Web Server: Difference between revisions

From CNI Wiki
Jump to navigation Jump to search
← Older editNewer edit →
imported>Gsfr
imported>Gsfr
No edit summary
imported>Gsfr
No edit summary
Line 13: Line 13:
   
   
   
   
  sed -E -i '' -e 's/(.*DirectoryIndex) (index.html)/\1 index.php \2/' /usr/local/etc/apache22/httpd.conf
  sed -E -i -e 's/(.*DirectoryIndex) (index.html)/\1 index.php \2/' /usr/local/etc/apache22/httpd.conf
   
   
  cat << EOF >> /usr/local/etc/apache22/httpd.conf
  cat << EOF >> /usr/local/etc/apache22/httpd.conf
Line 23: Line 23:
  EOF
  EOF
   
   
  ## by hand, update AllowOverride for DocumentRoot to 'AllowOverride Options AuthConfig'
  ## by hand:
## update AllowOverride for DocumentRoot to 'AllowOverride Options FileInfo AuthConfig'
## update Options for DocumentRoot to 'Options FollowSymLinks'




== WebAuth ==
== WebAuth ==
  portmaster security/krb5                            # disable KRB5_DOC, WANT_HTML
  portmaster security/krb5                            # disable KRB5_DOC, WANT_HTML
  fetch -o /etc/krb5.conf http://www.stanford.edu/dept/its/support/kerberos/dist/krb5.conf
  fetch -o /etc http://www.stanford.edu/dept/its/support/kerberos/dist/krb5.conf
   
   
  git clone git://git.eyrie.org/kerberos/webauth.git
  git clone git://git.eyrie.org/kerberos/webauth.git
Line 49: Line 51:
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr                    # cert signing request (not required)
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr                    # cert signing request (not required)
   
   
  sed -E -i '' -e 's!#(Include.*httpd-ssl.conf)!\1!' httpd.conf      # enable ssl for apache
  sed -E -i -e 's!#(Include.*httpd-ssl.conf)!\1!' httpd.conf      # enable ssl for apache
  sed -E -i '' -e 's!(WebAuth.* )(conf/webauth/[a-z_]+)!\1etc/apache22/\2!' Includes/stanford-webauth.conf
  sed -E -i -e 's!(WebAuth.* )(conf/webauth/[a-z_]+)!\1etc/apache22/\2!' Includes/stanford-webauth.conf
   
   
  /usr/local/etc/rc.d/apache22 start
  /usr/local/etc/rc.d/apache22 start
Line 68: Line 70:
  portmaster lang/php5-extensions
  portmaster lang/php5-extensions
   
   
  # place a recent copy of MediaWiki in /usr/local/www/apache22/data/cniwiki
  ## place a recent copy of MediaWiki in /usr/local/www/apache22/data/cniwiki
  # get Auth_remoteuser extension from http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER
  ## get Stanford Modern skin: http://www.stanford.edu/dept/its/communications/webservices/wiki/index.php/Stanford_Modern_MediaWiki_Skin
# https://techcommons.stanford.edu/topics/mediawiki/mediawiki-installation-instructions
   
   
  cd /usr/local/www/apache22/data/cniwiki
  cd /usr/local/www/apache22/data/cniwiki
  cp ~/Auth_remoteuser/Auth_remoteuser.php extensions/
  fetch -o extensions http://svn.wikimedia.org/svnroot/mediawiki/trunk/extensions/Auth_remoteuser/Auth_remoteuser.php
  cp -R ~/MWSkin_StanfordModern/stanfordmodern1* skins/
  cp -a ~/MWSkin_StanfordModern/stanfordmodern1* skins/
  chown -R root:wheel .
  chown -R root:wheel .
  chmod a+w config
  chmod a+w config
   
   
  # set up wiki in browser; warning re session.save_path is fine
  ## set up wiki in browser; warning re session.save_path is fine
  mv config/LocalSettings.php .
  mv config/LocalSettings.php .
  chmod 600 LocalSettings.php
  chmod 600 LocalSettings.php
  rm -r config
  rm -r config
   
   
  sed -E -i '' -e 's/(^\$wgDefaultSkin =) .*/\1 "stanfordmodern1";/' LocalSettings.php
  sed -E -i -e 's/(^\$wgDefaultSkin =) .*/\1 "stanfordmodern1";/' LocalSettings.php
  sed -E -i '' -e 's/(\$wgAuthRemoteuserMailDomain =).*/\1 "stanford.edu";/' extensions/Auth_remoteuser.php
  sed -E -i -e 's/(\$wgAuthRemoteuserMailDomain =).*/\1 "stanford.edu";/' extensions/Auth_remoteuser.php
  sed -E -i '' -e 's/(.*)static( function getCanonicalName.*)/\1\2/' extensions/Auth_remoteuser.php
  sed -E -i -e 's/(.*)static( function getCanonicalName.*)/\1\2/' extensions/Auth_remoteuser.php


