Apache virtualhost configuration for hosting multiple domains

From Notes_Wiki

Home > CentOS > CentOS 6.x > Apache web server configuration > Apache virtualhost configuration for hosting multiple domains

To host several different domain names such as 'first.example.com' and 'second.example.com' on the same Apache web server, use the NameVirtualHost and VirtualHost directives.

First declare, with the NameVirtualHost directive, that multiple domains will be hosted on a particular IP address. To host multiple domains on all IP addresses of the server, use 'NameVirtualHost *:80', which means that all the Virtual Hosts that follow are served on every IP address.

Many '<VirtualHost> </VirtualHost>' blocks can follow a single 'NameVirtualHost' declaration, one block per domain hosted on the server. Each <VirtualHost> must state which NameVirtualHost declaration it belongs to by carrying the same '*:80' OR '<ip_address>:80' that was given in NameVirtualHost.

Example configuration:

NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin saurabh@example.com
    DocumentRoot /home/new/html
    ServerName new.sbarjatiya.com
    ErrorLog logs/new.sbarjatiya.com-error_log
    CustomLog logs/new.sbarjatiya.com-access_log combined
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin saurabh@example.com
    DocumentRoot /home/energy/html
    ServerName energy.sbarjatiya.com
    ErrorLog logs/energy.sbarjatiya.com-error_log
    CustomLog logs/energy.sbarjatiya.com-access_log combined
</VirtualHost>


Multi-homed server Virtual Hosting configuration

To make some domains such as intranet.sbarjatiya.com reachable only internally, use two NameVirtualHost entries: '*:80' entries for hosts that should be accessible from everywhere and '<local_IP>:80' entries for internal hosts. For example:

NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin saurabh@example.com
    DocumentRoot /home/new/html
    ServerName new.sbarjatiya.com
    ErrorLog logs/new.sbarjatiya.com-error_log
    CustomLog logs/new.sbarjatiya.com-access_log combined
</VirtualHost>

NameVirtualHost 192.168.36.241:80

<VirtualHost 192.168.36.241:80>
    ServerAdmin saurabh@example.com
    DocumentRoot /home/new/html
    ServerName new.sbarjatiya.com
    ErrorLog logs/new.sbarjatiya.com-error_log
    CustomLog logs/new.sbarjatiya.com-access_log combined
</VirtualHost>

<VirtualHost 192.168.36.241:80>
    ServerAdmin saurabh@example.com
    DocumentRoot /home/intranet_test/html
    ServerName intranet.sbarjatiya.com
    ErrorLog logs/intranet.sbarjatiya.com-error_log
    CustomLog logs/intranet.sbarjatiya.com-access_log combined
</VirtualHost>

The entries under *:80 must be repeated under <IP>:80 too, otherwise those VirtualHosts won't work when the server is accessed at the local IP. When a client sends an IP address instead of a domain name (so no ServerName matches), the first virtual host for that address is served. Hence the most important virtual host, or a dummy one, should be the first <VirtualHost> that follows the 'NameVirtualHost' declaration.
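As an added check that is not part of the original wiki page, the following Python script parses a small constructed configuration in the style above and reports the two mistakes the text warns about: a <VirtualHost> whose address has no matching NameVirtualHost, and a name served on *:80 that is missing under the specific IP. It also returns which ServerName is the default (first block) for each address. The sample config, the orphaned 10.0.0.5 block and the finding texts are all constructed here.

```python
import re
# Constructed sample config modelled on the multi-homed example above: the 10.0.0.5 block is
# deliberately orphaned, and new.sbarjatiya.com is deliberately missing under 192.168.36.241:80.
SAMPLE_CONF = """
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName new.sbarjatiya.com
</VirtualHost>
NameVirtualHost 192.168.36.241:80
<VirtualHost 192.168.36.241:80>
    ServerName intranet.sbarjatiya.com
</VirtualHost>
<VirtualHost 10.0.0.5:80>
    ServerName orphan.sbarjatiya.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.M | re.I)
SN_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)

def parse_vhosts(conf):
    """Return (set of NameVirtualHost addr:port, list of (addr:port, ServerName) in file order)."""
    nvh = {m.group(1) for m in NVH_RE.finditer(conf)}
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        sn = SN_RE.search(m.group(2))
        vhosts.append((m.group(1).strip(), sn.group(1) if sn else None))
    return nvh, vhosts

def check_vhosts(conf):
    """Apply the two rules from the text. Returns (sorted findings, default ServerName per
    addr:port, i.e. the first <VirtualHost> for it, served when no ServerName matches)."""
    nvh, vhosts = parse_vhosts(conf)
    findings, names = [], {}            # names: addr:port -> ServerNames in file order
    for addr, sn in vhosts:
        if addr not in nvh:             # rule 1: each <VirtualHost> needs a matching NameVirtualHost
            findings.append(f"{addr}: <VirtualHost {addr}> has no matching NameVirtualHost")
        names.setdefault(addr, []).append(sn)
    for addr, served in names.items():  # rule 2: *:PORT names must be repeated under each IP:PORT
        if not addr.startswith("*:"):
            continue
        for ip_addr in nvh:
            if ip_addr.startswith("*:") or not ip_addr.endswith(":" + addr.split(":")[1]):
                continue
            for sn in served:
                if sn not in names.get(ip_addr, []):
                    findings.append(f"{ip_addr}: {sn} is served on {addr} but missing here")
    return sorted(findings), {addr: served[0] for addr, served in names.items()}
```

Run check_vhosts() over the text of your own httpd.conf to confirm both rules hold before reloading Apache.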


Virtual host security

Since Apache needs to read the files and directories it serves, read and execute permission for 'others' is required on the hosted files. This is a problem when multiple users have access to the system, even only sftp/scp access, because they can use this 'others' permission to read and copy all source files. Worse, those files often contain the username and password used to connect to databases.

To reduce the attack surface we follow these steps:

  1. Remove read permission for others from httpd.conf, where the virtual host configurations are defined. For this do
    1. chown root:apache /etc/httpd/conf/httpd.conf
    2. chmod 640 /etc/httpd/conf/httpd.conf
    3. Run service httpd reload or service httpd restart and check that httpd still works.
    4. Now log in as a normal user and verify that /etc/httpd/conf/httpd.conf can no longer be read.
  2. Do not use UserDir, especially with the name "public_html". With the UserDir directive every user can guess the name of the hosting directory inside each home directory. Hence do not use the UserDir directive; instead specify a different hosting directory name for each user.
    For example, for user 'a' with domain 'a.xyz.com' the DocumentRoot can be /home/a/secret1 and for user 'b' with domain b.xyz.com the DocumentRoot can be /home/b/another_secret. As long as users a and b do not disclose their DocumentRoot paths, others cannot guess the DocumentRoot.
    In this case the home folders should be owned by users 'a' and 'b' respectively (user owner and group owner), and others should have only execute ('x') and no read ('r') permission on the home folders.
  3. Finally disable ssh access for these users for additional safety. If sftp/scp access is required, change their shell to 'rssh' (rssh needs to be installed using yum).
  4. We can also set up an ssh chroot environment and SELinux policies for each user for even better protection, but those advanced topics require a lot of work.
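As an added audit that is not from the original page, this Python script checks the permission bits required by steps 1 and 2 above and demonstrates them on a constructed temporary layout with the users 'a' and 'b' from the text. All paths and file contents are constructed; ownership (root:apache) is not checked because the demo does not run as root.

```python
import os
import stat
import tempfile

def audit_httpd_conf(path):
    """Step 1: httpd.conf is meant to be root:apache mode 640, so 'others' must hold no
    permission bits at all (ownership is not checked here; the demo is not run as root)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IRWXO:
        return [f"{path}: mode {mode:o} lets other users read the virtual host configuration"]
    return []

def audit_home_dir(home):
    """Step 2: a user's home must be traversable (x) by others so Apache can reach the
    DocumentRoot, but not listable (r), so nobody can discover the DocumentRoot name."""
    mode = stat.S_IMODE(os.stat(home).st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append(f"{home}: mode {mode:o} lets others list the home and learn the DocumentRoot name")
    if not mode & stat.S_IXOTH:
        findings.append(f"{home}: mode {mode:o} lacks 'x' for others, so Apache cannot enter it")
    return findings

def demo():
    """Constructed layout in a temp dir mirroring users 'a' and 'b' from the text.
    Returns the findings before and after the fixes from steps 1 and 2 are applied."""
    root = tempfile.mkdtemp()
    conf = os.path.join(root, "httpd.conf")
    with open(conf, "w") as fh:
        fh.write("NameVirtualHost *:80\n")   # constructed content, not a real config
    os.chmod(conf, 0o644)                     # the weak default: world-readable
    home_a = os.path.join(root, "a")          # DocumentRoot would be /home/a/secret1
    os.makedirs(os.path.join(home_a, "secret1"))
    os.chmod(home_a, 0o711)                   # as the text prescribes: x but no r for others
    home_b = os.path.join(root, "b")          # DocumentRoot would be /home/b/another_secret
    os.makedirs(os.path.join(home_b, "another_secret"))
    os.chmod(home_b, 0o755)                   # typical default: others can list it
    before = audit_httpd_conf(conf) + audit_home_dir(home_a) + audit_home_dir(home_b)
    os.chmod(conf, 0o640)                     # step 1.2 from the text
    os.chmod(home_b, 0o711)                   # step 2 fix for user b
    after = audit_httpd_conf(conf) + audit_home_dir(home_a) + audit_home_dir(home_b)
    return before, after
```

On a real server, call audit_httpd_conf('/etc/httpd/conf/httpd.conf') and audit_home_dir() on each hosting user's home directory.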
