[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: advice request for shared hosting and security issue

On 06/24/2013 07:12 PM, Oğuz Yarımtepe wrote:
> If there is an howto for a sample vhost, it would be great.

Here's an example vhost:

        ServerName www.example.com
        DocumentRoot /var/www/example.com/subdomains.aufs/www/html
        ScriptAlias /cgi-bin /usr/lib/cgi-bin
        php_admin_flag engine off
        AddHandler php-cgi-wrapper .php
        Action php-cgi-wrapper /cgi-bin/sbox
        AddHandler python-cgi-wrapper .py
        Action python-cgi-wrapper /cgi-bin/sbox
        AddHandler ruby-cgi-wrapper .rb
        Action ruby-cgi-wrapper /cgi-bin/sbox
        AddHandler ruby-cgi-wrapper .pl
        Action ruby-cgi-wrapper /cgi-bin/sbox
        ErrorDocument 404 /sbox404/404.php
        ErrorDocument 400 /sbox404/406.php
        ErrorDocument 406 /sbox404/406.php
        ErrorDocument 500 /sbox404/406.php
        ErrorDocument 501 /sbox404/406.php
        Options +ExecCGI

As you can see, mod_php is completely disabled (since it is going to use
the CGI version inside the vhost chroot).

Then you would mount /var/www/example.com/subdomains.aufs/www this way:

mount -t aufs -o \
br:/var/www/sites/example.com/subdomains/www=rw:/path/to/your/template=ro \
none /var/www/sites/example.com/subdomains.aufs/www

You can see how to populate the template over here:

and here:

My patch for apache (for the AllowOverrideList support in Apache 2.2) is
available over here:

Note that it should be possible to use SBOX together with php-fpm, but I
haven't tried. Also, only php, perl, python and ruby scripts will be
executed by the wrapper, other types of content (image, html, css, etc.)
will use Apache normally, which is great for performances.


Thomas Goirand (zigo)

Reply to: