[rt-users] Trouble/Error with Web deployment httpd/apache/mod_fcgid

dwdixon dwdixon at umich.edu
Mon Dec 7 16:41:29 EST 2015


Bill Cole-8 wrote
> That's.... odd. The RT configure script should have figured out a better 
> ownership/permissions model and generated a Makefile that did the right 
> thing for you. There is some stuff in RT that's 640 or 750, but if 
> fixperms did the wrong thing it was because configure couldn't determine 
> the right owner and/or group, not because the apache user wasn't in the 
> right group.
> 
> 
> REPLY:
> I flubbed up from the beginning and just discovered what my first mistake
> was (fixable mistake but very annoying)...when I ran ./configure I should
> have passed it as such being that I'm installing on RHEL/CentOS...anyone
> installing on RHEL/CentOS take note this could save you a lot of time if
> you configure this way from the get go I believe:
> ./configure --with-web-user=apache --with-web-group=apache
> 
> Since the default on RHEL/CentOS is to use the apache:apache user and
> group and not www/www-data/nobody as far as I know and with other
> distributions.
> 
> *******************************************************************************
> 
> That's slightly odd: I'd expect that to get you the default (httpd.conf) 
> document root.
> 
> I STRONGLY recommend a long read of the Apache docs. Particularly:
> 
> https://httpd.apache.org/docs/2.4/dns-caveats.html
> https://httpd.apache.org/docs/2.4/vhosts/details.html
> https://httpd.apache.org/docs/2.4/vhosts/name-based.html
> 
> 
> REPLY:
> 
> Duly noted...The first link helped me immensely! Thank you!  I changed my
> VirtualHost to use my server's IP address rather than the FQDN 
> <VirtualHost 192.168.1.100:80>
>  ............ instead of........  
> <VirtualHost rt-ir-sandbox.xxx.xxx.xxx.edu:80>
> That seemed to do the trick and stop the majority of the strangeness I was
> experiencing.  The rest was permissions issues due to my first mistake
> above from what I can tell.
> 
> After I installed & enabled the RT-IR addon for RT I had to fix the
> permissions here also due to my first mistake as well:
> 
> From /opt/rt4/var/mason_data/  .....  chown -R apache:apache *
> 
> This got RT-IR working.
> 
> ***********************************************************************
> 
> That sounds like it could be an iptables issue, except that I'd expect 
> an error complaining about the connection.
> 
> Apache's logs should be helpful if you're getting a connection and 
> making a request but then not getting anything back.
> 
> REPLY:
> 
> Again you're on point sir.  I suspected this may be iptables as well but
> was slightly caught off guard as my default policy for the INPUT & FORWARD
> chains were ACCEPT...I did not notice the default DENY rule at the bottom
> of the INPUT chain that FILTERS traffic that doesn't match rules above
> it....I re-hashed my iptables rulebase with default DENY for INPUT &
> FORWARD and provisioned proper rules above to allow operations of
> RT/RT-IR.
> 
> 
> ***********************************************************************
> 
> 
> Seems reasonable, but I'd suggest 3 things:
> 
> 1. Set( $DatabaseHost, '' );
>     This causes RT to connect over the mysql local socket rather than 
> TCP to localhost:3306, which means slightly better performance and one 
> more network listener you can kill (unless you need that mysqld for 
> other things that aren't local or are too dumb to use sockets)
> 
> 2. Remove any mention of WebBaseURL. Unless you have RT behind a proxy 
> or have Apache doing HTTPS on a port other than 443, the code in 
> RT_Config.pm will build the correct value for you.
> 
> 3. Set( $WebPort, '443' );
>     Yes, that also means you will need to set up HTTPS in Apache. 
> However, if your RT is serving anything other than you on the same host 
> (don't laugh, I've seen that) you're going to want it only ever using 
> TLS. Even more true if you have it on a campus network of a major public 
> university known to operate intensive network sniffing and scanning 
> projects as research.
> 
> 
> REPLY:
> 
> Great stuff.  I def. implemented item #1 here as this is a better way to
> go for my sandbox and for my dev RT/RT-IR servers.
> 
> Item #2 I also went ahead and did as recommended as that makes sense.
> 
> Item #3  That is the plan once I get to the part where I am building my
> production server...I will be setting up apache to use our SSO
> implementation here that requires SSL/TLS at our super scanning major
> university (I've nothing to do with that research other than dealing with
> some of its fallout on occasion so trust me I totally understand what you
> mean.)
> 
> From what I've read thus far setting up https/TLS may be a challenge with
> RT/RT-IR especially with getting rt-mailgate/e-mail ticket creation
> working which is in scope for us so these two things will be my next
> challenge....and I'm sure you'll see posts from me here about in the very
> near future : )
> 
> On that note....this is the best resource I've found on setting up
> rt-mailgate/e-mail ticketing...is there something better out there or an
> example config/tutorial I do not know about yet?
> 
> http://requesttracker.wikia.com/wiki/ManualEmailConfig
> 
> Thank you very much for all your help!!!
> 
> -Drew





--
View this message in context: http://requesttracker.8502.n7.nabble.com/Trouble-Error-with-Web-deployment-CentOS-httpd-mod-fcgid-tp60979p61071.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
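
Added example, not part of the original message: the iptables situation described in the thread (chain policy ACCEPT, but an unconditional REJECT rule at the bottom of INPUT) can be checked from `iptables-save` output. The sample ruleset is constructed for illustration, and the function names `effective_defaults` and `allows_tcp_port` are hypothetical helpers, not part of RT or iptables.

```python
import re

# Constructed sample in iptables-save format (not taken from the thread):
# policies are ACCEPT, yet the last INPUT rule rejects all unmatched packets.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Target options that do not narrow which packets a rule matches.
NON_MATCH_OPTS = re.compile(r"^(--reject-with \S+\s*)*$")

def effective_defaults(ruleset, table="filter"):
    """Map each built-in chain to (policy, actual fate of unmatched packets)."""
    policies, catch_all, current = {}, {}, None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
        elif current != table:
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            if policy != "-":          # "-" marks a user-defined chain
                policies[chain] = policy
        elif line.startswith("-A "):
            m = re.match(r"-A (\S+) -j (\S+)\s*(.*)$", line)
            # An unconditional terminal rule overrides the chain policy.
            if m and m.group(2) in TERMINAL and NON_MATCH_OPTS.match(m.group(3)):
                catch_all.setdefault(m.group(1), m.group(2))
    return {c: (p, catch_all.get(c, p)) for c, p in policies.items()}

def allows_tcp_port(ruleset, port, chain="INPUT"):
    """True if a rule accepts TCP to `port` (simplified: single --dport only)."""
    pat = re.compile(rf"-A {chain} .*-p tcp .*--dport {port}\b.*-j ACCEPT")
    return any(pat.search(l) for l in ruleset.splitlines())

if __name__ == "__main__":
    print(effective_defaults(SAMPLE_RULES), allows_tcp_port(SAMPLE_RULES, 443))
```

On a live host the input would be the output of `iptables-save`; a chain whose second value differs from its policy is one where `iptables -L` headers alone are misleading.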


