Re: Running Apache sites as separate users




On Fri, 2011-09-30 at 10:47 +0100, Hakan Koseoglu wrote:
> On 30 September 2011 02:22, Trey Dockendorf <treydock@xxxxxxxxx> wrote:
> > I had a recent request to improve security on my web servers by having each
> > website use a different user to run the hosting service.  So
> > example1.com has its own Apache instance running as apache1 and then
> > example2.com has its own instance of Apache as apache2.  Is this even
> > possible or realistic?  I understand the idea of how that would be secure,
> Easily doable with another instance of Apache acting as the proxy.
> This Apache can be yet another "can't do anything"-style locked-down
> instance which only proxies virtual hosts to separate Apache
> instances.
----
absolutely
----
> You can set up as many Apaches running on separate internal ports
> (i.e. 127.0.0.1:8881, 127.0.0.1:8882 etc). and then use proxypass to
> forward virtual servers. I use a similar setup at home where
> locked-down virtual machines run all by themselves and the
> front-facing Apache simply matches the VirtualHost name and passes it
> down.
----
absolutely
----
>  The only thing I can't do is using a separate certificate for
> HTTPS for every one of them.
----
probably not with CentOS 5.x - possibly with CentOS 6.x but I haven't
installed it to check.

I know with Ubuntu 10.04 LTS, I have no problem whatsoever with SSL
virtual hosts and different certificates on the same IP but that does
rely upon users only using SNI compliant web browsers. Not the sort of
thing I would do for a commercial site but I do this for internal and/or
employee only web sites. The thing to note is that all the current web
browsers are SNI compliant/capable and anyone using an old web browser
at this point has some serious security issues. Just about all the web
browsers < 2 years old are SNI capable.

Craig
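
The layout discussed in this thread, sketched as an added example (not configuration posted by anyone in the thread): a front-end Apache that only proxies by virtual host name, and one loopback-only backend instance per site running as its own user. The file paths, document roots and log names are hypothetical, the fragments show only the directives that differ per instance, and mod_proxy and mod_proxy_http are assumed to be loaded in the front end.

```apache
# --- front-end instance (hypothetical file: /etc/httpd/conf/httpd.conf) ---
# Serves no content itself; it only forwards requests by Host header.
Listen 80
# Reverse proxy only: never act as an open forward proxy.
ProxyRequests Off
# Needed for name-based virtual hosts on Apache 2.2; not needed on 2.4.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName example1.com
    # Pass the original Host header through to the backend.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8881/
    ProxyPassReverse / http://127.0.0.1:8881/
</VirtualHost>

<VirtualHost *:80>
    ServerName example2.com
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8882/
    ProxyPassReverse / http://127.0.0.1:8882/
</VirtualHost>

# --- backend for example1.com (hypothetical file: /etc/httpd/conf/site1.conf,
#     started separately with: httpd -f /etc/httpd/conf/site1.conf) ---
# Bind to loopback only so the backend is reachable solely through the proxy.
Listen 127.0.0.1:8881
User  apache1
Group apache1
PidFile run/site1.pid
DocumentRoot "/var/www/example1.com"
ErrorLog logs/site1_error_log

# --- backend for example2.com (hypothetical file: /etc/httpd/conf/site2.conf) ---
Listen 127.0.0.1:8882
User  apache2
Group apache2
PidFile run/site2.pid
DocumentRoot "/var/www/example2.com"
ErrorLog logs/site2_error_log
```

The separation only holds if each document root is unreadable by the other site's user, for example owned by the site's own group with no access for others.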

