Separating vhosts with Apache / PHP-FastCGI

Hi,

I'm using Apache with PHP-FPM/FastCGI. I've seen some guides for securing Apache, and I think I've done most of it, but there are still a few things I'm unsure of.

Mainly, how to separate/isolate vhosts? Currently, I can upload a PHP shell and simply cd ../ all the way up to the root filesystem. I want every vhost to be contained within its DocumentRoot, and not be able to go outside of that. I've seen things with open_basedir, but also SecChrootDir from ModSecurity. Has anyone done something like this? How should I do it?

My current directory-setup is:

Apache:

/etc/apache2/

vhosts:

/srv/www/DOMAIN/public_html/ <– DocumentRoot in the vhost config

/srv/www/DOMAIN/logs

PHP:

/etc/php5

The FPM one is in /etc/php5/fpm/ with the configs/pools in conf.d/ and pool.d/

I want to make sure the vhosts are properly separated and isolated so that they can only access /srv/www/domain/ and deeper, but nothing above that. At the same time, I don't want PHP to break, for example.

How should I do something like this?

Thanks!

3 Replies

I found something that, I think, accomplishes what I want... Well... almost:

http://www.makina-corpus.org/blog/install-drupal-php-fpm-fastcgi-apache-and-chroot-php-fpm

This one is more for just Drupal, I just want something in general, and this one doesn't use vhosts. So it's not exactly what I want.

It's kinda strange there aren't many guides about this online. I thought that especially professional web hosters/resellers (with shared web hosting) would use things like this all the time to protect their hosting environments. After all, they don't want people being able to upload some kind of php shell and simply read out server files, or exploit it in any other way. Plus they add new vhosts all the time when a new customer registers, automatically even. It can't be that hard :/

You might be interested in creating a custom FastCGI wrapper script that sets PHPRC to, e.g., /etc/php5/my-vhosts/vhost1.ini, with the open_basedir setting in that ini file.
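As an added example (not code from this thread or from any of the posters): with PHP-FPM, the per-vhost ini file the reply describes maps onto a per-vhost pool. Each pool runs as its own unix user, listens on its own socket, and carries php_admin_value[open_basedir] pointing at that vhost's /srv/www/DOMAIN/. The script below generates the pool file and the matching Apache vhost for one domain, using the directory layout from the question; the user-naming scheme (w_example_com), the Debian-style /etc/apache2/sites-available path, useradd/nologin, and the Apache 2.4.10+ mod_proxy_fcgi SetHandler syntax are assumptions. Two things it does that keep PHP from breaking: sessions and uploads are pointed at a tmp directory inside the vhost, because their defaults sit outside open_basedir; and shell functions are disabled, because open_basedir only fences PHP's own file functions, not whatever exec() or system() spawns.

```shell
#!/bin/sh
# Added example, not from the thread: one PHP-FPM pool + one Apache vhost per
# domain, each pool running as its own unix user with open_basedir fenced to
# /srv/www/DOMAIN/. Paths, the user-naming scheme and the Apache 2.4.10+
# mod_proxy_fcgi handler syntax are assumptions.
set -eu

WEBROOT=/srv/www                          # layout from the question
POOL_DIR=/etc/php5/fpm/pool.d             # layout from the question
VHOST_DIR=/etc/apache2/sites-available    # assumed Debian-style layout

# Map a domain to a unix user name (assumed scheme: "w_" + domain, lowercased,
# non [a-z0-9] replaced by "_", trimmed so the whole name fits in 32 chars).
pool_user() {
    printf 'w_%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z' \
        | tr -c 'a-z0-9\n' '_' | cut -c1-29)"
}

# Emit the php-fpm pool config for one domain on stdout.
pool_conf() {
    d=$1; u=$(pool_user "$d")
    cat <<EOF
[$d]
user = $u
group = $u
listen = /var/run/php5-fpm-$d.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; Fence PHP's own file functions to this vhost. Sessions and uploads must
; live inside the fence or PHP breaks, so give them a private tmp dir.
php_admin_value[open_basedir] = $WEBROOT/$d/
php_admin_value[upload_tmp_dir] = $WEBROOT/$d/tmp
php_admin_value[session.save_path] = $WEBROOT/$d/tmp
; open_basedir does not apply to spawned shells: block the escape hatches.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
php_admin_flag[allow_url_include] = off
EOF
}

# Emit the Apache vhost for one domain on stdout.
vhost_conf() {
    d=$1
    cat <<EOF
<VirtualHost *:80>
    ServerName $d
    DocumentRoot $WEBROOT/$d/public_html
    ErrorLog $WEBROOT/$d/logs/error.log
    CustomLog $WEBROOT/$d/logs/access.log combined
    <Directory $WEBROOT/$d/public_html>
        Require all granted
    </Directory>
    # Hand .php requests to this vhost's own pool socket (mod_proxy_fcgi).
    <FilesMatch "\.php\$">
        SetHandler "proxy:unix:/var/run/php5-fpm-$d.sock|fcgi://localhost/"
    </FilesMatch>
</VirtualHost>
EOF
}

# Create user, directories and both config files for one domain (needs root).
provision() {
    d=$1; u=$(pool_user "$d")
    id "$u" >/dev/null 2>&1 || \
        useradd --system --home "$WEBROOT/$d" --shell /usr/sbin/nologin "$u"
    mkdir -p "$WEBROOT/$d/public_html" "$WEBROOT/$d/logs" "$WEBROOT/$d/tmp"
    chown -R "$u:$u" "$WEBROOT/$d/public_html" "$WEBROOT/$d/tmp"
    # Apache (www-data) may traverse the vhost dir; other pool users may not,
    # so filesystem permissions back up open_basedir even if it is bypassed.
    chown "$u:www-data" "$WEBROOT/$d"
    chmod 750 "$WEBROOT/$d"
    pool_conf "$d"  > "$POOL_DIR/$d.conf"
    vhost_conf "$d" > "$VHOST_DIR/$d.conf"
}

# Usage: ./vhost-add.sh example.com   (as root; then reload php5-fpm and apache2)
if [ $# -ge 1 ]; then
    provision "$1"
fi
```

The per-vhost user is the part that actually holds: a shell uploaded into one vhost then runs as that pool's user, and the 750 directories stop it reading a neighbour even if open_basedir is bypassed. PHP-FPM also has a per-pool chroot = directive, which is what the Drupal link in the earlier reply uses; it is stricter but only works once the chroot contains the libraries, sockets and tmp dirs PHP needs, which is the "don't break PHP" trade-off the question mentions.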

Well, that was pretty bad, I suppose... For those wondering: when working with multiple PHP-FPM pools, don't close the too early :) :oops:
