MP:

composer/docker-compose-development.yaml

@@ -62,11 +62,6 @@ services:
 #       than seems to work with the docker healthcheck approach
 
 
-
-
-
-
-
 # get dante and parsifal twice.
 # once before generating the copy so that we have it in place before init.sh for the update scripts etc.
 # a second time in webserver-after-copy, to be sure that we have the freshest version even when we did not redo the complete copy cycle
@@ -99,7 +94,7 @@ services:
       dante-network:
         aliases: 
           - dante.local
-    command: "install-webserver-certificate.sh get-dante.sh get-parsifal.sh generate-mediawiki-private.sh chown.sh set-user-preferences.sh initial-xml-git.sh run-apache-no-cache.sh"
+    command: "install-webserver-certificate.sh chown.sh set-user-preferences.sh PAUSED-initial-xml-git.sh run-apache.sh"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost"]
       interval: 30s
@@ -123,7 +118,7 @@ services:
       dante-network:
         aliases: 
           - dante.local
-    command: "prepare-database.sh  install-webserver-certificate.sh get-dante.sh get-parsifal.sh generate-mediawiki-private.sh  init.sh  chown.sh set-user-preferences.sh initial-xml-git.sh run-apache-no-cache.sh"
+    command: "prepare-database.sh  install-webserver-certificate.sh get-dante.sh get-parsifal.sh generate-mediawiki-private.sh  init.sh  chown.sh set-user-preferences.sh initial-xml-git.sh run-apache.sh"
 
 
 ## starts a container which has not been initialized but which does not require a copy to the development environment
@@ -142,7 +137,7 @@ services:
       dante-network:
         aliases: 
           - dante.local
-    command: "prepare-database.sh install-webserver-certificate.sh get-dante.sh get-parsifal.sh generate-mediawiki-private.sh init.sh set-user-preferences.sh initial-xml-git.sh run-apache-no-cache.sh"
+    command: "prepare-database.sh install-webserver-certificate.sh get-dante.sh get-parsifal.sh generate-mediawiki-private.sh init.sh set-user-preferences.sh initial-xml-git.sh run-apache.sh"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost"]
       interval: 30s
@@ -167,7 +162,7 @@ services:
       dante-network:
         aliases: 
           - dante.local
-    command: "prepare-database.sh install-webserver-certificate.sh get-dante.sh get-parsifal.sh generate-mediawiki-private.sh init.sh set-user-preferences.sh initial-xml-git.sh run-apache-no-cache.sh"
+    command: "prepare-database.sh install-webserver-certificate.sh get-dante.sh get-parsifal.sh generate-mediawiki-private.sh init.sh set-user-preferences.sh initial-xml-git.sh run-apache.sh"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost"]
       interval: 30s
@@ -219,7 +214,7 @@ services:
       dante-network:
         aliases: 
           - dante.local
-    command: "prepare-database.sh restore-initial-sql.sh chown.sh run-apache-no-cache.sh"
+    command: "prepare-database.sh restore-initial-sql.sh chown.sh run-apache.sh"
 
 # TODO: waiting for mysql: maybe we can put this into a health check ?!?!? in a better way than thus far ????
 

composer/generate-and-run-development.sh

@@ -28,7 +28,7 @@ build
 # TODO: research if we can also do this with -d for detached mode and make better use of the health check dependency in the yaml file
 #  docker compose -f $TOP_DIR/composer/docker-compose-development.yaml up -d
 
-upServices $TOP_DIR/composer/docker-compose-development.yaml database copy-to-host webserver-after-copy phpmyadmin
+upServices $TOP_DIR/composer/docker-compose-development.yaml  database  copy-to-host  webserver-after-copy  phpmyadmin
 
 waitForContainerRunning dante-wiki-container
 # waitForContainerHealthy dante-wiki-container

doc/DEVELOPMENT-LESSONS-LEARNED.md

@@ -61,4 +61,17 @@ rm -f /tmp/${NAME}
 
 set -e leads to an immediate abort of the script in case of an error. Also a trap is not
 taken (unless, maybe, it is on EXIT). Thus, control does not return to the calling script
-for error handling.
+for error handling.
+
+
+## APACHE CONFIGURATION
+
+The concept of the Apache configuration, especially where it comes to access to environment variables
+and conditional directives, is fundamentally brain-damaged from the side of Apache as well as of Debian.
+Sorry to say so.
+
+Here, we generate shell environment variables for use in Apache configuraiton in env-dante, which is loaded
+from envvars which is loaded by apachectl. It works. Recommend not to make it shorter or more elegant
+since this does not work as documented and is badly documented.
+
+

