From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] [OT] Running two apaches and MySQLs on the same server
Date: Thu, 28 May 2009 21:45:28 +0200
In-Reply-To: <200905282033.04206.michaelkintzios@gmail.com>
Message-Id: <200905282145.28558.alan.mckinnon@gmail.com>

On Thursday 28 May 2009 21:33:02 Mick wrote:
> On Thursday 28 May 2009, Alan McKinnon wrote:
> > A chroot jail is of no real use to you here - it's a development tool and
> > amazingly useful for gentoo installs, but has no real security or process
> > separation benefits. So says Alan - not me, a different one.
>
> OK, thanks for this to both of you! :)
>
> > Your problem will be that only one apache instance can run on port 80.
>
> That's no problem. I can run the payment managing website on a different
> port.
>
> > Your options:
> > 1. Run the ecommerce apache on a different port.
>
> Yep, SSL, different port.
>
> > 2. Install a second NIC with a different IP and bind each apache to port
> > 80 on its own NIC.
>
> How do you do this?

It's in the apache docs, called "IP based virtual hosts" if memory serves.

Basically, you'll modify the standard apache init script and make a copy to be able to treat two apaches as separate apps. Instead of simply specifying the port, specify an IP and a port in the config. You must use different hostnames too obviously, and get this info into DNS.

Start apache-1, start apache-2, voila

> > 3. If you use separate mysqls, run them on different ports.
>
> I'll need to run them using /usr/bin/mysql --options I guess, rather than
> using the /etc/init.d scripts, right?

Yup, two configs, two init scripts, two instances. Just like apache.

> > However, it's an e-commerce site so one must state the obvious:
> >
> > You must be out of your mind running an ecommerce site on the same
> > machine as other php vhosts. Please give me the URL so I know never to
> > buy there - I have no way of knowing what those vhosts are, who the
> > webmaster is and how secure they are.
>
> Is the fear that one of these apache vhosts installations will be
> compromised and then the ecommerce/payment website will get hacked from the
> inside?

Yes. You do not ever want people's credit card details exposed or stolen. You need to take extraordinary efforts or customers will not trust you. Any thought you ever have along the lines of "I don't need to do thing X as that will not happen" - beware, that's the very time that Murphy makes X happen...

> > So I recommend option 4:
> >
> > Pony up the money for server #2
>
> Hmm, yes that's what I was trying to avoid. ;-)
>
> Would running complete virtual servers to achieve separation be any/much
> better?

It's almost as good as separate hardware, especially if you have a good virtual machine system that gives you complete separation of network interfaces - either physical or virtual. If the box can handle the load, I say go with this approach. You have to have an enormous site with heaps of users to outrun an average modern server

-- 
alan dot mckinnon at gmail dot com
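An added example (written for this page, not Alan's or the list's own material) of what "specify an IP and a port in the config" and "two configs, two instances" look like in practice: each Apache instance gets its own Listen address and PidFile, the second mysqld gets its own port, socket and datadir, and a small check reports any ip:port that two configs would both try to bind. All IPs, hostnames and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: two Apache instances bound to separate
# IP:port pairs (IP-based virtual hosts), a second mysqld on its own port, and a
# check that no two configs Listen on the same ip:port. Values are constructed.
set -eu

# Instance 1: the ordinary PHP vhosts, bound only to the first NIC's address.
write_general_conf() {   # $1 = output file
    cat > "$1" <<'EOF'
Listen 192.0.2.10:80
PidFile /var/run/apache2-general.pid
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    DocumentRoot /var/www/general/htdocs
</VirtualHost>
EOF
}

# Instance 2: the ecommerce site, SSL only, on the second NIC's address.
# Started as a separate process, e.g.: apache2 -f /etc/apache2/httpd-shop.conf -k start
write_shop_conf() {      # $1 = output file
    cat > "$1" <<'EOF'
Listen 192.0.2.11:443
PidFile /var/run/apache2-shop.pid
<VirtualHost 192.0.2.11:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/apache2/shop.pem
    DocumentRoot /var/www/shop/htdocs
</VirtualHost>
EOF
}

# Second MySQL: own port, socket, datadir and pid file so it never collides
# with the default instance. Start with: mysqld_safe --defaults-file=<this file>
write_shop_mycnf() {     # $1 = output file
    cat > "$1" <<'EOF'
[mysqld]
port     = 3307
socket   = /var/run/mysqld/mysqld-shop.sock
datadir  = /var/lib/mysql-shop
pid-file = /var/run/mysqld/mysqld-shop.pid
EOF
}

# Print every ip:port named in a Listen directive of more than one of the given
# configs; empty output means the instances can start side by side.
listen_conflicts() {
    awk '/^[[:space:]]*Listen[[:space:]]/ { print $2 }' "$@" | sort | uniq -d
}
```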