=== configure [http://www.mediawiki.org/wiki/Manual:Short_URL short URLs] ===
=== configure [http://www.mediawiki.org/wiki/Manual:Short_URL short URLs] ===
Line 114: Line 115:


=== WebAuth for editing (OR see below) ===
=== WebAuth for editing (OR see below) ===
## https://techcommons.stanford.edu/topics/mediawiki/anonymous-read-webauth-editing-mediawiki
  fetch https://github.com/mistermarco/mediawiki-webauth/raw/master/login.php
  fetch https://github.com/mistermarco/mediawiki-webauth/raw/master/login.php
  fetch -o extensions/WebAuth.php https://github.com/mistermarco/mediawiki-webauth/raw/master/extensions/WebAuth.php
  fetch -o extensions/WebAuth.php https://github.com/mistermarco/mediawiki-webauth/raw/master/extensions/WebAuth.php
Line 129: Line 132:


=== WebAuth for viewing (OR see above) ===
=== WebAuth for viewing (OR see above) ===
## https://techcommons.stanford.edu/topics/mediawiki/mediawiki-installation-instructions
  echo "AuthType WebAuth" >> .htaccess
  echo "AuthType WebAuth" >> .htaccess
  echo "Require valid-user" >> .htaccess
  echo "Require valid-user" >> .htaccess

Revision as of 06:02, 21 April 2011

The web server is based on a standard FreeBSD 8.2 installation with the following additional configuration.

Apache, etc.

portmaster devel/git                                # disable everything but ICONV, CURL
                                                    # ftp/curl: disable IPV6, PROXY
portmaster net/rsync

portmaster www/apache22-worker-mpm                  # enable THREADS, SQLITE; disable IPV6, DAV, DAV_FS
                                                    # devel/apr1: enable SQLITE; disable IPV6, BDB, GDBM
                                                    # lang/python27: disable IPV6
portmaster www/mod_wsgi3
portmaster lang/php5-extensions                     # lang/php5: enable APACHE; disable IPV6


sed -E -i -e 's/(.*DirectoryIndex) (index.html)/\1 index.php \2/' /usr/local/etc/apache22/httpd.conf

cat << EOF >> /usr/local/etc/apache22/httpd.conf

<IfModule php5_module>
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
</IfModule>
EOF

## by hand:
## update AllowOverride for DocumentRoot to 'AllowOverride Options FileInfo AuthConfig'
## update Options for DocumentRoot to 'Options FollowSymLinks'


WebAuth

portmaster security/krb5                            # disable KRB5_DOC, WANT_HTML
fetch -o /etc http://www.stanford.edu/dept/its/support/kerberos/dist/krb5.conf

git clone git://git.eyrie.org/kerberos/webauth.git
cd webauth
./autogen
./configure --disable-mod_webauthldap --with-krb5=/usr/local
make
make check                                          # krb5, wa_keyring, xmalloc skipped; krb5-tgt ABORTED
make install
cp conf/stanford-webauth.conf /usr/local/etc/apache22/Includes

# generate keytab on corn; http://webauth.stanford.edu/install-stanford.html
ssh gsfr@corn 'wallet -f keytab.cniwww get keytab webauth/cniwww.stanford.edu'
# scp keytab to /usr/local/etc/apache22/conf/webauth/keytab (must create conf/webauth)
mkdir -p /usr/local/etc/apache22/conf/webauth; cd /usr/local/etc/apache22/conf/webauth
scp gsfr@corn:keytab.cniwww keytab

cd /usr/local/etc/apache22
openssl req -new -x509 -newkey rsa:2048 -nodes -days 3652 -keyout server.key -out server.crt    # self-signed cert; common name is FQDN
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr                     # cert signing request (not required)

sed -E -i -e 's!#(Include.*httpd-ssl.conf)!\1!' httpd.conf      # enable ssl for apache
sed -E -i -e 's!(WebAuth.* )(conf/webauth/[a-z_]+)!\1etc/apache22/\2!' Includes/stanford-webauth.conf

/usr/local/etc/rc.d/apache22 start

chgrp www conf/webauth
chmod 775 conf/webauth

chgrp www conf/webauth/keytab
chmod 640 conf/webauth/keytab

touch     conf/webauth/keyring
chgrp www conf/webauth/keyring
chmod 660 conf/webauth/keyring


MediaWiki

portmaster lang/php5-extensions

## place a recent copy of MediaWiki in /usr/local/www/apache22/data/cniwiki
## get Stanford Modern skin: http://www.stanford.edu/dept/its/communications/webservices/wiki/index.php/Stanford_Modern_MediaWiki_Skin

cd /usr/local/www/apache22/data/cniwiki
fetch -o extensions http://svn.wikimedia.org/svnroot/mediawiki/trunk/extensions/Auth_remoteuser/Auth_remoteuser.php
cp -a ~/MWSkin_StanfordModern/stanfordmodern1* skins/
chown -R root:wheel .
chmod a+w config

