WebFaction
Community site: login faq

This guide is for CentOS 7 servers. For CentOS 6, see this related guide.

Apache is installed at "/usr/sbin/httpd" and includes many modules, PHP support, etc.

I'd like to run a private instance of this server using my own "httpd.conf" file. Primarily, I want this to run under a separate SSH User account, served via a Custom Application (listening on port).

This is for security. If the application is hacked, the hacker would only gain access to that separate SSH user's home directory, and not everything else under my account.

This is different from the Granting Access to Specific Users documentation. It would be more secure, since in the same way one of the users I've granted access to could still make use of CGI processes running as my main user to execute a PHP Shell, in the same way a hacker could.

asked 25 Dec '15, 08:40

ryans's gravatar image

ryans ♦♦
5.0k42856
accept rate: 43%


This is easy to do. First create a Custom Application (listening on port) and an SSH user from the Control Panel. Hook the application up to a domain with a website record and allow some time for the changes to take effect. If all is well, you should see a "502 Bad Gateway" error at that domain.

The "502 Bad Gateway" error appears because Nginx is trying to proxy HTTP requests to your private apache instance, but you don't have a private apache instance (yet). But you will.

Also, since this example will demonstrate virtualhosting, I assume that you set up at least two different domains in the aforementioned website record, such as "www.domain1.com" and "www.domain2.com", which will map to "app1" and "app2" respectively. This definitely isn't required, but it makes for a better example.

In this example, we will assume that the extra SSH User we created has username "mysshuser", and that the port assigned by the Control Panel is "77777":

Extra SSH User's username:    mysshuser
Custom Application's PORT:    77777

In the examples below, you will want to replace these values with your own.

The first thing to do is to make a directory for the apache code itself. Then we need to create a location for the application data. I like to keep the "webapps" convention, and I'm going to create two such applications in order to clearly demonstrate how VirtualHosting works in our private "httpd.conf" file.

Here are the commands to get this all set up, complete with a sample "httpd.conf" file configured to serve these two applications on their respective domains.

PORT="77777"

DOMAIN1="www.domain1.com"
APP1="app1"

DOMAIN2="www.domain2.com"
APP2="app2"

cd $HOME
mkdir -p $HOME/logs/user
mkdir -p $HOME/private_apache/var/run
mkdir -p $HOME/webapps
mkdir -p $HOME/webapps/${APP1}
mkdir -p $HOME/webapps/${APP2}
cd $HOME/private_apache
mkdir -p bin conf logs
cd $HOME/private_apache/bin
cat << "EOF" > start
#!/bin/bash

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

exec /usr/sbin/httpd -f "$MYDIR/../conf/httpd.conf" -k start # -D FOREGROUND
EOF
cat << "EOF" > stop
#!/bin/bash

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

exec /usr/sbin/httpd -f "$MYDIR/../conf/httpd.conf" -k stop
EOF
cat << "EOF" > restart
#!/bin/bash

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

$MYDIR/stop
sleep 3
$MYDIR/start
EOF
chmod 755 start stop restart
cd $HOME/private_apache/conf
mkdir extra
cd $HOME/private_apache/conf/extra
cat << "EOF" > httpd-autoindex.conf
#
# Directives controlling the display of server-generated directory listings.
#
# Required modules: mod_autoindex, mod_alias
#
# To see the listing of a directory, the Options directive for the
# directory must include "Indexes", and the directory must not contain
# a file matching those listed in the DirectoryIndex directive.
#

#
# IndexOptions: Controls the appearance of server-generated directory
# listings.
#
IndexOptions FancyIndexing HTMLTable VersionSort

# We include the /__________wficons__________/ alias for FancyIndexed
# directory listings. If you do not use FancyIndexing, you may comment
# this out.
#
Alias /__________wficons__________/ "/var/www/icons/"

