Re: [Openvds-clients] RE: [Openvds-devel] Control Panels
From: Joe Cooper
Subject: Re: [Openvds-clients] RE: [Openvds-devel] Control Panels
Date: Mon, 10 Dec 2001 20:18:38 -0600
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010628

Paul Marshall wrote:
> By the way, regarding the Webmin, I am not opposed to using the
> existing ACL system as long as we can modify the security settings
> so that you get the same results when you use Apache instead of the
> native web server.

I'm curious why you would want to do that (run Webmin under Apache)?
There are a lot of good reasons not to, but I don't know of any good
reasons for doing so...

The good reasons for using the Webmin miniserv.pl webserver instead of
Apache, since I'm sure someone is asking:

Small and easily audited for security. Has proven quite secure and
robust in its ~three years of heavy use all over the world. Webmin
overall has a quite good security record, and miniserv.pl has been
flawless in the two+ years that I've been using it. That's not to say
that Apache isn't secure, because it is, but the environment is so much
larger and easier to misconfigure--I don't like the idea of a
misconfiguration so easily leading to an exploit. Apache would have to
run as root and outside of a chroot jail. I prefer a tiny perl
webserver that I can study thoroughly in a couple of hours to Apache
which would take years to fully understand and audit.

It's fast enough. Using Apache will not speed up Webmin in any useful
fashion. With an appropriately designed module hierarchy
(client->reseller->server owner->cluster administrator) there's no way
to overload the miniserv webserver. Administration is not a high load
environment.

Provides additional ACLs that Apache can't without quite a lot of
additional tweaking and configuration. miniserv.pl can provide IP level
access controls in addition to other cool stuff, like SSL certificate
authentication. Sure, you can do these things with Apache, but why not
point and click your way there in about 20 seconds?

Also, I'm not sure if the RPC features of Webmin work with any other
webserver (they might--I've never tested). If they rely on miniserv,
then we'd be fighting an uphill battle to make Apache do the same
things. RPC will be our mantra by the time the project gets itself into
some large hosting environments--and Webmin will do the heavy lifting
for us. Hmmm...Checking...Ok, looks like the RPC stuff is all in the
web-lib, not in miniserv. So, scratch this reason. But wow, RPC in
Webmin is supercool. It's fun to talk about so I'll leave this part of
my comments even though it isn't relevant.

So to answer your demand "as long as we can modify the security settings
so that you get the same results", sure you can! But why would Webmin
do all of the Apache configuration for you when it already has an
excellent and configurable webserver designed specifically for this
purpose? For what it's worth, you /can/ use the Apache Webmin module to
configure these details with a GUI. ;-) At least IP level ACLs can be
configured. I'm not sure how SSL certificate logins are handled (I
don't mean https connections...I'm talking automatic logins using no
password, just a certificate).

Anyway, I /strongly/ urge not switching from miniserv to Apache. It
just doesn't make sense to add more complexity to a beautifully simple
setup (for anyone who has ever installed Webmin, you know that given the
complexity of the tasks it tries to address it is amazingly simple).
Ok, so I'm a long time Webmin bigot...I love everything about it, and I
don't want to change a thing. ;-)

Oh, yeah, for those who are unfamiliar with Webmin's ACL system...The
/only/ part of it that relies on miniserv.pl is the IP level access
controls and maybe the SSL certificate logins. All of the user level
controls are handled by the web-lib and the specific modules, whether
you're using miniserv.pl or Apache as the host webserver.

--
Joe Cooper <address@hidden>
http://www.swelltech.com
Web Caching Appliances and Support