Differences between revisions 6 and 9 (spanning 3 versions)
Revision 6 as of 2017-11-22 00:38:49
Size: 7265
Comment:
Revision 9 as of 2017-11-22 01:31:05
Size: 6567
Comment:
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:

Described by KA on Nov 21st, 2017.
Line 61: Line 63:
- This command makes the change permanent.'''This command has already been run'''.
{{{
iptables-save > /etc/sysconfig/iptables
}}}
Line 63: Line 70:
- Tried a simplest setting as possible. I installed elinks, a text based browser, to test the local access to the web. And the server worked locally but not remotely. It seemed that the ports were not open. === Global settings ===
Line 65: Line 72:
- A command "iptables" is the way to make specific ports available.

- This required to specify correct interface name. This could be checked with "ifconfig -a". nodus has two ethernet I/Fs. i.e. enp1s0f0 and enp1s0f1

- Therefore the commands are like the following:
- To work with the server daemon, use systemctl command.
Line 72: Line 75:
iptables -I INPUT 5 -i enp1s0f0 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 6 -i enp1s0f1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 7 -i enp1s0f0 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 8 -i enp1s0f1 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 9 -i enp1s0f0 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 10 -i enp1s0f1 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo systemctl (start|restart|stop|status) httpd
Line 80: Line 78:
- Check the iptable status. 5 to 0 are the new entries. NOTE that this modification is not permanent yet. We need to run the above commands everytime we reboot the host. - All apache setting can be found in {{{/etc/httpd}}} .

- The main config file is {{{/etc/httpd/conf/}}} . This takes care the global setting of the web service.

- PHP is required for dokuwikis. So it was installed. We need more careful investigation of the php configuration later.
Line 83: Line 85:
# iptables -vnL INPUT --line
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination>
1 532K 1294M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 62 3808 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 3378K 1896M INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 3378K 1896M INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT tcp -- enp1s0f0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW,ESTABLISHED
6 8 512 ACCEPT tcp -- enp1s0f1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW,ESTABLISHED
7 0 0 ACCEPT tcp -- enp1s0f0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30889 state NEW,ESTABLISHED
8 5 320 ACCEPT tcp -- enp1s0f1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30889 state NEW,ESTABLISHED
9 3378K 1896M INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
10 113 4814 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
11 3273K 1869M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
sudo yum -y install php
Line 99: Line 88:
- Now I configured non-SSL version of 30889 server. This was done by /etc/httpd/sites-available/nodus30889_nosecure.conf and the symbolic link of it in /etc/httpd/sites-enabled. === SSL ===
Line 101: Line 90:
- I realized that we need php for dokuwikis. It was installed. Maybe we need more careful configuration of php later.
> sudo yum -y install php
- {{{/etc/httpd/conf.d/}}} has sub config files. Only ssl.conf was reviewed. This config has the following line.
Line 104: Line 92:
- To work with the server daemon, use systemctl command. Currently the server is not running.
> sudo systemctl (start|restart|stop|status) httpd
{{{
SSLPassPhraseDialog exec:/etc/httpd/passphrase.sh
}}}

And the corresponding file can be found as {{{/etc/httpd/passphrase.sh}}} .

- SSL Certificates were copied from the old backup. They are located in {{{/etc/httpd/ssl}}}. So each '''https''' sites should have the following directives in each {{{VirtualHost}}}.

{{{
SSLCertificateFile /etc/httpd/ssl/nodus.ligo.caltech.edu.crt
SSLCertificateKeyFile /etc/httpd/ssl/nodus.ligo.caltech.edu.key
}}}

=== Site files ===

- The actual web site settings are found in {{{/etc/httpd/site-enabled}}} . '''This folder should have symbolic links to the corresponding files in''' {{{site-available}}}. The important files are {{{elog.conf}}} and {{{nodus30889_secure.conf}}} for now. SVN setting should be added later.

- The site on the port 30889 is configured by {{{nodus30889_secure.conf}}}. This is a normal web server looking at the files in {{{/export//home}}}, not in {{{/users/public_html}}}!. One who wants to add a folder to the web is to make a link to the folder in {{{/export//home}}} and add a corresponding {{{Directory}}} entry in {{{nodus30889_secure.conf}}}.

- {{{elog.conf}}} takes care of redirecting and proxy of 8081 (https) to 8080. The line
{{{Header add Strict-Transport-Security "max-age=0"}}}
is important so that the client browsers '''does not''' remember 8080 as https.
Line 109: Line 117:
- The new executable seemed installed at /usr/local/sbin. The setting files are in /export/elog. - The new executable was installed (via RPM by Rana) at /usr/local/sbin. The nominal setting files are in /export/elog.
Line 111: Line 119:
- The current (best) elog staring script is /export/elog/startELOGD.sh. - The current (best) elog staring script is /export/elog/startELOGD.sh. '''This does not kill running process. Some sophisticated mechanism (as before) will be useful.
Line 113: Line 121:
- By disabling 8081 secure elog thing, the elog is running at the port 8080. However, the elogd does not want to use the themes in /export/elog/elog-common no matter how this directory is specified for the resource dir. The only workable setup right now is to speficy the resource directory as
Resource dir = /usr/local/elog
in
/export/elog/elog-common/elogd.cfg
- '''Riddle:''' {{{elogd}}} does not want to use the themes in /export/elog/elog-common no matter how this directory is specified for the resource dir. The only workable setup right now is to speficy the resource directory as
Line 118: Line 123:
- This is not the perfect solution but this allows us to use the elog. There is no true secure password for the elog, this is OK for today, I guess? We need more investigation on the theme and the SSL version of the elog (i.e. port 8081). {{{Resource dir = /usr/local/elog}}}
Line 120: Line 125:

ELOG CFG
URL = https://nodus.ligo.caltech.edu:8081/
in the main config file {{{/export/elog/elog-common/elogd.cfg}}}.
Line 126: Line 129:
SVN installation
{{{
Line 127: Line 132:
}}}

To create a repository from an existing repository: We can't just copy the files. We need to use a dump file created by svnadmin. This can be done for an existing svn repository in the new system.

