
Re: [Openvds-clients] RE: [Openvds-devel] Control Panels


From: Joe Cooper
Subject: Re: [Openvds-clients] RE: [Openvds-devel] Control Panels
Date: Mon, 10 Dec 2001 20:18:38 -0600
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010628

Paul Marshall wrote:

> By the way, regarding the Webmin, I am not opposed to using the
> existing ACL system as long as we can modify the security settings
> so that you get the same results when you use Apache instead of the
> native web server.

I'm curious why you would want to do that (run Webmin under Apache)? There are a lot of good reasons not to, but I don't know of any good reasons for doing so...

The good reasons for using the Webmin miniserv.pl webserver instead of Apache, since I'm sure someone is asking:

Small and easily audited for security. Has proven quite secure and robust in its ~three years of heavy use all over the world. Webmin overall has a quite good security record, and miniserv.pl has been flawless in the two+ years that I've been using it. That's not to say that Apache isn't secure, because it is, but the environment is so much larger and easier to misconfigure--I don't like the idea of a misconfiguration so easily leading to an exploit. Apache would have to run as root and outside of a chroot jail. I prefer a tiny Perl webserver that I can study thoroughly in a couple of hours to Apache which would take years to fully understand and audit.

It's fast enough. Using Apache will not speed up Webmin in any useful fashion. With an appropriately designed module hierarchy (client->reseller->server owner->cluster administrator) there's no way to overload the miniserv webserver. Administration is not a high load environment.

Provides additional ACLs that Apache can't without quite a lot of additional tweaking and configuration. miniserv.pl can provide IP level access controls in addition to other cool stuff, like SSL certificate authentication. Sure, you can do these things with Apache, but why not point and click your way there in about 20 seconds?

Also, I'm not sure if the RPC features of Webmin work with any other webserver (they might--I've never tested). If they rely on miniserv, then we'd be fighting an uphill battle to make Apache do the same things. RPC will be our mantra by the time the project gets itself into some large hosting environments--and Webmin will do the heavy lifting for us. Hmmm...Checking...Ok, looks like the RPC stuff is all in the web-lib, not in miniserv. So, scratch this reason. But wow, RPC in Webmin is supercool. It's fun to talk about so I'll leave this part of my comments even though it isn't relevant.

So to answer your demand "as long as we can modify the security settings so that you get the same results", sure you can! But why would Webmin do all of the Apache configuration for you when it already has an excellent and configurable webserver designed specifically for this purpose? For what it's worth, you /can/ use the Apache Webmin module to configure these details with a GUI. ;-) At least IP level ACLs can be configured. I'm not sure how SSL certificate logins are handled (I don't mean https connections...I'm talking automatic logins using no password, just a certificate).

Anyway, I /strongly/ urge not switching from miniserv to Apache. It just doesn't make sense to add more complexity to a beautifully simple setup (for anyone who has ever installed Webmin, you know that given the complexity of the tasks it tries to address it is amazingly simple). Ok, so I'm a long time Webmin bigot...I love everything about it, and I don't want to change a thing. ;-)

Oh, yeah, for those who are unfamiliar with Webmin's ACL system...The /only/ part of it that relies on miniserv.pl is the IP level access controls and maybe the SSL certificate logins. All of the user level controls are handled by the web-lib and the specific modules, whether you're using miniserv.pl or Apache as the host webserver.
--
Joe Cooper <address@hidden>
http://www.swelltech.com
Web Caching Appliances and Support



