Re: [vqadmin] Problem with virtual hosts

Mon, 01 Dec 2003 23:26:16 -0800

On Dec 1, 2003, at 20:00, Andrea Riela wrote: 

Normally vqadmin is accessible from all virtual hosts.
Example:
http://domain1/cgi-bin/vqadmin/vqadmin.cgi
http://domain2/cgi-bin/vqadmin/vqamdin.cgi
http://domain3/cgi-bin/vqadmin/vqadmin.cgi

I would avoid that. I would that only my first domain could have an access
for vqadmin.

Now I use an hoax: in my httpd.conf, in the specific vh, I've

<VirtualHost 192.168.0.11:80>
   ServerName domain1
   Port 80
   DocumentRoot /var/www/htdocs
   ErrorLog logs/default-error_log
   CustomLog logs/default-access_log combined
   <Directory "/var/www/cgi-bin/vqadmin">
               deny from all
               Options ExecCGI
               AllowOverride AuthConfig
               Order deny,allow
   </Directory>
</VirtualHost>

In this case, the vqadmin responds only for this vh, but if I try to connect
from domain2 http://domain2/cgi-bin/vqadmin/vqadmin.cgi
I receive a vqadmin error: Authentication failed, username unknown ...
And not an apache error (like page not found) ...

Why?
Could I have an apache error instead of this vqadmin message?

you have a common cgi-bin directory shared between all of your web sites. this is almost always a bad idea, i don't know why the apache guys haven't changed it so that this is not the default anymore.

to change it so that each site has its own cgi-bin (which is how it should be on most multi-site servers)...

- the global "ScriptAlias /cgi-bin/" line needs to be commented out.

- inside of each site's DocumentRoot directory, create a cgi-bin directory and copy only the scripts that the site uses into there. the permissions should be 755 and it should be owned by the userid who owns the DocumentRoot directory (the client's userid, in the case of a web site maintained by your client.)

- in each site's <VirtualHost> block, add these lines:

    <Location /cgi-bin/>
      Options +ExecCGI
    </Location>

making these changes, go into each site which SHOULD have access to the vqadmin stuff and create a symlink to the directory where it currently sits. (my server's directory layout is probably not the same as yours, which means you'll have to adjust paths below...)

    # cd /www/domain1/htdocs/cgi-bin
    # ln -s /var/www/cgi-bin/vqadmin vqadmin

and in the httpd.conf <VirtualHost> block, the "Options +ExecCGI" which you added above should be changed to read "Options +ExecCGI +FollowSymLinks" (if that's not already a global option.)

restart the web server and test everything.

if you don't change your server to use separate cgi-bin directories, http://{ALL}/cgi-bin/{ANYTHING} will be the same on all of your web sites. there is no way around this.

the rest of the message is specific to apache and has nothing to do with vqadmin or mail... i just figured i'd throw it in as a reference for the curious- this is how i configure all of my apache servers, some of which are serving over 300 sites at once.

the directory layout looks something like this:

/www/domain1/error_log
/www/domain1/docs/
/www/domain1/docs/cgi-bin/
/www/domain1/docs/cgi-bin/vqadmin -> /www/vqadmin (symbolic link)
/www/domain2/error_log
/www/domain2/docs/
/www/domain2/docs/cgi-bin/
/www/vqadmin/

the config looks something like this:

<Directory />
  Options       FollowSymLinks
</Directory>

<Directory /www/*/docs/cgi-bin>
  Options       +ExecCGI
</Directory>

<Directory /www/vqadmin>
  Options       +ExecCGI
</Directory>

NameVirtualHost 1.2.3.4:80

<VirtualHost 1.2.3.4:80>
  ServerName    www.domain1
  ServerAlias   domain1
  DocumentRoot  /www/domain1/docs
  ErrorLog      /www/domain1/error_log
  CustomLog     /weblogs/current/domain1 combined
</VirtualHost>

<VirtualHost 1.2.3.4:80>
  ServerName    www.domain2
  ServerAlias   domain2
  DocumentRoot  /www/domain2/docs
  ErrorLog      /www/domain2/error_log
  CustomLog     /weblogs/current/domain2 combined
</VirtualHost>

my "CustomLog" lines point to a "/weblogs/current" directory for a reason- some of my servers handle 200 to 300 sites, and cutting the log files went from five minutes downtime to about six seconds by setting it up this way. the cut script looks something like this:

#!/bin/sh

cd /weblogs

    /etc/init.d/apache stop
    mv current cut
    mkdir -m 700 current
    /etc/init.d/apache start

    /usr/local/sbin/calculate-web-stats /weblogs/cut
    rm -rf /weblogs/cut

the calculate-web-stats script mulls over the files in /weblogs/cut and is free to take as long as it needs, because the server isn't stopped while it's chewing on the numbers. the time delay between shutting down the server and starting it back up is usually less than a tenth of a second- the only appreciable delay is the time it takes to actually parse the httpd.conf file and set things up, which is usually no more than about five seconds.

the idea of using the "ip_address:port" in the <VirtualHost> line is a good one... it allows the server to be able to start up and serve pages for the other domains whenever one domain's DNS gets changed to point elsewhere, or expires by mistake. this happened to me once- a client forgot to renew their domain name, verisign shut it off, and apache couldn't restart because it couldn't resolve the name. i have 185 clients' web sites down because of this joker- needless to say it didn't happen again.

anyway... enough rambling for one night...

-----------------------------------------------
| John Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/        <[EMAIL PROTECTED]> |
-----------------------------------------------

Attachment: PGP.sig
Description: PGP signature

Reply via email to