TPR5: Custom Configurations: Unlock the Power of Apache

Transcript TPR5: Custom Configurations: Unlock the Power of Apache

TPR5: Custom Configurations: Unlock the Power of Apache
Steven Lewis
Web Manager
SUNY Brockport
Steve Lewis, Web Manager, SUNY Brockport

Problem #1: Migrate from IIS to Apache without Losing ASP
• Inherited IIS from previous Webmaster
• Crashes, Viruses
• Unfamiliar
• Challenge: Case Awareness v. Case Sensitivity
• Major Obstacle: Installed Base of ASP Apps

Solution:
• Build new Solaris/Apache server
• Keep identical URLs
• Same account/FTP access method
• Keep NT server until ASP apps are moved (renamed to nt.web.brockport.edu)
• Proxy ASP requests to existing IIS server
• Time to migrate ASP apps to new infrastructure
• mod_speling [sic]

Code:
httpd.conf:
# needs mod_rewrite and mod_proxy loaded; [P] proxies the request to the old IIS box
RewriteEngine On
RewriteRule ^(.*\.[Aa][Ss][Pp])$ http://nt.web.brockport.edu$1 [P]
# mod_speling: case-insensitive matching of file names inherited from IIS
CheckSpelling On

Notes on Security
• IIS machine can deny all requests not coming from new Web server
  Limits attack vectors to .asp requests
  Reduced machine load; Improves stability
• (Please note: author does not recommend running IIS under any circumstances, and assumes no responsibility for any consequences of your software decisions.)

Problem #2: Security for Administrative Functions or Internal Information over the Web
• https is set up as a mirror of http
• Certain tasks or information demand extra security
  Passwords, Home Addresses, etc.
• No robust institution-wide internal document repository
• Need to restrict certain folders to https-only

Solution:
• Develop standard naming convention for Web app administrative functions
  …/admin/…
• Place internal information and documents within one folder
  /internal/…
• Add password restrictions to limit access

Code:
httpd.conf:
RewriteEngine On
# admin only: any path containing /admin/ requested over plain http (port 80)
# is redirected to the same path on https
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*/admin/.*)$ https://www.brockport.edu$1 [R]
# admin and internal: the same, plus the whole /internal tree
# (this pair replaces the pair above; there is no need for both)
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^((.*/admin/.*)|(/internal.*))$ https://www.brockport.edu$1 [R]
# note: a redirect only steers the browser to https; anything the client already
# sent in the plain-http request (cookies, form data) has already crossed the wire

Problem 3: Too Many Passwords, No LDAP
• Using old e-mail system, no LDAP in place
• Need a source of passwords people will remember
• Debugging scenarios/special cases (e.g. Emeriti)

Solution:
• Mod_auth_external: run an arbitrary program to do authentication
• Write a Perl script to make a POP connection to server
• Write a program to do any check conceivable
• Works with any Web page – httpd authentication

Code:
httpd.conf:
# register the external checker program under the keyword brockport-pop
AddExternalAuth brockport-pop /web/auth/po-pop
# "pipe" method: username and password are written to the program's stdin, one per line
SetExternalAuthMethod brockport-pop pipe

More Code:
.htaccess:
AuthType Basic
AuthName "SUNY Brockport NetID Login"
AuthExternal brockport-pop
# do authorization in-program/any user OK
Require valid-user
# limit to these two users only
# Require user slewis jdoe

Still More Code:
#!/usr/local/bin/perl
use strict;
use IO::Socket;
# Grab username and password as passed by STDIN (pipe method: one per line)
my $USER = <>;
my $PASSWORD = <>;
chomp $USER;
chomp $PASSWORD;
## network connection
## or database query
## or anything else...
## exit 0 to accept the login, non-zero to reject it (mod_auth_external convention)
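The slides stop at the comment placeholders. The following is an added example, not the /web/auth/po-pop script from the talk, of a complete mod_auth_external "pipe" checker that validates the NetID/password pair against a POP3 server. The POP host name is a placeholder, and the input-sanity check and the "unreachable server means reject" rule are the editor's additions.

```perl
#!/usr/local/bin/perl
# Added example (not the slides' own script): mod_auth_external "pipe" checker
# that authenticates a user by logging in to a POP3 server.
# Exit status 0 = accept the login, 1 = reject it.
use strict;
use warnings;
use IO::Socket::INET;

my $POP_HOST = 'pop.example.edu';   # placeholder; the slides do not name the mail server
my $POP_PORT = 110;

# Run the USER/PASS dialogue over an already-connected socket.
# Returns 1 when the server accepts the password, 0 otherwise.
sub pop3_check {
    my ($sock, $user, $pass) = @_;
    # Refuse input that could inject extra lines into the POP3 dialogue
    return 0 if $user eq '' || $user =~ /[\r\n\s]/ || $pass =~ /[\r\n]/;
    my $line = <$sock>;                           # server greeting
    return 0 unless defined $line && $line =~ /^\+OK/;
    print $sock "USER $user\r\n";
    $line = <$sock>;
    return 0 unless defined $line && $line =~ /^\+OK/;
    print $sock "PASS $pass\r\n";
    $line = <$sock>;
    my $ok = (defined $line && $line =~ /^\+OK/) ? 1 : 0;
    print $sock "QUIT\r\n";
    return $ok;
}

# pipe method: username on the first line of stdin, password on the second.
# <STDIN> rather than <> so nothing in @ARGV is ever read as a file.
my $user = <STDIN>;
my $pass = <STDIN>;
exit 1 unless defined $user && defined $pass;
chomp $user;
chomp $pass;

my $sock = IO::Socket::INET->new(
    PeerAddr => $POP_HOST,
    PeerPort => $POP_PORT,
    Proto    => 'tcp',
    Timeout  => 10,
) or exit 1;   # an unreachable POP server is a failed login, never a success
$sock->autoflush(1);

exit( pop3_check($sock, $user, $pass) ? 0 : 1 );
```

Plain POP3 on port 110 carries the password in clear text between the Web server and the mail server, so this only makes sense where that hop is on a trusted network (or the mail server offers POP3 over TLS). The script should be readable and executable only by the user httpd runs as, and it should never log the password.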

Problem 4: Preview/Test New SSI Templates Before Rollout
• No Content Management System
• Use SSI templates for common code
• Need to test/debug template upgrade for 10,000s of pages
• Make changes to smooth transition

Solution:
• Open new server port for test (e.g. 8080)
• Use same configuration, files as site
• Change only template folder with SSI data, so:
  http://www.brockport.edu:80/templates/
  and
  http://www.brockport.edu:8080/templates/
  are the only differences.

Code:
httpd.conf:
# the test port must also be opened with "Listen 8080"; restrict who may reach it
# if the unreleased templates are not meant to be public
<VirtualHost _default_:8080>
#...
# same document root and configuration as the live site; only /templates/ is swapped
Alias /templates/ /web/live/wwwroot/templates2/
</VirtualHost>

Lots of Problems
• Problem 5: Bad Links to First Web Server
• Problem 6: CGI Web Page Counter Upgrade
• Problem 7: Web Reports’ HTML Code Like SSI – Produces Errors
• Problem 8: No Copyright Notice in Pages
• Problem 9: Adding CSS for SSI Template Upgrade

Common Solution:
• Dynamic Recoding of Pages
• Requires: Perl, mod_perl, Apache::Filter Perl module

Solution Code to Problem 5:
# change server references in HTML to www only:
s{http://cc\.brockport\.edu}{http://www.brockport.edu}ig;
s{http://zathras\.web\.brockport\.edu}{http://www.brockport.edu}ig;
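The snippets for Problems 5 through 9 are fragments that live inside an Apache::Filter handler, which the slides never show in full. The following is an added example, not the author's module, of that mod_perl 1.x handler frame with the Problem 5 substitutions dropped in; the package name Brockport::Recode is invented for the example.

```perl
package Brockport::Recode;   # hypothetical module name, not from the slides
# Added example: the Apache::Filter (mod_perl 1.x) handler frame into which the
# per-problem substitutions from the slides are placed. Not the author's code.
use strict;
use warnings;
use Apache::Constants qw(:common);

# One pass over a single line of page content. Kept as a plain function so the
# rewriting can be exercised from the command line without a running Apache.
sub recode_line {
    my ($line) = @_;
    # Problem 5: change server references in HTML to www only
    $line =~ s{http://cc\.brockport\.edu}{http://www.brockport.edu}ig;
    $line =~ s{http://zathras\.web\.brockport\.edu}{http://www.brockport.edu}ig;
    return $line;
}

sub handler {
    my $r = shift;
    # Join the filter chain: input comes from the previous filter (for
    # example Apache::SSI), not straight from the file on disk.
    $r->filter_register;
    my ($fh, $status) = $r->filter_input();
    return $status unless $status == OK;
    while (my $line = <$fh>) {
        print recode_line($line);      # whatever is printed becomes the output of this stage
    }
    return OK;
}

1;
```

To put the module into the chain for a set of files: PerlModule Apache::Filter, then for those files SetHandler perl-script, PerlSetVar Filter On and PerlHandler Apache::SSI Brockport::Recode, so the SSI stage runs first and this module rewrites its output.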

Solution Code to Problem 6:
# change counter programs (old counts40.exe links become the new counter.cgi)
while ( m|/counter/counts40\.exe\?([^"]+)"|i ) {
    # parameters of new counter, with defaults
    my ($STYLE, $LINK, $PARAM) = ("A", "sample.dat", $1);
    my $URL = '/cgi-bin/counter/counter.cgi';
    if ( $PARAM =~ m!style=([^"'|&]*)!i ) {
        $STYLE = $1;
    }
    if ( $PARAM =~ m!link=([^"'|&]*)!i ) {
        $LINK = $1;
    }
    # the substitution removes the old link, so the loop ends once none remain
    s{/counter/counts40\.exe\?([^"]+)"}{$URL?ft=0&pad=N&df=$LINK&dd=$STYLE"}i;
}

Solution Code to Problem 7:
# certain HTML comments looked like SSI -- delete
if ( $ENV{'REQUEST_URI'} =~ m|^/its/web/reports/(\D+/)?\d+/| ) {
    # greedy: strips from the first <!-- to the last --> on the line
    s|<!--.*-->||;
}

Solution Code to Problem 8:
# after loop through file content:
# print copyright notice in HTML comment
print "<!--(c) 2000-2006 SUNY Brockport-->\n";

Solution Code to Problem 9:
my $cssdone = 0;
# allow bypass mechanism
if ( exists $ENV{SBT_VERSION} and $ENV{SBT_VERSION} == 2 ) {
    $cssdone = 1;
}
my $REPLACE = qq|
<link href="/templates/css/main.css" rel="stylesheet" type="text/css" />
<link href="/templates/css/print.css" rel="stylesheet" type="text/css" media="print" />
</head>
|;

Problem 9 cont:
while (<$fh>) {
    if ( $cssdone ) {
        #s|(href="?http://www\.brockport\.edu)/|$1:8080/|igs;
        print;
    } elsif ( m|/templates/css/| ) {
        $cssdone = 1;
        print;
    } else {
        if ( s|</head>|$REPLACE|i ) {
            $cssdone = 1;
        }
        print;
    }
}

Problem 10: Activate PHP… but not for Everyone
• PHP is a server-wide technology
  You either have it or not
• PHP is a programming language
  Security risk by definition
• Installation without safeguards can expose server to problems
• Desire to use same server (ASP solution not viable)

Solution #1: Hard-code directories in httpd.conf
• Constant changes, increases in PHP use
• Server resets to take effect

Solution #2: Use an environment variable in .htaccess files
• Directory-level control of .htaccess no better than wide open
• Did not resolve in time to work

Solution #3: Create a controlled file-system “hack” to enable PHP
• Careful use of a specialized directory prevents bypassing
• Configurable on-the-fly
  Server stays online
• Invisible to the public

Requirements and Code:
• Requires: mod_rewrite, mod_php, UNIX/LINUX file system
# every .php request is mapped internally under /php-bin; [PT] hands the new
# path on to the normal handlers, so PHP runs only for files reachable there.
# The symbolic links described on the next slide need Options FollowSymLinks
# (or SymLinksIfOwnerMatch) in effect for /php-bin.
RewriteRule ^(.*\.php)$ /php-bin$1 [PT]

How does it work?
• User requests /admissions/openhouse/register.php
• Will work if:
  – /php-bin/admissions/openhouse/register.php is the real PHP file
  – /php-bin/admissions/openhouse/register.php is a symbolic link to the PHP file
  – /php-bin/admissions/openhouse/ is a symbolic link to /admissions/openhouse *
  – /php-bin/admissions/ is a symbolic link to /admissions/ *
• User requesting /php-bin/* will not work unless you want it to. It redirects internally to /php-bin/php-bin/
• * = presumes PHP file resides as “advertised”
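The scheme holds only as long as /php-bin contains exactly the links the Web manager put there. The following is an added example, not something from the talk, of a small audit script for that directory: it flags entries writable by group or others (which would let an ordinary account enable PHP for its own tree) and symbolic links that resolve outside the document root. The document root /web/live/wwwroot is assumed from the Alias on the Problem 4 slide.

```perl
#!/usr/local/bin/perl
# Added example (not from the slides): audit the /php-bin directory that the
# RewriteRule maps every .php request into. Reports entries that would let the
# scheme be bypassed. Document root path is an assumption.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Find;
use File::Spec;

my $DOCROOT = $ARGV[0] // '/web/live/wwwroot';          # assumed, override on the command line
my $PHPBIN  = File::Spec->catdir($DOCROOT, 'php-bin');
my $root    = realpath($DOCROOT) or die "no such document root: $DOCROOT\n";

# Check one entry under php-bin; returns a list of human-readable findings.
sub audit_entry {
    my ($path) = @_;
    my @problems;
    my @st = lstat $path or return ("cannot lstat $path: $!");
    if (-l _) {
        # the mode bits of a symlink itself are meaningless; check where it leads
        my $target = realpath($path);
        if (!defined $target) {
            push @problems, "$path is a dangling symbolic link";
        } elsif ($target ne $root && index($target, "$root/") != 0) {
            push @problems, "$path resolves outside the document root ($target)";
        }
    } else {
        # a php-bin directory or file writable by group/other lets anyone in that
        # group (or anyone at all) add links and so switch PHP on for their pages
        my $mode = $st[2] & 0777;
        push @problems, sprintf("%s is writable by group/other (mode %04o)", $path, $mode)
            if $mode & 022;
    }
    return @problems;
}

# Walk php-bin without following links (follow => 0), so each link is
# inspected once rather than descended into.
sub audit_php_bin {
    my @findings;
    find({ wanted   => sub { push @findings, audit_entry($File::Find::name) },
           follow   => 0,
           no_chdir => 1 }, $PHPBIN);
    return @findings;
}

my @findings = audit_php_bin();
print "$_\n" for @findings;
exit(@findings ? 1 : 0);    # non-zero when something needs attention, handy for cron
```

Run it as the Web manager account after each change to /php-bin, or from cron; a clean run prints nothing and exits 0.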

Where to get software discussed:
• Apache Web Server: http://httpd.apache.org/download.cgi
• PHP: http://www.php.net/downloads.php
• Mod_ssl: http://www.modssl.org/
• Mod_auth_external: http://www.unixpapa.com/mod_auth_external.html
• Perl: http://www.perl.com/download.csp
• Mod_perl: http://perl.apache.org/download/index.html
• Apache::Filter: http://search.cpan.org/~kwilliams/ApacheFilter-1.024/