'''Dumping'''
{{{
cd /home/export/svn
sudo svnadmin dump ./ > ../svndump
}}}

'''Create a new repository'''
{{{
cd /home/export
sudo mv svn svn_old
sudo svnadmin create svn
}}}


'''Loading'''
{{{
cd /home/export
sudo svnadmin load ./svn < svndump
}}}

Described by KA on Nov 21st, 2017.

OLD nodus etc / export

Backup of the old nodus configurations are found in /cvs/cds/caltech/nodus_backup .

Some useful locations:

Old apache configurations

cd /cvs/cds/caltech/nodus_backup/etc/apache2

iptables

We want nodus to make several ports available from Martian and internet. Otherwise, the access to these ports are just rejected. To enable the ports, allow this, we need to run the following commands. 8080: non-secure elog, 8081: secure-elog, 30889: web service

sudo iptables -I INPUT 5 -i enp1s0f0 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I INPUT 6 -i enp1s0f1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I INPUT 7 -i enp1s0f0 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I INPUT 8 -i enp1s0f1 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I INPUT 9 -i enp1s0f0 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT 
sudo iptables -I INPUT 10 -i enp1s0f1 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT 

Here we need to specify two ethernet interfaces (enp1s0f0 and enp1s0f1). They could be checked by ifconfig

ifconfig -a

To check the current IPTable setup, the following command is useful

sudo iptables -vnL INPUT --line

The output of this should look like this

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    1005K 1464M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2      889 49872 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3    5772K 3236M INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4    5772K 3236M INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     tcp  --  enp1s0f0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 state NEW,ESTABLISHED
6     1565 97196 ACCEPT     tcp  --  enp1s0f1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 state NEW,ESTABLISHED
7        0     0 ACCEPT     tcp  --  enp1s0f0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30889 state NEW,ESTABLISHED
8      412 23688 ACCEPT     tcp  --  enp1s0f1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30889 state NEW,ESTABLISHED
9        0     0 ACCEPT     tcp  --  enp1s0f0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8081 state NEW,ESTABLISHED
10    2884  175K ACCEPT     tcp  --  enp1s0f1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8081 state NEW,ESTABLISHED
11   5767K 3236M INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
12     370 15354 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
13   5586K 3192M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

To delete an entry (e.g. #3 in INPUT section)

sudo iptables -D INPUT 3

- This command makes the change permanent.This command has already been run.

iptables-save > /etc/sysconfig/iptables

Apache

Global settings

- To work with the server daemon, use systemctl command.

sudo systemctl (start|restart|stop|status) httpd

- All apache setting can be found in /etc/httpd .

- The main config file is /etc/httpd/conf/ . This takes care the global setting of the web service.

- PHP is required for dokuwikis. So it was installed. We need more careful investigation of the php configuration later.

sudo yum -y install php

SSL

- /etc/httpd/conf.d/ has sub config files. Only ssl.conf was reviewed. This config has the following line.

SSLPassPhraseDialog exec:/etc/httpd/passphrase.sh

And the corresponding file can be found as /etc/httpd/passphrase.sh .

- SSL Certificates were copied from the old backup. They are located in /etc/httpd/ssl. So each https sites should have the following directives in each VirtualHost.

SSLCertificateFile /etc/httpd/ssl/nodus.ligo.caltech.edu.crt
SSLCertificateKeyFile /etc/httpd/ssl/nodus.ligo.caltech.edu.key

Site files

- The actual web site settings are found in /etc/httpd/site-enabled . This folder should have symbolic links to the corresponding files in site-available. The important files are elog.conf and nodus30889_secure.conf for now. SVN setting should be added later.

- The site on the port 30889 is configured by nodus30889_secure.conf. This is a normal web server looking at the files in /export//home, not in /users/public_html!. One who wants to add a folder to the web is to make a link to the folder in /export//home and add a corresponding Directory entry in nodus30889_secure.conf.

- elog.conf takes care of redirecting and proxy of 8081 (https) to 8080. The line Header add Strict-Transport-Security "max-age=0" is important so that the client browsers does not remember 8080 as https.

elogd

- The new executable was installed (via RPM by Rana) at /usr/local/sbin. The nominal setting files are in /export/elog.

- The current (best) elog staring script is /export/elog/startELOGD.sh. This does not kill running process. Some sophisticated mechanism (as before) will be useful.

- Riddle: elogd does not want to use the themes in /export/elog/elog-common no matter how this directory is specified for the resource dir. The only workable setup right now is to speficy the resource directory as

Resource dir = /usr/local/elog

in the main config file /export/elog/elog-common/elogd.cfg.

SVN

SVN installation

sudo yum install subversion

To create a repository from an existing repository: We can't just copy the files. We need to use a dump file created by svnadmin. This can be done for an existing svn repository in the new system.

Dumping

cd /home/export/svn
sudo svnadmin dump ./ > ../svndump

Create a new repository

cd /home/export
sudo mv svn svn_old
sudo svnadmin create svn

Loading

cd /home/export
sudo svnadmin load ./svn < svndump

NodusUpgradeNov2017 (last edited 2018-09-13 05:48:45 by KojiaraiATligoDOTorg)