I frown at putting all of Perl into a chroot, but there isn’t really a good alternative. You could use FastCGI, run the Perl process outside of the chroot and leave its socket in /var/www, so that httpd/nginx only has access to the socket and there are no Perl guts inside the chroot to use, but the Perl script should really then be chrooted separately.
This gets much uglier with big things like Ruby on Rails.
The purpose of the perl-in-chroot portion of the article was more like ‘hey, this is how you would do it if you wanted to’. As I mentioned in the article itself, I only host static content.
Hopefully it'll eventually support something like proxying to a second http daemon, so for Perl you could chroot perl + Starman, and have httpd proxy to it.