Setting up my storage VPS. Am I re-inventing the wheel?
Instead of re-inventing the wheel, what’s the best way to set up a very basic storage VPS for 2-3 users? I want some files to be accessible over HTTP (public and private folder) while others only over SFTP. I was thinking of setting up a simple nginx installation with openssh, which should look like this:
/var/www/public where every user is allowed to upload public files
/var/www/private/user1 where a user can store his private files, password protected
/home/user1 for files that will be accessible through SFTP only.
Obviously, other users aren’t able to access each other’s files, except for public files… and that’s where I’m currently stuck.
@ElliotJ helped me out on IRC but I’m afraid I did something wrong because it’s not working like it should. ElliotJ advised me to make a symlink from /var/www/private/john to /home/john/www, so that John can only access his own or public files. But still, John can access files from everyone.
John is not root, he’s a normal user and only owns (chowns) folders /home/john/www (/var/www/private/john), /var/www/public and /home/john.
Am I making it harder than it is or is this the way to go?
Thanks.
Comments
What do you mean 'access'?
Being able to see that they exist != Access. Clarify more on that first.
I would set up a control panel and give everyone an account. You can specify quotas including traffic and bw.
It will be easier and more error-proof.
EHCP looks cool for debian and clones, have a short tutorial on how to install in the prometeus board.
you can install virtualmin to do that, with all modules, httpd, ftp, ssh, etc
or just install a pureftpd server to grant FTP access, you can specify where is the DIR of each user.
Maybe implementing this in some manner might help you:
https://github.com/Self-Evident/OneFileCMS
Suggesting a control panel on LET? Where have we gone!
You only need a few low traffic accounts? How big is the VPS?
I'd probably just run 3 separate nginx servers if what you're trying doesn't work out easily.
You could use samba. It's pretty straightforward to split the shares the way you want it here.
Well, he does need http.
A control panel will give users ftp and http, scp might be offered too.
It can be done many ways, I was thinking easy and graphical is the best.
He wouldn't ask if he was a Linux guru, I think.
I'd take a more traditional approach to a multi-user setup. Use useradd & passwd to create users with home directories, e.g.
/home/user1
/home/user2
Ensure that user homes are not world-readable. Ownership would be (for example) user1:user1 and permissions 751.
Then create their public_html root directories, and configure their webspace (subdomains or domains):
/home/user1/public_html
/home/user2/public_html
These public_html directories would be owned (for example) user1:user1 and permissions 755.
"Private" html could be:
/home/user1/private_html
/home/user2/private_html
These private_html directories would be owned (for example) user1:www-data and permissions 750.
If you're using nginx, you'd have to pre-configure web authentication in each virtual host. The username/password could be stored at (for example) /home/user1/.htpasswd, owned by user1, so he/she could modify it (point your users to something like http://www.htaccesstools.com/htpasswd-generator/).
For a "shared" directory:
If this shared directory is to be web-browseable, create another virtual host (subdomain...) and point its root to /home/shared. And in this virtual host, you may want to disable scripts, e.g. php, pl, cgi, etc.
You can then enable user quotas....
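The virtual hosts described above, as an added example that is not part of the original post: a small generator that emits one password-protected nginx host per user plus the shared host with scripts blocked. The subdomain scheme, `example.net`, the function names and the TLS certificate paths are assumptions or placeholders.

```shell
#!/bin/sh
# Emit nginx virtual hosts for the /home/<user>/private_html layout.
# Added example: certificate paths are placeholders, DOMAIN is operator-supplied.

valid_name() {  # accept only plain account names, nothing that alters a path or the config
    case $1 in ''|*[!a-z0-9_-]*) return 1 ;; esac
}

private_vhost() {  # usage: private_vhost USER DOMAIN
    valid_name "$1" || { echo "invalid user name: $1" >&2; return 1; }
    cat <<EOF
server {
    listen 443 ssl;  # Basic auth is only base64-encoded, so require TLS
    server_name $1.$2;
    ssl_certificate     /etc/nginx/tls/$2.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/$2.key;  # placeholder
    root /home/$1/private_html;

    auth_basic "Private files of $1";
    auth_basic_user_file /home/$1/.htpasswd;

    disable_symlinks if_not_owner;    # ignore links to other users' files
    location ~ /\. { deny all; }      # never serve .htpasswd or other dotfiles
}
EOF
}

shared_vhost() {  # usage: shared_vhost DOMAIN
    cat <<EOF
server {
    listen 80;
    server_name shared.$1;
    root /home/shared;
    autoindex on;                     # web-browseable shared directory
    disable_symlinks on;
    # Uploaded scripts are refused rather than served or executed.
    location ~* \.(php|pl|cgi)\$ { return 403; }
}
EOF
}

for u in user1 user2; do private_vhost "$u" example.net; done
shared_vhost example.net
```

The nginx worker must be able to read each `.htpasswd`, for example by giving the file group www-data and mode 640 while the user stays its owner.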
heads up for @sleddog's suggestion
Thanks for all the suggestions!
Being able to see that they exist != Access. Clarify more on that first.
Sorry about that. I meant that I also do not want them to be able to see each other private files.
It will be easier and more error-proof.
EHCP looks cool for debian and clones, have a short tutorial on how to install in the prometeus board.
Thanks for the suggestion. I looked into it but I think it's a bit overkill for what I'm trying to accomplish here. I see you can also setup mail accounts, databases etc with EHCP, which I won't be doing. Just simple file storage and serving
https://github.com/Self-Evident/OneFileCMS
Very neat script! Amazing how powerful php can be with just one file. It's not quite what I'm looking for in this situation, but it will surely come in handy in the future! Thanks for the suggestion!
I'd probably just run 3 separate nginx servers if what you're trying doesn't work out easily.
Yeah, just 2-3 accounts. 200GB of space. Purely for file storage and serving.
3 separate nginx servers, or do you mean 3 separate 'sites'/subdomains, like @sleddog describes?
Haha you're right about that
I'm just another Linux noob, grateful for all the help I'm getting over here!
Thanks, I like this one the most. Very basic without any eyecandy or other fuzz.
I started setting everything up as you described, but made a slight adjustment. Every user now has 3 dirs:
shared
public_html
private_html
Users do not need to have a separate public_html folder. If they want to share public files, they'll just have to upload it to the shared folder. So I deleted the public_html folder.
This confused me a little. Users won't get a separate domain or subdomain.
User's private_html folders should just be accessible (password protected) via domain.com/private/user.
The public/shared folder is accessible over domain.com/public
Do I still need to setup another virtual host to accomplish this, or should I edit the current default host file?
Thanks!
User's private_html folders should just be accessible (password protected) via domain.com/private/user.
The public/shared folder is accessible over domain.com/public
I would use subdomains for the private html as it provides better separation of accounts and simplifies the nginx configuration, but you can probably get either approach to work.
It was to mean that you'd create a virtual host for shared.example.net, for example, and make its root at /home/shared. With that, the shared files would live at http://shared.example.net.
chmod and chown everything and secure the private http folders
Thanks for the clarification!
I'm really close to what I want now.
I was able to chroot people to /home/%username, the problem is the public folder is in /home/www/public, so of course it doesn't have access to that folder.
So I chrooted everyone to /home, but if I want to browse to the public folder through filezilla, it complains it cannot find the directory, although it works through mc.
Error: Directory /john/public: no such file or directory
/john/public is a symlink to /home/www/public
A hard link was not possible. This error occurred after setting up chrooted directories like this (/etc/ssh/sshd_config):
Match User john
    ChrootDirectory /home
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
@Freek
did you use mount --bind?
And ChrootDirectory should be /home/%u (make sure to have OpenSSH 5.3, there have been some chroot bugs in the past)
No, but I just tried 'sudo mount --bind /home/www/public /home/john/public' but sadly made no difference.
Changed, makes users chroot into /home/username again.
@Freek said: Changed, makes users chroot into /home/username again.
But do make their home directories simply / or the chroot will try reaching /home/USERNAME/home/dir
I just re-read this three times but I don't understand what you mean?
I am still having issues, the best way to describe them is using an example:
I have these folders:
/home/freek/private_www
/home/freek/public_www
/home/freek
/home/john/private_www
/home/john/public_www
/home/john
How can I make the folder /home/john/private_www and /home/freek/private_www show up in my webserver in one folder? e.g. domain.com/private/ contains both /john and /freek.
Same goes for public.
I find it very hard to explain what I mean, so I hope you guys get it.
I tried solving it with symlinks, like so:
/home/freek/private_www --> Symlink to /home/www/private/freek
/home/freek/public_www --> Symlink to /home/www/public
/home/freek
/home/john/private_www --> Symlink to /home/www/private/john
/home/john/public_www --> Symlink to /home/www/public
/home/john
/home/www/private/john
/home/www/private/freek
/home/www/public
But that was a big no-no as filezilla went mental as soon as I clicked one of those symlinks.
Something simple like this shouldn't be so hard, should it? I already spent like 2 hours on it, ridiculous for something basic like this.
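Why the symlinks in this thread fail under ChrootDirectory, as an added example that is not part of the original posts: inside the chroot an absolute link target is looked up from the new root, and a relative one cannot climb above it. The function names and the sample tree are constructed for illustration; the check covers directory links and rebases only the link's own target.

```shell
#!/bin/sh
# Classify directory symlinks as a chrooted internal-sftp session sees them.

link_in_chroot() {  # usage: link_in_chroot CHROOT LINK -> prints ok|broken
    root=$(cd "$1" && pwd -P) || return 2
    target=$(readlink "$2") || return 2
    case $target in
        /*) seen=$root$target ;;               # absolute: starts at the chroot root
        *)  seen=$(dirname "$2")/$target ;;    # relative: starts at the link's directory
    esac
    # Resolve to a physical path; a missing directory means a dangling link.
    dir=$(cd "$seen" 2>/dev/null && pwd -P) || { echo broken; return 0; }
    # ".." cannot climb above the chroot, so a target outside it is unreachable.
    case $dir/ in
        "$root"/*) echo ok ;;
        *)         echo broken ;;
    esac
}

audit_chroot() {  # print "<status> <path inside chroot>" for each symlink
    find "$1" -type l | sort | while IFS= read -r l; do
        printf '%s %s\n' "$(link_in_chroot "$1" "$l")" "${l#"$1"}"
    done
}

make_sample() {  # constructed tree mirroring the thread's layout
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/john" "$t/home/www/public"
    ln -s /home/www/public "$t/home/john/public"      # absolute target, as posted
    ln -s ../www/public "$t/home/john/public_rel"     # relative variant
    echo "$t"
}

s=$(make_sample)
echo "ChrootDirectory /home:";    audit_chroot "$s/home"
echo "ChrootDirectory /home/%u:"; audit_chroot "$s/home/john"
rm -rf "$s"
```

A directory that physically exists below the chroot, such as the target of a bind mount, is not a symlink and so is never reported by this check.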