[Mageia-webteam] Forum installation (almost) complete

Michael Scherer misc at zarb.org
Tue Feb 22 16:09:27 CET 2011


On Tuesday 22 February 2011 at 15:08 +0100, Maât wrote:
> On 22/02/2011 13:42, Michael Scherer wrote:
> > Hi,
> >
> > I finished most of the puppet deployment of the forum this
> > night, as those who were idling on #mageia-sysadmin know.
> \o/ great !
> 
> > So thanks to the work of Maat and ashledombos, we do have :
> > - a git repository on git://git.mageia.org/forum/ ( write access :
> > ssh://git.mageia.org/git/forum/ for them, as they requested ). Filled
> > with what was sent to me last week.
> >
> > - the friteuse vm that holds the forum is hosted on alamut, for the
> > moment, with a reverse proxy, on both http and https
> >
> We'll need perhaps to force a redirection for http to https (dunno if phpbb works well with both ways)

Well, I didn't want to force everybody just reading to go the https way.

But that's a tricky problem to solve.

> > - I had to remove ./install/, as asked by phpbb who refused to work. I
> > do not know if there was something needed, it is still in git, just
> > removed on the snapshot with rm ( I kept in git to ease the merge of
> > code later ).
> >
> another approach is to rename install -> noinstall and completely prevent access to noinstall with apache deny
>
> -> when we need to use install again, a move noinstall -> install sets the forum back to maintenance mode
> 
> (for better security controlling access to install with an ip whitelist or even a http based login against ldap would be nice)

http based login seems easier to manage. ip based whitelist is usually
bad the day you discover something urgent needs to be done and you
cannot.

Now, what is in install/ that would be used later ? 

> > What is left to do :
> >
> > - There are likely missing write permissions ( I have started to lock
> > down and opened ./cache/, and it was sufficient to have something to
> > see )
> >
> Yup but we'll need also write access to upload dirs (for uploaded files, pictures, avatars, smilies...)

Yes, I just didn't look at where this should be done.
On the other hand, I have guessed most of them, as they are the ones with
a .htaccess to prevent direct listing ( listings that are already
disabled on server ).

> > - As using .htaccess causes a performance penalty, I have not enabled them,
> > but maybe part of them are required. In any case, we need to review them
> > and add them to the apache configuration if needed. IIRC, most are just
> > "do not go to this directory".
> >
> we need to rewrite, control accesses and other things like that.

Ie, like wordpress, the application writes its own rewriterule in
a .htaccess ? I have seen some stuff related to SEO with a module, but I
didn't look further.

> If we don't use .htaccess then all these configs need to be moved to apache vhost config

IMHO, that's safer.

> > - IMHO, a clearer separation of code and theme should be done, as for
> > now, we do have everything in the same git repository
> >
> Ok but how ?

That's up to you to tell me. I see 2 possibilities :
- 2 repositories ( one for code, one for theme ), with different access
rights 
- coordination with the web team for that ( ie decide when the code is
ready and when the theme is, and deploy accordingly ). Using 2 branches
could maybe help. 

It seems to me that trying to decouple both would be better, but that's
twice the admin work, and coordination is still required.

( speaking of that, I also have to arrange a way to upgrade the code by
manual intervention and so on, I didn't forget )


> > - registration on the forum without using identity, as we decided in
> > this thread
> > ( https://www.mageia.org/pipermail/mageia-sysadm/2010-November/000897.html ) should
> > be disabled. I didn't go further but it didn't seem to be the case ( at least, not in the interface ).
> >
> yes... at registration could be done but the created account would not be able to log in

IMHO, that means the db will quickly be filled by spam bots. 

> > - prepare the migration to the vm at nfrance ( once it is ready ). This
> > will require some adjustments to some puppet modules, as we assumed
> > that only one db server would be used.
> >
> ph34r the distance between db server (Marseille) and forum (Toulouse)

That's why we need an adjustment, I have started to rework the pgsql
module for that, but that's not as urgent as other tasks ( as deploying
wiki, bittorrent, etc )

( otoh, as phpbb seems to have a rather aggressive cache system, maybe
this will not be as horrible as it seems, or at least, this would be
sufficient for the start ).
-- 
Michael Scherer
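
The review of the forum's .htaccess files discussed in this message (moving their rules into the Apache vhost configuration instead of enabling overrides) can be scripted. The following is an added example, not part of the original message or of the Mageia puppet modules; the function names, the `/var/www/forum` document root and the sample .htaccess contents are assumptions constructed for illustration.

```python
import os
import tempfile

# Directives that only mean "do not go to this directory" (Apache 2.2 syntax).
DENY_ONLY = {"order allow,deny", "deny from all", "<files *>", "</files>"}

def collect_htaccess(root):
    """Return {relative_dir: [directives]} for every .htaccess under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
                lines = [line.strip() for line in fh]
            # Drop blank lines and comments, keep the directives in order.
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            found[rel] = [l for l in lines if l and not l.startswith("#")]
    return found

def needs_review(found):
    """Directories whose .htaccess does more than deny access (e.g. rewrites)."""
    return sorted(d for d, rules in found.items()
                  if any(r.lower() not in DENY_ONLY for r in rules))

def to_vhost_blocks(found, docroot):
    """Render <Directory> sections carrying the same directives."""
    out = []
    for rel in sorted(found):
        path = docroot if rel == "." else f"{docroot}/{rel}"
        out.append(f'<Directory "{path}">')
        # With overrides off, a .htaccess written into this directory is ignored.
        out.append("    AllowOverride None")
        out.extend(f"    {rule}" for rule in found[rel])
        out.append("</Directory>")
    return "\n".join(out)

def demo():
    """Run on a constructed sample tree (not the real forum layout)."""
    samples = {
        "cache": "# no direct access\nOrder Allow,Deny\nDeny from All\n",
        "files": "<Files *>\nOrder Allow,Deny\nDeny from All\n</Files>\n",
        ".": "RewriteEngine On\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for sub, body in samples.items():
            os.makedirs(os.path.join(root, sub), exist_ok=True)
            with open(os.path.join(root, sub, ".htaccess"), "w") as fh:
                fh.write(body)
        found = collect_htaccess(root)
    return to_vhost_blocks(found, "/var/www/forum"), needs_review(found)

if __name__ == "__main__":
    blocks, review = demo()
    print(blocks, "\nReview by hand:", review)
```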


