
Re: draft proposal for a new web server policy



Hi

Good that you put this on topic again.

I wrote an apache policy some time ago. Some parts are not good but others
are. I mostly aim for configuration policy.

http://www.opal.dhs.org/involved/debian/apache/

It might be something useful there.

On Sat, Dec 06, 2003 at 03:21:28PM -0500, Joey Hess wrote:
> Maybe it's time to think about amending section 11.5. of policy (Web
> servers and applications) to address some of the problems with it. Here
> are the problems I know of:
> 
>  - Some admins want to tightly control which cgi scripts are available,
>    beyond merely picking packages to install. For example you might want
>    to install analog without activating its cgi script.
>    
>  - Some admins may need to use http://host/cgi-bin/ for their own
>    custom cgi scripts for historical or local policy reasons, but would
>    also prefer to be able to use cgi scripts from debian packages,
>    without tracking/linking them on a per-package basis.
>    
>  - Some might want http://host/doc to be their own content, and not
>    the debian docs. I think the Debian web site is one example.
>    
>  - Some web servers (eg apache2) can coexist with other web servers
>    installed concurrently. But historically we've had the debian web
>    server install a default /var/www/index.html particular to that
>    server, and only one web server can do that at a time. So apache2
>    currently violates debian policy by using a different directory as
>    its web server root. Which leads to many other administration
>    problems, such as anything dropped in /var/www not being available
>    under apache2.

I suggest that we drop /var/www or make it deprecated.

>  - If you use vhosts, you can only have one pointing to /var/www,
>    so only one will get the debian content provided there. To add it to the
>    others, you have to maintain lots of symlinks.
> 
>  - /var/www violates the FHS. Of course the FHS has not laid out a place
>    for web stuff, though they might eventually with /srv. This proposal
>    does not mandate /srv, but it does lay groundwork to make it ok
>    for web servers to use /srv when it becomes part of the FHS, and to
>    help make it easier to transition to it.
> 
>  - Any others?
> 
> I notice that many of these come down to a namespace problem. We have
> appropriated the default top-level namespace of the web server for
> Debian-provided content, which doesn't give the admin enough control. If
> they take back control, for example by changing the web document root to
> /home/web or /srv/web, and creating their own cgi-bin directory, then
> they lose all the benefits of the Debian integration. Unfortunately many
> hrefs are absolute, and so they break when you do things like this, so
> even making http://host/debian link to all the debian provided stuff is
> not feasible without a lot of work.
> 
> This brings me to the policy proposal:
> 
> --------------------------------------------------------------------------
> 
> 11.5. Web servers and applications
> 
> 11.5.1. Filesystem locations for web-accessible content
> 
>      This section describes the filesystem locations that should be
>      used for web-accessible content provided by the Debian system.
> 
>      CGI executable files are installed in /usr/lib/cgi-bin/<cgi-name>.

Good.

>      HTML documents for a package are stored in
>      /usr/share/doc/<package>.
> 
>      Web applications should store static web-accessible files (icons,
>      non-documentation html pages, etc), under /usr/share/<package> and
>      /usr/lib/<package>. Variable web-accessible files (such as mrtg
>      graphs) may be stored under /var/lib/<package>.

Good.

>      Web applications may also store web-accessible files in /var/www/,
>      but use of this directory is deprecated and will become a bug in a
>      future edition of Debian policy.

The sooner we get rid of /var/www the better.

>      All of the above content is gathered together in the directory
>      /var/lib/debian-www/, which includes links to /usr/lib/cgi-bin/,
>      and /usr/share/doc, and to which links can be added to content
>      in /usr/share/<package>, /usr/lib/<package>, /var/lib/<package>,
>      and /var/www (deprecated).

Hmm... I'm not sure that I like this. I suggest that each application
make sure that they have a configuration file that can be included in
the vhost that needs it. They have to make scriptalias and aliases in there
to make sure everything works instead.

One config file for basic support and one for display/view support.

>      Packages should only add symlinks, and possibly subdirectories
>      to the /var/lib/debian-www/ directory, and not actual content.

I can not see why this is better than the /var/www approach. I can be convinced
though.

> 11.5.2. URLs for web-accessible content
> 
>      This section specifies the URLs that should be used to access
>      web-accessible content provided by the Debian system.
> 
>      The Debian web content will be available at the URL
>      http://<site>/debian-www/. This includes
>      http://<site>/debian-www/cgi-bin for CGI programs,
>      http://<site>/debian-www/doc for documentation, and
>      http://<site>/debian-www/<application> for web application data.
> 
>      These URLs should also work for any virtual hosts on the Debian 
>      system, unless the administrator has chosen to not include the
>      Debian content on a virtual host.
> 
>      The following URLs may be used for Debian provided content, but
>      are deprecated in favor of the new URLs listed above:
>      http://<host>/cgi-bin/ for CGI programs.
>      http://<host>/doc for documentation.

Hmm, well, this is a bit better than the /var/www thing but I still do not find
it perfect.

> 11.5.3. Web server configuration and virtual hosts
> 
>      Web servers should ship with a default configuration that may include
>      a default front page, specific to that web server, at http://<site>/,
>      and must include http://<site>/debian-www/.

Ok.

>      The web server should restrict access to http://<site>/debian-www/doc
>      so that only clients on the same host can read the documents. If the web
>      server does not support such access controls, then it should not provide
>      access at all, or ask about providing access during installation.

Good.

>      Web servers may default to using /var/www as their web document root.
>      If they include an index.html (or localised index.html.ll or similar
>      files) there, they must take care to not overwrite files created by
>      the administrator, or by other web servers, and removal of the web
>      server should remove those files. /var/www/debian-www should be a
>      link to /var/lib/debian-www/. As this directory is not approved by the
>      FHS, use of /var/www is deprecated.
> 
>      Alternatively, web servers may choose to use a different directory
>      as their web document root. It is acceptable to prompt the user
>      for what directory to use. In any case, debian-www in that directory
>      should be a link to /var/lib/debian-www/, and the web server should
>      take care to not overwrite existing index.html files, etc in that
>      directory, and to clean up after itself when it is removed.

I suggest that the second alternative here is the suggested method.

> --------------------------------------------------------------------------
> 
> Here is how the problems I listed at the top of this mail can be addressed
> using the new system. Note that I'm using /srv/ as the web document roots
> in these examples, mainly as it makes talking about vhosts easier, but they
> are only examples.
> 
>  - So you want to control every cgi program that is enabled. Make
>    /var/lib/debian-www/cgi-bin your own directory, instead of a link
>    to /usr/lib/cgi-bin/, and add links to the cgi programs you want.
>    It should also be possible to make this vary by vhost if you wanted.

To make it easier to handle vhost I suggest that each vhost include config
files that each application provides.

But you are right that symlinks can solve the problem too.

>  - So you want http://host/cgi-bin/ to be your own custom cgi scripts.
>    No problem, it is, debian cgi scripts are
>    http://host/debian-www/cgi-bin/.
>  
>  - So you want http://host/doc/ to be your own content. No problem,
>    debian /usr/share/doc is at http://host/debian-www/doc/ (generally
>    where "host" is "localhost").
>  
>  - So apache2 wants to provide its own index.html without conflicting
>    with the index.html of any other web server that might be installed,
>    while at the same time keeping the debian content available. Then
>    /srv/apache2/index.html can be apache2's web document root, and
>    http://<apache2-host>/debian-www/ still works. In the short term,
>    while /srv is only theory, apache2 might go on using
>    /var/www/apache2-default as it does now, but with the addition of a
>    debian-www link in there to make it policy compliant.
> 
>  - So you want to add a vhost that still includes the Debian content.
>    Just make sure that /srv/<vhost>/debian-www -> /var/lib/debian-www.

Rest seems to be solved.

> As to how we would transition to this, all of section 11.5.1. matches
> current policy, or allows current policy (/var/www) but deprecates it.
> 11.5.2. allows the old URLs for cgi-bin and documentation to be preserved,
> but deprecates them. 11.5.3. allows web servers to go on using /var/www
> (or /var/www/apache2-default) as they do now. 
> 
> So we could adopt this into policy without requiring immediate changes
> to everything. First the change would be the web servers, which would
> start providing debian-www links in their web document roots, and access
> to the debian-www urls for their vhosts. Next would come packages
> providing cgi scripts, which could begin to document and link to the new
> urls to the cgi scripts. And then packages that provide "web
> application" content in /var/www would move over to the new set of
> directories, and to providing symlinks to it in /var/lib/debian-www/.
> After most stuff was converted to using the new system, web servers
> would drop support for the old http://host/<doc> and http://<host>/cgi-bin/
> and the deprecated parts would become policy violations.
> 
> At this time, I'm seeking comments, but not seconds for this proposal.
> In particular, I'm interested in any problems with the current web
> policy which I did not address.
> 
> -- 
> see shy jo

Well, these were some comments. Hope you found some of them useful.

Regards,

// Ola

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  opal@lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
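
One way to check a tree against the quoted rule that packages add only symlinks (and subdirectories) to /var/lib/debian-www/, with the links resolving into the locations 11.5.1 lists. This is an added example, not part of the mail above or of any Debian package; the function name, the CONTENT/DANGLING/OUTSIDE labels and the optional SYSROOT argument are assumptions made here.

```shell
#!/bin/sh
# Added example: audit a debian-www tree against the rules in the quoted
# proposal. Function name, output labels and SYSROOT are assumptions.
#
# usage: audit_debian_www [ROOT] [SYSROOT]
#   ROOT     tree to check (default: /var/lib/debian-www, from the proposal)
#   SYSROOT  optional prefix stripped from link targets, so a staged copy of
#            the filesystem (chroot, package build dir) can be checked
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on error.
# Assumes GNU readlink -f and file names without newlines.
audit_debian_www() {
    root=$(readlink -f "${1:-/var/lib/debian-www}") || return 2
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    sysroot=${2:+$(readlink -f "$2")}

    # find does not follow symlinks by default, so linked trees such as
    # /usr/share/doc are not walked; only the links themselves are judged.
    report=$(
        find "$root" \( -type f -o -type l \) | while IFS= read -r entry; do
            if [ ! -L "$entry" ]; then
                # "Packages should only add symlinks, and possibly
                # subdirectories ... and not actual content."
                echo "CONTENT $entry"
                continue
            fi
            if [ ! -e "$entry" ]; then
                echo "DANGLING $entry"   # target was removed or renamed
                continue
            fi
            target=$(readlink -f "$entry")
            # Locations 11.5.1 allows for web-accessible files.
            case ${target#"$sysroot"} in
                /usr/lib/*|/usr/share/*|/var/lib/*|/var/www|/var/www/*) ;;
                *) echo "OUTSIDE $entry -> $target" ;;
            esac
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

An OUTSIDE finding is the one to look at first: it means the web server would serve a path the policy text never intended to expose.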
