Securing a multi-user Apache Web Server

As part of refining my Apache web server which runs multiple sites I’ve create a user account, database account and home folder per site so for example the site example.com has a user account example, a database account example and a web folder located at:

/home/example/public_html

The corresponding Apache VirtualHost for this site is:

<VirtualHost *:80>
        ServerAdmin admin@example.com
        ServerName www.example.com
        ServerAlias example.com
        ErrorLog /var/log/apache2/error.example.com.log
        LogLevel warn
        CustomLog /var/log/apache2/access.example.com.log combined
        DocumentRoot /home/example/public_html
        <IfModule mod_suexec.c>
                SuexecUserGroup example example
        </IfModule>
</VirtualHost>

Previously to ensure PHP scripts worked I had a Bash cron job to loop over all the user’s public_html folders and set the owner on the public_html folder to the apache user www-data.

Not ideal.

So after a few hours of digging I managed to deploy a solution both secure and flexible, allowing users to logon and edit their web pages without permissioning headaches.

Assuming a basic Apache setup first install the Apache suPHP and suEXEC modules:

sudo apt-get install libapache2-mod-suphp apache2-suexec

Enable the modules:

sudo a2enmod suexec
sudo a2enmod suphp

The suPHP module replaces the Apache PHP4 and PHP5 modules. Having both active prevents suPHP from working properly so you’ll need to disable the PHP4 and PHP5 modules:

sudo a2dismod php4
sudo a2dismod php5

Finally you’ll want to set the permissions on the user folder:

find ~/public_html/ -type f -exec chmod 644 {} \;
find ~/public_html/ -type d -exec chmod 755 {} \;

To get this setup even better I’d ideally like to set those permissions to 600 and 700 respectively but that’s a job for tomorrow.

Addendum:

Awesome link which covers much of the above and then some.

 

Leave a Reply

Your email address will not be published. Required fields are marked *