user.p0d.org


lighttpd

Tags web

We are (most probably) moving from lighttpd 1.4.26 to nginx. Here are some notes on our setup, for posterity.

Mass virtual hosting

We were using mod_evhost as an elegant solution to our "mass virtual hosting" problem.

The relevant line of lighttpd.conf is:

evhost.path-pattern = "/home/vhost/%0/%3/root/"

It could hardly be simpler.

And we had a directory tree like:

# tree /home/vhost
/home/vhost/
┊
├─ example.com
│   ├─ root -> /home/user1/directory
│   ╰─ www
│       ╰─ root -> /home/user1/directory
├─ example.net
│   ├─ root -> /home/user1/another-directory/web
│   ╰─ www
│       ╰─ root -> /home/user1/another-directory/web
├─ p0d.org
│   ┊
│   ├─ root -> /home/user2/web/p0d.org
│   ├─ user
│   │   ╰─ root -> /home/user2/web/user.p0d.org/www
│   ╰─ www
│       ╰─ root -> ../root
├─ pariscotedazur.com -> pariscotedazur.fr
╰─ pariscotedazur.fr
    ├─ root -> /home/user3/web/pariscotedazur.fr
    ╰─ www
        ╰─ root -> ../root

The base (/home/vhost) rights were:

chmod 0770
chown vhost:vhost

This let every unix user in the "vhost" group create the directories matching their DNS names and add a symlink to their document root in whatever fashion they liked.
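As an added illustration (not code from the page or from lighttpd), here is a small Python model of how the evhost.path-pattern above maps a Host header onto the /home/vhost tree, using the documented %0/%3 substitutions; it also checks that the expanded path stays under the base. The label regex and the port stripping are my own assumptions, not lighttpd's exact validation.

```python
import posixpath
import re

# Same pattern and base as the lighttpd.conf line on this page.
EVHOST_PATTERN = "/home/vhost/%0/%3/root/"
VHOST_BASE = "/home/vhost"

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen
# (assumed validation; lighttpd does its own Host header checks).
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def split_host(host):
    """Split a Host header into mod_evhost placeholders.

    %0 = domain + tld, %1 = tld, %2 = domain without tld,
    %3 / %4 = first / second subdomain label, %_ = whole hostname.
    A missing subdomain expands to "" ("example.com" -> ".../example.com//root/").
    """
    host = host.lower().split(":", 1)[0]          # drop an optional port
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        raise ValueError("invalid Host header: %r" % host)
    return {
        "%_": host,
        "%0": ".".join(labels[-2:]),
        "%1": labels[-1],
        "%2": labels[-2],
        "%3": labels[-3] if len(labels) > 2 else "",
        "%4": labels[-4] if len(labels) > 3 else "",
    }

def expand_pattern(pattern, parts):
    """Single-pass substitution so that '%%' stays a literal '%'."""
    return re.sub(r"%[%_0-9]",
                  lambda m: "%" if m.group(0) == "%%" else parts.get(m.group(0), ""),
                  pattern)

def resolve_docroot(host, pattern=EVHOST_PATTERN, base=VHOST_BASE):
    """Return the normalised document root for a Host header.

    normpath collapses the '//' left by an empty %3 and the trailing slash.
    The containment check is lexical, before symlinks are followed, because
    the 'root' entries in the tree deliberately point outside /home/vhost.
    """
    path = posixpath.normpath(expand_pattern(pattern, split_host(host)))
    if path != base and not path.startswith(base + "/"):
        raise ValueError("document root escapes vhost base: " + path)
    return path
```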

Jail

Obviously lighttpd was put in a chroot as soon as possible. That meant having the following in lighttpd.conf:

server.chroot = "/srv/lighttpd/jail"
server.username = "httpd"
server.groupname = "httpd"
server.pid-file = "/srv/lighttpd/lighttpd.pid"
server.upload-dirs = ( "/tmp" )
server.document-root = "/www"
server.errorlog = "/var/log/error.log"
accesslog.filename = "/var/log/access.log"
userdir.path = "www"
userdir.exclude-user = ( "root" )
userdir.basepath = "/home"

The directory tree was:

# mount | grep lighttpd
/lib64 on /srv/lighttpd/jail/lib type none (ro,bind)
/srv/jail/home on /srv/lighttpd/jail/home type none (rw,bind)
/srv/jail/tmp on /srv/lighttpd/jail/tmp type none (rw,bind)
/srv/mysqld/var/run/mysql on /srv/lighttpd/jail/var/run/mysql type none (ro,bind)
/usr/lib64 on /srv/lighttpd/jail/usr/lib type none (ro,bind)
/usr/local/etc on /srv/lighttpd/jail/usr/local/etc type none (ro,bind)
/usr/local/lib64 on /srv/lighttpd/jail/usr/local/lib type none (ro,bind)
roarfs on /srv/lighttpd/jail/etc type fuse.roarfs (rw,allow_other)
roarfs on /srv/lighttpd/jail/usr/local/bin type fuse.roarfs (rw,allow_other)

# tree -d /srv/lighttpd
/srv/lighttpd/
╰─ jail
   ├─ bin
   ├─ dev
   ├─ etc
   ├─ home
   ┊  ╰─ ...
   ├─ lib
   ├─ lib64 -> lib
   ├─ tmp
   ┊  ╰─ ...
   ├─ usr
   ┊  ╰─ ...
   ├─ var
   ╰─ www

Note

The fuse file system roarfs is a Read-Only Alterable Replica File System made by Maz for our needs. It should be made publicly available soon (a note will be posted on this page).