/
submitty.conf
156 lines (134 loc) · 6.49 KB
/
submitty.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
# If hosting more than just Submitty on Apache, you should set the
# VirtualHost * to the domain name you use for Submitty (e.g. example.com)
<VirtualHost *:80>
AddDefaultCharset utf-8
# Set the email address of your webmaster/sysadmin to be displayed in case
# of 500 errors
ServerAdmin ADMIN@DOMAIN.HERE
# Uncomment the ServerName line below and set to the FQDN you are using
# to access Submitty so that this configuration is used for only Submitty
# ServerName __your_domain__
# Set the base root for where files are loaded from, as well as some
# subfolder aliases needed for accessing cgi-bin scripts and git
DocumentRoot /usr/local/submitty/site/public
ScriptAlias /cgi-bin /usr/local/submitty/site/cgi-bin
ScriptAlias /git/ /usr/local/submitty/site/cgi-bin/git-http-backend/
# Specify the files to try and load if user goes to a directory,
# else if they're not found, Apache will just show directory listing
DirectoryIndex index.html index.php index.cgi
# Use the apache2-suexec-custom module to set a user/group that
# we use for all requests that hit this configuration. Therefore,
# all files/directories that get executed must also be owned by
# this user, and so helps us make sure we're better isolated
# from any potential other apache2 configurations that are active.
SuexecUserGroup submitty_cgi submitty_cgi
# Disables use of .htaccess for Submitty. While this is technically
# the default for Apache (as of 2.3.9), we leave this here just
# to make sure we don't ever accidentally start allowing .htaccess
<Directory />
AllowOverride None
</Directory>
# Allow anyone to access things under site/public
<Directory /usr/local/submitty/site/public>
Require all granted
RewriteEngine On
# Routing Flexibility: Removes the trailing slash if it is supplied
# Example: /courses/f21/csci1200/ -> /courses/f21/csci1200
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} /(.*)/$
RewriteRule ^ /%1 [R=301,L]
# If the requested filename exists, simply serve it.
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^ - [L]
# Else if index.html exists on the local filesystem because we are
# updating Submitty, we serve the index.html so that users do not
# get served with strange PHP errors and such.
RewriteCond /usr/local/submitty/site/public/index.html -f
RewriteRule ^ index.html [L]
# Else rewrite urls to use index.php, however we have to be aware of two
# possible conditions of whether index.php is in the URL already or not.
# To be backwards compatible, we want to ensure that having /index.php
# is valid and usable. In anycase, we rewrite everything up-to /index.php
# to be the "url" parameter of the query, and then append whatever else we
# had in the QUERY_STRING after it.
RewriteRule ^(.+)/index\.php$ /index.php?url=$1&%{QUERY_STRING} [B,NC,END]
RewriteRule ^(.+)$ /index.php?url=$1&%{QUERY_STRING} [B,NC,END]
# Allow Authorization header to pass which is used for passing the token
# for API requests
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
</Directory>
# Specification for scripts running under /cgi-bin
<Directory /usr/local/submitty/site/cgi-bin>
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
AddHandler cgi-script .cgi
# We only want to allow internal requests to scripts under
# cgi-bin. If using a domain name for Submitty
# (e.g. example.com), then use Require host, else if
# using IP (e.g. 192.168.56.111), use Require ip. Can add
# as many lines as allowed domains/IP addresses used for
# Submitty access.
# ex:
# Require host example.com
# Require ip 192.168.56.111
Require host __your_domain__
</Directory>
# Git we want to leave open though, with the expectation
# that we will restrict access below to the git-http-backend
<Directory /usr/lib/git-core>
Options +ExecCGI +SymLinksIfOwnerMatch
AllowOverride None
Require all granted
</Directory>
# Set a handler for the PHP scripts, which in this case is proxying
# to PHP-FPM. PHP-FPM also sets the user/group that executes the
# PHP scripts and so they're not affected by the above SuexecUserGroup
<FilesMatch "\.php$">
<If "-f %{REQUEST_FILENAME}">
SetHandler "proxy:unix:/var/run/php/php-fpm-submitty.sock|fcgi://localhost/"
</If>
</FilesMatch>
# Define a matching worker for proxying requests. The max
# number of workers should match the number of available
# pm.max_children that you define within PHP-FPM's configuration.
# On Ubuntu, this will be at:
# /etc/php/<PHP_VERSION>/fpm/pool.d/submitty.conf
#
# The part that is matched to the SetHandler is the part that
# follows the pipe above. If you need to distinguish, "localhost; can
# be anything unique.
<Proxy "fcgi://localhost/" enablereuse=on max=20>
</Proxy>
# These directives block any requests going to things that start
# with a "." or "#" or end with a "~", as these are generally either
# private files or tmp files that regular web users do not need to
# access.
<Files .*>
Require all denied
</Files>
<Files *~>
Require all denied
</Files>
<Files #*>
Require all denied
</Files>
# This overwrites the cgi-bin Directory directive, so that
# we allow any host/ip address for this script, so long as they
# provide proper authentication credentials for the valid-user directive.
# To handle the authentication we use the libapache2-mod-wsgi-py3
# module so that we can use a complex python script that checks stuff in
# the database/PAM and the exact directory trying to be accessed
<Files "git-http-backend">
AuthType Basic
AuthName "Git Access"
AuthBasicProvider wsgi
WSGIAuthUserScript /usr/local/submitty/sbin/authentication.py
Require valid-user
</Files>
# https://httpd.apache.org/docs/2.4/mod/core.html#loglevel
# If you experience weird issues with apache2, you'll want to
# probably drop this to info or debug, but that for general
# operation, just warn is fine
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/submitty.log
CustomLog ${APACHE_LOG_DIR}/submitty.log combined
</VirtualHost>