Setting up a shared SSL server

Hello,

We recently got set up on a new dedicated server, RedHat/Linux6.2 w/Apache mod_ssl and OpenSSL. We are currently applying for a single SSL certification for our domain. We would like to set up our SSL cert so that we can allow our customers who wish to use our certificate to do so, plus assign them their own ssl folder to upload HTML docs and custom cgi scripts on our server. I was told this can be done by setting it up in the manner noted below. If someone has done this, could you please explain the best way to set this up and maintain good security on the server? Or is this not recommended, and should we apply for the multi-SSL cert?

Setting up a shared SSL server:
We run a separate web server daemon for our ssl web server and it runs under
a user and group called ssl and ssl. With this, coupled with creating
individual users for each ssl account, the security can be completely secure.
So each directory off of /ssl/htdocs is owned by its own username and has
the group setting as ssl. This is what makes it secure and allows the usage of
scripts to run, not to mention the group settings in the group file. Now
that's not to say that it could not be made insecure; all it takes is for
some account owner to alter their directory permission and voilà, now
their directory is potentially readable by others. I suppose that a script
designed to be used for malicious purposes could be used to try to read from
the other directories, but as we monitor the servers we have programs, i.e.
scripts, that check for exploits every couple of hours and I would be
notified via email if this were to occur.

Appreciate any info or feedback on this.

Mickalo
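
The periodic check the post mentions could look like the following added example, which is not part of the original post and is not the poster's own monitoring script. It assumes the layout described above (one directory per account under a root such as /ssl/htdocs, group set to the daemon's group); the function name and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit per-account docroots under a shared SSL root.
# Assumed layout (from the post): ROOT/<account> is owned by that account's
# user, has the web daemon's group, and grants nothing to "other".
# Needs GNU stat and find, as shipped on Linux.

audit_docroots() {
    root=$1 want_group=$2
    for dir in "$root"/*; do
        name=${dir##*/}
        if [ -L "$dir" ]; then
            # A symlinked docroot can point outside the audited tree.
            echo "SYMLINK $name"
            continue
        fi
        [ -d "$dir" ] || continue
        set -- $(stat -c '%u %G %a' "$dir")
        uid=$1 group=$2 mode=$3
        [ "$group" = "$want_group" ] || echo "GROUP $name group=$group"
        # The last octal digit holds the bits for "other"; anything but 0
        # lets other accounts on the box list, enter or write the docroot.
        case $mode in
            *0) ;;
            *)  echo "OTHER-ACCESS $name mode=$mode" ;;
        esac
        # Entries loosened inside the docroot: exposed as soon as the top
        # directory itself is opened up. Symlinks always show mode 777.
        find "$dir" -mindepth 1 ! -type l \
            \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec echo "OTHER-ACCESS-INSIDE" {} \;
        # Content not owned by the account that owns the docroot.
        find "$dir" -mindepth 1 ! -user "$uid" -exec echo "FOREIGN-OWNER" {} \;
    done
    return 0
}

# Run as: sh audit.sh /ssl/htdocs ssl   (no output means no findings)
if [ "$#" -ge 2 ]; then
    audit_docroots "$1" "$2"
fi
```

Run from cron, any output can be mailed to the administrator, which matches the "every couple of hours" notification described in the post.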
