I can only speak about the vhost topic because I don’t use the other stuff.
It is related to webhosting so, as @Ctek said, it should be separated.
How this should look in detail, I don’t know. Above you see how Sophos solved this. I don’t know if it has to be that big, but at least I must have the possibility to add new vhosts (http and https) and modify the settings of each vhost. Maybe automatic certificate handling using Let’s Encrypt can also be added here.
@Ctek remarked we must separate vhosts and file sharing. I absolutely agree on this.
@alefattorini says everyone uses FTP/SCP to upload websites, so SMB is not required for vhosts.
My concern is not duplicating features on the “shared folders” and “virtual hosts” pages, such as filesystem permission handling. I’d prefer keeping the filesystem permissions part on “shared folders” and allowing them to be referenced from the “virtual hosts” page. A virtual host could require or even not require (in case of proxypass) a filesystem folder.
Why not a filesystem hierarchy that keeps them separated? Isn’t it simpler? For example, creating a new folder under /var/lib/nethserver/virtualhosts with apache:apache.
Referencing a shared folder from the “virtual hosts” page IMHO is useless and makes things unnecessarily complicated.
This is exactly a “Shared folders” feature I don’t want to duplicate!
The new User & Groups model in NS7 allows simplifying the underlying implementation of ACLs for Apache. We could add apache group as “Owner” and also apache user under ACLs tab.
This would remove the need for that esoteric checkbox “Allow .htaccess and write permissions overrides”…
I had a little time to think about this feature and I would like to present my proposal.
Let’s start from a strong assumption: FTP is an insecure protocol; passwords of system users must not be sent over the FTP protocol.
Given a virtual host named goofy, the virtual host should have:
DNS name automatically associated as server alias
Custom URL
HTTPS access with custom certificate (auto-signed or Let’s Encrypt or purchased)
Text area for advanced options (like PHP options or rewrite rules)
htaccess support
Password protection
FTP access using the virtual host name as user and a strong, randomly generated password.
Example:
User: goofy
Password: GBq6Hdvn
WebDav access (thanks to @stephdl for the implementation already done for NS 6)
This implementation could be very simple to maintain and extend.
Yes, we lose access using system users but this will save us from many problems and hacky code.
It’s not a big loss; virtual users are commonly used to access FTP, since those who upload files aren’t system users but external webmasters.
Like it, we may start with this, see how it goes and improve along the way.
I think it is important to make the use of a ‘proper’ (i.e. not self-signed) SSL certificate achievable for every NethServer user! Basically to make it a standard setting for every web host/-site using a FQDN (using LE! or a purchased cert).
FTP? No! SFTP, yes. For those vhost users that need it, throw in restricted secure shell access as well.
What people are used to is one thing, what we would like them to use can be something different. If we would like to stop them using ftp and we can make configuring and using sftp just as easy . . . why not.
Making it easy to use SSH keys instead of passwords might also be a good idea.
Hi all.
Having read through the comments above, and currently testing N7 A3. Firstly, great job on the new install UI. As a webmaster I always use FTP to upload sites and pages, so please do not make this more difficult when upgrading the security side of things. As a sys admin I need a UI that makes it easy to install sites on a server with the individual SSL certs. Also we need to think about the newbie sys admin; these are people who need a system that from their point of view is simple and easy to set up.
I like the letsencrypt integration into NethServer idea, and as a db programmer I know it’s not easy to code something simple to use.