Posted to users@httpd.apache.org by Patrick Best <Pa...@telus.com> on 2014/01/27 18:11:15 UTC

[users@httpd] Apache and CHROOT Filesystem Layout Best Practices

Hi Everyone;

Looking for some advice on CHROOT best practices with regards to my Apache 2.2.11 under Centos 6.5. Specifically, I am interested in FileSystem/Directory/FileStructure layout. I run on Centos, but my question is distro-independent and I will extrapolate from advice of users of other systems. I require CHROOT, but am also aware of "php_value open_basedir" protections for php scripts, etc.

I wish to run apache and vhosting using the integrated (as of 2.2.10) CHROOT and have experimented with a few configurations this far.  I wanted to approach the community to find a best practice with regards to CHROOT environment.

Is placing the "configuration and module etc-style" directories as well as "user content" directories inside the same CHROOT environment a sane/safe practice?

In other words, which is the most acceptable way to specify things in httpd.conf (and thus arrange the filesystem/directorystructure/files accordingly) :

1)
(I have chosen this way for now.. not sure if correct)
ServerRoot "/data/etc/httpd"
ChrootDir /data/

2)
(This seems to mimic the URL pasted above's methodology)
ServerRoot "/someotherbasedir/etc/httpd"
ChrootDir /data/

3)
(I don't believe this is correct)
ServerRoot "/data/ "
ChrootDir /data/

4)
(I don't believe this is correct)
ServerRoot "/data/ "
ChrootDir /data/www

In all above cases the two directories mentioned contain:

/data/www -> contains vhost directories for serving content
/data/etc/httpd -> contains conf, logs, conf.d, and module directories.

Naturally, the chroot will have to have certain paths built in to support "php session" files (within the root), and PID files.  Probably some other things as well possibly.  The modules and logs currently link to the "real" filesystem by symbolic link.

I light up my server using the centos "service httpd start" command. But, as per the instructions at this (module-based-chroot, but still relevant) URL, http://www.cyberciti.biz/tips/chroot-apache-under-rhel-fedora-centos-linux.html, which were correct, I've had to modify my service script to symbolically link the PID file from the "real" filesystem into the "chrooted" filesystem for apache to quit without failure:

/etc/init.d/httpd
stop() {
       /bin/ln -s $ROOT/var/run/httpd/httpd.pid /var/run/httpd/httpd.pid
....
...
}


Before I start my trip down the rabbit hole and make tonnes of accommodations like this, am I on the right path? Another thing to consider is that I desire to occasionally do an apache "reload" (gracefully) to reload newly created vhost configuration files. Should those "*VHOST*.conf" files be located within the chroot environment or outside of the environment?

Thank you.
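The layout question above (modules and logs symlinked from the "real" filesystem into the chroot, a PID file that has to be reachable from both sides) is the kind of thing worth auditing with a script before switching ChrootDir on, because a symlink that looks fine from outside can be dangling once httpd has chrooted: after chroot(2) an absolute link target "/x" is looked up as "<chroot>/x", and ".." cannot climb above the new root. The following POSIX shell script is an added example, not code from the original post or from the Apache project; it builds a constructed /data-style layout in a temp directory (the list of required directories, the "real filesystem" stand-in and all link names are assumptions chosen for the demo) and reports directories that are missing, links that will dangle inside the chroot, and relative links that escape it.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Apache ChrootDir layout.
# Findings are printed one per line, prefixed MISSING, DANGLING or ESCAPES.

# Arg 1: the chroot directory. Remaining args: chroot-relative directories
# that must exist. Every symlink under the chroot is then checked the way the
# kernel will resolve it AFTER httpd has chrooted.
list_chroot_findings() {
    chroot_dir=$(cd -P "$1" && pwd) || return 1
    shift
    for rel in "$@"; do
        # note: -d follows symlinks using the REAL root, which is exactly why
        # a plain test from outside the chroot can be misleading (see below)
        [ -d "$chroot_dir/$rel" ] || echo "MISSING  $rel"
    done
    find "$chroot_dir" -type l -print | while IFS= read -r link; do
        target=$(readlink "$link")
        shown=${link#"$chroot_dir"}
        case "$target" in
            /*) inside="$chroot_dir$target" ;;   # absolute: re-rooted under the chroot
            *)  # relative: resolve physically, then require it to stay under the chroot
                dir=$(cd -P "$(dirname "$link")/$(dirname "$target")" 2>/dev/null && pwd) || dir=""
                if [ -z "$dir" ]; then
                    echo "DANGLING $shown -> $target"
                    continue
                fi
                inside="$dir/$(basename "$target")"
                ;;
        esac
        case "$inside" in
            "$chroot_dir"/*) [ -e "$inside" ] || echo "DANGLING $shown -> $target" ;;
            *)               echo "ESCAPES  $shown -> $target" ;;
        esac
    done
}

# Number of findings (0 means the layout passed).
count_chroot_findings() {
    list_chroot_findings "$@" | wc -l | tr -d ' '
}

# Constructed demo layout modelled on the poster's /data chroot (ServerRoot
# /data/etc/httpd, vhosts under /data/www). A second temp dir stands in for the
# "real" filesystem so the run does not depend on what is installed here.
# The required-directory list is an assumption; adjust it to your httpd.conf.
REQUIRED_DIRS="etc/httpd/conf etc/httpd/conf.d etc/httpd/logs etc/httpd/modules var/run/httpd www tmp"

build_demo_chroot() {
    demo=$(mktemp -d) && real_fs=$(mktemp -d) || return 1
    mkdir -p "$demo/etc/httpd/conf" "$demo/etc/httpd/conf.d" "$demo/etc/httpd/logs" \
             "$demo/var/run/httpd" "$demo/www/example.com" "$real_fs/modules"
    # fine: absolute target that also exists under the chroot (like /etc/httpd/run on CentOS)
    ln -s /var/run/httpd "$demo/etc/httpd/run"
    # passes "test -d" from outside, but dangles after chroot: modules linked from the real fs
    ln -s "$real_fs/modules" "$demo/etc/httpd/modules"
    # relative link that climbs above the chroot root: resolves elsewhere (or nowhere) inside
    ln -s ../../../outside.conf "$demo/www/example.com/site.conf"
    # tmp (the php session directory in this demo) is deliberately left out -> MISSING
    echo "$demo"
}

demo_chroot=$(build_demo_chroot)
list_chroot_findings "$demo_chroot" $REQUIRED_DIRS
```

Run it against a real candidate layout with `list_chroot_findings /data etc/httpd/conf etc/httpd/logs ...`; anything reported as DANGLING needs a copy, a bind mount or a hard link placed under the chroot at the same path rather than a symlink out to the real filesystem, since the symlink will not be followed there once the process has chrooted.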