[LON-CAPA-cvs] cvs: doc /install/linux install.pl loncapassl.conf
raeburn
raeburn at source.lon-capa.org
Tue Jul 10 21:58:42 EDT 2018
raeburn Wed Jul 11 01:58:42 2018 EDT
Added files:
/doc/install/linux loncapassl.conf
Modified files:
/doc/install/linux install.pl
Log:
- Add config file for Apache/SSL for use with SNI and SSL when replicating
content from /raw/.
- Installer script will copy/modify standard loncapassl.conf file.
Index: doc/install/linux/install.pl
diff -u doc/install/linux/install.pl:1.45 doc/install/linux/install.pl:1.46
--- doc/install/linux/install.pl:1.45 Wed Jun 20 12:12:39 2018
+++ doc/install/linux/install.pl Wed Jul 11 01:58:41 2018
@@ -26,6 +26,7 @@
use strict;
use File::Copy;
use Term::ReadKey;
+use Sys::Hostname::FQDN();
use DBI;
use Cwd();
use File::Basename();
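Review bot: `use Sys::Hostname::FQDN();` turns a CPAN module (not part of core Perl, as far as I know) into a compile-time requirement of the installer, so on a fresh host where it is missing the script dies with "Can't locate Sys/Hostname/FQDN.pm" before `check_prerequisites` can tell the admin what to install. Since the hostname code already has an interactive fallback (`get_hostname`), load it lazily instead: drop this `use` line and at the call site write `my $hostname = eval { require Sys::Hostname::FQDN; Sys::Hostname::FQDN::fqdn() } || '';` so a missing module simply falls through to the prompt. Alternatively add the package to the prerequisite list so the dependency is reported rather than fatal.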
@@ -75,7 +76,7 @@
&mt('Stopping execution.')."\n";
exit;
} else {
- print LOG '$Id: install.pl,v 1.45 2018/06/20 12:12:39 raeburn Exp $'."\n";
+ print LOG '$Id: install.pl,v 1.46 2018/07/11 01:58:41 raeburn Exp $'."\n";
}
#
@@ -280,6 +281,26 @@
return ($distro,$packagecmd,$updatecmd,$installnow);
}
+sub get_hostname {
+ my $hostname;
+ print &mt('Enter the hostname of this server, e.g., loncapa.somewhere.edu'."\n");
+ my $choice = <STDIN>;
+ chomp($choice);
+ $choice =~ s/(^\s+|\s+$)//g;
+ if ($choice eq '') {
+ print &mt("Hostname you entered was either blank or contanied only white space.\n");
+ } elsif ($choice =~ /^[\w\.\-]+$/) {
+ $hostname = $choice;
+ } else {
+ print &mt("Hostname you entered was invalid -- a hostname may only contain letters, numbers, - and .\n");
+ }
+ while ($hostname eq '') {
+ $hostname = &get_hostname();
+ }
+ print "\n";
+ return $hostname;
+}
+
sub check_prerequisites {
my ($packagecmd,$distro) = @_;
my $gotprereqs;
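Review bot: `get_hostname` never terminates when STDIN is at EOF (input piped or redirected, or Ctrl-D at the prompt): `<STDIN>` returns undef, the `chomp`/`eq ''` tests only warn, and the `while ($hostname eq '')` loop re-prompts forever instead of failing. Add `unless (defined($choice)) { print &mt('No hostname entered -- stopping execution.')."\n"; exit; }` right after `my $choice = <STDIN>;`. The accept pattern `/^[\w\.\-]+$/` also disagrees with the error text on the next line: `\w` admits `_` (and, depending on the string's encoding, non-ASCII letters), which is not a valid DNS label character, yet this value is later written into the Apache `ServerName` line and interpolated into a regex; `/^[A-Za-z0-9.\-]+$/` matches what the message promises. The recursion inside the `while` loop would read better as a plain loop, but that is cosmetic.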
@@ -389,7 +410,8 @@
return ($distro,$gotprereqs,$localecmd);
}
my ($mysqlon,$mysqlsetup,$mysqlrestart,$dbh,$has_pass,$has_lcdb,%recommended,
- $downloadstatus,$filetouse,$production,$testing,$apachefw,$tostop,$uses_systemctl);
+ $downloadstatus,$filetouse,$production,$testing,$apachefw,$tostop,
+ $uses_systemctl,$hostname);
my $wwwuid = &uid_of_www();
my $wwwgid = getgrnam('www');
if (($wwwuid eq '') || ($wwwgid eq '')) {
@@ -398,6 +420,16 @@
unless( -e "/usr/local/sbin/pwauth") {
$recommended{'pwauth'} = 1;
}
+ my $hostname = Sys::Hostname::FQDN::fqdn();
+ if ($hostname eq '') {
+ $hostname =&get_hostname();
+ } else {
+ print &mt("Hostname detected: $hostname. Is that correct? ~[Y/n~]");
+ if (!&get_user_selection(1)) {
+ $hostname =&get_hostname();
+ }
+ }
+ print_and_log(&mt('Hostname is [_1]',$hostname)."\n");
$mysqlon = &check_mysql_running($distro);
if ($mysqlon) {
my $mysql_has_wwwuser = &check_mysql_wwwuser();
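Review bot: `my $hostname = Sys::Hostname::FQDN::fqdn();` redeclares the `$hostname` this commit adds to the `my (...)` list at the top of `check_required` (previous hunk), in the same scope; with warnings enabled Perl reports '"my" variable $hostname masks earlier declaration in same scope', and the first declaration is dead either way, so drop the `my` here. The detected value is also trusted as-is: it is interpolated into the `&mt("Hostname detected: $hostname. ...")` string, later written into the Apache `ServerName` line and interpolated into a regex in `chkapachessl`, while only the interactively entered value passes `get_hostname`'s `[\w.-]` check. Apply the same filter before using it, e.g. `$hostname = '' unless ($hostname =~ /^[\w.\-]+$/);` immediately after the `fqdn()` call, so an odd gethostname()/DNS result (or an undef return) falls through to the prompt instead. `check_required` starts and ends outside this hunk.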
@@ -429,12 +461,13 @@
($recommended{'firewall'},$apachefw) = &chkfirewall($distro);
($recommended{'runlevels'},$tostop,$uses_systemctl) = &chkconfig($distro,$instdir);
$recommended{'apache'} = &chkapache($distro,$instdir);
+ $recommended{'apachessl'} = &chkapachessl($distro,$instdir,$hostname);
$recommended{'stopsrvcs'} = &chksrvcs($distro,$tostop);
($recommended{'download'},$downloadstatus,$filetouse,$production,$testing)
= &need_download();
return ($distro,$gotprereqs,$localecmd,$packagecmd,$updatecmd,$installnow,
$mysqlrestart,\%recommended,$dbh,$has_pass,$has_lcdb,$downloadstatus,
- $filetouse,$production,$testing,$apachefw,$uses_systemctl);
+ $filetouse,$production,$testing,$apachefw,$uses_systemctl,$hostname);
}
sub check_mysql_running {
@@ -849,6 +882,44 @@
return $fixapache;
}
+sub chkapachessl {
+ my ($distro,$instdir,$hostname) = @_;
+ my $fixapachessl = 1;
+ my $stdconf = "$instdir/loncapassl.conf";
+ if (!-e $stdconf) {
+ $fixapachessl = 0;
+ print &mt('Warning: No LON-CAPA SSL Apache configuration file found for installation check.')."\n";
+ } else {
+ my $sslfile;
+ if ($distro =~ /^(debian|ubuntu)(\d+)$/) {
+ $sslfile = '/etc/apache2/sites-available/loncapassl.conf';
+ } elsif ($distro =~ /(suse|sles)/) {
+ $sslfile = '/etc/apache2/vhosts.d/loncapassl.conf';
+ } else {
+ $sslfile = '/etc/httpd/conf.d/loncapassl.conf';
+ }
+ if ((-e $sslfile) && (-e $stdconf)) {
+ if (open(PIPE, "diff -y -bi --suppress-common-lines $stdconf $sslfile |")) {
+ my $diffres = <PIPE>;
+ close(PIPE);
+ chomp($diffres);
+ if ($diffres =~ /^\QServerName internal-{[[[[Hostname]]]]}\E\s+\|\s+\QServerName internal-\E$hostname$/) {
+ $fixapachessl = 0;
+ }
+ }
+ }
+ unless ($fixapachessl) {
+ if ($distro =~ /^(debian|ubuntu)(\d+)$/) {
+ unless ((-l '/etc/apache2/sites-enabled/loncapassl.conf') &&
+ (readlink('/etc/apache2/sites-enabled/loncapassl.conf') eq '/etc/apache2/sites-available/loncapassl.conf')) {
+ print_and_log(&mt("Warning, use: 'sudo a2ensite loncapassl.conf' to activate LON-CAPA SSL Apache config\n"));
+ }
+ }
+ }
+ }
+ return $fixapachessl;
+}
+
sub chksrvcs {
my ($distro,$tostop) = @_;
my %stopsrvcs;
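Review bot: `chkapachessl` inspects only the first line of the `diff -y --suppress-common-lines` output (`my $diffres = <PIPE>` reads in scalar context), so if the installed `loncapassl.conf` differs from the shipped file on the `ServerName` line and anywhere else — say `SSLVerifyClient require` has been removed from the `/raw/` block — the first line still matches and the function reports the SSL config as fine (`$fixapachessl = 0`), which is the opposite of what a drift check should do. Read every line and accept only when exactly one differs. While there, the 2-arg pipe `open` hands `$stdconf`/`$sslfile` to a shell (breaks on paths with spaces, and is the pattern perlcritic flags), and `$hostname` is interpolated into the regex unquoted so a `.` in it matches any character; list-form open and `\Q...\E` fix both. The `-e $stdconf` re-test inside the `else` is redundant. `chkapachessl` is complete within the hunk.
```perl
        if ((-e $sslfile) && (-e $stdconf)) {
            # list-form open: no shell involved, paths with spaces are safe
            if (open(my $pipe,'-|','diff','-y','-bi','--suppress-common-lines',$stdconf,$sslfile)) {
                my @diffres = <$pipe>;
                close($pipe);
                chomp(@diffres);
                # Only the ServerName placeholder may differ; any other drift
                # means the installed file should be regenerated.
                if ((scalar(@diffres) == 1) &&
                    ($diffres[0] =~ /^\QServerName internal-{[[[[Hostname]]]]}\E\s+\|\s+\QServerName internal-$hostname\E$/)) {
                    $fixapachessl = 0;
                }
            }
        }
        # … unchanged: a2ensite warning for Debian/Ubuntu …
```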
@@ -1240,11 +1311,12 @@
".&mt('3.')." ".&mt('Set-up the MySQL database.')."
".&mt('4.')." ".&mt('Set-up MySQL permissions.')."
".&mt('5.')." ".&mt('Configure Apache web server.')."
-".&mt('6.')." ".&mt('Configure start-up of services.')."
-".&mt('7.')." ".&mt('Check firewall settings.')."
-".&mt('8.')." ".&mt('Stop services not used by LON-CAPA,')."
+".&mt('6.')." ".&mt('Configure SSL for Apache web server.')."
+".&mt('7.')." ".&mt('Configure start-up of services.')."
+".&mt('8.')." ".&mt('Check firewall settings.')."
+".&mt('9.')." ".&mt('Stop services not used by LON-CAPA,')."
".&mt('i.e., services for a print server: [_1] daemon.',"'cups'")."
-".&mt('9.')." ".&mt('Download LON-CAPA source code in readiness for installation.')."
+".&mt('10.')." ".&mt('Download LON-CAPA source code in readiness for installation.')."
".&mt('Typically, you will run this script only once, when you first install LON-CAPA.')."
@@ -1274,25 +1346,26 @@
my %callsub;
my @actions = ('wwwuser','pwauth','mysql','mysqlperms','apache',
- 'runlevels','firewall','stopsrvcs','download');
+ 'apachessl','runlevels','firewall','stopsrvcs','download');
my %prompts = &texthash(
wwwuser => "Create the 'www' user?",
pwauth => 'Install the package LON-CAPA uses to authenticate users?',
mysql => 'Set-up the MySQL database?',
mysqlperms => 'Set-up MySQL permissions?',
apache => 'Configure Apache web server?',
+ apachessl => 'Configure SSL for Apache web server?',
runlevels => 'Set overrides for start-up order of services?',
firewall => 'Configure firewall settings for Apache',
stopsrvcs => 'Stop extra services not required on a LON-CAPA server?',
download => 'Download LON-CAPA source code in readiness for installation?',
);
-print "\n".&mt('Checking system status ...')."\n";
+print "\n".&mt('Checking system status ...')."\n\n";
my $dsn = "DBI:mysql:database=mysql";
my ($distro,$gotprereqs,$localecmd,$packagecmd,$updatecmd,$installnow,$mysqlrestart,
$recommended,$dbh,$has_pass,$has_lcdb,$downloadstatus,$filetouse,$production,
- $testing,$apachefw,$uses_systemctl) = &check_required($instdir,$dsn);
+ $testing,$apachefw,$uses_systemctl,$hostname) = &check_required($instdir,$dsn);
if ($distro eq '') {
print "\n".&mt('Linux distribution could not be verified as a supported distribution.')."\n".
&mt('The following are supported: [_1].',
@@ -1320,7 +1393,6 @@
&mt('The following command can be used to install the package (and dependencies):')."\n\n".
$updatecmd."\n\n";
if ($installnow eq '') {
- print &mt('Stopping execution.')."\n";
exit;
} else {
print &mt('Run command? ~[Y/n~]');
@@ -1460,16 +1532,36 @@
if ($callsub{'apache'}) {
if ($distro =~ /^(suse|sles)/) {
- ©_apache2_suseconf($instdir);
+ ©_apache2_suseconf($instdir,$hostname);
} elsif ($distro =~ /^(debian|ubuntu)/) {
- ©_apache2_debconf($instdir,$distro);
+ ©_apache2_debconf($instdir,$distro,$hostname);
} else {
- ©_httpd_conf($instdir,$distro);
+ ©_httpd_conf($instdir,$distro,$hostname);
}
} else {
print_and_log(&mt('Skipping configuration of Apache web server.')."\n");
}
+if ($callsub{'apachessl'}) {
+ if ($distro =~ /^(suse|sles)/) {
+ ©_apache_sslconf_file($instdir,'/etc/apache2/vhosts.d',$hostname);
+ } elsif ($distro =~ /^(debian|ubuntu)/) {
+ my $apache2_sites_available_dir = '/etc/apache2/sites-available';
+ if (©_apache_sslconf_file($instdir,$apache2_sites_available_dir,$hostname)) {
+ my $apache2_sites_enabled_dir = '/etc/apache2/sites-enabled';
+ my $made_symlink = eval { symlink("$apache2_sites_available_dir/loncapassl.conf","$apache2_sites_enabled_dir/loncapassl.conf"); 1 };
+ if ($made_symlink) {
+ print_and_log(&mt('Enabling "[_1]" Apache SSL configuration.','loncapassl.conf')."\n");
+ }
+ }
+ } else {
+ ©_apache_sslconf_file($instdir,'/etc/httpd/conf.d',$hostname);
+ }
+ print_and_log("\n");
+} else {
+ print_and_log(&mt('Skipping configuration of SSL for Apache web server.')."\n");
+}
+
if ($callsub{'runlevels'}) {
my $count = 0;
if (ref($recommended) eq 'HASH') {
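Review bot: the `symlink(...)` failure path is silent: `symlink` returns false rather than dying when the link cannot be created (EEXIST for a stale link pointing elsewhere or a regular file at that path, EACCES, and so on), the surrounding `eval` only guards the no-symlink-support case, and when `$made_symlink` is false nothing is logged, so the SSL vhost is quietly left disabled even though the preceding line reported the copy as successful. Report it: after the `if ($made_symlink) { ... }` branch add `} else { print_and_log(&mt('Could not enable [_1]: [_2]','loncapassl.conf',$!)."\n"); }`, skipping the message when `-l` already resolves to the sites-available file (the case `chkapachessl` treats as enabled). These are top-level statements; the script continues on both sides of the hunk.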
@@ -1944,7 +2036,7 @@
###########################################################
sub copy_httpd_conf {
- my ($instdir,$distro) = @_;
+ my ($instdir,$distro,$hostname) = @_;
my $configfile = 'httpd.conf';
if ($distro =~ /^(?:centos|rhes|scientific)(\d+)$/) {
if ($1 >= 7) {
@@ -1967,6 +2059,47 @@
print_and_log("\n");
}
+###############################################
+##
+## Copy/Modify loncapassl.conf
+##
+###############################################
+
+sub copy_apache_sslconf_file {
+ my ($instdir,$targetdir,$hostname) = @_;
+ my ($success,$error);
+ if (-e "$instdir/loncapassl.conf") {
+ if (open(my $fh,'<',"$instdir/loncapassl.conf")) {
+ if (open(my $out,'>',"$targetdir/loncapassl.conf")) {
+ while (<$fh>) {
+ if (/^\QServerName internal-\E/) {
+ chomp();
+ s/^(\QServerName internal-\E)(.*)$/$1$hostname\n/;
+ }
+ print $out $_;
+ }
+ $success = 1;
+ } else {
+ $error = "Could not write to $targetdir/loncapassl.conf";
+ }
+ } else {
+ $error = "Could not read from $instdir/loncapassl.conf";
+ }
+ } else {
+ $error = "File to copy from: $instdir/loncapassl.conf does not exist";
+ }
+ if ($success) {
+ print_and_log(&mt('Successfully copied [_1] to [_2].',"'loncapassl.conf'","'$targetdir/loncapassl.conf'")."\n");
+ chmod(0444,"$targetdir/loncapassl.conf");
+ } else {
+ print_and_log(&mt('Failed to copy [_1] to [_2].',"'loncapassl.conf'","'$targetdir/loncapassl.conf'")."\n");
+ if ($error) {
+ print_and_log("$error\n");
+ }
+ }
+ return $success;
+}
+
#########################################################
##
## Ubuntu/Debian -- copy our loncapa configuration file to
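Review bot: `copy_apache_sslconf_file` sets `$success = 1` as soon as the copy loop ends, without closing `$out` or checking that the writes reached disk; a full disk or quota hit on `$targetdir` only surfaces at `close`, which here happens implicitly when the lexical handle goes out of scope with the error discarded, so the function prints "Successfully copied", chmods a truncated file and returns true — on Debian the caller then goes on to enable that truncated vhost. Replace `$success = 1;` with `if (close($out)) { $success = 1; } else { $error = "Could not write to $targetdir/loncapassl.conf: $!"; }`. The two other `$error` strings would also be more useful with `: $!` appended. Note that only the `ServerName internal-` line is rewritten from the template; any other placeholder in `loncapassl.conf` is copied verbatim. `copy_apache_sslconf_file` is complete within the hunk.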
@@ -1975,7 +2108,7 @@
#########################################################
sub copy_apache2_debconf {
- my ($instdir,$distro) = @_;
+ my ($instdir,$distro,$hostname) = @_;
my $apache2_mods_enabled_dir = '/etc/apache2/mods-enabled';
my $apache2_mods_available_dir = '/etc/apache2/mods-available';
foreach my $module ('headers.load','expires.load') {
@@ -2037,7 +2170,7 @@
###########################################################
sub copy_apache2_suseconf {
- my ($instdir) = @_;
+ my ($instdir,$hostname) = @_;
print_and_log(&mt('Copying the LON-CAPA [_1] to [_2].',
"'default-server.conf'",
"'/etc/apache2/default-server.conf'")."\n");
Index: doc/install/linux/loncapassl.conf
+++ doc/install/linux/loncapassl.conf
<VirtualHost *:443>
ServerName internal-{[[[[Hostname]]]]}
DocumentRoot "/home/httpd/html"
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile /home/httpd/lonCerts/lonhostnamecert.pem
SSLCertificateKeyFile /home/httpd/lonCerts/lonKey.pem
SSLCACertificateFile /home/httpd/lonCerts/loncapaCA.pem
SSLCARevocationFile /home/httpd/lonCerts/loncapaCAcrl.pem
SSLCARevocationCheck chain
ErrorLog logs/ssl_LCerror_log
TransferLog logs/ssl_LCaccess_log
LogLevel warn
CustomLog logs/ssl_LCrequest_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/raw/ [NC]
RewriteCond %{HTTP_HOST} ^internal\-(.+) [NC]
RewriteRule (.*) https://%1$1 [R=302,L,QSA]
<LocationMatch "^/+raw/.*">
PerlAccessHandler Apache::lonracc
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 2
</LocationMatch>
</VirtualHost>
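Review bot: the redirect exclusion and the client-certificate block disagree on case: `RewriteCond %{REQUEST_URI} !^/raw/ [NC]` exempts `/RAW/...` or `/Raw/...` from the redirect, but `<LocationMatch "^/+raw/.*">` is case-sensitive, so such a request stays on this vhost with none of `PerlAccessHandler Apache::lonracc`, `SSLVerifyClient require` or `SSLVerifyDepth 2` applied and is served from the plain `DocumentRoot`; whether anything sensitive is reachable that way depends on the main LON-CAPA config, which is not shown, but the safe shape is an exemption no wider than the protected location — drop the `[NC]` (or make the LocationMatch case-insensitive with `(?i)` if that is the intent). The TLS settings are also weaker than 2018 practice: `SSLProtocol all -SSLv2` still allows SSLv3 (POODLE) and `HIGH:MEDIUM` admits RC4/3DES-class ciphers, and the server should enforce its own cipher preference. The `(.+)` in the Host-based redirect is unanchored and echoes whatever follows `internal-` in the client's Host header into the redirect target; restricting it to the configured hostname would be tighter, though the installer currently substitutes only the `ServerName` line.
```apache
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
# … unchanged: certificate/CRL files, logging, RewriteEngine …
RewriteCond %{REQUEST_URI} !^/raw/
# … unchanged: HTTP_HOST condition, RewriteRule, /raw/ LocationMatch block …
```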