Date post: 31-Dec-2015
TPR5: Custom Configurations

Steve Lewis, Web Manager, SUNY Brockport

TPR5: Custom Configurations: Unlock the Power of Apache

Steven Lewis

Web Manager

SUNY Brockport


Problem #1: Migrate from IIS to Apache without Losing ASP

• Inherited IIS from previous Webmaster

• Crashes, Viruses

• Unfamiliar

• Challenge: Case Awareness v. Case Sensitivity

• Major Obstacle: Installed Base of ASP Apps


Solution:

• Build new Solaris/Apache server

• Keep identical URLs

• Same account/FTP access method

• Keep NT server until ASP apps are moved (renamed to nt.web.brockport.edu)

• Proxy ASP requests to existing IIS server

• Time to migrate ASP apps to new infrastructure

• mod_speling [sic]


Code:

httpd.conf:

RewriteRule ^(.*\.[Aa][Ss][Pp])$ http://nt.web.brockport.edu$1 [P]

CheckSpelling On


Notes on Security

• IIS machine can deny all requests not coming from new Web server

• Limits attack vectors to .asp requests

• Reduced machine load; improves stability

• (Please note: author does not recommend running IIS under any circumstances, and assumes no responsibility for any consequences of your software decisions.)


Problem #2: Security for Administrative Functions or Internal Information over the Web

• https is set up as a mirror of http

• Certain tasks or information demand extra security: passwords, home addresses, etc.

• No robust institution-wide internal document repository

• Need to restrict certain folders to https-only


Solution:

• Develop standard naming convention for Web app administrative functions: …/admin/…

• Place internal information and documents within one folder: /internal/…

• Add password restrictions to limit access


Code:

httpd.conf:

# admin only
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*/admin/.*)$ https://www.brockport.edu$1 [R]

# admin and internal
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^((.*/admin/.*)|(/internal.*))$ https://www.brockport.edu$1 [R]


Problem 3: Too Many Passwords, No LDAP

• Using old e-mail system, no LDAP in place

• Need a source of passwords people will remember

• Debugging scenarios/special cases (e.g. Emeriti)


Solution:

• Mod_auth_external: run an arbitrary program to do authentication

• Write a Perl script to make a POP connection to server

• Write a program to do any check conceivable

• Works with any Web page – httpd authentication


Code:

httpd.conf:

AddExternalAuth brockport-pop /web/auth/po-pop

SetExternalAuthMethod brockport-pop pipe


More Code:

.htaccess:

AuthType Basic

AuthName "SUNY Brockport NetID Login"

AuthExternal brockport-pop

# do authorization in-program/any user OK

Require valid-user

# limit to these two users only

# Require user slewis jdoe


Still More Code:

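#!/usr/local/bin/perl
use strict;
use IO::Socket;

# Grab username and password as passed by STDIN
my $USER = <>;
my $PASSWORD = <>;
chomp $USER;
chomp $PASSWORD;

## network connection
## or database query
## or anything else...

# mod_auth_external treats exit status 0 as "authenticated", so fail
# closed unless a check above has explicitly accepted the login
exit 1;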
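A fuller version of the authenticator sketched above, as an added example (not the presenter's script): it checks the login against a POP3 server over TLS using Perl's Net::POP3. The host name `pop.example.edu`, the account-name pattern and the helper names are assumptions.

```perl
#!/usr/bin/perl
# Added example: pipe-method authenticator for mod_auth_external.
# Reads "user\npassword\n" on STDIN; exit 0 = accept, non-zero = reject.
use strict;
use warnings;
use Net::POP3;    # the SSL option needs IO::Socket::SSL installed

# Assumption: placeholder host, replace with the real POP server.
my $POP_HOST = 'pop.example.edu';

# Accept only plain account names (assumed format). This also keeps CR/LF
# and spaces out of the USER command sent to the POP server.
sub valid_username {
    my ($user) = @_;
    return defined($user) && $user =~ /\A[A-Za-z0-9._-]{1,32}\z/;
}

# Control characters in the password would split the PASS command.
sub valid_password {
    my ($pass) = @_;
    return defined($pass) && length($pass) && $pass !~ /[\x00-\x1f\x7f]/;
}

sub pop_login_ok {
    my ($user, $pass) = @_;
    # POP3 over TLS (port 995) instead of a cleartext connection on 110.
    my $pop = Net::POP3->new($POP_HOST, SSL => 1, Port => 995, Timeout => 10)
        or return 0;                        # connect/TLS failure: fail closed
    my $count = $pop->login($user, $pass);  # undef on failure, "0E0" if empty
    $pop->quit;
    return defined($count) ? 1 : 0;
}

sub main {
    my $user = <STDIN>;
    my $pass = <STDIN>;
    return 1 unless defined($user) && defined($pass);
    chomp($user, $pass);
    return 1 unless valid_username($user) && valid_password($pass);
    return pop_login_ok($user, $pass) ? 0 : 1;
}

exit main() unless caller;
```

Every path that is not a confirmed POP login returns non-zero, so a mail-server outage denies access rather than granting it.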


Problem 4: Preview/Test New SSI Templates Before Rollout

• No Content Management System

• Use SSI templates for common code

• Need to test/debug template upgrade for 10,000s of pages

• Make changes to smooth transition


Solution:

• Open new server port for test (e.g. 8080)

• Use same configuration, files as site

• Change only template folder with SSI data, so: http://www.brockport.edu:80/templates/ and http://www.brockport.edu:8080/templates/ are the only differences.


Code:

httpd.conf:

<VirtualHost _default_:8080>
#...
Alias /templates/ /web/live/wwwroot/templates2/
</VirtualHost>


Lots of Problems

• Problem 5: Bad Links to First Web Server

• Problem 6: CGI Web Page Counter Upgrade

• Problem 7: Web Reports’ HTML Code Like SSI – Produces Errors

• Problem 8: No Copyright Notice in Pages

• Problem 9: Adding CSS for SSI Template Upgrade


Common Solution:

• Dynamic Recoding of Pages

• Requires: Perl, mod_perl, Apache::Filter Perl module


Solution Code to Problem 5:

# change server references in HTML to www only:

s{http://cc\.brockport\.edu}

{http://www.brockport.edu}ig;

s{http://zathras\.web\.brockport\.edu}

{http://www.brockport.edu}ig;


Solution Code to Problem 6:

# change counter programs
while ( m|/counter/counts40\.exe?([^"]+)"|i ) {
    # parameters of new counter
    my ($STYLE, $LINK, $PARAM) = ("A", "sample.dat", $1);
    my $URL = '/cgi-bin/counter/counter.cgi';
    if ( $PARAM =~ m!style=([^"'|&]*)!i ) { $STYLE = $1; }
    if ( $PARAM =~ m!link=([^"'|&]*)!i ) { $LINK = $1; }
    s{/counter/counts40\.exe?([^"]+)"}
     {$URL?ft=0&pad=N&df=$LINK&dd=$STYLE"}i;
}


Solution Code to Problem 7:

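# certain HTML comments looked like SSI -- delete
if ( $ENV{ 'REQUEST_URI' } =~ m|^/its/web/reports/(\D+/)?\d+/| ) {
    # non-greedy and global: removes each comment on the line without
    # swallowing the text between two comments
    s|<!--.*?-->||g;
}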


Solution Code to Problem 8:

# after loop through file content:

# print copyright notice in HTML comment

print "<!--(c) 2000-2006 SUNY Brockport-->\n";


Solution Code to Problem 9:

my $cssdone = 0;

# allow bypass mechanism
if ( exists $ENV{SBT_VERSION} and $ENV{SBT_VERSION} == 2 ) { $cssdone = 1; }

my $REPLACE = qq| <link href="/templates/css/main.css" rel="stylesheet" type="text/css" />
 <link href="/templates/css/print.css" rel="stylesheet" type="text/css" media="print" />
 </head>|;


Problem 9 cont:

while (<$fh>) {
    if ( $cssdone ) {
        #s|(href="?http://www\.brockport\.edu)/|$1:8080/|igs;
        print;
    } elsif ( m|/templates/css/| ) {
        $cssdone = 1;
        print;
    } else {
        if ( s|</head>|$REPLACE|i ) { $cssdone = 1; }
        print;
    }
}


Problem 10: Activate PHP…but not for Everyone

• PHP is a server-wide technology: you either have it or not

• PHP is a programming language: security risk by definition

• Installation without safeguards can expose server to problems

• Desire to use same server (ASP solution not viable)


Solution #1: Hard-code directories in httpd.conf

• Constant changes, increases in PHP use

• Server resets to take effect


Solution #2: Use an environment variable in .htaccess files

• Directory-level control of .htaccess: no better than wide open

• Did not resolve in time to work


Solution #3: Create a controlled file-system “hack” to enable PHP

• Careful use of a specialized directory prevents bypassing

• Configurable on-the-fly: server stays online

• Invisible to the public


Requirements and Code:

• Requires: mod_rewrite, mod_php, UNIX/LINUX file system

RewriteRule ^(.*\.php)$ /php-bin$1 [PT]


How does it work?

• User requests /admissions/openhouse/register.php

• Will work if:

  /php-bin/admissions/openhouse/register.php is the real PHP file

  /php-bin/admissions/openhouse/register.php is a symbolic link to the PHP file

  /php-bin/admissions/openhouse/ is a symbolic link to /admissions/openhouse *

  /php-bin/admissions/ is a symbolic link to /admissions/ *

• User requesting /php-bin/* will not work unless you want it to. It redirects internally to /php-bin/php-bin/

• * = presumes PHP file resides as “advertised”
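The mapping described above, modelled on a temporary directory tree as an added example (not code from the presentation): `php_status` reports whether a request would reach a PHP file through /php-bin, and flags links whose target lies outside the document root. The directory names, the `tool.php` link and the helper names are constructed for illustration, and the model assumes Apache is allowed to follow symbolic links.

```perl
#!/usr/bin/perl
# Added example: models the /php-bin gate on a constructed temporary tree.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# What would "RewriteRule ^(.*\.php)$ /php-bin$1 [PT]" do with this request?
sub php_status {
    my ($docroot, $uri) = @_;
    return 'not a .php request' unless $uri =~ m{\.php\z};
    my $mapped = "$docroot/php-bin$uri";       # path the rule rewrites to
    return 'disabled' unless -f $mapped;       # -f follows symbolic links
    my ($real, $root) = (abs_path($mapped), abs_path($docroot));
    return index($real, "$root/") == 0
        ? "enabled -> $real"
        : "enabled, target OUTSIDE docroot -> $real";   # worth reviewing
}

sub write_file {
    my ($path) = @_;
    open my $fh, '>', $path or die "$path: $!";
    print {$fh} "<?php /* constructed sample */ ?>\n";
    close $fh or die "$path: $!";
}

# Constructed sample layout; directory names are illustrative only.
my $docroot = tempdir(CLEANUP => 1);
my $outside = tempdir(CLEANUP => 1);
make_path("$docroot/admissions/openhouse", "$docroot/alumni", "$docroot/php-bin");
write_file("$docroot/admissions/openhouse/register.php");
write_file("$docroot/alumni/form.php");
write_file("$outside/tool.php");

# Enable PHP for /admissions/ by linking the directory, and add one link
# that leaves the document root so the audit has something to flag.
symlink "$docroot/admissions", "$docroot/php-bin/admissions" or die "symlink: $!";
symlink "$outside/tool.php",   "$docroot/php-bin/tool.php"   or die "symlink: $!";

for my $uri ('/admissions/openhouse/register.php',         # linked directory
             '/alumni/form.php',                           # no entry under /php-bin
             '/php-bin/admissions/openhouse/register.php', # maps to /php-bin/php-bin/...
             '/tool.php') {                                # link leaves the docroot
    printf "%-44s %s\n", $uri, php_status($docroot, $uri);
}
```

Run against the real document root instead of the temporary tree, the same function gives a list of which directories currently have PHP switched on.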


Where to get software discussed:

• Apache Web Server: http://httpd.apache.org/download.cgi

• PHP: http://www.php.net/downloads.php

• Mod_ssl: http://www.modssl.org/

• Mod_auth_external: http://www.unixpapa.com/mod_auth_external.html

• Perl: http://www.perl.com/download.csp

• Mod_perl: http://perl.apache.org/download/index.html

• Apache::Filter: http://search.cpan.org/~kwilliams/Apache-Filter-1.024/

