Running multi sites on one (non virt) machine

From: Rod-Lists
------------------------------------------------------
What are the best practices on /www directory structure?
Also, what are the best practices on directing traffic to the different sites?
Redirect to subdomains with masking? Reverse proxy and alt ports (nginx)? Virtual ports with apache?

===============================================================
From: Lynn Dixon
------------------------------------------------------
Virtual hosts in apache are awesome. Put each site's web root in its own directory. I have multiple users with their own domains and I keep their web root in their home directory. Selinux is your friend for this. I can explain further if you need.

===============================================================
From: Dave Brockman
------------------------------------------------------
I prefer virtual users to system users, so I don't use home directories, but I do have a separate wwwroot for each site/domain:

/var/www-vhosts:
/var/www-vhosts/domain1.com
/var/www-vhosts/domain2.com
/var/www-vhosts/domain3.com

Figure that out before you start fscking around with DNS rewriting/masking, reverse proxies, etc. None of those are going to help your friend's two year old unpatched WordPress installation from being hacked btw.....

Regards,
dtb

===============================================================
From: Rod-Lists
------------------------------------------------------
nginx calls virtual hosts server blocks. Still debating which one to go with. I hear nginx rocks on statics. But no info on dynamic sites.

===============================================================
From: Rod-Lists
------------------------------------------------------
I like that approach dave. BTW check your spam filter. I sent you something off list.

===============================================================
From: Jason Brown
------------------------------------------------------
I like the way virtualmin (a webmin addon) handles this, even if I don't always use the software. You can use it for configuration, then shut it down when not needed if its overhead is in the way.

In short, each website / apache virtual host gets its own user, unless it is a sub-server under an existing user. It's a good data segmentation model.

For web site setup operations it is also a useful learning tool: change an option and see what it did in the configuration file(s). etckeeper + git is your friend here.

--Jason

===============================================================
From: Matt Keys
------------------------------------------------------
Thanks for the tip on etckeeper! Tripwire / OSSEC hash files and tell you if the hash has changed but they don't give you the actual change. This should work much better!

Regards,
Matt

===============================================================
From: David White
------------------------------------------------------
I'm digging up an old thread. Originally, I searched my Chugalug archives for OSSEC, but this email thread (ironically) brings up the real reason I was searching for OSSEC - figuring out a better way to secure my shared webserver infrastructure.

Because right now, the single shared server I operate is anything but secure, other than a few scripts monitoring for file hash changes, having password auth turned off and only relying on key-based auth, and blocking IP addresses that repeatedly try to brute force the machine (I also manage dedicated servers, which is obviously much more preferable, security-wise).

I really need a way to separate permissions and visibility from one user's directory to another's (user X shouldn't be able to see user Y's stuff when they login via sFTP). Even though I have my users' stuff separated in different directories, any user - if they wanted to and knew how - could navigate *up* the directory tree and then over into another user's folder. Permissions are set so that they can't actually edit the files, but reading the files is bad enough...

This has always been in the back of my mind as an issue I need to deal with - and I hate cPanel, and refuse to use it. I'll take a look at the Webmin idea, as well as Apache vhosts... I think I remember looking into that a year or two ago, and not getting anywhere with it. I'll try another attempt.

===============================================================
From: AverageSecurityGuy
------------------------------------------------------
> user's directory to another's (user X shouldn't be able to see user Y's stuff when they login via sFTP). Even though I have my users' stuff separated in different directories, any user - if they wanted to and knew how - could navigate up the directory tree and then over into another user's folder.
> reading the files is bad enough... This has always been in the back of my mind as an issue I need to deal with - and I hate cPanel, and refuse to use it.

chmod 700 doesn't work?

--
Stephen Haywood
Owner, ASG Consulting
CISSP, OSCP
423.305.3700
asgconsulting.co

===============================================================
From: William Roush
------------------------------------------------------
I've always had some problems with chroot and its (understandable) permission limitations... Mainly with a deploy where a user can edit their chrooted folder, and not sub folders of the chroot, which leads to headaches because I have to support changes in workflow to handle that.

William Roush
william.roush@roushtech.net
423-463-0592
http://www.roushtech.net/blog/

===============================================================
From: Ed King
------------------------------------------------------
give each sftp user their own chroot folder

===============================================================
From: David White
------------------------------------------------------
I've also always had issues with chroot, mainly because the chroot leads to a major headache in keeping system files up-to-date. From my experience, anyway, you basically have to create an entire mini-Linux system in the chroot in order to provide the functionality for users to be able to login (SSH binaries and their dependencies, etc....).

chroot 700 isn't a bad idea, except that both Apache and the user need to be able to read the files. Maybe I could play around with groups and group memberships, though.... that's not a bad idea.
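Following up on the chmod 700 and group-membership idea in the exchange above, here is an added example (not from the thread or any poster): a POSIX shell audit of a /var/www-vhosts style tree that flags any site root still readable or traversable by "other" users, plus the corrective chmod. It assumes the per-site scheme owner = the site's (s)FTP user, group = the web server's group, mode 2750, and builds a constructed tree (domain1.com etc.) under a temp dir so it runs without root.

```shell
# Added example: audit vhost roots for cross-user readability and close them.
# Assumed layout (from the thread): /var/www-vhosts/<domain>. The demo tree
# below is constructed under a temp dir; point audit_vhost_roots at the real
# parent directory in production.
set -eu

# Octal mode of a path (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_vhost_roots DIR: print every direct subdirectory of DIR whose
# "other" permission bits are non-zero. Returns 1 if any were found, else 0.
audit_vhost_roots() {
    found=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        m=$(mode_of "$d")
        other=$(printf '%s' "$m" | tail -c 1)   # last octal digit = "other"
        if [ "$other" != 0 ]; then
            echo "world-accessible: $d (mode $m)"
            found=1
        fi
    done
    return $found
}

# make_demo_tree DIR: constructed vhost tree. Intended per-site scheme is
# 2750 (owner rwx, web-server group r-x, setgid so uploads keep the group).
# domain2.com is deliberately left 0755, the "any user can wander in" case.
make_demo_tree() {
    mkdir -p "$1/domain1.com" "$1/domain2.com" "$1/domain3.com"
    chmod 2750 "$1/domain1.com"
    chmod 0755 "$1/domain2.com"
    chmod 0700 "$1/domain3.com"
}

# lock_down DIR: the corrective step, strip all "other" bits from each root.
lock_down() {
    chmod o-rwx "$1"/*/
}

demo=$(mktemp -d)
make_demo_tree "$demo"
audit_vhost_roots "$demo" || echo "fix: chmod o-rwx each root listed above"
lock_down "$demo"
audit_vhost_roots "$demo" && echo "all vhost roots now closed to other users"
rm -rf "$demo"
```

Group ownership (chgrp to the web server's group) still has to be set as root; the audit only looks at the "other" bits because that is what lets one sFTP user read another's tree.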

===============================================================
From: William Roush
------------------------------------------------------
To be honest I'd throw Serv-U at it and call it a day. :\

William Roush
william.roush@roushtech.net
423-463-0592
http://www.roushtech.net/blog/

===============================================================
From: Eric Wolf
------------------------------------------------------
You hate cPanel, but what do your customers think of it?

===============================================================
From: Dave Brockman
------------------------------------------------------

===============================================================
From: David White
------------------------------------------------------
The good thing is that only about 2-3 of my clients actually use sFTP. All of my other clients just go through me to make updates to their website (and thus, I haven't even created user accounts for them). I'll take a look at Virtual Users, Apache vhosts, and what-not. Thanks for the suggestions.

===============================================================
From: Benjamin Stewart
------------------------------------------------------
> mini-Linux system in the chroot in order to provide the functionality for users to be able to login (SSH binaries and their dependencies, etc....).

One technique I've heard of (but haven't tried) is to create one "mini-Linux" master directory, and then link to it for each jail. That way there's only one place to update.

===============================================================
From: Justin McAteer
------------------------------------------------------
For running an application like sFTP in a constrained file and resource space in a way that is more powerful and yet simpler/easier than chroot, check out Docker (docker.io). It transparently handles all of the problems to which you are referring about system level dependencies and versions by using layered file systems, AuFS or Btrfs.

It allows you to create and control what almost looks like a complete virtual machine for each application, but in a way that works much more like 'chroot'.

Thanks,
Justin McAteer
Tel: (256) 694-9195

===============================================================
From: "Alex Smith (K4RNT)"
------------------------------------------------------
I'd just use Solaris Zones, it creates a completely compartmentalized operating system zone, so that even if someone *does* manage to compromise the account through... say a buggy version of WordPress, the rest of the system, and other users, would not be compromised.

This feature is also available on the Illumos (nee OpenSolaris) distributions, including OmniOS, SmartOS, OpenIndiana, OpenSXCE, Martux, Nexenta, etc.

" 'With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably.' Those words were uttered by Judge Aaron Satie as wisdom and warning... The first time any man's freedom is trodden on we're all damaged." - Jean-Luc Picard, quoting Judge Aaron Satie, Star Trek: TNG episode "The Drumhead"

- Alex Smith - Dulles Technology Corridor (Chantilly/Ashburn/Dulles), Virginia USA

===============================================================
From: Rod
------------------------------------------------------
nginx calls virtual hosts server blocks.

--
Using Opera's mail client: http://www.opera.com/mail/

===============================================================
From: William Roush
------------------------------------------------------
I really need to brush up on running a UIless Solaris box, we got a Nexenta system at work and I'm tempted to run with an Illumos system in my homelab when I get around to doing that...

William Roush
william.roush@roushtech.net
423-463-0592
http://www.roushtech.net/blog/

===============================================================
From: "Alex Smith (K4RNT)"
------------------------------------------------------
Lemme know when you do that, I might be able to lend assistance. There is plenty of documentation online for working with Zones, and while I'm not an expert with it, I'll help you out. :)

" 'With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably.' Those words were uttered by Judge Aaron Satie as wisdom and warning... The first time any man's freedom is trodden on we're all damaged." - Jean-Luc Picard, quoting Judge Aaron Satie, Star Trek: TNG episode "The Drumhead"

- Alex Smith - Dulles Technology Corridor (Chantilly/Ashburn/Dulles), Virginia USA

On Mon, Mar 17, 2014 at 1:35 PM, William Roush wrote: