Best way to sandbox Apache on Linux

Chroot jails can be really insecure when you are running a complete sandbox environment. Attackers have complete access to kernel functionality and for example may mount drives to access the "host" system.

I would suggest that you use linux-vserver. You can see linux-vserver as an improved chroot jail with a complete debian installation inside. It is really fast since it is running within one single kernel, and all code is executed natively.

I personally use linux-vserver for seperation of all my services and there are only barely noticeable performance differences.

Have a look at the linux-vserver wiki for installation instructions.

regards, Dennis


I second what xardias says, but recommend OpenVZ instead.

It's similar to Linux-Vserver, so you might want to compare those two when going this route.

I've setup a webserver with a proxy http server (nginx), which then delegates traffic to different OpenVZ containers (based on hostname or requested path). Inside each container you can setup Apache or any other webserver (e.g. nginx, lighttpd, ..). This way you don't have one Apache for everything, but could create a container for any subset of services (e.g. per project).

OpenVZ containers can quite easily get updated altogether ("for i in $(vzlist); do vzctl exec apt-get upgrade; done")

The files of the different containers are stored in the hardware node and therefore you can quite easily access them by SFTPing into the hardware node. Apart from that you could add a public IP address to some of your containers, install SSH there and then access them directly from the container. I've even heard from SSH proxies, so the extra public IP address might be unnecessary even in that case.


You could always set it up inside a virtual machine and keep an image of it, so you can re-roll it if need be. That way the server is abstracted from your actual computer, and any virus' or so forth are contained inside the virtual machine. As I said before, if you keep an image as a backup you can restore to your previous state quite easy.