[LON-CAPA-cvs] cvs: doc(version_2_11_X) /loncapafiles webserver.piml

raeburn raeburn at source.lon-capa.org
Mon Jan 6 10:54:10 EST 2020


raeburn		Mon Jan  6 15:54:10 2020 EDT

  Modified files:              (Branch: version_2_11_X)
    /doc/loncapafiles	webserver.piml 
  Log:
  - For 2.11
    Backport 1.44, 1.46, 1.49, 1.50
  
  
-------------- next part --------------
Index: doc/loncapafiles/webserver.piml
diff -u doc/loncapafiles/webserver.piml:1.43.2.2 doc/loncapafiles/webserver.piml:1.43.2.3
--- doc/loncapafiles/webserver.piml:1.43.2.2	Sun Jul  7 18:39:39 2019
+++ doc/loncapafiles/webserver.piml	Mon Jan  6 15:54:10 2020
@@ -2,7 +2,7 @@
 	"http://lpml.sourceforge.net/DTD/piml.dtd">
 <!-- webserver.piml -->
 
-<!-- $Id: webserver.piml,v 1.43.2.2 2019/07/07 18:39:39 raeburn Exp $ -->
+<!-- $Id: webserver.piml,v 1.43.2.3 2020/01/06 15:54:10 raeburn Exp $ -->
 
 <!--
 
@@ -67,6 +67,8 @@
 </dependencies>
 <perlscript mode='fg' dist="default">
 # Generated from doc/loncapafiles/webserver.piml
+use Socket;
+use Sys::Hostname::FQDN();
 unless (-e "<TARGET />") {
   print '**** ERROR! <TARGET /> should exist! Are you missing the Apache '.
     'software package?';
@@ -168,13 +170,15 @@
         system("cp $rewrite_off $curr_rewrite");
         chmod(0644, $curr_rewrite);
     } else {
-        my ($not_rewrite_on,$not_rewrite_off);
+        my ($not_rewrite_on,$not_rewrite_off,$rewrite_state);
         if (open(PIPE, "diff --brief $rewrite_off $curr_rewrite |")) {
             my $diffres = <PIPE> ;
             close(PIPE);
             chomp($diffres);
             if ($diffres) {
                 $not_rewrite_off = 1;
+            } else {
+                $rewrite_state = 'off';
             }
         }
         if (open(PIPE, "diff --brief $rewrite_on $curr_rewrite |")) {
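Review bot: The new `} else { $rewrite_state = 'off'; }` branch treats empty output from `diff --brief` as proof that the two files are identical, but diff also writes nothing to stdout when it fails (exit status 2, for example when `$rewrite_off` is unreadable), and the status left by `close(PIPE)` is never checked. A state wrongly recorded here decides whether the later https-to-http rule check runs at all, so the branch should require a clean exit, e.g. `} elsif ($? == 0) {` in place of `} else {`. The same applies to the `$rewrite_on` comparison that starts on the last line of this hunk and continues in the next one. The file names are also interpolated into a shell command string; the list form `open(my $pipe, '-|', 'diff', '--brief', $rewrite_off, $curr_rewrite)` would keep the shell from parsing those paths, which are defined outside this hunk.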
@@ -183,16 +187,127 @@
             chomp($diffres);
             if ($diffres) {
                 $not_rewrite_on = 1;
+            } else {
+                $rewrite_state = 'on';
             }
         }
-        unless ($not_rewrite_off || $not_rewrite_on) {
-            print('**** WARNING **** '.$curr_rewrite.' does not match '.
-            'either: '.$rewrite_on.' - the file used to enable rewriting '.
-            'of requests for http:// to https:// or: '.$rewrite_off.
+        if ($not_rewrite_off && $not_rewrite_on) {
+            print('**** WARNING **** '."\n".$curr_rewrite.' does not match '.
+            'either:'."\n".$rewrite_on.' - the file used to enable rewriting '.
+            'of requests for http:// to https:// '."\n".'or:'."\n".$rewrite_off.
             ' - the file used to disable such rewriting'."\n\n".
             'This may be because '. $curr_rewrite.' has been '. 
-            'previously customized, or it may be because of a change '.  
+            'previously customized,'."\n".'or it may be because of a change '.  
             'to the files in '.$rewrite_dir."\n");
+            if (open(my $fh,'<',$curr_rewrite)) {
+                while(<$fh>) {
+                    if (/^\s*RewriteEngine\s+(on|off)\s*$/i) {
+                        if ($1 eq 'on') {
+                            $rewrite_state = 'on';
+                        } else {
+                            $rewrite_state = 'off';
+                        }
+                        last;
+                    }
+                }
+            }
+        }
+        if ($rewrite_state eq 'on') {
+        # Checking for rewrites of https:// to http://
+            my ($gotrules,$rulestr,$ssldir);
+            if ('<DIST />' eq 'suse9.2' || '<DIST />' eq 'suse9.3'
+                || '<DIST />' eq 'sles9') {
+                $ssldir = '/etc/apache/vhosts.d';
+            } elsif ('<DIST />' =~ /^(suse|sles)/) {
+                $ssldir = '/etc/apache2/vhosts.d';
+            } elsif ('<DIST />' =~ /^(debian|ubuntu)/) {
+                $ssldir = '/etc/apache2/sites-available';
+            } else {
+                $ssldir = '/etc/httpd/conf.d';
+            }
+            my $hostname = Sys::Hostname::FQDN::fqdn();
+            my $hostip = Socket::inet_ntoa(scalar(gethostbyname($hostname)) || 'localhost');
+            my @expected = ('RewriteCond %{REQUEST_URI} ^/adm/wrapper/ext/(?!https:\/\/)',
+                            'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)',
+                            'RewriteRule ^/adm/wrapper/ext/(?!https:\/\/) http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]',
+                            'RewriteCond %{REMOTE_ADDR} 127.0.0.1',
+                            'RewriteRule (.*) - [L]');
+            if (($hostip ne '') && ($hostip ne '127.0.0.1')) {
+                push(@expected,('RewriteCond %{REMOTE_ADDR} '.$hostip,
+                                'RewriteRule (.*) - [L]'));
+            }
+            push(@expected,('RewriteCond %{REQUEST_URI} ^/public/.*/syllabus$',
+                            'RewriteCond %{QUERY_STRING} (^|&(|amp;))usehttp=1($|&)',
+                            'RewriteRule ^/public/.*/syllabus$ http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]'));
+            if (-d $ssldir) {
+                my @rewrites;
+                if (opendir(my $dir,$ssldir)) {
+                    my @sslconf_files;
+                    foreach my $file (!grep(/^\.$/,readdir($dir))) {
+                        if (open(my $fh,'<',"$ssldir/$file")) {
+                            while (<$fh>) {
+                                if (/^\s*<VirtualHost\s+[^:]*\:443>\s*$/) {
+                                    push(@sslconf_files,$file);
+                                    last;
+                                }
+                            }
+                            close($fh);
+                        }
+                    }
+                    if (@sslconf_files) {
+                        my @rewrites;
+                        foreach my $file (@sslconf_files) {
+                            if (open(my $fh,'<',"$ssldir/$file")) {
+                                my ($rewrite,$num) = (0,0);
+                                while (<$fh>) {
+                                    if ($rewrite) {
+                                        if (/\s*<\/IfModule>/) {
+                                            $rewrite = 0;
+                                            $num ++;
+                                        } else {
+                                            chomp();
+                                            s/^(\s+|\s+)$//g;
+                                            push(@{$rewrites[$num]},$_);
+                                        }
+                                    } elsif (/^\s*<IfModule\s+mod_rewrite.c>/) {
+                                        $rewrite = 1;
+                                    }
+                                }
+                                close($fh);
+                            }
+                        }
+                    }
+                    closedir($dir);
+                }
+                if (@rewrites) {
+                    foreach my $item (@rewrites) {
+                        if (ref($item) eq 'ARRAY') {
+                            my $found = 0;
+                            foreach my $item (@rewrites) {
+                                foreach my $match (@expected) {
+                                    if ($match eq $item) {
+                                        $found ++;
+                                        last;
+                                    }
+                                }
+                            }
+                            if ($found >= @expected) {
+                                $gotrules = 1;
+                            }
+                        }
+                    }
+                }
+            }
+            unless ($gotrules) {
+                print('**** WARNING **** '."\n".$curr_rewrite.' is currently set so rewrites '.
+                      'of http to https are enabled for most URLs.'."\n".
+                      'Unless your Apache configuration includes Strict-Transport-Security '.
+                      '(with max-age > 0), it is recommended to also set rewrites from https to http '.
+                      'for specific URLs in a file in '.$ssldir.' by including the following:'."\n".
+                      "<IfModule mod_rewrite.c>\n".'  '.
+                      join("\n  ", at expected)."\n".
+                      "</IfModule>\n");
+            }
         }
     }
 }
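Review bot: The rule check added under `if ($rewrite_state eq 'on')` can never set `$gotrules`, so the https-to-http warning is printed on every run with rewriting on, whether or not the SSL vhost file already holds the expected rules. Three things combine: `!grep(/^\.$/,readdir($dir))` negates grep's scalar count, so the loop sees one empty value instead of the directory entries; the second `my @rewrites;` inside `if (@sslconf_files)` shadows the outer array that is tested afterwards; and the inner `foreach my $item (@rewrites)` compares array references with the strings in `@expected`. Smaller defects sit alongside: `s/^(\s+|\s+)$//g` only empties whitespace-only lines, `$1 eq 'on'` after an `/i` match treats `RewriteEngine On` as off, and `Socket::inet_ntoa` is handed the string 'localhost' when `gethostbyname` fails, which it rejects because that is not a packed address. The fence sketches the corrected lines; the enclosing perlscript block starts outside this hunk. Separately, the `RewriteCond %{REMOTE_ADDR}` patterns are unanchored regexes with unescaped dots, so they match more addresses than the one intended; `'^'.quotemeta($hostip).'$'` would pin the exemption to the host's own address.

```perl
                    if (/^\s*RewriteEngine\s+(on|off)\s*$/i) {
                        $rewrite_state = lc($1);
                        last;
                    }
# … unchanged: $ssldir selection by distribution …
            my $hostname = Sys::Hostname::FQDN::fqdn();
            my $packed = gethostbyname($hostname);
            my $hostip = defined($packed) ? Socket::inet_ntoa($packed) : '';
# … unchanged: @expected list …
                my @rewrites;
                if (opendir(my $dir,$ssldir)) {
                    my @sslconf_files;
                    foreach my $file (grep(!/^\.\.?$/,readdir($dir))) {
# … unchanged: collect files containing <VirtualHost ...:443> …
                    foreach my $file (@sslconf_files) {
# … unchanged: open file, track <IfModule mod_rewrite.c> sections …
                                    s/^\s+|\s+$//g;
                                    push(@{$rewrites[$num]},$_);
# … unchanged: close file, closedir …
                foreach my $block (@rewrites) {
                    next unless (ref($block) eq 'ARRAY');
                    my %seen = map { $_ => 1 } @{$block};
                    unless (grep { !$seen{$_} } @expected) {
                        $gotrules = 1;
                        last;
                    }
                }
```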

