WebFaction
Community site: login faq
1
1

This guide is for CentOS 6 servers. For CentOS 7, see this related guide.

Apache is installed at "/usr/sbin/httpd" and includes many modules, PHP support, etc.

I'd like to run a private instance of this server using my own "httpd.conf" file. Primarily, I want this to run under a separate SSH User account, served via a Custom Application (listening on port).

This is for security. If the application is hacked, the hacker would only gain access to that separate SSH user's home directory, and not everything else under my account.

This is different from the Granting Access to Specific Users documentation. It would be more secure, since in the same way one of the users I've granted access to could still make use of CGI processes running as my main user to execute a PHP Shell, in the same way a hacker could.

asked 13 Aug '13, 22:39

ryans ♦♦
5.0k93160
accept rate: 43%

edited 25 Dec '15, 08:42


This is easy to do. First create a Custom Application (listening on port) and an SSH user from the Control Panel. Hook the application up to a domain with a website record and allow some time for the changes to take effect. If all is well, you should see a "502 Bad Gateway" error at that domain.

The "502 Bad Gateway" error appears because Nginx is trying to proxy HTTP requests to your private apache instance, but you don't have a private apache instance (yet). But you will.

Also, since this example will demonstrate virtualhosting, I assume that you set up at least two different domains in the aforementioned website record, such as "www.domain1.com" and "www.domain2.com", which will map to "app1" and "app2" respectively. This definitely isn't required, but it makes for a better example.

In this example, we will assume that the extra SSH User we created has username "mysshuser", and that the port assigned by the Control Panel is "77777":

Extra SSH User's username:    mysshuser
Custom Application's PORT:    77777

In the examples below, you will want to replace these values with your own.

The first thing to do is to make a directory for the apache code itself. Then we need to create a location for the application data. I like to keep the "webapps" convention, and I'm going to create two such applications in order to clearly demonstrate how VirtualHosting works in our private "httpd.conf" file.

Here are the commands to get this all set up, complete with a sample "httpd.conf" file configured to serve these two applications on their respective domains.

PORT="77777"

DOMAIN1="www.domain1.com"
APP1="app1"

DOMAIN2="www.domain2.com"
APP2="app2"

cd $HOME
mkdir -p $HOME/logs/user
mkdir -p $HOME/private_apache
mkdir -p $HOME/webapps
mkdir -p $HOME/webapps/${APP1}
mkdir -p $HOME/webapps/${APP2}
cd $HOME/private_apache
mkdir -p bin conf logs
cd $HOME/private_apache/bin
cat << "EOF" > start
#!/bin/bash

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

exec /usr/sbin/httpd -f "$MYDIR/../conf/httpd.conf" -k start # -D FOREGROUND
EOF
cat << "EOF" > stop
#!/bin/bash

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

exec /usr/sbin/httpd -f "$MYDIR/../conf/httpd.conf" -k stop
EOF
cat << "EOF" > restart
#!/bin/bash

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

$MYDIR/stop
sleep 3
$MYDIR/start
EOF
chmod 755 start stop restart
cd $HOME/private_apache/conf
mkdir extra
cd $HOME/private_apache/conf/extra
cat << "EOF" > httpd-autoindex.conf
#
# Directives controlling the display of server-generated directory listings.
#
# Required modules: mod_autoindex, mod_alias
#
# To see the listing of a directory, the Options directive for the
# directory must include "Indexes", and the directory must not contain
# a file matching those listed in the DirectoryIndex directive.
#

#
# IndexOptions: Controls the appearance of server-generated directory
# listings.
#
IndexOptions FancyIndexing HTMLTable VersionSort

# We include the /__________wficons__________/ alias for FancyIndexed
# directory listings. If you do not use FancyIndexing, you may comment
# this out.
#
Alias /__________wficons__________/ "/var/www/icons/"

<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

#
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions.  These are only displayed for
# FancyIndexed directories.
#
AddIconByEncoding (CMP,/__________wficons__________/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/__________wficons__________/text.gif) text/*
AddIconByType (IMG,/__________wficons__________/image2.gif) image/*
AddIconByType (SND,/__________wficons__________/sound2.gif) audio/*
AddIconByType (VID,/__________wficons__________/movie.gif) video/*

