Described by KA on Nov 21st, 2017. (Ed on SSL: Sep 12, 2018)

OLD nodus etc / export

Backups of the old nodus configurations are found in /cvs/cds/caltech/nodus_backup .

Some useful locations:

Old apache configurations

cd /cvs/cds/caltech/nodus_backup/etc/apache2

iptables

The firewall of nodus is now configured via shorewall, which produces the commands for iptables. Note: shorewall is (sort of) a wrapper for iptables and is not a daemon.

On May 31, 2018, Jonathan Hanks and Koji Arai set up shorewall to configure iptables automatically when the machine boots (although this was not tested).

The following command manually turns on the firewall settings:

sudo systemctl start shorewall

More info about Shorewall on nodus

Apache

Global settings

- To work with the server daemon, use the systemctl command.

sudo systemctl (start|restart|stop|status) httpd

- All apache settings can be found in /etc/httpd .

- The main config file is in /etc/httpd/conf/ . This takes care of the global settings of the web service.

- PHP is required for dokuwikis, so it was installed. The php configuration needs more careful investigation later.

sudo yum -y install php

SSL

- /etc/httpd/conf.d/ has sub config files. Only ssl.conf was reviewed. This config has the following line:

SSLPassPhraseDialog exec:/etc/httpd/passphrase.sh

The corresponding script can be found at /etc/httpd/passphrase.sh .

- SSL certificates were copied from the old backup. They are located in /etc/httpd/ssl, so each https site should have the following directives in its VirtualHost:

SSLCertificateFile /etc/httpd/ssl/nodus.ligo.caltech.edu.crt
SSLCertificateKeyFile /etc/httpd/ssl/nodus.ligo.caltech.edu.key

Notes on Sep 12, 2018 (KA)

LIGO GC notified us that nodus still had SSL 2.0 and SSL 3.0 enabled on the web servers, so the following line was added to /etc/httpd/sites-available/elog.conf, /etc/httpd/sites-available/nodus30889_secure.conf, and /etc/httpd/conf.d/ssl.conf:

SSLProtocol All -SSLv2 -SSLv3

Then the configuration syntax was checked by

sudo apachectl configtest

and apache was restarted by

sudo apachectl restart

This change disabled SSL 2.0/3.0 on ports 8081 and 30889. This can be confirmed by the following command on a remote machine:

echo x | openssl s_client -ssl3 -connect nodus.ligo.caltech.edu:8081

(Replace "8081" with the port number to test.)

The response before the modification:

echo x | openssl s_client -ssl3 -connect nodus.ligo.caltech.edu:30889
CONNECTED(00000003)
depth=0 C = US, postalCode = 91125, ST = CA, L = Pasadena, street = 1200 E. California Blvd., O = California Institute of Technology, OU = Laser Interferometer Gravitational-Wave Observatory, CN = nodus.ligo.caltech.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, postalCode = 91125, ST = CA, L = Pasadena, street = 1200 E. California Blvd., O = California Institute of Technology, OU = Laser Interferometer Gravitational-Wave Observatory, CN = nodus.ligo.caltech.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/postalCode=91125/ST=CA/L=Pasadena/street=1200 E. California Blvd./O=California Institute of Technology/OU=Laser Interferometer Gravitational-Wave Observatory/CN=nodus.ligo.caltech.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFujCCBKKgAwIBAgIRAO52qPrXrjinkCIoR9oCkUkwDQYJKoZIhvcNAQELBQAw
...

The response after the modification:

---
~$ echo x | openssl s_client -ssl3 -connect nodus.ligo.caltech.edu:8081
CONNECTED(00000003)
140736103068680:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
140736103068680:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
....


~$ echo x | openssl s_client -ssl3 -connect nodus.ligo.caltech.edu:30889
CONNECTED(00000003)
140736103068680:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
140736103068680:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
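The check above, scripted so that every port and protocol version can be tested in one run instead of read by eye. This is an added example, not a script from the wiki page; classify_s_client, probe_protocol and scan_ports are hypothetical helper names, and the sample outputs are constructed abbreviations of the responses recorded above.

```shell
#!/bin/sh
# Added example (not from the wiki page): classify the output of
# "echo x | openssl s_client -<proto> -connect host:port" and loop it
# over the ports that were changed.

# classify_s_client OUTPUT -> prints ACCEPTED, REJECTED or UNKNOWN.
# A rejected protocol shows a handshake alert and no peer certificate;
# an accepted one prints the server's certificate chain. Anything else,
# e.g. "unknown option -ssl3" from an openssl built without SSLv3, is UNKNOWN.
classify_s_client() {
    case "$1" in
        *"alert handshake failure"*|*"no peer certificate available"*|*"unsupported protocol"*|*"wrong version number"*)
            echo REJECTED ;;
        *"Certificate chain"*)
            echo ACCEPTED ;;
        *)
            echo UNKNOWN ;;
    esac
}

# probe_protocol HOST:PORT PROTOFLAG -> verdict for a live server.
# Needs network access; the assertions use captured output instead.
probe_protocol() {
    out=$(echo x | openssl s_client "$2" -connect "$1" 2>&1)
    classify_s_client "$out"
}

# scan_ports PORT... -> one line per port and protocol, e.g. "8081 -ssl3 REJECTED".
scan_ports() {
    host=${HOST:-nodus.ligo.caltech.edu}
    for port in "$@"; do
        for proto in -ssl3 -tls1 -tls1_1 -tls1_2; do
            printf '%s %s %s\n' "$port" "$proto" \
                "$(probe_protocol "$host:$port" "$proto")"
        done
    done
}

# Constructed samples, abbreviated from the before/after responses above.
SAMPLE_BEFORE='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=California Institute of Technology/CN=nodus.ligo.caltech.edu
---'
SAMPLE_AFTER='CONNECTED(00000003)
140736103068680:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
---
no peer certificate available
---'
```

Run `scan_ports 8081 30889` from a remote machine; after the change every -ssl3 row should read REJECTED while the TLS rows stay ACCEPTED.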

Site files

- The actual web site settings are found in /etc/httpd/site-enabled . This folder should have symbolic links to the corresponding files in site-available. The important files are elog.conf and nodus30889_secure.conf for now. The SVN setting should be added later.

- The site on port 30889 is configured by nodus30889_secure.conf. This is a normal web server serving the files in /export/home, not in /users/public_html! To add a folder to the web, make a link to the folder in /export/home and add a corresponding Directory entry in nodus30889_secure.conf.

- elog.conf takes care of redirecting and proxying 8081 (https) to 8080. The line Header add Strict-Transport-Security "max-age=0" is important so that client browsers do not remember 8080 as https.

- svn.conf takes care of svn. In this file, the locations of the authentication files are specified:

    AuthUserFile /export/svn/.svn-auth-file
    AuthzSVNAccessFile /export/svn/svn.authz

These files are copied from the old svn backup.

elogd

- The new executable was installed (via RPM by Rana) at /usr/local/sbin. The nominal setting files are in /export/elog/elog-common.

- The current (best) elog starting script is /export/elog/startELOGD.sh. This does not kill a running process; some more sophisticated mechanism (as before) will be useful. Note that the 8080 port has to be opened manually for this to work (see the iptables section above).

- Riddle: elogd does not want to use the themes in /export/elog/elog-common no matter how this directory is specified for the resource dir. The only workable setup right now is to specify the resource directory as

Resource dir = /usr/local/elog

in the main config file /export/elog/elog-common/elogd.cfg.

SVN

Installation

SVN installation

sudo yum install subversion mod_dav_svn

Repository migration

To create a repository from an existing repository, we can't just copy the files; we need to use a dump file created by svnadmin. This can be done for an existing svn repository on the new system.

Dumping

cd /home/export/svn
sudo svnadmin dump ./ > ../svndump

Create a new repository

cd /home/export
sudo mv svn svn_old
sudo svnadmin create svn

Loading

cd /home/export
sudo svnadmin load ./svn < svndump
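The dump/create/load steps above wrapped in a function that also verifies the source and the result, as an added example that is not a script from the wiki page. migrate_repo and same_youngest are hypothetical helper names; the block assumes svnadmin and svnlook from the subversion package are installed.

```shell
#!/bin/sh
# Added example, not a script from the wiki page: the dump/load migration
# above, with integrity checks before and after.
# Assumes svnadmin and svnlook (subversion package) are installed.
# Run it as root: with "sudo svnadmin dump ... > file" the redirection is
# done by the unprivileged shell, a common source of permission errors.

# migrate_repo OLD_REPO NEW_REPO DUMPFILE -> 0 on success, 1 on any failure.
migrate_repo() {
    old_repo=$1; new_repo=$2; dumpfile=$3
    [ ! -e "$new_repo" ] || { echo "refusing to overwrite $new_repo" >&2; return 1; }
    svnadmin verify -q "$old_repo" || return 1        # do not migrate a corrupt source
    svnadmin dump -q "$old_repo" > "$dumpfile" || return 1
    svnadmin create "$new_repo" || return 1
    svnadmin load -q "$new_repo" < "$dumpfile" || return 1
    svnadmin verify -q "$new_repo" || return 1       # the loaded copy must verify too
}

# same_youngest REPO_A REPO_B -> 0 if both have the same youngest revision,
# the quickest check that no revision was lost in the load.
same_youngest() {
    [ "$(svnlook youngest "$1")" = "$(svnlook youngest "$2")" ]
}
```

After a successful migrate_repo, the new repository still needs ownership and permissions that the httpd process can use, which the dump/load does not carry over.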

Apache setting

- See above (Site files).

svn server daemon

We don't need to run "svnserve" to use the WebDAV interface.

- To launch the svn server, run the following command:

sudo svnserve -d

This allows access with the usual svn command from remote machines, as well as via https://nodus.ligo.caltech.edu:30889/svn/.

websvn

- Download the latest distribution

cd /cvs/cds/caltech/users/public_html
wget http://websvn.tigris.org/files/documents/1380/49056/websvn-2.3.3.tar.gz
tar zxvf websvn-2.3.3.tar.gz

- Expose the downloaded files as "websvn"

cd /export/home
ln -s /cvs/cds/caltech/users/public_html/websvn-2.3.3 ./websvn

- Edit configuration to specify the location of the repository

cd websvn/include
mv distconfig.php config.php
emacs -nw config.php

Add the following line right after "// Local repositories (without and with optional group)":

$config->addRepository('40m SVN', 'file:///export/svn/', NULL, 'svn40m', '0p2iCs');

NodusUpgradeNov2017 (last edited 2018-09-13 05:48:45 by KojiaraiATligoDOTorg)