Creating new Apache config file from PHP

Question

my fellow programmers

I do have a question about Apache2 and PHP. Well, right now I'm trying to make a script that will create new "virtual hosts" from the PHP script, without using sudo command inside PHP.

The solutions with echo passwd | /usr/bin/sudo -S command echo passwd | /usr/bin/sudo -S command are not really secure, and I won't use something like that. Also, I've found the solution with a www-data ALL=(ALL) NOPASSWD: is as well not a solution.

Can someone please shed some light, which is the best solution for that, and what are the best protection measures? In case I need to use a sudo inside a PHP.

Of course, that script will have some part a making a new directory, cp-ing new site files inside a dir, etc...

Answer 1

This sounds like a incredible bad plan security wise. You have to edit apache config files and then reload or restart the apache2 server.

You could do it by editing the sudoers file to give the www-data user the right to reload apache and add a vhost configuration to apache that the www-data user has writing rights on.

Second option is to fake vhosts via php:

<?php
switch ($_SERVER['SERVER_NAME']) {
  case "site1.example.com" :
     require_once 'some_config_for_site_1.php';
     // load scripts from site1 folder.
     break;
  case "site2.example.com" :
     require_once 'some_config_for_site_2.php';
     // load scripts from site1 folder.
     break;
  default:
     http_response_code(404);
     break;
}


  

Answer 2

Ok, this is a really bad plan for this, but somehow this is the best solution for this.

To do this in a proper way, I'll use the bash script, and I'll call that script from PHP.

    $output = shell_exec("sudo /path/to/script/script.sh $SiteName $Domain");

script.sh

    #! /bin/bash

    #First parameter given by calling the script
    sitename=$1

    #Second parameter given by calling the script
    domain=$2
   
    #Directorium where are stored files of the web app
    dirlocation="/var/www/$sitename"
    
    #Creating a new directorium
    mkdir $dirlocation

    #Copying the defoult files of app to the just created dir
    cp -R /var/www/someapp/* $dirlocation
    
    #Creating the new configurationg file for Apache and VHost
    vhost_script="/etc/apache2/sites-available/$sitename.conf"
    cat > "${vhost_script}" << EOF
    <VirtualHost *:80>
        ServerName $domain
        DocumentRoot $dirlocation

        <Directory $dirlocation>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
    </VirtualHost>
    EOF

    #Enabling the site in Apache
    a2ensite $sitename.conf
   
    #Reloading the Apache
    systemctl reload apache2.service

Also in order to do this from a PHP, I need to give www-data permission for running only that script with sudo. To do so open the sudoers file ( sudo visudo /etc/sudoers ) and add the following line

www-data ALL=(root) NOPASSWD: /path/to/script/script.sh

I know this is maybe not the best solution, but this is what I've found for this purpose.

Disclaimer: This is only a showcase of how to do this, also the bash script here is a really simple one.