Adding Apache vhosts on evil.badthin.gs


Andrew Harris

Sep 21, 2013, 3:24:54 PM
to atxhs-ne...@googlegroups.com
Prompted by some questions by Jon Kelly, I thought I'd write something up on this so that it's common knowledge on how to add virtualhosts to the server that hosts all the ATX Hackerspace sites. So here it is.

Our LAMP stack on evil.badthin.gs is a FastCGI (mod_fcgid) + suexec configuration, meaning that each site's PHP scripts run as that site's own Unix user rather than as 'apache'. For example, http://everhack.blog.atxhackerspace.org/ runs as the 'everhack' user, our helpdesk runs as 'atxhelpdesk', and our store and wiki run as the 'atxhs' user. This limits the blast radius of a compromise: if everhack's blog gets compromised via an out-of-date WordPress plugin, the attacker is running as 'everhack' and our store and wiki are not affected.

So say we want to add a vhost for "dicks.stalinplayschesswithsheep.com". First, we will need to create the user that we want to run the scripts as. I will create this as 'dicks'.

[root@evil ~]# adduser dicks

Next we want to generate the vhost config for this site. The vhosts are included from /etc/httpd/conf/vhosts/ upon startup.

[root@evil ~]# grep '^Include' /etc/httpd/conf/httpd.conf
Include conf.d/*.conf
Include conf/vhosts/*.conf
[root@evil ~]# 

So we'll create /etc/httpd/conf/vhosts/dicks.stalinplayschesswithsheep.com.conf.not, so that we can work on it without it being included until we're ready to rename it to dicks.stalinplayschesswithsheep.com.conf.

<VirtualHost 67.23.240.248:80>
    ServerAdmin r...@badthin.gs
    ServerName dicks.stalinplayschesswithsheep.com
    ServerAlias www.dicks.stalinplayschesswithsheep.com
    DocumentRoot /var/www/vhosts/dicks.stalinplayschesswithsheep.com/

    CustomLog /var/log/httpd/vhosts/dicks.stalinplayschesswithsheep.com/access_log combined
    ErrorLog /var/log/httpd/vhosts/dicks.stalinplayschesswithsheep.com/error_log

    <IfModule mod_fcgid.c>
        SuexecUserGroup dicks dicks
        <Directory /var/www/vhosts/dicks.stalinplayschesswithsheep.com/>
            Options +ExecCGI
            AllowOverride All
            AddHandler fcgid-script .php
            FCGIWrapper /var/www/cgi-bin/dicks/php.fcgi
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
</VirtualHost>

You can use this as a template, but please be sure to change the IP. We have four IPs available on this server, and I've been using 67.23.240.238 for the ATXHS sites. Also change these directives:

DocumentRoot
ServerName
ServerAlias
CustomLog
ErrorLog
SuexecUserGroup
Directory
FCGIWrapper

Make the modifications according to the same conventions that we use for the other vhosts. SuexecUserGroup will be the user we created earlier; ServerName will be the hostname for this vhost; ServerAlias will be any aliases we want to tack on (for example, www., or atxhs.org/atxhs.coop/atxhackerspace.org/atxdickspace.dicks). DocumentRoot, CustomLog, ErrorLog, and FCGIWrapper should be updated accordingly, and the DocumentRoot path must also be the one named in the <Directory> block. One caveat: SuexecUserGroup and the fcgid handler both live inside <IfModule mod_fcgid.c>, so if that module is ever missing (say, after a package change) the whole block is silently skipped and .php would be served by whatever other handler is loaded, or as plain text; "httpd -M" will confirm that fcgid_module and suexec_module are loaded. Now create the paths so that this thing can actually work, and change permissions where required:

mkdir -p /var/www/vhosts/dicks.stalinplayschesswithsheep.com/ /var/log/httpd/vhosts/dicks.stalinplayschesswithsheep.com/
chown dicks. /var/www/vhosts/dicks.stalinplayschesswithsheep.com/

[root@evil ~]# ls -ld /var/www/vhosts/dicks.stalinplayschesswithsheep.com/ /var/log/httpd/vhosts/dicks.stalinplayschesswithsheep.com/
drwxr-xr-x 2 root  root  4096 Sep 20 20:26 /var/log/httpd/vhosts/dicks.stalinplayschesswithsheep.com/
drwxr-xr-x 2 dicks dicks 4096 Sep 20 20:34 /var/www/vhosts/dicks.stalinplayschesswithsheep.com/
[root@evil ~]#

Note that the log directory stays owned by root: httpd opens its logs as root before handing requests to the children, and the site user has no business being able to write or truncate them. The last step is to create the wrapper script to make PHP/FastCGI work. This is very simple:

[root@evil cgi-bin]# ll
total 32
drwxr-xr-x 2 atxhelpdesk atxhelpdesk 4096 Mar 15  2013 atxhelpdesk
drwxr-xr-x 2 atxhs       atxhs       4096 Jan  5  2013 atxhs
drwxr-xr-x 2 atxhswp     atxhswp     4096 Jan  5  2013 atxhswp
drwxr-xr-x 2 everhack    everhack    4096 Mar 15  2013 everhack
drwxr-xr-x 2 fauxfur     fauxfur     4096 Dec 24  2012 fauxfur
drwxr-xr-x 2 itwiki      itwiki      4096 Jan 19  2013 itwiki
drwxr-xr-x 2 testsmf     testsmf     4096 Jan 12  2013 testsmf
[root@evil cgi-bin]# ll everhack/
total 4
-rwxr-xr-x 1 everhack everhack 116 Mar 15  2013 php.fcgi
[root@evil cgi-bin]# cat everhack/php.fcgi 
#!/bin/sh
PHPRC=/etc
export PHPRC
export PHP_FCGI_MAX_REQUESTS=500
export PHP_FCGI_CHILDREN=4
exec /usr/bin/php-cgi
[root@evil cgi-bin]# 

This wrapper script is what makes suexec work, and it also allows us to set the PHP configuration to something else (for example, if a certain script requires a higher memory_limit in PHP than what I have set globally, which is 128M). You'll also notice that we can set the max FastCGI children and max number of requests each child process will serve in here, though I have not had to do this for anything yet. So let's just copy what's working for everyone else and modify the permissions as necessary.

cp -vR atxhs dicks
chown -vR dicks. dicks

[root@evil cgi-bin]# ll -a dicks
total 12
drwxr-xr-x  2 dicks dicks 4096 Sep 20 20:23 .
drwxr-xr-x 10 root  root  4096 Sep 20 20:23 ..
-rwxr-xr-x  1 dicks dicks  116 Sep 20 20:23 php.fcgi
[root@evil cgi-bin]# 

Now let's go back to our vhost config, move it back in place and see what happens.

[root@evil cgi-bin]# cd /etc/httpd/conf/vhosts/
[root@evil vhosts]# mv dicks.stalinplayschesswithsheep.com.conf.not dicks.stalinplayschesswithsheep.com.conf
[root@evil vhosts]# service httpd configtest
Syntax OK
[root@evil vhosts]# 

If configtest returns "Syntax OK", then proceed to run "service httpd graceful", and then make sure that the sites are still up. If you see any syntax errors, or anything other than "Syntax OK", rename the file back to .conf.not and figure out what went wrong; configtest only parses the config on disk, so the running server keeps serving from the old config in the meantime.

Please always use configtest if you are making a change, as it serves as an early warning if anything is fucked up.

[root@evil vhosts]# echo "dicks" >> dicks.stalinplayschesswithsheep.com.conf 
[root@evil vhosts]# service httpd configtest
Syntax error on line 22 of /etc/httpd/conf/vhosts/dicks.stalinplayschesswithsheep.com.conf:
Invalid command 'dicks', perhaps misspelled or defined by a module not included in the server configuration
[root@evil vhosts]# 

Please also use graceful when actually restarting, for two reasons. One, it lets each Apache child finish its current request before being replaced by a child running the updated config, so there is less disruption than bouncing the service entirely. Two, apachectl runs a configtest first and refuses to restart anything until the config passes, so a broken config cannot take the site down (in the output below, the old children are still serving).

[root@evil vhosts]# service httpd graceful
apachectl: Configuration syntax error, will not run "graceful":
Syntax error on line 22 of /etc/httpd/conf/vhosts/dicks.stalinplayschesswithsheep.com.conf:
Invalid command 'dicks', perhaps misspelled or defined by a module not included in the server configuration
[root@evil vhosts]# ps fauxww | grep httpd
root      3333  0.0  0.0 182572  6924 ?        Ss   Aug17   1:19 /usr/sbin/httpd.worker
apache    8413  0.0  0.0 182572  3756 ?        S    Sep20   0:00  \_ /usr/sbin/httpd.worker
apache    8415  0.0  0.1 2165232 16724 ?       Sl   Sep20   0:03  \_ /usr/sbin/httpd.worker
apache    8418  0.0  0.1 2165232 16656 ?       Sl   Sep20   0:03  \_ /usr/sbin/httpd.worker
apache    8498  0.0  0.1 2165232 17452 ?       Sl   Sep20   0:03  \_ /usr/sbin/httpd.worker
root     13717  0.0  0.0 103244   816 pts/0    S+   15:20   0:00  |       \_ grep httpd
[root@evil vhosts]# 

[root@evil vhosts]# sed -i '/^dicks$/d' dicks.stalinplayschesswithsheep.com.conf 
[root@evil vhosts]# service httpd configtest
Syntax OK
[root@evil vhosts]# service httpd graceful
[root@evil vhosts]# 

So, configtest then graceful. 

And that's it! Any questions, please ask me.
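The procedure above, scripted end to end as an added example (this is not from the original post or from the ATXHS server): it lays out the user-owned docroot, the root-owned log directory, the per-user php.fcgi wrapper and the staged .conf.not file, checks the rules suexec enforces on the wrapper before it will execute it (under the compiled-in document root, /var/www on this build; owned by the target user; neither the wrapper nor its directory group/world writable), and only renames the config into place if configtest passes. The ROOT and HTTPD_CTL variables, the admin-address argument and the check_wrapper/new_vhost/enable_vhost names are this script's own assumptions; it uses GNU stat.

```shell
#!/bin/sh
# Added example, not part of the original post: scripts the manual procedure
# (user-owned docroot, root-owned log dir, per-user php.fcgi wrapper, staged
# .conf.not vhost file, configtest-then-graceful) and checks the ownership and
# mode rules suexec applies to the wrapper. ROOT (assumption) lets the whole
# thing be dry-run under a scratch directory; HTTPD_CTL (assumption) is the
# command used for configtest/graceful.

ROOT="${ROOT:-}"
HTTPD_CTL="${HTTPD_CTL:-service httpd}"

# Emit the vhost config for USER HOST IP ADMIN, following the post's template
# plus the ServerName/ServerAlias lines the post says to fill in.
vhost_conf() {
    cat <<EOF
<VirtualHost $3:80>
    ServerAdmin $4
    ServerName $2
    ServerAlias www.$2
    DocumentRoot /var/www/vhosts/$2/

    CustomLog /var/log/httpd/vhosts/$2/access_log combined
    ErrorLog /var/log/httpd/vhosts/$2/error_log

    <IfModule mod_fcgid.c>
        SuexecUserGroup $1 $1
        <Directory /var/www/vhosts/$2/>
            Options +ExecCGI
            AllowOverride All
            AddHandler fcgid-script .php
            FCGIWrapper /var/www/cgi-bin/$1/php.fcgi
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
</VirtualHost>
EOF
}

# The per-user wrapper, as shown in the post.
php_wrapper() {
    cat <<'EOF'
#!/bin/sh
PHPRC=/etc
export PHPRC
export PHP_FCGI_MAX_REQUESTS=500
export PHP_FCGI_CHILDREN=4
exec /usr/bin/php-cgi
EOF
}

# The checks suexec makes before running a wrapper: path under its document
# root (/var/www on this build), wrapper and its directory owned by the target
# user, and neither group/world writable. Returns 1 and prints each failure.
check_wrapper() {
    user=$1 wrapper=$2 rc=0
    case $wrapper in
        "$ROOT"/var/www/*) ;;
        *) echo "FAIL: $wrapper is outside /var/www"; rc=1 ;;
    esac
    for p in "$(dirname "$wrapper")" "$wrapper"; do
        [ "$(stat -c %U "$p")" = "$user" ] ||
            { echo "FAIL: $p not owned by $user"; rc=1; }
        case $(stat -c %a "$p") in
            *[2367]?|*[2367]) echo "FAIL: $p is group/world writable"; rc=1 ;;
        esac
    done
    [ -x "$wrapper" ] || { echo "FAIL: $wrapper not executable"; rc=1; }
    return $rc
}

# Lay out docroot, log dir, wrapper and a staged .conf.not for USER HOST IP
# ADMIN under $ROOT. Ownership is applied only when running as root and the
# user exists; the log dir is deliberately left owned by root. Prints the
# path of the staged config.
new_vhost() {
    user=$1 host=$2
    docroot="$ROOT/var/www/vhosts/$host"
    logdir="$ROOT/var/log/httpd/vhosts/$host"
    cgidir="$ROOT/var/www/cgi-bin/$user"
    conf="$ROOT/etc/httpd/conf/vhosts/$host.conf.not"
    mkdir -p "$docroot" "$logdir" "$cgidir" "$(dirname "$conf")"
    vhost_conf "$user" "$host" "$3" "$4" > "$conf"
    php_wrapper > "$cgidir/php.fcgi"
    chmod 755 "$docroot" "$logdir" "$cgidir" "$cgidir/php.fcgi"
    if [ "$(id -u)" = 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:$user" "$docroot" "$cgidir"
    fi
    printf '%s\n' "$conf"
}

# Rename the staged file into place, configtest, then graceful. If configtest
# fails, put the .not suffix back so httpd never loads the bad config.
enable_vhost() {
    live=${1%.not}
    mv "$1" "$live"
    if $HTTPD_CTL configtest; then
        $HTTPD_CTL graceful
    else
        mv "$live" "$1"
        return 1
    fi
}
```

On the real box this would be run as root with ROOT unset, e.g. `conf=$(new_vhost dicks dicks.stalinplayschesswithsheep.com 67.23.240.248 admin@example.com)`, then `check_wrapper dicks /var/www/cgi-bin/dicks/php.fcgi && enable_vhost "$conf"`. The check matters because suexec silently refuses a wrapper that fails these rules and only records why in /var/log/httpd/suexec.log; `suexec -V` prints the compiled-in limits (AP_DOC_ROOT, AP_UID_MIN, AP_LOG_EXEC) if the server differs from the RHEL defaults assumed here.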