I have 20 domains on a VPS running cPanel. One public_html is filled with code, the remaining 19 are symbolic links to that one. (For example, assets is a directory within public_html ... for the 19 others, there's a symbolic link to that directory in each each accounts public_html dir.)
It's all PHP / MySQL database driven, with content changing depending on the domain. It works like a charm, assuming cPanel has suExec enabled correctly, and assuming apache.conf does NOT have SymLinksIfOwnerMatch enabled.
However, every few weeks, my apache.conf is mysteriously overwritten, re-enabling SymLinksIfOwnerMatch, and disabling all 19 linked sites for as long as it takes for me to notice. Here's the offending line in apache.conf:
<Directory "/">
AllowOverride All
Options ExecCGI FollowSymLinks IncludesNOEXEC Indexes SymLinksIfOwnerMatch
</Directory>
The addition of SymLinksIfOwnerMatch disables the sites in a strange way ... the html is generated correctly, but all css/js/image in the html fails to load. Clicking any link redirects to /. And I have no idea why. I do have a few things in my .htaccess, which work fine when SymLinksIfOwnerMatch is not present:
<IfModule mod_rewrite.c>
# www.example.com -> example.com
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
# Remove query strings from static resources
RewriteRule ^assets/js/(.*)_v(.*)\.js /assets/js/$1.js [L]
RewriteRule ^assets/css/(.*)_v(.*)\.css /assets/css/$1.css [L]
RewriteRule ^assets/sites/(.*)/(.*)_v(.*)\.css /assets/sites/$1/$2.css [L]
# Block access to hidden files and directories
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
# SLIR ... reroute images to image processor
RewriteCond %{REQUEST_URI} ^/images/.*$
RewriteRule ^.*$ - [L]
# ignore rules if URL is a file
RewriteCond %{REQUEST_FILENAME} !-f
# ignore rules if URL is not php
#RewriteCond %{REQUEST_URI} !\.php$
# catch-all for routing
RewriteRule . index.php [L]
</ifModule>
I also use most of the 5G Blacklist 2013 for protection against exploits and other depravities. Again, all of this works great, except when SymLinksIfOwnerMatch gets added back into apache.conf.
Since I've failed to find the cause of whatever cPanel/security update is overwriting apache.conf, I thought there might be a more correct way to accomplish my goal using group permissions.
I've created a 'www' group, added all accounts to the group, and chmod -R'd the code source to use that group. Everything is 644 or 755. But doesn't seem to be enough. My unix isn't that strong. Do you need to restart something for group changes to take effect? Probably not. Anyways, I'm entering unknown territory.
Can anyone recommend the right way to configure a website for multiple sites using one codebase that doesn't rely on apache.conf?
