
The Doctor's to-do list: Difference between revisions

From HacDC Wiki

(31 intermediate revisions by one other user not shown)

Earlier revision (the left-hand side of this diff):

Stuff will be <strike>stricken out</strike> as I finish it.  If anyone wants to jump in and help me with this, by all means do so, just put your initials at the end so I know who did what.

In no particular order, this is the stuff I want to accomplish over Labor Day weekend:

* <strike>The build configuration in the .Slackbuild for nginx is already pretty much what we need.</strike>
** <strike>I used the following command line to force nginx to use a custom pseudouser and pseudogroup rather than nobody and nobody (respectively): NGINXUSER=nginx NGINXGROUP=nginx ./nginx.SlackBuild</strike>
** <strike>A user and group called 'nginx' will have to be created in the OS before this will work.  This is to sandbox the daemon more effectively.</strike>
** <strike>The /etc/nginx/nginx.conf file will have to be modified.  I'll check that into Git as well.</strike>
** <strike>Need to create two directories, /etc/nginx/apps (for active web apps) and /etc/nginx/offline_apps (self explanatory) in the .Slackbuild.</strike>
** <strike>Need to create /srv/nginx in the .Slackbuild for the web apps to go into.</strike>
*** <strike>/srv/nginx/root is for the /index.php script</strike>
*** /srv/nginx/<app> is for web apps
*** <strike>Owned by nginx.nginx, mod 0755.</strike>
** Due to how the tgz-to-xzm conversion process works, doinst.sh is not called, so there are some steps that we have to do ourselves, like creating directories.  What a revolting development.
* Test that particular build of nginx against a couple of PHP apps.
* Build nginx packages and check them into SVN.
* Figure out a good PHP build configuration that
** for optimal FastCGI compatibility, needs to be >= v5.3.3.  We've got this covered with the .Slackbuild for Slackware v13.37.
** [http://interfacelab.com/nginx-php-fpm-apc-awesome/ runs under FastCGI]
** includes SQLite
** includes MySQL
* Test that particular build of PHP against a couple of apps.
* Write a .Slackbuild script for PHP with the configuration I work out.
* Build PHP packages and check them into SVN.
** Use the Slackware v.13.37 .Slackbuild script as a base
** ./configure options:
*** EXTENSION_DIR=/usr/lib${LIBDIRSUFFIX}/php/extensions
*** CFLAGS="$SLKCFLAGS"
*** --prefix=/usr --libdir=/usr/lib${LIBDIRSUFFIX} --with-libdir=lib${LIBDIRSUFFIX} --sysconfdir=/etc --disable-safe-mode --disable-magic-quotes --enable-zend-multibyte --enable-mbregex --enable-tokenizer=shared --with-config-file-scan-dir=/etc/php --with-config-file-path=/etc/httpd --enable-mod_charset --with-layout=PHP --enable-sigchild --enable-xml --with-libxml-dir=/usr --enable-simplexml --enable-filter --disable-debug --with-openssl=shared --with-pcre-regex=/usr --with-zlib=shared,/usr --enable-bcmath=shared --with-bz2=shared,/usr --enable-calendar=shared --enable-ctype=shared --with-curl=shared --with-curlwrappers --with-mcrypt=/usr --enable-dba=shared --with-gdbm=/usr --with-db4=/usr --enable-exif=shared --enable-ftp=shared --with-gd=shared --with-jpeg-dir=/usr --with-png-dir=/usr --with-zlib-dir=/usr --with-xpm-dir=/usr --with-freetype-dir=/usr --with-t1lib=/usr --enable-gd-native-ttf --enable-gd-jis-conv --with-gettext=shared,/usr --with-gmp=shared,/usr --with-iconv=shared --with-imap-ssl=/usr --with-imap=$IMAPLIBDIR --with-ldap=shared --enable-mbstring=shared --enable-hash --with-mysql=shared,mysqlnd --with-mysqli=shared,mysqlnd --with-mysql-sock=/var/run/mysql/mysql.sock --enable-pdo=shared --with-pdo-mysql=shared,mysqlnd --with-pdo-sqlite=shared,/usr --with-pspell=shared,/usr --with-enchant=shared,/usr --with-mm=/usr --enable-shmop=shared --with-snmp=shared,/usr --enable-soap=shared --enable-sockets --with-sqlite=shared --with-sqlite3=shared --enable-sqlite-utf8 --with-regex=php --enable-sysvmsg --enable-sysvsem --enable-sysvshm --enable-wddx=shared --with-xsl=shared,/usr --enable-zip=shared --with-tsrm-pthreads --enable-shared=yes --enable-static=no --with-gnu-ld --with-pic --build=$ARCH-slackware-linux
*** replace the "Make the Apache2 module version of PHP" code with "make the nginx module version of PHP" code
** Suggested ./configure options:
*** --enable-fastcgi --enable-fpm --with-mcrypt=/usr --with-zlib=shared,/usr --enable-mbstring=shared --enable-pdo=shared --with-pdo-mysql=shared,mysqlnd --with-pdo-sqlite=shared,/usr --prefix=/usr --libdir=/usr/lib${LIBDIRSUFFIX} --with-libdir=lib${LIBDIRSUFFIX} --sysconfdir=/etc --with-curl=shared --with-curlwrappers --disable-debug --enable-pic --enable-inline-optimization --with-bz2=shared,/usr --with-zlib-dir=/usr --enable-sockets --enable-sysvshm --enable-sysvsem --enable-pcntl --enable-mbregex --with-mhash --enable-xslt --enable-memcache --enable-zip=shared --with-pcre-regex=/usr --disable-safe-mode --disable-magic-quotes --enable-zend-multibyte --with-config-file-scan-dir=/etc/php --enable-mod_charset --with-layout=PHP --enable-xml --with-libxml-dir=/usr --enable-simplexml --enable-filter --with-openssl=shared --enable-bcmath=shared --with-gd=shared --with-jpeg-dir=/usr --with-png-dir=/usr --with-xpm-dir=/usr --with-freetype-dir=/usr --with-t1lib=/usr --enable-gd-native-ttf --enable-gd-jis-conv --with-gettext=shared,/usr --with-gmp=shared,/usr --with-iconv=shared --enable-hash --with-mysql=shared,mysqlnd --with-mysqli=shared,mysqlnd --with-mysql-sock=/var/run/mysql/mysql.sock --with-pspell=shared,/usr --with-enchant=shared,/usr --with-mm=/usr --enable-shmop=shared --enable-soap=shared --with-sqlite=shared --with-sqlite3=shared --enable-sqlite-utf8 --with-regex=php --enable-sysvmsg --enable-wddx=shared --with-xsl=shared,/usr --with-tsrm-pthreads --enable-shared=yes --enable-static=no --with-gnu-ld --with-pic --build=$ARCH-slackware-linux
** Need to rewrite the destination for the module in the .Slackbuild because we're building against nginx and not Apache.  The .Slackbuild is going to require serious modifications.
** Need to configure so that it's
*** optimized for small-ish systems
*** hardened!
**** [http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html]
**** [https://calomel.org/nginx.html]
**** [http://b7j0c.posterous.com/quick-notes-on-hardening-nginx-ssl]
* Set up an account on the Porteus forums and post the link to our SVN repo.
* Develop a configuration for nginx that
** is lightweight
** somewhat optimized
** modular, so that each app has its own included config file
** hardened
* Write a web app for the control panel that
** Can start and stop nginx on demand
** store its configuration in a database
** move sub-config files for nginx that represent PHP apps into and out of the /etc/nginx/conf.d directory
** force nginx to reload its config files every time an app is (de-)configured
*** /usr/sbin/nginx -s reload
* [http://wiki.nginx.org/HttpSslModule Get OpenSSL working in nginx]
* <strike>Write an initscript that</strike>
** <strike>checks for the presence of a node's SSL cert in /etc/nginx (the default)</strike>
** <strike>terminates if one is found</strike>
* Set Porteus up to set its hostname to the IPv6 address of the node.
* Write a PHP app that
** displays a "Hello, User!" message
** displays links to apps hosted on the node which happen to be active
** removes links to apps hosted on the node that are deactivated
*** I don't know PHP... can we find someone who does?
*** Would have to reference the SQLite database which keeps track of the active and inactive web apps and modifies the output accordingly
** has to be mobile-friendly
* Install crypto.cat on my development instance
** requires PHP
** will need its UI tweaked to be more mobile-friendly
** Create a crypto.cat Porteus package and check it into SVN
* Install etherpad-lite on my development instance
** [http://slackbuilds.org/repository/13.37/network/node/ requires node.js, for which there exists a Slackpack]
*** build a Slackpack of node.js, convert into Porteus package, check everything into SVN
** write an initscript that can start up crypto.cat when called but not at boot
** will have to be controlled by the control panel, store its configuration in a database
** write a sub-config file for nginx that passes through the /pad URL to localhost:9001
** requires [http://npmjs.org NPM]
*** that will need to be packaged and checked in separately, I think.
*** run it in verbose mode to keep an eye on it
*** if it installs more stuff, we should bundle the whole mess into the NPM Porteus package
** really should run as an unprivileged user
** really should listen on the loopback interface only
** pay attention to the [https://github.com/Pita/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy reverse-proxy howto] for nginx!
** have to start it by hand a few times to figure out how to automate and package it
* install status.net on my development instance
** requires PHP, MySQL
** nginx must have URL rewriting available
** PHP must have support for Curl, XMLwriter, MySQL, GD, mbstring, gettext (all required for status.net), SQLite (to read configuration databases)
** [http://pelletiermaxime.info/2009/04/11/Laconica-On-Nginx.html nginx installation instructions!]
** will need to pre-configure it for security and usability
** need to make the mobile skin the default and erase the others to free up disk space
** will need to write a sub-config file for nginx
** configure for longer messages - 560 characters? 700 characters
** configure to make it easy to set up accounts on a node - no e-mail verification
** enable image upload and display
* Write a dependency manager for apps
** some web apps require MySQL, some don't
** only start MySQL if it's not running already for the ones that don't
* Write a web app that (de-)configures gateway mode for babeld.  I think it's a matter of pushing a route to 0.0.0.0 or not, have to read up on it.
* <strike>Installed the pre-converted MySQL Porteus package from the distro-download archive.</strike>
** Need to pre-configure MySQL for small-ish systems
** Need to pre-harden MySQL
** Change the default password to something else.
** Need to pre-create accounts, databases for all web apps and give them strong passwords.  They need to be ready to go when they're started up.
* Harden /etc/sysctl.conf!
[[Category:Byzantium]]
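The control-panel mechanism planned above (move an app's nginx sub-config between /etc/nginx/offline_apps and /etc/nginx/apps, then run /usr/sbin/nginx -s reload), as an added POSIX shell example that is not code from this wiki page or from the Byzantium project. The directory and binary paths are the ones in the list; the NGINX_BIN/APPS_DIR/OFFLINE_DIR overrides, the helper names, the app-name check, the `nginx -t` validation before reloading and the rollback on failure are assumptions added here so that a broken sub-config is not left in place where it would fail the next reload or boot.

```shell
#!/bin/sh
# Added example, not from the wiki page: enable or disable a web app by moving
# its nginx sub-config between the offline_apps and apps directories named in
# the to-do list, then validating and reloading nginx.  The NGINX_BIN, APPS_DIR
# and OFFLINE_DIR overrides are an assumption added here so the functions can
# be exercised on a box without nginx; the defaults are the paths from the list.

nginx_bin()   { printf '%s\n' "${NGINX_BIN:-/usr/sbin/nginx}"; }
apps_dir()    { printf '%s\n' "${APPS_DIR:-/etc/nginx/apps}"; }
offline_dir() { printf '%s\n' "${OFFLINE_DIR:-/etc/nginx/offline_apps}"; }

# Refuse app names that are empty, contain a slash or start with a dot, so a
# name taken from a web form cannot point outside the config directories.
valid_app_name() {
    case "$1" in
        ''|*/*|.*) return 1 ;;
    esac
    return 0
}

# Test the whole configuration before signalling the running daemon.  nginx
# keeps serving the old config if a reload fails, but the moved file would
# stay in place and break the next start, so the caller rolls back on failure.
reload_nginx() {
    bin=$(nginx_bin)
    "$bin" -t >/dev/null 2>&1 && "$bin" -s reload
}

# Move $1.conf from directory $2 to directory $3 and reload; undo the move if
# nginx rejects the result.  Returns 0 on success, 1 on failure, 2 on bad name.
move_app() {
    app=$1; from=$2; to=$3
    valid_app_name "$app" || { echo "bad app name: $app" >&2; return 2; }
    [ -f "$from/$app.conf" ] || { echo "no $app.conf in $from" >&2; return 1; }
    mv "$from/$app.conf" "$to/$app.conf" || return 1
    if ! reload_nginx; then
        mv "$to/$app.conf" "$from/$app.conf"
        echo "nginx rejected the configuration; $app left in $from" >&2
        return 1
    fi
    return 0
}

enable_app()  { move_app "$1" "$(offline_dir)" "$(apps_dir)"; }
disable_app() { move_app "$1" "$(apps_dir)" "$(offline_dir)"; }

# Usage when run as a script: appctl.sh enable <app> | disable <app>
case "${1:-}" in
    enable)  enable_app "$2" ;;
    disable) disable_app "$2" ;;
esac
```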

Latest revision as of 03:29, 4 April 2012

Stuff will be <strike>stricken out</strike> as I finish it.  If anyone wants to jump in and help me with this, by all means do so, just put your initials at the end so I know who did what.

In no particular order, this is the stuff I want to accomplish:

* <strike>[http://carroll.cac.psu.edu/pub/linux/distributions/slackware/slackware-13.37/slackware/n/ Official Slackware g package]</strike>
** <strike>Default webroot is /srv/httpd/htdocs.</strike>
** Will need to rework module to clear out /var/www.  We won't need that stuff.
** <strike>Custom config files are a given.  I guess this pushes us back to using separate config files for each app.</strike>
** Comment out authn*, authz*, dumpio_module, ldap_module, usertrack_module, proxy*, dav_module, status_module, cgi_module, dav_fs_module, vhost_alias_module, imagemap_module, userdir_module in /etc/httpd/httpd.conf.
** <strike>Uncomment ssl_module.</strike>
** Disable logging when everything is working.
** <strike>/srv/httpd and /srv/www are symlinks to /var/www.  Oh, well.</strike>
** Look into setting up [http://core.segfault.pl/~hobbit/mod_chroot/ mod_chroot].  There is a package on [http://slackbuilds.org/repository/13.37/network/mod_chroot/ slackbuilds.org] that could be built and converted.
** Look into setting up [http://slackbuilds.org/repository/13.37/network/mod_evasive/ mod_evasive].  It's an anti-DoS, anti-bruteforce module.
* <strike>[http://carroll.cac.psu.edu/pub/linux/distributions/slackware/slackware-13.37/slackware/n/php-5.3.6-i486-6.txzx Official Slackware PHP package.]</strike>
** php.ini - need to turn log_errors, ignore_repeated_errors off.
** Look through the list of extensions in php.ini and turn all of the unnecessary ones off.
*** calendar, ldap.
* Set Porteus up to set its hostname to the IPv6 address of the primary wireless interface of the node.
* Write a PHP app that
** displays a "Hello, User!" message
** displays links to apps hosted on the node which happen to be active
** removes links to apps hosted on the node that are deactivated
*** I don't know PHP... can we find someone who does?  Brad?
*** Would have to reference the SQLite database which keeps track of the active and inactive web apps and modifies the output accordingly
** has to be mobile-friendly
* <strike>Install [https://github.com/Pita/etherpad-lite etherpad-lite] on my development instance</strike>
** <strike>[http://slackbuilds.org/repository/13.37/network/node/ requires node.js, for which there exists a Slackpack]</strike>
*** <strike>build a Slackpack of node.js, convert into Porteus package, check everything into SVN</strike>
** <strike>write an initscript that can start up Etherpad-lite when called by the control panel</strike>
** <strike>will have to be controlled by the control panel, store its configuration in a database</strike>
** <strike>write a sub-config file for Apache that passes through the /pad URL to localhost:9001</strike>
** <strike>requires [http://npmjs.org NPM]</strike>
*** <strike>that will need to be packaged and checked in separately, I think.</strike>
*** <strike>run it in verbose mode to keep an eye on it</strike>
*** <strike>if it installs more stuff, we should bundle the whole mess into the NPM Porteus package</strike>
** <strike>really should run as an unprivileged user</strike>
** <strike>pay attention to the [https://github.com/Pita/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy reverse-proxy howto]</strike>
** <strike>have to start it by hand a few times to figure out how to automate and package it</strike>
* <strike>install status.net on my development instance</strike>
** <strike>requires PHP, MySQL</strike>
** <strike>PHP must have support for Curl, XMLwriter, MySQL, GD, mbstring, gettext (all required for status.net), SQLite (to read configuration databases)</strike>
** will need to pre-configure it for security and usability
** <strike>Need to hack the mnml theme to be more mobile friendly.</strike>
** Delete the unneeded themes and add-ons to save space, reduce potential attack surface.
** Add-ons are not enabled by default.  To turn one on you have to manually edit config.php and add lines for each one.  This is moderately safe.  Consider making config.php read-only with instructions for editing it later?
** <strike>will need to write a sub-config file for Apache</strike>
** <strike>configure for longer messages - 560 characters?</strike>
** configure to make it easy to set up accounts on a node - no e-mail verification
** <strike>enable image upload and display</strike>
** There is a subtle problem: the hostname of the node ($config['site']['server'] = 'name of node here';) must be set correctly in config.php for themes to display properly.  However, this requires that the clients have working DNS, which means three things:
*** <strike>DNS (dnsmasq) must be functional on the node.</strike>
*** <strike>Clients must have hostnames configured by the node.</strike>
*** <strike>Clients must have DNS configured as the node it got its information from so that hostnames can be resolved properly.</strike>
* <strike>Write a web app that (de-)configures gateway mode for babeld.  I think it's a matter of pushing a route to 0.0.0.0 or not, have to read up on it.</strike>
* <strike>Installed the pre-converted MySQL Porteus package from the distro-download archive.</strike>
** <strike>Need to pre-configure MySQL for small-ish systems</strike>
** <strike>Need to pre-harden MySQL</strike>
** Change the default password to something else.
** Need to pre-create accounts, databases for all web apps and give them strong passwords.  They need to be ready to go when they're started up.
* Harden /etc/sysctl.conf!
* In /network/wireless, do some kind of "please wait, this could take a while" popup.
[[Category:Byzantium]]