[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Savannah-cvs] [246] DevelSite, HostRedirection: document the gnu/ nongn
From: |
assafgordon |
Subject: |
[Savannah-cvs] [246] DevelSite, HostRedirection: document the gnu/ nongnu redirection mystery |
Date: |
Sun, 2 Oct 2016 01:56:42 +0000 (UTC) |
Revision: 246
http://svn.sv.gnu.org/viewvc/?view=rev&root=administration&revision=246
Author: agn
Date: 2016-10-02 01:56:39 +0000 (Sun, 02 Oct 2016)
Log Message:
-----------
DevelSite,HostRedirection: document the gnu/nongnu redirection mystery
Modified Paths:
--------------
trunk/sviki/FrontEndDevelopmentSite.mdwn
trunk/sviki/FrontEndHostRedirection.mdwn
Modified: trunk/sviki/FrontEndDevelopmentSite.mdwn
===================================================================
--- trunk/sviki/FrontEndDevelopmentSite.mdwn 2016-09-29 05:48:19 UTC (rev
245)
+++ trunk/sviki/FrontEndDevelopmentSite.mdwn 2016-10-02 01:56:39 UTC (rev
246)
@@ -223,7 +223,9 @@
cd /home/jsmith/savannah/
cp -r /etc/savane ./etc/
chown -R jsmith:jsmith ./etc
- chgrp www-data ./etc/.savane.conf.php ./etc/savane.pass
+ cd ./etc/savane
+ chgrp www-data .savane.conf.php .savane.pass nongnu-conf/.savane.conf.php
+ chmod o= .savane.conf.php .savane.pass nongnu-conf/.savane.conf.php
*NOTE*: At this point, the files contain the MySQL user/password
for the production website - DO NOT FORGET TO CHANGE THEM.
@@ -258,7 +260,14 @@
$sys_trackers_attachments_dir=$sys_appdatadir . "/trackers_attachments";
$sys_debug_email_override_address = "address@hidden";
+The following settings should be updated in `./nongnu-conf/.savane.conf.php`
+(note that default-vs-brother are swapped in the nongnu file):
+ $sys_default_domain="agn.frontend0.savannah.nongnu.org";
+ $sys_brother_domain="agn.frontend0.savannah.gnu.org";
+ $sys_incdir="/home/agn/savannah/etc/savane/content/nongnu-content";
+
+
See [[FrontEndHostRedirection]] to learn about gnu/nongnu host redirection
(keep the debug variable `true` unless you read and understand the redirection
page).
@@ -295,14 +304,16 @@
### Hostnames
-The apache config file defines the following server names
-(see also DNS section above):
+The apache config file defines the following virtual host names
- ServerName jsmith.frontend0.savannah.gnu.org
- ServerAlias jsmith.frontend0.sv.gnu.org
- ServerAlias jsmith.frontend0.savannah.nongnu.org
- ServerAlias jsmith.frontend0.sv.nongnu.org
+ jsmith.frontend0.savannah.gnu.org
+ jsmith.frontend0.sv.gnu.org
+ jsmith.frontend0.savannah.nongnu.org
+ jsmith.frontend0.sv.nongnu.org
+See [[FrontEndHostRedirection]] for the gory details
+of savannah's multiple hostnames configuration
+(e.g. gnu/nongnu redirections).
### SSL Certificates
@@ -346,15 +357,20 @@
DocumentRoot /home/jsmith/savanne/savane/frontend/php
-
### Savane's PHP configuration
In this apache config file, an environment variable `SAVANE_CONF` should
point to the development site's configuration directory
(e.g. `frontend0:/home/jsmith/savannah/etc/savane`).
- SetEnv SAVANE_CONF /home/jsmith/savannah/etc/savane/
+ <If "%{HTTP_HOST} == 'agn.frontend0.savannah.gnu.org'">
+ SetEnv SAVANE_CONF /home/agn/savannah/etc/savane/
+ </If>
+ <ElseIf "%{HTTP_HOST} == 'agn.frontend0.savannah.nongnu.org'">
+ SetEnv SAVANE_CONF /home/agn/savannah/etc/savane/nongnu-conf/
+ </ElseIf>
+
*Sanity checks when visiting <https://jsmith.frontend0.savannah.gnu.org>*
1. Take note of the <TITLE> of the page (usually appears in the title
Modified: trunk/sviki/FrontEndHostRedirection.mdwn
===================================================================
--- trunk/sviki/FrontEndHostRedirection.mdwn 2016-09-29 05:48:19 UTC (rev
245)
+++ trunk/sviki/FrontEndHostRedirection.mdwn 2016-10-02 01:56:39 UTC (rev
246)
@@ -1,30 +1,149 @@
FrontEnd GNU/NONGNU host redirection
====================================
-Savannah hosts both GNU and NONGNU projects.
