The Apache Software Foundation's HTTP Server project (usually just called Apache) dominates the Internet web server market, holding more than 60% of market share.
Apache is also an increasingly popular part of the LAMP software stack. LAMP is a web platform built from free software: Linux, Apache, MySQL and PHP, together with other open source technologies. In this article you will learn how to use the mod_proxy module together with multiple back-end servers to improve the security of a LAMP installation. I will discuss the advantages and disadvantages of the approach and provide sample configurations.

PHP and Apache: the security challenge

The challenge facing a LAMP administrator is to provide users with a complete PHP system while ensuring a secure environment for every user on the system. PHP's safe mode is one technique, but it also restricts users unduly, and once it is enabled some PHP applications will no longer work.

The root of the PHP security problem lies in how most Apache servers are configured. Because most Apache configurations run under a special www-data user ID, every user whose site is hosted on the server must make sure that the www-data user can read their files. As a result, every other user on the system can access any user's web files; any other user on the system, whether careless or malicious, therefore becomes a possible entry point for an attack on your web site. The situation is more serious still if files or directories must be writable by the www-data user.

For CGI programs written in Perl, Python and other popular languages, the suEXEC mechanism eliminates some of these issues. Simply put, suEXEC uses a special intermediate program to execute CGI programs under the user ID of the program's owner. (See the reference links in the article for more details.) This is a very effective mechanism and has been in use for many years. However, when PHP pages are hosted with the mod_php module they run as part of the main Apache process. They therefore inherit all of the Apache process's privileges, and any work they perform on the file system is done as the user Apache runs as.
Running Apache under more than one user ID

The obvious solution to the problem described above is to have all requests for a user's domain served by an Apache instance that holds only that user's credentials. Apache can be configured to take on any user's credentials at startup. For simple setups in which each user is assigned a separate Internet-visible IP address/port combination, this approach solves the problem. For more complex setups, where IP addresses are precious, the method does not work: only a single Apache instance can control a given IP address/port combination, so you can only use virtual hosts, a technique widely used on Apache systems. This rules out the possibility of multiple domains belonging to multiple users sharing the same IP address/port combination.

Apache 2.0 introduced the concept of multiprocessing modules (MPMs). Among the MPMs offered in the basic Apache 2.0 package is an experimental module, perchild, which assigns a distributor thread to an IP address/port combination and passes requests to child threads running under the individual user's credentials, thereby achieving multi-user-ID virtual hosting. Unfortunately perchild has remained experimental, may not work at all, and is dropped from the official Apache distribution as of Apache 2.2. Before that, recognising that a stable, working MPM similar to perchild was still needed, the Apache community began developing several MPMs to make up for the lack. MetuxMPM and the process-oriented peruser MPM are efforts in that direction. (For more information on MetuxMPM and peruser MPM, see the references.)

One solution: mod_proxy

Although no official Apache MPM can directly provide multi-user-ID virtual hosting, the behaviour can still be implemented through a combination of Apache configuration and system management.
The core of this approach is the mod_proxy module. Among other features, this module lets Apache forward page requests to other servers and pass the responses back to the requesting client.

Listing 1. Basic request-forwarding (reverse proxy) configuration

# Do not act as an open forward proxy; only forward the paths configured below
ProxyRequests Off
# Forward everything under /foo to the corresponding path on the back end
ProxyPass /foo http://foo.example.com/bar
# Rewrite Location and similar headers in responses so they point back at this host
ProxyPassReverse /foo http://foo.example.com/bar

The code in Listing 1 is a simple example: it forwards any page request under the host's /foo hierarchy to the corresponding page under http://foo.example.com/bar. For example, a request for the page /foo/index.htm would be forwarded to http://foo.example.com/bar/index.htm. You can use this principle to solve the problem.

Sample scenario

Consider a scenario in which an Apache administrator must set up domains for two separate clients. One client is an online venture that is very concerned about online security. The other is a personal account whose owner is more relaxed about site security and may upload unsafe code to the site. The Apache administrator must therefore take steps to isolate the two sites. The administrator thus has two domains: www.startup.tld, belonging to the online venture (user ID startup), and www.reckless.tld, belonging to the individual (user ID nimrod).

To solve the problem, the administrator decides to use the mod_proxy solution. Each user is assigned a separate Apache instance that runs under the user's own user ID on a private IP address/port combination, and a facade server, running as www-data on a public IP address/port combination, provides access to both users' domains through mod_proxy. Figure 1 illustrates the whole scenario.

Figure 1. The example scenario

Recommended Apache versions

For each element of the sample application configuration, the Apache administrator should use the Apache version listed in Table 1.
Table 1. Apache versions used in the sample application

Element          | Apache version                                   | Reason
Facade server    | Apache 2, running the worker or event MPM        | Apache 2 made important improvements to the mod_proxy module. The worker and event MPMs are threaded, which helps reduce the memory overhead of the facade server.
Back-end servers | Apache 1.3, or Apache 2 running the prefork MPM  | Administrators must be aware that the PHP module should not be run in a threaded environment. Both of these options provide a process-based environment for the PHP module.

Back-end Apache instance configuration

The code fragments in Listing 2 and Listing 3 demonstrate the basic differences from a standard Apache configuration. Functionality such as PHP is omitted here; add it to the appropriate configuration as you need it.

Listing 2. Apache configuration for the online venture

# Stuff every Apache configuration needs
ServerType standalone
LockFile /var/lock/apache/accept.startup.lock
PidFile /var/run/apache.startup.pid
ServerName necessaryevil.startup.tld
DocumentRoot "/home/startup/web"

# Essential modules
LoadModule access_module /usr/lib/apache/1.3/mod_access.so

# Which user to run this Apache configuration as
User startup
Group startup

# This must be off, else the host isn't passed correctly
UseCanonicalName Off

# The IP/port combination to listen on
Listen 127.0.0.2:10000

# Using name-based virtual hosting allows you to host multiple sites per IP/port combo
NameVirtualHost 127.0.0.2:10000
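The facade side of the scenario, as an added example that is not part of the original article: an Apache 2.2 configuration for the www-data server that proxies each domain to its per-user back end. It assumes the startup instance listens on 127.0.0.2:10000 as in Listing 2, and uses constructed addresses for the public interface (203.0.113.10) and for nimrod's instance (127.0.0.3:10001).

```apache
# Facade server: runs as www-data on the public IP and only forwards to
# the private per-user back ends. 203.0.113.10 is a constructed example address.
Listen 203.0.113.10:80
User www-data
Group www-data

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Never act as an open forward proxy; only the ProxyPass mappings below apply.
ProxyRequests Off
# Pass the client's Host: header through unchanged so the back end can do
# name-based virtual hosting (pairs with UseCanonicalName Off in Listing 2).
ProxyPreserveHost On

NameVirtualHost 203.0.113.10:80

# The first virtual host is the default: requests whose Host: header matches
# no configured domain land here and are not proxied anywhere.
<VirtualHost 203.0.113.10:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
</VirtualHost>

# Online venture: proxied to the instance running as user "startup".
<VirtualHost 203.0.113.10:80>
    ServerName www.startup.tld
    ProxyPass        / http://127.0.0.2:10000/
    ProxyPassReverse / http://127.0.0.2:10000/
</VirtualHost>

# Personal site: proxied to the instance running as user "nimrod".
# 127.0.0.3:10001 is an assumed address for this example.
<VirtualHost 203.0.113.10:80>
    ServerName www.reckless.tld
    ProxyPass        / http://127.0.0.3:10001/
    ProxyPassReverse / http://127.0.0.3:10001/
</VirtualHost>
```

Because the back ends listen only on loopback addresses, a compromise of nimrod's instance still runs with nimrod's credentials and cannot read the startup user's files, which is the isolation the article is after.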