Question: apache and ftp config best practise?

Posted by Wayne on Fri 30 Sep 2005 at 12:05


I'm planning on removing the Windows based webservers. We host multiple sites for various customers. My question is what is the best way to set this up on Debian Sarge with Apache and FTP?

Do I keep the sites in /var/www/domain_name or do I put the sites within the ftp users directory?

Where do I put the FTP users directory, do I keep them in /home/customer/ or do I map the home directory to /var/www/domain_name?

I've set up Apache before on a personal basis so I did not need any FTP access. I'm just after some advice on "best practices" for setting up virtual hosts with FTP access within Debian.

many thanks in advance




Posted by Anonymous (213.164.xx.xx) on Fri 30 Sep 2005 at 12:37
Use vsftpd if you like your security.

Set up the websites in the format

Why username and not website? If you have several domain names pointing to the same web space, a username would be less confusing.

[ Parent | Reply to this comment ]

Posted by Anonymous (150.101.xx.xx) on Fri 30 Sep 2005 at 23:50
That's a fair enough comment, but then every time you get a new domain to host you have to edit your Apache config again.

I set mine up like "VirtualDocumentRoot /home/htdocs/%0/htdocs" which means if the domain points to my server, and the directories exist, it's going to work.

[ Parent | Reply to this comment ]

Posted by Anonymous (213.164.xx.xx) on Sat 1 Oct 2005 at 10:45
But that's exactly the problem the /var/www/username approach is trying to solve - avoiding a separate directory for every new domain that points to the same website.

Are you using symlinks?

[ Parent | Reply to this comment ]

Posted by Anonymous (150.101.xx.xx) on Sun 2 Oct 2005 at 00:03
Yeah I do use symlinks for situations where is the same as

I reckon having to make a new entry into the Apache config and reloading is worse than needing a few extra directories per client which can be scripted.

Another way to do it would be to break up the requested domain even further. If I remember correctly (and I warn you I'm vague on this as I did it years ago) this can be done in Apache.
By doing something along these lines you could effectively point * to a specific directory, probably possible to take it even further.

Maybe someone can help with the config to do this, been too long since I configured Apache like this to remember. Here is the Apache howto for 1.3.x

[ Parent | Reply to this comment ]

Posted by Petyuska (62.201.xx.xx) on Fri 30 Sep 2005 at 13:35

I use Apache for the HTTP server, and I use the pure-ftpd-common package with the pure-ftpd-mysql package. In the MySQL DB you can create users without a real system user.

I use the /var/www/ structure, but the /var/www/user structure is the best way, because I have users who have 2 sites.

i chroot the users...


[ Parent | Reply to this comment ]

Posted by Anonymous (63.20.xx.xx) on Sun 6 Jul 2008 at 05:45
Why not do both with symlinks?

using directory layout of /var/www/

VirtualDocumentRoot /var/www/%0

make a symlink to /home/user/

and ftp chroot user to /home/user

this also makes it easy to disable a site without having to actually touch its contents by rm'ing the symlink.

[ Parent | Reply to this comment ]
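The symlink layout from the comment above, as an added example that is not part of the original thread: `/var/www/<domain>` is a symlink to the customer's FTP chroot, and a site is taken offline by removing the link. The function names and the temporary directories standing in for `/var/www` and `/home` are assumptions. Because `%0` in `VirtualDocumentRoot` is filled from the requested host name, only plain DNS names are accepted as link names.

```python
import os
import re
import tempfile

# What %0 may legitimately expand to: a lowercase DNS name, so no "/" and no "..".
HOST = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+")

def _link_path(www_root, domain):
    if not HOST.fullmatch(domain):
        raise ValueError("not a plain host name: %r" % domain)
    return os.path.join(www_root, domain)

def enable_site(www_root, home_root, user, domain):
    """Create www_root/<domain> -> home_root/<user>; never replaces an existing entry."""
    link = _link_path(www_root, domain)
    target = os.path.join(home_root, user)
    if not re.fullmatch(r"[a-z][a-z0-9_-]{0,31}", user) or not os.path.isdir(target):
        raise ValueError("no such customer directory: %r" % user)
    os.symlink(target, link)  # raises FileExistsError if the name is already taken
    return link

def disable_site(www_root, domain):
    """Take a site offline by removing only its symlink; the content is not touched."""
    link = _link_path(www_root, domain)
    if not os.path.islink(link):
        raise ValueError("not a symlink, refusing to delete: %r" % link)
    os.unlink(link)

def demo():
    """Constructed layout in a temp dir standing in for /var/www and /home."""
    with tempfile.TemporaryDirectory() as root:
        www, home = os.path.join(root, "www"), os.path.join(root, "home")
        os.makedirs(www)
        os.makedirs(os.path.join(home, "alice"))
        page = os.path.join(home, "alice", "index.html")
        with open(page, "w") as f:
            f.write("hello")
        enable_site(www, home, "alice", "example.org")
        enable_site(www, home, "alice", "www.example.org")  # second name, same content
        served = os.path.isfile(os.path.join(www, "www.example.org", "index.html"))
        disable_site(www, "example.org")
        offline = not os.path.lexists(os.path.join(www, "example.org"))
        try:
            enable_site(www, home, "alice", "../home")
            rejected = False
        except ValueError:
            rejected = True
        return served, offline, os.path.isfile(page), rejected
```

`demo()` returns whether the aliased name served the page, whether the disabled name is gone, whether the customer's file survived, and whether a traversal-style name was refused.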

Posted by matej (158.193.xx.xx) on Fri 30 Sep 2005 at 16:50
it depends on many factors. most important factor is number of users & virtual hosts you are going to host, as well as other small questions - from "what about mail hosting" to "one ftp user = one site, or unlimited, or.." and similar.

"by hand" is most flexible configuration system I ever used. by flexibility I mean that you can configure every account to your wish, enable/disable services, add vhosts to one account, setup quotas or aliases any way you want. you can put home dirs wherever you wish, docroots as well, use symlinks or don't. there're so many options, each with its own set of pros and cons that I cannot enumerate them.

however, this system is hard to manage once number of users reaches 50 or 100 (if you write handful of scripts you can make it even over these numbers, sure).

(very) small providers, say <5k users, should either pretty fine tune their scripts inhouse, or try to find some isp-support software. there are some on,, ... (well, sf has 9 projects in alpha planning state to 1 usable, I know). if you decide to go with some similar product, follow its rules. you'll save troubles later. larger providers cannot live without such a system.

[ Parent | Reply to this comment ]

Posted by Wayne (82.144.xx.xx) on Fri 30 Sep 2005 at 17:04
Hi Guys,

Thanks for the comments so far.

We have at least 1000 websites at the moment and intend to grow. All the mail is done already on separate servers (Debian and Surgemail), so I'm just looking at web/FTP hosting at the moment.


[ Parent | Reply to this comment ]

Posted by bsod (82.66.xx.xx) on Fri 30 Sep 2005 at 18:23
With this number of websites, you want to take a look at :

(You can probably do the same thing with Apache 2).

The idea is that the filesystem is used to find websites, not the conf file. You avoid editing the conf files every time you add/change/delete a site (and you avoid restarting Apache).

For multiple addresses pointing to the same website, you can use symlinks.

With a proper configuration, you could consider this kind of setup :


which allows you to set up the FTP root to /whatever/sites/customer1-domain/ for customer1 ...

Have fun ;)

[ Parent | Reply to this comment ]

Posted by bsod (82.66.xx.xx) on Fri 30 Sep 2005 at 18:25
Oh, and whatever FTP server you use, it will find credentials in a database (via LDAP or directly).

You don't want to handle 1,000 accounts in a flat file or (worse) in system accounts.

[ Parent | Reply to this comment ]

Posted by matej (158.193.xx.xx) on Sat 1 Oct 2005 at 11:13
Look at and read it. then pick a few ftp servers, such as vsftpd or proftpd already suggested, and read their docs, make your choice. this is enough to understand and pick the best layout for docroots and homedirs.

then, you'd look carefully at libnss-mysql-bg and libpam-mysql, install them on some test machine and experiment with setup. I don't recommend ldap, I used open-ldap in several similar projects (~500k users) and it was not enough stable & flexible for us. for 1k users, mysql is far the best even on white boxes. however, I guess you'd have to make your mail servers compatible with this auth scheme (or vice versa).

[ Parent | Reply to this comment ]

Posted by simonw (84.45.xx.xx) on Mon 3 Oct 2005 at 18:43
"We have at least 1000 websites at the moment"

I don't have the definitive answer....

We have a smaller number of sites on Apache at work, our main problem is that the previous admins got too clever, so it is likely we'll simply go back to one directory per site, although probably using Postgres as a database backend for passwords, and authentication data.

We will probably pull the website set up details from the database and create one virtual host file per end customer.

However I think there is a lot to be said for writing your own script that adds 1000 sites with unique UID, and GID, and sticks the website in ~/public_html, using /etc/passwd and /etc/group, and drops the website config in /etc/apache2/sites-available. I think sticking the log files in client home directory, and munging logrotate to do the right thing.

Yes this is grossly simple and inefficient, it is slow to start etc etc.

It isn't as elegant as the solutions with the different vhosts systems, but it is manageable, you can customise sites on a per customer basis, and when you screw up you'll know how to fix it (unlike mod_rewrite).

Just don't be tempted to utilise the flexibility such a scheme offers too much to create an unmanageably complex solution, and where possible keep to regenerating the apache configs for each site from a database with a nice script.

I think the inability of Apache to pull config data directly from databases is a significant limitation, and I suspect the failure of so many good people to create a suitable vhost system means that Apache configuration doesn't live nicely in a simple database. Although I don't see immediately why it should be that much harder than any other software to do this well in Apache.

Of course if all your sites are trivially simple static pages, or all identical in requirements, then you probably can use vhosts, or mod_rewrite, or one of the other magic tools, but then you probably wouldn't have needed to ask.

vsftp is nice. We used proftpd when we needed more flexibility, it looks like Apache but will pull authentication and quota data from a relational database (mod_sql etc).

FTP should die, unencrypted password etc etc. I'm wondering if offering Webdav is any better, but I've heard bad things about the Windows XP client. And then there would be the users to educate....

[ Parent | Reply to this comment ]
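One way to do the "regenerate the Apache configs for each site from a database" step described in the comment above, as an added example that is not part of the original thread. The `sites` table, its columns, the `<user>.conf` file naming and the use of `sqlite3` in place of the poster's database are assumptions. Account and domain values are validated before they reach a file name or a directive, so a bad row is skipped instead of injecting configuration.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# fullmatch() is used below because "$" would also accept a trailing newline.
HOST = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+")
USER = re.compile(r"[a-z][a-z0-9_-]{0,31}")

VHOST = """<VirtualHost *:80>
    ServerName {name}
{aliases}    DocumentRoot /home/{user}/public_html
</VirtualHost>
"""

def render_vhost(user, names):
    """Return the vhost text, refusing values that could inject directives or leave /home."""
    if not USER.fullmatch(user) or not all(HOST.fullmatch(n) for n in names):
        raise ValueError("unsafe account or domain for %r" % user)
    aliases = "".join("    ServerAlias %s\n" % n for n in names[1:])
    return VHOST.format(name=names[0], aliases=aliases, user=user)

def regenerate(db, outdir):
    """Write one <user>.conf per customer; return (files written, accounts skipped)."""
    written, skipped = [], []
    users = [r[0] for r in db.execute("SELECT DISTINCT username FROM sites ORDER BY username")]
    for user in users:
        names = [r[0] for r in db.execute(
            "SELECT domain FROM sites WHERE username = ? ORDER BY is_primary DESC, domain", (user,))]
        try:
            text = render_vhost(user, names)
        except ValueError:
            skipped.append(user)  # bad row: leave any existing file for this account untouched
            continue
        tmp = Path(outdir, "." + user + ".tmp")
        tmp.write_text(text)
        tmp.replace(Path(outdir, user + ".conf"))  # atomic swap, Apache never sees a half file
        written.append(user + ".conf")
    return written, skipped

def demo():
    """Constructed data: sqlite3 stands in for the real database, a temp dir for sites-available."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sites (username TEXT, domain TEXT, is_primary INTEGER)")
    db.executemany("INSERT INTO sites VALUES (?, ?, ?)", [
        ("alice", "example.org", 1), ("alice", "www.example.org", 0),
        ("bob", "example.net\n    DocumentRoot /", 1)])
    with tempfile.TemporaryDirectory() as out:
        written, skipped = regenerate(db, out)
        return written, skipped, Path(out, "alice.conf").read_text()
```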

Posted by Anonymous (85.124.xx.xx) on Mon 3 Oct 2005 at 22:26
how about placing it below /srv/? [1]

[ Parent | Reply to this comment ]

Posted by w1d3 (147.32.xx.xx) on Sun 16 Oct 2005 at 01:39
there is one issue (at least) - suEXEC docroot is set to /var/www in debian apache and apache2 packages.. so if you want to use suEXEC outside this directory you have to recompile apache - which is in most cases only a useless complication

[ Parent | Reply to this comment ]

Posted by Anonymous (84.119.xx.xx) on Fri 7 Oct 2005 at 20:22

If you want some easy configuration you can use webmin with the module virtualmin.


[ Parent | Reply to this comment ]

Posted by Anonymous (72.136.xx.xx) on Wed 1 Feb 2006 at 22:13
thanks for telling me something i already know.

"if you want to live, breathe every 10 seconds"

more obvious sh*t you'd like to point out?

[ Parent | Reply to this comment ]

Posted by Anonymous (60.225.xx.xx) on Tue 16 May 2006 at 00:09
Oh come on just because someone isn't helpful it doesn't mean that you have the right to bash them you 1337 h4z0r!

Back to the topic... I too find LDAP isn't up to the hype (well at least for openldap).

[ Parent | Reply to this comment ]

Posted by Anonymous (213.190.xx.xx) on Mon 29 Oct 2007 at 11:56
Try using netscape based LDAP engines, not openldap!

Perhaps give red hat directory server a shot (I hate red hat and the like, but I actually keep a server running red hat and the red hat directory server, and it seems steady to me)

[ Parent | Reply to this comment ]
