<!DOCTYPE piml PUBLIC "-//TUX/DTD piml 1.0 Final//EN"
"http://lpml.sourceforge.net/DTD/piml.dtd">
<!-- webserver.piml -->
<!-- $Id: webserver.piml,v 1.62 2024/08/05 15:45:16 raeburn Exp $ -->
<!--
Copyright Michigan State University Board of Trustees
This file is part of the LearningOnline Network with CAPA (LON-CAPA).
LON-CAPA is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
LON-CAPA is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with LON-CAPA; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
/home/httpd/html/adm/gpl.txt
http://www.lon-capa.org/
-->
<!-- Default values must be defined before specific values. -->
<!-- If no 'dist' attribute is specified, then it is always installed. -->
<!-- If 'dist' attribute is set to 'default', then the specification. -->
<!-- is accepted if an alternative distribution is not requested or not -->
<!-- defined. -->
<piml>
<targetroot>/</targetroot>
<specialnotices>
<specialnotice>
</specialnotice>
</specialnotices>
<files>
<file>
<target dist='default'>/etc/httpd/conf/httpd.conf</target>
<target dist='suse9.2 suse9.3 sles9'>/etc/httpd/httpd.conf</target>
<target dist='sles10 sles11 sles12 sles15 suse10.1 suse10.2 suse10.3 suse11.1 suse11.2 suse11.3 suse11.4 suse12.1 suse12.2 suse12.3 suse13.1 suse13.2'>/etc/apache2/default-server.conf</target>
<target dist='debian5 debian6 ubuntu6 ubuntu8 ubuntu10 ubuntu12'>/etc/apache2/sites-available/loncapa</target>
<target dist='debian10 debian11 debian12 ubuntu14 ubuntu16 ubuntu18 ubuntu20 ubuntu22 ubuntu24'>/etc/apache2/conf-available/loncapa.conf</target>
<note>This is for Apache 1.X for Red Hat 4ES, Fedora 2, 3 and 4, SusSE 9.2 and 9.3, and SLES 9 distributions. This is for Apache 2.X for Fedora 5, Red Hat 5, CentOS 5, Scientific Linux 5, Oracle Linux 5, SuSE 10.1, SLES 10, Debian 5, Ubuntu LTS 8 and later distributions</note>
<dependencies dist='default'>
/etc/httpd/conf/httpd.conf
</dependencies>
<dependencies dist='suse9.2 suse9.3 sles9'>
/etc/httpd/httpd.conf
</dependencies>
<dependencies dist='debian5 debian6 ubuntu6 ubuntu8 ubuntu10 ubuntu12'>
/etc/apache2/sites-available/loncapa
</dependencies>
<dependencies dist='debian10 debian11 debian12 ubuntu14 ubuntu16 ubuntu18 ubuntu20 ubuntu22 ubuntu24'>
/etc/apache2/conf-available/loncapa.conf
</dependencies>
<dependencies dist='sles10 sles11 sles12 sles15 suse10.1 suse10.2 suse10.3 suse11.1 suse11.2 suse11.3 suse11.4 suse12.1 suse12.2 suse12.3 suse13.1 suse13.2'>
/etc/apache2/default-server.conf
</dependencies>
<perlscript mode='fg' dist="default">
# Generated from doc/loncapafiles/webserver.piml
use Socket;
use Sys::Hostname::FQDN();
use File::Spec;
use Cwd();
# For ubuntu 14 and later check for loncapa.conf in sites-available,
# and conf-available, and for symlinks in sites-enabled, and conf-enabled
if ('<DIST />' =~ /^ubuntu(\d+)$/) {
my $version = $1;
if ($version > 12) {
if (-l '/etc/apache2/conf-enabled/loncapa.conf') {
my $linkfname = readlink('/etc/apache2/conf-enabled/loncapa.conf');
if ($linkfname ne '') {
$linkfname = Cwd::abs_path(File::Spec->rel2abs($linkfname,'/etc/apache2/conf-enabled'));
