Old 07-18-2017, 03:58 PM   #1
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Need a good way for a web server to request a privileged task on another machine

I have a "secure, non-public," web server that is used by internal users. Now, they want to be able to request reloading of Apache configurations on a pool of remote machines.

I'm casting about now for a secure way to do that, without having to create a daemon expressly for this purpose. Can "systemd" be of assistance in some way? Or, is "xinit" still around, and able to launch a process when a particular port is touched?

The users need to be able to request the action but do not need to wait around while the work is done. Scheduled tasks are a possibility, as is using a database which in this case all machines-of-interest could be made to see.

I'm looking for something, ideally, "off the open-source shelf," that could be pressed into service relatively quickly.
Old 07-18-2017, 04:57 PM   #2
Senior Member
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian 9 Stretch
Posts: 2,349
Blog Entries: 8

My first thought is to use ssh with passwordless key authentication to a user that is restricted by wrapper to just the command to restart apache. Thus, whenever this ssh user is "hit", it will run the command to restart apache (and no other).

This seems, to me, far more secure than just restarting apache whenever anyone knocks on a particular port. With ssh, an attacker would need to have already compromised the key to activate the apache restart.

So, each of the remote machines would be set up with this custom user, restricted to only be able to restart apache (via ssh). And it would use key based authentication. Perhaps for simplicity, the same key for all remote machines.

Something like apachebouncer, with /home/apachebouncer/.ssh/authorized_keys with something like:

command="systemctl restart apache2",no-port-forwarding,no-x11-forwarding,no-agent-forwarding KEY_TYPE KEY COMMENT

On the "mastermind" server, the script initiated by the internal users hits each of those machines in turn, with commands like:

ssh apachebouncer@remotemachine1
ssh apachebouncer@remotemachine2
ssh apachebouncer@remotemachine3
ssh apachebouncer@remotemachine4
ssh apachebouncer@remotemachine5
1 members found this post helpful.
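
The forced-command setup described in the post above, written out as a wrapper script; this is an added example, not part of the original post. The script path, the sudoers rule, the `configtest` pre-check and the `RUNNER` dry-run variable are assumptions made for illustration.

```shell
#!/bin/sh
# Forced-command wrapper (added example). Assumed install path:
#   /usr/local/sbin/apache-bounce
# authorized_keys entry on each remote machine (OpenSSH 7.2+ "restrict"):
#   command="/usr/local/sbin/apache-bounce",restrict KEY_TYPE KEY COMMENT
# Assumed sudoers rule so the unprivileged account can act:
#   apachebouncer ALL=(root) NOPASSWD: /usr/sbin/apachectl configtest, /bin/systemctl reload apache2

log() { logger -t apache-bounce -- "$*" 2>/dev/null || :; }

# Map the client's request to one fixed action; the string is never executed.
pick_action() {
    req=${1:-reload}            # plain "ssh apachebouncer@host" means reload
    case "$req" in
        reload|configtest) echo "$req" ;;
        *) return 1 ;;
    esac
}

# RUNNER=echo gives a dry run; the default relies on the sudoers rule above.
run_action() {
    runner=${RUNNER:-"sudo -n"}
    case "$1" in
        configtest) $runner /usr/sbin/apachectl configtest ;;
        reload)     # refuse to reload a configuration that does not parse
                    $runner /usr/sbin/apachectl configtest &&
                    $runner /bin/systemctl reload apache2 ;;
    esac
}

main() {
    src=${SSH_CONNECTION:-unknown}; src=${src%% *}   # client address
    action=$(pick_action "${SSH_ORIGINAL_COMMAND:-}") || {
        log "rejected request from $src"
        echo "denied" >&2
        return 2
    }
    log "$action requested from $src"
    run_action "$action"
}

# sshd sets SSH_CONNECTION; only act when started through an SSH login.
if [ -n "${SSH_CONNECTION:-}" ]; then main; fi
```

Every request, accepted or rejected, lands in syslog under the `apache-bounce` tag, which gives an audit trail of which client address triggered each reload.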
Old 07-19-2017, 10:05 AM   #3
Senior Member
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,838

Take a look at Rundeck; you can create "jobs" based on a number of criteria, which you can permission on a user-by-user basis.

Jobs can have a number of steps that include steps that run on the "local" Rundeck server, or (more often!) run on the "target" machine.

You can also do things like find the target nodes by wildcard, or present a pick list menu of targets to run on etc.

Jobs are HIGHLY configurable, so there's a little bit of effort needed to learn the best way to define your jobs, but it's well worth it for any user-facing system.
Old 07-19-2017, 06:59 PM   #4
Senior Member
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.5
Posts: 2,316

Also Webmin. You can set up users with specific privileges; the users log in and do what you've authorized them to do.
It can also give you, as the admin, a very useful web interface for just about any task.

