I am new to working with systemd and services on Ubuntu/Debian. I'm trying to serve multiple sites on the same Apache2.
viktor@viktor-i7-7700k:~$ ls -la /etc/apache2/
total 96
drwxr-xr-x 8 root root 4096 fev 3 16:13 .
drwxr-xr-x 133 root root 12288 fev 3 16:13 ..
-rw-r--r-- 1 root root 7224 ago 12 18:33 apache2.conf
drwxr-xr-x 2 root root 4096 fev 3 16:13 conf-available
drwxr-xr-x 2 root root 4096 fev 3 16:13 conf-enabled
-rw-r--r-- 1 root root 1782 jul 16 2019 envvars
-rw-r--r-- 1 root root 31063 jul 16 2019 magic
drwxr-xr-x 2 root root 12288 fev 3 16:13 mods-available
drwxr-xr-x 2 root root 4096 fev 3 16:13 mods-enabled
-rw-r--r-- 1 root root 320 jul 16 2019 ports.conf
drwxr-xr-x 2 root root 4096 fev 3 16:13 sites-available
drwxr-xr-x 2 root root 4096 fev 3 16:13 sites-enabled
I need to configure three server instances to listen on ports 8081, 8082, and 8083 respectively. For example, on visiting http://host1.com:8081, http://host2.com:8082 and http://host3.com:8083, the HTML pages at /var/mysites/host1/index.html, /var/mysites/host2/index.html and /var/mysites/host3/index.html respectively should be rendered by default. Also, we should be able to start, stop and restart the Apache server using the following commands:
sudo apache2ctl-host1 start; sudo apache2ctl-host2 start; sudo apache2ctl-host1 start;
sudo apache2ctl-host1 stop; sudo apache2ctl-host2 stop; sudo apache2ctl-host1 stop;
sudo apache2ctl-host1 restart; sudo apache2ctl-host2 restart; sudo apache2ctl-host1 restart;
To test my instances, these conditions were required:
The Apache2 webserver installation is verified by running the dpkg --get-selections | grep apache2 command.
The server instances are started by running sudo apache2ctl-host1 start; sudo apache2ctl-host2 start; sudo apache2ctl-host3 start;
The port is verified by running the sudo lsof -i:8081 | grep apache2, sudo lsof -i:8082 | grep apache2 and sudo lsof -i:8083 | grep apache2 commands.
The HTML content is fetched by running the curl host1.com:8081, curl host2.com:8082 and curl host3.com:8083 commands.
The page must not be a 403 or 404 error page, i.e., the following commands must exit with a non-zero code:
curl host1.com:8081 | grep 403\ Forbidden
curl host1.com:8082 | grep 403\ Forbidden
curl host1.com:8083 | grep 403\ Forbidden
curl host1.com:8081 | grep 404\ Not \ Found
curl host1.com:8082 | grep 404\ Not \ Found
curl host3.com:8083 | grep 404\ Not \ Found
Also, the HTML files /var/save/mysites/host1/index.html, /var/save/mysites/host2/index.html and /var/save/mysites/host3/index.html and the rendered HTML files should be exactly the same.
You should just use one Apache and configure it to listen on 3 (or more) different ports using the "Listen" option:
Listen 10080
Listen 10443
Listen 20080
Listen 20443
Then you can configure any virtualhost you need, to respond on a specific port:
<VirtualHost *:10080>
    ServerName aDomain.com
    # Other conf
</VirtualHost>
<VirtualHost *:10443>
    ServerName anotherDomain.com
    # Other conf
</VirtualHost>
<VirtualHost *:20080>
    ServerName aThirdOne.Domain.io
    # Other conf
</VirtualHost>
<VirtualHost *:20443>
    ServerName another.Domainof.any.kind
    # Other conf
</VirtualHost>
More details and configuration options can be found on the official documentation: https://httpd.apache.org/docs/2.4/vhosts/examples.html
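As an added example (not code from the answer above), a small Python helper that renders the single-instance Listen/VirtualHost layout described above for the three sites in the question, and checks a config for VirtualHost ports that no Listen directive opens, the usual reason one of several vhosts answers with "connection refused". The Require all granted block is an addition: Apache 2.4 denies access to a DocumentRoot outside the packaged /var/www by default, which is exactly the 403 the question's tests look for. Site names and paths come from the question; the function names are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the question: site name -> (port, document root).
SITES: Dict[str, Tuple[int, str]] = {
    "host1.com": (8081, "/var/mysites/host1"),
    "host2.com": (8082, "/var/mysites/host2"),
    "host3.com": (8083, "/var/mysites/host3"),
}

def render_config(sites: Dict[str, Tuple[int, str]]) -> str:
    """One Apache instance: a Listen per port plus one <VirtualHost> per site.
    The <Directory> block grants access to a docroot outside /var/www, which
    Apache 2.4 otherwise refuses with 403 (the error the question tests for)."""
    lines = [f"Listen {port}" for port, _ in sites.values()]
    for name, (port, docroot) in sites.items():
        lines += [
            f"<VirtualHost *:{port}>",
            f"    ServerName {name}",
            f"    DocumentRoot {docroot}",
            f"    <Directory {docroot}>",
            "        Require all granted",
            "    </Directory>",
            "</VirtualHost>",
        ]
    return "\n".join(lines) + "\n"

# Listen may carry an address: "Listen 8081", "Listen 10.0.0.1:8081", "Listen [::1]:8081".
LISTEN_RE = re.compile(r"^\s*Listen\s+(?:\S+:)?(\d+)", re.IGNORECASE | re.MULTILINE)
# The argument list of every <VirtualHost ...> opening tag, and the ports inside it.
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]*)>", re.IGNORECASE | re.MULTILINE)
PORT_RE = re.compile(r":(\d+)(?:\s|$)")

def vhost_ports(config: str) -> List[int]:
    """All ports named by <VirtualHost> tags, in file order (duplicates kept)."""
    ports: List[int] = []
    for args in VHOST_RE.findall(config):
        ports += [int(p) for p in PORT_RE.findall(args)]
    return ports

def unlistened_vhost_ports(config: str) -> List[int]:
    """Ports a <VirtualHost> uses that no Listen directive opens: Apache
    starts fine but never accepts on them, so that site is unreachable."""
    listening = {int(p) for p in LISTEN_RE.findall(config)}
    return sorted({p for p in vhost_ports(config) if p not in listening})

if __name__ == "__main__":
    cfg = render_config(SITES)
    print(cfg)
    print("vhost ports without Listen:", unlistened_vhost_ports(cfg))
```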
I am in the group root, which owns a file and all the directories above it. Why do I have no access to this file? (CentOS 7)
$ ls /etc/systemd/system | grep parts.service
ls: cannot access /etc/systemd/system/parts.service: Permission denied
-????????? ? ? ? ? ? parts.service
With SUDO:
$ sudo ls /etc/systemd/system | grep parts.service
-rw-rw-rw- 1 root root 563 Feb 13 09:59 parts.service
Checking for an ACL:
$ sudo getfacl /etc/systemd/system/parts.service
getfacl: Removing leading '/' from absolute path names
# file: etc/systemd/system/parts.service
# owner: root
# group: root
user::rw-
group::rw-
other::rw-
My groups:
$ groups
root wheel docker poweruser
Parent directories:
drwxr-xr-x 155 root root 12288 Jul 17 09:04 etc/
drwxr-xr-x 4 root root 151 Nov 11 2019 systemd/
drw-rw-r-- 19 root root 4096 Jun 19 18:14 system/
sudo is used to verify that you are the user you are logged in as. You can access root files with your user, but you have to tell your PC that you want to access files from the root group.
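To see what the ls output in the question shows, here is an added Python model (not code from the question or the answer) of the per-component Unix permission check: every directory on the path needs the search (x) bit for the caller's class, and only one class (owner, else group, else other) is consulted. The caller "alice" is a constructed placeholder whose groups match the question's groups output; the modes, owners and groups are the ones printed in the question.

```python
from typing import Iterable, List, Optional, Tuple

Entry = Tuple[str, str, str, str]  # name, ls mode string, owner, group

# Taken from the question's ls output; the caller is a constructed user
# "alice" whose groups match the question's `groups` output.
PARENTS: List[Entry] = [
    ("etc", "drwxr-xr-x", "root", "root"),
    ("systemd", "drwxr-xr-x", "root", "root"),
    ("system", "drw-rw-r--", "root", "root"),
]
TARGET: Entry = ("parts.service", "-rw-rw-rw-", "root", "root")
USER, GROUPS = "alice", {"root", "wheel", "docker", "poweruser"}

def class_bits(entry: Entry, user: str, groups: Iterable[str]) -> str:
    """The rwx triple that applies to this caller. Unix picks exactly one
    class (owner, else group, else other) and never falls through, so a
    group triple of rw- is final no matter what other says. The name check
    for root stands in for uid 0, which bypasses these DAC bits entirely."""
    _, mode, owner, group = entry
    if user == "root":
        return "rwx"
    if user == owner:
        return mode[1:4]
    if group in set(groups):
        return mode[4:7]
    return mode[7:10]

def first_blocking_dir(parents: List[Entry], user: str, groups) -> Optional[str]:
    """First directory on the path without search (x) for this caller.
    Without x you cannot stat entries inside it, which is why ls prints the
    '-????????? ? ? ? ? ?' row: r on the directory lists names only."""
    for entry in parents:
        if "x" not in class_bits(entry, user, groups):
            return entry[0]
    return None

def can_read(parents: List[Entry], target: Entry, user: str, groups) -> bool:
    """Open-for-read succeeds only if every parent is searchable and the
    file itself grants r to the caller's class."""
    if first_blocking_dir(parents, user, groups) is not None:
        return False
    return "r" in class_bits(target, user, groups)

def fixed(parents: List[Entry], name: str, mode: str) -> List[Entry]:
    """Copy of the path with one directory's mode replaced, to test a fix."""
    return [(n, mode if n == name else m, o, g) for n, m, o, g in parents]

if __name__ == "__main__":
    print(first_blocking_dir(PARENTS, USER, GROUPS))      # system
    print(can_read(PARENTS, TARGET, USER, GROUPS))        # False
    print(can_read(PARENTS, TARGET, "root", {"root"}))    # True (what sudo gets)
```

The mode -rw-rw-rw- on parts.service deserves attention as well: a world-writable unit under /etc/systemd/system lets any local account change a service that systemd runs as root.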
I have a folder in /media on Ubuntu, shared from Windows via fstab and cifs-utils. Can I share this folder with another user, "miki" (not root)?
root@localhost:/media#
drwxr-xrwx 4 root root 4096 Nov 15 12:21 .
drwxr-xr-x 23 root root 4096 Nov 14 06:34 ..
drwxr-xr-x 2 padm root 0 Nov 15 09:34 Archive
drwxr-xrwx 2 root root 4096 Feb 25 2019 kekik
I have tried with:
root@localhost:~# sudo chmod -R 757 /media/Archive/
but get:
chmod: changing permissions of '/media/Archive/': Permission denied
Found a solution:
I need to modify /etc/fstab by changing:
//windowsServer/Archive /media/Archive cifs username=wundowsuser,password=somepass,uid=1000,iocharset=iso8859-1,rw,file_mode=0777,dir_mode=0777,vers=1.0 0 0
and change the group of the folder (must unmount it first!):
sudo umount -l /media/Archive
sudo chown miki:miki /media/Archive/
It's a CentOS 6 box running an Apache server and a vsftpd server. The problem is not about the connection, it's about displaying the folder from the local_root directory.
Here is /etc/vsftpd/vsftpd.conf :
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this ou$
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you w$
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do AS$
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
## Heading ##
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
chroot_local_user=YES
local_root=/var/www
user_sub_token=$USER
Here is the ls -l output in the / folder:
[root@daniel /]# ls -l
total 98
dr-xr-xr-x. 2 root root 4096 2015-05-14 04:43 bin
dr-xr-xr-x. 5 root root 1024 2015-05-12 15:33 boot
drwxr-xr-x. 20 root root 3820 2015-06-05 02:30 dev
drwxr-xr-x. 103 root root 12288 2015-06-05 03:03 etc
drwxr-xr-x. 5 root root 4096 2015-05-08 06:54 home
dr-xr-xr-x. 11 root root 4096 2015-05-08 05:13 lib
dr-xr-xr-x. 9 root root 12288 2015-06-04 03:25 lib64
drwx------. 2 root root 16384 2015-05-08 04:13 lost+found
drwxr-xr-x. 2 root root 4096 2011-09-23 14:50 media
drwxr-xr-x. 2 root root 0 2015-06-05 02:29 misc
drwxr-xr-x. 2 root root 4096 2011-09-23 14:50 mnt
drwxr-xr-x. 2 root root 0 2015-06-05 02:29 net
drwxr-xr-x. 3 root root 4096 2015-05-08 05:13 opt
dr-xr-xr-x. 167 root root 0 2015-06-05 02:29 proc
dr-xr-x---. 10 root root 4096 2015-06-04 03:02 root
dr-xr-xr-x. 2 root root 12288 2015-05-24 03:34 sbin
drwxr-xr-x. 7 root root 0 2015-06-05 02:29 selinux
drwxr-xr-x. 2 root root 4096 2011-09-23 14:50 srv
drwxr-xr-x. 13 root root 0 2015-06-05 02:29 sys
drwxrwxrwt. 3 root root 4096 2015-06-05 03:28 tmp
drwxr-xr-x. 13 root root 4096 2015-05-08 05:04 usr
drwxr-xr-x. 22 root root 4096 2015-06-04 02:57 var
This folder is displayed in the browser or in an FTP connection (ftp 192.168.1.10), but /var/www is not :(.
Also, ls -l /var/www:
[root@daniel /]# ls -al /var/www
total 84
drwxrwxr-x+ 11 root root 4096 2015-06-04 05:32 .
drwxr-xr-x. 22 root root 4096 2015-06-04 02:57 ..
drwxrwxr-x+ 3 root root 4096 2015-05-22 06:09 site1.com
drwxrwxr-x+ 3 root root 4096 2015-05-22 05:30 site2.com
drwxrwxr-x+ 2 root root 4096 2015-06-02 05:59 cgi-bin
drwxrwxr-x+ 3 root root 4096 2015-05-20 05:55 error
drwxrwxr-x+ 2 root root 4096 2015-06-04 05:32 ftp
drwxrwxr-x+ 2 root root 4096 2015-05-22 03:55 html
drwxrwxr-x+ 3 root root 4096 2015-05-20 05:58 icons
drwxrwxr-x+ 3 root root 4096 2015-05-22 05:30 site3.com
drwxrwxr-x+ 2 root root 4096 2015-05-19 07:26 usage
And also the SELinux booleans for ftp:
[root@daniel /]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
Sorry for this overly long question, but I tried to expose all the details you need to solve this problem.
Thanks in advance for your help!
The solution to your problem is:
setsebool -P allow_ftpd_full_access=1
In your vsFTPD conf file:
• chroot_local_user=YES
• allow_writeable_chroot=YES
I'm using nginx and php5-fpm on a Debian system.
I want my server to serve like so:
ip/index.html serves the static html page (or files) at the nginx web root
and likewise, ip/somefile.php (or index.php) serves PHP through php-fpm
ip/~user/index.html serves the static html page (or files) in /home/user/public_html
and likewise, ip/~user/somefile.php (or index.php) serves PHP through php-fpm
(where ip is either an IPv4 or IPv6 address).
Here is my configuration for nginx:
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
server_name _;
root /usr/share/nginx/www;
index index.php index.html index.htm;
# Deny access to all dotfiles
location ~ /\. {
deny all;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
try_files $uri =404; # Prevents exploit
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
}
# Serve user directories
location ~ ^/~(.+?)(/.*)?$ {
alias /home/$1/public_html$2;
autoindex on;
}
}
And for php-fpm:
; Start a new pool named 'www'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses on a
; specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /var/run/php5-fpm.sock
; Set listen(2) backlog.
; Default Value: 128 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 128
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0666
;listen.owner = www-data
;listen.group = www-data
;listen.mode = 0666
; List of ipv4 addresses of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; ... and more that doesn't matter, just defaults
Both static files and PHP work in the nginx web root (ip/blah.html or ip/blah.php), and static files also work in user directories (ip/~user/blah.html); however, PHP gives a 404 in user directories.
Can someone help me fix my config?
Edit: some ls -la output in case it's a permission issue.
kvanb@pegasus:~$ ls -la
total 32
drwxr-xr-x 3 kvanb sudo 4096 Jan 4 04:04 .
drwxr-xr-x 6 root root 4096 Jan 4 01:36 ..
-rw------- 1 kvanb kvanb 570 Jan 4 02:54 .bash_history
-rw-r--r-- 1 kvanb sudo 220 Jan 4 01:36 .bash_logout
-rw-r--r-- 1 kvanb sudo 3392 Jan 4 01:36 .bashrc
-rw-r--r-- 1 kvanb sudo 675 Jan 4 01:36 .profile
drwxr-xr-x 2 kvanb sudo 4096 Jan 4 03:41 public_html
-rw------- 1 kvanb sudo 3303 Jan 4 04:04 .viminfo
kvanb@pegasus:~/public_html$ ls -la
total 20
drwxr-xr-x 2 kvanb sudo 4096 Jan 4 03:41 .
drwxr-xr-x 3 kvanb sudo 4096 Jan 4 04:04 ..
-rwxr-xr-x 1 kvanb sudo 21 Jan 4 03:40 index.php
-rwxr-xr-x 1 kvanb sudo 20 Jan 4 03:09 info.php
-rw-r--r-- 1 kvanb sudo 4 Jan 4 03:41 test.html
kvanb@pegasus:/usr/share/nginx/www$ ls -la
total 20
drwxr-xr-x 2 root root 4096 Jan 4 03:28 .
drwxr-xr-x 3 root root 4096 Jan 4 01:34 ..
-rw-r--r-- 1 root root 383 Jul 7 2006 50x.html
-rw-r--r-- 1 root root 151 Oct 4 2004 index.html
-rw-r--r-- 1 root root 20 Jan 4 03:28 info.php
You'll need to add this rule before the initial php one:
# Serve user directories php files
location ~ ^/~(.+?)(/.*\.php)$ {
alias /home/$1/public_html;
autoindex on;
include /etc/nginx/fastcgi_params;
try_files $2 =404; # Prevents exploit
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
}
This one matches all PHP files in the user directory, directing them through php-fpm. The PHP rule you have matches all these PHP files, but tries to find them in the wrong directory.
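As an added illustration (not the asker's or the answerer's code), a Python sketch of nginx's first-match rule for `~` regex locations: with the original order, /~kvanb/info.php is caught by the `\.php$` location and resolved against the server root, so `try_files $uri =404` finds nothing; with the answer's location placed first, the alias resolves it under public_html. The file set is constructed from the three ls listings in the question; the resolver function names are hypothetical.

```python
import re
from typing import Callable, List, Optional, Tuple

ROOT = "/usr/share/nginx/www"
# Constructed from the three ls listings in the question.
EXISTING = {
    f"{ROOT}/index.html", f"{ROOT}/info.php",
    "/home/kvanb/public_html/index.php", "/home/kvanb/public_html/info.php",
    "/home/kvanb/public_html/test.html",
}

Resolver = Callable[..., str]

def by_root(m, uri: str) -> str:
    """'root' semantics: the whole URI is appended to the document root."""
    return ROOT + uri

def by_alias(m, uri: str) -> str:
    """'alias /home/$1/public_html$2' semantics from the question's config."""
    return f"/home/{m.group(1)}/public_html{m.group(2) or ''}"

# nginx evaluates '~' regex locations in file order and stops at the first hit,
# so the position of the user-directory PHP block is the whole fix.
ORIGINAL: List[Tuple[str, Resolver]] = [
    (r"\.php$", by_root),              # location ~ \.php$
    (r"^/~(.+?)(/.*)?$", by_alias),    # location ~ ^/~(.+?)(/.*)?$
]
FIXED = [(r"^/~(.+?)(/.*\.php)$", by_alias)] + ORIGINAL   # answer's block first

def resolve(uri: str, locations) -> Tuple[Optional[str], str]:
    """(matching pattern, filesystem path) for the first regex that matches;
    a URI matched by no regex location falls back to the server root."""
    for pattern, resolver in locations:
        m = re.search(pattern, uri)
        if m:
            return pattern, resolver(m, uri)
    return None, ROOT + uri

def status(uri: str, locations, existing=EXISTING) -> int:
    """What 'try_files $uri =404' yields: 200 if the resolved file exists,
    otherwise 404 instead of handing a guessed path to php-fpm."""
    return 200 if resolve(uri, locations)[1] in existing else 404

if __name__ == "__main__":
    for uri in ("/info.php", "/~kvanb/info.php", "/~kvanb/test.html"):
        print(uri, "original:", status(uri, ORIGINAL), "fixed:", status(uri, FIXED))
```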
I came across this whilst trying to solve a similar problem. So I'll add the solution I found when I got to it. This was on Arch, but it is systemd related.
This solution is for my development machine, and for good reasons, you shouldn't run a public site from your /home folder.
I configured php-fpm and nginx to run as my user. Edit the following file, and remove the ProtectHome=true line
sudo vi /etc/systemd/system/multi-user.target.wants/php-fpm.service
Reload, and restart everything:
systemctl daemon-reload
systemctl restart nginx.service
systemctl restart php-fpm.service
Good day!
I have a Linux SFTP server located in a VM. This VM has access to a GlusterFS storage, where the SFTP directories are located. SFTP works via the OpenSSH server and chroots the sftpusers group to the SFTP directories on the GlusterFS storage. All worked well... At one point I got an issue...
Trying to create a user:
# useradd -d /mnt/cluster-data/repositories/masters/test-user -G masters,sftpusers -m -s /bin/nologin test-user
Checking:
# cat /etc/passwd | grep test-user
test-user:x:1029:1032::/mnt/cluster-data/repositories/masters/test-user:/bin/nologin
# cat /etc/group | grep test-user
masters:x:1000:test-user
sftpusers:x:1005:test-user
test-user:x:1032:
Doing chown and chmod for home dir by hand:
# chown -R test-user:test-user /mnt/cluster-data/repositories/masters/test-user
# chmod -R 770 /mnt/cluster-data/repositories/masters/test-user
Checking:
# ls -la /mnt/cluster-data/repositories/masters/test-user
итого 16
drwxrwx--- 2 test-user test-user 4096 Окт 27 2013 .
drwxr-xr-x 13 root masters 4096 Окт 27 2013 ..
Adding another user to test-user's group:
# usermod -G test-user -a tarasov-af
# cat /etc/passwd | grep tarasov-af
tarasov-af:x:1028:1006::/mnt/cluster-data/repositories/lecturers/tarasov-af/:/bin/nologin
# cat /etc/group | grep tarasov-af
masters:x:1000:tarasov-af,test-user
sftpusers:x:1005:tarasov-af,test-user
lecturers:x:1006:tarasov-af
specialists:x:1008:tarasov-af
test-user:x:1032:tarasov-af
Logging in as tarasov-af:
sftp> cd masters/test-user
sftp> ls
remote readdir("/masters/test-user"): Permission denied
sftp> ls -la ..
drwxr-xr-x 13 0 1000 4096 Oct 26 21:30 .
drwxr-xr-x 6 0 0 4096 Oct 2 15:53 ..
drwxrwx--- 2 1029 1032 4096 Oct 26 21:53 test-user
I tried to login as tarasov-af into bash (usermod -s /bin/bash tarasov-af):
$ id
uid=1028 gid=1006
groups=1000,1005,1006,1008,1032
P.S. I guess this issue began after the VM disk failed and /etc/passwd and /etc/group got broken; I restored them from backups and all previous accounts work well. I have this issue only with new accounts.
I've found the reason for this issue: user tarasov-af has more than 16 secondary groups; the first 15 groups work fine, the others don't. I've set kernel.ngroups_max = 65535 in sysctl.conf on every computer in the cluster (GlusterFS) and on the SFTP VM, but nothing changed.
This issue comes down to the glusterfs client: it can't handle more than 15 secondary groups.
# glusterfs --version
glusterfs 3.2.7 built on Sep 29 2013 03:28:05
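The diagnosis above (secondary groups beyond the first 15 not taking effect on the GlusterFS client) is easy to catch before a user runs into it. As an added example, not from the poster, a Python parser of /etc/group lines that counts each user's secondary groups and reports the ones past the cut-off, assuming they are taken in /etc/group file order. The five group lines come from the question; the grp* groups are constructed filler to push tarasov-af over the limit.

```python
from typing import Dict, List

GROUP_LIMIT = 15  # secondary groups that worked in the post; the rest were ignored

# Five lines from the question's /etc/group plus constructed filler groups
# so that tarasov-af ends up with 16 secondary groups.
GROUP_FILE = "\n".join(
    ["masters:x:1000:tarasov-af,test-user",
     "sftpusers:x:1005:tarasov-af,test-user",
     "lecturers:x:1006:tarasov-af",
     "specialists:x:1008:tarasov-af"]
    + [f"grp{i}:x:{2000 + i}:tarasov-af" for i in range(11)]   # constructed
    + ["test-user:x:1032:tarasov-af"]
) + "\n"

def secondary_groups(group_text: str) -> Dict[str, List[str]]:
    """user -> secondary groups, in /etc/group file order (assumed to be the
    order the supplementary group list is built in). Comments, blank lines
    and malformed lines are skipped."""
    members: Dict[str, List[str]] = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line
        name, userlist = fields[0], fields[3]
        for user in filter(None, userlist.split(",")):
            members.setdefault(user, []).append(name)
    return members

def dropped_groups(group_text: str, limit: int = GROUP_LIMIT) -> Dict[str, List[str]]:
    """Users with more than `limit` secondary groups, mapped to the groups
    past the cut-off: membership in those is not honoured, which surfaces as
    'Permission denied' on directories that only that group may enter."""
    return {u: g[limit:] for u, g in secondary_groups(group_text).items() if len(g) > limit}

if __name__ == "__main__":
    for user, lost in dropped_groups(GROUP_FILE).items():
        print(f"{user}: {len(secondary_groups(GROUP_FILE)[user])} groups, ignored: {lost}")
```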