Web
The webserver is running a custom install of Apache 1.3.33 in /services/web, on port 80 of orac. SSL is provided on port 443. The web administration ID is a local account on orac called webadm, group web. The standard modules are statically compiled in, while custom modules are installed as DSOs using apxs. These modules are:
mod_rewrite
PHP 4.3.10
mod_perl 1.27
mod_ssl 2.8.26
1. Configuration files
There are 2 main web configuration files, httpd.conf and vhosts.conf, both of which are in the /services/web/conf directory. vhosts.conf holds all information and configuration about the virtual hosts on the server. It is called from the main configuration file, httpd.conf, and is quite well annotated. The docs are at http://httpd.apache.org/docs. srm.conf and access.conf are empty. Copies are also in CVS.
2. Starting the webserver
The webserver is controlled by /services/web/bin/apachectl. It is root owned and needs to be executed as root to bind to port 80 (and 443 for SSL). webadm has sudo rights on this application.
/services/web/bin/apachectl stop is used to stop the webserver
/services/web/bin/apachectl startssl is used to start the webserver with SSL enabled (normal running)
/services/web/bin/apachectl start is used when you specifically DO NOT want SSL enabled (very rare)
/services/web/bin/apachectl restart is not used as it often fails to reload the SSL module correctly.
The main web content is held in /services/web/htdocs. At the time of writing, a site update was being constructed and was due by March 2003. The main website is www.csn.ul.ie and www.skynet.ie is set up as a virtual host. The current site uses webmake in /services/web/local/bin/webmake, but webmake is currently dead and its revival depends on the requirements of the new site.
The webserver hosts a number of HTTP mirrors, but they were removed when we had to lifeboat to the elsevier server. These are
apache.csn.ul.ie Apache mirror
ldp.csn.ul.ie Linux Documentation Project mirror
qmail.csn.ul.ie qmail mirror
modssl.csn.ul.ie modssl mirror
openssl.csn.ul.ie OpenSSL mirror
Each is set up as a virtual host in both the .csn.ul.ie and .skynet.ie domains. All mirrors are held in /services/mirrors; however, due to the size of the apache mirror, this may be split from the rest. They are updated by cron scripts running rsync every night. They are timed to run early in the morning when bandwidth usage is low both here and at the master mirror. All these scripts are cron'd as webadm and are in /services/web/webscripts/mirrors.
User pages are enabled on skynet by NFS mounting /home. The webserver is set up to allow CGI execution in /home/*/public_html/cgi-bin. Other directories may be given CGI execution rights in the httpd.conf.
All logs are in /services/web/logs, the two main logs being access_log and error_log. They are set to rotate each morning once they are over 15MB. 5 weeks of logs are kept. All controls are in /etc/logrotate.conf. For security reasons, all SSL and suexec logs are root owned, but are subject to the same rotation. PHP is set to log to /services/logs/php/php.log but logs to the error_log instead for some reason. PHP is set to log PHP notices, which is not default.
Each virtual host has its own logs in /services/web/logs/virtual. These logs are set to rotate at 5MB.
Stats are provided by webalizer, which is on apt. To install, just apt-get install webalizer. There were two versions, the second in /services/web/webscripts/stats/webalizer/webalizer but that has now been removed and linked instead to /usr/bin/webalizer to ensure that nothing will break.
The script to generate the stats runs every night before the log rotate. /services/web/webscripts/stats/webalizer/webal copies the necessary logs and passes the necessary options to webalizer. The stats are hosted at http://www.csn.ul.ie/stats.
8. Search engine
The search engine used is perlfect, cron'd to update every Wednesday and Thursday via /services/web/cgi-bin/perlfect/indexer.pl. However, the reliability of the results needs to be investigated and possibly a better search engine installed.
SSL connection is provided by modssl compiled against the OpenSSL libraries, which are installed in /services/openssl. The certs are signed by our own generated CA for 10 years. They are not included in CVS for obvious reasons! All material to do with SSL is root owned, though the certs aren't encrypted. The certs, CSRs, CAs etc. are all in subdirectories of /services/web/conf/. The SSL site is https://www.csn.ul.ie, not https://www.skynet.ie - no SSL virtual hosts are possible due to the nature in which the virtual host handshake is conducted. User pages may use SSL if they want.
Webmail is provided by SquirrelMail (www.squirrelmail.org), an open-source PHP project which has proved to be stable and secure both here and in more general use. It does not put any noticeable strain on the webserver. The main directory that provides all functionality (src/), and in particular authentication, is set in the main server httpd.conf to be available only by SSL. However, the 403 Forbidden error should not be encountered unless a specific unsecure page is requested. This will redirect to a custom page (again specified in the httpd.conf) explaining the error and providing a link to the secure site.
SquirrelMail resides in /services/web/mail/. Each version has its own subdirectory. One or two previous versions are retained as backup. The current distribution is linked from /services/web/htdocs/mail. In order to safeguard user data as much as possible, the data subdirectory of the SquirrelMail distribution is chowned to nobody.nogroup and chmoded 700 so that only the webserver has access. Also, the temporary attachments directory is custom-specified as a subdirectory of data called attachments. This is also chowned nobody.nogroup and chmoded 700 for security.
All configuration of SquirrelMail is done using the configure script in the root of the distribution.
Plugins have been added to SquirrelMail to increase its functionality. While some are standard, others have been added, such as the spelling module, address book import/export, MS TNEF attachment decoding, quicksave, delete-move-next, calendar, notes and autocomplete. The plugins are in CVS but automatic installation still has to be incorporated.
SquirrelMail will take the INBOX from the IMAP server in our configuration and, by default, all other folders are taken from the authenticated user's home directory. Also by default, it will not use the mail/ subdirectory for mail folders that pine uses; however, this is easy for the user to change in the general settings. The folders it will display are listed in a file in the root of the user's home directory called .mailboxlist
SquirrelMail is in CVS. Just set your CVS root and cvs co webmail then ./make-skynet.sh.
Unpack the source in /services/web/mail
Check the versions of config.php in the conf directories of the old and new distributions
If they match, copy the config.php over
If they don't, run the configure script from the unpacked directory and configure
Run the configure script and go to General Options
Set the data directory to ../data/
Set the attachments directory to $data_dir/attachments/
Make the attachments directory in data
chown nobody.nogroup attachments and chmod 700 attachments
chown nobody.nogroup data and chmod 700 data
Kill the webserver
Copy over (cp -p) data/* from the old version
Start the webserver and check everything!
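The config-version comparison and the ownership/mode requirements from the upgrade steps above, written as checks to run before restarting the webserver. This is an added shell example, not part of the original page or of SquirrelMail; it assumes GNU stat (as on a Debian host) and that config.php carries a `$config_version = '...';` line, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: post-upgrade checks for the SquirrelMail steps above.
# Assumptions: GNU stat; config.php has a line like  $config_version = '1.4.0';

# Print the config version declared in a SquirrelMail config.php ($1).
config_version() {
    sed -n "s/^[[:space:]]*\$config_version[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Succeed only if both files declare the same, non-empty version,
# i.e. the old config.php can simply be copied over.
same_config_version() {
    old=$(config_version "$1")
    new=$(config_version "$2")
    [ -n "$old" ] && [ "$old" = "$new" ]
}

# Succeed only if $1 is a real directory (not a symlink) with mode 700
# and owner:group equal to $2.
private_dir_ok() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c '%a %U:%G' "$1")" = "700 $2" ]
}

# Check data/ and data/attachments/ under distribution directory $1.
# $2 is the expected owner:group (default: the page's nobody:nogroup).
check_squirrelmail_data() {
    dist=$1 owner=${2:-nobody:nogroup} rc=0
    for d in "$dist/data" "$dist/data/attachments"; do
        if private_dir_ok "$d" "$owner"; then
            echo "ok   $d"
        else
            echo "FAIL $d (want mode 700, owner $owner)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: ./check.sh /services/web/mail/<new version> [owner:group]
if [ "$#" -gt 0 ]; then
    check_squirrelmail_data "$@"
fi
```

A symlinked data directory is reported as a failure on purpose, since the mode and owner of the link target could differ from what the steps set.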
The apache is in CVS - just set your CVSROOT and cvs co web. However, beware where you run the script from - it will set the prefix to the directory that you are in. To do it correctly with the current setup, do the co from /services.
The latest SRC's are included, but can be replaced/added to as described in the README. If an httpd.conf is found, a backup copy will be created. There are currently problems with the script installing updated binaries. Check $PREFIX/bin and $PREFIX/php/bin and make sure that the bin's are new. This will be investigated once I get the time.
Non standard modules will be compiled as DSO's.
While root is not technically needed to build the webserver, the permissions of current stuff (like the bin's being owned by root) and the requirement to setuid on suexec mean that it is effectively required. Ability to do as much as possible without root will be written into the script once I get the time.
Apart from that, the installation should be automatic.