Line 1: |
Line 1: |
| + | {{Level|Developer}} |
| =Generic Instructions for building a Web Application RPM= | | =Generic Instructions for building a Web Application RPM= |
| | | |
Line 152: |
Line 153: |
| ===Webserver templates=== | | ===Webserver templates=== |
| | | |
− | * The alias fragment tailored to suit the application
| + | ====Http Template 92Foo==== |
− | | + | The alias fragment tailored to suit the application |
| root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo | | root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo |
| | | |
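Review bot: the new heading "Http Template 92Foo" spells the fragment name differently from the file the section introduces (`root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo`); use one spelling for both, e.g. "Http template 92foo", and since "The alias fragment tailored to suit the application" is no longer a list item it should read as a full sentence with a period.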
Line 233: |
Line 234: |
| $OUT .= " AuthName \"$name\"\n"; | | $OUT .= " AuthName \"$name\"\n"; |
| $OUT .= " AuthType Basic\n"; | | $OUT .= " AuthType Basic\n"; |
| + | $OUT .= " AuthBasicProvider external\n"; |
| $OUT .= " AuthExternal pwauth\n"; | | $OUT .= " AuthExternal pwauth\n"; |
| $OUT .= " require valid-user\n"; | | $OUT .= " require valid-user\n"; |
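Review bot: adding `AuthBasicProvider external` between `AuthType Basic` and `AuthExternal pwauth` is the right fix for mod_authnz_external, but the same directive block is copied several more times further down in this revision and not every copy carries it; a template without `AuthBasicProvider external` is exactly the configuration that produces the "couldn't check user. No user file?" error the SME Server 9 subsection describes, so the directive should be present in every copy of the block.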
Line 241: |
Line 243: |
| } | | } |
| | | |
− | * a hack to get https to work, a better solution is required, you can see [[Https_redirection]] | + | ====Apache Authentication==== |
| + | In the example above, all sme users can authenticate to the web folder /opt/foo, for an application with no matter in security, it is normal but in certain case it could be dangerous. |
| + | * All users of SME Server |
| + | The original template in /etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo |
| + | { |
| + | $OUT .= " AuthName \"$name\"\n"; |
| + | $OUT .= " AuthType Basic\n"; |
| + | $OUT .= " AuthBasicProvider external\n"; |
| + | $OUT .= " AuthExternal pwauth\n"; |
| + | '''$OUT .= " require valid-user\n";''' |
| + | $OUT .= " Satisfy $satisfy\n"; |
| + | } |
| + | * one user or several users |
| + | Now you need to modify the 92foo template with these new lines |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo |
| + | { |
| + | $OUT .= " AuthName \"$name\"\n"; |
| + | $OUT .= " AuthType Basic\n"; |
| + | $OUT .= " AuthBasicProvider external\n"; |
| + | $OUT .= " AuthExternal pwauth\n"; |
| + | '''$OUT .= " require user admin pierre paul\n";''' |
| + | $OUT .= " Satisfy $satisfy\n"; |
| + | } |
| + | *one group or several groups with some specific users |
| + | |
| + | You have to download a plugin of pwauth to authenticate unix group in SME Server 8 : http://code.google.com/p/pwauth/ |
| + | For SME Server 9 a nfr is raised see [[bugzilla:3690]] |
| + | |
| + | wget http://pwauth.googlecode.com/files/pwauth-2.3.10.tar.gz |
| + | tar xvzf pwauth-2.3.10.tar.gz |
| + | cp pwauth-2.3.10/unixgroup /usr/lib/httpd/modules/ |
| + | chown root:www /usr/lib/httpd/modules/unixgroup |
| + | chmod 750 /usr/lib/httpd/modules/unixgroup |
| + | |
| + | We need to create a new fragment<br /> |
| + | |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth |
| + | { |
| + | $OUT .= " AddExternalGroup unixgroup /usr/lib/httpd/modules/unixgroup\n"; |
| + | $OUT .= " SetExternalGroupMethod unixgroup environment\n"; |
| + | } |
| + | |
| + | Now you need to modify the 92foo template with these new lines |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo |
| + | { |
| + | $OUT .= " AuthName \"$name\"\n"; |
| + | $OUT .= " AuthType Basic\n"; |
| + | $OUT .= " AuthBasicProvider external\n"; |
| + | $OUT .= " AuthExternal pwauth\n"; |
| + | $OUT .= " GroupExternal unixgroup\n"; |
| + | $OUT .= " AuthzUserAuthoritative off\n"; |
| + | '''$OUT .= " require user admin pierre paul\n";''' |
| + | '''$OUT .= " require group virt\n";''' |
| + | $OUT .= " Satisfy $satisfy\n"; |
| + | } |
| + | |
| + | *DB command to choose groups and users |
| + | Above we have seen how to write name of groups or users directly in the template, but in the real life it is not enough good :)<br /> |
| + | |
| + | The purpose is to choose users or groups by command line. |
| + | |
| + | -In first you have to make other DB configuration as described [[Web_Application_RPM#db_defaults]] |
| + | echo "admin" > root/etc/e-smith/db/configuration/defaults/foo/User |
| + | echo "" > root/etc/e-smith/db/configuration/defaults/foo/Group |
| + | Only the user admin is set by default |
| + | |
| + | -You have to download a plugin of pwauth to authenticate unix group in SME Server 8 : http://code.google.com/p/pwauth/ |
| + | wget http://pwauth.googlecode.com/files/pwauth-2.3.10.tar.gz |
| + | tar xvzf pwauth-2.3.10.tar.gz |
| + | cp pwauth-2.3.10/unixgroup /usr/lib/httpd/modules/ |
| + | chown root:www /usr/lib/httpd/modules/unixgroup |
| + | chmod 750 /usr/lib/httpd/modules/unixgroup |
| + | We need to create a new fragment<br /> |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth |
| + | { |
| + | $OUT .= " AddExternalGroup unixgroup /usr/lib/httpd/modules/unixgroup\n"; |
| + | $OUT .= " SetExternalGroupMethod unixgroup environment\n"; |
| + | } |
| + | |
| + | |
| + | Now you need to modify the 92foo template with these new lines <br /> |
| + | |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo |
| + | |
| + | { |
| + | $OUT .= " AuthName \"$name\"\n"; |
| + | $OUT .= " AuthType Basic\n"; |
| + | $OUT .= " AuthExternal pwauth\n"; |
| + | $OUT .= " GroupExternal unixgroup\n"; |
| + | $OUT .= " AuthzUserAuthoritative off\n"; |
| + | $OUT .= " require user $foo{'User'}\n"; |
| + | $OUT .= " require group $foo{'Group'}\n"; |
| + | $OUT .= " Satisfy $satisfy\n"; |
| + | } |
| + | |
| + | -change groups and users allowed by CL |
| + | |
| + | config setprop foo User "admin toto" |
| + | config setprop foo Group "famille virt" |
| + | then |
| + | signal-event console-save |
| + | |
| + | =====SME Server 9===== |
| + | The apache authentication is made by a new file named authnz_external_module instead of auth_external_module, therefore you need to slightly modify the code above. <br /> |
| + | If it is not done you can have this error in log file and you won't be authenticated |
| + | configuration error: couldn't check user. No user file?: |
| + | See this [http://code.google.com/p/mod-auth-external/wiki/ConfigApache22 howTo]. You need to verify if your /etc/httpd/conf/httpd.conf contain these lines |
| + | AddExternalGroup unixgroup /usr/bin/unixgroup |
| + | SetExternalGroupMethod unixgroup environment |
| + | |
| + | We are waiting the default use of authenticator unixgroup in sme9 (see [[bugzilla:8008]]). For now you need to make the relevant fragment template. |
| + | |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth |
| + | { |
| + | $OUT .= " AddExternalGroup unixgroup /usr/bin/unixgroup\n"; |
| + | $OUT .= " SetExternalGroupMethod unixgroup environment\n"; |
| + | } |
| + | |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo |
| + | |
| + | { |
| + | $OUT .= " AuthName \"$name\"\n"; |
| + | $OUT .= " '''AuthBasicProvider external'''\n"; |
| + | $OUT .= " AuthType Basic\n"; |
| + | $OUT .= " AuthExternal pwauth\n"; |
| + | $OUT .= " GroupExternal unixgroup\n"; |
| + | $OUT .= " AuthzUserAuthoritative off\n"; |
| + | $OUT .= " require user $foo{'User'}\n"; |
| + | $OUT .= " require group $foo{'Group'}\n"; |
| + | $OUT .= " Satisfy $satisfy\n"; |
| + | } |
| + | |
| + | -change groups and users allowed by CL |
| + | |
| + | config setprop foo User "admin toto" |
| + | config setprop foo Group "famille virt" |
| + | then |
| + | signal-event console-save |
| + | |
| + | ====Upload_tmp_dir==== |
| + | Since SME Server V8, you could have sometime an error is thrown by PHP and you will need to specify a temporary directory (e.g. upload_tmp_dir) which is not set in php.ini. see [[bugzilla:6650]] and [[bugzilla:7652]]. Many Php applications needs this setting, most of known are wordpress, roudcube, egroupware, etc. Symptoms are that you can't upload contents to the PHP application. |
| + | |
| + | An easy way is to make a Custom Template to resolve this issue. |
| + | |
| + | see [[Uploadtmpdir]] |
| + | |
| + | ====Https_redirection==== |
| + | *a hack to get https to work, a better solution is required, you can see [[Https_redirection]] |
| | | |
| root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/30FooAlias | | root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/30FooAlias |
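Review bot: in the DB-driven 92foo template the lines `$OUT .= " require user $foo{'User'}\n";` and `$OUT .= " require group $foo{'Group'}\n";` interpolate the properties unconditionally, yet the defaults written just above set Group to an empty string (`echo "" > root/etc/e-smith/db/configuration/defaults/foo/Group`), so the expanded httpd.conf contains a bare `require group` with no argument and Apache refuses to load it; emit each Require only when the property is non-empty, e.g. `$OUT .= " require group $foo{'Group'}\n" if $foo{'Group'};`, and note in the text that with `AuthzUserAuthoritative off` and both a `require user` and a `require group` line present, Apache 2.2 grants access when either one matches. Two copy-paste problems in the same hunk: the first DB-driven template (the one following "Now you need to modify the 92foo template with these new lines <br />") omits `AuthBasicProvider external` that this revision adds everywhere else, and in the SME Server 9 template the wiki bold markers are placed inside the Perl string (`$OUT .= " '''AuthBasicProvider external'''\n";`), so anyone copying the block gets the literal `'''` characters in httpd.conf; move the markers outside the quotes as done in the other blocks. Finally, the pwauth installation steps fetch `pwauth-2.3.10.tar.gz` over plain http and copy the binary into the Apache modules directory with no integrity check; the text should at least tell the reader to verify the tarball against the checksum published by the project before running `cp`, and the sentence "for an application with no matter in security, it is normal but in certain case it could be dangerous" would be clearer as "acceptable for an application with no sensitive data, but not when access must be restricted", which is the whole point of the section.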
Line 256: |
Line 405: |
| } | | } |
| | | |
− | or this solution which does the automatic redirection to https protocol, you have to choose either 30FooAlias or 60FooAlias but not both. | + | *or this solution which does the automatic redirection to https protocol, you have to choose either 30FooAlias or 60FooAlias but not both. |
| | | |
| root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/60FooAlias | | root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/60FooAlias |
| | | |
| { | | { |
− | my $status = $roundcube{'status'} || "disabled"; | + | my $status = $foo{'status'} || "disabled"; |
− | return " # roundcube is disabled in this VirtualHost" | + | return " # foo is disabled in this VirtualHost" |
| unless $status eq 'enabled'; | | unless $status eq 'enabled'; |
| | | |
Line 269: |
Line 418: |
| { | | { |
| $OUT .= <<'HERE'; | | $OUT .= <<'HERE'; |
− | ## Redirect roundcubeWeb Address to Secure Address | + | ## Redirect Web Address to Secure Address |
| RewriteEngine on | | RewriteEngine on |
− | RewriteRule ^/roundcube https://%{HTTP_HOST}/roundcube | + | RewriteRule ^/foo https://%{HTTP_HOST}/foo |
| | | |
| ## End Of Redirect | | ## End Of Redirect |
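Review bot: `RewriteRule ^/foo https://%{HTTP_HOST}/foo` drops everything after `/foo` in the requested path (a request for `/foo/index.php` is redirected to `/foo`) and the prefix pattern also matches unrelated paths such as `/foobar`; capture the remainder and make the rule an explicit, final, permanent redirect, e.g. `RewriteRule ^/foo(/.*)?$ https://%{HTTP_HOST}/foo$1 [R=301,L]`, so that deep links survive the move to https and the rule cannot be mistaken for an internal rewrite.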
Line 279: |
Line 428: |
| | | |
| } | | } |
| + | |
| + | *To enforce the security you can decide to prohibit all connexions which are not https. You need to add "SSLRequireSSL" in the correct position of the 92foo template. |
| + | |
| + | $OUT .= "<Directory /opt/foo>\n"; |
| + | '''$OUT .= " SSLRequireSSL\n";''' |
| + | $OUT .= " AddType application/x-httpd-php .php\n"; |
| | | |
| ===System file templates=== | | ===System file templates=== |
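Review bot: `SSLRequireSSL` inside `<Directory /opt/foo>` makes every plain-http request to the application fail with 403 instead of being redirected, so the text should say that it is meant to be combined with the 60FooAlias redirect (with 30FooAlias alone, http users just get an error page); the wording "prohibit all connexions" should be "prohibit all connections", and "in the correct position" should name the position, i.e. directly inside the `<Directory /opt/foo>` block as the quoted lines show. The bold markers around the whole `$OUT .=` line are fine here because they sit outside the Perl string.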
Line 416: |
Line 571: |
| global-pw => Entire Internet(password required) | | global-pw => Entire Internet(password required) |
| global-pw-remote => Entire Internet(password required outside local network) | | global-pw-remote => Entire Internet(password required outside local network) |
| + | |
| + | *change groups and users allowed by CL |
| + | |
| + | config setprop foo User "admin toto" |
| + | config setprop foo Group "famille virt" |
| + | then |
| + | signal-event console-save |
| | | |
| * To add a different URL eg. yourserver.net/foo | | * To add a different URL eg. yourserver.net/foo |
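Review bot: this "change groups and users allowed by CL" block is a third copy of the `config setprop foo User "admin toto"` / `config setprop foo Group "famille virt"` / `signal-event console-save` instructions already given twice in the Apache Authentication section, and it is inserted in the middle of the access-settings list (global-pw, global-pw-remote) where the surrounding text does not mention users or groups at all; remove it here or replace it with a one-line cross-reference to the Apache Authentication section. If it stays, add that the User and Group values are space-separated lists that are interpolated verbatim into `require user` and `require group`, so they must contain only existing SME account and group names.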