-For each type, it redirects the visitor to the
-correct URL (savannah.gnu.org or savannah.nongnu.org, respectively).
+Savannah handles three types of hosts redirection:
-Redirection happens for every project-related page (e.g. main project page,
-bugs, support, etc.).
+1. shortcut URL to full URL (.e.g `*.sv.gnu.org` => `*.savannah.gnu.org`).
+2. `*.gnu.org` <=> `*.nongnu.org`, depending on project's type.
+3. automatic-login to both `savannah.gnu.org` and `savannah.nongnu.org`
+Shortcut URL redirection
+------------------------
+Shortcur URL redirection (.e.g `*.sv.gnu.org` => `*.savannah.gnu.org`)
+is handled entirely in the apache configuration.
-Enable/Disable redirection
---------------------------
+This would've been simple, if it were't for two complications:
+1. For HTTP, all URLs should be redirected as-is with full URI
+ (e.g. <http://sv.gnu.org/p/coreutils> should redirect to
+ <http://savannah.gnu.org/p/coreutils>, not just to
+ <http://savannah.gnu.org>) *EXCEPT* the `.well-known` directory,
+ which must not be redirected because of the use
+ of Let's-Encrypt certboot (i.e. <http://sv.gnu.org/.well-known/XXX>
+ must be valid and not redirected).
+ See [[https]] for details about the certbot configuration.
+
+2. For HTTPS, slightly different configuration is set needed
+ on whether it's gnu or nongnu domain,
+ while still requiring that <https://sv.gnu.org/p/coreutils>
+ redirects to the full <https://savannah.gnu.org/p/coreutils>.
+
+The [[FrontEndDevelopmentSite]] currently uses the following method:
+
+ <VirtualHost *:80>
+ ServerName jsmith.frontend0.savannah.gnu.org
+ ServerAlias jsmith.frontend0.savannah.nongnu.org
+ ServerAlias jsmith.frontend0.sv.gnu.org
+ ServerAlias jsmith.frontend0.sv.nongnu.org
+
+ <If "%{HTTP_HOST} == 'jsmith.frontend0.savannah.gnu.org' &&
%{REQUEST_URI} !~ /\.well-known/" >
+ RedirectMatch "(.*)" https://jsmith.frontend0.savannah.gnu.org$1
+ </If>
+ <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.savannah.gnu.org' &&
%{REQUEST_URI} !~ /\.well-known/" >
+ RedirectMatch "(.*)" https://jsmith.frontend0.savannah.nongnu.org$1
+ </ElseIf>
+ <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.sv.gnu.org' &&
%{REQUEST_URI} !~ /\.well-known/" >
+ RedirectMatch "(.*)" https://jsmith.frontend0.savannah.gnu.org$1
+ </ElseIf>
+ <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.sv.nongnu.org' &&
%{REQUEST_URI} !~ /\.well-known/" >
+ RedirectMatch "(.*)" https://jsmith.frontend0.savannah.nongnu.org$1
+ </ElseIf>
+ Include sites-available/certbot-wellknown.inc
+ </VirtualHost>
+
+
+ <VirtualHost *:443>
+ ServerAlias jsmith.frontend0.sv.gnu.org
+ ServerAlias jsmith.frontend0.sv.nongnu.org
+ ServerName jsmith.frontend0.savannah.gnu.org
+ ServerAlias jsmith.frontend0.savannah.nongnu.org
+
+ <If "%{HTTP_HOST} == 'jsmith.frontend0.savannah.gnu.org'">
+ SetEnv SAVANE_CONF /home/jsmith/savannah/etc/savane/
+ </If>
+ <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.savannah.nongnu.org'">
+ SetEnv SAVANE_CONF /home/jsmith/savannah/etc/savane/nongnu-conf/
+ </ElseIf>
+ # If the '.sv.gnu.org' shortcut is used, redirect to the full
+ # '.savannah.gnu.org' URL.
+ <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.sv.gnu.org'">
+ RedirectMatch "(.*)" https://jsmith.frontend0.savannah.gnu.org$1
+ </ElseIf>
+ <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.sv.nongnu.org'">
+ RedirectMatch "(.*)" https://jsmith.frontend0.savannah.nongnu.org$1
+ </ElseIf>
+ [...]
+ </VirtualHost>
+
+Note that certbot's configuration uses `Alias`, which has lower precedence
+in Apache than `RedirectMatch` - requiring some fiddling with the conditions.
+
+FIXME: If there's a better configuration, please write to
address@hidden .
