httpd-users mailing list archives

From: Richard Gration <rich...@zync.co.uk>
Subject: Re: [users@httpd] Apache Virtual Host
Date: Wed, 29 Oct 2003 17:41:42 GMT

Craig Daters wrote:
> I have scoured the web for information on setting up the virtual host part
> of Apache, and I have found lots of info, but nothing that shows me a clear
> cut example of what I am after. I am hoping that someone here may be able to
> help me. I am also posting this question to the User Support and Discussion
> list at Apache.org. We'll see what turns up.
> 
> I have a stock RH9 install setup for our web server, and have added PHP and
> MySQL as well. DNS services are all properly set up as well. For the purpose
> of keeping a similar setup to how we had our website setup where we were
> hosting previously, I created a user called 'westpress' to use for our main
> website as opposed to using the default 'apache' user with RedHat's default
> config.
> 
> User 'westpress' has its own directory in the /home directory. (Incidentally,
> I will be setting up three other websites for employees and want them all to
> be managed by the same Apache server.) So I will not be using the RH
> configured DocRoot path of '/var/www/html'. Instead, I will be setting up
> /home/*/public_html paths for everything.
> 
> Initially on my RHL machine, Apache was configured to run as 'user apache'
> and 'group apache'. I set up virtual host containers for 'westpress',
> 'jsdzyn' and 'teamtrailer'. I then restarted apache, and upon pointing my
> browser to www.westpress.com, or www.jsdzyn.com etc...get error messages.
> Now I understand why this is happening--the whole user and group permissions
> thing. The many examples I have consulted (mainly apache.org and my trusty
> O'Reilly Apache book) that show how to use the virtual host containers all
> seem to be using the same user/group declaration in the conf file. So there
> is never an issue like the one I encounter. I even tried to insert
> user/group directives into the virtual host containers when I tried this a
> year ago but that did not work then, I haven't tried it now thinking that I
> would get the same results.
> 
> I want all three of these accounts to remain separate from each other with
> their own working web server. The conf file refers to running apache as
> 'root' and that it will switch to the appropriate user when the page is
> called. So, I changed the user/group option to be root, and when I restarted
> apache all kinds of red flags went up! So I settled for changing the
> user/group option to 'westpress', put all of the 'westpress.com' settings
> into the main server config area, and for now 'jsdzyn.com' and
> 'teamtrailer.com' remain broken.
> 
> I recall trying to get this working almost a year ago or so, and seemed to
> be getting somewhere, but had to abandon it due to the fact that I could not
> get cgi scripts to work. Some kind of error that pointed to suexec or
> something like that.
> 
> I guess I'm wondering how ISPs are able to provide these services. I'm sure
> that they aren't running thousands of different webservers to accomplish
> this. I just want to run a similar set up so that I can keep all three sites
> running but separate.
> 
> When I tried this a year ago, I was running RH7.3 with their apache-1.3.27-2
> rpm.
> 
> Now, I am using RH9 with their httpd-2.0.40-21.5 rpm of apache installed.
> 
> And I know that the virtual host container configs work, because when I
> changed the user/group option to that specific user, their site would come
> up when called.
> 
> Can anyone point me in the right direction?
> 
> Craig D.
> 


1.3 specific, but most should apply to 2.0 too

I can't answer all of your questions, but I can give you some pointers,
in no particular order ;-)

When you let RH install the webserver, you get a suexec-enabled
webserver. As a security measure the username of the user allowed to
execute the suexec wrapper is compiled in and can't be changed at
runtime. If you don't use suexec, then changing the username that apache
runs as is not a problem, but if you do use suexec, then you can't
change it.

httpd runs as root initially, regardless of the User and Group
directives. These define which user it will run as when it drops its
root privs. Running as root is a no-no, security-wise.

One httpd parent process, one httpd.conf. If you can't configure your
virtual hosts using the directives that are available to you in the
VirtualHost containers then you're out of luck.

The user apache runs as MUST have read permissions on any directory it
serves content from. As home directories are created 700 on most Unix
systems, httpd will not be able to read content from home dirs by
default. If you're feeling adventurous you can change the group of
each home dir which has web content to <apache group> and change the
perms to 740. Off the top of my head I don't see that this leaves you
more open to abuse than the default situation.

I have heard of at least one ISP which runs multiple accounts on one
box, each with their own httpd.conf, but they do this by running each
one on its own IP, and they run multiple httpd processes, and they have 
some funky chroot thing going on (you also get your own mail server, ftp 
server, disk partition, etc).

HTH
Rich

-- 
Good government never depends upon laws, but upon the personal qualities
of those who govern.   The machinery of government is always subordinate
to the will of those who administer that machinery.   The most important
element of government, therefore, is the method of choosing leaders.
                  -- Frank Herbert, "Children of Dune"



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
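
An added example, not part of the original message: a Python model of the permission walk the kernel performs when a non-root httpd user opens a file under a /home/*/public_html docroot, run against several candidate modes for the home directory. The directory tree, the httpd uid and its group membership are constructed for the demonstration; ACLs, SELinux and root's override are not modelled.

```python
import os
import tempfile

def class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that applies to uid/gids. As in the kernel,
    exactly one class is used: owner first, then group, then other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def can_serve(base, target, uid, gids):
    """Could a non-root uid open `target` for reading, starting at `base`?
    Every directory passed through needs search (x); the file needs read (r)."""
    current = base
    for name in os.path.relpath(target, base).split(os.sep):
        if not class_bits(os.stat(current), uid, gids) & 1:
            return False, f"no search (x) permission on {current}"
        current = os.path.join(current, name)
    if not class_bits(os.stat(current), uid, gids) & 4:
        return False, f"no read (r) permission on {current}"
    return True, "ok"

def demo(home_mode):
    """Build a constructed <home>/public_html/index.html tree and test one mode
    on the home directory. Returns (ok, reason)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "westpress")        # constructed sample tree
        docroot = os.path.join(home, "public_html")
        os.makedirs(docroot)
        page = os.path.join(docroot, "index.html")
        with open(page, "w") as fh:
            fh.write("<h1>hello</h1>\n")
        os.chmod(page, 0o640)
        os.chmod(docroot, 0o750)
        os.chmod(home, home_mode)
        st = os.stat(home)
        httpd_uid = st.st_uid + 1    # hypothetical: any uid other than the owner
        httpd_gids = {st.st_gid}     # hypothetical: httpd is in the dir's group
        return can_serve(home, page, httpd_uid, httpd_gids)

if __name__ == "__main__":
    for mode in (0o700, 0o740, 0o710, 0o750):
        ok, reason = demo(mode)
        print(f"home dir mode {mode:o}: {'served' if ok else 'blocked'} ({reason})")
```

Group read on a directory only allows listing its names; passing through it to a file requires the search bit, which is why the walk distinguishes the two.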

