Chroot jail of Nginx and php
Posted
by
sqren
on Server Fault
See other posts from Server Fault
or by sqren
Published on 2011-11-27T15:38:43Z
Indexed on
2011/11/27
17:55 UTC
Read the original article
Hit count: 567
I'm hosting multiple websites on one VPS, and want to chroot each website, eg. /chroot/website1 /chroot/website2
I'm using makejail, which is a highlevel tool, for creating the jails, and copying the libraries and dependencies. Easy peasy.
Each website will need nginx, php and mysql. For php I'm using php5-fpm which actually supports chroot by configuration, however I'm not using this (maybe I should?)
My question is which approach of the following three is the better:
1) Every website will have its own seperated instance of nginx, php and mysql. The downside is, that each webserver + php has to listen to a different port. I also need a "master" nginx web server in front of them, reverse proxying to the chrooted servers behind it. Probably most secure, but also most advanced.
2) I don't make any chroot jails manually. I setup one nginx web server, that proxies php requests to php-fpm, on different ports. I can have multiple php-fpm configurations each with is own chroot'ed folder. This is quite managable - however only php will be chrooted. Not the actual webserver. Is this secure enough. Also, I tried this option out, and it seems I will need to use TCP instead of sockets for connecting to MySQL.
3) You tell me ;)
I'm quite new to chroot jailing, so please correct me if I'm wrong in my assumptions. I've been reading all the tutorials I could find, however, I find the market for chroot guides very scarce. Any help or inputs much appreciated!
© Server Fault or respective owner