images/dante-wiki/src/etc/apache2/apache2.conf

@@ -0,0 +1,96 @@
+### Overrides the generic apache configuration file
+
+# The directory where shm and other runtime files will be stored. This needs to be set in /etc/apache2/envvars
+DefaultRuntimeDir ${APACHE_RUN_DIR}
+
+# PidFile: The file in which the server should record its process identification number when it starts. This needs to be set in /etc/apache2/envvars
+PidFile ${APACHE_PID_FILE}
+
+# Timeout: The number of seconds before receives and sends time out.
+Timeout 300
+
+# KeepAlive: Whether or not to allow persistent connections (more than one request per connection). Set to "Off" to deactivate.
+KeepAlive On
+
+# MaxKeepAliveRequests: The maximum number of requests to allow during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+MaxKeepAliveRequests 100
+
+# KeepAliveTimeout: Number of seconds to wait for the next request from the same client on the same connection. 10, a bit higher, for Parsifal situations
+KeepAliveTimeout 10
+
+# User name and group. These need to be set in /etc/apache2/envvars
+User ${APACHE_RUN_USER}
+Group ${APACHE_RUN_GROUP}
+
+# HostnameLookups: Log the names of clients or just their IP addresses. Off to save on DNS requests
+HostnameLookups Off
+
+# ErrorLog: The location of the error log file.
+ErrorLog ${APACHE_LOG_DIR}/general-error.log
+
+# LogLevel: Control the severity of messages logged to the error_log. Available values: trace8, ..., trace1, debug, info, notice, warn, error, crit, alert, emerg.
+LogLevel warn
+
+# Include module configuration:
+IncludeOptional mods-enabled/*.load
+IncludeOptional mods-enabled/*.conf
+
+# Include list of ports to listen on
+Include ports.conf
+
+<Directory />
+  Options FollowSymLinks
+  AllowOverride None
+  Require all denied
+</Directory>
+
+<Directory /usr/share>
+  AllowOverride None
+  Require all granted
+</Directory>
+
+<Directory /var/www/>
+  Options Indexes FollowSymLinks
+  AllowOverride None
+  Require all granted
+</Directory>
+
+
+# AccessFileName: The name of the file to look for in each directoryfor additional configuration directives.
+AccessFileName .htaccess
+
+# Prevent .htaccess and .htpasswd files from being viewed by Web clients.
+<FilesMatch "^\.ht">
+  Require all denied
+</FilesMatch>
+
+# Define log formats
+LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %O" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+
+# Info on server returned in the header.  one of:  Full | OS | Minimal | Minor | Major | Prod
+# 'Full' sends info about OS-Type and compiled in modules.   Prod sends the least for production scenarios
+ServerTokens Prod
+
+# Send minimal identification information on error pages
+ServerSignature Off
+
+# Disallow TRACE methoid
+TraceEnable Off
+
+# Forbid access to version control directories
+RedirectMatch 404 /\.git
+RedirectMatch 404 /\.svn
+
+# Prevent other sites from embedding pages from this site as frames. This defends against clickjacking attacks.
+Header set Content-Security-Policy "frame-ancestors 'self';"
+
+# Include enabled configurations
+IncludeOptional conf-enabled/*.conf
+
+# Include enabled hosts
+IncludeOptional sites-enabled/*.conf

images/dante-wiki/src/etc/apache2/conf-available/cache.conf

@@ -0,0 +1,45 @@
+
+
+# run all other modules, such as access permission and authentication and do not satify request immediately from cache.
+CacheQuickHandler off
+
+# Lock the cache to prevent race conditions
+CacheLock on
+CacheLockPath /tmp/mod_cache-lock
+CacheRoot /var/cache/apache2/mod_cache_disk
+
+# Set parameters for disk cache
+CacheDirLevels 2
+CacheDirLength 1
+
+# Set cache control for specific types of files
+CacheEnable disk
+CacheHeader on
+CacheDefaultExpire 3600
+CacheMaxExpire 86400
+CacheLastModifiedFactor 0.5
+
+# Rather not set this as it might affect page personalization (according to ChatGPT 4)
+# CacheIgnoreHeaders Set-Cookie
+
+<Location "/">
+  # Enable expirations
+  ExpiresActive On
+
+  # Default directive
+  ExpiresDefault "access plus 1 day"
+
+  # html files expire immediately since they change frequently
+  ExpiresByType text/html   "now"
+
+  # Other file types do not expire since they do not change or come with hash coding inside
+  ExpiresByType image/gif                "access plus 1 day"
+  ExpiresByType image/jpeg               "access plus 1 day"
+  ExpiresByType image/png                "access plus 1 day"
+  ExpiresByType text/css                 "access plus 1 day"
+  ExpiresByType text/javascript          "access plus 1 day"
+  ExpiresByType application/javascript   "access plus 1 day"
+  ExpiresByType application/pdf          "access plus 1 day"
+  ExpiresByType image/x-icon             "access plus 1 day"
+
+</Location>

