Server Structure News EMAIL .. chat here!
Here's the circular I sent out .. tips and so on appreciated.
##########
* Users and Groups
* Web Directory
* Stackscripts
* Nginx version
* PHP update

##Users and Groups
Up to now, vpsBible's setup of users and groups has not been as scalable as it might be and, procrastination aside, this is an issue I have been toying with. Here are the changes I have made and would recommend all of you to consider implementing or at least to be aware of, particularly if you have a few sites with various web applications. First some theory ..
#Who owns the web files?
You should. Not the webserver, not any other user. This is a security thing.
Then again, the web server often needs access to read and write web files.
So. Short of implementing relatively complicated "security in depth" strategies (such as chroot'ing, suPHP and Grsecurity kernel hardening .. all of which the bible will be addressing, by the way), here is my recommendation ..
Make a third party group such as "webmasters" your web files' group owner and add trusted users such as Nginx or Apache to that group, and perhaps add members of your web development team.
Now we have a structure like this:-
type  perms  user  group
file  644    USER  webmasters
dir   755    USER  webmasters

NOTE: some file permissions can be reduced and, in the case of database-connecting configuration files, that's better. (vpsB's wp-config.php is "040".) Always test applications with "least privilege permissions" and elevate from there as required. 777 permissions are never acceptable.
There is a useful permissions calculator at Guvnr:-
Permissions calculator - http://guvnr.com/chmod.html
#Implementing Users, Groups and Permissions
To add users such as Nginx (www-data) to webmasters do this:-
sudo usermod -a -G webmasters www-data
Then, to ensure the correct permissions to your web directory do this:-
sudo find /path/to/public_html/ -type d -exec chmod 755 {} \;
sudo find /path/to/public_html/ -type f -exec chmod 644 {} \;
sudo find /path/to/public_html/ -exec chown -R USER:webmasters {} \;
.. changing the paths and your username. Then tweak individual special files to lower permissions.
Anyway, the above is a more scalable multi-site solution.
##Web Directory
I have changed this too, again to be more scalable for those who add sites and new human users with their own sites. The web directory used to be at:-
/home/public_html
I have changed this to:-
/home/USER/public_html
Both the above changes are now reflected in all vpsBible docs.
If you want to keep to /home/public_html, fine, just replace any future vpsB mentions of /home/USER/public_html with /home/public_html. You can use both, by the way .. your web server will find whatever root directive is mentioned in your virtual host files.
##Nginx Version
We're at 0.7.67 now so if you haven't upgraded in a few versions you may like to recompile. This guide will show you how:-
Upgrade to Nginx Latest Version with ZERO Downtime - http://vpsbible.com/web-servers/upgrade-nginx/
At some stage I'll be turning that tutorial into a script to automate this process.
##PHP update
The PHP-FPM script can be improved. This is more important than anything else in the bible right now.
I'm playing with new code now and will introduce this in early August, reflecting all relevant docs and along with a script to automatically recompile.
##Stackscripts
While writing, you may like to know that the existing stackscripts (LEMP Ubuntu and LEMP Debian) have had their corresponding notes totally rewritten and are hopefully much clearer. They have a new modular format too so are more easily maintained which helps us all, particularly with a growing library.
#Authentication key problems
Also I have added "Lite" equivalents to these stacks, so that now you can run the scripts without the authentication key option to make the install easier and without the possibility of getting locked out .. in that case I strongly recommend (for most) adding the authentication key afterwards and disabling password terminal login (see any script's notes).
#New Scripts
There are also new scripts for LAMP now, using Apache. No cringing! I intend to run benchmarking between Apache and Nginx in due course although this is not a priority.
The "Stackscripts Index Page" - http://vpsbible.com/vps-setup-guides/stackscripts/stackscripts-index/ - contains 7 scripts so far and explains the differences. That index is now linked directly from the Stacks' box on the homepage. The index page itself needs a little work but the stacks are pretty hot and massive time-savers.
Posted 1 year ago # -
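An added example, not part of the original post or of vpsBible's scripts: a read-only audit that reports anything in a web root that departs from the USER:webmasters, 644/755 layout described in the post above. The function name audit_webroot and the OWNERSHIP / DIR-LOOSE / FILE-LOOSE labels are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (not from the original post): audit a web root against the
# layout described above. audit_webroot and its labels are hypothetical names.
# Usage: audit_webroot ROOT OWNER GROUP   (names or numeric ids)
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_webroot() {
    root=$1; owner=$2; group=$3
    findings=$(
        # Anything not owned by USER:webmasters.
        find "$root" \( ! -user "$owner" -o ! -group "$group" \) -print |
            sed 's/^/OWNERSHIP /'
        # Directories looser than 755 (group or other may write).
        find "$root" -type d \( -perm -0020 -o -perm -0002 \) -print |
            sed 's/^/DIR-LOOSE /'
        # Files with any bit beyond 644: execute bits, group/other write.
        # Tighter modes (for example a 640 config file) pass.
        find "$root" -type f \( -perm -0100 -o -perm -0020 -o -perm -0010 \
            -o -perm -0002 -o -perm -0001 \) -print |
            sed 's/^/FILE-LOOSE /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run directly, e.g.: sh audit.sh /home/USER/public_html USER webmasters
if [ "$#" -eq 3 ]; then
    audit_webroot "$@"
fi
```

It changes nothing on disk, so it can be run before and after the chmod/chown commands to see what they fixed. If find reports an unknown user or group name on stderr, correct the name and rerun, because the ownership check did not run.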
Maybe stick the commands in this email / post so people don't have to go looking for how to "Make a third party group such as "webmasters"?
Great email though!
Posted 1 year ago # -
sure Andy:-
addgroup webmasters
Posted 1 year ago #
