Linode Forum
Linode Community Forums 		 FAQFAQ    SearchSearch    MembersMembers      Register Register 
 LoginLogin [ Anonymous ] 
Post new topic  Reply to topic

Board index » Linux Community Forums » Web Servers and Web App Development
  Previous topic | Next topic 
Author Message
Nuvini
PostPosted: Tue Jul 03, 2012 11:48 am 
Offline
Senior Member

Joined: Fri Feb 17, 2012 8:20 pm
Posts: 365
Hi,

I'm using Apache with PHP-FPM/FastCGI. I've seen some guides for securing Apache, and I think I've done most of it, but there's still a few things I'm unsure of.

Mainly how-to-separate/isolate vhosts? Currently, I can upload a php-shell and simply cd ../ all the way up to the root filesystem. I want every vhost to be contained within their DocumentRoot, and not be able to go outside of that. I've seen things with open_basedir, but also SecChrootDir by mod_security. Has anyone done something like this? How should I do it?

My current directory-setup is:

Apache:
/etc/apache2/

vhosts:
/srv/www/DOMAIN/public_html/ <-- DocumentRoot in the vhost config
/srv/www/DOMAIN/logs

PHP:
/etc/php5
The FPM one is in /etc/php5/fpm/ with the configs/pools in conf.d/ and pool.d/

I want to make sure the vhosts are properly separated and isolated so that they can only access /srv/www/domain/ and deeper, but nothing above that. At the same time, I don't want PHP to break, for example.

How should I do something like this?

Thanks!
Top
   
Reply with quote  
Nuvini
PostPosted: Wed Jul 04, 2012 6:16 am 
Offline
Senior Member

Joined: Fri Feb 17, 2012 8:20 pm
Posts: 365
I found somehing that -I think- accomplishes what I want.. Well.. Almost:

http://www.makina-corpus.org/blog/insta ... ot-php-fpm

This one is more for just Drupal, I just want something in general, and this one doesn't use vhosts. So it's not exactly what I want.

It's kinda strange there aren't many guides about this online. I thought that especially professional web hosters/resellers (with shared web hosting) would use things like this all the time to protect their hosting environments. After all, they don't want people being able to upload some kind of php shell and simply read out server files, or exploit it in any other way. Plus they add new vhosts all the time when a new customer registers, automatically even. It can't be *that* hard :/
Top
   
Reply with quote  
loadavg
PostPosted: Wed Jul 04, 2012 6:24 am 
Offline
Senior Newbie

Joined: Tue Jun 28, 2011 5:48 pm
Posts: 7
Website: http://itspixelperfect.com
You be might interested in creating a custom FastCGI wrapper script that sets PHPRC to, e.g. /etc/php5/my-vhosts/vhost1.ini with the open_basedir setting in this PHP file.

_________________
load average: 0.07, 0.07, 0.13
Top
   
Reply with quote  
Nuvini
PostPosted: Sat Jul 07, 2012 5:09 am 
Offline
Senior Member

Joined: Fri Feb 17, 2012 8:20 pm
Posts: 365
<snip>

Well that was pretty pretty bad I suppose... For those wondering... When working with multiple PHP-FPM pools, don't close the </VirtualHost> too early :) :oops:
Top
   
Reply with quote  
Display posts from previous:  Sort by  
Post new topic  Reply to topic

Board index » Linux Community Forums » Web Servers and Web App Development


Who is online

Users browsing this forum: No registered users and 2 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
cron
RSS

Powered by phpBB® Forum Software © phpBB Group