Documentation

Difference between revisions of "Webserver changes summer 2016"

(What will change?)
 
(15 intermediate revisions by one other user not shown)
Line 1: Line 1:
This page lists the changes to the webservers of ULYSSIS in the summer of 2015, and how you can prepare for it. If any of these
+
This page lists the changes to the webservers of ULYSSIS in the summer of 2016, and how you can prepare for it. If any of these
 
instructions are not clear to you, or if you have some more questions about the change, '''don't hesitate to e-mail us at [mailto:ulyssis@ulyssis.org ulyssis@ulyssis.org]'''.
 
instructions are not clear to you, or if you have some more questions about the change, '''don't hesitate to e-mail us at [mailto:ulyssis@ulyssis.org ulyssis@ulyssis.org]'''.
  
 
= When are the changes planned? =
 
= When are the changes planned? =
  
The exact date will still be announced, but are currently planned for the last weekend of July: there will be a downtime
+
The change will be in effect after the downtime on '''June 25 and 26''' when we upgrade all of our servers. After that, we will use the new webserver configuration.
on '''July 25 and 26''' when we upgrade all of our servers. After that, we will use the new webserver configuration.
 
  
 
= How can I test if my site will still work? =
 
= How can I test if my site will still work? =
 +
 +
'''Beware, PHP 7.0 has already been deployed. The PHP 7.0 test server has now been configured to be a temporary PHP 5.5 server to help those who did not update their website in time. Please refer to [[Temporary PHP 5.5 server]] for more information'''
  
 
Our new webservers can be directly accessed at the IP address <code>193.190.253.243</code>. You can see if your site still works on the new servers by changing your hosts file.
 
Our new webservers can be directly accessed at the IP address <code>193.190.253.243</code>. You can see if your site still works on the new servers by changing your hosts file.
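Review bot: The added banner says PHP 7.0 has already been deployed and that the test server now runs PHP 5.5, yet the unchanged paragraph right below it still tells readers to test against the "new webservers" at 193.190.253.243, and the rewritten date sentence is still in the future tense ("will be in effect"). State which PHP version that address serves now, or point readers to the Temporary PHP 5.5 server page instead, and put the date sentence in the past tense. The banner sentence also lacks its closing full stop.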
Line 34: Line 35:
 
The most important changes are the following, click on them or scroll down for more info:
 
The most important changes are the following, click on them or scroll down for more info:
  
# [[#PHP_moving_from_5.3_to_5.5|The '''PHP''' version will change from 5.5 to '''7.0''']]
+
# [[#PHP_moving_from_5.5_to_7.0|The '''PHP''' version will change from 5.5 to '''7.0''']]
 
# The OS will be upgraded from '''Ubuntu''' 14.04 to '''16.04'''
 
# The OS will be upgraded from '''Ubuntu''' 14.04 to '''16.04'''
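Review bot: The list intro promises "click on them or scroll down for more info", but only the PHP item is linked; the Ubuntu 14.04 to 16.04 item has no anchor and no section of its own. Either add a short section on what the OS upgrade changes for users, or drop the promise for that item.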
  
Line 40: Line 41:
 
just work.
 
just work.
  
= Multiple servers + load balancer =
+
= PHP moving from 5.5 to 7.0 =
 
 
If you use a common CMS, like Wordpress or Drupal, this will usually pose no issues. Any changes to files within your home directory (and your www directory) are
 
already automatically updated on all of our servers. Your files are actually located on a single server, and we use NFS on all of our other servers to access it.
 
 
 
Make sure that none of the software you wrote yourself relies on having everything on a single server. This could be the case if you put files in <code>/tmp</code>,
 
that you then access from another user session, or such. You are discouraged to put temporary files in <code>/tmp</code>, and should prefer to put those in a folder
 
within your home directory.
 
 
 
== Log format change ==
 
 
 
The logs in <code>/var/log/apache_user</code> used to be in so-called NCSA combined log format. In the new webserver configuration, we've added two extra fields: a unique id for the request, and the name of the webserver. For example, if you have a log message like:
 
 
 
94.226.69.174 - - [08/Jun/2014:20:23:18 +0200] "GET /sdfds HTTP/1.1" 404 404 "-"
 
  "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0" U5SqFsCoAI0AAGnQH3MAAAAA bc1
 
 
 
Then <code>U5SqFsCoAI0AAGnQH3MAAAAA</code> is the unique request id, and <code>bc1</code> is the webserver. You can use the unique id to easily find the accompanying log message in the error log. The error log will contain <code>[R:U5SqFsCoAI0AAGnQH3MAAAAA]</code> and <code>[H:bc1]</code>.
 
 
 
If you use a log processing tool, make sure that you change its configuration, so that it can handle this change. For AWStats, you can use:
 
 
 
%host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot %other %other
 
 
 
Note that the date and time of log messages may be out of order, because the logs come from different webservers. AWStats can deal with this, but other log processing tools might not.
 
 
 
= PHP moving from 5.3 to 5.5 =
 
 
 
On the new webservers, the PHP version is 5.5, whereas on the old webserver, this was 5.3.
 
 
 
On the php.net website, there are lists of the most important changes [http://www.php.net/manual/en/migration54.changes.php from 5.3 to 5.4],
 
and [http://www.php.net/manual/en/migration55.changes.php from 5.4 to 5.5].
 
 
 
Notably, '''magic quotes''' and '''register_globals''' are '''removed''': these features have been deprecated for a long time, and had been disabled by default on our webserver. If you have turned on these features, change your code to not rely on them. If you use an up-to-date CMS or framework, it should already not rely on magic quotes, or register_globals.
 
 
 
= mod_php to PHP-FPM =
 
 
 
== Things that may or may not break ==
 
 
 
If you use an old version of TYPO3, this will stop working, because it explicitly checks for how PHP is provided, but doesn't know about PHP-FPM. Make sure you update to a recent, supported, version.
 
 
 
<code>php_value</code> and <code>php_flag</code> instructions in <code>.htaccess</code> files are normally only available when using <code>mod_php</code>, but we use the <code>htscanner</code> module so that these are still supported, so don't worry about those: they shouldn't break.
 
 
 
 
 
== More security ==
 
 
 
With PHP-FPM, you can make your PHP code more secure. '''After''' the switch you can make the following changes.
 
 
 
PHP code used to be executed using <code>mod_php</code>, and run as the <code>www-data</code> user. This will now change: PHP code will run using PHP-FPM and as your ULYSSIS user. '''This is an opportunity to tighten up your website's security''': the user <code>www-data</code> no longer needs to be able to read <code>.php</code> files, it only needs to know that these files exist. This means that any PHP files have to be only readable by you. This also means that in order to be able to create files inside of a directory, that directory only has to be writeable by you.
 
 
 
=== Securing database login info ===
 
 
 
Suppose you have a file called <code>config.php</code>, containing login information for your database. To secure this information, you can make it readable and writeable by only you, and nobody else using <code>chmod 600 config.php</code>. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:
 
 
 
[[File:config-php_dropdown.png]]
 
[[File:config-php_attrs.png]]
 
 
 
=== Securing uploads directory ===
 
 
 
Also, if there are directories that you made writeable by others, e.g. an uploads folder, this is no longer necessary. If this directory is called <code>uploads</code>, you can remove write rights for others with <code>chmod go-w uploads</code>. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:
 
 
 
[[File:uploads_dropdown.png]]
 
[[File:uploads_attrs.png]]
 
 
 
== Changed behaviour of the mail() function ==
 
 
 
As noted earlier, PHP is now executed as your user instead of <code>www-data</code>. This also has the effect that by default email sent using the mail() function will come from <code>username@ulyssis.org</code> (where username is your username) instead of <code>www-data@ulyssis.org</code>. This also means that all bounces caused by emailing to an non-existing or unavailable address will now arrive in your ULYSSIS account.
 
  
= Apache from 2.2 to 2.4 =
+
On the new webservers, the PHP version is 7.0, whereas on the old webserver, this was 5.5.
  
Notably, the old <code>Order</code>, <code>Deny</code> and <code>Allow</code> directives are removed. However, we use the <code>mod_access_compat</code> module to continue to provide these directives. You are however encouraged to switch to the new auth directives. Consult the [http://httpd.apache.org/docs/2.4/howto/auth.html Apache documentation] for more information.
+
On the php.net website, there are lists of the most important changes [http://php.net/manual/en/migration56.php from 5.5 to 5.6],
 +
and [http://php.net/manual/en/migration70.php from 5.6 to 7.0].
  
<b>To faculty organisations: If your website uses the Centrale KULeuven Login, you will have to add <code>ShibDisable Off</code> to your <code>.htaccess</code> file.</b> We have to disable Shibboleth by default, because it inferferes with regular file-based basic authentication.
+
Notably, php_mysql has been removed. Instead use the [http://php.net/manual/en/book.mysqli.php php_msqli] or the [http://php.net/manual/en/ref.pdo-mysql.php PDO_MySQL] extension. If you use a common CMS, like Wordpress or Drupal, that has been updated to its latest version, this will usually pose no issues.
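Review bot: In the added php_mysql sentence the link label reads "php_msqli" while its target is book.mysqli.php; the label should spell "mysqli". The same hunk also replaces the sections on PHP-FPM file permissions (chmod 600 config.php, chmod go-w uploads), the log format, mail() and Apache 2.4 with three sentences. If that guidance still applies to the current servers, move it to a permanent page and link it from here rather than deleting it.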

Latest revision as of 03:12, 6 July 2016

This page lists the changes to the webservers of ULYSSIS in the summer of 2016, and how you can prepare for them. If any of these instructions are not clear to you, or if you have more questions about the change, don't hesitate to e-mail us at ulyssis@ulyssis.org.

When are the changes planned?

The change will be in effect after the downtime on June 25 and 26 when we upgrade all of our servers. After that, we will use the new webserver configuration.

How can I test if my site will still work?

Beware, PHP 7.0 has already been deployed. The PHP 7.0 test server has now been configured to be a temporary PHP 5.5 server to help those who did not update their website in time. Please refer to Temporary PHP 5.5 server for more information.

Our new webservers can be directly accessed at the IP address 193.190.253.243. You can see if your site still works on the new servers by changing your hosts file.

Where is the hosts file?

On Windows: if Windows is installed in C:\Windows (the default), this will be C:\Windows\System32\drivers\etc\hosts.

On Mac OS X: /private/etc/hosts.

On Linux: /etc/hosts.

How should I change the hosts file?

If your website is at username.ulyssis.be and username.studentenweb.org, then you can test if it works by adding the following line to your hosts file:

193.190.253.243 username.ulyssis.be username.studentenweb.org

Make sure that you remove these changes when you're done testing.

If any issues crop up, you can check the logs at /var/log/new_apache_user/username (where username is your username) for hints on what went wrong. Don't worry if you don't find your username listed in the directory /var/log/new_apache_user, it will appear automatically when you enter it. If you found a problem that you can't fix yourself, please do e-mail us at ulyssis@ulyssis.org. We'd like the transfer to go smoothly for all of our users.

What will change?

The most important changes are the following; click on them or scroll down for more info:

  1. The PHP version will change from 5.5 to 7.0
  2. The OS will be upgraded from Ubuntu 14.04 to 16.04

If you stuck to best practices when working with PHP, and if you have kept everything up to date, your website will in most cases just work.

PHP moving from 5.5 to 7.0

On the new webservers, the PHP version is 7.0, whereas on the old webserver, this was 5.5.

On the php.net website, there are lists of the most important changes from 5.5 to 5.6, and from 5.6 to 7.0.

Notably, php_mysql has been removed. Instead, use the php_mysqli or the PDO_MySQL extension. If you use a common CMS, like WordPress or Drupal, that has been updated to its latest version, this will usually pose no issues.
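To find out whether code you wrote yourself still calls the removed php_mysql functions, you can scan your www directory before testing. The script below is an added example, not a ULYSSIS tool: the function names, the file suffixes it checks and the sample files are assumptions made for illustration, and it only skips whole-line comments.

```python
import re
import tempfile
from pathlib import Path

# Calls into the removed ext/mysql API (mysql_connect, mysql_query, ...).
# "mysqli_" never matches because of the extra "i"; the lookbehind skips
# methods ($db->mysql_query) and longer names such as my_mysql_query.
REMOVED_CALL = re.compile(r"(?<![\w>$:])(mysql_[a-z_]+)\s*\(", re.IGNORECASE)
PHP_SUFFIXES = {".php", ".inc", ".phtml"}  # assumed set of PHP source suffixes
COMMENT_PREFIXES = ("//", "#", "*", "/*")  # heuristic: whole-line comments only

# Constructed sample site, not taken from any real account.
SAMPLE_SITE = {
    "legacy.php": "<?php\n$link = mysql_connect('localhost', 'u', 'p');\n"
                  "// mysql_query() is only mentioned in this comment\n"
                  "$res = mysql_query('SELECT 1', $link);\n",
    "modern.php": "<?php\n$db = mysqli_connect('localhost', 'u', 'p');\n",
    "lib/helper.inc": "<?php\nif (!MySQL_Select_DB('site')) { exit; }\n",
}

def find_removed_mysql_calls(root):
    """Return sorted (relative path, line number, function) tuples."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            if line.lstrip().startswith(COMMENT_PREFIXES):
                continue
            for match in REMOVED_CALL.finditer(line):
                # PHP function names are case-insensitive, so normalise them.
                findings.append((rel, lineno, match.group(1).lower()))
    return sorted(findings)

def scan_sample_site():
    """Write SAMPLE_SITE to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, source in SAMPLE_SITE.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(source, encoding="utf-8")
        return find_removed_mysql_calls(tmp)

if __name__ == "__main__":
    for rel, lineno, func in scan_sample_site():
        print(f"{rel}:{lineno}: {func}() was removed in PHP 7.0")
```

To check your own site, call find_removed_mysql_calls() with the path of your www directory instead of the sample.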