Last Saturday I wrote in the comments on Habr, “well, one of these days I will publish my script,” and here it is already. SUDDENLY.
Link to the script.
VPS setup in general
Before setting anything up, I firmly decided that my VPS would be a security stronghold. I wanted each domain on the system to have its own user: it is very neat and adds a little safety. I started considering the options, and there turned out to be 5:
- Have nginx proxy to a single FastCGI daemon running as root. This is an excellent solution, but it only works in single-domain setups; I wanted something like shared hosting, and with one process it turned out to be possible to reach any domain on the server. Does not fit.
- For each user on the system, run its own CGI process, keep them all resident in memory, and have nginx proxy to them. I doubted this solution and did not want to implement it (perhaps I had some objective considerations, but I do not remember them). On the other hand, a certain equand told me in the comments that this solution works very well. I will take his word for it, but I will check it in the next version.
- FreeBSD, they say, has a magic thing called “Jail” that solves all the problems. But that is FreeBSD. Does not fit.
- Chrooting each domain. I decided against it because of the bulkiness and the feebleness of the VPS.
- I chose the traditional solution with disgusting performance, nginx + Apache, but under Apache I use the mpm-itk module for security. It behaves well, but the performance is pumpkin-level: 20 simultaneous requests for dynamic content are enough to floor the server :).
About the organization of users and domains
I run nginx as nginx:nginx and add the nginx user to the group of each user that is created for a domain. I put 750 permissions on all directories in /home/ so that nginx can read the files; it does not need anything more, since it only serves static content.
A separate user is created for each domain. To make it easier to look at the created domains, I name users in reverse notation; for example, hshhhhh.habrahabr.ru turns into ru_habrahabr_hshhhhh. This becomes extremely convenient when several third-level domains are hosted on the server. Unfortunately I did not arrive at this right away, and renaming was a dreary job.
Apache launches a worker as the user who owns the domain, which means it can only see its own home directory and the system files. In any case, nobody gets to stroll around in someone else's garden on my server.
About the script
Now, in fact, the thing for the sake of which all this was started, and therefore I will immediately make a reservation:
- I perfectly understand that I am a code monkey and a PHP guy.
- I wrote the script for myself and was not going to show it to anyone at all.
- Based on the first two points, I lazily decided not to bother and wrote it in PHP instead of bash. In light of the latest topics from the abnormal programming hub, I am ashamed, but I will not rewrite it.
- My knowledge of English is at an extremely high level, and therefore errors in the comments are inevitable.
- I know that the quotes and strings in there are hell, but again, I will not rewrite it.
The script does the following:
- Requires you to enter a domain name, for example “mysite.ru”.
- Displays the future username, home directory and MySQL username.
- Offers to create the user and checks whether one already exists on the system. If yes, it dies; if not, it creates the home directory, creates public_html in it, creates index.html and writes the domain name into it, and then assigns the correct owner and permissions to the entire home directory.
- Asks whether to create a rule for nginx. If yes, it takes the template, replaces the variables in it with the correct paths and puts the nginx rule in sites-available. Then it asks whether to enable this rule for nginx and, if so, creates a symlink in sites-enabled and tells nginx to re-read its configuration.
- It does the same for Apache, and it can create a rule for Apache even if you declined to make one for nginx. On the one hand this is a flaw, on the other hand it may come in handy (it has not yet).
- Asks whether you want to create a database, truncates the username to 16 characters, checks whether such a user already exists in MySQL and, if so, pesters you until you enter a unique name. It then creates the database and grants the access rights.
- Saves all passwords (for SSH and MySQL) to a file, then quits.
At the same time, the passwords are stored in clear text in root's home directory; well, if someone already has access there, then why hide the passwords?
And this script does not allow the newly created user to connect via SSH; that must be done by hand, and I do not see any sense in automating it.
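The user-per-domain layout from the section above and the script's steps, as an added shell example (not the author's PHP script and not code from the page): it derives the reverse-notation user name, truncates the MySQL name to 16 characters, renders nginx and Apache/mpm-itk vhost files from inline templates, and, when run as root with `--create`, creates the user without a login shell, creates public_html and index.html, sets 750 on directories (640 on files is my own choice), adds nginx to the domain's group, links the vhost into sites-enabled and reloads nginx only after `nginx -t` passes. The config paths, the `nginx` user name, the 127.0.0.1:8080 backend port and the `/usr/sbin/nologin` path are assumptions; unlike the author's script, it writes no passwords to disk.

```shell
#!/bin/sh
# Added example, not the author's script. Paths, the "nginx" user name, the
# backend port and the nologin shell path below are assumptions.
set -eu

NGINX_USER=nginx                        # assumed: nginx runs as nginx:nginx
NGINX_AVAIL=/etc/nginx/sites-available  # assumed config locations
NGINX_ENABLED=/etc/nginx/sites-enabled
APACHE_AVAIL=/etc/apache2/sites-available
BACKEND=127.0.0.1:8080                  # assumed: Apache listens here for nginx

# hshhhhh.habrahabr.ru -> ru_habrahabr_hshhhhh (reverse-notation user name)
reverse_name() {
    rest=$1; out=""
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        if [ -z "$out" ]; then out=$label; else out="${label}_$out"; fi
        case $rest in *.*) rest=${rest#*.} ;; *) rest="" ;; esac
    done
    printf '%s\n' "$out"
}

# MySQL user names are cut to 16 characters, as the post describes
mysql_name() { printf '%.16s\n' "$1"; }

# nginx vhost: serve statics itself from the user's public_html, proxy the rest
render_nginx_conf() {
    domain=$1; user=$2
    cat <<EOF
server {
    listen 80;
    server_name $domain www.$domain;
    root /home/$user/public_html;
    location ~* \.(css|js|png|jpg|gif|ico)\$ { expires 30d; }
    location / {
        proxy_pass http://$BACKEND;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
    }
}
EOF
}

# Apache vhost: mpm-itk's AssignUserID runs this vhost as the domain's own user
render_apache_conf() {
    domain=$1; user=$2
    cat <<EOF
<VirtualHost $BACKEND>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot /home/$user/public_html
    AssignUserID $user $user
</VirtualHost>
EOF
}

# Privileged part: must run as root, mirrors the steps of the script
create_domain() {
    domain=$1
    user=$(reverse_name "$domain")
    home=/home/$user
    if id "$user" >/dev/null 2>&1; then
        echo "user $user already exists" >&2
        return 1
    fi
    # no login shell: SSH access is enabled by hand later, as the post says
    useradd -m -d "$home" -s /usr/sbin/nologin "$user"
    mkdir -p "$home/public_html"
    printf '<h1>%s</h1>\n' "$domain" > "$home/public_html/index.html"
    chown -R "$user:$user" "$home"
    # 750 on directories: owner works, group (nginx) reads, others see nothing
    find "$home" -type d -exec chmod 750 {} +
    find "$home" -type f -exec chmod 640 {} +
    usermod -a -G "$user" "$NGINX_USER"   # nginx may now read the statics
    render_nginx_conf "$domain" "$user" > "$NGINX_AVAIL/$domain"
    ln -sf "$NGINX_AVAIL/$domain" "$NGINX_ENABLED/$domain"
    render_apache_conf "$domain" "$user" > "$APACHE_AVAIL/$domain.conf"
    nginx -t               # a broken vhost must not take the server down
    nginx -s reload
    echo "created $user (mysql user $(mysql_name "$user"))"
}

# usage (as root): sh newdomain.sh --create mysite.ru
if [ "${1:-}" = "--create" ] && [ -n "${2:-}" ]; then
    create_domain "$2"
fi
```

The pure functions (name derivation and template rendering) can be called without privileges, which is how the provisioning part can be checked before it is ever run as root; `nginx -t` runs as a separate command so that, under `set -e`, a configuration error aborts before the reload.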
The control
Link to the script.
UPD: forgot to add 2 useful config files for nginx.
UPD2, from a certain mike@danilenko.name, about an interesting feature of mpm-itk:
I myself host several sites of neighbouring companies on our server alongside ours, and also decided to try mod_itk during the transition from FreeBSD to Ubuntu. Even though its slowness was not relevant to me, because the load on the sites is not big at all, this module has one big disadvantage, which is described on some foreign resources.
When using keep-alive in Apache, a robot, for example from Yandex, coming to index the sites walks through all the sites on the same IP in one go. But since the permissions differ, after going to the xxx.ru site and crawling it, it goes to the yyy.ru site... and Apache does not give it to him, because it is already working with the permissions of xxx.ru :(
This is solved only by disabling keep-alive in Apache... maybe when it works as a backend this is not so bad, but, for example, in my case it then serves static content from individual forks.
UPD3: But Kuzmich says that:
The problem was fixed about six months ago; as described in the documentation, the connection is now closed in these cases.
Just like in a TV series! Shock! Intrigue! Investigation!