Closed hirokomatsui closed 7 years ago
Is the default one still in the same location?
Apache has moved to version 2.4 and there are several items that need change in such configs. I will look after dinner.
Yes, I've moved it back.
Thanks. I'll look in about an hour!
So to summarize basically what I see:
Some userdir enables with authentication for a handful of users
Some top level Aliases with authentication. The syntax of authentication changed a fair chunk in 2.4.
Do you object to me making these part of the concept called:
/etc/httpd/conf.d/(somename).conf
Which allows us to spot the mods to defaults a bit better and also not risk overwrite?
I'll probably make a stab at it as "frazer.conf" for now. And you can verify what existed before does now.
OK, sounds good.
Phase one. I've taken the top level aliases and placed them into:
/etc/httpd/conf.d/frazer.conf
And reloaded Apache. Can you verify that part works? Seems to but you want to make sure the passwords function. There have been some syntax changes and I may need to still make them.
I will work on the other diffs in a moment.
Worked: http://flh1.ucsd.edu/hipsci/
Not worked: http://flh1.ucsd.edu/~hiroko
Yep, the "UserDir" items changed in 2.4 IIRC. Remembering what they changed to!
Ah yes, they didn't change the module but it's another "conf.d" item: /etc/httpd/conf.d/userdir.conf
Merging your mods into that. One moment.
OK. I've enabled userdir in I believe the same way as before but these four people should CHECK to be safe:
UserDir enabled cdeboever paul hiroko matteo
I do not see cdeboever having any security on his directory. I am actually disabling mine. I don't need it.
This part of Apache 2.4 is controlled by: /etc/httpd/conf.d/userdir.conf
Looking for any other diffs from the old file that might be needed so just advise if things are closer.
Worked. Thanks!
Cool! Marking these two files as "modified". Did not see any other major changes but just re-open if missing something. Have a nice evening.
Mine still does not work. I get "You don't have permission to access /~bill on this server."
Odd, you were not in the list of people that supported this access. Did it work before? Looked like a specific list of people were being maintained but perhaps I mis-read it.
Do you want your public_html to ask for a password? That's not a default...and you'll need to have a password file for it.
@hirokomatsui how did you want this maintained BTW: ask for UserDir access via you or just turn on for all...I have no preference.
Also minor issue. I believe when you store the password file in the UserDir as I see being done, in theory it can be taken by anyone with a password and offline cracked. It's often wise to consider placing such password files outside of the areas being shared if you worry about such things. Just mentioning.
@billgreenwald I added your userdir to the allow list WITHOUT a password file so just advise if you want one!
(and I can explain how to maintain said password file if you've not done that before)
No password is good for me.
It used to just work as soon as someone created a folder. I know a few people you didn't specify had it up and running
Ah, ok. It might have been 2.2 was default allow for UserDir....checking. Just don't want to expose stuff by accident ;)
Yes, I remember that was, but changed at some version.
OK. So basically then I'm going to turn on with access. So if people have a ~/public_html it will be exposed. Do you want to warn people?
<Directory "/frazer01/home/*/public_html">
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
Here's the people with public_html dirs.
bill/public_html
cdeboever/public_html
djakubosky/public_html
ensmith/public_html
hel070/public_html
hiroko/public_html
joreyna/public_html
matteo/public_html
mdonovan/public_html
nnariai/public_html
paola/public_html
And please re-check that the folks that HAD passwords still have them. In case I need to alter the inheritance of the directory stanzas.
Appears to allow access to everyone except @hirokomatsui and @s041629 who have password files defined. Please double check. I do not wish to expose data that is not desired exposed.
@hirokomatsui please also double check
/etc/httpd/conf.d/userdir.conf
For sanity....
Went through the drylab and asked paola, matteo, margaret, and joqauin, and no one had passwords before.
Matteo should have passwords
Yep. Matteo is defined with passwords.
I don't want to open everyone's directories without a password. Can you use a wildcard to set the AuthUserFile entity?
I'll check. I'm not sure actually. Do you want me to disable (while I check)?
Do you know if <Directory "/frazer01//home/*/public_html"> works?
Yes, that's how things are currently enabled with no password. But I do not believe you can wildcard a password file in that stanza. I believe you have to separately do what you were doing....per user.
Checking module docs though.
I am trying to find my password
You define it in public_html/.htpasswd
That's controlled by the "htpasswd" command (consult man page for details or I can explain).
It is NOT your UNIX password and should not be for safety. That format is quite crackable. In fact I just cracked yours. (it's your username)
Found and updated it.
I do not know of a way to "pattern expand" an AuthUserFile in a Directory Stanza @hirokomatsui
So would you like me to revert the open of dirs while these are made?
I think we can open Bill's. I'll open others by request.
Ok. So reverting back to a list of users and a stanza per user with the needed auth or non-auth! Then I'll defer to you as controller of this file and concept!
Thanks!
OK. So the key parts of the file /etc/httpd/conf.d/userdir.conf:
UserDir enabled hiroko matteo bill
If you are not there, your dir is not available. You must list the user there. (Confirmed with mine)
Then the stanzas per said users with the various auth vs. non-auth config.
Advise if questions and please re-check all exported UserDirs.
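A sketch of the layout described in this thread, added here as an example and not copied from the server's actual /etc/httpd/conf.d/userdir.conf: an explicit UserDir allow list, one stanza per user, and the password file kept outside the shared directory. The /etc/httpd/htpasswd/ directory, the realm name and the choice of AllowOverride None are assumptions.

```apache
# /etc/httpd/conf.d/userdir.conf (illustrative layout, Apache 2.4 syntax)

# Serve ~/public_html, but only for users named on the allow list.
UserDir public_html
UserDir disabled
UserDir enabled hiroko matteo bill

# Access control changed between 2.2 and 2.4:
#   2.2:  Order allow,deny / Allow from all
#   2.4:  Require all granted
# The old directives only work in 2.4 when mod_access_compat is loaded.

# Open directory, no password (as requested for bill).
<Directory "/frazer01/home/bill/public_html">
    # AllowOverride None keeps a .htaccess file from changing this policy.
    AllowOverride None
    Options Indexes SymLinksIfOwnerMatch
    Require all granted
</Directory>

# Password-protected directory. AuthUserFile takes one literal path,
# so each protected user gets a stanza of their own.
<Directory "/frazer01/home/hiroko/public_html">
    AllowOverride None
    Options Indexes SymLinksIfOwnerMatch
    AuthType Basic
    AuthName "hiroko private area"
    # Assumed location outside any public_html, so the hashes cannot be
    # downloaded through the web server and cracked offline.
    # Create with bcrypt hashes: htpasswd -B -c /etc/httpd/htpasswd/hiroko hiroko
    AuthUserFile "/etc/httpd/htpasswd/hiroko"
    Require valid-user
</Directory>

# Defence in depth: never serve .htaccess / .htpasswd files, in case a
# password file is left inside a shared directory anyway.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

After editing, `apachectl configtest` checks the syntax before a reload, and each exported directory should then be requested without credentials to confirm which ones prompt for a password.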
I'd like to use the old setting of httpd.conf, which is copied at: /home/hiroko/httpd.conf.171023
When I simply replaced it, it did not work. Can you take a look?