What could be your dreamed lamp module for NS8

oneitonitram · May 28, 2024, 6:11am

does current webserver module support this?

capote · May 28, 2024, 6:12am

in NS7 yes.

oneitonitram · May 28, 2024, 6:15am

i meant in ns8. if not then it should be a priority, otherwise very many web apps cant be hosted

KdB · May 28, 2024, 7:45am

I liked the integration of web server into NS7 as it did help deploying some web based apps. I believe intranets still have a place in the world.

stephdl · May 28, 2024, 8:26am

for now I am not sure but chronie is not installed inside the nginx app

stephdl · May 29, 2024, 2:14pm

I did a quick tour, some errors to solve but but

localhost/my-lamp-stack             latest               508755d7a00e  36 seconds ago  650 MB

for apache, php, mariadb, phpmyadmin 650MB

Tbaile · June 5, 2024, 1:27pm

Yesterday night I did some digging on how to manage the all-in-one solution.
Okay, going to be really honest, handling this project is no easy task.
Going to start with a breakdown on what is needed and the possible solution available at the moment, will start with an high complexity system then decrese the complexity going forward with some automation.
So far two different uses of the webserver are raised:

Static only (single nginx container)
PHP-FPM backend (nginx + php-fpm)

On top of that, it has been asked to bring some “plug-ins” which are:

Database Support (with PHPMyAdmin and PGAdmin?)
Cron jobs

And the mandatory requirement on top is:

SSH/SFTP access

Going to iterate over the critical points, which if you agree, I might give a shot at:

Every container that needs parameters (i.e. php extensions, additional software as git or whatever…) must be built onto the machine, which means no prior downloads but higher deployment time due to manually building the images. Since everything needs a bit of configuration, I’ll build every image from the node you run the module on**.
There will be a version selection for every container, which means it will be impossible to try out every combination. Be aware that bugs happening due to mismatching versions are rare, but they exist.
No HTML UI at the moment, I won’t waste time on something that might be thrown away due to complexity.
Won’t create any backup/feat related to NS8, at the time of writing.

Wrapping up, I’ve got a base to do list that might happen (it’s a busy time in Nethesis, we’ll see)

Standalone and FPM mode of the module, giving the possibility to develop applications using remote DBs.
SSH Access directly in the working container
Cron Jobs
DB support
Maybe DB GUI, I don’t agree in using such tools, due to an abundance of CVEs (usually)

**: in addition, I’ve found a way to completely customize the image if you speak a bit of Containerfile, this will be given to the hardcore devs to try it out

oneitonitram · June 5, 2024, 2:05pm

Hello @Tbaile Based on your findings and discussions above, I would kindly ask you to do the following.

Deploy a New VM, Instal Control-webPanel

For some of the Advanced functions,i will sugget getting a Pro License its only $1.50 without support

Install installed, Play Around with the PHP-FPM Nginx Manager componets,

I am sure it will be very enlightening and will answer alot of questions you have above.
Including how the Various php versions, Extensions and modules are handled.

While its a multi tenant ssytem, some of the ideas an rules as you have stated above apply

stephdl · June 5, 2024, 6:11pm

I will share with you the code but for mattermost ldap I already did it

Nginx + php fpm + pdo postgres

stephdl · June 5, 2024, 8:08pm

github.com

NethServer/ns8-mattermost/blob/3875e0e8f86bb927902d11aa802f7f19d457d96c/build-images.sh#L47


      
              --label="org.nethserver.rootfull=0" \
              --label="org.nethserver.images=docker.io/postgres:13.13-alpine docker.io/mattermost/mattermost-team-edition:$MATTERMOST_VERSION ghcr.io/nethserver/mattermost-ldap:${IMAGETAG}" \
              "${container}"
          # Commit the image
          buildah commit "${container}" "${repobase}/${reponame}"
          
          # Append the image URL to the images array
          images+=("${repobase}/${reponame}")
          
          
          # Create mattermost-ldap image
          reponame="mattermost-ldap"
          container=$(buildah from  docker.io/library/alpine:${ALPINE_VERSION})
          buildah config --env MATTERMOST_LDAP=${MATTERMOST_LDAP_VERSION} "${container}"
          buildah run "${container}" /bin/sh <<'EOF'
          set -e
          apk add --no-cache \
            curl \
            nginx \
            php83 \
            php83-fpm \

Matt_Hudson · June 7, 2024, 11:06am

PHP in my firewall? Apache in my firewall?

NethSec could become a pretty compelling product, however LAMP will be a single reason to reject NethServer for many of us in the security community. I understand LAMP has its following in the journeyman web community but it is not appropriate in serious security products.

stephdl · June 7, 2024, 11:13am

We are talking about a lamp container in nethserver 8, the server part…anyway welcome in the community

Tbaile · June 7, 2024, 11:13am

Yes there are examples all over the web, but some times they lack the flexibility to do everything (I mean, they’re containers, they’re supposed to be immutable…)

Hi Matt and welcome!
Worry not, NethSecurity won’t have anything like that.
We’re talking about a possible NethServer module!

Matt_Hudson · June 7, 2024, 11:21am

Understood and agreed. I think the overall product is interesting but there are more than a couple of problems with this direction, which motivated me to post.

Security is about trust and LAMP cannot be trusted.
Why is a firewall managing utility containers? This seems like an unnecessary risk; container escape is a thing, and a container running LAMP will be used against you.
PHP is chum in the water for automated compromise. They will look harder if they know your team is accepting toward software with such a long record of exploitation.

stephdl · June 7, 2024, 11:58am

NethSecurity !== NethServer 8

Tbaile · June 7, 2024, 3:05pm

As Steph said, you’re referring to NethSecurity 8 project, which is way different from NethServer 8. You might want to take a look at that too!

I see these allegations all over the web, all the time. And, yes, LAMP stack have been a recurring security issue over the times, however most* of the vulnerabilites and attacks that have been exploited happens to fall on the hands of a developer (I see you, SQL Injections)

Nowadays I see no evil starting up a PHP project due to the wide support available and the longevity of the project (I must admit that PHP 8 took the project way forward to current times, before that everything was a little bit sluggish)

Even with this said, care to join the conversation and give your perspective?

Matt_Hudson · June 8, 2024, 2:19pm

Thanks for that clarification - I was totally conflating NethServer with NethSecurity. I don’t have much to say about supporting PHP behind the firewall. I am glad I can keep NethSecurity in consideration!

That said I would still shy from green field PHP. I hear “PHP N took the project forward” for almost all versions of PHP; it’s been less than two weeks since a 9.4 CVE was issued on multiple versions of PHP 8.

Tbaile · June 10, 2024, 8:35am

Feel free to let us know if you need something!

True, for example there’s this one but again, if you leave your user input parameters in a proc_open(), maybe the issue is not the software, is the developer

Matt_Hudson · June 10, 2024, 10:01am

I might be confused. Are you condemning the PHP language or the people who use it? I’m thinking it sorta doesn’t matter if the result is buggy!

Eitherhow, I am looking for a homelab firewall and NS8 looks good so far. Summer is my travel season so progress is slow until I’m at the desk more.

stephdl · June 10, 2024, 10:02am

problem on the earth are always humans, not really technologies