<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

#
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions.  These are only displayed for
# FancyIndexed directories.
#
AddIconByEncoding (CMP,/__________wficons__________/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/__________wficons__________/text.gif) text/*
AddIconByType (IMG,/__________wficons__________/image2.gif) image/*
AddIconByType (SND,/__________wficons__________/sound2.gif) audio/*
AddIconByType (VID,/__________wficons__________/movie.gif) video/*

AddIcon /__________wficons__________/binary.gif .bin .exe
AddIcon /__________wficons__________/binhex.gif .hqx
AddIcon /__________wficons__________/tar.gif .tar
AddIcon /__________wficons__________/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /__________wficons__________/compressed.gif .Z .z .tgz .gz .zip
AddIcon /__________wficons__________/a.gif .ps .ai .eps
AddIcon /__________wficons__________/layout.gif .html .shtml .htm .pdf
AddIcon /__________wficons__________/text.gif .txt
AddIcon /__________wficons__________/c.gif .c
AddIcon /__________wficons__________/p.gif .pl .py
AddIcon /__________wficons__________/f.gif .for
AddIcon /__________wficons__________/dvi.gif .dvi
AddIcon /__________wficons__________/uuencoded.gif .uu
AddIcon /__________wficons__________/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /__________wficons__________/tex.gif .tex
AddIcon /__________wficons__________/bomb.gif core

AddIcon /__________wficons__________/back.gif ..
AddIcon /__________wficons__________/hand.right.gif README
AddIcon /__________wficons__________/folder.gif ^^DIRECTORY^^
AddIcon /__________wficons__________/blank.gif ^^BLANKICON^^

#
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
#
DefaultIcon /__________wficons__________/unknown.gif

#
# AddDescription allows you to place a short description after a file in
# server-generated indexes.  These are only displayed for FancyIndexed
# directories.
# Format: AddDescription "description" filename
#
#AddDescription "GZIP compressed document" .gz
#AddDescription "tar archive" .tar
#AddDescription "GZIP compressed tar archive" .tgz

#
# ReadmeName is the name of the README file the server will look for by
# default, and append to directory listings.
#
# HeaderName is the name of a file which should be prepended to
# directory indexes. 
ReadmeName README.html
HeaderName HEADER.html

#
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing.  Shell-style wildcarding is permitted.
#
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
EOF
cd $HOME/private_apache/conf
cat << "EOF" > httpd.conf
LoadModule mpm_event_module          /usr/lib64/httpd/modules/mod_mpm_event.so
#LoadModule mpm_worker_module         /usr/lib64/httpd/modules/mod_mpm_worker.so

