openvds-clients
Re: [Openvds-clients] RE: [Openvds-devel] Control Panels


From: Paul Marshall
Subject: Re: [Openvds-clients] RE: [Openvds-devel] Control Panels
Date: Mon, 10 Dec 2001 19:16:56 -0800

Hi Joe,
At 06:18 PM 12/10/01, you wrote:
>Paul Marshall wrote:
>
>> By the way, regarding the Webmin, I am not opposed to using the
>> existing ACL system as long as we can modify the security settings
>> so that you get the same results when you use Apache instead of the
>>  native web server.
>
>I'm curious why you would want to do that (run Webmin under Apache)? There are 
>a lot of good reasons not to, but I don't know of any good reasons for doing 
>so...

There are two reasons to use Apache over miniserv.pl. 
The first reason is to conserve memory resources. I'm not positive, but I 
believe Webmin uses about 5MB of RAM. If Webmin is installed on all of your 
VSs, then that can consume an unnecessary amount of RAM. If Webmin can run on 
one or only a few machines and still control multiple servers, then that would be 
fine. Nick and I were discussing this offline today, and I know it has been 
discussed in the past by others.

The second reason is so that you don't have two web servers running. Why run 
two webservers when 99% of all Virtual Servers will be running Apache anyway?  
Why run an additional webserver that is only used for administration?

>The good reasons for using the Webmin miniserv.pl webserver instead of Apache, 
>since I'm sure someone is asking:
>
>Small and easily audited for security.  Has proven quite secure and robust in 
>its ~three years of heavy use all over the world.  Webmin overall has a quite 
>good security record, and miniserv.pl has been flawless in the two+ years that 
>I've been using it.  

I don't doubt that. I think it works fine for individual servers. However, I 
feel that running an instance of miniserv.pl on each VS will consume too much 
RAM. Not that RAM isn't cheap now, but we have all seen it skyrocket in the 
past. 

>That's not to say that Apache isn't secure, because it is, but the environment 
>is so much larger and easier to misconfigure--I don't like the idea of a 
>misconfiguration so easily leading to an exploit.  Apache would have to run as 
>root and outside of a chroot jail.  I prefer a tiny perl webserver that I can 
>study thoroughly in a couple of hours to Apache which would take years to 
>fully understand and audit.

But Apache is already installed. Any Webmin configuration in httpd.conf could 
be blocked off with comments to indicate that that code should not be modified. 
That won't prevent malicious misconfiguration, but it should prevent accidental 
misconfiguration. You'll have to correct me if I am wrong, but even if the 
webserver is small, Perl has to remain loaded into memory which is where the 
resource consumption comes from. You probably know this better than I, so 
correct me if I am wrong.

>It's fast enough.  Using Apache will not speed up Webmin in any useful 
>fashion.  With an appropriately designed module hierarchy 
>(client->reseller->server owner->cluster administrator) there's no way to 
>overload the miniserv webserver.  Administration is not a high load 
>environment.

Speed is not the issue.


>Provides additional ACLs that Apache can't without quite a lot of additional 
>tweaking and configuration.  miniserv.pl can provide IP level access controls 
>in addition to other cool stuff, like SSL certificate authentication.  Sure, 
>you can do these things with Apache, but why not point and click your way 
>there in about 20 seconds?

I agree, these are cool features of miniserv.pl, however, I would like to see the IP 
level access and SSL cert support for Apache. Again, so you only have to run 
one webserver.

>  At least IP level ACLs can be configured.  I'm not sure how SSL certificate 
> logins are handled (I don't mean https connections...I'm talking automatic 
> logins using no password, just a certificate).

These are definitely nice features and only minor hurdles.

>Anyway, I /strongly/ urge not switching from miniserv to Apache.  It just 
>doesn't make sense to add more complexity to a beautifully simple setup (for 
>anyone who has ever installed Webmin, you know that given the complexity of 
>the tasks it tries to address it is amazingly simple). Ok, so I'm a long time 
>Webmin bigot...I love everything about it, and I don't want to change a thing. 
> ;-)

I know you probably have more experience with this than any of us, so tell us 
how we can do this without consuming all the resources. Unfortunately, I don't 
think Webmin will work without some modification, however, I don't feel that it 
will be major. I think it will be much easier to modify Webmin to work with 
XVDS than it will to create a brand new admin utility.

>Oh, yeah, for those who are unfamiliar with Webmin's ACL system...The /only/ 
>part of it that relies on miniserv.pl is the IP level access controls and 
>maybe the SSL certificate logins.  All of the user level controls are handled 
>by the web-lib and the specific modules, whether you're using miniserv.pl or 
>apache as the host webserver.

Sorry if I didn't make that clear. 

Take care,

Paul


>-- 
>Joe Cooper <address@hidden>
>http://www.swelltech.com
>Web Caching Appliances and Support

Paul Marshall -- President, Senior Consultant
Protelligence
Internet Consulting and Marketing
http://www.protelligence.com  415-721-0123



