TPR5: Custom Configurations
TPR5: Custom Configurations: Unlock
the Power of Apache
Steven Lewis
Web Manager
SUNY Brockport
Steve Lewis, Web Manager, SUNY Brockport
Problem #1: Migrate from IIS to Apache
without Losing ASP
Inherited IIS from previous Webmaster
Crashes, Viruses
Case Awareness v. Case Sensitivity
• Major Obstacle:
Installed Base of ASP Apps
Build new Solaris/Apache server
Keep identical URLs
Same account/FTP access method
Keep NT server until ASP apps are moved
(renamed to
• Proxy ASP requests to existing IIS server
• Time to migrate ASP apps to new infrastructure
• mod_speling [sic]
RewriteRule ^(.*\.[Aa][Ss][Pp])$ $1 [P]
CheckSpelling On
Notes on Security
• IIS machine can deny all requests not
coming from new Web server
Limits attack vectors to .asp requests
Reduced machine load; Improves stability
• (Please note: author does not recommend
running IIS under any circumstances, and
assumes no responsibility for any
consequences of your software decisions.)
Problem #2: Security for Administrative Functions or Internal
Information over the Web
• https is set up as a mirror of http
• Certain tasks or information demand extra
Passwords, Home Addresses, etc.
• No robust institution-wide internal
document repository
• Need to restrict certain folders to
• Develop standard naming convention for
Web app administrative functions
• Place internal information and documents
within one folder
• Add password restrictions to limit access
# admin only
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*/admin/.*)$ $1 [R]
# admin and internal
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^((.*/admin/.*)|(/internal.*))$ $1 [R]
Problem 3: Too Many Passwords, No LDAP
• Using old e-mail system, no LDAP in place
• Need a source of passwords people will
• Debugging scenarios/special cases (e.g.
• Mod_auth_external: run an arbitrary
program to do authentication
• Write a Perl script to make a POP
connection to server
• Write a program to do any check
• Works with any Web page – httpd
brockport-pop 
More Code:
AuthType Basic
AuthName "SUNY Brockport NetID Login"
AuthExternal brockport-pop
# do authorization in-program/any user OK
Require valid-user
# limit to these two users only
# Require user slewis jdoe
Still More Code:
use strict;
use IO::Socket;
# Grab username and password as passed by STDIN
my $USER     = <>;
my $PASSWORD = <>;
chomp $USER;
chomp $PASSWORD;
## network connection
## or database query
## or anything else...
Problem 4: Preview/Test New SSI Templates
Before Rollout
• No Content Management System
• Use SSI templates for common code
• Need to test/debug template upgrade for
10,000s of pages
• Make changes to smooth transition
Open new server port for test (e.g. 8080)
Use same configuration, files as site
Change only template folder with SSI data,
are the only differences.
<VirtualHost _default_:8080>
Alias /templates/ /web/live/wwwroot/templates2/
</VirtualHost>
Lots of Problems
• Problem 5: Bad Links to First Web Server
• Problem 6: CGI Web Page Counter
• Problem 7: Web Reports’ HTML Code Like
SSI – Produces Errors
• Problem 8: No Copyright Notice in Pages
• Problem 9: Adding CSS for SSI Template
Common Solution:
• Dynamic Recoding of Pages
• Requires: Perl, mod_perl, Apache::Filter
Perl module
Solution Code to Problem 5:
# change server references in HTML to www only:
Solution Code to Problem 6:
# change counter programs
while ( m|/counter/counts40\.exe?([^"]+)"|i ) {
    # parameters of new counter
    my ($STYLE, $LINK, $PARAM) = ("A", "sample.dat", $1);
    my $URL = '/cgi-bin/counter/counter.cgi';
    if ( $PARAM =~ m!style=([^"'|&]*)!i ) {
        $STYLE = $1;
    }
    if ( $PARAM =~ m!link=([^"'|&]*)!i ) {
        $LINK = $1;
    }
    # the step that rewrites the matched link to $URL is not on the slide
}
Solution Code to Problem 7:
# certain HTML comments looked like SSI -- delete
if ( $ENV{ 'REQUEST_URI' } =~
m|^/its/web/reports/(\D+/)?\d+/| ) {
Solution Code to Problem 8:
# after loop through file content:
# print copyright notice in HTML comment
print "<!--(c) 2000-2006 SUNY Brockport-->\n";
Solution Code to Problem 9:
my $cssdone = 0;
# allow bypass mechanism
if ( exists $ENV{SBT_VERSION} and $ENV{SBT_VERSION} == 2 ) {
    $cssdone = 1;
}
# replacement for </head>: the two stylesheet links, then the closing tag again
my $REPLACE = qq|
<link href="/templates/css/main.css" rel="stylesheet" type="text/css" />
<link href="/templates/css/print.css" rel="stylesheet" type="text/css" media="print" />
</head>|;
Problem 9 cont:
while (<$fh>) {
    if ( $cssdone ) {
        # stylesheet links already present or already inserted
    } elsif ( m|/templates/css/| ) {
        $cssdone = 1;
    } else {
        if ( s|</head>|$REPLACE|i ) {
            $cssdone = 1;
        }
    }
}
Problem 10: Activate PHP…
but not for Everyone
• PHP is a server-wide technology
You either have it or not
• PHP is a programming language
Security risk by definition
• Installation without safeguards can expose
server to problems
• Desire to use same server (ASP solution
not viable)
Solution #1: Hard-code directories in
• Constant changes, increases in PHP use
• Server resets to take effect
Solution #2: Use an environment variable in
.htaccess files
• Directory-level control of .htaccess
no better than wide open
• Did not resolve in time to work
Solution #3: Create a controlled file-system
“hack” to enable PHP
• Careful use of a specialized directory
prevents bypassing
• Configurable on-the-fly
Server stays online
• Invisible to the public
Requirements and Code:
• Requires: mod_rewrite, mod_php,
UNIX/LINUX file system
RewriteRule ^(.*\.php)$ /php-bin$1 [PT]
How does it work?
• User requests /admissions/openhouse/register.php
• Will work if:
  – /php-bin/admissions/openhouse/register.php is the real PHP file
  – /php-bin/admissions/openhouse/register.php is a symbolic link to the PHP file
  – /php-bin/admissions/openhouse/ is a symbolic link to /admissions/openhouse *
  – /php-bin/admissions/ is a symbolic link to /admissions/ *
• User requesting /php-bin/* will not work unless you want it to. It redirects internally to /php-bin/php-bin/
• * = presumes PHP file resides as “advertised”
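The lookup described above, modelled in shell as an added example (not code from the presentation): `php_gate` applies the same mapping as the RewriteRule, and `list_dir_grants` reports the directory-level symbolic links, which enable every PHP file beneath their target. The site layout, file names and function names are constructed for the demo, and it assumes the server follows symbolic links under /php-bin.

```shell
#!/bin/sh
# Added example, not from the presentation. Models the lookup behind
#   RewriteRule ^(.*\.php)$ /php-bin$1 [PT]
# The site layout and function names below are constructed for the demo.

# php_gate DOCROOT URI -> 0: PHP file is reachable, 1: 404, 2: not a .php URI
php_gate() {
    case $2 in
        *.php) ;;
        *) return 2 ;;
    esac
    # -f follows symlinks, so a real file, a linked file and a file below a
    # linked directory all pass; anything absent from php-bin does not.
    [ -f "$1/php-bin$2" ]
}

# list_dir_grants DOCROOT -> symlinks under php-bin that point at directories.
# Each one enables every current and future .php file beneath its target.
list_dir_grants() {
    find "$1/php-bin" -type l | while read -r link; do
        rel=${link#"$1"/php-bin}
        if [ -d "$link" ]; then printf '%s\n' "$rel"; fi
    done
}

# build_demo_tree DIR (absolute path): constructed site with two kinds of grant
build_demo_tree() {
    mkdir -p "$1/admissions/openhouse" "$1/news" "$1/alumni" "$1/php-bin/news"
    for f in admissions/openhouse/register.php admissions/openhouse/other.php \
             news/story.php news/draft.php alumni/form.php; do
        echo '<?php ?>' > "$1/$f"
    done
    ln -s "$1/admissions" "$1/php-bin/admissions"            # whole directory
    ln -s "$1/news/story.php" "$1/php-bin/news/story.php"    # one file only
}

demo=$(mktemp -d)
build_demo_tree "$demo"
for uri in /admissions/openhouse/register.php /admissions/openhouse/other.php \
           /news/story.php /news/draft.php /alumni/form.php \
           /php-bin/news/story.php; do
    if php_gate "$demo" "$uri"; then echo "runs $uri"; else echo "404  $uri"; fi
done
echo "directory-wide grants:"
list_dir_grants "$demo"
rm -rf "$demo"
```

A per-file link keeps the grant narrow; a directory link also covers any PHP file later uploaded into that directory, so those are the entries worth reviewing.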
Where to get software discussed:
• Apache Web Server:
• PHP:
• Mod_ssl:
• Mod_auth_external:
• Perl:
• Mod_perl:
• Apache::Filter: