Re: minivend security model
****** message to minivend-users from Minivend Administrator <minivend@nterprise.net> ******
The below description is almost exactly how I've got our www server set up
(well, it does have a chrooted FTP server since I didn't want to mess with
the hassle of setting up a cron to scp files from the "upload area" to a
"live" webserver)...but I still haven't managed to get minivend to work
with CGIWRAP. I tried to search the 1998 archive on the subject but came
up empty-handed (if I get some time in the next few weeks I might consider
downloading the whole archive and creating a search engine for it). I can
get the simple/sample demos to work if I install minivend as root into the
webserver DOCROOT, but not if I install it as mvend and use CGIWRAP. The
httpd error log says "Premature end of script headers" (no output is
produced at all), and the minivend error log says
192.168.1.10 - - [17/December/1998:14:34:32 -0700] -
www.hostname.net/cgi-bin/cgiwrap/mvend/simple Undefined catalog:
www.hostname.net/cgi-bin/cgiwrap/mvend/simple
Since I'm ultimately going to make minivend available to virtual domain
customers, I used the www.hostname.net method of calling the
demo...changing minivend.cfg and catalogs/simple/catalog.cfg as documented.
Even when I tried it w/o the www.hostname.net, it still didn't work.
Any suggestions greatly appreciated.
On Thursday December 17, 1998, Joe Hourcle <oneiros@dcr.net>
had this to say about "Re: minivend security model":
> To keep security holes to a minimum, you want your secure server to run as
> few services as possible. In this case, we must have HTTPS (of course),
> and to keep minivend happy, we also need it to have HTTP. (And minivend,
> it's technically a service.)
>
> As for FTP/Telnet, I wouldn't even turn them on for the machine.
> Use SSH instead of telnet, and limit it to only the machines that need
> access to it. Naturally, the system administrators should be the
> ONLY ones with accounts on the machine. The machine should not do SMTP,
> POP, IMAP, etc. It should be _solely_ a web server.
>
> Instead of using FTP to move files, you should use SCP.
>
> (This would be, of course, in an ideal environment. Realistically, there's
> a good chance that your server might need to do something else, if you're
> in a small shop. We're not using https for minivend, as we're not taking
> credit card info. The one reason we have https doesn't justify a whole
> new machine for it, however, almost all of the traffic going to it from
> the outside office is filtered, and there aren't too many services that
> are on the machine.)
>
> -----
> Joe Hourcle
> Digital Crescent, Inc.
>
--
John-David Childs (JC612) Enterprise Internet Solutions
Systems Administration http://www.nterprise.net
& Network Engineering 8707 E. Florida Ave #814 Denver, CO 80231
Individualists unite!
-
To unsubscribe from the list, DO NOT REPLY to this message. Instead, send
email with 'UNSUBSCRIBE minivend-users' in the body to Majordomo@minivend.com.
Archive of past messages: http://www.minivend.com/minivend/minivend-list
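The "web server only" policy in Joe's quoted reply (HTTPS and HTTP for the site, SSH for the admins, and no FTP, telnet, SMTP, POP or IMAP) can be checked rather than assumed. The following is an added example, not code from the thread or from minivend: it parses netstat-style LISTEN lines (the sample input below is constructed) and reports every listener outside that allowlist.

```python
# Added example (not from the thread): audit a host's listening TCP services
# against the "web server only" policy from the quoted reply:
# HTTP and HTTPS for the site, SSH for admins, and nothing else.
import re

# Services the reply allows on the secure server, keyed by port.
ALLOWED_PORTS = {22: "ssh", 80: "http", 443: "https"}

# Services the reply says should be switched off; used only to label findings.
KNOWN_UNWANTED = {21: "ftp", 23: "telnet", 25: "smtp", 110: "pop3", 143: "imap"}

# Matches the local-address column of a "netstat -tln" style line, e.g.
# "tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN" (IPv4 "a.b.c.d:port" or IPv6 ":::port").
_LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")

def parse_listeners(text):
    """Return a list of (bind_address, port) tuples, one per LISTEN line."""
    found = []
    for line in text.splitlines():
        m = _LISTEN_RE.match(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found

def audit(text):
    """Return a sorted list of (port, label) for listeners not on the allowlist."""
    findings = set()
    for _addr, port in parse_listeners(text):
        if port not in ALLOWED_PORTS:
            findings.add((port, KNOWN_UNWANTED.get(port, "unknown")))
    return sorted(findings)

# Constructed sample (netstat -tln style) for a box that still has FTP,
# telnet, SMTP and a stray proxy port enabled next to the web and SSH daemons.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
"""

if __name__ == "__main__":
    for port, label in audit(SAMPLE):
        print(f"unexpected listener on port {port} ({label})")
```

On a real host, feed it the output of `netstat -tln` (or an equivalent listing) instead of SAMPLE; anything it reports is a service the quoted policy says should not be there.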