Proposal for ns7 VirtualHost page

davidep · April 6, 2016, 8:14am

I think the stupid here is our UI and we shall improve it!

This is my proposal for ns7. Let’s create a new page, say Virtual hosts. Generally, a virtual host requires a DNS record, and the right place to set it up by now is under the DNS > Alias server page. Virtual hosts lists the same items of DNS > Alias server, and could also allow creating a new one. I think it is more intuitive to allow both methods of creation. In other words the two pages should offer different views of the same DB records.

When an item of Virtual hosts is modified, the interface allows selecting the shared folders that it serves. Each shared folder can be mounted with an alias or selected as the web root of the virtual host. To persist this relation I propose to add a prop to self records in hosts DB.

ProxyPass configuration should be implemented in a similar way.

The other object that needs to be associated to virtual hosts are SSL certificates. There’s some UI work also on that side. I think the following choices should cover all use cases:

Optional self-signed certificate (both HTTP and HTTPS work)
Mandatory self-signed certificate (HTTP redirects to HTTPS)
Mandatory existing SSL certificate (uploaded, letsencrypt…, HTTP redirects to HTTPS)

Then there are a lot of app/site specific configurations. They can be provided by additional plugins; for instance, I’m thinking about PHP ini values, like @stephdl’s nethserver-php-settings does for shared folders, or URL rewriting rules. A free text-area where configuration is pasted from an howto should guarantee the command line is never required!

In the end, filesystem permissions and HTTP authentication are still controlled by the Shared folders page. Only the “virtual host” features are moved to the new Virtual hosts page.

Shared folder page could still provide HTTP (and even WebDAV) access but

only the Apache default virtual host is configured (i.e. server IP in site URL)
alias can’t be changed: is fixed to ibay name
SSL certificate is always the default one

alefattorini · April 6, 2016, 9:48am

I agree with your proposal. I have some concerns about keeping the HTTP authentication on Shared Folders panel, what about remove it totally? Using “Shared Folders” just for configure samba. People frequently confuse the multipurpose aspect of shared folders, I’d like to simplify this part.

In my mind:

Shared folders = fileserver
VirtualHost = WebServer

I like to preserve this part but it would be completly configured by the Virtual Hosts panel. Just to be clear, I’d like to remove this tab moving it on the VH panel:

Finally, stuff like these should be included into the new Virtual Host page:

Any thoughts? @JOduMonT @Technet @stephdl @Hunv @fasttech @ctek @GG_jr @Nas @eliezer.axiem

davidep · April 6, 2016, 9:59am

I think the whole HTTP is multi-purpose! Thus we should focus on two main aspects

file sharing
web applications / virtual host

I’m afraid this would lead to an excessive duplication of objects and features. I think that separating virtual host from shared folders balances effectively all aspects.

To set up a web application we need one or more directories in the server, and granting permissions to user and groups, and configuring one or more a file protocols… I think duplicating all this stuff on two different pages is not good for both the final user and the development barriers.

giacomo · April 6, 2016, 10:06am

I agree with this point of view, but probably final users expect to access web folders using Samba (as suggested by Davide).

From a technical perspective I’d to separate things and have something like this:

Shared folders, accessible only from Samba (and NFS)
Virtual hosts, accessible using webdav, SFTP and FTP (optional)

Ctek · April 6, 2016, 10:20am

I really like this discussion, we are getting somewhere now.
At least a draft of the “new” virtual hosts can be planned.

alefattorini · April 6, 2016, 10:22am

Indeed, I don’t want duplicate anything, just:

move totally the http configuration on VirtualHost
keep the chance in the VH configuration to select and existing shared folders that it serves. No shared folders? Nothing to serve.

In this scenario we can configure virtualhosts also to serve objects different from shared folders like: webapp (owncloud or wordpress) proxypass, etc…
Am I wrong?

davidep · April 6, 2016, 10:28am

AFAIK this means we loose a nice feature: access to http://<server_ip>/ibayname

If I just need accessing files through HTTP(+WebDAV), why I must configure a virtual-bells-and-whistles-host?

Do not remove it. Just rename “Web access” as “HTTP” and remove fields “Virtual host” and “Web address (URL)”.

