Forum OpenACS Development: Re: OpenACS 4.6 Install Doc Changes

Posted by Michael Bluett on
I am planning on putting OpenACS and AOLServer on a shared server (Hatters Cooperative), and am interested in setting the server up on the box as safely as I can, with as little future maintenance as possible.
  • I will be running multiple instances of AOLServer (using Jerry Asher's virtual hosting patch). I believe that means running AOLServer 3.3+ad13.
  • We still need to have the server running as web? I'll create a separate user for each server and have them all as members of a renamed "web" group (the group of the log and server directories according to the AOLServer guide). I will also need to change the group of where the socket files (for virtual hosting) live to "web".
  • AOLServer maintenance docs suggest I shouldn't worry about rolling the server log (not the access log) in normal use. This thread features people that have worried about server log rolling.
  • Should I be worried enough to use SSL (scottg's site) for logins for my personal sites? It doesn't appear that OpenACS.org uses it.
Does anyone have any other suggestions? Thanks in advance.
Posted by Andrew Piskorski on
Michael,

You certainly should roll the server log as well as the access log, unless you want it to grow enormous and eventually fill up your disk. I'm not sure what you mean by "worry about". Rolling the log is very easy, you might as well do it. Use ns_logroll - see this thread, but basically, just do something like this:

ns_schedule_daily 00 00 ns_logroll

Using nsopenssl isn't that hard, so I'd use it at least for logging into any OpenACS account with admin privileges. But it's up to you. How much security do you want? Plus if you don't have the general public using SSL, you might as well just save some money and use a self-signed cert.

You don't "need" to have any particular scheme for what unix user and group AOLserver runs as, you just have to come up with something that meets your needs. In the OpenACS world, I believe nsadmin/web is still the most common. I believe both AOLserver 3.3+ad13 and 3.4.x (don't know about 3.5 and 4.0) still have a bug where non-default unix group memberships are not honored, but I don't remember the details - search the BBoard, it's all in here somewhere.

Preferably, if AOLserver runs as user nsadmin then nsadmin should not have write access to the AOLserver binaries or anything else it doesn't really need write access to, but most people don't worry about that. (And those people will be in worse shape if their AOLserver gets cracked.)
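
The write-access point in the post above, as an added example that is not part of the thread: a shell check listing what a run-as account can modify under a directory tree. The nsadmin/web names come from the thread; the function names and the /usr/local/aolserver path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find paths that the AOLserver run-as
# account could modify. Only mode bits are examined; ACLs are not.

# writable_by USER GROUP DIR
# Prints every file or directory under DIR that is writable by USER as owner,
# by GROUP as group, or by everyone. USER and GROUP may be names or numeric ids.
# A writable directory counts: it lets the account replace the files inside it.
writable_by() {
    user=$1 group=$2 dir=$3
    find "$dir" \( \
            \( -user "$user" -perm -200 \) -o \
            \( -group "$group" -perm -020 \) -o \
            -perm -002 \
        \) ! -type l -print | sort
}

# check_readonly USER GROUP PATH...
# Returns 0 when the account can modify nothing under any PATH; otherwise
# prints the offending paths and returns 1.
check_readonly() {
    user=$1 group=$2
    shift 2
    rc=0
    for p in "$@"; do
        out=$(writable_by "$user" "$group" "$p")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            rc=1
        fi
    done
    return $rc
}

# Usage (assumed install path; adjust to the real one):
#   check_readonly nsadmin web /usr/local/aolserver/bin /usr/local/aolserver/lib
```

Only the primary group is passed in, which matches the group-membership bug mentioned above; log and socket directories are expected to show up as writable and are not passed to `check_readonly`.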

Posted by Bart Teeuwisse on

Michael,

Dossy recently patched Jerry's virtual hosting for AOLserver 3.5.1. You can download it from aolserver.sourceforge.net. Dossy's message as posted on the AOLserver list:

Everyone,

After thorough testing, I've finally committed the changes 
to nsvhr and nsunix which originated from Jerry Asher's 
excellent work on these two modules for the AOLserver 3.3.x 
core, which I reviewed and pared down to the minimal changes
and have tested against the AOLserver 3.5.x core.

There are no AOLserver core changes required to use nsvhr 
and nsunix now. nsvhr and nssock should also continue to 
work just fine.

The changes have been checked in and tagged as nsvhr3_5 and 
nsunix3_5.

Any feedback is certainly welcome,

-- Dossy 

Some OpenACS sites do use SSL. Seven Sisters Trading (www.7-sisters.com) is a good example. This eCommerce site uses the ecommerce package, which requires SSL to secure the checkout process.

Be aware that you can secure only one site with SSL if you are combining SSL and virtual hosting.

/Bart