Siduction Forum

Siduction Forum => Software - Support => Topic started by: jaegermeister on 2015/11/09, 16:00:32

Title: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/09, 16:00:32
Hello Dev Team,

in order to provide a new service from my siduction main box, I had to install nginx.
To my utter surprise, port 80/tcp was already booked. It turned out that it's the pywwetha server, which provides the pages of sidu-manual, occupying it.

Now, in order to dispose of standard port 80, of course I could edit /etc/pywwetha/pywwetha.conf manually, and then maybe try to also edit sidu-manual somewhere, but this would result in an uncustomized and unsupported config, also due to be wiped away at next package upgrade of the python server or manual.

Right now it's instead nginx being configured on port 81 :(, but there could also be further software, besides plain webservers, conflicting with pywwetha for port 80.

MY IDEA: wouldn't it be better to configure pywwetha by default to serve sidu-manual files on some high port above 20000 or 30000 in order to avoid conflicts with software using port 80?

THX
Title: Re: sidu-manual and pywwetha on port 80
Post by: piper on 2015/11/09, 16:07:20
http://forum.siduction.org/index.php?topic=5880.0;topicseen
Title: Re: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/09, 16:26:42
Interesting answer.

So the real problem would be standard nginx config.
And this gets "solved" by introducing another problem, i.e. pywwetha struggling on port 80?

Looks like the correct answer would be fixing both packages, not the status quo.

Plus, this is based on the hypothesis that someone should necessarily use a webserver to serve pages on the web. There are many other uses, e.g. serving files on the intranet, especially if one happens to consider that we're talking about a sid box which mostly works as a desktop (otherwise why worry with distro man pages) and not as a server 24/7.

Why should one be obliged to write a fixed address in webserver config, when he, for instance, can change the interface IP address depending on the projects he's working at or just wants to browse http://localhost/something by the same machine?

I disagree with the defaults.
Title: Re: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/09, 16:42:12
Also, please consider that this pretty basic config doesn't work when browsed by http://localhost or http://127.0.0.1, giving the error "refused connection".

Code:
user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    include            mime.types;
    default_type        application/octet-stream;
    index            index.html index.htm;
    keepalive_timeout    65;
    sendfile        on;
    server_tokens        off;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
   
   
        location / {
                root            /var/www/html;
                autoindex        on;
                autoindex_exact_size    on;
        }


    }
}
Title: Re: sidu-manual and pywwetha on port 80
Post by: melmarker on 2015/11/10, 01:58:43
Why should it work? I'm really interested, i'm not so familiar with webservers.
Title: Re: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/10, 09:50:04
If you for instance change port to 81 it works.
Same config.
Title: Re: sidu-manual and pywwetha on port 80
Post by: melmarker on 2015/11/10, 14:05:35

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;


You get me wrong - why listen to 80? To be true, that's not that smart and you know the reasons. And things become worse. Next time one will install both apache and nginx - only one server will start. So please: Bind a server to an address and a port.
Title: Re: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/10, 16:16:39
Why listen to port 80?


Because it's a standard. For instance, browsers work without specifying it in the address.
I don't see any danger in running an intranet webserver on port 80. Of course on machines open to the internet which provide critical services authenticated and managed through http I usually avoid port 80 but... public servers, for instance, have to run on port 80, again, because that's the standard (imagine average Joe having to type http://google.com:62856). And when the port is other than 80, this usually gets serviced by the router/firewall with nat static routes, to a server which runs more defaults than possible (usually also port 80) on the LAN to a very high port number on the WAN. This is common network administrator practice. Having a different port on LAN doesn't add anything to security.


So, the usual main reason to change a port from default 80 is in the case that two concurrent servers are running. The logic criterion usually is: keep mainstream apps on standard defaults and provide special settings to special apps.


In our case sidu-manual is the special app, while nginx, Apache, whateverhttpd are the standard apps, candidates for port 80.
This would simplify life and do absolutely no harm to security: after all one's gotta configure his own server and there is no space for cut&paste within the realm of security.
Title: Re: sidu-manual and pywwetha on port 80
Post by: melmarker on 2015/11/10, 16:58:42
hell, i give up
Title: Re: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/10, 17:59:31
Getting into practice: besides changing port number in pywwetha.conf, what else should be changed within sidu-manual package?
Title: Re: sidu-manual and pywwetha on port 80
Post by: melmarker on 2015/11/10, 18:12:10
the server part possibly - but that leads to some other activities

and btw, listen 127.0.0.foo:80 .. and [::foo]:80 with foo <> 86 will solve the problem with nginx, it will solve the problem with any other webserver too. and foo=1 will solve the problems with localhost
Title: Re: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/10, 18:33:56
The localhost part is OK.


What about a couple of local interfaces, say eth0 and eth1, whose address can change (especially eth1), depending on the project? For instance eth0 can be on dhcp (alas, in some networks it could be static dhcp) while eth1 would always be 10.some.thing or 192.168.some.thing etc.


This means that if a machine hooked up to one of those networks wants to browse the files served I have to manually edit nginx.conf every time depending on my ip. Which is practically a hassle. And these ips do change really often, because that depends on the network I have to create (emulating foreign environments).


If sidu-manual already runs on 127.0.0.86, it would be great if it could run on some exotic high port too.


Then, I completely agree with you that a policy to enforce better configs in webserver could be needed, and this could be practically done by issuing a siduction package of those servers with better out of the box *.conf, even though, as we all know, there's no such thing as a sane default.



Title: Re: sidu-manual and pywwetha on port 80
Post by: melmarker on 2015/11/10, 19:20:39
The only sane default in case of debian would be a not configured service unable to start out of the box with all needed configurations as a sane, documented out suggestion. Nothing less, nothing more - a webserver should not start directly after installation. (nor any other non desktop service should)

The user (better sysadmin/webadmin) should be forced to set some basic values manually. But that will remain only a dream.
Title: Re: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/11, 00:30:49
Yes, no server providing "external" services should start by default after install, however this could also be mitigated by putting up the most harmless config possible: in case of webserver the school example is the config that just serves a static page with "hello world!", or a mailserver that just listens to 127.0.0.1:25.

Maybe more could be obtained by following the *BSD strategy, which is also providing config examples in a separate dir, although the netbsd way (just providing those and zero initial config) might be too extreme, annoying and, frankly, counterproductive in terms of user appeal. I believe that some configs with averagely sane defaults plus extra examples could be the right way.


This said, we still have on the table the port 80 conflict.
Title: Re: sidu-manual and pywwetha on port 80
Post by: piper on 2015/11/11, 00:31:16
eth0 and eth1

Does anybody still have this anymore ?

I thought enp0/wlp0 are standard now
Title: Re: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/11, 00:34:45
My du being behind schedule, the kernel is too.
Title: Re: sidu-manual and pywwetha on port 80
Post by: melmarker on 2015/11/11, 01:46:50
For your port 80 issue - i don't think this is exactly a (web)server problem - i think it should be solved before the ip:port/service thingy - and this leads to another mechanism - iptables i guess.

If this is feasible this would solve the problem i think - but i have absolutely no knowledge of iptables - one of the things i wanted to learn this year. But my plans changed rapidly within a week in August - DebConf 2015 and bringing LXQt to debian.

Edit: if this is possible - we could only filter and handle this one address/port - but as i said - it's a wild guess.
Title: Re: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/11, 12:54:53
Not really. I always adhere to KIS rule, the simpler - the better, and this especially applies to the criteria of a general fresh install vanilla config.

Adding a new element to complicate the equation, whose management is btw far away from being simple, in order to manage a conflict of two elements which can be easily settled by reconfiguring the local port of the non-standard one of them, just adds clutter without hitting the target.

Btw, why is the IP:port security constraint wished for general webserver not also applied for pywwetha? Instead of getting across other services, it should just listen on requests *specifically* made on 127.0.0.86, thing which at the moment does not happen, thus generating this mess. Clearly, it's this python server poor on config side, but introducing iptables to fix its poor design would be too much.

The real solution to this problem, as already filed by musca http://bugs.siduction.org/issues/1800 (funny that we came to the same conclusion independently in the same days!), is changing pywwetha default port and making sidu-manual point to it, or, at least, obliging pywwetha to somehow (no iptables) listen just on 127.0.0.86 without interfering with other IPs. This would be benefitting universally all users.

Should this not happen, alternatives would be:
- editing nginx.conf every time addresses change on interfaces
- apt-get purge sidu-manual pywwetha

Guess which one I would choose.
Title: Re: sidu-manual and pywwetha on port 80
Post by: melmarker on 2015/11/11, 16:47:58
erm - not really true - pywwetha listens to exactly 127.0.0.86 - therefore pywwetha claims ownership for this combination - and prevents other servers from starting because they want to handle the whole address range. And exactly this triggers the conflict.

And i'm not strictly against using :81 or 82 - but that means that local urls with this port are fugly and this must be tested (also in any means of the real uwsgi?? server part :D) - and i don't know how much time for programming and testing is needed. So if it is easy to implement - and reliable - implement it, test it for the installer too and if manual and installer work reliably i'm happy to merge your changes.

To be true - i would prefer a solution without programming and testing, a local webserver with your needs is not the most common configuration for a desktop OS.

Edit: i would simply choose to remove pywwetha - the manual is available online. But the local manual makes sense for live machines without internet connection or installed machines without internet connection at all. In this context i beg to understand my position and that i'm not that eager to 'fix' this.
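The bind conflict described in the post above, and the effect of the earlier "listen 127.0.0.1:80" suggestion, as an added example that is not part of the thread or of pywwetha's code. It assumes Linux (where every 127.x.y.z address is on the loopback interface) and uses a kernel-chosen port instead of 80 so it runs without root.

```python
import errno
import socket

MANUAL_ADDR = "127.0.0.86"   # address the thread says pywwetha listens on


def listen_on(addr, port):
    """Bind and listen on addr:port; return the socket or raise OSError."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        s.listen(1)
    except OSError:
        s.close()
        raise
    return s


def try_bind(addr, port):
    """Return 'ok' if addr:port can be bound, else the errno name."""
    try:
        listen_on(addr, port).close()
        return "ok"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))


def demo():
    # Stand-in for pywwetha: one specific loopback address, port picked by
    # the kernel (constructed; the real service used port 80).
    manual = listen_on(MANUAL_ADDR, 0)
    port = manual.getsockname()[1]
    try:
        return {
            # nginx "listen 80;" is a wildcard bind: collides with the above
            "0.0.0.0": try_bind("0.0.0.0", port),
            # "listen 127.0.0.1:80;" names a different address: no collision
            "127.0.0.1": try_bind("127.0.0.1", port),
            # a second server on the manual's own address collides again
            MANUAL_ADDR: try_bind(MANUAL_ADDR, port),
        }
    finally:
        manual.close()


if __name__ == "__main__":
    for addr, result in demo().items():
        print(f"{addr:<12} {result}")
```
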
Title: Re: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/11, 17:40:57
I am right now investigating.

As for the port, I completely agree with you that 81, 82, etc. wouldn't be the perfect solution. Something like 54321 could be more the right choice.
Title: Re: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/11, 17:54:09
It works here:

# diff /etc/pywwetha/pywwetha.conf.old /etc/pywwetha/pywwetha.conf
Code:
10c10
< port=80
---
> port=54321
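Review bot: Changing `port=80` to `port=54321` moves the listener out of the privileged range (below 1024), so pywwetha no longer needs root to bind, but neither does anyone else: on a multi-user machine another local account can bind 54321 first and answer in place of the manual. Worth stating in the bug report whether that is acceptable for this package, and adding a comment next to `port=` that records why this number was picked.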


# diff /usr/bin/sidu-control.old /usr/bin/sidu-control
Code:
57c57
<                       x-www-browser http://$VIRTHOST
---
>                       x-www-browser http://$VIRTHOST:54321
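Review bot: The literal `54321` in `x-www-browser http://$VIRTHOST:54321` duplicates the value set in /etc/pywwetha/pywwetha.conf, so the two drift apart as soon as an admin edits `port=` there and the browser then opens a dead URL. Suggest defining the port once (for example a variable set where `$VIRTHOST` is set, or a value read from pywwetha.conf) and referencing it here.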
60c60
<                       www-browser http://$VIRTHOST
---
>                       www-browser http://$VIRTHOST:54321
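Review bot: On the `www-browser` fallback line the URL argument is unquoted, as it is on line 57; since both lines are being touched anyway, write the argument as `"http://$VIRTHOST:54321"` so an empty or space-containing `$VIRTHOST` cannot split into extra arguments. This assumes sidu-control is a shell script, which the `$VIRTHOST` syntax suggests.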
Title: Re: sidu-manual and pywwetha on port 80
Post by: der_bud on 2015/11/12, 15:53:07
Quote from: piper
eth0 and eth1

Does anybody still have this anymore ?

I thought enp0/wlp0 are standard now

AFAIK they are standard for new installations but ethX is kept on existing installations until Debian 10. You might want ;) to read
 /usr/share/doc/udev/NEWS.Debian.gz
 /usr/share/doc/udev/README.Debian.gz
Title: Re: sidu-manual and pywwetha on port 80
Post by: piper on 2015/11/13, 10:33:24
Quote from: der_bud
Quote from: piper on November 10, 2015, 06:31:16 PM (http://forum.siduction.org/index.php?topic=5886.msg48401#msg48401)
eth0 and eth1

Does anybody still have this anymore ?

I thought enp0/wlp0 are standard now

AFAIK they are standard for new installations but ethX is kept on existing installations until Debian 10. You might want ;) to read
 /usr/share/doc/udev/NEWS.Debian.gz
 /usr/share/doc/udev/README.Debian.gz

Read ?

Does it have diagrams ?

Can't I be spoonfed  ;)
Title: Re: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/13, 11:16:57
Hello Sirs,


rather than going off-topic, two messages ago I have posted a *working* patch to the bug filed by musca.
Who is responsible to put that in place?
THX
Title: Re: sidu-manual and pywwetha on port 80
Post by: jaegermeister on 2015/11/24, 12:54:12
It looks like this topic got forgotten: is anybody taking care of patching?
THX