# $Id: INSTALL,v 1.8 2005/10/16 02:14:47 dme26 Exp $
# 
# WebNAG: Web-based Network Authentication Gateway
# 
# Copyright 2005 David Eyers.
# This software is GPLed - see file COPYING for license details.
# 
# -------------------------------
# Notes on how to install WebNAG.
# -------------------------------
# 
# There's no installer yet. No surprises there given that the software
# is in its infancy - more important things need to be improved first!
# 
# In the installations I've done, this file would be in the base of the
# home directory of a user such as 'nag' under which the bulk of WebNAG
# configuration and status files will be kept.
#
# This file is intended to cooperate with Shell syntax highlighting,
# but you'll probably break all sorts of things if you just cut and
# paste into a shell!! The idea is to read through it configuring for
# your particular setup. This will be improved over time.
# David.Eyers in the cantab.net email domain

# ----------------------------------------

# I installed Debian Sarge stable using the net-inst CD, after which I
# directed downloads from the UCam http apt sources: http
# . ftp-uxsup.csx.cam.ac.uk . /pub/linux/debian
# At the Debian installer's package-selection step, choose "no software selection"

# Setup Packages: 

# Become root; every step below assumes a root shell.
su root

# apache2-dev is a build dependency only (for the mod_ucam_webauth build
# later on); perl-suid is needed for the setuid perl scripts.
apt-get install \
  dhcp3-server ntp-simple ntpdate \
  apache2 apache2-dev perl-suid

# General Networking and DHCP
#
# I'm assuming you're happy setting up the networking stuff and DHCP
# to suit your needs. In most cases you'll need at least one extra
# network interface, or at least an additional network alias. This
# sort of thing is set up in /etc/network/interfaces under Debian.
#
# --> installHelp/netconfig/interfaces is an example of a potential
#     /etc/network/interfaces file
#
# You'll definitely need to set up IP forwarding if this host is going
# to be doing the NATing (I have plans for switch-based VLAN remote
# control too, but that's a way off yet!). The start-up setting for
# this is in /etc/network/options under Debian, and the run-time
# setting can be made by:
#
# echo 1 > /proc/sys/net/ipv4/ip_forward 
#
# Also, DHCP won't be functional until you tell it about the topology
# of your network. You probably only want it running on your internal
# network: on Debian it seems to guess eth1 if you have two cards, but
# otherwise you can edit this explicitly in /etc/default/dhcp3-server
# The main DHCP configuration file will be: /etc/dhcp3/dhcpd.conf
#
# --> installHelp/netconfig/dhcp.conf is an example /etc/dhcp3/dhcpd.conf
#
# Note: You probably want to improve the NTP config to point to
# servers closer to you - i.e. edit /etc/ntp.conf

# I always create a user account to store files and take actions in
# the name of the WebNAG software:

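# Dedicated account that owns the WebNAG tree; the web server is later
# given group access only to the subdirectories it needs.
adduser nag
# The permission rebuild further down runs 'chmod -R 750 *' and
# 'chown -R nag:nag *' against the current directory, so stop here if
# we did not actually land in ~nag.
cd ~nag || exit 1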

# If you're reading this from the web, here's one way to expand the
# distribution.

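# Fetch and unpack the 0.3 release into ~nag. The archive comes over
# plain HTTP and no checksum is given here, so compare it against a
# digest obtained out of band before unpacking. The tarball is only
# removed once extraction has actually succeeded.
wget http://www.cl.cam.ac.uk/~dme26/proj/WebNAG/WebNAG0.3.tar.gz \
  && tar zxf WebNAG0.3.tar.gz \
  && rm -- WebNAG0.3.tar.gz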

# If you'd already expanded the distribution elsewhere, the rest of
# these directions will presume you'll have copied or moved all the
# distribution files into the ~nag directory.

# I'm going to explicitly specify the rebuilding of file ownership and
# permissions.

# initial safe settings
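# Ownership and permissions, rebuilt from scratch. Must be run as root
# from ~nag: the recursive chmod/chown act on the current directory.

# Baseline: home directory traversable by everyone (Apache has to reach
# the subdirectories), everything else private to owner and group.
chmod 755 .
chmod -R 750 *
chown -R nag:nag *
# The web server gets group access to what it serves and runs, and
# write access only to the session store.
chgrp -R www-data sessions public_html cgi-bin perl
chmod g+w sessions
# Documentation is world-readable.
chmod 644 AUTHORS COPYING INSTALL
# installHelp holds files that get moved into /etc below. Keep its
# directories traversable and its files readable; a blanket
# 'chmod -R 644 installHelp' would also strip the exec bit from
# nagFirewall.sh, which is installed as an init script below and is
# skipped at boot unless it is executable.
find installHelp -type d -exec chmod 755 {} \;
find installHelp -type f -exec chmod 644 {} \;
chmod 755 installHelp/nagFirewall.sh
chown root:root installHelp/*
# setuid iptables scripts: root-owned, group www-data, and still mode
# 750 from above, so only the web server's group can invoke them. The
# chown has to precede 'chmod u+s' because changing the owner can clear
# the setuid bit. The kernel ignores setuid on '#!' scripts; the
# perl-suid package installed earlier is what makes these honoured.
chown root:www-data perl/blockClient.pl perl/permitClient.pl
chmod u+s perl/blockClient.pl perl/permitClient.pl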

# The files in the installHelp directory are just for the initial
# setup - if you're doing an in-place install, they'll get moved
# elsewhere in your directory tree.

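# Install the firewall init script and register it: start early in
# runlevel S, stop in 0 and 6. The permission rebuild above may have
# left the script without its exec bit, and init skips non-executable
# scripts, so set the mode explicitly (the firewall rules not loading
# at boot would leave the gateway open).
mv installHelp/nagFirewall.sh /etc/init.d/nagFirewall.sh
chmod 755 /etc/init.d/nagFirewall.sh
update-rc.d nagFirewall.sh start 40 S . stop 89 0 6 .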

# Install the two required Apache site configurations.

# Both site definitions (nag and nagcapture) ship in installHelp; the
# '--' keeps mv from treating a leading-dash match as an option.
mv -- installHelp/nag* /etc/apache2/sites-available/

# Note that you should edit the /etc/apache2/sites-available/nag site
# to change the ServerAdmin variable from the dummy root@localhost
# address to something specific suitable for your deployment.

# Acquire the Raven module (if that's how you're going to do your
# authentication checking)
# wget http://www.cl.cam.ac.uk/~dme26/proj/WebNAG/support/mod_ucam_webauth-1.2.2.1dme26.tar.gz

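# Build and install the Raven Apache module from the tarball fetched
# above. The build runs in a subshell so a failed 'cd' or 'make' cannot
# leave us in the wrong directory, and the source tree is only removed
# after a successful install. The tarball arrives over plain HTTP with
# no checksum given here; this is the gateway's authentication code, so
# verify it out of band before building.
tar zxf mod_ucam_webauth-1.2.2.1dme26.tar.gz \
  && ( cd mod_ucam_webauth-1.2.2.1dme26 && make && make install ) \
  && rm -r -- mod_ucam_webauth-1.2.2.1dme26*
# if you want the space back, we're done with the apache2-dev package
apt-get remove apache2-dev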

# get the Raven public key.

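# The Raven public key, fetched over HTTPS; the webauth module loads it
# from the directory below. Only create the directory and move the key
# into place once the download has succeeded, so a failed fetch cannot
# leave an empty or partial key file there.
wget https://raven.cam.ac.uk/project/keys/pubkey2 \
  && mkdir -p /etc/apache2/conf/webauth_keys/ \
  && mv -- pubkey2 /etc/apache2/conf/webauth_keys/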

# Setup the Apache2 configuration

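# Enable the two WebNAG sites in place of the default one. Abort if the
# cd fails so the 'rm' below cannot run in some other directory.
cd /etc/apache2/sites-enabled/ || exit 1
rm -- 000-default
# Numeric prefixes fix the load order: nag before nagcapture.
ln -s /etc/apache2/sites-available/nag 010-nag
ln -s /etc/apache2/sites-available/nagcapture 020-nagcapture
# Last file out of installHelp; the directory is no longer needed.
mv ~nag/installHelp/ucam_webauth.load /etc/apache2/mods-available/
rm -r ~nag/installHelp
# Modules: the Raven auth module plus expires, rewrite and proxy.
ln -s /etc/apache2/mods-available/ucam_webauth.load /etc/apache2/mods-enabled/
ln -s /etc/apache2/mods-available/expires.load /etc/apache2/mods-enabled/
ln -s /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/
ln -s /etc/apache2/mods-available/proxy.load /etc/apache2/mods-enabled/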

# Add the web-cache listening port, since this is where capture
# redirects get sent...

# Make Apache listen on 8080 as well (the capture redirect target),
# unless ports.conf already carries such a Listen line.
if ! grep '^[[:space:]]*Listen[[:space:]]*8080\>' /etc/apache2/ports.conf; then
  printf '%s\n' 'Listen 8080' >> /etc/apache2/ports.conf
fi

# When moved to mod_perl, the URI module won't be required, but for
# the moment it is, so install it if it's not already in your Perl distribution:

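# Install the URI module from CPAN (still needed until the move to
# mod_perl). Build in a subshell so a failed step does not leave us in
# the wrong directory, and delete the source only after a successful
# install. Plain-HTTP download with no checksum given here: verify the
# archive out of band before building.
cd ~nag || exit 1
wget http://www.cl.cam.ac.uk/~dme26/proj/WebNAG/support/URI-1.35.tar.gz \
  && tar zxf URI-1.35.tar.gz \
  && ( cd URI-1.35 && perl Makefile.PL && make && make test && make install ) \
  && rm -r -- URI-1.35*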

# The main configuration variables are in ~nag/perl/nagcommon.pm; you
# must edit this to set up what your internal versus external network
# is, etc. Sensible(ish) defaults are provided, but you'll definitely
# want to check this. The configuration section will hopefully be
# cleaned up significantly when heading into mod_perl (for a start, the
# constants should be Perl constants, not variables!!).

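# Open the main configuration module for editing. Fall back to vi when
# $EDITOR is unset or empty: with nothing in front of it the shell would
# try to execute the .pm file itself. Left unquoted on purpose so an
# EDITOR value carrying options (e.g. "emacs -nw") still word-splits.
${EDITOR:-vi} ~nag/perl/nagcommon.pm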

# The connection management is done by a cron job. I caused cron to do
# its thing by adding the following line into /etc/crontab
# Cron drives connection expiry: every three minutes, as www-data, run
# purgeDeadConns.pl with the WebNAG perl directory on PERL5LIB. Skip if
# /etc/crontab already mentions the script.
if ! grep purgeDeadConns /etc/crontab; then
  printf '%s\n' "*/3 * * * * www-data PERL5LIB=/home/nag/perl /home/nag/cgi-bin/secured/purgeDeadConns.pl -q" >>/etc/crontab
fi
# If moved into an installer, this should probably be done within a
# user crontab I think.

# Hopefully you'll be finished now. Linux being Linux, it should be
# possible to complete all of the above without rebooting. Having said
# that, it's probably a good idea to check that your system really does
# come back up as you expect after a reboot!