LoadModule remoteip_module           /usr/lib64/httpd/modules/mod_remoteip.so
LoadModule dav_module                /usr/lib64/httpd/modules/mod_dav.so
LoadModule dav_fs_module             /usr/lib64/httpd/modules/mod_dav_fs.so
LoadModule authz_core_module         /usr/lib64/httpd/modules/mod_authz_core.so
LoadModule authz_host_module         /usr/lib64/httpd/modules/mod_authz_host.so
LoadModule authz_groupfile_module    /usr/lib64/httpd/modules/mod_authz_groupfile.so
LoadModule authz_owner_module        /usr/lib64/httpd/modules/mod_authz_owner.so
LoadModule authz_user_module         /usr/lib64/httpd/modules/mod_authz_user.so
LoadModule mime_module               /usr/lib64/httpd/modules/mod_mime.so
LoadModule dir_module                /usr/lib64/httpd/modules/mod_dir.so
LoadModule rewrite_module            /usr/lib64/httpd/modules/mod_rewrite.so
LoadModule proxy_module              /usr/lib64/httpd/modules/mod_proxy.so
LoadModule proxy_connect_module      /usr/lib64/httpd/modules/mod_proxy_connect.so
LoadModule proxy_http_module         /usr/lib64/httpd/modules/mod_proxy_http.so
LoadModule proxy_ftp_module          /usr/lib64/httpd/modules/mod_proxy_ftp.so
LoadModule auth_basic_module         /usr/lib64/httpd/modules/mod_auth_basic.so
LoadModule auth_digest_module        /usr/lib64/httpd/modules/mod_auth_digest.so
LoadModule authn_file_module         /usr/lib64/httpd/modules/mod_authn_file.so
LoadModule cgid_module               /usr/lib64/httpd/modules/mod_cgid.so
LoadModule alias_module              /usr/lib64/httpd/modules/mod_alias.so
LoadModule autoindex_module          /usr/lib64/httpd/modules/mod_autoindex.so
LoadModule deflate_module            /usr/lib64/httpd/modules/mod_deflate.so
LoadModule setenvif_module           /usr/lib64/httpd/modules/mod_setenvif.so
LoadModule headers_module            /usr/lib64/httpd/modules/mod_headers.so
LoadModule log_config_module         /usr/lib64/httpd/modules/mod_log_config.so
LoadModule include_module            /usr/lib64/httpd/modules/mod_include.so
LoadModule expires_module            /usr/lib64/httpd/modules/mod_expires.so
LoadModule env_module                /usr/lib64/httpd/modules/mod_env.so
LoadModule actions_module            /usr/lib64/httpd/modules/mod_actions.so
LoadModule negotiation_module        /usr/lib64/httpd/modules/mod_negotiation.so
LoadModule speling_module            /usr/lib64/httpd/modules/mod_speling.so
LoadModule access_compat_module      /usr/lib64/httpd/modules/mod_access_compat.so
LoadModule unixd_module              /usr/lib64/httpd/modules/mod_unixd.so


ServerName 127.0.0.1:PLACEHOLDER_PORT
ServerRoot PLACEHOLDER_HOME/private_apache
DefaultRuntimeDir PLACEHOLDER_HOME/private_apache/var/run
ScriptSock cgid.sock
Listen 127.0.0.1:PLACEHOLDER_PORT
KeepAliveTimeout 3
KeepAlive Off
MaxRequestsPerChild 5000
Timeout 60
PidFile PLACEHOLDER_HOME/private_apache/logs/httpd.pid
TypesConfig /etc/httpd/conf/mime.types
LogLevel warn
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog PLACEHOLDER_HOME/logs/user/privateApache_access.log combined
ErrorLog PLACEHOLDER_HOME/logs/user/privateApache_error.log


<VirtualHost 127.0.0.1:PLACEHOLDER_PORT>
  ServerName PLACEHOLDER_DOMAIN1
  #ServerAlias www.PLACEHOLDER_DOMAIN1
  DocumentRoot PLACEHOLDER_HOME/webapps/PLACEHOLDER_APP1
  DirectoryIndex index.html index.htm index.cgi index.php
  ProxyPreserveHost on
  AddDefaultCharset utf-8

  Options +ExecCGI
  AddHandler cgi-script .cgi
  Alias /cgi-bin/php56.cgi /home/php-cgi/php56.cgi
  Action php56-cgi /cgi-bin/php56.cgi
  AddHandler php56-cgi .php
  SetEnv PHP_INI_SCAN_DIR PLACEHOLDER_HOME/webapps/PLACEHOLDER_APP1

  Include PLACEHOLDER_HOME/private_apache/conf/extra/httpd-autoindex.conf
  <Directory PLACEHOLDER_HOME/webapps/PLACEHOLDER_APP1>
    AllowOverride all
    <FilesMatch \.ht(access|passwd)>
      Require all denied
    </FilesMatch>
    <FilesMatch (\.user\.ini|php\.ini)>
      Require all denied
    </FilesMatch>
    <FilesMatch \.php$>
      SetHandler php56-cgi
    </FilesMatch>
  </Directory>
</VirtualHost>

<VirtualHost 127.0.0.1:PLACEHOLDER_PORT>
  ServerName PLACEHOLDER_DOMAIN2
  #ServerAlias www.PLACEHOLDER_DOMAIN2
  DocumentRoot PLACEHOLDER_HOME/webapps/PLACEHOLDER_APP2
  DirectoryIndex index.html index.htm index.cgi index.php
  ProxyPreserveHost on
  AddDefaultCharset utf-8

