Revision: 862
http://svn.savannah.gnu.org/viewvc/?view=rev&root=administration&revision=862
Author: ineiev
Date: 2026-03-18 08:26:17 -0400 (Wed, 18 Mar 2026)
Log Message:
-----------
partially update on Apache-to-nginx migration
Modified Paths:
--------------
trunk/sviki/FrontEndDevelopmentSite.mdwn
trunk/sviki/FrontEndHostRedirection.mdwn
trunk/sviki/FrontEndSetup.mdwn
trunk/sviki/HomePage.mdwn
trunk/sviki/HomepageAvailabilityOfPhpAndMysql.mdwn
trunk/sviki/HomepageUpload.mdwn
trunk/sviki/HowToAdminThisWiki.mdwn
trunk/sviki/MailSystem.mdwn
trunk/sviki/SavannahHosts.mdwn
trunk/sviki/SavannahServices.mdwn
trunk/sviki/Stats.mdwn
trunk/sviki/https.mdwn
Modified: trunk/sviki/FrontEndDevelopmentSite.mdwn
===================================================================
--- trunk/sviki/FrontEndDevelopmentSite.mdwn 2026-01-12 19:53:02 UTC (rev
861)
+++ trunk/sviki/FrontEndDevelopmentSite.mdwn 2026-03-18 12:26:17 UTC (rev
862)
@@ -1,6 +1,11 @@
FrontEnd Development Sites
==========================
+*This page is obsolete. First, since 2025-12, frontend uses nginx rather than
+Apache; second, Savane is quite easy to [[setup locally|RunndingSavaneLocally]]
+if anyone wants to work on it; then, the idea about giving per-user development
+sites has never been really implemented.*
+
With the new servers we aim to provide development copies of the frontend's PHP
code, enabling savannah admins/volunteers to develop features and fix bugs more
quickly.
Modified: trunk/sviki/FrontEndHostRedirection.mdwn
===================================================================
--- trunk/sviki/FrontEndHostRedirection.mdwn 2026-01-12 19:53:02 UTC (rev
861)
+++ trunk/sviki/FrontEndHostRedirection.mdwn 2026-03-18 12:26:17 UTC (rev
862)
@@ -1,5 +1,4 @@
-FrontEnd GNU/NONGNU host redirection
-====================================
+# FrontEnd GNU/NONGNU host redirection
Savannah handles three types of hosts redirection:
@@ -12,11 +11,10 @@
`file.savannah.gnu.org/submission-uploads/`) and non-file requests
from `file.savannah.*.org` to the original domain.
-Shortcut URL redirection
-------------------------
+## Shortcut URL redirection
Shortcurt URL redirection (.e.g `*.sv.gnu.org` => `*.savannah.gnu.org`)
-is handled entirely in the Apache configuration.
+is handled entirely in the web server configuration.
This would've been simple, if it were't for two complications:
@@ -34,102 +32,10 @@
while still requiring that <https://sv.gnu.org/p/coreutils>
redirects to the full <https://savannah.gnu.org/p/coreutils>.
-The [[FrontEndDevelopmentSite]] currently uses the following method:
+FIXME: Document the nginx setup for the production website.