## set up wiki in browser; warning re session.save_path is fine
mv config/LocalSettings.php .
chmod 600 LocalSettings.php
rm -r config

sed -E -i -e 's/(^\$wgDefaultSkin =) .*/\1 "stanfordmodern1";/' LocalSettings.php
sed -E -i -e 's/(\$wgAuthRemoteuserMailDomain =).*/\1 "stanford.edu";/' extensions/Auth_remoteuser.php
sed -E -i -e 's/(.*)static( function getCanonicalName.*)/\1\2/' extensions/Auth_remoteuser.php

configure short URLs

## add these lines to LocalSettings.php below $wgScriptPath
$wgArticlePath      = "/wiki/$1";
$wgUsePathInfo      = true;

echo "Alias /wiki /usr/local/www/apache22/data/cniwiki/index.php" > /usr/local/etc/apache22/Includes/mediawiki.conf
/usr/local/etc/rc.d/apache22 graceful

cat << EOF >> /usr/local/www/apache22/data/robots.txt
User-agent: *
Disallow: /cniwiki/
Disallow: /wiki/Special:Search
Disallow: /wiki/Special:Random
EOF

set default timezone

echo >> LocalSettings.php
echo "## Set Default Timezone" >> LocalSettings.php
echo "\$wgLocaltimezone = \"America/Los_Angeles\";" >> LocalSettings.php
echo "\$oldtz = getenv(\"TZ\");" >> LocalSettings.php
echo "putenv(\"TZ=\$wgLocaltimezone\");" >> LocalSettings.php
echo "# Versions before 1.7.0 used \$wgLocalTZoffset as hours." >> LocalSettings.php
echo "# After 1.7.0 offset as minutes" >> LocalSettings.php
echo "\$wgLocalTZoffset = date(\"Z\") / 60;" >> LocalSettings.php
echo "putenv(\"TZ=\$oldtz\");" >> LocalSettings.php

WebAuth for editing (OR see below)

## https://techcommons.stanford.edu/topics/mediawiki/anonymous-read-webauth-editing-mediawiki

fetch https://github.com/mistermarco/mediawiki-webauth/raw/master/login.php
fetch -o extensions/WebAuth.php https://github.com/mistermarco/mediawiki-webauth/raw/master/extensions/WebAuth.php

## comment lines 3-5 in login.php related to Stanford's common code base

echo "<Files login.php>" >> .htaccess
echo "AuthType WebAuth" >> .htaccess
echo "Require valid-user" >> .htaccess
echo "</Files>" >> .htaccess

echo >> LocalSettings.php
echo "## Require WebAuth login for editing" >> LocalSettings.php
echo "require_once('extensions/WebAuth.php');" >> LocalSettings.php

WebAuth for viewing (OR see above)

## https://techcommons.stanford.edu/topics/mediawiki/mediawiki-installation-instructions

echo "AuthType WebAuth" >> .htaccess
echo "Require valid-user" >> .htaccess

echo >> LocalSettings.php
echo "## Require WebAuth login for viewing" >> LocalSettings.php
echo "\$wgGroupPermissions['*']['createaccount']   = false;" >> LocalSettings.php
echo "\$wgGroupPermissions['*']['read']            = false;" >> LocalSettings.php
echo "\$wgGroupPermissions['*']['edit']            = false;" >> LocalSettings.php
echo "require_once('extensions/Auth_remoteuser.php');" >> LocalSettings.php
echo "\$wgAuth = new Auth_remoteuser();" >> LocalSettings.php

make one WebAuth login a wiki admin

## log into wiki to trigger account creation
sqlite3 -header data/wikidb.sqlite
SELECT * FROM user;                                 # find user_id of intended admin (probably 2)
SELECT * FROM user_groups;
UPDATE user_groups SET ug_user=2 WHERE ug_user=1;
SELECT * FROM user_groups;                          # double-check on wiki user list in browser
DELETE FROM user WHERE user_id=1;                   # delete "WikiSysop" user
.quit

upgrading MediaWiki

tar xvzf ~/mediawiki-1.16.4.tar.gz -C /usr/local/www/apache22/data/cniwiki --strip-components=1
cd /usr/local/www/apache22/data/cniwiki/maintenance/
php update.php

cd /usr/local/www/apache22/data/cniwiki/
chown -R root:wheel .
chown www LocalSettings.php
chown -R www:www data
chown -R www:www images 
chown root:wheel images/.htaccess images/README
Retrieved from "http://cni.su.domains/wiki/index.php?title=Web_Server&oldid=1097"