  Options +ExecCGI
  AddHandler cgi-script .cgi
  Alias /cgi-bin/php56.cgi /home/php-cgi/php56.cgi
  Action php56-cgi /cgi-bin/php56.cgi
  AddHandler php56-cgi .php
  SetEnv PHP_INI_SCAN_DIR PLACEHOLDER_HOME/webapps/PLACEHOLDER_APP2

  Include PLACEHOLDER_HOME/private_apache/conf/extra/httpd-autoindex.conf
  <Directory PLACEHOLDER_HOME/webapps/PLACEHOLDER_APP2>
    AllowOverride all
    <FilesMatch \.ht(access|passwd)>
      Require all denied
    </FilesMatch>
    <FilesMatch (\.user\.ini|php\.ini)>
      Require all denied
    </FilesMatch>
    <FilesMatch \.php$>
      SetHandler php56-cgi
    </FilesMatch>
  </Directory>
</VirtualHost>
EOF
sed -i "s^PLACEHOLDER_HOME^${HOME}^g" httpd.conf
sed -i "s^PLACEHOLDER_PORT^${PORT}^g" httpd.conf
sed -i "s^PLACEHOLDER_DOMAIN1^${DOMAIN1}^g" httpd.conf
sed -i "s^PLACEHOLDER_APP1^${APP1}^g" httpd.conf
sed -i "s^PLACEHOLDER_DOMAIN2^${DOMAIN2}^g" httpd.conf
sed -i "s^PLACEHOLDER_APP2^${APP2}^g" httpd.conf
echo "Hello world from App 1" > $HOME/webapps/${APP1}/index.html
echo "Hello world from App 2" > $HOME/webapps/${APP2}/index.html

Now you should be able to access your two applications from the private Apache instance. Logs for the private apache instance are in $HOME/logs/user.

Next, in order to keep the apache instance running in case it crashes or the server is rebooted, we need to set up a crontab entry:

cd $HOME
crontab -l > tmp_current_crontab
cat << EOF >> tmp_current_crontab
# For Private Apache Instance:
*/20 * * * * $HOME/private_apache/bin/start >/dev/null 2>&1 &
EOF
crontab tmp_current_crontab
rm tmp_current_crontab

Now, start the private apache instance:

$HOME/private_apache/bin/start

Hope that helps!

permanent link

answered 25 Dec '15, 08:49

ryans's gravatar image

ryans ♦♦
5.0k42856
accept rate: 43%

Thanks Ryan, I've tried this and it works great on CentOS 7!

(25 Dec '15, 14:39) pjrobertson pjrobertson's gravatar image

This is fantastic... works as described. Any pointers for getting SSL to run using private Apache via httpd.conf? Thanks!

(14 Jul, 04:33) alanmiller alanmiller's gravatar image

Alanmiller, this instance runs on the backend, behind the nginx proxy.

The nginx proxy handles ssl termination, so you do not need to define anything in your httpd.conf file.

If you create an https enabled website record using the panel and link it with your private apache, you should be ok.

(14 Jul, 09:04) iliasr ♦♦ iliasr's gravatar image
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×221
×12
×11

question asked: 25 Dec '15, 08:40

question was seen: 1,471 times

last updated: 14 Jul, 09:04

WEBFACTION
REACH US
SUPPORT
AFFILIATE PROGRAM
LEGAL
© COPYRIGHT 2003-2017 PARAGON INTERNET GROUP LIMITED
WEBFACTION IS A SERVICE OF PARAGON INTERNET GROUP LIMITED
REGISTERED IN ENGLAND AND WALES 7573953 - VAT REGISTRATION NUMBER 182147021
5TH FLOOR, THE OLD VINYL FACTORY, HAYES, UB3 1HA, UNITED KINGDOM