impelement itk plus mode

itk plus mode is an additional mode to deploy itk based hostings
which should be a bit more performant. The idea is that we have
two apache-instances running:

 A) prefork based, listening on the external interface
 B) itk based, listening on the loopback interface

A) will serve all static webpages, as well as possibly serve all static
   content of dynamic websites. All requests to dynamic content will be
   redirected to B). The idea is that A) doesn't load any modules to server
   dynamic content at all.
B) will serve all the dynamic scripts of a vhost.

This will mean that for vhosts (static ones) as well as static content (all
none dynamic scripts) we can benefit from the fast prefork model, while we
can use itk's security model for all the dynamic scripts.

There are two new additional run_modes:

- proxy-itk: this just passes all requests to apache instance B). This one
             is similar to plain itk based mode and should be used for vhosts
             that shouldn't (yet) changed to the mixed mode.
- static-itk: this passes only requests to dynamic scripts to B) while all
              static content is served by A). Beware that the user with which
              A) is running should be member of the run group of B) and all
              static files need to readable by the group. This reduces
              the security model you have with plain itk, as the prefork
              apache user will be able to read php (config-) files of any
              vhost that runs in static-itk mode. If you want to keep
              the level of security for a certain vhost, you need to run
              the specific vhost in proxy-itk mode.

Note 1: you cannot run vhosts in itk mode and others in proxy or static
        itk mode. There is a duplicate file resource definition that
        blocks that possibility.
Note 2: This mode works currently only on CentOS based systems, as no
        work have been done so far to implement an init.d script that's
        able to run 2 apache instances.

1 files changed, 210 insertions, 5 deletions

diff --git a/templates/vhosts/php_gallery2/php_gallery.erb b/templates/vhosts/php_gallery2/php_gallery.erb
index 8d10d02..fdcc89b 100644
--- a/templates/vhosts/php_gallery2/php_gallery.erb
+++ b/templates/vhosts/php_gallery2/php_gallery.erb
@@ -1,4 +1,7 @@
 # <%= servername %>
+<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%>
+<IfDefine HttpdLocal>
+<%- end -%>
 <%- unless ssl_mode.to_s == 'only'  then -%>
 <VirtualHost *:80>
     Include include.d/defaults.inc
@@ -26,16 +29,20 @@
     ErrorLog <%= logdir %>/error_log
     CustomLog <%= logdir %>/access_log combined
     <%- end -%>
+
     <%- if ssl_mode.to_s == 'force' then -%>
     Redirect permanent / https://<%= servername %>/
+
     <%- end -%>
     <%- if default_charset.to_s != 'absent' then -%>
     AddDefaultCharset <%= default_charset %>
+
     <%- end -%>
-    <%- if run_mode.to_s == 'itk' -%>
+    <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%>
     <IfModule mpm_itk_module>
         AssignUserId <%= run_uid+" "+run_gid %>
     </IfModule>
+
     <%- end -%>
     <%- if not ssl_mode.to_s == 'force' then -%>
     <Directory "<%= documentroot %>/">
@@ -74,6 +81,7 @@
     </Directory>
     <%- end -%>
 
+    <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%>
     <IfModule mod_security2.c>
         <%- if mod_security.to_s == 'true' then -%>
         SecRuleEngine On
@@ -91,6 +99,7 @@
         SecAuditLog <%= logdir %>/mod_security_audit.log
         SecDebugLog <%= logdir %>/mod_security_debug.log
     </IfModule>
+    <%- end -%>
 
     <%- unless additional_options.to_s == 'absent' then -%>
     <%= additional_options %>
@@ -126,13 +135,16 @@
     ErrorLog <%= logdir %>/error_log
     CustomLog <%= logdir %>/access_log combined
     <%- end -%>
-    <%- if run_mode.to_s == 'itk' -%>
+
+    <%- if default_charset.to_s != 'absent' then -%>
+    AddDefaultCharset <%= default_charset %>
+
+    <%- end -%>
+    <%- if run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%>
     <IfModule mpm_itk_module>
         AssignUserId <%= run_uid+" "+run_gid %>
     </IfModule>
-    <%- end -%>
-    <%- if default_charset.to_s != 'absent' then -%>
-    AddDefaultCharset <%= default_charset %>
+
     <%- end -%>
     <Directory "<%= documentroot %>/">
         AllowOverride <%= allow_override %>
@@ -169,6 +181,7 @@
         RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L]
     </Directory>
 
