TPR5: Custom Configurations: Unlock the Power of Apache
Steven Lewis, Web Manager, SUNY Brockport
Problem #1: Migrate from IIS to Apache without Losing ASP
Inherited IIS from the previous Webmaster: crashes, viruses, unfamiliar
Challenge: case awareness vs. case sensitivity (paths on IIS/NTFS are case-insensitive; file names on Solaris are not, so links that worked on IIS break on Apache)
Major obstacle: installed base of ASP apps
Solution:
Build a new Solaris/Apache server
Keep identical URLs
Keep the same account/FTP access method
Keep the NT server until the ASP apps are moved (renamed to nt.web.brockport.edu)
Proxy ASP requests to the existing IIS server
Take the time to migrate the ASP apps to the new infrastructure
mod_speling [sic] (the module name really is spelled with one "l"; it fixes case and one-character spelling mistakes in URLs with a redirect)
Code: httpd.conf:
  RewriteEngine On
  # proxy every .asp request, whatever its case, to the retained IIS host (needs mod_proxy);
  # the proxy target was lost in extraction and is reconstructed from the hostname on the previous slide
  RewriteRule ^(.*\.[Aa][Ss][Pp])$ http://nt.web.brockport.edu$1 [P]
  # mod_speling: redirect requests whose case or spelling does not match a file on disk
  CheckSpelling On
Notes on Security
The IIS machine can deny all requests not coming from the new Web server (IP restriction on IIS or a firewall in front of it)
This limits its attack surface to the .asp requests the proxy forwards
Reduced machine load; improves stability
Caveat: the forwarded .asp requests still reach IIS with whatever path and query string the client sent, so the IIS box still needs patching for as long as it serves ASP; and keep ProxyRequests Off, because [P] rewrite rules work without it and turning it on makes Apache an open forward proxy.
(Please note: the author does not recommend running IIS under any circumstances, and assumes no responsibility for any consequences of your software decisions.)
Problem #2: Security for Administrative Functions or Internal Information over the Web
https is set up as a mirror of http
Certain tasks or information demand extra security: passwords, home addresses, etc.
No robust institution-wide internal document repository
Need to restrict certain folders to https only
Solution:
Develop a standard naming convention for Web app administrative functions: …/admin/…
Place internal information and documents within one folder: /internal/…
Add password restrictions to limit access
Code: httpd.conf (use one of the two rule pairs; the redirect target was lost in extraction and is reconstructed as the same path on the https mirror):
  # admin only
  RewriteCond %{SERVER_PORT} ^80$
  RewriteRule ^(.*/admin/.*)$ https://%{SERVER_NAME}$1 [R]
  # admin and internal
  RewriteCond %{SERVER_PORT} ^80$
  RewriteRule ^((.*/admin/.*)|(/internal.*))$ https://%{SERVER_NAME}$1 [R]
Caveat: the redirect fires only after a plain-HTTP request has already arrived, so it cannot protect anything a client has already sent in the clear. Add SSLRequireSSL inside the <Location> blocks for /admin/ and /internal/ (or keep the AuthType/Require directives in the SSL virtual host only) so that the rewrite rule is not the only thing keeping those folders off port 80.
Problem 3: Too Many Passwords, No LDAP
Using the old system; no LDAP in place
Need a source of passwords people will remember
Debugging scenarios/special cases (e.g. Emeriti)
Solution:
mod_auth_external: run an arbitrary program to do authentication
Write a Perl script that makes a POP connection to the mail server and tries the user's login there
Or write a program to do any check conceivable
Works with any Web page, through normal httpd authentication
Caveat: the browser sends the Basic-auth password base64-encoded, not encrypted, and the POP3 USER/PASS check sends it to the mail server in the clear as well, so put the protected folders behind the https-only rules of Problem 2 and keep the Web-to-mail hop on a trusted network.
Code: httpd.conf:
  AddExternalAuth brockport-pop /web/auth/po-pop
  SetExternalAuthMethod brockport-pop pipe
More Code: .htaccess:
  AuthType Basic
  AuthName "SUNY Brockport NetID Login"
  AuthExternal brockport-pop
  # do authorization in-program / any authenticated user is OK
  Require valid-user
  # limit to these two users only
  # Require user slewis jdoe
Still More Code: /web/auth/po-pop (the "pipe" method writes the username and the password to the program's standard input, one per line; exit status 0 accepts the login, anything else rejects it):
  #!/usr/local/bin/perl
  use strict;
  use IO::Socket;

  # Grab username and password as passed by mod_auth_external on STDIN, one per line
  my $USER     = <>;
  my $PASSWORD = <>;
  chomp $USER;
  chomp $PASSWORD;

  ## network connection (POP login via IO::Socket)
  ## or database query
  ## or anything else...
  ## then: exit 0 if the check succeeded; any other status rejects the login
  exit 1;   # fail closed if nothing above accepted the user
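A complete version of that authenticator, added here as an example (it is not the presentation's po-pop script, and is written in Python rather than the talk's Perl so it can be run as-is). It reads the two lines mod_auth_external's pipe method supplies, tries a POP3 USER/PASS login, and exits 0 only on success; every other outcome, including an unreachable mail server, is a rejection. The POP host and port, the in-process fake POP3 server and its one account are assumptions constructed for the example, not the campus values.

```python
#!/usr/bin/env python3
"""mod_auth_external "pipe" authenticator: a POP3 login check.

Apache (via `SetExternalAuthMethod brockport-pop pipe`) runs this program for each
login attempt and writes the username and then the password to its stdin, each
terminated by a newline.  Exit status 0 = authenticated, anything else = rejected.
The POP3 host/port and the fake server below are assumptions for this example.
"""
import poplib
import socketserver
import sys
import threading

POP_HOST = "127.0.0.1"   # assumed; the presentation does not name its POP server
POP_PORT = 110
TIMEOUT = 5.0


def parse_pipe_input(stream):
    """Read the two lines the pipe method sends; strip only the line terminator
    (like Perl's chomp) so a password with leading/trailing spaces survives."""
    user = stream.readline()
    password = stream.readline()
    if not user.endswith("\n") or not password.endswith("\n"):
        raise ValueError("expected two newline-terminated lines on stdin")
    return user[:-1], password[:-1]


def check_pop_login(user, password, host=POP_HOST, port=POP_PORT):
    """Return True only if USER/PASS succeeds.  Bad password, unreachable server
    and protocol errors all return False, so the authenticator fails closed."""
    if not user or not password:
        return False
    # POP3 is line-oriented: a CR or LF inside either value would let the client
    # inject extra commands into the session, so refuse control characters outright.
    if any(ord(c) < 32 or ord(c) == 127 for c in user + password) or " " in user:
        return False
    try:
        conn = poplib.POP3(host, port, timeout=TIMEOUT)
    except (OSError, poplib.error_proto):
        return False
    try:
        conn.user(user)
        conn.pass_(password)        # raises error_proto on a "-ERR" reply
        return True
    except (OSError, poplib.error_proto):
        return False
    finally:
        try:
            conn.quit()
        except (OSError, poplib.error_proto):
            pass


class _FakePop3Handler(socketserver.StreamRequestHandler):
    """Constructed stand-in for the mail server, used only to exercise the check offline."""
    ACCOUNTS = {"slewis": "correct horse"}   # constructed test account

    def handle(self):
        self.wfile.write(b"+OK fake POP3 ready\r\n")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode("latin-1").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.wfile.write(b"+OK\r\n")
            elif cmd == "PASS":
                ok = user is not None and self.ACCOUNTS.get(user) == arg
                self.wfile.write(b"+OK logged in\r\n" if ok else b"-ERR authentication failed\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"+OK bye\r\n")
                return
            else:
                self.wfile.write(b"-ERR unknown command\r\n")


def start_fake_pop3():
    """Start the constructed POP3 server on an ephemeral loopback port; returns (host, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakePop3Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address


def main():
    # Never print the password: mod_auth_external copies the program's stderr to the error log.
    user, password = parse_pipe_input(sys.stdin)
    sys.exit(0 if check_pop_login(user, password) else 1)


if __name__ == "__main__":
    main()
```

Installed as /web/auth/po-pop with POP_HOST pointing at the real mail server, the script drops straight into the AddExternalAuth line above. The control-character check matters because the pipe method and POP3 are both newline-delimited protocols; the fail-closed defaults mean a mail outage locks people out rather than letting them in.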
Problem 4: Preview/Test New SSI Templates Before Rollout
No Content Management System
SSI templates are used for common code
Need to test/debug a template upgrade across tens of thousands of pages
Make changes to smooth the transition
Solution:
Open a new server port for testing (e.g. 8080)
Use the same configuration and files as the live site
Change only the template folder holding the SSI data, so that the test URL differs from the live one only in the port number, and the test server differs from the live one only in its template folder.
Code: httpd.conf (inside the virtual host for the test port; the rest of that block was lost in extraction):
  # ...
  Alias /templates/ /web/live/wwwroot/templates2/
Caveat: the Problem 2 rewrite only fires when SERVER_PORT is 80, so /admin/ and /internal/ requested on port 8080 are not pushed to https. Either make that condition port-independent or keep the test port reachable only from trusted addresses.
Lots of Problems
Problem 5: Bad links to the first Web server
Problem 6: CGI Web page counter upgrade
Problem 7: Web reports' HTML code looks like SSI and produces errors
Problem 8: No copyright notice in pages
Problem 9: Adding CSS for the SSI template upgrade
Common Solution: Dynamic Recoding of Pages as They Are Served
Requires: Perl, mod_perl, and the Apache::Filter Perl module
Solution Code to Problem 5:
  # change server references in HTML to www only:
  (two s{...}{...} substitutions followed here; the old and new host names were lost in extraction)
Solution Code to Problem 6:
  # change counter programs
  # (the slide had "counts40\.exe?", which makes the "e" optional; "\?" matches the literal "?")
  while ( m|/counter/counts40\.exe\?([^"]+)"|i ) {
      # parameters of the new counter (defaults)
      my ($STYLE, $LINK, $PARAM) = ("A", "sample.dat", $1);
      my $URL = '/cgi-bin/counter/counter.cgi';
      if ( $PARAM =~ m!style=([^"'|&]*)!i ) { $STYLE = $1; }
      if ( $PARAM =~ m!link=([^"'|&]*)!i )  { $LINK  = $1; }
      s{/counter/counts40\.exe\?([^"]+)"}{$URL?ft=0&pad=N&df=$LINK&dd=$STYLE"}i;
  }
Note that $LINK is copied from the page into the new counter's df= parameter unchecked; if counter.cgi opens that value as a file name, restrict it to a bare file name before passing it on.
Solution Code to Problem 7:
  # certain HTML comments looked like SSI -- delete them
  if ( $ENV{ 'REQUEST_URI' } =~ m|^/its/web/reports/(\D+/)?\d+/| ) {
      s| ||;   # the comment pattern was lost in extraction
  }
Solution Code to Problem 8:
  # after the loop through the file content:
  # print the copyright notice in an HTML comment
  print " \n";   # the comment text itself was stripped in extraction
Solution Code to Problem 9:
  my $cssdone = 0;
  # allow bypass mechanism: template version 2 already carries its own stylesheet links
  if ( exists $ENV{SBT_VERSION} and $ENV{SBT_VERSION} == 2 ) {
      $cssdone = 1;
  }
  my $REPLACE = qq|
  <link href="/templates/css/print.css" rel="stylesheet" type="text/css" media="print" />
  |;
Problem 9 cont:
  while ( <> ) {            # diamond operator reconstructed; it was stripped as markup in extraction
      if ( $cssdone ) {
          # (a commented-out href substitution stood here; it is truncated on the slide)
          print;
      } elsif ( m|/templates/css/| ) {   # page already links a template stylesheet
          $cssdone = 1;
          print;
      } else {
          # insert the print stylesheet at the template's marker (the pattern was lost in extraction)
          if ( s| |$REPLACE|i ) {
              $cssdone = 1;
          }
          print;
      }
  }
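The two filters with the most logic, the counter translation of Problem 6 and the once-only stylesheet insertion of Problem 9, as plain functions over page text. This is an added example, not the presentation's mod_perl code: the parameter names (style=, link=), the new counter's query string and the SBT_VERSION bypass follow the slides, while the choice of </head> as the insertion point, the bare-filename check on the link value and the sample HTML in the test are assumptions made here, since the slide's own insertion pattern was lost.

```python
"""Output-filter logic from Problems 6 and 9 as testable functions.

The talk ran these as Apache::Filter substitutions on each page as it was served;
here they take a string (Problem 6) or an iterable of lines (Problem 9).  The </head>
insertion point and the data-file whitelist are assumptions of this example.
"""
import re

NEW_COUNTER = "/cgi-bin/counter/counter.cgi"
PRINT_CSS = ('<link href="/templates/css/print.css" rel="stylesheet" '
             'type="text/css" media="print" />')

# Problem 6: legacy "/counter/counts40.exe?<params>" image URLs, with parameters
# separated by "&" or "|".  The "?" is escaped: the slide's "exe?" made the e optional.
_OLD_COUNTER = re.compile(r'/counter/counts40\.exe\?([^"]+)"', re.IGNORECASE)
_SAFE_DATAFILE = re.compile(r'^[\w.-]+$')


def rewrite_counters(html):
    """Translate every old counter call into the new counter's query string."""
    def translate(m):
        params = m.group(1)
        style, link = "A", "sample.dat"          # the slide's defaults
        s = re.search(r'style=([^"\'|&]*)', params, re.IGNORECASE)
        if s:
            style = s.group(1)
        l = re.search(r'link=([^"\'|&]*)', params, re.IGNORECASE)
        # Added check: df= names a data file on the server, so accept only a bare
        # file name; a value such as "../../etc/passwd" falls back to the default.
        if l and _SAFE_DATAFILE.match(l.group(1)):
            link = l.group(1)
        return f'{NEW_COUNTER}?ft=0&pad=N&df={link}&dd={style}"'
    return _OLD_COUNTER.sub(translate, html)


def add_print_css(lines, template_version=None):
    """Problem 9: return the page lines with the print stylesheet linked exactly once.

    Nothing is inserted when the page already references /templates/css/ (an
    upgraded page) or when the template reports version 2 (the SBT_VERSION bypass).
    A page without a </head> comes out unchanged.
    """
    done = template_version == 2
    out = []
    for line in lines:
        if not done:
            if "/templates/css/" in line:
                done = True
            else:
                line, n = re.subn(r'</head>', PRINT_CSS + "\n</head>", line,
                                  count=1, flags=re.IGNORECASE)
                done = n > 0
        out.append(line)
    return out
```

Running the functions over a saved copy of a page before enabling the filter is the cheap way to see what the rewrite will do to the thousands of pages the talk mentions; the whitelist on the link value is the one place page content flows into a server-side file name.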
Problem 10: Activate PHP… but not for Everyone
PHP is a server-wide technology: you either have it or you don't
PHP is a programming language, so it is a security risk by definition
An installation without safeguards can expose the server to problems
Desire to use the same server (a separate-server solution like the one for ASP was not viable here)
Solution #1: Hard-code the directories in httpd.conf
Constant changes as PHP use grows
Each change needs a server restart to take effect
Solution #2: Use an environment variable in .htaccess files
Directory-level control through .htaccess is no better than wide open: anyone who can write a .htaccess file can turn PHP on for their own directory
Did not get it to work in time
Solution #3: Create a controlled file-system "hack" to enable PHP
Careful use of a specialized directory prevents bypassing
Configurable on the fly
Server stays online
Invisible to the public
Requirements and Code:
Requires: mod_rewrite, mod_php, a UNIX/Linux file system with symbolic links, and Options FollowSymLinks (or SymLinksIfOwnerMatch) in effect for /php-bin, since Apache refuses to follow links otherwise
httpd.conf:
  RewriteRule ^(.*\.php)$ /php-bin$1 [PT]
[PT] hands the rewritten URI back to the normal URL-to-filename mapping, so Alias/ScriptAlias and the PHP handler still apply to it.
How does it work?
A user requests /admissions/openhouse/register.php; the rule rewrites it internally to /php-bin/admissions/openhouse/register.php. It will work if:
  /php-bin/admissions/openhouse/register.php is the real PHP file
  /php-bin/admissions/openhouse/register.php is a symbolic link to the PHP file
  /php-bin/admissions/openhouse/ is a symbolic link to /admissions/openhouse/ *
  /php-bin/admissions/ is a symbolic link to /admissions/ *
A user requesting /php-bin/* gets nothing unless you want them to: the request is rewritten internally to /php-bin/php-bin/…, which does not exist.
* = presumes the PHP file resides where it is "advertised"
Caveats: a directory-level link (the starred cases) enables every .php anywhere under that tree, including files that users upload later, so link individual files where the tree is writable by others. And because the pattern ^(.*\.php)$ is case-sensitive while mod_mime matches extensions case-insensitively, add [NC] (or spell it \.[Pp][Hh][Pp] as in the Problem 1 rule); otherwise a file named x.PHP is handed to mod_php without ever passing through the gate.
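A model of the gate that can be run against a real document root, added here as an example (it is not the presentation's code). resolve() applies the rewrite and follows the symlink chain the way Apache does with FollowSymLinks, and audit_php_bin() walks /php-bin and reports what each link actually enables, flagging directory links and links that leave the document root. The demo tree, the extra paths in it and the temp directories are constructed for the example; only /admissions/openhouse/register.php comes from the slide, and the rewrite is modelled with the case-insensitive [NC] behaviour rather than the slide's exact pattern.

```python
"""Model of the /php-bin gate from Problem 10, plus an audit of what it enables.

`RewriteRule ^(.*\\.php)$ /php-bin$1 [PT,NC]` means a request for /x/y.php is served
by mod_php only if <docroot>/php-bin/x/y.php resolves, through any symlinks, to a
real file.  The demo tree and the temp directories are constructed for this example.
"""
import os
import tempfile

PHP_BIN = "php-bin"


def rewrite(request_path):
    """Apply the gate rewrite: every *.php request (any case) is prefixed with /php-bin."""
    if request_path.lower().endswith(".php"):
        return "/" + PHP_BIN + request_path
    return request_path


def resolve(docroot, request_path):
    """Return the file Apache would hand to mod_php, or None when the gate blocks it.
    Like Apache with Options FollowSymLinks, this follows links wherever they point."""
    target = rewrite(request_path)
    real = os.path.realpath(os.path.join(docroot, target.lstrip("/")))
    return real if os.path.isfile(real) else None


def audit_php_bin(docroot):
    """List every symlink under php-bin with what it enables.  Directory links enable
    a whole tree; links whose target lies outside the document root are flagged."""
    root = os.path.realpath(docroot)
    base = os.path.join(docroot, PHP_BIN)
    findings = []
    for dirpath, dirnames, filenames in os.walk(base):   # does not descend into linked dirs
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            real = os.path.realpath(path)
            rel = "/" + os.path.relpath(path, base)
            if os.path.commonpath([real, root]) != root:
                findings.append((rel, "ESCAPES docroot: " + real))
            elif os.path.isdir(real):
                findings.append((rel, "enables every .php under " + real))
            else:
                findings.append((rel, "enables " + real))
    return findings


def build_demo_tree():
    """Construct the slide's layout (plus a few extra cases) in temp dirs;
    returns (docroot, outside_dir)."""
    docroot = tempfile.mkdtemp(prefix="phpbin-docroot-")
    outside = tempfile.mkdtemp(prefix="phpbin-outside-")

    def touch(base, *parts):
        path = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("<?php echo 'hi'; ?>\n")
        return path

    touch(docroot, "admissions", "openhouse", "register.php")   # enabled via a file link
    touch(docroot, "admissions", "openhouse", "upload.php")     # on disk, never linked
    touch(docroot, "library", "hours.php")                      # enabled via a directory link
    touch(docroot, "library", "index.php")
    touch(docroot, PHP_BIN, "reports", "run.php")               # the real file lives in php-bin
    touch(outside, "leak.php")                                  # outside the document root

    gate = os.path.join(docroot, PHP_BIN)
    os.makedirs(os.path.join(gate, "admissions", "openhouse"))
    os.symlink(os.path.join(docroot, "admissions", "openhouse", "register.php"),
               os.path.join(gate, "admissions", "openhouse", "register.php"))
    os.symlink(os.path.join(docroot, "library"), os.path.join(gate, "library"))
    os.symlink(os.path.join(outside, "leak.php"), os.path.join(gate, "leak.php"))
    return docroot, outside


if __name__ == "__main__":
    demo_root, _ = build_demo_tree()
    for link, effect in audit_php_bin(demo_root):
        print(f"{link:40} {effect}")
```

Pointed at the live document root, audit_php_bin() is the check to run after every "configurable on the fly" change: it lists exactly which PHP files the gate has switched on, and the two flagged cases (whole-tree links and links outside the docroot) are the ones that quietly widen what the "hack" was meant to contain.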
Where to get the software discussed (the download URLs were lost in extraction):
Apache Web Server
PHP
mod_ssl
mod_auth_external
Perl
mod_perl
Apache::Filter (version 1.024 at the time of the talk)