4

I followed Falco's tutorial and everything now works as expected for 2 users (e.g. john and alice) with their relevant directories (/var/www/john and /var/www/alice).

Now, I want to go to the next level: instead of defining different vhosts at /etc/apache2/sites-available/<username> and restarting Apache, I need dynamically configured mass virtual hosting (http://httpd.apache.org/docs/2.2/vhosts/mass.html). Say my DNS server has records for another.site.example.com; I want its home directory to be at /var/www/another.site/web.

The problem is all these configuration settings for suexec and mod_fcgid. I ended up with this draft of my httpd.conf (or should I create a file like /etc/apache2/sites-available/mass_virtual?):

NameVirtualHost *:80

#default virtual host
<VirtualHost *:80>
  ServerName www.example.com
  ServerAlias example.com
  ServerAdmin webmaster@example.com
  DocumentRoot /var/www/root/web/

  <IfModule mod_fcgid.c>
    SuexecUserGroup web-admin web-admin
    <Directory /var/www/root/web/>
      Options +ExecCGI
      Options -Indexes
      AllowOverride All
      AddHandler fcgid-script .php
      FCGIWrapper /var/www/php-fcgi-scripts/root/php-fcgi-starter .php
      Order allow,deny
      Allow from all
    </Directory>
  </IfModule>

  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

</VirtualHost>

#3rd-level subdomain virtual hosts
<VirtualHost *:80>
  UseCanonicalName Off
  ServerAlias *.example.com
  #problematic email!
  ServerAdmin webmaster@example.com
  #is this /var/www/another.site/web or /var/www/www.another.site/web for
  #a request for www.another.site.example.com ?
  VirtualDocumentRoot /var/www/%-3+/web

  <IfModule mod_fcgid.c>
    #problematic group and user!
    SuexecUserGroup web1 web1
    <Directory /var/www/*/web/>
      Options +ExecCGI
      Options -Indexes
      AllowOverride All
      AddHandler fcgid-script .php
      FCGIWrapper /var/www/php-fcgi-scripts/*/php-fcgi-starter .php
      Order allow,deny
      Allow from all
    </Directory>
  </IfModule>

  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

</VirtualHost>
  1. As you can see from the comments I have a problematic ServerAdmin webmaster@example.com, a SuexecUserGroup web1 web1 and a VirtualDocumentRoot /var/www/%-3+/web configuration!

  2. Moreover, to ensure security I think IfModule shouldn't exist: if mod_fcgid can't load then neither should the server, and

  3. instead of Allow from all, I think I should have Deny from all and open up a php-library directory instead!

  4. As I said, my intention is for a request for www.another.site.example.com to be directed to the user at /var/www/another.site/web, but as I've read at "Using suEXEC" we can call suexec without the SuexecUserGroup directive in VirtualHost definitions but with the help of mod_userdir! So, what if a request for www.another.site.example.com is transformed transparently to www.example.com/~another.site with the help of mod_rewrite and then mod_userdir is used to enable suexec?

Any ideas or directives that implement all these?

Thanks.

centurian
    I found the answer here: https://issues.apache.org/bugzilla/show_bug.cgi?id=49439 but as Witold Baryluk proposes I have to patch mod_suexec of Apache server! So, I still need some instructions for patching...! – centurian Sep 19 '12 at 08:49

1 Answer

2

In practice the dynamic vhost feature is not optimal, because you are not flexible enough (.htaccess is in some cases not enough). Use a script to generate the vhosts or use something like Puppet to define the vhosts (https://github.com/puppetlabs/puppetlabs-apache).

BTW: for your PHP setup I would use php-fpm (ondemand) with mod_proxy_fcgi or mod_fastcgi. With php-fpm you don't need suexec - every user gets his own port or socket.

ah83
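
The answer's suggestion to generate the vhosts with a script, sketched as an added example that is not part of the original answer. It emits one static vhost per site, each with its own SuexecUserGroup, using the directives and directory layout from the question's draft. The function names, the site-to-user mapping and the validation patterns are assumptions made for illustration.

```python
import re

# Directory layout taken from the question: /var/www/<site>/web and
# /var/www/php-fcgi-scripts/<site>/php-fcgi-starter. BASE_DOMAIN and the
# site-to-user mapping in __main__ are constructed sample values.
BASE_DOMAIN = "example.com"
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
USER = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

TEMPLATE = """<VirtualHost *:80>
  ServerName {site}.{base}
  ServerAlias www.{site}.{base}
  DocumentRoot /var/www/{site}/web
  SuexecUserGroup {user} {user}
  <Directory /var/www/{site}/web/>
    Options +ExecCGI -Indexes
    AllowOverride All
    AddHandler fcgid-script .php
    FCGIWrapper /var/www/php-fcgi-scripts/{site}/php-fcgi-starter .php
    Order allow,deny
    Allow from all
  </Directory>
  ServerSignature Off
</VirtualHost>
"""

def validate_site(site):
    """Accept only dot-separated DNS labels, so a site name can never
    contain '/', '..', whitespace or newlines that would alter the config."""
    if not all(LABEL.fullmatch(label) for label in site.split(".")):
        raise ValueError(f"unsafe site name: {site!r}")
    return site

def render_vhost(site, user):
    """Return one static vhost block with its own suEXEC user and group."""
    if not USER.fullmatch(user):
        raise ValueError(f"unsafe user name: {user!r}")
    return TEMPLATE.format(site=validate_site(site), base=BASE_DOMAIN, user=user)

def render_all(sites):
    """sites: dict of site name -> Unix user. Sorted so output diffs cleanly."""
    return "\n".join(render_vhost(s, u) for s, u in sorted(sites.items()))

if __name__ == "__main__":
    print(render_all({"another.site": "web1", "john": "john"}))
```

Because every site and user name is validated before it reaches the template, a malformed entry fails the generation run instead of ending up in a file Apache loads.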