Ubuntu – Correctly setup apache virtual hosts with multiple users

Apache2usersvirtualhost

Thanks in advance for any help you may provide. I've self taught myself using linux (ubuntu), apache, virtual hosts and a few bits with regards to security, though I've yet to put these all together seamlessly.

I've also learnt the hard way from mistakes made in the past with regards to not setting up user accounts and sites/virtualhosts correctly. I ssh into the server as root (I know, very bad), and created all the virtual hosts and files manually, thus all being owned by root. I've had an old version of joomla exploited and malicious spam code inserted in all my other virtual hosts.

I'm in the process of moving to a new server and am looking for the correct steps to follow with regards to setting up virtual hosts and users accounts that can access them. Because we use 3rd party software, we have on a occasion needed someone else to ftp into the site to investigate their website files.

Our current server is version 10.04, however the new server is version 12.04. All website files are setup under

/home/www/site1.com

/home/www/site2.com

/home/www/site3.com

etc

In short, I guess this is what I'm after.

How do I correctly setup a virtual host and user, so that it only has access to its own files, and not any other virtual host on the server. For example, should that site get exploited with malicious code, it can't infect other sites on the server
How would I setup users so that they can only ftp into their given files and not access any of the other sites.

As mentioned before, there are numerous articles detailing how to do any one of these steps, but nothing that brings them seamlessly together.

Really appreciate the help anyone can offer. Please feel free to ask for any additional information you may need to give advise. I'm currently following tutorials to setup chroot, however I fear I'm not doing this correctly as I've picked up a few inconsistencies along the way. Am also investigating jailkit.

Best Answer

Since question is the top search result in google when asked "apache virtual host separate user", I'd like to give a more elaborate answer based on this answer. My answer does not cover the usecase of PHP and CGI (you would use suPHP). It focuses on PHP when used as an apache module.

You can use the apache module apache2-mpm-itk. It is available for the current version of apache 2.4. It comes with the directive AssignUserID. This directive defines the user and group a virtual host's request is handled with. This is an example of the apache site configuration I ended up with:

<VirtualHost *:80>
ServerName www.site1.com
DocumentRoot /home/www/site1.com
AssignUserID site1 www-data
php_admin_value open_basedir /home/www/site1.com
...
</VirtualHost>

Of course, this does only improve security as long as the individual DocumentRoots are owned by their respective users and are not group accesible. For further PHP-related security, scripts are jailed in the DocumentRoot with the open_basedir restriction. As for the backend file access, I prefer SFTP with chroot.

Note: apache2-mpm-itk is currently incompatible with Apache's http2 module.

Related Solutions

Ubuntu – Recommended workflows for Apache virtual hosts

When I had to do shuch things I proceed creating a VirtualHost whit a wildcard name:

Choose a fancy domain name like 'example.com' for localhost
Place it in /etc/hosts file as 127.0.0.1 *.example.com
Install and activate mod_rewrite

create a wildcard VirtualHost in apache sites directory:

<VirtualHost 127.0.0.1:80>
  DocumentRoot /default/path
  ServerName example.com
  ServerAlias *.example.com
  RewriteEngine On
  UseCanonicalName Off

  RewriteCond %{HTTP_HOST} ^(.*).example.com
  RewriteCond /srv/%1/ -d
  RewriteRule ^(.+)   %{SERVER_NAME}$1 [C]
  RewriteRule ^([^.]+)\.example\.com/(.*) /srv/$1/$2 [L]
</VirtualHost>

Now you can place any folder under /srv/ and it will be the root for <foldername>.example.com

This is borrowed from memory, it could need some more minor adjustments and it may conflict with any other rewrite rules each webapp would have. But it fits me for my webapp testing needs.

Ubuntu – How to setup “name based” virtual hosts using Ubuntu 12.04

This is more of an apache configuration question, than a Ubuntu one.

Yes, you may run multiple virtual servers on one host, each serving separate content, provided that they all map (e.g. via DNS) to the same server.

The official documentation on how to create virtual servers (version 2.2 but this feature hasn't fundamentally changed between versions) can be found here:

httpd.apache.org/docs/2.2/vhosts/

The short answer is you need to:

define your virtual hosts
include some mapping between your host names and the content they serve

This is done by adding a virtual host clause to some apache config file, e.g. under /etc/apache2/sites-available/000-add-my-virtual-hosts (name designed specifically to precede the 000-default name in alphabetic order)

NameVirtualHost *:80

<VirtualHost *:80>
    ServerName hostname1.mydomain.com
    DocumentRoot /home/www/hostname1
</VirtualHost>

<VirtualHost *:80>
    ServerName hostname2.mydomain.com
    DocumentRoot /home/www/hostname2
</VirtualHost>

Note that you may also need to add links from /etc/apache2/sites-enabled/ to /etc/apache2/sites-available if the site you need is already in the latter but not the former.

EDIT 1:
After reading the man page for a2dissite, it becomes clear that all it does is removing the symlink from /etc/apache2/sites-enabled/. The key is to understand that the order in which these configs are processed can affect the end result. The default site is called 000-default in order to be loaded first. If it matches all sites, i.e. acts as a 'anything else' wildcard, then you won't see the others. Try renaming the link to have a higher number like 999-default so it is loaded last (after the other sites matched).

EDIT 2: To your updated question: yes, it is necessary to rename or delete the default site because its config file name starts with '000' making it load first and 'take-over' due to the wildcard matching. I suppose the documentation can be improved on this point.

EDIT 3: The order in which server names appear, its importance and more is documented on this apache page in the section Name-based vhost One of the relevant sentences says:

The first vhost on this list (the first vhost in the config file with the
specified IP address) has the highest priority and catches any request to
an unknown server name or a request without a Host: header field.

and later under Observations:

... the ordering of name-based vhosts for a specific address set is significant.
The one name-based vhosts that comes first in the configuration file has the
highest priority for its corresponding address set.

Best Answer

Related Solutions

Ubuntu – Recommended workflows for Apache virtual hosts

Ubuntu – How to setup “name based” virtual hosts using Ubuntu 12.04

Related Question