LinuxQuestions.org
Old 07-18-2017, 02:58 PM   #1
sundialsvcs
Need a good way for a web server to request a privileged task on another machine


I have a "secure, non-public," web server that is used by internal users. Now, they want to be able to request reloading of Apache configurations on a pool of remote machines.

I'm casting about now for a secure way to do that, without having to create a demon expressly for this purpose. Can "systemd" be of assistance in some way? Or, is "xinit" still around, and able to launch a process when a particular port is touched?

The users need to be able to request the action but do not need to wait around while the work is done. Scheduled tasks are a possibility, as is using a database which in this case all machines-of-interest could be made to see.

I'm looking for something, ideally, "off the open-source shelf," that could be pressed into service relatively quickly.
 
Old 07-18-2017, 03:57 PM   #2
IsaacKuo
My first thought is to use ssh with passwordless key authentication to a user that is restricted by wrapper to just the command to restart apache. Thus, whenever this ssh user is "hit", it will run the command to restart apache (and no other).

This seems, to me, far more secure than just restarting apache whenever anyone knocks on a particular port. With ssh, an attacker would need to have already compromised the key to activate the apache restart.

So, each of the remote machines would be set up with this custom user, restricted to only be able to restart apache (via ssh). And it would use key based authentication. Perhaps for simplicity, the same key for all remote machines.

Something like apachebouncer, with /home/apachebouncer/.ssh/authorized_keys with something like:

Code:
command="systemctl restart apache2",no-port-forwarding,no-x11-forwarding,no-agent-forwarding KEY_TYPE KEY COMMENT

On the "mastermind" server, the script initiated by the internal users hits each of those machines in turn, with commands like:

Code:
ssh apachebouncer@remotemachine1
ssh apachebouncer@remotemachine2
ssh apachebouncer@remotemachine3
ssh apachebouncer@remotemachine4
ssh apachebouncer@remotemachine5
 
1 members found this post helpful.
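
Added example, not part of the post above: a sketch of the "wrapper" that the forced command could point to instead of the bare `systemctl` call. When a forced command is set, sshd passes whatever the client asked to run in `SSH_ORIGINAL_COMMAND`; the wrapper only compares that text against a fixed list and never executes it. The script name `apache-bouncer`, the `BOUNCER_RUN` variable and the sudoers rule that lets `apachebouncer` run these two commands without a password are assumptions.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper, assumed installed as apache-bouncer and
# named in ~apachebouncer/.ssh/authorized_keys:
#   command="/path/to/apache-bouncer",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty KEY_TYPE KEY COMMENT
# Client side: ssh -o BatchMode=yes apachebouncer@remotemachine1 reload

# Privileged runner (assumed sudoers rule); set BOUNCER_RUN=echo for a dry run.
BOUNCER_RUN=${BOUNCER_RUN:-sudo -n}

# Map the client's request onto a fixed action name.
# The client-supplied text is only compared, never run or passed to a shell.
bouncer_action() {
    case "$1" in
        ""|reload) echo reload ;;
        restart)   echo restart ;;
        *)         echo deny ;;
    esac
}

bouncer_main() {
    action=$(bouncer_action "${SSH_ORIGINAL_COMMAND:-}")
    if [ "$action" = deny ]; then
        echo "apache-bouncer: request refused" >&2
        return 1
    fi
    # Audit trail: which action was requested and from which client address.
    logger -t apache-bouncer "action=$action client=${SSH_CONNECTION%% *}" \
        2>/dev/null || true
    # Check the configuration first so a broken edit does not stop Apache.
    $BOUNCER_RUN apache2ctl configtest || return 2
    $BOUNCER_RUN systemctl "$action" apache2
}

# Run only when invoked under the installed name, so the functions can be
# sourced and exercised without touching Apache.
case "${0##*/}" in
    apache-bouncer) bouncer_main ;;
esac
```
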
Old 07-19-2017, 09:05 AM   #3
TenTenths
Take a look at Rundeck; you can create "jobs" based on a number of criteria, which you can permission on a user-by-user basis.

Jobs can have a number of steps that include steps that run on the "local" Rundeck server, or (more often!) run on the "target" machine.

You can also do things like find the target nodes by wildcard, or present a pick list menu of targets to run on etc.

Jobs are HIGHLY configurable, so there's a little bit of effort needed to learn the best way to define your jobs, but it's well worth it for any user-facing system.
 
Old 07-19-2017, 05:59 PM   #4
scasey
Also Webmin. You can set up users with specific privileges; the users log in and do what you've authorized them to do.
Also can give you, as the admin, a very useful web interface for just about any task.
 
  

