[OpenAFS] Delivering confidential information in AFS via Apache

Charles Karney ckarney@sarnoff.com
Fri, 3 Aug 2001 17:49:09 -0400 (EDT)


seph writes:
 > From: seph <seph@commerceflow.com>
 > Date: 03 Aug 2001 14:07:48 -0700
 > 
 > > I've got some scrappy patches/notes on how to set this up.  If there's
 > > interest I can post this.
 > 
 > I'd be interested in your notes.

Notes on using AFSWeb from OpenAFS 1.1.1 with apache 1.3.20 and Mod_SSL
2.8.4-1.3.20

This environment is Linux 2.2 Redhat 6.2
(also works with Linux 2.4 with i386_linux22 -> i386_linux24)

This machine was an AFS client running Transarc AFS.
Also works with OpenAFS 1.1.1 -- change /usr/afsws/lib to /usr/lib.

OpenSSL (whatever comes with Redhat) already installed.

We also had the apache-devel RPM installed so that afsweb can find the
apache header files.  This isn't necessary -- but then you'll have to make
sure afsweb knows where to find the headers.

This machine was running a production web server (apache 1.3.6 with the
Transarc websecure).  So this setup installs into /tmp, but picks up our
AFS-based content in /usr/local/apache/htdocs (which is a link into AFS).
Similarly, it listens on 8443 (instead of 443).  I didn't turn off
listening on the regular 8080 for this test case.  (In our production
environment this is done.)

This is a minimal configuration of apache.  The only add on we use is
suexec.  Actually suexec only works under afsweb with major kludges.  I'm
looking at better solutions to this.

Two defects with afsweb:

The AFS magic only works for content under DocumentRoot.  ~user/public_html
content does not work properly (which is the reason for the suexec kludge
alluded to above).  Also, cgi-bin needs to be UNDER DocumentRoot if you want
it to be in AFS too (we do).

Finally, I have the IBM/Transarc documentation for afsweb in PS and HTML.
If someone in charge at IBM/Transarc will give me permission to distribute
them I will.  Better yet, IBM should contribute the afsweb documentation to
the OpenAFS documentation set.

Here goes...

cat > afsweb.pat <<'EOF'
--- src/afsweb/apache_afs_plugin.c.orig	Sat Nov  4 05:03:52 2000
+++ src/afsweb/apache_afs_plugin.c	Thu Jul 19 15:12:24 2001
@@ -468,7 +468,7 @@
  */
 static int log_Access_Error(request_rec *r)
 {
-  if(FIND_LINKED_MODULE("afs_module.c") != NULL) {
+  if((void*)FIND_LINKED_MODULE("afs_module.c") != NULL) {
     char err_msg[1024];
     int rc = 0;
     int len = 0;
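Review bot: The `(void*)` cast on the FIND_LINKED_MODULE result (also in the hunks at -502 and -517) silences a type warning at each call site instead of fixing it once where the macro is defined. If the macro expands to a call whose declaration is not visible under the 1.3.20 headers, the compiler assumes an `int` return and the cast turns that integer into a pointer, so the comparison still compiles but no longer means anything; I cannot tell from the hunk which case applies. Prefer fixing the macro definition in apache_api.h so that the expansion already has pointer type (for Apache 1.3 that is `ap_find_linked_module()`, declared in http_config.h and returning `module *`) and drop the casts here. log_Access_Error's body continues outside the hunk.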
@@ -502,7 +502,7 @@
   afsassert(r);
   afsassert(r->uri);
   afsassert(cell);
-  if(FIND_LINKED_MODULE("afs_module.c") != NULL) {
+  if((void*)FIND_LINKED_MODULE("afs_module.c") != NULL) {
     int rc, status;      
     char *type;  
     static int haveToken = 1; /* assume that we always have a token */
@@ -517,7 +517,7 @@
      * UserDir (tilde) support
      */
 #ifndef APACHE_1_3
-    if (FIND_LINKED_MODULE("mod_userdir.c") != NULL) {
+    if ((void*)FIND_LINKED_MODULE("mod_userdir.c") != NULL) {
       rc=translate_userdir(r);
       if ((rc != OK) && (rc != DECLINED)) {
 	LOG_REASON("afs_module: Failure while translating userdir", r->uri,r);
--- src/afsweb/apache_api.h.orig	Sat Nov  4 05:03:52 2000
+++ src/afsweb/apache_api.h	Thu Jul 19 15:12:24 2001
@@ -24,6 +24,10 @@
 #include "1.3.6/httpd.h"
 #include "1.3.6/http_conf_globals.h"
 #include "1.3.6/ap_compat.h"
+#elif defined(APACHE_1_3_20)
+#include "apache/httpd.h"
+#include "apache/http_conf_globals.h"
+#include "apache/ap_compat.h"
 #else
 #error No Apache subversion defined for APACHE_1_3 (such as APACHE_1_3_6)
 #endif /* APACHE_1_3_1 */
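Review bot: The new `#elif defined(APACHE_1_3_20)` branch is not reflected in the `#error` text or in the closing `#endif /* APACHE_1_3_1 */` comment, which still name only the older subversions; suggest `#endif /* APACHE_1_3_x */` and adding APACHE_1_3_20 to the error message so the next person sees which symbols are accepted. The new include paths (`apache/httpd.h`) follow the apache-devel package layout mentioned in the notes rather than the bundled `1.3.6/` directory used by the branch above, which is worth recording on the new lines, e.g. `/* 1.3.20: headers come from the installed apache-devel package, not a bundled copy */`.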
--- src/afsweb/Makefile.orig	Tue Mar 27 02:06:49 2001
+++ src/afsweb/Makefile	Thu Jul 19 15:31:20 2001
@@ -89,24 +89,12 @@
 			$(MAKE) AUX_CFLAGS=-DSOLARIS "XLIBS=-lsocket -lnsl" $(BINARIES) ;; \
 		*linux*) \
 			$(MAKE) libclean ; \
-			$(MAKE) AUX_FLAGS=-DLINUX $(APACHE_AFS_LIB) ; \
-			${INSTALL} $(APACHE_AFS_LIB) ${DESTDIR}root.afsweb/lib/apache_1.2 ; \
-			$(MAKE) libclean ; \
-			$(MAKE) AUX_FLAGS=-DLINUX $(APACHE_AFS_LIB) VERSION_CFLAG="-DAPACHE_1_3 -DAPACHE_1_3_1" ; \
-			${INSTALL} $(APACHE_AFS_LIB) ${DESTDIR}root.afsweb/lib/apache_1.3.1 ; \
-			$(MAKE) libclean ; \
-			$(MAKE) AUX_FLAGS=-DLINUX $(APACHE_AFS_LIB) VERSION_CFLAG="-DAPACHE_1_3 -DAPACHE_1_3_6" ; \
-			${INSTALL} $(APACHE_AFS_LIB) ${DESTDIR}root.afsweb/lib/apache_1.3.6 ; \
+			$(MAKE) AUX_FLAGS=-DLINUX $(APACHE_AFS_LIB) VERSION_CFLAG="-DAPACHE_1_3 -DAPACHE_1_3_20" ; \
+			${INSTALL} $(APACHE_AFS_LIB) ${DESTDIR}root.afsweb/lib/apache_1.3.20 ; \
 			/bin/rm -f $(SRC_MODULE) ; \
-			$(MAKE) $(SRC_MODULE) VERSION_CFLAG=-DAPACHE_1_2 ; \
-			${INSTALL} $(SRC_MODULE) ${DESTDIR}root.afsweb/src/apache_1.2 ; \
-			/bin/rm -f $(SRC_MODULE) ; \
-			$(MAKE) $(SRC_MODULE) VERSION_CFLAG="-DAPACHE_1_3 -DAPACHE_1_3_1" ; \
-			${INSTALL} $(SRC_MODULE) ${DESTDIR}root.afsweb/src/apache_1.3.1 ; \
-			/bin/rm -f $(SRC_MODULE) ; \
-			$(MAKE) $(SRC_MODULE) VERSION_CFLAG="-DAPACHE_1_3 -DAPACHE_1_3_6" ; \
-			${INSTALL} $(SRC_MODULE) ${DESTDIR}root.afsweb/src/apache_1.3.6 ; \
-			$(MAKE) AUX_CFLAGS=-DLINUX "XLIBS=-lnsl" $(BINARIES) ;; \
+			$(MAKE) $(SRC_MODULE) VERSION_CFLAG="-DAPACHE_1_3 -DAPACHE_1_3_20" ; \
+			${INSTALL} $(SRC_MODULE) ${DESTDIR}root.afsweb/src/apache_1.3.20 ; \
+			$(MAKE) AUX_CFLAGS=-DLINUX "XLIBS=-lnsl -lresolv" $(BINARIES) ;; \
 		* ) \
 			 echo "NOT BUILT FOR ${SYS_NAME}"; ;; \
 	esac
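Review bot: The new `$(MAKE) AUX_FLAGS=-DLINUX $(APACHE_AFS_LIB)` line passes `AUX_FLAGS`, while the new `$(BINARIES)` line and the Solaris branch above pass `AUX_CFLAGS`; the mismatch is inherited from the removed lines, but if the rules earlier in this Makefile only honour AUX_CFLAGS then `-DLINUX` never reaches the library build, so it should be checked (the fix would be `$(MAKE) AUX_CFLAGS=-DLINUX $(APACHE_AFS_LIB) VERSION_CFLAG="-DAPACHE_1_3 -DAPACHE_1_3_20" ; \`). The hunk also removes the apache_1.2, 1.3.1 and 1.3.6 builds instead of adding 1.3.20 beside them, which is fine for this local build but makes the patch unsuitable for upstream as-is; a comment on the new lines saying so would prevent it being picked up verbatim.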
--- src/afsweb/nsafs.h.orig	Sat Nov  4 05:03:53 2000
+++ src/afsweb/nsafs.h	Thu Jul 19 15:12:24 2001
@@ -50,11 +50,11 @@
 void sha_finish(shaState *shaStateP);
 void sha_hash(shaState *shaStateP, const char *buffer, int bufferLen);
 void sha_bytes(const shaState *shaStateP, char *bytes);
-
+/*
 extern afs_int32 nsafs_SetToken (
     struct ktc_principal *aserver,
     struct ktc_token *atoken,
     struct ktc_principal *aclient,
     afs_int32 flags);
-
+*/
 #endif /* _NSAFS_H_ */
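Review bot: Commenting out the `nsafs_SetToken` prototype removes type checking for any caller that remains: under the C89 rules this code is built with, a later call is implicitly declared as returning `int` with unchecked arguments, so a mismatch in the `struct ktc_*` parameters would compile silently. If the declaration conflicts with the definition or with a header pulled in for 1.3.20, fix it at that spot; if the function is genuinely unused in this build, wrap it as `#if 0 /* unused with apache 1.3.20; see afsweb.pat */` ... `#endif` so the reason is recorded rather than left as a bare comment block.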
--- src/afsweb/weblog.c.orig	Thu Jul 12 15:58:25 2001
+++ src/afsweb/weblog.c	Thu Jul 19 15:12:24 2001
@@ -830,13 +830,13 @@
     /* there is a file descriptor instead of stdin */
     readPipe = atoi(as->parms[aREADPIPE].items->data);
   else 
-    readPipe = stdin;
+    readPipe = (int)stdin;
   
   if (as->parms[aWRITEPIPE].items) 
     /* there is a file descriptor instead of stdout */
     writePipe = atoi(as->parms[aWRITEPIPE].items->data);
   else 
-    writePipe = stdout;
+    writePipe = (int)stdout;
 
   if (as->parms[aCACHEEXPIRATION].items) 
     /* set configurable cache expiration time */
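Review bot: `readPipe = (int)stdin;` and `writePipe = (int)stdout;` store the address of a `FILE` object in an `int` that the other branch fills with a descriptor number from `atoi()`; the cast only silences the compiler, the value is still a pointer, not a descriptor, and on an LP64 target it is truncated as well. The descriptor form of the standard streams is `readPipe = fileno(stdin);` and `writePipe = fileno(stdout);` (or `STDIN_FILENO`/`STDOUT_FILENO` from <unistd.h>). Since these are the channels weblog reads its requests from and writes replies to, a wrong value means either EBADF or I/O on whatever descriptor the truncated address happens to name, so this should be fixed rather than cast. The enclosing function starts and ends outside the hunk.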
EOF

# Unpack, patch, configure and build OpenAFS.
# The extraction must finish before the cd/patch steps run, so tar is run
# in the foreground (backgrounding it here races with the cd below).
tar xfpz /u/admin/sources/openafs/openafs-1.1.1-src.tar.gz
cd openafs-1.1.1
# -b keeps .orig copies of the patched files; afsweb.pat was written in the parent directory.
patch -p0 -b < ../afsweb.pat
./configure --with-afs-sysname=i386_linux22 --with-linux-kernel-headers=/usr/src/linux
make

# Compile afsweb
cd src/afsweb
make SYS_NAME=i386_linux22 DESTDIR=../../i386_linux22/dest/ TOP_SRCDIR=../../src SRCDIR=../../i386_linux22/dest/

# Install components needed for build and operation of apache in
# /tmp/afswsp (this was a test setup)

# Staging area for the afsweb pieces that the apache build and the running
# server need (a test setup, hence /tmp).
OPENAFS=/u/ckarney/web/openafs-1.1.1/i386_linux22/dest
mkdir /tmp/afswsp
# Executables keep install's default mode.
install $OPENAFS/root.afsweb/bin/weblog $OPENAFS/root.afsweb/bin/weblog_starter /tmp/afswsp/
# Library and module source are installed read-only (644).
for f in lib/apache_1.3.20/libapacheafs.a src/apache_1.3.20/afs_module.c; do
    install -m 644 $OPENAFS/root.afsweb/$f /tmp/afswsp/
done
# Transarc AFS client library (use /usr/lib instead of /usr/afsws/lib on an OpenAFS client).
install -m 644 /usr/afsws/lib/afs/libsys.a /tmp/afswsp/

# Compile apache

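# Unpack apache and mod_ssl side by side. mod_ssl's configure operates on
# the apache tree, so both extractions must complete first: the apache tar
# is run in the foreground (backgrounding it raced with the configure below).
tar xfpz /u/admin/sources/apache_1.3.20.tar.gz
tar xfpz /u/admin/sources/mod_ssl-2.8.4-1.3.20.tar.gz

cd mod_ssl-2.8.4-1.3.20
./configure --with-apache=../apache_1.3.20 --prefix=/tmp/apache
cd ../apache_1.3.20/src
# Drop the afsweb-provided module source into apache's extra-modules directory.
install -m 644 /tmp/afswsp/afs_module.c modules/extra/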

# A patch to Configuration.tmpl to turn on AFS support

+++ Configuration.tmpl  Thu Jul 19 13:56:28 2001
@@ -90,7 +90,7 @@
 #
 EXTRA_CFLAGS=
 EXTRA_LDFLAGS=
-EXTRA_LIBS=
+EXTRA_LIBS=/tmp/afswsp/libapacheafs.a /tmp/afswsp/libsys.a
 EXTRA_INCLUDES=
 EXTRA_DEPS=
 
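Review bot: `EXTRA_LIBS` now links two static archives out of `/tmp/afswsp/`, a world-writable location, into the httpd that is later installed and started as root; any local user who can create files there between the `install` step and `make` controls code that ends up in the server. The notes say this is a test setup, but before the recipe is reused the archives should live in a root-owned directory (the `--prefix` tree, for example) and the path here updated to match. The hunk is also missing its `---` header line, so `patch` cannot locate the target; add `--- Configuration.tmpl.orig <date>` above the `+++` line.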
@@ -502,3 +502,4 @@
 
 # AddModule modules/ssl/libssl.a
 
+AddModule modules/extra/afs_module.o

# Activate the edited template as the live Configuration and let apache's
# src/Configure regenerate the Makefiles from it.
cp Configuration.tmpl Configuration
./Configure

# Top-level configure: SSL from the system OpenSSL, install tree under
# /tmp/apache, suexec enabled with 'apache' as the only permitted caller
# (matches the User/Group set in httpd.conf below).
cd ..
SSL_BASE=SYSTEM ./configure --enable-module=ssl --prefix=/tmp/apache --enable-suexec --suexec-caller=apache
make
# Generates a test certificate (TYPE=test); replace with a real one for production.
make certificate TYPE=test

[as root]
# Needs root: installs into /tmp/apache (suexec is installed setuid by the apache build).
make install

httpd.conf changes

--- /tmp/apache/conf/httpd.conf	Thu Jul 26 17:03:39 2001
+++ /tmp/apache.bak/conf/httpd.conf	Thu Jul 26 17:02:44 2001
@@ -258,8 +258,8 @@
 #  when the value of (unsigned)Group is above 60000; 
 #  don't use Group nobody on these systems!
 #
-User nobody
-Group nobody
+User apache
+Group apache
 
 #
 # ServerAdmin: Your address, where problems with the server should be
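Review bot: The file headers above this hunk are the wrong way round: the `+++` side names `/tmp/apache.bak/conf/httpd.conf`, yet the `+` lines carry the intended settings (`User apache`), so applying this with `patch` as written would revert a configured file to the shipped defaults; swap the two header lines (or apply with `patch -R`). The `User apache`/`Group apache` change itself is consistent with `--suexec-caller=apache` given at configure time, which is the value suexec will insist on.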
@@ -291,7 +291,7 @@
 # documents. By default, all requests are taken from this directory, but
 # symbolic links and aliases may be used to point to other locations.
 #
-DocumentRoot "/tmp/apache/htdocs"
+DocumentRoot "/usr/local/apache/htdocs"
 
 #
 # Each directory to which Apache has access, can be configured with respect
@@ -316,7 +316,7 @@
 #
 # This should be changed to whatever you set DocumentRoot to.
 #
-<Directory "/tmp/apache/htdocs">
+<Directory "/usr/local/apache/htdocs">
 
 #
 # This may also be "None", "All", or any combination of "Indexes",
@@ -366,6 +366,20 @@
 #    </LimitExcept>
 #</Directory>
 
+<Directory /u/*/public_html>
+#    AllowOverride FileInfo AuthConfig Limit
+    Options +ExecCGI
+    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+    <Limit GET POST OPTIONS PROPFIND>
+        Order allow,deny
+        Allow from all
+    </Limit>
+    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
+        Order deny,allow
+        Deny from all
+    </Limit>
+</Directory>
+
 #
 # DirectoryIndex: Name of the file or files to use as a pre-written HTML
 # directory index.  Separate multiple entries with spaces.
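Review bot: In the new `<Directory /u/*/public_html>` block, `Options +ExecCGI` is immediately followed by `Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec` with no `+`/`-` prefix; an unprefixed Options list replaces the set built up so far, so the ExecCGI line is cancelled, and Apache documents mixing the two forms as invalid syntax with unpredictable results. If CGI execution in user directories is wanted, write one line `Options +ExecCGI +MultiViews +Indexes +SymLinksIfOwnerMatch +IncludesNoExec`; if not, delete the first line so the intent is unambiguous. Note that with `AddHandler cgi-script` enabled further down, ExecCGI here means every user's scripts run as the `apache` user unless suexec actually covers them, which the accompanying notes say only works with kludges. The commented-out `AllowOverride` line leaves the server default in force; stating the intended value explicitly (`AllowOverride None` if that is the goal) avoids relying on it.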
@@ -567,13 +581,15 @@
     # The same rules about trailing "/" apply to ScriptAlias directives as to
     # Alias.
     #
-    ScriptAlias /cgi-bin/ "/tmp/apache/cgi-bin/"
+#    ScriptAlias /cgi-bin/ "/tmp/apache/cgi-bin/"
+ScriptAlias /cgi-bin/ "/usr/local/apache/htdocs/cgi-bin/"
 
     #
     # "/tmp/apache/cgi-bin" should be changed to whatever your ScriptAliased
     # CGI directory exists, if you have that configured.
     #
-    <Directory "/tmp/apache/cgi-bin">
+#    <Directory "/tmp/apache/cgi-bin">
+<Directory "/usr/local/apache/htdocs/cgi-bin">
         AllowOverride None
         Options None
         Order allow,deny
@@ -788,7 +804,8 @@
     #
     # To use CGI scripts:
     #
-    #AddHandler cgi-script .cgi
+    AddHandler cgi-script .cgi
+    AddHandler cgi-script .pl
 
     #
     # To use server-parsed HTML files
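Review bot: `AddHandler cgi-script .cgi` and the new `.pl` entry are set at the enclosing (apparently server-wide) scope, so any file with those extensions becomes executable content in every directory where ExecCGI is on, not just under the ScriptAlias; with an AFS-backed DocumentRoot whose write access is governed by AFS ACLs, that widens who can introduce server-side code. Scope the handlers to the directories that need them, for example inside `<Directory "/usr/local/apache/htdocs/cgi-bin">`, or rely on the ScriptAlias alone, which already executes everything in that directory regardless of extension.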
@@ -1063,7 +1080,7 @@
 <VirtualHost _default_:8443>
 
 #  General setup for the virtual host
-DocumentRoot "/tmp/apache/htdocs"
+DocumentRoot "/usr/local/apache/htdocs"
 ServerName server.sarnoff.com
 ServerAdmin ckarney@server.sarnoff.com
 ErrorLog /tmp/apache/logs/error_log
@@ -1184,7 +1201,7 @@
 <Files ~ "\.(cgi|shtml|phtml|php3?)$">
     SSLOptions +StdEnvVars
 </Files>
-<Directory "/tmp/apache/cgi-bin">
+<Directory "/usr/local/apache/htdocs/cgi-bin">
     SSLOptions +StdEnvVars
 </Directory>
 
@@ -1226,3 +1243,14 @@
 
 </IfDefine>
 
+# AFS directives
+SetAFSDefaultCell sarnoff.com
+SetAFSCacheExpiration 600
+SetAFSTokenExpiration 3600
+SetAFSWeblogPath /tmp/afswsp/weblog_starter
+SetAFSAccessLog  logs/AFS.log
+
+<Location />
+AFSAuthType AFS
+AFSLoginPrompt "AFS Login for sarnoff.com"
+</Location>
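Review bot: The `<Location />` block with `AFSAuthType AFS` sits outside any `<VirtualHost>`, so it applies to every listener, including the cleartext port the notes say is still open on this test server; the AFS login prompt then collects the user's AFS password over plain HTTP. Move the `<Location>` block (or at least the AFS auth directives) inside the `_default_:8443` virtual host, or redirect the non-SSL listener to it, so credentials are only requested over TLS. `SetAFSAccessLog logs/AFS.log` is a relative path (presumably resolved against ServerRoot) while the other log paths in this file are absolute (`/tmp/apache/logs/...`); using the same form, `SetAFSAccessLog /tmp/apache/logs/AFS.log`, keeps the log locations consistent.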

Start apache with
    /tmp/apache/bin/apachectl startssl