A new request with request id 8207 has been created by koha-devel-request@lists.koha-community.org. Short info on the request is :

Title : Koha-devel Digest, Vol 200, Issue 25
Category :
Description :
Send Koha-devel mailing list submissions to
    koha-devel@lists.koha-community.org

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
or, via email, send a message with subject or body 'help' to
    koha-devel-request@lists.koha-community.org

You can reach the person managing the list at
    koha-devel-owner@lists.koha-community.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Koha-devel digest..."


Today's Topics:

1. Thoughts on retiring libapache2-mpm-itk?
(dcook@prosentient.com.au)
2. Re: Thoughts on retiring libapache2-mpm-itk? (Chris Cormack)
3. Re: Thoughts on retiring libapache2-mpm-itk?
(dcook@prosentient.com.au)
4. Re: Thoughts on retiring libapache2-mpm-itk?
(dcook@prosentient.com.au)


----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Jul 2022 12:05:39 +1000
From: <dcook@prosentient.com.au>
To: "'Koha Devel'" <koha-devel@lists.koha-community.org>
Cc: "'Fridolin SOMERS'" <fridolin.somers@biblibre.com>, "'Tomas Cohen
    Arazi'" <tomascohen@theke.io>
Subject: [Koha-devel] Thoughts on retiring libapache2-mpm-itk?
Message-ID: <065001d8a094$3f1c8fb0$bd55af10$@prosentient.com.au>
Content-Type: text/plain; charset="utf-8"

Hi all,



I was looking at BibLibre's ERM sandbox, and I noticed that the Nginx
reverse proxy was using HTTP/2. It got me thinking about Apache httpd and
HTTP/2.



Apparently, Apache has an optional mod_http2 module, but it is said to work
better with mpm_event and mpm_worker than mpm_prefork.



But because we use mpm_itk (in order to declare "AssignUserID kohadev-koha
kohadev-koha" per VirtualHost) we're tied to using mpm_prefork.



Yet. Koha mostly runs in Starman these days. We don't necessarily get that
much benefit from AssignUserID anymore. The main problem would be
permissions for the CGI scripts that we don't proxy. So maybe we wait until
after we're proxying everything through Apache and Apache is just a reverse
proxy to Starman and a static asset server. Because at that point. there's
no reason it couldn't just run under the "www-data" user.



I mean we could try testing mod_http2 with mpm_prefork anyway I suppose. And
there's always the old "if it ain't broke, don't fix it".



I suppose I just think it's funny that HTTP/3 exists (although it's not
widely supported on FOSS servers yet) but we haven't even moved from
HTTP/1.1 to HTTP/2.



Frido, curious if you have any comments on HTTP/2 since I'm guessing you set
up that Nginx reverse proxy?



David Cook

Senior Software Engineer

Prosentient Systems

Suite 7.03

6a Glen St

Milsons Point NSW 2061

Australia



Office: 02 9212 0899

Online: 02 8005 0595



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20220726/c6eb016d/attachment-0001.htm>

------------------------------

Message: 2
Date: Tue, 26 Jul 2022 15:03:20 +1200
From: Chris Cormack <chris@bigballofwax.co.nz>
To: dcook@prosentient.com.au
Cc: Koha Devel <koha-devel@lists.koha-community.org>, Tomas Cohen
    Arazi <tomascohen@theke.io>
Subject: Re: [Koha-devel] Thoughts on retiring libapache2-mpm-itk?
Message-ID:
    <CA+95qVT7NUbmjzK2xQJk8j629P3oUJGZz_ivCOP9NdyGoz=QDA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

HI David

On Tue, 26 Jul 2022 at 14:07, <dcook@prosentient.com.au> wrote:
>
> Hi all,
>
>
>
> I was looking at BibLibre’s ERM sandbox, and I noticed that the Nginx reverse proxy was using HTTP/2. It got me thinking about Apache httpd and HTTP/2.
>
>
>
> Apparently, Apache has an optional mod_http2 module, but it is said to work better with mpm_event and mpm_worker than mpm_prefork.
>
>
>
> But because we use mpm_itk (in order to declare “AssignUserID kohadev-koha kohadev-koha” per VirtualHost) we’re tied to using mpm_prefork.
>
>
>
> Yet… Koha mostly runs in Starman these days. We don’t necessarily get that much benefit from AssignUserID anymore. The main problem would be permissions for the CGI scripts that we don’t proxy. So maybe we wait until after we’re proxying everything through Apache and Apache is just a reverse proxy to Starman and a static asset server. Because at that point… there’s no reason it couldn’t just run under the “www-data” user.
>
>
That's not entirely true, plack runs on a unix socket as a user, with
potentially multiple sites on a single server. So having only the
right apache sites being able to talk to the right sockets by them
both being the same user is a very important thing.