images/dante-wiki/src/etc/apache2/conf-available/ldap-restrictions.conf

@@ -0,0 +1,23 @@
+# configuration which binds to an ldap server
+# and requires a valid user for accessing the wiki
+#
+#
+#
+
+
+# NOTE 1: AuthnProviderAlias must not be part of an <If>, however below environment variables
+# only are guaranteed to have meaningful values when USING_LDAP is true. Thus we have the If 
+# inside of AuthnProviderAlias
+
+<AuthnProviderAlias ldap ldap_provider_alias>
+    AuthLDAPURL ${AuthLDAPURL} 
+    AuthLDAPBindDN "$AuthLDAPBindDN}"
+    AuthLDAPBindPassword "${AuthLDAPBindPassword}"
+</AuthnProviderAlias>
+
+<Location /wiki-dir >
+    AuthType Basic
+    AuthBasicProvider  ldap_provider_alias
+    AuthName "${LDAP_AUTHNAME}"
+    Require valid-user
+</Location>

images/dante-wiki/src/etc/apache2/conf-available/no-cache.conf

@@ -0,0 +1,9 @@
+##
+
+ExpiresActive Off
+Header always unset Cache-Control
+Header always unset Expires
+Header always unset Pragma
+Header always unset Last-Modified
+Header always unset ETag
+Header always set X-Dante-Cache "no-cache"

images/dante-wiki/src/etc/apache2/conf-enabled/additional-user.conf → images/dante-wiki/src/etc/apache2/conf-available/user-restrictions.conf

@@ -6,11 +6,8 @@
 # Restrict access to location / only if USE_APACHE_PASSWORD is true
 # CAVE: Location is not allowed inside of an If, but If is allowed inside of Location
 <Location />
-  <If "env('APACHE_USE_PASSWORD') == 'true'">
     AuthType Digest
     AuthUserFile /etc/apache2/.htdigest
     AuthName "${APACHE_AUTH_NAME}"
-    AuthUserFile /etc/apache2/.htpasswd
     Require user ${APACHE_AUTH_USER}
-  </If>
 </Location>

images/dante-wiki/src/etc/apache2/sites-enabled/dante-mediawiki.conf → images/dante-wiki/src/etc/apache2/sites-available/dante-mediawiki.conf

@@ -170,61 +170,8 @@ Header set X-Dante-Cache "before-location"
 Header set X-Dante-Headercheck "was set"
 Header always set X-Dante-Headeralways "CustomValue"
 
-##
-## If the symbol NO_CACHE is defined on start we really force-remove cache headers. 
-## This seems necessary since it looks like PHP sets cache headers, eg for load.php URLs of mediawiki
-##
-<IfDefine NO_CACHE>
-    ExpiresActive Off
-    Header always unset Cache-Control
-    Header always unset Expires
-    Header always unset Pragma
-    Header always unset Last-Modified
-    Header always unset ETag
-    Header always set X-Dante-Cache "no-cache"
-</IfDefine>
-
-<Location "/">
-
-<IfDefine DO_CACHE>
-  # Enable expirations
-  ExpiresActive On
-
-  # Default directive
-  ExpiresDefault "access plus 1 month"
-
-  # Configure expiration for various types of files
-  ExpiresByType text/html   "access plus 1 day"
-  ExpiresByType image/gif   "access plus 1 day"
-  ExpiresByType image/jpeg  "access plus 1 day"
-  ExpiresByType image/png   "access plus 1 day"
-  ExpiresByType text/css   "access plus 1 day"
-  ExpiresByType text/javascript "access plus 1 day"
-  ExpiresByType application/javascript "access plus 1 day"
-  ExpiresByType application/pdf "access plus 1 day"
-  ExpiresByType image/x-icon "access plus 1 day"
-
-  CacheQuickHandler on
-  CacheLock on
-  CacheLockPath /tmp/mod_cache-lock
-  CacheIgnoreHeaders Set-Cookie
-
-  # Set parameters for disk cache
-  CacheRoot /var/cache/apache2/mod_cache_disk
-  CacheDirLevels 2
-  CacheDirLength 1
-
-  # Set cache control for specific types of files
-    CacheEnable disk
-    CacheHeader on
-    CacheDefaultExpire 3600
-    CacheMaxExpire 86400
-    CacheLastModifiedFactor 0.5
-
-  Header set X-Dante-Cache "cache-active"
-</IfDefine>
-
-</Location>
+
+
 
 
 
@@ -241,6 +188,10 @@ Header always set X-Dante-Headeralways "CustomValue"
 
 </VirtualHost>
 
+IncludeOptional /etc/apache2/conf-enabled/additional-cache.conf
+IncludeOptional /etc/apache2/conf-enabled/additional-no-cache.conf
+IncludeOptional /etc/apache2/conf-enabled/additional-ip.conf
+IncludeOptional /etc/apache2/conf-enabled/additional-ldap.conf
 
 SSLEngine on
 SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!ADH  
@@ -254,5 +205,3 @@ SSLCertificateKeyFile /etc/ssl/apache2/server.key
 # needed so that ldap finds the proper certificate
 # configuring here in any case, as it has no disadvantage andyhow
 SSLCaCertificateFile /etc/ssl/certs/ca-certificates.crt
-
-