r3wp [groups: 83 posts: 189283]
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search
 

World: r3wp

[!Cheyenne] Discussions about the Cheyenne Web Server

onetom
17-Apr-2011
[9746x2]
so, doc, an ideas / questions about my scenario? where all the logs 
should go and whether is it possible or necessary to have 1 system-wide 
cheyenne which connects with per-user ones?
(do u seem my private msgs? im not sure what should i see / notice 
when i get a priv msg in altme...)
Dockimbel
17-Apr-2011
[9748x2]
Yes, I have answered to them. You should see my nickname go red.
onetom: I started writing you a reply by email, but it might be easier 
to discuss it there.
Maxim
17-Apr-2011
[9750x2]
onetom... ever since the weird user reset bug which affected altme, 
the very first time anyone ever sends you a personal message, you 
won't be notified... you actually have to click on the group to see 
the message updated  :-(
this is true for each user.
Dockimbel
17-Apr-2011
[9752]
Logs: I must say that I don't like much having all logs under current/, 
which is the webapp root folder. Putting all logs there (especially 
error.log which can contain critical information like user logins 
and password hashes) is bad practice  to me.
onetom
17-Apr-2011
[9753x3]
Maxim: ok, thx. i turned off the dividers and it's great like this
doc: i didnt say current, but current/log/
but in cheyenne's case it could be current/private/log/
Dockimbel
17-Apr-2011
[9756x2]
Yes, everything that is under current/ might be at risk, so better 
avoid putting critical information there.
Same remark for Cheyenne webapp's private/ folder, you shouldn't 
put critical information there.
onetom
17-Apr-2011
[9758x2]
what should go there then and how is it more private than the protected 
area? (is it documented somewhere?)
let's collaborate on a directory structure here: http://piratepad.net/KkvkZ9AtME
Dockimbel
17-Apr-2011
[9760x2]
Those "private" folders are protected from the requests by the webserver, 
but not by the OS. If an attacker finds a way to workaround the server's 
protection, better avoid giving him critical info.
I would say that logs shouldn't have the same user permission than 
the web accounts (prod, stg and devel1 in your example from email).
onetom
17-Apr-2011
[9762x4]
the devel1 should be able to access his own logs
and also should be able to clear them regularly
i always had to put the developers into the adm group so they can 
access the /var/log/apache2/ directory
where they saw a lot more than their interest
Dockimbel
17-Apr-2011
[9766]
Agreed, but you could create per-user sub-folders there?
onetom
17-Apr-2011
[9767x4]
running their own app server (mongrel/thin/unicorn) helped a littlebit, 
but they couldn't easily test what was returned just by the webserver 
from cache / static files
the main problem with my setup was always the autonomity of the users
i had to edit config files when a new user joined the company
and i had to be aware where are they checking out the source of the 
projects they were working on and i also had to assign port numbers 
to them, so i could configure the reverse proxy in apache/nginx to 
connect to their app servers
Dockimbel
17-Apr-2011
[9771x2]
Your need is pretty clear.
You could do the same (reverse proxy/nginx) with Cheyenne instances.
onetom
17-Apr-2011
[9773]
security in such a case is not a big concern (unless the machine 
get rooted :)
Dockimbel
17-Apr-2011
[9774]
Cheyenne just needs to be able to pick the config file from a remote 
folder instead of just current one.
onetom
17-Apr-2011
[9775]
sure, but i would love to get rid of any external component, since 
cheyenne seems to be pretty close being able to cater for such a 
setup
Dockimbel
17-Apr-2011
[9776]
Where would Cheyenne binary be in your scenario?
onetom
17-Apr-2011
[9777x2]
/usr/local/bin/
or sbin
Dockimbel
17-Apr-2011
[9779x3]
then how could Cheyenne know where to look for config file ?
the only way I see is passing the config file path as command-line 
argument, something like:
cheyenne -p 8001 -conf /home/devel1/app/current/
Would such feature cover your needs for user autonomy?
onetom
17-Apr-2011
[9782x5]
if it still looks in the current directory for a httpd.cfg by default, 
then it's not even necessary
cd approot; cheyenne
cheyenne --conf approot
not a big difference
doesnt worth the trouble, i guess
Dockimbel
17-Apr-2011
[9787]
is approot linux specific?
Maxim
17-Apr-2011
[9788]
why not a mod_log  ;-)
Dockimbel
17-Apr-2011
[9789]
might still be needed for MacOS X servers?
onetom
17-Apr-2011
[9790]
by app-root i mean that directory level which cheyenne will never 
try to reach above
Dockimbel
17-Apr-2011
[9791]
ok
onetom
17-Apr-2011
[9792]
any relative path in a config file is normally calculated from there
Maxim
17-Apr-2011
[9793]
again, why not allow these configs in the httpd.cfg file?
Dockimbel
17-Apr-2011
[9794]
because, the httpd.cfg place is unknown to Cheyenne in this case 
;)
Maxim
17-Apr-2011
[9795]
ah so you're talking about the embeded mode?