Hosting of mozilladanmark.dk

RESOLVED FIXED

Status

RESOLVED FIXED
7 years ago
2 months ago

People

(Reporter: bugzilla, Unassigned)

Tracking

Details

(Whiteboard: approved, URL)

(Reporter)

Description

7 years ago
We would like to investigate the possibility of having Mozilla provided hosting for our community site at mozilladanmark.dk

    Where the users will come from (Europe, America, etc)
Denmark (Europe)

    What will run on it
PHP applications, which are currently phpBB, Wordpress, MediaWiki and some custom PHP code.

    An estimation of the number of visitors
Our traffic for March was 14.7 GB

    If you want to manage the server yourself
        if so, your sysadmin skills (1 click install Wordpress, or Linux from scratch (which distrib)?) 
We would like to have a LAMP stack, which we do not want to manage ourselves. We would like to manage the PHP applications and the MySQL databases ourselves, as well as the sub-domains we use.

Our current hosting solution gives us:
* Access to our (PHP) files via FTP.
* Apache.
* MySQL.
* PHP with safe_mode=off.
* A control panel where we can create multiple databases and set permissions for them.
* A control panel where we can create multiple sub domains.
* An email address, which forwards mails to a number of other email addresses.

We would like to keep these properties of our hosting.

Further improvements, which would be nice to have:
* Replace FTP with a secure alternative such as SCP.
* Ability to perform simple shell commands on the server. For example to upload a tar.gz file and unpacking it on the server instead of having to upload thousands of individual files.
* More fine grained control over file access to the files, which would allow us to mark most files read-only by the user, which runs our PHP scripts.
* Ability to use https.
This is approved by ReMo Council meeting 2012-04-29 for a VM. Arzhel please proceed.
Assignee: nobody → arzhel
Status: NEW → ASSIGNED
Whiteboard: approved
Jesper, could you create an account on 
https://www.ovh.ie/cgi-bin/nic/newNic.cgi
(or https://www.ovh.com/fr/cgi-bin/nic/newNic.cgi , No .dk website yet...)
And communicate me your "username/nic-handle?
(Reporter)

Comment 3

6 years ago
Sure, I can do that, but first, it would be nice to know for what purpose. Do you plan to offer us hosting at this provider? And if yes, which kind of hosting? (which of their products, in case it is one of the products listed on their page) I think it would make sense to figure this out before registering for something, but if you want to do this the other way around, we can do that.
My bad :)
I think we have 2 options here,
1/ Hosting it on a shared server, that way you will have something easy to manage with a control panel (Plesk), this is also good only if you don't plan to use something else than what is provided by Plesk (LAMP/email...).
2/ Hosting it on a VPS (http://www.ovh.ie/vps/) and having someone to help you to setup the server (LAMP), more complicated to maintain/setup but the possibility to install anything you need.

My choice here would be to start with the shared server, which seems to match your needs (and further improvements).
And then, if you need more, migrate to something dedicated.

In this case you don't need to create an OVH account :) Just tell us who will be the person in charge of the server (email/name).
(Reporter)

Comment 5

6 years ago
I do not want to manage a VPS, because I don't have enough spare time to run it at a security level, which is appropriate for our community site.

It looks like OVH provides a number of shared hosting solutions. Which one would we get?

Here are some stats for our site:
* Files: 311 MB
* MySQL databases: 3 (16 MB, 74 MB and 31 MB)
* Domains: 2 (mozilladanmark.dk and mozilla-danmark.dk)
* Subdomains: 5 (www, forum, blog, wiki, files)
* Traffic: 8.2 GB in 23 days

I am in charge of managing our site. My email address is mail at jesperkristensen dot dk.

Before we sign up for anything, I need to discuss this with the rest of our local community. However I would like to know what our options are before going into that discussion.
We have a dedicated server with a Plesk instance, so it's not a OVH shared hosting. And there is way enough resource for your needs.

Take your time ;)
Assigning approved requests to Arzhel
(Reporter)

Comment 8

6 years ago
I have talked with the other core members of our community, and we agree that we should continue with this. You already have my name and email address that you asked for earlier.
Assignee: arzhel → Ash

Comment 9

6 years ago
i'll take care of this request...

assuming that Jesper will be the main administrator of this hosting, right?
(Reporter)

Comment 10

6 years ago
(In reply to Ash from comment #9)
> assuming that Jesper will be the main administrator of this hosting, right?

Yes. The full list of people, who may be allowed administrative rights if they which are me (Jesper Kristensen), Søren Munk Skrøder, Kim Ludvigsen and Jørgen Rasmussen.

Comment 11

6 years ago
I would like to have administrative rights too. That way we do not depend on only one person in case of problems.

Comment 12

6 years ago
hosting account created.

the account informations have been sent to jesper by mail.

kim, in order to have these rights, ask jesper to create your user account and give you them
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Comment 13

6 years ago
I have now looked at hosting, and I have some questions regarding how we can use it securely.

First of all I can see which other Mozilla communities are hosted on the server. This seems quite odd. Is that how it is supposed to be? It looks like I cannot see the contents of their sites. Can I trust that? I have uploaded one part of our site to the new server. It can be accessed by adding 87.98.158.159 mozilladanmark.dk to your hosts file. Fetching images and CSS and so on worked fine, but PHP only works if I make files world readable and executable. Now since I have SSH access and PHP runs in safe_mode off, what ensures that other communities cannot see my files, if they are marked world readable? Or is there some other setting, which allows me to run PHP scripts without marking them world readable and executable?

