plc.d/httpd

   1 #!/bin/bash
   2 #
   3 # priority: 600
   4 #
   5 # Configure Apache web server
   6 #
   7 # Mark Huang <mlhuang@cs.princeton.edu>
   8 # Copyright (C) 2006 The Trustees of Princeton University
   9 #
  10
  11 # Source function library and configuration
  12 . /etc/plc.d/functions
  13 . /etc/planetlab/plc_config
  14
  15 # Be verbose
  16 set -x
  17
  18 # Default locations
  19 DocumentRoot=/var/www/html
  20 php_ini=/etc/php.ini
  21 httpd_conf=/etc/httpd/conf/httpd.conf
  22 ssl_conf=/etc/httpd/conf.d/ssl.conf
  23 plc_conf=/etc/httpd/conf.d/plc.conf
  24 php_fpm_conf=/etc/php-fpm.d/plc.conf
  25 php_fpm_dir=$(dirname $php_fpm_conf)
  26
  27 function disable_file () {
  28     file=$1; shift
  29     [ -f $file ] && mv -f $file $file.disabled
  30 }
  31 function enable_file () {
  32     file=$1; shift
  33     [ ! -f $file ] && mv -f $file.disabled $file
  34 }
  35
  36 case "$1" in
  37     start)
  38         if [ "$PLC_API_ENABLED" != "1" -a \
  39              "$PLC_BOOT_ENABLED" != "1" -a \
  40              "$PLC_WWW_ENABLED" != "1" ] ; then
  41             exit 0
  42         fi
  43
  44         MESSAGE=$"Starting web server"
  45         dialog "$MESSAGE"
  46
  47         # set document root - not really useful on fedora but just in case
  48         sed -i -e "s@^DocumentRoot.*@DocumentRoot \"$DocumentRoot\"@" $httpd_conf
  49         # whether WWW is enabled or not :
  50         if [ "$PLC_WWW_ENABLED" != "1" ] ; then
  51             # avoid hitting drupal, that would try to connect to the db and create noise
  52             disable_file $DocumentRoot/index.php
  53         else
  54             enable_file $DocumentRoot/index.php
  55         fi
  56
  57         # Set the default include path
  58         include_path=".:$DocumentRoot/planetlab/includes:$DocumentRoot/plekit/php:$DocumentRoot/generated:/etc/planetlab/php:/usr/share/plc_api/php"
  59         sed -i -e "s@[;]*include_path = \"\.:.*\"@include_path = \"$include_path\"@" $php_ini
  60
  61         # Set open_basedir so as to avoid leaks
  62         open_basedir="$DocumentRoot:/etc/planetlab/php:/usr/share/plc_api/php:/var/log/myslice:/var/tmp/bootmedium:/var/log/bm:/tmp"
  63         sed -i -e "s@[;]*open_basedir =.*@open_basedir = \"$open_basedir\"@" $php_ini
  64
  65         # for php-5.3 under fedora12, otherwise issues tons of warning messages
  66         # Set timezone in php.ini if not already there
  67         if grep '^;date.timezone' $php_ini >& /dev/null; then
  68             dialog 'Setting PHP timezone to GMT'
  69             sed -i -e 's,^;date.timezone.*,date.timezone = GMT,' $php_ini
  70         fi
  71
  72         if grep '^short_open_tag = Off' $php_ini >& /dev/null; then
  73             sed -i -e 's,^short_open_tag = Off,short_open_tag = On,' $php_ini
  74         fi
  75
  76         ## patch php.ini
  77         # memory limit
  78         sed -i -e 's,^memory_limit = 32M *;,memory_limit = 80M ; patch myplc -- ,' $php_ini
  79         # log_errors : is On by default
  80         # error_log
  81         if ! grep '^error_log *=' $php_ini > /dev/null ; then
  82             sed -i -e '/^;error_log = syslog/a error_log = /var/log/php.log' $php_ini
  83             sed -i -e 's/display_errors =.*/display_errors = On/' $php_ini
  84             sed -i -e 's/display_startup_errors =.*/display_startup_errors = On/' $php_ini
  85             # create the log file and make it writable by apache
  86             touch /var/log/php.log
  87             chmod 666 /var/log/php.log
  88         fi
  89
  90         # configure php-fpm as well if present (starting with f27)
  91         if [ -d $php_fpm_dir ] ; then
  92             cat > $php_fpm_conf << EOF
  93 [www]
  94 php_value[include_path] = $include_path
  95 php_value[open_basedir] = $open_basedir
  96 php_value[date.timezone] = GMT
  97 php_value[short_open_tag] = On
  98 php_value[memory_limit] = 80M
  99 EOF
 100             # this is needed because otherwise, the first time
 101             # we do this configuration, the service is already up
 102             # and the config is usable only the second time
 103             systemctl restart php-fpm
 104         fi
 105
 106         # Disable default Listen directive
 107         sed -i -e '/^Listen/d' $httpd_conf
