[EP-tech] Configuring Azure Web Application Firewall (WAF) for eprints

Francis Jayakanth fjayakanth at gmail.com
Fri Sep 18 12:22:07 BST 2020


Hi David, Thanks a lot for your valuable inputs. We were able to
resolve both the issues - one concerning auto log out and the other
not being able to upload files. The first issue was resolved after the
inclusion of a configuration option, $c->{ignore_login_ip} = 1; in a
configuration file in the archive's cfg/cfg.d/ directory.

The file upload issue persisted because there are symbolic links in
the /ARCHIVENAME/documents/ folder. After changing the SELinux
contexts for the folders referred to by the symbolic links, the file
upload issue was resolved.

Thanks and regards, Francis

On Mon, Sep 14, 2020 at 4:54 PM Francis Jayakanth via Eprints-tech
<eprints-tech at ecs.soton.ac.uk> wrote:
>
> Hi David, Thanks a lot for the prompt reply and for the possible
> solution as well. The solution is bang-on. I created a file,
> ingnore_login_ip.pl, and inserted the statement, $c->{ignore_login_ip}
> = 1; in that file, and restarted the httpd server. The action solved
> the issue of auto log out, but I was still unable to upload a file.
> Apache error log file was complaining about the permission issue:
>
> Failed to mkdir /documents/disk7/00/06/29/35/01: Permission denied
>
> I was quite sure that the above issue was related to SELinux
> configuration. I disabled SELinux, and I am now able to upload files.
>
> I followed the instructions related to changing directory permissions
> and SELinux contexts available here,
> https://wiki.eprints.org/w/EPrints_and_SELinux , and enabled SELinux
> by setting SELINUX=enforcing. Upon enabling SELinux, I'm again able to
> upload file. The Apache error log reports, Unable to write to
> /opt/eprints3/
> archives/iisceprints/documents/disk7/00/06/29/35/01/baccelli1989.pdf:
> Permission denied
>
> Can you please let me know what else needs to be done.
>
> Btw, everything was working fine before moving Eprints behind the WAF.
>
> Thanks and regards, Francis
>
> On Sat, Sep 12, 2020 at 11:10 PM David R Newman <drn at ecs.soton.ac.uk> wrote:
> >
> > Hi Francis,
> >
> > I don't have any significant knowledge about Azure WAF but EPrints
> > should only require TCP ports 80 and 443 to be open to be fully
> > functional.  (In some configurations only port 443 or 80 need be open).
> > You have tried turning off SELinux which rules out one potential issue.
> > My suspicion is that the Azure WAF might cause the apparent IP address
> > of the connecting user to change between requests.  This would be
> > supported by you saying that you seem to get logged out.  EPrints can be
> > configured to not enforce the IP address being maintained during a
> > session with the following configuration option in a configuration file
> > in your archive's cfg/cfg.d/ directory:
> >
> > $c->{ignore_login_ip} = 1;
> >
> > and then reloading the Apache webserver.  If this does not help it is
> > worth checking the error logs in /var/log/httpd/ to see if there is any
> > obvious problem.  You want to check both error_log and ssl_error_log.
> > It may also be worth checking access_log and ssl_access_log whilst you
> > are attempting to upload files to see if you can find any unexpected
> > HTTP codes in the responses to your requests.
> >
> > Regards
> >
> > David Newman
> >
> > On 12/09/2020 15:23, Francis Jayakanth via Eprints-tech wrote:
> > > Hi, I would like to know if any of you have configured Azure WAF to
> > > run an eprints 3.4 instance? If so, please share your experience in
> > > resolving the issue we are having in configuring WAF for eprints.
> > >
> > > Our network support team has implemented WAF for eprints. After the
> > > WAF implementation, we are unable to upload files of any format into
> > > the repository, and eprints logs out automatically when the uploading
> > > fails.
> > >
> > > For the sake of testing, we even tried turning off SELinux, but it doesn't help.
> > >
> > > We are running eprints version 3.4.1 eps on CentOS 7
> > >
> > > I would greatly appreciate it if someone guides me in resolving the issue.
> > >
> > > Thanks and regards, Francis
> > > *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> > > *** Archive: http://www.eprints.org/tech.php/
> > > *** EPrints community wiki: http://wiki.eprints.org/
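
The SELinux fix reported in the newest message of this thread (contexts changed on the folders that the documents/ symbolic links refer to), as an added example that is not part of the original emails: a dry-run helper that finds those link targets and prints the labelling commands for them. The function names and the type httpd_sys_rw_content_t are assumptions; confirm the type against the EPrints SELinux wiki page and local policy before running anything it prints.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run: prints commands, changes nothing.
# A recursive relabel of documents/ does not descend through symlinks, so
# storage that lives outside the tree keeps its old label and httpd is still
# denied writes with SELinux enforcing. List those targets explicitly.

# Print each distinct existing directory that a symlink directly under $1
# resolves to (dangling links and links to files are skipped).
symlink_targets() (
    for link in "$1"/*; do
        [ -L "$link" ] || continue
        target=$(readlink -f -- "$link") || continue
        if [ -d "$target" ]; then printf '%s\n' "$target"; fi
    done | sort -u
)

# Print the semanage/restorecon commands needed for targets outside $1.
# $2 is the SELinux type to assign (assumed default, see lead-in).
# Assumes paths contain no single quotes or regex metacharacters.
plan_relabel() (
    docroot=$(readlink -f -- "$1") || exit 1
    setype=${2:-httpd_sys_rw_content_t}
    symlink_targets "$docroot" | while IFS= read -r target; do
        # Targets inside the documents tree are covered by its own rule.
        case $target in "$docroot"/*) continue ;; esac
        printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$setype" "$target"
        printf "restorecon -Rv '%s'\n" "$target"
    done
)

# Usage, with the archive path from the error log quoted in the thread:
#   plan_relabel /opt/eprints3/archives/iisceprints/documents
```

Review the printed commands, run them as root, then retry an upload with SELinux still set to enforcing.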