- <VirtualHost *:80>
- ServerName jsmith.frontend0.savannah.gnu.org
- ServerAlias jsmith.frontend0.savannah.nongnu.org
- ServerAlias jsmith.frontend0.sv.gnu.org
- ServerAlias jsmith.frontend0.sv.nongnu.org
+## GNU/NONGNU redirection
- <If "%{HTTP_HOST} == 'jsmith.frontend0.savannah.gnu.org' &&
%{REQUEST_URI} !~ /\.well-known/" >
- RedirectMatch "(.*)" https://jsmith.frontend0.savannah.gnu.org$1
- </If>
- <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.savannah.gnu.org' &&
%{REQUEST_URI} !~ /\.well-known/" >
- RedirectMatch "(.*)" https://jsmith.frontend0.savannah.nongnu.org$1
- </ElseIf>
- <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.sv.gnu.org' &&
%{REQUEST_URI} !~ /\.well-known/" >
- RedirectMatch "(.*)" https://jsmith.frontend0.savannah.gnu.org$1
- </ElseIf>
- <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.sv.nongnu.org' &&
%{REQUEST_URI} !~ /\.well-known/" >
- RedirectMatch "(.*)" https://jsmith.frontend0.savannah.nongnu.org$1
- </ElseIf>
- Include sites-available/certbot-wellknown.inc
- </VirtualHost>
-
-
- <VirtualHost *:443>
- ServerAlias jsmith.frontend0.sv.gnu.org
- ServerAlias jsmith.frontend0.sv.nongnu.org
- ServerName jsmith.frontend0.savannah.gnu.org
- ServerAlias jsmith.frontend0.savannah.nongnu.org
-
- <If "%{HTTP_HOST} == 'jsmith.frontend0.savannah.gnu.org'">
- SetEnv SAVANE_CONF /home/jsmith/savannah/etc/savane/
- </If>
- <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.savannah.nongnu.org'">
- SetEnv SAVANE_CONF /home/jsmith/savannah/etc/savane/nongnu-conf/
- </ElseIf>
- # If the '.sv.gnu.org' shortcut is used, redirect to the full
- # '.savannah.gnu.org' URL.
- <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.sv.gnu.org'">
- RedirectMatch "(.*)" https://jsmith.frontend0.savannah.gnu.org$1
- </ElseIf>
- <ElseIf "%{HTTP_HOST} == 'jsmith.frontend0.sv.nongnu.org'">
- RedirectMatch "(.*)" https://jsmith.frontend0.savannah.nongnu.org$1
- </ElseIf>
- [...]
- </VirtualHost>
-
-Note that certbot's configuration uses `Alias`, which has lower precedence
-in Apache than `RedirectMatch` - requiring some fiddling with the conditions.
-
-FIXME: If there's a better configuration, please write to
[email protected] .
-
-FIXME: Document the Apache setup for the production website, which use:
-
- sites-enabled/000-vhosts-gnu.org.conf -> ../sites-available/vhosts-gnu.org
- sites-enabled/vhosts-nongnu.org.conf ->
../sites-available/vhosts-nongnu.org
-
- # in sites-available/vhosts-gnu.org:
- <VirtualHost *:80>
- Include sites-available/sv.gnu.inc
- </VirtualHost>
- <VirtualHost *:443>
- Include sites-available/sv.gnu.inc
- </VirtualHost>
- <VirtualHost *:443>
- ServerName frontend0.savannah.gnu.org
- Include sites-available/sv.inc
- </VirtualHost>
-
- # in sites-available/vhosts-nongnu.org:
- <VirtualHost *:80>
- Include sites-available/sv.nongnu.inc
- </VirtualHost>
- <VirtualHost *:443>
- Include sites-available/sv.nongnu.inc
- </VirtualHost>
- <VirtualHost *:443>
- ServerName frontend0.savannah.nongnu.org
- SetEnv SV_LOCAL_INC_PREFIX /etc/savane/nongnu-conf
- Include sites-available/sv.inc
- </VirtualHost>
-
- # in sites-available/sv.gnu.inc:
- ServerName savannah.gnu.org
- Include sites-available/sv.inc
-
- # in sites-available/sv.nongnu.org:
- ServerName savannah.nongnu.org
- SetEnv SV_LOCAL_INC_PREFIX /etc/savane/nongnu-conf
- Include sites-available/sv.inc
-
-
-GNU/NONGNU redirection
-----------------------
-
gnu/nongnu redirection is handled entirely in the PHP code, based on
whether the viewed group belongs in GNU or not (sometimes referred
to as 'brother' site in the code/config files).
@@ -138,12 +44,10 @@
they are redirected to <https://savannah.gnu.org/projects/coreutils>
because coreutils is an official GNU package.
