I had a recent request to improve security on my web servers by having each website use a different user to run the hosting service. So example1.com has its own Apache instance running as apache1 and then example2.com has its own instance of Apache as apache2. Is this even possible or realistic? I understand the idea of how that would be secure, much like creating a virtual machine to segregate services. The only way I can think how this is done is to chroot each website. What makes this request even stranger is that each website will be managed by the same CMS and code base. So with that being the case, I don't see how this is possible. Any ideas or insight are very welcome.

Thanks
- Trey
On 09/29/11 6:22 PM, Trey Dockendorf wrote:
> I had a recent request to improve security on my web servers by having each
> website use a different user to run the hosting service. So
> example1.com has its own Apache instance running as apache1 and then
> example2.com has its own instance of Apache as apache2. Is this even
> possible or realistic? I understand the idea of how that would be secure,
> much like creating a virtual machine to segregate services. The only way I
> can think how this is done is to chroot each website. What makes this
> request even stranger is that each website will be managed by the same CMS
> and code base. So with that being the case, I don't see how this is
> possible. Any ideas or insight are very welcome.

afaik, it's only possible to use multiple instances of apache if you have multiple IP addresses, each one bound to a different address, or use different ports for each site (which would require specifying the :port as part of the URL).

I'd strongly question the rationale behind this request. sounds like half-thinking to me.

--
john r pierce N 37, W 122
santa cruz ca mid-left coast
On Fri, Sep 30, 2011 at 2:22 AM, Trey Dockendorf <treydock at gmail.com> wrote:
> I had a recent request to improve security on my web servers by having each
> website use a different user to run the hosting service. So
> example1.com has its own Apache instance running as apache1 and then
> example2.com has its own instance of Apache as apache2. Is this even
> possible or realistic? I understand the idea of how that would be secure,
> much like creating a virtual machine to segregate services. The only way I
> can think how this is done is to chroot each website. What makes this
> request even stranger is that each website will be managed by the same CMS
> and code base. So with that being the case, I don't see how this is
> possible. Any ideas or insight are very welcome.

Is there a specific requirement to run different http servers? Because if there is not then you can just use Suexec+fastcgi. Otherwise, just use Apache to proxy stuff to backend servers (can be anything from apache to nginx).

HTH
On 30 September 2011 02:22, Trey Dockendorf <treydock at gmail.com> wrote:
> I had a recent request to improve security on my web servers by having each
> website use a different user to run the hosting service. So
> example1.com has its own Apache instance running as apache1 and then
> example2.com has its own instance of Apache as apache2. Is this even
> possible or realistic? I understand the idea of how that would be secure,

Easily doable with another instance of Apache acting as the proxy. This Apache can be yet another "can't do anything"-style locked-down instance which only proxies virtual hosts to separate Apache instances.

You can set up as many Apaches running on separate internal ports (i.e. 127.0.0.1:8881, 127.0.0.1:8882 etc.) and then use proxypass to forward virtual servers.

I use a similar setup at home where locked-down virtual machines run all by themselves and the front-facing Apache simply matches the VirtualHost name and passes it down. The only thing I can't do is use a separate certificate for HTTPS for every one of them.
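The proxy layout described in the reply above, written out as an added example that is not part of the original thread or any poster's configuration. The ports and the apache1 user come from the thread; the file paths, document root and log names are assumptions.

```apache
# ---- Front-end instance (assumed path: /etc/httpd/conf/httpd.conf) ----
# Needs mod_proxy and mod_proxy_http loaded. It serves no content itself
# and only forwards each name-based virtual host to its own backend.
Listen 80
# Reverse proxy only: never act as an open forward proxy.
ProxyRequests Off
# Required on Apache 2.2; has no effect on 2.4.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName example1.com
    # Pass the original Host header so the backend sees example1.com.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8881/
    ProxyPassReverse / http://127.0.0.1:8881/
</VirtualHost>

<VirtualHost *:80>
    ServerName example2.com
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8882/
    ProxyPassReverse / http://127.0.0.1:8882/
</VirtualHost>

# ---- Backend instance for example1.com (assumed path: conf/site1.conf) ----
# Started as its own process: httpd -f /etc/httpd/conf/site1.conf
# Only the per-instance directives are shown; the LoadModule and MIME
# settings are the same as in the distribution's stock httpd.conf.
# example2.com gets an identical file with apache2, port 8882 and its
# own PidFile, DocumentRoot and log.
ServerRoot /etc/httpd
# Each instance needs its own PID file or the second start fails.
PidFile /var/run/httpd-site1.pid
# Loopback only: reachable through the front end, not from the network.
Listen 127.0.0.1:8881
# Worker processes drop to this site's dedicated account.
User apache1
Group apache1
ServerName example1.com
# Assumed layout: writable site data is owned by apache1 and not readable
# by apache2; a CMS code base shared between sites should be read-only
# to both accounts, otherwise one site can alter code the other runs.
DocumentRoot /var/www/example1
ErrorLog /var/log/httpd/site1-error.log
```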
On Thu, Sep 29, 2011 at 08:22:59PM -0500, Trey Dockendorf wrote:
> I had a recent request to improve security on my web servers by having each
> website use a different user to run the hosting service. So
> example1.com has its own Apache instance running as apache1 and then
> example2.com has its own instance of Apache as apache2. Is this even
> possible or realistic? I understand the idea of how that would be secure,
> much like creating a virtual machine to segregate services. The only way I
> can think how this is done is to chroot each website. What makes this
> request even stranger is that each website will be managed by the same CMS
> and code base. So with that being the case, I don't see how this is
> possible. Any ideas or insight are very welcome.

Used to do that a lot on FreeBSD. It was just a virtual host. We used separate IPs for each virtual host, but there are ways to do it with name based virtual hosts. I think name based VH didn't work with https though. I don't know if CentOS can do it though.

////jerry

> Thanks
> - Trey