# $Id: INSTALL,v 1.8 2005/10/16 02:14:47 dme26 Exp $
#
# WebNAG: Web-based Network Authentication Gateway
#
# Copyright 2005 David Eyers.
# This software is GPLed - see file COPYING for license details.
#
# -------------------------------
# Notes on how to install WebNAG.
# -------------------------------
#
# There's no installer yet. No surprises there given that the software
# is in its infancy - more important things need to be improved first!
#
# In the installations I've done, this file would be in the base of the
# home directory of a user such as 'nag' under which the bulk of WebNAG
# configuration and status files will be kept.
#
# This file is intended to cooperate with Shell syntax highlighting,
# but you'll probably break all sorts of things if you just cut and
# paste it into a shell!! The idea is to read through it, configuring
# for your particular setup as you go. This will be improved over time.

# David.Eyers in the cantab.net email domain

# ----------------------------------------

# I installed Debian Sarge stable using the net-inst CD, after which I
# directed downloads from the UCam http apt sources:
#   http . ftp-uxsup.csx.cam.ac.uk . /pub/linux/debian
# When the Debian installer asks which packages to install, choose
# "no software selection".

# Setup Packages:

su
apt-get install dhcp3-server ntp-simple ntpdate apache2 apache2-dev perl-suid

# General Networking and DHCP
#
# I'm assuming you're happy setting up the networking stuff and DHCP
# to suit your needs. In most cases you'll need at least one extra
# network interface, or at least an additional network alias. This
# sort of thing is set up in /etc/network/interfaces under Debian.
#
# --> installHelp/netconfig/interfaces is an example of a potential
#     /etc/network/interfaces file
#
# You'll definitely need to set up IP forwarding if this host is going
# to be doing the NATing (I have plans for switch-based VLAN remote
# control too, but that's a way off yet!).
# The start-up setting for
# this is in /etc/network/options under Debian, and the run-time
# setting can be made by:
#
# echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Also, DHCP won't be functional until you tell it about the topology
# of your network. You probably only want it running on your internal
# network: on Debian it seems to guess eth1 if you have two cards, but
# otherwise you can set the interface explicitly in
# /etc/default/dhcp3-server.
# The main DHCP configuration file will be: /etc/dhcp3/dhcpd.conf
#
# --> installHelp/netconfig/dhcp.conf is an example /etc/dhcp3/dhcpd.conf
#
# Note: You probably want to improve the NTP config to point to
# servers closer to you - i.e. edit /etc/ntp.conf

# I always create a user account to store files and take actions in
# the name of the WebNAG software:

adduser nag
cd ~nag

# If you're reading this from the web, here's one way to expand the
# distribution.

wget http://www.cl.cam.ac.uk/~dme26/proj/WebNAG/WebNAG0.3.tar.gz
tar zxf WebNAG0.3.tar.gz
rm WebNAG0.3.tar.gz

# If you'd already expanded the distribution elsewhere, the rest of
# these directions will presume you'll have copied or moved all the
# distribution files into the ~nag directory.

# I'm going to explicitly specify the rebuilding of file ownership and
# permissions.

# initial safe settings
chmod 755 .
chmod -R 750 *
chown -R nag:nag *
chgrp -R www-data sessions public_html cgi-bin perl
chmod g+w sessions
chmod -R 644 AUTHORS COPYING INSTALL installHelp
chown root:root installHelp/*

# setuid iptables scripts
# These are the only things the web server (www-data) can run as root,
# via suidperl. After the two commands below they are rwsr-x--- (4750)
# root:www-data: readable and executable by root and the web server
# only, and never group- or world-writable. Keep it that way.
chown root:www-data perl/blockClient.pl perl/permitClient.pl
chmod u+s perl/blockClient.pl perl/permitClient.pl

# The files in the installHelp directory are just for the initial
# setup - if you're doing an in-place install, they'll get moved
# elsewhere in your directory tree.

mv installHelp/nagFirewall.sh /etc/init.d/nagFirewall.sh
# the chmod -R 644 above stripped the execute bit; an init script needs it
chmod 755 /etc/init.d/nagFirewall.sh
update-rc.d nagFirewall.sh start 40 S . stop 89 0 6 .

# Install the two required Apache site configurations.
mv installHelp/nag* /etc/apache2/sites-available/

# Note that you should edit the /etc/apache2/sites-available/nag site
# to change the ServerAdmin variable from the dummy root@localhost
# address to something specific suitable for your deployment.

# Acquire the Raven module (if that's how you're going to do your
# authentication checking)
#
wget http://www.cl.cam.ac.uk/~dme26/proj/WebNAG/support/mod_ucam_webauth-1.2.2.1dme26.tar.gz
tar zxf mod_ucam_webauth-1.2.2.1dme26.tar.gz
cd mod_ucam_webauth-1.2.2.1dme26
make
make install
cd ..
rm -r mod_ucam_webauth-1.2.2.1dme26*

# if you want the space back, we're done with the apache2-dev package
apt-get remove apache2-dev

# get the Raven public key.
# Every Raven login the gateway accepts is verified against this key,
# so it matters that you really got it from raven.cam.ac.uk: older wget
# versions do not verify the server certificate by default, so check
# the download before you install it rather than trusting it blindly.
wget https://raven.cam.ac.uk/project/keys/pubkey2
mkdir -p /etc/apache2/conf/webauth_keys/
mv pubkey2 /etc/apache2/conf/webauth_keys/

# Setup the Apache2 configuration
cd /etc/apache2/sites-enabled/
rm 000-default
ln -s /etc/apache2/sites-available/nag 010-nag
ln -s /etc/apache2/sites-available/nagcapture 020-nagcapture
mv ~nag/installHelp/ucam_webauth.load /etc/apache2/mods-available/
rm -r ~nag/installHelp
ln -s /etc/apache2/mods-available/ucam_webauth.load /etc/apache2/mods-enabled/
ln -s /etc/apache2/mods-available/expires.load /etc/apache2/mods-enabled/
ln -s /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/
ln -s /etc/apache2/mods-available/proxy.load /etc/apache2/mods-enabled/

# Add the web-cache listening port, since this is where capture
# redirects get sent...
grep '^[[:space:]]*Listen[[:space:]]*8080\>' /etc/apache2/ports.conf || echo 'Listen 8080' >> /etc/apache2/ports.conf

# When moved to mod_perl, the URI module won't be required, but for
# the moment it is, so if it's not already in your Perl distribution:
cd ~nag
wget http://www.cl.cam.ac.uk/~dme26/proj/WebNAG/support/URI-1.35.tar.gz
tar zxf URI-1.35.tar.gz
cd URI-1.35
perl Makefile.PL
make
make test
make install
cd ..
rm -r URI-1.35*

# The main configuration variables are in ~nag/perl/nagcommon.pm; you
# must edit this to set up what your internal versus external network
# is, etc. Sensible(ish) defaults are provided, but you'll definitely
# want to check this. The configuration section will hopefully be
# cleaned up significantly when heading into mod_perl (for a start the
# constants should be Perl constants, not variables!!).
$EDITOR ~nag/perl/nagcommon.pm

# The connection management is done by a cron job. I caused cron to do
# its thing by adding the following line into /etc/crontab. It runs as
# www-data, which is why the perl directory was made group-readable
# (but not group-writable) by www-data above.
grep purgeDeadConns /etc/crontab || echo "*/3 * * * * www-data PERL5LIB=/home/nag/perl /home/nag/cgi-bin/secured/purgeDeadConns.pl -q" >>/etc/crontab

# If moved into an installer, this should probably be done within a
# user crontab I think.

# Hopefully you'll be finished now. Linux being Linux, all the above
# setting up should be possible to do to completion without
# rebooting. Having said that, it's probably a good idea to check that
# your system really does come back up as you expect after a reboot!
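# ----------------------------------------
# Added illustration (not part of the WebNAG distribution): what the
# capture/permit/block mechanism described above amounts to in iptables
# terms. nagFirewall.sh and the setuid permitClient.pl/blockClient.pl
# scripts are not reproduced in this file, so the chain names, the
# combined IP+MAC match and the set of ports the gateway answers on are
# this example's assumptions, not the project's. Note how the per-client
# rules are inserted at position 1, ahead of the REDIRECT to 8080 and the
# DROP, and how the block function is the exact inverse of permit so a
# purge job can remove rules cleanly.

```shell
#!/bin/sh
# Illustration of the capture/permit/block mechanism for a WebNAG-style
# gateway. Added example, NOT the project's nagFirewall.sh,
# permitClient.pl or blockClient.pl; chain names, the MAC+IP match and
# the port list are this example's own assumptions.
#
# Run with IPT=echo to print the rules instead of applying them.

ipt() { ${IPT:-iptables} "$@"; }

# nag_firewall_init IF_INT IF_EXT [CAPTURE_PORT]
# Clients on IF_INT may talk to the gateway itself (DHCP, DNS, the
# login/capture web server) but not through it, and their port-80
# traffic is redirected to the capture port (8080 in this INSTALL).
nag_firewall_init() {
    if_int=$1; if_ext=$2; cport=${3:-8080}
    ipt -P FORWARD DROP
    ipt -t nat -N NAG_CAPTURE
    ipt -N NAG_FORWARD
    # Classify everything arriving on the inside interface.
    ipt -t nat -A PREROUTING -i "$if_int" -j NAG_CAPTURE
    ipt -A FORWARD -i "$if_int" -j NAG_FORWARD
    # Replies to permitted clients' connections may come back in.
    ipt -A FORWARD -i "$if_ext" -o "$if_int" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Defaults for clients that have not authenticated; per-client rules
    # are inserted ABOVE these (rule position 1) by nag_permit_client.
    ipt -t nat -A NAG_CAPTURE -p tcp --dport 80 -j REDIRECT --to-ports "$cport"
    ipt -A NAG_FORWARD -j DROP
    # Services the gateway offers to everyone on the inside.
    ipt -A INPUT -i "$if_int" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$if_int" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$if_int" -p tcp -m multiport --dports "80,443,$cport" -j ACCEPT
    # Permitted clients' traffic leaves NATed behind the external address.
    ipt -t nat -A POSTROUTING -o "$if_ext" -j MASQUERADE
}

# nag_permit_client IP MAC
# Matching both IP and MAC (this example's choice) means another host
# cannot take over a permitted session just by using the same IP; it
# does not stop MAC spoofing, which is one reason the purge job matters.
nag_permit_client() {
    ipt -t nat -I NAG_CAPTURE 1 -s "$1" -m mac --mac-source "$2" -j RETURN
    ipt -I NAG_FORWARD 1 -s "$1" -m mac --mac-source "$2" -j ACCEPT
}

# nag_block_client IP MAC
# Exact inverse of nag_permit_client, so the rules are removed cleanly.
nag_block_client() {
    ipt -t nat -D NAG_CAPTURE -s "$1" -m mac --mac-source "$2" -j RETURN
    ipt -D NAG_FORWARD -s "$1" -m mac --mac-source "$2" -j ACCEPT
}

# Usage: sh nagrules.sh init eth1 eth0 [8080] | permit IP MAC | block IP MAC
case "${1:-}" in
    init)   nag_firewall_init "$2" "$3" "${4:-8080}" ;;
    permit) nag_permit_client "$2" "$3" ;;
    block)  nag_block_client "$2" "$3" ;;
esac
```

# Review the generated rules first with IPT=echo (e.g. "IPT=echo sh
# nagrules.sh init eth1 eth0"); without it the script must run as root.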
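# ----------------------------------------
# Added example (again not the project's code): a few checks for the
# state this file leaves behind, worth running after the reboot
# suggested above. Paths default to the ones used in this INSTALL; each
# check also takes a path argument so it can be tried against copies.

```shell
#!/bin/sh
# Post-install sanity checks for a WebNAG box: an added example, not part
# of the distribution. Each check takes the path it inspects so it can be
# run against the live system ("run" mode below) or against test copies.

# check_modes NAGHOME
# Verifies the modes the chmod/chown sequence in this INSTALL produces
# for the security-relevant paths, that nothing under the tree is
# world-writable, and that only the two client scripts are setuid.
check_modes() {
    base=$1; rc=0
    for spec in 'perl/blockClient.pl 4750' 'perl/permitClient.pl 4750' \
                'sessions 770' 'cgi-bin 750'; do
        path=${spec% *}; want=${spec##* }
        got=$(stat -c %a "$base/$path" 2>/dev/null) || { echo "missing: $path"; rc=1; continue; }
        [ "$got" = "$want" ] || { echo "mode $got, expected $want: $path"; rc=1; }
    done
    find "$base" ! -type l -perm -0002 | sed 's/^/world-writable: /' | grep . && rc=1
    find "$base" -perm -4000 ! -name blockClient.pl ! -name permitClient.pl \
        | sed 's/^/unexpected setuid: /' | grep . && rc=1
    return $rc
}

# check_listen PORTSCONF [PORT]
# Apache must listen on the capture port, or redirected clients get nothing.
check_listen() {
    grep -Eq "^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?${2:-8080}[[:space:]]*$" "$1"
}

# check_forwarding [PROCFILE]
# The kernel flag that /etc/network/options is supposed to set at boot.
check_forwarding() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# check_cron [CRONTAB]
# The purge job must be present, uncommented, and run as www-data as in
# the crontab line above.
check_cron() {
    grep -Eq '^[^#].*[[:space:]]www-data[[:space:]].*purgeDeadConns\.pl' "${1:-/etc/crontab}"
}

# Usage: sh nagcheck.sh run   (inspects the live system; run as root)
if [ "${1:-}" = run ]; then
    status=0
    check_modes /home/nag || status=1
    check_listen /etc/apache2/ports.conf || { echo 'Listen 8080 missing from ports.conf'; status=1; }
    check_forwarding || { echo 'ip_forward is not enabled'; status=1; }
    check_cron || { echo 'purgeDeadConns cron entry missing'; status=1; }
    exit $status
fi
```

# A non-zero exit means something above needs attention; the messages
# name the offending path or setting.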