Notes about setting up a Moin-1.5.3 Wiki Farm on SL4 with these features:
- Apache/SSL
- mod_python
- multiple wikis
install Apache with SSL support
rm -rf /etc/httpd
yum -y install httpd system-config-httpd mod_python mod_ssl mod_auth_kerb
/sbin/service httpd start
Check that http and https work. A dummy certificate is created automatically during mod_ssl installation.
TODO
- htdocs/index.html should be adapted
- apache config to redirect everything to http
- share the underlay directories
- farmconfig? or stay with one mod_python instance per wiki (safer?)
moin basic installation (single wiki, CGI)
cd /tmp
tar xvfz moin-1.5.3.tar.gz
cd moin-1.5.3
python setup.py --quiet install --prefix=/usr1/moin --record=/tmp/moin.inst.log
Create a Wiki instance:
cd /usr1/moin/share/moin
mkdir testwiki
cp -a data underlay testwiki
mkdir testwiki/cgi-bin
cp server/moin.cgi testwiki/cgi-bin
cp config/wikiconfig.py testwiki
chown -R apache:apache testwiki
chmod -R ug+rwX testwiki
chmod -R o-rwx testwiki
Deal with SELinux:
chcon -R system_u:object_r:httpd_sys_content_t /usr1/moin
chcon -R system_u:object_r:httpd_sys_script_exec_t testwiki/cgi-bin
chcon system_u:object_r:httpd_sys_content_t /usr1
The last one is important, or apache cannot access the wiki.
=> better have a separate filesystem under / for that
These lines are needed in testwiki/cgi-bin/moin.cgi:
sys.path.insert(0, '/usr1/moin/share/moin/testwiki')
sys.path.insert(0, '/usr1/moin/lib/python2.3/site-packages')
Edit wikiconfig.py:
sitename = u'Test Wiki'
page_front_page = u"TestWiki"
data_dir = '/usr1/moin/share/moin/testwiki/data/'
data_underlay_dir = '/usr1/moin/share/moin/testwiki/underlay/'
The default of './data' for data_dir and './underlay' for data_underlay_dir doesn't work. The paths are relative to the cgi executable, hence would need to be '../data' etc.
Create /etc/httpd/conf.d/moin.conf:
Alias /wiki/ "/usr1/moin/share/moin/htdocs/"
<Directory "/usr1/moin/share/moin/htdocs/">
    Order deny,allow
    Allow from all
</Directory>
ScriptAlias /testwiki "/usr1/moin/share/moin/testwiki/cgi-bin/moin.cgi"
<Directory "/usr1/moin/share/moin/testwiki/cgi-bin/">
    Order deny,allow
    Allow from all
</Directory>
mod_python
Simply change the Apache config to this:
Alias /wiki/ "/usr1/moin/share/moin/htdocs/"
<Directory "/usr1/moin/share/moin/htdocs/">
    Order deny,allow
    Allow from all
</Directory>
<Location /testwiki>
    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/testwiki', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter testwiki
</Location>
So instead of the ScriptAlias we define a Location and have it handled by mod_python. The PythonInterpreter directive is not needed if just a single wiki is set up, but it's crucial if multiple wikis are used.
add another Wiki
Simply create another directory:
cd /usr1/moin/share/moin
mkdir DVInfo
cp -a data underlay DVInfo
cp testwiki/wikiconfig.py DVInfo
chown -R apache:apache DVInfo
chmod -R ug+rwX DVInfo
chmod -R o-rwx DVInfo
The SELinux context should be correct without having to chcon. Now make the obvious changes in DVInfo/wikiconfig.py and create the Apache configuration for the wiki in /etc/httpd/conf.d/moin-DVInfo.conf:
<Location /DVInfo>
    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/DVInfo', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter DVInfo
</Location>
Don't forget the last directive, or the subinterpreters for the wikis will share a single namespace. This doesn't work well...
Security: Force SSL
Add to Apache config (in global context):
<VirtualHost *:80>
    RewriteEngine on
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</VirtualHost>
Secure Wiki using Kerberos5 and automatic user creation
Surprisingly, this even works with SELinux enabled.
Make wikiconfig.py start like this:
Lines 1 and 4 are there by default. Lines 2, 5 and 6 need to be added. Notice that spaces are significant in Python...
Add to Apache config:
<Location /DVInfo>
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms IFH.DE
    KrbVerifyKDC Off
    #Krb5KeyTab /etc/httpd/conf/keytab
    require valid-user
</Location>
- only works if /etc/krb5.conf is MIT-compatible
  - and maybe we could finally roll one out that is ?!
- for production, one should of course:
  - get a keytab file for HTTP/host.ifh.de and configure it
  - set KrbVerifyKDC On
  - then Negotiate should work as well (Kerberos without a password from browsers)
Now Krb5 authentication happens before this wiki can be accessed, and MoinMoin will automatically create a user profile! The username is the Kerberos principal (user@IFH.DE), which is ugly! However, with a very tiny patch
--- MoinMoin/auth.py.orig 2006-06-05 15:54:55.000000000 +0200 +++ MoinMoin/auth.py 2006-06-05 15:55:13.000000000 +0200 @@ -183,6 +183,7 @@ auth_type = env.get('AUTH_TYPE','') if auth_type in ['Basic', 'Digest', 'NTLM', 'Negotiate',]: username = env.get('REMOTE_USER','') + username = username.split('@')[0] if auth_type in ('NTLM', 'Negotiate',): # converting to standard case so the user can even enter wrong case # (added since windows does not distinguish between e.g.
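Review bot: the added `username = username.split('@')[0]` strips the realm for every auth_type in the list, so two principals that differ only in their realm (user@IFH.DE and user@DESY.DE, which are both accepted once KrbAuthRealms lists several realms as suggested further down) are collapsed into the same wiki account, and a Basic or Digest REMOTE_USER that happens to contain '@' is truncated too; suggest stripping only the realm the site configures (and rejecting or explicitly mapping any other realm), and leaving the value untouched for Basic and Digest.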
it works acceptably. An alias can be set in the User Preferences, which will be shown e.g. in the Recent Changes. And one could create a second homepage which just includes the first one, e.g. StephanWiesand would look like this:
[[Include(wiesand)]]
Obviously, instead of stripping the realm, one could
- replace it with @DESY.DE
- fetch information from VAMOS or the registry and construct a WikiName
  - this runs for EVERY request, hence the result should be cached persistently
  - possibly: create a mapping table for all registered users (platform adapter?)
Notice that mod_auth_kerb can deal with a list of realms to try.
- how about IFH.DE DESY.DE ?
- or IFH.DE DESY.DE WIN.DESY.DE ?
  - verified: this works!
- or, maybe even IFH.DE DESY.DE WIN.DESY.DE CERN.CH ... ???
It just needs a service key for all of these realms (or leaving KrbVerifyKDC off, which also inhibits Negotiate aka SPNEGO).
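To make the realm question above concrete, here is an added example (not MoinMoin's code) that puts the patch's unconditional `split('@')[0]` next to a realm-aware mapping of the kind the list suggests, and checks which one lets principals from different realms collide in a single wiki account; the realm table, suffixes and sample principals are constructed for the demo.

```python
"""Realm-aware mapping of a Kerberos REMOTE_USER to a wiki account name.
Added example, not MoinMoin code; the realm table and sample principals are
constructed for the demo (a real deployment reads REMOTE_USER from the
request environment, as MoinMoin/auth.py does)."""

def naive_username(remote_user):
    """What the one-line patch does: drop everything after the first '@'."""
    return remote_user.split('@')[0]

class UnknownRealm(ValueError):
    """REMOTE_USER carried a realm that is not in the mapping table."""

# Constructed table: realm -> suffix appended to the local part. The primary
# realm maps to the bare name; every other accepted realm keeps a distinct
# suffix, so principals from two realms can never share one wiki account.
REALM_SUFFIX = {'IFH.DE': '', 'DESY.DE': '.desy', 'WIN.DESY.DE': '.win'}

def realm_aware_username(remote_user, realm_suffix=REALM_SUFFIX,
                         default_realm='IFH.DE'):
    """Map 'user@REALM' to a wiki name. A bare 'user' (as Basic/Digest auth
    delivers it) is treated as the default realm; an unknown realm is
    rejected instead of being silently collapsed into an existing account."""
    local, sep, realm = remote_user.partition('@')
    if not local or '@' in realm:
        raise ValueError('malformed principal: %r' % (remote_user,))
    if not sep:
        realm = default_realm
    if realm not in realm_suffix:
        raise UnknownRealm(realm)
    return local + realm_suffix[realm]

def account_collisions(principals, mapper):
    """Return {wiki_name: [principals]} for every name claimed by more than
    one principal; principals the mapper rejects get no account at all."""
    claimed = {}
    for principal in principals:
        try:
            claimed.setdefault(mapper(principal), []).append(principal)
        except ValueError:
            continue
    return {name: ps for name, ps in claimed.items() if len(ps) > 1}

# Constructed sample: the same local part in two of the realms discussed above.
SAMPLE_PRINCIPALS = ['wiesand@IFH.DE', 'wiesand@DESY.DE',
                     'admin@WIN.DESY.DE', 'admin@CERN.CH']

if __name__ == '__main__':
    print(account_collisions(SAMPLE_PRINCIPALS, naive_username))  # two names claimed twice
    print(account_collisions(SAMPLE_PRINCIPALS, realm_aware_username))  # {}
```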
Refinement: Allow anonymous access, login, logout
Example: "xwiki".
/etc/httpd/conf.d/moin-xwiki.conf:
<Location /xwiki>
    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/xwiki', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter xwiki
</Location>
<Location /xwiki(auth)>
    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/xwiki', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter xwiki
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Please log in with your Kerberos (AFS) Password"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms IFH.DE
    KrbVerifyKDC Off
    #Krb5KeyTab /etc/httpd/conf/keytab
    require valid-user
</Location>
And in ssl.conf, add to the virtual host (at the end):
RewriteEngine on
RewriteCond %{QUERY_STRING} action=login$
RewriteRule ^(.+)/(.+)$ $1(auth)/$2? [L,R]
RewriteCond %{QUERY_STRING} action=logout
RewriteRule ^(.+)\(auth\)(.+)$ $1$2? [L,R]
It turns out this can also be combined into /etc/httpd/conf.d/moin-xwiki.conf:
<Location /xwiki>
    Order Deny,Allow
    Allow from All
    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/xwiki', '/usr1/moin/lib/python2.4/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter xwiki
    RewriteEngine on
    RewriteCond %{QUERY_STRING} action=login$
    RewriteRule ^.+?/xwiki/(.+)$ /xwiki(authenticated)/$1? [L,R]
</Location>
<Location /xwiki(authenticated)>
    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/xwiki', '/usr1/moin/lib/python2.4/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter xwiki
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Please log in with your Kerberos (AFS) Password"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms IFH.DE
    KrbVerifyKDC Off
    #Krb5KeyTab /etc/httpd/conf/keytab
    require valid-user
    RewriteEngine On
    RewriteCond %{QUERY_STRING} action=logout
    RewriteRule ^.+?/xwiki\(authenticated\)/(.*)$ /xwiki/$1 [L,R]
</Location>