Support for user webspace

#1 Mon, 10/25/2010 - 23:12
hwy-admin

I am in the process of evaluating virtualmin as a replacement for an ISPConfig installation that we currently run. I have run up against a small problem in doing so.

Currently, our hosting server hosts a domain, the purpose of which is to give users a small amount of personal webspace, as most ISPs do.

So, each user may upload a website and view it at http://domain_name/~username

Our ISPConfig server does this by default and without any trouble. I have had difficulty in achieving the same with virtualmin. I have created a virtual server for a test domain and have created a couple of users under it. I have UserDir enabled and configured. It would appear to work for the admin user of the domain, but will not do so for the other users. It appears to me that in using http://domain_name/~adminuser, what I am getting is the webroot of the domain, rather than webspace belonging solely to the admin user.

I guess my question is, does virtualmin work in this fashion, or am I trying to make it work in a way in which it was not designed to? It would seem odd to me for it not to work in this manner as it has been a standard configuration for ISPs for many years.

Cheers,

David.

Tue, 10/26/2010 - 00:26
andreychek

We generally recommend against using the http://domain.com~/username system... it's considered insecure, and even the makers of the Apache module that allows that recommend against its use.

In place of that, what I'd recommend doing is setting up an alias... so your user could access their files using:

http://username.domain.com

You can have Virtualmin automatically set up an alias like the above for each new domain by going into System Settings -> Server Templates -> Default -> Virtual Server Creation, and set "Automatically create alias domain".

Would that do what you're after?

It is indeed possible to use the ~/username system if you'd truly prefer that, but the above is what we'd recommend.

-Eric

Wed, 10/27/2010 - 17:59 (Reply to #2)
hwy-admin

Hi Eric and others,

Thank you for your advice. In looking through virtualmin I noticed that I can create a user for a virtual server and in the "Quota and home directory settings" select "Subdirectory of server's home" and set it to public_html/username. It will create a directory for the user under the public_html directory for the domain. I can restrict the user to his home directory when using ftp, however without changing the permissions on the user's directory under public_html it is not accessible by browser. The permissions on the created directory are 700. Is there a reason for this? It would seem to me that this being a suggested use the permissions should at least allow the directory to be readable by the group? Is there somewhere that I can change the default permissions for such directories?

Cheers,

David.

Wed, 10/27/2010 - 23:18 (Reply to #3)
andreychek

Hi David,

Are you looking to set up an FTP upload user... a user whose primary purpose would be for uploading files, and doesn't require email?

If that's the case, you may want to have a peek at "Edit Mail and FTP Users" -> "Add a website FTP access user".

That will create a user whose home directory is under public_html.

-Eric

Thu, 10/28/2010 - 17:55 (Reply to #4)
Locutus

Sorry Eric, but at least in the GPL version that does not work for me.. When I specify a non-existing directory for a new FTP user, I get this error message:

"Failed to save mailbox : Home directory must be an existing directory for website FTP users"

When creating an Email/FTP user, I can specify a non-existing directory, and that will get created, relative to the server's home directory. And indeed ownership is set to "emailuser:domainuser", and the permissions to 700. Apparently, this feature is not supposed to be used for website users! Note e.g. that in the directory you specify there, a subdirectory "Maildir" is created. You probably do not want the email sent to that new user to be accessible to the whole world via web browser. :)

Thu, 10/28/2010 - 19:13 (Reply to #5)
hwy-admin

Hi Eric,

I thought that I would try clarifying what we are looking to achieve. We have a subdomain which we use for our customers' personal webspace.

Currently each user has only ftp access under that subdomain, email is handled separately and on another server.

Each user can ftp files to their webspace and can access it via http://sub.domain/~username.

I am not now so worried about whether we can use the tilde format, I am happy if we can set it up http://sub.domain/username. I tried creating a "website FTP access user", but I too received an error when trying to create the user's directory under public_html. I did not receive that error when creating a Mail and FTP user, and the user's directory was created under public_html, however with permissions that made it inaccessible via web browser.

I am simply looking to be able to create users for a domain and allow them some personal space under that domain that is accessible to the web and they must be jailed within their own user space.

If these are simply features unavailable in the GPL version then our problems may be solved, we have decided to take out a Pro licence and now have it up and running and ready to use.

Cheers,

David.

*** further to the above

I have tried to set up an FTP user using the "Add a website FTP access user" link to the right of the Mail and FTP Users screen.

Under the "Quota and home directory settings" section I have selected "Website subdirectory"

I have tried the following as the input for that setting

public_html/username

username

Each time I receive an error:

Failed to save mailbox : Home directory must be an existing directory for website FTP users

Cheers,

David.

Thu, 10/28/2010 - 19:27 (Reply to #6)
Locutus

One simple solution would be:

First, manually create the directory "~username" for the user, under "public_html".

Then create the user via "Add Website FTP access user" function, giving them the directory you previously created.

Then modify the ownership and permissions of the directory to "customeruser:domainmasteruser" and 750.

Thus the customer user has FTP read/write access to their subdirectory (and nothing else), while the webserver has read access and can serve the place. :)

Be aware though that, if you allow your customers to upload PHP stuff, the scripts get executed as the domain master user and potentially can attain access to all other customers' subdirectories. (This applies if you're using FCGId. If you're using the Apache mod_php, then PHP is running as the Apache user and potentially has access to all domains anyway, which you should only do if you trust all domain users on your system.)
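
Added example, not part of the original thread: a small audit of the layout discussed above, flagging per-customer directories under public_html that are not mode 750 (the 700 default and world-readable cases) or that contain a Maildir. The directory names and the sample tree are constructed, and GNU or BSD stat is assumed.

```shell
#!/bin/sh
# Added example: audit per-customer directories under a domain's public_html.
# Directory and user names are constructed; GNU or BSD stat is assumed.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# audit_userdirs WEBROOT: print one FINDING line per problem, return 1 if any.
audit_userdirs() {
    au_found=0
    for au_dir in "$1"/*/; do
        [ -d "$au_dir" ] || continue
        au_dir=${au_dir%/}
        au_mode=$(mode_of "$au_dir")
        au_other=$((au_mode % 10))        # last octal digit: everyone else
        au_group=$((au_mode / 10 % 10))   # middle octal digit: group
        if [ "$au_other" -ne 0 ]; then
            echo "FINDING $au_dir: mode $au_mode is open to other local accounts"
            au_found=$((au_found + 1))
        fi
        if [ $((au_group & 5)) -ne 5 ]; then
            echo "FINDING $au_dir: mode $au_mode gives the group no r-x (750 expected)"
            au_found=$((au_found + 1))
        fi
        if [ -d "$au_dir/Maildir" ]; then
            echo "FINDING $au_dir: contains Maildir, mail would sit inside the web root"
            au_found=$((au_found + 1))
        fi
    done
    [ "$au_found" -eq 0 ]
}

# Constructed sample tree standing in for a domain's public_html.
make_sample() {
    ms_root=$(mktemp -d)
    mkdir -p "$ms_root/~alice" "$ms_root/~bob/Maildir" "$ms_root/~carol"
    chmod 750 "$ms_root/~alice"   # layout recommended in the post above
    chmod 700 "$ms_root/~bob"     # Email/FTP user default, with its Maildir
    chmod 755 "$ms_root/~carol"   # readable by every local account
    echo "$ms_root"
}

sample=$(make_sample)
audit_userdirs "$sample" || echo "fix the directories listed above"
rm -rf "$sample"
```

The audit checks permission bits only; ownership (customeruser:domainmasteruser in the post above) still has to be confirmed separately, for example with ls -ld.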

Thu, 10/28/2010 - 19:42 (Reply to #7)
hwy-admin

We have thought of that, but we were hoping to be able to have virtualmin manage this without having to set it up manually. In ISPConfig, this just works without any manual intervention.

Cheers,

David.

Fri, 10/29/2010 - 04:38 (Reply to #8)
Locutus

Actually, I have suggested something similar a few days ago (a bit more general though; not especially ~homedir links, but managing Apache Aliases while auto-creating their target directories), and this is the third or fourth thread where a corresponding request comes up.

While I myself don't necessarily need that feature, maybe the coders can be bugged to implement it when sufficient users ask for it. ;)

Fri, 10/29/2010 - 18:55 (Reply to #9)
andreychek

Hi David,

After speaking with Jamie, one of the problems with the ~/username setup is that particular setup prevents the CGI/FCGID + suexec setup from working.

It may, however, work with mod_php, but that's a less secure setup.

An alternative that may do what you guys are after would be to create a new Virtual Server for each user account you guys have.

Let's say that your domain is "ispdomain.com", and that a customer came to you asking for the username "myuser".

To set up their account, you could create a new top-level Virtual Server named "myuser.ispdomain.com".

That would give the user a private email account, and also public web space they can access by going to "myuser.ispdomain.com".

If you wanted to create additional email mailboxes under their account, you could do that.

Also, if at some point in the future the user asks for their own domain name, it'd be simple to set up "customer_domain.tld" as an alias for "myuser.ispdomain.com".

Would that do what you're after?

-Eric

Mon, 11/01/2010 - 08:37 (Reply to #10)
mudgee.garry

Hi Eric & others, thanks for your advice, it is appreciated. :)

I thought I would try to clear this up a little.

We are an ISP, we provide Internet Access, we also do a number of other things, one being Domain delegation & Hosting.

The accounts/users in concern get a free basic home page with their Internet Access account. Like all ISPs that have been around for a while, this webspace was always provided as: ispdomain.com/~user This user being a unique unix user, nothing fancy.

The next service level, is a paid service, a sub domain, provided as: user.ispdomain.com to avail the customer of a budget priced way of personalization of web & email address.

The next level, the one we mostly all deal with: theredomain.com

We know this can be set up in a number of ways, as we have done so for the past 13yrs on a number of different linux servers. But now, as we are setting this up under Virtualmin Pro, we are looking for the best way to achieve our goal utilizing the Virtualmin CP.

Accounts in concern, the old free basic personal webspace accounts, should not require DNS delegation or be provided with a free virtual domain. They do not need an email account, as this is handled on our ISPdomain mail server.

Perhaps create a sub = my.ispdomain.com

User webspace at my.ispdomain.com/user

Redirect match to handle the 'my' & '~' for existing/old URL referencing, new accounts not required.

If security is an issue, add 'php_value engine off' in Virtual hosts file for 'my.ispdomain.com'

Cheers

Garry

PS I work with David.

Tue, 10/26/2010 - 03:31
Locutus

Hmm, is that maybe a Pro-only feature? I can't seem to find the template section "System Settings -> Server Templates -> Default -> New User Creation" in the GPL...

"username.domain.com" also rather sounds like a subdomain than an Alias.. Will it auto-create a VMin sub-server? Or an alias server with proper website redirects?

Tue, 10/26/2010 - 09:03
andreychek

Gah, I didn't mean "New User Creation", I meant "Virtual Server Creation". I'll correct that in my post.

It creates a Virtual Server Alias, which by default I believe would be using the ServerAlias Apache directive.

-Eric

Tue, 10/26/2010 - 10:32
Locutus

Please forgive me, but I also cannot seem to find a section named "Virtual Server Creation" in the server templates. :) Where is it supposed to be listed?

Tue, 10/26/2010 - 12:57
andreychek

Hrm, that may indeed be the case.

I'll talk to Jamie about making those options available in the GPL version.

In the meantime, I'll offer that for the use-case described above, it may actually make more sense to just create a Virtual Server named "username.ispdomain.com" rather than what I initially mentioned. If the user in question doesn't have a domain of their own, it's not possible to create an alias that points to it :-)

It is also possible to use the ~/username format, that's part of the Apache mod_userdir module, which simply isn't enabled by default. We don't recommend using it (and neither do the authors of the module :-), but it should work.

-Eric

Tue, 10/26/2010 - 14:33
andreychek

Okay, the feature of having an alias domain automatically be created for each new Virtual Server will be available in the next GPL Virtualmin version.

The biggest use of that feature is for performing testing of a site before DNS has been set up for it (i.e., if the nameservers point elsewhere for the primary domain, you can still test it using that alias).

It's of course still possible to manually create an alias using "Create Virtual Server", this option just simplifies all that.

-Eric

Tue, 10/26/2010 - 16:38
Locutus

Good job there, once more! :)