}
unless ($linkfname eq '/etc/apache2/conf-available/loncapa.conf') {
unlink('/etc/apache2/conf-enabled/loncapa.conf');
}
}
if (-e '/etc/apache2/conf-available/loncapa') {
system('mv /etc/apache2/conf-available/loncapa /etc/apache2/conf-available/loncapa.conf');
}
unless (-l '/etc/apache2/conf-enabled/loncapa.conf') {
if (-e '/etc/apache2/conf-available/loncapa.conf') {
my $currdir = Cwd::getcwd();
if ($currdir ne '') {
chdir('/etc/apache2/conf-enabled');
symlink('../conf-available/loncapa.conf','loncapa.conf');
chdir($currdir);
}
}
}
if (-l '/etc/apache2/sites-enabled/000-default.conf') {
my $linkfname = readlink('/etc/apache2/sites-enabled/000-default.conf');
if ($linkfname ne '') {
$linkfname = Cwd::abs_path(File::Spec->rel2abs($linkfname,'/etc/apache2/sites-enabled'));
}
if (($linkfname eq '/etc/apache2/sites-available/loncapa') ||
($linkfname eq '/etc/apache2/sites-available/000-default.conf')) {
unlink('/etc/apache2/sites-enabled/000-default.conf');
}
}
if (-e '/etc/apache2/sites-available/loncapa') {
system('mv /etc/apache2/sites-available/loncapa /etc/apache2/sites-available/loncapa.conf');
}
if (-l '/etc/apache2/sites-enabled/loncapa.conf') {
my $linkfname = readlink('/etc/apache2/sites-enabled/loncapa.conf');
if ($linkfname ne '') {
$linkfname = Cwd::abs_path(File::Spec->rel2abs($linkfname,'/etc/apache2/sites-enabled'));
}
unless ($linkfname eq '/etc/apache2/sites-available/loncapa.conf') {
unlink('/etc/apache2/sites-enabled/loncapa.conf');
}
}
unless (-l '/etc/apache2/sites-enabled/loncapa.conf') {
if (-e '/etc/apache2/sites-available/loncapa.conf') {
my $currdir = Cwd::getcwd();
if ($currdir ne '') {
chdir('/etc/apache2/sites-enabled');
symlink('../sites-available/loncapa.conf','loncapa.conf');
chdir($currdir);
}
}
}
}
}
unless (-e "<TARGET />") {
print '**** ERROR! <TARGET /> should exist! Are you missing the Apache '.
'software package?';
exit(1);
}
else {
# Append loncapa_apache.conf inclusion to httpd.conf
# (or sites-available/loncapa or conf-available/loncapa.conf) if not present.
my $absolute_link;
if ('<DIST />' =~ /^sles(\d+)$/) {
my $version = $1;
if ($version > 11) {
$absolute_link = 1;
}
}
if ($absolute_link) {
# For SuSE and SLES /etc/apache2/default-server.conf needs to include:
# Include /etc/apache2/loncapa_apache.conf
# instead of:
# Include conf/loncapa_apache.conf
my $delflag=0;
my $addflag=1;
open(IN,'<<TARGET />');
while (<IN>) {
if (/^\s*Include\s+conf\/loncapa_apache.conf/) {
$delflag=1;
}
if (/^\s*Include\s+\/etc\/apache2\/loncapa_apache.conf/) {
$addflag = 0;
}
}
close(IN);
if ($addflag) {
open(OUT,'>><TARGET />');
print(OUT 'Include /etc/apache2/loncapa_apache.conf'."\n");
close(OUT);
}
if ($delflag==1) {
my $in='';
open(IN,'<<TARGET />');
while(<IN>) {
$in.=$_ unless /^\s*Include\s+conf\/loncapa_apache.conf/;
}
close(IN);
open(OUT,'><TARGET />');
print(OUT $in);
close(OUT);
}
} else {
$flag=0;
open(IN,'<<TARGET />');
while (<IN>) {
if (/^\s*Include\s+conf\/loncapa_apache.conf/) {
$flag=1;
}
}
close(IN);
unless ($flag==1) {
open(OUT,'>><TARGET />');
print(OUT 'Include conf/loncapa_apache.conf'."\n");
close(OUT);
