Annotation of doc/loncapafiles/webserver.piml, revision 1.55

1.8       harris41    1: <!DOCTYPE piml PUBLIC "-//TUX/DTD piml 1.0 Final//EN" 
                      2: 	"http://lpml.sourceforge.net/DTD/piml.dtd">
1.1       harris41    3: <!-- webserver.piml -->
                      4: 
1.55    ! raeburn     5: <!-- $Id: webserver.piml,v 1.54 2020/09/06 21:48:28 raeburn Exp $ -->
1.1       harris41    6: 
                      7: <!--
                      8: 
                      9: Copyright Michigan State University Board of Trustees
                     10: 
                     11: This file is part of the LearningOnline Network with CAPA (LON-CAPA).
                     12: 
                     13: LON-CAPA is free software; you can redistribute it and/or modify
                     14: it under the terms of the GNU General Public License as published by
                     15: the Free Software Foundation; either version 2 of the License, or
                     16: (at your option) any later version.
                     17: 
                     18: LON-CAPA is distributed in the hope that it will be useful,
                     19: but WITHOUT ANY WARRANTY; without even the implied warranty of
                     20: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
                     21: GNU General Public License for more details.
                     22: 
                     23: You should have received a copy of the GNU General Public License
                     24: along with LON-CAPA; if not, write to the Free Software
                     25: Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
                     26: 
                     27: /home/httpd/html/adm/gpl.txt
                     28: 
                     29: http://www.lon-capa.org/
                     30: 
                     31: -->
                     32: 
                     33: <!-- Default values must be defined before specific values. -->
                     34: <!-- If no 'dist' attribute is specified, then it is always installed. -->
                     35: <!-- If 'dist' attribute is set to  'default', then the specification. -->
                     36: <!-- is accepted if an alternative distribution is not requested or not -->
                     37: <!-- defined. -->
                     38: 
                     39: <piml>
1.6       harris41   40: <targetroot>/</targetroot>
1.2       harris41   41: <specialnotices>
                     42: <specialnotice>
                     43: </specialnotice>
                     44: </specialnotices>
1.1       harris41   45: <files>
                     46: <file>
                     47: <target dist='default'>/etc/httpd/conf/httpd.conf</target>
1.20      raeburn    48: <target dist='suse9.2 suse9.3 sles9'>/etc/httpd/httpd.conf</target>
1.45      raeburn    49: <target dist='sles10 sles11 sles12 sles15 suse10.1 suse10.2 suse10.3 suse11.1 suse11.2 suse11.3 suse11.4 suse12.1 suse12.2 suse12.3 suse13.1 suse13.2'>/etc/apache2/default-server.conf</target>
1.39      raeburn    50: <target dist='debian5 debian6 ubuntu6 ubuntu8 ubuntu10 ubuntu12'>/etc/apache2/sites-available/loncapa</target>
1.55    ! raeburn    51: <target dist='ubuntu14 ubuntu16 ubuntu18 ubuntu20'>/etc/apache2/conf-available/loncapa.conf</target>
1.47      raeburn    52: <note>This is for Apache 1.X for Red Hat 4ES, Fedora 2, 3 and 4, SusSE 9.2 and 9.3, and SLES 9 distributions. This is for Apache 2.X for Fedora 5, Red Hat 5, CentOS 5, Scientific Linux 5, Oracle Linux 5, SuSE 10.1, SLES 10, Debian 5, Ubuntu LTS 8 and later distributions</note>
1.1       harris41   53: <dependencies dist='default'>
                     54: /etc/httpd/conf/httpd.conf
                     55: </dependencies>
1.20      raeburn    56: <dependencies dist='suse9.2 suse9.3 sles9'>
                     57: /etc/httpd/httpd.conf
                     58: </dependencies>
1.39      raeburn    59: <dependencies dist='debian5 debian6 ubuntu6 ubuntu8 ubuntu10 ubuntu12'>
1.25      raeburn    60: /etc/apache2/sites-available/loncapa
                     61: </dependencies>
1.48      raeburn    62: <dependencies dist='ubuntu14 ubuntu16 ubuntu18 ubuntu20'>
1.55    ! raeburn    63: /etc/apache2/conf-available/loncapa.conf
1.39      raeburn    64: </dependencies>
1.45      raeburn    65: <dependencies dist='sles10 sles11 sles12 sles15 suse10.1 suse10.2 suse10.3 suse11.1 suse11.2 suse11.3 suse11.4 suse12.1 suse12.2 suse12.3 suse13.1 suse13.2'>
1.20      raeburn    66: /etc/apache2/default-server.conf
                     67: </dependencies>