 108
 109         plc_api_path_noslash=$(echo $PLC_API_PATH | sed -e s,/,,g)
 110         # Set the port numbers
 111         for server in WWW API BOOT ; do
 112             enabled=PLC_${server}_ENABLED
 113             if [ "${!enabled}" != "1" ] ; then
 114                 continue
 115             fi
 116             hostname=PLC_${server}_HOST
 117             http_port=PLC_${server}_PORT
 118             https_port=PLC_${server}_SSL_PORT
 119
 120             # API should always be accessed via SSL
 121             if [ "$server" = "API" ] ; then
 122                 https_port=${!http_port}
 123                 http_port=
 124             fi
 125
 126             # Check if we are already listening on these ports
 127             skip_http=0
 128             skip_https=0
 129             for previous_server in WWW API BOOT ; do
 130                 if [ "$server" = "$previous_server" ] ; then
 131                     break
 132                 fi
 133                 previous_enabled=PLC_${previous_server}_ENABLED
 134                 if [ "${!previous_enabled}" != "1" ] ; then
 135                     continue
 136                 fi
 137                 previous_http_port=PLC_${previous_server}_PORT
 138                 previous_https_port=PLC_${previous_server}_SSL_PORT
 139
 140                 if [ -z "${http_port}" ]; then
 141                     skip_http=1;
 142                 elif [ -z "${!http_port}" ]; then
 143                     skip_http=1;
 144                 elif [ "${!http_port}" = "${!previous_http_port}" ] ; then
 145                     skip_http=1
 146                 fi
 147                 if [ -z "${https_port}" ]; then
 148                     skip_https=1
 149                 elif [ -z "${!https_port}" ]; then
 150                     skip_https=1
 151                 elif [ "${!https_port}" = "${!previous_https_port}" ] ; then
 152                     skip_https=1
 153                 fi
 154             done
 155
 156             # HTTP configuration
 157             if [ $skip_http -eq 0 ] ; then
 158                 cat <<EOF
 159 Listen ${!http_port}
 160 <VirtualHost *:${!http_port}>
 161     # Make sure that the admin web pages are always accessed via SSL
 162     Redirect /db https://$PLC_WWW_HOST:$PLC_WWW_SSL_PORT/db
 163     Redirect /planetlab https://$PLC_WWW_HOST:$PLC_WWW_SSL_PORT/planetlab
 164 # as a matter of fact most xmlrpc clients won't follow the redirection
 165 # so this is mostly rethorical, but just in case...
 166    Redirect /$plc_api_path_noslash https://$PLC_WWW_HOST:$PLC_WWW_SSL_PORT/$plc_api_path_noslash
 167 </VirtualHost>
 168
 169 EOF
 170             fi
 171
 172             # HTTPS configuration
 173             if [ $skip_https -eq 0 ] ; then
 174                 # XXX Cannot support NameVirtualHost over SSL. If
 175                 # the API, boot, and web servers are all running
 176                 # on the same machine, the web server certificate
 177                 # takes precedence.
 178                 sed -i \
 179                     -e "s/^Listen .*/Listen ${!https_port}/" \
 180                     -e "s/<VirtualHost _default_:.*>/<VirtualHost _default_:${!https_port}>/" \
 181                     $ssl_conf
 182                 # this is used to locate the right certificates
 183                 server_lower=$(echo $server | tr 'A-Z' 'a-z')
 184
 185                 # which one is used is currently configured in myplc.spec,
 186                 # with mod_python preferred
 187                 if rpm -q mod_python >& /dev/null ; then
 188                     configure_for_mod_python=true
 189                 elif rpm -q mod_wsgi >& /dev/null \
 190           || rpm -q python2-mod_wsgi >& /dev/null \
 191           || rpm -q python3-mod_wsgi >& /dev/null ; then
 192                     configure_for_mod_wsgi=true
 193                 else
 194                     echo "Requires mod_python or mod_wsgi.... exiting"
 195                     exit 1
 196                 fi
 197
 198                 # It would be tempting to use <IfModule> here
 199                 # but early tests showed this could be tricky/fragile
 200                 # So let's hard-wire it for one module
 201                 # A lot of trial-and -error was involved in getting this that way...