This is always possible through plugins and free-text-area!

alefattorini · April 6, 2016, 11:01am

So, your point is: why install a VirtualHost module if you need just a simple http support for ibay? Right?
Uhm, I have to think about this, waiting for others thoughts

Maybe we should create a mockup to clear our mind with a visual example.

Hunv · April 6, 2016, 11:20am

I really like @davidep comments. Thats one thing I don’t like at Nethserver as much as other things (but it’s far away from beeing bad!).
I implemented the whole VirtualHost stuff (with SSL and only for ProxyPass) in my own conf-files (without using templates etc.). It works and I’m happy about that.
To manage this using a WebGUI would be a great advantaged. Let’s Encrypt integration would be the best. Also to request Let’s Encrypt certificates with one certificate for each (Sub)Domain and not just one certificate for all Domains would be great. That would be the easiest usage everybody can imagine without the need of having knowlege of Linux, Apache configuration, Certificates and Let’s Encrypt.

Hunv · April 8, 2016, 5:52am

A friend of mine has shown me how Sophos UTM is managing this.
You have a page, where you configure your Webservers (the Server where the ProxyPass would redirect to) and the Pages (the ServerName of the VirtualHost as well as the Ports).

This is how it looks like:
The “Website”-Management (“virtual Webserver”):

Edit a Website:

And managing the Webservers (“Real Webservers”):

Maybe helpful for some inspiration

giacomo · April 8, 2016, 7:06am

Absolutely, thanks!

alefattorini · April 14, 2016, 8:23am

So Me and @davidep agree on remove the web configuration part from shared folder.
I’m going to write down a small mockup of the new panel

alefattorini · May 27, 2016, 2:32pm

I’d like to revive this topic. As we said, we need to move forward with these guidelines:

Shared Folders and Virtualhost need to be separated!
remove “web access” panel from Shared folders.
re-think the whole “virtualhost” panel adding more features
certificate + let’sencrypt support
advanced php settings
access by ftp or scp (not by smb)
ProxyPass
customizable path (root dir or subdir)

@hunv @Ctek

davidep · May 27, 2016, 2:35pm

What about webdav?

Why not smb?

Ctek · May 27, 2016, 2:41pm

Just my opinion but you must separate vhosts from the concept of having just another method of sharing files.
Vhost is more related to hosting sites, than to make available the files over http/https.

And you already have owncloud if you want to share files over http.

Hunv · May 27, 2016, 2:47pm

I can only speak about the vhost topic because I don’t use the other stuff.
It is related to webhosting so, as @Ctek said, it should be separated.

How this should look in detail, I don’t know. Above you see how Sophos solved this. I don’t know if it has to be that big, but at least I must have the possibility to add new vhosts (http and https) and modify the settings of each vhost. Maybe automatic certificate-handling using Let’s encrypt can also be added here.

alefattorini · May 27, 2016, 2:49pm

Because of this:
http://wiki.dreamhost.com/Uploading_your_site
https://it.godaddy.com/help/ftp-how-to-upload-files-96
https://my.bluehost.com/hosting/help/upload-site
Summarizing: everyone uses FTP

Hunv · May 27, 2016, 3:12pm

Offtopic: FTP is the same as Flash. You should not use it but everybody does.

davidep · May 27, 2016, 3:14pm

@Ctek remarked we must separate vhosts and file sharing. I absolutely agree on this.
@alefattorini says everyone uses FTP/SCP to upload websites, so SMB is not required for vhosts.

My concerns are not duplicating features on “shared folders” and “virtual hosts” pages, such as filesystem permission handling. I’d prefer keeping the filesystem permissions part on “shared folders” and allow referencing them from the “virtual hosts page”. A virtual host could require or even not require (in case of proxypass) a filesystem folder.

alefattorini · May 27, 2016, 3:30pm

Why not a filesystem hierarchy that keeps them separated? Isn’t it simpler? For example creating a new folder under /var/lib/nethserver/virtualhosts with apache:apache
Referencing a shared folder from the “virtual hosts page” IMHO is useless and makes things unnecessarily complicated

Shared folders: your files
Virtualhost folders: your sites