AddIcon /__________wficons__________/binary.gif .bin .exe
AddIcon /__________wficons__________/binhex.gif .hqx
AddIcon /__________wficons__________/tar.gif .tar
AddIcon /__________wficons__________/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /__________wficons__________/compressed.gif .Z .z .tgz .gz .zip
AddIcon /__________wficons__________/a.gif .ps .ai .eps
AddIcon /__________wficons__________/layout.gif .html .shtml .htm .pdf
AddIcon /__________wficons__________/text.gif .txt
AddIcon /__________wficons__________/c.gif .c
AddIcon /__________wficons__________/p.gif .pl .py
AddIcon /__________wficons__________/f.gif .for
AddIcon /__________wficons__________/dvi.gif .dvi
AddIcon /__________wficons__________/uuencoded.gif .uu
AddIcon /__________wficons__________/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /__________wficons__________/tex.gif .tex
AddIcon /__________wficons__________/bomb.gif core

AddIcon /__________wficons__________/back.gif ..
AddIcon /__________wficons__________/hand.right.gif README
AddIcon /__________wficons__________/folder.gif ^^DIRECTORY^^
AddIcon /__________wficons__________/blank.gif ^^BLANKICON^^

#
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
#
DefaultIcon /__________wficons__________/unknown.gif

#
# AddDescription allows you to place a short description after a file in
# server-generated indexes.  These are only displayed for FancyIndexed
# directories.
# Format: AddDescription "description" filename
#
#AddDescription "GZIP compressed document" .gz
#AddDescription "tar archive" .tar
#AddDescription "GZIP compressed tar archive" .tgz

#
# ReadmeName is the name of the README file the server will look for by
# default, and append to directory listings.
#
# HeaderName is the name of a file which should be prepended to
# directory indexes. 
ReadmeName README.html
HeaderName HEADER.html

#
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing.  Shell-style wildcarding is permitted.
#
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
EOF
cd $HOME/private_apache/conf
cat << "EOF" > httpd.conf
LoadModule rpaf_module               /usr/lib/httpd/modules/mod_rpaf.so
LoadModule dav_module                /usr/lib64/httpd/modules/mod_dav.so
LoadModule dav_svn_module            /usr/lib64/httpd/modules/mod_dav_svn.so
LoadModule dav_fs_module             /usr/lib64/httpd/modules/mod_dav_fs.so
LoadModule authz_svn_module          /usr/lib64/httpd/modules/mod_authz_svn.so
LoadModule authz_host_module         /usr/lib64/httpd/modules/mod_authz_host.so
LoadModule authz_groupfile_module    /usr/lib64/httpd/modules/mod_authz_groupfile.so
LoadModule authz_owner_module        /usr/lib64/httpd/modules/mod_authz_owner.so
LoadModule authz_user_module         /usr/lib64/httpd/modules/mod_authz_user.so
LoadModule log_config_module         /usr/lib64/httpd/modules/mod_log_config.so
LoadModule mime_module               /usr/lib64/httpd/modules/mod_mime.so
LoadModule dir_module                /usr/lib64/httpd/modules/mod_dir.so
LoadModule rewrite_module            /usr/lib64/httpd/modules/mod_rewrite.so
LoadModule proxy_module              /usr/lib64/httpd/modules/mod_proxy.so
LoadModule proxy_connect_module      /usr/lib64/httpd/modules/mod_proxy_connect.so
LoadModule proxy_http_module         /usr/lib64/httpd/modules/mod_proxy_http.so
LoadModule proxy_ftp_module          /usr/lib64/httpd/modules/mod_proxy_ftp.so
LoadModule auth_basic_module         /usr/lib64/httpd/modules/mod_auth_basic.so
LoadModule auth_digest_module        /usr/lib64/httpd/modules/mod_auth_digest.so
LoadModule authn_file_module         /usr/lib64/httpd/modules/mod_authn_file.so
LoadModule cgid_module               /usr/lib64/httpd/modules/mod_cgid.so
LoadModule alias_module              /usr/lib64/httpd/modules/mod_alias.so
LoadModule autoindex_module          /usr/lib64/httpd/modules/mod_autoindex.so
LoadModule deflate_module            /usr/lib64/httpd/modules/mod_deflate.so
LoadModule setenvif_module           /usr/lib64/httpd/modules/mod_setenvif.so
LoadModule headers_module            /usr/lib64/httpd/modules/mod_headers.so
LoadModule logio_module              /usr/lib64/httpd/modules/mod_logio.so
LoadModule include_module            /usr/lib64/httpd/modules/mod_include.so
LoadModule expires_module            /usr/lib64/httpd/modules/mod_expires.so
LoadModule env_module                /usr/lib64/httpd/modules/mod_env.so
LoadModule actions_module            /usr/lib64/httpd/modules/mod_actions.so
LoadModule negotiation_module        /usr/lib64/httpd/modules/mod_negotiation.so
LoadModule fastcgi_module            /usr/lib/httpd/modules/mod_fastcgi.so
LoadModule speling_module            /usr/lib64/httpd/modules/mod_speling.so

