LiteSpeed Support Forums > External Applications > Ruby/Rails > Accounts / security tips ?

#1  09-25-2006, 04:06 AM
thbar (Member; joined Sep 2006; 33 posts)
Accounts / security tips ?

Hi!

I'm willing to learn more about the recommended way(s) to setup the various accounts and rights etc on a LSWS+Rails deployment platform.

Here's my configuration:
- ubuntu 6.06 on a dedicated box
- capistrano 1.2.0 and rails 1.1.6
- the latest LSWS / free edition is up and running (I'm about to install the LSAPI gem), running as nobody (the default in the LSWS installation), on ports 8088 and 7080 (default)
- SSH and LSWS admin access is restricted by IP

I'm using an admin user (= one who sudoes on demand) under capistrano.

Should I create a custom user instead of nobody ? Should I use suExec ? Is there anything else recommended ?

Any tips / caveats are most welcome!

cheers

Thibaut

#2  09-25-2006, 09:10 AM
xing (LiteSpeed Staff; Los Angeles, California; joined Oct 2003; 380 posts)
1) Security through the most minimal configuration possible, to reduce human/system errors.

Remove any and all unused external applications and listeners.

2) Instead of nobody, use a custom user like "lsws", just for ease of management's sake. There could be other processes on the system running as nobody.

3) Use suEXEC. Create a user just for Ruby/Rails.

http://www.litespeedtech.com/support...api_php_suexec

4) Block ANY and ALL administrative URLs/links/paths to your general application via the public port/listener. For example, if your Ruby app binds http://toast.com/admin/ to the admin interface, block access to it via context rules or remove the /admin/ routing completely from the Rails app.

Just because the admin panel is password protected doesn't mean it's secure.

Security is different for everyone, so mix and match your personal paranoia with practical solutions. Paranoia is not a bad word when it comes to security. =)
#3  09-25-2006, 09:27 AM
thbar (Member; joined Sep 2006; 33 posts)
Hi Xing

thanks a lot for the whole list, it's really appreciated!

One last question before I proceed: how would you recommend setting up the access rights of the Rails code under that setup? Should the files be owned by the dedicated Rails user you describe?

cheers

Thibaut
#4  09-25-2006, 09:53 AM
mistwang (LiteSpeed Staff; New Jersey; joined May 2003; 7,603 posts)
All files can be owned by the Rails user, or only a few directories can be owned by the Rails user, for better security.

When LSWS starts a Rails app in suEXEC mode, it uses the owner of the public folder, so you can create a user for each of your Rails applications if you want. You need to make 'public', 'log' and 'tmp' owned by the user you created; other folders can be owned by root or another user as long as they are readable by the Rails user. That will give you the best security.
#5  09-25-2006, 09:55 AM
xing (LiteSpeed Staff; Los Angeles, California; joined Oct 2003; 380 posts)
Yes. The easiest way is to create a new user for each Ruby app. For example, "rblog" if it's a Ruby on Rails blog. Just do chown -R rblog:rblog on the root directory of the Rails app. If suEXEC is properly configured, the ruby process will launch as "rblog".
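Putting xing's one-user-per-app advice (#2, #5) and mistwang's ownership layout (#4) into a script, as an added example that is not from the thread or from LiteSpeed: public/, log/ and tmp/ owned by the app user (suEXEC takes the process user from the owner of public/), the code owned by root and readable but not writable by the app user, plus an audit that checks an existing tree against that layout. It assumes GNU coreutils (stat -c, find ... {} +) and a Rails 1.x directory layout; the user name "rblog" and the path "/srv/rblog" are placeholders, not names from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from LiteSpeed.
# Applies and audits the per-app ownership layout for a Rails app started
# by LSWS in suEXEC mode.  Assumptions: GNU coreutils (stat -c, find -exec
# {} +), a Unix user created for the app (e.g. "rblog"), and a Rails 1.x
# tree with the usual app/ config/ db/ lib/ public/ log/ tmp/ directories.
# "/srv/rblog" and "rblog" are placeholders, not names from the thread.

# Directories the running app must own or write to: suEXEC takes the
# process user from the owner of public/, and Rails writes log/ and tmp/.
RUNTIME_DIRS="public log tmp"
# Code the app should only read: if it cannot write here, a compromised
# app cannot rewrite its own controllers or database.yml.
CODE_DIRS="app config db lib script vendor"

# setup_rails_app_ownership ROOT APP_USER [CODE_OWNER]
# Strict layout: code owned by CODE_OWNER (default root), readable by the
# app user's group only; public/ readable by everyone so the web server
# user (e.g. "lsws") can still serve static files; log/ and tmp/ private
# to the app user.  Needs root.
setup_rails_app_ownership() {
    root=$1; app_user=$2; code_owner=${3:-root}
    group=$(id -gn "$app_user") || return 1
    chown -R "$code_owner:$group" "$root" || return 1
    chmod -R u=rwX,g=rX,o= "$root" || return 1
    chmod o=x "$root" || return 1        # server user may traverse to public/
    for d in $RUNTIME_DIRS; do
        mkdir -p "$root/$d" || return 1
        chown -R "$app_user:$group" "$root/$d" || return 1
    done
    chmod -R u=rwX,go=rX "$root/public" || return 1
}

# check_runtime_dirs ROOT APP_USER
# public/, log/ and tmp/ must exist and be owned by APP_USER; a wrong
# owner of public/ means suEXEC starts the app as the wrong user.
check_runtime_dirs() {
    root=$1; app_user=$2; rrc=0
    for d in $RUNTIME_DIRS; do
        if owner=$(stat -c %U "$root/$d" 2>/dev/null); then
            if [ "$owner" != "$app_user" ]; then
                echo "BAD-OWNER $root/$d is owned by $owner, expected $app_user"
                rrc=1
            fi
        else
            echo "MISSING $root/$d"
            rrc=1
        fi
    done
    return $rrc
}

# check_code_dirs ROOT APP_USER
# Nothing under the code directories may be owned by APP_USER or be
# group/world-writable (an octal mode whose last two digits contain a
# write bit: 2, 3, 6 or 7).  Every file is checked, not just the top dir.
check_code_dirs() {
    root=$1; app_user=$2; crc=0
    for d in $CODE_DIRS; do
        [ -d "$root/$d" ] || continue
        bad=$(find "$root/$d" -exec stat -c '%U %a %n' {} + |
              awk -v u="$app_user" '$1 == u || substr($2, length($2) - 1) ~ /[2367]/')
        if [ -n "$bad" ]; then
            printf '%s\n' "$bad" | sed 's/^/WRITABLE-BY-APP /'
            crc=1
        fi
    done
    return $crc
}

# audit_rails_app ROOT APP_USER: run both checks; exit status 0 only if
# the tree matches the layout.
audit_rails_app() {
    failed=0
    check_runtime_dirs "$1" "$2" || failed=1
    check_code_dirs "$1" "$2" || failed=1
    [ "$failed" -eq 0 ] && echo "OK: $1 matches the suEXEC layout for user $2"
    return $failed
}

# Usage: sh rails_suexec_layout.sh /srv/rblog rblog   (audit only; run
# setup_rails_app_ownership /srv/rblog rblog as root to apply the layout)
if [ -n "${2:-}" ]; then
    audit_rails_app "$1" "$2"
fi
```

The audit deliberately walks every file under the code directories: a root-owned config/ with an rblog-owned database.yml inside is still writable by the app, which is the case a plain `chown -R rblog:rblog` leaves you in. The setup function keeps public/ world-readable and the app root traversable (o=x) because static files are served by the web server user, not by the suEXEC user; if you instead put the server user in the app's group, you can tighten those two modes.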
#6  09-26-2006, 02:30 AM
thbar (Member; joined Sep 2006; 33 posts)
Perfect. Thanks!

Thibaut
#7  09-26-2006, 08:35 AM
thbar (Member; joined Sep 2006; 33 posts)
Quote (originally posted by xing):
    4) Block ANY and ALL administrative URLs/links/paths to your general application via the public port/listener. For example, if your Ruby app binds http://toast.com/admin/ to the admin interface, block access to it via context rules or remove the /admin/ routing completely from the Rails app.
    Security is different for everyone, so mix and match your personal paranoia with practical solutions. Paranoia is not a bad word when it comes to security. =)
Is it fine if I have firewall rules to forbid access to the LiteSpeed admin except for a few trusted IP addresses, and if I have IP restrictions as well under the LiteSpeed admin context?

cheers

Thibaut
#8  09-26-2006, 09:01 AM
thbar (Member; joined Sep 2006; 33 posts)
I've also created a new Rails context (same values as the one created by EasyRailsWithSuEXEC, but with URI = '/admin' and IP restrictions, and placed it first in the chain).

Is that what you meant ?

thanks!

Thibaut
#9  09-26-2006, 11:57 AM
mistwang (LiteSpeed Staff; New Jersey; joined May 2003; 7,603 posts)
Quote:
Is it fine if I have firewall rules to forbid access to the litespeed admin except for a few trusted IP addresses, and if I have IP restrictions as well under the litespeed admin context ?
That's fine.

Quote:
I've also created a new Rails context (same values as the one created by EasyRailsWithSuEXEC, but with URI = '/admin' and IP restrictions, and placed it first in the chain).
If your Rails application is mounted at URI '/', URI '/admin' probably does not work if you just add it as a "Rails" context; you need to add a "static" context with URI "/admin", add access rules, and put "ErrorDocument 404 /dispatch.lsapi" in "Apache style configuration".
Anyway, if '/admin' is password protected, you don't have to do that.

All times are GMT -7.
© Copyright 2003-2011 LiteSpeed Technologies, Inc. All rights reserved.
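The firewall half of thbar's question (#7), which mistwang confirms (#9), as an added example that is not from the thread or from LiteSpeed: iptables rules that let only a few trusted addresses reach the admin listener on 7080 and drop everything else, printed for review before being applied. It assumes iptables on an IPv4 host; 203.0.113.10 and 198.51.100.0/24 are documentation addresses standing in for your trusted IPs, not addresses from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from LiteSpeed.  Host
# firewall rules that limit the LSWS admin listener (port 7080 in the
# thread) to a few trusted addresses, on top of the IP restriction set on
# the admin context itself.  Assumes iptables (IPv4); 203.0.113.10 and
# 198.51.100.0/24 are documentation addresses used as placeholders.

ADMIN_PORT=7080

# admin_port_rules PORT IP [IP...]
# Print the iptables commands instead of running them, so they can be
# reviewed first.  Order matters: every ACCEPT is appended before the
# final DROP, and nothing earlier in INPUT should already match the port.
admin_port_rules() {
    port=$1; shift
    [ "$#" -ge 1 ] || { echo "admin_port_rules: need at least one trusted IP" >&2; return 1; }
    for ip in "$@"; do
        # Rough sanity check: digits, dots and an optional /prefix only, so
        # a stray shell metacharacter can never reach the generated command.
        case $ip in
            ""|*[!0-9./]*) echo "admin_port_rules: bad IPv4 address: '$ip'" >&2; return 1 ;;
        esac
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$ip"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# apply_admin_port_rules PORT IP...: generate and run the rules (needs
# root).  Keep your existing SSH session open and confirm :PORT still
# answers from a trusted address before logging out, so a typo in the
# address list cannot lock you out of the admin interface.
apply_admin_port_rules() {
    rules=$(admin_port_rules "$@") || return 1
    printf '%s\n' "$rules" | sh -e
}

# Usage: sh admin_port_fw.sh 203.0.113.10 198.51.100.0/24   (prints rules)
if [ -n "${1:-}" ]; then
    admin_port_rules "$ADMIN_PORT" "$@"
fi
```

These rules protect only the admin listener. The application's own /admin on the public listener (8088 in the thread) still needs the context rule mistwang describes, because a firewall cannot tell those requests apart from ordinary ones on the same port. If the admin listener also binds an IPv6 address, repeat the rules with ip6tables, and add them to whatever restores your firewall at boot, or they disappear on the next reboot.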