Apache

UGCS uses Apache2 to do our webserving. However, we have a number of customizations to make it work nicely with AFS etc.

=Customizations=
 * Apache needs to start under K5start so everything has the right kerberos tokens (for www-data). This requires a minor modification to apache2ctl: on the line where it starts httpd, you need to prepend a ${KSTART_CMD} to the command.  Note that you will have to re-do this edit every time apache2 is updated.

export APACHE_ARGUMENTS='-D NO_DETACH'
 * You then need to edit the file /etc/apache2/envvars:

export KSTART_CMD="/usr/bin/k5start -b -o www-data -g www-data -m 640 -K 10 -t -f /etc/apache2/www-data.keytab www-data@UGCS.CALTECH.EDU --"

This way apache won't background, which causes k5start to exit. k5start only really works right with AFS when it is running a command. You also have to make sure that the wrapper scripts create a new PAG before getting tokens, otherwise AFS will get confused (you can tell by running `tokens`, `klist` won't show it)

=Basic info=
 * Currently www.ugcs.caltech.edu is a CNAME for poseidon. Poseidon runs apache2 and is the main webserver
 * Dionysus also has a copy of the webserver and its config. Webserver config is generated on demeter and distributed through remctl and cfengine.
 * Logs are sent to charon via syslog-ng. syslog:local1 (/var/log/ugcs/poseidon/local1.log) is used for errors, and syslog:local2 (/var/log/ugcs/poseidon/local2.log) is used for access logs.  The messages go through wrapper scripts in /usr/local/sbin which also try to determine what user the message was for, and put it in their appropriate folder in /afs/.ugcs/apache-logs. See also Logging

=Scripts= Scripting on UGCS is run through a series of wrappers and some apache configuration. The apache configuration re-writes requests for ~/cgi-bin and ~/*.php to the appropriate wrapper scripts. There is a bit of messiness in the configuration to make sure that the file exists (and is accessable) before it gets rewritten to avoid information leakage. See /etc/apache2/site-parts/ugcs-homedirs for the scripts

The wrapper scripts are /usr/local/lib/apache/(php,cgi)-wrapper.

FastCGI
For vhost php scripting, we have a fastcgi system set up. This way, the php-cgi processes can stay alive and we avoid the huge hit (~0.3s) to start up php each time. It works by having fastcgi call a different wrapper (/usr/local/lib/apache/fcgi-php-vhost) which does roughly the same things (gets tokens, etc) but doesn't do filename checks and runs k5start background to keep php-cgi's tokens alive.

This means that if you change php or fastcgi stuff, you need to either completely restart apache or "killall php-cgi" so the new changes will get picked up.

=Virtual hosts= Virtual hosts are supported by a series of remctl scripts that automatically generate the configuration files, place them in the appropriate place, and reload apache as necessary. See Remctl and demeter:/usr/local/lib/remctl/vhost and demeter:/usr/local/lib/vhost

See `man vhost`, and also create_vhost (a wrapper to automate creating the files)

Note that if you remove a vhost, you have to manually delete stuff from drop/vhost/aliases and from the vhosts directory on the webservers.

=Nagios tests=
 * Basic HTTP (issues a GET / request, sees if it succeedes)
 * User static/cgi/php- gets files from /~test/ to make sure they work and the script wrapper is working correctly. The test php script also tries to connect to the database
 * Vhost static/cgi/php- gets files from jdtest.caltech.edu (vhost for test) and checks same thing as user stuff
 * Apache k5start process- ensures that apache's k5start process hasn't died
 * fastcgi process count- makes sure that at least 1 or 2 fastcgi processes are running, otherwise there is probably an issue with the fastcgi setup