From: "postmaster"
Date: Thu, 3 Feb 2005 21:04:59 +0300
Subject: [users@httpd] Secure hosting setup via proxy

Hi!

I am trying to set up a secure hosting system using FreeBSD and Apache.
Users will be able to use cgi, php, ssi and connect to mysql. Each user has his own system account and can log in using ftp and ssh2 to administer his own site. The site homedir is the user's home dir. It contains all the data for the site in one place. Basically, the structure is like this:

/hosts/
/hosts/hostname.com/
/hosts/hostname.com/htdata
/hosts/hostname.com/cgi-bin
/hosts/hostname.com/logs
/hosts/hostname.com/tmp
/hosts/hostname.com/var
/hosts/hostname.com/mysql

So, I need all programs (cgi or php) to be executed by the user who is the owner of the site. For example host_user and host_group. SUexec does not do what I need because php (or some other built-in language) executes under the apache user and group, not the virtual host user and group.

So, the only way is to run a separate apache for each site. But I have only one IP (real IPs are used in jail-type hosting, but these sites are a cheaper type of hosting). Of course, I cannot use port-based virtual hosts because nobody will want a site with url http://www.domain.dom:5633 :)

So, the only solution I have found is to build a proxying system where one HTTP is a front-end proxy and all real user servers are running on port-based hosts, each in a separate httpd. So, I set up some virtual host www.domain.dom on the proxying server to proxy to www.domain.com:10002

And it works perfectly, except for one problem. The problem is that I cannot get the right logs for the site. I mean, on the proxy server the access.log for the virtual host contains the correct client ip, so I can just give the user this log as a real access log, so the owner of the site can analyze the log for statistics. Access.log of the www.domain.com:10002 always shows the proxy ip address as the client address, which makes it useless for statistics purposes or security monitoring or auth based on ip. So, the problem with access can be solved using a log substitution trick.
But error.log on www.domain.com:10002 also shows the proxy ip as the client address and I see no way to substitute it or solve the problem, because only the real site writes into the error log (it can be apache messages or scripts printing to stderr for debugging and monitoring).

Now the question: Is there a way to solve the problem with error.log? Or, maybe there is some other solution for the overall problem of building more or less secure hosting on 1 ip w/o jails? Or maybe there is some module which can proxy requests between the front-end server and real servers w/o losing the client IP?

Thank you in advance.

Best regards
--
Artem Kuchin
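
The setup described in the message, written out as configuration for both sides. This is an added example, not part of the original post and not the poster's configuration. It assumes Apache 2.4 with mod_remoteip (which postdates this message); the loopback binding, the `site` log format name, the `admin` directory and the `Require ip` range are illustrative assumptions, and module loading is omitted.

```apache
# ---- front-end proxy: the only httpd listening on the public IP ----
<VirtualHost *:80>
    ServerName www.domain.dom
    # Reverse proxy only, never an open forward proxy.
    ProxyRequests Off
    # Hand the original Host header to the backend.
    ProxyPreserveHost On
    # mod_proxy_http appends the connecting client's address to the
    # X-Forwarded-For request header it sends to the backend.
    ProxyPass        / http://127.0.0.1:10002/
    ProxyPassReverse / http://127.0.0.1:10002/
</VirtualHost>

# ---- per-site backend: separate httpd instance, own config file ----
# Bound to loopback (assumption) so only the front end can connect.
Listen 127.0.0.1:10002
# Site owner's account, names as given in the message.
User  host_user
Group host_group
ServerName www.domain.dom
DocumentRoot /hosts/hostname.com/htdata

# Replace the connection address with the one from X-Forwarded-For,
# but only when the connection itself comes from the trusted proxy.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1

# %a logs the client address after mod_remoteip substitution.
LogFormat "%a %l %u %t \"%r\" %>s %b" site
CustomLog /hosts/hostname.com/logs/access.log site

# The core %a used in the error log's [client ...] field sees the
# same substituted address, so no separate error-log setting is needed.
ErrorLog /hosts/hostname.com/logs/error.log

# IP-based access control is evaluated against the substituted address.
# Directory name and address range are placeholders.
<Directory /hosts/hostname.com/htdata/admin>
    Require ip 192.0.2.0/24
</Directory>
```

The header is honoured only on connections from the address listed in `RemoteIPInternalProxy`, so an X-Forwarded-For value sent to the backend from anywhere else is ignored, and the loopback `Listen` keeps port 10002 unreachable from outside the host.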