I want to run several instances of apache2 (2.4 to be precise) with PHP 7 (libapache2-mod-php7.0) under Debian stretch.

Is it more secure

  • to run every instance (with its own config) in its own unprivileged lxc container and confining the containers with apparmor
  • or to run several apache2 instances (having their own config) and confine each of them with apparmor (own profile for each instance).

The apache2 instances shouldn't be able to access each other's configs or webroots, or other (unneeded) files/resources on the server, even if the PHP scripts got exploited or replaced by arbitrary code.

I hope this is the correct Stack Exchange site for such a question. If not, feel free to move my question as appropriate.

Thilo
  • 1
    Depends on what you want to protect against. I guess apparmor alone should be enough for most use cases and there will be some useful profiles for securing an apache available. – allo Feb 16 '17 at 22:17
  • The subdomains of the webapp I'm running can be sorted into different "security classes" depending on the intended audience and access level. I now want to prevent access from one security class (read: one apache2 instance) to other classes, even when one apache2 instance is forced into running some attacker controlled php code. I guess apparmor alone would be enough for this task? – Thilo Feb 16 '17 at 22:45
  • 1
    Probably, but it may be a bit harder to create profiles for two apaches (where most are defined for one security group), while lxc just means running two lxc instances. I would just experiment a bit. – allo Feb 17 '17 at 22:55
  • Another option would be to use Apache's mod_apparmor; this way I would only have to confine one apache2 instance and could define distinct apparmor rules for different paths or virtual hosts. http://wiki.apparmor.net/index.php/Mod_apparmor – Thilo Feb 20 '17 at 14:13
  • 1
    I didn't know this existed. Looks like this would be the best choice, as it's the best integration with apache and probably avoids some pitfalls. – allo Feb 20 '17 at 15:14

0 Answers