From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] [OT] Running two apaches and MySQLs on the same server
Date: Thu, 28 May 2009 21:45:28 +0200
Message-ID: <200905282145.28558.alan.mckinnon@gmail.com>
In-Reply-To: <200905282033.04206.michaelkintzios@gmail.com>

On Thursday 28 May 2009 21:33:02 Mick wrote:
> On Thursday 28 May 2009, Alan McKinnon wrote:
> > A chroot jail is of no real use to you here - it's a development tool and
> > amazingly useful for gentoo installs, but has no real security or process
> > separation benefits. So says Alan - not me, a different one.
>
> OK, thanks for this to both of you! :)
>
> > Your problem will be that only one apache instance can run on port 80.
>
> That's no problem.  I can run the payment managing website on a different
> port.
>
> > Your options:
> > 1. Run the ecommerce apache on a different port.
>
> Yep, SSL, different port.
>
> > 2. Install a second NIC with a different IP and bind each apache to port
> > 80 on its own NIC.
>
> How do you do this?

It's in the apache docs, called "IP based virtual hosts" if memory serves.

Basically, you'll modify the standard apache init script and make a copy to be 
able to treat two apaches as separate apps. Instead of simply specifying the 
port, specify an IP and a port in the config. You must use different hostnames 
too obviously, and get this info into DNS.

Start apache-1, start apache-2, voila

> > 3. If you use separate mysqls, run them on different ports.
>
> I'll need to run them using /usr/bin/mysql --options I guess, rather than
> using the /etc/init.d scripts, right?

Yup, two configs, two init scripts, two instances.
Just like apache.

> > However, it's an e-commerce site so one must state the obvious:
> >
> > You must be out of your mind running an ecommerce site on the same
> > machine as other php vhosts. Please give me the URL so I know never to
> > buy there - I have no way of knowing what those vhosts are, who the
> > webmaster is and how secure they are.
>
> Is the fear that one of these apache vhosts installations will be
> compromised and then the ecommerce/payment website will get hacked from the
> inside?

Yes.

You do not ever want people's credit card details exposed or stolen. You need 
to take extraordinary efforts or customers will not trust you.

Any thought you ever have along the lines of "I don't need to do thing X as 
that will not happen" - beware, that's the very time that Murphy makes X 
happen...

> > So I recommend option 4:
> >
> > Pony up the money for server #2
>
> Hmm, yes that's what I was trying to avoid.  ;-)
>
> Would running complete virtual servers to achieve separation be any/much
> better?

It's almost as good as separate hardware, especially if you have a good 
virtual machine system that gives you complete separation of network 
interfaces - either physical or virtual.

If the box can handle the load, I say go with this approach. You have to have 
an enormous site with heaps of users to outrun an average modern server.

-- 
alan dot mckinnon at gmail dot com
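
Added example, not part of the original message: a small check that two Apache instance configs never try to bind the same socket, which is what happens if one of them still says "Listen 80" instead of an IP and a port. The config strings, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample configs (not from the thread). Addresses are RFC 5737
# documentation IPs; one file per Apache instance is assumed.
SHARED_CONF = "Listen 192.0.2.10:80\n"   # instance 1: the other PHP vhosts
SHOP_CONF_BAD = "Listen 80\n"            # instance 2, port only: all addresses
SHOP_CONF_GOOD = "Listen 192.0.2.11:80\n"  # instance 2 bound to its own IP

WILDCARDS = {"", "*", "0.0.0.0", "[::]"}  # simplification: any wildcard = all


def listen_sockets(conf):
    """Return {(address, port)} from Listen directives; '*' means every address."""
    sockets = set()
    for line in conf.splitlines():
        m = re.match(r"\s*Listen\s+(\S+)", line, re.IGNORECASE)
        if m:  # skips comments and other directives such as ListenBacklog
            addr, _, port = m.group(1).rpartition(":")
            sockets.add(("*" if addr in WILDCARDS else addr, int(port)))
    return sockets


def conflicts(conf_a, conf_b):
    """List (addr_a, addr_b, port) pairs that both instances would try to bind."""
    clashes = []
    for addr_a, port_a in listen_sockets(conf_a):
        for addr_b, port_b in listen_sockets(conf_b):
            same_addr = addr_a == addr_b or "*" in (addr_a, addr_b)
            if port_a == port_b and same_addr:
                clashes.append((addr_a, addr_b, port_a))
    return sorted(clashes)


if __name__ == "__main__":
    for name, conf in (("bad", SHOP_CONF_BAD), ("good", SHOP_CONF_GOOD)):
        print(name, conflicts(SHARED_CONF, conf) or "no conflict")
```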