1.19      raeburn    68: <perlscript mode='fg' dist="default">
1.11      harris41   69: # Generated from doc/loncapafiles/webserver.piml
1.44      raeburn    70: use Socket;
                     71: use Sys::Hostname::FQDN();
1.55    ! raeburn    72: 
        !            73: # For ubuntu 14 and later check for loncapa.conf in sites-available,
        !            74: # and conf-available, and for symlinks in sites-enabled, and conf-enabled
        !            75: if ('<DIST />' =~ /^ubuntu(\d+)$/) {
        !            76:     my $version = $1;
        !            77:     if ($version &gt; 12) {
        !            78:         if (-l '/etc/apache2/conf-enabled/loncapa.conf') {
        !            79:             my $linkfname = readlink('/etc/apache2/conf-enabled/loncapa.conf');
        !            80:             unless ($linkfname eq '/etc/apache2/conf-available/loncapa.conf') {
        !            81:                 unlink('/etc/apache2/conf-enabled/loncapa.conf');
        !            82:             }
        !            83:         }
        !            84:         if (-e '/etc/apache2/conf-available/loncapa') {
        !            85:             system('mv /etc/apache2/conf-available/loncapa /etc/apache2/conf-available/loncapa.conf');
        !            86:         }
        !            87:         unless (-l '/etc/apache2/conf-enabled/loncapa.conf') {
        !            88:             if (-e '/etc/apache2/conf-available/loncapa.conf') {
        !            89:                 symlink('/etc/apache2/conf-available/loncapa.conf','/etc/apache2/conf-enabled/loncapa.conf');
        !            90:             }
        !            91:         }
        !            92:         if (-l '/etc/apache2/sites-enabled/000-default.conf') {
        !            93:             my $linkfname = readlink('/etc/apache2/sites-enabled/000-default.conf');
        !            94:             if ($linkfname eq '/etc/apache2/sites-available/loncapa') {
        !            95:                 unlink('/etc/apache2/sites-enabled/000-default.conf');
        !            96:             }
        !            97:         }
        !            98:         if (-e '/etc/apache2/sites-available/loncapa') {
        !            99:             system('mv /etc/apache2/sites-available/loncapa /etc/apache2/sites-available/loncapa.conf');
        !           100:         }
        !           101:         if (-l '/etc/apache2/sites-enabled/loncapa.conf') {
        !           102:             my $linkfname = readlink('/etc/apache2/sites-enabled/loncapa.conf');
        !           103:             unless ($linkfname eq '/etc/apache2/sites-available/loncapa.conf') {
        !           104:                 unlink('/etc/apache2/sites-enabled/loncapa.conf');
        !           105:             }
        !           106:         }
        !           107:         unless (-l '/etc/apache2/sites-enabled/loncapa.conf') {
        !           108:             if (-e '/etc/apache2/sites-available/loncapa.conf') {
        !           109:                 symlink('/etc/apache2/sites-available/loncapa.conf','/etc/apache2/sites-enabled/loncapa.conf');
        !           110:             }
        !           111:         }
        !           112:     }
        !           113: }
        !           114: 
1.1       harris41  115: unless (-e "<TARGET />") {
1.20      raeburn   116:   print '**** ERROR! <TARGET /> should exist! Are you missing the Apache '.
1.13      harris41  117:     'software package?';
1.11      harris41  118:   exit(1);
1.1       harris41  119: }
                    120: else {
1.32      raeburn   121:   # Append loncapa_apache.conf inclusion to httpd.conf 
1.55    ! raeburn   122:   # (or sites-available/loncapa or conf-available/loncapa.conf) if not present.
1.9       harris41  123:   $flag=0;
1.11      harris41  124:   open(IN,'&lt;<TARGET />');
1.9       harris41  125:   while (&lt;IN&gt;) { 
                    126:     if (/^\s*Include\s+conf\/loncapa_apache.conf/) {
                    127:       $flag=1; 
                    128:     }
                    129:   }
1.11      harris41  130:   close(IN);
1.9       harris41  131:   unless ($flag==1) {
1.11      harris41  132:     open(OUT,'&gt;&gt;<TARGET />');
                    133:     print(OUT 'Include conf/loncapa_apache.conf'."\n");
                    134:     close(OUT);
1.9       harris41  135:   }
1.39      raeburn   136:   # Remove loncapa.conf inclusion from httpd.conf 
1.55    ! raeburn   137:   # (or sites-available/loncapa or conf-available/loncapa.conf) if present.
