Comments on: Setting up a secure Ubuntu LAMP server https://blog.al4.co.nz/2011/05/setting-up-a-secure-ubuntu-lamp-server/ My hobby... Mon, 01 May 2017 03:43:24 +0000

By: Making stephendrake.me – In the Shadow of Trees https://blog.al4.co.nz/2011/05/setting-up-a-secure-ubuntu-lamp-server/#comment-12884 Mon, 01 May 2017 03:43:24 +0000 http://blog.al4.co.nz/?p=872#comment-12884

[…] it’s time for the real fun. At this point, I began following this excellent tutorial by Alex Forbes. Many guides will help you set up your VPS, but Alex’s understanding of the […]

By: Rafael de Paula https://blog.al4.co.nz/2011/05/setting-up-a-secure-ubuntu-lamp-server/#comment-12631 Thu, 06 Oct 2016 00:12:42 +0000 http://blog.al4.co.nz/?p=872#comment-12631 In reply to James.

Thank you! That was very helpful.

By: Setting up VPS as a web server notes – Nguyen Thuy Vy https://blog.al4.co.nz/2011/05/setting-up-a-secure-ubuntu-lamp-server/#comment-12296 Wed, 29 Jun 2016 02:22:28 +0000 http://blog.al4.co.nz/?p=872#comment-12296

[…] Setting up a secure Ubuntu LAMP server has an amazing article. However, it is a little outdated: […]

By: Alex Forbes https://blog.al4.co.nz/2011/05/setting-up-a-secure-ubuntu-lamp-server/#comment-9626 Wed, 08 Jul 2015 09:16:36 +0000 http://blog.al4.co.nz/?p=872#comment-9626 In reply to Varun.

Hi Varun, thanks for the kind words.

You are correct, to set up another site you would add another file to sites-enabled (or to sites-available and link it to sites-enabled). Web browsers send a “Host:” header, which tells Apache which website (DNS host) the client is looking for, which it uses to determine which vhost to serve by matching ServerName or ServerAlias.
(The sites-* directories are just a Debian convention for structuring configuration; you could just as easily add another vhost to an existing file.)

As you are proxying a site and not running a PHP or specific Apache module, have you considered nginx? Nginx was built for proxying and does it more efficiently than Apache does, and is what I’d personally recommend for this purpose.

Cheers!

By: Varun https://blog.al4.co.nz/2011/05/setting-up-a-secure-ubuntu-lamp-server/#comment-9624 Wed, 08 Jul 2015 04:58:16 +0000 http://blog.al4.co.nz/?p=872#comment-9624

Thanks for the awesome article! I also used some other resources while working with your article to set up apache2 in conjunction with tomcat. I’m trying to host a couple of websites that would be deployed on tomcat and trying to use apache as the smart proxy server in between.

But let’s assume a different scenario (and I’m doing this as a good to know for myself and a guide to someone who might later visit this page and browse through comments, which I never normally do until I read all the ones here and they were just a big help!):
So if I was trying to set up two websites, I’m assuming I would need to add another config in the sites enabled folder and have that picked up by the apache2.conf that’s basically doing the overall configuration?

By: Alex Forbes https://blog.al4.co.nz/2011/05/setting-up-a-secure-ubuntu-lamp-server/#comment-9590 Wed, 01 Jul 2015 09:12:18 +0000 http://blog.al4.co.nz/?p=872#comment-9590 In reply to Saurabh.

Great! Glad to hear you got it sorted.

By: Saurabh https://blog.al4.co.nz/2011/05/setting-up-a-secure-ubuntu-lamp-server/#comment-9589 Wed, 01 Jul 2015 05:07:25 +0000 http://blog.al4.co.nz/?p=872#comment-9589 In reply to Alex Forbes.

Hi @Alex

Thanks for your detailed response.

Well I tested this: http://olivier.sessink.nl/jailkit/jailkit.8.html

And it works like a charm. It took time to figure out the right way, but once found, it was a cakewalk!

Interesting though, he too is from NL :)

By: Alex Forbes https://blog.al4.co.nz/2011/05/setting-up-a-secure-ubuntu-lamp-server/#comment-9581 Tue, 30 Jun 2015 18:49:19 +0000 http://blog.al4.co.nz/?p=872#comment-9581 In reply to Saurabh.

In that case… not really. Simplest way would be to copy in bash and passwd, add an alias called rbash to bash, and set shell to rbash. As the numerous articles will no doubt tell you, you can use ldd to determine the libraries that are required.

Another solution might be to run a separate ssh daemon on a different port, with configuration which would force the shell to passwd, so you can use sftp unimpaired on the default daemon. Not sure of the specific config you’d need, but the man pages should have all the info.

Alternatively you could set up a web daemon which, when sent the correct credentials, would run chage -M in the background. This would mean the user would be prompted to change it on the next login, something that the SFTP protocol supports. That’s getting into dev territory though, and requires authentication and sanitisation of user input for it to be secure. Also, maybe it would simply be easier for this web daemon to update the password itself (although this carries more risk security-wise).

By: Saurabh https://blog.al4.co.nz/2011/05/setting-up-a-secure-ubuntu-lamp-server/#comment-9321 Sun, 07 Jun 2015 05:26:12 +0000 http://blog.al4.co.nz/?p=872#comment-9321 In reply to Alex Forbes.

Thanks @Alex for your response!

Clarification: The user is allowed to log in through SFTP and jailed in the designated directory. Additionally the user should also be able to log in through SSH and change his password. These two settings are required simultaneously!

By: Alex Forbes https://blog.al4.co.nz/2011/05/setting-up-a-secure-ubuntu-lamp-server/#comment-9318 Sat, 06 Jun 2015 20:45:59 +0000 http://blog.al4.co.nz/?p=872#comment-9318 In reply to Saurabh.

You’re right, this is somewhat beyond the scope of this article! :)

If you want the user to only be able to change their password, I would set their login shell to /usr/bin/passwd – this is much simpler than setting up a chroot.
