  1. #1

    Getting a web-server ready for production

    Hello all,

    So I am getting a Mac OS X Server (10.5.6) ready to serve out our web-pages, VLE, Support desk and email. But first I have a few questions.

    1. I have currently set up the sites so that the DBs are on a different server from the Web front-ends. So each website (Joomla, Moodle, Support desk) has to connect back to another machine. Is this a good idea? The two servers won't be in the same location.

    2. If the first answer is yes it's a good idea, then is it a good idea to use non-standard port numbers? For example moving MySQL's port number from 3306 to something else. Moving IMAP port numbers to something else? And SMTP? Is it worth the extra hassle of configuring?

    4. MySQL Permissions for DB access. When configuring Joomla, Moodle etc. you create a user to connect to the DB with. What permissions should this user be given? Do they need all of them or only a select few?

    3. The final one (I think). I have numerous sites hosted on the one server and all of them use a log in facility. To protect the passwords I am using SSL. Now the problem is Apache complains about using SSL in conjunction with Virtual Hosts. This is something I need to research. But if this is the case how can I use more than one SSL site on one server?

    Hope you can help. I think that's everything...for now

    Thanks in advance.

  2. #2

    powdarrmonkey
    Quote Originally Posted by HodgeHi View Post
    1. I have currently set up the sites so that the DBs are on a different server from the Web front-ends. So each website (Joomla, Moodle, Support desk) has to connect back to another machine. Is this a good idea? The two servers won't be in the same location.
    If you're expecting to be very, very busy then yes, it is. But in a typical school I'd be surprised if you will notice any difference. It would make more sense if each front-end was on a different server as well, then you could take one down without killing other services.

    Quote Originally Posted by HodgeHi View Post
    2. If the first answer is yes it's a good idea, then is it a good idea to use non-standard port numbers? For example moving MySQL's port number from 3306 to something else. Moving IMAP port numbers to something else? And SMTP? Is it worth the extra hassle of configuring?
    I doubt it. A well-configured firewall would be a better solution.

    Quote Originally Posted by HodgeHi View Post
    4. MySQL Permissions for DB access. When configuring Joomla, Moodle etc. you create a user to connect to the DB with. What permissions should this user be given? Do they need all of them or only a select few?
    They won't need GRANT after initial installation except during upgrades.


    Quote Originally Posted by HodgeHi View Post
    3. The final one (I think). I have numerous sites hosted on the one server and all of them use a log in facility. To protect the passwords I am using SSL. Now the problem is Apache complains about using SSL in conjunction with Virtual Hosts. This is something I need to research. But if this is the case how can I use more than one SSL site on one server?
    No, you can only have one SSL site per IP address (so lots of IPs, lots of sites).

  3. Thanks to powdarrmonkey from:

    HodgeHi (26th March 2009)

  4. #3

    matt40k
    Quote Originally Posted by powdarrmonkey View Post
    No, you can only have one SSL site per IP address (so lots of IPs, lots of sites).
    Or have it all in subfolders.

  5. Thanks to matt40k from:

    HodgeHi (26th March 2009)

  6. #4

    Quote Originally Posted by matt40k View Post
    Or have it all in subfolders.
    Do you mean inside each one? How would this work when upgrading sites such as Joomla, Moodle? Would it not make it harder to do these things?

    So SSL requires individual IP addresses for each site. Would this then allow me to use as many self-signed certs without errors appearing in the logs? The sites still work but I am unsure as to what issues/vulnerabilities could arise from keeping it this way.

    Thanks for the advice so far though guys. Most appreciated.

  7. #5

    matt40k
    You can have 1 SSL address like ssl.webserver.local then have subfolders so:
    ssl.webserver.local/joomla
    ssl.webserver.local/helpdesk
    ssl.webserver.local/email

    Or you can have multiple SSL addresses like:
    joomla.webserver.local
    helpdesk.webserver.local
    email.webserver.local

    The second would require 3 (static) IPs.

  8. #6
    SteveBentley
    Quote Originally Posted by HodgeHi View Post
    4. MySQL Permissions for DB access. When configuring Joomla, Moodle etc. you create a user to connect to the DB with. What permissions should this user be given? Do they need all of them or only a select few?
    It depends on how the package needs to interact with the database. The install guide will tell you how to do it, for example https://help.ubuntu.com/community/Joomla specifies

    mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON joomla.* TO 'yourusername'@'localhost' IDENTIFIED BY 'yourpassword';

    Some packages are more specific, such as PHPMyAdmin, which requires a user with very specific rights on the main mysql database, and has different rights on each table. Probably because it is the main mysql database and if you leave it too loose you could compromise the whole server.

  9. Thanks to SteveBentley from:

    HodgeHi (28th April 2009)
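
Added example, not part of the thread or any poster's code: the privilege list quoted in post #6, applied to the setup from post #1 where the web front-end and the MySQL server are on different machines in different locations. The account name `joomla_app`, the address `192.0.2.10`, the password placeholder and the use of MySQL 5.7-or-later syntax are assumptions.

```sql
-- Added example; account name, address and password are placeholders (assumptions).
-- Assumes MySQL 5.7 or later (CREATE USER ... REQUIRE SSL). Run as an administrative user.

-- 1. Bind the account to the web front-end's address rather than '%' or
--    'localhost', and refuse unencrypted connections because the traffic
--    between the two sites leaves the local network.
CREATE USER 'joomla_app'@'192.0.2.10'
  IDENTIFIED BY 'CHANGE_ME_long_random_password'
  REQUIRE SSL;

-- 2. Privileges from the install guide quoted in post #6, scoped to one schema.
--    No WITH GRANT OPTION and nothing granted ON *.*
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON joomla.* TO 'joomla_app'@'192.0.2.10';

-- 3. Confirm what the account actually holds.
SHOW GRANTS FOR 'joomla_app'@'192.0.2.10';

-- 4. Audit: accounts that can log in from any host, that may connect
--    without TLS, or that hold server-wide GRANT / SUPER / FILE rights.
--    Local administrative accounts will appear here; review each row.
SELECT User, Host, ssl_type, Grant_priv, Super_priv, File_priv
FROM mysql.user
WHERE Host = '%'
   OR ssl_type = ''
   OR 'Y' IN (Grant_priv, Super_priv, File_priv);

-- 5. Audit: schema-level grants that can hand their own rights to other accounts.
SELECT User, Host, Db
FROM mysql.db
WHERE Grant_priv = 'Y';
```

Repeat steps 1 to 3 with a separate account and schema for each application (Moodle, support desk) so that a compromise of one front-end does not expose the other databases.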

  10. #7
    Jay
    Have you tried configuring different certificates for each location using <directory> in https.conf? (never tried it, but can't see why it wouldn't work.)

    You could also use a wildcard certificate which would cover *.blah.com, makes things easier as well as cheaper assuming all your virtual hosts are of the format [host].blah.com.

  11. #8

    powdarrmonkey
    Quote Originally Posted by Jay View Post
    Have you tried configuring different certificates for each location using <directory> in https.conf? (never tried it, but can't see why it wouldn't work.)
    No, you can't, because of a race condition negotiating the certificate to use for different hostnames. Recall that in HTTP/1.1 the hostname is presented to the browser *after* a secure connection has been negotiated, so the certificate is already chosen. If they don't match, the browser then whinges.

    The only way to use differing certificates based on some condition is to have different IP addresses (since these are lower in the OSI stack than the application layer).

  12. Thanks to powdarrmonkey from:

    Jay (26th March 2009)

  13. #9

    matt40k
    Quote Originally Posted by Jay View Post
    [host].blah.com.
    God I wish I owned blah.com... such a cool domain.
    Sorry, I'm wandering off topic...

  14. #10
    Jay
    Didn't know that, but it explains a restriction we have with a reverse proxy solution that serves multiple sites. I assumed the host address was presented to the server in the initial handshake. (lesson for today, never assume.)

    Cheers,
    Jay

  15. #11

    powdarrmonkey
    Quote Originally Posted by Jay View Post
    Didn't know that, but it explains a restriction we have with a reverse proxy solution that serves multiple sites. I assumed the host address was presented to the server in the initial handshake. (lesson for today, never assume.)
    If that were the case, you could sniff some data from the packet, which defeats the point of SSL (ok, it's not usually the most sensitive part, but that depends how embarrassing a site you're looking at. Or dangerous: https://bombsrus.com/ for example.)

  16. #12

    powdarrmonkey
    I just thought, you could also use one IP address with virtual hosts on multiple ports and therefore multiple SSL sites.

  17. Thanks to powdarrmonkey from:

    HodgeHi (28th April 2009)

  18. #13

    Sorry I haven't replied to any of these posts but I never got a mail saying there had been replies.

  19. #14

    Quote Originally Posted by SteveBentley View Post
    It depends on how the package needs to interact with the database. The install guide will tell you how to do it, for example https://help.ubuntu.com/community/Joomla.
    This was a very useful page. Thanks for this.