If this is not the right place to ask questions, please tell.
Security is provided by Plesk, which is a well known (but proprietary) hosting platform. You can find more informations on their website: http://www.parallels.com/products/plesk/documentation/

In the meantime I enabled chroot for all the ssh accounts, which locks the users in their own directories and provides a higher level of security.

So that account should be secure enough for you to host everything you need.
(Reporter)

Comment 15

6 years ago
Hi Arzhel

Since your reply I have been busy at work, and after that went on vacation, so I did not have time until now to look into your answer.

I cannot see any difference when logging in, I still see the list of other sites. I don't know if it is a problem or not.

I couldn't find the information I need via the link you provided.

What you are saying is "the server is secure". But I cannot use that for much. I trust you that the server is secure, but I need to know how *I* can use it in a way that is also secure.

What does the different chmod options on a file or directory mean? Who can access it and in what way? What is your recommended configuration? How do I block write access from PHP to my *.php files?
Hey Eric please proceed processing this. Thanks!
Assignee: Ash → eziegenhorn
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Duplicate of this bug: 783891
These are low-level web hosting questions and would be better answered by a web developer.  Securing PHP is more than can be covered in a bug.  What is the server name in question here?  Perhaps I can login and explain the chroot jail to Jesper.
(Reporter)

Comment 19

6 years ago
Hi Eric

The name is ns368374.ovh.net and IP is 87.98.158.159

Thank you.
Ah, I see I'm not going to have a login to that box.  Can you make me one?  Or is there something I can explain in general terms about chroots, etc?
(Reporter)

Comment 21

6 years ago
I replied to Eric by email.
(Reporter)

Comment 22

6 years ago
From my discussions with Eric, it seems like he does not have access to this server or knowledge of how it is set up.

In my limited knowledge of PHP server administration, I have seen two setups.

In one setup the server run a special "virtual" version of Apache, which allows it to use the Linux access control to separate PHP sites. If the server uses this setup, I must ensure that my files are NOT marked world readable.

In another setup the server relies on security features like safe_mode within PHP itself to separate PHP sites. If the server uses this setup, I must ensure that my files ARE marked world readable.

I have not found evidence that this server uses either of these two setups, so I don't really know what I should do.

The owner of my files is
(Reporter)

Comment 23

6 years ago
The owner of my files is "mozilladk", and the group is "psacln". Is "psacln" something associated with my site, or something common for all sites on the server?
Assignee: eziegenhorn → nobody
Cc'ing Cshields to point us to someone in Security that can answer the concerns raised by Jepser
(Reporter)

Comment 25

6 years ago
The deadline for when we will loose our current community website is getting closer fast. Any time frame for when this will be resolved?
Dumitru has been very responsive in other Community IT requests. CC'ing to get extra eyes, hopefully speed things up!
(Reporter)

Comment 27

6 years ago
This is it. By now we have less than two weeks until our existing hosting runs out. Even if we got an answer today, I would not have enough time to move our community site over to our new hosting before our old hosting is shut down. Also my questions (starting comment 13) have not been answered since June. That is over four months. What will happen if the server this runs on breaks down? Will it also take Mozilla's IT over four months to get it back up and running? We cannot live with that.
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago6 years ago
Resolution: --- → WONTFIX
Jesper, as you were told in comment 14, the environment is chrooted which means nobody can see other users files.

It's completely safe to mark files as world readable/executable and also I assume it's required since plesk process needs to read an execute these files.

Don't worry, your home directory is not world readable/executable, so anybody can see anything inside.

I assume you have everything you need to migrate your site and change DNS pointing to the new server.
Resolution: WONTFIX → FIXED
(Reporter)

Comment 29

6 years ago
(In reply to Rubén Martín [:Nukeador] from comment #28)
> Jesper, as you were told in comment 14, the environment is chrooted which
> means nobody can see other users files.

No, comment 14 said my ssh account is chrooted. I assume you are saying that the PHP process is also chrooted??

> 
> It's completely safe to mark files as world readable/executable

THANK YOU, that was the answer I was looking for.

> and also I
> assume it's required since plesk process needs to read an execute these
> files.
> 
> Don't worry, your home directory is not world readable/executable, so
> anybody can see anything inside.
> 
> I assume you have everything you need to migrate your site and change DNS
> pointing to the new server.

Almost. Who do I ask when there is trouble? What if the server goes down? Who should I contact? Do you (Nukeador) have root access to the server and can restart it? If not, who does? And how can I get in contact with them? I cannot move our site if I know it may go down next week and it will take half a year for somebody to come and restart the server.

Comment 30

6 years ago
Jesper, you should ask me or Arzhel when you need help managing your hosting server
(Reporter)

Comment 31

6 years ago
Hi Ash and Arzhel.

My confidence in this hosting has not exactly increased after I wrote an email to both of you on the first of November and didn't hear anything back since then.

I still have the feeling that if the server gets an issue which needs action from someone with the right admin access, it will take months for you to even notice that something is wrong, and in those months, our community website will be offline. I don't like that risk, and therefore I would like to avoid moving our community website to your hosting. But that again depends on what happens when payment for our current hosting needs to be renewed next year.

Comment 32

6 years ago
Hi jesper,

if you need any help you can contact us ( Arzhel and me ) by mail.

you can even find us on IRC ( Xionox and Barzogh )

we monitor all the servers so that we should know quite instantely when one is down, then we investigate and take actions needed.
(Reporter)

Updated

4 years ago
Depends on: 1094973

Updated

2 months ago
Product: Mozilla Reps → Mozilla Reps Graveyard
You need to log in before you can comment on or make changes to this bug.