Difference between revisions of "Shared webhosting"
| m (Spelling fixes) | m (→The problem:   Grammar fixes) | ||
| Line 4: | Line 4: | ||
| == The problem == | == The problem == | ||
| − | One of the problems with shared webhosting (i.e. different people with each his/her own webpages) is that modern script languages such as PHP, Python or Perl are  | + | One of the problems with shared webhosting (i.e. different people with each his/her own webpages) is that modern script languages such as PHP, Python, or Perl are too powerful. For example take the following PHP script: | 
| <pre> | <pre> | ||
| Line 20: | Line 20: | ||
| </pre> | </pre> | ||
| − | With PHP you could use open_basedir to prevent this, but there are more ways. For example [http://mgeisler.net/php-shell/ PHP Shell], a script that is [http://mgeisler.net/downloads/phpshell/SECURITY often mis-used] by people with not-so-good intentions. Or think about the [http://www.f-secure.com/v-descs/santy_a.shtml Santy-worm] which mis-used phpBB. Again there is a solution in the form of safe_mode, but lots of PHP scripts break if you enable this. For Python, Perl or CGI-scripts there are no easy ways and you have to use wrappers or other tricks to chroot these. | + | With PHP you could use open_basedir to prevent this, but there are more ways. For example [http://mgeisler.net/php-shell/ PHP Shell], a script that is [http://mgeisler.net/downloads/phpshell/SECURITY often mis-used] by people with not-so-good intentions. Or think about the [http://www.f-secure.com/v-descs/santy_a.shtml Santy-worm] which mis-used phpBB. Again there is a solution in the form of safe_mode, but lots of PHP scripts break if you enable this. For Python, Perl, or CGI-scripts there are no easy ways and you have to use wrappers or other tricks to chroot these. | 
| == The solution == | == The solution == | ||
Revision as of 02:45, 13 November 2006
Contents
The problem
One of the problems with shared webhosting (i.e. different people with each his/her own webpages) is that modern script languages such as PHP, Python, or Perl are too powerful. For example take the following PHP script:
<?php
function get_content($filename) {
  $handle = fopen($filename, 'r');
  echo fread($handle, filesize($filename));
  fclose($handle);
}
get_content('/home/ppuk34/www/forum/config.inc.php');
?>
With PHP you could use open_basedir to prevent this, but there are more ways. For example PHP Shell, a script that is often mis-used by people with not-so-good intentions. Or think about the Santy-worm which mis-used phpBB. Again there is a solution in the form of safe_mode, but lots of PHP scripts break if you enable this. For Python, Perl, or CGI-scripts there are no easy ways and you have to use wrappers or other tricks to chroot these.
The solution
You can waste hours of time in securing all the possible things you don't want in your shared webhosting environment. And unless you are very familiar with all the things modern scripting languages can do, you probably miss dozens of alternative routes. In this process you frustrate your clients, because security always means that legitimate things break. As a side effect of your hard work, you can waste hours of extra time in educating your users. But in the end most users don't care about security, unless they are themselves victims of a compromised host. Learning the hard way is by far the most effective method. One possible solution is dedicated webhosting, but most users don't have the experience to maintain a server or it is way to expensive for them.
The main problem with shared webhosting is that by its very nature all files which are served through the web are public. Apache for example uses only one account to read all files. As said, you can use tricks with CGI wrappers to execute the scripting languages under its own credentials. However this kind of security depends on the wrappers ability to securely separate the users. We all know that if this is broken — and most often it will be broken — the result is a higher clearance on the underlying filesystem. For most systems you need more than one wrapper, so the number of possible security problems grow. The ultimate user separation is in the kernel and you can view the modifications OpenVZ has done in this light. Instead of CGI wrappers we go one step higher and give every user its own minimal server. In the rest of this article we describe how shared webhosting with OpenVZ could be implemented.
Minimal server
Create an VEx with your favorite distro. Give it an internal IP-address in one of the ranges 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. Then strip away all unnecessary init.d scripts so only the bare minimum is started. That means as a minimum syslogd and ssh so the account holder can upload his/her files through SCP/SFTP in his/her own minimal server. For this to work you need to set up destination NAT on VE0 from high numbered ports to port 22 on the given private IP address:
dnat="-j DNAT --to-destination" iptables -t nat -P PREROUTING ACCEPT iptables -t nat -A PREROUTING -p TCP --dport 10122 $dnat 192.168.13.101:22 iptables -t nat -A PREROUTING -p TCP --dport 10222 $dnat 192.168.13.102:22 ...
The other thing you want for webhosting is of course a webserver as well. To minimize the amount of needed memory, we choose Lighttpd instead of the common Apache. Then configure the scripting language of your choice to run under this webserver. It is possible to use different languages/setups for different accounts as well. Also problematic CGI-scripts are not problematic anymore...
MySQL server
Most webhosting accounts use MySQL, but if you prefer another database server, go ahead. Create a new VEx with a lot more resources and again an internal IP-address. Now configure the accounts. As an extra security measure you can use the internal IP-address as well.
Proxy webserver
Because we have only one public IP-address, we need an trick to access every minimal server based on the hostname in the HTTP request. For SSH we used different ports, but that is not an option for websites. Again we create an VEx with an internal IP-address. On this server we install Lighttpd as well, because the proxying is very simple. If someone has an working example with Apache, please add. First we must forward port 80 to this server:
dnat="-j DNAT --to-destination" iptables -t nat -P PREROUTING ACCEPT iptables -t nat -A PREROUTING -p TCP -d <external IP-address> --dport 80 $dnat 192.168.13.11:80 iptables -t nat -A PREROUTING -p TCP --dport 10122 $dnat 192.168.13.101:22 iptables -t nat -A PREROUTING -p TCP --dport 10222 $dnat 192.168.13.102:22 ...
Then we create for every website an section in /etc/lighttpd/lighttpd.conf as follows:
$HTTP["host"] == "ve101.armorica.tk" {
  proxy.server  = ( "" => ( ( "host" => "192.168.13.101" ) ) )
}
You can map more names to the same IP-address if needed. The last step is to add mod_proxy to the server.modules section.
Other applications
Create for other applications as mail, make sure that the minimal servers use this one for sending mail from webpages, DNS etc. VEx as needed. The resulting server is shown in the figure above.


