[LON-CAPA-admin] lon-capa ports

Raeburn, Stuart raeburn at msu.edu
Mon May 2 13:37:14 EDT 2022


Paul,

Port 8080 can be closed.
It ceased being used by LON-CAPA several years ago, starting with version 2.8.0 (January 2009). From the 2.8.0 release notes:
"- The lightweight webserver run on port 8080 (lonhttpd) formerly used to serve icons has been eliminated because of issues with institutional firewalls."

Port 5663 is used by LON-CAPA, and needs to be accessible to other LON-CAPA servers in the network.
Port 443 is used by LON-CAPA, and needs to be open if running Apache with SSL/TLS (i.e., https).

Access to port 80 (for http) has been retained for LON-CAPA to support specific types of functionality.  You may, of course, decide that specific functionality is unimportant to you, in which case you can block port 80, while leaving port 443 unblocked (for https).

2.11.3 (released March 2021) included the following changes from 2.11.2 relating to the use of iframes for external resources:

- For servers using Apache/SSL where External Resource points at http:// URL, or syllabus is configured to use an external http:// URL, query string for links contains usehttp=1, unless server has Strict-Transport-Security set for Apache (with max-age > 0).
- External resource(s) in a composite page will be displayed as a link, not iframe if URL is http, but LON-CAPA page is served https.

The changes for 2.11.3 also include:

- Use of 'secure' attribute for session cookie on servers using Apache/SSL.
- On servers using Apache/SSL, a separate ('insecure') cookie (with only limited session capabilities) is set for use when serving LON-CAPA pages via http:// in order to include: (i) external resource(s) and (ii) syllabus(es) from external URL(s), for external site(s) that use http:// in an iframe.

Starting with LON-CAPA 2.10 (released May 2011), a config file containing rewrite
rules -- loncapa_rewrite.conf -- is added to /etc/httpd/conf.  By default, rewrites are set to off (using RewriteEngine off).

If you are using mod_ssl with Apache, and would like requests to http://<yourserver>/
to be rewritten to https://<yourserver>/, you could copy
/etc/httpd/conf/rewrites/loncapa_rewrite_on.conf
to
/etc/httpd/conf/loncapa_rewrite.conf
to enable this.

The rules in loncapa_rewrite.conf which permit http requests to be retained for specific types of request support the following:

(a) allow internal HEAD requests to /cgi-bin/mimetex.cgi to be served http://, in order to support vertical alignment of mimetex images (one of the options for rendering Math content).

(b) allow display of certain URLs (external resource, annotations, and syllabus) in an iframe which would otherwise result in browser blocking of mixed active content when the URL is http, but the LON-CAPA page is served https.

The contents of the loncapa_rewrite.conf file were updated in 2.11.3 (released March 2021).
The changes include addition of this condition in a couple of places:

RewriteCond %{QUERY_STRING} (^|&(amp;|))usehttp=1($|&)

See: mail.lon-capa.org/pipermail/lon-capa-announce/2021/000106.html
for the 2.11.3 release notes from March 2021.

I released 2.11.4 in February 2022.
See: mail.lon-capa.org/pipermail/lon-capa-announce/2022/000107.html

See item 8 in the release notes (and also in the README included in the downloaded and uncompressed loncapa-X.Y.Z directory), which begins:

8) If your Apache web server has been configured to use SSL ....

See also section 2.22 "Encrypting server traffic with SSL" in the domain coordination manual.
e.g., lon-capa.bsu.edu/adm/help/domain.manual.pdf

If your Apache configuration includes Strict-Transport-Security with max-age > 0, then http to https rewrites will apply for all URLs,  so vertical alignment of mimetex images will not be supported, and browsers will block mixed active content for external resources and/or an external syllabus that use http within an iframe on an https page.

Stuart Raeburn
LON-CAPA Academic Consortium
________________________________________
From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Neubauer, Paul R. via LON-CAPA-admin <lon-capa-admin at mail.lon-capa.org>
Sent: Monday, May 2, 2022 1:01 PM
To: list about administration and system updating(lon-capa-admin at mail.lon-capa.org)
Subject: [LON-CAPA-admin] lon-capa ports

Hello,

Our security team is auditing our network connectivity and asked me about the firewall openings for lon-capa. We currently have openings for ports 80, 443, 5663, and 8080.

Now, I sort of know what most of these are doing (including 5663), but I’m hazy on 80 and 443. I would normally expect a webserver to open 80 OR 443, but why do we have 80 AND 443? The access-log in /var/log/httpd looks like lon-capa is serving something over port 80, not just redirecting to 443. Or am I misreading it? And what about 8080? The only (more or less) relevant hits I get off a google search on “lon-capa port 8080” appear to indicate that 8080 is no longer used. Is it safe to close that firewall opening?

Thanks,
Paul
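
An added example, not part of either message and not LON-CAPA code: a small audit helper that applies the usehttp=1 condition quoted in the reply, reads Strict-Transport-Security max-age, and lists cookies set without the Secure attribute. The header values and cookie names are constructed samples; only the regular expression comes from the message.

```python
import re
from http.cookies import SimpleCookie

# Condition quoted in the message; the pattern is also valid Python regex syntax.
USEHTTP_RE = re.compile(r"(^|&(amp;|))usehttp=1($|&)")

def usehttp_requested(query_string):
    """True if the query string carries usehttp=1 as a whole parameter."""
    return bool(USEHTTP_RE.search(query_string))

def hsts_max_age(headers):
    """Return the HSTS max-age as an int, or None if absent or unparsable."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(arg.strip().strip('"'))
            except ValueError:
                return None
    return None

def cookies_missing_secure(set_cookie_lines):
    """Names of cookies whose Set-Cookie line lacks the Secure attribute."""
    missing = []
    for line in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(line)
        missing += [name for name, m in jar.items() if not m["secure"]]
    return missing

def http_exceptions_usable(headers):
    """Per the message: HSTS with max-age > 0 upgrades every URL to https,
    so the http-retained cases (mimetex alignment, http iframes) stop working."""
    age = hsts_max_age(headers)
    return age is None or age == 0

# Constructed sample responses (not captured from a real server).
HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SET_COOKIES = ["sess_example=abc123; Path=/; Secure; HttpOnly",
               "sess_example_http=def456; Path=/; HttpOnly"]

if __name__ == "__main__":
    print(usehttp_requested("symb=x&amp;usehttp=1"))
    print(http_exceptions_usable(HTTPS_HEADERS), cookies_missing_secure(SET_COOKIES))
```

On a server configured as the reply describes, the only cookie expected to lack Secure is the limited one set for http pages; any other name in that list is worth a closer look.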