Proposal for ns7 VirtualHost page

I can only speak about the vhost topic because I don’t use the other stuff.
It is related to webhosting so, as @Ctek said, it should be separated.

How this should look in detail, I don’t know. Above you see how Sophos solved this. I don’t know if it has to be that big, but at least I must have the possibility to add new vhosts (http and https) and modify the settings of each vhost. Maybe automatic certificate-handling using Let’s encrypt can also be added here.

Because of this:
http://wiki.dreamhost.com/Uploading_your_site
https://it.godaddy.com/help/ftp-how-to-upload-files-96
https://my.bluehost.com/hosting/help/upload-site
Summarizing: everyone uses FTP

Offtopic: FTP is the same as Flash. You should not use it but everybody does.

• @Ctek remarked we must separate vhosts and file sharing. I absolutely agree on this.
• @alefattorini says everyone uses FTP/SCP to upload websites, so SMB is not required for vhosts.

My concerns are not duplicating features on “shared folders” and “virtual hosts” pages, such as filesystem permission handling. I’d prefer keeping the filesystem permissions part on “shared folders” and allow referencing them from the “virtual hosts page”. A virtual host could require or even not require (in case of proxypass) a filesystem folder.

Why not a filesystem hierarchy that keeps them separated? Isn’t it simpler? For example creating a new folder under /var/lib/nethserver/virtualhosts with apache:apache
Referencing a shared folder from the “virtual hosts page” IMHO is useless and makes things unnecessarily complicated

• Shared folders: your files
• Virtualhost folders: your sites

Owner should be who uploads. Apache can can receive read permissions from world-readable bit. BUT, sometimes it needs also write permissions…

This is exactly a “Shared folders” feature I don’t want to duplicate!

The new User & Groups model in NS7 allows simplifying the underlying implementation of ACLs for Apache. We could add apache group as “Owner” and also apache user under ACLs tab.

This would remove the need of that exoteric checkbox “Allow .htaccess and write permissions overrides”…

A virtual host could require more than one directory with different filesystem permissions.

…or no filesystem at all: think about proxypass setup

I vote for two simpler implementations even if we need to duplicate a little code!

I had a little time think about this feature and I would like to present my proposal.

Let’s start from a strong assumption: FTP is an insecure protocol, password of system users must not be sent over FTP protocol.

Given a virtual host named goofy, the virtual host should have:

• DNS name automatically associated as server alias

• Custom URL

• HTTPS access with custom certificate (auto-signed or Let’s Encrypt or purchased)

• Text area for advanced options (like PHP options or rewrite rules)

• htaccess support

• Password protection

• FTP access using the virtual host name as user and a strong generated strong random password.
  Example:

  • User: goofy
  • Password: GBq6Hdvn

• WebDav access (thanks to @stephdl for the implementation already done for NS 6)

This implementation could be very simple to maintain and extend.
Yes, we loose access using system users but this will save us from many problems and hacky code.

It’s not a big lost, virtual users are commonly used to access ftp, since who uploads files isn’t a system users but external webmasters
Like it, we may start with this, see how it goes and improve along the way.

I’m keen to know what @jaapvdv @gavinengel @8omas @robert11 @medworthy @rodmontgt @JOduMonT think

It can be overcomed in two ways.

• First create a file upload management from inside web NS interface (for specific users).
• Use SFTP .

Also having a FTP upload group that will restrict/permit some users to access NS via FTP can be plus.

My two cents:

1. I think it is important to make the use of a ‘proper’ (i.e. not self-signed) SSL certificate achievable for every Nethserver user! Basically to make it a standard setting for every web host/-site using a FQDN (using LE! or a purchased cert).
2. FTP? No! SFTP, yes. For those vhost users that need it, throw in restricted secure shell access as well.

What people are used to is one thing, what we would like them to use can be something different. If we would like to stop them using ftp and we can make configuring and using sftp just as easy . . . why not.

Making it easy to use SSH keys in stead of passwords might also be a good idea.

• SSL configuration per Virtual Host (a must have option)
• Ability to configure alias
• Access through SCP, SFTP
• For novice users to advance users it would be great to have a webui (or file manager) to manage virtual hosts files:

A like the ability of extplorer to manage files via webdav or ftp, chmod, unzip, edit text files, etc.

extplorer.png903×556 99.9 KB

and the simplicity of Ajenti file manager

3.png1029×714 49.6 KB

Hi all.
Having read through the comments above, and currently testing N7 A3. Firstly, great job on the new install UI. As a webmaster I always use FTP to upload sites and pages, so please do not make this more difficult when upgrading the security side of things. As a sys admin I need a UI that makes it easy to install sites on a server with the individual SSL certs. Also we need to think about the newbie sys admin, these are people who need a system that is from their point of view is simple and easy to setup.
I like the letsencrypt integration into Nethserver idea, and as a db programmer I know it’s not easy to code something simple to use.

once you know you’ve to use SFTP instead of FTP, there’s no added difficulty to do things…

@davidep has some good news on this argument I don’t want to spoil the surprise,

A post was split to a new topic: NS7 Virtual host page proposal going on

New module ready, please follow the discussion here NS7 Virtualhost page proposal going on