esgf / apache-frontend Goto Github PK

I'm working on a data-node on Centos7 with esgf 2.6.7.
This release change the apache frontend from esgf-httpd service (using old init.d) to httpd (over systemd)
using /etc/sysconfig/httpd config file.
But the systemd script goes into timeout, so do not start :

mars 23 07:46:32 esg1.umr-cnrm.fr systemd[1]: Ignoring invalid environment assignment 'export LD_LIBRARY_PATH=/opt/esgf/python/lib:/opt/esgf/python/lib/python2.7:/opt/esgf/python/lib/python2.7/site-packages/mod_wsgi/server': /etc/sysconfig/httpd
mars 23 07:46:32 esg1.umr-cnrm.fr systemd[1]: Starting The Apache HTTP Server...
mars 23 07:48:02 esg1.umr-cnrm.fr systemd[1]: httpd.service start operation timed out. Terminating.
mars 23 07:48:17 esg1.umr-cnrm.fr apache[696]: 127.0.0.1 - - [23/Mar/2018:07:48:17 +0000] "GET / HTTP/1.1" 302 202
mars 23 07:49:32 esg1.umr-cnrm.fr systemd[1]: httpd.service stop-final-sigterm timed out. Killing.
mars 23 07:49:32 esg1.umr-cnrm.fr systemd[1]: httpd.service: main process exited, code=killed, status=9/KILL
mars 23 07:49:32 esg1.umr-cnrm.fr systemd[1]: Failed to start The Apache HTTP Server.
mars 23 07:49:32 esg1.umr-cnrm.fr systemd[1]: Unit httpd.service entered failed state.
mars 23 07:49:32 esg1.umr-cnrm.fr systemd[1]: httpd.service failed.

to fix the problem, I had to patch the /lib/systemd/system/httpd.service :
8c8,9
< Type=notify

#Type=notify
Type=forking
10c11,12
< ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND

#ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecStart=/usr/sbin/httpd $OPTIONS

I had a look at systemd logs after 2.6.5 upgrade on a data-node ( in centos 7)
and I have error messages such

mars 09 09:54:16 esg1.umr-cnrm.fr systemd[1]: Ignoring invalid environment assignment 'export LD_LIBRARY_PATH=/opt/esgf/python/lib:/opt/esgf/python/lib/python2.7:/opt/esgf/python/lib/python2.7/site-packages/...

the problem comes from /etc/init.d/esgf-httpd. I do not understand why apache needs a python configuration

The NOAA security scan has identified a vulnerability in the ability of browser to "sniff" the mime type of the content served by CoG. We should set the header:
X-Content-Type-Options nosniff
which is at least followed by IE and Chrome.

The Solr master is hidden behind the firewall on port 8984, but the apache httpd module forwards requests from port 80 to the slave on port 8983, which should be secured.

The httpd front-end should set the HSTS (HTTP Strict Transport Security) header in all SSL requests.

The proxied apps and mod_wsgi entries should support only whichever components get deployed. This at first will conform to node type options. Eg. CoG on index (for now), SLCS on IdP. esgf-nm on registry-supporting nodes (most data-nodes should have this).

This issue is a feature request for the 3.x effort. (long term goal).

Remove CoG from the setup, replace with a static page (used to be old node manager diagram)

The solution for this probably means refactoring the apache setup template into something more modular, so the CoG site is only added when CoG is installed

Hi,

We should probably have a data only node specific config for apache or we will find these errors in the log:

Target WSGI script not found or unable to stat: /usr/local/cog

Currently the httpd configuration includes a Flask demo application, which has been flagged by the NOAA security scan for removal.