ServerRoot PLACEHOLDER_HOME/private_apache
Listen 127.0.0.1:PLACEHOLDER_PORT
NameVirtualHost 127.0.0.1:PLACEHOLDER_PORT
KeepAliveTimeout 3
KeepAlive Off
MaxRequestsPerChild 5000
Timeout 60
PidFile PLACEHOLDER_HOME/private_apache/logs/httpd.pid
TypesConfig /etc/httpd/conf/mime.types
LogLevel warn
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog PLACEHOLDER_HOME/logs/user/privateApache_access.log combined
ErrorLog PLACEHOLDER_HOME/logs/user/privateApache_error.log

# Control the max number of FastCGI processes:
# Set maxClassProcesses and maxProcesses to the same limit number. Leave procesSlack at 1.
# http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html
FastCgiConfig -maxClassProcesses 2 -maxProcesses 2 -processSlack 1

<VirtualHost 127.0.0.1:PLACEHOLDER_PORT>
  ServerName PLACEHOLDER_DOMAIN1
  ServerAlias www.PLACEHOLDER_DOMAIN1
  DocumentRoot PLACEHOLDER_HOME/webapps/PLACEHOLDER_APP1
  DirectoryIndex index.html index.htm index.cgi index.php
  ProxyPreserveHost on
  AddDefaultCharset utf-8
  AddHandler cgi-script .cgi
  Alias /cgi-bin/php54.cgi /home/php-cgi/php54.cgi
  Action php54-cgi /cgi-bin/php54.cgi
  AddHandler php54-cgi .php
  SetEnv PHP_INI_SCAN_DIR PLACEHOLDER_HOME/webapps/PLACEHOLDER_APP1
  Include PLACEHOLDER_HOME/private_apache/conf/extra/httpd-autoindex.conf
  <Directory PLACEHOLDER_HOME/webapps/PLACEHOLDER_APP1>
    AllowOverride all
    <FilesMatch \.ht(access|passwd)>
      Deny from all
    </FilesMatch>
    <FilesMatch (\.user\.ini|php\.ini)>
      Deny from all
    </FilesMatch>
    <FilesMatch \.php$>
      SetHandler php54-cgi
    </FilesMatch>
  </Directory>
</VirtualHost>

