TRANSCRIPT
TPR5: Custom Configurations
Steve Lewis, Web Manager, SUNY Brockport
TPR5: Custom Configurations: Unlock the Power of Apache
Steven Lewis
Web Manager
SUNY Brockport
Problem #1: Migrate from IIS to Apache without Losing ASP
• Inherited IIS from previous Webmaster
• Crashes, Viruses
• Unfamiliar
• Challenge: Case Awareness v. Case Sensitivity
• Major Obstacle: Installed Base of ASP Apps
Solution:
• Build new Solaris/Apache server
• Keep identical URLs
• Same account/FTP access method
• Keep NT server until ASP apps are moved (renamed to nt.web.brockport.edu)
• Proxy ASP requests to existing IIS server
• Time to migrate ASP apps to new infrastructure
• mod_speling [sic]
Code:
httpd.conf:
RewriteEngine On
# proxy every request for a .asp file (any letter case) to the old IIS box
RewriteRule ^(.*\.[Aa][Ss][Pp])$ http://nt.web.brockport.edu$1 [P]
# mod_speling: correct case and spelling mistakes in requested URLs
CheckSpelling On
Notes on Security
• IIS machine can deny all requests not coming from new Web server
  - Limits attack vectors to .asp requests
  - Reduced machine load; improves stability
• (Please note: author does not recommend running IIS under any circumstances, and assumes no responsibility for any consequences of your software decisions.)
Problem #2: Security for Administrative Functions or Internal Information over the Web
• https is set up as a mirror of http
• Certain tasks or information demand extra security
  - Passwords, home addresses, etc.
• No robust institution-wide internal document repository
• Need to restrict certain folders to https-only
Solution:
• Develop standard naming convention for Web app administrative functions: …/admin/…
• Place internal information and documents within one folder: /internal/…
• Add password restrictions to limit access
Code:
httpd.conf (use one of the two variants):
# admin only
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*/admin/.*)$ https://www.brockport.edu$1 [R]

# admin and internal
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^((.*/admin/.*)|(/internal.*))$ https://www.brockport.edu$1 [R]
Problem 3: Too Many Passwords, No LDAP
• Using old e-mail system, no LDAP in place
• Need a source of passwords people will remember
• Debugging scenarios/special cases (e.g. Emeriti)
Solution:
• Mod_auth_external: run an arbitrary program to do authentication
• Write a Perl script to make a POP connection to server
• Write a program to do any check conceivable
• Works with any Web page – httpd authentication
Code:
httpd.conf:
AddExternalAuth brockport-pop /web/auth/po-pop
SetExternalAuthMethod brockport-pop pipe
More Code:
.htaccess:
AuthType Basic
AuthName "SUNY Brockport NetID Login"
AuthExternal brockport-pop
# do authorization in-program/any user OK
Require valid-user
# limit to these two users only
# Require user slewis jdoe
Still More Code:
#!/usr/local/bin/perl
use strict;
use IO::Socket;
# Grab username and password as passed by STDIN
# (mod_auth_external "pipe" method: username on line 1, password on line 2)
my $USER = <>;
my $PASSWORD = <>;
chomp $USER;
chomp $PASSWORD;
## network connection
## or database query
## or anything else...
# The exit status reports the result to Apache: 0 = accept, anything else = reject.
# Fail closed until the real check above decides otherwise.
exit 1;
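Added example, not the deck's own script: the same pipe-method authenticator written in Python, carrying out the POP3 USER/PASS exchange the Solution slide describes. The host name is a placeholder, and the scripted server replies are constructed so the exchange can be checked offline.

```python
"""External authenticator for mod_auth_external's "pipe" method.
Apache writes the username on the first line of stdin and the password on
the second; exit status 0 accepts the login, anything else rejects it.  The
check is a POP3 USER/PASS exchange driven over a pair of file objects, so it
can be exercised offline against scripted server replies."""
import io
import socket
import sys

POP_HOST = "pop.example.edu"   # placeholder: the campus mail host is not on the slide
POP_PORT = 110

def send(wfile, line):
    """Write one CRLF-terminated command line and push it out."""
    wfile.write(line.encode() + b"\r\n")
    wfile.flush()

def pop3_login(rfile, wfile, user, password):
    """Client side of a POP3 login over rfile/wfile; True only on a final +OK."""
    # A CR, LF or NUL inside a credential would smuggle extra commands into
    # the session, so refuse such input before anything reaches the wire.
    if any(c in user + password for c in "\r\n\0"):
        return False
    if not rfile.readline().startswith(b"+OK"):      # server greeting
        return False
    send(wfile, f"USER {user}")
    if not rfile.readline().startswith(b"+OK"):
        return False
    send(wfile, f"PASS {password}")
    accepted = rfile.readline().startswith(b"+OK")
    send(wfile, "QUIT")
    return accepted

def check_credentials(user, password, host=POP_HOST, port=POP_PORT):
    """Open the TCP session and run the login; any network error rejects."""
    try:
        with socket.create_connection((host, port), timeout=10) as s:
            with s.makefile("rb") as r, s.makefile("wb") as w:
                return pop3_login(r, w, user, password)
    except OSError:
        return False

def scripted_server(*replies):
    """Constructed stand-in for a POP3 server: canned reply lines, in order."""
    return io.BytesIO(b"".join(r + b"\r\n" for r in replies)), io.BytesIO()

if __name__ == "__main__":
    # Exactly the two lines mod_auth_external's pipe method supplies.
    user = sys.stdin.readline().rstrip("\r\n")
    password = sys.stdin.readline().rstrip("\r\n")
    sys.exit(0 if check_credentials(user, password) else 1)
```

Install it exactly like the Perl script (AddExternalAuth plus the pipe method) and try it from a shell with printf 'jdoe\nsecret\n' | ./auth.py; echo $? to see the exit status Apache will act on.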
Problem 4: Preview/Test New SSI Templates Before Rollout
• No Content Management System
• Use SSI templates for common code
• Need to test/debug template upgrade for 10,000s of pages
• Make changes to smooth transition
Solution:
• Open new server port for test (e.g. 8080)
• Use same configuration, files as site
• Change only template folder with SSI data, so:
  http://www.brockport.edu:80/templates/ and
  http://www.brockport.edu:8080/templates/
  are the only differences.
Code:
httpd.conf:
Listen 8080
<VirtualHost _default_:8080>
    #...
    Alias /templates/ /web/live/wwwroot/templates2/
</VirtualHost>
Lots of Problems
• Problem 5: Bad Links to First Web Server
• Problem 6: CGI Web Page Counter Upgrade
• Problem 7: Web Reports’ HTML Code Like SSI – Produces Errors
• Problem 8: No Copyright Notice in Pages
• Problem 9: Adding CSS for SSI Template Upgrade
Common Solution:
• Dynamic Recoding of Pages
• Requires: Perl, mod_perl, Apache::Filter Perl module
Solution Code to Problem 5:
# change server references in HTML to www only:
s{http://cc\.brockport\.edu}
{http://www.brockport.edu}ig;
s{http://zathras\.web\.brockport\.edu}
{http://www.brockport.edu}ig;
Solution Code to Problem 6:
# change counter programs
# "\?" matches the literal "?" before the query string (an unescaped "?" would
# only make the preceding "e" optional)
while ( m|/counter/counts40\.exe\?([^"]+)"|i ) {
    # parameters of new counter
    my ($STYLE, $LINK, $PARAM) = ("A", "sample.dat", $1);
    my $URL = '/cgi-bin/counter/counter.cgi';
    if ( $PARAM =~ m!style=([^"'|&]*)!i ) { $STYLE = $1; }
    if ( $PARAM =~ m!link=([^"'|&]*)!i )  { $LINK = $1; }
    s{/counter/counts40\.exe\?([^"]+)"}{$URL?ft=0&pad=N&df=$LINK&dd=$STYLE"}i;
}
Solution Code to Problem 7:
# certain HTML comments looked like SSI -- delete
if ( $ENV{ 'REQUEST_URI' } =~ m|^/its/web/reports/(\D+/)?\d+/| ) {
    # non-greedy and global: a greedy ".*" would also swallow the page content
    # between the first "<!--" and the last "-->" on the line
    s|<!--.*?-->||g;
}
Solution Code to Problem 8:
# after loop through file content:
# print copyright notice in HTML comment
print "<!--(c) 2000-2006 SUNY Brockport-->\n";
Solution Code to Problem 9:
my $cssdone = 0;
# allow bypass mechanism
if ( exists $ENV{SBT_VERSION} and $ENV{SBT_VERSION} == 2 ) { $cssdone = 1; }
my $REPLACE = qq|<link href="/templates/css/main.css" rel="stylesheet" type="text/css" />
<link href="/templates/css/print.css" rel="stylesheet" type="text/css" media="print" />
</head>|;
Problem 9 cont:
while (<$fh>) {
    if ( $cssdone ) {
        #s|(href="?http://www\.brockport\.edu)/|$1:8080/|igs;
        print;
    } elsif ( m|/templates/css/| ) {
        $cssdone = 1;
        print;
    } else {
        if ( s|</head>|$REPLACE|i ) { $cssdone = 1; }
        print;
    }
}
Problem 10: Activate PHP…but not for Everyone
• PHP is a server-wide technology
  - You either have it or not
• PHP is a programming language
  - Security risk by definition
• Installation without safeguards can expose server to problems
• Desire to use same server (ASP solution not viable)
Solution #1: Hard-code directories in httpd.conf
• Constant changes, increases in PHP use
• Server resets to take effect
Solution #2: Use an environment variable in .htaccess files
• Directory-level control of .htaccess
  - No better than wide open
• Did not resolve in time to work
Solution #3: Create a controlled file-system “hack” to enable PHP
• Careful use of a specialized directory prevents bypassing
• Configurable on-the-fly
  - Server stays online
• Invisible to the public
Requirements and Code:
• Requires: mod_rewrite, mod_php, UNIX/LINUX file system
RewriteRule ^(.*\.php)$ /php-bin$1 [PT]
How does it work?
• User requests /admissions/openhouse/register.php
• Will work if:
  - /php-bin/admissions/openhouse/register.php is the real PHP file
  - /php-bin/admissions/openhouse/register.php is a symbolic link to the PHP file
  - /php-bin/admissions/openhouse/ is a symbolic link to /admissions/openhouse *
  - /php-bin/admissions/ is a symbolic link to /admissions/ *
• User requesting /php-bin/* will not work unless you want it to. It redirects internally to /php-bin/php-bin/
• * = presumes PHP file resides as “advertised”
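Added example, not code from the deck: an audit script that answers "which .php requests does the /php-bin rule actually hand to PHP?" by applying the same rewrite and resolving the result on disk, symlinks included. It assumes /php-bin is a plain directory inside the DocumentRoot (not an Alias), and it builds a constructed throwaway docroot laid out like the slide's example, including one mistaken link that points outside the docroot.

```python
r"""Audit which .php requests the /php-bin rewrite actually hands to PHP.
Mirrors  RewriteRule ^(.*\.php)$ /php-bin$1 [PT]  by prefixing the request
with /php-bin and resolving that path on disk, following symlinks the way
Apache does.  Assumes /php-bin is a plain directory inside the DocumentRoot."""
import os
import posixpath
import tempfile

def php_enabled(docroot, request_path):
    """Return (enabled, reason) for one request URI."""
    request_path = posixpath.normpath(request_path)   # collapse any ".."
    if not request_path.endswith(".php"):
        return False, "not a .php request; the rule does not fire"
    # The rule also fires for /php-bin/... itself, giving /php-bin/php-bin/...,
    # which is why direct requests into /php-bin fail unless you link them.
    rewritten = "/php-bin" + request_path
    fs_path = os.path.join(docroot, rewritten.lstrip("/"))
    if not os.path.isfile(fs_path):                   # follows symlinks
        return False, f"{rewritten} does not resolve to a file"
    real = os.path.realpath(fs_path)
    if not real.startswith(os.path.realpath(docroot) + os.sep):
        # A link in /php-bin that leaves the docroot would let PHP run files
        # the web server was never meant to publish.
        return False, f"{rewritten} escapes the docroot: {real}"
    return True, f"{rewritten} -> {real}"

def build_sample_docroot():
    """Construct a throwaway docroot laid out like the slide's example."""
    root, outside = tempfile.mkdtemp(), tempfile.mkdtemp()   # outside != root
    for sub in ("admissions/openhouse", "library", "php-bin"):
        os.makedirs(os.path.join(root, sub))
    for path in (os.path.join(root, "admissions/openhouse/register.php"),
                 os.path.join(root, "library/search.php"),
                 os.path.join(outside, "secret.php")):
        with open(path, "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
    # Enable the whole admissions tree: /php-bin/admissions -> /admissions
    os.symlink("../admissions", os.path.join(root, "php-bin/admissions"))
    # A mistaken link that points outside the docroot, for the audit to catch
    os.symlink(outside, os.path.join(root, "php-bin/outside"))
    return root

if __name__ == "__main__":
    root = build_sample_docroot()
    for uri in ("/admissions/openhouse/register.php", "/library/search.php",
                "/php-bin/admissions/openhouse/register.php", "/outside/secret.php"):
        print(uri, *php_enabled(root, uri))
```

Point php_enabled at the real DocumentRoot and a list of URIs from the access log to see which PHP files are live and whether any link in /php-bin has strayed outside the tree.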
Where to get software discussed:
• Apache Web Server: http://httpd.apache.org/download.cgi
• PHP: http://www.php.net/downloads.php
• Mod_ssl: http://www.modssl.org/
• Mod_auth_external: http://www.unixpapa.com/mod_auth_external.html
• Perl: http://www.perl.com/download.csp
• Mod_perl: http://perl.apache.org/download/index.html
• Apache::Filter: http://search.cpan.org/~kwilliams/Apache-Filter-1.024/