From: Gabriel Ambuehl <gaml@buz.ch>
Date: Sun, 4 Aug 2002 16:15:21 +0200
To: isp@freebsd.org
Subject: Wanted: transparent HTTP proxy, capable of mapping domains to ports (or the evergoing quest for suid execution of PHP scripts)

Hello,

in the ever-going quest to get secure CGI/PHP (that basically means that PHP and CGI all have to run under the UID of the domain, which is hard to achieve for PHP without running PHP as a standalone interpreter (slooow), as the Apache MPM perchild doesn't (yet, hopefully) work on FreeBSD), we finally came up with something that would basically emulate the functionality of perchild. Basically, the idea is to run a distinct Apache instance for every domain on some arbitrary port (say 2000+) and then have a transparent proxy on port 80 redirect the requests to the correct port. I.e. something like:

1) Outside request arrives on port 80
2) Proxy parses URL and redirects the request to the correct port
3) Apache processes the data and sends it back to the proxy
4) Proxy sends back data to the client

Now the Apache part is doable rather simply, actually. The trouble starts with the proxy, which ideally should be pretty lightweight (and preferably NOT caching) (Apache mod_proxy seems like it could do the job, but Apache isn't the fastest thing for such stuff) AND it needs to leave the source IP alone (so Apache can still log the data). I'm not even sure whether a userland proxy can achieve this (I remember going through a lot of trouble to get stunnel, which supposedly supports transparent proxying, running with our POP3 daemons) or whether this would need to be implemented by means of a kernel module (probably a hack to ipnat could do it).

I'd like to hear any comments on this as well as on other approaches to get PHP scripts running under the owner's uid.

TIA & regards,
Gabriel
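The four-step scheme in the post (request on port 80, dispatch by domain to a per-domain Apache on a high port, relay the answer) is small enough to show as a userland proxy. The Python below is an added example, not the poster's code or anything from the FreeBSD project: the vhost table is constructed, and the function names are assumptions. It also makes one substitution plain: a userland proxy cannot leave the source IP untouched as the post asks (the backend sees the proxy's own address), so the conventional substitute is an X-Forwarded-For header that Apache can log, with any client-supplied X-Forwarded-For stripped so the log cannot be spoofed. The Host header is attacker-controlled, so it is normalised and unknown domains are refused rather than guessed.

```python
"""Host-header dispatch proxy: one Apache instance per domain on its own port.
Added example, not the mailing-list poster's code.  VHOST_PORTS is constructed."""
import socket
import threading

# Constructed mapping: domain -> port of the Apache instance running as that domain's UID.
VHOST_PORTS = {
    "example.com": 2000,
    "www.example.com": 2000,
    "example.org": 2001,
}
BACKEND_HOST = "127.0.0.1"   # per-domain Apaches listen on loopback only
MAX_HEAD = 8192              # cap on request-head size before we give up


def parse_request_head(head: bytes):
    """Return (request_line, headers) with lower-cased header names, or None if malformed."""
    try:
        text = head.decode("iso-8859-1")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    if len(lines[0].split(" ")) != 3:        # expect "METHOD target HTTP/x.y"
        return None
    headers = {}
    for line in lines[1:]:
        if not line:                          # blank line ends the head
            break
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def select_backend_port(headers, table=VHOST_PORTS):
    """Map the untrusted Host header to a backend port; None for unknown hosts."""
    host = headers.get("host", "").split(":", 1)[0].strip().lower().rstrip(".")
    return table.get(host)


def add_forwarded_for(head: bytes, client_ip: str) -> bytes:
    """Replace any client-sent X-Forwarded-For with the address we actually saw."""
    request_line, _, rest = head.partition(b"\r\n")
    header_part, _, body = rest.partition(b"\r\n\r\n")
    kept = [h for h in header_part.split(b"\r\n")
            if h and not h.lower().startswith(b"x-forwarded-for:")]
    kept.append(b"X-Forwarded-For: " + client_ip.encode("ascii"))
    return request_line + b"\r\n" + b"\r\n".join(kept) + b"\r\n\r\n" + body


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then signal the other side."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(conn: socket.socket, addr) -> None:
    """Steps 1-4 of the post for one connection."""
    with conn:
        head = b""
        while b"\r\n\r\n" not in head and len(head) < MAX_HEAD:
            chunk = conn.recv(4096)
            if not chunk:
                return
            head += chunk
        parsed = parse_request_head(head)
        port = select_backend_port(parsed[1]) if parsed else None
        if port is None:
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
            return
        with socket.create_connection((BACKEND_HOST, port)) as backend:
            backend.sendall(add_forwarded_for(head, addr[0]))
            t = threading.Thread(target=_pump, args=(backend, conn), daemon=True)
            t.start()
            _pump(conn, backend)
            t.join()


def serve(listen_port: int = 80) -> None:
    """Accept loop; each connection is handled on its own thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(128)
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_client, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Running `serve()` on port 80 needs root (or a FreeBSD reserved-port exemption), which is exactly the process that should then hold no other privilege; the per-domain Apaches bind loopback high ports under their own UIDs. Because the head is buffered before the backend is chosen, the `MAX_HEAD` cap keeps a client from holding memory open with an endless header stream.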