Score:0

LAMP Stack - Multiple Websites Isolation


I would like to host multiple websites on a VPS (LAMP stack - Ubuntu 20.04 LTS). For security reasons, I'd like to properly isolate each website/vhost from each other and also prevent access to other/system files. This shall mitigate the risk of website visitors exploiting a vulnerability of one website to manipulate files of other websites or access arbitrary files on the system.

  1. Prevent access to other/system files:
    • Apache: The DocumentRoot directive specified in the virtual host config file of each website sets the directory from which Apache can serve files [1]. Is this sufficient to prevent Apache from accessing files outside of the DocumentRoot (e.g. /var/www/site1, /var/www/site2)? Because technically the Apache user (www-data) has read access to other files on the system as well. But I guess these are two different things? Meaning, Apache is programmed in a way to only serve files from specified directories to website visitors and Apache itself wouldn't serve any other files even though it has the required privileges to access/read other files on the system as www-data?
    • PHP: The open_basedir directive limits the files that can be accessed by PHP to the specified directory-tree [2]. Is it sufficient to set this directive to /var/www/site1 in the vhost config file of website 1 (/var/www/site2 respectively in the vhost file of website 2 etc.) to prevent PHP from accessing any files outside of these specified directories? Furthermore, if I limit PHP's access to files in this way, do I also need to specify directories other than the websites' root directory for PHP to work properly?
  2. Prevent websites from being able to access each other:
    • Apache: Is it possible to create isolated Apache processes/users for each website? When I did my research, the same Apache user was used for all vhosts. Does this mean for websites to be isolated from each other, Apache doesn't need to be separated?
    • PHP: From my understanding, separate PHP-FPM pools can be used for each website to completely isolate them from each other (isolated PHP environments). Is this correct? Would I also need to create folders for each website to store their respective PHP session data? Or is PHP session data isolated by default, i.e. unique to each website (unique to each domain and also subdomain)? I don't want a situation where two websites share the same session data. For example, if I have two subdomains sub1.example.com and sub2.example.com and both sites have WordPress installed, I don't want a user who logged in on sub1 to be automatically logged in on sub2 as well.

I'd be grateful if someone could tell me if these measures would be enough to securely isolate multiple websites hosted on one server - if not, please point out the things I've missed.

Lastly, I suppose using the same MariaDB database server for all websites is alright? For each website I would create a database and a respective database user.

Thank you in advance for any responses!
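The per-site settings the question lists (one PHP-FPM pool and Unix user per website, open_basedir confined to that site's directory, a separate session directory per site) can be checked mechanically. The following is an added example, not part of the original post; the pool names, users, paths, the `/var/www/<pool>` layout and the `audit_pools` helper are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: pool names, users and paths are assumptions.
SAMPLE_POOLS = """
[site1]
user = site1
php_admin_value[open_basedir] = /var/www/site1:/var/lib/php/sessions/site1
php_admin_value[session.save_path] = /var/lib/php/sessions/site1
[site2]
user = www-data
php_admin_value[open_basedir] = /var/www
php_admin_value[session.save_path] = /var/lib/php/sessions/site1
"""

def parse_pools(text):
    """Parse PHP-FPM pool syntax into {pool: {directive: value}}."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if m := re.fullmatch(r"\[([^\]]+)\]", line):
            current = pools.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value
    return pools

def audit_pools(pools, web_root="/var/www"):
    """List settings that let one site reach another site's files or sessions."""
    findings, by_user, by_sess = [], defaultdict(list), defaultdict(list)
    for name, cfg in pools.items():
        sess = cfg.get("php_admin_value[session.save_path]", "")
        by_user[cfg.get("user", "")].append(name)
        by_sess[sess].append(name)
        root = f"{web_root}/{name}"  # assumed layout: one directory per pool
        basedir = cfg.get("php_admin_value[open_basedir]", "")
        if not basedir:
            findings.append(f"{name}: open_basedir not set")
        for path in filter(None, basedir.split(":")):
            in_site = path.rstrip("/") == root or path.startswith(root + "/")
            if not in_site and path != sess:  # own session dir is tolerated
                findings.append(f"{name}: open_basedir allows {path}")
    for user, names in by_user.items():
        if len(names) > 1 or user in ("", "www-data", "root"):
            findings.append(f"{', '.join(names)}: shared or default user {user!r}")
    for sess, names in by_sess.items():
        if len(names) > 1 or not sess:
            findings.append(f"{', '.join(names)}: shared or unset session.save_path")
    return findings
```

On the constructed sample, `audit_pools(parse_pools(SAMPLE_POOLS))` reports three findings, all caused by the `site2` pool.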

Score:0

In 2022, almost perfect isolation is possible with Docker. I'd not bother with trying anything else, seriously. Everybody went this way, so you will find a wide community and commercial support.

For instance, there is a Docker image with WordPress already installed which was made by the WordPress developers, so you can just use it and not bother with configuring PHP and Apache.

What you will need besides that is a reverse proxy which will detect requests to different websites and direct them to different containers.

> I don't want a user who logged in on sub1 to be automatically logged in on sub2 as well.

This is an entirely different kind of concern. It doesn't depend on isolation of processes from the OS standpoint; rather, it depends on the browser's behavior when sending cookies (e.g. which cookies to send where). I suggest asking about this part at Webmasters.

Tando:
I have been looking into Docker as well since it looked like the easiest way to achieve isolation. But so far, I wasn't confident enough to say that I understood everything about it to be able to deploy a **secure** Docker container on a public facing server. Like how to pass credentials to Docker securely, security of Docker itself etc. Plus, keeping every container updated seems to be cumbersome. Creating Docker containers seems to be fairly easy but ensuring security of these containers seems to require much deeper knowledge.
Nikita Kipriyanov:
Keeping every container updated is actually the easiest part; it is what made Docker so popular. You just replace the image with an updated one, that's all (hooking up all the permanent resources that you did for its predecessor). From your concerns I see you did not invest enough into learning what Docker is and what it could do for you, so please, learn that. Really, your question calls for it; it's like a definition of the problem that Docker initially attempted to solve (when it wasn't even called Docker), and it did that perfectly, which is what made it flourish.
Tando:
Do you think Docker itself is secure enough overall (even if the Docker daemon runs as root)? It also seems like good practice to use non-root users _within_ each container. There are images by Bitnami which are configured this way by default. Do you happen to have any experience with these Bitnami images - if yes, can you recommend them?
Nikita Kipriyanov:
I ask you again to learn Docker. You are asking questions that are answered in its documentation. // No, I don't have any experience with Bitnami images.