On Wed, Nov 23, 2011 at 3:41 PM, Ken Dreyer <[email protected]> wrote:

> On Wed, Nov 23, 2011 at 1:16 PM, Aaron Knister <[email protected]> wrote:
> > I've devised another approach, dropping the mpm-itk patches and using
> > suEXEC and fastcgi for php instead.
>
> I'm trying to research the same problem, but I haven't come up with a
> working solution yet. I'm using mod_php, and I'd really like to move
> to FastCGI for more safety / flexibility.
>
> > The one piece to the puzzle that I'm missing is having fastcgi
> > obtain AFS tokens. Because the fastcgi processes aren't spawned by the
> > httpd worker handling the request waklog isn't able to pass along any
> > credentials.
>
> Are you using mod_fcgid? Looking over
> https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html , I was planning
> to make the FcgidWrapper script run aklog (well, with k5start), and
> use a slightly different FcgidWrapper for each vhost.
>

I've been testing with mod_fcgid. The module itself works well, but as far
as I can tell the wrapper script is executed by suexec, meaning that the
uid/gid assigned to each vhost has to be able to read a keytab with its
credentials. This could be achieved by splitting out the keytab on a
per-vhost basis, but I'm not keen on the idea of users being able to access
the keytabs containing their site credentials. It seems like that's not
something I'd want to disclose, but perhaps it isn't that big of a deal.
What do you think?


>
> I'm really only beginning to look into it, so I'd like to hear about
> setups at other sites. There was a presentation at the European AFS
> conference recently where one of the sites provides isolation by
> running entirely separate Apache daemons... and I guess they use
> mod_proxy to tie them all together? For my site, that would be a bit
> painful for a few reasons, but that does sound like a solution that
> "works".
>
>
That does sound like a headache to configure and manage, but maybe it is a
viable solution.


> - Ken
>



-- 
Aaron Knister
Systems Administrator
Division of Information Technology
University of Maryland, Baltimore County
[email protected]
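
The per-vhost wrapper idea discussed in this thread, as an added example that is not code from either poster: an FcgidWrapper script that refuses a keytab readable by anyone other than the vhost's own uid, then starts PHP under k5start with aklog. The keytab directory layout, the `php-cgi` path, the installed name `php-fcgi-wrapper` and the function names are assumptions; the vhost uid itself can still read its keytab, which is the trade-off raised above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values (override via environment):
KEYTAB="${KEYTAB:-/etc/httpd/keytabs/$(id -un).keytab}"   # hypothetical per-vhost layout
PHP_CGI="${PHP_CGI:-/usr/bin/php-cgi}"                    # assumed interpreter path

# Succeeds only if $1 is a regular file (not a symlink), owned by the
# current uid, with no group/other permission bits and no setuid/sticky bits.
keytab_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    owner=$(stat -c %u "$1") || return 1     # GNU/BusyBox stat syntax
    mode=$(stat -c %a "$1") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        [0-7]00) return 0 ;;                 # e.g. 400 or 600
        *)       return 1 ;;                 # 640, 644, 4600, ...
    esac
}

# Validate the keytab, then replace this process with k5start, which
# authenticates, runs aklog and executes the FastCGI interpreter.
run_wrapper() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing keytab $KEYTAB: wrong type, owner or mode" >&2
        return 1
    fi
    # -f keytab file, -U take the principal from the keytab,
    # -t run aklog to obtain AFS tokens, -q quiet
    exec k5start -q -t -U -f "$KEYTAB" -- "$PHP_CGI" "$@"
}

# Act only when invoked under the installed wrapper name (assumed name),
# so the functions above can be sourced and checked without side effects.
case "$0" in
    *php-fcgi-wrapper*) run_wrapper "$@" ;;
esac
```

Each vhost would point its FcgidWrapper directive at a copy or link of this script, with suexec supplying the vhost uid that the ownership check compares against.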
