Re: [Server-devel] Moodle/Server configuration for static IP external access

2009-06-18 Thread Dave Bauer
On Thu, Jun 18, 2009 at 10:19 AM, Martin Langhoff wrote:

> On Thu, Jun 18, 2009 at 3:59 PM, Dave Bauer wrote:
> > Most Moodle installs are available to the internet. Does it really make
> > sense to rely only on Moodle being on the internal network to provide
> > security?
>
> You are right, and a lot of my pre-OLPC work has been in making the
> largest of those installations work smoothly in scale, security,
> performance, customisations... In those cases, Moodle is a webapp.
>
> In this case, however, Moodle is the central UI for most things XS.
> Some things XS change how the XS behave.
>
> For example, I am drafting a bit of code that will let you configure
> eth0 and 'domain_config' from a Moodle-based UI. So on first boot, the
> XS comes up in a special mode that lets you set those 2 things.
>
> Once this work is done, you no longer need to login as root. Ever.
>

Cool, maybe a switch to turn this off would be useful for those who are
running a different configuration.

Dave

>
> On the other hand, it'd be serious trouble if Moodle started listening
> on the public address. Right now Moodle seems to be reasonably meek...
> but I haven't thought that through actually, it may have risks too.
>
> The bottom line is:
>
>   Services that are on the LAN address have not been
>   designed to be on the WAN address -- many (most?)
>   of them are a security risk if exposed to the WAN
>   today. As the XS evolves, _more_ services will pose
>   a risk if exposed to the WAN.
>
> So -- put your test/dev machines on the LAN to play with things. The
> XS will hand out DHCP leases to non-XOs, you can create "normal" user
> accounts in Moodle (from the 'course creator'-blessed XO) so that
> things work. Using non-Sugar XMPP clients (mostly) works too if you're
> on the LAN.
>
> hth,
>
>
>
> m
> --
>  martin.langh...@gmail.com
>  mar...@laptop.org -- School Server Architect
>  - ask interesting questions
>  - don't get distracted with shiny stuff  - working code first
>  - http://wiki.laptop.org/go/User:Martinlanghoff
>



-- 
Dave Bauer
d...@solutiongrove.com
http://www.solutiongrove.com
___
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel


Re: [Server-devel] Moodle/Server configuration for static IP external access

2009-06-18 Thread Jerry Vonau
On Thu, 2009-06-18 at 16:19 +0200, Martin Langhoff wrote:
> On Thu, Jun 18, 2009 at 3:59 PM, Dave Bauer wrote:
> > Most Moodle installs are available to the internet. Does it really make
> > sense to rely only on Moodle being on the internal network to provide
> > security?
> 
> You are right, and a lot of my pre-OLPC work has been in making the
> largest of those installations work smoothly in scale, security,
> performance, customisations... In those cases, Moodle is a webapp.
> 
> In this case, however, Moodle is the central UI for most things XS.
> Some things XS change how the XS behave.
> 
> For example, I am drafting a bit of code that will let you configure
> eth0 and 'domain_config' from a Moodle-based UI. So on first boot, the
> XS comes up in a special mode that lets you set those 2 things.
> 

Just had a thought, couldn't we do something with xs-named.conf.in where
it could source, let's say, /etc/sysconfig/network looking for forwarders=?
We already have to fiddle with hostname in that file anyway...

> Once this work is done, you no longer need to login as root. Ever.
> 
> On the other hand, it'd be serious trouble if Moodle started listening
> on the public address. Right now Moodle seems to be reasonably meek...
> but I haven't thought that through actually, it may have risks too.
> 
> The bottom line is:
> 
>   Services that are on the LAN address have not been
>   designed to be on the WAN address -- many (most?)
>   of them are a security risk if exposed to the WAN
>   today. As the XS evolves, _more_ services will pose
>   a risk if exposed to the WAN.
> 
> So -- put your test/dev machines on the LAN to play with things. The
> XS will hand out DHCP leases to non-XOs, you can create "normal" user
> accounts in Moodle (from the 'course creator'-blessed XO) so that
> things work. Using non-Sugar XMPP clients (mostly) works too if you're
> on the LAN.
> 
> hth,

This is where iptables may come in handy, you could allow access to the
local LAN, reachable by the external address, only from a pre-defined
set of IP addresses. I'll work something up if there is interest. The
other alternative is to use a VPN solution, to gain access to services
available on the LAN.

Just a thought,

Jerry
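
A sketch of the iptables allowlist suggested in the message above, as an added example that is not part of the original thread. It only prints the rules for review; the WAN interface `eth0`, port 80, the chain name `XS_WAN_HTTP` and the source addresses (RFC 5737 documentation ranges) are assumptions.

```sh
#!/bin/sh
# Added example: print (do not apply) iptables rules that let only an
# allowlist of sources reach one TCP port on the WAN interface.
# Assumptions: eth0 is the WAN side, the chain name XS_WAN_HTTP is made up,
# and the sources used below are constructed documentation addresses.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_src() {
    addr=${1%/*}
    case $1 in
        */*) bits=${1#*/} ;;
        *)   bits=32 ;;
    esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Usage: gen_rules WAN_IF PORT SOURCE...
# Validates every source first, so a typo never yields a partial rule set.
gen_rules() {
    wan_if=$1; port=$2; shift 2
    for src in "$@"; do
        valid_src "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    echo "iptables -N XS_WAN_HTTP"
    echo "iptables -I INPUT -i $wan_if -p tcp --dport $port -j XS_WAN_HTTP"
    for src in "$@"; do
        echo "iptables -A XS_WAN_HTTP -s $src -j ACCEPT"
    done
    # Anything not matched above is dropped before it reaches the service.
    echo "iptables -A XS_WAN_HTTP -j DROP"
}

gen_rules eth0 80 192.0.2.10 198.51.100.0/24
```
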
  



Re: [Server-devel] Moodle/Server configuration for static IP external access

2009-06-18 Thread Martin Langhoff
On Thu, Jun 18, 2009 at 3:59 PM, Dave Bauer wrote:
> Most Moodle installs are available to the internet. Does it really make
> sense to rely only on Moodle being on the internal network to provide
> security?

You are right, and a lot of my pre-OLPC work has been in making the
largest of those installations work smoothly in scale, security,
performance, customisations... In those cases, Moodle is a webapp.

In this case, however, Moodle is the central UI for most things XS.
Some things XS change how the XS behave.

For example, I am drafting a bit of code that will let you configure
eth0 and 'domain_config' from a Moodle-based UI. So on first boot, the
XS comes up in a special mode that lets you set those 2 things.

Once this work is done, you no longer need to login as root. Ever.

On the other hand, it'd be serious trouble if Moodle started listening
on the public address. Right now Moodle seems to be reasonably meek...
but I haven't thought that through actually, it may have risks too.

The bottom line is:

   Services that are on the LAN address have not been
   designed to be on the WAN address -- many (most?)
   of them are a security risk if exposed to the WAN
   today. As the XS evolves, _more_ services will pose
   a risk if exposed to the WAN.

So -- put your test/dev machines on the LAN to play with things. The
XS will hand out DHCP leases to non-XOs, you can create "normal" user
accounts in Moodle (from the 'course creator'-blessed XO) so that
things work. Using non-Sugar XMPP clients (mostly) works too if you're
on the LAN.

hth,



m
-- 
 martin.langh...@gmail.com
 mar...@laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff  - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff
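
A check for the "bottom line" in the message above, as an added example that is not part of the original thread: list TCP listeners bound to anything other than the LAN address or loopback. The addresses 172.18.0.1 and 192.168.1.30 come from the thread; the `ss -ltn` sample is constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: flag listening sockets that are reachable from outside the LAN.
# Constructed sample of `ss -ltn` output; on a live server use:
#   ss -ltn | wan_exposed 172.18.0.1
sample_listeners() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    172.18.0.1:80       0.0.0.0:*
LISTEN 0      128    192.168.1.30:80     0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:5222           [::]:*
EOF
}

# Usage: wan_exposed LAN_ADDR  (reads `ss -ltn` output on stdin)
# Prints "address port scope" for each listener that is not bound to the
# LAN address or to loopback. Wildcard binds are reported as well, because
# they accept connections on every interface, the WAN one included.
wan_exposed() {
    awk -v lan="$1" '
        $1 != "LISTEN" { next }
        {
            la = $4
            port = la; sub(/.*:/, "", port)       # text after the last colon
            addr = la; sub(/:[^:]*$/, "", addr)   # text before the last colon
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)
            if (addr == lan || addr ~ /^127\./ || addr == "::1") next
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                scope = "all-interfaces"
            else
                scope = "single-address"
            print addr, port, scope
        }'
}

sample_listeners | wan_exposed 172.18.0.1
```
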


Re: [Server-devel] Moodle/Server configuration for static IP external access

2009-06-18 Thread Dave Bauer
On Thu, Jun 18, 2009 at 9:09 AM, Martin Langhoff wrote:

> On Thu, Jun 18, 2009 at 3:03 PM,  wrote:
>
>> Now with a fixed internal IP I am able to map the actual external IP
>> with it for external access. Changed the Apache httpd-xs.conf to listen to
>> 192.168.1.30:80 as well as 172.18.0.1:80. Loaded the pafm application and
>> external upload and download are working well.
>>
>> I may be missing something - but have an issue with Moodle not displaying
>> the graphics and format, etc. while the login prompt is shown. What aspect of
>> /var/www/moodle/web/config.php or files should I modify for both normal
>> external or internal Moodle access? I want to open up for external access so
>> that the team can play with Moodle to get familiar with it.
>
>
> I can't really recommend that. Moodle and other services should only be in
> the internal network. Publishing it in the external network creates security
> issues.
>

Most Moodle installs are available to the internet. Does it really make
sense to rely only on Moodle being on the internal network to provide
security?

Dave


>
> If you still want to do it, the best way is to ensure that the "external"
> users (external from the PoV of the XS) see the exact same DNS name for the
> server. Once you do that, images, forms and links will work.
>
> cheers,
>
>
>
> m
> --
> martin.langh...@gmail.com
> mar...@laptop.org -- School Server Architect
> - ask interesting questions
> - don't get distracted with shiny stuff  - working code first
> - http://wiki.laptop.org/go/User:Martinlanghoff
>


-- 
Dave Bauer
d...@solutiongrove.com
http://www.solutiongrove.com


Re: [Server-devel] Moodle/Server configuration for static IP external access

2009-06-18 Thread Martin Langhoff
On Thu, Jun 18, 2009 at 3:34 PM,  wrote:
> What settings do I need to configure for this? Thanks

You can shoot yourself in the foot, but I'm not sure how much I'll help ;-)

The instructions start... "find the DNS server in the 'outer' network..."

cheers,



m
-- 
 martin.langh...@gmail.com
 mar...@laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff  - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff


Re: [Server-devel] Moodle/Server configuration for static IP external access

2009-06-18 Thread tkkang
>I can't really recommend that. Moodle and other services should only be in
>the internal network. Publishing it in the external network creates security
>issues.

Yes, with a real school deployment this is a major concern. The XS I understand
is designed for minimal maintenance without this headache!!


>If you still want to do it, the best way is to ensure that the "external"
>users (external from the PoV of the XS) see the exact same DNS name for the
>server. Once you do that, images, forms and links will work.

What settings do I need to configure for this? Thanks






Re: [Server-devel] Moodle/Server configuration for static IP external access

2009-06-18 Thread Martin Langhoff
On Thu, Jun 18, 2009 at 3:03 PM,  wrote:

> Now with a fixed internal IP I am able to map the actual external IP
> with it for external access. Changed the Apache httpd-xs.conf to listen to
> 192.168.1.30:80 as well as 172.18.0.1:80. Loaded the pafm application and
> external upload and download are working well.
>
> I may be missing something - but have an issue with Moodle not displaying the
> graphics and format, etc. while the login prompt is shown. What aspect of
> /var/www/moodle/web/config.php or files should I modify for both normal
> external or internal Moodle access? I want to open up for external access so
> that the team can play with Moodle to get familiar with it.


I can't really recommend that. Moodle and other services should only be in
the internal network. Publishing it in the external network creates security
issues.

If you still want to do it, the best way is to ensure that the "external"
users (external from the PoV of the XS) see the exact same DNS name for the
server. Once you do that, images, forms and links will work.

cheers,



m
-- 
martin.langh...@gmail.com
mar...@laptop.org -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff  - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff


[Server-devel] Moodle/Server configuration for static IP external access

2009-06-18 Thread tkkang
Now with a fixed internal IP I am able to map the actual external IP with
it for external access. Changed the Apache httpd-xs.conf to listen to
192.168.1.30:80 as well as 172.18.0.1:80. Loaded the pafm application and
external upload and download are working well.

I may be missing something - but have an issue with Moodle not displaying the
graphics and format, etc. while the login prompt is shown. What aspect of
/var/www/moodle/web/config.php or files should I modify for both normal
external or internal Moodle access? I want to open up for external access so
that the team can play with Moodle to get familiar with it.

Cheers


>-----Original Message-----
>From: Martin Langhoff [mailto:martin.langh...@gmail.com]
>Sent: Tuesday, June 16, 2009 11:36 PM
>To: tkk...@nurturingasia.com
>Cc: 'Sameer Verma', 'Rodolfo D. Arce S.', 'XS Devel'
>Subject: Re: [Server-devel] Server configuration for static IP instead of DHCP
>
>On Tue, Jun 16, 2009 at 5:25 PM,  wrote:
>> Maybe the WIKI needs an update that includes ... take a break and come back
>> for the cache stuff
>
>Probably a strategic reboot is better, faster and clearer. You do need
>it once you've set the domain.
>
>If you
>
>1 - install
>2 - set the domain (which sets resolv.conf)
>3 - set the forwarders
>4 - set ifcfg-eth0-local
>5 - reboot
>
>everything 'just works'. Once I make 0.6 an official release -- soon!
>I promise! -- we can update the install guide with this info.
>
>> Working normally..and I am amazed by the level of automation via the XS. 
>> Just registered 2 XOs via wireless.
>
>Great!
>
>> Now I need to see how the Moodle could be a mix of external users and XOs
>> registered users. I used to have success logging in with admin and the password
>> supplied to add new language options. Any changes? I have not logged in with
>> the combination recently.
>
>Use the first registered XO -- which has 'course creator' rights in
>Moodle. It can create new "normal" accounts, which login with
>username/password.
>
>If you want those accounts to be 'course creators' too, after creating
>the accounts you can grant them the right from Users->Roles->Sitewide
>roles (a standard Moodle procedure)
>
>hth,
>
>
>m
>-- 
> martin.langh...@gmail.com
> mar...@laptop.org -- School Server Architect
> - ask interesting questions
> - don't get distracted with shiny stuff  - working code first
> - http://wiki.laptop.org/go/User:Martinlanghoff
>

