We are a small web development business and we offer free hosting for all our clients..
When we started, we decided that it was best to isolate each client (domain) inside their own FreeBSD jail so if a web application get compromised, then it is contained and cannot affect our other clients..
So far, we have 21 jail all running their own webserver and version of php but all sharing 1 common database (also in a jail).
This setup sounded like a good idea at the time but as we are starting to grow, we found a few issue with it and struggling with managing it all...
So the question is this:
Can domain isolation be achieve in hiawatha using
WrapCGI = jail_mydomain.co.uk
Wrap = jail_mydomain.co.uk ; /usr/local/www/mydomain.co.uk ; 80:80
php_admin_value[open_basedir] = /usr/local/www:/usr/local/php/7.0/lib/php
Am I correct to think that If I set WrapCGI then the hacker cannot go out of the path specified in cgi-wrapper.conf?
Can you offer any advise on how to run secure web environment?