This patch, primarily to hosting but also to provision, allows each site to store a port that its virtualhost should be associated with. This way, for instance, Aegir can manage sites that use SSL encryption without problems in the virtualhost template. In its current state it is implemented as a simple field in the hosting_site table that gets passed through to provision.

My next step will be to store a list of acceptable ports on a per web-server basis, and then on the UI for creating sites only allow selecting from the ports enabled for the associated server. This is only a UI change, and I was thinking of just storing the allowed values as a comma separated or serialized array in the web_server table.

However, I have also considered that maybe this should be made into an optional module, very similar to the aliases module. Provision would default everything to 80 as before if it didn't exist, otherwise the module would provide the correct port for the site. There would be a new table of ports associated with each web_server from which each site could choose one. This is probably a cleaner solution that I might try next.

Comments appreciated,
David

CommentFileSizeAuthor
#15 hosting.port_.5.patch19.47 KBDavid Goode
#9 hosting.port_.4.patch19.22 KBDavid Goode
#9 provision.port_.4.patch3.25 KBDavid Goode
#9 provision_apache_server.tpl_.php.txt220 bytesDavid Goode
#2 hosting.port_.3.patch16.79 KBDavid Goode
#1 hosting.port_.2.patch16.77 KBDavid Goode
provision.port_.patch1.25 KBDavid Goode
hosting.port_.patch6.3 KBDavid Goode
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

David Goode’s picture

David Goode CreditAttribution: David Goode commented
FileSize
hosting.port_.2.patch16.77 KB

Preliminary 2nd version that allows per-server settings. Use with caution, will test better tomorrow :-)

David Goode’s picture

David Goode CreditAttribution: David Goode commented
FileSize
hosting.port_.3.patch16.79 KB

new patch, minor mods

anarcat’s picture

anarcat CreditAttribution: anarcat commented

Thank you for this work. This will be very useful when implementing #394452: Full SSL support, so try to keep that in mind.. I like the idea of having this a separate module: I think it should be simple enough to tear it out in a separate module with proper use of form_alter (?). In the backend, $site_port could just be defaulted to 80 in the templates when not defined.

One thing that is not taken into account in your backend code is that nothing special is done for port 443 (while https:// is specified in the frontend), so that's kind of broken.

anything else missing so this can be "needs review"?

adrian’s picture

adrian CreditAttribution: adrian commented

I've been evaluating this for inclusion into a contrib module, and i'm having trouble seeing how to cleanly split it up.

Mostly because doing this the right way ( setting up available ports on the web server, and adding an optional port selection in the site creation form if there is more than one available port and the user has the right permissions), involves modifying the javascript we have.

Also, i'm working on adding a new directory in provision which allows you to override templates. You could add a conditional to the template to add the cert to the vhost if the port is 443. This is a bit of a ghetto way to do it, but it will work for our purposes.

adrian’s picture

adrian CreditAttribution: adrian commented

If we don't do this in a module, I'd still like to see conditionals around the user interface parts of this, that are only activated when the experimental feature for non-standard ports is enabled.

I'm willing to make that concession if the easiest way to include this functionality is via a patch and not a module. The very fact that this is so tricky illustrates that we need to look at the API surrounding the site node page.

adrian’s picture

adrian CreditAttribution: adrian commented

Also, we need to set up the NameVirtualHost entries somehow, so that probably means introducing a web server vhost file

will apache barf if we declare them multiple times?

hutch’s picture

hutch CreditAttribution: hutch commented

As long as each NameVirtualHost is different apache will accept them.
NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443

NameVirtualHost 5.6.7.8:80
NameVirtualHost 5.6.7.8:443
and so on

Each virtual host container will need to reflect this:

<VirtualHost 1.2.3.4:80>
...
</VirtualHost>

and so on

port 443 must have a specified ip address as the ssl cert is for a specific domain or *.domain

adrian’s picture

adrian CreditAttribution: adrian commented

BTW. provision already has a 'web_port' defaulted to 80, so we should change the parameter to that.

David Goode’s picture

David Goode CreditAttribution: David Goode commented
FileSize
provision_apache_server.tpl_.php.txt220 bytes
provision.port_.4.patch3.25 KB
hosting.port_.4.patch19.22 KB

Hey,

Now as per adrian's suggestions: 1) there is a permission to change the site port from default as well as a feature to enable overriding the default at all. The db changes are present regardless though. 2) platform verify now creates a little servername.server config file which has namevirtualhost directives for all supported ports. This may be redundant for port 80 with the default aegir site vhost file but that doesn't appear to be an issue for apache. Somewhat inelegant perhaps? We could remove the namevirtualserver *:80 from that file (copied/modified from hostmaster/apache2.conf.txt) if it doesn't have ramifications. Is the platform verify run after install, so that this line won't be necessary to access the site? 3) when changing allowed ports, the server creates verify tasks for all its platforms.

David

anarcat’s picture

anarcat CreditAttribution: anarcat commented

Okay, that's good. I still need to review the actual code but it makes sense in theory. Note that we will eventually migrate server-side settings to a server-wide config file (think /etc/aegir/config) so that you will not need to reverify all platforms.

