[Koha-devel] Thoughts on retiring libapache2-mpm-itk?

dcook at prosentient.com.au dcook at prosentient.com.au
Tue Jul 26 05:23:37 CEST 2022


Hi Chris,

I said "the main problem" would be the CGI scripts. Not the only problem. I did think about the permissions for the Unix sockets but I disagree about "the right apache sites being able to talk to the right sockets...is a very important thing". I think having them be writable by "www-data" is an easy and reasonable thing to do, so not even really a problem. 

Consider it another way. Let's say you were using TCP sockets instead of Unix sockets. They wouldn't be writeable by only a particular Apache site. They'd be writeable by anything that can make a TCP connection. I think that we're using Unix sockets for the performance improvement - not for security. 

What's the perceived risk? 

We're hard-coding the Unix socket locations into Apache configuration, so I only see two risks:

1) A Koha sysadmin makes a typo and sends the wrong VirtualHost to the wrong Unix socket, which is unlikely due to koha-create automation (but then input credentials won't match up with the backend database so there should be no unauthorized behaviour and worst case someone is viewing the wrong read-only site)

2) Someone hacks Apache (but then your per-Koha permissions at the Starman level will still protect instances from each other's files)

Multithreaded servers like Tomcat don't have any way of using multiple users for multiple sites. I reckon there are lots of people out in the world using mpm_event and mpm_worker as well. I'd be curious how BibLibre implement their Nginx reverse proxy too.

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia

Office: 02 9212 0899
Online: 02 8005 0595

-----Original Message-----
From: Chris Cormack <chris at bigballofwax.co.nz> 
Sent: Tuesday, 26 July 2022 1:03 PM
To: dcook at prosentient.com.au
Cc: Koha Devel <koha-devel at lists.koha-community.org>; Tomas Cohen Arazi <tomascohen at theke.io>
Subject: Re: [Koha-devel] Thoughts on retiring libapache2-mpm-itk?

Hi David

On Tue, 26 Jul 2022 at 14:07, <dcook at prosentient.com.au> wrote:
>
> Hi all,
>
> I was looking at BibLibre’s ERM sandbox, and I noticed that the Nginx reverse proxy was using HTTP/2. It got me thinking about Apache httpd and HTTP/2.
>
> Apparently, Apache has an optional mod_http2 module, but it is said to work better with mpm_event and mpm_worker than mpm_prefork.
>
> But because we use mpm_itk (in order to declare “AssignUserID kohadev-koha kohadev-koha” per VirtualHost) we’re tied to using mpm_prefork.
>
> Yet… Koha mostly runs in Starman these days. We don’t necessarily get that much benefit from AssignUserID anymore. The main problem would be permissions for the CGI scripts that we don’t proxy. So maybe we wait until after we’re proxying everything through Apache and Apache is just a reverse proxy to Starman and a static asset server. Because at that point… there’s no reason it couldn’t just run under the “www-data” user.
>
That's not entirely true, plack runs on a unix socket as a user, with potentially multiple sites on a single server. So having only the right apache sites being able to talk to the right sockets by them both being the same user is a very important thing.

For example:

 starman worker -M FindBin --max-requests 50 --workers 2 --user=demo-koha --group demo-koha --pid /var/run/koha/demo/plack.pid --daemonize --access-log /var/log/koha/demo/plack.log --error-log /var/log/koha/demo/plack-error.log -E deployment --socket /var/run/koha/demo/plack.sock /etc/koha/plack.psgi

So you need to find some way to achieve this without mpm_itk, or accept the big step backwards in site segregation.

>
> I mean we could try testing mod_http2 with mpm_prefork anyway I suppose. And there’s always the old “if it ain’t broke, don’t fix it”.
>
> I suppose I just think it’s funny that HTTP/3 exists (although it’s not widely supported on FOSS servers yet) but we haven’t even moved from HTTP/1.1 to HTTP/2.
>
> Frido, curious if you have any comments on HTTP/2 since I’m guessing you set up that Nginx reverse proxy?
>
Chris
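The socket-permission point argued on both sides above (David's "just make it writable by www-data" versus Chris's "same user on both ends"), worked as an added example that is not code from the thread or from Koha: it models the Linux rule that connect() on a Unix socket needs write permission on the socket file, binds a socket with a 0660 mode the way a per-instance Starman would, and audits whether a given worker identity could reach it. The uid/gid numbers are constructed, and the directory holding the socket is assumed to be searchable by every caller.

```python
import os
import socket
import stat
import tempfile

def can_connect(sock_mode, sock_uid, sock_gid, uid, gids):
    """Linux DAC rule for connect() on a Unix socket: the caller needs write
    permission on the socket inode; root bypasses the check."""
    if uid == 0:
        return True
    if uid == sock_uid:
        return bool(sock_mode & stat.S_IWUSR)
    if sock_gid in gids:
        return bool(sock_mode & stat.S_IWGRP)
    return bool(sock_mode & stat.S_IWOTH)

def bind_restricted(path, mode=0o660):
    """Bind a listening socket whose file is writable only by owner and group."""
    old_umask = os.umask(0o777 & ~mode)  # keep unwanted bits off at bind() time
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)  # pin the exact mode, whatever the umask was
    return srv

def audit_socket(path, worker_uid, worker_gids):
    """Report whether a worker identity (uid, set of gids) could connect to path."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    mode = stat.S_IMODE(st.st_mode)
    return {
        "mode": oct(mode),
        "world_writable": bool(mode & stat.S_IWOTH),
        "reachable": can_connect(mode, st.st_uid, st.st_gid, worker_uid, worker_gids),
    }

def demo(mode=0o660):
    """Bind a socket in a temp dir, then audit it for a worker running as the
    socket owner and for one running as an unrelated (constructed) uid/gid."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "plack.sock")
        srv = bind_restricted(path, mode)
        try:
            owner = audit_socket(path, os.getuid(), {os.getgid()})
            stranger = audit_socket(path, os.getuid() + 50000, {os.getgid() + 50000})
        finally:
            srv.close()
    return owner, stranger
```

With 0660 and the instance's own user/group, only that instance (plus root, or an Apache worker explicitly added to the instance's group) can connect; with 0666, every local identity can, which is the trade-off the two positions above differ on.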