[Mono-list] mod_mono in a shared hosting envionment

'David Darville' ml at darville.vm.bytemark.co.uk
Mon Nov 28 05:59:34 EST 2005


On Wed, Nov 23, 2005 at 12:32:16PM -0800, Jesse Pasichnyk wrote:
> Hi David,
> 
> There have been several posts about this sort of thing in the past (from me
> and others), and I think the consensus is its probably better to run
> standalone xsp servers per site.  That way you can chroot the xsp (optional
> of course) as well as run it as the user who owns the site.  This would
> limit the problem of bad users or exploited sites doing too much damage.  I
> believe people also argue against mod_mono because that would tie the GC
> instance to the apache server in some sorts (I'm not aware of how that works
> though, someone else may be able to provide more reasoning behind it).  If
> you do choose to run separate xsp instances you could use mod_proxy to setup
> forward and reverse proxies to the xsp instance.  This could be initially
> just setup running xsp instances on ports of 127.0.0.1, but could be in the
> future scaled out to multiple application servers.

Currently I am working on a proxy to put between mod_mono and
mod-mono-server.exe, which executes the mod-mono-server.exe instances for
each customer, using seperate uid's for each domain, which does limit how much
one customer can access the files all other customers, but we still have
alot of customers who does not set proper permissions on their files, and
therefore there are still plenty of files beloging to other files which are
accessible.
And to eliminate that problem we need to be able to limit which files a
mono/mod-mono-server.exe instance can access, before we can implement it in
our production environment. And therefore I am now asking about the
possibility of souch a functionality getting implementes in
mono/mod-mono-server.exe.

---

David Darville


More information about the Mono-list mailing list