www-infrastructure-dev mailing list archives

From Paul Querna <p...@querna.org>
Subject Asylum v2
Date Fri, 23 Jul 2010 06:35:10 GMT
Goal: Enable 'random' committers and members to more easily create
authenticated web applications for use by other members and
committers.

Recently we have had a few requests from ASF members to have an easy
way to expose a web application for others -- the whole web based
voting experience seems to have created some yearning for more
infrastructure features.

The Setup

Running inside a jail is the Asylum webserver, just a standard Apache
2.2 configured as a reverse proxy.  It would require authentication
against LDAP for /; any committer could access that base path.
/members/ would require the user to be part of the members group.

The frontend webserver would reverse proxy to web applications running
on localhost.  It would pass through several X- headers to let
applications customize themselves:
  X-ASF-Username: pquerna
  X-Forwarded-For: 1.2.3.4

Any HTTP authorization headers however will be stripped, so that the
backend web applications have no access to user passwords.

Any committer wanting to run a webapp would open an INFRA Jira issue,
with an application name, and whether it was for all committers or
members only.  Infra would create a non-root, no-sudo account on
the asylum for them.  They would be assigned a TCP port on localhost
to run their web application, and their application with a one-line
description would be added to the index.html page.

The footer of all HTML pages from a user's webapp would be appended
with <h1>This webapp is maintained by username@apache.org</h1>.  This
would be done via an Apache Module.  If the user's webapp was not
responding, the 5xx error page would also reference their
username, rather than infrastructure for support questions.

Infrastructure team will only provide support for the frontend proxy
server, individual webapps are supported by whomever requested them.

If an application proves to be popular, and there is agreement to
'productionize it', it must be properly documented so infrastructure
can run it somewhere else -- but let's just get this running first.

Resources needed:
 - Jail to get started
 - Access to LDAP
 - existing ssl cert

Thoughts?

Thanks,

Paul
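
Added example, not part of the original message and not ASF infrastructure code: a Python model of the header rewrite the proposed frontend would apply before proxying to a localhost backend. The function name, the discarding of client-supplied X-ASF-* headers, the appending to an existing X-Forwarded-For, and the sample request are assumptions made for illustration.

```python
# Added illustration of the proposal's header handling (hypothetical names).
STRIPPED = {"authorization", "proxy-authorization"}  # credentials stay at the proxy
IDENTITY_PREFIX = "x-asf-"                           # only the proxy may set these

def rewrite_headers(client_headers, authenticated_user, peer_ip):
    """Return the (name, value) list to forward to the backend webapp.

    client_headers     -- headers as received from the browser
    authenticated_user -- uid the frontend verified against LDAP
    peer_ip            -- address of the connecting client
    """
    if not authenticated_user:
        raise PermissionError("no LDAP identity; request must not be proxied")
    if any(c in authenticated_user for c in "\r\n"):
        raise ValueError("identity contains CR/LF; refusing to build header")

    forwarded, out = [], []
    for name, value in client_headers:
        lname = name.lower()
        if lname in STRIPPED:
            continue  # backend never sees the user's password
        if lname.startswith(IDENTITY_PREFIX):
            continue  # drop any identity header the client supplied itself
        if lname == "x-forwarded-for":
            forwarded.append(value.strip())  # keep the chain, re-emit below
            continue
        out.append((name, value))

    forwarded.append(peer_ip)
    out.append(("X-Forwarded-For", ", ".join(forwarded)))
    out.append(("X-ASF-Username", authenticated_user))
    return out

# Constructed sample request: carries credentials and a forged identity header.
SAMPLE = [
    ("Host", "asylum.example.invalid"),
    ("authorization", "Basic Y29uc3RydWN0ZWQ="),
    ("X-ASF-Username", "someone-else"),
    ("X-Forwarded-For", "10.9.8.7"),
    ("Accept", "text/html"),
]

if __name__ == "__main__":
    for name, value in rewrite_headers(SAMPLE, "pquerna", "1.2.3.4"):
        print(f"{name}: {value}")
```

A backend that customizes itself from X-ASF-Username is relying on the frontend being the only thing that can reach its localhost port.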