-
### Enabling/Disabling redirection
-In `.savane.conf.php`, setting the boolean variable
-`$sys_debug_nobasehost` to `true` disables redirection completely -
-useful for [[FrontEndDevelopmentSite]].
+In `/etc/savane/savane.conf.php`, setting the boolean variable
+`$sys_debug_nobasehost` to `true` disables redirection completely.
### Group-based redirection
@@ -166,35 +70,6 @@
+---------+------------------------------------+---------------------+
5 rows in set (0.00 sec)
-Meaning: if redirection is enabled on a development site, these values
-will cause redirection to the real website.
-
-To test redirection on a [[FrontEndDevelopmentSite]], do the following
-(*on a development database copy, never on the real database `savane`*):
-
- mysql> update group_type set base_host =
"jsmith.frontend0.savannah.gnu.org" where type_id in (1,3,6);
- Query OK, 3 rows affected (0.00 sec)
- Rows matched: 3 Changed: 3 Warnings: 0
-
- mysql> update group_type set base_host =
"jsmith.frontend0.savannah.nongnu.org" where type_id in (2,4);
- Query OK, 2 rows affected (0.00 sec)
- Rows matched: 2 Changed: 2 Warnings: 0
-
- mysql> select type_id, name, base_host from group_type ;
-
+---------+------------------------------------+--------------------------------------+
- | type_id | name | base_host
|
-
+---------+------------------------------------+--------------------------------------+
- | 1 | Official GNU software |
jsmith.frontend0.savannah.gnu.org |
- | 2 | non-GNU software and documentation |
jsmith.frontend0.savannah.nongnu.org |
- | 3 | www.gnu.org portions |
jsmith.frontend0.savannah.gnu.org |
- | 4 | GUG |
jsmith.frontend0.savannah.nongnu.org |
- | 6 | www.gnu.org translation teams |
jsmith.frontend0.savannah.gnu.org |
-
+---------+------------------------------------+--------------------------------------+
- 5 rows in set (0.00 sec)
-
-Then set `$sys_debug_nobasehost=false;` the development `.savane.conf.php`
file.
-
-
### PHP Code
The variable `$sys_debug_nobasehost` is mentioned in the following files:
@@ -217,8 +92,7 @@
}
-Auto-login to 'brother' site
-----------------------------
+## Auto-login to 'brother' site
When a user visits the login page on
<https://savannah.gnu.org/account/login.php>, there's is a check-box
@@ -225,7 +99,7 @@
at the bottom of the page asking for "Login also in
savannah.nongnu.org".
-This is called a "brother" site in the code and config files.
+This is called a 'brother' site in the code and config files.
It is implemented using several HTTP redirects from
one site to the other (e.g from the default 'savannah.gnu.org'
to 'savannah.nongnu.org') sending hashed session IDs back and
@@ -233,43 +107,25 @@
physical server and share PHP session cookies).
-In `/etc/savane/.savane.conf.php` there are these two variables:
+In `/etc/savane/savane.conf.php` there are these two variables:
$sys_default_domain="savannah.gnu.org";
$sys_brother_domain="savannah.nongnu.org";
- $sys_incdir="/etc/savane/content/gnu-content";
-In the correspnding `/etc/savane/nongnu-conf/.savane.conf.php` the
+In the correspnding `/etc/savane/nongnu-conf/savane.conf.php` the
default/brother hosts are swapped:
$sys_default_domain="frontend0.savannah.nongnu.org";
$sys_https_host="$sys_default_domain";
$sys_brother_domain="frontend0.savannah.gnu.org";
- $sys_incdir="/etc/savane/content/nongnu-content";
+The nginx configuration must be set appropriately for each domain.
