Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The following page has been changed by slive: http://wiki.apache.org/httpd/Recipes/Different_UserIDs_Using_Reverse_Proxy The comment on the change is: Move some back-end discussion into a common section. ------------------------------------------------------------------------------ }}} to start each host. + == Running unprivileged back-end hosts == + + If you use unprivileged ports for the back-end hosts (for example, replacing 81 and 82 above with 8001 and 8002) then you may choose to start these hosts directly under the less-privileged userids (host1user and hos2user) in place of root. This will allow you to give complete control of these back-end servers to a different administrator. This other administrator could then edit httpd.conf and manage log files and server restarts without needing root privileges. You may also choose to run the back-end hosts in a chroot environment, in a FreeBSD jail, or under other restricted permissions (using SELinux, for example). + == Alternative Proxy Configuration == + If back-end hosts might be added and removed frequently, it could be helpful to be able to do this without modifying the configuration of the front-end server. 
Here is an example config that allows back-end hosts to be added and deleted by editing a simple text database: - As an alternative to the above, a single proxy server can be set up using - a very simple httpd.conf file, which does not need to be changed to add or delete user servers: {{{ + Listen 80 ProxyRequests Off ProxyPreserveHost On RewriteEngine On - # A dbm map might be better if you had a lot of hosts + # A dbm map might be better if you have more than a few dozen hosts RewriteMap host txt:/usr/local/etc/apache22/host_to_ip RewriteMap tolower int:tolower @@ -88, +92 @@ </Directory> }}} - To add or delete a user server, it's only necessary to edit the host_to_ip file, which might look like this: + To add or delete a user server, simply edit the host_to_ip file, which might look like this: {{{ foo.com 127.0.0.1:8000 www.foo.com 127.0.0.1:8000 - bar.com 127.0.0.1:8001 www.bar.com 127.0.0.1:8001 }}} + Because the {{{ProxyPreserveHost}}} directive is used in place of {{{ProxyPassReverse}}} in this configuration, you need to ensure that the back-end hosts use the following (which is the default): - Alternatively, each user apache server could be started on a different loopback interface. That works nicely with FreeBSD jails. - - The individual servers can be started as the target user/group, and even in a chroot environment; if they are listening on a high port, there is no need to start them as root. You need to make sure that they have unique PidFile, ScoreBoardFile and (if you're using it) LockFile settings; these can be relative to the ServerRoot which avoids having to change the basic httpd.conf prelude. They must also include: {{{ UseCanonicalName Off }}}
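Review bot: In the added "Running unprivileged back-end hosts" section, "hos2user" is a typo for "host2user" (it sits next to host1user in the same parenthesis). The paragraph removed at the end of this patch told readers to give each back-end a unique PidFile, ScoreBoardFile and LockFile, and the new section as shown here does not carry that over. Since the new text suggests handing each back-end to a separate non-root administrator, that requirement should stay in the common section unless it is already stated earlier on the page.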
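Review bot: The new sentence introducing UseCanonicalName Off says what the back-end hosts must use but not why, and a reader who has set UseCanonicalName On for other reasons cannot tell what will break. Suggest adding one clause: with ProxyPreserveHost On the back-end receives the client's original Host header, and with UseCanonicalName Off it builds redirects and other self-referential URLs from that header, which is what makes ProxyPassReverse unnecessary here. It would also help to say that each back-end's ServerName or ServerAlias should match the names listed in host_to_ip.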
