Setting up a server on RHEL 7

[David Martin]

Many thanks for the documentation on setting up on RHEL 7. There are some small issues with the documentation which I have noted in the attached document. Waiting on SSL certificates at which point I will be able to test the installation. Hopefully these will be of use in correcting the errors and filling in a few gaps.

My notes are prefixed with ##DMAM (or ## DMAM).

..d

[David Martin]

Further fun with the installation. 

I've got it to a point where nginx is running, the ssl certificates are installed, I've persuaded selinux to let me play  and I now get an internal server error when trying to access the web page. It looks like it should be a trivial fix, but I don't know Django that well.

..d

Internal Server Error: /

Traceback (most recent call last):

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/core/handlers/exception.py", line 34, in inner

    response = get_response(request)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/core/handlers/base.py", line 115, in _get_response

    response = self.process_exception_by_middleware(e, request)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/channels/handler.py", line 243, in process_exception_by_middleware

    return super(AsgiHandler, self).process_exception_by_middleware(exception, request)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/core/handlers/base.py", line 113, in _get_response

    response = wrapped_callback(request, *callback_args, **callback_kwargs)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view

    return view_func(*args, **kwargs)

  File "/srv/numbas-lti-provider/numbas_lti/views/entry.py", line 26, in index

    return render(request,'numbas_lti/index.html',context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/shortcuts.py", line 36, in render

    content = loader.render_to_string(template_name, context, request, using=using)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/template/loader.py", line 62, in render_to_string

    return template.render(context, request)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/template/backends/django.py", line 61, in render

    return self.template.render(context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/template/base.py", line 171, in render

    return self._render(context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/template/base.py", line 163, in _render

    return self.nodelist.render(context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/template/base.py", line 937, in render

    bit = node.render_annotated(context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/template/base.py", line 904, in render_annotated

    return self.render(context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/template/loader_tags.py", line 150, in render

    return compiled_parent._render(context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/template/base.py", line 163, in _render

    return self.nodelist.render(context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/template/base.py", line 937, in render

    bit = node.render_annotated(context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/template/base.py", line 904, in render_annotated

    return self.render(context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/template/loader_tags.py", line 62, in render

    result = block.nodelist.render(context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/template/base.py", line 937, in render

    bit = node.render_annotated(context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/template/base.py", line 904, in render_annotated

    return self.render(context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/templatetags/static.py", line 106, in render

    url = self.url(context)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/templatetags/static.py", line 103, in url

    return self.handle_simple(path)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/templatetags/static.py", line 118, in handle_simple

    return staticfiles_storage.url(path)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/contrib/staticfiles/storage.py", line 153, in url

    return self._url(self.stored_name, name, force)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/contrib/staticfiles/storage.py", line 132, in _url

    hashed_name = hashed_name_func(*args)

  File "/opt/numbas_lti_python/lib/python3.6/site-packages/django/contrib/staticfiles/storage.py", line 420, in stored_name

    raise ValueError("Missing staticfiles manifest entry for '%s'" % clean_name)

ValueError: Missing staticfiles manifest entry for 'bootstrap/css/bootstrap.css'

[David Martin]

Turns out the staticfiles error is the need to run (as numbas_lti)

source /opt/numbas_lti_provider/bin/activate

cd  /srv/numbas_lti_provider

python3 manage.py collectstatic

Then as root or sudo

systemctl restart supervisord

Hope this helps.

..d

On Monday, 27 July 2020 19:35:54 UTC+1, David Martin wrote:

[David Martin]

And we go on - finally have the server up and running and a firewall that lets me access it. 

I try to log in as admin (on Google Chrome) and get:

Forbidden (403)

CSRF verification failed. Request aborted.

You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.

If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for 'same-origin' requests.

More information is available with DEBUG=True.

This is due to Google enforcing the SameSite directive in cookies.  To quote from the information given in the issues raised by Chrome:

1. Mark cross-site cookies as Secure to allow setting them in cross-site contexts

1. Cookies marked with SameSite=None must also be marked with Secure to allow setting them in a cross-site context. This behavior protects user data from being sent over an insecure connection.

