--- doc/loncapafiles/webserver.piml 2002/02/02 14:45:40 1.4 +++ doc/loncapafiles/webserver.piml 2020/09/06 18:13:11 1.53 @@ -1,7 +1,8 @@ + - - + -/abc/ +/ @@ -44,112 +45,274 @@ http://www.lon-capa.org/ /etc/httpd/conf/httpd.conf -This is always expected for any version of Apache +/etc/httpd/httpd.conf +/etc/apache2/default-server.conf +/etc/apache2/sites-available/loncapa +/etc/apache2/conf-available/loncapa +This is for Apache 1.X for Red Hat 4ES, Fedora 2, 3 and 4, SusSE 9.2 and 9.3, and SLES 9 distributions. This is for Apache 2.X for Fedora 5, Red Hat 5, CentOS 5, Scientific Linux 5, Oracle Linux 5, SuSE 10.1, SLES 10, Debian 5, Ubuntu LTS 8 and later distributions /etc/httpd/conf/httpd.conf - + +/etc/httpd/httpd.conf + + +/etc/apache2/sites-available/loncapa + + +/etc/apache2/conf-available/loncapa + + +/etc/apache2/default-server.conf + + +# Generated from doc/loncapafiles/webserver.piml +use Socket; +use Sys::Hostname::FQDN(); unless (-e "") { - print 'ERROR! httpd.conf should exist! Are you missing the Apache '. - 'software package'; + print '**** ERROR! should exist! Are you missing the Apache '. + 'software package?'; + exit(1); } else { + # Append loncapa_apache.conf inclusion to httpd.conf + # (or sites-available/loncapa or conf-available/loncapa) if not present. $flag=0; - open IN, "<"; - while (<IN>) { if (/^\s*Include\s+conf\/srm.conf/) { $flag=1; } } - close IN; - unless ($flag==0) { - open OUT,">>"; - print OUT 'Include conf/srm.conf'."\n"; - close OUT; + open(IN,'<'); + while (<IN>) { + if (/^\s*Include\s+conf\/loncapa_apache.conf/) { + $flag=1; + } } - $flag=0; - open IN, "<"; - while (<IN>) { if (/^\s*Include\s+conf\/access.conf/) { $flag=1; } } - close IN; - unless ($flag==0) { - open OUT,">>"; - print OUT 'Include conf/access.conf'."\n"; - close OUT; + close(IN); + unless ($flag==1) { + open(OUT,'>>'); + print(OUT 'Include conf/loncapa_apache.conf'."\n"); + close(OUT); } + # Remove loncapa.conf inclusion from httpd.conf + # (or sites-available/loncapa or conf-available/loncapa) if present. $flag=0; - my $eflag=0; - open IN, "<"; - while (<IN>) { + open(IN,'<'); + while (<IN>) { if (/^\s*Include\s+conf\/loncapa.conf/) { - $flag=1; + $flag=1; } } - close IN; - unless ($flag==0) { - open OUT,">>"; - print OUT 'Include conf/loncapa.conf'."\n"; - close OUT; + close(IN); + $in=''; + if ($flag==1) { + open(IN,'<'); + while(<IN>) { + $in.=$_ unless /^\s*Include\s+conf\/loncapa.conf/; + } + close(IN); + open(OUT,'>'); + print(OUT $in."\n"); + close(OUT); } -} - - - -/etc/httpd/conf/access.conf -This may or may not exist on a system depending on the version of -Apache - -/etc/httpd/conf/access.conf - - -unless (-e "") { - print <<; -WARNING! access.conf is not currently present on your system. -This is either due to -* you are missing the Apache software package, -* you have a newer version of Apache that does not - ordinarily install an access.conf -* configuration files are installed in a directory location - different than for -For backwards compatibility, - is being generated. -END -} -my $flag=0; -open IN, "<"; -while (<IN>) { if (/^\s*Include\s+conf\/loncapa.conf/) { $flag=1; } } -close IN; -unless ($flag==0) { -open OUT,">>"; -print OUT 'Include conf/loncapa.conf'."