Also, don't you need to make sure apache listens on the given port? In addition to NameVirtualHost, i feel you would need to add a Ports directive...

David Goode’s picture

David Goode CreditAttribution: David Goode commented

That's possible, but it depends how far we want to go with this? Honestly I wasn't totally sure of the necessity of the NameVirtualServer directive originally. We're never going to be able to change firewall settings, create dns records, etc for all these ports. To me, the user was responsible for setting them up, and then just telling Aegir about the available ports--it's more of an informational setting than one that aegir acts upon, and i was even thinking of trying to autodetect the ports on which apache was listening for the default value (command line ways to do this exist, but require sudo). Listen seems to fall under the user responsibility...namevirtualserver seemed borderline, but given that it's necessary and fairly harmless when duped, I went ahead with it.

David

omega8cc’s picture

omega8cc CreditAttribution: omega8cc commented

Maybe it could be possible to just keep config templates ready to use valid SSL cert (when uploaded), but if no cert is uploaded, default self-signed will be used (like in Webmin) to avoid duplicating templates for SSL/noSSL and to avoid building another modules just to have conditional including valid/selfsigned cert?

And one more thing: also SSL is much simpler in Pound: http://drupal.org/node/394452#comment-1807564

~Grace

anarcat’s picture

anarcat CreditAttribution: anarcat commented

@david - i don't see how you would need to create DNS records for separate ports. Changing firewall settings could be desirable, but that would be in a separate module. My point is that we shouldn't define policy: it could be nice to allow arbitrary port, and let the admin decide what those proper ports should be, out of the box, per server. In other words, once you let the policy in the hands of the Admin, which controls Aegir mostly through the frontend, you should make Aegir apply that policy, through Ports/Listen and NameVirtualHosts. That may be a bit too advanced to start with and could start with just detecting the setting (and sudo is fine here).

@omega8cc - please keep SSL stuff in the ssl issue. :) This issue is about ports, which are required for SSL, but have a life of their own.

adrian’s picture

adrian CreditAttribution: adrian commented
Status: Needs work » Needs review

Testing now, it's looking very promising.

only small issue i have so far is that the port field is at the top of the list.

While it makes some conceptual sense to have it right below the domain field, I feel it is less usable there, because the field is populated based on fields underneath it.

So when filling out the form, if you change the platform it changes something you already thought you had filled in.

David Goode’s picture

David Goode CreditAttribution: David Goode commented
FileSize
hosting.port_.5.patch19.47 KB

Hey,

Quick new patch that puts it below platform.

David

adrinux’s picture

adrinux CreditAttribution: adrinux commented

@David Goode since you're obviously deep in code already...any idea how this will affect installing aegir on a non-standard port? See http://drupal.org/node/566410

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Status: Needs work » Needs review

So these patches work well in my tests. So far I see only a few additions that could be made, and they are mostly aesthetic:

1) Links to the site from the Aegir frontend, such as the 'Site:' field at the top of task output, the 'Go to site' link in the Site view (node view) the 'Login url" one-time login reset hash, should add the custom port as a suffix if the port is not 80 or 443, and if 443 should change the http:// prefix to https://

2) The choice of port on site creation is currently single radio box: in my mind we should offer checkboxes and allow for the creation of multiple vhost entries (this will lead in to sites being accessible both via HTTP and over SSL)

Otherwise, great!

(Various edits: please ignore me, i'm clearly on drugs: you had already got the 'Go to site' link working sanely and I was checking the wrong url, and the link to the Site in task output is actually a link to the site node in Aegir, so is irrelevant here. Many apologies! So the only things that need to change are the onetime login url and the welcome email sent to the user.

anarcat’s picture

anarcat CreditAttribution: anarcat commented
Status: Needs review » Needs work

I agree with 1) we shouldn't break the site link.

I also agree with point 2) although I don't think it's a blocker.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Status: Needs review » Needs work

(removed, covered above in earlier comment)

anarcat’s picture

anarcat CreditAttribution: anarcat commented
Status: Needs work » Fixed

So I fixed the welcome link and committed that to CVS already. One thing I still not sure about is the "foo.server" file. Frankly, it doesn't seem like a good idea to me.

First, we already defined NameVirtualHost in the vhost file installed with Aegir

Second, it's not enough: I had to do a Listen directive to make sure apache would listen on that port.

Third, I think I would rather leave that to the admin than to let Aegir fiddle with those kind of configurations. It could easily lead to a serious denial of service attack (think Listen 22 or 25) if the Drupal is compromised. For me, the ports listened to (along with the NameVirtualHost directives) are part of the server configuration, and lay outside of Aegir.

Fourth, it's insecure: someone could create a "localhost.server" site and overwrite that file.

I would like to see the reverse: the "server verification" step (yet to be done) would check the apache configuration (apachectl -S) and would detect the ports it would be running as, and send that to the frontend.

I will still commit the code as is (with the fixes for the URL stuff), but I am considering reverting the server configuration part for now.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.