+
+FIXME: Document the apache setup for the production website, which use:
+
+ sites-enabled/000-vhosts-gnu.org.conf -> ../sites-available/vhosts-gnu.org
+ sites-enabled/vhosts-nongnu.org.conf ->
../sites-available/vhosts-nongnu.org
+
+ # in sites-available/vhosts-gnu.org:
+ <VirtualHost *:80>
+ Include sites-available/sv.gnu.inc
+ </VirtualHost>
+ <VirtualHost *:443>
+ Include sites-available/sv.gnu.inc
+ </VirtualHost>
+ <VirtualHost *:443>
+ ServerName frontend0.savannah.gnu.org
+ Include sites-available/sv.inc
+ </VirtualHost>
+
+ # in sites-available/vhosts-nongnu.org:
+ <VirtualHost *:80>
+ Include sites-available/sv.nongnu.inc
+ </VirtualHost>
+ <VirtualHost *:443>
+ Include sites-available/sv.nongnu.inc
+ </VirtualHost>
+ <VirtualHost *:443>
+ ServerName frontend0.savannah.nongnu.org
+ SetEnv SV_LOCAL_INC_PREFIX /etc/savane/nongnu-conf
+ Include sites-available/sv.inc
+ </VirtualHost>
+
+ # in sites-available/sv.gnu.inc:
+ ServerName savannah.gnu.org
+ Include sites-available/sv.inc
+
+ # in sites-available/sv.nongnu.org:
+ ServerName savannah.nongnu.org
+ SetEnv SV_LOCAL_INC_PREFIX /etc/savane/nongnu-conf
+ Include sites-available/sv.inc
+
+
+
+GNU/NONGNU redirection
+----------------------
+
+gnu/nongnu redirection is handled entirely in thePHP code, based on
+whether the viewed project belongs to gnu or not (sometimes refers
+to as 'brother' site in the code/config files).
+
+Example: when a user visits <https://savannah.nongnu.org/projects/coreutils>
+she will be redirected to <https://savannah.gnu.org/projects/coreutils>
+because coreutils is an official gnu package.
+
+
+### Enabling/Disabling redirection
+
In `.savane.conf.php`, setting the boolean variable
`$sys_debug_nobasehost` to `true` disable redirection completely -
useful for [[FrontEndDevelopmentSite]].
+### Project's based redirection
-Redirection hosts
------------------
-
-The hosts used for redirections are defined in the *database*
-(*not* in the configuration file). This is both annoying and confusing.
-
When page is visited (if it relates to a hosted project), the
function `$project->getTypeBaseHost()` is called and returns the host
that is relevant to the viewed project (baed on the project's type).
@@ -71,54 +190,99 @@
Then set `$sys_debug_nobasehost=false;` the development `.savane.conf.php`
file.
-Redirection should work within the development site, between gnu and nongnu.
+### PHP Code
-Brother-Domain in savane conf
------------------------------
+The variable `$sys_debug_nobasehost` is mentioned in the following files:
-In `.savane.conf.php` there are these two variables:
+in `./frontend/php/include/init.php`:
+ # if we are at wrong url, redirect
+ if (!$sys_debug_nobasehost && strcasecmp($_SERVER['HTTP_HOST"],
$project->getTypeBaseHost()) != 0 && $project->getTypeBaseHost())
+ {
+ header ("Location:
http".(session_issecure()?'s":'")."://".$project->getTypeBaseHost().$_SERVER['PHP_SELF"]);
+ exit;
+ }
+
+in `./frontend/php/include/project_home/php`:
+
+ if (strcasecmp($_SERVER['HTTP_HOST"], $project->getTypeBaseHost()) != 0 &&
$project->getTypeBaseHost())
+ {
+ header ('Location:
http".(session_issecure()?'s":'").'://".$project->getTypeBaseHost().$_SERVER["REQUEST_URI"]);
+ exit;
+ }
+
+
+
+
+Auto-login to 'brother' site
+----------------------------
+
+When a user visits the login page on
+<https://savannah.gnu.org/account/login.php>, there's is a check-box
+at the bottom of the page asking for "Login also in
+savannah.nongnu.org".
+
+This is called a "brother" site in the code and config files.
+It is implemented using several HTTP redirects from
+one site to the other (e.g from the default 'savannah.gnu.org'
+to 'savannah.nongnu.org') sending hashed session IDs back and
+forth (counting on the fact that both sites run on the same
+physical server and share PHP session cookies).
