Configuring web services (revision 1)

Introduction

This page describes how Alexis Huxley installed and configured his front-end Apache web server.

Prologue

  1. Since the website must be addressed by the right name in order to work you should now:
    1. block public access to the web server or put up an “in maintenance” web site
    2. make any necessary DNS changes to access the new machine
  2. Define the following variables:
    WEBSITENAME=<your-web-site-name>    #  e.g. WEBSITENAME=www.pasta.freemyip.com

Apache2: configuration for all virtual hosts

  1. Run:
    apt-get install apache2
  2. Create a basic configuration file by editing /etc/apache2/sites-available/$WEBSITENAME.conf to contain only:
    LogFormat "%h (%a) %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined2
    
    <VirtualHost *:80>
    
        DocumentRoot /var/www/WEBSITENAME
        ServerName WEBSITENAME
        ServerAdmin webmaster@dont-use-this-address
        CustomLog /var/log/apache2/WEBSITENAME-access.log combined2
        ErrorLog /var/log/apache2/WEBSITENAME-error.log
        LogLevel warn
        ServerSignature On
        <Directory /var/www/WEBSITENAME>
            #  Apache 2.4 syntax, replacing the 2.2-era "Order allow,deny" / "Allow from all"
            Require all granted
        </Directory>
    
    </VirtualHost>

    and then substitute placeholders by running:

    perl -pi -e "s/WEBSITENAME/$WEBSITENAME/g" /etc/apache2/sites-available/$WEBSITENAME.conf
  3. Run the commands:
    cp -ar /var/www/default /var/www/$WEBSITENAME
    a2ensite $WEBSITENAME
    systemctl reload apache2
    
  4. For personal home pages, run:
    perl -pi -e 's/public_html/.public_html/g' /etc/apache2/mods-available/userdir.conf
    a2enmod userdir
    systemctl reload apache2
    
  5. If you have any content to migrate then do it now.

Fancy directory indexing

  1. Run:
    cd /var/www/$WEBSITENAME
    git clone https://github.com/Vestride/fancy-index
    rm -fr fancy-index/{.git,test}
    mv /etc/apache2/mods-available/autoindex.conf /etc/apache2/mods-available/autoindex.conf.orig
    mv fancy-index/.htaccess /etc/apache2/mods-available/autoindex.conf
  2. Edit /var/www/$WEBSITENAME/fancy-index/script.js and change:
    titleText = titleize(path).replace(/-|_/g, ' ');
    ...
    font-size: 0.875rem;

    to:

    // titleText = titleize(path).replace(/-|_/g, ' ');
    titleText = path
    ...
    // font-size: 0.875rem;
    font-size: 1.500rem;
    

Subversion

  1. Install the following packages and their prerequisites:
    • subversion
    • libapache2-svn
  2. Add the following to /etc/apache2/sites-available/$WEBSITENAME.conf:
    <VirtualHost *:80>
       ...
        <Location /svn>
            DAV svn
            SVNPath /staging/svnrepos/main
            Require all granted
            AuthType Digest
            AuthName "Subversion Service"
            AuthUserFile /etc/apache2/subversion.htdigest
            <LimitExcept GET PROPFIND OPTIONS REPORT>
                Require valid-user
            </LimitExcept>
        </Location>
       ...
    </VirtualHost>

    adjusting SVNPath, AuthName and AuthUserFile to suit local requirements.

  3. Run the commands:
    a2enmod auth_digest
    systemctl restart apache2
    
  4. Create /var/www/$WEBSITENAME/robots.txt containing:
    User-agent: *
    Disallow: /svn/
  5. Migrate repository content with a dump/reload, i.e.:
    #  old machine
    svnadmin dump <old-repo-path> > <repo-name>.dump
    scp <repo-name>.dump <new-machine>:
    #  new machine
    svnadmin create <new-repo-path>
    svnadmin load <new-repo-path> < <repo-name>.dump

    and then run:

    chown -R www-data:www-data <new-repo-path>
  6. Migrate password files.
  7. If you need to restore access to a repository then do so now. Verify that the ownership of the repository is www-data:www-data.
  8. Run the commands:
    systemctl reload apache2
  9. Test by running:
    w3m -dump http://$WEBSITENAME/svn/
  10. If you wish to allow commit logs to be corrected after the commit has been made then run:
    cd <repo-root-dir>/hooks
    cp pre-revprop-change.tmpl pre-revprop-change

    The command to actually change the property is:

    svn propedit -r <revision> --revprop svn:log <url>

    (This is taken from the FAQ.)

Public access to local Debian, Redhat and source repositories

  1. Add stanzas like these to /etc/apache2/sites-available/$WEBSITENAME.conf:
    <VirtualHost *:80>
        ...
        #  Public access to Debian repository
        Alias /debian/ "/pub/computing/software/local/debian/localpublic-deb/"
        <Directory "/pub/computing/software/local/debian/localpublic-deb/">
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
        </Directory>
    
        #  Private access to private Debian repository
        Alias /debian-private/ "/pub/computing/software/local/debian/localprivate-deb/"
        <Directory "/pub/computing/software/local/debian/localprivate-deb/">
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Require ip 192.168.0.0/16
        </Directory>
    
        #  Public access to source repository
        Alias /sources/ "/pub/computing/software/local/sources/localpublic-src/"
        <Directory "/pub/computing/software/local/sources/localpublic-src/">
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
        </Directory>
    
        #  Public access to redhat repository
        Alias /redhat/ "/pub/computing/software/local/redhat/localpublic-rpm/"
        <Directory "/pub/computing/software/local/redhat/localpublic-rpm/">
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
        </Directory>
    
        #  Private access to private redhat repository
        Alias /redhat-private/ "/pub/computing/software/local/redhat/localprivate-rpm/"
        <Directory "/pub/computing/software/local/redhat/localprivate-rpm/">
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Require ip 192.168.0.0/16
        </Directory>
        ...
    </VirtualHost>
    
  2. Run:
    systemctl reload apache2

HTTPS Support

  1. Ensure the firewall is forwarding port 443 to the appropriate host.
  2. Obtain SSL certificates (maybe see Setting up LetsEncrypt).

Proxying

  1. Run:
    a2enmod headers
    a2enmod proxy
    a2enmod proxy_http
    a2enmod proxy_html
    a2enmod rewrite
    a2enmod xml2enc         #  without this expect Apache error AH01425
    
  2. Proxying of specific services is described elsewhere:
  3. Remember to set up any htdigest files for these services.

IPTables

  1. Install iptables-persistent.
  2. To ban an IP range:
    1. Run:
      whois <ip-addr>

      and note the CIDR for the address range. If no CIDR is displayed then go to this site, enter the upper and lower addresses in the range and click ‘Convert’ to get the CIDR.

    2. Run something like:
      iptables -A INPUT -s <cidr> -j DROP -m comment --comment "$(date +%Y%m%d): <explanation-of-ban>"
      netfilter-persistent save
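
The range-to-CIDR conversion in step 2.1 can also be done locally. The following is an added example, not part of the original page: the function names ip2int, int2ip, range2cidr and ban_commands are made up here, the addresses are constructed documentation-range values, and ban_commands only prints the commands from step 2.2 for review rather than running them.

```shell
#!/bin/sh
# Added example (not from the original page): turn the first/last addresses
# shown by whois into CIDR blocks and print the matching ban commands.

ip2int() (                      # dotted quad -> 32-bit integer
    case $1 in ''|*[!0-9.]*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do           # reject empty octets, leading zeros (octal), >255
        case $o in ''|0?*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

int2ip() {                      # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

range2cidr() (                  # range2cidr <first-ip> <last-ip>
    lo=$(ip2int "$1") && hi=$(ip2int "$2") && [ "$lo" -le "$hi" ] ||
        { echo "range2cidr: bad range: $1 - $2" >&2; exit 2; }
    while [ "$lo" -le "$hi" ]; do
        size=1 bits=32
        # Grow the block while it stays aligned on $lo and inside the range.
        while [ "$bits" -gt 0 ] &&
              [ $(( lo % (size * 2) )) -eq 0 ] &&
              [ $(( lo + size * 2 - 1 )) -le "$hi" ]; do
            size=$(( size * 2 )) bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$lo")/$bits"
        lo=$(( lo + size ))
    done
)

ban_commands() (                # ban_commands <first-ip> <last-ip> <explanation>
    cidrs=$(range2cidr "$1" "$2") || exit 2
    for c in $cidrs; do
        printf 'iptables -A INPUT -s %s -j DROP -m comment --comment "%s: %s"\n' \
            "$c" "$(date +%Y%m%d)" "$3"
    done
    echo "netfilter-persistent save"
)

# Constructed range (RFC 5737 documentation addresses); prints two /26 rules.
ban_commands 198.51.100.64 198.51.100.191 "constructed example"
```

Because -A appends, a DROP rule added this way does not affect traffic that an earlier rule in INPUT already accepts; check the rule order with iptables -L INPUT -n --line-numbers.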

Miscellaneous

  1. If pages have moved or been replaced then you might consider configuring automatic redirections.
  2. Review old apache configuration files to see if anything was missed.
  3. Review old crontab entries for all users; there may be some that need to be copied across.
  4. Set up a maintenance page for use when services are under maintenance.
  5. Install spb by running:
    apt-get install libnetaddr-ip-perl
    svn co https://svn.pasta.freemyip.com/private/webtools/trunk ~/opt/webtools
    mkdir ~/etc
    crontab -l > ~/etc/crontab
    echo "30 *  * * *   ~/opt/webtools/bin/spb" >> ~/etc/crontab
    crontab - < ~/etc/crontab
    cp -a /var/log/apache2/$WEBSITENAME-access.log /var/log/apache2/$WEBSITENAME-access.log.1   #  needed 'cos script looks at two last logs

Epilogue

Since the website must be addressed by the right name in order to work you should now:

  1. make any necessary DNS changes to access the new machine
  2. unblock public access to the web server