   Resolve this issue by updating the attributes of the cookie:

   • Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
   • Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests

2. AFFECTED RESOURCES
1. 1 cookie
2. 1 request

Microsoft Edge does not have this issue as they do not follow the guidelines so strictly.

reference https://web.dev/samesite-cookies-explained/?utm_source=devtools

Hope this is helpful in sorting the issue - this may be a simple config change for Django.

..d

[David Martin]

To fix this issue with Chrome, edit 

/srv/numbas_lti_provider/numbasltiprovider/settings.py and add the lines:

SESSION_COOKIE_SAMESITE = None

SESSION_COOKIE_SECURE = True

CSRF_COOKIE_SAMESITE = None

CSRF_COOKIE_SECURE = True

restart supervisord and all is good.

# systemctl restart supervisord

This then ensures the cookies are flagged correctly and Google Chrome will digest them without issues.

..d

[Christian Lawson-Perfect]

Thanks for sticking with this, David. I'll fold these notes into the documentation.

--
You received this message because you are subscribed to the Google Groups "Numbas Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to numbas-users...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/numbas-users/14f95df3-9a33-45ae-98e8-c7bf2a5824b7o%40googlegroups.com.

[drdmamartin]

no problem. I'd just come across this in another context so it was a aimple fix.

..d

Sent from my Samsung Galaxy smartphone.

You received this message because you are subscribed to a topic in the Google Groups "Numbas Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/numbas-users/jRUTkWP9GhU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to numbas-users...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/numbas-users/CAEMHSOg-dhqZcewSgLY18GKQcCi1o7w2PG4ctnVufPk22rCHJw%40mail.gmail.com.

[Christian Lawson-Perfect]

I've managed to install the LTI tool on a fresh RHEL 7.8 virtual machine, using your changes. I had some trouble installing python 3.6, while you stuck with 3.4, but I've documented what to do. The instructions at https://numbas-lti-provider.readthedocs.io/en/latest/installation/rhel-7.html are now up to date.

I've added the secure cookie settings to the first_setup script, so that shouldn't be a problem any more.

Thanks again!

To view this discussion on the web, visit https://groups.google.com/d/msgid/numbas-users/5f22ee3e.1c69fb81.5d29f.9c07%40mx.google.com.

[deevan shafait]

Hi,

I'm in the process of installing Numbas LTI on CentOS with a MySQL database, and I notice in your personal instructions that the /etc/supervisord.d/numbas_lti.ini is missing the the section for '[program:numbas_lti_huey]', I assume you added this later?

For test purposes, I am running the service on localhost, but I see an internal server error message when accessing the web site, can you point me in the right direction for error logging? (I can confirm nginx is running OK via resorting to the default.conf file, and restarting nginx, I see the NGINX home page when accessing http://localhost:80.

Thanks,

Naveed

[Christian Lawson-Perfect]

Yes, the huey section is a recent addition.

I think the logs for the numbas LTI tool should be in /var/log/supervisor, if you followed the installation instructions exactly. You might want to look at the nginx logs too, in /var/log/nginx, and turn on DEBUG mode in numbasltiprovider/settings.py, if you haven't already.

--

You received this message because you are subscribed to the Google Groups "Numbas Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to numbas-users...@googlegroups.com.

To view this discussion on the web, visit https://groups.google.com/d/msgid/numbas-users/72a93752-5654-4390-ab7e-a53dbc91a97en%40googlegroups.com.

[deevan shafait]

I can now see the Numbas LTI home page :  "Numbas LTI Provider : Welcome to the Numbas LTI tool provider" ... but post login, I see the following in Chrome and I.E : "a CSRF verification failed. Request aborted." error :  403 Forbidden

Reason given for failure:

Referer checking failed - Referer is insecure while host is secure.

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

• Your browser is accepting cookies.
• The view function passes a request to the template's render method.
• In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
• If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
• The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.

You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.

You can customize this page using the CSRF_FAILURE_VIEW setting.

I've disabled the following in default.conf given I'm not using https for my test 'thorow away' server, and I can now login successfully!

#proxy_set_header X-FORWARDED-PROTO https;

Thanks.