These are chat archives for fiji/fiji

22nd
Jan 2019
Curtis Rueden
@ctrueden
Jan 22 13:54
@turekg What was the appropriate term to promote science software engineers that you introduced during the I2K DevDay? "Scientific software developer"? "Scientific software engineer"?
Josh Moore
@joshmoore
Jan 22 14:02
Research Software Engineer
turekg
@turekg
Jan 22 14:10
Yes, it’s RSE. That’s the official title that was chosen in order to organize. I know some people use “developer” instead in their job titles. I think it’s a matter of gradation. “Engineer” is more general, it implies you do more than development, which most people assume is mostly programming. But you can get in some serious religious wars, lol. It’s as bad as discussing music subgenres
Curtis Rueden
@ctrueden
Jan 22 14:13
Thanks.
@turekg Naming, amirite? Let's define an ontology! We can probably have it all sorted out in a couple of hours on a whiteboard. :dash:
joshmoore @joshmoore fails to find a good “rolls eyes” emoji ;)
John Bogovic
@bogovicj
Jan 22 14:20
:eyes: :arrow_heading_down: ?
turekg
@turekg
Jan 22 14:31
@ctrueden took a look at the server config repo you made available to us. There is nothing specific in there about your WebDAV config; however, there is extensive doco on “Fail2Ban” which is being used to filter authentication for various services. Maybe that too is playing some role in problems some people are having. It is a beast, so I don’t think I want to go there unless we see the need for it. We will run some tests with our webdav setup first. What I would be interested in is the actual webdav snippet from the apache site config file, if that is available.
Curtis Rueden
@ctrueden
Jan 22 14:33

@joshmoore https://pypi.org/project/em-keyboard-py3/

$ em -s eyeroll
🙄  rolling_eyes

:-D

@turekg Yeah, I warned you it wouldn't be detailed enough. ;-)
Josh Moore
@joshmoore
Jan 22 14:34
Thanks! 🙄
;)
John Bogovic
@bogovicj
Jan 22 14:35
:clap:
Curtis Rueden
@ctrueden
Jan 22 14:35
@joshmoore Clearly a project bringing monumental value to our daily lives :laughing:
@turekg You may be right about Fail2Ban, or iptables in general, causing problems.
@turekg
SetEnvIf User-Agent "^(?!.* ImageJ )(?!Java/)" MustNotUpload

# update sites
<Location />
  DAV on

  AuthType Basic
  AuthUserFile /var/www/vhosts/sites.imagej.net/dav/login.db

  <Limit PUT LOCK MKCOL UNLOCK MOVE POST DELETE>
    Deny from env=MustNotUpload
  </Limit>

  Options +Indexes
</Location>

And also:

<Directory /var/www/vhosts/sites.imagej.net/httpdocs>
  AuthName "ImageJ update sites"
  # requires Apache 2.2.22 or better: AllowOverrideList Require AuthName
  AllowOverride AuthConfig
</Directory>

So that .htaccess files can control each update site of sites.imagej.net separately.

Curtis Rueden
@ctrueden
Jan 22 14:43
As for whether to run Fail2Ban: I would heartily recommend it; it blocks a whole lot of script kiddies from hammering our Apache. Most of the exploits I see people scanning for are PHP-based, so regarding the WebDAV/update site config, it is probably not super important. But if you ever mirror the ImageJ wiki, it could matter, since MediaWiki is in PHP.
turekg
@turekg
Jan 22 14:43
Ah, I wonder if MustNotUpload refers to something set by Fail2Ban. It blacklists according to certain patterns, so I would think it would be possible to run afoul of it in certain cases.
Curtis Rueden
@ctrueden
Jan 22 14:43
No, it is set by the SetEnvIf, when the User-Agent does not match.
turekg
@turekg
Jan 22 14:45
OK. The settings for imagej and fiji update sites must be more restrictive?
I don’t see a use case for mirroring the wiki right now
Curtis Rueden
@ctrueden
Jan 22 14:48
Fail2Ban also blocks people repeatedly trying to log in to the WebDAV. This sometimes blocks legitimate access where people try 20 times with wrong username or password, though.

The update.fiji.sc WebDAV stanza is similar:

<Location />
  DAV on
  AuthType Basic
  AuthName "Fiji update site"
  AuthUserFile /var/www/vhosts/update.fiji.sc/auth/dav.db

  Options +Indexes
  <LimitExcept HEAD GET OPTIONS>
    Require valid-user
  </LimitExcept>
</Location>

update.imagej.net does not currently have DAV enabled; historically SSH was used for that one, and currently uploading to that site is disabled due to the Java6-to-Java8 migration.

turekg
@turekg
Jan 22 14:50
That would be a serious case of PEBKAC
Curtis Rueden
@ctrueden
Jan 22 14:51
Haha, I'm pretty sure both Florian and Deborah have been blocked in that fashion in the past. :-D
There are gotchas, like "username must start with a capital letter", that trip people up.
The other big one is "your wiki password is not your upload/WebDAV password"