[BlueOnyx:26677] Re: Web Site with URL /login

Michael Stauber mstauber at blueonyx.it
Mon Dec 18 14:38:02 -05 2023


Hi Taco,

I gave it some thought. There are complications such as we don't know for sure if admin.<servername> is still available when we introduce this new feature. Also: what about SSL? Do we roll the SSL for this into the AdmServ certificate? Possible, but if the DNS for the admin.<whatever> doesn't have A records yet, the GUI cert will not renew.

So the choice option would be: This becomes an optional feature. The serverAdmin can set up whatever Vsite he wants to use for this. And on the GUI page where you configure access to the GUI you can then enable mod_proxy access of that Vsite to the GUI. SSL for that Vsite? Will be handled as if that Vsite was still a regular Vsite via the existing SSL management pages. So the workflow would be: You create admin.server.tld and configure SSL. Then you go to Server Settings / Maintenance / GUI and from a pulldown that shows a list of Vsites present on the server you select the Vsite you want to be the admin Vsite. When you do that and save, the proxy config to redirect /web of the chosen Vsite via mod_proxy_ssl is generated and activated.

As for the mod_proxy configuration: The 5211R GUI ONLY supports port 81 (HTTPS) and port 444 is redirected straight to port 81. So the mod_proxy setup on the new admin domain would do HTTPS 443 ---SSL-Proxy---> Port 81 (HTTPS).

There are a few more minor issues, but this is doable in a pretty flexible way. As for internal URLs in the GUI: AFAIK the only hard coded URLs are external URLs like to the BlueOnyx website, the shops and the wiki. Anything else is relative to the document root. 

There might be just one catch that I need to verify: CodeIgniter 4 has the FQDN it runs on hard coded into the config and this is set by a constructor. But this should not be an issue as far as the proxy is concerned. But I'll check that out.

Anyway: I'm writing this on the balcony of our rented apartment at the Caribbean coast and this is my first day of holidays in two years. Work on the new BlueOnyx GUI will continue in the first week of January.

In the meantime: Merry Christmas and a Happy New Year to all of you!


On December 18, 2023 10:46:48 AM GMT-05:00, Taco Scargo via Blueonyx <blueonyx at mail.blueonyx.it> wrote:
>Hi Chris,
>
>I understand where you are coming from with your VPN remark.
>But a normal site admin (hosting customer) should not be bothered with setting up a VPN to just make a change or a user to change his/her password.
>
>Some of my users sometimes complain they cannot connect to port 81 when on a very closed off network.
>
>Opening up admserv on a site url is up to the person maintaining the BlueOnyx instance.
>If you don’t want that, don’t set it up.
>
>It also would allow different admin hostnames for e.g. the reseller functionality.
>
>Best regards,
>
>Taco
>
>> On 18 Dec 2023, at 15:14, Chris Gebhardt - VIRTBIZ Internet via Blueonyx <blueonyx at mail.blueonyx.it> wrote:
>> 
>> Hi Taco,
>> 
>>> Allowing to map a vsite to the admin url: I have tried to do this with reverse proxy, but unfortunately the admin ui still uses some hard links in various places, mostly to select https/81 http/444, whereas I think all links should be relative anyway. 
>> I agree that relative links are preferred with almost any architecture.   Limited exceptions apply, of course.
>> 
>>> some enterprise and airport/hotel/airplane wifi networks sometimes restrict port numbers.
>>> This would allow e.g. creating an “admin.yoursite.com”  or something similar.
>> Just a note on this:  VPN should be absolutely mandatory for sysadmin work.  I don't touch an asset without being either onnet or via VPN and often if remote, VPN to remote desktop on localnet.   I realize you're raising a bit of a different issue, but nobody should be relying on public wifi networks to manage (or restrict) your traffic.  
>> 
>> If you are properly secured behind a VPN then you will bypass many of the headaches you've mentioned.  
>> 
>> 
>> 
>> 
>>> My request is to just get rid of the code that selects the port number and protocol.
>>> Imho, that is not needed anymore.
>> I disagree. 
>> 
>> Having the service on a different port keeps it gapped from the public-facing web services.   And that's fairly standard with the other control panels I'm familiar with that rely on their own http server (and therefore a unique port).   While that may present the occasional obstacle, the benefits outweigh the inconvenience.
>> 
>> -- 
>> Chris Gebhardt
>> VIRTBIZ Internet Services
>> Access, Web Hosting, Colocation, Dedicated
>> www.virtbiz.com <http://www.virtbiz.com/> | toll-free (866) 4 VIRTBIZ
>
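
Added example, not part of the thread and not configuration generated by BlueOnyx: an Apache fragment sketching the "HTTPS 443 ---SSL-Proxy---> Port 81 (HTTPS)" arrangement described in the reply above, with certificate verification kept on for the proxy-to-GUI leg. The hostnames, file paths and the back-end path are placeholders and assumptions; only the port numbers and the /web prefix come from the message.

```apache
# Illustration only; every hostname and file path below is a placeholder.
<VirtualHost *:443>
    ServerName admin.server.tld

    # Front-end TLS: the Vsite's own certificate, managed like any other Vsite.
    SSLEngine on
    SSLCertificateFile    /path/to/vsite-cert.pem
    SSLCertificateKeyFile /path/to/vsite-key.pem

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # The GUI on port 81 speaks HTTPS, so mod_ssl has to act as a TLS client
    # for the back-end connection.
    SSLProxyEngine on

    # Verify the GUI's certificate instead of accepting anything on port 81.
    # The CA file must contain the issuer of the GUI certificate (or the
    # certificate itself if it is self-signed).
    SSLProxyVerify require
    SSLProxyCACertificateFile /path/to/gui-issuer-ca.pem
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Connect by the name the GUI certificate was issued for (assumed here to
    # be server.tld). Using 127.0.0.1 would fail the peer-name check unless
    # the certificate lists that address.
    # Assumption: the same /web path exists on the back end.
    ProxyPass        /web https://server.tld:81/web
    # Rewrites Location headers in redirects that name the back-end URL so
    # the browser stays on admin.server.tld:443.
    ProxyPassReverse /web https://server.tld:81/web

    # Tell the back end the client connection was HTTPS (needs mod_headers).
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Turning off SSLProxyVerify or SSLProxyCheckPeerName to silence handshake errors would leave the port 81 leg encrypted but unauthenticated.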