[nycbug-talk] apache: securing each virtual host
Thu Feb 3 13:33:17 EST 2005
> Sorry about the top-posting.
> ..I think I'm sadly coming to think that I really do need to run a
> jail with its own apache server running in it.
> i can see this becoming an absolute mess to manage..
> i wouldn't want to even think about upgrading a kernel...

fortunately you don't have to worry about upgrading the kernel/world
too much if you are tracking -STABLE, and frankly I don't think you'd
want to be messing with building world/kernels on production boxen.

personally I think that running a jail for each account will be less of
an administrative issue in the long run. sure there might be some more
upfront coding involved to get things set up, but you have isolated each
user which makes things easier to monitor and administrate.

let's say you have 20 users now, and in a year you have 60 users on
that same box and things are getting slow. if each user has their own
jail it's just a simple matter of tar'ing their $HOME...moving it to
the new host and untar'ing the site. you've actually built a pretty
scalable system from the get go. and that's not even taking into
account the added security of such a system....

i've actually started kicking this same concept around for managing
application server farms, but that's another issue altogether ;)

pete at nomadlogic.org