'}{'alias'};
+ foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext') {
+ $values{$domain}{$item} = $config{'wafproxy'}{$item};
}
}
}
}
if ($position eq 'top') {
my %servers = &Apache::lonnet::internet_dom_servers($dom);
+ my %aliasinfo;
foreach my $server (sort(keys(%servers))) {
- $itemcount ++;
- $css_class = $itemcount%2 ? ' class="LC_odd_row"' : '';
- $datatable .= ''.
- ''.&mt('Hostname').': '.
- &Apache::lonnet::hostname($server).' | '.
- '';
+ $itemcount ++;
+ my $dom_in_effect;
+ my $aliasrows = ' |
'.
+ ''.
+ &mt('Hostname').': '.
+ ''.&Apache::lonnet::hostname($server).' | | ';
if ($othercontrol{$server}) {
+ $dom_in_effect = $othercontrol{$server};
my $current;
- if (ref($aliases{$othercontrol{$server}}) eq 'HASH') {
- $current = $aliases{$othercontrol{$server}{$server}};
+ if (ref($aliases{$dom_in_effect}) eq 'HASH') {
+ $current = $aliases{$dom_in_effect}{$server};
}
+ $aliasrows .= ''.
+ &mt('Alias').': ';
if ($current) {
- $datatable .= $current;
+ $aliasrows .= $current;
} else {
- $datatable .= &mt('None in effect');
+ $aliasrows .= &mt('None');
}
- $datatable .= ' ('.
- &mt('WAF/Reverse Proxy controlled by domain: [_1]',
- ''.$othercontrol{$server}.'').'';
+ $aliasrows .= ' ('.
+ &mt('controlled by domain: [_1]',
+ ''.$dom_in_effect.'').') | ';
} else {
+ $dom_in_effect = $dom;
my $current;
if (ref($aliases{$dom}) eq 'HASH') {
if ($aliases{$dom}{$server}) {
$current = $aliases{$dom}{$server};
}
}
- $datatable .= '';
+ $aliasrows .= ''.
+ &mt('Alias').': '.
+ ' | ';
+ }
+ $aliasrows .= '
';
+ $aliasinfo{$dom_in_effect} .= $aliasrows;
+ }
+ if ($aliasinfo{$dom}) {
+ my ($onclick,$wafon,$wafoff,$showtable);
+ $onclick = ' onclick="javascript:toggleWAF();"';
+ $wafoff = ' checked="checked"';
+ $showtable = ' style="display:none";';
+ if ($showdom) {
+ $wafon = $wafoff;
+ $wafoff = '';
+ $showtable = ' style="display:inline;"';
+ }
+ $css_class = $itemcount%2 ? ' class="LC_odd_row"' : '';
+ $datatable = ''.
+ ''.&mt('Domain: [_1]',''.$dom.'').' '.
+ ''.&mt('WAF in use?').' '.(' 'x2).' | '.
+ ''.
+ ' |
';
+ $itemcount++;
+ }
+ if (keys(%otherdoms)) {
+ foreach my $key (sort(keys(%otherdoms))) {
+ $css_class = $itemcount%2 ? ' class="LC_odd_row"' : '';
+ $datatable .= ''.
+ ''.&mt('Domain: [_1]',''.$key.'').' | '.
+ ' |
';
+ $itemcount++;
}
- $datatable .= '';
}
} else {
+ my %ip_methods = &remoteip_methods();
if ($setdom) {
$itemcount ++;
$css_class = $itemcount%2 ? ' class="LC_odd_row"' : '';
- $datatable .= ''.
+ my ($nowafstyle,$wafstyle,$curr_remotip,$currwafdisplay,$vpndircheck,$vpnaliascheck,
+ $currwafvpn,$wafrangestyle,$alltossl,$ssltossl);
+ $wafstyle = ' style="display:none;"';
+ $nowafstyle = ' style="display:table-row;"';
+ $currwafdisplay = ' style="display: none"';
+ $wafrangestyle = ' style="display: none"';
+ $curr_remotip = 'n';
+ $ssltossl = ' checked="checked"';
+ if ($showdom) {
+ $wafstyle = ' style="display:table-row;"';
+ $nowafstyle = ' style="display:none;"';
+ if (keys(%{$values{$dom}})) {
+ if ($values{$dom}{remoteip} =~ /^[nmh]$/) {
+ $curr_remotip = $values{$dom}{remoteip};
+ }
+ if ($curr_remotip eq 'h') {
+ $currwafdisplay = ' style="display:table-row"';
+ $wafrangestyle = ' style="display:inline-block;"';
+ }
+ if ($values{$dom}{'sslopt'}) {
+ $alltossl = ' checked="checked"';
+ $ssltossl = '';
+ }
+ }
+ if (($values{$dom}{'vpnint'} ne '') || ($values{$dom}{'vpnext'} ne '')) {
+ $vpndircheck = ' checked="checked"';
+ $currwafvpn = ' style="display:table-row;"';
+ $wafrangestyle = ' style="display:inline-block;"';
+ } else {
+ $vpnaliascheck = ' checked="checked"';
+ $currwafvpn = ' style="display:none;"';
+ }
+ }
+ $datatable .= '
'.
+ ''.&mt('Domain: [_1]',''.$dom.'').' | '.
+ ''.&mt('WAF not in use, nothing to set').' | '.
+ '
'.
+ ''.
''.&mt('Domain: [_1]',''.$dom.'').'
'.
- &mt('Format for comma separated IP blocks').': '.
- &mt('A.B.C.D/N or A.B.C.D - E.F.G.H').' | '.
- ' |
';
+ ''.&mt('Format for comma separated IP ranges').':
'.
+ &mt('A.B.C.D/N or A.B.C.D-E.F.G.H').'
'.
+ ' | ';
}
if (keys(%otherdoms)) {
foreach my $domain (sort(keys(%otherdoms))) {
$itemcount ++;
$css_class = $itemcount%2 ? ' class="LC_odd_row"' : '';
$datatable .= ''.
- ''.&mt('Domain: [_1]',$domain).' | '.
+ ''.&mt('Domain: [_1]',''.$domain.'').' | '.
'';
- foreach my $item ('ipheader','trusted','exempt') {
+ foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext','sslopt') {
my $showval = &mt('None');
+ if ($item eq 'ssl') {
+ $showval = $lt{'ssltossl'};
+ }
if ($values{$domain}{$item}) {
- $showval = $values{$domain}{$item};
+ $showval = $values{$domain}{$item};
+ if ($item eq 'ssl') {
+ $showval = $lt{'alltossl'};
+ } elsif ($item eq 'remoteip') {
+ $showval = $ip_methods{$values{$domain}{$item}};
+ }
}
$datatable .= ''.
''.$lt{$item}.': '.$showval.' | ';
}
- $datatable .= ' |
';
+ $datatable .= '';
}
}
}
@@ -7308,9 +7545,25 @@ sub print_wafproxy {
sub wafproxy_titles {
return &Apache::lonlocal::texthash(
- exempt => 'Exempt IP range(s)',
- trusted => 'Trusted IP range(s)',
- ipheader => 'Custom request header',
+ remoteip => "Method for determining user's IP",
+ ipheader => 'Request header containing remote IP',
+ trusted => 'Trusted IP range(s)',
+ vpnaccess => 'Access from institutional VPN',
+ vpndirect => 'via regular hostname (no WAF)',
+ vpnaliased => 'via aliased hostname (WAF)',
+ vpnint => 'Internal IP Range(s) for VPN sessions',
+ vpnext => 'IP Range(s) for backend WAF connections',
+ sslopt => 'Forwarding http/https',
+ alltossl => 'WAF forwards both http and https requests to https',
+ ssltossl => 'WAF forwards http requests to http and https to https',
+ );
+}
+
+sub remoteip_methods {
+ return &Apache::lonlocal::texthash(
+ m => 'Use Apache mod_remoteip',
+ h => 'Use headers parsed by LON-CAPA',
+ n => 'Not in use',
);
}
@@ -8349,8 +8602,8 @@ sub contact_titles {
'updatesmail' => 'E-mail from nightly check of LON-CAPA module integrity/updates',
'idconflictsmail' => 'E-mail from bi-nightly check for multiple users sharing same student/employee ID',
'hostipmail' => 'E-mail from nightly check of hostname/IP network changes',
- 'errorthreshold' => 'Error/warning threshold for status e-mail',
- 'errorsysmail' => 'Error threshold for e-mail to core group',
+ 'errorthreshold' => 'Error count threshold for status e-mail to admin(s)',
+ 'errorsysmail' => 'Error count threshold for e-mail to developer group',
'errorweights' => 'Weights used to compute error count',
'errorexcluded' => 'Servers with unsent updates excluded from count',
);
@@ -9400,7 +9653,7 @@ sub print_defaults {
$datatable .= ' '.&mt('Internal ID:').' '.$item.' '.
''.
&mt('delete').''.
- ''.&mt('Name displayed:').
+ ' | '.&mt('Name displayed').':'.
''.
' | ';
}
@@ -9420,7 +9673,7 @@ sub print_defaults {
''.
' '.&mt('(new)').
''.
