|
Size: 4121
Comment:
|
← Revision 33 as of 2018-09-13 05:48:45 ⇥
Size: 8440
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| <<TableOfContents(4)>> Described by KA on Nov 21st, 2017. (Ed on SSL: Sep 12, 2018) == OLD nodus etc / export == Backup of the old nodus configurations are found in {{{/cvs/cds/caltech/nodus_backup}}} . Some useful locations: Old apache configurations {{{ cd /cvs/cds/caltech/nodus_backup/etc/apache2 }}} == iptables == Firewall setting of nodus is now configured via '''shorewall'''. Shorewall produces the commands for iptables. Note: shorewall is a (sort of a) wapper for iptables, and is not a daemon. On May 31, 2018, Jonathan Hanks and Koji Arai setup shorewall to set the iptables automatically when the machine is booted (although this was not tested). The following command is to manually turn on the firewall settings {{{ sudo systemctl start shorewall }}} More info about [[NodusShorewallSetting|Shorewall on nodus]] |
|
| Line 3: | Line 36: |
| - I first tried a simplest setting as possible. I installed elinks, a text based browser, to test the local access to the web. And the server worked locally but not remotely. It seemed that the ports were not open. - A command "iptables" is the way to make specific ports available. - This required to specify correct interface name. This could be checked with "ifconfig -a". nodus has two ethernet I/Fs. i.e. enp1s0f0 and enp1s0f1 - Therefore the commands are like the following: {{{ iptables -I INPUT 5 -i enp1s0f0 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 6 -i enp1s0f1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 7 -i enp1s0f0 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 8 -i enp1s0f1 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 9 -i enp1s0f0 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 10 -i enp1s0f1 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT }}} - Check the iptable status. 5 to 0 are the new entries. NOTE that this modification is not permanent yet. We need to run the above commands everytime we reboot the host. {{{ # iptables -vnL INPUT --line Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination> 1 532K 1294M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 2 62 3808 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 3 3378K 1896M INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0 4 3378K 1896M INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0 5 0 0 ACCEPT tcp -- enp1s0f0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW,ESTABLISHED 6 8 512 ACCEPT tcp -- enp1s0f1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW,ESTABLISHED 7 0 0 ACCEPT tcp -- enp1s0f0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30889 state NEW,ESTABLISHED 8 5 320 ACCEPT tcp -- enp1s0f1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30889 state NEW,ESTABLISHED 9 3378K 1896M INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0 10 113 4814 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID 11 3273K 1869M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited }}} - Now I configured non-SSL version of 30889 server. This was done by /etc/httpd/sites-available/nodus30889_nosecure.conf and the symbolic link of it in /etc/httpd/sites-enabled. - I realized that we need php for dokuwikis. It was installed. Maybe we need more careful configuration of php later. > sudo yum -y install php - To work with the server daemon, use systemctl command. Currently the server is not running. > sudo systemctl (start|restart|stop|status) httpd |
=== Global settings === - To work with the server daemon, use systemctl command. {{{ sudo systemctl (start|restart|stop|status) httpd }}} - All apache setting can be found in {{{/etc/httpd}}} . - The main config file is {{{/etc/httpd/conf/}}} . This takes care the global setting of the web service. - PHP is required for dokuwikis. So it was installed. We need more careful investigation of the php configuration later. {{{ sudo yum -y install php }}} === SSL === - {{{/etc/httpd/conf.d/}}} has sub config files. Only ssl.conf was reviewed. This config has the following line. {{{ SSLPassPhraseDialog exec:/etc/httpd/passphrase.sh }}} And the corresponding file can be found as {{{/etc/httpd/passphrase.sh}}} . - SSL Certificates were copied from the old backup. They are located in {{{/etc/httpd/ssl}}}. So each '''https''' sites should have the following directives in each {{{VirtualHost}}}. {{{ SSLCertificateFile /etc/httpd/ssl/nodus.ligo.caltech.edu.crt SSLCertificateKeyFile /etc/httpd/ssl/nodus.ligo.caltech.edu.key }}} ==== Notes on Sep 12, 2018 (KA) ==== LIGO GC notified that nodus had SSL2.0 and SSL3.0 still available on the web servers. So the following line was added to {{{/etc/httpd/sites-available/elog.conf}}}, {{{/etc/httpd/sites-available/nodus30889_secure.conf}}}, and {{{/etc/httpd/conf.d/ssl.conf}}} {{{ SSLProtocol All -SSLv2 -SSLv3 }}} Then, the configuration symtax was checked by {{{ sudo apachectl configtest }}} and the apache was restarted by {{{ sudo apachectl restart }}} This change stopped the SSL 2.0/3.0 on the port 8081 and 30889. This can be confirmed by the following commands on a remote machine: {{{ echo x | openssl s_client -ssl3 -connect nodus.ligo.caltech.edu:8081 }}} ("8081" should be changed to a port number to test). '''The response before the modification''' {{{ echo x | openssl s_client -ssl3 -connect nodus.ligo.caltech.edu:30889 CONNECTED(00000003) depth=0 C = US, postalCode = 91125, ST = CA, L = Pasadena, street = 1200 E. California Blvd., O = California Institute of Technology, OU = Laser Interferometer Gravitational-Wave Observatory, CN = nodus.ligo.caltech.edu verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = US, postalCode = 91125, ST = CA, L = Pasadena, street = 1200 E. California Blvd., O = California Institute of Technology, OU = Laser Interferometer Gravitational-Wave Observatory, CN = nodus.ligo.caltech.edu verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/postalCode=91125/ST=CA/L=Pasadena/street=1200 E. California Blvd./O=California Institute of Technology/OU=Laser Interferometer Gravitational-Wave Observatory/CN=nodus.ligo.caltech.edu i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA --- Server certificate -----BEGIN CERTIFICATE----- MIIFujCCBKKgAwIBAgIRAO52qPrXrjinkCIoR9oCkUkwDQYJKoZIhvcNAQELBQAw ... }}} '''The response after the modification''' {{{ --- ~$ echo x | openssl s_client -ssl3 -connect nodus.ligo.caltech.edu:8081 CONNECTED(00000003) 140736103068680:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40 140736103068680:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659: --- no peer certificate available --- No client certificate CA names sent .... ~$ echo x | openssl s_client -ssl3 -connect nodus.ligo.caltech.edu:30889 CONNECTED(00000003) 140736103068680:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40 140736103068680:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659: --- no peer certificate available --- No client certificate CA names sent }}} === Site files === - The actual web site settings are found in {{{/etc/httpd/site-enabled}}} . '''This folder should have symbolic links to the corresponding files in''' {{{site-available}}}. The important files are {{{elog.conf}}} and {{{nodus30889_secure.conf}}} for now. SVN setting should be added later. - The site on the port 30889 is configured by {{{nodus30889_secure.conf}}}. This is a normal web server looking at the files in {{{/export/home}}}, not in {{{/users/public_html}}}!. One who wants to add a folder to the web is to make a link to the folder in {{{/export/home}}} and add a corresponding {{{Directory}}} entry in {{{nodus30889_secure.conf}}}. - {{{elog.conf}}} takes care of redirecting and proxy of 8081 (https) to 8080. The line {{{Header add Strict-Transport-Security "max-age=0"}}} is important so that the client browsers '''does not''' remember 8080 as https. - {{{svn.conf}}} takes care of svn. In this file, the location of the authentication files are speficied. {{{ AuthUserFile /export/svn/.svn-auth-file AuthzSVNAccessFile /export/svn/svn.authz }}} These files are copied from the old svn backup. |
| Line 49: | Line 160: |
| - The new executable seemed installed at /usr/local/sbin. The setting files are in /export/elog. - The current (best) elog staring script is /export/elog/startELOGD.sh. - By disabling 8081 secure elog thing, the elog is running at the port 8080. However, the elogd does not want to use the themes in /export/elog/elog-common no matter how this directory is specified for the resource dir. The only workable setup right now is to speficy the resource directory as |
- The new executable was installed (via RPM by Rana) at /usr/local/sbin. The nominal setting files are in /export/elog/elog-common. - The current (best) elog staring script is /export/elog/startELOGD.sh. '''This does not kill running process. Some sophisticated mechanism (as before) will be useful. ''' ''Note that the 8080 port has to be opened manually for this to work - see iptables section above.'' - '''Riddle:''' {{{elogd}}} does not want to use the themes in /export/elog/elog-common no matter how this directory is specified for the resource dir. The only workable setup right now is to speficy the resource directory as {{{ |
