On Sun, Aug 25, 2024 at 08:10:52PM -0400, David Colburn wrote:
> On 8/25/24 17:55, Zé Loff wrote:
> > On Sun, Aug 25, 2024 at 02:49:03PM -0400, David Colburn wrote:
> > > > After a cursory reading, it looks OK. But don't forget to read the
> > > > supplied documentation, after installing the package:
> > > >
> > > > less /usr/local/share/doc/pkg-readmes/mariadb-server
> > > >
> > > > Also, most of those steps don't have to do with mariadb, but with simple
> > > > system administration. Installing the package, starting and stopping
> > > > services, and checking if processes are running and ports are open are
> > > > all tasks you should be familiar with.
> > > All good to this point, thanks.
> > >
> > > Now I'm reading this in
> > >
> > > /usr/local/share/doc/pkg-readmes/mariadb-server
> > >
> > > Given that lighttpd runs in chroot am I correct that I need to run the
> > > following
> > >
> > > install and then edit /etc/my.cnf for things to play nicely together?
> > >
> > > Thanks,
> > >
> > > David
> > >
> > > --------------------------------------------------------------------------------------------------------------------
> > >
> > > chrooted daemons and MariaDB socket
> > > ===================================
> > >
> > > For external program running under a chroot(8) to be able to access the
> > > MariaDB server without using a network connection, the socket must be
> > > placed inside the chroot.
> > >
> > > e.g. httpd(8) or nginx(8): connecting to MariaDB from PHP
> > > ---------------------------------------------------------
> > > Create a directory for the MariaDB socket:
> > >
> > > # install -d -m 0711 -o _mysql -g _mysql /var/www/var/run/mysql
> > >
> > > Adjust /etc/my.cnf to use the socket in the chroot - this
> > > applies to both client and server processes:
> > >
> > > [client-server]
> > > socket = /var/www/var/run/mysql/mysql.sock
> > You have three progressively less restrictive ways of providing access
> > to your database server:
> >
> > * A Unix socket:
> > If all the database consumers will be running locally, you can use a
> > socket. If any of the consumers will be running chrooted to /var/www,
> > then you'll need to put the socket in the chroot, as described on the
> > pkg-readme (and remember not to use the full path when configuring the
> > chrooted clients).
> >
> > * TCP, listening on 127.0.0.1:
> > If all consumers will be running on the same host, and if you don't want
> > the hassle of setting up the socket -- the tradeoff being having the
> > socket available for every process that can use inet -- then you can
> > just configure mariadb to listen on the loopback interface. If you have
> > "set skip on lo0" on pf.conf (it's there by default), then you won't
> > need to add anything else to that file.
> >
> > * TCP, listening on other interfaces:
> > You'll need this if the database is to be accessible to other hosts.
> > Using this option might require adjusting your filtering rules on
> > pf.conf.
> >
> >
> > You can use any combination of the above methods (socket only, loopback
> > only, socket+loopback, socket+other interfaces, etc). See the "port",
> > "socket", "skip-networking" and "bind-address" options on the [mysqld]
> > section of /etc/my.cnf, and remember to setup the [client] section
> > accordingly (i.e., if you skip-networking, don't configure the client to
> > use TCP/IP, and if you don't setup a server socket, don't configure the
> > client to use it).
> >
> > And make sure you know what you need, and why, before configuring
> > things.
> >
> Thank you for your reply.
>
> Here's my attempt to assess & describe what I need, and why ...
>
> This will be a self-hosted Web-facing server using the Chamilo-LMS
>
> (learning management system) interface.
>
> All of the users, students and teachers alike, would log into the
> Chamilo-LMS host.
>
> All of the data that Chamilo-LMS would serve would be hosted on the same
>
> machine where it resides.
>
> (Note: If I understand, correctly, the preferred best-security practice is
> to require
>
> a user of Chamilo-LMS to access any external links by leaving the server -
>
> e.g. a remote user would open a second tab on their machine to open a
> non-local
>
> URL, rather than my server passing that content. True?)
>
> As I understand it, Chamilo-LMS is based on PHP and uses MariaDB, but
> Lighttpd
>
> is what manages the internal and Web-facing network side of things?
>
> So, database consumers would only communicate with MariaDB via Chamilo-LMS?
>
> Would Chamilo-LMS need a Unix socket to communicate with MariaDB?
>
> And then Lighttpd would use TCP (listening on 127.0.0.1) between the
> Chamilo-LMS
>
> consumer login accounts and the world?
>
> Thanks!
>
I'm not familiar with Chamilo-LMS, but you'll probably need to also run
php-fpm. I'm far from understanding the inner workings of all this, but
I believe this is how it usually goes: a web server gets the request
from the client (whether 'internal' or 'web-facing', it doesn't matter),
and if its a PHP page, it passes it via CGI to an interpreter (e.g.
php-fpm). You'll need to configure your web server to do this, by
setting up a rule not unlike "if the requested URL ends with .php then
forward it to the interpreter". The interpreter will then parse and
execute the code (including connecting to and querying the database),
and generate the HTML code that is sent back to the web server (and then
to the client's browser, obviously).
php-fpm is installed by the `php-<version>` packages and, in my
experience, can pretty much run with the default configuration. That
being said, taking a look at `/etc/php-fpm.conf` to see if it all makes
sense is always a good idea. You can run it and make it start by
default using `rcctl`, just like the other services. As per the default
config, php-fpm will run chrooted to `/var/www`, just like lighttpd.
Since PHP code runs server-side, all connections to the database will
come from the PHP interpreter. Since you are running everything (web
and database) on the same machine, then yes, the PHP interpreter can
communicate with the database via the Unix socket. Like I said in my
previous message, you can also have them communicate through a TCP
socket, via an IP interface (loopback, or whatever). Since you are
setting up the MariaDB server just for this, I'd keep it simple and go
with the socket.
I'm not sure if Chamilo-LMS _requires_ lighttpd, and I bet you could do
with OpenBSD's own httpd, but you managed to get lighttpd running by
now, so that's fine. You can try switching later, if you want to.
As for the external links thing, I'd say yes, it is preferable to have
the client fetch those directly, both for security and efficiency
reasons.
Cheers
--
No comments:
Post a Comment