Chroot jail of Nginx and php

Posted by sqren on Server Fault
Published on 2011-11-27T15:38:43Z Indexed on 2011/11/27 17:55 UTC

I'm hosting multiple websites on one VPS, and want to chroot each website, e.g. /chroot/website1, /chroot/website2

I'm using makejail, which is a high-level tool, for creating the jails and copying the libraries and dependencies. Easy peasy.

Each website will need nginx, php and mysql. For php I'm using php5-fpm, which actually supports chroot by configuration; however, I'm not using this (maybe I should?)

My question is which approach of the following three is the better:

1) Every website will have its own separate instance of nginx, php and mysql. The downside is that each webserver + php has to listen on a different port. I also need a "master" nginx web server in front of them, reverse proxying to the chrooted servers behind it. Probably most secure, but also most advanced.

2) I don't make any chroot jails manually. I set up one nginx web server that proxies php requests to php-fpm on different ports. I can have multiple php-fpm configurations, each with its own chroot'ed folder. This is quite manageable - however, only php will be chrooted, not the actual webserver. Is this secure enough? Also, I tried this option out, and it seems I will need to use TCP instead of sockets for connecting to MySQL.

3) You tell me ;)

I'm quite new to chroot jailing, so please correct me if I'm wrong in my assumptions. I've been reading all the tutorials I could find, however, I find the market for chroot guides very scarce. Any help or inputs much appreciated!

© Server Fault or respective owner
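
Approach 2 from the question, sketched as an added example (not part of the original post or of any answer): a script that prints, per site, one php-fpm pool with its own `chroot` and the matching nginx server block. The pool users, ports 9001 and up, the `/htdocs` docroot inside each jail and the `.example` hostnames are assumptions.

```shell
#!/bin/sh
# Added example: emit one php-fpm pool and the matching nginx server block per site.
# Assumed (not from the post): users named after the site, ports 9001 and up,
# and a docroot at /htdocs inside each jail.

render_pool() {  # $1 = site name, $2 = TCP port
cat <<EOF
[$1]
user = $1
group = $1
listen = 127.0.0.1:$2
listen.allowed_clients = 127.0.0.1
; php-fpm calls chroot() for this pool's workers at startup
chroot = /chroot/$1
; chdir is resolved inside the jail
chdir = /htdocs
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOF
}

render_nginx() {  # $1 = site name, $2 = TCP port
cat <<EOF
server {
    listen 80;
    server_name $1.example;
    # nginx is not chrooted, so it sees the full host path
    root /chroot/$1/htdocs;
    location ~ \.php\$ {
        include fastcgi_params;
        # php-fpm sees the jail as /, so strip the /chroot/$1 prefix
        fastcgi_param SCRIPT_FILENAME /htdocs\$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:$2;
    }
}
EOF
}

port=9001
for site in website1 website2; do
    render_pool "$site" "$port"
    render_nginx "$site" "$port"
    port=$((port + 1))
done
```

The host's MySQL socket file lies outside each jail, which is why PHP in a chrooted pool ends up connecting over TCP (127.0.0.1) as the question observes. Running each pool under its own user keeps one site's PHP workers from reading another site's files even where the chroot alone would not.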