\n"; -close OUT; -} - - - -/etc/httpd/conf/srm.conf -This may or may not exist on a system depending on the version of -Apache - -/etc/httpd/conf/srm.conf - - -unless (-e "") { - print <<; -WARNING! srm.conf is not currently present on your system. -This is either due to -* you are missing the Apache software package, -* you have a newer version of Apache that does not - ordinarily install an srm.conf -* configuration files are installed in a directory location - different than for -For backwards compatibility, - is being generated. -END -} -my $flag=0; -open IN, "<"; -while (<IN>) { if (/^\s*Include\s+conf\/loncapa.conf/) { $flag=1; } } -close IN; -unless ($flag==0) { -open OUT,">>"; -print OUT 'Include conf/loncapa.conf'."\n"; -close OUT; + +# Checking for overlapping ScriptAlias and DocumentRoot definitions. + $scriptalias_flag=0; + $documentroot_flag=0; + my $scriptalias; + my $documentroot; + open(IN,'<'); + while (<IN>) { + if (m!^\s*ScriptAlias\s+/cgi-bin/\s+(.*)$!) { + $scriptalias = $1; + if ($scriptalias !~ m!home/httpd/cgi-bin!) { + $scriptalias_flag = 1; + } + } + if (m!^\s*DocumentRoot\s+(.*)$!) { + $documentroot = $1; + if ($documentroot !~ m!home/httpd/html!) { + $documentroot_flag = 1; + } + } + } + close(IN); + if ($scriptalias_flag==1) { + my $conffile = '/etc/httpd/conf/httpd.conf'; + if ('' eq 'suse9.2' || '' eq 'suse9.3' + || '' eq 'sles9') { + $conffile = '/etc/httpd/httpd.conf'; + } elsif ('' =~ /^(suse|sles)/) { + $conffile = '/etc/apache2/default-server.conf'; + } elsif ('' =~ /^(debian|ubuntu)/) { + $conffile = '/etc/apache2/sites-available/loncapa'; + } + print('**** ERROR **** '.$conffile.' has an overlapping definition of '. + 'ScriptAlias (it is incorrectly set to '.$scriptalias.').'."\n". + 'This conflicts with loncapa_apache.conf.'."\n"); + } + if ($documentroot_flag==1) { + print('**** ERROR **** '.$conffile.' has an overlapping definition of '. + 'DocumentRoot (it is incorrectly set to '.$documentroot.').'."\n". + 'This conflicts with loncapa_apache.conf.'."\n"); + } + +# Checking for rewrites of http:// to https:// + my $rewrite_dir = '/etc/httpd/conf/rewrites'; + my $curr_rewrite = '/etc/httpd/conf/loncapa_rewrite.conf'; + if ('' eq 'suse9.2' || '' eq 'suse9.3' + || '' eq 'sles9') { + $rewrite_dir = '/etc/httpd/rewrites/'; + $curr_rewrite = '/etc/httpd/loncapa_rewrite.conf'; + } elsif ('' =~ /^(suse|sles|debian|ubuntu)/) { + $rewrite_dir = '/etc/apache2/rewrites'; + $curr_rewrite = '/etc/apache2/loncapa_rewrite.conf'; + } + my $rewrite_off = $rewrite_dir.'/loncapa_rewrite_off.conf'; + my $rewrite_on = $rewrite_dir.'/loncapa_rewrite_on.conf'; + if (!-e $curr_rewrite) { + system("cp $rewrite_off $curr_rewrite"); + chmod(0644, $curr_rewrite); + } else { + my ($not_rewrite_on,$not_rewrite_off,$rewrite_state); + if (open(PIPE, "diff --brief $rewrite_off $curr_rewrite |")) { + my $diffres = <PIPE> ; + close(PIPE); + chomp($diffres); + if ($diffres) { + $not_rewrite_off = 1; + } else { + $rewrite_state = 'off'; + } + } + if (open(PIPE, "diff --brief $rewrite_on $curr_rewrite |")) { + my $diffres = <PIPE> ; + close(PIPE); + chomp($diffres); + if ($diffres) { + $not_rewrite_on = 1; + } else { + $rewrite_state = 'on'; + } + } + if ($not_rewrite_off && $not_rewrite_on) { + print('**** WARNING **** '."\n".$curr_rewrite.' does not match '. + 'either:'."\n".$rewrite_on.' - the file used to enable rewriting '. + 'of requests for http:// to https:// '."