-If using a development site [[FrontEndDevelopmentSite]],
-use the following in `/home/jsmith/savannah/etc/savane/.savane.conf.php`:
-
- $sys_default_domain="jsmith.frontend0.savannah.gnu.org";
- $sys_brother_domain="jsmith.frontend0.savannah.nongnu.org";
- $sys_incdir="/home/jsmith/savannah/etc/savane/content/gnu-content";
-
-and in `/home/jsmith/savannah/etc/savane/nongnu-conf/.savane.conf.php`:
-
- $sys_default_domain="jsmith.frontend0.savannah.nongnu.org";
- $sys_https_host="$sys_default_domain";
- $sys_brother_domain="jsmith.frontend0.savannah.gnu.org";
- $sys_incdir="/home/jsmith/savannah/etc/savane/content/nongnu-content";
-
-The Apache configuration must be set appropriately for each domain.
-See `SAVANE_CONF` settings above.
-
*NOTE*:
If the "login to [brother] set" checkbox is set,
Savannah will do the redirection even if the variable is set
(`$sys_debug_nobasehost=true`).
-If you forget to update the settings in `nongnu-conf/.savane.conf.php`,
+If you forget to update the settings in `nongnu-conf/savane.conf.php`,
you might get redirected to the real website (e.g. `savannah.nongnu.org`),
which will not only confuse things, but will also cause troubles
with cookie authentication (you'll see an error message saying
@@ -288,26 +144,9 @@
that `$from_brother=1`, and will set the cookie/session for this domain
as well, then redirect back to `savannah.gnu.org/`.
-File redirection
-----------------
+## File redirection
Since July 2020, Savannah serves user-supplied files from a separate
-domain for security reasons. Old URLs are redirected to that domain,
-non-file requests are redirected to the main domain.
-
- ServerAlias file.savannah.gnu.org
-
- <If "%{HTTP_HOST} == 'savannah.gnu.org'">
- RedirectPermanent /submissions_uploads/ \
- https://file.savannah.gnu.org/submissions_uploads/
- RedirectPermanent /file https://file.savannah.gnu.org/file
- </If>
- <If "%{REQUEST_URI} =~ m#^/((submissions_uploads/)|(file((/.*)?)$))#">
- # Empty section: the server will redirect when %{REQUEST_URI}
- # does _not_ match the above regular expression.
- </If>
- <ElseIf "%{HTTP_HOST} == 'file.savannah.gnu.org'">
- RedirectPermanent / https://savannah.gnu.org/
- </ElseIf>
-
-Likewise, for savanah.nongnu.org.
+domain (file.savannah.{non,}gnu.org) for security reasons. Old URLs
+are redirected to that domain, non-file requests are redirected
+to the main domain (savannah.{non,}gnu.org).
Modified: trunk/sviki/FrontEndSetup.mdwn
===================================================================
--- trunk/sviki/FrontEndSetup.mdwn 2026-01-12 19:53:02 UTC (rev 861)
+++ trunk/sviki/FrontEndSetup.mdwn 2026-03-18 12:26:17 UTC (rev 862)
@@ -34,6 +34,8 @@
## Apache/PHP configuration file location
+*This section os obsolete. Since late 2025-12, frontend uses nginx.*
+
`init.php` accepts a fallback variable `SV_LOCAL_INC_PREFIX`, which
is referenced in sites-available/vhosts-nongnu.inc:
`SetEnv SV_LOCAL_INC_PREFIX /etc/savane/nongnu-conf`.
Modified: trunk/sviki/HomePage.mdwn
===================================================================
--- trunk/sviki/HomePage.mdwn 2026-01-12 19:53:02 UTC (rev 861)
+++ trunk/sviki/HomePage.mdwn 2026-03-18 12:26:17 UTC (rev 862)
@@ -21,8 +21,8 @@
"there's also the fact that CVS doesn't handle symlinks") - use
.symlinks instead. Add a file named .symlinks in each directory where
you want to make symbolic links. Each line of the file lists a real
-file name followed by the name of the symbolic link. The symbolic
-links are built every hour.
+file name, a directory or an external URL followed by the name
+of the symbolic link. The symbolic links are built twice an hour.
