[LON-CAPA-cvs] cvs: doc(version_2_11_X) /loncapafiles webserver.piml
raeburn
raeburn at source.lon-capa.org
Mon Jan 6 10:54:10 EST 2020
raeburn Mon Jan 6 15:54:10 2020 EDT
Modified files: (Branch: version_2_11_X)
/doc/loncapafiles webserver.piml
Log:
- For 2.11
Backport 1.44, 1.46, 1.49, 1.50
Index: doc/loncapafiles/webserver.piml
diff -u doc/loncapafiles/webserver.piml:1.43.2.2 doc/loncapafiles/webserver.piml:1.43.2.3
--- doc/loncapafiles/webserver.piml:1.43.2.2 Sun Jul 7 18:39:39 2019
+++ doc/loncapafiles/webserver.piml Mon Jan 6 15:54:10 2020
@@ -2,7 +2,7 @@
"http://lpml.sourceforge.net/DTD/piml.dtd">
<!-- webserver.piml -->
-<!-- $Id: webserver.piml,v 1.43.2.2 2019/07/07 18:39:39 raeburn Exp $ -->
+<!-- $Id: webserver.piml,v 1.43.2.3 2020/01/06 15:54:10 raeburn Exp $ -->
<!--
@@ -67,6 +67,8 @@
</dependencies>
<perlscript mode='fg' dist="default">
# Generated from doc/loncapafiles/webserver.piml
+use Socket;
+use Sys::Hostname::FQDN();
unless (-e "<TARGET />") {
print '**** ERROR! <TARGET /> should exist! Are you missing the Apache '.
'software package?';
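Review bot: `use Sys::Hostname::FQDN();` makes the generated script fail at compile time on any host where that non-core module is missing, before the `-e` test on the target can print its own error. The `<dependencies>` block closes just above this hunk and its contents are not visible here, so confirm the module is a declared prerequisite, or load it with `eval { require Sys::Hostname::FQDN; }` and skip the host-IP rule when it is unavailable. `use Socket;` could also be `use Socket ();`, since the new code calls `Socket::inet_ntoa` fully qualified.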
@@ -168,13 +170,15 @@
system("cp $rewrite_off $curr_rewrite");
chmod(0644, $curr_rewrite);
} else {
- my ($not_rewrite_on,$not_rewrite_off);
+ my ($not_rewrite_on,$not_rewrite_off,$rewrite_state);
if (open(PIPE, "diff --brief $rewrite_off $curr_rewrite |")) {
my $diffres = <PIPE> ;
close(PIPE);
chomp($diffres);
if ($diffres) {
$not_rewrite_off = 1;
+ } else {
+ $rewrite_state = 'off';
}
}
if (open(PIPE, "diff --brief $rewrite_on $curr_rewrite |")) {
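Review bot: `$rewrite_state` is declared without a value and is assigned only when one of the two `diff --brief` runs reports no difference, or later when a `RewriteEngine` line is found. It can therefore still be undef when the following hunk tests `$rewrite_state eq 'on'`. Initialising it on its own line, `my $rewrite_state = '';`, keeps that comparison well defined and avoids an uninitialized-value warning if warnings are enabled. The `else` block this sits in starts before the hunk and continues past it.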
@@ -183,16 +187,127 @@
chomp($diffres);
if ($diffres) {
$not_rewrite_on = 1;
+ } else {
+ $rewrite_state = 'on';
}
}
- unless ($not_rewrite_off || $not_rewrite_on) {
- print('**** WARNING **** '.$curr_rewrite.' does not match '.
- 'either: '.$rewrite_on.' - the file used to enable rewriting '.
- 'of requests for http:// to https:// or: '.$rewrite_off.
+ if ($not_rewrite_off && $not_rewrite_on) {
+ print('**** WARNING **** '."\n".$curr_rewrite.' does not match '.
+ 'either:'."\n".$rewrite_on.' - the file used to enable rewriting '.
+ 'of requests for http:// to https:// '."\n".'or:'."\n".$rewrite_off.
' - the file used to disable such rewriting'."\n\n".
'This may be because '. $curr_rewrite.' has been '.
- 'previously customized, or it may be because of a change '.
+ 'previously customized,'."\n".'or it may be because of a change '.
'to the files in '.$rewrite_dir."\n");
+ if (open(my $fh,'<',$curr_rewrite)) {
+ while(<$fh>) {
+ if (/^\s*RewriteEngine\s+(on|off)\s*$/i) {
+ if ($1 eq 'on') {
+ $rewrite_state = 'on';
+ } else {
+ $rewrite_state = 'off';
+ }
+ last;
+ }
+ }
+ }
+ }
+ if ($rewrite_state eq 'on') {
+ # Checking for rewrites of https:// to http://
+ my ($gotrules,$rulestr,$ssldir);
+ if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3'
+ || '<DIST />' eq 'sles9') {
+ $ssldir = '/etc/apache/vhosts.d';
+ } elsif ('<DIST />' =~ /^(suse|sles)/) {
+ $ssldir = '/etc/apache2/vhosts.d';
+ } elsif ('<DIST />' =~ /^(debian|ubuntu)/) {
+ $ssldir = '/etc/apache2/sites-available';
+ } else {
+ $ssldir = '/etc/httpd/conf.d';
+ }
+ my $hostname = Sys::Hostname::FQDN::fqdn();
+ my $hostip = Socket::inet_ntoa(scalar(gethostbyname($hostname)) || 'localhost');
+ my @expected = ('RewriteCond %{REQUEST_URI} ^/adm/wrapper/ext/(?!https:\/\/)',
+ 'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)',
+ 'RewriteRule ^/adm/wrapper/ext/(?!https:\/\/) http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]',
+ 'RewriteCond %{REMOTE_ADDR} 127.0.0.1',
+ 'RewriteRule (.*) - [L]');
+ if (($hostip ne '') && ($hostip ne '127.0.0.1')) {
+ push(@expected,('RewriteCond %{REMOTE_ADDR} '.$hostip,
+ 'RewriteRule (.*) - [L]'));
+ }
+ push(@expected,('RewriteCond %{REQUEST_URI} ^/public/.*/syllabus$',
+ 'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)',
+ 'RewriteRule ^/public/.*/syllabus$ http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]'));
+ if (-d $ssldir) {
+ my @rewrites;
+ if (opendir(my $dir,$ssldir)) {
+ my @sslconf_files;
+ foreach my $file (!grep(/^\.$/,readdir($dir))) {
+ if (open(my $fh,'<',"$ssldir/$file")) {
+ while (<$fh>) {
+ if (/^\s*<VirtualHost\s+[^:]*\:443>\s*$/) {
+ push(@sslconf_files,$file);
+ last;
+ }
+ }
+ close($fh);
+ }
+ }
+ if (@sslconf_files) {
+ my @rewrites;
+ foreach my $file (@sslconf_files) {
+ if (open(my $fh,'<',"$ssldir/$file")) {
+ my ($rewrite,$num) = (0,0);
+ while (<$fh>) {
+ if ($rewrite) {
+ if (/\s*<\/IfModule>/) {
+ $rewrite = 0;
+ $num ++;
+ } else {
+ chomp();
+ s/^(\s+|\s+)$//g;
+ push(@{$rewrites[$num]},$_);
+ }
+ } elsif (/^\s*<IfModule\s+mod_rewrite.c>/) {
+ $rewrite = 1;
+ }
+ }
+ close($fh);
+ }
+ }
+ }
+ closedir($dir);
+ }
+ if (@rewrites) {
+ foreach my $item (@rewrites) {
+ if (ref($item) eq 'ARRAY') {
+ my $found = 0;
+ foreach my $item (@rewrites) {
+ foreach my $match (@expected) {
+ if ($match eq $item) {
+ $found ++;
+ last;
+ }
+ }
+ }
+ if ($found >= @expected) {
+ $gotrules = 1;
+ }
+ }
+ }
+ }
+ }
+ unless ($gotrules) {
+ print('**** WARNING **** '."\n".$curr_rewrite.' is currently set so rewrites '.
+ 'of http to https are enabled for most URLs.'."\n".
+ 'Unless your Apache configuration includes Strict-Transport-Security '.
+ '(with max-age > 0), it is recommended to also set rewrites from https to http '.
+ 'for specific URLs in a file in '.$ssldir.' by including the following:'."\n".
+ "<IfModule mod_rewrite.c>\n".' '.
+ join("\n ", at expected)."\n".
+ "</IfModule>\n");
+ }
}
}
}
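Review bot: The new scan of `$ssldir` can never set `$gotrules`, so the Strict-Transport-Security warning is printed on every run with rewriting on, even when the expected rules are already present. Four things cause this: `!grep(/^\.$/,readdir($dir))` puts grep in scalar context and yields one empty string instead of the file list; the second `my @rewrites;` inside `if (@sslconf_files)` shadows the array later tested by `if (@rewrites)`; `s/^(\s+|\s+)$//g` only strips lines that are entirely whitespace; and the inner `foreach my $item (@rewrites)` compares array references with the expected strings. Separately, `Socket::inet_ntoa(... || 'localhost')` is handed a 9-byte string when the lookup fails, which inet_ntoa rejects with a fatal error rather than falling back. The fence shows one way to address these; the enclosing block opens before the hunk.

```perl
my $packed_ip = gethostbyname($hostname);
my $hostip = defined($packed_ip) ? Socket::inet_ntoa($packed_ip) : '';
# … unchanged: @expected list, -d $ssldir test, my @rewrites, opendir …
foreach my $file (grep(!/^\.\.?$/,readdir($dir))) {
    # … unchanged: collect files that contain a :443 VirtualHost …
}
if (@sslconf_files) {
    # no second "my @rewrites;" here, so the outer array is the one filled
    foreach my $file (@sslconf_files) {
        # … unchanged: open file, track <IfModule mod_rewrite.c> blocks …
        chomp();
        s/^\s+|\s+$//g;
        # … unchanged: push line onto $rewrites[$num] …
    }
}
# … unchanged: closedir …
foreach my $block (@rewrites) {
    next unless (ref($block) eq 'ARRAY');
    my %seen = map { $_ => 1 } @{$block};
    unless (grep { !$seen{$_} } @expected) {
        $gotrules = 1;
        last;
    }
}
```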