+    <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%>
     <IfModule mod_security2.c>
         <%- if mod_security.to_s == 'true' then -%>
         SecRuleEngine On
@@ -182,9 +195,201 @@
         SecAuditLog <%= logdir %>/mod_security_audit.log
         SecDebugLog <%= logdir %>/mod_security_debug.log
     </IfModule>
+    <%- end -%>
 
     <%- unless additional_options.to_s == 'absent' then -%>
     <%= additional_options %>
     <%- end -%>
 </VirtualHost>
 <%- end -%>
+<%- if run_mode.to_s =~ /(proxy\-|static\-)itk/ -%>
+</IfDefine>
+<IfDefine !HttpdLocal>
+<%- unless ssl_mode.to_s == 'only'  then -%>
+<VirtualHost *:80>
+    Include include.d/defaults.inc
+
+    ServerName <%= servername %>
+    <%- unless serveralias.to_s.empty? then -%>
+    ServerAlias <%= serveralias %>
+    <%- end -%>
+    <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%>
+    ServerAdmin <%= server_admin %>
+    <%- end -%>
+    <%- if run_mode.to_s == 'static-itk' -%>
+    DocumentRoot <%= documentroot %>/
+    DirectoryIndex index.htm index.html index.php
+    <%- end -%>
+
+    <%- case logmode.to_s
+        when 'nologs' -%>
+    ErrorLog /dev/null
+    CustomLog /dev/null
+    <%- when 'semianonym' -%>
+    ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log
+    CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip
+    <%- when 'anonym' -%>
+    ErrorLog /dev/null
+    CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip
+    <%- else -%>
+    ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log
+    CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined
+    <%- end -%>
+
+    ProxyPreserveHost On
+    ProxyRequests off
+    <%- if run_mode.to_s == 'static-itk' -%>
+    ProxyPassMatch ^/(.*\.php/?.*)$ http://127.0.0.1/$1
+    <%- else -%>
+    ProxyPass / http://127.0.0.1/
+    <%- end -%>
+    ProxyPassReverse / http://127.0.0.1/
+
+    <%- if ssl_mode.to_s == 'force' then -%>
+    Redirect permanent / https://<%= servername %>/
+
+    <%- end -%>
+    <%- if default_charset.to_s != 'absent' then -%>
+    AddDefaultCharset <%= default_charset %>
+
+    <%- end -%>
+    <%- if run_mode.to_s == 'static-itk' then -%>
+    <%- if not ssl_mode.to_s == 'force' then -%>
+    <Directory "<%= documentroot %>/">
+        AllowOverride <%= allow_override %>
+        <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%>
+        Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%>
+
+        <%- end -%>
+        <%- unless htpasswd_file.to_s == 'absent' then -%>
+        AuthType Basic
+        AuthName "Access fuer <%= servername %>"
+        AuthUserFile <%= real_htpasswd_path %>
+        require valid-user
+        <%- end -%>
+
+        # Always rewrite login's
+        # Source: http://gallery.menalto.com/node/30558
+        RewriteEngine On
+        RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR]
+        RewriteCond %{QUERY_STRING} subView=core\.UserLogin
+        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L]
+        # https -> see below
+        # Then, unset baseUri in config.php (to keep Gallery from trying to redirect users to either HTTP or HTTPS):
+        # $gallery->setConfig('baseUri', '');
+    </Directory>
+    <%- end -%>
+    <%- end -%>
+
+    <IfModule mod_security2.c>
+        <%- if mod_security.to_s == 'true' then -%>
+        SecRuleEngine On
+        <%- if mod_security_relevantonly.to_s == 'true' then -%>
+        SecAuditEngine RelevantOnly
+        <%- else -%>
+        SecAuditEngine On
