[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

draft proposal for a new web server policy

Maybe it's time to think about amending section 11.5. of policy (Web
servers and applications) to address some of the problems with it. Here
are the problems I know of:

 - Some admins want to tightly control which cgi scripts are available,
   beyond merely picking packages to install. For example you might want
   to install analog without activating its cgi script.
 - Some admins may need to use http://host/cgi-bin/ for their own
   custom cgi scripts for historical or local policy reasons, but would
   also prefer to be able to use cgi scripts from debian packages,
   without tracking/linking them on a per-package basis.
 - Some might want http://host/doc to be their own content, and not
   the debian docs. I think the Debian web site is one example.
 - Some web servers (eg apache2) can cooexist with other web servers
   installed concurrently. But historically we've had the debian web
   server install a default /var/www/index.html particular to that
   server, and only one web server can do that at a time. So apache2
   currently violates debian policy by using a different directory as
   its web server root. Which leads to many other administration
   problems, such as anything dropped in /var/www not being available
   under apache2.

 - If you use vhosts, you can only have one pointing to /var/www,
   so only one will get the debian content provided there. To add it to the
   others, you have to maintain lots of symlinks.

 - /var/www violates the FHS. Of course the FHS has not laid out a place
   for web stuff, though they might eventually with /srv. This proposal
   does not mandate /srv, but it does lay groundwork to make it ok
   for web servers to use /srv when it becomes part of the FHS, and to
   help make it easier to transition to it.

 - Any others?

I notice that many of these come down to a namespace problem. We have
appropriated the default top-level namespace of the web server for
Debian-provided content, which doesn't give the admin enough control. If
they take back control, for example by changing the web document root to
/home/web or /srv/web, and creating their own cgi-bin directory, then
they lose all the benefits of the Debian integration. Unfortunatly many
hrefs are absolute, and so they break when you do things like this, so
even making http://host/debian link to all the debian provided stuff is
not feasable without a lot of work.

This brings me to the policy proposal:


11.5. Web servers and applications

11.5.1. Filesystem locations for web-accessible content

     This section describes the filesystem locations that should be
     used for web-accessible content provided by the Debian system.

     CGI executable files are installed in /usr/lib/cgi-bin/<cgi-name>.
     HTML documents for a package are stored in

     Web applications should store static web-accessible files (icons,
     non-documentation html pages, etc), under /usr/share/<package> and
     /usr/lib/<package>. Variable web-accessible files (such as mrtg
     graphs) may be stored under /var/lib/<package>.

     Web applications may also store web-accessible files in /var/www/,
     but use of this directory is deprecated and will become a bug in a
     future edition of Debian policy.

     All of the above content is gathered together in the directory
     /var/lib/debian-www/, which includes links to /usr/lib/cgi-bin/,
     and /usr/share/doc, and to which links can be added to content
     in /usr/share/<package>, /usr/lib/<package>, /var/lib/<package>,
     and /var/www (deprecated).

     Packages should only add symlinks, and possibly subdirectories
     to the /var/lib/debian-www/ directory, and not actual content.

11.5.2. URLs for web-accessible content

     This section specifies the URLs that should be used to access
     web-accessible content provided by the Debian system.

     The Debian web content will be available at the URL
     http://<site>/debian-www/. This includes
     http://<site>/debian-www/cgi-bin for CGI programs,
     http://<site>/debian-www/doc for documentation, and
     http://<site>/debian-www/<application> for web application data.

     These URLs should also work for any virtual hosts on the Debian 
     system, unless the administrator has chosen to not include the
     Debian content on a virtual host.

     The following URLs may be used for Debian provided content, but
     are deprecated in favor of the new URLs listed above:
     http://<host>/cgi-bin/ for CGI programs.
     http://<host>/doc for documentation.

11.5.3. Web server configuration and virtual hosts

     Web servers should ship with a default configuration that may include
     a default front page, specfic to that web server, at http://<site>/,
     and must include http://<site>/debian-www/.

     The web server should restrict access to http://<site>/debian-www/doc
     so that only clients on the same host can read the documents. If the web
     server does not support such access controls, then it should not provide
     access at all, or ask about providing access during installation.

     Web servers may default to using /var/www as their web document root.
     If they include an index.html (or localised index.html.ll or similar
     files) there, they must take care to not overwrite files created by
     the administrator, or by other web servers, and removal of the web
     server should remove those files. /var/www/debian-www should be a
     link to /var/lib/debian-www/. As this direcotry is not approved by the
     FHS, use of /var/www is deprecated.

     Alternatively, web servers may choose to use a different directory
     as their web document root. It is acceptable to prompt the user
     for what directory to use. In any case, debian-www in that directory
     should be a link to /var/lib/debian-www/, and the web server should
     take care to not overwrite existing index.html files, etc in that
     directory, and to clean up after itself when it is removed.


Here how the problems I listed at the top of this mail can be addressed
using the new system. Note that I'm using /srv/ as the web document roots
in these examples, mainly as it makes talking about vhosts easier, but they
are only examples.

 - So you want to control every cgi programs that is enabled. Make
   /var/lib/debian-www/cgi-bin your own directory, instead of a link
   to /usr/lib/cgi-bin/, and add links to the cgi programs you want.
   It should also be possible to make this vary by vhost if you wanted.

 - So you want http://host/cgi-bin/ to be your own custom cgi scripts.
   No problem, it is, debian cgi scripts are
 - So you want http://host/doc/ to be your own content. No problem,
   debian /usr/share/doc is at http://host/debian-www/doc/ (generally
   where "host" is "localhost").
 - So apache2 wants to provide its own index.html without conflicting
   with the index.html of any other web server that might be installed,
   while at the same time keeping the debian content available. Then
   /srv/apache2/index.html can be apache2's web document root, and
   http://<apache2-host>/debian-www/ stil works. In the short term,
   while /srv is only theory, apache2 might go on using
   /var/www/apache2-default as it does now, but with the addition of a
   debian-www link in there to make it policy compliant.

 - So you want to add a vhost that still includes the Debian content.
   Just make sure that /srv/<vhost>/debian-www -> /var/lib/debian-www.

As to how we would transition to this, all of section 11.5.1. matches
current policy, or allows current policy (/var/www) but deprecates it.
11.5.2. allows the old URLs for cgi-bin and documentation to be preserved,
but deprecates them. 11.5.3. allows web servers to go on using /var/www
(or /var/www/apache2-default) as they do now. 

So we could adopt this into policy without requiring immediate changes
to everything. First the change would be the web servers, which would
start providing debian-www links in their web document roots, and access
to the debian-www urls for their vhosts. Next would come package
providing cgi scripts, which could begin to document and link to the new
urls to the cgi scripts. And then packages that provide "web
application" content in /var/www would move over to the new set of
directories, and to providing symlinks to it in /var/lib/debian-www/.
After most stuff was converted to using the new system, web servers
would drop support for the old http://host/<doc> and http://<host>/cgi-bin/
and the deprecated parts would become policy violations.

At this time, I'm seeking comments, but not seconds for this proposal.
In particular, I'm interested in any problems with the current web
policy which I did not address.

see shy jo

Attachment: signature.asc
Description: Digital signature

Reply to: