On Thursday 28 May 2009, Alan McKinnon wrote:

> A chroot jail is of no real use to you here - it's a development tool and
> amazingly useful for gentoo installs, but has no real security or process
> separation benefits. So says Alan - not me, a different one.

OK, thanks for this to both of you! :)

> Your problem will be that only one apache instance can run on port 80.

That's no problem.  I can run the payment managing website on a different 
port.

> Your options:
> 1. Run the ecommerce apache on a different port.

Yep, SSL, different port.

> 2. Install a second NIC with a different IP and bind each apache to port 80
> on it's own nic.

How do you do this?

> 3. If you use separate mysqls, run them on different ports.

I'll need to run them using /usr/bin/mysql --options I guess, rather than 
using the /etc/init.d scripts, right?

> However, it's an e-commerce site so one must state the obvious:
>
> You must be out of your mind running an ecommerce site on the same machine
> as other php vhosts. Please give me the URL so I know never to buy there -
> I have no way of knowing what those vhosts are, who the webmaster is and
> how secure they are.

Is the fear that one of these apache vhosts installations will be compromised 
and then the ecommerce/payment website will get hacked from the inside?

> So I recommend option 4:
>
> Pony up the money for server #2

Hmm, yes that's what I was trying to avoid.  ;-)

Would running complete virtual servers to achieve separation be any/much 
better?
-- 
Regards,
Mick