1.11      harris41  138:   $flag=0;
                    139:   open(IN,'&lt;<TARGET />');
                    140:   while (&lt;IN&gt;) {
                    141:     if (/^\s*Include\s+conf\/loncapa.conf/) {
                    142:       $flag=1;
                    143:     }
                    144:   }
                    145:   close(IN);
                    146:   $in='';
                    147:   if ($flag==1) {
                    148:     open(IN,'&lt;<TARGET />');
                    149:     while(&lt;IN&gt;) {
                    150:       $in.=$_ unless /^\s*Include\s+conf\/loncapa.conf/;
                    151:     }
                    152:     close(IN);
                    153:     open(OUT,'&gt;<TARGET />');
                    154:     print(OUT $in."\n");
                    155:     close(OUT);
1.13      harris41  156:   }
1.18      raeburn   157: 
                    158: # Checking for overlapping ScriptAlias and DocumentRoot definitions.
                    159:   $scriptalias_flag=0;
                    160:   $documentroot_flag=0;
                    161:   my $scriptalias;
                    162:   my $documentroot;
                    163:   open(IN,'&lt;<TARGET />');
                    164:   while (&lt;IN&gt;) {
                    165:     if (m!^\s*ScriptAlias\s+/cgi-bin/\s+(.*)$!) {
                    166:       $scriptalias = $1;
                    167:       if ($scriptalias !~ m!home/httpd/cgi-bin!) {
                    168:         $scriptalias_flag = 1;
                    169:       }
                    170:     }
                    171:     if (m!^\s*DocumentRoot\s+(.*)$!) {
                    172:       $documentroot = $1;
                    173:       if ($documentroot !~ m!home/httpd/html!) {
                    174:         $documentroot_flag = 1;
                    175:       }
                    176:     }
                    177:   }
                    178:   close(IN);
                    179:   if ($scriptalias_flag==1) {
1.32      raeburn   180:       my $conffile = '/etc/httpd/conf/httpd.conf';
                    181:       if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3' 
                    182:           || '<DIST />' eq 'sles9') {
                    183:           $conffile =  '/etc/httpd/httpd.conf';
                    184:       } elsif ('<DIST />' =~ /^(suse|sles)/) {
                    185:           $conffile = '/etc/apache2/default-server.conf';
                    186:       } elsif ('<DIST />' =~ /^(debian|ubuntu)/) {
                    187:           $conffile = '/etc/apache2/sites-available/loncapa';
1.55    ! raeburn   188:           if ('<DIST />' =~ /^ubuntu(\d+)$/) {
        !           189:               my $version = $1;
        !           190:               if ($version &gt; 12) {
        !           191:                   $conffile = '/etc/apache2/conf-available/loncapa.conf';
        !           192:               }
        !           193:           }
1.32      raeburn   194:       }
                    195:       print('**** ERROR **** '.$conffile.' has an overlapping definition of '.
                    196:             'ScriptAlias (it is incorrectly set to '.$scriptalias.').'."\n".
                    197:             'This conflicts with loncapa_apache.conf.'."\n");
1.18      raeburn   198:   }
                    199:   if ($documentroot_flag==1) {
1.32      raeburn   200:       print('**** ERROR **** '.$conffile.' has an overlapping definition of '.
                    201:             'DocumentRoot (it is incorrectly set to '.$documentroot.').'."\n".