<VirtualHost 127.0.0.1:PLACEHOLDER_PORT>
  ServerName PLACEHOLDER_DOMAIN2
  ServerAlias www.PLACEHOLDER_DOMAIN2
  DocumentRoot PLACEHOLDER_HOME/webapps/PLACEHOLDER_APP2
  DirectoryIndex index.html index.htm index.cgi index.php
  ProxyPreserveHost on
  AddDefaultCharset utf-8
  AddHandler cgi-script .cgi
  Alias /cgi-bin/php54.cgi /home/php-cgi/php54.cgi
  Action php54-cgi /cgi-bin/php54.cgi
  AddHandler php54-cgi .php
  SetEnv PHP_INI_SCAN_DIR PLACEHOLDER_HOME/webapps/PLACEHOLDER_APP2
  Include PLACEHOLDER_HOME/private_apache/conf/extra/httpd-autoindex.conf
  <Directory PLACEHOLDER_HOME/webapps/PLACEHOLDER_APP2>
    AllowOverride all
    <FilesMatch \.ht(access|passwd)>
      Deny from all
    </FilesMatch>
    <FilesMatch (\.user\.ini|php\.ini)>
      Deny from all
    </FilesMatch>
    <FilesMatch \.php$>
      SetHandler php54-cgi
    </FilesMatch>
  </Directory>
</VirtualHost>
EOF
sed -i "s^PLACEHOLDER_HOME^${HOME}^g" httpd.conf
sed -i "s^PLACEHOLDER_PORT^${PORT}^g" httpd.conf
sed -i "s^PLACEHOLDER_DOMAIN1^${DOMAIN1}^g" httpd.conf
sed -i "s^PLACEHOLDER_APP1^${APP1}^g" httpd.conf
sed -i "s^PLACEHOLDER_DOMAIN2^${DOMAIN2}^g" httpd.conf
sed -i "s^PLACEHOLDER_APP2^${APP2}^g" httpd.conf
echo "Hello world from App 1" > $HOME/webapps/${APP1}/index.html
echo "Hello world from App 2" > $HOME/webapps/${APP2}/index.html

Now you should be able to access your two applications from the private Apache instance. Logs for the private apache instance are in $HOME/logs/user.

Next, in order to keep the apache instance running in case it crashes or the server is rebooted, we need to set up a crontab entry:

cd $HOME
crontab -l > tmp_current_crontab
cat << EOF >> tmp_current_crontab
# For Private Apache Instance:
*/20 * * * * $HOME/private_apache/bin/start >/dev/null 2>&1 &
EOF
crontab tmp_current_crontab
rm tmp_current_crontab

Now, start the private apache instance:

$HOME/private_apache/bin/start

Final note: If you're on a 32-bit server, not a 64-bit server, then the apache module paths will be incorrect. Replace "/usr/lib64" with "/usr/lib" in httpd.conf to fix it.

Hope that helps!

permanent link
This answer is marked "community wiki".

answered 14 Aug '13, 00:12

ryans ♦♦
5.0k93160
accept rate: 43%

edited 25 Dec '15, 08:58

@ryans, appreciate the write up on this. I was able to get it working.

One question though, I need to enable SSL - I'm getting

Invalid command 'SSLEngine'

when adding SSL to one of the virtual hosts. Also, I assume this apache instance would only be able to handle SSL, since it's having a single port proxied to it?

Thanks for any advice

(12 Apr '14, 11:20) lapomme

You do not need to handle HTTPS yourself, this is still going to be done by the front-end nginx - it will proxy traffic received via ports 80 and 443 to your Apache instance.

(12 Apr '14, 13:43) yulian

@yulian, your right, it works. Thanks!

(15 Apr '14, 16:40) lapomme

One thing to add @ryans - you should probably add:

SetEnv PHP_INI_SCAN_DIR PLACEHOLDER_HOME/webapps/PLACEHOLDER_APPX

to both the VirtualHost sections. Otherwise, any php.ini files you put in your document root won't be processed.

(20 Jul '14, 10:34) pjrobertson

Thanks, I've done so, both here and on the new CentOS 7 guide.

(25 Dec '15, 08:57) ryans ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×225
×12
×11

question asked: 13 Aug '13, 22:39

question was seen: 7,526 times

last updated: 25 Dec '15, 08:58

WEBFACTION
REACH US
SUPPORT
AFFILIATE PROGRAM
LEGAL
© COPYRIGHT 2003-2019 SWARMA LIMITED - WEBFACTION IS A SERVICE OF SWARMA LIMITED
REGISTERED IN ENGLAND AND WALES 5729350 - VAT REGISTRATION NUMBER 877397162
5TH FLOOR, THE OLD VINYL FACTORY, HAYES, UB3 1HA, UNITED KINGDOM