\n".'or:'."\n".$rewrite_off. + ' - the file used to disable such rewriting'."\n\n". + 'This may be because '. $curr_rewrite.' has been '. + 'previously customized,'."\n".'or it may be because of a change '. + 'to the files in '.$rewrite_dir."\n"); + if (open(my $fh,'<',$curr_rewrite)) { + while(<$fh>) { + if (/^\s*RewriteEngine\s+(on|off)\s*$/i) { + if ($1 eq 'on') { + $rewrite_state = 'on'; + } else { + $rewrite_state = 'off'; + } + last; + } + } + } + } + if ($rewrite_state eq 'on') { + # Checking for rewrites of https:// to http:// + my ($gotrules,$rulestr,$ssldir); + if ('' eq 'suse9.2' || '' eq 'suse9.3' + || '' eq 'sles9') { + $ssldir = '/etc/apache/vhosts.d'; + } elsif ('' =~ /^(suse|sles)/) { + $ssldir = '/etc/apache2/vhosts.d'; + } elsif ('' =~ /^(debian|ubuntu)/) { + $ssldir = '/etc/apache2/sites-available'; + } else { + $ssldir = '/etc/httpd/conf.d'; + } + my $hostname = Sys::Hostname::FQDN::fqdn(); + my $hostip = Socket::inet_ntoa(scalar(gethostbyname($hostname)) || 'localhost'); + my @expected = ('RewriteEngine on', + 'RewriteCond %{HTTPS} =on', + 'RewriteCond %{REQUEST_URI} ^/adm/wrapper/ext/(?!https:)', + 'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)', + 'RewriteRule ^/adm/wrapper/ext/(?!https:) http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]', + 'RewriteCond %{REMOTE_ADDR} 127.0.0.1', + 'RewriteRule (.*) - [L]'); + if (($hostip ne '') && ($hostip ne '127.0.0.1')) { + push(@expected,('RewriteCond %{REMOTE_ADDR} '.$hostip, + 'RewriteRule (.*) - [L]')); + } + push(@expected,('RewriteCond %{REQUEST_URI} ^/public/.*/syllabus$', + 'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)', + 'RewriteRule ^/public/.*/syllabus$ http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]')); + if (-d $ssldir) { + my @rewrites; + if (opendir(my $dir,$ssldir)) { + my @sslconf_files; + foreach my $file (!grep(/^\.$/,readdir($dir))) { + if (open(my $fh,'<',"$ssldir/$file")) { + while (<$fh>) { + if (/^\s*<VirtualHost\s+[^:]*\:443>\s*$/) { + push(@sslconf_files,$file); + last; + } + } + close($fh); + } + } + if (@sslconf_files) { + my @rewrites; + foreach my $file (@sslconf_files) { + if (open(my $fh,'<',"$ssldir/$file")) { + my ($rewrite,$num) = (0,0); + while (<$fh>) { + if ($rewrite) { + if (/\s*<\/IfModule>/) { + $rewrite = 0; + $num ++; + } else { + chomp(); + s/^(\s+|\s+)$//g; + push(@{$rewrites[$num]},$_); + } + } elsif (/^\s*<IfModule\s+mod_rewrite.c>/) { + $rewrite = 1; + } + } + close($fh); + } + } + } + closedir($dir); + } + if (@rewrites) { + foreach my $item (@rewrites) { + if (ref($item) eq 'ARRAY') { + my $found = 0; + foreach my $line (@{$item}) { + foreach my $match (@expected) { + if ($match eq $line) { + $found ++; + last; + } + } + } + if ($found >= @expected) { + $gotrules = 1; + last; + } + } + } + } + } + unless ($gotrules) { + print('**** WARNING **** '."\n".$curr_rewrite.' is currently set so rewrites '. + 'of http to https are enabled for most URLs.'."\n". + 'Unless your Apache configuration includes Strict-Transport-Security '. + '(with max-age > 0), it is recommended to also set rewrites from https to http '. + 'for specific URLs in a file in '.$ssldir.' by including the following:'."\n". + "<IfModule mod_rewrite.c>\n".' '. + join("\n ",@expected)."\n". + "</IfModule>\n"); + } + } + } }