 Old-School dkLab | Constructor | dkLab Apache: virtual hosts with privileges of separated users 



2007-02-31

Download the dkLab Apache:
dklab_apache_34_rew_lim_rus_ssl_vh_fork_2005-12-04.tgz

The dkLab Apache is a patched Apache distribution for those who plan to run the Apache web server on Unix (Linux, FreeBSD etc.) to serve multiple sites under different, fully separated and independent Unix users. It avoids some drawbacks of comparable solutions: it does not require installing any OS kernel modules or disabling setuid, and it works correctly with KeepAlive turned on and MaxRequestsPerChild > 1.

In practice it is Apache 1.3.34 with a hand-patched core. The patches add the following abilities:

  • Run different virtual hosts with the privileges of different Unix users. The user assigned to a virtual host is specified with the standard Apache directives User and Group inside its <VirtualHost> block. All scripts, including mod_php scripts, CGI etc., run with the privileges of the specified user and group and cannot access files belonging to another virtual host. Forget PHP's safe_mode and its file permission problems!
  • Create virtual hosts from domain templates: abc.example.com -> /home/example/abc. In the standard DocumentRoot directive you may refer to the corresponding part of the domain name, e.g. /home/example/$-3+ (this sample is interpolated to /home/example/abc). Just create a directory to add a new subdomain to your site!
  • mod_rewrite is protected from getting caught in an endless loop, so careless or malicious .htaccess directives can no longer consume all CPU resources and kill the server.

This distribution also includes the following popular modules:

  • mod_limitipconn: limit the number of simultaneous connections from a single IP address.
  • mod_charset: on-the-fly encoding conversion of any output stream.
  • mod_ssl: support for the SSL protocol.

In the !CONFIG subdirectory of the distribution you will find useful utilities and configuration examples for mass hosting. E.g. it is handy to use !CONFIG/configure to build Apache; this script asks some questions and configures all the modules above.

Attention! If you find a bug in the dkLab Apache distribution or have a note for the author, please read Known bugs and notes below before reporting it: your problem may be described there already. If you are a professional C/Unix programmer and have any idea how to improve the distribution, I am glad to collaborate and (especially) to receive code.

Usage

The dkLab Apache defines no additional configuration directives; its usage should be intuitive. Here is a sample of how one could create 2 virtual hosts running under separate Unix users (with mod_php permission separation included, of course):

Listing 1
# Limit per-client resource usage.
RLimitCPU 12 12
RLimitNPROC 15 15
RLimitMem 20000000 20000000

# These directives may be freely enabled.
MaxRequestsPerChild 100
KeepAlive On

# Limit the number of connections (standard mod_limitipconn directives).
<Files ~ ".*">
  MaxConnPerIP 15
  NoIPLimit image/*
</Files>

# Account dklab.ru
<VirtualHost *:80>
    ServerName dklab.ru
    ServerAlias dklab.ru *.dklab.ru
    User dklab
    Group dklab
    # If the host name has no third part from the right, $-3+ is interpolated to "www".
    DocumentRoot /home/dklab/domains/$-3+
    ScriptAlias /cgi/ /home/dklab/domains/$-3+/../../cgi/
    ErrorLog /home/dklab/account/log/error_log
    CustomLog /home/dklab/account/log/access_log common
</VirtualHost>

# Account denwer.ru
<VirtualHost *:80>
    ServerName denwer.ru
    ServerAlias denwer.ru *.denwer.ru
    User denwer
    Group denwer
    DocumentRoot /home/denwer/domains/$-3+
    ScriptAlias /cgi/ /home/denwer/domains/$-3+/../../cgi/
    ErrorLog /home/denwer/account/log/error_log
    CustomLog /home/denwer/account/log/access_log common
</VirtualHost>

The sample above demonstrates 2 operations: binding a VirtualHost to a user, and defining a "dynamic" DOCUMENT_ROOT computed from the host name. Here $-3+ means "take the third (3) part of the domain name counting from the right (-), together with everything to its left (+), and insert it at this position". This syntax is described in more detail in the mod_vhost_alias documentation (but note that in the dkLab Apache you use $ instead of %).

Please note that if the expression $-3+ does not match any part of the domain name, it is replaced by "www", not by "". This is exactly what the sample above needs for the name dklab.ru: it has no "third part from the right", so requests to dklab.ru go to /home/dklab/domains/www, the same directory as for www.dklab.ru.
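The interpolation rules just described (the $-3+ syntax and the "www" fallback), as a reference implementation in Python. This is an added example, not code from the dkLab Apache distribution. It assumes that the tokens counting from the left ($N, $N+) follow the mod_vhost_alias rules, which the page does not document, and the host-name validation in document_root is an added hardening check that the page says nothing about.

```python
import posixpath
import re

# Added example, not code from the dkLab Apache distribution: a reference
# implementation of the host-name interpolation that dkLab Apache performs in
# DocumentRoot/ScriptAlias ($-3+ in the sample config), following the
# mod_vhost_alias rules with '$' instead of '%', plus the dkLab rule that an
# expression matching no part of the name is replaced by "www".
# Assumption: the $N / $N+ forms (counting from the left) behave as in
# mod_vhost_alias; the page itself only shows $-3+.

FALLBACK = "www"
_TOKEN = re.compile(r"\$(-?\d+)(\+?)")
# Plain DNS label sequence. The Host header is client-supplied, so the added
# document_root() check refuses anything else before it touches a path.
_HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$")


def _canonical(host):
    """Lower-case the name and drop a trailing dot (example.com. -> example.com)."""
    return host.lower().rstrip(".")


def host_part(host, n, plus):
    """Select part(s) of `host`: n > 0 counts from the left ($1 = first part),
    n < 0 from the right ($-1 = last part), n == 0 is the whole name.
    `plus` extends the selection: $N+ takes part N and everything to its right,
    $-N+ takes part N from the right and everything to its left.
    Returns "" when the selected part does not exist."""
    name = _canonical(host)
    parts = name.split(".")
    if n == 0:
        return name
    if n > 0:
        idx = n - 1
        if idx >= len(parts):
            return ""
        return ".".join(parts[idx:]) if plus else parts[idx]
    idx = len(parts) + n
    if idx < 0:
        return ""
    return ".".join(parts[:idx + 1]) if plus else parts[idx]


def interpolate(template, host):
    """Expand every $ token in `template`; a token selecting no part becomes "www"."""
    def repl(m):
        value = host_part(host, int(m.group(1)), m.group(2) == "+")
        return value or FALLBACK
    return _TOKEN.sub(repl, template)


def document_root(template, host):
    """Expand `template` for `host` and normalise '..' segments (as in the
    ScriptAlias sample), after refusing host names that are not a plain
    sequence of DNS labels (added check, not described on the page)."""
    if not _HOSTNAME.match(_canonical(host)):
        raise ValueError("refusing host name with non-DNS characters: %r" % host)
    return posixpath.normpath(interpolate(template, host))


if __name__ == "__main__":
    # Constructed sample names for the dklab.ru account from Listing 1.
    for name in ("dklab.ru", "www.dklab.ru", "abc.dklab.ru", "x.abc.dklab.ru"):
        print(name, "->", document_root("/home/dklab/domains/$-3+", name))
        print(name, "->", document_root("/home/dklab/domains/$-3+/../../cgi/", name))
```

Running the block prints the DocumentRoot and the resolved ScriptAlias directory for each constructed name; the ".." segments in the ScriptAlias sample collapse to /home/dklab/cgi regardless of the host, which is what makes that idiom safe to use with an interpolated DocumentRoot.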

Known bugs and notes

Of course the dkLab Apache is not perfect. It just works fine, without any warranty. Here are the problems known at the time of writing.

  • Higher resource usage than standard Apache: there is an overhead of 1 additional fork call for each new KeepAlive connection. (Note that this fork is performed in the background, asynchronously, rather than at the moment the connection is ready; this speeds up connection processing greatly compared to other known solutions.) Unfortunately even the Apache 2.2 architecture has no means to distribute connections among dynamically created Apache daemons, so this overhead cannot be worked around in the future.
  • If two requests to different virtual hosts arrive inside a single KeepAlive connection, the second request returns an empty response. In practice this should almost never happen with browsers, and search bots are smart enough to repeat the request in a couple of seconds. (Ideally, instead of an empty response some headers should be sent: Retry-After: 0, Refresh: 0 and 503 Service Unavailable, but I have not managed to implement this yet. If you have done it, please send me the patch.)
  • Some mod_rewrite directives choke on the $-3+ macro when you use %{DOCUMENT_ROOT} directly in an expression. Most likely you will not run into this, because such cases are very exotic.

Conclusions

If you plan to run your own shared hosting but do not want the problems of cPanel or other systems that separate virtual hosts very poorly, the dkLab Apache lets you do it easily. It is also useful if you host a number of different projects on one machine and do not want to put all of them at risk when one of them is compromised.

In practice the dkLab Apache is stable enough for production: it has been used for many years on a couple of heavily loaded servers.





Dmitry Koterov, Dk lab. ©1999-2014