                    202:             'This conflicts with loncapa_apache.conf.'."\n");
1.18      raeburn   203:   }
1.32      raeburn   204: 
                    205: # Checking for rewrites of http:// to https://
                    206:     my $rewrite_dir = '/etc/httpd/conf/rewrites';
                    207:     my $curr_rewrite = '/etc/httpd/conf/loncapa_rewrite.conf';
                    208:     if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3'
                    209:         || '<DIST />' eq 'sles9') {
                    210:         $rewrite_dir = '/etc/httpd/rewrites/';
                    211:         $curr_rewrite = '/etc/httpd/loncapa_rewrite.conf';
                    212:     } elsif ('<DIST />' =~ /^(suse|sles|debian|ubuntu)/) {
                    213:         $rewrite_dir = '/etc/apache2/rewrites';
                    214:         $curr_rewrite = '/etc/apache2/loncapa_rewrite.conf';
                    215:     }
                    216:     my $rewrite_off = $rewrite_dir.'/loncapa_rewrite_off.conf';
                    217:     my $rewrite_on = $rewrite_dir.'/loncapa_rewrite_on.conf';
                    218:     if (!-e $curr_rewrite) { 
                    219:         system("cp $rewrite_off $curr_rewrite");
                    220:         chmod(0644, $curr_rewrite);
                    221:     } else {
1.44      raeburn   222:         my ($not_rewrite_on,$not_rewrite_off,$rewrite_state);
1.32      raeburn   223:         if (open(PIPE, "diff --brief $rewrite_off $curr_rewrite |")) {
                    224:             my $diffres = &lt;PIPE&gt; ;
                    225:             close(PIPE);
                    226:             chomp($diffres);
                    227:             if ($diffres) {
                    228:                 $not_rewrite_off = 1;
1.44      raeburn   229:             } else {
                    230:                 $rewrite_state = 'off';
1.32      raeburn   231:             }
                    232:         }
                    233:         if (open(PIPE, "diff --brief $rewrite_on $curr_rewrite |")) {
                    234:             my $diffres = &lt;PIPE&gt; ;
                    235:             close(PIPE);
                    236:             chomp($diffres);
                    237:             if ($diffres) {
                    238:                 $not_rewrite_on = 1;
1.44      raeburn   239:             } else {
                    240:                 $rewrite_state = 'on';
1.32      raeburn   241:             }
                    242:         }
1.44      raeburn   243:         if ($not_rewrite_off && $not_rewrite_on) {
                    244:             print('**** WARNING **** '."\n".$curr_rewrite.' does not match '.
                    245:             'either:'."\n".$rewrite_on.' - the file used to enable rewriting '.
                    246:             'of requests for http:// to https:// '."\n".'or:'."\n".$rewrite_off.
1.32      raeburn   247:             ' - the file used to disable such rewriting'."\n\n".
                    248:             'This may be because '. $curr_rewrite.' has been '. 
1.49      raeburn   249:             'previously customized,'."\n".'or it may be because of a change '.  
1.32      raeburn   250:             'to the files in '.$rewrite_dir."\n");
1.44      raeburn   251:             if (open(my $fh,'&lt;',$curr_rewrite)) {
                    252:                 while(&lt;$fh&gt;) {
                    253:                     if (/^\s*RewriteEngine\s+(on|off)\s*$/i) {
                    254:                         if ($1 eq 'on') {
                    255:                             $rewrite_state = 'on';
                    256:                         } else {
                    257:                             $rewrite_state = 'off';
                    258:                         }
                    259:                         last;
                    260:                     }
                    261:                 }
                    262:             }
                    263:         }
                    264:         if ($rewrite_state eq 'on') {
                    265:         # Checking for rewrites of https:// to http://
                    266:             my ($gotrules,$rulestr,$ssldir);
                    267:             if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3'
                    268:                 || '<DIST />' eq 'sles9') {
                    269:                 $ssldir = '/etc/apache/vhosts.d';
                    270:             } elsif ('<DIST />' =~ /^(suse|sles)/) {
1.50      raeburn   271:                 $ssldir = '/etc/apache2/vhosts.d';
1.44      raeburn   272:             } elsif ('<DIST />' =~ /^(debian|ubuntu)/) {
                    273:                 $ssldir = '/etc/apache2/sites-available';
                    274:             } else {
                    275:                 $ssldir = '/etc/httpd/conf.d';
                    276:             }
                    277:             my $hostname = Sys::Hostname::FQDN::fqdn();
                    278:             my $hostip = Socket::inet_ntoa(scalar(gethostbyname($hostname)) || 'localhost');
1.53      raeburn   279:             my @expected = ('RewriteEngine on',
                    280:                             'RewriteCond %{HTTPS} =on',
                    281:                             'RewriteCond %{REQUEST_URI} ^/adm/wrapper/ext/(?!https:)',
1.46      raeburn   282:                             'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)',
1.52      raeburn   283:                             'RewriteRule ^/adm/wrapper/ext/(?!https:) http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]',
1.44      raeburn   284:                             'RewriteCond %{REMOTE_ADDR} 127.0.0.1',
                    285:                             'RewriteRule (.*) - [L]');
                    286:             if (($hostip ne '') && ($hostip ne '127.0.0.1')) {
