Company description
Hi, if you are interested in how to create a web hosting service, go to https://eweb.net. Just about everyone has written on the topic of virtual web hosting. That is good. The bad thing is that most of the information is very poorly structured and has no relation to real high-performance, secure, large-scale virtual web hosting. This article describes how to create a fully working system from scratch.
TASKS
- create web hosting that is as fast as possible and at the same time secure
- have mod_php create files as the site's user, and not with the web server's rights
- protect users from each other
- protect the system from intrusion by its users
- protect the system from intrusion from outside
GENERAL SCHEME OF HOSTING BUILDING
As the web server we will use Apache 1.3 with the mod_php module and the ability to run CGI scripts, since it is the most popular choice among webmasters. The DBMS is MySQL 5.1.
For "advanced" clients, we will provide the gcc compiler. Do not be afraid to give users access to the compiler: on a properly configured system, nothing will break even if a compiler is present. We are building a properly configured system, so the entire software stack will be at the user's disposal.
To reduce the load on Apache, install an accelerating proxy server in front of it. Based on many years of practice, the most suitable accelerator at the moment is nginx, a stable and high-quality multifunctional web server and accelerator.
Thus, a request from a user first goes to the nginx accelerator, which waits to receive all the data and proxies it to Apache only after it has been fully received. This way we reduce the load on Apache, which processes each request in a separate heavy process.
For truly secure operation, the programs on each client's site must run as that client's own user. For CGI scripts, this is solved by configuring suexec. The PHP module, which by definition is part of Apache, runs with the rights of the user the web server runs as. There is an alternative, suphp, but it puts a very heavy load on the system, so that scheme is not applicable to mass web hosting.
We will choose a compromise: PHP will work as an Apache module, and we will provide security through the settings of the file system and the PHP module.
It remains to solve the last problem: files created while mod_php is running must be created with the rights of the user who owns the site, and not with the rights of the web server. The manual for the mount command shows that, for objects created inside a directory to inherit the directory's owner, the partition must be mounted with the suiddir option.
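A check for the suiddir requirement described above, as an added example that is not part of the original article: it reads entries in /etc/fstab layout, finds the filesystem that holds a site directory, and reports whether suiddir is among its mount options. The fstab lines and site paths are constructed samples; suiddir is documented in FreeBSD's mount(8), which also requires the set-user-ID bit on the directory itself, tested here by the hypothetical helper `dir_has_suid`.

```shell
#!/bin/sh
# Added example: audit that site directories sit on a suiddir-mounted filesystem.
# SAMPLE_FSTAB is constructed data in /etc/fstab layout, not taken from a real host.
SAMPLE_FSTAB='# Device      Mountpoint  FStype  Options     Dump  Pass
/dev/ada0p2   /           ufs     rw          1     1
/dev/ada0p3   /usr        ufs     rw          2     2
/dev/ada0p4   /home       ufs     rw,suiddir  2     2
/dev/ada0p5   /home/tmp   ufs     rw,noexec   2     2'

# check_suiddir FSTAB_TEXT PATH
# Prints "OK|MISSING <path> on <mountpoint>" for the filesystem that holds PATH.
check_suiddir() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF < 4 || $1 ~ /^#/ { next }   # skip comments and incomplete lines
        {
            mp = $2
            # A mount point holds the path only on a whole-component match,
            # so /home must not match /homestead.
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > length(best)) { best = mp; opts = $4 }
        }
        END {
            if (best == "") { print "UNKNOWN " p; exit }
            state = "MISSING"
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "suiddir") state = "OK"
            print state " " p " on " best
        }'
}

# dir_has_suid DIR: true when DIR is a directory with the set-user-ID bit,
# which suiddir needs on the directory before new files inherit its owner.
dir_has_suid() {
    [ -d "$1" ] && [ -u "$1" ]
}

# Report on constructed site paths; on a real host pass "$(cat /etc/fstab)".
for docroot in /home/alice/www /usr/local/www/site /home/tmp/upload; do
    check_suiddir "$SAMPLE_FSTAB" "$docroot"
done
```

A nested mount such as /home/tmp does not inherit the options of /home, which is why the longest matching mount point decides the result.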
FTP access should be provided only through virtual users. This requirement is due to the fact that FTP passwords are transmitted unencrypted and are very easy to intercept. Virtual users are needed to rule out intrusion into the system via SSH with an intercepted FTP password: such users do not exist in the system, so their credentials are useless to a potential hacker.
Remember, a setup with all services collected in one place is nothing more than a test machine. In a real configuration, capable of serving thousands of queries per second, the MySQL server must be on a separate machine. The same applies to the nginx accelerator. Attempting to put everything together on one physical server will dramatically reduce the speed of the entire software stack because of the excessive load on the disk system.