## .htaccess
Modified: trunk/sviki/HomepageAvailabilityOfPhpAndMysql.mdwn
===================================================================
--- trunk/sviki/HomepageAvailabilityOfPhpAndMysql.mdwn 2026-01-12 19:53:02 UTC
(rev 861)
+++ trunk/sviki/HomepageAvailabilityOfPhpAndMysql.mdwn 2026-03-18 12:26:17 UTC
(rev 862)
@@ -1,11 +1,14 @@
-Neither PHP nor MySQL are available for projects' web pages on Savannah.
+# Tools for Savannah group web pages
+
+See also: [[HomePage]].
+
+Neither PHP nor MySQL are available for group web pages on Savannah.
We could offer this facility if anyone is ready to volunteer to maintain
this for Savannah and gnu.org in the long run. Installing it is not a
big deal; however, making sure it actually works as expected day after
day requires lot of attention (and perpetual worry).
-The same goes for Perl, Python, or any other CGI. Apache SSI is
-available.
+The same goes for Perl, Python, or any other CGI. SSI is available.
An excerpt from a mail exchange with (past FSF sysadmin) James Blair:
@@ -19,8 +22,7 @@
at the moment, and I'm not sure we should be adding any more
work for them.
-Comments
---------
+## Comments
**sandboxing and virtualization** --foo, Thu, 23 Sep 2010 23:38:19 +0000
Modified: trunk/sviki/HomepageUpload.mdwn
===================================================================
--- trunk/sviki/HomepageUpload.mdwn 2026-01-12 19:53:02 UTC (rev 861)
+++ trunk/sviki/HomepageUpload.mdwn 2026-03-18 12:26:17 UTC (rev 862)
@@ -65,15 +65,19 @@
A successful call should result in an empty HTTP-200, e.g.:
- # curl -D /dev/stderr http://www.gnu.org/new-savannah-project/new.py -s -F
type=non-gnu -F project=pretest 2>&1
+ # curl -D /dev/stderr http://www.gnu.org/new-savannah-project/new.py \
+ -s -F type=non-gnu -F project=pretest 2>&1
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
- Date: Thu, 01 Dec 2016 04:29:15 GMT
- Server: Apache/2.4.7
+ Date: Wed, 18 Mar 2026 12:08:26 GMT
+ Server: Apache
+ Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+ X-Frame-Options: sameorigin
+ X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: (null)
Cache-Control: max-age=0
- Expires: Thu, 01 Dec 2016 04:29:15 GMT
+ Expires: Wed, 18 Mar 2026 12:08:26 GMT
Content-Length: 0
Content-Type: text/html
Content-Language: en
Modified: trunk/sviki/HowToAdminThisWiki.mdwn
===================================================================
--- trunk/sviki/HowToAdminThisWiki.mdwn 2026-01-12 19:53:02 UTC (rev 861)
+++ trunk/sviki/HowToAdminThisWiki.mdwn 2026-03-18 12:26:17 UTC (rev 862)
@@ -300,6 +300,9 @@
### Apache configuration
+*This section is outdated. Since late 2025-12, sviki uses nginx rather than
+Apache.*
+
If you have an apache server running locally, the following configuration
mimics the GNU Savannah settings:
Modified: trunk/sviki/MailSystem.mdwn
===================================================================
--- trunk/sviki/MailSystem.mdwn 2026-01-12 19:53:02 UTC (rev 861)
+++ trunk/sviki/MailSystem.mdwn 2026-03-18 12:26:17 UTC (rev 862)
@@ -85,11 +85,11 @@
(postfix on those systems) and then out to eggs.gnu.org, then to
lists.gnu.org and out to the mailing list for delivery.
-If there is an error in sending, PHP and Apache combination should
-log an error to the frontend1:/var/log/apache2/error.log file.
+If there is an error in sending, PHP and nginx combination should
+log an error to the frontend2:/var/log/nginx/error.log file.
All of the mail status should be logged to
-`frontend1:/var/log/mail.*`. When a message is sent, you should see
+`frontend2:/var/log/mail.*`. When a message is sent, you should see
the transaction logged there.