                    287:                 push(@expected,('RewriteCond %{REMOTE_ADDR} '.$hostip,
                    288:                                 'RewriteRule (.*) - [L]'));
                    289:             }
                    290:             push(@expected,('RewriteCond %{REQUEST_URI} ^/public/.*/syllabus$',
1.46      raeburn   291:                             'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)',
1.44      raeburn   292:                             'RewriteRule ^/public/.*/syllabus$ http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]'));
                    293:             if (-d $ssldir) {
                    294:                 my @rewrites;
                    295:                 if (opendir(my $dir,$ssldir)) {
                    296:                     my @sslconf_files;
1.54      raeburn   297:                     foreach my $file (grep(!/^\./,readdir($dir))) {
                    298:                         next if ($file =~ /\.rpmnew$/);
1.44      raeburn   299:                         if (open(my $fh,'&lt;',"$ssldir/$file")) {
                    300:                             while (&lt;$fh&gt;) {
                    301:                                 if (/^\s*&lt;VirtualHost\s+[^:]*\:443&gt;\s*$/) {
                    302:                                     push(@sslconf_files,$file);
                    303:                                     last;
                    304:                                 }
                    305:                             }
                    306:                             close($fh);
                    307:                         }
                    308:                     }
                    309:                     if (@sslconf_files) {
                    310:                         foreach my $file (@sslconf_files) {
                    311:                             if (open(my $fh,'&lt;',"$ssldir/$file")) {
                    312:                                 my ($rewrite,$num) = (0,0);
                    313:                                 while (&lt;$fh&gt;) {
                    314:                                     if ($rewrite) {
1.54      raeburn   315:                                         if (/^\s*&lt;\/IfModule&gt;/) {
1.44      raeburn   316:                                             $rewrite = 0;
                    317:                                             $num ++;
                    318:                                         } else {
                    319:                                             chomp();
1.54      raeburn   320:                                             s/^\s+|\s+$//g;
1.50      raeburn   321:                                             push(@{$rewrites[$num]},$_);
1.44      raeburn   322:                                         }
                    323:                                     } elsif (/^\s*&lt;IfModule\s+mod_rewrite.c&gt;/) {
                    324:                                         $rewrite = 1;
                    325:                                     }
                    326:                                 }
                    327:                                 close($fh);
                    328:                             }
                    329:                         }
                    330:                     }
                    331:                     closedir($dir);
                    332:                 }
                    333:                 if (@rewrites) {
                    334:                     foreach my $item (@rewrites) {
                    335:                         if (ref($item) eq 'ARRAY') {
                    336:                             my $found = 0;
1.53      raeburn   337:                             foreach my $line (@{$item}) {
1.44      raeburn   338:                                 foreach my $match (@expected) {
1.53      raeburn   339:                                     if ($match eq $line) {
1.44      raeburn   340:                                         $found ++;
                    341:                                         last;
                    342:                                     }
                    343:                                 }
                    344:                             }
1.54      raeburn   345:                             if ($found &gt;= scalar(@expected)) {
1.50      raeburn   346:                                 $gotrules = 1;
1.53      raeburn   347:                                 last;
1.44      raeburn   348:                             }
                    349:                         }
                    350:                     }
                    351:                 }
                    352:             }
                    353:             unless ($gotrules) {
1.49      raeburn   354:                 print('**** WARNING **** '."\n".$curr_rewrite.' is currently set so rewrites '.
1.44      raeburn   355:                       'of http to https are enabled for most URLs.'."\n".
1.49      raeburn   356:                       'Unless your Apache configuration includes Strict-Transport-Security '.
                    357:                       '(with max-age > 0), it is recommended to also set rewrites from https to http '.
                    358:                       'for specific URLs in a file in '.$ssldir.' by including the following:'."\n".
1.44      raeburn   359:                       "&lt;IfModule mod_rewrite.c&gt;\n".'  '.
                    360:                       join("\n  ",@expected)."\n".
                    361:                       "&lt;/IfModule&gt;\n");
                    362:             }
1.32      raeburn   363:         }
                    364:     }
1.13      harris41  365: }
                    366: </perlscript>
1.1       harris41  367: </file>
                    368: </files>
                    369: </piml>

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>