The next iteration of our shared web hosting service


#1

The next version of Debian, version 10, Buster, is due out around the middle of 2029 and we should aim to have the next generating of our Webarch Secure Hosting platform ready to roll out for then.

This is a thread to consider what things we need to change / update compared with what we have running on Debian 9, Stretch.

Some ideas:

  • Hosting accounts to be described and provisioned using Ansible rather than text files and shell scripts. Also make maximum use of public Ansible roles.
  • MySQL socket access to be setup for all users (root has this by default on Debian 9) so applications can connect to the database(s) without passwords.
  • Consider running Apache with ITK MPM on port 80 only (we can’t ditch Apache and switch to php-fpm since so many applications depend on .htaccess files so I think we need to stick with mod_php) with a Nginx reverse proxy on port 443, this would enable Ngnix level micro-caching and also HTTP/2 (HTTP/2 can’t be used with ITK MPM).
  • Currently each hosting account can have multiple VirtualHost's however only one type of VirtualHost config can be used per account, for example you can’t have a /home/user/sites/wordpress site and a /home/user/sites/mediawikisite with the respective WordPress and MediaWiki Apache configs — it would be nice to change this however we also need to consider how we are going to describe and sell hosting accounts… I don’t have a good answer for this at the moment.

Any other ideas / suggestions?


#2

If we can avoid using mpm itk or mod_ruid2 and just use core Apache modules I think that would be a good thing (we could then enable HTTP/2 for example) and I think it might be possible if we use suEXEC for CGI and SSI and mod_proxy_fcgi and php-fpm for PHP (see this post on mixing fastcgi and suexec). There might be some complications with the directory structure needed for this and perhaps we might chroot all the users not just SSH users.

The www-data user (Apache) would have to be a member of all the individual users groups (assuming the home directories are 0750 and root:username) and we could perhaps also use access control lists.

Not running mod_php would have the advantage of solving the issue we have had with file descriptors / sockets and another thing we could do to help reduce the number of file descriptors used by Apache is to use one VirtualHost for port 80 and redirect all traffic to port 443.