Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change 
notification.

The "ExtendingPrivilegeSeparation" page has been changed by jmcg.
The comment on this change is: Grammar and wording fixes. Restructuring for 
readability. Preparing to extend with mod_macro samples. I think this wiki page 
needs a better name :).
http://wiki.apache.org/httpd/ExtendingPrivilegeSeparation?action=diff&rev1=2&rev2=3

--------------------------------------------------

  ##acl MoinPagesEditorGroup:read,write,delete,revert All:read
  #format wiki
  #language en
+ 
+ 
  == Introduction ==
- This '''DRAFT''' httpd setup is inspired by 
[[http://wiki.apache.org/httpd/DifferentUserIDsUsingReverseProxy|DifferentUserIDsUsingReverseProxy]].
 However it takes the idea a couple of steps further, and describes other, 
everyday aspects one might stumble upon. It's been tested for more than a year 
now, is very stable, scalable and most imporantly: secure.
  
- The first deviation from 
[[http://wiki.apache.org/httpd/DifferentUserIDsUsingReverseProxy|DifferentUserIDsUsingReverseProxy]],
 is to  run all backends on high-ports (as it has only later been added). This 
has two consequences:
-  1. All backends can be started and run as unprivileged users, no privilege 
escalation can happen from malicious scripts executed by httpd.
-  2. The frontend never executes third party code, it's security concerns are 
confined within the limits of the Apache HTTPd.
- Furthermore we shall demonstrate how to secure PHP applications without 
[[http://ilia.ws/archives/18_PHPs_safe_mode_or_how_not_to_implement_security.html|safe-mode]].
+ This httpd setup is inspired by 
[[http://wiki.apache.org/httpd/DifferentUserIDsUsingReverseProxy|DifferentUserIDsUsingReverseProxy]].
+ However it takes the idea a couple of steps further, and describes other,
+ everyday aspects one might stumble upon. It's been tested - in production - 
for many years now,
+ is very stable, scalable and most imporantly: secure.
+ 
+ The first deviation from 
[[http://wiki.apache.org/httpd/DifferentUserIDsUsingReverseProxy|DifferentUserIDsUsingReverseProxy]],
+ is to  run all backends on high-ports (as it has only later been added).
+ This has two consequences:
+ 
+  1. All backends can be started and run as unprivileged users,
+  no privilege escalation can happen from malicious scripts executed by httpd.
+  2. The frontend never executes third party code, it's security concerns
+  are confined within the limits of the Apache HTTPd.
+ 
+ Furthermore we shall demonstrate how to secure PHP applications without
+ 
[[http://ilia.ws/archives/18_PHPs_safe_mode_or_how_not_to_implement_security.html|safe-mode]].
+ 
  
  == Bare minimum ==
+ 
  A great deal of the configurations is shared accross all the instances of 
httpds, so we'll show it here:
+ 
  {{{
  ServerRoot "/opt/es"
  ServerAdmin [email protected]
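Review bot: the new item 1 ("no privilege escalation can happen from malicious scripts executed by httpd") claims more than the setup delivers; running each backend as its own unprivileged user confines a compromised script to that user's files and sockets, but it does not rule out a local privilege escalation through a kernel or setuid bug, so "is confined to that user" is the defensible wording. Two slips survive the rewording into the `+` lines: "imporantly" (importantly) and "it's security concerns" (its). "(as it has only later been added)" is also unclear: say what was added later, the high-port convention or the reverse-proxy page itself.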
@@ -61, +77 @@

  Include etc/apache/extra/httpd-languages.conf
  Include etc/apache/extra/httpd-default.conf
  }}}
- With this simple config any host can serve static content at the very least. 
If it's not supposed to do any more than that, it will do it without any 
kludge. This is all it needs to perform the task.
+ 
+ With this simple config any host can serve static content at the very least.
+ If it's not supposed to do any more than that, it will do it without any 
kludge.
+ This is all it needs to perform the task.
+ 
  
  == Frontend ==
+ 
  {{{
  # include base config
- Include /opt/esetc/apache/httpd.conf
+ Include /opt/es/etc/apache/httpd.conf
  Include /opt/es/etc/apache/extra/httpd-proxy.conf
  Include /opt/es/etc/apache/extra/httpd-deflate.conf
- #Include /opt/es/etc/apache/extra/httpd-cache.conf
+ Include /opt/es/etc/apache/extra/httpd-cache.conf
  # only the proxy does CustomLogging!
  Include /opt/es/etc/apache/extra/httpd-log.conf
  # listen to UID
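Review bot: turning on `Include /opt/es/etc/apache/extra/httpd-cache.conf` in the frontend (it was commented out before) puts a shared cache in front of backends that, per the Complex example further down, issue authentication challenges and serve per-user content. mod_cache only honours what the backends send, so every backend serving authenticated or per-session responses must emit `Cache-Control: private` or `no-store` (and `Vary` on Cookie/Authorization where relevant), or the proxy can hand one user's response to the next. Either say so here or add a `CacheDisable` for those paths.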
@@ -82, +103 @@

  PidFile "/var/opt/es/apache/proxy/proxy.pid"
  LockFile "/var/opt/es/apache/proxy/proxy.lock"
  
- ErrorLog "|/opt/es/bin/rotatelogs -l 
/var/opt/es/apache/proxy/error_log.%Y%m%d 86400"
+ ErrorLog "/var/opt/es/apache/proxy/error_log"
- CustomLog "|/opt/es/bin/rotatelogs -l 
/var/opt/es/apache/proxy/access_log.%Y%m%d 86400" vhostcombined env=!dontlog
+ CustomLog "/var/opt/es/apache/proxy/access_log" vhostcombined env=!dontlog
  
  ServerName borscht
  
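Review bot: swapping the piped `rotatelogs` logs for plain files (`ErrorLog "/var/opt/es/apache/proxy/error_log"`) drops the daily rotation these lines had, and nothing on the page now says how the logs get rotated. If logrotate takes over, the frontend needs a graceful restart (or `copytruncate`) after each rotation, otherwise httpd keeps writing to the unlinked file; since the frontend is the only instance that writes an access log ("only the proxy does CustomLogging!"), the rotation scheme belongs in this section.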
@@ -91, +112 @@

  
  <VirtualHost *:80>
          ServerName esotericsystems.at:80
-         ProxyPass / http://127.0.0.1:8001/ disablereuse=on
+         ProxyPass / http://127.0.0.1:8001/
          ProxyPassReverse / http://127.0.0.1:8001/
  </VirtualHost>
  <VirtualHost *:80>
          ServerName omfzd.tld:80
-         ProxyPass / http://127.0.0.1:8002/ disablereuse=on
+         ProxyPass / http://127.0.0.1:8002/
          ProxyPassReverse / http://127.0.0.1:8002/
  </VirtualHost>
  # etc...
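Review bot: with `disablereuse=on` gone, `ProxyPass / http://127.0.0.1:8001/` now pools backend connections, which is the default and fine unless PR#45362 bites (the text below keeps the option as an opt-in workaround, so the two are consistent). What these vhosts lack is `ProxyPreserveHost On`: without it each backend sees `Host: 127.0.0.1:800x`, which is the real reason the page later needs the `ServerName http://host:80` workaround for redirects. Add it per vhost, or explain why the ServerName trick is preferred.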
@@ -109, +130 @@

          SSLCertificateFile "/opt/es/etc/certs/server.insecure.org.cert"
          SSLCertificateKeyFile "/opt/es/etc/certs/private.insecure.org.key"
  
-         ProxyPass / http://127.0.0.1:8003/ disablereuse=on
+         ProxyPass / http://127.0.0.1:8003/
          ProxyPassReverse / http://127.0.0.1:8003/
  </VirtualHost>
  # etc..
  }}}
- We'll skip the explanation of the obvious, and come straight to the 
{{{CustomLog}}}. We only log in the front-end. And even here, we only have 
'''one''' {{{CustomLog}}}, effectively reducing the number of open handles.
  
- You might notice the use {{{:80}}} in the {{{ServerName}}}, this has proved 
to be a workaround for some applications, wel'll see more of this in the 
backends.
+ We'll skip the explanation of the obvious, and come straight to the 
{{{CustomLog}}}.
+ We only log in the front-end. And even here, we only have '''one''' 
{{{CustomLog}}},
+ effectively reducing the number of open handles.
  
+ You might notice the use {{{:80}}} in the {{{ServerName}}}, this has proved 
to be a
+ workaround for some applications, wel'll see more of this in the backends.
+ 
+ In {{{ProxyPass} use {{{disableruse=on}}} as a workaround if you're affected 
by
- {{{disableruse=on}}} is a workaround for 
[[https://issues.apache.org/bugzilla/show_bug.cgi?id=45362|PR#45362]]
+ [[https://issues.apache.org/bugzilla/show_bug.cgi?id=45362|PR#45362]]
  
- We can also use the frontend as SSL Terminator, leaving the backend to 
concentrate on it's real business, not on encryption.
+ We can also use the frontend as SSL Terminator, leaving the backend to 
concentrate
+ on it's real business, not on encryption.
+ 
  
  == Backends ==
- Everything can be a backend. Even though in the above example I've only shown 
{{{http://}}} for {{{ProxyPass}}}, this doesn't keep you from running mongrels, 
or tomcats (and thus to use {{{ajp://}}}) in the backend.
+ 
+ Everything can be a backend. Even though in the above example I've only shown 
{{{http://}}}
+ for {{{ProxyPass}}}, this doesn't keep you from running mongrels, or Tomcats
+ (and thus to use {{{ajp://}}}) in the backend.
  
  As we're concentrating on Apache HTTPd, we'll show some examples with that, 
as well as it's peripherals.
+ 
+ 
  === Base Config ===
+ 
- All backends have a certain config style in common, and we'll first show that 
(from a template) to outline the basic idea:
+ All backends have a certain config style in common, and we'll first show that
+ (from a template) to outline the basic idea:
+ 
  {{{
  # include base config
  Include /opt/es/etc/apache/httpd.conf
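Review bot: in the new line `In {{{ProxyPass} use {{{disableruse=on}}} as a workaround` the option is misspelled (it is `disablereuse=on`, as in the old line this replaces) and `{{{ProxyPass}` lacks two closing braces, so the markup will not render. Same block: "wel'll" (we'll), "it's real business" (its). The SSL-terminator sentence should also warn that the backend then only ever sees plain http and must be told the original scheme, which the Complex section handles with `X_FORWARDED_PROTO`; a pointer to that here would pre-empt the question.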
@@ -144, +180 @@

  # supply PID and lock file
  PidFile "/var/opt/es/apache/template.tld/pid"
  LockFile "/var/opt/es/apache/template.tld/lock"
- ErrorLog "|/opt/es/bin/rotatelogs 
/var/opt/es/apache/template.tld/error_log.%Y%m%d 86400"
+ ErrorLog "/var/opt/es/apache/template.tld/error_log"
  
  <Directory /srv/web/template.tld>
          Options +MultiViews
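Review bot: `ErrorLog "/var/opt/es/apache/template.tld/error_log"` (and the `PidFile`/`LockFile` beside it) are opened by a backend that, per the introduction, is started as the unprivileged user itself rather than by root, so `/var/opt/es/apache/template.tld/` must be owned by that user and should not be world-readable (PHP error logs routinely leak paths, SQL and credentials). The template should state the expected ownership and mode, and now that `rotatelogs` is gone the same rotation question as for the frontend applies to every backend.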
@@ -157, +193 @@

  Include /opt/es/etc/apache/vhosts/template.tld/www-httpd.conf
  # Maybe Include some more (sub domains...)
  }}}
- The baseconfig defines a {{{User}}} and a {{{Group}}}, our convention is to 
name it same as the {{{ServerName}}}. In the {{{Listen}}} directive we see that 
this convention is further translated to listening to this user's UID.
+ 
+ The baseconfig defines a {{{User}}} and a {{{Group}}}, our convention is to 
name it same
+ as the {{{ServerName}}}. In the {{{Listen}}} directive we see that this 
convention is
+ further translated to listening to this user's UID.
  
  We have one ErrorLog per domain, but if you like to log per vhost, you can of 
course change it.
  
- We then define some sane settings for {{{<Directory>}}} where our vhosts will 
be located, start off name-based vhosting and start including vhosts.
+ We then define some sane settings for {{{<Directory>}}} where our vhosts will 
be located,
+ start off name-based vhosting and start including vhosts.
  
- Before looking into the vhosts, I'd like to dwell on the subject of 
structuring websites. We've chosen a rather simple setup:
+ Before looking into the vhosts, I'd like to dwell on the subject of 
structuring websites.
+ We've chosen a rather simple setup:
+ 
  {{{
  /srv/web/omfzd.tld
  |-- www
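Review bot: "listening to this user's UID" needs its precondition spelled out: a backend started as that user can only bind an unprivileged port, so the convention silently requires every such UID to be 1024 or higher (the 8001-8003 ports in the frontend fit that) and distinct from any port another service already uses on 127.0.0.1. On systems whose first regular UID is 1000, the first few users created with the default `useradd` will simply fail to bind. Wording: "name it same as" → "name it the same as".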
@@ -175, +217 @@

      |-- session
      `-- tmp
  }}}
- First off: Discussing whether or not it's a good idea to have the default 
vhost be ''www.'' is moot. It's just a convention, you can name it whatever you 
like.
  
- Putting each domain in one folder, and each of it's subdomains in a 
sub-folder thereof. This organization eases the structuring of configurations, 
the separation of privileges and also enables you to interface with other 
daemons such as an ftpd.
+ Discussing whether or not it's a good idea to have the default vhost be 
''www.'' is moot.
+ It's just a convention, you can name it whatever you like.
+ 
+ Putting each domain in one folder, and each of it's subdomains in a 
sub-folder thereof.
+ This organization eases the structuring of configurations, the separation of 
privileges
+ and also enables you to interface with other daemons such as an 
{{{OpenSSHd}}}.
  
  We also see here a {{{session}}} and a {{{tmp}}} directory. More on this soon!
  
+ 
  === The VHosts ===
- We'll be using the same vhosts as in the front-end example to gradually 
increase complexity and show different aspects of the configurations.
+ 
+ We'll be using the same vhosts as in the front-end example to gradually 
increase
+ complexity and show different aspects of the configurations.
+ 
+ 
  ==== Simple ====
+ 
  The most simple of vhosts serves static content and looks like this:
+ 
  {{{
  <VirtualHost 127.0.0.1:8001>
      ServerName http://esotericsystems.at:80
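Review bot: the sentence `Putting each domain in one folder, and each of it's subdomains in a sub-folder thereof.` has no main verb and "it's" should be "its": "We put each domain in one folder and each of its subdomains in a sub-folder thereof." On the layout itself, it is worth saying explicitly that `session` and `tmp` sit beside `htdocs` rather than under it, so uploads and session data are never inside the document root; the later `open_basedir` line on `/srv/web/omfzd.tld/www/` relies on exactly this arrangement.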
@@ -192, +245 @@

      DocumentRoot "/srv/web/esotericsystems.at/www/htdocs"
  </VirtualHost>
  }}}
+ 
- Note that we're using {{{http://esotericsystems.at:80}}} as {{{ServerName}}}, 
this is very important for Redirects!
+ Note that again we're using {{{http://esotericsystems.at:80}}} as 
{{{ServerName}}},
+ this is very important for Redirects!
  
- Also some applications take this as a hint where they're really running on, 
because not many applications bother to check ''X-Forwarded-For''...
+ Also some applications take this as a hint where they're really running on,
+ because not many applications bother to check ''X-Forwarded-For''...
+ 
+ 
  ==== PHP ====
- PHP is not to be trusted. However running it in safe-mode is just a pain. As 
we've already taken care of privilege separation, we'll now go a step further 
and cut it off from the rest of the world using {{{open_basedir}}}.
  
- But instead of sharing a common {{{/tmp/}}} for sessions and uploads, we 
separate those as well, as already hinted by the folder-structure:
+ PHP is not to be trusted. However running it in safe-mode is just a pain.
+ As we've already taken care of privilege separation, we'll now go a step
+ further and cut it off from the rest of the world using {{{open_basedir}}}.
+ 
+ But instead of sharing a common {{{/tmp/}}} for sessions and uploads,
+ we separate those as well, as already hinted by the folder-structure:
+ 
  {{{
  <VirtualHost 127.0.0.1:8002>
      ServerName http://omfzd.tld:80
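Review bot: `not many applications bother to check ''X-Forwarded-For''` names the wrong header: X-Forwarded-For carries the client's address, while the header an application would consult to learn which host it is really being served as is `X-Forwarded-Host` (mod_proxy also sends `X-Forwarded-Server`), which is what the `ServerName http://esotericsystems.at:80` trick substitutes for. In the PHP paragraph, "cut it off from the rest of the world using open_basedir" oversells it: open_basedir constrains PHP's own file functions only; anything PHP executes (the `/usr/bin/diff` and `/usr/bin/convert` allowed further down) runs with the backend user's full permissions, so the per-domain user is the boundary and open_basedir is defence in depth.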
@@ -209, +272 @@

      php_admin_value upload_tmp_dir /srv/web/omfzd.tld/www/tmp/
  </VirtualHost>
  }}}
- In {{{open_basedir}}} we have to include all the paths that our PHP 
application needs access. If for instance, you're serving a MediaWiki, your 
{{{open_basedir}}} line would look something like this:
+ 
+ In {{{open_basedir}}} we have to include all the paths that our PHP 
application
+ needs access. If for instance, you're serving a MediaWiki, your 
{{{open_basedir}}}
+ line would look something like this:
+ 
  {{{
  php_admin_value open_basedir 
/srv/web/omfzd.tld/www/:/opt/es/share/pear/:/usr/bin/diff:/usr/bin/convert
  }}}
- This would allow PHP access to {{{/usr/bin/diff}}}, but also to 
{{{/usr/bin/diff3}}} and other variations thereof! Please refer 
[[http://www.php.net/manual/ini.sect.safe-mode.php#ini.open-basedir|open_basedir
 documentation]] for more information, or to the 
[[http://www.php.net/manual/ini.list.php|php.ini documentation]] in general.
  
- Another directive we could use here, is 
[[http://www.php.net/manual/configuration.file.php|PHPIniDir]]. It would enable 
us to have an unique per-domain (! Not per-vhost!) {{{php.ini}}}.
+ This would allow PHP access to {{{/usr/bin/diff}}}, but also to 
{{{/usr/bin/diff3}}}
+ and other variations thereof! Please refer 
[[http://www.php.net/manual/ini.sect.safe-mode.php#ini.open-basedir|open_basedir
 documentation]]
+ for more information, or to the 
[[http://www.php.net/manual/ini.list.php|php.ini documentation]] in general.
+ 
+ Another directive we could use here, is 
[[http://www.php.net/manual/configuration.file.php|PHPIniDir]].
+ It would enable us to have an unique per-domain (! Not per-vhost!) 
{{{php.ini}}}.
+ 
+ 
  ==== Complex ====
+ 
- This example shows our SSL VHosts, it includes a sample for configuring 
mod_passenger as well as authentication:
+ This example shows our SSL VHosts, it includes a sample for configuring
+ [[http://www.modrails.com/|mod_passenger]] as well as authentication:
+ 
  {{{
  LoadModule passenger_module 
/var/lib/gems/1.8/gems/passenger-2.2.2/ext/apache2/mod_passenger.so
  PassengerRoot /var/lib/gems/1.8/gems/passenger-2.2.2
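Review bot: "Please refer open_basedir documentation" → "Please refer to the open_basedir documentation", "an unique" → "a unique". The diff/diff3 remark is the right warning but should state the rule behind it: open_basedir entries are prefixes unless they end in a slash, so `/srv/web/omfzd.tld/www/` denotes a directory while `/usr/bin/diff` also admits `/usr/bin/diff3` and any other file whose name starts that way; a directory entry always needs the trailing slash. Also worth noting that `php_admin_value` (rather than `php_value`) is deliberate, since it stops the application from widening open_basedir through `.htaccess` or `ini_set()`.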
@@ -243, +319 @@

      </Location>
  </VirtualHost>
  }}}
- Firs of all, the {{{ServerName}}} in this case is of course 
{{{https://insecure.org:443}}}, but even that doesn't help much with some 
applications ([[http://www.redmine.org/|Redmine]] in this case).
- We thus set: 
+ 
+ Again the {{{ServerName}}} is {{{https://insecure.org:443}}}. Because even 
that doesn't help
+ much with some applications ([[http://www.redmine.org/|Redmine]] in this 
case), we set:
+ 
  {{{
          RequestHeader set X_FORWARDED_PROTO 'https'
  }}}
+ 
+ '''in the frontend''' (because I thought it's a more appropriate place) as 
suggested
- '''in the frontend''' (because I thought it's a more appropriate place) as 
suggested by their 
[[http://www.redmine.org/wiki/1/FAQ#Why-does-Redmine-use-http-links-when-I-want-it-to-use-https-links-in-Apache-SSL|FAQ]].
+ by their 
[[http://www.redmine.org/wiki/1/FAQ#Why-does-Redmine-use-http-links-when-I-want-it-to-use-https-links-in-Apache-SSL|FAQ]].
  
- As the comments suggest, we disable mod_passenger for the Server Context. We 
only want it where we need it, in this case in {{{<Location /projects>}}}.
+ As the comments suggest, we disable mod_passenger for the Server Context.
+ We only want it where we need it, in this case in {{{<Location /projects>}}}.
  
- And finally we can see that authentication requests can be required from the 
backend. The frontend will transparently put it through to the clients browsing 
your website.
+ And finally we can see that authentication requests can be required from the 
backend.
+ The frontend will transparently put it through to the clients browsing your 
website.
  
- On the otherhand, if you have a backend which doesn't know how to deal 
authentication, but needs protection, you could do the authentication in the 
frontend.
+ On the otherhand, if you have a backend which doesn't know how to deal with 
authentication,
+ but needs protection, you can do the authentication in the frontend.
  
- == Further Discussion ==
- Questions?
  
- I should probably provide the script I use to start the backends. Which is 
essentially a wrapper {{{sudo}}} wrapper.
+ == Automation with mod_macro ==
  
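Review bot: "you can do the authentication in the frontend" needs a caveat that follows from this very config: the backends listen on 127.0.0.1:800x, so any process on the host, including a compromised sibling backend running as another unprivileged user, can open http://127.0.0.1:8003/ directly and skip whatever the frontend enforces. Frontend-side authentication only holds if the backend ports are additionally restricted (a loopback firewall rule that admits only the frontend's user, e.g. iptables `-m owner` on Linux), and that should be said here. Also "On the otherhand" → "On the other hand", and the new `== Automation with mod_macro ==` heading is empty; until the samples land, keeping the removed note about the sudo-wrapper start script would serve readers better than a bare heading.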

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
