Virtualhost security configuration

Post by Martial Riou » Wed, 01 Sep 1999 04:00:00



Hi guys,

    Do you have any experiences with virtual webhosting for mass?

  If you answer yes to this question maybe you can help us!

We want to build a large virtual web hosting solution for our web
developers but we want to keep
a secure system. We want to build a complete web development system with
apache and (ssi, mod_php, mod_perl, mysql, msql).

The problem
If we configure the web server with a specific user.group like www, how
can we set up each virtualhost section
so that CGI and PHP work and are secure between dev1 and devn, if all
users have a different user.group?

Developers 1
<VirtualHost 127.0.0.1>
    ServerName dev1.localhost
</VirtualHost>
......
Developers N
<VirtualHost 127.0.0.1>
    ServerName devn.localhost
</VirtualHost>

Any ideas are welcome!

--
______________________________________________________________

                                http://www.cgi.ca
Le Groupe CGI Inc.              Tel: +1-514-383-1611 x2085
Gestion Des Technologies        Fax: +1-514-383-7234
______________________________________________________________
Linux a day linux always (MRX)

 
 
 

Post by Rasmus Lerdo » Thu, 02 Sep 1999 04:00:00


>    Do you have any experiences with virtual webhosting for mass?

>  If you answer yes to this question maybe you can help us!

>We want to build a large virtual web hosting solution for our web
>developers but we want to keep
>a secure system. We want to build a complete web development system with
>apache and (ssi, mod_php, mod_perl, mysql, msql).

There are different ways to do this.  Any server-module install is going
to be an issue.  mod_perl, mod_php, mod_include (ssi), etc.  The problem
being that all requests will end up being run as the same user.  mod_php
has a safe-mode setting that handles this, but if you have any non-PHP
scripting options on the same server, it doesn't help you.

The most secure solution is to run separate Apache httpd pools for each
virtual host and run each pool as its own user id.  It takes a few more
resources, but really not as many as most people think.  But, each pool
will need its own IP.  You can get around this with a bit of
redirection trickery from a main server listening on port 80 and
shoving requests off to the individual pools listening on other ports,
but if you have the ip space, just give each pool its own ip.

If you don't like the sound of running individual httpd pools your only
other real solution is to only run CGI-based stuff through a cgi wrapper
like suExec.  This of course rules out mod_perl and mod_include.  You
can set up straight perl cgi and compile php as a cgi as well and run it
this way.  But, the overhead of forking all these perl and php requests
ends up taking more resources than running separate server pools where you
can embed both perl and php directly in your httpd server processes.

-Rasmus
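
The two layouts described in the reply above, sketched as an added Apache configuration example; it is not part of the original thread and not either poster's own configuration. Directive names are those of Apache 2.4, and the users, addresses (192.0.2.x documentation range), hostnames and paths are constructed. Apache 1.3 of the thread's era set the suEXEC identity with User and Group inside the <VirtualHost> block rather than with SuexecUserGroup.

```apache
# ---- Option 1: one httpd pool per developer, one IP per pool --------
# Constructed file: /etc/httpd/pools/dev1.conf
# Each pool is a separate server instance: httpd -f /etc/httpd/pools/dev1.conf
# (module loading and MPM settings omitted from this fragment)

Listen   192.0.2.11:80            # this pool's own address
User     dev1                     # children run as dev1, so embedded
Group    dev1                     # mod_php / mod_perl / SSI code does too
PidFile  /var/run/httpd-dev1.pid  # per-pool runtime files must not collide
ErrorLog /var/log/httpd/dev1-error.log

ServerName   dev1.example.test
DocumentRoot /var/www/dev1/htdocs
<Directory /var/www/dev1/htdocs>
    Require all granted
</Directory>
# Isolation also depends on file modes: /var/www/dev1 must not be
# readable or writable by the dev2..devN accounts.
# dev2.conf is identical except for: 192.0.2.12, dev2, and the dev2 paths.

# ---- Option 2: one shared server, CGI only, wrapped by suEXEC -------
# Constructed file: /etc/httpd/conf/shared.conf
# No mod_php / mod_perl / mod_include here: anything embedded in the
# server would run as www for every virtual host.

Listen 192.0.2.10:80
User   www
Group  www

<VirtualHost 192.0.2.10:80>
    ServerName   dev1.example.test
    DocumentRoot /var/www/dev1/htdocs
    SuexecUserGroup dev1 dev1     # CGI for this host executes as dev1
    ScriptAlias /cgi-bin/ /var/www/dev1/cgi-bin/
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName   dev2.example.test
    DocumentRoot /var/www/dev2/htdocs
    SuexecUserGroup dev2 dev2
    ScriptAlias /cgi-bin/ /var/www/dev2/cgi-bin/
</VirtualHost>
# suexec only executes programs under its compiled-in document root
# (assumed here to be /var/www) that are owned by the target user.
```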