Posted to dev@httpd.apache.org by Rod Roark <ro...@sunsetsystems.com> on 2001/10/24 03:00:32 UTC
Name based virtual hosting
I hope y'all don't mind my posting here as I'm not an Apache developer.
However I think this may be of interest anyway, and only you guys are
likely to know the answer.

I'm aiming to be a sort of ISP, providing, among other things, name
based virtual hosting. I.e., there's just one IP address.

The problem, of course, is how do you give your users access to PHP,
servlets, CGI, etc. and still keep them somewhat secure from each
other's potential mischief. Multiple httpd instances are not really
an answer because then only one user gets port 80.

I did come up with a possible solution. However I'm not sure if it's
complete garbage, mildly useful, or really interesting. That's where
you come in.

My "virtual hosts" section of httpd.conf looks something like this:

  NameVirtualHost *

  <VirtualHost *>
    ServerName www.somename.com
    DocumentRoot /opt/www/users/somename_ThisIsASecret
    ...
  </VirtualHost>

  <VirtualHost *>
    ServerName www.anothername.com
    DocumentRoot /opt/www/users/anothername_ThisIsAnotherSecret
    ...
  </VirtualHost>

Then, /opt/www/users looks like this:

  drwx--x--x  root     root    .
  drwxrwx---  some     apache  somename_ThisIsASecret
  drwxrwx---  another  apache  anothername_ThisIsAnotherSecret

You get the idea. Nobody can list the contents of /opt/www/users,
but users can get into their own directory if they know its name.
Obviously it behooves them to keep the name secret.

Also httpd.conf is set to be readable only by root. It turns out
this works because apache starts up with root permissions.

How well would this scheme work? Is there some obvious way that
nefarious users can poke around inside Apache to get other
documentroot names?

TIA for your wisdom....

-- Rod
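
Added example, not part of the original post and not Apache code: a Python check that a tree still has the permissions this scheme depends on (parent directory searchable but not listable, each DocumentRoot closed to "other", httpd.conf accessible to its owner only). The function names, the owner_uid parameter and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_vhost_layout(users_dir, httpd_conf=None, owner_uid=0):
    """Return findings for the layout in the post; an empty list means it matches."""
    findings = []
    st = os.stat(users_dir)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != owner_uid:
        findings.append(f"{users_dir}: owner uid {st.st_uid}, expected {owner_uid}")
    # drwx--x--x: group/other may traverse (x) but must not list (r) or modify (w).
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{users_dir}: listable by group/other ({mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{users_dir}: writable by group/other ({mode:04o})")
    # drwxrwx---: a DocumentRoot must carry no permission bits for "other".
    for entry in os.scandir(users_dir):
        emode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
        if entry.is_dir(follow_symlinks=False) and emode & stat.S_IRWXO:
            findings.append(f"{entry.path}: open to other users ({emode:04o})")
    # httpd.conf lists every DocumentRoot name, so only its owner may access it.
    if httpd_conf is not None:
        cmode = stat.S_IMODE(os.stat(httpd_conf).st_mode)
        if cmode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{httpd_conf}: accessible beyond owner ({cmode:04o})")
    return findings

def build_sample(root, parent_mode=0o711, child_mode=0o770):
    """Create a constructed copy of the post's layout under root; return its path."""
    users = os.path.join(root, "users")
    os.mkdir(users)
    for name in ("somename_ThisIsASecret", "anothername_ThisIsAnotherSecret"):
        path = os.path.join(users, name)
        os.mkdir(path)
        os.chmod(path, child_mode)  # chmod sets the mode exactly, regardless of umask
    os.chmod(users, parent_mode)
    return users

if __name__ == "__main__":
    # Constructed samples are owned by the current user, hence owner_uid=os.geteuid().
    for parent_mode in (0o711, 0o755):
        with tempfile.TemporaryDirectory() as tmp:
            users = build_sample(tmp, parent_mode=parent_mode)
            print(oct(parent_mode), audit_vhost_layout(users, owner_uid=os.geteuid()))
```

Against the real tree, call audit_vhost_layout("/opt/www/users", <path to httpd.conf>) as root with the default owner_uid=0. It verifies permissions only; it does not show whether a DocumentRoot name can be learned through Apache itself, which is the question the post asks.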