[nycbug-talk] apache: securing each virtual host
Thu Feb 3 12:06:44 EST 2005
On Feb 3, 2005, at 14:41, Dan Casey wrote:
> ----- Original Message -----
> From: "Marc Spitzer" <mspitzer at gmail.com>
> To: "nycbug" <talk at lists.nycbug.org>
> Sent: Thursday, February 03, 2005 8:20 AM
> Subject: Re: [nycbug-talk] apache: securing each virtual host
>> On Thu, 3 Feb 2005 10:03:08 -0500, Dan Casey <dcasey at bestweb.net>
>>> I have posted this question on alt.apache.configuration and several
>>> as well.. Nobody seems to have an answer as to how this is done. I
>>> account on a webserver that is using ensim cp. Their server does
>>> what I
>>> trying to achieve.
>>> I know how to chroot apache, that's no problem.
>>> What I would like to do is lock each virtualhost to be able to see
>>> files only. The system that I have the account on was able to achieve
>>> using up about 20Mb per virtualhost.
>>> Example of why I am trying to achieve this.
>>> Say I have my web files in folders such as
>>> I would need to set the ServerRoot to /usr/local/virtual/
>>> The VirtualHost DocumentRoot's would be set to
>>> /usr/local/virtual/some-domain.com/www and so.
>>> A user executes a script in his browser.
>>> this script looks like so
>>> print "Content-Type: text/html\n\n";
>>> print `ls -la /`;
>>> the contents on their screen would be the output of
>>> ls -la /usr/local/virtual/
>>> thus listing all the domains available on the server.
>>> I need to set this up so that that same script would return the
>>> ls -la /usr/local/virtual/some-domain.com/
>>> which would appear something like this:
>> I think you are confusing your terms, from what I see you do not want
>> a virtual host. What you want is a jail, on FreeBSD, or a Xen virtual
>> machine, on NetBSD 2. You do not want a virtual host, that would only
>> contain the web server stuff (docroot, CGIs, etc.).
>> Now if you do want virtual server, not virtual hosts, what OS are you
>> planning on doing this on?
> FreeBSD 5.3
> Well, VirtualHost referring to the apache config.
> I want a jail-like setup. But not for apache as a whole.
> Apache will have several websites (NameBased VirtualHosts).
> Each User (1 perl website) will be able to their files only, in what
> appear to them as a server or filesystem.
> Now if it were just one site, a regular jail would be fine. But I want to
> keep each site separate.
> I don't seem to understand how to achieve this with running a separate
> for each site.
> Each jail would then need to run its own httpd.conf, and start its own
> By default apache opens 5 servers.
> say 50 websites / 50 jails * 5 servers = .... not an ideal situation :)
> I cannot imagine that this is the only way to achieve this effect.
You're asking for two mutually exclusive things: a single Apache
process can't live in 50 different jails at the same time.
There is probably a way to chroot before running a CGI, but that
doesn't help you isolate anything in-process like mod_php. To do that,
you actually do need to run an apache per user.
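
The chroot-before-CGI approach mentioned in the reply above, as an added example (not code from this thread or from Apache). The function names `jail_relative` and `exec_cgi_in_jail` are hypothetical; it assumes the wrapper is started as root, in the way suEXEC is, and that each site directory contains the interpreter and libraries its scripts need.

```c
#define _DEFAULT_SOURCE  /* glibc: expose chroot() and setgroups() */
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Map an absolute script path to its path inside the jail.
 * Returns 0 and fills `rel` (e.g. "/www/ls.cgi"), or -1 if the script is
 * not strictly below `jail` or its path contains a ".." component. */
int jail_relative(const char *jail, const char *script, char *rel, size_t n)
{
    size_t jl = strlen(jail);
    while (jl > 1 && jail[jl - 1] == '/') jl--;        /* ignore trailing slash */
    if (jail[0] != '/' || strncmp(jail, script, jl) != 0) return -1;
    if (script[jl] != '/' || script[jl + 1] == '\0') return -1; /* "/a/bc" is not under "/a/b" */
    for (const char *p = script + jl; *p; p++)
        if (p[0] == '/' && p[1] == '.' && p[2] == '.' && (p[3] == '/' || p[3] == '\0'))
            return -1;
    if (strlen(script + jl) >= n) return -1;           /* would not fit in rel */
    strcpy(rel, script + jl);
    return 0;
}

/* Confine the calling process to `jail`, drop to uid/gid, then exec the CGI.
 * Must start as root because chroot(2) requires it; returns -1 on failure. */
int exec_cgi_in_jail(const char *jail, const char *script, uid_t uid, gid_t gid)
{
    char rel[PATH_MAX];
    char *argv[] = { rel, NULL };
    if (uid == 0 || gid == 0) return -1;               /* never run a CGI as root */
    if (jail_relative(jail, script, rel, sizeof rel) != 0) return -1;
    if (chdir(jail) != 0 || chroot(".") != 0 || chdir("/") != 0) return -1;
    /* Drop privileges after chroot, in this order: groups, gid, uid. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    execv(rel, argv);   /* the CGI environment is inherited from the caller */
    return -1;          /* reached only if execv failed */
}

int main(int argc, char **argv)
{
    if (argc != 5) { fprintf(stderr, "usage: %s jail script uid gid\n", argv[0]); return 2; }
    exec_cgi_in_jail(argv[1], argv[2], (uid_t)atoi(argv[3]), (gid_t)atoi(argv[4]));
    fprintf(stderr, "refused or failed to run %s\n", argv[2]);
    return 1;
}
```

This confines only processes started through the wrapper; code that runs inside the httpd process, such as mod_php, is unaffected.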