What is the best way to allow users to publish their html?
I am a relative newcomer to the VPS world and would appreciate any advice on how to securely allow users to upload their web site content.
I followed the Linode instructions on setting up apache2 on Ubuntu Karmic, which resulted in having the virtual domains' web content under /srv/www/domain-name/public_html, and all of those files are currently owned by root.
I need to figure out how to allow access to this directory structure or, maybe better, have each user publish to their /home directory and configure Apache accordingly.
Then the question would be: do I install a secure FTP server or force them to learn how to use WinSCP, etc.?
Thanks in advance for any advice on this topic.
I am reading all of the great Linode documentation and user forum posts as fast as I can!
5 Replies
I ONLY have secure methods of accessing my server. No FTP or IMAP/POP/SMTP in the clear. If the password is sent, it is encrypted. This requires an SSL cert; I first made a self-signed one, but now am on the $30 GoDaddy cert plan. I use this cert for all my stuff and FORCE the method. It was tricky to set up but I feel well worth it.
So they use WinSCP on Windows or Fugu on Mac.
I set up the websites inside their home directories. For this example the user will be leroy and the site will be example.com.
The directory looks like this:
/home/leroy/www/example.com/htdocs/
/home/leroy/www/example.com/logs/
I then set the webserver to point the document root to the htdocs directory and the logs into the logs directory. For multiple sites I make multiple directories with the domain name.
Only once this bit me when the user deleted his logs directory, it dorked up the server. I could probably do some permission-fu to prevent this, but in several years this was my only problem.
I even set up my personal sites this way, under my user account, the same way. So I only need to log in as me to access my websites. Nothing is in the default location.
There is probably some security risk, but I don't know.
Should you decide to do so anyways, I recommend public-key authentication, and moving SSH to another port.
You can have FTPS instead which is essentially FTP over SSL/TLS. For that you need a certificate which you can build yourself (google for openssl self signed certificate). That will allow you to encrypt the FTP command channel, or both command and data.
I strongly recommend you have local users per domain and set up FTP to use the local user database. That way you should have the /home/
@Azathoth:
I recommend FTP-only access for your users. If you want SFTP, that's essentially FTP over SSH, meaning you need to give them ssh access as well.
SSH access != having a shell. There are plenty of ssh_config(5) options to disable shells, port forwarding, all that other stuff besides ssh.
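The point made in the last reply, as an added example that is not part of the original thread: a server-side fragment using directives from sshd_config(5) that gives publishing accounts SFTP without a shell or forwarding. The group name `sftponly` is an assumption; the home-directory layout is the one described earlier in the thread.

```conf
# /etc/ssh/sshd_config -- added example; "sftponly" is a hypothetical group
# that holds the web-publishing accounts (e.g. leroy).

# Use the SFTP server built into sshd so no helper binary is needed inside
# the chroot. Replace any existing "Subsystem sftp" line rather than adding
# a second one.
Subsystem sftp internal-sftp

# Match blocks must come after the global settings, at the end of the file.
Match Group sftponly
    # Every session runs the SFTP server regardless of what the client
    # requests, so the account never gets an interactive shell.
    ForceCommand internal-sftp

    # Confine the session to the user's home directory. sshd refuses the
    # login unless this directory and every parent are owned by root and
    # not writable by group or others.
    ChrootDirectory %h

    # Disable the other things an SSH login could otherwise do.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

    # Keys only, matching the public-key recommendation in the thread.
    PasswordAuthentication no
```

With this in place /home/leroy itself has to be root-owned, while leroy owns /home/leroy/www/example.com/htdocs and uploads there. Run `sshd -t` to validate the file before reloading the daemon.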