ARWG 19 March 2003

Present
andrew, beecher, benno, bz32, david, ed2019, marquis, melissa, nlevitt, selsky [wassa]

Agenda
  1. Apache Packages
  2. mod_auth_wd retirement, UDB support termination
  3. Server configurations (1 pool vs n little hosts)
  4. /opt/ACISweb
  5. Web server upgrade, perl consolidation, suexec

Discussion
The following items were discussed, in no particular order:
  • Touch up Apache 1 and Apache 2 packages, for SSL and non-SSL, including documentation and integration with CPP generation of configuration files.
  • lingerd is good, but not if keepalive is on. lingerd needs to be integrated or eliminated. mod_auth_wd support of UDB: udb should be transitioned to .htpasswd, if possible. Big users are IRE, CCS, and LSO.
  • mod_auth_wind vs mod_auth_shib vs basic auth based Apache modules vs locally developed module(s) to be offered back to the Apache project. Anything requiring Basic Auth was eliminated from consideration. Apache 2 support considered essential. (Much discussion of this happened in the bonus hour, see below.)
  • New web servers will be a series of v120s, or possibly SunFires. PHP will be considered like CGI, and so available on primary web servers via a restricted-access directory. All CGIs will run via suexec. Tomcat and any other heavier apps will run on wwwapp servers. All servers will be as identical as possible, including cubmail, except for which servers respond to which names.
  • Audit all AcIS web servers running PHP to make sure PHP is not served from outside the "approved" directories.
  • suexec for "critical" CGIs, e.g. those that store passwords in files readable by www, like switchmgr. Full suexec will wait until the web server upgrade.
  • On the hitlist for server consolidation (alhan is already decommissioned):
    1. oregano to move to newwww
    2. iceberg to use standard package
    3. bianaoh to move to pecan, non-ssl stuff before ssl stuff if pecan httpsd is still not available
    4. doorstop to be decommissioned
    5. kalimera to be decommissioned
  • April certificate dance approaches. pwdserver needs to be moved from ops; wdamb renewals should be planned ASAP to avoid a last-minute rush.
  • /opt/ACISweb cleanup continues.
  • Proposal to meet again eventually.

In addition, a bonus hour was established to discuss mod_auth_wd replacement issues.

  1. .htaccess directives
    1. WD/CLIO directives (going away, eventually)
    2. UDB directives (transition to .htpasswd needs to be planned)
    3. user+group directives: rewrite all .htaccess files or implement old directives in the new module? This may depend on what the new module can handle.
    4. $ENV needs to be maintained.
  2. Logout/UI changes: Basic auth bad, login form (e.g. WIND) not as bad.
  3. Code implementation and maintenance
    1. Apache krb/ldap modules: Do these use basic auth? Do they even exist?
    2. Apache 1 vs 2
  4. Documentation, for end users and for admins.
  5. Do nothing? No, we'll just end up with more security vulnerabilities and no in house expertise.