For example

starman worker -M FindBin --max-requests 50 --workers 2
--user=demo-koha --group demo-koha --pid /var/run/koha/demo/plack.pid
--daemonize --access-log /var/log/koha/demo/plack.log --error-log
/var/log/koha/demo/plack-error.log -E deployment --socket
/var/run/koha/demo/plack.sock /etc/koha/plack.psgi

So you need to find some way to achieve this, without mpm_itk or
accept the big step backwards in site segregation.

>
> I mean we could try testing mod_http2 with mpm_prefork anyway I suppose. And there’s always the old “if it ain’t broke, don’t fix it”.
>
>
> I suppose I just think it’s funny that HTTP/3 exists (although it’s not widely supported on FOSS servers yet) but we haven’t even moved from HTTP/1.1 to HTTP/2.
>
>
>
> Frido, curious if you have any comments on HTTP/2 since I’m guessing you set up that Nginx reverse proxy?
>
Chris


------------------------------

Message: 3
Date: Tue, 26 Jul 2022 13:23:37 +1000
From: <dcook@prosentient.com.au>
To: "'Chris Cormack'" <chris@bigballofwax.co.nz>
Cc: "'Koha Devel'" <koha-devel@lists.koha-community.org>, "'Tomas
    Cohen Arazi'" <tomascohen@theke.io>
Subject: Re: [Koha-devel] Thoughts on retiring libapache2-mpm-itk?
Message-ID: <066b01d8a09f$24425200$6cc6f600$@prosentient.com.au>
Content-Type: text/plain;    charset="utf-8"

Hi Chris,

I said "the main problem" would be the CGI scripts. Not the only problem. I did think about the permissions for the Unix sockets but I disagree about "the right apache sites being able to talk to the right sockets...is a very important thing". I think having them be writable by "www-data" is an easy and reasonable thing to do, so not even really a problem.

Consider it another way. Let's say you were using TCP sockets instead of Unix sockets. They wouldn't be writeable by only a particular Apache site. They'd be writeable by anything that can make a TCP connection. I think that we're using Unix sockets for the performance improvement - not for security.

What's the perceived risk?

We're hard-coding the Unix socket locations into Apache configuration, so I only see two risks:

1) A Koha sysadmin makes a typo and sends the wrong VirtualHost to the wrong Unix socket, which is unlikely due to koha-create automation (but then input credentials won't match up with the backend database so there should be no unauthorized behaviour and worst case someone is viewing the wrong read-only site)

2) Someone hacks Apache (but then your per-Koha permissions at the Starman level will still protect instances from each other's files)

Multithreaded servers like Tomcat don't have any way of using multiple users for multiple sites. I reckon there are lots of people out in the world using mpm_event and mpm_worker as well. I'd be curious how BibLibre implement their Nginx reverse proxy too.

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia

Office: 02 9212 0899
Online: 02 8005 0595

-----Original Message-----
From: Chris Cormack <chris@bigballofwax.co.nz>
Sent: Tuesday, 26 July 2022 1:03 PM
To: dcook@prosentient.com.au
Cc: Koha Devel <koha-devel@lists.koha-community.org>; Tomas Cohen Arazi <tomascohen@theke.io>
Subject: Re: [Koha-devel] Thoughts on retiring libapache2-mpm-itk?

