[nycbug-talk] apache: securing each virtural host

[pete wright]

> Sorry bout the top-posting.
>
heh....np
>
> ..I think im sadly coming to think that I really do need to run a 
> seperate
> jail with its own apache server running in it.
> i can see this becoming an absolute mess to manage..
> i wouldn't want to even think about upgrading a kernel...
>

fortunately you don't have to worry about upgrading the kernel/world 
too much if you are tracking -STABLE, and frankly I don't think you'd 
want to be messing with building world/kernel's on production boxen 
anyway....

personally I think that running a jail for each account will be less of 
an administrative issue in the long run.  sure there might be some more 
upfront coding involved to get things setup, but you have isolated each 
user which makes things easier to monitor and administrate.

let's say you have 20 users now, and in a year you have 60 users on 
that same box and things are getting slow.  if each user has their own 
jail it's just a simple matter of tar'ing their $HOME...moving it to 
the new host and untar'ing the site.  you've actually built a pretty 
scalable system from the get go.  and that's not even taking into 
account the added security of such a system....

i've actually started kicking this same concept around for managing 
application server farms, but that's another issue all together ;)

-p

~o0OO0o~
Pete Wright
pete at nomadlogic.org
www.nomadlogic.org
freenode.net: nomadlogic_