Re: virtual hosting in apache and file locations

[Daniel Stone <daniel@sfarc.net>]

On Tue, Oct 02, 2001 at 12:43:43PM +0200, martin f krafft wrote:
> also sprach Daniel Stone (on Tue, 02 Oct 2001 08:10:38PM +1000):
> > I think that a symlink from /var to /home is bad. Maybe if we stored it
> > under /home/www-data or such.
> 
> that's one possibility, although i am more in favor of uniting sites
> into single directory hierarchies. what's the big point of having
> documents in /var/www and below, but cgi's in /usr/lib/apache/cgi-bin?
> and manuals in /usr/share..., and logs in /var/log/apache?

Single directory would be nice, but I'm willing to bet that FHS has
dictated these braindead locations.

> i understand, there is the FHS, but a virtual site is a virtual site,
> in fact, any website is it's own site and doesn't really have anything
> to do with the host server except for a small number of cases.
> 
> i think that /home/www-data or /home/apache is a reasonable idea, but
> somehow you need to fuse allowing users to edit their own pages, and
> protecting the apache installation against fuckups - because a single
> user who moves the directory corresponding to the webpage will make
> apache fail to start the next time.

IMHO, /home/apache is out, because you then run into trouble adding a
user called "apache". If it's going to be in /home (and I'm still gunning
for /var/www, although slightly different, see below), it must be
/home/www-data. Anything else would impede creation of users.

> instead, i propose the following: any apache configuration only serves
> virtual sites, where the primary site (the actual server site) is the
> first, which means the default if no Host HTTP Request Header is
> transmitted. virtual hosts relying on Host headers bind to 0.0.0.0:80
> only, IP virtuals bind to that IP.

Yeah, this is what I suggested. If I had just worded it normally, as
opposed to somewhat of a full-on policy statement, this would've been
more clear. Sorry.

(I'm pretty clear on how apache(2) handles virtual hosts, etc, BTW).

> for every virtual site defined in apache's config (which i am
> currently reworking), there is one equinomial[1] directory under
> /home/apache/sites (chmod 2711, chown root.staff). e.g.:
> /home/apache/sites/pantsfullofunix.net and
> /home/apache/sites/debianplanet.org. permissions are then set
> according to who is administering the site, although i propose having
> an equinomial group for every site anyway, and 2775 permissions
> recursively . now, you can symlink out of a home directory, i.e. from
> ~madduck/web/pantsfullofunix.net to
> /home/apache/sites/pantsfullofunix.net.

Sounds pretty good to me. I would, however, have the setup as follows:
/var/www - container. anything here should be moved to default/htdocs
/var/www/default - symlink to the default vhost
/var/www/site.name/htdocs - web root for site.name (e.g.
			    debianplanet.org)
/var/www/site.name/logs - logs for site.name
/var/www/site.name/cgi-bin - cgi stuff for site.name

No disagreements with the permissions, and /var/www/site.name can be a
symlink if you want to (I currently have this exact setup running on a
few production servers myself).

> this pretty much ensures that when /home is up, apache will serve
> whatever is in these directories.
> 
> furthermore, one could create
> /home/apache/common/{img,scripts,cgi-bin,whatever}, which could be
> (script-)aliased as /cgi-pub, scripts-pub, /img-pub, /whatever-pub
> server wide, and could contain common CGIs like counters or guestbooks
> and whatever kind of junk the people want.

This is a very good idea - /var/www/common, tho?

> in addition, every /home/apache/sites/* directory has it's own
> cgi-bin, iff the owner so desires and the hostmaster allows it. this
> gives separate custom cgi control over each site while not limiting
> the cgi-pub access. very much the same approach can be taken with
> scripts, and even PHP capabilities and other stuff. all i am saying
> is: <VirtualHost> is your friend!!! and you can use it the same way
> with no negative consequences if you are only serving one site.

Yeah, that's what I was proposing with
/usr/lib/cgi-bin/(default|site.name).

Virtual hosts are good. This should also allow us to nicely skirt around
FHS; AFAIK FHS makes no provision for virtual hosts. If we reintrepret
apache to having only virtual hosts, with one default host, then we can
say "aha, stuff FHS, we have virtual hosts. thpthpthpthpt".

> lastly, i propose (even though i have not been able to implement
> this), to give every single site directory a 0750 root.site
> subdirectory "log", in which the error and access logs for that site
> are placed. this much works for my server, but what i also want is one
> centralized logfile for all in /var/log/apache. this allows users
> access to their logs, it keeps /var/log/apache and files clean, and
> it's a perfect way to handle multiple sites, especially because
> apache's cron.daily knows how to rotate any logfile no matter where it
> is, and because such a convention allows script access to logs via
> /home/apache/sites/*/log. here i propose that the directory is owned
> by root and grouped to the site group so that the webmasters have
> read-access to their logs, but noone else, which is all that you ever
> need.

Yeah, I agree. I've implemented this, but with a slight change (I'm
running on *gack* RedHat in production, hope to change that soon):
/usr/local/apache/logs/site.name/(access|error).log: admin's copy of
site.name's logs, for posterity, stats, etc
/usr/local/apache/sites/site.name/logs/(access|error).log: user's copy

This also allows admins and users to take a different approach with log
rotation, and it also prevents shifty users doing anything dodgy :)

> now, with this setup, which i have implemented on two productive
> servers so far, administration is bloody simple, and it makes sense! a
> virtual website does not have to melt in with the server FHS, it
> *could* have it's own FHS instantiation, but there is no need or point
> to log to /var/log (other than collectively), to serve from /var/www,
> or to execute CGIs from /usr/lib.

Yeah :)

> lastly, to help other debian packages (like webalizer and others) to
> switch to a new convention, /var/www could very well be a symlink to
> /home/apache/sites/`hostname`.mydomain.com

That's more or less what I proposed with /var/www/default - it would be
a symlink to the default vhost.

> [1] no, this isn't a word. but it should be. you get the idea...

It's a damn cool word. I second its introduction to the English
language.

> > I think that it should remain that way, but hey, this is my main server:
> > daniel@piro:~% ls -l /var
> > lrwxrwxrwx    1 root     root            9 Jul  4 09:48 /var ->
> > /home/var
> 
> uhm, daniel, are you, uhm, okay?
> WHY?

daniel@piro:~% df -m
Filesystem           1M-blocks      Used Available Use% Mounted on
/dev/ide/host0/bus1/target0/lun0/part1
                          2496      1391      1105  56% /
/dev/ide/host0/bus0/target0/lun0/part1
                           191        67       124  35% /boot
/dev/ide/host0/bus1/target0/lun0/part3
                          4282      3463       818  81% /home
/dev/scsi/host0/bus0/target1/lun0/part1
                          2043      1243       800  61% /usr/local
/dev/ide/host0/bus0/target0/lun0/part2
                          1354         1      1353   1% /stable

Hmm, I've got a big, fat /stable sitting unused. I really should
use that up someday - when I made /var a symlink to /home/var, I
had a /stable chroot full of potato stuff.

:) d

(PS: Come on IRC. DanielS, OPN, #debian-devel).

-- 
Daniel Stone						    <daniel@sfarc.net>
<erno> hm. I've lost a machine.. literally _lost_. it responds to ping, it
works completely, I just can't figure out where in my apartment it is.

Attachment: pgptSafdpacpp.pgp
Description: PGP signature