HI David

On Tue, 26 Jul 2022 at 14:07, <dcook@prosentient.com.au> wrote:
>
> Hi all,
>
>
>
> I was looking at BibLibre’s ERM sandbox, and I noticed that the Nginx reverse proxy was using HTTP/2. It got me thinking about Apache httpd and HTTP/2.
>
>
>
> Apparently, Apache has an optional mod_http2 module, but it is said to work better with mpm_event and mpm_worker than mpm_prefork.
>
>
>
> But because we use mpm_itk (in order to declare “AssignUserID kohadev-koha kohadev-koha” per VirtualHost) we’re tied to using mpm_prefork.
>
>
>
> Yet… Koha mostly runs in Starman these days. We don’t necessarily get that much benefit from AssignUserID anymore. The main problem would be permissions for the CGI scripts that we don’t proxy. So maybe we wait until after we’re proxying everything through Apache and Apache is just a reverse proxy to Starman and a static asset server. Because at that point… there’s no reason it couldn’t just run under the “www-data” user.
>
>
That's not entirely true, plack runs on a unix socket as a user, with potentially multiple sites on a single server. So having only the right apache sites being able to talk to the right sockets by them both being the same user is a very important thing.

For example

starman worker -M FindBin --max-requests 50 --workers 2 --user=demo-koha --group demo-koha --pid /var/run/koha/demo/plack.pid --daemonize --access-log /var/log/koha/demo/plack.log --error-log /var/log/koha/demo/plack-error.log -E deployment --socket /var/run/koha/demo/plack.sock /etc/koha/plack.psgi

So you need to find some way to achieve this, without mpm_itk or accept the big step backwards in site segregation.

>
> I mean we could try testing mod_http2 with mpm_prefork anyway I suppose. And there’s always the old “if it ain’t broke, don’t fix it”.
>
>
> I suppose I just think it’s funny that HTTP/3 exists (although it’s not widely supported on FOSS servers yet) but we haven’t even moved from HTTP/1.1 to HTTP/2.
>
>
>
> Frido, curious if you have any comments on HTTP/2 since I’m guessing you set up that Nginx reverse proxy?
>
Chris



------------------------------

Message: 4
Date: Tue, 26 Jul 2022 13:25:14 +1000
From: <dcook@prosentient.com.au>
To: "'Tomas Cohen Arazi'" <tomascohen@theke.io>, "'Chris Cormack'"
    <chris@bigballofwax.co.nz>
Cc: "'Koha Devel'" <koha-devel@lists.koha-community.org>
Subject: Re: [Koha-devel] Thoughts on retiring libapache2-mpm-itk?
Message-ID: <066c01d8a09f$589f2aa0$09dd7fe0$@prosentient.com.au>
Content-Type: text/plain; charset="utf-8"

What would be insecure about making the Starman/Plack sockets writeable by www-data? It wouldn’t be any different from using TCP sockets (instead of Unix sockets) which is common or a reverse proxy.



David Cook

Senior Software Engineer

Prosentient Systems

Suite 7.03

6a Glen St

Milsons Point NSW 2061

Australia



Office: 02 9212 0899

Online: 02 8005 0595



From: Tomas Cohen Arazi <tomascohen@theke.io>
Sent: Tuesday, 26 July 2022 1:10 PM
To: Chris Cormack <chris@bigballofwax.co.nz>
Cc: David Cook <dcook@prosentient.com.au>; Koha Devel <koha-devel@lists.koha-community.org>
Subject: Re: [Koha-devel] Thoughts on retiring libapache2-mpm-itk?




> Yet… Koha mostly runs in Starman these days. We don’t necessarily get that much benefit from AssignUserID anymore. The main problem would be permissions for the CGI scripts that we don’t proxy. So maybe we wait until after we’re proxying everything through Apache and Apache is just a reverse proxy to Starman and a static asset server. Because at that point… there’s no reason it couldn’t just run under the “www-data” user.
>
>
That's not entirely true, plack runs on a unix socket as a user, with
potentially multiple sites on a single server. So having only the
right apache sites being able to talk to the right sockets by them
both being the same user is a very important thing.



+1



Being able to have a secure deployment out of the box is a thing we shouldn't loose!



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20220726/24ef32b7/attachment-0001.htm>

------------------------------

Subject: Digest Footer

_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : https://www.koha-community.org/
git : https://git.koha-community.org/
bugs : https://bugs.koha-community.org/


------------------------------

End of Koha-devel Digest, Vol 200, Issue 25
*******************************************


NOTE: You are receiving this mail because, the Requester/Technician wanted you to get notified on this request creation.