Example configuration of how to combine the security and restrictions of SuExec with the power and speed of mod_perl.

For example, here is the dilemma:

There are three webmasters on this unix machine:

    billy
    henry
    ralph

We want hits to billy.com to be run as billy.
We want hits to henry.com to be run as henry.
We want hits to ralph.com to be run as ralph.

They all want to take advantage of mod_perl features like PerlHandlers or Apache::Registry scripts, but all point to the same IP address:

    10.11.12.13

All users wish to keep their sources private among themselves, so they remove all permissions for group and other for their home directories.

    [root@localhost /root]# chmod 0700 /home/*
    [root@localhost /root]# ls -ald /home/*
    drwx------ 4 billy billy 4096 Apr 02 12:00 /home/billy
    drwx------ 4 henry henry 4096 Apr 02 12:00 /home/henry
    drwx------ 4 ralph ralph 4096 Apr 02 12:00 /home/ralph
    [root@localhost /root]#

Each user is responsible for turning on his own server and listening on his own designated port as follows:

    billy.com => 8001
    henry.com => 8002
    ralph.com => 8003

Each user will have his own server and configuration files. In Apache, this is done using the -f option. Each configuration file will contain the Listen directive with its corresponding port. Also, mod_perl must be enabled to utilize the Apache::DNAT feature.

    [billy@localhost billy]$ tail ~/conf/httpd.conf
    # Don't use the Port directive
    #Port 80
    # Listen: Allows you to bind Apache to specific IP addresses and/or ports
    Listen 8001
    <IfModule mod_perl.c>
      PerlModule Apache::DNAT
      PerlInitHandler Apache::DNAT
    </IfModule>
    [billy@localhost billy]$ httpd -f ~/conf/httpd.conf
    [billy@localhost billy]$

(The same goes for the other users, too.)

No <VirtualHost> sections should be used. No special User directive or SuExec configuration is required.

As super user, turn on this DNAT server:

    [root@localhost /root]# suexec_mod_perl.pl --log_level=4

And to turn it off:

    [root@localhost /root]# kill `cat /var/log/dnat/dnat.pid`

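
A check to run once the three servers are up, as an added example that is not part of Net::DNAT or the original page: ports 8001-8003 are unprivileged and nothing on the page ties a port to an account beyond convention, so this script confirms that each port's LISTEN socket is owned by the expected uid. It assumes the Linux /proc/net/tcp table format; the function names and the uids 1001-1003 in the constructed sample are hypothetical.

```sh
#!/bin/sh
# Added example, not part of Net::DNAT. Linux only: reads the /proc/net/tcp
# table format (pass /proc/net/tcp6 as TABLE for IPv6 listeners).

# Print the uid of every LISTEN socket bound to PORT in TABLE.
listener_uids() {
    table=$1 port=$2
    while read -r _sl local _rem st _q _t _r uid _rest; do
        [ "$st" = "0A" ] || continue              # 0A = LISTEN; skips header too
        if [ "$((0x${local##*:}))" -eq "$port" ]; then echo "$uid"; fi
    done < "$table"
}

# check_backends TABLE PORT=UID...  Returns 1 if any port is unowned or misowned.
check_backends() {
    table=$1; shift
    rc=0
    for pair in "$@"; do
        port=${pair%%=*} want=${pair#*=}
        got=$(listener_uids "$table" "$port" | sort -u | tr '\n' ' ')
        got=${got% }
        if [ -z "$got" ]; then
            echo "FAIL $port: no listener"; rc=1
        elif [ "$got" = "$want" ]; then
            echo "OK   $port: uid $want"
        else
            echo "FAIL $port: owned by uid $got, expected $want"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample table: uids 1001/1002/1003 stand in for billy/henry/ralph.
# Port 8002 is held by uid 1003 instead of 1002, and nothing listens on 8003.
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F41 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20001
   1: 00000000:1F42 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1003        0 20002
   2: 0D0C0B0A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003
EOF
}

tmp=$(mktemp); sample_table > "$tmp"
check_backends "$tmp" 8001=1001 8002=1002 8003=1003 || echo "backend check failed"
rm -f "$tmp"
# Live use: check_backends /proc/net/tcp "8001=$(id -u billy)" "8002=$(id -u henry)" "8003=$(id -u ralph)"
```
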
apache, mod_perl, Net::DNAT, Apache::DNAT