Best practice for web server setup?

Hi All,

I am wondering if anyone can point me in the right direction for setting up my company web server..

The basics are that I am setting up an Ubuntu 10.04 web server on a Linode 512.. The server will run our internal web-based applications and database being accessible from all our business locations.. It will also at some point in the future host the company website with a customer portal so customers can manage their requirements themselves (in other words the site will link to the company database on the server).. I don't expect any real volume through the server at all, certainly not thousands of hits per day..

In addition to this I want to set up a development site for continued development and testing of the applications and website that can then be copied to the live site when testing is complete..

So I will probably have something like three virtual servers being www.dom.tld, internal.dom.tld and dev.dom.tld..

No need for email or ftp or any other services really at this point..

Setting up the Ubuntu box and using "tasksel" to create the LAMP server is easy enough.. What I am looking at more specifically is setting up the virtual hosts for the various sites..

Is it recommended to create user accounts for each function, i.e. internal, www and dev, and then set up a public_html directory in each home directory and get Apache to serve the files from there? Or should I just create subdirectories of /var/www and put them all there to avoid problems running the sites (permissions etc..)?

Or would I be better off with something like ISPconfig to create the sites and manage the server?

Any suggestions or things to look out for would be appreciated..

14 Replies

The guide in the library covers virtual hosts. With only a few sites, ISPConfig is overkill.

http://library.linode.com/lamp-guides/ubuntu-10.04-lucid/

> Setting up the Ubuntu box and using "tasksel" to create the LAMP server is easy enough.

+1 for this. I don't think this gets mentioned enough.

@glg:

> The guide in the library covers virtual hosts. With only a few sites, ISPConfig is overkill.
>
> http://library.linode.com/lamp-guides/ubuntu-10.04-lucid/

So as per the guide you recommend having the web files all under /var/www rather than in the home directories of individual users?

@wipeout:

> @glg:
>
> > The guide in the library covers virtual hosts. With only a few sites, ISPConfig is overkill.
> >
> > http://library.linode.com/lamp-guides/ubuntu-10.04-lucid/
>
> So as per the guide you recommend having the web files all under /var/www rather than in the home directories of individual users?

The guide suggests /srv/www, the idea being that /srv would be its own mount point.

I personally have my web files in /home/; it's mainly personal preference.

On my oldest servers, it's /var/www. Since the reasoning behind /srv was explained to me, I've mostly done /srv/www on my deployments, but a larger deployment I inherited uses /home/www. I have found that it doesn't make a lick of difference, and even if you forget where which is, figuring it out and correcting isn't a big delay.

Just don't do something crazy like /usr/local/www or /www or, god forbid, /something/html.

The 'pedia has a good table summarizing the Filesystem Hierarchy Standard, a document which has effectively removed all barriers to compatibility between different platforms and distributions, and has caused more and bloodier wars than anything else in the history of Linux:

http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard

@hoopycat:

> I have found that it doesn't make a lick of difference.

Ok, so far so good, but then you say…

@hoopycat:

> Just don't do something crazy like /usr/local/www or /www

If it doesn't make a bit of difference, then why is /www bad?

@hoopycat:

> http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard

Huh, there's at least one mistake on that page (mistakes? In Wikipedia? Say it ain't so!)

/usr/local need not be local to the machine; the standard merely says "locally". I was part of the original FSSTND group (yeah, you can blame me if you want) and there we'd said "local" was along the lines of "local to the admin" so it could be site-local or machine-local or whatever; it was out of the control of the OS distributor and up to the local admins as to what they wanted to do with it.

I admit we could have been a little bit clearer on that :-)

Thanks for the replies and discussion.. Think I am going to go with public_html directories under home directories and see where that leads.. :)

I'm new to Linode as well and the same question occurred to me while setting my server up - I'm glad people are talking about it. Though I'm comfortable with the CLI and config files, I've used mostly cPanel so I'm used to serving sites from /home/user-name/public_html.

I asked in IRC and someone mentioned (as was said here) it's basically a matter of preference… but then said in regard to /home/user-name/public_html, that it "requires traverse rights for everyone into home directories, which might be worse off security-wise", and didn't end up explaining further. Are there security implications for running sites from inside the user's home directory versus /srv/www? If I made /srv/www/user-name the home directory, would that cause the same issue? I'm mostly hoping for my users to be able to SFTP in and end up at the right place to work with the website files, and not have to jump around to another part of the file system after connecting. Would a symlink from their home dir into the website files be a good move?

Directly related to the question of folder structure for serving websites, is what are the appropriate user:group and permissions that the website folder should be running under, to ensure proper security and functionality? Should users be added to the www-data group or anything like that?

Anyhow, again glad people are discussing this question right when I was wondering about it myself.

Thanks in advance for your advice!

@jzimmerlin:

> > Setting up the Ubuntu box and using "tasksel" to create the LAMP server is easy enough.
>
> +1 for this. I don't think this gets mentioned enough.

tasksel is going to install Apache with its default, memory-hungry config.

I would definitely recommend using the LAMP StackScript to deploy your base LAMP stack. It will configure Apache/MySQL to use a much more reasonable amount of memory.

@JshWright:

> tasksel is going to install Apache with its default, memory-hungry config.
>
> I would definitely recommend using the LAMP StackScript to deploy your base LAMP stack. It will configure Apache/MySQL to use a much more reasonable amount of memory.

Good point. I always have to tune my Apache config, which isn't really a big deal, but worth noting.

Davidn, the permissions thing was also an issue I was trying to solve.. I think I have the answer which is to use mpm-itk which allows you to specify in the virtual host config which user and group to run the files as.. I haven't tested it yet but think it should work..

http://library.linode.com/web-servers/apache/php-cgi/ubuntu-10.04-lucid#enablingthequotitkquotmessagepassing_module

> I asked in IRC and someone mentioned (as was said here) it's basically a matter of preference… but then said in regard to /home/user-name/public_html, that it "requires traverse rights for everyone into home directories, which might be worse off security-wise", and didn't end up explaining further. Are there security implications for running sites from inside the user's home directory versus /srv/www? If I made /srv/www/user-name the home directory, would that cause the same issue? I'm mostly hoping for my users to be able to SFTP in and end up at the right place to work with the website files, and not have to jump around to another part of the file system after connecting. Would a symlink from their home dir into the website files be a good move?

Stick your web files in /home/ and set up sftp jails http://library.linode.com/security/sftp-jails/

That way your users will automatically be shown their home directory when they log in and can't wander around the file system.

> Directly related to the question of folder structure for serving websites, is what are the appropriate user:group and permissions that the website folder should be running under, to ensure proper security and functionality? Should users be added to the www-data group or anything like that?

No, the default umask for your users will be 022, which means the owner can read/write and others/group can just read; the others reading will allow the web server to do its job.
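The "traverse rights for everyone into home directories" point raised above depends on the "other" permission bits of every directory between the filesystem root and the document root. The following is an added example, not part of any post in this thread: it classifies each directory in that chain as `list`, `traverse` or `none` for an account that is neither owner nor group member. The user name `alice` and the temporary tree are constructed for the demonstration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: reads directory mode bits only; the sample tree is constructed.

# other_bits DIR: print the three "other" permission characters, e.g. "r-x".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# classify DIR: what an account that is neither owner nor group member
# (assumed here to be the web server account) may do with DIR.
classify() {
    case "$(other_bits "$1")" in
        r?[xt]) echo list ;;      # may enter and list file names
        -?[xt]) echo traverse ;;  # may pass through to a path it already knows
        *)      echo none ;;      # may not enter at all
    esac
}

# audit_chain BASE DOCROOT: print "class path" for every directory from BASE
# down to DOCROOT; return 1 if any of them shuts "other" accounts out.
audit_chain() {
    dir=$1; rel=${2#"$1"}; rc=0
    old_ifs=$IFS; IFS=/
    set -- $rel                   # split the part below BASE on "/"
    IFS=$old_ifs
    for part in . "$@"; do
        [ -n "$part" ] || continue
        [ "$part" = . ] || dir=$dir/$part
        c=$(classify "$dir")
        echo "$c $dir"
        [ "$c" != none ] || rc=1
    done
    return "$rc"
}

# make_sample_tree MODE: constructed home/alice/public_html tree in a temp
# dir, with MODE applied to the home directory; prints the base path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/home/alice/public_html"
    chmod 755 "$t" "$t/home" "$t/home/alice/public_html"
    chmod "$1" "$t/home/alice"
    echo "$t"
}

base=$(make_sample_tree 711)      # 711: others may traverse but not list
audit_chain "$base" "$base/home/alice/public_html"
rm -rf "$base"
```

A `none` line anywhere in the chain means a web server running as www-data cannot reach the site, while `list` on a home directory means every local account can see its file names. The script looks at classic mode bits only and does not account for ACLs.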
