Webserver changes summer 2020: Difference between revisions

From ULYSSIS documentation
No edit summary
 
(10 intermediate revisions by 2 users not shown)
Line 1: Line 1:
This page lists the changes to the webservers of ULYSSIS in the summer of 2020, and how you can prepare for it. If any of these
This page lists the changes to the webservers of ULYSSIS in the summer of 2020, and how you can prepare for it. If any of these
instructions are not clear to you, or if you have some more questions about the change, '''don't hesitate to e-mail us at [mailto:ulyssis@ulyssis.org ulyssis@ulyssis.org]'''.
instructions are not clear to you, or if you have some more questions about the changes, '''don't hesitate to e-mail us at [mailto:ulyssis@ulyssis.org ulyssis@ulyssis.org]'''.


= When are the changes planned? =
== When are the changes planned? ==


The change will be in effect after the downtime in september when we upgrade all of our servers. The exact date has not yet been decided. We will contact our users once it has. After that, we will use the new webserver configuration.
The changes will be in effect after the downtime in September when we upgrade all of our servers. The exact date has not yet been decided. We will contact our users once it has. After that, we will use the new webserver configuration.


= What will change? =
== What will change? ==


We will upgrade the Ubuntu release on our servers from 18.04 LTS to 20.04 LTS. This will include newer version of many services. An overview of the most important version changes can be found below. For other services/packages, one can always use the [https://packages.ubuntu.com/ Ubuntu Package Search]. The distribution name for Ubuntu 20.04 LTS is "focal".
We will upgrade the Ubuntu release on our servers from 18.04 LTS to 20.04 LTS. This will include newer version of many services. An overview of the most important version changes can be found below. For other services/packages, you can always use the [https://packages.ubuntu.com/ Ubuntu Package Search]. The distribution name for Ubuntu 20.04 LTS is "focal".


* PHP will be updated from 7.2 to 7.4
* PHP will be updated from 7.2 to 7.4
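Review bot: In the "What will change?" paragraph, the new revision still reads "This will include newer version of many services"; since that line is already being touched for the "one can" to "you can" change, it should also become "newer versions of many services". The intro has the same kind of leftover: "lists the changes ... and how you can prepare for it" should end in "prepare for them" now that the following sentence was switched to the plural "changes".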
Line 19: Line 19:
Additionally, we will make use of the maintenance window to change certain aspects of our services. Notably, we will no longer support the user of <code>php_flag</code> and <code>php_value</code> in <code>.htaccess</code> files. Instead, users are advised to use <code>.user.ini</code> files. More details regarding the changes can be found on the remainder of this page.
Additionally, we will make use of the maintenance window to change certain aspects of our services. Notably, we will no longer support the user of <code>php_flag</code> and <code>php_value</code> in <code>.htaccess</code> files. Instead, users are advised to use <code>.user.ini</code> files. More details regarding the changes can be found on the remainder of this page.


== Support for <code>php_flag</code> and <code>php_value</code> ==
=== Support for <code>php_flag</code> and <code>php_value</code> ===
Support for <code>php_flag</code> and <code>php_value</code> in <code>.htaccess</code> as described in older versions of [[Special:PermanentLink/714|Managing PHP errors]] and [[Special:PermanentLink/715|Setting PHP options]] will no longer be supported. If you have added these options, you will have to remove them and migrate them to a <code>.user.ini</code> file. The current versions of these pages ([[Managing PHP errors]] and [[Setting PHP options]]) explain how one can do this.  Note that if the the options are inside a block that checks for the existence of a specific version of <code>mod_php</code>, then this will not cause an error. This is the case for many CMSs.
{{info|To help users trying to find out if their accounts still contain problematic cases of php_flag and php_value, we've introduced a [https://docs.ulyssis.org/summer2020tool/ simple tool] that tries to automatically check all .htaccess files that are in use.}}
Support for <code>php_flag</code> and <code>php_value</code> in <code>.htaccess</code> as described in older versions of [[Special:PermanentLink/714|Managing PHP errors]] and [[Special:PermanentLink/715|Setting PHP options]] will no longer be supported. If you have added these options, you will have to remove them and migrate them to a <code>.user.ini</code> file. The current versions of these pages ([[Managing PHP errors]] and [[Setting PHP options]]) explain how you can do this.  Note that if the options are inside a block that checks for the existence of a specific version of <code>mod_php</code>, then this will not cause an error. This is the case for many CMSs.


== Basic Auth in PHP and FCGI scripts ==
=== Basic Auth in PHP and FCGI scripts ===
When using Basic authentication on a PHP or FCGI script, it was necessary to apply a [[Basic authentication|workaround]]. This will no longer be needed in the future as the Authorization header will be passed by default to the script. This behavior can be disabled using the CGIPassAuth directive. For more details see https://httpd.apache.org/docs/current/en/mod/core.html#cgipassauth .
When using Basic authentication on a PHP or FCGI script, it was necessary to apply a [[Basic authentication|workaround]]. This will no longer be needed in the future as the Authorization header will be passed by default to the script. This behavior can be disabled using the CGIPassAuth directive. For more details see https://httpd.apache.org/docs/current/en/mod/core.html#cgipassauth .


== Client IP address ==
=== Client IP address ===
Currently, the [[Getting Apache logs|Apache logs]] only show the proper client IP when unencrypted traffic is used (no HTTPS). When using HTTPS, the client IP is logged as 193.190.253.234, the IP address of our loadbalancer. During the maintenance, we will make the required changes to ensure that the logged IP adres will be the clients IP adres, even if HTTPS is used. Additionally, this will improve the effectiveness of the brute-force detection in place on our webservers for Wordpress installations. For more information, see [[ULYSSIS security measures#CMSs and other popular software|ULYSSIS security measures]].
Currently, the [[Getting Apache logs|Apache logs]] only show the proper client IP when unencrypted traffic is used (no HTTPS). When using HTTPS, the client IP is logged as 193.190.253.234, the IP address of our loadbalancer. During the maintenance, we will make the required changes to ensure that the logged IP address will be the client's IP address, even if HTTPS is used. Additionally, this will improve the effectiveness of the brute-force detection in place on our webservers for WordPress installations. For more information, see [[ULYSSIS security measures#CMSs and other popular software|ULYSSIS security measures]].
 
[[Category:Webserver]]
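Review bot: The paragraph that introduces the <code>.htaccess</code> change is carried over unchanged and still says "we will no longer support the user of php_flag and php_value"; this should read "the use of". The rewritten paragraph under "Support for php_flag and php_value" also keeps the circular opening "Support for ... will no longer be supported"; something like "Setting php_flag and php_value in .htaccess ... will no longer be supported" reads more cleanly.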

Latest revision as of 11:32, 21 December 2020

This page lists the changes to the webservers of ULYSSIS in the summer of 2020, and how you can prepare for them. If any of these instructions are not clear to you, or if you have some more questions about the changes, don't hesitate to e-mail us at ulyssis@ulyssis.org.

When are the changes planned?

The changes will be in effect after the downtime in September when we upgrade all of our servers. The exact date has not yet been decided. We will contact our users once it has. After that, we will use the new webserver configuration.

What will change?

We will upgrade the Ubuntu release on our servers from 18.04 LTS to 20.04 LTS. This will include newer versions of many services. An overview of the most important version changes can be found below. For other services/packages, you can always use the Ubuntu Package Search. The distribution name for Ubuntu 20.04 LTS is "focal".

  • PHP will be updated from 7.2 to 7.4
  • PostgreSQL will be updated from 10 to 12
  • MariaDB (MySQL) will be updated from 10.1.44 to 10.3.22
  • Python will be updated from 3.6 to 3.8

Note that any existing Python virtual environments in use will need to be recreated in order to function properly.

Additionally, we will make use of the maintenance window to change certain aspects of our services. Notably, we will no longer support the use of php_flag and php_value in .htaccess files. Instead, users are advised to use .user.ini files. More details regarding the changes can be found on the remainder of this page.

Support for php_flag and php_value

To help users trying to find out if their accounts still contain problematic cases of php_flag and php_value, we've introduced a simple tool that tries to automatically check all .htaccess files that are in use.


Setting php_flag and php_value in .htaccess, as described in older versions of Managing PHP errors and Setting PHP options, will no longer be supported. If you have added these options, you will have to remove them and migrate them to a .user.ini file. The current versions of these pages (Managing PHP errors and Setting PHP options) explain how you can do this. Note that if the options are inside a block that checks for the existence of a specific version of mod_php, then this will not cause an error. This is the case for many CMSs.
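The check and migration described above can be sketched as follows. This is an added example, not the ULYSSIS tool or its code: it reports php_flag and php_value lines that sit outside a mod_php guard and prints the equivalent .user.ini line for each. The function names and the sample file are constructed for illustration.

```python
import re

# php_flag / php_value directives as written in .htaccess for mod_php
DIRECTIVE = re.compile(r'^\s*(php_flag|php_value)\s+(\S+)\s+(.*?)\s*$', re.I)
IF_OPEN = re.compile(r'^\s*<IfModule\s+(!?)\s*"?([^">\s]+)"?\s*>', re.I)
IF_CLOSE = re.compile(r'^\s*</IfModule\s*>', re.I)

def to_user_ini(kind, name, value):
    """Rewrite one directive as a .user.ini line."""
    if kind.lower() == 'php_flag':
        value = 'On' if value.lower() in ('on', '1') else 'Off'
    elif not re.fullmatch(r'[\w.-]+|".*"', value):
        value = '"%s"' % value  # quote paths and other non-trivial strings
    return '%s = %s' % (name, value)

def scan_htaccess(text):
    """Return [(line_no, user_ini_line)] for directives outside a mod_php guard."""
    findings, guards = [], []  # guards: one bool per open <IfModule>
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        m = IF_OPEN.match(line)
        if m:
            # "<IfModule !mod_php7.c>" is the opposite test, so it does not guard
            guards.append(not m.group(1) and 'php' in m.group(2).lower())
        elif IF_CLOSE.match(line):
            if guards:
                guards.pop()
        else:
            m = DIRECTIVE.match(line)
            if m and not any(guards):
                findings.append((no, to_user_ini(*m.groups())))
    return findings

# Constructed sample .htaccess (not taken from a real account)
SAMPLE = """\
php_flag display_errors on
<IfModule mod_php7.c>
    php_value memory_limit 256M
</IfModule>
php_value error_log /home/example/php_errors.log
<IfModule !mod_php7.c>
    php_value upload_max_filesize 64M
</IfModule>
"""

if __name__ == '__main__':
    for no, ini in scan_htaccess(SAMPLE):
        print('line %d -> %s' % (no, ini))
```

The negated guard on the last block is the case most easily missed: its contents are read exactly when mod_php is absent, so the directive inside it needs migrating too.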

Basic Auth in PHP and FCGI scripts

When using Basic authentication on a PHP or FCGI script, it was necessary to apply a workaround. This will no longer be needed in the future as the Authorization header will be passed by default to the script. This behavior can be disabled using the CGIPassAuth directive. For more details see https://httpd.apache.org/docs/current/en/mod/core.html#cgipassauth .

Client IP address

Currently, the Apache logs only show the proper client IP when unencrypted traffic is used (no HTTPS). When using HTTPS, the client IP is logged as 193.190.253.234, the IP address of our load balancer. During the maintenance, we will make the required changes to ensure that the logged IP address will be the client's IP address, even if HTTPS is used. Additionally, this will improve the effectiveness of the brute-force detection in place on our webservers for WordPress installations. For more information, see ULYSSIS security measures.
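Why the logged address matters for brute-force detection, as an added example that is not ULYSSIS's detection code: a per-IP counter of WordPress login POSTs run over the same constructed traffic, once with every HTTPS request logged under the load balancer address and once with the client address. The counter, the threshold of 5 and the sample addresses are assumptions.

```python
import re
from collections import Counter

LB_IP = "193.190.253.234"  # load balancer address given on this page

# Apache common/combined log prefix: client IP, identity, user, [time], "request"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')

def login_posts_per_ip(lines):
    """Count POST requests to wp-login.php per logged client IP."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            counts[ip] += 1
    return counts

def flag_sources(lines, threshold):
    """Logged IPs with at least `threshold` login POSTs (hypothetical threshold)."""
    counts = login_posts_per_ip(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def make_log(events, mask_with=None):
    """Build constructed log lines; mask_with simulates logging the proxy IP."""
    tmpl = ('{ip} - - [01/Sep/2020:10:00:{s:02d} +0200] '
            '"POST /wp-login.php HTTP/1.1" 200 512')
    return [tmpl.format(ip=mask_with or ip, s=i) for i, ip in enumerate(events)]

# Constructed traffic: one source repeating logins, two users logging in once.
EVENTS = ["203.0.113.7"] * 6 + ["198.51.100.20", "198.51.100.21"]

BEFORE = make_log(EVENTS, mask_with=LB_IP)  # HTTPS as logged before the change
AFTER = make_log(EVENTS)                    # client IP logged after the change

if __name__ == "__main__":
    print("before:", flag_sources(BEFORE, 5))  # only the load balancer is visible
    print("after: ", flag_sources(AFTER, 5))   # the repeating source stands out
```

With the masked log the only address that can be flagged is the load balancer itself, which would affect every HTTPS visitor; with client addresses the repeating source is singled out and the two ordinary logins are left alone.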