+        <%- end -%>
+        <%- else -%>
+        SecRuleEngine Off
+        SecAuditEngine Off
+        <%- end -%>
+        SecAuditLogType Concurrent
+        SecAuditLogStorageDir <%= logdir %>/
+        SecAuditLog <%= logdir %>/mod_security_audit.log
+        SecDebugLog <%= logdir %>/mod_security_debug.log
+    </IfModule>
+
+    <%- unless additional_options.to_s == 'absent' then -%>
+    <%= additional_options %>
+    <%- end -%>
+</VirtualHost>
+<%- end -%>
+
+<%- unless ssl_mode.to_s == 'false'  then -%>
+<VirtualHost *:443>
+    Include include.d/defaults.inc
+    Include include.d/ssl_defaults.inc
+
+    ServerName <%= servername %>
+    <%- unless serveralias.to_s.empty? then -%>
+    ServerAlias <%= serveralias %>
+    <%- end -%>
+    <%- unless server_admin.to_s.empty? or server_admin.to_s == 'absent' then -%>
+    ServerAdmin <%= server_admin %>
+    <%- end -%>
+    <%- if run_mode.to_s == 'static-itk' -%>
+    DocumentRoot <%= documentroot %>/
+    DirectoryIndex index.htm index.html index.php
+    <%- end -%>
+
+    <%- case logmode.to_s
+        when 'nologs' -%>
+    ErrorLog /dev/null
+    CustomLog /dev/null
+    <%- when 'semianonym' -%>
+    ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log
+    CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip
+    <%- when 'anonym' -%>
+    ErrorLog /dev/null
+    CustomLog <%= logdir %>/<%= logfileprefix %>-access_log noip
+    <%- else -%>
+    ErrorLog <%= logdir %>/<%= logfileprefix %>-error_log
+    CustomLog <%= logdir %>/<%= logfileprefix %>-access_log combined
+    <%- end -%>
+
+    ProxyPreserveHost On
+    ProxyRequests off
+    <%- if run_mode.to_s == 'static-itk' -%>
+    ProxyPassMatch ^/(.*\.php/?.*)$ https://127.0.0.1/$1
+    <%- else -%>
+    ProxyPass / https://127.0.0.1/
+    <%- end -%>
+    ProxyPassReverse / https://127.0.0.1/
+
+    <%- if default_charset.to_s != 'absent' then -%>
+    AddDefaultCharset <%= default_charset %>
+
+    <%- end -%>
+    <%- if run_mode.to_s == 'static-itk' -%>
+    <Directory "<%= documentroot %>/">
+        AllowOverride <%= allow_override %>
+        <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%>
+        Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%><%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%> +Includes<%- end -%>
+
+        <%- end -%>
+        <%- unless htpasswd_file.to_s == 'absent' then -%>
+        AuthType Basic
+        AuthName "Access fuer <%= servername %>"
+        AuthUserFile <%= real_htpasswd_path %>
+        require valid-user
+        <%- end -%>
+        # Always rewrite login's (see above)
+        RewriteEngine On
+        RewriteCond %{HTTP_COOKIE} =""
+        RewriteCond %{REQUEST_METHOD} =GET
+        RewriteCond %{QUERY_STRING} !subView=core\.UserLogin
+        RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L]
+    </Directory>
+    <%- end -%>
+
+    <IfModule mod_security2.c>
+        <%- if mod_security.to_s == 'true' then -%>
+        SecRuleEngine On
+        SecAuditEngine On
+        <%- else -%>
+        SecRuleEngine Off
+        SecAuditEngine Off
+        <%- end -%>
+        SecAuditLogType Concurrent
+        SecAuditLogStorageDir <%= logdir %>/
+        SecAuditLog <%= logdir %>/mod_security_audit.log
+        SecDebugLog <%= logdir %>/mod_security_debug.log
+    </IfModule>
+
+    <%- unless additional_options.to_s == 'absent' then -%>
+    <%= additional_options %>
+    <%- end -%>
+</VirtualHost>
+<%- end -%>
+</IfDefine>
+<%- end -%>