
Re: EARLY PROPOSAL Apache (and webapp?) policy



Hi

On Fri, Sep 13, 2002 at 10:07:47AM +1000, Matthew Palmer wrote:
> On Thu, 12 Sep 2002, Ola Lundqvist wrote:
> 
> > Suggestions are very welcome. And yes before we start that discussion.
> > This is needed because sometimes this kind of thing is really 
> > a mess.
> 
> Why do we necessarily need two separate dirs for config stuff?  Why not just
> /etc/apacheconf/config.d for all apache config fragments?  Then, for each
> virtual host, we can create a directory

This is because then you can just do Include /etc/apacheconf/config.d
in httpd.conf. This directory is for site-wide (all virtual hosts).

For each virtual host you can then include separate things from webapp.d.

> /etc/apacheconf/<virtualhost>

I think it is up to the computer admin to set up virtual hosts, maybe.

> make a file which defines all the necessary config for the virtual host
> (ACL, name, et al) and symlink everything we want into there.

That is a solution but I do not think it is as flexible.

> However, I don't know if that sort of thing will necessarily work in the
> longer term.  Imagine, if you will, two virtual hosts - one which wants
> squirrelmail (and I'm not picking on this package, it's just the first that
> popped into my head) accessible to the entire world, and one which wants it
> only accessible to 10.0.0.0/8.  How do we handle that?  Assuming all the

This is where your solution has a flaw. I think it is up to the sysadmin to
set up each virtual host (maybe not very clearly stated in the policy)
himself/herself. The things in webapp.d should be such that they can fit into
a virtualhost configuration (do not remember the syntax right now).

<vhost1>
  Include /etc/apacheconf/webapp.d/squirrelmail.conf
  Include /etc/apacheconf/visible.d/squirrelmail.conf
  Extraparam
</vhost1>

<vhost1>
  Include /etc/apacheconf/webapp.d/squirrelmail.conf
  Include /etc/apacheconf/visible.d/squirrelmail-restricted.conf #(selfmade)
  Extraparam
</vhost1>

This is the reason for the visible.d directory. It is more clear what these
files are for.

> squirrelmail config is in one file, the ACL for /usr/share/squirrelmail (or
> wherever it's living) will be set in there.  To have it different for
> different vhosts, we can't use symlinks so we need to copy the file.  As it
> turns out, the apache config for squirrelmail changes on upgrade, breaking
> previous config files.  All of a sudden, the copy of the squirrelmail apache
> config breaks and the admin puts his head through the wall.

Hmm. Well, the configuration has to be split into the needed things to work
properly and the visible parts. Each sysadmin is responsible for all new
visible parts and the default one can be seen as a template (but a working
template if you do not need to fiddle with it).

> I have no idea how to fix this for the general case, however, so <shrug>.
> 
> Overall, I like the way you're thinking, but it needs a lot of flesh to it. 
> I'd prefer to see it move away from being an Apache Policy to being a web
> content policy - that is, encompassing web servers, webapps, static content
> (where packages should put stuff) and whatever else fits.  Restricting it to
> apache doesn't feel like the way to go.

Maybe you are right. I just wanted to start on the apache part so it does not grow
too big. I'm working on another project that is very general but it will not
cover policy issues though. That project is to extend wwwconfig-common to
something that can work for other packages.

Regards,

// Ola

> 
> -- 
> Matthew Palmer, Debian Developer
> mpalmer@debian.org     http://www.debian.org

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  opal@lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
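
The split discussed in this thread, written out as an added example in Apache 2.4 syntax (not part of the original message and not taken from any Debian package): the shared fragment carries what the application needs to work, and each virtual host includes its own access-control fragment. The host names, the `/squirrelmail` alias and the contents of every fragment are assumptions; the directory paths are the ones proposed in the thread.

```apache
# --- /etc/apacheconf/webapp.d/squirrelmail.conf ---
# Package-owned (assumed contents): what the app needs to work, no ACL.
Alias /squirrelmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
    Options -Indexes
    AllowOverride None
</Directory>

# --- /etc/apacheconf/visible.d/squirrelmail.conf ---
# Default visibility template (assumed contents): reachable from anywhere.
<Directory /usr/share/squirrelmail>
    Require all granted
</Directory>

# --- /etc/apacheconf/visible.d/squirrelmail-restricted.conf ---
# Admin-made fragment (assumed contents): internal network only.
<Directory /usr/share/squirrelmail>
    Require ip 10.0.0.0/8
</Directory>

# --- httpd.conf ---
# Site-wide fragments apply to every virtual host.
Include /etc/apacheconf/config.d

# Public host (hypothetical name): default visibility.
<VirtualHost *:80>
    ServerName mail.example.org
    Include /etc/apacheconf/webapp.d/squirrelmail.conf
    Include /etc/apacheconf/visible.d/squirrelmail.conf
</VirtualHost>

# Internal host (hypothetical name): same app fragment, stricter ACL.
<VirtualHost *:80>
    ServerName mail.internal.example.org
    Include /etc/apacheconf/webapp.d/squirrelmail.conf
    Include /etc/apacheconf/visible.d/squirrelmail-restricted.conf
</VirtualHost>
```

Because the `<Directory>` sections are pulled in inside each `<VirtualHost>`, the access rule applies only to that host, and a package upgrade that rewrites the `webapp.d` fragment leaves the admin-made ACL file untouched.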


