Webspace for Flarum

SMalt

Yolo
There is ssh access, but without composer. I have moved an existing installation as a test. The backend composer function recognizes the valid composer.json in the public directory of flarum. Flarum works.
But a base installation from scratch will fail. Also an upgrade.
Too bad there is no other way to install flarum. If webhosts are excluded it will harm this good project.

clarkwinkelmann

Valeyard SMalt if you can run php via SSH, you can download the Composer phar package and run it as a standalone php executable. The commands are easier to type when Composer is installed globally but it's not a requirement.

Composer is just a PHP software in the end. The main reason we don't have Composer built into the Flarum web GUI (yet) is because the amount of memory and resources needed are often not available to the web process, but are available to the command line. And the same hostings where you can't adjust the amount of web resources are often the same ones that don't allow command line access, which automatically rule them out for any Composer-based package management even if we had a GUI available.

Valeyard

clarkwinkelmann Composer is just a PHP software in the end. The main reason we don't have Composer built into the Flarum web GUI (yet) is because the amount of memory and resources needed are often not available to the web process, but are available to the command line.

Oh right, thanks for the clarity.

Valeyard

I'm transposing this response from another thread as it has to do with security:

clarkwinkelmann And the same hostings where you can't adjust the amount of web resources are often the same ones that don't allow command line access, which automatically rule them out for any Composer-based package management even if we had a GUI available.

I for one don't want it in the admin gui - forum admins are not server admins. We need security by design.

This is why with email for example the SRS (Sender Rewriting Scheme) allows you to authenticate emails you forward, even though you're not an authorised party and could be spoofing the SRS if you were determined enough to. It's hardly a 100% secure scheme - however the security is in the fact that only the server administrator has the ability to set it up.

In a similar way you don't want forum admins who have a different skill set to a server admin to have the ability to run back-end commands that may break something or may create problems or security vulnerabilities. Also if someone hacks an administrator's account (which is far more likely than hacking the server) then if they have access to running any commend-line back-end commands that's a serious problem for security, even if it is limited to only PHP & Composer. They could discover your database password, and then dump the database and steal it. Note that the MyBB RCE exploit patched in v1.8.30 required administrative access to the forum to exploit and it was graded as a HIGH RISK security vulnerability.

If you ever wish to have the ability to upgrade core or plugins or to install new ones, it should be done through a non-core extension that explicitly installs and upgrades the extensions and does nothing else. If such an extension were to be created it could be bundled with the Softaculous version of Flarum and should be self-uninstallable for those who wish to remove it and use SSH. Furthermore it should create an extra userclass called "Server Admin" and rename regular admins to "Forum Admin" and then that way you can separate which of your Forum Admins can have access to that extension/functionality.

I know that sounds like a lot, but doing it any other way is a bad idea IMHO.

SMalt

clarkwinkelmann if you can run php via SSH, you can download the Composer phar package and run it as a standalone php executable.

Unfortunately this is exactly not possible, besause they don't have access to Composer in the jailed SSH.

Composer itself is available and can be clicked in the customer backend (PLESK). If a valid composer.json is recognized, the composer runs.
As I said, I was able to move an existing Flarum installation from a vserver to the webspace in the test environment.
What content does a composer.json need to get a Flarum base installation? Is that even possible?

CyberGene

Valeyard you dismiss SiteGround on the grounds of using a custom control panel. Have you heard of a security breach of their custom panel so far? Recommending against a service just because they use a custom solution that you assume makes it insecure is a long shot IMO.

What I can say is there’s no power on earth that can make me use A2 again who use the “recommended” cPanel. There’s more to a hosting than some vague theories. And even the most audited software is not immune from security breaches.

luceos

CyberGene I agree with you. I've built and maintained a custom in-house control panel for over 5 years and it has never seen one single security breach. I must say the tech behind it was rather excellent and based on the enormous experience the CTO back then had though. Each server connected had a little daemon that could execute very specific tasks (set up a website, configure a user etc) which it has to retrieve from the control panel , the control panel could only ping that server to start executing tasks. Using an encrypted connection with certificate verification made it even better. Not all custom built things are bad. I can't imagine a party like siteground relying on a poorly secured control panel honestly.

I also like to point out that CloudLinux is a great OS for running servers with hosting. It isolates websites perfectly, better than the usual Linux. You can't just access another docroot even if that is set to be 7777.

clarkwinkelmann

SMalt if you have access to php command in the jailed SSH (can try running php -v to verify), you can download the Composer executable and run php /path/to/composer.phar [command]. I would be very surprised if the host gives access to php but somehow fingerprints executable files to detect Composer. If php isn't available via SSH then indeed there will be no way to run Composer this way.

SMalt

clarkwinkelmann

Then the question of the topic creator is answered. Bitpalast is not suitable for Flarum.

MikeJones

almalino AWS lightsail

I am on EC2, whats the difference between AWS lightsail vs EC2?

luceos

MikeJones lightsail seems to be the hosting for dummies 🙈 With EC2 you have more control, but it is also more complex. Lightsail seems to group services (database, redis etc) onto one node for instance, with EC2 this is up to you. EC2 as such looks more like a bare VM hosting service, whereas lightsail takes away much of that gritty server management.

disclaimer: I have zero experience with either of those, but that's what I gathered from https://aws.amazon.com/free/compute/lightsail-vs-ec2/

almalino

luceos
Sounds pretty much correct. I am an expert in normal AWS/EC2 as I use them at work. But for my own servers I use lightsail. The reason?

Lightsail is twice cheaper for the same service. Sure you can "reserve" EC2 for 3 years to get the same price or use "Savings plan". But as a person I am not ready to commit to 3 years "reservation" and prefer Lightsail billing model that is just 2 times cheaper.
Lightsail has all mandatory bare bones for EC2/RDS = easy server start with multiple OSes, elastic IP, snapshots, SSH etc. It is more than enough to host Flarum.

IMHO using EC2 for Flarum is like using a sledgehammer to crack a nut

luceos

almalino Lightsail has all mandatory bare bones for EC2/RDS = easy server start with multiple OSes, elastic IP, snapshots, SSH etc. It is more than enough to host Flarum.

It's like docker-compose then, but without the files and just a ux for easier management? Thanks for the clarification.

almalino

luceos It is sounds like docker compose but at the end of the day you get virtual EC2 Linux server where you can do whatever you want. You have full access rights to it. And UI allow to attach IP/Domain to it and make snapshots/recover/reboot

I do most of the stuff by SSH to the EC2 instance on lightsail.

« Previous Page