also sprach Daniel Stone (on Tue, 02 Oct 2001 08:10:38PM +1000):
> I think that a symlink from /var to /home is bad. Maybe if we stored it
> under /home/www-data or such.

that's one possibility, although i am more in favor of uniting sites into single directory hierarchies. what's the big point of having documents in /var/www and below, but cgi's in /usr/lib/apache/cgi-bin? and manuals in /usr/share..., and logs in /var/log/apache? i understand, there is the FHS, but a virtual site is a virtual site, in fact, any website is its own site and doesn't really have anything to do with the host server except for a small number of cases.

i think that /home/www-data or /home/apache is a reasonable idea, but somehow you need to fuse allowing users to edit their own pages, and protecting the apache installation against fuckups - because a single user who moves the directory corresponding to the webpage will make apache fail to start the next time.

instead, i propose the following:

any apache configuration only serves virtual sites, where the primary site (the actual server site) is the first, which means the default if no Host HTTP Request Header is transmitted. virtual hosts relying on Host headers bind to 0.0.0.0:80 only, IP virtuals bind to that IP.

for every virtual site defined in apache's config (which i am currently reworking), there is one equinomial[1] directory under /home/apache/sites (chmod 2711, chown root.staff). e.g.: /home/apache/sites/pantsfullofunix.net and /home/apache/sites/debianplanet.org. permissions are then set according to who is administering the site, although i propose having an equinomial group for every site anyway, and 2775 permissions recursively.

now, you can symlink out of a home directory, i.e. from ~madduck/web/pantsfullofunix.net to /home/apache/sites/pantsfullofunix.net. this pretty much ensures that when /home is up, apache will serve whatever is in these directories.

furthermore, one could create /home/apache/common/{img,scripts,cgi-bin,whatever}, which could be (script-)aliased as /cgi-pub, scripts-pub, /img-pub, /whatever-pub server wide, and could contain common CGIs like counters or guestbooks and whatever kind of junk the people want.

in addition, every /home/apache/sites/* directory has its own cgi-bin, iff the owner so desires and the hostmaster allows it. this gives separate custom cgi control over each site while not limiting the cgi-pub access. very much the same approach can be taken with scripts, and even PHP capabilities and other stuff. all i am saying is: <VirtualHost> is your friend!!! and you can use it the same way with no negative consequences if you are only serving one site.

lastly, i propose (even though i have not been able to implement this), to give every single site directory a 0750 root.site subdirectory "log", in which the error and access logs for that site are placed. this much works for my server, but what i also want is one centralized logfile for all in /var/log/apache. this allows users access to their logs, it keeps /var/log/apache and files clean, and it's a perfect way to handle multiple sites, especially because apache's cron.daily knows how to rotate any logfile no matter where it is, and because such a convention allows script access to logs via /home/apache/sites/*/log. here i propose that the directory is owned by root and grouped to the site group so that the webmasters have read-access to their logs, but no one else, which is all that you ever need.

now, with this setup, which i have implemented on two productive servers so far, administration is bloody simple, and it makes sense! a virtual website does not have to melt in with the server FHS, it *could* have its own FHS instantiation, but there is no need or point to log to /var/log (other than collectively), to serve from /var/www, or to execute CGIs from /usr/lib.

lastly, to help other debian packages (like webalizer and others) to switch to a new convention, /var/www could very well be a symlink to /home/apache/sites/`hostname`.mydomain.com

[1] no, this isn't a word. but it should be. you get the idea...

> I think that it should remain that way, but hey, this is my main server:
> daniel@piro:~% ls -l /var
> lrwxrwxrwx 1 root root 9 Jul 4 09:48 /var ->
> /home/var

uhm, daniel, are you, uhm, okay? WHY?

martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
--
perl -le '$_="6110>374086;2064208213:90<307;55"; \
tr[0->][ LEOR\!AUBGNSTY];print'
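
The layout proposed in the message above, as an added example that is not part of the original post: a POSIX shell sketch that provisions one site directory with the stated modes (2711 on the sites root, 2775 on the site tree, 0750 on its log directory) and audits an existing site against them. The function names, `SITES_ROOT` and `APPLY_OWNERS` are assumptions of this example; ownership changes are opt-in because they need root and pre-existing groups.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and modes are the post's;
# the function names, SITES_ROOT and APPLY_OWNERS are this example's own.
SITES_ROOT="${SITES_ROOT:-/home/apache/sites}"

mode_of() { stat -c '%a' "$1"; }    # assumes GNU stat (Linux)

# provision_site SITE [GROUP]   (GROUP defaults to the site name)
provision_site() {
    site="$1"; group="${2:-$1}"
    case "$site" in
        ''|.*|*/*) echo "bad site name: $site" >&2; return 2 ;;
    esac
    dir="$SITES_ROOT/$site"
    mkdir -p "$SITES_ROOT" "$dir/log" || return 1
    # Ownership first, modes second: chown may clear the setgid bit.
    if [ "${APPLY_OWNERS:-0}" = 1 ]; then   # needs root and existing groups
        chown root:staff "$SITES_ROOT" || return 1
        chgrp -R "$group" "$dir" || return 1
        chown "root:$group" "$dir/log" || return 1
    fi
    chmod 2711 "$SITES_ROOT" || return 1
    # 2775 on directories only (this example's reading of "recursively"):
    # setgid keeps new files in the site group; log/ is handled separately.
    find "$dir" -path "$dir/log" -prune -o -type d -exec chmod 2775 {} + \
        || return 1
    chmod 0750 "$dir/log"               # root writes, site group reads
}

# audit_site SITE: print each deviation, return 0 only if the layout matches.
audit_site() {
    dir="$SITES_ROOT/$1"; bad=0
    # The real directory lives here; only the user's home holds a symlink.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir: not a real directory"; return 1
    fi
    [ "$(mode_of "$SITES_ROOT")" = 2711 ] || { echo "$SITES_ROOT: want 2711"; bad=1; }
    [ "$(mode_of "$dir")" = 2775 ] || { echo "$dir: want 2775"; bad=1; }
    [ "$(mode_of "$dir/log")" = 750 ] || { echo "$dir/log: want 0750"; bad=1; }
    return "$bad"
}

# Usage: SITES_ROOT=/tmp/sites sh layout.sh pantsfullofunix.net
if [ "$#" -ge 1 ]; then
    provision_site "$@" && audit_site "$1"
fi
```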