I want to run several instances of apache2 (2.4 to be precise) with PHP 7 (libapache2-mod-php7.0) under Debian stretch.
Is it more secure:
- to run every instance (with its own config) in its own unprivileged LXC container and confine the containers with AppArmor,
- or to run several apache2 instances (each having its own config) and confine each of them with AppArmor (own profile for each instance)?
The apache2 instances shouldn't be able to access each other's configs or webroots, or other (unneeded) files/resources on the server, even if the PHP scripts got exploited or replaced by arbitrary code.
I hope this is the correct Stack Exchange site for such a question. If not, feel free to move my question as appropriate.