}
}
# Remove loncapa.conf inclusion from httpd.conf
# (or sites-available/loncapa or conf-available/loncapa.conf) if present.
$flag=0;
open(IN,'<<TARGET />');
while (<IN>) {
if (/^\s*Include\s+conf\/loncapa.conf/) {
$flag=1;
}
}
close(IN);
$in='';
if ($flag==1) {
open(IN,'<<TARGET />');
while(<IN>) {
$in.=$_ unless /^\s*Include\s+conf\/loncapa.conf/;
}
close(IN);
open(OUT,'><TARGET />');
print(OUT $in."\n");
close(OUT);
}
# Checking for overlapping ScriptAlias and DocumentRoot definitions.
$scriptalias_flag=0;
$documentroot_flag=0;
my $scriptalias;
my $documentroot;
open(IN,'<<TARGET />');
while (<IN>) {
if (m!^\s*ScriptAlias\s+/cgi-bin/\s+(.*)$!) {
$scriptalias = $1;
if ($scriptalias !~ m!home/httpd/cgi-bin!) {
$scriptalias_flag = 1;
}
}
if (m!^\s*DocumentRoot\s+(.*)$!) {
$documentroot = $1;
if ($documentroot !~ m!home/httpd/html!) {
$documentroot_flag = 1;
}
}
}
close(IN);
if ($scriptalias_flag==1) {
my $conffile = '/etc/httpd/conf/httpd.conf';
if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3'
|| '<DIST />' eq 'sles9') {
$conffile = '/etc/httpd/httpd.conf';
} elsif ('<DIST />' =~ /^(suse|sles)/) {
$conffile = '/etc/apache2/default-server.conf';
} elsif ('<DIST />' =~ /^(debian|ubuntu)/) {
$conffile = '/etc/apache2/sites-available/loncapa';
if ('<DIST />' =~ /^ubuntu(\d+)$/) {
my $version = $1;
if ($version > 12) {
$conffile = '/etc/apache2/conf-available/loncapa.conf';
}
}
}
print('**** ERROR **** '.$conffile.' has an overlapping definition of '.
'ScriptAlias (it is incorrectly set to '.$scriptalias.').'."\n".
'This conflicts with loncapa_apache.conf.'."\n");
}
if ($documentroot_flag==1) {
print('**** ERROR **** '.$conffile.' has an overlapping definition of '.
'DocumentRoot (it is incorrectly set to '.$documentroot.').'."\n".
'This conflicts with loncapa_apache.conf.'."\n");
}
# Checking for rewrites of http:// to https://
my $rewrite_dir = '/etc/httpd/conf/rewrites';
my $curr_rewrite = '/etc/httpd/conf/loncapa_rewrite.conf';
if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3'
|| '<DIST />' eq 'sles9') {
$rewrite_dir = '/etc/httpd/rewrites/';
$curr_rewrite = '/etc/httpd/loncapa_rewrite.conf';
} elsif ('<DIST />' =~ /^(suse|sles|debian|ubuntu)/) {
$rewrite_dir = '/etc/apache2/rewrites';
$curr_rewrite = '/etc/apache2/loncapa_rewrite.conf';
}
my $rewrite_off = $rewrite_dir.'/loncapa_rewrite_off.conf';
my $rewrite_on = $rewrite_dir.'/loncapa_rewrite_on.conf';
if (!-e $curr_rewrite) {
system("cp $rewrite_off $curr_rewrite");
chmod(0644, $curr_rewrite);
} else {
my ($not_rewrite_on,$not_rewrite_off,$rewrite_state);
if (open(PIPE, "diff --brief $rewrite_off $curr_rewrite |")) {
my $diffres = <PIPE> ;
close(PIPE);
chomp($diffres);
if ($diffres) {
$not_rewrite_off = 1;
} else {
$rewrite_state = 'off';
}
}
if (open(PIPE, "diff --brief $rewrite_on $curr_rewrite |")) {
my $diffres = <PIPE> ;
close(PIPE);
chomp($diffres);
if ($diffres) {
$not_rewrite_on = 1;
} else {
$rewrite_state = 'on';
}
}
if ($not_rewrite_off && $not_rewrite_on) {
print('**** WARNING **** '."\n".$curr_rewrite.' does not match '.
'either:'."\n".$rewrite_on.' - the file used to enable rewriting '.
