[arch-general] need advices for the perfect web toolbox
Dear list,
currently following the Sun certified web component developer course, I want to set up a http web server @ home to practice. I plan to virtualize an Arch server on my Arch box. I know we can talk about pro/con for hours, but I am interested in knowing your advice about the following apps:
-http server : Apache or Nginx (curious to test the latter)
-container for my servlets : Tomcat ?
-secure ftp server : ???
maybe a mail server: ???
I guess ssh will be the best way to talk to the server. Maybe other stuff I forgot? What is the most common and simple way to secure the whole stuff without losing too much responsiveness?
Thank you for your advice. Regards.
[2012-12-14 12:51:20 +0100] arnaud gaboury:
> I want to set up a http web server @ home to practice. I plan to virtualize an Arch server on my Arch box.
So you want to run a Web server inside a virtual machine?
> -container for my servlets : Tomcat ? -secure ftp server : ??? maybe a mail server: ???
Then, what are those things for?
> What is the most common and simple way to secure the whole stuff without losing too much responsiveness?
Virtual machines are very secure, responsive enough for your needs, and fast enough too if you have hardware support.
Now this mailing list is not the place for opinion polls. However the wiki will give you all the information you need about Web servers, FTP servers, mail servers, etc. For instance:
https://wiki.archlinux.org/index.php/Category:Virtualization
-- Gaetan
On Dec 14, 2012 1:21 PM, "Gaetan Bisson" <bisson@archlinux.org> wrote:
> [2012-12-14 12:51:20 +0100] arnaud gaboury:
> > I want to set up a http web server @ home to practice. I plan to virtualize an Arch server on my Arch box.
> So you want to run a Web server inside a virtual machine?
> > -container for my servlets : Tomcat ? -secure ftp server : ??? maybe a mail server: ???
> Then, what are those things for?
> > What is the most common and simple way to secure the whole stuff without losing too much responsiveness?
> Virtual machines are very secure, responsive enough for your needs, and fast enough too if you have hardware support.
> Now this mailing list is not the place for opinion polls. However the wiki will give you all the information you need about Web servers, FTP servers, mail servers, etc. For instance:
> https://wiki.archlinux.org/index.php/Category:Virtualization
> -- Gaetan
As I am not in the IT industry, I thought I could benefit from the community user experiences. That's the way I understand the community notion. Will deal by my own.
[2012-12-14 16:41:44 +0100] arnaud gaboury:
> As I am not in the IT industry, I thought I could benefit from the community user experiences. That's the way I understand the community notion.
Sure, but unless you have more specific requirements, the wiki is the most suited community resource available to get general purpose answers.
-- Gaetan
On Friday 14 Dec 2012 12:51:20 arnaud gaboury wrote:
> I plan to virtualize an Arch server on my Arch box.
what i don't understand is why you want to take the extra step of virtualization? you can as well run web- and other servers on your main arch instance. re. security, just have them listen to your local domain only, what's the problem with that?
-- phani.
On Friday 14 Dec 2012 12:51:20 arnaud gaboury wrote:
> currently following the Sun certified web component developer course, I want to set up a http web server @ home to practice. I plan to virtualize an Arch server on my Arch box.
Personally, I wouldn't bother virtualising. Certainly not just for playing around with web servers. You could do that if you want to learn about virtualisation and security, though.
> I know we can talk about pro/con for hours, but I am interested in knowing your advice about the following apps: -http server : Apache or Nginx (curious to test the latter)
I'm a big Nginx fan. It's really light, simple to set up, and blazingly fast. There are some more advanced features that it lacks, but I very much doubt you'll need anything like that.
> -container for my servlets : Tomcat ?
If you're using Java, Tomcat or Jetty seem to be your main options. I like the look of Jetty, but I have very limited Java deployment experience and haven't actually tried Jetty. I have used Tomcat, though, and found it a bit inflexible in its configuration for the particular app I was deploying. If you're going the Java route, you want to get this set up and working before you worry about Apache / Nginx.
> -secure ftp server : ???
OpenSSH (SFTP?)
> maybe a mail server: ???
Postfix has always served me well (forwarding on mail to root from cron jobs, sending out mail to users from apps, etc...) It's pretty easy to set up, but there's plenty of flexibility to play with if you want to customise it. Does your app need to send e-mail?
> I guess ssh will be the best way to talk to the server.
Yes, always.
> Maybe other stuff I forgot?
If you're looking into security, think about a firewall. It gives you some extra reassurance that only specific traffic is going in and out. I like Shorewall.
> What is the most common and simple way to secure the whole stuff without losing too much responsiveness?
What are you thinking of, here? Arch doesn't come with any big security holes that anyone knows of, so it really depends on what you've installed and the way you've configured it. If you want to go all-out, you could eventually look into AppArmor / SELinux, Tripwire, etc... I've always felt that was overkill for my work, so I've never tried them. I definitely wouldn't bother if you're just starting out.
Paul
On Dec 17, 2012 11:55 AM, "Paul Gideon Dann" <pdgiddie@gmail.com> wrote:
> On Friday 14 Dec 2012 12:51:20 arnaud gaboury wrote:
> > currently following the Sun certified web component developer course, I want to set up a http web server @ home to practice. I plan to virtualize an Arch server on my Arch box.
