TPR5: Custom Configurations: Unlock the Power of Apache
Steven Lewis, Web Manager, SUNY Brockport

Problem #1: Migrate from IIS to Apache without Losing ASP
• Inherited IIS from previous Webmaster
• Crashes, Viruses
• Unfamiliar
• Challenge: Case Awareness v. Case Sensitivity
• Major Obstacle: Installed Base of ASP Apps

Solution:
• Build new Solaris/Apache server
• Keep identical URLs
• Same account/FTP access method
• Keep NT server until ASP apps are moved (renamed to nt.web.brockport.edu)
• Proxy ASP requests to existing IIS server
• Time to migrate ASP apps to new infrastructure
• mod_speling [sic]

Code: httpd.conf:

    # proxy every request ending in .asp (any case) to the old IIS host
    RewriteRule ^(.*\.[Aa][Ss][Pp])$ http://nt.web.brockport.edu$1 [P]
    # mod_speling: correct case and one-character misspellings in URLs
    CheckSpelling On

Notes on Security
• IIS machine can deny all requests not coming from new Web server
  – Limits attack vectors to .asp requests
  – Reduced machine load; improves stability
• (Please note: author does not recommend running IIS under any circumstances, and assumes no responsibility for any consequences of your software decisions.)

Problem #2: Security for Administrative Functions or Internal Information over the Web
• https is set up as a mirror of http
• Certain tasks or information demand extra security
  – Passwords, Home Addresses, etc.
• No robust institution-wide internal document repository
• Need to restrict certain folders to https-only

Solution:
• Develop standard naming convention for Web app administrative functions: …/admin/…
• Place internal information and documents within one folder: /internal/…
• Add password restrictions to limit access

Code: httpd.conf:

    # admin only
    RewriteCond %{SERVER_PORT} ^80$
    RewriteRule ^(.*/admin/.*)$ https://www.brockport.edu$1 [R]

    # admin and internal
    RewriteCond %{SERVER_PORT} ^80$
    RewriteRule ^((.*/admin/.*)|(/internal.*))$ https://www.brockport.edu$1 [R]

Problem 3: Too Many Passwords, No LDAP
• Using old e-mail system, no LDAP in place
• Need a source of passwords people will remember
• Debugging scenarios/special cases (e.g. Emeriti)

Solution:
• Mod_auth_external: run an arbitrary program to do authentication
• Write a Perl script to make a POP connection to server
• Write a program to do any check conceivable
• Works with any Web page – httpd authentication

Code: httpd.conf:

    # keyword "brockport-pop" names the external program and how it is called
    AddExternalAuth brockport-pop /web/auth/po-pop
    SetExternalAuthMethod brockport-pop pipe

More Code: .htaccess:

    AuthType Basic
    AuthName "SUNY Brockport NetID Login"
    AuthExternal brockport-pop
    # do authorization in-program/any user OK
    Require valid-user
    # limit to these two users only
    # Require user slewis jdoe

Still More Code:

    #!/usr/local/bin/perl
    use strict;
    use IO::Socket;

    # Grab username and password as passed by STDIN
    # (pipe method: username on the first line, password on the second)
    my $USER     = <>;
    my $PASSWORD = <>;
    chomp $USER;
    chomp $PASSWORD;

    ## network connection
    ## or database query
    ## or anything else...
    ## exit 0 to accept the login, non-zero to reject it

Problem 4: Preview/Test New SSI Templates Before Rollout
• No Content Management System
• Use SSI templates for common code
• Need to test/debug template upgrade for 10,000s of pages
• Make changes to smooth transition

Solution:
• Open new server port for test (e.g. 8080)
• Use same configuration, files as site
• Change only template folder with SSI data, so:
• http://www.brockport.edu:80/templates/ and http://www.brockport.edu:8080/templates/ are the only differences.

Code: httpd.conf:

    <VirtualHost _default_:8080>
    #...
    Alias /templates/ /web/live/wwwroot/templates2/
    </VirtualHost>

Lots of Problems
• Problem 5: Bad Links to First Web Server
• Problem 6: CGI Web Page Counter Upgrade
• Problem 7: Web Reports’ HTML Code Like SSI – Produces Errors
• Problem 8: No Copyright Notice in Pages
• Problem 9: Adding CSS for SSI Template Upgrade

Common Solution:
• Dynamic Recoding of Pages
• Requires: Perl, mod_perl, Apache::Filter Perl module

Solution Code to Problem 5:

    # change server references in HTML to www only:
    s{http://cc\.brockport\.edu}{http://www.brockport.edu}ig;
    s{http://zathras\.web\.brockport\.edu}{http://www.brockport.edu}ig;

Solution Code to Problem 6:

    # change counter programs
    # (the "?" after .exe is escaped so it matches the literal query separator)
    while ( m|/counter/counts40\.exe\?([^"]+)"|i ) {
        # parameters of new counter
        my ($STYLE, $LINK, $PARAM) = ("A", "sample.dat", $1);
        my $URL = '/cgi-bin/counter/counter.cgi';
        if ( $PARAM =~ m!style=([^"'|&]*)!i ) { $STYLE = $1; }
        if ( $PARAM =~ m!link=([^"'|&]*)!i )  { $LINK  = $1; }
        s{/counter/counts40\.exe\?([^"]+)"}{$URL?ft=0&pad=N&df=$LINK&dd=$STYLE"}i;
    }

Solution Code to Problem 7:

    # certain HTML comments looked like SSI -- delete
    if ( $ENV{'REQUEST_URI'} =~ m|^/its/web/reports/(\D+/)?\d+/| ) {
        s|<!--.*-->||;
    }

Solution Code to Problem 8:

    # after loop through file content:
    # print copyright notice in HTML comment
    print "<!--(c) 2000-2006 SUNY Brockport-->\n";

Solution Code to Problem 9:

    my $cssdone = 0;
    # allow bypass mechanism
    if ( exists $ENV{SBT_VERSION} and $ENV{SBT_VERSION} == 2 ) {
        $cssdone = 1;
    }
    my $REPLACE = qq|
    <link href="/templates/css/main.css" rel="stylesheet" type="text/css" />
    <link href="/templates/css/print.css" rel="stylesheet" type="text/css" media="print" />
    </head>
    |;

Problem 9 cont:

    while (<$fh>) {
        if ( $cssdone ) {
            #s|(href="?http://www\.brockport\.edu)/|$1:8080/|igs;
            print;
        } elsif ( m|/templates/css/| ) {
            # page already links the new CSS: leave it alone
            $cssdone = 1;
            print;
        } else {
            # inject the CSS links just before </head>, once per page
            if ( s|</head>|$REPLACE|i ) { $cssdone = 1; }
            print;
        }
    }

Problem 10: Activate PHP… but not for Everyone
• PHP is a server-wide technology
  – You either have it or not
• PHP is a programming language
  – Security risk by definition
• Installation without safeguards can expose server to problems
• Desire to use same server (ASP solution not viable)

Solution #1: Hard-code directories in httpd.conf
• Constant changes, increases in PHP use
• Server resets to take effect

Solution #2: Use an environment variable in .htaccess files
• Directory-level control of .htaccess no better than wide open
• Did not resolve in time to work

Solution #3: Create a controlled file-system “hack” to enable PHP
• Careful use of a specialized directory prevents bypassing
• Configurable on-the-fly
  – Server stays online
• Invisible to the public

Requirements and Code:
• Requires: mod_rewrite, mod_php, UNIX/LINUX file system

    # every .php request is served from under /php-bin instead of its advertised path
    RewriteRule ^(.*\.php)$ /php-bin$1 [PT]

How does it work?
• User requests /admissions/openhouse/register.php
• Will work if:
  – /php-bin/admissions/openhouse/register.php is the real PHP file
  – /php-bin/admissions/openhouse/register.php is a symbolic link to the PHP file
  – /php-bin/admissions/openhouse/ is a symbolic link to /admissions/openhouse *
  – /php-bin/admissions/ is a symbolic link to /admissions/ *
• User requesting /php-bin/* will not work unless you want it to. It redirects internally to /php-bin/php-bin/
• * = presumes PHP file resides as “advertised”

Where to get software discussed:
• Apache Web Server: http://httpd.apache.org/download.cgi
• PHP: http://www.php.net/downloads.php
• Mod_ssl: http://www.modssl.org/
• Mod_auth_external: http://www.unixpapa.com/mod_auth_external.html
• Perl: http://www.perl.com/download.csp
• Mod_perl: http://perl.apache.org/download/index.html
• Apache::Filter: http://search.cpan.org/~kwilliams/ApacheFilter-1.024/
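To check which requests the Problem #1 proxy rule and the Problem #2 https-redirect rules actually catch, here is an added Python evaluator (not from the slides) that applies the same patterns and SERVER_PORT condition to constructed requests. It assumes a simplified first-match semantics, and the last request shows the redirect pattern is case-sensitive, which matters on a server that also has CheckSpelling On (mod_speling corrects case in the fixup phase, after mod_rewrite has run), so the hardened variant adds the NC flag.

```python
import re

# The slide rules in Apache syntax: (required SERVER_PORT or None, pattern,
# substitution, flags). First-match stop is a simplification of mod_rewrite.
RULES = [
    # Problem #1: proxy any .asp request to the old IIS box
    (None, r"^(.*\.[Aa][Ss][Pp])$", "http://nt.web.brockport.edu$1", {"P"}),
    # Problem #2: send /admin/ and /internal to https when the request arrived on port 80
    (80, r"^((.*/admin/.*)|(/internal.*))$", "https://www.brockport.edu$1", {"R"}),
]

# Same rules with the NC flag so mixed-case paths cannot slip past the https redirect.
HARDENED = [(p, pat, sub, flags | {"NC"}) for p, pat, sub, flags in RULES]

def apply_rules(uri, port, rules=RULES):
    """Return (action, target): 'proxy', 'redirect', or 'serve' unchanged."""
    for cond_port, pattern, sub, flags in rules:
        if cond_port is not None and port != cond_port:
            continue  # RewriteCond %{SERVER_PORT} ^80$ did not hold
        m = re.match(pattern, uri, re.IGNORECASE if "NC" in flags else 0)
        if not m:
            continue
        target = sub.replace("$1", m.group(1))
        return ("proxy" if "P" in flags else "redirect"), target
    return "serve", uri

# Constructed requests: (uri, port); none of these paths are from the slides.
REQUESTS = [
    ("/apps/list.ASP", 80),
    ("/hr/admin/edit.cgi", 80),
    ("/hr/admin/edit.cgi", 443),
    ("/internal/salaries.html", 80),
    ("/internals.html", 80),      # prefix match: redirected too (harmless over-match)
    ("/hr/ADMIN/edit.cgi", 80),   # case-sensitive pattern misses this one
]

def evaluate(rules=RULES):
    return {(uri, port): apply_rules(uri, port, rules) for uri, port in REQUESTS}

if __name__ == "__main__":
    for req, result in evaluate().items():
        print(req, "->", result)
    print("hardened:", apply_rules("/hr/ADMIN/edit.cgi", 80, HARDENED))
```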
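The Problem 3 slides show only the skeleton of the pipe-method authenticator. This added example (my code, not the po-pop script from the talk) fills it in: it reads the username and password as the two lines mod_auth_external writes to stdin, tries a POP3 login, and exits 0 on success and 1 on failure. The POP host name and the local override table for special cases such as Emeriti are assumptions; the override stores a salted hash, not the password, and nothing is ever logged.

```python
import hashlib
import hmac
import poplib
import sys

POP_HOST = "pop.example.edu"  # placeholder: the campus POP server is not named on the slides
# Special cases (e.g. Emeriti) with no mailbox left: constructed entry holding a salted
# SHA-256 of the password "emeritus-pass", never the password itself.
LOCAL_USERS = {"emeritus1": ("salt123", hashlib.sha256(b"salt123emeritus-pass").hexdigest())}

def read_credentials(lines):
    """Pipe method: username on the first line, password on the second."""
    it = iter(lines)
    return next(it, "").rstrip("\r\n"), next(it, "").rstrip("\r\n")

def local_ok(user, password):
    """Constant-time check against the local override table."""
    salt, digest = LOCAL_USERS.get(user, ("", ""))
    candidate = hashlib.sha256((salt + password).encode()).hexdigest()
    return bool(digest) and hmac.compare_digest(candidate, digest)

def pop_ok(user, password, connect):
    """USER/PASS against the POP server; any error (bad login, network) denies."""
    try:
        conn = connect()
        try:
            conn.user(user)
            conn.pass_(password)
            return True
        finally:
            try:
                conn.quit()
            except Exception:
                pass
    except (poplib.error_proto, OSError):
        return False

def authenticate(lines, connect=lambda: poplib.POP3(POP_HOST, timeout=10)):
    """Return the exit status mod_auth_external expects: 0 = accept, 1 = reject."""
    user, password = read_credentials(lines)
    if not user or not password:
        return 1
    return 0 if local_ok(user, password) or pop_ok(user, password, connect) else 1

if __name__ == "__main__":
    sys.exit(authenticate(sys.stdin))
```

Because AuthType Basic sends the password in the clear, pair this with the Problem #2 rules so protected folders are only ever reached over https.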
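The "How does it work?" slide for Problem 10 lists the layouts under which the /php-bin rewrite serves a script. This added Python model (not part of the talk) builds a constructed document root with those symlink patterns, applies the RewriteRule, and reports whether PHP would run; it also adds one check the slide does not mention, refusing a /php-bin link that resolves outside the document root (the Apache-side equivalent is the FollowSymLinks / SymLinksIfOwnerMatch options).

```python
import os
import re
import tempfile

# RewriteRule ^(.*\.php)$ /php-bin$1 [PT]  (from the slides)
PHP_RULE = re.compile(r"^(.*\.php)$")

def rewrite(uri):
    m = PHP_RULE.match(uri)
    return "/php-bin" + m.group(1) if m else uri

def php_enabled(docroot, uri):
    """True only if the rewritten path is a regular file that, after following
    symlinks, still lives under docroot (the containment check is an addition)."""
    root = os.path.realpath(docroot)
    real = os.path.realpath(os.path.join(root, rewrite(uri).lstrip("/")))
    return os.path.isfile(real) and real.startswith(root + os.sep)

def _touch(path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")

def build_demo_tree():
    """Constructed layout: a real script under a linked directory, a directory that
    was never linked, and a /php-bin link that escapes the document root."""
    root, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    _touch(os.path.join(root, "admissions", "openhouse", "register.php"))
    _touch(os.path.join(root, "news", "unvetted.php"))
    _touch(os.path.join(outside, "stray.php"))
    os.makedirs(os.path.join(root, "php-bin"))
    # /php-bin/admissions/ -> /admissions/  (the starred case on the slide)
    os.symlink(os.path.join(root, "admissions"), os.path.join(root, "php-bin", "admissions"))
    os.symlink(outside, os.path.join(root, "php-bin", "escape"))
    return root

def demo(root):
    uris = ["/admissions/openhouse/register.php", "/news/unvetted.php",
            "/php-bin/admissions/openhouse/register.php", "/escape/stray.php"]
    return {uri: php_enabled(root, uri) for uri in uris}

if __name__ == "__main__":
    for uri, enabled in demo(build_demo_tree()).items():
        print(f"{uri:45} php={'yes' if enabled else 'no'}")
```

Only the advertised path runs; requesting /php-bin/... directly rewrites to /php-bin/php-bin/... and fails exactly as the slide says.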