
#1 2019-10-18 07:15:22

ford prefect
Member
Registered: 2010-07-08
Posts: 43

Isolating webapps on a server

Hi,

we are running a bunch of websites with different webapps on a headless arch server. Usual php-fpm and nginx setup. After some unpleasant cross-infection from outdated wordpresses, we are looking for a way to isolate webapps.

We considered chroot-ed php-fpm instances per site, but that leads to high administration overhead (UID, extensive config, etc. per web app). While not impossible, it is tedious, error prone and requires lots of manual scripting (e.g. systemd units for startup mounting of sockets).

Another way is docker. Building a docker image based on php-fpm that handles the logic and talks to the global nginx seems feasible and scales well.
Since the wordpress webapps seem to be the most attacked, the idea would now be to build a generic wordpress image with the most up-to-date wordpress and base every wordpress instance on that.
The container filesystem could look like this:

/
/run
/webroot
/tmp

where /run contains the sockets for mysql and other things needed, /webroot contains the webapp (here wordpress) and /tmp is available for application usage. There will be more files and folders from the base container, but I omitted that for clarity.
The wordpress data would then be installed (e.g. via git) to /webroot and wp-config.php and wp-content would be omitted, being added later for every instance.
In this building process wp-content could be a volume making the data persistent, while wp-config.php is just copied into the container from a manually pre-filled file.

This is how far I have come with the idea; it is not implemented yet.
Does this actually make sense, is it feasible like this? Are there other (better) ways?
(I have not worked with docker before, I might have misconceptions about how it works. If you spot one please advise.)

Thank you for reading until the end!
fp


towel-day.com
nvidia is not a skin cream


#2 2019-10-18 07:49:52

progandy
Member
Registered: 2012-05-17
Posts: 5,196

Re: Isolating webapps on a server

No idea about docker, but even if you run without any chroot or container, isn't it standard to have a UID for each site and run a separate php-fpm instance for those UIDs?


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#3 2019-10-18 07:52:50

ford prefect
Member
Registered: 2010-07-08
Posts: 43

Re: Isolating webapps on a server

Due to the overhead, we did not do it so far. And as I wrote I don't consider it a good solution. You may well convince me though…


towel-day.com
nvidia is not a skin cream


#4 2019-10-18 08:15:06

progandy
Member
Registered: 2012-05-17
Posts: 5,196

Re: Isolating webapps on a server

I don't think it is necessarily better, I just wondered about the overhead. Run nginx with a UID that can only read, not write, the vhosts. Then for each app, create a UID, create a database account, chown the webroot to the UID, add a new pool with that user to php-fpm.conf, and configure the nginx vhost for the app to use that pool. That is what I consider minimum separation.

Of course a wordpress container is really convenient if you have to maintain multiple installations.

As for docker, this might be interesting: https://github.com/jwilder/nginx-proxy
If you don't have any docker infrastructure yet, maybe look at podman, buildah as well.

Last edited by progandy (2019-10-18 08:16:15)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
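The minimum-separation recipe described in the post above (one UID, one php-fpm pool and one nginx vhost per app), written out as an added example script that is not from the thread. It assumes Arch defaults: nginx running as user `http`, pool files in /etc/php/php-fpm.d/, webroots under /srv/http/<site>, and a `web-<site>` account name; the database-account step is left to the reader.

```shell
#!/bin/sh
# Added example: per-site php-fpm/nginx isolation. Paths and naming are assumptions.
set -eu

# php-fpm pool: own UID, own socket that only nginx's user (http) may connect to,
# and open_basedir so a compromised app cannot read the other sites' webroots.
gen_fpm_pool() {
    site="$1"; user="web-$1"
    cat <<EOF
[${site}]
user = ${user}
group = ${user}
listen = /run/php-fpm/${site}.sock
listen.owner = http
listen.group = http
listen.mode = 0660
pm = ondemand
pm.max_children = 5
php_admin_value[open_basedir] = /srv/http/${site}:/tmp/${site}
php_admin_value[upload_tmp_dir] = /tmp/${site}
php_admin_value[session.save_path] = /tmp/${site}
EOF
}
# nginx vhost: nginx only reads the webroot; PHP requests go to this site's socket only.
gen_nginx_vhost() {
    site="$1"; domain="$2"
    cat <<EOF
server {
    listen 80;
    server_name ${domain};
    root /srv/http/${site};
    index index.php;
    location ~ \.php\$ {
        include fastcgi.conf;
        fastcgi_pass unix:/run/php-fpm/${site}.sock;
    }
}
EOF
}
# Needs root: webroot owned by the app user, readable (not writable) by http via group.
provision_site() {
    site="$1"; domain="$2"; user="web-$1"
    useradd --system --no-create-home --shell /usr/bin/nologin "$user"
    install -d -o "$user" -g "$user" -m 0750 "/srv/http/${site}" "/tmp/${site}"
    usermod -aG "$user" http
    gen_fpm_pool "$site" > "/etc/php/php-fpm.d/${site}.conf"
    gen_nginx_vhost "$site" "$domain" > "/etc/nginx/sites/${site}.conf"
}
```

After `provision_site blog blog.example.org`, reload php-fpm and nginx; each pool then runs under its own UID and can only reach its own webroot and temp directory.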
