WordPress on Qubes


brandonm...@gmail.com

Mar 4, 2018, 10:46:53 AM
to qubes-users
Hi,

So I'm running Qubes on 2 different machines; it's amazing. One thing I have never been able to figure out, though, is how to run WordPress to develop multiple sites.

I am familiar with Vagrant, but it requires VirtualBox; however, since you can run HVMs you shouldn't need VirtualBox.

Any assistance would be much appreciated.

Kind Regards,

awokd

Mar 5, 2018, 7:34:29 AM
to brandonm...@gmail.com, qubes-users
On Sun, March 4, 2018 3:46 pm, brandonm...@gmail.com wrote:
> Hi,
>
>
> So I'm running Qubes on 2 different machines it's amazing. One thing I
> have never been able to figure out though is how to run WordPress to
> develop multiple sites.
>
> I am familiar with Vagrant but it requires Virtualbox however since you
> can run HVM's you shouldn't need vVirtualbox.

Don't have experience with WordPress in particular, but in general you could:
1. Create new standalone VM based on debian-9 (or your favorite) template
2. Set up web server on it
3. Set up WordPress on it
4. Follow
https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
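
Step 4 of the reply above, as an added example that is not part of awokd's post or of the Qubes documentation: a generator that validates two qube IPs and prints the `iptables` rules to enter by hand. It assumes an iptables-based Qubes release and the rule placement (`FORWARD 2` in the firewall VM, `INPUT` in the server qube) used by the linked doc section; the function names, the sample IPs and the narrowing to one TCP port are assumptions of this example.

```shell
#!/bin/sh
# Added example: print (never apply) the rules that let a client qube reach
# the WordPress qube's web server. All IPs below are constructed samples.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac   # no leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: intervm_rules CLIENT_IP SERVER_IP [TCP_PORT]   (port defaults to 80)
intervm_rules() {
    src=$1; dst=$2; port=${3:-80}
    valid_ipv4 "$src" || { echo "bad client IP: $src" >&2; return 1; }
    valid_ipv4 "$dst" || { echo "bad server IP: $dst" >&2; return 1; }
    [ "$src" != "$dst" ] || { echo "client and server IPs match" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad port: $port" >&2; return 1; }
    cat <<EOF
# In the firewall VM that both qubes use as their netvm:
iptables -I FORWARD 2 -s $src -d $dst -p tcp --dport $port -j ACCEPT
# In the server (WordPress) qube:
iptables -I INPUT -s $src -p tcp --dport $port -j ACCEPT
EOF
}

# Constructed sample: client qube 10.137.2.10, WordPress qube 10.137.2.11.
intervm_rules 10.137.2.10 10.137.2.11 80
```

Rules entered this way do not survive a restart of either VM; the linked page describes how to make them persistent.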


799

Mar 5, 2018, 12:27:19 PM
to aw...@danwin1210.me, brandonm...@gmail.com, qubes-users


On 05.03.2018 at 1:34 PM, "'awokd' via qubes-users" <qubes...@googlegroups.com> wrote:
> On Sun, March 4, 2018 3:46 pm, brandonm...@gmail.com wrote:
>> One thing I have never been able to figure out though is how to run WordPress to
>> develop multiple sites.
>> I am familiar with Vagrant but it requires Virtualbox
> Don't have experience with Wordpress in particular, but in general you could:
> 1. Create new standalone VM based on debian-9 (or your favorite) template
> 2. Set up web server on it
> 3. Set up Wordpress on it
> 4. Follow
> https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes

I don't know what Vagrant is doing for you. If you give me a few hints what "setting up a development WordPress" looks like, I am pretty sure that we can script a solution that will do the provisioning for you.

Are you only asking for setting up new AppVMs with a webserver/WordPress in it which might be reachable from another AppVM or do you need additional tweaking within the WordPress installation?

[799]

Yuraeitha

Mar 5, 2018, 1:32:20 PM
to qubes-users
I'm not entirely sure I understand the question though, maybe it's because of my lack of insight on this kind of development. But isn't what you seek just a matter of making multiple VMs and running them next to each other? But you already seem aware of this, right? So what is the question?

As for multiple VMs for development, you can take this a step further and isolate them in their own little Qubes network 'playground or sandbox', so that one or more VMs act as a server, and the other VMs act as clients accessing your server(s), to see how the website behaves on different system environments. I've never gotten around to trying this though, nor seen anyone do this separate network in practice, but it should be possible and is one of the things I've got on my list to try on Qubes, but that I haven't gotten around to yet. It shouldn't be too hard to do though.

It remains uncertain what kind of unknown security attack vectors a separate network has on Qubes; I don't believe much security information has been shared on this kind of Qubes use-case. For example, if it's two completely isolated networks on Qubes, would it make a difference in terms of security? It should be possible to answer, but it's an answer we need from security researchers, as it's a deep and complex question. However, you most certainly don't want to allow inter-VM networking on your primary Qubes network though, if you can help it, as even with HVM/PVH removing the older inter-VM PV virt_mode attack exploits, an inter-VM network might still introduce other exploits or make more VMs vulnerable than just the ones you connect together. For example, if it can use two VMs to attack sys-net/sys-firewall/sys-whonix/VPNs/etc., which is also an issue (like how the PV exploit happened), so you might want to make a completely separate Qubes network next to each other, with no ties in-between them whatsoever. If you've got another LAN port, all the better, though I'm not sure how far you need to go to maximize security here; this is something you need a security researcher like Joanna or an advanced developer like Marek to answer for you. But it's vital you don't open up inter-VM networking on critical or remotely important VMs, and it might also be a bad idea to mix the two networks in general if the sys-firewall/etc. can be attacked from the inside-out, instead of outside-in attacks.

Think carefully if you do something like this, and some security aspects of it remain unknown for now. Possibly though, if you completely isolate the two networks, it seems feasible that you can do it without opening a caveat can of worms (in terms of security). The question remains though, at which point is enough isolation: can the networks share the same sys-net, or do they each need their own sys-net, each with their own physical pass-through network card/cable?

At least if you have the same sys-net, and use two firewalls, then you're still protected by the firewalls between the two or more Qubes networks. Qubes is also if sys-net/sys-firewall will play nice with other firewalls/networks here.

Either way, here are some things to dive into if you want to develop this kind of thing where you need a network to see how it behaves. You might only need one computer to have multiple isolated servers/clients.

brandonm...@gmail.com

Mar 8, 2018, 8:04:26 AM
to qubes-users
Hi all,

Thanks so much for your responses.

So, a bit more background as requested: I run Qubes 3.2. Basically, Vagrant allows me to create hyper-vised environments for WordPress to run locally, pulling from https://github.com/Varying-Vagrant-Vagrants/; this creates the server environments etc.

I then run Variable VV, which automates WordPress site creation; this can be found here:

https://github.com/bradp/vv

I have never been able to get this to work on Qubes. Essentially, I want to create a VM where I can hold all my sites locally, automate WordPress creation, and then deploy to a staging or live site.

Yuraeitha

Mar 8, 2018, 8:29:10 AM
to qubes-users

This should be all down to the Qubes firewall rules. The default firewall is essentially acting like a router hardware firewall, blocking all incoming signals, unless you yourself initiated it (similar to the general Linux firewall as well). So what you need to do is to pass the rules to allow your server to get through. But from here on, nothing is official; you need to be careful and think carefully in order not to open up new security holes. Ask more people who have better insight into Qubes security for second opinions, etc.

You could quickly test it by making a clone of your server and trying to tie it directly to your sys-net instead of sys-firewall. This is however very dodgy, and never do it on something important or something you plan to keep afterwards, since it essentially has no firewall in that period of time.

But try making a clone of your Qubes server and tie the clone to your sys-net; are you able to see the server now? Don't let it run too long either, just in case it can be used to attack other parts of Qubes (here is where you especially need a second opinion from a person more knowledgeable in Qubes security).

If it works, then you have now seen first hand that it's sys-firewall blocking you. I once did something similar for some Syncthing connections when I first started learning Qubes; this made me successfully open up Syncthing networking without changing the sys-firewall rules. Delete your testing clone once you have confirmed it works.

Now you need to find out how to do this in a secure way, so that you don't open a can of worms down the road. I haven't seen this discussed before, but my thoughts are a second firewall here. Otherwise it might just be down to editing the existing sys-firewall. For that, you're in luck: there is a very detailed guide available for it, https://www.qubes-os.org/doc/firewall/, which also covers inter-VM connections, as well as server connections (two different things of course).

To me an ideal solution would be a second firewall in Qubes, similar to how DMZ isolation zones are made in highly secure networks. So in a way, you'd be DMZ'ing Qubes, which I think would make perfect sense for something you want to do here. If you've got a server, then that server should be kept under a different firewall altogether, albeit still on the same machine/Qubes.

While DMZ'ing Qubes seems to make good sense at first, remember, I have never had this confirmed anywhere. It's critical you have a second opinion from someone skilled in Qubes security before you consider taking my advice here head on.

In practice though, I believe it should work pretty well. It's mostly the security thing I'm wondering about. It's been a while since I read that long guide in the link though; maybe they made edits in it to include some of these thoughts? I'd have to read it again myself at some point. Maybe you'll find info in there to help answer some of these questions.

Also try checking this out: https://github.com/Rudd-O/qubes-network-server
You might not need to use any of these installs/tools to cover your needs, but it might be a helpful read still to see alternative solutions.

Remember that second opinion of a skilled security person. That above guide is by no means Qubes official either, even though it looks quite interesting I gotta admit.
