Difference between revisions of "Web Service"

From Tardis
Line 1: Line 1:
 +
[[Web Service/Admin|Admin Information]]
 +
 
The web service currently runs on [[davros]], which also hosts the disks with the web content.
 
The web service currently runs on [[davros]], which also hosts the disks with the web content.
  
== supported software ==
+
== Supported Software ==
 +
 
 +
=== PHP ===
 +
Tardis (grudgingly) runs php4/5, and we can install extensions if you require them.
 +
 
 +
=== Databases ===
 +
MySQL and PostgreSQL are available. See: [[Database Service]].
 +
 
 +
=== Web Applications  ===
 
Currently there are some packages which are installed site-wide on the webserver which you should be able
 
Currently there are some packages which are installed site-wide on the webserver which you should be able
 
to make use of. For these, see their individual pages for details. At the moment, only the installation of
 
to make use of. For these, see their individual pages for details. At the moment, only the installation of
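Review bot: The added PHP line ("Tardis (grudgingly) runs php4/5, and we can install extensions if you require them.") does not say which of the two versions a user's site gets by default or who to ask for an extension; add both, or link to a page that covers them, as the Databases line does with [[Database Service]]. The "=== Web Applications  ===" heading also carries two spaces before the closing "===", which is worth tidying in the same edit.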
Line 9: Line 19:
 
[[Blog_Service]]
 
[[Blog_Service]]
  
== mod_perl ==
+
==== Others ====
<tt>mod_perl</tt> has recently been disabled, because there was some suspicion it was what breaking the apache parent.
+
 
 +
There are other webapps we should try and manage globally, if possible. Principally gallery and maybe some sort of wiki.
 +
 
  
''We shall see...''
+
== Service Information ==
  
===Process===
+
Your web pages are located in
''(for the purposes of undoing the damage)''
+
  /tardis/www/users/&lt;user&gt;
<pre> apache-modconf apache disable mod_perl</pre>
 
Also, some lines were commented out in <tt>/etc/apache/conf.d/libhtml-mason-perl</tt>, because they were stopping apache from starting. I dont really know what they do, but if it comes round to bite me, I guess we'll find out :)
 
<pre>
 
...
 
<IfModule !mod_perl.c>
 
# No mod_perl available, just use CGI
 
#Action mason_example http://localhost/cgi-bin/mason_example.cgi
 
#<Directory /var/www/mason_example>
 
#SetHandler mason_example
 
#</Directory>
 
</IfModule>
 
...
 
</pre>
 
== Server config ==
 
<pre>
 
Server version: Apache/1.3.33 (Debian GNU/Linux)
 
Server built:  Dec 18 2004 11:28:47
 
Server's Module Magic Number: 19990320:16
 
Server compiled with....
 
-D EAPI
 
-D HAVE_MMAP
 
-D HAVE_SHMGET
 
-D USE_SHMGET_SCOREBOARD
 
-D USE_MMAP_FILES
 
-D HAVE_FCNTL_SERIALIZED_ACCEPT
 
-D HAVE_SYSVSEM_SERIALIZED_ACCEPT
 
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 
-D DYNAMIC_MODULE_LIMIT=64
 
-D HARD_SERVER_LIMIT=4096
 
-D HTTPD_ROOT="/usr"
 
-D SUEXEC_BIN="/usr/lib/apache/suexec"
 
-D DEFAULT_PIDLOG="/var/run/apache.pid"
 
-D DEFAULT_SCOREBOARD="/var/run/apache.scoreboard"
 
-D DEFAULT_LOCKFILE="/var/run/apache.lock"
 
-D DEFAULT_ERRORLOG="/var/log/apache/error.log"
 
-D TYPES_CONFIG_FILE="/etc/mime.types"
 
-D SERVER_CONFIG_FILE="/etc/apache/httpd.conf"
 
-D ACCESS_CONFIG_FILE="/etc/apache/access.conf"
 
-D RESOURCE_CONFIG_FILE="/etc/apache/srm.conf"
 
</pre>
 
  
== Tardisification stuff ==
+
=== Note on installing web applications ===
  
We've got a silly directory structure, so that we don't need users homedirs mounted on the webserver. Unfortunately this breaks the default debian way of doing things. To get round this we've our own apache package.
+
Tardis is frequently crawled by web-indexing services, and hence sites hosted on Tardis are very visible to the outside world, often unexpectedly. Unmaintained galleries, blogs, etc. are frequent targets for spammers.
  
<pre>
+
If you install a web-facing applicaions (eg. Gallery, etc), you '''MUST''':
apt-get update
 
mkdir /tmp/apachelol
 
cd /tmp/apachelol
 
apt-get build-dep apache
 
apt-get source apache
 
cd apache-<version>
 
vim debian/rules
 
</pre>
 
  
Then change the config args as follows (note the tardis bit, and the last line):
+
* Keep all web-facing applications on Tardis updated with the latest security patches. Subscribe to the relevant security mailing lists.
 +
* Disable anonymous user input or use effective CAPTCHAs, if such things exist.
  
<pre>
 
CONFARGS =      --target=apache --with-layout=Debian \
 
                --enable-suexec --suexec-caller=www-data \
 
                --suexec-docroot=/tardis/www --includedir=/$(inc) \
 
                --without-confadjust --without-execstrip \
 
                --enable-shared=max --enable-rule=SHARED_CHAIN \
 
                --enable-module=most --enable-module=status \
 
                --enable-module=auth_digest --enable-module=log_referer \
 
                --enable-module=log_agent --enable-module=auth_db \
 
                $(EXTRA_CONFARGS) \
 
                --activate-module=src/modules/extra/mod_macro.c \
 
                --suexec-userdir=cgi-bin
 
</pre>
 
Then:
 
<pre>
 
:wq
 
tardis-buildpkg publish all
 
tardis-buildrep
 
apt-get update
 
apt-get upgrade
 
</pre>
 
  
== Mutex-related crashes ==
+
While we will disable insecure applications if we find them, we cannot guarantee to. Security of Tardis services is the responsibility of '''all''' of the project members, and the existence of insecure applications may jeopordise the project's continued existence.
  
We kept seeing crashes where the master apache process would die.  The children would stay around answering requests for a while afterwards, making diagnosis more difficult.  From the logs, it would appear to be a problem with sysvsem mutexes and the log rollover.  We would get
 
<pre>
 
[Fri Feb  3 06:34:11 2006] [notice] SIGUSR1 received.  Doing graceful restart
 
accept_mutex_on: Identifier removed
 
</pre>
 
before the rollover, and
 
<pre>
 
[Fri Feb  3 06:34:14 2006] [error] (2)No such file or directory: mod_mime_magic: can't read magic file /etc/apache/share/magic
 
[Fri Feb  3 06:34:14 2006] [notice] Apache/1.3.33 configured -- resuming normal operations
 
[Fri Feb  3 06:34:14 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)
 
[Fri Feb  3 06:34:14 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
 
[Fri Feb  3 06:34:14 2006] [alert] Child 15864 returned a Fatal error... \nApache is exiting!
 
</pre>
 
afterwards.  Googling showed that lots of people have had this problem in the past and noone has bothered finding the bug.  Switching to fcntl mutexes appears to have stopped this.
 
  
 
[[category:Services]]
 
[[category:Services]]
 
[[category:ExternalServices]]
 
[[category:ExternalServices]]
 +
[[category:User Documentation]]
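Review bot: The sections removed in this hunk (mod_perl, Server config, Tardisification stuff, Mutex-related crashes) are the only record on this page of why mod_perl was disabled, of the custom build with --suexec-docroot=/tardis/www, and of the switch to fcntl mutexes; the diff adds a link to [[Web Service/Admin]] but does not show that this text landed there, so confirm that before saving. In the added "Note on installing web applications", fix "applicaions" and "jeopordise", and reword or drop "use effective CAPTCHAs, if such things exist", since a MUST item that doubts its own feasibility gives users nothing to check against.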

Revision as of 13:31, 16 May 2007

Admin Information

The web service currently runs on davros, which also hosts the disks with the web content.

Supported Software

PHP

Tardis (grudgingly) runs PHP 4/5, and we can install extensions if you require them.

Databases

MySQL and PostgreSQL are available. See: Database Service.

Web Applications

Currently there are some packages which are installed site-wide on the webserver which you should be able to make use of. For these, see their individual pages for details. At the moment, only the installation of WordPress is documented as I installed it, but there are definitely other bits of software on Tardis which should be documented. This is a placeholder.

Blog_Service

Others

There are other webapps we should try and manage globally, if possible. Principally gallery and maybe some sort of wiki.


Service Information

Your web pages are located in

  /tardis/www/users/<user>

Note on installing web applications

Tardis is frequently crawled by web-indexing services, and hence sites hosted on Tardis are very visible to the outside world, often unexpectedly. Unmaintained galleries, blogs, etc. are frequent targets for spammers.

If you install any web-facing applications (e.g. Gallery), you MUST:

  • Keep all web-facing applications on Tardis updated with the latest security patches. Subscribe to the relevant security mailing lists.
  • Disable anonymous user input or use effective CAPTCHAs, if such things exist.


While we will disable insecure applications if we find them, we cannot guarantee to. Security of Tardis services is the responsibility of all of the project members, and the existence of insecure applications may jeopardise the project's continued existence.