Apache mass virtual hosting & suexec & fcgid

apache-2.2 mod-fcgid suexec virtualhost

I followed Falco's tutorial and everything now works as expected for 2 users (e.g. john and alice) with their relevant directories (/var/www/john and /var/www/alice).

Now, I want to go to the next level: instead of defining different vhosts at /etc/apache2/sites-available/<username> and restarting Apache, I need dynamically configured mass virtual hosting (http://httpd.apache.org/docs/2.2/vhosts/mass.html).
Say my DNS server has a record for another.site.example.com; I want its home directory to be at /var/www/another.site/web.

The problem is all these configuration settings for suexec and mod_fcgid.
I ended up with this draft of my httpd.conf (or should I create a file like /etc/apache2/sites-available/mass_virtual?):

NameVirtualHost *:80

#default virtual host
<VirtualHost *:80>
  ServerName www.example.com
  ServerAlias example.com
  ServerAdmin webmaster@example.com
  DocumentRoot /var/www/root/web/

  <IfModule mod_fcgid.c>
    SuexecUserGroup web-admin web-admin
    <Directory /var/www/root/web/>
      Options +ExecCGI
      Options -Indexes
      AllowOverride All
      AddHandler fcgid-script .php
      FCGIWrapper /var/www/php-fcgi-scripts/root/php-fcgi-starter .php
      Order allow,deny
      Allow from all
    </Directory>
  </IfModule>

  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

</VirtualHost>

#3rd-level subdomain virtual hosts
<VirtualHost *:80>
  UseCanonicalName Off
  ServerAlias *.example.com
  #problematic email!
  ServerAdmin webmaster@example.com
  #is this /var/www/another.site/web or /var/www/www.another.site/web for
  #a request for www.another.site.example.com ?
  VirtualDocumentRoot /var/www/%-3+/web

  <IfModule mod_fcgid.c>
    #problematic group and user!
    SuexecUserGroup web1 web1
    <Directory /var/www/*/web/>
      Options +ExecCGI
      Options -Indexes
      AllowOverride All
      AddHandler fcgid-script .php
      FCGIWrapper /var/www/php-fcgi-scripts/*/php-fcgi-starter .php
      Order allow,deny
      Allow from all
    </Directory>
  </IfModule>

  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

</VirtualHost>
  1. As you can see from the comments I have a problematic ServerAdmin webmaster@example.com, a SuexecUserGroup web1 web1 and a VirtualDocumentRoot /var/www/%-3+/web configuration!

  2. Moreover, to ensure security I think IfModule shouldn't exist: if
    mod_fcgid can't load then neither should the server, and

  3. instead of Allow from all, I think I should have Deny from all and open up a
    php-library directory instead!

  4. As I said, my intention is a request for www.another.site.example.com to be directed to user at /var/www/another.site/web but as I've read at "Using suEXEC" we can call suexec without the SuexecUserGroup directive in VirtualHost definitions but with the help of mod_userdir! So, what if a request for www.another.site.example.com is transformed transparently to www.example.com/~another.site with the help of mod_rewrite and then use mod_userdir to enable suexec???

Any ideas or directives that implement all these?

Thanks.

Best Answer

In practice the dynamic vhost feature is not optimal, because you are not flexible enough (.htaccess is in some cases not enough). Use a script to generate the vhosts or use something like Puppet to define the vhosts (https://github.com/puppetlabs/puppetlabs-apache).

BTW: for your PHP setup I would use php-fpm (ondemand) with (mod_proxy_fcgi or mod_fastcgi). With php-fpm you don't need suexec - every user gets his own port or socket.
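
The answer's suggestion to generate the vhosts with a script, as an added example (not code from the question, the answer, or any project). It emits one static vhost per site in the layout of the question's first vhost, so each site gets its own SuexecUserGroup and FCGIWrapper. The site-to-user mapping, the per-site ServerAdmin address and the name validation rules are assumptions.

```python
import re

# Assumption: site labels ("another.site") and Unix account names are limited
# to these conservative character sets, so they are safe inside paths.
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
SITE_RE = re.compile(r"%s(?:\.%s)*" % (LABEL, LABEL))
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# No <IfModule> wrapper: without mod_fcgid Apache rejects the unknown
# directives and does not start (point 2 of the question).
# Assumption: each site has its own webmaster@ address.
TEMPLATE = """\
<VirtualHost *:80>
  ServerName {site}.{base}
  ServerAlias www.{site}.{base}
  ServerAdmin webmaster@{site}.{base}
  DocumentRoot /var/www/{site}/web/
  SuexecUserGroup {user} {user}
  <Directory /var/www/{site}/web/>
    Options +ExecCGI -Indexes
    AllowOverride All
    AddHandler fcgid-script .php
    FCGIWrapper /var/www/php-fcgi-scripts/{site}/php-fcgi-starter .php
    Order allow,deny
    Allow from all
  </Directory>
  ServerSignature Off
</VirtualHost>
"""

def render_vhost(site, user, base="example.com"):
    """Return one static vhost block; reject names unsafe for paths or suexec."""
    # fullmatch (not match with $) so a trailing newline cannot slip through
    if not SITE_RE.fullmatch(site):
        raise ValueError("bad site name: %r" % site)
    if not USER_RE.fullmatch(user) or user == "root":
        raise ValueError("bad user name: %r" % user)
    return TEMPLATE.format(site=site, user=user, base=base)

def render_all(sites, base="example.com"):
    """sites: dict mapping site label -> owning Unix user."""
    return "\n".join(render_vhost(s, u, base) for s, u in sorted(sites.items()))

if __name__ == "__main__":
    # Constructed sample input; the real list would come from your own inventory.
    print(render_all({"another.site": "web1", "john": "john"}))
```

The output can be written to a file under /etc/apache2/sites-available/ and enabled like the hand-written vhosts, followed by an Apache reload.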