Posted to users@httpd.apache.org by Mihai RUSU <di...@roedu.net> on 2002/02/11 16:14:44 UTC

secure apache virtualhost configuration for ISPs

Hi

I am facing the task to develop and implement a system/configuration for an
Apache based web hosting server. Because we want to give our users access
to run CGI, Perl, Bash, JSP, PHP scripts I am very concerned about the
security implications.

We will use a NameVirtualHost setup on ONE ip address. I think that an
acceptable configuration would be to have apache chroot and setuid
properly for every request depending on the virtualhost to which the
request refers. Example:

www.host1.com
www.host2.com

User nobody

NameVirtualHost 1.2.3.4

<VirtualHost 1.2.3.4:80>
 User #30000
 ServerName www.host1.com
 ServerAlias host1.com
 DocumentRoot /www/www.host1.com/
 CustomLog /www/www.host1.com/logs/access_log common
 ErrorLog  /www/www.host1.com/logs/error_log
</VirtualHost>

<VirtualHost 1.2.3.4:80>
 User #30001
 ServerName www.host2.com
 ServerAlias host2.com
 DocumentRoot /www/www.host2.com/
 CustomLog /www/www.host2.com/logs/access_log common
 ErrorLog  /www/www.host2.com/logs/error_log
</VirtualHost>

The files in /www/www.host1.com are owned by 30000 (including the directory
itself) and /www/www.host1.com has 700 permissions.
This also applies to /www/www.host2.com but with the userid 30001.

I know that in a standard suexec configuration (please correct me if I am
wrong) suexec would setuid to 30000 for every CGI request for that
VirtualHost. I would like to have suexec chroot in /www/www.host1.com too.
Also I think that having PHP built into Apache would make .php scripts run as
the main User and not the suexec/virtualhost one...
Also I have a great deal of concern about the .jsp security too. I don't
have any idea if Tomcat allows access to local filesystem, exec local
commands etc...

Does anyone have some relatively secure configuration for a setup like
this? Or some URL/HOWTO about this?

Thanks

----------------------------
Mihai RUSU
"... and what if this is as good as it gets ?"


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
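
An added example, not part of the original post: a Python audit that reads the per-vhost User and DocumentRoot from a configuration like the one in the message and reports every path that breaks the layout it describes (everything owned by the vhost's uid, top directory mode 700). The function names and the sample configuration are assumptions made for this illustration.

```python
import os
import pwd
import re
import stat

# Constructed sample mirroring the layout in the post (one uid per vhost).
SAMPLE_CONF = """
<VirtualHost 1.2.3.4:80>
 User #30000
 ServerName www.host1.com
 DocumentRoot /www/www.host1.com/
</VirtualHost>
"""

def parse_vhosts(conf_text):
    """Return (server_name, uid, docroot) for each <VirtualHost> block."""
    vhosts = []
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf_text, re.S | re.I):
        d = {}
        for line in block.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                d.setdefault(parts[0].lower(), parts[1].strip())
        user = d.get("user", "")
        try:  # "#N" is a numeric uid; anything else is looked up as a name
            uid = int(user[1:]) if user.startswith("#") else pwd.getpwnam(user).pw_uid
        except (KeyError, ValueError):
            uid = None
        vhosts.append((d.get("servername"), uid, d.get("documentroot")))
    return vhosts

def audit_docroot(docroot, expected_uid):
    """List deviations from 'owned by the vhost uid, top directory mode 700'."""
    if not os.path.isdir(docroot):
        return [f"{docroot}: missing or not a directory"]
    findings = []
    mode = stat.S_IMODE(os.lstat(docroot).st_mode)
    if mode != 0o700:
        findings.append(f"{docroot}: mode {mode:o}, expected 700")
    paths = [docroot]
    for root, dirs, files in os.walk(docroot):
        paths += [os.path.join(root, n) for n in dirs + files]
    for p in paths:
        st = os.lstat(p)
        if st.st_uid != expected_uid:
            findings.append(f"{p}: owner uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & stat.S_IWOTH and not stat.S_ISLNK(st.st_mode):
            findings.append(f"{p}: world-writable")
    return findings

if __name__ == "__main__":
    for name, uid, root in parse_vhosts(SAMPLE_CONF):
        print(name, audit_docroot(root, uid) or "ok")
```

Run it as root, or as a user that can read every document root, since a 700 directory owned by another uid cannot be walked otherwise.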