Apache & Nginx. Tied by one chain (part 2)

Last week, in the first part of this article, we described how the Apache and Nginx bundle at Timeweb is built. We are very grateful to our readers for their questions and active discussion! Today we will explain how several PHP versions are made available on one server and why we can guarantee the security of our clients' data.





Virtual hosting (shared hosting) means that a single server hosts many client accounts. One client's account, as a rule, contains several sites. Websites run both on ready-made CMSs (for example, Bitrix) and on custom ones. The technical requirements therefore differ from system to system, so several PHP versions have to be managed on one server.



We use Nginx as the main web server: it accepts all connections from the outside and serves static content. We proxy the rest of the requests further to the Apache web server. This is where the magic begins: for each PHP version, a separate Apache instance is started, listening on a specific port. This port is registered in the virtual host of the client site.



You can read more about how the Shared scheme works in the first part of the article.





Shared schema



It is important to note that we install separate PHP packages for the different versions, because distributions usually ship only one PHP version.



Safety first!



One of the main tasks of shared hosting is to ensure the security of customer data. Different accounts on the same server are isolated and independent of one another. How does it work?



Site files are stored in the users' own home directories, and the necessary paths are specified in the virtual hosts of the web servers. It is important that the web servers, Nginx and Apache, can access the files of the specific client, since a web server is started as only one user.



Nginx uses a security patch developed by the Timeweb team: this patch changes the user to the one specified in the web server config file.



Other hosting providers may solve this problem differently, for example by using extended file system permissions (ACLs).



Apache uses the mpm-itk multiprocessing module. It allows each VirtualHost to run with its own user ID and group ID.
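A check for the per-VirtualHost isolation described above, as an added example (not Timeweb's code): it parses an Apache config and flags virtual hosts that lack mpm-itk's `AssignUserID`, name root, or serve a DocumentRoot outside the assigned user's home. The `/home/<user>/` layout, the port, and all site and user names are assumptions constructed for illustration.

```python
import posixpath
import re

# Constructed sample: one Apache instance (one PHP version) on an assumed port,
# serving three client sites. Names, paths and the port are made up.
SAMPLE_CONF = """
Listen 127.0.0.1:8074
<VirtualHost 127.0.0.1:8074>
    ServerName shop.example
    DocumentRoot /home/alice/shop/public_html
    AssignUserID alice alice
</VirtualHost>
<VirtualHost 127.0.0.1:8074>
    ServerName blog.example
    DocumentRoot /home/bob/blog/public_html
</VirtualHost>
<VirtualHost 127.0.0.1:8074>
    ServerName wiki.example
    DocumentRoot /home/carol/wiki/public_html
    AssignUserID alice alice
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+[^>]+>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the arguments of the first `name` directive in a vhost body."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", body, re.M | re.I)
    return m.group(1).split() if m else None

def audit(conf, home_root="/home"):
    """Return (ServerName, finding) pairs for vhosts that break isolation."""
    findings = []
    for body in VHOST_RE.findall(conf):
        name = (directive(body, "ServerName") or ["<unnamed>"])[0]
        root = (directive(body, "DocumentRoot") or [""])[0].strip('"')
        root = posixpath.normpath(root)  # collapse ../ before comparing
        ids = directive(body, "AssignUserID")  # mpm-itk: AssignUserID user group
        if ids is None:
            findings.append((name, "no AssignUserID, runs as the instance-wide user"))
        elif len(ids) != 2 or "root" in ids:
            findings.append((name, f"bad AssignUserID {' '.join(ids)}"))
        elif not root.startswith(f"{home_root}/{ids[0]}/"):
            findings.append((name, f"DocumentRoot {root} is outside {home_root}/{ids[0]}/"))
    return findings

if __name__ == "__main__":
    for site, problem in audit(SAMPLE_CONF):
        print(f"{site}: {problem}")
```

On the sample, `blog.example` is flagged for the missing directive and `wiki.example` because it would run as `alice` while serving files from another client's home.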



Thus, thanks to the operations described above, we get a secure isolated environment for each client. At the same time, we also solve the problems of scaling for Shared hosting.



You can read how the Apache and Nginx bundle is implemented in the first part of our article. An alternative configuration using the Dedicated scheme is also described there.



If you have any questions for our experts, write in the comments. We will try to answer everything or describe the solution to the problem in more detail in the following articles.


