09-30-2011, 01:22 AM
Trey Dockendorf

Running Apache sites as separate users

I had a recent request to improve security on my web servers by having each
website use a different user to run the hosting service. So
example1.com has its own Apache instance running as apache1 and then
example2.com has its own instance of Apache as apache2. Is this even
possible or realistic? I understand the idea of how that would be secure,
much like creating a virtual machine to segregate services. The only way I
can think how this is done is to chroot each website. What makes this
request even stranger is that each website will be managed by the same CMS
and code base. So with that being the case, I don't see how this is
possible. Any ideas or insight are very welcome.

Thanks
- Trey
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
09-30-2011, 01:31 AM
John R Pierce

Running Apache sites as separate users

On 09/29/11 6:22 PM, Trey Dockendorf wrote:
> I had a recent request to improve security on my web servers by having each
> website use a different user to run the hosting service. So
> example1.com has its own Apache instance running as apache1 and then
> example2.com has its own instance of Apache as apache2. Is this even
> possible or realistic? I understand the idea of how that would be secure,
> much like creating a virtual machine to segregate services. The only way I
> can think how this is done is to chroot each website. What makes this
> request even stranger is that each website will be managed by the same CMS
> and code base. So with that being the case, I don't see how this is
> possible. Any ideas or insight are very welcome.

afaik, it's only possible to use multiple instances of apache if you have
multiple IP addresses, each one bound to a different address, or use
different ports for each site (which would require specifying the port
as part of the URL)

I'd strongly question the rationale behind this request. sounds like
half-thinking to me.



--
john r pierce N 37, W 122
santa cruz ca mid-left coast

09-30-2011, 01:48 AM
Dennis Jacobfeuerborn

Running Apache sites as separate users

On 09/30/2011 03:31 AM, John R Pierce wrote:
> On 09/29/11 6:22 PM, Trey Dockendorf wrote:
>> I had a recent request to improve security on my web servers by having each
>> website use a different user to run the hosting service. So
>> example1.com has its own Apache instance running as apache1 and then
>> example2.com has its own instance of Apache as apache2. Is this even
>> possible or realistic? I understand the idea of how that would be secure,
>> much like creating a virtual machine to segregate services. The only way I
>> can think how this is done is to chroot each website. What makes this
>> request even stranger is that each website will be managed by the same CMS
>> and code base. So with that being the case, I don't see how this is
>> possible. Any ideas or insight are very welcome.
>
> afaik, it's only possible to use multiple instances of apache if you have
> multiple IP addresses, each one bound to a different address, or use
> different ports for each site (which would require specifying the port
> as part of the URL)
>
> I'd strongly question the rationale behind this request. sounds like
> half-thinking to me.

I wonder if SELinux/sVirt can be used for something like this. sVirt was
created to isolate running virtual machine instances from one another.
Something similar should be possible for virtual hosts at least in theory.

Regards,
Dennis
09-30-2011, 02:35 AM
Lucian

Running Apache sites as separate users

On Fri, Sep 30, 2011 at 2:22 AM, Trey Dockendorf <treydock@gmail.com> wrote:
> I had a recent request to improve security on my web servers by having each
> website use a different user to run the hosting service. So
> example1.com has its own Apache instance running as apache1 and then
> example2.com has its own instance of Apache as apache2. Is this even
> possible or realistic? I understand the idea of how that would be secure,
> much like creating a virtual machine to segregate services. The only way I
> can think how this is done is to chroot each website. What makes this
> request even stranger is that each website will be managed by the same CMS
> and code base. So with that being the case, I don't see how this is
> possible. Any ideas or insight are very welcome.

Is there a specific requirement to run different http servers? Because
if there is not then you can just use Suexec+fastcgi.
Otherwise, just use Apache to proxy stuff to backend servers (can be
anything from apache to nginx).

HTH
09-30-2011, 09:47 AM
Hakan Koseoglu

Running Apache sites as separate users

On 30 September 2011 02:22, Trey Dockendorf <treydock@gmail.com> wrote:
> I had a recent request to improve security on my web servers by having each
> website use a different user to run the hosting service. So
> example1.com has its own Apache instance running as apache1 and then
> example2.com has its own instance of Apache as apache2. Is this even
> possible or realistic? I understand the idea of how that would be secure,
Easily doable with another instance of Apache acting as the proxy.
This Apache can be yet another "can't do anything"-style locked-down
instance which only proxies virtual hosts to separate Apache
instances.

You can set up as many Apaches running on separate internal ports
(i.e. 127.0.0.1:8881, 127.0.0.1:8882, etc.) and then use ProxyPass to
forward virtual servers. I use a similar setup at home where
locked-down virtual machines run all by themselves and the
front-facing Apache simply matches the VirtualHost name and passes it
down. The only thing I can't do is using a separate certificate for
HTTPS for every one of them.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
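
The layout described in the post above, written out as an added configuration sketch (not part of the original thread): one front-end Apache matches the virtual host name and proxies to two loopback-only instances that run as apache1 and apache2. The ports and user names come from the thread; the file paths, document roots and log locations are assumptions.

```apache
# ---- Front end: hypothetical /etc/httpd/conf/httpd.conf (excerpt) ----
# The only instance reachable from the network. It serves no content of its
# own; mod_proxy and mod_proxy_http must be loaded.
Listen 80
# NameVirtualHost is required on Apache 2.2 and obsolete on 2.4.
NameVirtualHost *:80
# Reverse proxy only: never act as an open forward proxy.
ProxyRequests Off

<VirtualHost *:80>
    ServerName example1.com
    # Pass the original Host header so the backend CMS sees its own name.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8881/
    ProxyPassReverse / http://127.0.0.1:8881/
</VirtualHost>

<VirtualHost *:80>
    ServerName example2.com
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8882/
    ProxyPassReverse / http://127.0.0.1:8882/
</VirtualHost>

# ---- Backend 1: hypothetical /etc/httpd-example1/httpd.conf (excerpt) ----
# Started separately, e.g. httpd -f /etc/httpd-example1/httpd.conf
# Loopback only, so the site cannot be reached around the front end.
Listen 127.0.0.1:8881
# Dedicated unprivileged account; it should own nothing under example2.
User  apache1
Group apache1
ServerName   example1.com
DocumentRoot /srv/www/example1
# Per-instance runtime files so the instances never share state.
PidFile  /var/run/httpd-example1.pid
ErrorLog /var/log/httpd-example1/error_log

# ---- Backend 2: hypothetical /etc/httpd-example2/httpd.conf (excerpt) ----
Listen 127.0.0.1:8882
User  apache2
Group apache2
ServerName   example2.com
DocumentRoot /srv/www/example2
PidFile  /var/run/httpd-example2.pid
ErrorLog /var/log/httpd-example2/error_log
```

The separation only holds if file permissions follow it: each document root should be readable by its own account and not by the other, and each backend must be started as root so that the User and Group directives can take effect.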
 
09-30-2011, 10:47 AM
Craig White

Running Apache sites as separate users

On Fri, 2011-09-30 at 10:47 +0100, Hakan Koseoglu wrote:
> On 30 September 2011 02:22, Trey Dockendorf <treydock@gmail.com> wrote:
> > I had a recent request to improve security on my web servers by having each
> > website use a different user to run the hosting service. So
> > example1.com has its own Apache instance running as apache1 and then
> > example2.com has its own instance of Apache as apache2. Is this even
> > possible or realistic? I understand the idea of how that would be secure,
> Easily doable with another instance of Apache acting as the proxy.
> This Apache can be yet another "can't do anything"-style locked-down
> instance which only proxies virtual hosts to separate Apache
> instances.
----
absolutely
----
> You can set up as many Apaches running on separate internal ports
> (i.e. 127.0.0.1:8881, 127.0.0.1:8882, etc.) and then use ProxyPass to
> forward virtual servers. I use a similar setup at home where
> locked-down virtual machines run all by themselves and the
> front-facing Apache simply matches the VirtualHost name and passes it
> down.
----
absolutely
----
> The only thing I can't do is using a separate certificate for
> HTTPS for every one of them.
----
probably not with CentOS 5.x - possibly with CentOS 6.x but I haven't
installed it to check.

I know with Ubuntu 10.04 LTS, I have no problem whatsoever with SSL
virtual hosts and different certificates on the same IP but that does
rely upon users only using SNI compliant web browsers. Not the sort of
thing I would do for a commercial site but I do this for internal and/or
employee only web sites. The thing to note is that all the current web
browsers are SNI compliant/capable and anyone using an old web browser
at this point has some serious security issues. Just about all the web
browsers < 2 years old are SNI capable.

Craig


09-30-2011, 02:15 PM
Jerry McAllister

Running Apache sites as separate users

On Thu, Sep 29, 2011 at 08:22:59PM -0500, Trey Dockendorf wrote:

> I had a recent request to improve security on my web servers by having each
> website use a different user to run the hosting service. So
> example1.com has its own Apache instance running as apache1 and then
> example2.com has its own instance of Apache as apache2. Is this even
> possible or realistic? I understand the idea of how that would be secure,
> much like creating a virtual machine to segregate services. The only way I
> can think how this is done is to chroot each website. What makes this
> request even stranger is that each website will be managed by the same CMS
> and code base. So with that being the case, I don't see how this is
> possible. Any ideas or insight are very welcome.

Used to do that a lot on FreeBSD. It was just a virtual host.
We used separate IPs for each virtual host, but there are ways
to do it with name based virtual hosts. I think name based VH
didn't work with https though.

I don't know if CentOS can do it though.

////jerry

>
> Thanks
> - Trey

09-30-2011, 03:06 PM

Running Apache sites as separate users

Jerry McAllister wrote:
> On Thu, Sep 29, 2011 at 08:22:59PM -0500, Trey Dockendorf wrote:
>
>> I had a recent request to improve security on my web servers by having
>> each website use a different user to run the hosting service. So
>> example1.com has its own Apache instance running as apache1 and then
>> example2.com has its own instance of Apache as apache2. Is this even
>> possible or realistic? I understand the idea of how that would be
>> secure, much like creating a virtual machine to segregate services.
>> The only way I can think how this is done is to chroot each website.
>> What makes this request even stranger is that each website will be
>> managed by the same CMS and code base. So with that being the case,
>> I don't see how this is possible. Any ideas or insight are very welcome.
>
> Used to do that a lot on FreeBSD. It was just a virtual host.
> We used separate IPs for each virtual host, but there are ways
> to do it with name based virtual hosts. I think name based VH
> didn't work with https though.

I think Trey needs to push back - *IF* I understand him correctly, it
sounds like duplicate websites, but running as different users. That, to
me, literally makes no sense...mmmm, unless a) the source of the request
doesn't understand what he wants, or b) there's something illegal going
on, and users going to a different site have different things happening,
based on data/database content.

Clarifications would be helpful.

mark

09-30-2011, 03:21 PM
Les Mikesell

Running Apache sites as separate users

On Fri, Sep 30, 2011 at 10:06 AM, <m.roth@5-cent.us> wrote:
>>
>>> I had a recent request to improve security on my web servers by having
>>> each website use a different user to run the hosting service. So
>>> example1.com has its own Apache instance running as apache1 and then
>>> example2.com has its own instance of Apache as apache2. Is this even
>>> possible or realistic? I understand the idea of how that would be
>>> secure, much like creating a virtual machine to segregate services.
>>> The only way I can think how this is done is to chroot each website.
>>> What makes this request even stranger is that each website will be
>>> managed by the same CMS and code base. So with that being the case,
>>> I don't see how this is possible. Any ideas or insight are very welcome.
>>
>> Used to do that a lot on FreeBSD. It was just a virtual host.
>> We used separate IPs for each virtual host, but there are ways
>> to do it with name based virtual hosts. I think name based VH
>> didn't work with https though.
>
> I think Trey needs to push back - *IF* I understand him correctly, it
> sounds like duplicate websites, but running as different users. That, to
> me, literally makes no sense...mmmm, unless a) the source of the request
> doesn't understand what he wants, or b) there's something illegal going
> on, and users going to a different site have different things happening,
> based on data/database content.
>
> Clarifications would be helpful.

Yes, a real 'user' oriented concept could use the public_html
directory out of their home directory. But since a CMS is mentioned,
the data may in fact all live in a database with the link controlling
permissions based on the web server's configuration where the db
login/password is set up. So besides the reverse proxy to multiple
web servers it might also need multiple databases set up, each with a
different name and credentials.

--
Les Mikesell
lesmikesell@gmail.com
09-30-2011, 03:58 PM
Drew

Running Apache sites as separate users

> I think Trey needs to push back - *IF* I understand him correctly, it
> sounds like duplicate websites, but running as different users. That, to
> me, literally makes no sense...mmmm, unless a) the source of the request
> doesn't understand what he wants, or b) there's something illegal going
> on, and users going to a different site have different things happening,
> based on data/database content.

The way I interpreted it he wants it set up so that each domain
(example1.com, example2.com, etc.) runs its own Apache server
under an unprivileged login (apache1, apache2, etc.). Chroots should
accomplish that easily enough. He then wants to use the same CMS
(Joomla, Wordpress, etc.) on each site. My assumption is he's hosting
several CMS sites and wants each isolated so a compromise of one
won't compromise the others.

What is confusing is what he means by 'codebase?' Does he want each
chroot to have its own independent copy? Or does he want to share the
CMS core files across all instances?


--
Drew