On 8/25/24 17:55, Zé Loff wrote:
> On Sun, Aug 25, 2024 at 02:49:03PM -0400, David Colburn wrote:
>>> After a cursory reading, it looks OK. But don't forget to read the
>>> supplied documentation, after installing the package:
>>>
>>> less /usr/local/share/doc/pkg-readmes/mariadb-server
>>>
>>> Also, most of those steps don't have to do with mariadb, but with simple
>>> system administration. Installing the package, starting and stopping
>>> services, and checking if processes are running and ports are open are
>>> all tasks you should be familiar with.
>> All good to this point, thanks.
>>
>> Now I'm reading this in
>>
>> /usr/local/share/doc/pkg-readmes/mariadb-server
>>
>> Given that lighttpd runs in chroot am I correct that I need to run the
>> following install and then edit /etc/my.cnf for things to play nicely
>> together?
>>
>> Thanks,
>>
>> David
>>
>> --------------------------------------------------------------------------------------------------------------------
>>
>> chrooted daemons and MariaDB socket
>> ===================================
>>
>> For external program running under a chroot(8) to be able to access the
>> MariaDB server without using a network connection, the socket must be
>> placed inside the chroot.
>>
>> e.g. httpd(8) or nginx(8): connecting to MariaDB from PHP
>> ---------------------------------------------------------
>> Create a directory for the MariaDB socket:
>>
>> # install -d -m 0711 -o _mysql -g _mysql /var/www/var/run/mysql
>>
>> Adjust /etc/my.cnf to use the socket in the chroot - this
>> applies to both client and server processes:
>>
>> [client-server]
>> socket = /var/www/var/run/mysql/mysql.sock
> You have three progressively less restrictive ways of providing access
> to your database server:
>
> * A Unix socket:
> If all the database consumers will be running locally, you can use a
> socket. If any of the consumers will be running chrooted to /var/www,
> then you'll need to put the socket in the chroot, as described on the
> pkg-readme (and remember not to use the full path when configuring the
> chrooted clients).
>
> * TCP, listening on 127.0.0.1:
> If all consumers will be running on the same host, and if you don't want
> the hassle of setting up the socket -- the tradeoff being having the
> socket available for every process that can use inet -- then you can
> just configure mariadb to listen on the loopback interface. If you have
> "set skip on lo0" on pf.conf (it's there by default), then you won't
> need to add anything else to that file.
>
> * TCP, listening on other interfaces:
> You'll need this if the database is to be accessible to other hosts.
> Using this option might require adjusting your filtering rules on
> pf.conf.
>
>
> You can use any combination of the above methods (socket only, loopback
> only, socket+loopback, socket+other interfaces, etc). See the "port",
> "socket", "skip-networking" and "bind-address" options on the [mysqld]
> section of /etc/my.cnf, and remember to setup the [client] section
> accordingly (i.e., if you skip-networking, don't configure the client to
> use TCP/IP, and if you don't setup a server socket, don't configure the
> client to use it).
>
> And make sure you know what you need, and why, before configuring
> things.
>
Thank you for your reply.

Here's my attempt to assess & describe what I need, and why ...

This will be a self-hosted Web-facing server using the Chamilo-LMS
(learning management system) interface.

All of the users, students and teachers alike, would log into the
Chamilo-LMS host.

All of the data that Chamilo-LMS would serve would be hosted on the same
machine where it resides.

(Note: If I understand correctly, the preferred best-security practice
is to require a user of Chamilo-LMS to access any external links by
leaving the server - e.g. a remote user would open a second tab on their
machine to open a non-local URL, rather than my server passing that
content. True?)

As I understand it, Chamilo-LMS is based on PHP and uses MariaDB, but
Lighttpd is what manages the internal and Web-facing network side of
things?

So, database consumers would only communicate with MariaDB via Chamilo-LMS?

Would Chamilo-LMS need a Unix socket to communicate with MariaDB?

And then Lighttpd would use TCP (listening on 127.0.0.1) between the
Chamilo-LMS consumer login accounts and the world?

Thanks!
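
Added example, not part of the original thread or of the MariaDB package: a Python check that classifies a my.cnf into the three access methods listed in the quoted reply, derives the socket path a client chrooted to /var/www has to use, and flags a [client] section that disagrees with the server. The function name `assess`, the sample config and the rule that an unset bind-address means "all interfaces" are assumptions of this example; only the [client-server], [mysqld] and [client] sections are read.

```python
import configparser
from pathlib import PurePosixPath

CHROOT = "/var/www"  # web server chroot used in the pkg-readme
LOOPBACK = ("127.0.0.1", "::1", "localhost")

# Constructed sample config, not taken from a real host.
SAMPLE = """\
[client-server]
socket = /var/www/var/run/mysql/mysql.sock
[mysqld]
skip-networking
[client]
protocol = tcp
"""

def _merged(cp, *names):
    """Merge sections in order; my.cnf treats '-' and '_' in option names alike."""
    merged = {}
    for name in names:
        if cp.has_section(name):
            merged.update({k.replace("_", "-"): v for k, v in cp.items(name)})
    return merged

def assess(text, chroot=CHROOT):
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    # Drop !include/!includedir directives, which configparser cannot parse.
    cp.read_string("\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!")))
    server = _merged(cp, "client-server", "mysqld")
    client = _merged(cp, "client-server", "client")
    flag = server.get("skip-networking", "0") or "1"  # a bare option parses as None
    no_net = flag.lower() not in ("0", "off", "false")
    # Assumption of this example: an unset bind-address means all interfaces.
    bind = server.get("bind-address") or "*"
    exposure = ("socket only" if no_net else
                "loopback TCP" if bind in LOOPBACK else "TCP on other interfaces")
    sock, rel = server.get("socket"), None
    if sock and PurePosixPath(chroot) in PurePosixPath(sock).parents:
        # The same socket file as seen from inside the chroot.
        rel = "/" + str(PurePosixPath(sock).relative_to(chroot))
    warnings = []
    if no_net and client.get("protocol", "").lower() == "tcp":
        warnings.append("client uses TCP but server has skip-networking")
    if "socket" in client and client["socket"] != sock:
        warnings.append("client socket does not match the server's configured socket")
    return {"exposure": exposure, "chroot_socket": rel, "warnings": warnings}

if __name__ == "__main__":
    print(assess(SAMPLE))
```
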