06-24-2003
Chris Morris
Re: Log rotation and virtual hosts

borchers@rainbow.nmt.edu (Brian Borchers) writes:
> The problem comes when it's time to rotate the logs. This normally
> requires restarting the web server. I could give each virtual host
> manager a sudo script that would restart the server. I'd rather find
> a cleaner solution.


That opens you up to the possibility of a DoS attack (and maybe other
security vulnerabilities) unless you're very careful, so a cleaner
solution is good.

> Any suggestions of a cleaner way to do this?
>
> What do the commercial web space providers do?


No idea what the commercial ones do, but on a box I have with a lot of
separately logged vhosts, the logrotate script for apache contains
logrotate instructions for each vhost's logfile, and uses shared
scripts on postrotate to restart the server.

In /etc/logrotate.d/apache:
/var/log/apache/vhost1/*.log {
    weekly
    missingok
    rotate 4
    compress
    notifempty
    create 640 root vhost1
    sharedscripts
    postrotate
        /etc/init.d/apache reload > /dev/null
    endscript
}
/var/log/apache/vhost2/*.log {
    weekly
    missingok
    rotate 4
    compress
    notifempty
    create 640 root vhost2
    sharedscripts
    postrotate
        /etc/init.d/apache reload > /dev/null
    endscript
}

And that's it. If your vhosted people want to do their own log
rotation, then they can tell *you* how many to keep, daily, weekly or
monthly, etc. and you can make the changes to the central file - no
need to have them all on the same parameters.

The file's from a Debian distribution, by the way, but I can't imagine
it'd be *much* different on any Unix/Linux distribution with a decent
logrotate program.

The postrotate script can probably be replaced with 'apachectl
graceful' or similar if you prefer, though I've not tested that.

You then make /home/vhost1owner/weblogs/ a symlink to
/var/log/apache/vhost1/ and set up permissions so they can read but
not write (already in the example).

--
Chris
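
The "read but not write" layout described in the post can be audited with a short shell function, given here as an added example that is not part of the original post. logrotate acts on these directories as root, so nothing in them should be writable by a vhost account. The function name and finding labels are made up for illustration, and the log root and expected owner are arguments (the post uses /var/log/apache and root).

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_vhost_logs LOG_ROOT [OWNER]
#   Checks every LOG_ROOT/<vhost>/ directory against the layout in the post:
#   directory and log files owned by OWNER (default root), nothing writable
#   by group or other, log files not world-readable (mode 640 or stricter).
#   Prints one line per finding; returns 0 if clean, 1 otherwise.
#   Typical call: audit_vhost_logs /var/log/apache root
audit_vhost_logs() {
    log_root=$1
    owner=${2:-root}
    report=$(
        for dir in "$log_root"/*/; do
            [ -d "$dir" ] || continue
            dir=${dir%/}
            # A vhost log directory that is itself a symlink may point
            # outside LOG_ROOT, so flag it and do not follow it.
            if [ -L "$dir" ]; then
                echo "SYMLINK $dir"
                continue
            fi
            # The directory itself: wrong owner, or writable by group/other.
            find "$dir" -prune ! -user "$owner" -exec echo "OWNER" {} \;
            find "$dir" -prune \( -perm -020 -o -perm -002 \) \
                -exec echo "WRITABLE-DIR" {} \;
            # Contents: symlinks, wrong owner, writable or world-readable files.
            find "$dir" -type l -exec echo "SYMLINK" {} \;
            find "$dir" -type f ! -user "$owner" -exec echo "OWNER" {} \;
            find "$dir" -type f \( -perm -020 -o -perm -002 \) \
                -exec echo "WRITABLE-FILE" {} \;
            find "$dir" -type f -perm -004 -exec echo "WORLD-READABLE" {} \;
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Running it from cron after each rotation catches a `create` line or a manual chmod that has loosened a vhost's log permissions.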