
Difference between revisions of "Webserver changes summer 2020"

Line 26: Line 26:
  
 
=== Client IP address ===
 
=== Client IP address ===
Currently, the [[Getting Apache logs|Apache logs]] only show the proper client IP when unencrypted traffic is used (no HTTPS). When using HTTPS, the client IP is logged as 193.190.253.234, the IP address of our loadbalancer. During the maintenance, we will make the required changes to ensure that the logged IP adres will be the clients IP adres, even if HTTPS is used. Additionally, this will improve the effectiveness of the brute-force detection in place on our webservers for Wordpress installations. For more information, see [[ULYSSIS security measures#CMSs and other popular software|ULYSSIS security measures]].
+
Currently, the [[Getting Apache logs|Apache logs]] only show the proper client IP when unencrypted traffic is used (no HTTPS). When using HTTPS, the client IP is logged as 193.190.253.234, the IP address of our loadbalancer. During the maintenance, we will make the required changes to ensure that the logged IP address will be the client's IP address, even if HTTPS is used. Additionally, this will improve the effectiveness of the brute-force detection in place on our webservers for WordPress installations. For more information, see [[ULYSSIS security measures#CMSs and other popular software|ULYSSIS security measures]].

Revision as of 01:37, 9 July 2020

This page lists the changes to the webservers of ULYSSIS in the summer of 2020, and how you can prepare for them. If any of these instructions are not clear to you, or if you have more questions about the changes, don't hesitate to e-mail us at ulyssis@ulyssis.org.

When are the changes planned?

The changes will be in effect after the downtime in September when we upgrade all of our servers. The exact date has not yet been decided. We will contact our users once it has. After that, we will use the new webserver configuration.

What will change?

We will upgrade the Ubuntu release on our servers from 18.04 LTS to 20.04 LTS. This will include newer versions of many services. An overview of the most important version changes can be found below. For other services/packages, one can always use the Ubuntu Package Search. The distribution name for Ubuntu 20.04 LTS is "focal".

  • PHP will be updated from 7.2 to 7.4
  • PostgreSQL will be updated from 10 to 12
  • MariaDB (MySQL) will be updated from 10.1.44 to 10.3.22
  • Python will be updated from 3.6 to 3.8

Note that any existing Python virtual environments in use will need to be recreated in order to function properly.

Additionally, we will make use of the maintenance window to change certain aspects of our services. Notably, we will no longer support the use of php_flag and php_value in .htaccess files. Instead, users are advised to use .user.ini files. More details regarding the changes can be found in the remainder of this page.

Support for php_flag and php_value

The use of php_flag and php_value in .htaccess, as described in older versions of Managing PHP errors and Setting PHP options, will no longer be supported. If you have added these options, you will have to remove them and migrate them to a .user.ini file. The current versions of these pages (Managing PHP errors and Setting PHP options) explain how one can do this. Note that if the options are inside a block that checks for the existence of a specific version of mod_php, then this will not cause an error. This is the case for many CMSs.
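To find the lines that need migrating, the following added example (not ULYSSIS's own tooling) scans an .htaccess file for php_flag and php_value directives outside a mod_php `<IfModule>` guard and prints the equivalent .user.ini lines. It assumes mod_php is not loaded after the change, so a negated guard such as `<IfModule !mod_php7.c>` is treated as unguarded; the function names and sample file are constructed for illustration.

```python
import re
import shlex

# <IfModule mod_php7.c> or <IfModule php7_module>; a leading "!" does not match
PHP_GUARD = re.compile(r"^(mod_php\d*\.c|php\d*_module)$", re.I)
OPEN_TAG = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")
CLOSE_TAG = re.compile(r"^</\s*\w+\s*>$")
# Constructed sample .htaccess, not taken from any real site
SAMPLE = """\
php_flag display_errors off
php_value error_log "/home/user/php errors.log"
<IfModule mod_php7.c>
    php_value upload_max_filesize 64M
</IfModule>
<IfModule !mod_php7.c>
    PHP_Value memory_limit 256M
</IfModule>
"""

def find_unguarded(text):
    """List php_flag/php_value lines not inside an <IfModule> that tests for mod_php."""
    stack, hits = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE_TAG.match(line):
            del stack[-1:]  # tolerate a stray closing tag
            continue
        if m := OPEN_TAG.match(line):  # remember whether this container is a mod_php guard
            stack.append(m.group(1).lower() == "ifmodule" and bool(PHP_GUARD.match(m.group(2))))
            continue
        word = line.split(None, 1)[0].lower()  # Apache directive names are case-insensitive
        if word in ("php_flag", "php_value") and not any(stack):
            parts = shlex.split(line)  # honours double-quoted arguments
            if len(parts) == 3:
                hits.append((no, word, parts[1], parts[2]))
    return hits

def to_user_ini(hits):
    """Render findings as .user.ini lines, quoting values that are not plain tokens."""
    lines = []
    for _, directive, name, value in hits:
        plain = directive == "php_flag" or re.fullmatch(r"[\w.-]+", value)
        lines.append(f"{name} = {value}" if plain else f'{name} = "{value}"')
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_user_ini(find_unguarded(SAMPLE)))
```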

Basic Auth in PHP and FCGI scripts

When using Basic authentication on a PHP or FCGI script, it was necessary to apply a workaround. This will no longer be needed in the future as the Authorization header will be passed by default to the script. This behavior can be disabled using the CGIPassAuth directive. For more details see https://httpd.apache.org/docs/current/en/mod/core.html#cgipassauth.

Client IP address

Currently, the Apache logs only show the proper client IP when unencrypted traffic is used (no HTTPS). When using HTTPS, the client IP is logged as 193.190.253.234, the IP address of our loadbalancer. During the maintenance, we will make the required changes to ensure that the logged IP address will be the client's IP address, even if HTTPS is used. Additionally, this will improve the effectiveness of the brute-force detection in place on our webservers for WordPress installations. For more information, see ULYSSIS security measures.