Apache2 and PHP5
Latest revision as of 14:25, 15 October 2010
Apache2
Installation of Apache2
Installation of Apache2 is quite simple:
apt-get install apache2
This brings in a slew of packages, among others apache2-mpm-worker, apache2-utils and libapr1. When you want a different worker (e.g. prefork), use aptitude to select it.
Configuration of Apache2
Once Apache2 is in place, you might want to enable SSL for it. And if you want to keep track of any visitor to your website(s), you might want to install Visitor.
Furthermore, you have to realise that mail sent by your webserver, or by any PHP program running under it (e.g. MediaWiki), will have the envelope sender address www-data@<your.maildomain>. To make sure that this mail domain is a real one (necessary for the reverse lookup that real mail servers perform), put the right mail domain in /etc/mailname (e.g. "saruman.biz"). In addition, at the top of your Postfix main.cf you might like to add
myorigin = /etc/mailname
If you now restart Postfix, outgoing mail from user www-data will have an envelope sender address of www-data@saruman.biz.
Installation of PHP5
Installing PHP5 is as easy as
sudo apt-get install php5 php5-cli
Note that if you had installed the Apache2 module apache2-mpm-worker, it will get replaced with apache2-mpm-prefork. Furthermore, note that php5-cli is only needed if you want to run PHP commands at the prompt, but our guess is that you want it (e.g. to perform maintenance tasks for your MediaWiki wikiserver).
Adding WebDAV to your Apache2
Thoughts about WebDAV and your configuration
Out of the box, your Debian Apache2 is prepared to start using WebDAV. All you need is to enable two modules: one for WebDAV itself, one for the authentication that you want to use. Since our server mainly uses LDAP, we'll describe WebDAV+LDAP here.
Furthermore, because WebDAV allows editing files on your server, security is paramount (well, it always is, of course; what we mean is that it is even more important now). The Apache project recommends:
The use of HTTP Basic Authentication is not recommended. You should use at least HTTP Digest Authentication, which is provided by the mod_auth_digest module. Nearly all WebDAV clients support this authentication method. An alternative is Basic Authentication over an SSL enabled connection.
Thus you should not use Basic Authentication (which is pretty simple to set up) unless you run it over SSL, so we do that as well. We choose the Virtual Host that defines our SSL site and extend it with WebDAV functionality. If this is not what you want, consider stepping your authentication up to Digest Authentication.
Configuring WebDAV and LDAP for your SSL-enabled Virtual Host
First, enable the WebDAV and authnz_ldap modules:
a2enmod dav
a2enmod dav_fs
a2enmod authnz_ldap
Do not restart Apache2 just yet, because we haven't configured either the WebDAV site or its authentication!
Furthermore, a location for the DAV lock database must be specified in the global section of your Apache2 configuration file using the DavLockDB directive. To this end, create a file under /etc/apache2/conf.d named webdav containing this single line:
DavLockDB /var/run/apache2/DavLock
This will act as the (global) lock database for WebDAV; we don't need to specify it in any other configuration file (like the Virtual Host configuration files). Of course, your server should have a directory /var/run/apache2, and it must be writable for the user www-data under which Apache2 runs.
Next, adapt the virtual host that may employ WebDAV and LDAP authentication. The virtual host file needs a section that enables WebDAV (using the directive Dav On), and some directives on how to authorize users within this section. Suppose we want to enable WebDAV only for subdirectory webdav within virtual host http://www.saruman.biz/. Then in the corresponding Virtual Host file (something like /etc/apache2/sites-available/000-saruman.biz) we need to include the following section:
<Location /webdav>
Order Allow,Deny
Allow from all
Dav On
These lines turn on WebDAV for the location /webdav. This of course means that there should be a directory in your server's filesystem named webdav and located under the root of this virtual host, e.g. /var/www/saruman.biz/webdav
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative On
This section sets up the authentication as HTTP Basic, with LDAP as the provider, and NOT allowing the authorization phase to fall back to other providers if LDAP cannot provide the required answer. If you want to use "require" statements from some other authorization provider, then you must set AuthzLDAPAuthoritative to "off".
AuthName "Enter your Saruman.biz login"
AuthLDAPURL "ldap://myserver.saruman.biz/ou=people,dc=saruman,dc=biz?mail" NONE
AuthLDAPBindDN "cn=admin,dc=saruman,dc=biz"
AuthLDAPBindPassword "mypassword"
The AuthName directive "sets the name of the authorization realm". The string provided for the AuthName is what will appear in the password dialog provided by most browsers.
The AuthLDAPURL should point to your server, and the word behind the question mark should be the LDAP field that you want to use as login. We use mail so that we can log in with our mail address.
The AuthLDAPBindDN should be of a user with the right to view the passwords of the users that will be using the WebDAV server, and the AuthLDAPBindPassword should be that user's password.
require valid-user
</Location>
This last directive means that any user who has authenticated is granted access. Since only LDAP users can authenticate, this is just fine. If you want to authenticate against an LDAP group "webdav", use the following instead:
Order deny,allow
Deny from All
AuthName "Enter your Saruman.biz login"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://myserver.saruman.biz/ou=people,dc=saruman,dc=biz?uid
AuthLDAPBindDN "cn=admin,dc=saruman,dc=biz"
AuthLDAPBindPassword "mypassword"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=webdav,ou=groups,dc=saruman,dc=biz
Require ldap-attribute gidNumber=420
The line Require ldap-attribute gidNumber=420 handles users whose primary group is group 420, the "webdav" group; such users are typically not listed in the group's memberUid attribute and would otherwise be denied access. For multiple groups, add an additional directive for each.
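As an added check, not taken from the wiki page or from Apache, here is a Python lint that reads an Apache configuration fragment and reports the pitfalls this section describes: a Dav On location with no Require, Basic authentication in a virtual host without SSLEngine on, AuthzLDAPAuthoritative off, and a missing DavLockDB. The function name and the two sample configurations are constructed for this example.

```python
import re
# Added example, not part of the wiki page: a small lint for the WebDAV
# pitfalls discussed above. The two sample configs below are constructed.
GOOD_CONF = """
<VirtualHost *:443>
SSLEngine on
DavLockDB /var/run/apache2/DavLock
<Location /webdav>
Dav On
AuthType Basic
AuthzLDAPAuthoritative On
require valid-user
</Location>
</VirtualHost>
"""
WEAK_CONF = """
<VirtualHost *:80>
# plain HTTP, no lock database, no Require at all
<Location /webdav>
Dav On
AuthType Basic
AuthzLDAPAuthoritative off
</Location>
</VirtualHost>
"""

def _has(pattern, text):
    # Apache directives are case-insensitive; ^ and $ work per line.
    return re.search(pattern, text, re.I | re.M) is not None

def lint_webdav(conf):
    """Return a list of findings for every <Location> that turns WebDAV on."""
    # Drop comments so a commented-out directive does not count as present.
    text = "\n".join(re.sub(r"#.*", "", line).strip() for line in conf.splitlines())
    ssl_on = _has(r"^SSLEngine\s+on$", text)
    lockdb = _has(r"^DavLockDB\s+\S+", text)
    findings = []
    for m in re.finditer(r"<Location\s+(\S+)>(.*?)</Location>", text, re.I | re.S):
        path, body = m.group(1), m.group(2)
        if not _has(r"^Dav\s+On$", body):
            continue  # not a WebDAV location, nothing to check
        if not _has(r"^Require\s+", body):
            findings.append(f"{path}: Dav On without any Require directive")
        if _has(r"^AuthType\s+Basic$", body) and not ssl_on:
            findings.append(f"{path}: Basic authentication without SSLEngine on")
        if _has(r"^AuthzLDAPAuthoritative\s+off$", body):
            findings.append(f"{path}: AuthzLDAPAuthoritative off falls back to other providers")
        if not lockdb:
            findings.append(f"{path}: no DavLockDB configured, LOCK requests will fail with HTTP 500")
    return findings
```

Feed it the concatenation of conf.d/webdav and the virtual host file, since DavLockDB lives in the global section rather than in the Location block.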
Next up, you need to create folder webdav under the root of your Virtual Host. Do not forget to make that folder owned by www-data:www-data and readable/writable only by that user (a directory must also carry the execute bit, or www-data cannot enter it):
cd /data/wwwroot/yoursite
mkdir webdav
chown www-data:www-data webdav
chmod 700 webdav
Now you can restart Apache2, see if it restarts ok, and then test your new WebDAV folder.
Testing WebDAV
To test WebDAV, you can most easily install the cadaver WebDAV client:
apt-get install cadaver
After that, you can start cadaver, and have it write a file in your WebDAV environment:
localhost:/data/wwwroot/yoursite/webdav# cadaver https://www.saruman.biz/webdav
WARNING: Untrusted server certificate presented for `*.saruman.biz':
Issued to: Internet Dept., Saruman.biz, Utrecht, NL
Issued by: Saruman.biz, Utrecht, NL
Certificate is valid from Tue, 28 Oct 2008 07:34:41 GMT to Mon, 02 Nov 2009 07:34:41 GMT
Do you wish to accept the certificate? (y/n) y
Authentication required for Enter your Saruman.biz login on server `www.saruman.biz':
Username: sixpacjo
Password:
dav:/webdav/> _
When presented with the cadaver prompt, you can use the following commands:
- edit <filename>: this causes cadaver to open an existing file named <filename>; or, failing that, to create a new file. Your default text editor is used.
- lock <filename> or unlock <filename>: set or remove a lock on a WebDAV published file. He who owns the lock can edit the file, others can only read it.
- discover <filename>: see the lock status of the file
- quit: well that one's easy...
Use man cadaver for the full description.
Errors that might occur if you have a problem in your WebDAV setup include:
- Lock problems: if you fail to provide a webserver-writable place for the lock file, you will encounter HTTP 500 errors. In cadaver:
dav:/webdav/> edit test.html
Locking `test.html': failed:
500 Internal Server Error
dav:/webdav/> discover test.html
Discovering locks on `test.html': no locks found.
dav:/webdav/>