
[EP-tech] Configuring Azure Web Application Firewall (WAF) for eprints



Hi Francis,

I am a bit puzzled as to why you are still having problems with SELinux 
following the instructions on the wiki page you linked to (which I 
wrote). The following line should have done the trick.

/opt/eprints3/archives/[^/]*/documents(/.*)? unconfined_u:object_r:httpd_sys_rw_content_t:s0

My best advice at this point is to have a look at the SELinux logs 
whilst uploading a file and see what it says:

tail -f /var/log/audit/audit.log

Usually it is fairly straightforward to work out what you need to add to 
eprints.fc. Then you will need to use the redo.sh script to update your 
server's SELinux configuration. It might be worth checking directory 
permissions and ownership more generally. However, I cannot see how this 
would work when SELinux is disabled and not when it is enabled, but if 
your permissions/ownership are a bit off to start with due to SELinux 
being enabled you may need to make some manual changes. Make sure the 
owner and group of the documents directory and subdirectories are owned 
and have the same User and Group as set inside httpd.conf (i.e. apache) 
and that the directory and subdirectories have read, write and execute 
permissions for the user and group, with SetGID bit set for groups, i.e. 
something like:

drwxrwsr-x. 3 eprints eprints 4096 Aug  2  2018 disk0

Regards

David Newman
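
One way to read the audit log mentioned above, as an added example that is not part of the original messages: a POSIX shell and awk summary of AVC denials whose source domain is httpd_t, run over constructed sample records. The function names and the sample lines are assumptions; the write check compares target types against httpd_sys_rw_content_t from the file-context line in the message.

```sh
#!/bin/sh
# Added example: summarise SELinux AVC denials raised against Apache (httpd_t).

# Constructed audit.log records; PIDs, inodes, names and target types are made up.
sample_audit_lines() {
cat <<'EOF'
type=AVC msg=audit(1600000001.101:901): avc:  denied  { write } for  pid=2101 comm="httpd" name="35" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1600000001.101:901): arch=c000003e syscall=83 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1600000002.202:902): avc:  denied  { write } for  pid=2101 comm="httpd" name="35" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1600000003.303:903): avc:  denied  { create } for  pid=2101 comm="httpd" name="example.pdf" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000004.404:904): avc:  denied  { read open } for  pid=3300 comm="sshd" name="key" dev="dm-0" ino=2002 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
EOF
}

# stdin: audit records. stdout: "count perms tclass target_type name" per distinct denial.
summarize_httpd_denials() {
    awk '
    /type=AVC/ && /denied/ {
        perms = ""; name = "-"; stype = ""; ttype = ""; tclass = ""; inbrace = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            # Permissions are the bare words between the braces.
            if (inbrace) { perms = (perms == "" ? $i : perms "," $i); continue }
            if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            # A context is user:role:type:level, so the type is the third part.
            if ($i ~ /^scontext=/) { split($i, s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
        }
        if (stype == "httpd_t") count[perms " " tclass " " ttype " " name]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort
}

# stdin: audit records. stdout: target types that blocked a write-like operation
# and are not the writable type used in the file-context line (httpd_sys_rw_content_t).
write_blocking_types() {
    summarize_httpd_denials | awk '
    ("," $2 ",") ~ /,(write|create|add_name|append|setattr|unlink|rename),/ &&
        $4 != "httpd_sys_rw_content_t" { print $4 }' | LC_ALL=C sort -u
}

sample_audit_lines | summarize_httpd_denials
```

On the server, feed it the live log as root, for example `summarize_httpd_denials < /var/log/audit/audit.log`, and compare the reported target types with the types assigned in eprints.fc.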


On 13/09/2020 17:05, Francis Jayakanth wrote:
> Hi David, Thanks a lot for the prompt reply and for the possible
> solution as well. The solution is bang-on. I created a file,
> ingnore_login_ip.pl, and inserted the statement, $c->{ignore_login_ip}
> = 1; in that file, and restarted the httpd server. The action solved
> the issue of auto log out, but I was still unable to upload a file.
> Apache error log file was complaining about the permission issue:
>
> Failed to mkdir /documents/disk7/00/06/29/35/01: Permission denied
>
> I was quite sure that the above issue was related to SELinux
> configuration. I disabled SELinux, and I am now able to upload files.
>
> I followed the instructions related to changing directory permissions
> and SELinux contexts available here,
> https://wiki.eprints.org/w/EPrints_and_SELinux , and enabled SELinux
> by setting SELINUX=enforcing. Upon enabling SELinux, I'm again able to
> upload file. The Apache error log reports, Unable to write to
> /opt/eprints3/archives/iisceprints/documents/disk7/00/06/29/35/01/baccelli1989.pdf:
> Permission denied
>
> Can you please let me know what else needs to be done.
>
> Btw, everything was working fine before moving Eprints behind the WAF.
>
> Thanks and regards, Francis
>
> On Sat, Sep 12, 2020 at 11:10 PM David R Newman <drn at ecs.soton.ac.uk> wrote:
>> Hi Francis,
>>
>> I don't have any significant knowledge about Azure WAF but EPrints
>> should only require TCP ports 80 and 443 to be open to be fully
>> functional.  (In some configurations only port 443 or 80 need be open).
>> You have tried turning off SELinux which rules out one potential issue.
>> My suspicion is that the Azure WAF might cause the apparent IP address
>> of the connecting user to change between requests.  This would be
>> supported by you saying that you seem to get logged out.  EPrints can be
>> configured to not enforce the IP address being maintained during a
>> session with the following configuration option in a configuration file
>> in your archive's cfg/cfg.d/ directory:
>>
>> $c->{ignore_login_ip} = 1;
>>
>> and then reloading the Apache webserver.  If this does not help it is
>> worth checking the error logs in /var/log/httpd/ to see if there is any
>> obvious problem.  You want to check both error_log and ssl_error_log.
>> It may also be worth checking access_log and ssl_access_log whilst you
>> are attempting to upload files to see if you can find any unexpected
>> HTTP codes in the responses to your requests.
>>
>> Regards
>>
>> David Newman
>>
>> On 12/09/2020 15:23, Francis Jayakanth via Eprints-tech wrote:
>>> Hi, I would like to know if any of you have configured Azure WAF to
>>> run an eprints 3.4 instance? If so, please share your experience in
>>> resolving the issue we are having in configuring WAF for eprints.
>>>
>>> Our network support team has implemented WAF for eprints. After the
>>> WAF implementation, we are unable to upload files of any format into
>>> the repository, and eprints logs out automatically when the uploading
>>> fails.
>>>
>>> For the sake of testing, we even tried turning off SELinux, but it doesn't help.
>>>
>>> We are running eprints version 3.4.1 eps on Centos 7
>>>
>>> I would greatly appreciate it if someone guides me in resolving the issue.
>>>
>>> Thanks and regards, Francis
>>> *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
>>> *** Archive: http://www.eprints.org/tech.php/
>>> *** EPrints community wiki: http://wiki.eprints.org/