Posted to users@httpd.apache.org by Mihai RUSU <di...@roedu.net> on 2002/02/11 16:14:44 UTC
secure apache virtualhost configuration for ISPs
Hi
I am facing the task of developing and implementing a system/configuration for an
Apache-based web hosting server. Because we want to give our users access
to run CGI, Perl, Bash, JSP, PHP scripts I am very concerned about the
security implications.

We will use a NameVirtualHost setup on ONE IP address. I think that an
acceptable configuration would be to have Apache chroot and setuid
properly for every request depending on the virtualhost to which the
request refers. Example:
www.host1.com
www.host2.com
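
# identity of the main server
User nobody
# log format nickname used by the CustomLog lines below
LogFormat "%h %l %u %t \"%r\" %>s %b" common
NameVirtualHost 1.2.3.4

<VirtualHost 1.2.3.4:80>
    # uid that requests for www.host1.com should run as
    User 30000
    ServerName www.host1.com
    ServerAlias host1.com
    DocumentRoot /www/www.host1.com/
    CustomLog /www/www.host1.com/logs/access_log common
    ErrorLog /www/www.host1.com/logs/error_log
</VirtualHost>

<VirtualHost 1.2.3.4:80>
    # uid that requests for www.host2.com should run as
    User 30001
    ServerName www.host2.com
    ServerAlias host2.com
    DocumentRoot /www/www.host2.com/
    CustomLog /www/www.host2.com/logs/access_log common
    ErrorLog /www/www.host2.com/logs/error_log
</VirtualHost>
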
The files in /www/www.host1.com are owned by 30000 (including the directory
itself) and /www/www.host1.com has 700 permissions.
This also applies to /www/www.host2.com but with the userid 30001.

I know that in a standard suexec configuration (please correct me if I'm
wrong) suexec would setuid to 30000 for every CGI request for that
VirtualHost. I would like to have suexec chroot in /www/www.host1.com too.

Also I think that having PHP built into Apache would make .php scripts run as
the main User and not the suexec/virtualhost one...

Also I have a great deal of concern about the .jsp security too. I don't
have any idea if Tomcat allows access to the local filesystem, exec local
commands etc...

Does anyone have some relatively secure configuration for a setup like
this? Or some URL/HOWTO about this?

Thanks
----------------------------
Mihai RUSU
"... and what if this is as good as it gets ?"
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
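
The ownership layout described in the message (one uid per virtual host, DocumentRoot owned by that uid with mode 700) can be checked mechanically. The script below is an added example, not part of the original post: it parses the `<VirtualHost>` blocks of a config file and reports hosts that break that layout. It assumes numeric uids as in the post (with or without a leading `#`); the function names are hypothetical.

```python
import os
import re
import stat

WANTED = {"user", "servername", "documentroot"}

def parse_vhosts(conf_text):
    """Return one dict (lower-cased directive -> value) per <VirtualHost> block."""
    vhosts, cur = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if re.match(r"<VirtualHost\b", line, re.I):
            cur = {}
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            if cur is not None:
                vhosts.append(cur)
            cur = None
        elif cur is not None and line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() in WANTED:
                cur[parts[0].lower()] = parts[1].strip().strip('"')
    return vhosts

def audit_vhosts(conf_text):
    """Return (servername, problem) tuples for vhosts that break the isolation layout."""
    findings, owners = [], {}
    for vh in parse_vhosts(conf_text):
        name = vh.get("servername", "<unnamed>")
        user = vh.get("user", "").lstrip("#")
        if not user.isdigit():
            findings.append((name, "no numeric per-vhost User"))
            continue
        if user in owners:  # two customers sharing a uid can read each other's files
            findings.append((name, "shares uid %s with %s" % (user, owners[user])))
        owners.setdefault(user, name)
        try:
            st = os.stat(vh.get("documentroot"))
        except (OSError, TypeError):
            findings.append((name, "DocumentRoot missing or unreadable"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != int(user):
            findings.append((name, "DocumentRoot owned by uid %d, not %s" % (st.st_uid, user)))
        if mode & 0o077:
            findings.append((name, "DocumentRoot mode %o is open to group/other" % mode))
    return findings

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. python audit_vhosts.py httpd.conf
        for name, problem in audit_vhosts(open(path).read()):
            print("%s: %s" % (name, problem))
```

An empty result means every virtual host has its own uid and a private DocumentRoot; it says nothing about which uid PHP or JSP code actually runs as.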