+
+
+In `/etc/savane/.savane.conf.php` there are these two variables:
+
$sys_default_domain="savannah.gnu.org";
$sys_brother_domain="savannah.nongnu.org";
+ $sys_incdir="/etc/savane/content/gnu-content";
-Or in a [[FrontEndDevelopmentSite]]:
+In the correspnding `/etc/savane/nongnu-conf/.savane.conf.php` the
+default/brother hosts are swapped:
+ $sys_default_domain="frontend0.savannah.nongnu.org";
+ $sys_https_host="$sys_default_domain";
+ $sys_brother_domain="frontend0.savannah.gnu.org";
+ $sys_incdir="/etc/savane/content/nongnu-content";
+
+
+If using a development site [[FrontEndDevelopmentSite]],
+use the following in `/home/jsmith/savannah/etc/savane/.savane.conf.php`:
+
$sys_default_domain="jsmith.frontend0.savannah.gnu.org";
$sys_brother_domain="jsmith.frontend0.savannah.nongnu.org";
+ $sys_incdir="/home/jsmith/savannah/etc/savane/content/gnu-content";
-These variables only seem to affect the login process
-(i.e. the "Login also in savannah.nongnu.org" checkbox in the login page).
+and in `/home/jsmith/savannah/etc/savane/nongnu-conf/.savane.conf.php`:
-Setting these alone will not make the redirection work - updating the database
-is required (as shown above).
+ $sys_default_domain="jsmith.frontend0.savannah.nongnu.org";
+ $sys_https_host="$sys_default_domain";
+ $sys_brother_domain="jsmith.frontend0.savannah.gnu.org";
+ $sys_incdir="/home/jsmith/savannah/etc/savane/content/nongnu-content";
+The apache configuration must be set appropriately for each domain.
+See `SAVANE_CONF` settings above.
+*NOTE*:
+If the "login to [brother] set" checkbox is set,
+Savannah will do the redirection even if the variable is set
+(`$sys_debug_nobasehost=true`).
+If you forget to update the settings in `nongnu-conf/.savane.conf.php`,
+you might get redirected to the real website (e.g. `savannah.nongnu.org`),
+which will not only confuse things, but will also cause troubles
+with cookie authentication (you'll see an error message saying
+"Savane thinks your cookies are not activated for XXX" from `login.php`).
-PHP Code
---------
-The variable `$ sys_debug_nobasehost` is mentioned in the following files:
+The 'brother' login sequences is used in two files:
+`./frontend/php/account/login.php` and `./frontend/php/account/su.php`
+(`su` implements "become superuser" feature for admins).
- $ git grep debug_nobasehost
- include/init.php:$sys_debug_nobasehost = false;
- include/init.php: if (isset($group_id) && empty($no_redirection) &&
!$sys_debug_nobasehost)
- include/project_home.php:if (!$sys_debug_nobasehost &&
strcasecmp($_SERVER['HTTP_HOST'], $project->getTypeBaseHost())
+The gist is:
-The variable domain/brother-domain variables are mentioned here:
+1. After successful login to `savannah.gnu.org`, `login.php` will redirect to:
+
<https://savannah.NONGNU.org/account/login.php?session_uid=94790&session_hash=XXXXXXXXXX&cookie_for_a_year=&from_brother=1&login=1&stay_in_ssl=1&brotherhood=1&uri=%2F>
- $ git grep brother_domain
- account/login.php: if (!empty($GLOBALS['sys_brother_domain']) &&
$brotherhood)
- account/login.php: header ("Location:
".$http."://".$GLOBALS['sys_brother_domain'].$GLOBALS['sys_home']."/a
- account/login.php: header("Location:
".$http."://".$GLOBALS['sys_brother_domain'].$uri);
- account/login.php:if (!empty($GLOBALS['sys_brother_domain']))
- account/login.php: printf (_("Login also in %s").'</span><br />',
$GLOBALS['sys_brother_domain']);
- account/su.php: if (!empty($GLOBALS['sys_brother_domain']))
- account/su.php: header ("Location:
".su_getprotocol()."://".$GLOBALS['sys_brother_domain'].$GLOBALS['sys_home']."acc
- account/su.php: header("Location:
".su_getprotocol()."://".$GLOBALS['sys_brother_domain'].$uri);
- account/su.php: header("Location:
".su_getprotocol()."://".$GLOBALS['sys_brother_domain'].$uri);
- account/su.php: if (!empty($GLOBALS['sys_brother_domain']))
- account/su.php: header ("Location:
".su_getprotocol()."://".$GLOBALS['sys_brother_domain'].$GLOBALS['sys_home']."acc
- account/su.php: header("Location:
".su_getprotocol()."://".$GLOBALS['sys_brother_domain'].$uri);
- account/su.php: header("Location:
".su_getprotocol()."://".$GLOBALS['sys_brother_domain'].$uri);
-
+2. `login.php` (this time called on host `savannah.nongnu.org`) will see
+ that `$from_brother=1`, and will set the cookie/session for this domain
+ as well, then redirect back to `savannah.gnu.org/`.
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Savannah-cvs] [246] DevelSite, HostRedirection: document the gnu/ nongnu redirection mystery,
assafgordon <=