Posted to users@httpd.apache.org by Craig Daters <cr...@westpress.com> on 2003/10/29 16:09:21 UTC

[users@httpd] Apache Virtual Host

I have scoured the web for information on setting up the virtual host part
of Apache, and I have found lots of info, but nothing that shows me a clear
cut example of what I am after. I am hoping that someone here may be able to
help me. I am also posting this question to the User Support and Discussion
list at Apache.org. We'll see what turns up.

I have a stock RH9 install setup for our web server, and have added PHP and
MySQL as well. DNS services are all properly set up as well. For the purpose
of keeping a similar setup to how we had our website setup where we were
hosting previously, I created a user called 'westpress' to use for our main
website as opposed to using the default 'apache' user with RedHat's default
config.

User 'westpress' has its own directory in the /home directory. (Incidentally,
I will be setting up three other websites for employees and want them all to
be managed by the same Apache server.) So I will not be using the RH
configured DocRoot path of '/var/www/html'. Instead, I will be setting up
/home/*/public_html paths for everything.

Initially on my RHL machine, Apache was configured to run as 'user apache'
and 'group apache'. I set up virtual host containers for 'westpress',
'jsdzyn' and 'teamtrailer'. I then restarted apache, and upon pointing my
browser to www.westpress.com, or www.jsdzyn.com etc...get error messages.
Now I understand why this is happening--the whole user and group permissions
thing. The many examples I have consulted (mainly apache.org and my trusty
O'Reilly Apache book) that show how to use the virtual host containers all
seem to be using the same user/group declaration in the conf file. So there
is never an issue like the one I encounter. I even tried to insert
user/group directives into the virtual host containers when I tried this a
year ago but that did not work then, I haven't tried it now thinking that I
would get the same results.

I want all three of these accounts to remain separate from each other with
their own working web server. The conf file refers to running apache as
'root' and that it will switch to the appropriate user when the page is
called. So, I changed the user/group option to be root, and when I restarted
apache all kinds of red flags went up! So I settled for changing the
user/group option to 'westpress', put all of the 'westpress.com' settings
into the main server config area, and for now 'jsdzyn.com' and
'teamtrailer.com' remain broken.

I recall trying to get this working almost a year ago or so, and seemed to
be getting somewhere, but had to abandon it due to the fact that I could not
get cgi scripts to work. Some kind of error that pointed to suexec or
something like that.

I guess I'm wondering how ISPs are able to provide these services. I'm sure
that they aren't running thousands of different webservers to accomplish
this. I just want to run a similar set up so that I can keep all three sites
running but separate.

When I tried this a year ago, I was running RH7.3 with their apache-1.3.27-2
rpm.

Now, I am using RH9 with their httpd-2.0.40-21.5 rpm of apache installed.

And I know that the virtual host container configs work, because when I
changed the user/group option to that specific user, their site would come
up when called.

Can anyone point me in the right direction?

Craig D.

-- 

Craig Daters (craig@westpress.com)
Systems Administrator
West Press Printing & Copying
1663 West Grant Road
Tucson, Arizona 85745-1433
USA

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com

--


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache Virtual Host

Posted by Richard Gration <ri...@zync.co.uk>.
Craig Daters wrote:
> I have scoured the web for information on setting up the virtual host part
> of Apache, and I have found lots of info, but nothing that shows me a clear
> cut example of what I am after. I am hoping that someone here may be able to
> help me. I am also posting this question to the User Support and Discussion
> list at Apache.org. We'll see what turns up.
> 
> I have a stock RH9 install setup for our web server, and have added PHP and
> MySQL as well. DNS services are all properly set up as well. For the purpose
> of keeping a similar setup to how we had our website setup where we were
> hosting previously, I created a user called 'westpress' to use for our main
> website as opposed to using the default 'apache' user with RedHat's default
> config.
> 
> User 'westpress' has its own directory in the /home directory. (Incidentally,
> I will be setting up three other websites for employees and want them all to
> be managed by the same Apache server.) So I will not be using the RH
> configured DocRoot path of '/var/www/html'. Instead, I will be setting up
> /home/*/public_html paths for everything.
> 
> Initially on my RHL machine, Apache was configured to run as 'user apache'
> and 'group apache'. I set up virtual host containers for 'westpress',
> 'jsdzyn' and 'teamtrailer'. I then restarted apache, and upon pointing my
> browser to www.westpress.com, or www.jsdzyn.com etc...get error messages.
> Now I understand why this is happening--the whole user and group permissions
> thing. The many examples I have consulted (mainly apache.org and my trusty
> O'Reilly Apache book) that show how to use the virtual host containers all
> seem to be using the same user/group declaration in the conf file. So there
> is never an issue like the one I encounter. I even tried to insert
> user/group directives into the virtual host containers when I tried this a
> year ago but that did not work then, I haven't tried it now thinking that I
> would get the same results.
> 
> I want all three of these accounts to remain separate from each other with
> their own working web server. The conf file refers to running apache as
> 'root' and that it will switch to the appropriate user when the page is
> called. So, I changed the user/group option to be root, and when I restarted
> apache all kinds of red flags went up! So I settled for changing the
> user/group option to 'westpress', put all of the 'westpress.com' settings
> into the main server config area, and for now 'jsdzyn.com' and
> 'teamtrailer.com' remain broken.
> 
> I recall trying to get this working almost a year ago or so, and seemed to
> be getting somewhere, but had to abandon it due to the fact that I could not
> get cgi scripts to work. Some kind of error that pointed to suexec or
> something like that.
> 
> I guess I'm wondering how ISPs are able to provide these services. I'm sure
> that they aren't running thousands of different webservers to accomplish
> this. I just want to run a similar set up so that I can keep all three sites
> running but separate.
> 
> When I tried this a year ago, I was running RH7.3 with their apache-1.3.27-2
> rpm.
> 
> Now, I am using RH9 with their httpd-2.0.40-21.5 rpm of apache installed.
> 
> And I know that the virtual host container configs work, because when I
> changed the user/group option to that specific user, their site would come
> up when called.
> 
> Can anyone point me in the right direction?
> 
> Craig D.
> 


1.3 specific, but most should apply to 2.0 too

I can't answer all of your questions, but I can give you some pointers,
in no particular order ;-)

When you let RH install the webserver, you get a suexec-enabled
webserver. As a security measure the username of the user allowed to
execute the suexec wrapper is compiled in and can't be changed at
runtime. If you don't use suexec, then changing the username that apache
runs as is not a problem, but if you do use suexec, then you can't
change it.

httpd runs as root initially, regardless of the User and Group
directives. These define which user it will run as when it drops its
root privs. Running as root is a no-no, security-wise.

One httpd parent process, one httpd.conf. If you can't configure your
virtual hosts using the directives that are available to you in the
VirtualHost containers then you're out of luck.

The user apache runs as MUST have read permissions on any directory it
serves content from. As home directories are created 700 on most Unix
systems, httpd will not be able to read content from home dirs by
default. If you're feeling adventurous you can change the group of
each home dir which has web content to <apache group> and change the
perms to 740. Off the top of my head I don't see that this leaves you
more open to abuse than the default situation.

I have heard of at least one ISP which runs multiple accounts on one
box, each with their own httpd.conf, but they do this by running each
one on its own IP, and they run multiple httpd processes, and they have 
some funky chroot thing going on (you also get your own mail server, ftp 
server, disk partition, etc).

HTH
Rich

-- 
Good government never depends upon laws, but upon the personal qualities
of those who govern.   The machinery of government is always subordinate
to the will of those who administer that machinery.   The most important
element of government, therefore, is the method of choosing leaders.
                  -- Frank Herbert, "Children of Dune"





Re: [users@httpd] Apache Virtual Host

Posted by Robert Andersson <ro...@profundis.nu>.
Brian Dessent wrote:
> Note that there is a special case for CGI scripts when suexec is
> enabled.  In this case, the CGI scripts run as the owner of the file and
> not as the apache user.

No, Suexec will run CGI programs under the user/group specified in the
SuexecUserGroup directive (Apache 2), see:
http://httpd.apache.org/docs-2.0/mod/mod_suexec.html#suexecusergroup

For Apache 1.3, it is from the User and Group directives, see:
http://httpd.apache.org/docs/mod/core.html#user
http://httpd.apache.org/docs/mod/core.html#group

Regards,
Robert Andersson




Re: [users@httpd] Apache Virtual Host

Posted by Brian Dessent <br...@dessent.net>.
Craig Daters wrote:
> 
> I have scoured the web for information on setting up the virtual host part
> of Apache, and I have found lots of info, but nothing that shows me a clear
> cut example of what I am after. I am hoping that someone here may be able to
> help me. I am also posting this question to the User Support and Discussion
> list at Apache.org. We'll see what turns up.

You really should leave Apache running as the user and group that Redhat
has everything configured for.  The whole point is that this should be a
"nobody" account that can only read things that are publicly readable,
and have no access to anything else.  I think you're confusing the
meaning of the User and Group directives.  They specify under what
credentials the web server will run as.  Apache can only run as a single
user and group, it cannot change based on what request comes in.  So
there should only be a single User and Group directive, which applies to
everything.  If you specify it more than once, the last one counts.

It sounds like the problem you are having is just a simple permissions
problem.  You have to make sure that the public_html dir and all of its
contents are world-readable.  Usually this means 644 for files and 755
for directories.  There is no reason to go changing the user that Apache
runs as, just fix the permissions so that the files are visible by the
apache user.

Note that there is a special case for CGI scripts when suexec is
enabled.  In this case, the CGI scripts run as the owner of the file and
not as the apache user.  But it doesn't sound like you're doing CGI so
this probably is irrelevant.

You need to specify exactly what errors you're getting, as we can't help
you any more if all you can say is "There were errors."  We need error
log entries, or at least a description of what happens.

Brian
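
Added example, not part of any poster's message: a POSIX shell check for the
permission problem this thread discusses. It reads only the "other" mode bits,
which are the ones that apply when the web server account is neither the owner
nor in the group of the content. The function names and the sample tree are
constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Reports what stops an account that is
# neither owner nor group member (e.g. the 'apache' user) from serving a file.

# other_bits PATH: print the three "other" mode characters, e.g. "r-x".
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# web_blockers FILE [TOP]: FILE is an absolute path. Prints one line per
# obstacle between TOP (default /, not itself checked) and FILE, and prints
# nothing when the whole path is reachable.
web_blockers() {
    file=$1
    stop=${2:-/}
    # The file itself must be world-readable (the 644 case).
    case $(other_bits "$file") in
        r??) ;;
        *) echo "not world-readable: $file" ;;
    esac
    # Every parent directory needs the search (x) bit; 't' is x plus sticky.
    dir=$(dirname "$file")
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        case $(other_bits "$dir") in
            ??[xt]) ;;
            *) echo "no world search (x) bit: $dir" ;;
        esac
        dir=$(dirname "$dir")
    done
}

# make_sample_tree: build a constructed layout under a temp directory that
# mirrors the thread: a mode-700 home directory above a 755 public_html.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/westpress/public_html"
    echo '<html>ok</html>' > "$root/home/westpress/public_html/index.html"
    chmod 755 "$root/home" "$root/home/westpress/public_html"
    chmod 644 "$root/home/westpress/public_html/index.html"
    chmod 700 "$root/home/westpress"
    echo "$root"
}

# Usage: sh check.sh /home/westpress/public_html/index.html
if [ "$#" -gt 0 ]; then
    web_blockers "$@"
fi
```

On the sample tree the only line reported is the mode-700 home directory, even
though public_html and the file below it already have 755 and 644.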



RE: [users@httpd] Apache Virtual Host

Posted by Remo Mattei <re...@italy1.com>.
It's a permission issue. If you give the apache user the permission to run
as a group then you should be fine. So owned by the user, group is your
apache, nothing to the rest except execute.

Good luck. 


Remo Mattei
Network Security Engineer
cell 801-209-8554
email remo@italy1.com
