Date:      Sun, 4 Aug 2002 16:15:21 +0200
From:      Gabriel Ambuehl <gaml@buz.ch>
To:        isp@freebsd.org
Subject:   Wanted: transparent HTTP proxy, capable of mapping domains to ports (or the evergoing quest for suid execution of PHP scripts)
Message-ID:  <193190142171.20020804161521@buz.ch>

Hello,
in the ever going quest to get secure CGI/PHP (that basically means
that PHP and CGI all have to run under the UID of the domain, which
is hard to achieve for PHP without PHP as a standalone
interpreter (slooow) as long as Apache MPM perchild doesn't (yet, hopefully)
work on FreeBSD) we finally came up with something that would basically
emulate the functionality of perchild. Basically, the idea is to run
a distinct Apache instance for every domain on some arbitrary port
(say 2000+) and then have a transparent proxy on port 80 redirect
the requests to the correct port. I.e. something like:

1) Outside Request arrives on port 80
2) Proxy parses URL and redirects the request to the correct port
3) Apache processes the data and sends it back to the proxy
4) Proxy sends back data to the client

Now the Apache part is doable rather simply, actually. The trouble
starts with the proxy which ideally should be pretty lightweight (and
preferably NOT caching) (Apache mod_proxy seems like it could do the
job but Apache isn't the fastest thing for such stuff) AND it needs to
leave the source IP alone (so Apache can still log the data).

I'm not even sure whether a userland proxy can achieve this (I
remember going through a lot of trouble to get stunnel, which
supposedly supports transparent proxying, running with our POP3
daemons) or whether this would need to be implemented by means of
a kernel module (probably a hack to ipnat could do it).


I'd like to hear any comments on this as well as on other approaches
to get PHP scripts running under the owner's uid.


TIA & regards,
Gabriel
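
Step 2 of the scheme above (choosing the per-domain Apache instance from the request), sketched in Python as an added example that is not part of the original message. The `BACKENDS` table, the domain names and the function name `backend_port` are assumptions; it covers only the routing decision, not forwarding or source-IP preservation.

```python
# Constructed sample mapping: one Apache instance (one UID) per domain.
BACKENDS = {"example.org": 2000, "example.net": 2001}

def backend_port(raw_head: bytes, backends=BACKENDS):
    """Return the backend port for a raw HTTP request head, or None to reject.

    A request routed to the wrong instance runs under another domain's UID,
    so anything ambiguous is rejected instead of guessed.
    """
    try:
        lines = raw_head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3:                      # method, target, version
        return None
    target = parts[1]

    hosts = []
    for line in lines[1:]:
        if line == "":                       # end of the header block
            break
        if line[0] in " \t":                 # folded header line: ambiguous
            return None
        name, sep, value = line.partition(":")
        if not sep or name != name.strip():  # malformed field name
            return None
        if name.lower() == "host":
            hosts.append(value.strip())
    if len(hosts) != 1:                      # missing or duplicated Host
        return None

    # An absolute-form request target takes precedence over the Host header.
    if target.lower().startswith("http://"):
        host = target[len("http://"):].split("/", 1)[0]
    else:
        host = hosts[0]

    # Normalise: drop an optional port, case and a trailing dot.
    name = host.partition(":")[0].lower().rstrip(".")
    # Unknown domains get no default backend.
    return backends.get(name)
```

A `None` result is meant to become a 400 response at the proxy; falling back to a default instance would defeat the per-domain UID separation.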