| Line 55: | Line 168: |
| in /export/elog/elog-common/elogd.cfg - This is not the perfect solution but this allows us to use the elog. There is no true secure password for the elog, this is OK for today, I guess? We need more investigation on the theme and the SSL version of the elog (i.e. port 8081). cd /cvs/cds/caltech/nodus_backup/etc/apache2 ELOG CFG URL = https://nodus.ligo.caltech.edu:8081/ |
}}} in the main config file {{{/export/elog/elog-common/elogd.cfg}}}. |
| Line 68: | Line 174: |
| sudo yum install subversion | === Installation === SVN installation {{{ sudo yum install subversion mod_dav_svn }}} === Repository migration === To create a repository from an existing repository: We can't just copy the files. We need to use a dump file created by svnadmin. This can be done for an existing svn repository in the new system. '''Dumping''' {{{ cd /home/export/svn sudo svnadmin dump ./ > ../svndump }}} '''Create a new repository''' {{{ cd /home/export sudo mv svn svn_old sudo svnadmin create svn }}} '''Loading''' {{{ cd /home/export sudo svnadmin load ./svn < svndump }}} === Apache setting === - See above ([[https://wiki-40m.ligo.caltech.edu/NodusUpgradeNov2017#Site_files |Site files]]). === svn server daemon === We don't need to run "svnserve" to use WEBDAV interface. - --('''To launch svn server run the following command ''')-- --(sudo svnserve -d)-- --(This allows us to access to the usual svn command from remote and [[https://nodus.ligo.caltech.edu:30889/svn/]]. )-- === websvn === - Download the latest distribution {{{ cd /cvs/cds/caltech/users/public_html wget http://websvn.tigris.org/files/documents/1380/49056/websvn-2.3.3.tar.gz tar zxvf websvn-2.3.3.tar.gz }}} - Expose the downloaded file as "websvn" {{{ cd /export/home ln -s /cvs/cds/caltech/users/public_html/websvn-2.3.3 ./websvn }}} - Edit configuration to specify the location of the repository {{{ cd websvn/include mv distconfig.php config.php emacs -nw config.php }}} Add the following line right next to "// Local repositories (without and with optional group)" {{{ $config->addRepository('40m SVN', 'file:///export/svn/', NULL, 'svn40m', '0p2iCs'); }}} |
Contents
Described by KA on Nov 21st, 2017. (Ed on SSL: Sep 12, 2018)
OLD nodus etc / export
Backup of the old nodus configurations are found in /cvs/cds/caltech/nodus_backup .
Some useful locations:
Old apache configurations
cd /cvs/cds/caltech/nodus_backup/etc/apache2
iptables
Firewall setting of nodus is now configured via shorewall. Shorewall produces the commands for iptables. Note: shorewall is a (sort of a) wapper for iptables, and is not a daemon.
On May 31, 2018, Jonathan Hanks and Koji Arai setup shorewall to set the iptables automatically when the machine is booted (although this was not tested).
The following command is to manually turn on the firewall settings
sudo systemctl start shorewall
More info about Shorewall on nodus
Apache
Global settings
- To work with the server daemon, use systemctl command.
sudo systemctl (start|restart|stop|status) httpd
- All apache setting can be found in /etc/httpd .
- The main config file is /etc/httpd/conf/ . This takes care the global setting of the web service.
- PHP is required for dokuwikis. So it was installed. We need more careful investigation of the php configuration later.
sudo yum -y install php
SSL
- /etc/httpd/conf.d/ has sub config files. Only ssl.conf was reviewed. This config has the following line.
SSLPassPhraseDialog exec:/etc/httpd/passphrase.sh
And the corresponding file can be found as /etc/httpd/passphrase.sh .
- SSL Certificates were copied from the old backup. They are located in /etc/httpd/ssl. So each https sites should have the following directives in each VirtualHost.
SSLCertificateFile /etc/httpd/ssl/nodus.ligo.caltech.edu.crt SSLCertificateKeyFile /etc/httpd/ssl/nodus.ligo.caltech.edu.key
Notes on Sep 12, 2018 (KA)
LIGO GC notified that nodus had SSL2.0 and SSL3.0 still available on the web servers. So the following line was added to /etc/httpd/sites-available/elog.conf, /etc/httpd/sites-available/nodus30889_secure.conf, and /etc/httpd/conf.d/ssl.conf
SSLProtocol All -SSLv2 -SSLv3
Then, the configuration symtax was checked by
sudo apachectl configtest
and the apache was restarted by
sudo apachectl restart
This change stopped the SSL 2.0/3.0 on the port 8081 and 30889. This can be confirmed by the following commands on a remote machine:
echo x | openssl s_client -ssl3 -connect nodus.ligo.caltech.edu:8081
("8081" should be changed to a port number to test).
