does current webserver module support this?
in NS7 yes.
i meant in ns8. if not then it should be a priority, otherwise very many web apps can't be hosted
I liked the integration of web server into NS7 as it did help deploying some web based apps. I believe intranets still have a place in the world.
for now I am not sure but chronie is not installed inside the nginx app
I did a quick tour, some errors to solve but but
localhost/my-lamp-stack latest 508755d7a00e 36 seconds ago 650 MB
for apache, php, mariadb, phpmyadmin 650MB
Yesterday night I did some digging on how to manage the all-in-one solution.
Okay, going to be really honest, handling this project is no easy task.
Going to start with a breakdown on what is needed and the possible solution available at the moment, will start with a high complexity system then decrease the complexity going forward with some automation.
So far two different uses of the webserver are raised:
- Static only (single nginx container)
- PHP-FPM backend (nginx + php-fpm)
On top of that, it has been asked to bring some "plug-ins" which are:
- Database Support (with PHPMyAdmin and PGAdmin?)
- Cron jobs
And the mandatory requirement on top is:
- SSH/SFTP access
Going to iterate over the critical points, which if you agree, I might give a shot at:
- Every container that needs parameters (i.e. php extensions, additional software as git or whatever...) must be built onto the machine, which means no prior downloads but higher deployment time due to manually building the images. Since everything needs a bit of configuration, I'll build every image from the node you run the module on**.
- There will be a version selection for every container, which means it will be impossible to try out every combination. Be aware that bugs happening due to mismatching versions are rare, but they exist.
- No HTML UI at the moment, I won't waste time on something that might be thrown away due to complexity.
- Won't create any backup/feat related to NS8, at the time of writing.
Wrapping up, I've got a base to do list that might happen (it's a busy time in Nethesis, we'll see)
- Standalone and FPM mode of the module, giving the possibility to develop applications using remote DBs.
- SSH Access directly in the working container
- Cron Jobs
- DB support
- Maybe DB GUI, I don't agree in using such tools, due to an abundance of CVEs (usually)
**: in addition, I've found a way to completely customize the image if you speak a bit of Containerfile, this will be given to the hardcore devs to try it out
Hello @Tbaile Based on your findings and discussions above, I would kindly ask you to do the following.
Deploy a New VM, Install Control-webPanel
For some of the Advanced functions, i will suggest getting a Pro License, it's only $1.50 without support
Once installed, Play Around with the PHP-FPM Nginx Manager components,
I am sure it will be very enlightening and will answer a lot of questions you have above.
Including how the Various php versions, Extensions and modules are handled.
While it's a multi tenant system, some of the ideas and rules as you have stated above apply
I will share with you the code but for mattermost ldap I already did it
Nginx + php fpm + pdo postgres
PHP in my firewall? Apache in my firewall?
NethSec could become a pretty compelling product, however LAMP will be a single reason to reject NethServer for many of us in the security community. I understand LAMP has its following in the journeyman web community but it is not appropriate in serious security products.
We are talking about a lamp container in nethserver 8, the server part... anyway welcome in the community
Yes there are examples all over the web, but some times they lack the flexibility to do everything (I mean, they're containers, they're supposed to be immutable...)
Hi Matt and welcome!
Worry not, NethSecurity wonât have anything like that.
Weâre talking about a possible NethServer module!
Understood and agreed. I think the overall product is interesting but there are more than a couple of problems with this direction, which motivated me to post.
- Security is about trust and LAMP cannot be trusted.
- Why is a firewall managing utility containers? This seems like an unnecessary risk; container escape is a thing, and a container running LAMP will be used against you.
- PHP is chum in the water for automated compromise. They will look harder if they know your team is accepting toward software with such a long record of exploitation.
NethSecurity !== NethServer 8
As Steph said, you're referring to NethSecurity 8 project, which is way different from NethServer 8. You might want to take a look at that too!
I see these allegations all over the web, all the time. And, yes, LAMP stack has been a recurring security issue over the times, however most* of the vulnerabilities and attacks that have been exploited happen to fall on the hands of a developer (I see you, SQL Injections)
Nowadays I see no evil starting up a PHP project due to the wide support available and the longevity of the project (I must admit that PHP 8 took the project way forward to current times, before that everything was a little bit sluggish)
Even with this said, care to join the conversation and give your perspective?
Thanks for that clarification - I was totally conflating NethServer with NethSecurity. I don't have much to say about supporting PHP behind the firewall. I am glad I can keep NethSecurity in consideration!
That said I would still shy from green field PHP. I hear "PHP N took the project forward" for almost all versions of PHP; it's been less than two weeks since a 9.4 CVE was issued on multiple versions of PHP 8.
Feel free to let us know if you need something!
True, for example there's this one but again, if you leave your user input parameters in a proc_open(), maybe the issue is not the software, it's the developer
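The two developer-side mistakes named in this thread (SQL injection a few posts up, and user input reaching proc_open() here) side by side with their hardened forms, as an added example that is not part of any post in the thread. The helpers, the hypothetical `users` table and the choice of the `host` lookup command are assumptions made for the illustration; the array form of proc_open() requires PHP 7.4 or later.

```php
<?php
// Added example, not from the thread: the same two operations written
// the way that hands control to the attacker, and the way that does not.

// ---- Command execution -------------------------------------------------

// Unsafe shape: $host is spliced into a string that /bin/sh parses, so any
// shell metacharacter in the request becomes part of the command line.
function lookupUnsafe(string $host): string
{
    $proc = proc_open("host $host", [1 => ['pipe', 'w']], $pipes);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Hardened shape: validate against the grammar the program actually needs,
// then pass argv as an array (PHP >= 7.4) so no shell is involved at all.
function lookupSafe(string $host): ?string
{
    // Hostname characters only, no leading '-' that could be read as a flag.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host)) {
        return null;
    }
    $descriptors = [
        1 => ['pipe', 'w'],   // stdout
        2 => ['pipe', 'w'],   // stderr, drained so the child cannot block
    ];
    $proc = proc_open(['host', $host], $descriptors, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// ---- Database query ----------------------------------------------------

// Unsafe shape: the login is concatenated into SQL, so a quote in the
// input rewrites the query (the "SQL Injections" mentioned in the thread).
function findUserUnsafe(PDO $db, string $login): ?array
{
    $row = $db->query("SELECT id, login FROM users WHERE login = '$login'")
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened shape: a prepared statement binds $login as a value; the SQL
// text sent to the server never contains user data.
function findUserSafe(PDO $db, string $login): ?array
{
    $stmt = $db->prepare('SELECT id, login FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage on constructed input (assumed in-memory SQLite schema for the demo).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT)');
$db->exec("INSERT INTO users (login) VALUES ('alice')");

var_dump(findUserSafe($db, "alice"));               // array with id 1
var_dump(findUserSafe($db, "' OR '1'='1"));          // null: treated as a literal
var_dump(lookupSafe('example.com; id') === null);   // true: rejected before exec
```

The pattern is the same in both halves: the user-controlled value is kept as data (an argv element, a bound parameter) instead of being spliced into text that another interpreter (the shell, the SQL engine) will parse. That is the developer responsibility the post above is pointing at, independent of which PHP version is in the container.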
I might be confused. Are you condemning the PHP language or the people who use it? I'm thinking it sorta doesn't matter if the result is buggy!
Eitherhow, I am looking for a homelab firewall and NS8 looks good so far. Summer is my travel season so progress is slow until I'm at the desk more.
problems on the earth are always humans, not really technologies