- &mt('Name displayed:').
+ &mt('Name displayed').':'.
' | '.
''."\n";
$rownum ++;
@@ -10429,7 +10682,7 @@ ENDSCRIPT
sub initialize_categories {
my ($itemcount) = @_;
my ($datatable,$css_class,$chgstr);
- my %default_names = (
+ my %default_names = &Apache::lonlocal::texthash (
instcode => 'Official courses (with institutional codes)',
communities => 'Communities',
placement => 'Placement Tests',
@@ -13274,7 +13527,7 @@ sub modify_ltitools {
my %ltienchash = (
$action => { %encconfig }
);
- &Apache::lonnet::put_dom('encconfig',\%ltienchash,$dom);
+ &Apache::lonnet::put_dom('encconfig',\%ltienchash,$dom,undef,1);
if (keys(%changes) > 0) {
my $cachetime = 24*60*60;
my %ltiall = %confhash;
@@ -13848,7 +14101,7 @@ sub modify_proctoring {
my %proc_enchash = (
$action => { %encconfhash }
);
- &Apache::lonnet::put_dom('encconfig',\%proc_enchash,$dom);
+ &Apache::lonnet::put_dom('encconfig',\%proc_enchash,$dom,undef,1);
if (keys(%changes) > 0) {
my $cachetime = 24*60*60;
my %procall = %confhash;
@@ -14340,7 +14593,7 @@ sub modify_lti {
my %ltienchash = (
$action => { %encconfig }
);
- &Apache::lonnet::put_dom('encconfig',\%ltienchash,$dom);
+ &Apache::lonnet::put_dom('encconfig',\%ltienchash,$dom,undef,1);
if (keys(%changes) > 0) {
my $cachetime = 24*60*60;
my %ltiall = %confhash;
@@ -15204,7 +15457,7 @@ sub modify_contacts {
$contacts_hash{'contacts'}{'lonstatus'}{$item} = \@excluded;
}
} elsif ($item eq 'weights') {
- foreach my $type ('E','W','N') {
+ foreach my $type ('E','W','N','U') {
$env{'form.error'.$item.'_'.$type} =~ s/^\s+|\s+$//g;
if ($env{'form.error'.$item.'_'.$type} =~ /^\d+$/) {
unless ($env{'form.error'.$item.'_'.$type} == $lonstatus_defs->{$type}) {
@@ -16371,7 +16624,7 @@ sub modify_passwords {
$resulttext .= ''.&mt('E-mail address(es) in LON-CAPA used for verification will include: [_1]',join(', ',map { $titles{$_}; } @{$staticdefaults{'resetemail'}})).'';
}
} else {
- $resulttext .= ''.&mt('E-mail address(es) in LON-CAPA usedfor verification will include: [_1]',join(', ',map { $titles{$_}; } @{$staticdefaults{'resetemail'}})).'';
+ $resulttext .= ''.&mt('E-mail address(es) in LON-CAPA used for verification will include: [_1]',join(', ',map { $titles{$_}; } @{$staticdefaults{'resetemail'}})).'';
}
if ($confighash{'passwords'}{'resetremove'}) {
$resulttext .= ''.&mt('Preamble to "Forgot Password" web form not shown').'';
@@ -19587,26 +19840,33 @@ sub modify_wafproxy {
my $serverdom = &Apache::lonnet::host_domain($server);
if ($serverdom eq $dom) {
$canset{$server} = 1;
- if (ref($domconfig{'wafproxy'}) eq 'HASH') {
- %{$values{$dom}} = ();
- if (ref($domconfig{'wafproxy'}{'alias'}) eq 'HASH') {
- %curralias = %{$domconfig{'wafproxy'}{'alias'}};
- }
- foreach my $item ('ipheader','trusted','exempt') {
- $currvalue{$item} = $domconfig{'wafproxy'}{$item};
- }
- }
}
}
}
+ if (ref($domconfig{'wafproxy'}) eq 'HASH') {
+ %{$values{$dom}} = ();
+ if (ref($domconfig{'wafproxy'}{'alias'}) eq 'HASH') {
+ %curralias = %{$domconfig{'wafproxy'}{'alias'}};
+ }
+ foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext','sslopt') {
+ $currvalue{$item} = $domconfig{'wafproxy'}{$item};
+ }
+ }
my $output;
if (keys(%canset)) {
%{$wafproxy{'alias'}} = ();
foreach my $key (sort(keys(%canset))) {
- $wafproxy{'alias'}{$key} = $env{'form.wafproxy_alias_'.$key};
- $wafproxy{'alias'}{$key} =~ s/^\s+|\s+$//g;
- if ($wafproxy{'alias'}{$key} ne $curralias{$key}) {
- $changes{'alias'} = 1;
+ if ($env{'form.wafproxy_'.$dom}) {
+ $wafproxy{'alias'}{$key} = $env{'form.wafproxy_alias_'.$key};
+ $wafproxy{'alias'}{$key} =~ s/^\s+|\s+$//g;
+ if ($wafproxy{'alias'}{$key} ne $curralias{$key}) {
+ $changes{'alias'} = 1;
+ }
+ } else {
+ $wafproxy{'alias'}{$key} = '';
+ if ($curralias{$key}) {
+ $changes{'alias'} = 1;