The response before the modification
echo x | openssl s_client -ssl3 -connect nodus.ligo.caltech.edu:30889 CONNECTED(00000003) depth=0 C = US, postalCode = 91125, ST = CA, L = Pasadena, street = 1200 E. California Blvd., O = California Institute of Technology, OU = Laser Interferometer Gravitational-Wave Observatory, CN = nodus.ligo.caltech.edu verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = US, postalCode = 91125, ST = CA, L = Pasadena, street = 1200 E. California Blvd., O = California Institute of Technology, OU = Laser Interferometer Gravitational-Wave Observatory, CN = nodus.ligo.caltech.edu verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/postalCode=91125/ST=CA/L=Pasadena/street=1200 E. California Blvd./O=California Institute of Technology/OU=Laser Interferometer Gravitational-Wave Observatory/CN=nodus.ligo.caltech.edu i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA --- Server certificate -----BEGIN CERTIFICATE----- MIIFujCCBKKgAwIBAgIRAO52qPrXrjinkCIoR9oCkUkwDQYJKoZIhvcNAQELBQAw ...
The response after the modification
--- ~$ echo x | openssl s_client -ssl3 -connect nodus.ligo.caltech.edu:8081 CONNECTED(00000003) 140736103068680:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40 140736103068680:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659: --- no peer certificate available --- No client certificate CA names sent .... ~$ echo x | openssl s_client -ssl3 -connect nodus.ligo.caltech.edu:30889 CONNECTED(00000003) 140736103068680:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40 140736103068680:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659: --- no peer certificate available --- No client certificate CA names sent
Site files
- The actual web site settings are found in /etc/httpd/site-enabled . This folder should have symbolic links to the corresponding files in site-available. The important files are elog.conf and nodus30889_secure.conf for now. SVN setting should be added later.
- The site on the port 30889 is configured by nodus30889_secure.conf. This is a normal web server looking at the files in /export/home, not in /users/public_html!. One who wants to add a folder to the web is to make a link to the folder in /export/home and add a corresponding Directory entry in nodus30889_secure.conf.
- elog.conf takes care of redirecting and proxy of 8081 (https) to 8080. The line Header add Strict-Transport-Security "max-age=0" is important so that the client browsers does not remember 8080 as https.
- svn.conf takes care of svn. In this file, the location of the authentication files are speficied.
AuthUserFile /export/svn/.svn-auth-file
AuthzSVNAccessFile /export/svn/svn.authzThese files are copied from the old svn backup.
elogd
- The new executable was installed (via RPM by Rana) at /usr/local/sbin. The nominal setting files are in /export/elog/elog-common.
- The current (best) elog staring script is /export/elog/startELOGD.sh. This does not kill running process. Some sophisticated mechanism (as before) will be useful. Note that the 8080 port has to be opened manually for this to work - see iptables section above.
- Riddle: elogd does not want to use the themes in /export/elog/elog-common no matter how this directory is specified for the resource dir. The only workable setup right now is to speficy the resource directory as
Resource dir = /usr/local/elog
in the main config file /export/elog/elog-common/elogd.cfg.
SVN
Installation
SVN installation
sudo yum install subversion mod_dav_svn
Repository migration
To create a repository from an existing repository: We can't just copy the files. We need to use a dump file created by svnadmin. This can be done for an existing svn repository in the new system.
Dumping
cd /home/export/svn sudo svnadmin dump ./ > ../svndump
Create a new repository
cd /home/export sudo mv svn svn_old sudo svnadmin create svn
Loading
cd /home/export sudo svnadmin load ./svn < svndump
Apache setting
- See above (Site files).
svn server daemon
We don't need to run "svnserve" to use WEBDAV interface.
- To launch svn server run the following command
sudo svnserve -d
This allows us to access to the usual svn command from remote and https://nodus.ligo.caltech.edu:30889/svn/.
websvn
- Download the latest distribution
cd /cvs/cds/caltech/users/public_html wget http://websvn.tigris.org/files/documents/1380/49056/websvn-2.3.3.tar.gz tar zxvf websvn-2.3.3.tar.gz
- Expose the downloaded file as "websvn"
cd /export/home ln -s /cvs/cds/caltech/users/public_html/websvn-2.3.3 ./websvn
- Edit configuration to specify the location of the repository
cd websvn/include mv distconfig.php config.php emacs -nw config.php
Add the following line right next to "// Local repositories (without and with optional group)"
$config->addRepository('40m SVN', 'file:///export/svn/', NULL, 'svn40m', '0p2iCs');