[Mageia-webteam] Forum installation (almost) complete

Maât maat-ml at vilarem.net
Tue Feb 22 15:08:16 CET 2011 

Le 22/02/2011 13:42, Michael Scherer a écrit :
> Hi,
>
> I finished the most part of the puppet deployment of the forum this
> night, as those who were idling on #mageia-sysadmin know.
\o/ great !

> So thanks to the work of Maat and ashledombos, we do have :
> - a git repository on git://git.mageia.org/forum/ ( write access :
> ssh://git.mageia.org/git/forum/ for them, as they requested ). Filled
> with what was sent to me last week.
>
> - the friteuse vm that hold the forum is hosted on alamut, for the
> moment, with a reverse proxy, on both http and https
>
We'll need perhaps to force a redirection for http to https (dunno is phpbb works well with both ways)


> - the database is hosted on alamut, on pgsql. 
>
> - a git snapshot of the current code that was sent is deployed, along
> with puppet stuff to deploy it more than once ( hosting for more than
> one forum was on the TODO list after all )
>
> - I had to remove ./install/, as asked by phpbb who refused to work. I
> do not know if there was something needed, it is still in git, just
> removed on the snapshot with rm ( I kept in git to ease the merge of
> code later ).
>
an other approach is to rename install -> noinstall and prevent completely access to noinstall with apache deny

-> when we need to use again install a move noinstall -> install sets back the forum to maintenance mode

(for better security controlling access to install with an ip whitelist or even a http based login against ldap would be nice)

> What is left to do :
>
> - There is likely missing write permissions ( I have started to lock
> down and opened ./cache/, and it was sufficient to have something to
> see )
>
Yup but we'll need also write access to upload dirs (for uploaded files, pictures, avatars, smilies...)


> - As using .htaccess cause performance penalty, I have not enabled them,
> but maybe part of them are required. In any case, we need to review them
> and add them to the apache configuration if needed. IIRC, most are just
> "do not go to this directory".
>
we need to rewrite, control accesses and other things like that.

If we don't use .htaccess then all these configs need to be moved to apache vhost config

> - https has to be forced for the login, and cleartext has to be disabled
> ( as cleartext passwords for sysadmins and people with ldap admin rights
> is IMHO 'niet', and we cannot rely on people never forgetting this to
> always log using SSL )
>
https for all ?

(and redirection http->https)

> - ssl certs should be corrected ( as I discovered during the night ),
> but that should be quick ( when I mean corrected, I speak of the wrong
> host, not of the fact they are self signed ).
>
> - IMHO, a clearer separation of code and theme should be done, as for
> now, we do have everything in the same git repository
>
Ok but how ?

> - Various things would IMHO have to be adjusted ( like email, etc ). 
>
yup

> - for sysadmin, the git hosting has to be completed ( mail notification,
> web interface, various commits hooks, etc )
>
> - php deployment should also be hardened and fixed ( fixed because php
> complain about some timezone issue ).
>
-> Define timezone in php.ini

> - registration on the forum without using identity, as we decided in
> this thread
> ( https://www.mageia.org/pipermail/mageia-sysadm/2010-November/000897.html ) should be disabled. I didn't went further but it didn't seemed to be the case ( at least, not in the interface ).
>
yes... at registration could be done but the created account would not be able to log in

> - prepare the migration to the vm at nfrance ( once it is ready ). This
> will requires some adjustments to some puppet modules, as we assumed
> that only one db server would be used.
>
ph34r the distance between db server (Marseille) and forum (Toulouse)


> For now, the forum is locked ( using the builtin forum facility ) until
> I do a quick review of the .htaccess stuff, and because I think people
> didn't want to have it opened without knowing it was installed. Forum
> admin should be able to unlock it if they want ( unless I was wrong
> about the way phpbb work )
I'll try to log in and do also a tiny review

Thanks Misc

More information about the Mageia-webteam mailing list