Improve LAMP security with Apache Proxy commands (1)

In this article, Nick Maynard describes a method to improve the security of LAMP Settings Using the mod_proxy module of Apache. This article focuses on Linux. However, some principles can also be applied to other operating systems.
Apache Software Foundation's HTTP server project is usually called Apache) is a Web server that is dominant on the Internet today, and occupies more than 60% of the market share. Apache servers are part of the increasingly popular LAMP software configuration. LAMP is a free software program in Linux? A Web platform built on open source technologies such as Apache, MySQL, and PHP. In this article, you will learn how to use the mod_proxy module and multiple backend servers to improve LAMP security. I will discuss the advantages and disadvantages of this method and provide a configuration example.
PHP and Apache: Security Challenges
One challenge for LAMP administrators is to provide all the features of the complete PHP system while ensuring a secure environment for all users of the system. Using the Security Mode of PHP is a technology that achieves this goal, but it also excessively limits users, and some PHP applications cannot play a role after the facility is enabled.
The root cause of PHP security problems lies in the configuration methods of most Apache servers. Because most Apache configurations run under the special www-data User ID, all users hosting the Web site must ensure that this user can read their files by default. Therefore, all other users on the system may access all the Web accessible files of a user. Therefore, security vulnerabilities that are not related to you on the system will become a breakthrough in attacking your Web site. If the file or directory must be set to writable by the www-data user, this situation will be more serious.
By using CGI programs, such as programs written in popular languages such as Perl and Python, you can eliminate part of the impact of this problem when using the suEXEC mechanism. To put it simply, suEXEC uses a special intermediate program to execute the CGI program with the user ID of the program owner. For more details, see the link of the article in the reference documents .) This is a very effective mechanism that has been in use for many years.
However, when the mod_php module is used for host hosting, the PHP page is executed as part of the Apache main process. Therefore, they inherit all the creden of the Apache process, and any work they perform on the file system must be executed as www-data users.
Run Apache under multiple user IDs
For the problem described above, the obvious solution is to require that all requests to a user domain come from an Apache instance with only the creden。 of this user. Apache can be configured to obtain any user creden。 at startup. This method can solve the problem by assigning a single combination of Internet-visible IP addresses and ports to each user.
This method is not valid for more complex settings. When a single Apache instance can control a specific combination of IP addresses and ports, only virtual hosts can be used. This is a widely used technology in Apache systems. This eliminates the possibility of making multiple domains of multiple users use the same IP address/port combination.
Apache 2.0 introduces the multiprocessing module and MPM. There is an experimental module perchild In the MPM provided by the Basic Apache 2.0 package. It can allocate a distributor thread to an IP address/port combination, the request is sent to the sub-thread running under the individual user's creden。 to implement the virtual host under multiple user IDs. Unfortunately, perchild is still experimental and may not be useful. It was deleted from the official Apache release package when Apache 2.2 was released. Previously, the Apache community began to develop a number of MPM to make up for this deficiency, recognizing that a stable MPM similar to perchild is still needed. MetuxMPM and process-oriented peruser are working in this direction. For more information about MetuxMPM and peruser MPM, see references ).
One solution: mod_proxy
Although no formal Apache MPM can directly provide virtual hosts under multiple user IDs, it can still be implemented in the Apache system through some configuration and management. The core concept of this method is to use the mod_proxy module, which adds other functions) to enable Apache to forward page requests to other servers and pass the response back to the original client sending the request.
Listing 1. reverse proxy configuration example for basic request forwarding:

ProxyRequests OffProxyPass /foo http://foo.stcore.com/barProxyPassReverse /foo http://foo.stcore.com/bar

The code in Listing 1 is a simple example that forwards requests to any page under the/foo hierarchy of a host to the corresponding page of The http://foo.example.com/bar. For example, requests to the/foo/index.htm page are forwarded to http://foo.example.com/bar/index.htm. This principle can be used to solve the problem.
Example scenario
Let's consider one scenario: the Apache administrator must create two domains for two separate customers. A customer is an online startup enterprise and is very concerned with online security. Another is an individual customer who is loose in site security and may upload Insecure code to the site. Therefore, the Apache administrator must take measures to isolate the two sites.
Therefore, the Administrator has two domains: www. startup. tld, which belongs to the online startup enterprise user ID startup) and www. reckless. tld, which belongs to the personal user ID nimrod ). To solve this problem, the Administrator decided to use the mod_proxy solution. The Administrator gives each user a separate Apache instance. This instance runs under the user's own user ID and uses a private IP Address/port combination, the mod_proxy solution provides access to the two users' domains through a facade server. The server runs as www-data and uses a combination of public IP addresses and ports. Figure 1 illustrates the entire scenario.

Figure 1. Scenario example
Recommended Apache version
For each element in the sample application configuration, the Apache administrator should use the Apache version listed in Table 1.