NuSphere MySQL: Free Beer in a Tall Glass - page 2
Integrated web development in a box. It was very nice, on the other hand, to have the integration between Perl, MySQL, Apache, PHP, and OpenSSL all handled automatically. There are quite a few little details that Just Work (tm) with this software, and what seems to add the final bit of polish are the administrative tools that at first seemed extraneous to me. NuSphere comes with Webmin, an HTTP daemon that runs independently of Apache and provides a (password protected) interface for managing a local or remote Linux or UNIX system with a web browser. Webmin worked quite well in my testing once I ran its configuration script from the command line (from /usr/local/nusphere/webmin) so that it knew I had Caldera Linux instead of Red Hat. Also included is phpMyAdmin, a very slick front end to MySQL that allows databases and tables to be created, modified, renamed, and even populated from a web browser. Personally, I'm comfortable writing SQL statements directly, but I was impressed with how easy phpMyAdmin is to use. It's very intuitive, and though NuSphere didn't write it they were wise to include it on the disk.
Two sample web sites and numerous test scripts are automatically installed with the NuSphere environment. The test scripts are primitive but useful confidence tests of the basic installation, ranging from "Hello, World" and phpinfo() to simple CGI forms. The sample web sites include a meeting room scheduler (which is robust enough to use in production for a small company) and a shopping cart demonstration. The latter is not what I would call production-ready, but it is a useful demo of the basic technique.
Documentation is part of the value of NuSphere's packaging of applications that would otherwise be free. The documentation kit has some minor gaps, but is for the most part quite useful. Most notably, NuSphere comes with a softbound copy of the MySQL Reference, a 700+ page tome that would be welcome on many desks. Also included -- and useful -- are several of the pocket reference guides from O'Reilly and Associates. Apache, Perl 5, and PHP are all covered. There is also a Getting Started guidebook, specifically written for NuSphere. Alas, while it was mostly accurate and useful, this guidebook needs some correction in its details. For example, the directory where .rpm files are said to live is /mnt/cdrom/RPMS according to Getting Started, but on the disk I was sent it is actually /mnt/cdrom/Linux/RPMS. This is a small thing to most Linux administrators, but NuSphere is aimed at least partially toward people who are moving server environments to Linux or UNIX and who are not UNIX gurus. The Getting Started guide is fine as far as it goes, assuming a few technical corrections, but it really should be supplemented with a more detailed reference covering the interaction between Linux, Apache, Perl, and MySQL. This reference actually exists in an online format, but it would have been very helpful to see a printed copy as well.
SSL credentials are another area where the documentation is weak. To the company's credit, NuSphere comes out of the box with Secure Sockets Layer encryption configured and enabled. I had no trouble at all getting it working. But real SSL is more than just an encrypted connection -- it also involves two-way authentication of the machines and people at the end of that connection. NuSphere comes with a preconfigured, generic SSL certificate, but the documentation on how to get a real one is buried deep within one of the online manuals -- it's there, but in my opinion this should be an area that is thoroughly and visibly documented, and perhaps even more automated.
Secure Sockets Layer uses the concept of a digital "certificate", issued by a trusted Certificate Authority (CA), to authenticate machine to machine. The strength of a certificate lies not in the certificate itself but in the reputation of the organization that issues or validates that certificate. NuSphere comes preconfigured with a bogus SSL certificate that works fine for testing. In order to run a real web site, though, administrators would need to create a new certificate. Depending on their needs, they can either have an established CA agree to back their new certificate (a process known as signing and accomplished with hash codes and public-key encryption), or they can sign the certificate themselves. The latter is enough for casual encryption to keep passwords from crossing the net in cleartext, but it is by no means acceptable for large-scale e-commerce.
In any case, the process of creating a certificate involves generating (and securely storing) a private/public key pair and then getting the public portion of that key (and the link to the applicable CA) into the user's browser. At runtime, then, the CA can be contacted to say to the browser, "Yes, the public key you have presented really is the public key of XYZ company." Instructions for doing most of this are online in the NuSphere documentation, but I think this should be made more visible to the user because it is very likely to be needed by companies interested in e-commerce. This is a small gripe with documentation that is otherwise pretty good.
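The two routes described above (a request for an established CA to sign, or a certificate the administrator signs) look like this with the OpenSSL command-line tool. This is an added example, not taken from the review or from NuSphere's documentation; the host name www.example.test, the file names and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: replace a generic test certificate with a site-specific one.
# Host name and file names are constructed for illustration.
set -eu

# Generate a 2048-bit RSA private key that only its owner can read.
make_key() {                 # $1 = key file
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null )
}

# Route 1: a certificate signing request (CSR) to send to an established CA.
# Only the public key and the subject leave the server; the key stays local.
make_csr() {                 # $1 = key, $2 = CSR out, $3 = host name
    openssl req -new -key "$1" -out "$2" -subj "/CN=$3"
}

# Route 2: sign the certificate with its own key (self-signed).
make_self_signed() {         # $1 = key, $2 = cert out, $3 = host name, $4 = days
    openssl req -new -x509 -key "$1" -out "$2" -days "$4" -subj "/CN=$3"
}

# A certificate whose subject and issuer are identical was signed by itself.
cert_kind() {                # $1 = cert file
    if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
         "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
        echo "self-signed"
    else
        echo "ca-signed"
    fi
}

# Check that a key and a certificate belong together before pointing
# Apache's SSLCertificateFile / SSLCertificateKeyFile at them.
key_matches_cert() {         # $1 = key, $2 = cert
    [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

demo() {
    d=$(mktemp -d)
    make_key "$d/server.key"
    make_csr "$d/server.key" "$d/server.csr" www.example.test
    make_self_signed "$d/server.key" "$d/server.crt" www.example.test 365
    echo "certificate is $(cert_kind "$d/server.crt")"
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "key matches"
    rm -rf "$d"
}
demo
```

Running cert_kind against the certificate a package shipped with is a quick way to confirm whether the preconfigured one is still in place.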
I would have liked to see the default security be a little tighter,
with mandatory entry of real passwords by the installer instead of
just assigning defaults and then telling the user to change them.
Hopefully, though, anyone who's building a web e-commerce site will
know the importance of this without being told, whether they use a
tool like NuSphere to save installation time or they do it the old
fashioned way for maximum control. And integrating web configuration
with firewall settings in the administration screens would be a great
enhancement in a future version.