World: r3wp
[!Cheyenne] Discussions about the Cheyenne Web Server
older newer | first last |
onetom 17-Apr-2011 [9746x2] | so, doc, an ideas / questions about my scenario? where all the logs should go and whether is it possible or necessary to have 1 system-wide cheyenne which connects with per-user ones? |
(do u seem my private msgs? im not sure what should i see / notice when i get a priv msg in altme...) | |
Dockimbel 17-Apr-2011 [9748x2] | Yes, I have answered to them. You should see my nickname go red. |
onetom: I started writing you a reply by email, but it might be easier to discuss it there. | |
Maxim 17-Apr-2011 [9750x2] | onetom... ever since the weird user reset bug which affected altme, the very first time anyone ever sends you a personal message, you won't be notified... you actually have to click on the group to see the message updated :-( |
this is true for each user. | |
Dockimbel 17-Apr-2011 [9752] | Logs: I must say that I don't like much having all logs under current/, which is the webapp root folder. Putting all logs there (especially error.log which can contain critical information like user logins and password hashes) is bad practice to me. |
onetom 17-Apr-2011 [9753x3] | Maxim: ok, thx. i turned off the dividers and it's great like this |
doc: i didnt say current, but current/log/ | |
but in cheyenne's case it could be current/private/log/ | |
Dockimbel 17-Apr-2011 [9756x2] | Yes, everything that is under current/ might be at risk, so better avoid putting critical information there. |
Same remark for Cheyenne webapp's private/ folder, you shouldn't put critical information there. | |
onetom 17-Apr-2011 [9758x2] | what should go there then and how is it more private than the protected area? (is it documented somewhere?) |
let's collaborate on a directory structure here: http://piratepad.net/KkvkZ9AtME | |
Dockimbel 17-Apr-2011 [9760x2] | Those "private" folders are protected from the requests by the webserver, but not by the OS. If an attacker finds a way to workaround the server's protection, better avoid giving him critical info. |
I would say that logs shouldn't have the same user permission than the web accounts (prod, stg and devel1 in your example from email). | |
onetom 17-Apr-2011 [9762x4] | the devel1 should be able to access his own logs |
and also should be able to clear them regularly | |
i always had to put the developers into the adm group so they can access the /var/log/apache2/ directory | |
where they saw a lot more than their interest | |
Dockimbel 17-Apr-2011 [9766] | Agreed, but you could create per-user sub-folders there? |
onetom 17-Apr-2011 [9767x4] | running their own app server (mongrel/thin/unicorn) helped a littlebit, but they couldn't easily test what was returned just by the webserver from cache / static files |
the main problem with my setup was always the autonomity of the users | |
i had to edit config files when a new user joined the company | |
and i had to be aware where are they checking out the source of the projects they were working on and i also had to assign port numbers to them, so i could configure the reverse proxy in apache/nginx to connect to their app servers | |
Dockimbel 17-Apr-2011 [9771x2] | Your need is pretty clear. |
You could do the same (reverse proxy/nginx) with Cheyenne instances. | |
onetom 17-Apr-2011 [9773] | security in such a case is not a big concern (unless the machine get rooted :) |
Dockimbel 17-Apr-2011 [9774] | Cheyenne just needs to be able to pick the config file from a remote folder instead of just current one. |
onetom 17-Apr-2011 [9775] | sure, but i would love to get rid of any external component, since cheyenne seems to be pretty close being able to cater for such a setup |
Dockimbel 17-Apr-2011 [9776] | Where would Cheyenne binary be in your scenario? |
onetom 17-Apr-2011 [9777x2] | /usr/local/bin/ |
or sbin | |
Dockimbel 17-Apr-2011 [9779x3] | then how could Cheyenne know where to look for config file ? |
the only way I see is passing the config file path as command-line argument, something like: cheyenne -p 8001 -conf /home/devel1/app/current/ | |
Would such feature cover your needs for user autonomy? | |
onetom 17-Apr-2011 [9782x5] | if it still looks in the current directory for a httpd.cfg by default, then it's not even necessary |
cd approot; cheyenne | |
cheyenne --conf approot | |
not a big difference | |
doesnt worth the trouble, i guess | |
Dockimbel 17-Apr-2011 [9787] | is approot linux specific? |
Maxim 17-Apr-2011 [9788] | why not a mod_log ;-) |
Dockimbel 17-Apr-2011 [9789] | might still be needed for MacOS X servers? |
onetom 17-Apr-2011 [9790] | by app-root i mean that directory level which cheyenne will never try to reach above |
Dockimbel 17-Apr-2011 [9791] | ok |
onetom 17-Apr-2011 [9792] | any relative path in a config file is normally calculated from there |
Maxim 17-Apr-2011 [9793] | again, why not allow these configs in the httpd.cfg file? |
Dockimbel 17-Apr-2011 [9794] | because, the httpd.cfg place is unknown to Cheyenne in this case ;) |
Maxim 17-Apr-2011 [9795] | ah so you're talking about the embeded mode? |
older newer | first last |