Web Server: Difference between revisions
imported>Gsfr →Apache, etc.: switched apache from worker to prefork |
imported>Lmperry No edit summary |
||
| (3 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
The web server is based on a | The web server is based on a Ubuntu 12.04 server machine with the following additional configuration. | ||
== Apache, etc. == | == Apache, etc. == | ||
## Install packages | |||
apt-get install apache2 php5 libapache2-mod-wsgi libapache2-webauth mysql-server php5-mysql php5-gd | |||
## Configure | |||
## update AllowOverride for DocumentRoot to 'AllowOverride All' | ## update AllowOverride for DocumentRoot to 'AllowOverride All' | ||
## update Options for DocumentRoot to 'Options FollowSymLinks' | ## update Options for DocumentRoot to 'Options FollowSymLinks' | ||
vim /etc/apache2/sites-enabled/000-default | |||
vim /etc/apache2/sites-enabled/default-ssl | |||
== WebAuth == | == WebAuth == | ||
## Apache config for webauth | |||
echo 'WebAuthLoginURL https://weblogin.stanford.edu/login/' >> /etc/apache2/conf.d/webauth | |||
echo 'WebAuthWebKdcURL https://weblogin.stanford.edu/webkdc-service/' >> /etc/apache2/conf.d/webauth | |||
echo 'WebAuthWebKdcPrincipal service/webkdc@stanford.edu' >> /etc/apache2/conf.d/webauth | |||
a2enmod webauth | |||
service apache2 restart | |||
## generate keytab on corn; http://webauth.stanford.edu/install-stanford.html | ## generate keytab on corn; http://webauth.stanford.edu/install-stanford.html | ||
ssh gsfr@corn 'wallet -f keytab.cniwww get keytab webauth/cniwww.stanford.edu' | ssh gsfr@corn 'wallet -f keytab.cniwww get keytab webauth/cniwww.stanford.edu' | ||
## scp keytab to /usr/local/etc/apache22/conf/webauth/keytab (must create conf/webauth) | ## scp keytab to /usr/local/etc/apache22/conf/webauth/keytab (must create conf/webauth) | ||
mkdir -p /usr/local/etc/apache22/conf/webauth | mkdir -p /usr/local/etc/apache22/conf/webauth | ||
chown www:www !$ | |||
scp gsfr@corn:keytab.cniwww keytab | scp gsfr@corn:keytabs/keytab.cniwww !$/keytab | ||
chmod 640 !$ | |||
cd /usr/local/etc/apache22 | cd /usr/local/etc/apache22 | ||
openssl req -new -x509 -newkey rsa:2048 -nodes -days 3652 -keyout server.key -out server.crt # self-signed cert; common name is FQDN | openssl req -new -x509 -newkey rsa:2048 -nodes -days 3652 -keyout server.key -out server.crt # self-signed cert; common name is FQDN | ||
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr # cert signing request (not required) | openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr # cert signing request (not required) | ||
chmod 400 server.key | |||
sed -E -i "" -e 's!#(Include.*httpd-ssl.conf)!\1!' httpd.conf | sed -E -i "" -e 's!#(Include.*httpd-ssl.conf)!\1!' httpd.conf | ||
| Line 59: | Line 42: | ||
sed -E -i "" -e 's!(WebAuth.* )(conf/webauth/[a-z_]+)!\1etc/apache22/\2!' Includes/stanford-ldap.conf | sed -E -i "" -e 's!(WebAuth.* )(conf/webauth/[a-z_]+)!\1etc/apache22/\2!' Includes/stanford-ldap.conf | ||
service apache2 restart | |||
== MediaWiki == | == MediaWiki (OLD) == | ||
portmaster lang/php5-extensions | portmaster lang/php5-extensions | ||
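Review bot: The new scp source `gsfr@corn:keytabs/keytab.cniwww` no longer matches the wallet step above it, which still writes `keytab.cniwww` through `-f`. Unless the file is moved by hand, the copy fails or picks up an older keytab. Either point wallet at the same path, `wallet -f keytabs/keytab.cniwww get keytab webauth/cniwww.stanford.edu`, or state in the `## scp keytab ...` comment that the keytab is moved into `keytabs/` first. The added `chown www:www !$` and `chmod 640 !$` depend on interactive history expansion in exactly this order, which deserves a one-line comment. It is also worth confirming that `www` and `/usr/local/etc/apache22` are still right now that the intro describes an Ubuntu 12.04 host.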
Latest revision as of 20:47, 15 January 2014
The web server is based on an Ubuntu 12.04 server machine with the following additional configuration.
Apache, etc.
## Install packages: Apache, PHP 5, mod_wsgi, the WebAuth module and MySQL.
apt-get install \
  apache2 \
  php5 \
  libapache2-mod-wsgi \
  libapache2-webauth \
  mysql-server \
  php5-mysql \
  php5-gd

## Configure the default HTTP and HTTPS sites by hand. In each file:
##   - update AllowOverride for DocumentRoot to 'AllowOverride All'
##   - update Options for DocumentRoot to 'Options FollowSymLinks'
# NOTE(review): 'AllowOverride All' lets any .htaccess file under DocumentRoot
# override every overridable directive. The .htaccess lines used further down
# this page are authentication directives, so a narrower AllowOverride may be
# enough; confirm before copying this setting to another host.
vim /etc/apache2/sites-enabled/000-default
vim /etc/apache2/sites-enabled/default-ssl
WebAuth
## Apache config for webauth
# Append the WebLogin URL, the WebKDC URL and the WebKDC principal to the
# WebAuth config snippet. The file is appended to, so running this a second
# time duplicates the three directives.
printf '%s\n' \
  'WebAuthLoginURL https://weblogin.stanford.edu/login/' \
  'WebAuthWebKdcURL https://weblogin.stanford.edu/webkdc-service/' \
  'WebAuthWebKdcPrincipal service/webkdc@stanford.edu' \
  >> /etc/apache2/conf.d/webauth

# Enable the module, then restart Apache so the new directives are read.
a2enmod webauth
service apache2 restart
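## generate keytab on corn; http://webauth.stanford.edu/install-stanford.html
# NOTE(review): wallet writes keytab.cniwww (the -f argument) but the scp below
# reads keytabs/keytab.cniwww; confirm which path on corn is current.
ssh gsfr@corn 'wallet -f keytab.cniwww get keytab webauth/cniwww.stanford.edu'

## scp keytab to /usr/local/etc/apache22/conf/webauth/keytab (must create conf/webauth)
# The directory is named once instead of relying on !$ history expansion,
# which only works when the commands are typed interactively in this order.
# NOTE(review): this path and the www account look like leftovers from a
# non-Ubuntu layout; confirm them against the Ubuntu host described above.
webauth_dir=/usr/local/etc/apache22/conf/webauth
mkdir -p "$webauth_dir"
chown www:www "$webauth_dir"
scp gsfr@corn:keytabs/keytab.cniwww "$webauth_dir/keytab"
chmod 640 "$webauth_dir/keytab"
# NOTE(review): the keytab is a service credential. After scp it belongs to
# the invoking user, and mode 640 adds read access for that user's group only;
# check that the web server can still read it and nobody else can. Remove the
# copy left on corn once it is installed here.

cd /usr/local/etc/apache22
# Self-signed cert; common name is FQDN. -nodes leaves the private key
# unencrypted on disk, so it is created under a restrictive umask (in a
# subshell, so the umask does not leak into later commands) rather than
# relying only on the chmod afterwards.
(
  umask 077
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3652 -keyout server.key -out server.crt
)
# Cert signing request (not required). It reuses server.key: generating a
# second key here with -newkey/-keyout would overwrite the key that server.crt
# was just issued for, leaving a certificate and key that do not match.
openssl req -new -key server.key -out server.csr
chmod 400 server.key

# Uncomment the httpd-ssl.conf include and prefix the relative WebAuth paths
# with etc/apache22/. The separate "" after -i is the BSD sed form for "no
# backup file"; GNU sed does not accept it as a separate argument.
sed -E -i "" -e 's!#(Include.*httpd-ssl.conf)!\1!' httpd.conf
sed -E -i "" -e 's!(WebAuth.* )(conf/webauth/[a-z_]+)!\1etc/apache22/\2!' Includes/stanford-webauth.conf
sed -E -i "" -e 's!(WebAuth.* )(conf/webauth/[a-z_]+)!\1etc/apache22/\2!' Includes/stanford-ldap.conf
service apache2 restart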
MediaWiki (OLD)
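portmaster lang/php5-extensions

## place a recent copy of MediaWiki in /usr/local/www/apache22/data/cniwiki
## get Stanford Modern skin: http://www.stanford.edu/dept/its/communications/webservices/wiki/index.php/Stanford_Modern_MediaWiki_Skin
cd /usr/local/www/apache22/data/cniwiki
# NOTE(review): this pulls PHP from trunk over plain HTTP with no checksum or
# pinned revision, and the file is later loaded by the wiki. Review the
# downloaded file before enabling it.
fetch -o extensions http://svn.wikimedia.org/svnroot/mediawiki/trunk/extensions/Auth_remoteuser/Auth_remoteuser.php
cp -a ~/MWSkin_StanfordModern/stanfordmodern1* skins/
chown -R root:wheel .
# config/ is made world-writable for the browser-based setup and is deleted
# again below; do not leave the host in this state between the two steps.
chmod a+w config

## set up wiki in browser; warning re session.save_path is fine
# Move the generated settings file into place, restrict it to its owner, and
# remove the installer directory.
mv config/LocalSettings.php .
chmod 600 LocalSettings.php
rm -r config

# In-place edits use -i "" (no backup file), the BSD sed form. With a bare
# "-i -e", BSD sed takes "-e" as the backup suffix and leaves copies such as
# LocalSettings.php-e in the web root, where they are likely to be served as
# plain text.
# Select the skin, set the Auth_remoteuser mail domain, and drop "static" from
# getCanonicalName in the extension.
sed -E -i "" -e 's/(^\$wgDefaultSkin =) .*/\1 "stanfordmodern1";/' LocalSettings.php
sed -E -i "" -e 's/(\$wgAuthRemoteuserMailDomain =).*/\1 "stanford.edu";/' extensions/Auth_remoteuser.php
sed -E -i "" -e 's/(.*)static( function getCanonicalName.*)/\1\2/' extensions/Auth_remoteuser.php

## update stanfordmodern1: monospace code; slightly darker box background
sed -E -i "" -e $'s!code {!& \\\n\tfont-family: monospace;!' skins/stanfordmodern1/main.css
sed -E -i "" -e 's/f9f9f9/e5e5e5/g' skins/stanfordmodern1/main.css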
configure short URLs
## add these lines to LocalSettings.php below $wgScriptPath
#   $wgArticlePath = "/wiki/$1";
#   $wgUsePathInfo = true;

# Map /wiki onto the wiki's index.php (the include file is overwritten, not
# appended to), then reload Apache gracefully.
printf '%s\n' "Alias /wiki /usr/local/www/apache22/data/cniwiki/index.php" \
  > /usr/local/etc/apache22/Includes/mediawiki.conf
/usr/local/etc/rc.d/apache22 graceful

# Ask crawlers to skip the long-form URLs and the search/random pages.
# robots.txt is advisory only; it does not restrict access to these paths.
cat >> /usr/local/www/apache22/data/robots.txt << EOF
User-agent: *
Disallow: /cniwiki/
Disallow: /wiki/Special:Search
Disallow: /wiki/Special:Random
EOF
set default timezone
# Append the default-timezone block to LocalSettings.php in the current
# directory. The \$ escapes keep the shell from expanding the PHP variable
# names, so they reach the file literally.
{
  echo
  echo "## Set Default Timezone"
  echo "\$wgLocaltimezone = \"America/Los_Angeles\";"
  echo "\$oldtz = getenv(\"TZ\");"
  echo "putenv(\"TZ=\$wgLocaltimezone\");"
  echo "# Versions before 1.7.0 used \$wgLocalTZoffset as hours."
  echo "# After 1.7.0 offset as minutes"
  echo "\$wgLocalTZoffset = date(\"Z\") / 60;"
  echo "putenv(\"TZ=\$oldtz\");"
} >> LocalSettings.php
WebAuth for editing (OR see below)
## https://techcommons.stanford.edu/topics/mediawiki/anonymous-read-webauth-editing-mediawiki
# NOTE(review): both files are PHP taken from the master branch of a
# third-party repository, with no pinned revision or checksum. Read them
# before they go live and record which revision was installed.
fetch https://github.com/mistermarco/mediawiki-webauth/raw/master/login.php
fetch -o extensions/WebAuth.php https://github.com/mistermarco/mediawiki-webauth/raw/master/extensions/WebAuth.php
## comment lines 3-5 in login.php related to Stanford's common code base

# Require a WebAuth-authenticated user for login.php only; the rest of the
# wiki stays readable without logging in.
{
  echo "<Files login.php>"
  echo "AuthType WebAuth"
  echo "Require valid-user"
  echo "</Files>"
} >> .htaccess

# Load the WebAuth extension from LocalSettings.php.
{
  echo
  echo "## Require WebAuth login for editing"
  echo "require_once('extensions/WebAuth.php');"
} >> LocalSettings.php
WebAuth for viewing (OR see above)
## https://techcommons.stanford.edu/topics/mediawiki/mediawiki-installation-instructions
# Require a WebAuth-authenticated user for everything in this directory.
# NOTE(review): these lines only take effect if the server's AllowOverride
# setting permits authentication directives in .htaccess; verify by requesting
# a page without a WebAuth session.
{
  echo "AuthType WebAuth"
  echo "Require valid-user"
} >> .htaccess

# Remove account creation, read and edit rights from the anonymous ('*') group
# and switch the wiki to Auth_remoteuser.
# NOTE(review): Auth_remoteuser presumably trusts the user name supplied by the
# web server, so every path into the wiki has to sit behind the WebAuth rule
# above; confirm.
{
  echo
  echo "## Require WebAuth login for viewing"
  echo "\$wgGroupPermissions['*']['createaccount'] = false;"
  echo "\$wgGroupPermissions['*']['read'] = false;"
  echo "\$wgGroupPermissions['*']['edit'] = false;"
  echo "require_once('extensions/Auth_remoteuser.php');"
  echo "\$wgAuth = new Auth_remoteuser();"
} >> LocalSettings.php
make one WebAuth login a wiki admin
## log into wiki to trigger account creation sqlite3 -header data/wikidb.sqlite SELECT * FROM user; # find user_id of intended admin (probably 2) SELECT * FROM user_groups; UPDATE user_groups SET ug_user=2 WHERE ug_user=1; SELECT * FROM user_groups; # double-check on wiki user list in browser DELETE FROM user WHERE user_id=1; # delete "WikiSysop" user .quit
upgrading MediaWiki
# Unpack the new release over the existing tree, dropping the tarball's
# top-level directory.
# NOTE(review): nothing here verifies the tarball or backs up the wiki first.
# Check the download against the published checksum or signature, and copy
# LocalSettings.php and data/ aside before running update.php.
wiki_root=/usr/local/www/apache22/data/cniwiki
tar xvzf ~/mediawiki-1.16.4.tar.gz -C "$wiki_root" --strip-components=1

# Run the updater from the maintenance directory.
cd "$wiki_root/maintenance/"
php update.php

# Reset ownership: the tree goes to root:wheel, while LocalSettings.php, data
# and images go to www (presumably so the web server can write only where it
# needs to). Two files under images/ are handed back to root:wheel.
cd "$wiki_root/"
chown -R root:wheel .
chown www LocalSettings.php
chown -R www:www data images
chown root:wheel images/.htaccess images/README