Line 1: |
Line 1: |
| + | {{Level|Developer}} |
| =Generic Instructions for building a Web Application RPM= | | =Generic Instructions for building a Web Application RPM= |
| | | |
Line 8: |
Line 9: |
| | | |
| ===Local Server=== | | ===Local Server=== |
− | Create a build environment on your local server, refer to the SME Server Developer's Guide: [http://mirror.contribs.org/smeserver/contribs/gordonr/devguide/html/p1082.htm How to create a SME Server package - step by step] | + | Create a build environment on your local server, refer to the SME Server Developer's Guide: [[:SME_Server:Documentation:Developers_Manual#III._How_to_create_an_SME_Server_package_-_step_by_step | How to create a SME Server package - step by step]] |
| | | |
| ===SME Build Server=== | | ===SME Build Server=== |
Line 38: |
Line 39: |
| BuildArchitectures: noarch | | BuildArchitectures: noarch |
| BuildRoot: /var/tmp/%{name}-%{version} | | BuildRoot: /var/tmp/%{name}-%{version} |
| + | BuildRequires: e-smith-devtools |
| Requires: e-smith-release >= 7.0 | | Requires: e-smith-release >= 7.0 |
| AutoReqProv: no | | AutoReqProv: no |
Line 52: |
Line 54: |
| %prep | | %prep |
| %setup -c -n %{name} | | %setup -c -n %{name} |
| + | |
| %build | | %build |
| #drop in an unchanged .tgz, if required rename directory here, eg remove version number. | | #drop in an unchanged .tgz, if required rename directory here, eg remove version number. |
Line 69: |
Line 72: |
| cd .. | | cd .. |
| rm -rf %{name} | | rm -rf %{name} |
− |
| |
− | %pre
| |
− | %preun
| |
− | %post
| |
− | %postun
| |
| | | |
| %files -f %{name}-%{version}-filelist | | %files -f %{name}-%{version}-filelist |
Line 101: |
Line 99: |
| my $pw = $rec->prop('DbPassword'); | | my $pw = $rec->prop('DbPassword'); |
| return "" if $pw; | | return "" if $pw; |
− |
| + | $rec->set_prop('DbPassword', MIME::Base64::encode(int( (1000000000000000) * rand() ))); |
− | $rec->set_prop('DbPassword', sprintf("%15.0f", int( (1000000000000000) * rand() ))); | |
| } | | } |
| | | |
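Review bot: The new DbPassword line still takes its only randomness from Perl's rand(), which is not a cryptographic generator, and Base64-encoding the integer adds no entropy. MIME::Base64::encode also appends a newline by default, so the stored property would end in "\n". Suggest reading the bytes from /dev/urandom and encoding with an empty end-of-line argument, e.g. MIME::Base64::encode($bytes, ""), and confirming the fragment loads MIME::Base64, since no use line is visible in this hunk.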
Line 134: |
Line 131: |
| | | |
| The %post section of the spec file run the commands to initialise db values and create the db structure | | The %post section of the spec file run the commands to initialise db values and create the db structure |
| + | |
| + | ===db defaults=== |
| + | Reserve the foo name in accounts and create default settings in configuration |
| + | |
| + | Create files in these locations, with default values |
| + | |
| + | root/etc/e-smith/db/accounts/defaults/foo |
| + | root/etc/e-smith/db/accounts/defaults/foo/type > reserved |
| + | |
| + | root/etc/e-smith/db/configuration/defaults/foo |
| + | root/etc/e-smith/db/configuration/defaults/foo/type > service |
| + | root/etc/e-smith/db/configuration/defaults/foo/Name > Helpdesk |
| + | root/etc/e-smith/db/configuration/defaults/foo/PublicAccess > global-pw-remote |
| + | root/etc/e-smith/db/configuration/defaults/foo/status > enabled |
| + | root/etc/e-smith/db/configuration/defaults/foo/DbName > foo |
| + | root/etc/e-smith/db/configuration/defaults/foo/DbUser > foo |
| + | |
| + | root/etc/e-smith/templates.metadata/etc/e-smith/sql/init |
| + | root/etc/e-smith/templates.metadata/etc/e-smith/sql/init/80foo > PERMS=0750 |
| | | |
| ===Webserver templates=== | | ===Webserver templates=== |
| | | |
− | * The alias fragment tailored to suit the application
| + | ====Http Template 92Foo==== |
− | | + | The alias fragment tailored to suit the application |
| root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo | | root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo |
| | | |
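Review bot: In the new "db defaults" list the `path > value` notation reads like a shell redirect written backwards, compared with the `echo "admin" > root/.../foo/User` form used later on the page. Suggest stating that each listed path is a file whose content is the value shown, and that the bare paths without a value are directories, or keeping the echo form throughout.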
Line 218: |
Line 234: |
| $OUT .= " AuthName \"$name\"\n"; | | $OUT .= " AuthName \"$name\"\n"; |
| $OUT .= " AuthType Basic\n"; | | $OUT .= " AuthType Basic\n"; |
| + | $OUT .= " AuthBasicProvider external\n"; |
| $OUT .= " AuthExternal pwauth\n"; | | $OUT .= " AuthExternal pwauth\n"; |
| $OUT .= " require valid-user\n"; | | $OUT .= " require valid-user\n"; |
Line 226: |
Line 243: |
| } | | } |
| | | |
− | * a hack to get https to work, a better solution is required | + | ====Apache Authentication==== |
| + | In the example above, all sme users can authenticate to the web folder /opt/foo, for an application with no matter in security, it is normal but in certain case it could be dangerous. |
| + | * All users of SME Server |
| + | The original template in /etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo |
| + | { |
| + | $OUT .= " AuthName \"$name\"\n"; |
| + | $OUT .= " AuthType Basic\n"; |
| + | $OUT .= " AuthBasicProvider external\n"; |
| + | $OUT .= " AuthExternal pwauth\n"; |
| + | '''$OUT .= " require valid-user\n";''' |
| + | $OUT .= " Satisfy $satisfy\n"; |
| + | } |
| + | * one user or several users |
| + | Now you need to modify the 92foo template with these new lines |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo |
| + | { |
| + | $OUT .= " AuthName \"$name\"\n"; |
| + | $OUT .= " AuthType Basic\n"; |
| + | $OUT .= " AuthBasicProvider external\n"; |
| + | $OUT .= " AuthExternal pwauth\n"; |
| + | '''$OUT .= " require user admin pierre paul\n";''' |
| + | $OUT .= " Satisfy $satisfy\n"; |
| + | } |
| + | *one group or several groups with some specific users |
| + | |
| + | You have to download a plugin of pwauth to authenticate unix group in SME Server 8 : http://code.google.com/p/pwauth/ |
| + | For SME Server 9 a nfr is raised see [[bugzilla:3690]] |
| + | |
| + | wget http://pwauth.googlecode.com/files/pwauth-2.3.10.tar.gz |
| + | tar xvzf pwauth-2.3.10.tar.gz |
| + | cp pwauth-2.3.10/unixgroup /usr/lib/httpd/modules/ |
| + | chown root:www /usr/lib/httpd/modules/unixgroup |
| + | chmod 750 /usr/lib/httpd/modules/unixgroup |
| + | |
| + | We need to create a new fragment<br /> |
| + | |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth |
| + | { |
| + | $OUT .= " AddExternalGroup unixgroup /usr/lib/httpd/modules/unixgroup\n"; |
| + | $OUT .= " SetExternalGroupMethod unixgroup environment\n"; |
| + | } |
| + | |
| + | Now you need to modify the 92foo template with these new lines |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo |
| + | { |
| + | $OUT .= " AuthName \"$name\"\n"; |
| + | $OUT .= " AuthType Basic\n"; |
| + | $OUT .= " AuthBasicProvider external\n"; |
| + | $OUT .= " AuthExternal pwauth\n"; |
| + | $OUT .= " GroupExternal unixgroup\n"; |
| + | $OUT .= " AuthzUserAuthoritative off\n"; |
| + | '''$OUT .= " require user admin pierre paul\n";''' |
| + | '''$OUT .= " require group virt\n";''' |
| + | $OUT .= " Satisfy $satisfy\n"; |
| + | } |
| + | |
| + | *DB command to choose groups and users |
| + | Above we have seen how to write name of groups or users directly in the template, but in the real life it is not enough good :)<br /> |
| + | |
| + | The purpose is to choose users or groups by command line. |
| + | |
| + | -In first you have to make other DB configuration as described [[Web_Application_RPM#db_defaults]] |
| + | echo "admin" > root/etc/e-smith/db/configuration/defaults/foo/User |
| + | echo "" > root/etc/e-smith/db/configuration/defaults/foo/Group |
| + | Only the user admin is set by default |
| + | |
| + | -You have to download a plugin of pwauth to authenticate unix group in SME Server 8 : http://code.google.com/p/pwauth/ |
| + | wget http://pwauth.googlecode.com/files/pwauth-2.3.10.tar.gz |
| + | tar xvzf pwauth-2.3.10.tar.gz |
| + | cp pwauth-2.3.10/unixgroup /usr/lib/httpd/modules/ |
| + | chown root:www /usr/lib/httpd/modules/unixgroup |
| + | chmod 750 /usr/lib/httpd/modules/unixgroup |
| + | We need to create a new fragment<br /> |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth |
| + | { |
| + | $OUT .= " AddExternalGroup unixgroup /usr/lib/httpd/modules/unixgroup\n"; |
| + | $OUT .= " SetExternalGroupMethod unixgroup environment\n"; |
| + | } |
| + | |
| + | |
| + | Now you need to modify the 92foo template with these new lines <br /> |
| + | |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo |
| + | |
| + | { |
| + | $OUT .= " AuthName \"$name\"\n"; |
| + | $OUT .= " AuthType Basic\n"; |
| + | $OUT .= " AuthExternal pwauth\n"; |
| + | $OUT .= " GroupExternal unixgroup\n"; |
| + | $OUT .= " AuthzUserAuthoritative off\n"; |
| + | $OUT .= " require user $foo{'User'}\n"; |
| + | $OUT .= " require group $foo{'Group'}\n"; |
| + | $OUT .= " Satisfy $satisfy\n"; |
| + | } |
| + | |
| + | -change groups and users allowed by CL |
| + | |
| + | config setprop foo User "admin toto" |
| + | config setprop foo Group "famille virt" |
| + | then |
| + | signal-event console-save |
| + | |
| + | =====SME Server 9===== |
| + | The apache authentication is made by a new file named authnz_external_module instead of auth_external_module, therefore you need to slightly modify the code above. <br /> |
| + | If it is not done you can have this error in log file and you won't be authenticated |
| + | configuration error: couldn't check user. No user file?: |
| + | See this [http://code.google.com/p/mod-auth-external/wiki/ConfigApache22 howTo]. You need to verify if your /etc/httpd/conf/httpd.conf contain these lines |
| + | AddExternalGroup unixgroup /usr/bin/unixgroup |
| + | SetExternalGroupMethod unixgroup environment |
| + | |
| + | We are waiting the default use of authenticator unixgroup in sme9 (see [[bugzilla:8008]]). For now you need to make the relevant fragment template. |
| + | |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth |
| + | { |
| + | $OUT .= " AddExternalGroup unixgroup /usr/bin/unixgroup\n"; |
| + | $OUT .= " SetExternalGroupMethod unixgroup environment\n"; |
| + | } |
| + | |
| + | nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/92foo |
| + | |
| + | { |
| + | $OUT .= " AuthName \"$name\"\n"; |
| + | $OUT .= " '''AuthBasicProvider external'''\n"; |
| + | $OUT .= " AuthType Basic\n"; |
| + | $OUT .= " AuthExternal pwauth\n"; |
| + | $OUT .= " GroupExternal unixgroup\n"; |
| + | $OUT .= " AuthzUserAuthoritative off\n"; |
| + | $OUT .= " require user $foo{'User'}\n"; |
| + | $OUT .= " require group $foo{'Group'}\n"; |
| + | $OUT .= " Satisfy $satisfy\n"; |
| + | } |
| + | |
| + | -change groups and users allowed by CL |
| + | |
| + | config setprop foo User "admin toto" |
| + | config setprop foo Group "famille virt" |
| + | then |
| + | signal-event console-save |
| + | |
| + | ====Upload_tmp_dir==== |
| + | Since SME Server V8, you could have sometime an error is thrown by PHP and you will need to specify a temporary directory (e.g. upload_tmp_dir) which is not set in php.ini. see [[bugzilla:6650]] and [[bugzilla:7652]]. Many Php applications needs this setting, most of known are wordpress, roudcube, egroupware, etc. Symptoms are that you can't upload contents to the PHP application. |
| + | |
| + | An easy way is to make a Custom Template to resolve this issue. |
| + | |
| + | see [[Uploadtmpdir]] |
| + | |
| + | ====Https_redirection==== |
| + | *a hack to get https to work, a better solution is required, you can see [[Https_redirection]] |
| | | |
| root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/30FooAlias | | root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/30FooAlias |
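Review bot: The pwauth steps under "one group or several groups" (repeated under "DB command to choose groups and users") fetch the tarball over plain http and copy unixgroup into /usr/lib/httpd/modules/ with no integrity check, so whatever the download returns is what httpd will execute as its group checker. Suggest publishing a checksum to verify before the cp, or shipping unixgroup as a packaged dependency, and giving the steps once instead of twice. Two smaller points in the DB-driven 92foo listings: the default Group is empty, so `require group $foo{'Group'}` expands to a require group line with no name and should be emitted only when the property is set; and the SME Server 8 DB-driven listing drops the `AuthBasicProvider external` line that the other 92foo listings in this hunk carry, so confirm which form is intended.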
Line 240: |
Line 404: |
| } | | } |
| } | | } |
| + | |
| + | *or this solution which does the automatic redirection to https protocol, you have to choose either 30FooAlias or 60FooAlias but not both. |
| + | |
| + | root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/60FooAlias |
| + | |
| + | { |
| + | my $status = $foo{'status'} || "disabled"; |
| + | return " # foo is disabled in this VirtualHost" |
| + | unless $status eq 'enabled'; |
| + | |
| + | { |
| + | if ($port ne "443") |
| + | { |
| + | $OUT .= <<'HERE'; |
| + | ## Redirect Web Address to Secure Address |
| + | RewriteEngine on |
| + | RewriteRule ^/foo https://%{HTTP_HOST}/foo |
| + | |
| + | ## End Of Redirect |
| + | HERE |
| + | } |
| + | } |
| + | |
| + | } |
| + | |
| + | *To enforce the security you can decide to prohibit all connexions which are not https. You need to add "SSLRequireSSL" in the correct position of the 92foo template. |
| + | |
| + | $OUT .= "<Directory /opt/foo>\n"; |
| + | '''$OUT .= " SSLRequireSSL\n";''' |
| + | $OUT .= " AddType application/x-httpd-php .php\n"; |
| | | |
| ===System file templates=== | | ===System file templates=== |
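Review bot: In 60FooAlias the rule `RewriteRule ^/foo https://%{HTTP_HOST}/foo` matches any path that merely starts with /foo and always redirects to the bare /foo, so /foo/page.php loses the rest of its path and an unrelated /foobar is caught as well. Suggest anchoring the pattern and carrying the remainder, e.g. `RewriteRule ^/foo(/.*)?$ https://%{HTTP_HOST}/foo$1 [R,L]`. The SSLRequireSSL item says "the correct position" without naming it; state that the line goes directly inside the <Directory /opt/foo> block, as the snippet shows.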
Line 245: |
Line 439: |
| You may need to create a fragment for a system file such as crontab. | | You may need to create a fragment for a system file such as crontab. |
| | | |
− | http://mirror.contribs.org/smeserver/contribs/gordonr/devguide/html/c610.htm | + | http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual |
| | | |
| ===Application templates=== | | ===Application templates=== |
| | | |
− | Include the original application config file in the templates directory, <br>
| + | Preferably include the original application config file in the templates directory, <br> |
| then overwrite key values, some of which we keep in SME DB's | | then overwrite key values, some of which we keep in SME DB's |
| | | |
| + | This is not always possible, eg your application modifies the config file <br> |
| + | in this case leave the config file untemplated and advise the user how to configure manually. |
| | | |
| eg . root\etc\template\opt\foo\config.php | | eg . root\etc\template\opt\foo\config.php |
Line 286: |
Line 482: |
| // SME Server Settings | | // SME Server Settings |
| { | | { |
− | $OUT .= "\$CFG->dbname = \'$foo{DbName}\'\; \n";
| + | $OUT .= "\$CFG->dbname = ini_get\(\'mysql.default_host\'\)\; \n"; |
− | $OUT .= "\$CFG->dbuser = \'$foo{DbUser}\'\; \n";
| + | $OUT .= "\$CFG->dbuser = ini_get\(\'mysql.default_user\'\)\; \n"; |
− | $OUT .= "\$CFG->dbpass = \'$foo{DbPassword}\'\; \n";
| + | $OUT .= "\$CFG->dbpass = ini_get\(\'mysql.default_password\'\)\; \n"; |
− | $OUT .= "\$CFG->dirroot = \'/opt/foo'\; \n";
| + | $OUT .= "\$CFG->dirroot = \'/opt/foo'\; \n"; |
| } | | } |
| | | |
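Review bot: The new dbname line assigns `ini_get('mysql.default_host')`, which is a host setting and not a database name, where the replaced line used $foo{DbName}. The three values now also depend on the mysql.default_* settings in php.ini being populated, which nothing visible in this change does, and the generated DbPassword property is no longer read by the template. Either keep the $foo{...} values or document where the ini values come from and correct the dbname source.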
Line 327: |
Line 523: |
| | | |
| %build | | %build |
− | mkdir -p root/etc/e-smith/db/accounts/defaults/foo
| |
− | echo "reserved" > root/etc/e-smith/db/accounts/defaults/foo/type
| |
− |
| |
− | mkdir -p root/etc/e-smith/db/configuration/defaults/foo
| |
− | echo "service" > root/etc/e-smith/db/configuration/defaults/foo/type
| |
− | echo "Helpdesk" > root/etc/e-smith/db/configuration/defaults/foo/Name
| |
− | echo "global-pw-remote" > root/etc/e-smith/db/configuration/defaults/foo/PublicAccess
| |
− | echo "enabled" > root/etc/e-smith/db/configuration/defaults/foo/status
| |
− | echo "foo" > root/etc/e-smith/db/configuration/defaults/foo/DbName
| |
− | echo "foo" > root/etc/e-smith/db/configuration/defaults/foo/DbUser
| |
− |
| |
− | mkdir -p root/etc/e-smith/templates.metadata/etc/e-smith/sql/init
| |
− | echo "PERMS=0750" > root/etc/e-smith/templates.metadata/etc/e-smith/sql/init/80foo
| |
| | | |
| %install | | %install |
Line 355: |
Line 538: |
| %preun | | %preun |
| %post | | %post |
− | /etc/e-smith/events/actions/initialize-default-databases
| |
− | /sbin/e-smith/expand-template /etc/e-smith/sql/init/80foo
| |
− | /etc/rc.d/init.d/mysql.init start
| |
− | /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
| |
− | /usr/bin/sv h /service/httpd-e-smith
| |
− | /sbin/e-smith/expand-template /opt/foo/config.php
| |
− | /sbin/e-smith/expand-template /etc/crontab
| |
− |
| |
− | echo ""
| |
− | echo "see http://wiki.contribs.org/foo"
| |
| | | |
| %postun | | %postun |
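Review bot: With every command removed from %post, the sentence kept earlier on the page ("The %post section of the spec file run the commands to initialise db values and create the db structure") no longer matches the spec, and nothing visible now runs initialize-default-databases or expands 80foo, httpd.conf and config.php after install. Either restore the commands that are still needed or update that sentence and say which event performs these steps.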
Line 398: |
Line 571: |
| global-pw => Entire Internet(password required) | | global-pw => Entire Internet(password required) |
| global-pw-remote => Entire Internet(password required outside local network) | | global-pw-remote => Entire Internet(password required outside local network) |
| + | |
| + | *change groups and users allowed by CL |
| + | |
| + | config setprop foo User "admin toto" |
| + | config setprop foo Group "famille virt" |
| + | then |
| + | signal-event console-save |
| | | |
| * To add a different URL eg. yourserver.net/foo | | * To add a different URL eg. yourserver.net/foo |
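Review bot: The User and Group properties added to this usage list are only read by the DB-driven 92foo variant; with the original template's `require valid-user` they have no effect. Say so here, or link to the Apache Authentication section instead of repeating the same commands a third time, and spell out "CL" as command line.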