On Fri, Jan 12, 2007 at 08:39:45AM -0800, Adam Chlipala wrote:
> Michael Olson wrote:
> > Admins, if you've made a
> > custom change to /etc/apache2, please check over the log (and the
> > files themselves) to make sure I didn't accidentally revert your
> > changes (especially apache2/mods-available/proxy.conf).
> 
> I don't remember/understand any changes I may have made well enough to be
> able to do this.  I'm sure it will be fine. :)
> 
> > * apache2/apache2.conf (worker.c module): Start 5 servers, much like our
> >   old setup.  Only allow one thread per child, as in our old setup.
> >   Presumably we had some valid reason for doing that.
> >   (HeaderName): Use HEADER.shtml rather than HEADER.html, as per old
> >   config.
> >   (VirtualHost stuff): Move to apache2/conf.d/home.conf.
> 
> Any custom tweaking that went on would only have been to make Apache play
> well with ulimits (despite the fact that we wanted Apache not to be
> subject to them but couldn't figure out how to do that).  We won't be
> using ulimits on the new servers, so I don't see any particular reason to
> preserve old configuration instead of doing whatever you would do in a
> fresh sysadmining situation.
> 
> > * apache2/mods-available/userdir.conf: Set AllowOverride to none in
> >   users' public_html, as per old config.
> 
> We may even want to only enable userdirs on mire, to keep all member web
> serving in one place.  Any thoughts on this?

This would be good.

> 
> > * apache2/passwds: Copied over from fyodor.
> 
> I'd still love to replace these separate passwords with an Apache module
> that would use system passwords.  Has the situation changed since we last
> looked into this, such that someone can recommend a good, secure way of
> doing that?

Well. I don't like this, but one way we can go about it is to also
install OTP packages (one-time password), so that users can log in
either using the real password, OR the OTP password (which changes
every time you use it).

This would require them to, over a secure
connection, pre-generate, say, 10 passwords (OTP), and then be able
to log in 10 times until they had to renew them again.

So in summary, you could always use either the real or OTP password
(so we're not forcing anything),
but the security-conscious users would have a way to use OTP
when they feel they're connecting from untrusted machines.


_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
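The pre-generated one-time password scheme sketched in the reply above, written out as an added Python example; it is not code from the HCoop thread, from Apache, or from any OTP package. The user record keeps a static password hash and a set of unused OTP hashes, accepts either credential, and removes an OTP once it has been used. The names (`UserRecord`, `enroll_otps`, `authenticate`) and the sample password are assumptions chosen for illustration; the hashing and comparison use only the Python standard library.

```python
import hashlib
import hmac
import secrets

# Added example (not HCoop's or any OTP package's code): a per-user record that
# accepts either a static password or one entry from a pre-generated,
# single-use password list, as sketched in the thread.

OTP_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no look-alike characters
OTP_LENGTH = 10
PBKDF2_ITERATIONS = 100_000


def generate_otps(count=10):
    """Return `count` fresh random one-time passwords in plaintext.

    These are shown to the user exactly once, over a secure connection;
    the server keeps only their hashes.
    """
    return [
        "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        for _ in range(count)
    ]


def hash_password(password, salt):
    """Slow salted hash so a leaked password file does not yield usable OTPs."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class UserRecord:
    """One user's credentials: a static password hash plus unused OTP hashes."""

    def __init__(self, static_password):
        self.salt = secrets.token_bytes(16)
        self.static_hash = hash_password(static_password, self.salt)
        self.unused_otp_hashes = set()

    def enroll_otps(self, count=10):
        """Pre-generate a new OTP list (replacing any leftover entries) and
        return the plaintext list for the user to write down."""
        otps = generate_otps(count)
        self.unused_otp_hashes = {hash_password(p, self.salt) for p in otps}
        return otps

    def remaining_otps(self):
        return len(self.unused_otp_hashes)

    def authenticate(self, candidate):
        """Return 'static', 'otp', or None. A matching OTP is consumed."""
        candidate_hash = hash_password(candidate, self.salt)
        if hmac.compare_digest(candidate_hash, self.static_hash):
            return "static"
        for stored in list(self.unused_otp_hashes):
            if hmac.compare_digest(candidate_hash, stored):
                self.unused_otp_hashes.remove(stored)  # single use: replay fails
                return "otp"
        return None


if __name__ == "__main__":
    user = UserRecord("correct horse battery staple")  # constructed sample
    otp_list = user.enroll_otps(10)
    print("OTPs to hand to the user once:", otp_list)
    print(user.authenticate(otp_list[0]))  # otp
    print(user.authenticate(otp_list[0]))  # None: already used
    print(user.remaining_otps())           # 9
```

Two points of the thread's design show up in the code: the static password keeps working (nothing is forced on users), and a used OTP is deleted so that a password captured on an untrusted machine cannot be replayed. Because the static password is still accepted, a keylogged static password remains a full compromise; the OTP list only helps users who actually type the OTP instead. Storing only salted hashes means the `passwds`-style file on the server is not itself a list of valid logins if it leaks.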
