HOWTO: PerUser MPM with Apache2 (increased security)

Indeed. I put some files in /bin/ to make it easier.

If you're interested in how to do it, here we go

cd /bin/
nano httpd.start
Put the following code in that file
Code:
#!/bin/sh
# Start Apache; report success only if httpd exited cleanly.
httpd && echo "HTTP has been started"

Then

nano httpd.stop
Put the following code in that file
Code:
#!/bin/sh
# Stop Apache; report success only if apachectl exited cleanly.
apachectl stop && echo "HTTP has been stopped."

Now do
Code:
chmod +x httpd.stop
chmod +x httpd.start

Now to boot up or turn off httpd safely just type httpd.start or httpd.stop

Simple little guide if you're lazy like me about remembering commands :P
 
The server is running Breezy at the moment as that's the latest stable.

When Dapper Server is stable I will dist-upgrade to that :)

But I wouldn't put Ubuntu Breezy, I would just say Debian.
 
The patch should be fixed now.

Charlie, would you like to make suggestions as to what to tidy up in the how-to?

Thanks,
Matt :)
 
In the httpd.conf change

Multiplexer apache apache

to

Multiplexer nobody nobody

This is because apache still has access to some people's public_html directories.

But nobody doesn't.

Second thing is, when you have done the virtual hosts, you have to tell them to rewrite their config by doing

echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue

Also, maybe a manual version for people the patch didn't work for, like me. But as you said, you fixed it for my OS.

I didn't find it quite hard to do it manually. It's just like cd apache-$version etc., wget patch, patch it, ./buildconf, make, make install and it was done for me
 
It's worth it. I don't suggest doing it if your server isn't the highest of specs.

I'm running a Quad Xeon 3.6GHz, 4GB DDR

Copes with ease with open_basedir, big config of mod_security and this
 
Code:
[Sun Apr 23 13:34:26 2006] [warn] new file descriptor 1078 is too large; you probably need to rebuild Apache with a larger FD_SETSIZE (currently 1024)

Any ideas how to fix this? It pops up every so often. I know exactly what that means, but it should be killing the file descriptors

Any ideas?
 
I advise people not to do this if they don't know what they're doing.

There are LOTS of bugs in this, and I mean loads..

I am testing it on a dev box. If it was on an actual hosting box with people on it, I think they would complain.
 
After installing and adding the PerUser module to httpd.conf, and in /usr/local/directadmin/data/templates/custom/... adding to the files above the <VirtualHost> section

Processor |USER| |GROUP|

I always get an error after restarting Apache -

Syntax error on line 19 of /usr/local/directadmin/data/users/user/httpd.conf:Invalid command 'Processor', perhaps mis-spelled or defined by a module not included in the server configuration

But I followed the HOWTO instructions step by step. What can be the problem?

I use FreeBSD 6.x and Apache 2.x
 
Smoothly; are you sure Apache is using PerUser?

Charlie; I've updated the How-To, although I'd personally prefer to chown the user directories to user:user rather than use the 'nobody' user, which can cause security headaches.

Matt
 
Not surprising as it's beta software; the more people that test it the better, however. If you send bug reports to the author, it helps us all.

Matt
 
thoroughfare, I followed exactly HOWTO.

-------------------------------------------------------------------------
cd /usr/local/directadmin/customapache/
wget -nc http://www.retroweb.net/pub/DirectA...ruser-mpm.patch
patch -p1 < DirectAdmin-build-httpd-peruser-mpm.patch
-------------------------------------------------------------------------

After that I did in /etc/httpd/conf/httpd.conf -

-------------------------------------------------------------------------
<IfModule peruser.c>
ServerLimit 256
MaxClients 256
MinSpareProcessors 2
MaxProcessors 10
MaxRequestsPerChild 1000
ExpireTimeout 1800
Multiplexer apache apache
</IfModule>
-------------------------------------------------------------------------


And so on following instructions ....
But after restarting apache I get an error.
It looks like Apache is really not using peruser, but how exactly can I check it? And maybe I need to add some lines in httpd.conf like "Load module peruser ...."?
Here the patching output -

-------------------------------------------------------------------------
# patch -p1 < DirectAdmin-build-httpd-peruser-mpm.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- build Tue Apr 4 11:06:21 2006
|+++ build.new Wed Apr 5 08:47:14 2006
--------------------------
Patching file build using Plan A...
Hunk #1 succeeded at 1947 (offset 46 lines).
done
--------------------------------------------------------------
 
charliecreed said:
Code:
[Sun Apr 23 13:34:26 2006] [warn] new file descriptor 1078 is too large; you probably need to rebuild Apache with a larger FD_SETSIZE (currently 1024)

Any ideas how to fix this? It pops up every so often. I know exactly what that means, but it should be killing the file descriptors

Any ideas?
Step 3 of this guide will increase your FD_SETSIZE globally (for all compiles after the change):
http://help.directadmin.com/item.php?id=9

John
 
I have installed peruser on Apache 2.2.3
Now:
Code:
[root@moon conf]# /usr/local/apache2/bin/httpd -V
Server version: Apache/2.2.3
Server built: Nov 4 2007 01:40:40
Server Module's Magic Number: 20051115:3
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 32-bit
Server MPM: Peruser
   threaded: no
     forked: yes (variable process count)

But each process is being run under the apache user.
phpinfo says that the uid / gid is apache.
In error_log nothing about it ...
Can you help?
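
An added example, not code from any poster in this thread: a shell check for the two questions raised above, whether the running binary was really built with the peruser MPM (the "Server MPM" line of `httpd -V`) and whether any httpd processes actually run under accounts other than root and the Multiplexer user. The `ps` sample lines and the accounts alice and bob are constructed, and it is an assumption that per-user Processor children appear in `ps` under the site's own account.

```shell
#!/bin/sh
# Added example (not from the thread). Sample inputs below are constructed;
# alice and bob are hypothetical site accounts.

# Print the lower-cased MPM name from `httpd -V` output on stdin.
mpm_from_v() {
    awk -F': *' '/^Server MPM:/ { sub(/[ \t\r]+$/, "", $2); print tolower($2); exit }'
}

# Print "owner count" for httpd processes, given `ps -A -o user= -o comm=`
# output on stdin.
httpd_owners() {
    awk '$2 ~ /^(httpd|apache2)$/ { n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# $1 = httpd -V output, $2 = ps output, $3 = Multiplexer user from httpd.conf.
# Assumption: per-user Processor children appear in ps under the site account.
peruser_verdict() {
    mpm=$(printf '%s\n' "$1" | mpm_from_v)
    if [ "$mpm" != "peruser" ]; then
        echo "not-peruser:${mpm:-unknown}"
        return 1
    fi
    others=$(printf '%s\n' "$2" | httpd_owners |
        awk -v m="$3" '$1 != "root" && $1 != m { c++ } END { print c + 0 }')
    if [ "$others" -eq 0 ]; then
        echo "peruser-built:no-per-user-processes"
        return 2
    fi
    echo "peruser-active:$others-accounts"
}

SAMPLE_V='Server version: Apache/2.2.3
Server MPM: Peruser
  threaded: no'
SAMPLE_V_PREFORK='Server version: Apache/2.2.3
Server MPM: Prefork'
SAMPLE_PS_SHARED='root httpd
apache httpd
apache httpd'
SAMPLE_PS_SPLIT='root httpd
apache httpd
alice httpd
bob httpd
bob httpd'

# Live use: peruser_verdict "$(httpd -V)" "$(ps -A -o user= -o comm=)" apache
peruser_verdict "$SAMPLE_V" "$SAMPLE_PS_SHARED" apache || true  # symptom in the post above
peruser_verdict "$SAMPLE_V" "$SAMPLE_PS_SPLIT" apache || true
```

A "not-peruser" result matches the "Invalid command 'Processor'" error earlier in the thread: the directive is only known to a binary built with that MPM.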
 
Anyone using this on FreeBSD in a work environment? It sounds like a dream!
 