 202
 203                 if [ -n "$configure_for_mod_python" ] ; then
 204 #################### for mod_python
 205                     cat <<EOF
 206 # mod_python location
 207 <Location /PLCAPI/>
 208     SetHandler mod_python
 209     PythonPath "sys.path + ['/usr/share/plc_api']"
 210     PythonHandler apache.ModPython
 211 </Location>
 212 EOF
 213
 214                 elif [ -n "$configure_for_mod_wsgi" ] ; then
 215 #################### for mod_wsgi
 216                     cat <<EOF
 217 # create wsgi socket where we have the permission
 218 WSGISocketPrefix run/wsgi
 219
 220 <VirtualHost *:${!https_port}>
 221
 222    # SSL
 223    SSLEngine On
 224    SSLCertificateFile /etc/planetlab/${server_lower}_ssl.crt
 225    SSLCertificateKeyFile /etc/planetlab/${server_lower}_ssl.key
 226    SSLCertificateChainFile /etc/planetlab/${server_lower}_ca_ssl.crt
 227
 228    WSGIScriptAlias /$plc_api_path_noslash /usr/share/plc_api/apache/plc.wsgi
 229 # xxx would be cool to be able to tweak this through config
 230    WSGIDaemonProcess plcapi-wsgi-ssl user=apache group=apache processes=1 threads=25
 231    WSGIProcessGroup plcapi-wsgi-ssl
 232
 233    <Directory "/usr/share/plc_api/apache">
 234       Options +ExecCGI
 235       $(apache_allow)
 236    </Directory>
 237
 238 </VirtualHost>
 239 EOF
 240                 fi
 241             fi
 242         done >$plc_conf
 243
 244         # Set custom Apache directives
 245         (
 246             # could be restricted to boot boxes but harmless..
 247             cat <<EOF
 248 AddType application/octet-stream .iso
 249 AddType application/octet-stream .usb
 250 EOF
 251             # make sure /PLCAPI can't get accessed if API not enabled here
 252             if [ "$PLC_API_ENABLED" != "1" ] ; then
 253                 cat <<EOF
 254 # mod_wsgi location
 255 <Location $PLC_API_PATH>
 256     $(apache_forbid)
 257 </Location>
 258 EOF
 259             fi
 260
 261             # redirect www requests if not on the right server
 262             if [ "$PLC_WWW_ENABLED" != "1" ] ; then
 263                 cat <<EOF
 264 Redirect /index.html http://$PLC_WWW_HOST:$PLC_WWW_PORT/
 265 EOF
 266             fi
 267         ) >>$plc_conf
 268
 269         # Make alpina-logs directory writable for bootmanager log upload
 270         chown apache:apache $DocumentRoot/alpina-logs/nodes
 271
 272         # Make the Drupal files upload directory owned by Apache
 273         mkdir -p $DocumentRoot/files
 274         chown apache:apache $DocumentRoot/files
 275
 276         # Symlink any (real) files or directories in
 277         # /data/var/www/html/* to /var/www/html/. We could descend
 278         # into subdirectories, but the code to do so properly would be
 279         # madness.
 280         for file in /data/$DocumentRoot/* ; do
 281             if [ -e "$file" -a ! -h "$file" ] ; then
 282                 base=$(basename "$file")
 283                 if [ ! -e "$DocumentRoot/$base" ] ; then
 284                     ln -nsf "$file" "$DocumentRoot/$base"
 285                 fi
 286             fi
 287         done
 288
 289         # Cleanup broken symlinks
 290         for file in $DocumentRoot/* ; do
 291             if [ -h "$file" -a ! -e "$file" ] ; then
 292                 rm -f "$file"
 293             fi
 294         done
 295
 296         # Old style PHP constants
 297         mkdir -p /etc/planetlab/php
 298         cat >/etc/planetlab/php/site_constants.php <<"EOF"
 299 <?php
 300 include('plc_config.php');
 301
 302 define('PL_API_SERVER', PLC_API_HOST);
 303 define('PL_API_PATH', PLC_API_PATH);
 304 define('PL_API_PORT', PLC_API_PORT);
 305 define('PL_API_CAPABILITY_AUTH_METHOD', 'capability');
 306 define('PL_API_CAPABILITY_PASS', PLC_API_MAINTENANCE_PASSWORD);
 307 define('PL_API_CAPABILITY_USERNAME', PLC_API_MAINTENANCE_USER);
 308 define('WWW_BASE', PLC_WWW_HOST);
 309 define('BOOT_BASE', PLC_BOOT_HOST);
 310 define('DEBUG', PLC_WWW_DEBUG);
 311 define('API_CALL_DEBUG', PLC_API_DEBUG);
 312 define('SENDMAIL', PLC_MAIL_ENABLED);
 313 define('PLANETLAB_SUPPORT_EMAIL', PLC_NAME . ' Support <' . PLC_MAIL_SUPPORT_ADDRESS . '>');
 314 define('PLANETLAB_SUPPORT_EMAIL_ONLY', PLC_MAIL_SUPPORT_ADDRESS);
 315 ?>
 316 EOF
 317
 318         ## make room for logs
 319         touch /var/log/plcapi.log
 320         chmod 666 /var/log/plcapi.log
 321
 322         plc_daemon httpd
 323         check
 324
 325         result "$MESSAGE"
 326         ;;
 327
 328     stop)
 329         MESSAGE=$"Stopping web server"
 330         dialog "$MESSAGE"
 331
 332         pkill -f plc_httpd
 333         check
 334
 335         result "$MESSAGE"
 336         ;;
 337 esac
 338
 339 exit $ERRORS