[Savannah-cvs] [246] DevelSite, HostRedirection: document the gnu/ nongn


From: assafgordon
Subject: [Savannah-cvs] [246] DevelSite, HostRedirection: document the gnu/ nongnu redirection mystery
Date: Sun, 2 Oct 2016 01:56:42 +0000 (UTC)

Revision: 246
          
http://svn.sv.gnu.org/viewvc/?view=rev&root=administration&revision=246
Author:   agn
Date:     2016-10-02 01:56:39 +0000 (Sun, 02 Oct 2016)
Log Message:
-----------
DevelSite,HostRedirection: document the gnu/nongnu redirection mystery

Modified Paths:
--------------
    trunk/sviki/FrontEndDevelopmentSite.mdwn
    trunk/sviki/FrontEndHostRedirection.mdwn

Modified: trunk/sviki/FrontEndDevelopmentSite.mdwn
===================================================================
--- trunk/sviki/FrontEndDevelopmentSite.mdwn    2016-09-29 05:48:19 UTC (rev 
245)
+++ trunk/sviki/FrontEndDevelopmentSite.mdwn    2016-10-02 01:56:39 UTC (rev 
246)
@@ -223,7 +223,9 @@
     cd /home/jsmith/savannah/
     cp -r /etc/savane ./etc/
     chown -R jsmith:jsmith ./etc
-    chgrp www-data ./etc/.savane.conf.php ./etc/savane.pass
+    cd ./etc/savane
+    chgrp www-data .savane.conf.php .savane.pass nongnu-conf/.savane.conf.php
+    chmod o= .savane.conf.php .savane.pass nongnu-conf/.savane.conf.php
 
 *NOTE*: At this point, the files contain the MySQL user/password
 for the production website - DO NOT FORGET TO CHANGE THEM.
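Review bot: `chmod o=` in the added lines only clears the "other" bits, and it runs after `cp -r /etc/savane ./etc/`, so until that step the copied `.savane.conf.php` and `.savane.pass` (which the NOTE says still hold the production MySQL user/password) sit under the home directory with whatever mode `cp` gave them. Suggest a `umask 077` before the `cp -r` and an explicit mode such as `chmod 640`, so that the `www-data` group read bit is guaranteed rather than inherited. The removed line named `savane.pass` and the new one names `.savane.pass`; confirm which file name is correct.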
@@ -258,7 +260,14 @@
     $sys_trackers_attachments_dir=$sys_appdatadir . "/trackers_attachments";
     $sys_debug_email_override_address = "address@hidden";
 
+The following settings should be updated in `./nongnu-conf/.savane.conf.php`
+(note that default-vs-brother are swapped in the nongnu file):
 
+    $sys_default_domain="agn.frontend0.savannah.nongnu.org";
+    $sys_brother_domain="agn.frontend0.savannah.gnu.org";
+    $sys_incdir="/home/agn/savannah/etc/savane/content/nongnu-content";
+
+
 See [[FrontEndHostRedirection]] to learn about gnu/nongnu host redirection
 (keep the debug variable `true` unless you read and understand the redirection
 page).
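Review bot: the added `$sys_default_domain`, `$sys_brother_domain` and `$sys_incdir` values hard-code the `agn` account and `/home/agn/...`, while the commands earlier on this page use the `jsmith` placeholder; a reader copying them verbatim points the nongnu config at another developer's hostnames and content directory. Suggest `jsmith` throughout. The matching nongnu example added to FrontEndHostRedirection.mdwn also sets `$sys_https_host`; list it here too or say why it is not needed.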
@@ -295,14 +304,16 @@
 
 ### Hostnames
 
-The apache config file defines the following server names
-(see also DNS section above):
+The apache config file defines the following virtual host names
 
-    ServerName  jsmith.frontend0.savannah.gnu.org
-    ServerAlias jsmith.frontend0.sv.gnu.org
-    ServerAlias jsmith.frontend0.savannah.nongnu.org
-    ServerAlias jsmith.frontend0.sv.nongnu.org
+    jsmith.frontend0.savannah.gnu.org
+    jsmith.frontend0.sv.gnu.org
+    jsmith.frontend0.savannah.nongnu.org
+    jsmith.frontend0.sv.nongnu.org
 
+See [[FrontEndHostRedirection]] for the gory details
+of savannah's multiple hostnames configuration
+(e.g. gnu/nongnu redirections).
 
 ### SSL Certificates
 
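Review bot: replacing the `ServerName`/`ServerAlias` lines with a bare host list drops the information about which name is the canonical `ServerName`, and the removed "(see also DNS section above)" pointer has no replacement. Since the configuration added elsewhere in this change branches on the exact `HTTP_HOST` value, say here which of the four names serve content and which only redirect. The intro sentence also needs a trailing colon.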
@@ -346,15 +357,20 @@
 
     DocumentRoot /home/jsmith/savanne/savane/frontend/php
 
-
 ### Savane's PHP configuration
 
 In this apache config file, an environment variable `SAVANE_CONF` should
 point to the development site's configuration directory
 (e.g. `frontend0:/home/jsmith/savannah/etc/savane`).
 
-    SetEnv SAVANE_CONF /home/jsmith/savannah/etc/savane/
+  <If "%{HTTP_HOST} == 'agn.frontend0.savannah.gnu.org'">
+    SetEnv SAVANE_CONF /home/agn/savannah/etc/savane/
+  </If>
+  <ElseIf "%{HTTP_HOST} == 'agn.frontend0.savannah.nongnu.org'">
+    SetEnv SAVANE_CONF /home/agn/savannah/etc/savane/nongnu-conf/
+  </ElseIf>
 
+
 *Sanity checks when visiting <https://jsmith.frontend0.savannah.gnu.org>*
 
 1. Take note of the <TITLE> of the page (usually appears in the title
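Review bot: the `<If>`/`<ElseIf>` pair sets `SAVANE_CONF` only for the two `savannah.*` hosts, so a request arriving with either `sv.*` name from the Hostnames section (or any other Host value) reaches PHP with no `SAVANE_CONF` at all; add a sentence saying those names are redirected before this matters, or add a fallback. The block uses `agn` where the surrounding text uses `jsmith`, and its `<If>` lines are indented two spaces instead of four, so they will not render as a code block the way the `SetEnv` line they replace did.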

Modified: trunk/sviki/FrontEndHostRedirection.mdwn
===================================================================
--- trunk/sviki/FrontEndHostRedirection.mdwn    2016-09-29 05:48:19 UTC (rev 
245)
+++ trunk/sviki/FrontEndHostRedirection.mdwn    2016-10-02 01:56:39 UTC (rev 
246)
@@ -1,30 +1,149 @@
 FrontEnd GNU/NONGNU host redirection
 ====================================
 
-Savannah hosts both GNU and NONGNU projects.
-For each type, it redirects the visitor to the
-correct URL (savannah.gnu.org or savannah.nongnu.org, respectively).
+Savannah handles three types of hosts redirection:
 
-Redirection happens for every project-related page (e.g. main project page,
-bugs, support, etc.).
+1. shortcut URL to full URL (.e.g `*.sv.gnu.org` => `*.savannah.gnu.org`).
+2. `*.gnu.org` <=> `*.nongnu.org`, depending on project's type.
+3. automatic-login to both `savannah.gnu.org` and `savannah.nongnu.org`
 
+Shortcut URL redirection
+------------------------
 
+Shortcur URL redirection (.e.g `*.sv.gnu.org` => `*.savannah.gnu.org`)
+is handled entirely in the apache configuration.
 
-Enable/Disable redirection
---------------------------
+This would've been simple, if it were't for two complications:
 
+1. For HTTP, all URLs should be redirected as-is with full URI
+   (e.g. <http://sv.gnu.org/p/coreutils> should redirect to
+    <http://savannah.gnu.org/p/coreutils>, not just to
+    <http://savannah.gnu.org>) *EXCEPT* the `.well-known` directory,
+   which must not be redirected because of the use
+   of Let's-Encrypt certboot (i.e. <http://sv.gnu.org/.well-known/XXX>
+   must be valid and not redirected).
+   See [[https]] for details about the certbot configuration.
+
+2. For HTTPS, slightly different configuration is set needed
+   on whether it's gnu or nongnu domain,
+   while still requiring that <https://sv.gnu.org/p/coreutils>
+   redirects to the full <https://savannah.gnu.org/p/coreutils>.
+
+The [[FrontEndDevelopmentSite]] currently uses the following method:
+
+    <VirtualHost *:80>
+       ServerName   jsmith.frontend0.savannah.gnu.org
+       ServerAlias  jsmith.frontend0.savannah.nongnu.org
+       ServerAlias  jsmith.frontend0.sv.gnu.org
+       ServerAlias  jsmith.frontend0.sv.nongnu.org
+
+       <If "%{HTTP_HOST} == 'jsmith.frontend0.savannah.gnu.org' && 
%{REQUEST_URI} !~ /\.well-known/" >
+        RedirectMatch "(.*)" https://jsmith.frontend0.savannah.gnu.org$1
+       </If>
+       <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.savannah.gnu.org' && 
%{REQUEST_URI} !~ /\.well-known/" >
+        RedirectMatch "(.*)" https://jsmith.frontend0.savannah.nongnu.org$1
+       </ElseIf>
+       <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.sv.gnu.org' && 
%{REQUEST_URI} !~ /\.well-known/" >
+        RedirectMatch "(.*)" https://jsmith.frontend0.savannah.gnu.org$1
+       </ElseIf>
+       <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.sv.nongnu.org' && 
%{REQUEST_URI} !~ /\.well-known/" >
+        RedirectMatch "(.*)" https://jsmith.frontend0.savannah.nongnu.org$1
+       </ElseIf>
+       Include sites-available/certbot-wellknown.inc
+    </VirtualHost>
+
+
+    <VirtualHost *:443>
+      ServerAlias jsmith.frontend0.sv.gnu.org
+      ServerAlias jsmith.frontend0.sv.nongnu.org
+      ServerName  jsmith.frontend0.savannah.gnu.org
+      ServerAlias jsmith.frontend0.savannah.nongnu.org
+
+      <If "%{HTTP_HOST} == 'jsmith.frontend0.savannah.gnu.org'">
+        SetEnv SAVANE_CONF /home/jsmith/savannah/etc/savane/
+      </If>
+      <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.savannah.nongnu.org'">
+        SetEnv SAVANE_CONF /home/jsmith/savannah/etc/savane/nongnu-conf/
+      </ElseIf>
+      # If the '.sv.gnu.org' shortcut is used, redirect to the full
+      # '.savannah.gnu.org' URL.
+      <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.sv.gnu.org'">
+        RedirectMatch "(.*)" https://jsmith.frontend0.savannah.gnu.org$1
+      </ElseIf>
+      <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.sv.nongnu.org'">
+        RedirectMatch "(.*)" https://jsmith.frontend0.savannah.nongnu.org$1
+      </ElseIf>
+      [...]
+    </VirtualHost>
+
+Note that certbot's configuration uses `Alias`, which has lower precedence
+in Apache than `RedirectMatch` - requiring some fiddling with the conditions.
+
+FIXME: If there's a better configuration, please write to
address@hidden .
+
+FIXME: Document the apache setup for the production website, which use:
+
+     sites-enabled/000-vhosts-gnu.org.conf -> ../sites-available/vhosts-gnu.org
+     sites-enabled/vhosts-nongnu.org.conf -> 
../sites-available/vhosts-nongnu.org
+
+     # in sites-available/vhosts-gnu.org:
+     <VirtualHost *:80>
+       Include sites-available/sv.gnu.inc
+     </VirtualHost>
+     <VirtualHost *:443>
+      Include sites-available/sv.gnu.inc
+     </VirtualHost>
+     <VirtualHost *:443>
+       ServerName frontend0.savannah.gnu.org
+       Include sites-available/sv.inc
+     </VirtualHost>
+
+     # in sites-available/vhosts-nongnu.org:
+     <VirtualHost *:80>
+       Include sites-available/sv.nongnu.inc
+     </VirtualHost>
+     <VirtualHost *:443>
+       Include sites-available/sv.nongnu.inc
+     </VirtualHost>
+     <VirtualHost *:443>
+       ServerName frontend0.savannah.nongnu.org
+       SetEnv SV_LOCAL_INC_PREFIX /etc/savane/nongnu-conf
+       Include sites-available/sv.inc
+     </VirtualHost>
+
+     # in sites-available/sv.gnu.inc:
+     ServerName savannah.gnu.org
+     Include sites-available/sv.inc
+
+     # in sites-available/sv.nongnu.org:
+     ServerName savannah.nongnu.org
+     SetEnv SV_LOCAL_INC_PREFIX /etc/savane/nongnu-conf
+     Include sites-available/sv.inc
+
+
+
+GNU/NONGNU redirection
+----------------------
+
+gnu/nongnu redirection is handled entirely in thePHP code, based on
+whether the viewed project belongs to gnu or not (sometimes refers
+to as 'brother' site in the code/config files).
+
+Example: when a user visits <https://savannah.nongnu.org/projects/coreutils>
+she will be redirected to <https://savannah.gnu.org/projects/coreutils>
+because coreutils is an official gnu package.
+
+
+### Enabling/Disabling redirection
+
 In `.savane.conf.php`, setting the boolean variable
 `$sys_debug_nobasehost` to `true` disable redirection completely -
 useful for [[FrontEndDevelopmentSite]].
 
 
+### Project's based redirection
 
-Redirection hosts
------------------
-
-The hosts used for redirections are defined in the *database*
-(*not* in the configuration file). This is both annoying and confusing.
-
 When page is visited (if it relates to a hosted project), the
 function `$project->getTypeBaseHost()` is called and returns the host
 that is relevant to the viewed project (baed on the project's type).
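Review bot: in the port 80 `<VirtualHost>` example, the first `<ElseIf>` tests `jsmith.frontend0.savannah.gnu.org`, the same host as the `<If>` above it, so its redirect to `https://jsmith.frontend0.savannah.nongnu.org$1` can never fire and plain-HTTP requests for the nongnu name are not sent to HTTPS; the condition should compare against `jsmith.frontend0.savannah.nongnu.org`. The `.well-known` exclusion is an unanchored `!~ /\.well-known/`, which exempts any URI containing that string rather than only the top-level directory; `!~ m#^/\.well-known/#` matches the stated intent. Typos to fix while here: "Shortcur", "were't", "certboot", ".e.g", "is set needed", "thePHP", and the comment `# in sites-available/sv.nongnu.org:`, which should name `sv.nongnu.inc`.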
@@ -71,54 +190,99 @@
 
 Then set `$sys_debug_nobasehost=false;` the development `.savane.conf.php` 
file.
 
-Redirection should work within the development site, between gnu and nongnu.
 
+### PHP Code
 
-Brother-Domain in savane conf
------------------------------
+The variable `$sys_debug_nobasehost` is mentioned in the following files:
 
-In `.savane.conf.php` there are these two variables:
+in `./frontend/php/include/init.php`:
 
+    # if we are at wrong url, redirect
+    if (!$sys_debug_nobasehost && strcasecmp($_SERVER['HTTP_HOST"], 
$project->getTypeBaseHost()) != 0 && $project->getTypeBaseHost())
+    {
+      header ("Location: 
http".(session_issecure()?'s":'")."://".$project->getTypeBaseHost().$_SERVER['PHP_SELF"]);
+      exit;
+    }
+
+in `./frontend/php/include/project_home/php`:
+
+    if (strcasecmp($_SERVER['HTTP_HOST"], $project->getTypeBaseHost()) != 0 && 
$project->getTypeBaseHost())
+     {
+      header ('Location: 
http".(session_issecure()?'s":'").'://".$project->getTypeBaseHost().$_SERVER["REQUEST_URI"]);
+      exit;
+     }
+
+
+
+
+Auto-login to 'brother' site
+----------------------------
+
+When a user visits the login page on
+<https://savannah.gnu.org/account/login.php>, there's is a check-box
+at the bottom of the page asking for "Login also in
+savannah.nongnu.org".
+
+This is called a "brother" site in the code and config files.
+It is implemented using several HTTP redirects from
+one site to the other (e.g from the default 'savannah.gnu.org'
+to 'savannah.nongnu.org') sending hashed session IDs back and
+forth (counting on the fact that both sites run on the same
+physical server and share PHP session cookies).
+
+
+In `/etc/savane/.savane.conf.php` there are these two variables:
+
     $sys_default_domain="savannah.gnu.org";
     $sys_brother_domain="savannah.nongnu.org";
+    $sys_incdir="/etc/savane/content/gnu-content";
 
-Or in a [[FrontEndDevelopmentSite]]:
+In the correspnding `/etc/savane/nongnu-conf/.savane.conf.php` the
+default/brother hosts are swapped:
 
+    $sys_default_domain="frontend0.savannah.nongnu.org";
+    $sys_https_host="$sys_default_domain";
+    $sys_brother_domain="frontend0.savannah.gnu.org";
+    $sys_incdir="/etc/savane/content/nongnu-content";
+
+
+If using a development site [[FrontEndDevelopmentSite]],
+use the following in `/home/jsmith/savannah/etc/savane/.savane.conf.php`:
+
     $sys_default_domain="jsmith.frontend0.savannah.gnu.org";
     $sys_brother_domain="jsmith.frontend0.savannah.nongnu.org";
+    $sys_incdir="/home/jsmith/savannah/etc/savane/content/gnu-content";
 
-These variables only seem to affect the login process
-(i.e. the "Login also in savannah.nongnu.org" checkbox in the login page).
+and in `/home/jsmith/savannah/etc/savane/nongnu-conf/.savane.conf.php`:
 
-Setting these alone will not make the redirection work - updating the database
-is required (as shown above).
+    $sys_default_domain="jsmith.frontend0.savannah.nongnu.org";
+    $sys_https_host="$sys_default_domain";
+    $sys_brother_domain="jsmith.frontend0.savannah.gnu.org";
+    $sys_incdir="/home/jsmith/savannah/etc/savane/content/nongnu-content";
 
+The apache configuration must be set appropriately for each domain.
+See `SAVANE_CONF` settings above.
 
+*NOTE*:
+If the "login to [brother] set" checkbox is set,
+Savannah will do the redirection even if the variable is set
+(`$sys_debug_nobasehost=true`).
+If you forget to update the settings in `nongnu-conf/.savane.conf.php`,
+you might get redirected to the real website (e.g. `savannah.nongnu.org`),
+which will not only confuse things, but will also cause troubles
+with cookie authentication (you'll see an error message saying
+"Savane thinks your cookies are not activated for XXX" from `login.php`).
 
-PHP Code
---------
 
-The variable `$ sys_debug_nobasehost` is mentioned in the following files:
+The 'brother' login sequences is used in two files:
+`./frontend/php/account/login.php` and `./frontend/php/account/su.php`
+(`su` implements "become superuser" feature for admins).
 
-    $ git grep debug_nobasehost
-    include/init.php:$sys_debug_nobasehost = false;
-    include/init.php:  if (isset($group_id) && empty($no_redirection) && 
!$sys_debug_nobasehost)
-    include/project_home.php:if (!$sys_debug_nobasehost && 
strcasecmp($_SERVER['HTTP_HOST'], $project->getTypeBaseHost())
+The gist is:
 
-The variable domain/brother-domain variables are mentioned here:
+1. After successful login to `savannah.gnu.org`, `login.php` will redirect to:
+   
<https://savannah.NONGNU.org/account/login.php?session_uid=94790&session_hash=XXXXXXXXXX&cookie_for_a_year=&from_brother=1&login=1&stay_in_ssl=1&brotherhood=1&uri=%2F>
 
-    $ git grep brother_domain
-    account/login.php:      if (!empty($GLOBALS['sys_brother_domain']) && 
$brotherhood)
-    account/login.php:            header ("Location: 
".$http."://".$GLOBALS['sys_brother_domain'].$GLOBALS['sys_home']."/a
-    account/login.php:            header("Location: 
".$http."://".$GLOBALS['sys_brother_domain'].$uri);
-    account/login.php:if (!empty($GLOBALS['sys_brother_domain']))
-    account/login.php:  printf (_("Login also in %s").'</span><br />', 
$GLOBALS['sys_brother_domain']);
-    account/su.php:  if (!empty($GLOBALS['sys_brother_domain']))
-    account/su.php:   header ("Location: 
".su_getprotocol()."://".$GLOBALS['sys_brother_domain'].$GLOBALS['sys_home']."acc
-    account/su.php: header("Location: 
".su_getprotocol()."://".$GLOBALS['sys_brother_domain'].$uri);
-    account/su.php:  header("Location: 
".su_getprotocol()."://".$GLOBALS['sys_brother_domain'].$uri);
-    account/su.php:  if (!empty($GLOBALS['sys_brother_domain']))
-    account/su.php:   header ("Location: 
".su_getprotocol()."://".$GLOBALS['sys_brother_domain'].$GLOBALS['sys_home']."acc
-    account/su.php: header("Location: 
".su_getprotocol()."://".$GLOBALS['sys_brother_domain'].$uri);
-    account/su.php:  header("Location: 
".su_getprotocol()."://".$GLOBALS['sys_brother_domain'].$uri);
-
+2. `login.php` (this time called on host `savannah.nongnu.org`) will see
+   that `$from_brother=1`, and will set the cookie/session for this domain
+   as well, then redirect back to `savannah.gnu.org/`.
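Review bot: the example URL in step 1 shows `session_uid` and `session_hash` travelling in the query string of a cross-site redirect, and the page does not say that these values then land in web server access logs and browser history; add a sentence on that and on how long the hash stays valid, and replace `session_uid=94790` with a placeholder as was done for the hash. The PHP excerpts have mismatched quotes (`$_SERVER['HTTP_HOST"]`, `'s":'"`) and will not parse if copied, and the second file path should read `project_home.php`, not `project_home/php`. Minor wording: "correspnding", "there's is", "login to [brother] set".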



