Posted to users@httpd.apache.org by re...@hush.com on 2003/07/21 17:33:16 UTC

[users@httpd] Secure Apache VirtualHost

Hi lists,
I'm trying to set up a basic web hosting server for use with 200+ sites.
I've done the usual setup of mail+ftp+apache+mysql, with proftpd configured
with chroots to each "virtual site"'s root, so users can't browse through
to other people's hosted sites.

Directory structure is /home/hosting/www.sitehere.com/www
Every site has its own group, every user is part of this group

Problem though -- apache runs as user 'httpd', which requires every site
to have read-all access.  Even though every user on the system has a
false shell set, so they can't ssh/telnet in, it means anybody who has
a reasonably basic knowledge of php or perl can write a simple script
to list and show files in other directories they have read access to
- which are other people's sites!

Seeing as most sites these days are database driven, it potentially
means that they could view another site's php/perl source, where the
username, password, and database are defined.  They could then write
their own script to modify that database directly!

Surely there's some way to stop users in an apache 'virtual host' from
being able to view other hosted sites' files?

Ideas?

Thanks


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
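A check for the exposure described in the post above, added here as an example and not part of the original message: a POSIX shell audit that walks a hosting tree laid out as /home/hosting/<site>/www (the layout the post gives) and lists every regular file carrying the world-read bit, which is the bit that lets a script running under one site's account open another site's source. The hosting root, the site names and the sample files used in the demo are constructed; only the directory layout comes from the post.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a shared-hosting tree
# for files that any local account could read.
# Layout assumed from the post: /home/hosting/<site>/www, one group per site,
# httpd running as user 'httpd'. POSIX sh + find only, so it runs on an old box.

# world_readable ROOT
# Print every regular file under ROOT with the other-read bit (o+r) set; this
# is exactly what lets a script on one site read another site's source.
world_readable() {
    find "$1" -type f -perm -004 -print | sort
}

# group_other_writable ROOT
# Files writable by group or others: another site could modify, not just read.
group_other_writable() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print | sort
}

# audit HOSTING_ROOT
# Walk each site directory and report world-readable files.
# Returns 0 if clean, 1 if at least one exposed file was found.
audit() {
    root=$1
    bad=0
    for site in "$root"/*/; do
        [ -d "$site" ] || continue
        n=$(world_readable "$site" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf 'EXPOSED %s (%s world-readable file(s))\n' "$site" "$n"
            world_readable "$site" | sed 's/^/    /'
            bad=1
        fi
    done
    return $bad
}

# make_sample_tree DIR
# Constructed sample data for a stand-alone run: two sites, one of which still
# has a world-readable config.php holding (made-up) database credentials.
make_sample_tree() {
    d=$1
    mkdir -p "$d/www.site-a.example/www" "$d/www.site-b.example/www"
    printf '<?php $db_pass = "constructed-sample";\n' > "$d/www.site-a.example/www/config.php"
    printf 'hello\n' > "$d/www.site-a.example/www/index.html"
    printf '<?php // tightened\n' > "$d/www.site-b.example/www/config.php"
    chmod 644 "$d/www.site-a.example/www/config.php"   # exposed: o+r set
    chmod 644 "$d/www.site-a.example/www/index.html"   # exposed: o+r set
    chmod 640 "$d/www.site-b.example/www/config.php"   # owner + group only
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    audit "$tmp"
    rm -rf "$tmp"
fi
```

Run it as `sh audit.sh --demo` against the constructed tree, or call `audit /home/hosting` on a real one; a non-zero exit means at least one site still has world-readable files. Clearing the bit (mode 0640 with the site's group, for instance) only works once httpd itself no longer needs other-read access to serve the site, which is the point of the per-site instance approach Joshua Slive describes later in the thread.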


RE: [users@httpd] Configuration Questions

Posted by David Blomstrom <Ge...@geobop.com>.
At 11:09 PM 7/21/2003 -0400, you wrote:

>If you want to make c:/sites as your root tree, you should change
>DocumentRoot variable to: DocumentRoot c:/sites.
>That will serve the pages in the address: http://www.server.com without the
>"virtual directory"
>
>Is it more understandable for you now?

Thanks. I think I'll be able to figure it out now. One of the things that 
threw me off was a problem I was having with Dreamweaver that I finally fixed.

Thanks for your help.



RE: [users@httpd] Configuration Questions

Posted by Jeff Cohen <su...@gej-it.com>.
Answer for question 1:
I think I answered this thread before. In order to create a "virtual
directory" (= a directory which is in a different location than the root
directory of the site\server) you should make a "pointer" to it where you
say: Alias /sites c:/sites. That will mean that whoever is going to go to
http://www.server.com/sites will actually be viewing the content of c:/sites
on your server.

If you want to make c:/sites as your root tree, you should change
DocumentRoot variable to: DocumentRoot c:/sites.
That will serve the pages in the address: http://www.server.com without the
"virtual directory"

Is it more understandable for you now?

Answer for question 2:
LoadModule status_module modules/mod_status.so
That will tell the apache web server to load this module the next time you
start it (start means re-read the config files).

The quotation that you mentioned is just explaining that win32 users do not
have to recompile the apache source like *nix users, due to the fact that
win32 in most cases has the same variables for the system itself, so when a
module looks for a DLL file, the win32 system knows to point and process the
request within the DLL folder, which in most cases is
c:\%WIN_DIR%\system32 .
That means that a win32 user does not *HAVE* to recompile apache's source
tarball from scratch every time he wants to add a new module, because the
modules in apache's source are for multiple systems and each system has its
own system files, config, or variables.

Hope I helped you in a way to understand it :)

All the best,
Jeff Cohen
Support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!



> -----Original Message-----
> From: David Blomstrom [mailto:GeoBear@geobop.com]
> Sent: Monday, July 21, 2003 3:57 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Configuration Questions
> 
> I've been rereading the instructions for configuring Apache for Windows at
> http://httpd.apache.org/docs-2.0/platform/windows.html, but I'm still
> confused.
> 
> The first thing I want to get squared away is all the "root" commands.
> This is what's listed in my conf file:
> 
> ServerRoot "C:/Program Files/Apache Group/Apache2"
> DocumentRoot "C:/Program Files/Apache Group/Apache2/htdocs"
> 
> My websites are stored on my C drive in a folder called sites - C:sites.
> Going back to square one, am I supposed to type some reference to C:sites
> in the conf folder, or do I just take care of that in Dreamweaver > Sites >
> Edit Site?
> 
> I'm also a little confused by this passage:
> 
> "Apache for Windows contains the ability to load modules at runtime,
> without recompiling the server. If Apache is compiled normally, it will
> install a number of optional modules in the \Apache2\modules directory. To
> activate these or other modules, the new LoadModule directive must be
> used.
> For example, to activate the status module, use the following (in addition
> to the status-activating directives in access.conf):
> 
> "LoadModule status_module modules/mod_status.so"
> 
> Is this something I have to do or should do? If so, then do I simply
> create a new line with the text
> LoadModule status_module modules/mod_status.so - presumably at the head of
> the list of LoadModule commands?
> 
> Thanks.


[users@httpd] Configuration Questions

Posted by David Blomstrom <Ge...@geobop.com>.
I've been rereading the instructions for configuring Apache for Windows at
http://httpd.apache.org/docs-2.0/platform/windows.html, but I'm still confused.

The first thing I want to get squared away is all the "root" commands. This 
is what's listed in my conf file:

ServerRoot "C:/Program Files/Apache Group/Apache2"
DocumentRoot "C:/Program Files/Apache Group/Apache2/htdocs"

My websites are stored on my C drive in a folder called sites - C:sites. 
Going back to square one, am I supposed to type some reference to C:sites 
in the conf folder, or do I just take care of that in Dreamweaver > Sites > 
Edit Site?

I'm also a little confused by this passage:

"Apache for Windows contains the ability to load modules at runtime, 
without recompiling the server. If Apache is compiled normally, it will 
install a number of optional modules in the \Apache2\modules directory. To 
activate these or other modules, the new LoadModule directive must be used. 
For example, to activate the status module, use the following (in addition 
to the status-activating directives in access.conf):

"LoadModule status_module modules/mod_status.so"

Is this something I have to do or should do? If so, then do I simply create 
a new line with the text
LoadModule status_module modules/mod_status.so - presumably at the head of 
the list of LoadModule commands?

Thanks.



Re: [users@httpd] Apache vs Apache2

Posted by Michael Zwicker <ma...@ns.sympatico.ca>.
I don't think you can rename the folder... or at least you can't in 
Unix. It messes stuff up... like apachectl.

David Blomstrom wrote:

> Another question... I read the following in some Dreamweaver 
> instructions:
>
> "Apache's configuration details are held in text files, which you can 
> edit with a standard Text Editor. The main configuration file is 
> called httpd.conf, and if you installed the Apache web server to it's 
> default location, the path to httpd.conf will be:
>
> "C:/Program Files/Apache Group/Apache/Conf/httpd.conf"
>
> On my computer, the path is
>
> C:/Program Files/Apache Group/Apache2/Conf/httpd.conf
>
> This presumably reflects the fact that I had two versions of Apache 
> installed - 1.3 and 2.0 - though I uninstalled both and deleted 
> remaining folders before reinstalling Apache 2.0. Is this a problem? 
> If so, can I fix it by simply going into Windows Explorer and 
> renaming Apache2 to Apache?
>
> When I type http://localhost:8080/ into a browser, I get the Apache 
> welcome page. I'm just trying to finish configuration so I can preview 
> my website pages in Apache.
>


[users@httpd] Apache vs Apache2

Posted by David Blomstrom <Ge...@geobop.com>.
Another question... I read the following in some Dreamweaver instructions:

"Apache's configuration details are held in text files, which you can edit 
with a standard Text Editor. The main configuration file is called 
httpd.conf, and if you installed the Apache web server to it's default 
location, the path to httpd.conf will be:

"C:/Program Files/Apache Group/Apache/Conf/httpd.conf"

On my computer, the path is

C:/Program Files/Apache Group/Apache2/Conf/httpd.conf

This presumably reflects the fact that I had two versions of Apache 
installed - 1.3 and 2.0 - though I uninstalled both and deleted remaining 
folders before reinstalling Apache 2.0. Is this a problem? If so, can I 
fix it by simply going into Windows Explorer and renaming Apache2 to Apache?

When I type http://localhost:8080/ into a browser, I get the Apache welcome 
page. I'm just trying to finish configuration so I can preview my website 
pages in Apache.



Re: [users@httpd] Secure Apache VirtualHost

Posted by Joshua Slive <jo...@slive.ca>.
On Mon, 21 Jul 2003 regenerate@hush.com wrote:
> Problem though -- apache runs as user 'httpd', which requires every site
> to have read-all access.  Even though every user on the system has a
> false shell set, so they can't ssh/telnet in, it means anybody who has
> a reasonably basic knowledge of php or perl can write a simple script
> to list and show files in other directories they have read access to
> - which are other people's sites!

This is a basic problem that all virtual-hosting companies must face.
There is no easy solution.  In general, giving scripting
(cgi/php/whatever) access to untrusted users is always going to be
dangerous.

Some things to consider:

- Ways to restrict scripts: php safemode, suexec or cgiwrap for cgi
scripts.

- Ways to isolate apache processes: run a separate instance of apache for
each host with a reverse proxy in front.

Joshua.

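The "separate instance of apache for each host with a reverse proxy in front" option from the reply above, worked through as an added example (it is not from the original message or from the Apache project): a shell script that prints a minimal httpd.conf for each site's private backend, running as that site's own Unix user on a loopback port, together with the matching front-end <VirtualHost> stanza that relays to it. Assumed here and not taken from the page: the /usr/local/apache2 ServerRoot, the site user names, loopback ports counted up from 8001, a logs/ directory beside each site's www/, and mod_proxy and mod_proxy_http loaded in the front-end instance. The directive names are standard Apache 2.0 directives; module-loading and MIME lines are omitted from the backend config for brevity.

```shell
#!/bin/sh
# Added example (not from the original thread): emit the configuration for
# the "one httpd per site behind a reverse proxy" layout the reply suggests.
# Assumptions (mine, not the page's): sites live in /home/hosting/<host>/www,
# each site has a Unix user and group of the same name, backends listen on
# loopback ports starting at 8001, and the front end has mod_proxy and
# mod_proxy_http loaded. Paths and ports are placeholders.

BACKEND_BASE_PORT=8001

# backend_port INDEX -> loopback port for the INDEX-th site (0-based)
backend_port() {
    echo $((BACKEND_BASE_PORT + $1))
}

# backend_conf HOSTNAME SITEUSER PORT
# Minimal httpd.conf for one site's private instance. It runs as the site's
# own user, so the document root can be mode 0750 (owner + group only) and a
# script on another site, running as a different user, cannot read it.
# LoadModule/TypesConfig lines are omitted; a real instance needs them.
backend_conf() {
    host=$1; user=$2; port=$3
    cat <<EOF
# Backend instance for $host (generated example)
ServerRoot "/usr/local/apache2"
Listen 127.0.0.1:$port
User $user
Group $user
PidFile /var/run/httpd-$user.pid
ErrorLog /home/hosting/$host/logs/error_log
CustomLog /home/hosting/$host/logs/access_log common
ServerName $host
DocumentRoot "/home/hosting/$host/www"
<Directory "/home/hosting/$host/www">
    Options None
    AllowOverride None
</Directory>
EOF
}

# frontend_vhost HOSTNAME PORT
# One <VirtualHost> stanza for the public-facing instance. It holds no site
# content and only relays requests to the loopback backend. ProxyRequests Off
# keeps it from acting as an open forward proxy.
frontend_vhost() {
    host=$1; port=$2
    cat <<EOF
<VirtualHost *:80>
    ServerName $host
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:$port/
    ProxyPassReverse / http://127.0.0.1:$port/
</VirtualHost>
EOF
}

# generate < SITELIST
# SITELIST lines: "<hostname> <siteuser>". Prints each site's backend config
# followed by its front-end stanza; the caller splits them into files.
generate() {
    i=0
    while read -r host user; do
        [ -n "$host" ] || continue
        port=$(backend_port "$i")
        backend_conf "$host" "$user" "$port"
        frontend_vhost "$host" "$port"
        i=$((i + 1))
    done
}

# Constructed sample input for a stand-alone run.
SAMPLE_SITES='www.site-a.example sitea
www.site-b.example siteb'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SITES" | generate
fi
```

Because each backend has its own User and Group directive, /home/hosting/<site>/www can be mode 0750, owned by the site's user and group, and still be served; a PHP or CGI script running inside site-a's backend runs as sitea and simply gets a permission error on site-b's tree. The backends must be started as root for User/Group to take effect, and the front-end instance needs no access to any site's files at all.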