Logs are rotated. If you are looking back into the past you will need
Modified: trunk/sviki/SavannahHosts.mdwn
===================================================================
--- trunk/sviki/SavannahHosts.mdwn 2026-01-12 19:53:02 UTC (rev 861)
+++ trunk/sviki/SavannahHosts.mdwn 2026-03-18 12:26:17 UTC (rev 862)
@@ -627,7 +627,7 @@
to enable safer troubleshooting of database issues
(see `internal0:/root/agn/create-savane-readonly-user.sh` for full details)
- GRANT SELECT, SHOW VIEW ON savane.* TO [email protected]
IDENTIFIED BY '******';
+ GRANT SELECT, SHOW VIEW ON savane.\* TO
[email protected] IDENTIFIED BY '******';
To remove and discard an access revoke it.
@@ -652,8 +652,11 @@
/root/ChangeLog : -u : [email protected]
/root/.ssh/authorized_keys : -u : [email protected]
-## Host frontend1
+## Host frontend
+*This section is outdated. Since 2025-12, frontend uses nginx rather than
+Apache.*
+
The IPv4 address for frontend1 is 209.51.188.72. It does not
currently have an IPv6 address. This is needed to provide universal
access to Savannah and is yet to be allocated. It also needs a
@@ -683,7 +686,7 @@
database = savane
chmod go-rw /root/.my.cnf
-Install Apache and PHP7. As a future direction I (Bob Proulx) would
+Install Apache and PHP. As a future direction I (Bob Proulx) would
much prefer this to be Nginx and FPM.
apt-get install apache2 apache2-mpm-prefork
Modified: trunk/sviki/SavannahServices.mdwn
===================================================================
--- trunk/sviki/SavannahServices.mdwn 2026-01-12 19:53:02 UTC (rev 861)
+++ trunk/sviki/SavannahServices.mdwn 2026-03-18 12:26:17 UTC (rev 862)
@@ -33,7 +33,7 @@
- Main page: <https://savannah.gnu.org> and <https://savannah.nongnu.org>.
-- Apache local setup in `/etc/apache2/sites-available/` is under Git.
+- nginx local setup in `/etc/apache2/sites-available/` is under Git.
- PHP code runs defined in `frontend2:/etc/apache2/sites-available/sv.inc`,
stored in `frontend2:/var/www/savane/frontend/php/`.
Modified: trunk/sviki/Stats.mdwn
===================================================================
--- trunk/sviki/Stats.mdwn 2026-01-12 19:53:02 UTC (rev 861)
+++ trunk/sviki/Stats.mdwn 2026-03-18 12:26:17 UTC (rev 862)
@@ -1,5 +1,4 @@
-Admin stats
------------
+## Admin stats
A word of warning: try not to compare VCSs using the stats provided
here: first, they are partial (only HTTP), and second, each VCS has its
@@ -53,13 +52,8 @@
Average number of concurrent users, frequency of commits, frequency
all users exit, etc.?". It would be good to be able answer such
questions.
-- Apache:
- <http://savannah.gnu.org/server-status/>
-- PHP XCache:
- <http://savannah.gnu.org/xcache/>
-User stats
-----------
+## User stats
We have about no stats. It would be good to fix that eventually.
@@ -75,6 +69,6 @@
> descriptors is likely to break). Now that we have mirrors this may
> not be much relevant anyway.
-#### subtopics:
+### subtopics:
- [[SqlQueries]]
Modified: trunk/sviki/https.mdwn
===================================================================
--- trunk/sviki/https.mdwn 2026-01-12 19:53:02 UTC (rev 861)
+++ trunk/sviki/https.mdwn 2026-03-18 12:26:17 UTC (rev 862)
@@ -243,8 +243,11 @@
# Many more SSL-specific configuration
-### Frontend0 apache configuration
+### Frontend apache configuration
+*This section is outdated. Since late 2025-12, frontend uses nginx
+rather than Apache*
+
The majority of the Apache configurations are in
`/etc/apache2/sites-available/sv.inc`. However this file does *not*
contain SSL configuration - as it is included twice in other files
