[log in to unmask] on 17/03/2000 07:58:51 PM

>we're taking our first baby steps for placing apache into
>production and i've got some questions....  how are other
>sites allowing various application groups to tie into
>apache?  that is, on my crash-n-burn system, i've been
>modifying the ../htdocs/index.html file to hook in different
>things.  that's fine for just me, but not in production.
>are you doing something like
>http://your.system/~MGR.<account>/?  that's quite doable but
>it seems a bit unsophisticated to me.  of course, i
>certainly don't want folks literally placing files in the
>apache account -- so what's the trick here?  links, i should
>think, but...?             - d

We put our own conf directory in our application account, with the
document root, etc, set to the application account.

We altered the security for the APACHE account to allow read and
execute outside of the account.

We run the httpd from a job logged on to the application account.

Benefits:

  We get the UDCs and especially file equations for the application
  account.

  We run httpd as a particular user in the application account, so
  normal security applies within the account.

  CGI scripts run as that user.

  No additional ACDs are necessary.

We also run a duplicate copy of the httpd, on a different port, using
another copy of the conf files, in a test account, separate from the
production application account.  The only difference is about 10 lines
in the conf files.

This allows access to both the production and test environments (on a
single box) by using different ports.

The shear number of ACDs necessary in a system with thousands of files
to allow server.apache to access the necessary files, along with
needing file equations (note, they apply to ALL CGI processes, none are
process local) made it easier to run the httpd as an application
account user.

Rick Gilligan
Senior Software Specialist
Computer And Software Enterprises, Inc.
E-mail: [log in to unmask]