Re: advice request for shared hosting and security issue
On 06/24/2013 07:12 PM, Oğuz Yarımtepe wrote:
> If there is a howto for a sample vhost, it would be great.
Here's an example vhost:

<VirtualHost 1.2.3.4:80>
    ServerName www.example.com
    DocumentRoot /var/www/example.com/subdomains.aufs/www/html
    ScriptAlias /cgi-bin /usr/lib/cgi-bin
    php_admin_flag engine off
    AddHandler php-cgi-wrapper .php
    Action php-cgi-wrapper /cgi-bin/sbox
    AddHandler python-cgi-wrapper .py
    Action python-cgi-wrapper /cgi-bin/sbox
    AddHandler ruby-cgi-wrapper .rb
    Action ruby-cgi-wrapper /cgi-bin/sbox
    AddHandler ruby-cgi-wrapper .pl
    Action ruby-cgi-wrapper /cgi-bin/sbox
    ErrorDocument 404 /sbox404/404.php
    ErrorDocument 400 /sbox404/406.php
    ErrorDocument 406 /sbox404/406.php
    ErrorDocument 500 /sbox404/406.php
    ErrorDocument 501 /sbox404/406.php
    Options +ExecCGI
</VirtualHost>

As you can see, mod_php is completely disabled (since it is going to use
the CGI version inside the vhost chroot).
Then you would mount /var/www/example.com/subdomains.aufs/www this way:

mount -t aufs -o \
    br:/var/www/sites/example.com/subdomains/www=rw:/path/to/your/template=ro \
    none /var/www/sites/example.com/subdomains.aufs/www

You can see how to populate the template over here:
http://git.gplhost.com/gitweb/?p=dtc.git;a=blob;f=admin/create_sbox_bootstrap_copy;h=be51f47c40180079dde1f842f36d3f315e24bd2e;hb=3a2f4c82259e986aac4ed6b91088b5d6c321a72d
and here:
http://git.gplhost.com/gitweb/?p=dtc.git;a=blob;f=admin/update_sbox_bootstrap_copy;h=1e02fb47fc64d802b82956021fac6d8d600c9af5;hb=3a2f4c82259e986aac4ed6b91088b5d6c321a72d
My patch for Apache (for the AllowOverrideList support in Apache 2.2) is
available over here:
http://archive.gplhost.com/debian/pool/squeeze/main/a/apache2/
Note that it should be possible to use SBOX together with php-fpm, but I
haven't tried. Also, only php, perl, python and ruby scripts will be
executed by the wrapper, other types of content (image, html, css, etc.)
will use Apache normally, which is great for performance.
Cheers,
Thomas Goirand (zigo)
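
Added example (not part of the message above and not code from DTC or SBOX): a small Python check that a vhost still follows the pattern shown in the post, with mod_php forced off and .php, .py, .rb and .pl all routed to /cgi-bin/sbox. The function name audit_vhost and both sample vhosts are constructed for illustration.

```python
WRAPPER = "/cgi-bin/sbox"                    # wrapper URL used in the post's vhost
SCRIPT_EXTS = (".php", ".py", ".rb", ".pl")  # script types the post routes to it

def audit_vhost(conf_text):
    """Return findings for one vhost body; an empty list means it matches the pattern."""
    handlers, actions, engine_off = {}, {}, False
    for raw in conf_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive == "addhandler" and len(args) >= 2:
            for ext in args[1:]:                       # AddHandler name ext [ext ...]
                handlers["." + ext.lstrip(".").lower()] = args[0].lower()
        elif directive == "action" and len(args) >= 2:
            actions[args[0].lower()] = args[1]         # Action name cgi-url
        elif directive == "php_admin_flag" and len(args) >= 2 and args[0].lower() == "engine":
            engine_off = args[1].lower() == "off"
    findings = []
    if not engine_off:
        findings.append("mod_php engine is not forced off")
    for ext in SCRIPT_EXTS:
        # A handler with no Action, or an Action pointing elsewhere, bypasses the wrapper.
        target = actions.get(handlers.get(ext))
        if target != WRAPPER:
            findings.append(f"{ext} is not routed through {WRAPPER} (Action target: {target})")
    return findings

# Constructed sample inputs: the first mirrors the post's vhost, the second has drifted.
GOOD_VHOST = """
php_admin_flag engine off
AddHandler php-cgi-wrapper .php
Action php-cgi-wrapper /cgi-bin/sbox
AddHandler python-cgi-wrapper .py
Action python-cgi-wrapper /cgi-bin/sbox
AddHandler ruby-cgi-wrapper .rb .pl
Action ruby-cgi-wrapper /cgi-bin/sbox
"""
DRIFTED_VHOST = """
AddHandler php-cgi-wrapper .php
Action php-cgi-wrapper /cgi-bin/sbox
AddHandler cgi-script .py
AddHandler ruby-cgi-wrapper .rb .pl
Action ruby-cgi-wrapper /cgi-bin/sbox
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_VHOST), ("drifted", DRIFTED_VHOST)):
        print(name, audit_vhost(conf) or "OK")
```

Run it against each generated vhost body after a template change; any finding means a script type would execute outside the chroot wrapper.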