Something I've wanted to do for some time (and have been talking about for far too long) is to get a "static and managed" service running on lug.org.uk's system. This will allow us to provision web applications for users in a way where we (lug.org.uk admins) control the installed app -- so we can do upgrades when necessary, and have them rolled out over the whole service.
The VM has been around for some time – it's called snm (Static 'n' Managed), and is referred to colloquially as S&M. I've finally got a couple of web apps up and running on it in the way I want. Here's how...
mpm-itk is an Apache "multi-processing module" – the thing that handles incoming requests. It differs from the usual ones in that it can run as a different uid/gid for each virtual host. This allows us to separate the file permissions of the different users, so that a compromise of one web app installation is less likely to affect the others.
mod_macro is a very handy module that does exactly what it sounds like it does – it allows you to define and use macros in your Apache config files. We use it to set up completely standardised configurations that can be rolled out with a single line of config for each user we provision.
We also want to prevent the users from installing and running their own web applications – this would rather defeat the point of having the S&M server in the first place.
We have a macro which defines the "base" configuration for all S&M provisioned services:
<Macro BaseVH $group_name> ServerName $group_name.lug.org.uk ServerAdmin firstname.lastname@example.org DocumentRoot /home/groups/$group_name/public_html/ # Set up global options <Directory /> # Prevent accidental mapping of files outside DocumentRoot Order Deny,Allow Deny from All # Prevent use of .htaccess AllowOverride None Options Indexes </Directory> # Set up the base home directory <Directory /home/groups/$group_name/public_html> Order Deny,Allow Allow from All Options +MultiViews # Permit more control over authentication through .htaccess AllowOverride AuthConfig </Directory> # Set up the CGI bin ScriptAlias /cgi-bin/ /usr/local/lib/cgi-bin/ <Directory /usr/local/lib/cgi-bin/> Order Deny,Allow Allow from All # We need only this option, and no others here Options ExecCGI # Don't do funny path-extension tricks AcceptPathInfo Off # Run as CGI SetHandler cgi-script </Directory> # Forbid PHP from running unless we tell it otherwise php_admin_flag engine off # Set UID/GID to run this VH under AssignUserID $group_name $group_name # Logging LogLevel warn ErrorLog /var/log/apache2/$group_name-error.log CustomLog /var/log/apache2/$group_name-access.log combined ServerSignature On </Macro>
The important bits here are the
AssignUserID directive to tell mpm-itk what to run the VH as, the
AllowOverride directives that stop people from doing weird things in .htaccess files, and the
php_admin_flag engine off directive, which turns PHP off globally. It will be turned on again for very specific directories, where it's needed.
The users only get write access to their own directories, so the cgi-bin directory is controlled by us. Again, this gives us the ability to manage everything that gets executed on this machine centrally. (Muahahahaha! The power!)
Now for the individual applications: The first app we're providing is DokuWiki.
<Macro DokuWiki $group_name> Alias /wiki/ /usr/local/share/dokuwiki/ <Directory /usr/local/share/dokuwiki/> Order Deny,Allow Allow from All Options +MultiViews +FollowSymLinks +Indexes php_admin_flag engine on php_admin_value open_basedir /home/groups/$group_name/:/usr/local/share/dokuwiki/ php_admin_value doc_root /home/groups/$group_name/public_html/ SetEnv WIKI_NAME $group_name SetEnv WIKI_DATA /home/groups/$group_name/dokuwiki-data/ </Directory> </Macro>
This does a bunch of different things:
open_basedir) that PHP will be allowed to read files from – attempt to read anything outside that list, and PHP will throw an error
Finally, we define a bunch of macros for the actual provisioning. These look something like this:
<Macro VHDokuWiki $group_name> NameVirtualHost *:80 <VirtualHost *:80> Use BaseVH $group_name Use DokuWiki $group_name </VirtualHost> </Macro>
There are (or will be) similar macros for other web applications and combinations, such as "DokuWiki plus [forum]". To provision a given configuration for a LUG, the only thing you need to put in the Apache configuration is:
Use VHDokuWiki lugname
That's all for the Apache configuration. Configuring and patching DokuWiki will come in part two…