+ }
}
if ($wafproxy{'alias'}{$key} eq '') {
if ($curralias{$key}) {
@@ -19621,21 +19881,43 @@ sub modify_wafproxy {
# Localization for values in %warn occus in &mt() calls separately.
my %warn = (
trusted => 'trusted IP range(s)',
- exempt => 'exempt IP range(s)',
+ vpnint => 'internal IP range(s) for VPN sessions(s)',
+ vpnext => 'IP range(s) for backend WAF connections',
);
- foreach my $item ('ipheader','trusted','exempt') {
+ foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext','sslopt') {
my $possible = $env{'form.wafproxy_'.$item};
$possible =~ s/^\s+|\s+$//g;
if ($possible ne '') {
- if ($item eq 'ipheader') {
- $wafproxy{$item} = $possible;
+ if ($item eq 'remoteip') {
+ if ($possible =~ /^[mhn]$/) {
+ $wafproxy{$item} = $possible;
+ }
+ } elsif ($item eq 'ipheader') {
+ if ($wafproxy{'remoteip'} eq 'h') {
+ $wafproxy{$item} = $possible;
+ }
+ } elsif ($item eq 'sslopt') {
+ if ($possible =~ /^0|1$/) {
+ $wafproxy{$item} = $possible;
+ }
} else {
my (@ok,$count);
- $possible =~ s/[\r\n]+/\s/g;
- $possible =~ s/\s*-\s*/-/g;
- $possible =~ s/\s+/,/g;
+ if (($item eq 'vpnint') || ($item eq 'vpnext')) {
+ unless ($env{'form.wafproxy_vpnaccess'}) {
+ $possible = '';
+ }
+ } elsif ($item eq 'trusted') {
+ unless ($wafproxy{'remoteip'} eq 'h') {
+ $possible = '';
+ }
+ }
+ unless ($possible eq '') {
+ $possible =~ s/[\r\n]+/\s/g;
+ $possible =~ s/\s*-\s*/-/g;
+ $possible =~ s/\s+/,/g;
+ }
$count = 0;
- if ($possible) {
+ if ($possible ne '') {
foreach my $poss (split(/\,/,$possible)) {
$count ++;
if (&validate_ip_pattern($poss)) {
@@ -19652,15 +19934,22 @@ sub modify_wafproxy {
$diff,$warn{$item}).
'');
}
- if ($wafproxy{$item} ne $currvalue{$item}) {
- $changes{$item} = 1;
- }
}
}
- } else {
- if ($currvalue{$item}) {
+ if ($wafproxy{$item} ne $currvalue{$item}) {
$changes{$item} = 1;
}
+ } elsif ($currvalue{$item}) {
+ $changes{$item} = 1;
+ }
+ }
+ } else {
+ if (keys(%curralias)) {
+ $changes{'alias'} = 1;
+ }
+ if (keys(%currvalue)) {
+ foreach my $key (keys(%currvalue)) {
+ $changes{$key} = 1;
}
}
}
@@ -19673,7 +19962,7 @@ sub modify_wafproxy {
if ($putresult eq 'ok') {
my $cachetime = 24*60*60;
my (%domdefaults,$updatedomdefs);
- foreach my $item ('ipheader','trusted','exempt') {
+ foreach my $item ('ipheader','trusted','vpnint','vpnext','sslopt') {
if ($changes{$item}) {
unless ($updatedomdefs) {
%domdefaults = &Apache::lonnet::get_domain_defaults($dom);
@@ -19710,7 +19999,7 @@ sub modify_wafproxy {
}
}
$output = &mt('Changes were made to Web Application Firewall/Reverse Proxy').'';
- foreach my $item ('alias','ipheader','trusted','exempt') {
+ foreach my $item ('alias','remoteip','ipheader','trusted','vpnint','vpnext','sslopt') {
if ($changes{$item}) {
if ($item eq 'alias') {
my $numaliased = 0;
@@ -19733,26 +20022,52 @@ sub modify_wafproxy {
$output .= '- '.&mt('Aliases deleted for hostnames').'