'of requests for http:// to https:// '."\n".'or:'."\n".$rewrite_off.
' - the file used to disable such rewriting'."\n\n".
'This may be because '. $curr_rewrite.' has been '.
'previously customized,'."\n".'or it may be because of a change '.
'to the files in '.$rewrite_dir."\n");
if (open(my $fh,'<',$curr_rewrite)) {
while(<$fh>) {
if (/^\s*RewriteEngine\s+(on|off)\s*$/i) {
if ($1 eq 'on') {
$rewrite_state = 'on';
} else {
$rewrite_state = 'off';
}
last;
}
}
}
}
if ($rewrite_state eq 'on') {
# Checking for rewrites of https:// to http://
my ($gotrules,$rulestr,$ssldir);
if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3'
|| '<DIST />' eq 'sles9') {
$ssldir = '/etc/apache/vhosts.d';
} elsif ('<DIST />' =~ /^(suse|sles)/) {
$ssldir = '/etc/apache2/vhosts.d';
} elsif ('<DIST />' =~ /^(debian|ubuntu)/) {
$ssldir = '/etc/apache2/sites-available';
} else {
$ssldir = '/etc/httpd/conf.d';
}
my $hostname = Sys::Hostname::FQDN::fqdn();
my $hostip = Socket::inet_ntoa(scalar(gethostbyname($hostname)) || 'localhost');
my @expected = ('RewriteEngine on',
'RewriteCond %{HTTPS} =on',
'RewriteCond %{REQUEST_URI} ^/adm/wrapper/ext/(?!https:)',
'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)',
'RewriteRule ^/adm/wrapper/ext/(?!https:) http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]',
'RewriteCond %{REMOTE_ADDR} 127.0.0.1',
'RewriteRule (.*) - [L]');
if (($hostip ne '') && ($hostip ne '127.0.0.1')) {
push(@expected,('RewriteCond %{REMOTE_ADDR} '.$hostip,
'RewriteRule (.*) - [L]'));
}
push(@expected,('RewriteCond %{REQUEST_URI} ^/public/.*/syllabus$',
'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)',
'RewriteRule ^/public/.*/syllabus$ http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]'));
if (-d $ssldir) {
my @rewrites;
if (opendir(my $dir,$ssldir)) {
my @sslconf_files;
foreach my $file (grep(!/^\./,readdir($dir))) {
next if ($file =~ /\.rpmnew$/);
if (open(my $fh,'<',"$ssldir/$file")) {
while (<$fh>) {
if (/^\s*<VirtualHost\s+[^:]*\:443>\s*$/) {
push(@sslconf_files,$file);
last;
}
}
close($fh);
}
}
if (@sslconf_files) {
foreach my $file (@sslconf_files) {
if (open(my $fh,'<',"$ssldir/$file")) {
my ($rewrite,$num) = (0,0);
while (<$fh>) {
if ($rewrite) {
if (/^\s*<\/IfModule>/) {
$rewrite = 0;
$num ++;
} else {
chomp();
s/^\s+|\s+$//g;
push(@{$rewrites[$num]},$_);
}
} elsif (/^\s*<IfModule\s+mod_rewrite.c>/) {
$rewrite = 1;
}
}
close($fh);
}
}
}
closedir($dir);
}
if (@rewrites) {
foreach my $item (@rewrites) {
if (ref($item) eq 'ARRAY') {
my $found = 0;
foreach my $line (@{$item}) {
foreach my $match (@expected) {
if ($match eq $line) {
$found ++;
last;
}
}
}
if ($found >= scalar(@expected)) {
$gotrules = 1;
last;
}
}
}
}
}
unless ($gotrules) {
print('**** WARNING **** '."\n".$curr_rewrite.' is currently set so rewrites '.
'of http to https are enabled for most URLs.'."\n".
'Unless your Apache configuration includes Strict-Transport-Security '.
'(with max-age > 0), it is recommended to also set rewrites from https to http '.
'for specific URLs in a file in '.$ssldir.' by including the following:'."\n".
"<IfModule mod_rewrite.c>\n".' '.
join("\n ",@expected)."\n".
"</IfModule>\n");
}
}
}
}
</perlscript>
</file>
</files>
</piml>
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>