[bitfolk] Confining PHP apps (Was: Re: Migrate away from Wor…

Author: Andy Smith
Date:  
To: users
Old-Topics: Re: [bitfolk] Migrate away from Wordpress?
Subject: [bitfolk] Confining PHP apps (Was: Re: Migrate away from Wordpress?)

gpg: Signature made Sat Jun 6 15:58:07 2020 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hello,

On Sat, Jun 06, 2020 at 04:35:44PM +0100, ed-bitfolk@??? wrote:
> bites you eventually as the disk cache has to be writable by the
> httpd process, which is bad. Maybe these days there's a way to
> protect that through SELinux, but it's just trouble I'd rather not
> have.


I run PHP things under mod_proxy_fcgi which makes all PHP for a
given vhost run as a specific user. That uses only features built in
to Apache and PHP so is pretty simple and reliable:

    https://www.binarytides.com/setup-apache-php-fpm-mod-proxy-fcgi-ubuntu/
    https://www.server-world.info/en/note?os=Debian_9&p=httpd&f=13


Alternatively, a container that runs mod_php that the main host's
web server acts as a proxy to also seems okay.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
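
The per-vhost setup described in the message, as an added example that is not part of the original post or the linked guides: a shell function that writes a PHP-FPM pool running as a dedicated user, plus an Apache vhost that hands `.php` requests to that pool through mod_proxy_fcgi. The site name, user name, paths, the `www-data` Apache user and the pool sizing are all assumptions.

```shell
#!/bin/sh
# Added example. Every name and path here is an assumption, not taken
# from the original post.

# gen_php_site SITE USER OUTDIR
# Writes OUTDIR/SITE.pool.conf (PHP-FPM) and OUTDIR/SITE.vhost.conf (Apache).
gen_php_site() {
    site=$1; user=$2; out=$3
    sock="/run/php/${site}.sock"          # assumed socket location
    mkdir -p "$out" || return 1

    # PHP-FPM pool: PHP for this site runs as $user, so files the app must
    # write can be owned by $user instead of by the httpd user.
    cat > "$out/${site}.pool.conf" <<EOF
[${site}]
user = ${user}
group = ${user}
listen = ${sock}
; Only the Apache user (www-data on Debian/Ubuntu) may open the socket.
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
EOF

    # Apache vhost: mod_proxy_fcgi passes *.php to this site's pool only.
    cat > "$out/${site}.vhost.conf" <<EOF
<VirtualHost *:80>
    ServerName ${site}
    DocumentRoot /srv/${site}/public
    <FilesMatch "\.php\$">
        SetHandler "proxy:unix:${sock}|fcgi://localhost"
    </FilesMatch>
</VirtualHost>
EOF
}

# pool_user FILE: print the account a generated pool runs as.
pool_user() {
    sed -n 's/^user = //p' "$1"
}
```

Giving each site its own user and socket means one site's PHP code cannot write to another site's files, and the httpd process itself needs no write access to any of them.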