Thursday, August 29, 2024

Re: MariaDB install any different for OpenBSD 7.5 than 6.4?

On 8/26/24 04:41, Zé Loff wrote:
> On Sun, Aug 25, 2024 at 08:10:52PM -0400, David Colburn wrote:
>> On 8/25/24 17:55, Zé Loff wrote:
>>> On Sun, Aug 25, 2024 at 02:49:03PM -0400, David Colburn wrote:
>>>>> After a cursory reading, it looks OK. But don't forget to read the
>>>>> supplied documentation, after installing the package:
>>>>>
>>>>> less /usr/local/share/doc/pkg-readmes/mariadb-server
>>>>>
>>>>> Also, most of those steps don't have to do with mariadb, but with simple
>>>>> system administration. Installing the package, starting and stopping
>>>>> services, and checking if processes are running and ports are open are
>>>>> all tasks you should be familiar with.
>>>> All good to this point, thanks.
>>>>
>>>> Now I'm reading this in
>>>>
>>>> /usr/local/share/doc/pkg-readmes/mariadb-server
>>>>
>>>> Given that lighttpd runs in chroot am I correct that I need to run the
>>>> following
>>>>
>>>> install and then edit /etc/my.cnf for things to play nicely together?
>>>>
>>>> Thanks,
>>>>
>>>> David
>>>>
>>>> --------------------------------------------------------------------------------------------------------------------
>>>>
>>>> chrooted daemons and MariaDB socket
>>>> ===================================
>>>>
>>>> For external program running under a chroot(8) to be able to access the
>>>> MariaDB server without using a network connection, the socket must be
>>>> placed inside the chroot.
>>>>
>>>> e.g. httpd(8) or nginx(8): connecting to MariaDB from PHP
>>>> ---------------------------------------------------------
>>>> Create a directory for the MariaDB socket:
>>>>
>>>>     # install -d -m 0711 -o _mysql -g _mysql /var/www/var/run/mysql
>>>>
>>>> Adjust /etc/my.cnf to use the socket in the chroot - this
>>>> applies to both client and server processes:
>>>>
>>>>     [client-server]
>>>>     socket = /var/www/var/run/mysql/mysql.sock
>>> You have three progressively less restrictive ways of providing access
>>> to your database server:
>>>
>>> * A Unix socket:
>>> If all the database consumers will be running locally, you can use a
>>> socket. If any of the consumers will be running chrooted to /var/www,
>>> then you'll need to put the socket in the chroot, as described on the
>>> pkg-readme (and remember not to use the full path when configuring the
>>> chrooted clients).
>>>
>>> * TCP, listening on 127.0.0.1:
>>> If all consumers will be running on the same host, and if you don't want
>>> the hassle of setting up the socket -- the tradeoff being having the
>>> socket available for every process that can use inet -- then you can
>>> just configure mariadb to listen on the loopback interface. If you have
>>> "set skip on lo0" on pf.conf (it's there by default), then you won't
>>> need to add anything else to that file.
>>>
>>> * TCP, listening on other interfaces:
>>> You'll need this if the database is to be accessible to other hosts.
>>> Using this option might require adjusting your filtering rules on
>>> pf.conf.
>>>
>>>
>>> You can use any combination of the above methods (socket only, loopback
>>> only, socket+loopback, socket+other interfaces, etc). See the "port",
>>> "socket", "skip-networking" and "bind-address" options on the [mysqld]
>>> section of /etc/my.cnf, and remember to set up the [client] section
>>> accordingly (i.e., if you skip-networking, don't configure the client to
>>> use TCP/IP, and if you don't set up a server socket, don't configure the
>>> client to use it).
>>>
>>> And make sure you know what you need, and why, before configuring
>>> things.
>>>
>> Thank you for your reply.
>>
>> Here's my attempt to assess & describe what I need, and why ...
>>
>> This will be a self-hosted Web-facing server using the Chamilo-LMS
>> (learning management system) interface.
>>
>> All of the users, students and teachers alike, would log into the
>> Chamilo-LMS host.
>>
>> All of the data that Chamilo-LMS would serve would be hosted on the same
>> machine where it resides.
>>
>> (Note: If I understand correctly, the preferred best-security practice is
>> to require a user of Chamilo-LMS to access any external links by leaving
>> the server - e.g. a remote user would open a second tab on their machine
>> to open a non-local URL, rather than my server passing that content.
>> True?)
>>
>> As I understand it, Chamilo-LMS is based on PHP and uses MariaDB, but
>> Lighttpd is what manages the internal and Web-facing network side of
>> things?
>>
>> So, database consumers would only communicate with MariaDB via Chamilo-LMS?
>>
>> Would Chamilo-LMS need a Unix socket to communicate with MariaDB?
>>
>> And then Lighttpd would use TCP (listening on 127.0.0.1) between the
>> Chamilo-LMS consumer login accounts and the world?
>>
>> Thanks!
>>
> I'm not familiar with Chamilo-LMS, but you'll probably need to also run
> php-fpm. I'm far from understanding the inner workings of all this, but
> I believe this is how it usually goes: a web server gets the request
> from the client (whether 'internal' or 'web-facing', it doesn't matter),
> and if it's a PHP page, it passes it via CGI to an interpreter (e.g.
> php-fpm). You'll need to configure your web server to do this, by
> setting up a rule not unlike "if the requested URL ends with .php then
> forward it to the interpreter". The interpreter will then parse and
> execute the code (including connecting to and querying the database),
> and generate the HTML code that is sent back to the web server (and then
> to the client's browser, obviously).
>
> php-fpm is installed by the `php-<version>` packages and, in my
> experience, can pretty much run with the default configuration. That
> being said, taking a look at `/etc/php-fpm.conf` to see if it all makes
> sense is always a good idea. You can run it and make it start by
> default using `rcctl`, just like the other services. As per the default
> config, php-fpm will run chrooted to `/var/www`, just like lighttpd.
>
> Since PHP code runs server-side, all connections to the database will
> come from the PHP interpreter. Since you are running everything (web
> and database) on the same machine, then yes, the PHP interpreter can
> communicate with the database via the Unix socket. Like I said in my
> previous message, you can also have them communicate through a TCP
> socket, via an IP interface (loopback, or whatever). Since you are
> setting up the MariaDB server just for this, I'd keep it simple and go
> with the socket.
>
> I'm not sure if Chamilo-LMS _requires_ lighttpd, and I bet you could do
> with OpenBSD's own httpd, but you managed to get lighttpd running by
> now, so that's fine. You can try switching later, if you want to.
>
> As for the external links thing, I'd say yes, it is preferable to have
> the client fetch those directly, both for security and efficiency
> reasons.
>
> Cheers
>
Sorry for my delayed reply. Too many distractions here for days to focus
on this.

In `/etc/php-fpm.conf` almost everything is commented out.

I think this correctly represents what isn't commented out:

```
include = /etc/php-fpm.d/*.conf
user = www
group = www

;pool name
[www]
listen = /var/www/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = dynamic
pm.max_children=5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chroot = /var/www
```
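The two configuration fragments in this thread have to agree with each other: the pkg-readme moves the MariaDB socket under `/var/www` so a chrooted daemon can reach it, and php-fpm.conf shows `chroot = /var/www`, which is why Zé's advice is to give the chrooted client the path without the chroot prefix. The script below is an added example, not part of the thread, the pkg-readme or the OpenBSD packages: it parses constructed copies of both files with plain sed, derives the socket path a PHP client inside the php-fpm chroot must be given, and refuses when the socket lies outside the chroot. The function names and the sample configuration texts are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread, the pkg-readme or the OpenBSD packages):
# check that the MariaDB socket configured in my.cnf lies inside the php-fpm
# chroot and print the path a PHP client inside that chroot must be given.
# Function names and the sample configuration texts below are constructed.

# Print the value of "KEY = value" from INI-style text on stdin.
# First match wins; surrounding blanks are stripped; comment lines
# (';' or '#' first) never match because the key must start the line.
ini_value() {
    sed -n "/^[[:space:]]*$1[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*\$//;p;q;}"
}

# my.cnf: the "socket" value, which the pkg-readme puts in [client-server]
# so that server and client agree on one path.
mycnf_socket() { ini_value socket; }

# php-fpm.conf: the "chroot" value (/var/www in the config quoted above).
fpm_chroot() { ini_value chroot; }

# Given a chroot directory and an absolute socket path, print the path as
# seen from inside the chroot (prefix stripped). Returns 1 when the socket
# is outside the chroot, since no chrooted process could ever open it.
chroot_relative() {
    root=${1%/}
    sock=$2
    case "$sock" in
        "$root"/*) printf '%s\n' "${sock#"$root"}" ;;
        *) return 1 ;;
    esac
}

# Combine both: arguments are the php-fpm.conf text and the my.cnf text.
# Prints the socket path the PHP application must use, or a diagnostic
# on stderr with exit status 1.
php_client_socket() {
    jail=$(printf '%s\n' "$1" | fpm_chroot)
    sock=$(printf '%s\n' "$2" | mycnf_socket)
    if [ -z "$sock" ]; then
        echo 'my.cnf sets no socket path' >&2
        return 1
    fi
    if [ -z "$jail" ]; then
        # php-fpm not chrooted: the host path is the right one
        printf '%s\n' "$sock"
        return 0
    fi
    chroot_relative "$jail" "$sock" || {
        printf 'socket %s is outside the php-fpm chroot %s\n' "$sock" "$jail" >&2
        return 1
    }
}

# Constructed samples; nothing on the host filesystem is read.
SAMPLE_FPM='[global]
user = www
group = www

[www]
listen = /var/www/run/php-fpm.sock
chroot = /var/www'

SAMPLE_MYCNF='; constructed: my.cnf adjusted as the pkg-readme describes
[client-server]
socket = /var/www/var/run/mysql/mysql.sock'

BAD_MYCNF='; constructed: socket left at a path outside /var/www
[client-server]
socket = /var/run/mysql/mysql.sock'

php_client_socket "$SAMPLE_FPM" "$SAMPLE_MYCNF"   # prints /var/run/mysql/mysql.sock
php_client_socket "$SAMPLE_FPM" "$BAD_MYCNF" ||
    echo 'move the socket into the chroot before pointing PHP at it'
```

Run it as `sh check-socket.sh`; the printed path is what goes into the PHP application's database configuration, while `/etc/my.cnf` itself keeps the full host path, since mysqld is not chrooted. Copying the real files into the two sample variables (or replacing the `printf` pipelines with `sed ... /etc/php-fpm.conf`) turns it into a quick pre-flight check after editing either file.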