';
}
} else {
- if ($item eq 'ipheader') {
+ if ($item eq 'remoteip') {
+ my %ip_methods = &remoteip_methods();
+ if ($wafproxy{$item} =~ /^[mh]$/) {
+ $output .= '- '.&mt("Method for determining user's IP set to: [_1]",
+ $ip_methods{$wafproxy{$item}}).'
';
+ } else {
+ if (($env{'form.wafproxy_'.$dom}) && (ref($wafproxy{'alias'}) eq 'HASH')) {
+ $output .= '- '.&mt("No method in use to get user's real IP (will report IP used by WAF).").
+ '
';
+ } else {
+ $output .= '- '.&mt('WAF/Reverse Proxy not in use').'
';
+ }
+ }
+ } elsif ($item eq 'ipheader') {
if ($wafproxy{$item}) {
- $output .= '- '.&mt('Custom request header set to [_1]',
+ $output .= '
- '.&mt('Request header with remote IP set to: [_1]',
$wafproxy{$item}).'
';
} else {
- $output .= '- '.&mt('Custom request header deleted').'
';
+ $output .= '- '.&mt('Request header with remote IP deleted').'
';
}
} elsif ($item eq 'trusted') {
if ($wafproxy{$item}) {
- $output .= '- '.&mt('Trusted IP range(s) set to [_1]',
+ $output .= '
- '.&mt('Trusted IP range(s) set to: [_1]',
$wafproxy{$item}).'
';
} else {
$output .= '- '.&mt('Trusted IP range(s) deleted').'
';
}
- } elsif ($item eq 'exempt') {
+ } elsif ($item eq 'vpnint') {
if ($wafproxy{$item}) {
- $output .= '- '.&mt('Exempt IP range(s) set to [_1]',
+ $output .= '
- '.&mt('Internal IP Range(s) for VPN sessions set to: [_1]',
$wafproxy{$item}).'
';
} else {
- $output .= '- '.&mt('Exempt IP range(s) deleted').'
';
+ $output .= '- '.&mt('Internal IP Range(s) for VPN sessions deleted').'
';
+ }
+ } elsif ($item eq 'vpnext') {
+ if ($wafproxy{$item}) {
+ $output .= '- '.&mt('IP Range(s) for backend WAF connections set to: [_1]',
+ $wafproxy{$item}).'
';
+ } else {
+ $output .= '- '.&mt('IP Range(s) for backend WAF connections deleted').'
';
+ }
+ } elsif ($item eq 'sslopt') {
+ if ($wafproxy{$item}) {
+ $output .= '- '.&mt('WAF/Reverse Proxy expected to forward requests to https on LON-CAPA node, regardless of original protocol in web browser (http or https).').'
';
+ } else {
+ $output .= '- '.&mt('WAF/Reverse Proxy expected to preserve original protocol in web browser (either http or https) when forwarding to LON-CAPA node.').'
';
}
}
}
@@ -20721,24 +21036,24 @@ sub modify_loadbalancing {
$resulttext .= '- '.&mt('Load Balancer: [_1] -- cookie use enabled',
$balancer).'
';
}
- if (keys(%toupdate)) {
- my %thismachine;
- my $updatedhere;
- my $cachetime = 60*60*24;
- map { $thismachine{$_} = 1; } &Apache::lonnet::current_machine_ids();
- foreach my $lonhost (keys(%toupdate)) {
- if ($thismachine{$lonhost}) {
- unless ($updatedhere) {
- &Apache::lonnet::do_cache_new('loadbalancing',$dom,
- $defaultshash{'loadbalancing'},
- $cachetime);
- $updatedhere = 1;
- }
- } else {
- my $cachekey = &escape('loadbalancing').':'.&escape($dom);
- &Apache::lonnet::remote_devalidate_cache($lonhost,[$cachekey]);
- }
+ }
+ }
+ if (keys(%toupdate)) {
+ my %thismachine;
+ my $updatedhere;
+ my $cachetime = 60*60*24;
+ map { $thismachine{$_} = 1; } &Apache::lonnet::current_machine_ids();
+ foreach my $lonhost (keys(%toupdate)) {
+ if ($thismachine{$lonhost}) {
+ unless ($updatedhere) {
+ &Apache::lonnet::do_cache_new('loadbalancing',$dom,
+ $defaultshash{'loadbalancing'},
+ $cachetime);
+ $updatedhere = 1;
}
+ } else {
+ my $cachekey = &escape('loadbalancing').':'.&escape($dom);
+ &Apache::lonnet::remote_devalidate_cache($lonhost,[$cachekey]);
}
}
}