RE: SuEXEC and CGI to two VirtualHosts
On Fri, 3 Jan 2003, Michael Olds wrote:
> <VirtualHost ~>
> ServerName name.of.host
> DocumentRoot "/www/user2/public_html"
> User name2 (a test name belonging to no other group than name2 Group,
> with no special privileges at all)
> Group name2
> ScriptAlias /cgi-bin-2/ "/www/user2/public_html/cgi-bin-2"
> <Directory "/www/user2/pulic_html/cgi-bin-2"
> AllowOverride None
> Order allow,deny
> Allow from all
> Options ExecCGI
> </Directory>
> </VirtualHost>
Well, I'm not sure you can do exactly what you want. I'll explain in the
virtual host section below.
SuEXEC has compiled in directories where it is allowed to run.
I just did apt-get install apache, then:
$ strings /usr/lib/apache/suexec | egrep '(public|var)'
/var/log/apache/suexec.log
/var/www
public_html
Ok, so I'll bet that's public_html for UserDir directories, and otherwise
/var/www. So I'll create a virtual host using SuEXEC in /var/www/mydocs
So I created a few files:
bumby:/var/www# ls -lR
.:
total 8
-rw-r--r-- 1 root root 4110 Aug 12 21:31 index.html
drwxr-xr-x 3 moseley moseley 37 Jan 3 19:15 mydocs
./mydocs:
total 4
drwxr-xr-x 2 moseley moseley 23 Jan 3 19:43 cgi-bin
-rw-r--r-- 1 moseley moseley 77 Jan 3 19:15 index.html
./mydocs/cgi-bin:
total 4
-rwxr-xr-x 1 moseley moseley 136 Jan 3 20:52 index.html
Note that that last "index.html" is really a CGI script.
# cat mydocs/cgi-bin/index.html
#!/usr/bin/perl -w
my $me = `whoami`;
my $date = scalar localtime;
print <<EOF;
Content-type: text/plain
Hello $me
The time is $date
EOF
Now for the apache httpd.conf file. I like short httpd.conf files. I
also typically build static Apache servers instead of using DSO. So in
this case I've left out all the LoadModule lines -- *you will need those*.
Anyway, this is a very trimmed down httpd.conf file -- you will probably
want to add more. But my feeling is you start out restrictive and with
the Apache defaults and only add in the stuff you need. With that said,
the debian package maintainer's setup is probably really good.
After apt-get install apache I then copied httpd.conf to httpd.conf.orig
and then started pruning httpd.conf.
BTW - running "apache -V" will give you most of the compiled in defaults
for paths and such.
Other than the trimmed modules section this is the httpd.conf that I
tested with:
moseley@bumby:~$ cat /etc/apache/httpd.conf
# Some basics
ServerRoot /etc/apache
ErrorLog /var/log/apache/error.log
LockFile /var/lock/apache.lock
PidFile /var/run/apache.pid
# Please keep this LoadModule: line here, it is needed for installation.
# LoadModule vhost_alias_module /usr/lib/apache/1.3/mod_vhost_alias.so
# LoadModule env_module /usr/lib/apache/1.3/mod_env.so
LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config.so
...
...
(above trimmed for this email, but you will need the modules you want to
use)
User www-data
Group www-data
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/log/apache/access.log combined
ServerName bumby
# First, we configure the "default" to be a very restrictive set of
# permissions.
<Directory />
AllowOverride None
Order allow,deny
Deny from all
</Directory>
NameVirtualHost *
<VirtualHost *>
ServerName bumby
DocumentRoot /var/www
<Directory /var/www/>
Options Indexes Includes FollowSymLinks MultiViews
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *>
ErrorLog /home/moseley/error.log
CustomLog /home/moseley/access.log combined
ServerName bill
User moseley
Group moseley
DocumentRoot /var/www/mydocs
<Directory /var/www/mydocs>
Allow from all
</Directory>
<Directory /var/www/mydocs/cgi-bin>
Options +ExecCGI
SetHandler cgi-script
</Directory>
</VirtualHost>
That's really a bad example, but I was lazy. It's a bad example because
one virtual host is within the other. You would really want to have each
virtual host that needs to run SuEXEC in a different tree:
DocumentRoot /var/www/hostone - one VirtualHost
DocumentRoot /var/www/hosttwo - another VirtualHost
The main point here is that they need to be under /var/www because that's
compiled into the suexec wrapper script.
BTW -- to test this I simply added "bill" to my /etc/hosts file:
moseley@bumby:~$ fgrep bill /etc/hosts
192.168.0.172 bumby bill foo
Instant virtual hosts!
--
Bill Moseley moseley@hank.org
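
Added example (not part of the original message and not Apache's own code): a shell pre-flight check for the point above that a CGI script must sit under the docroot compiled into suexec. The function name suexec_precheck is made up here; the ownership, write-permission, symlink and setuid checks are taken from the security model in Apache's suEXEC documentation, not from this message.

```shell
#!/bin/sh
# Usage: suexec_precheck DOCROOT SCRIPT USER
# DOCROOT is the path compiled into suexec (/var/www in the message above),
# USER is the User set in the VirtualHost.
suexec_precheck() {
    docroot=$1 script=$2 user=$3

    [ ! -L "$script" ] || { echo "$script is a symlink"; return 1; }
    [ -f "$script" ] || { echo "not a regular file: $script"; return 1; }

    # Resolve symlinks so a link cannot make a directory look like it is in the tree.
    root=$(cd "$docroot" 2>/dev/null && pwd -P) || { echo "bad docroot: $docroot"; return 1; }
    dir=$(cd "$(dirname "$script")" && pwd -P) || return 1

    # The script's directory must be the docroot itself or below it.
    case "$dir/" in
        "$root"/*) ;;
        *) echo "$dir is outside $root"; return 1 ;;
    esac

    for p in "$dir" "$script"; do
        # Directory and script must both belong to the vhost's User.
        [ -n "$(find "$p" -prune -user "$user" 2>/dev/null)" ] ||
            { echo "$p is not owned by $user"; return 1; }
        # Neither may be writable by group or other.
        [ -z "$(find "$p" -prune \( -perm -0020 -o -perm -0002 \))" ] ||
            { echo "$p is group/other writable"; return 1; }
    done

    # The script must not be setuid or setgid.
    [ -z "$(find "$script" -prune \( -perm -4000 -o -perm -2000 \))" ] ||
        { echo "$script is setuid/setgid"; return 1; }

    echo "ok: $script"
}

# Run directly: sh precheck.sh /var/www /var/www/hostone/cgi-bin/test.cgi name2
if [ $# -eq 3 ]; then suexec_precheck "$@"; fi
```

A failure message here names the first check that did not pass; the authoritative reason for a refused request is still whatever suexec writes to its own log (/var/log/apache/suexec.log in the strings output above).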