> Personally, I wouldn't bother virtualising. Certainly not just for playing around with web servers. You could do that if you want to learn about virtualisation and security, though.
> > I know we can talk about pro/con for hours, but I am interested in knowing your advice about the following apps: -http server : Apache or Nginx (curious to test the latter)
> I'm a big Nginx fan. It's really light, simple to set up, and blazingly fast. There are some more advanced features that it lacks, but I very much doubt you'll need anything like that.
> > -container for my servlets : Tomcat ?
> If you're using Java, Tomcat or Jetty seem to be your main options. I like the look of Jetty, but I have very limited Java deployment experience and haven't actually tried Jetty. I have used Tomcat, though, and found it a bit inflexible in its configuration for the particular app I was deploying. If you're going the Java route, you want to get this set up and working before you worry about Apache / Nginx.
> > -secure ftp server : ???
> OpenSSH (SFTP?)
> > maybe a mail server: ???
> Postfix has always served me well (forwarding on mail to root from cron jobs, sending out mail to users from apps, etc...) It's pretty easy to set up, but there's plenty of flexibility to play with if you want to customise it. Does your app need to send e-mail?
> > I guess ssh will be the best way to talk to the server.
> Yes, always.
> > Maybe other stuff I forgot?
> If you're looking into security, think about a firewall. It gives you some extra reassurance that only specific traffic is going in and out. I like Shorewall.
> > What is the most common and simple way to secure the whole stuff without losing too much responsiveness?
> What are you thinking of, here? Arch doesn't come with any big security holes that anyone knows of, so it really depends on what you've installed and the way you've configured it. If you want to go all-out, you could eventually look into AppArmor / SELinux, Tripwire, etc... I've always felt that was overkill for my work, so I've never tried them. I definitely wouldn't bother if you're just starting out.
> Paul
Paul, a big thank you for your very detailed list. At least one clear answer. Until now, here is what I did:
1- virtualized Arch on my Arch with qemu/libvirt
2- installed lighttpd (for a start, maybe easier than Nginx), tomcat7, openssh.
Now my issue is to connect guest host to its domain name. Did register public static IP to my domain name seller. I am looking to avoid web --> router --> host --> http guest server. I am scratching my head to figure out how to avoid the host forwarding. My router can assign the IP to one of the machines. Unfortunately, I did not use br0, bridge, but vibr0 on NAT and the router can't see the guest. The guest is getting its IP from host httpcd. Not a good way I think. It will generate too much forwarding.
Any help would be appreciated. Regards
On Monday 17 Dec 2012 12:34:42 arnaud gaboury wrote:
> Now my issue is to connect guest host to its domain name. Did register public static IP to my domain name seller. I am looking to avoid web --> router --> host --> http guest server. I am scratching my head to figure out how to avoid the host forwarding. My router can assign the IP to one of the machines. Unfortunately, I did not use br0, bridge, but vibr0 on NAT and the router can't see the guest. The guest is getting its IP from host httpcd. Not a good way I think. It will generate too much forwarding.
If your guest is behind NAT, there's no way you can avoid forwarding. I still think you're making life hard for yourself. Virtualisation is an added complication here. But if you're dead set on it, you'll need to change the network interface so that the guest is directly visible on the same physical network as the host, so the guest gets its IP directly from the router.
I don't know how that's done with qemu, I'm afraid. Sorry I can't help any more with this.
Paul
I think I will manage with bridging. As for the virtualization, I didn't want to set up all this stuff on my box, for safety reasons. It took time to configure correctly my Arch and don't want to break anything with new stuff. Breaking a virtualized machine is more simple :-)
On Mon, Dec 17, 2012 at 12:57 PM, Paul Gideon Dann <pdgiddie@gmail.com> wrote:
> On Monday 17 Dec 2012 12:34:42 arnaud gaboury wrote:
> > Now my issue is to connect guest host to its domain name. Did register public static IP to my domain name seller. I am looking to avoid web --> router --> host --> http guest server. I am scratching my head to figure out how to avoid the host forwarding. My router can assign the IP to one of the machines. Unfortunately, I did not use br0, bridge, but vibr0 on NAT and the router can't see the guest. The guest is getting its IP from host httpcd. Not a good way I think. It will generate too much forwarding.
> If your guest is behind NAT, there's no way you can avoid forwarding. I still think you're making life hard for yourself. Virtualisation is an added complication here. But if you're dead set on it, you'll need to change the network interface so that the guest is directly visible on the same physical network as the host, so the guest gets its IP directly from the router.
> I don't know how that's done with qemu, I'm afraid. Sorry I can't help any more with this.
> Paul
On Mon, Dec 17, 2012 at 12:34 PM, arnaud gaboury <arnaud.gaboury@gmail.com> wrote:
> 2-installed lighttpd (for a start, maybe easier than Nginx),
Having recently made the switch from lighttpd to Nginx, I can tell you both seem to be of equal (and quite low) complexity to set up. I had some difficulties to make Lighttpd behave nicely with Ramaze (a Ruby framework). But you may not encounter those bugs on your Java road.
-- Cédric Girard
participants (5)
- arnaud gaboury
- Cédric Girard
- Gaetan Bisson
- Paul Gideon Dann
- phanisvara