Update 260310: Apache 2.2 uses the directive AuthUserFile rather than the AuthDigestFile directive used by Apache 2.0.
The purpose of this document is minimizing downtime and possible errors.
It is understood that before following this process in a production server, you have done it successfully on a test machine!!!
This process should be repeatable by copy-paste by someone without any previous knowledge.
PRE
Compile and install a new Apachef1 version
cd /usr/local/src
rm -Rf httpd-2.0.63
wget http://www.apache.org/dist/httpd/httpd-2.0.63.tar.bz2
wget http://www.apache.org/dist/httpd/httpd-2.0.63.tar.bz2.md5
md5sum httpd-2.0.63.tar.bz2 > apache.md5
diff apache.md5 httpd-2.0.63.tar.bz2.md5
rm apache.md5
tar -xvjf httpd-2.0.63.tar.bz2
cd httpd-2.0.63
./configure --prefix=/usr/local/apachef1.2.0.63 --enable-rewrite --enable-ssl --with-mpm=prefork --enable-auth-digest --disable-include --disable-env --enable-status --disable-asis --disable-cgi --disable-negotiation --disable-autoindex --disable-imap --disable-actions --disable-userdir --disable-alias
make
make install
/usr/local/apachef1.2.0.63/bin/httpd -l
Create new password files to use with htdigest
For F1…
cd /home/ulysse/bf/f1/
/usr/local/apache/bin/htdigest -c .auth.digest.f1 PrivateArea.f1 NewUserName
chown nobody:ulysse .auth.digest.f1
chmod 640 .auth.digest.f1
For test…
cd /home/ulysse/bf/test/
/usr/local/apache/bin/htdigest -c .auth.digest.sandbox PrivateArea.sandbox NewUserName
chown nobody:ulysse .auth.digest.sandbox
chmod 640 .auth.digest.sandbox
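The two htdigest files above hold one line per user of the form user:realm:MD5(user:realm:password), and the realm must match the AuthName of the Directory block that uses the file, otherwise every login fails. The script below is an added example, not part of the original runbook: it builds a line the same way htdigest does, then verifies that a digest file has mode 640 and that every line is well formed with the expected realm. The user name and realm come from the page; the password and temporary directory are constructed here, and md5sum is assumed to be available.

```shell
#!/bin/sh
# Added check for htdigest password files (example, not from the runbook).
# Assumes GNU/BSD ls and md5sum; "sandbox-pw" and the temp dir are made up.

# Build one htdigest line: user:realm:MD5(user:realm:password).
# This is the HA1 value of RFC 2617, which is what htdigest stores.
digest_line() {
    user=$1; realm=$2; pass=$3
    hash=$(printf '%s' "$user:$realm:$pass" | md5sum | cut -d' ' -f1)
    printf '%s:%s:%s\n' "$user" "$realm" "$hash"
}

# Verify a digest file: permission bits rw-r-----, and each line is
# user:realm:32-hex-hash with the realm equal to the AuthName in use.
# Returns 0 when everything checks out, 1 on the first problem found.
check_digest_file() {
    file=$1; want_realm=$2
    perms=$(ls -ld "$file" 2>/dev/null | cut -c1-10) || return 1
    if [ "$perms" != "-rw-r-----" ]; then
        echo "bad permissions '$perms' on $file (want -rw-r-----)"; return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then continue; fi
        user=${line%%:*}
        rest=${line#*:}
        realm=${rest%%:*}
        hash=${rest#*:}
        # Fewer or more than three colon-separated fields is malformed.
        if [ "$user" = "$line" ] || [ "$realm" = "$rest" ]; then
            echo "malformed line: $line"; return 1
        fi
        case "$hash" in *:*) echo "malformed line: $line"; return 1;; esac
        if [ "$realm" != "$want_realm" ]; then
            echo "realm '$realm' does not match AuthName '$want_realm'"; return 1
        fi
        case "$hash" in *[!0-9a-f]*) echo "hash is not hex: $line"; return 1;; esac
        if [ ${#hash} -ne 32 ]; then
            echo "hash length ${#hash} != 32: $line"; return 1
        fi
    done < "$file"
    return 0
}

# Stand-alone demo: create a file the way the runbook does, then check it.
demo_digest_file() {
    dir=$(mktemp -d)
    digest_line NewUserName PrivateArea.sandbox sandbox-pw > "$dir/.auth.digest.sandbox"
    chmod 640 "$dir/.auth.digest.sandbox"
    check_digest_file "$dir/.auth.digest.sandbox" PrivateArea.sandbox
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run check_digest_file against /home/ulysse/bf/f1/.auth.digest.f1 with realm PrivateArea.f1 and against the sandbox file with PrivateArea.sandbox before switching the config over; the realm check catches the most common Digest mistake (file created with one realm, AuthName set to another), and the permission check confirms the chmod 640 above took effect.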
Copy old configuration files
cp -fa /usr/local/apachef1/conf/* /usr/local/apachef1.2.0.63/conf/
cp -fa /usr/local/apachef1/logs/* /usr/local/apachef1.2.0.63/logs/
cp -fa /usr/local/apachef1/modules/* /usr/local/apachef1.2.0.63/modules/
Disable .htaccess on specific directories
Make a copy of the actual online configuration
cp /usr/local/apache/conf/httpd-bf.conf /usr/local/apache/conf/httpd-bf.conf.`date +%d%b%g`
Edit /usr/local/apache/conf/httpd-bf.conf
In the <VirtualHost *:80> section, change the following lines:
<Directory /home/ulysse/bf>
# AuthName "By Invitation Only ="
# AuthType Basic
# AuthUserFile /home/ulysse/bf/.htpasswd
# Require valid-user
DirectoryIndex index.cfm
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
Include conf/forbiddenIpsAndAgents.conf
Include conf/httpd-rewrite-bf.conf
</Directory>
**TO**
<Directory /home/ulysse/bf>
# AuthName "By Invitation Only ="
# AuthType Basic
# AuthUserFile /home/ulysse/bf/.htpasswd
# Require valid-user
DirectoryIndex index.cfm
Options FollowSymLinks
--> AllowOverride None <--
Order allow,deny
Allow from all
Include conf/forbiddenIpsAndAgents.conf
Include conf/httpd-rewrite-bf.conf
</Directory>
In the <VirtualHost *:443> section, change the following lines:
<Directory /home/ulysse/bf>
DirectoryIndex index.cfm
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
Include conf/forbiddenIpsAndAgents.conf
Include conf/httpd-rewrite-bf.conf
</Directory>
**TO**
<Directory /home/ulysse/bf>
DirectoryIndex index.cfm
Options FollowSymLinks
--> AllowOverride None <--
Order allow,deny
Allow from all
Include conf/forbiddenIpsAndAgents.conf
Include conf/httpd-rewrite-bf.conf
</Directory>
Set up Digest Authentication
Edit /usr/local/apache/conf/httpd.conf
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.`date +%d%b%g`
vi /usr/local/apache/conf/httpd.conf
Find the line that reads:
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>
**And add:**
<FilesMatch "^\.auth">
Order allow,deny
Deny from all
</FilesMatch>
Change the following sections:
vi /usr/local/apache/conf/httpd-bf.conf
In Virtual host www.hummy.org
Change:
<Directory /home/ulysse/bf/f1>
Deny from all
Allow from 127.0.0.1
Order deny,allow
AuthName "Access 2 f1"
AuthType Basic
AuthUserFile /home/ulysse/bf/.htpasswd.disabled
Require valid-user
DirectoryIndex index.cfm
Options FollowSymLinks
AllowOverride All
# Order allow,deny
# Allow from all
</Directory>
To:
<Directory /home/ulysse/bf/f1>
Deny from all
Allow from 127.0.0.1
Order deny,allow
--> AuthName "PrivateArea.f1" <--
--> AuthType Digest <--
--> AuthDigestFile /home/ulysse/bf/f1/.auth.digest.f1 <--
Require valid-user
DirectoryIndex index.cfm
Options FollowSymLinks
AllowOverride All
# Order allow,deny
# Allow from all
</Directory>
Change:
<Directory /home/ulysse/bf/test>
AllowOverride All
AuthName "Access 2 test"
AuthType Basic
AuthUserFile /home/ulysse/bf/test/.htpasswd
Require valid-user
Order allow,deny
Allow from all
</Directory>
To:
<Directory /home/ulysse/bf/test>
AllowOverride All
--> AuthName "PrivateArea.sandbox" <--
--> AuthType Digest <--
--> AuthDigestFile /home/ulysse/bf/test/.auth.digest.sandbox <--
Require valid-user
Order allow,deny
Allow from all
</Directory>
In Virtual host monitor.hummy.org
**Change:**
<Directory /home/ulysse/bf>
AllowOverride All
AuthName "Access 2 test"
AuthType Basic
AuthUserFile /home/ulysse/bf/test/.htpasswd
Require valid-user
Order allow,deny
Allow from all
</Directory>
**TO:**
<Directory /home/ulysse/bf>
AllowOverride All
--> AuthName "PrivateArea.sandbox" <--
--> AuthType Digest <--
--> AuthDigestFile /home/ulysse/bf/test/.auth.digest.sandbox <--
Require valid-user
Order allow,deny
Allow from all
</Directory>
In Virtual host https://www.hummy.org
Change:
<Directory /home/ulysse/bf/f1>
Deny from all
Allow from 127.0.0.1
Order deny,allow
AuthName "Access 2 f1"
AuthType Basic
AuthUserFile /home/ulysse/bf/.htpasswd.disabled
Require valid-user
###DirectoryIndex index.cfm
Options FollowSymLinks
AllowOverride All
# Order allow,deny
# Allow from all
</Directory>
To:
<Directory /home/ulysse/bf/f1>
Deny from all
Allow from 127.0.0.1
Order deny,allow
--> AuthName "PrivateArea.f1" <--
--> AuthType Digest <--
--> AuthDigestFile /home/ulysse/bf/f1/.auth.digest.f1 <--
Require valid-user
###DirectoryIndex index.cfm
Options FollowSymLinks
AllowOverride All
# Order allow,deny
# Allow from all
</Directory>
Change:
<Directory /home/ulysse/bf/test>
AllowOverride All
AuthName "Access 2 test"
AuthType Basic
AuthUserFile /home/ulysse/bf/test/.htpasswd
Require valid-user
Order allow,deny
Allow from all
</Directory>
To:
<Directory /home/ulysse/bf/test>
AllowOverride All
--> AuthName "PrivateArea.sandbox" <--
--> AuthType Digest <--
--> AuthDigestFile /home/ulysse/bf/test/.auth.digest.sandbox <--
Require valid-user
Order allow,deny
Allow from all
</Directory>
Edit /usr/local/apachef1.2.0.63/conf/httpd.conf
cp /usr/local/apachef1.2.0.63/conf/httpd.conf /usr/local/apachef1.2.0.63/conf/httpd.conf.`date +%d%b%g`
vi /usr/local/apachef1.2.0.63/conf/httpd.conf
**Find the line that reads:**
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>
**And add:**
<FilesMatch "^\.auth">
Order allow,deny
Deny from all
</FilesMatch>
Change the following sections in Apache F1:
cp /usr/local/apachef1.2.0.63/conf/httpd-bf.conf /usr/local/apachef1.2.0.63/conf/httpd-bf.conf.`date +%d%b%g`
vi /usr/local/apachef1.2.0.63/conf/httpd-bf.conf
Change:
<Directory /home/ulysse/bf>
AuthName "By Invitation Only"
AuthType Basic
AuthUserFile /home/ulysse/bf/.htpasswd.disabled
Require valid-user
DirectoryIndex index.cfm
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
Include conf/httpd-rewrite-bf.conf
</Directory>
To:
<Directory /home/ulysse/bf>
--> AuthName "PrivateArea.sandbox" <--
--> AuthType Digest <--
--> AuthDigestFile /home/ulysse/bf/test/.auth.digest.sandbox <--
Require valid-user
DirectoryIndex index.cfm
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
Include conf/httpd-rewrite-bf.conf
</Directory>
Change:
<Directory /home/ulysse/bf/f1>
AuthName "Admin Only"
AuthType Basic
AuthUserFile /home/ulysse/bf/f1/.htpasswd
Require valid-user
DirectoryIndex index.cfm
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
To:
<Directory /home/ulysse/bf/f1>
--> AuthName "PrivateArea.f1" <--
--> AuthType Digest <--
--> AuthDigestFile /home/ulysse/bf/f1/.auth.digest.f1 <--
Require valid-user
DirectoryIndex index.cfm
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
Check apachef1 syntax
/usr/local/apachef1.2.0.63/bin/apachectl -t
Copy the already prepared files with current config for apache
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.`date +%d%b%g`
cp /usr/local/apache/conf/httpd-bf.conf /usr/local/apache/conf/httpd-bf.conf.`date +%d%b%g`
cp /usr/local/apache/conf/httpd.conf.28May08.toRestore /usr/local/apache/conf/httpd.conf
cp /usr/local/apache/conf/httpd-bf.conf.28May08.toRestore /usr/local/apache/conf/httpd-bf.conf
Check apache syntax
/usr/local/apache/bin/apachectl -t
IN 1/2
Move .htpasswd files to root
mkdir -p /root/bf/test
mkdir -p /root/bf/f1
mv /home/ulysse/bf/.htpasswd.disabled /root/bf
mv /home/ulysse/bf/test/.htpasswd /root/bf/test
mv /home/ulysse/bf/f1/.ht* /root/bf/f1
Substitute the current apachef1
cd /usr/local
/etc/init.d/apachef1 stop
mv apachef1 apachef1.`date +%d%b%g`
ln -s apachef1.2.0.63 apachef1
/etc/init.d/apachef1 start
Open a tunnel to Online and try to use the Intranet
ssh user@www.hummy.org -L 8080:localhost:8080
http://production:8080/f1/login.cfm
Rollback 1/2
Restore the old Apachef1 installation and restart
rm /usr/local/apachef1
mv /usr/local/apachef1.`date +%d%b%g` /usr/local/apachef1
or
mv /usr/local/apachef1.DATE /usr/local/apachef1
/etc/init.d/apachef1 stop
/etc/init.d/apachef1 start
IN 2/2
Restart Apache
/etc/init.d/apache restart
Check
http://www.hummy.org
https://www.hummy.org
http://www.hummy.org/test
https://www.hummy.org/test
Change the username/pass for these scripts
cp /home/ulysse/util/scripts/wget.cron.dailylog.sh /home/ulysse/util/scripts/wget.cron.dailylog.sh.`date +%d%b%g`
cp /home/ulysse/util/scripts/wget.cron.sh /home/ulysse/util/scripts/wget.cron.sh.`date +%d%b%g`
cp /home/ulysse/util/scripts/wgetpage.sh /home/ulysse/util/scripts/wgetpage.sh.`date +%d%b%g`
Check these scripts for all occurrences in ulysse's crontab:
/home/ulysse/util/scripts/wget.cron.dailylog.sh "http://localhost/f1/proc/act_send_generic_mail.cfm?autoprocess=1" notif
/home/ulysse/util/scripts/wget.cron.sh "http://www.hummy.org/lucene/luceneindex.cfm?members=" lucene_index
/home/ulysse/util/scripts/wget.cron.sh "http://www.hummy.org/lucene/luceneindex.cfm?blog=" lucene_index
/home/ulysse/util/scripts/wget.cron.sh "http://www.hummy.org/lucene/luceneindex.cfm?stocks=" lucene_index
/home/ulysse/util/scripts/wget.cron.sh "http://www.hummy.org/lucene/luceneindex.cfm?holdings=" lucene_index
/home/ulysse/util/scripts/wget_seekingalpha.sh
Check if there are more scripts using wget locally
Rollback 2/2
Restore the old Apache config files (backed up in IN 2/2) and restart
cp /usr/local/apache/conf/httpd.conf.`date +%d%b%g` /usr/local/apache/conf/httpd.conf
cp /usr/local/apache/conf/httpd-bf.conf.`date +%d%b%g` /usr/local/apache/conf/httpd-bf.conf
or
cp /usr/local/apache/conf/httpd.conf.DATE /usr/local/apache/conf/httpd.conf
cp /usr/local/apache/conf/httpd-bf.conf.DATE /usr/local/apache/conf/httpd-bf.conf
/etc/init.d/apache restart
POST
Checks
1.
http://www.hummy.org
https://www.hummy.org
http://www.hummy.org/server-status
Visit a member's page
Visit a member's page using HTTPS
2.
www.hummy.org/f1/index.cfm
http://production:8080/f1/index.cfm
3.
http://www.hummy.org/test/mrtg/mr6/index.html
https://www.hummy.org/test/mrtg/mr6/index.html
http://www.hummy.org/test/collectd/mr5/index.html
https://www.hummy.org/test/collectd/mr5/index.html
4. sandbox password:
http://monitor.hummy.org
http://monitor.hummy.org/server-status
http://monitor.hummy.org/test
http://monitor.hummy.org/test/mrtg/mr6/index.html
http://monitor.hummy.org/test/collectd/mr5/index.html
5. mod_security:
http://www.hummy.org/delete from table
6. Forbidden agents
Request a page as User Agent "libwww-perl"
http://hummy.org
http://hummie.org
http://www.hummy.org
http://humm.org
Check the .auth files are not visible
http://www.hummy.org/.auth.digest.sandbox
http://www.hummy.org/.auth.digest.f1
http://www.hummy.org/test/.auth.digest.sandbox
http://www.hummy.org/f1/.auth.digest.f1
http://monitor.hummy.org/.auth.digest.sandbox
http://monitor.hummy.org/.auth.digest.f1
http://monitor.hummy.org/test/.auth.digest.sandbox
http://monitor.hummy.org/f1/.auth.digest.f1
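The checks in items 5 and 6 and the list of .auth URLs above are easier to repeat after every restart as a script. The one below is an added example, not part of the original runbook: it requests each URL with curl, confirms the digest files are refused, confirms the protected areas now challenge with the Digest scheme rather than Basic, and probes the forbidden User-Agent and the mod_security URL. The URLs and the "libwww-perl" agent are from the page; that the agent block and mod_security answer 403 is an assumption, as is curl being installed and the hostnames resolving from where the script runs.

```shell
#!/bin/sh
# Added post-migration check script (example, not from the runbook).
# Assumptions: curl is installed, the hosts resolve, and both the agent
# block and mod_security answer 403 (the page does not state the codes).

# HTTP status code for a URL; the optional second argument sets the User-Agent.
fetch_status() {
    curl -s -o /dev/null --max-time 15 -A "${2:-post-check/1.0}" \
        -w '%{http_code}' "$1"
}

# Scheme named in the WWW-Authenticate header (Digest, Basic) or empty.
auth_scheme() {
    curl -s -o /dev/null -D - --max-time 15 "$1" | tr -d '\r' |
        awk 'tolower($1) == "www-authenticate:" { print $2; exit }'
}

# Pass when the observed status is one of the space-separated codes in $2.
expect_status() {
    got=$(fetch_status "$1" "$3")
    case " $2 " in
        *" $got "*) echo "PASS $got $1"; return 0;;
    esac
    echo "FAIL want=[$2] got=$got $1"; return 1
}

# The .auth.digest.* files must never be served: 403 from the FilesMatch
# block, or 404 where no such file exists under that path, both count.
check_hidden_files() {
    rc=0
    for u in \
        http://www.hummy.org/.auth.digest.sandbox \
        http://www.hummy.org/.auth.digest.f1 \
        http://www.hummy.org/test/.auth.digest.sandbox \
        http://www.hummy.org/f1/.auth.digest.f1 \
        http://monitor.hummy.org/.auth.digest.sandbox \
        http://monitor.hummy.org/.auth.digest.f1 \
        http://monitor.hummy.org/test/.auth.digest.sandbox \
        http://monitor.hummy.org/f1/.auth.digest.f1
    do
        expect_status "$u" "403 404" || rc=1
    done
    return $rc
}

# Protected areas must challenge with Digest, not the old Basic scheme.
check_digest_challenge() {
    rc=0
    for u in http://www.hummy.org/test/ http://monitor.hummy.org/; do
        scheme=$(auth_scheme "$u")
        if [ "$scheme" = "Digest" ]; then
            echo "PASS Digest $u"
        else
            echo "FAIL want=Digest got='$scheme' $u"; rc=1
        fi
    done
    return $rc
}

# Forbidden User-Agent and mod_security probes (403 assumed for both).
check_blocking() {
    rc=0
    for h in http://hummy.org http://hummie.org http://www.hummy.org http://humm.org; do
        expect_status "$h" 403 libwww-perl || rc=1
    done
    expect_status 'http://www.hummy.org/delete%20from%20table' 403 || rc=1
    return $rc
}

run_post_checks() {
    rc=0
    check_hidden_files || rc=1
    check_digest_challenge || rc=1
    check_blocking || rc=1
    return $rc
}

# Only touch the live hosts when asked to: sh post_checks.sh --run
if [ "${1:-}" = "--run" ]; then
    run_post_checks
fi
```

A non-zero exit from run_post_checks is the signal to go to Rollback 2/2; the PASS/FAIL lines name the URL so the failing Directory or FilesMatch block can be found quickly.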
Notify everybody of the new usernames and passwords (not by email)
Update subversion with the new config files