Apache2 and PHP5

From SaruWiki
Latest revision as of 14:25, 15 October 2010

Apache2

Installation of Apache2

Installation of Apache2 is quite simple:

apt-get install apache2

This brings in a slew of packages, among others apache2-mpm-worker, apache2-utils and libapr1. If you want a different MPM (e.g. apache2-mpm-prefork), use aptitude to select that package instead of the worker one.

Configuration of Apache2

Once Apache2 is in place, you might want to enable SSL for it. And if you want to keep track of any visitor to your website(s), you might want to install Visitor.

Furthermore, realise that mail sent by your webserver, or by any PHP program running under it (e.g. MediaWiki), will have the envelope sender address www-data@<your.maildomain>. Receiving mail servers check that this domain really exists (reverse lookup), so make sure /etc/mailname contains a real mail domain (e.g. "saruman.biz"). Furthermore, at the top of your Postfix main.cf you might like to add

myorigin = /etc/mailname

If you now restart Postfix, outgoing mail from user www-data will have an envelope sender address of www-data@saruman.biz

Installation of PHP5

Installing PHP5 is as easy as

sudo apt-get install php5 php5-cli

Note that if you had installed the Apache2 MPM apache2-mpm-worker, it will get replaced with apache2-mpm-prefork (the PHP5 Apache module only runs under prefork). Furthermore, note that php5-cli is only needed if you want to run PHP commands at the prompt - but our guess is that you want it (e.g. to perform maintenance tasks for your MediaWiki wiki server).

Adding WebDAV to your Apache2

Thoughts about WebDAV and your configuration

Out of the box, your Debian Apache2 is prepared to start using WebDAV. All you need is to enable two modules: one for WebDAV itself, one for the authentication that you want to use. Since our server mainly uses LDAP, we'll describe WebDAV+LDAP here.

Furthermore, because WebDAV allows editing files on your server, security is paramount (well, it always is, of course. What we mean is that it's even more important now). The Apache project recommends:
The use of HTTP Basic Authentication is not recommended. You should use at least HTTP Digest Authentication, which is provided by the mod_auth_digest module. Nearly all WebDAV clients support this authentication method. An alternative is Basic Authentication over an SSL enabled connection.
Thus you should not use Basic Authentication (which is pretty simple to set up) unless you run it over SSL, so that is what we do: we take the Virtual Host that defines our SSL site and extend it with WebDAV functionality. If this is not what you want, consider stepping your authentication up to Digest Authentication.

Configuring WebDAV and LDAP for your SSL-enabled Virtual Host

First, enable the WebDAV and authnz_ldap modules:

a2enmod dav
a2enmod dav_fs
a2enmod authnz_ldap

Do not restart Apache2 just yet, because we haven't configured either the WebDAV site or its authentication!

Furthermore, a location for the DAV lock database must be specified in the global section of your Apache2 configuration file using the DavLockDB directive. To this end, create a file under /etc/apache2/conf.d named webdav containing this single line:

DavLockDB /var/run/apache2/DavLock

This will act as the (global) lock database for WebDAV; we don't need to specify it in any other configuration file (like the Virtual Host configuration files). Of course, your server should have a directory /var/run/apache2, and it must be writable for the user www-data under which Apache2 runs.

Next, adapt the virtual host that may employ WebDAV and LDAP authentication. The virtual host file needs a section that enables WebDAV (using the directive Dav On), and some directives on how to authorize users within this section. Suppose we want to enable WebDAV only for subdirectory webdav within virtual host http://www.saruman.biz/. Then in the corresponding Virtual Host file (something like /etc/apache2/sites-available/000-saruman.biz) we need to include the following section:

<Location /webdav>
   Order Allow,Deny
   Allow from all
   Dav On

These lines turn on WebDAV for the location /webdav. This of course means that there should be a directory in your server's filesystem named webdav and located under the root of this virtual host, e.g. /var/www/saruman.biz/webdav

   AuthType Basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative On

This section sets up the authentication as HTTP Basic, with LDAP as the provider, and NOT allowing the authorization phase to fall back to other providers if LDAP cannot provide the required answer. If you want to use "require" statements from some other authorization provider, then you must set AuthzLDAPAuthoritative to "off".

   AuthName "Enter your Saruman.biz login"
   AuthLDAPURL "ldap://myserver.saruman.biz/ou=people,dc=saruman,dc=biz?mail" NONE
   AuthLDAPBindDN "cn=admin,dc=saruman,dc=biz"
   AuthLDAPBindPassword "mypassword"

The AuthName directive "sets the name of the authorization realm". The string provided for the AuthName is what will appear in the password dialog provided by most browsers.
The AuthLDAPURL should point to your server, and the word behind the question mark should be the LDAP field that you want to use as login. We use mail so that we can log in with our mail address.
The AuthLDAPBindDN is the account Apache uses to search the directory for the entry whose login attribute matches what the user typed; it needs read access to the user entries, not to their passwords, because the password itself is checked by Apache binding to LDAP as the user's own DN. The AuthLDAPBindPassword is that account's password. It is stored here in clear text, so keep this configuration file readable by root only. Note also that with a plain ldap:// URL both this bind password and every user's password travel to the LDAP server unencrypted; use ldaps:// (or the TLS keyword at the end of the URL for STARTTLS) unless the LDAP server runs on the same host.

   require valid-user
</Location>

This last directive means that any user who has authenticated is granted access. Since only LDAP users can authenticate, this is just fine. If you want to restrict access to the members of an LDAP group "webdav", replace the Auth*/require lines inside the same <Location /webdav> block (keep Dav On) with the following:

Order deny,allow
Deny from All
Satisfy Any
AuthName "Enter your Saruman.biz login"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://myserver.saruman.biz/ou=people,dc=saruman,dc=biz?uid
AuthLDAPBindDN "cn=admin,dc=saruman,dc=biz"
AuthLDAPBindPassword "mypassword"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=webdav,ou=groups,dc=saruman,dc=biz
Require ldap-attribute gidNumber=420

The line Require ldap-attribute gidNumber=420 handles the users whose primary group is group 420, the "webdav" group: those users are not listed in the group's memberUid attribute, so without this condition they would be denied access. Multiple Require lines are OR'ed, so for multiple groups add an additional Require directive for each. Deny from All is only usable together with Satisfy Any: host-based access control then refuses everyone, and only a successful login lets a request through. Without Satisfy Any, Apache's default (Satisfy All) requires both the host check and the login to pass, and since the host check never passes, every request would be denied before authentication is even attempted.

Next up, you need to create folder webdav under the root of your Virtual Host. Do not forget to make that folder owned by www-data:www-data and readable/writable only by that user:

cd /data/wwwroot/yoursite
mkdir webdav
chown www-data:www-data webdav
chmod 700 webdav

Now you can restart Apache2, see if it restarts ok, and then test your new WebDAV folder.
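The server-side steps above (lock database, the /webdav Location with LDAP authentication, and the folder with its ownership and mode) as one script. This is an added example, not code from the SaruWiki page: paths default to Debian's, but every function takes explicit paths so the whole thing can be dry-run under a scratch prefix without root. The LDAP host, DNs and bind password are the page's placeholders; the CA certificate path, the name of the generated Location file (meant to be Included from the SSL virtual host) and the document root are assumptions. It deviates from the page's literal configuration in three deliberate ways, each marked in a comment: ldaps:// instead of ldap://, the webdav group instead of valid-user, and mode 700 instead of 660 on the folder.

```shell
#!/bin/sh
# Added example (not code from the SaruWiki page): the WebDAV+LDAP server-side
# steps as one script.  Paths default to Debian's, but every function takes
# explicit paths so it can be dry-run under a scratch prefix without root.
# The LDAP host, DNs and bind password are the page's placeholders; the CA
# file, the site name and the Location file name are assumed.
set -eu

# Global section: the DAV lock database plus the CA certificate that mod_ldap
# uses to verify the LDAP server once we talk ldaps://.
# $1 = conf.d directory, $2 = lock directory, $3 = CA certificate (PEM)
write_global_conf() {
    mkdir -p "$1"
    printf 'DavLockDB %s/DavLock\n' "$2" > "$1/webdav"
    printf 'LDAPTrustedGlobalCert CA_BASE64 %s\n' "$3" >> "$1/webdav"
}

# The <Location /webdav> block, to be Included from the SSL virtual host.
# Changes against the page's config: ldaps:// so that neither the bind
# password nor the users' passwords cross the network in clear, and the
# webdav group (plus primary-group members) instead of valid-user.
# $1 = file to write, $2 = LDAP server host
write_webdav_location() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<EOF
<Location /webdav>
   Order Allow,Deny
   Allow from all
   Dav On
   AuthType Basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative On
   AuthName "Enter your Saruman.biz login"
   AuthLDAPURL "ldaps://$2/ou=people,dc=saruman,dc=biz?uid"
   AuthLDAPBindDN "cn=admin,dc=saruman,dc=biz"
   AuthLDAPBindPassword "mypassword"
   AuthLDAPGroupAttribute memberUid
   AuthLDAPGroupAttributeIsDN off
   Require ldap-group cn=webdav,ou=groups,dc=saruman,dc=biz
   Require ldap-attribute gidNumber=420
</Location>
EOF
    chmod 600 "$1"    # the bind password sits in this file in clear text
}

# Lock directory and the DAV folder, owned by the Apache user.  A directory
# needs the x bit to be entered, so the folder gets 700 rather than 660.
# $1 = lock directory, $2 = document root, $3 = Apache user
make_dav_dirs() {
    mkdir -p "$1" "$2/webdav"
    chown "$3" "$1" "$2/webdav"
    chmod 700 "$2/webdav"
}

# $1 = prefix ("" on the real box, a scratch directory for a dry run)
main() {
    p=$1
    write_global_conf "$p/etc/apache2/conf.d" "$p/var/run/apache2" \
        "$p/etc/ssl/certs/saruman-ca.pem"          # assumed CA file
    write_webdav_location "$p/etc/apache2/webdav-ldap.conf" myserver.saruman.biz
    make_dav_dirs "$p/var/run/apache2" "$p/var/www/saruman.biz" www-data
    # Check the configuration before ever restarting the server.
    [ -n "$p" ] || apache2ctl configtest
}

case "${1:-}" in
    --run) main "${2:-}" ;;    # ./setup-webdav.sh --run [scratch-prefix]
esac
```

Run it once with a scratch prefix (for example `--run /tmp/dry`) and read the generated files before running it for real; on the real box it ends with apache2ctl configtest, and only a clean configtest should be followed by a restart.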

Testing WebDAV

To test WebDAV, you can most easily install the cadaver WebDAV client:

apt-get install cadaver

After that, you can start cadaver, and have it write a file in your WebDAV environment. Cadaver will ask you to accept a certificate it cannot verify: only answer y if you recognise it as your own (compare the issuer and validity dates with what you installed), because the Basic credentials you type next go to whoever presented that certificate.

localhost:/data/wwwroot/yoursite/webdav# cadaver https://www.saruman.biz/webdav
WARNING: Untrusted server certificate presented for `*.saruman.biz':
Issued to: Internet Dept., Saruman.biz, Utrecht, NL
Issued by: Saruman.biz, Utrecht, NL
Certificate is valid from Tue, 28 Oct 2008 07:34:41 GMT to Mon, 02 Nov 2009 07:34:41 GMT
Do you wish to accept the certificate? (y/n) y
Authentication required for Enter your Saruman.biz login on server `www.saruman.biz':
Username: sixpacjo
Password:
dav:/webdav/> _

When presented with the cadaver prompt, you can use the following commands:

  • edit <filename>: this causes cadaver to open an existing file named <filename>; or, failing that, to create a new file. Your default text editor is used.
  • lock <filename> or unlock <filename>: set or remove a lock on a WebDAV published file. He who owns the lock can edit the file, others can only read it.
  • discover <filename>: see the lock status of the file
  • quit: well that one's easy...

Use man cadaver for the full description.

Errors that might occur if you have a problem in your WebDAV setup include:

  • Lock problems: if you fail to provide a webserver-writable place for the lock file, you will encounter HTTP 500 errors. In cadaver:
dav:/webdav/> edit test.html
Locking `test.html': failed:
500 Internal Server Error
dav:/webdav/> discover test.html
Discovering locks on `test.html': no locks found.
dav:/webdav/>