Changes between Initial Version and Version 1 of ndg_security/Apache2/SUSE


Timestamp:
19/10/10 12:01:05 (9 years ago)
Author:
pjkersha
Comment:

= Example Apache Configuration with SUSE =
[[PageOutline]]
This page gives details of the Apache configuration for NDG Security with SUSE and the standard SUSE Apache2 distribution.  Details are given for SUSE 11.2.
The standard SUSE Apache2 package can be used.  There is no need to build from source.  The directory structure and file names don't need to be followed explicitly.  They are included as guidelines only.

== Virtual Host ==
 1. Create directories for the virtual host.  (<fqdn> = fully qualified domain name.  Replace with the appropriate name.)
{{{
$ mkdir /srv/www/vhosts/
$ mkdir /srv/www/vhosts/<fqdn>/
$ mkdir /srv/www/vhosts/<fqdn>/htdocs
$ mkdir /srv/www/vhosts/<fqdn>/wsgi-scripts
$ mkdir /srv/www/vhosts/<fqdn>/cgi-bin
}}}
 1. Set up the virtual host files in `/etc/apache2/vhosts.d`
{{{
$ cp vhost.template ip-based_vhosts.conf
}}}
    (`ip-based_vhosts.conf` is actually generated by `yast2`.)
{{{
<VirtualHost <fqdn>:80>
    ServerAdmin <admin e-mail address>
    ServerName <fqdn>

    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot /srv/www/vhosts/<fqdn>/htdocs

    # if not specified, the global error log is used
    ErrorLog /var/log/apache2/<fqdn>-error_log
    CustomLog /var/log/apache2/<fqdn>-access_log combined

    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    # configures the footer on server-generated documents
    ServerSignature On

    # Optionally, include *.conf files from /etc/apache2/conf.d/
    #
    # For example, to allow execution of PHP scripts:
    #
    # Include /etc/apache2/conf.d/php5.conf
    #
    # or, to include all configuration snippets added by packages:
    # Include /etc/apache2/conf.d/*.conf

    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to the client.
    # The same rules about trailing "/" apply to ScriptAlias directives as to
    # Alias.
    #
    ScriptAlias /cgi-bin/ "/srv/www/vhosts/<fqdn>/cgi-bin/"

    # "/srv/www/cgi-bin" should be changed to wherever your ScriptAliased
    # CGI directory exists, if you have one, and where ScriptAlias points to.
    #
    <Directory "/srv/www/vhosts/<fqdn>/cgi-bin">
        AllowOverride None
        Options +ExecCGI -Includes
        Order allow,deny
        Allow from all
    </Directory>

    # UserDir: The name of the directory that is appended onto a user's home
    # directory if a ~user request is received.
    #
    # To disable it, simply remove userdir from the list of modules in APACHE_MODULES
    # in /etc/sysconfig/apache2.
    #
    <IfModule mod_userdir.c>
        # Note that the name of the user directory ("public_html") cannot simply be
        # changed here, since it is a compile time setting. The apache package
        # would have to be rebuilt. You could work around by deleting
        # /usr/sbin/suexec, but then all scripts from the directories would be
        # executed with the UID of the webserver.
        UserDir public_html
        # The actual configuration of the directory is in
        # /etc/apache2/mod_userdir.conf.
        Include /etc/apache2/mod_userdir.conf
    </IfModule>

    #
    # Applications running under mod_wsgi - these are to be protected by NDG Security filters
    #
    <Directory /srv/www/vhosts/<fqdn>/wsgi-scripts>
        Order allow,deny
        Allow from all
    </Directory>

    Include /etc/apache2/services/services.conf

    #
    # This should be changed to whatever you set DocumentRoot to.
    #
    <Directory "/srv/www/vhosts/<fqdn>/htdocs">
        #
        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important.  Please see
        # http://httpd.apache.org/docs-2.2/mod/core.html#options
        # for more information.
        #
        Options Indexes FollowSymLinks

        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   Options FileInfo AuthConfig Limit
        #
        AllowOverride None

        #
        # Controls who can get stuff from this server.
        #
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
}}}
    * A virtual host has been set up for <fqdn>.
    * The virtual host has its own directory structure for scripts and static content under `/srv/www/vhosts/<fqdn>`.
    * A `Directory` directive has been set up for WSGI scripts.
    * The WSGI scripts themselves are declared in the file `/etc/apache2/services/services.conf`, which is included within the virtual host.
 1. Create the services file:
{{{
$ cat > /etc/apache2/services/services.conf

# WSGI services
WSGIDaemonProcess my-services processes=2 threads=15 display-name=%{GROUP}

WSGIProcessGroup my-services
WSGIScriptAlias /myapp1 "/srv/www/vhosts/<fqdn>/wsgi-scripts/myapp1.wsgi"

WSGIProcessGroup my-services
WSGIScriptAlias /myapp2 "/srv/www/vhosts/<fqdn>/wsgi-scripts/myapp2.wsgi"
}}}

== SSL ==
 1. Enable SSL (Ref: http://en.opensuse.org/Apache_Howto_SSL):
{{{
$ a2enmod ssl
$ a2enflag SSL
}}}
 1. Copy the SSL certificate and key into the correct locations.  (The defaults are the `/etc/apache2/ssl.crt` and `/etc/apache2/ssl.key` directories for the certificate and private key files respectively.)  Set `600` permissions on the private key.  Avoid keeping duplicate copies of the key on the file system.

 1. Copy from the template:
{{{
$ cp vhost-ssl.template vhost-ssl.conf
}}}
    This can be done from `yast2`, but it will remove any existing conf files you have placed there(!).
 1. Set the virtual host IP, `DocumentRoot`, `ServerName`, `ServerAdmin` and log paths:
{{{
<VirtualHost 130.246.191.53:443>

        #  General setup for the virtual host
        DocumentRoot "/srv/www/vhosts/<fqdn>/htdocs"
        ServerName <fqdn>:443
        ServerAdmin <admin e-mail address>
        ErrorLog /var/log/apache2/<fqdn>-ssl_error_log
        TransferLog /var/log/apache2/<fqdn>-ssl_access_log

}}}
 1. Make a `Directory` directive for the WSGI scripts for this virtual host:
{{{
        #
        # SSL Services including NDG Security
        #
        <Directory /srv/www/vhosts/<fqdn>/wsgi-scripts>
            # Special settings enable NDG Security middleware to apply client
            # authentication where necessary: optional_no_ca asks the client for a
            # certificate but does not reject the request when Apache cannot verify
            # it against its own CA bundle (the outcome is reported to the
            # application in SSL_CLIENT_VERIFY), and +ExportCertData passes the
            # certificate itself to the application in SSL_CLIENT_CERT.
            SSLVerifyClient optional_no_ca
            SSLVerifyDepth  10
            SSLOptions +StdEnvVars +ExportCertData

            Order allow,deny
            Allow from all
        </Directory>

        Include /etc/apache2/services/ssl_services.conf
}}}
 1. Ensure the `SSLCertificateFile` and `SSLCertificateKeyFile` directives are set correctly to the respective certificate and private key file paths.
 1. Create the SSL services file:
{{{
$ cat > /etc/apache2/services/ssl_services.conf
#
# Configuration of SSL Services
#

# NDG Security Applications
WSGIDaemonProcess ndg-security processes=2 threads=15 display-name=%{GROUP}

WSGIProcessGroup ndg-security
WSGIScriptAlias / "/srv/www/vhosts/<fqdn>/wsgi-scripts/ndgsecurity.wsgi"
}}}
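What the `optional_no_ca` and `+ExportCertData` settings above leave to the application, as an added example that is not NDG Security's own middleware: Apache puts the verification verdict and the certificate into the WSGI environ, and a middleware in front of the protected script has to turn those into an access decision. Written for Python 3; the `/myapp1` prefix, the `hello` stand-in application and the pinned-fingerprint rule for certificates Apache could not verify are assumptions made for the example.

```python
import base64
import hashlib
import ssl

PROTECTED_PREFIX = "/myapp1"  # assumed: script alias of the protected application

def cert_fingerprint(pem):
    """SHA-256 of the DER form of the PEM certificate Apache puts in SSL_CLIENT_CERT."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

class ClientCertMiddleware(object):
    """Make the access decision that 'SSLVerifyClient optional_no_ca' leaves to the app.

    Apache asks the client for a certificate but does not reject the request when
    chain verification fails; it only reports the outcome in SSL_CLIENT_VERIFY
    (NONE, SUCCESS, GENEROUS or FAILED:<reason>).  Under PROTECTED_PREFIX a request
    passes when Apache verified the chain (SUCCESS) or when the presented
    certificate's fingerprint is explicitly pinned; everything else is refused.
    """

    def __init__(self, app, trusted_fingerprints):
        self.app = app
        self.trusted = set(trusted_fingerprints)

    def __call__(self, environ, start_response):
        if not environ.get("PATH_INFO", "").startswith(PROTECTED_PREFIX):
            return self.app(environ, start_response)  # public path, no check
        verdict = environ.get("SSL_CLIENT_VERIFY", "NONE")
        pem = environ.get("SSL_CLIENT_CERT", "")
        if verdict == "NONE" or not pem:
            return deny(start_response, "401 Unauthorized", "client certificate required")
        # GENEROUS: a certificate was presented but Apache could not verify it
        # (e.g. issued by a CA outside Apache's bundle); trust it only if pinned.
        if verdict == "SUCCESS" or (verdict == "GENEROUS"
                                    and cert_fingerprint(pem) in self.trusted):
            environ["REMOTE_USER"] = environ.get("SSL_CLIENT_S_DN", "")
            return self.app(environ, start_response)
        return deny(start_response, "403 Forbidden", "client certificate rejected: " + verdict)

def deny(start_response, status, reason):
    body = reason.encode("utf-8")
    start_response(status, [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
    return [body]

def hello(environ, start_response):
    """Stand-in for myapp1.wsgi: greets the DN the middleware authenticated."""
    body = ("hello " + environ.get("REMOTE_USER", "anonymous")).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]

def run_request(app, environ):
    """Call a WSGI app directly and return (status, body) for inspection."""
    captured = {}
    body = b"".join(app(environ, lambda status, headers: captured.setdefault("status", status)))
    return captured["status"], body

# Constructed sample: Apache exports the client certificate as PEM; this one is only
# base64 of test bytes, not a real certificate, which is enough to demonstrate pinning.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed test certificate").decode("ascii")
              + "\n-----END CERTIFICATE-----\n")
```

A `FAILED:<reason>` verdict (for instance an expired certificate) is refused even when the fingerprint is pinned, so pinning only bypasses the missing-CA case, not Apache's other checks.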
=== Troubleshooting SSL ===
 1. Start up fails with:
{{{
$ /etc/init.d/apache2 start
Starting httpd2 (prefork) (98)Address already in use: make_sock: could not bind to address [::]:443
}}}
    Check for duplicate `Listen 443` directives in `/etc/apache2/listen.conf` and/or other conf files.  Remove the duplicates and retry.  To check whether there really is another service using that port:
{{{
$ netstat -pan |grep ":443"
}}}
 1. `yast2` has an interface for making Apache settings, including virtual hosts and SSL, but this can delete existing custom config files you have created.
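A small checker for the duplicate `Listen` problem above, added here as an example and not part of the page's setup: it follows `Include` directives from `httpd.conf` the way Apache does and reports every port bound by more than one `Listen`. The `SAMPLE_TREE` conf files are constructed to reproduce the SUSE layout; `load_tree` reads a real `/etc/apache2` into the same form.

```python
import fnmatch
import os
import posixpath
import re

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^\s"]+)', re.IGNORECASE)

def listen_port(arg):
    """Port of a Listen argument: '443', '0.0.0.0:443', '[::]:443' or '<ip>:443'."""
    return arg.rsplit(":", 1)[-1]

def listen_directives(conf_files, start, server_root="/etc/apache2", seen=None):
    """Yield (port, file, lineno) for every Listen reachable from `start`, following
    Include lines (relative paths resolve against server_root, globs against the
    known file names).  <IfDefine SSL> is not evaluated: a2enflag SSL makes those
    blocks active on this setup anyway."""
    seen = set() if seen is None else seen
    if start in seen or start not in conf_files:
        return
    seen.add(start)
    for lineno, line in enumerate(conf_files[start].splitlines(), 1):
        m = LISTEN_RE.match(line)
        if m:
            yield listen_port(m.group(1)), start, lineno
            continue
        m = INCLUDE_RE.match(line)
        if m:
            pattern = m.group(1)
            if not posixpath.isabs(pattern):
                pattern = posixpath.join(server_root, pattern)
            for path in sorted(fnmatch.filter(conf_files, pattern)):
                yield from listen_directives(conf_files, path, server_root, seen)

def duplicate_listens(conf_files, start="/etc/apache2/httpd.conf"):
    """Map each port bound by more than one Listen to its 'file:line' locations."""
    by_port = {}
    for port, path, lineno in listen_directives(conf_files, start):
        by_port.setdefault(port, []).append("%s:%d" % (path, lineno))
    return {port: locs for port, locs in by_port.items() if len(locs) > 1}

def load_tree(root="/etc/apache2"):
    # Read a real configuration directory into the {path: text} form used above.
    tree = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                tree[path] = fh.read()
    return tree

# Constructed sample of the SUSE layout: httpd.conf pulls in listen.conf and every
# vhosts.d/*.conf; vhost-ssl.conf repeats the Listen 443 that listen.conf already
# provides, which is what produces the bind error shown above.
SAMPLE_TREE = {
    "/etc/apache2/httpd.conf": "Include /etc/apache2/listen.conf\n"
                               "Include /etc/apache2/vhosts.d/*.conf\n",
    "/etc/apache2/listen.conf": "Listen 80\n<IfDefine SSL>\n    Listen 443\n</IfDefine>\n",
    "/etc/apache2/vhosts.d/ip-based_vhosts.conf": "<VirtualHost <fqdn>:80>\n</VirtualHost>\n",
    "/etc/apache2/vhosts.d/vhost-ssl.conf": "Listen 443\n<VirtualHost <fqdn>:443>\n</VirtualHost>\n",
}
```

On a live host run `duplicate_listens(load_tree())`; an empty result means the bind error comes from another process, which is the `netstat` case above.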


=== Troubleshooting Python ===
 1. Shared library not found:
{{{
$ /usr/local/bin/python
/usr/local/bin/python: error while loading shared libraries: libpython2.5.so.1.0: cannot open shared object file: No such file or directory
}}}
 1. Run `ldconfig` to update the shared library paths:
{{{
$ ldconfig
}}}
    Rerun Python to make sure the changes have taken effect.

=== mod_wsgi module build and installation ===
 1. Download and unpack the latest (version 3.1 as of 01/03/2010) source:
    {{{
$ wget http://modwsgi.googlecode.com/files/mod_wsgi-3.1.tar.gz
$ tar zxvf mod_wsgi-3.1.tar.gz
    }}}
 1. Configure and build, making sure to link against the Apache installation just completed.  '''If building against Apache built from source, use `/usr/local/apache2/bin/apxs` (SUSE 10.3); if using the SUSE-built Apache package (SUSE 11.2), use `/usr/sbin/apxs-prefork`''':
    {{{
$ cd mod_wsgi-3.1
$ ./configure --with-apxs=/usr/local/apache2/bin/apxs
$ make
$ sudo make install
$ make clean
    }}}
    Note that the configure call defaults to the current python executable in the `PATH`.  In this case `/usr/bin/python`:
    {{{
$ /usr/bin/python -V
Python 2.5.1
    }}}
==== Troubleshooting ====
 1. `mpm.h` not found with the SUSE build:
{{{
/usr/include/apache2/mpm_common.h:46:17: error: mpm.h: No such file or directory
}}}
    Make sure to use `apxs-prefork` or `apxs-worker`:
{{{
$ ./configure --with-apxs=/usr/sbin/apxs2-prefork --with-python=/usr/local/bin/python
}}}
    Ref: http://code.google.com/p/modwsgi/wiki/QuickInstallationGuide
 1. `make` fails to link mod_wsgi against the 64-bit Python library because Python was built as a static archive with no shared object.  The output is this or something similar:
{{{
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -o mod_wsgi.la  -rpath /usr/lib64/apache2-prefork -module -avoid-version    mod_wsgi.lo -L/usr/local/lib -L/usr/local/lib/python2.5/config -lpython2.5 -lpthread -ldl -lutil -lm
/usr/lib64/gcc/x86_64-suse-linux/4.4/../../../../x86_64-suse-linux/bin/ld: /usr/local/lib/python2.5/config/libpython2.5.a(abstract.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC
/usr/local/lib/python2.5/config/libpython2.5.a: could not read symbols: Bad value
}}}
    Rebuild Python with the shared library option:
{{{
$ ./configure --enable-shared
}}}
    See: http://code.google.com/p/modwsgi/wiki/QuickInstallationGuide

=== Configuration ===
 1. Add the WSGI module to the configuration.  This varies between distributions.  With SUSE, the `a2enmod` script can be used:
    {{{
$ a2enmod wsgi
    }}}
 1. Ensure the Python 2.5 library paths are picked up.  Although `mod_wsgi` has been built against Python 2.5, it may still be necessary to force it to pick up the Python 2.5 library paths.  The `WSGIPythonHome` directive sets the Python prefix so that this can be enforced.  It should be placed outside any `VirtualHost` entry, e.g. in `/etc/apache2/httpd.conf`:
    {{{
WSGIPythonHome /usr/local
    }}}
 1. Set a `Directory` directive for the WSGI scripts directory in the <fqdn> virtual host section in `/etc/apache2/vhosts.d/ip-based_vhosts.conf`:
    {{{
    # Public area for placing WSGI scripts to be exposed outside
    <Directory /srv/www/vhosts/<fqdn>/wsgi-scripts>
        Order allow,deny
        Allow from all
    </Directory>
    }}}
 1. Run mod_wsgi in daemon mode so that the applications run in separate processes and threads (these lines go inside the virtual host section):
    {{{
    WSGIDaemonProcess my-services processes=2 threads=15 display-name=%{GROUP}
    WSGIProcessGroup my-services

    # Test WSGI App
    WSGIScriptAlias /hello /srv/www/vhosts/<fqdn>/wsgi-scripts/test.wsgi
</VirtualHost>
    }}}
 1. Make a WSGI scripts directory as referred to above:
    {{{
$ mkdir /srv/www/vhosts/<fqdn>/wsgi-scripts
    }}}
 1. Make a test application to try it all out:
    {{{
$ cat > /srv/www/vhosts/<fqdn>/wsgi-scripts/test.wsgi
def application(environ, start_response):
    import sys
    # Goes to the Apache error log: shows which Python prefix mod_wsgi is using
    print >>sys.stderr, "Python sys.prefix=%s" % sys.prefix

    status = '200 OK'
    output = 'Hello World!'

    response_headers = [('Content-type', 'text/plain'),
                        ('Content-Length', str(len(output)))]
    start_response(status, response_headers)

    return [output]
    }}}
    NB: the print statement enables checking in the system log that the `WSGIPythonHome` setting has worked and that the value really is `/usr/local`.  If not, the application will load the ''wrong'' Python libraries.
 1. Set execute permissions:
    {{{
$ chmod 755 /srv/www/vhosts/<fqdn>/wsgi-scripts/test.wsgi
    }}}
 1. Restart Apache:
    {{{
$ /etc/init.d/apache2 restart
    }}}
 1. Try out the script in a browser by typing in the URL http://<fqdn>/hello.  `Hello World!` should be output on the browser page.
 1. Remove the entry from the conf file and restart Apache once testing is complete.

=== Services Configuration ===
Separate service configuration files provide a convenient means to manage the services being deployed.
 1. Create a separate user account for running the services:
    {{{
$ groupadd wsgi-apache
$ useradd -c "mod_wsgi user" -g wsgi-apache wsgi-apache
    }}}
 1. Create the service configuration:
    {{{
$ mkdir /etc/apache2/services
$ cat > /etc/apache2/services/services.conf

# Applications to be protected by NDG Security
WSGIDaemonProcess my-services processes=2 threads=15 display-name=%{GROUP} python-eggs=/srv/www/vhosts/<fqdn>/wsgi-scripts/.python-eggs user=wsgi-apache group=wsgi-apache

WSGIProcessGroup my-services
WSGIScriptAlias /myapp1 "/srv/www/vhosts/<fqdn>/wsgi-scripts/myapp1.wsgi"

WSGIProcessGroup my-services
WSGIScriptAlias /myapp2 "/srv/www/vhosts/<fqdn>/wsgi-scripts/myapp2.wsgi"
    }}}
    NB: each service will need the necessary script set up and configured.  The configuration files will need to be readable by the `wsgi-apache` user.
 1. Add to `/etc/apache2/vhosts.d/ip-based_vhosts.conf`:
    {{{
Include /etc/apache2/services/services.conf
    }}}
     341 1. Create service configuration.   
     342    {{{ 
     343$ mkdir /etc/apache/services 
     344$ cat > /etc/apache/services/services.conf 
     345 
     346# Applications to be protected by NDG Security 
     347WSGIDaemonProcess my-services processes=2 threads=15 display-name=%{GROUP} python-eggs=/srv/www/vhosts/<fqdn>/wsgi-scripts/.python-eggs user=wsgi-a 
     348pache group=wsgi-apache 
     349 
     350WSGIProcessGroup my-services 
     351WSGIScriptAlias /myapp1 "/srv/www/vhosts/<fqdn>/wsgi-scripts/myapp1.wsgi" 
     352 
     353WSGIProcessGroup my-services 
     354WSGIScriptAlias /myapp2 "/srv/www/vhosts/<fqdn>/wsgi-scripts/myapp2.wsgi" 
     355    }}} 
     356    Nb. each service will need the necessary script set up and configuration.  Configuration files will need to be readable by the `wsgi-apache` user. 
     357 1. Add to `/etc/apache2/vhosts.d/ip-based_vhosts.conf`: 
     358    {{{ 
     359Include /etc/apache2/services/services.conf 
     360    }}} 
     361