[07:09] <mettiu> what's the best way to configure an 18.04 php webserver with multi domain (each domain must have its own sftp user)? i need to use a test webserver isolating different applications. i've read about that online but never found a real clarification about the "good" way to do that (like hosting providers do, for example). thanks
[07:45] <blackflow> mettiu: the answer to that question is too broad, it'd take a lot of typing.... do you have a more specific question about it? but in short... one user per site. ssh with sftp-only chroot setup to user's $HOME. put the web server into the user's group. chmod 750 homedir. create a subdir per domain in $HOME. run php-fpm with a pool per user, running as that user.
[07:47] <blackflow> the subdir is important. with sftp chroot the user won't be able to create any files in their $HOME directly (because $HOME has to be owned by root, for sftp chroot). Standard names are ~/public_html or ~/htdocs but it's just a convention.
[07:47] <mettiu> thanks blackflow, good info. one of the typical questions is about "where to put the public_html" folder, in /var/www or user home. from what you say it's better to use the user's own home directory
[07:48] <blackflow> now I'd go even further with securing that thing down, but it requires you to have 100% control over what is being run in PHP, so you place an AppArmor and protect sites from each other, and block PHP from executing files it can modify.
[07:48] <blackflow> mettiu: yes, user home because of the chroot.
[07:50] <mettiu> thanks, blackflow.. are there books about that or is just experience? i'm a developer, and i want to increase my knowledge about the stack :)
[07:53] <blackflow> in my case, that's experience from running public sites for over 20 years, most of that as a managed hosting provider. And besides, it's not as if you have a million different ways to pull it off, if you start from the Least Privilege Principle and security-first.
[07:55] <mettiu> thanks blackflow, you put me on my way to better understand :)
[07:56] <blackflow> mettiu: however, this is based on the "SFTP needed" premise. If you don't strictly need it, then I'd do it differently. In fact, in our use case we develop and control the web application, and thus it is deployed from git, PHP files owned by root. special RW dirs for "uploads". fpm unprivileged, AppArmor profile separating instances. full systemd service isolation of instances (one fpm master per
[07:57] <blackflow> site, not just many pools under single master).
[08:06] <mettiu> sure blackflow, it would be different
[11:52] <ybaumy> moin. any advice on how to solve that systemd-resolved mess once and for all? i would like to use docker but no container can resolve dns hosts.. i already read todo's on how to install other tools and restore /etc/resolv.conf to its original state.. so i removed the link for /etc/resolv.conf and added nameserver entries but now nothing resolves anymore
[11:52] <ybaumy> i am on 18.04
[13:51] <kklimonda> check /etc/nsswitch.conf and see if you have `hosts: files dns`
[15:27] <lordcirth> How can I configure the NFS client to refresh cache when it receives an ESTALE?
[15:32] <lordcirth> Hmm, apparently that's not what I actually need either
[20:03] <plongshot> does 18.04 server come with any tools / utilities that can create an image (ie: clone) of the server it's installed on and depoit it in the form of a tar.gz ?
[20:04] <plongshot> depoit\deposit
[20:14] <plongshot> I found an answer. ty
[21:23] <_KaszpiR_> dd ;D
[22:14] <plongshot> Are there any known challenges to using wildfly on ubuntu server 18.04?
[22:16] <plongshot> considering the fact that it's a rhel developed application and they use yum (a different package manager). So would there be any problem installing, configuring, using?
[22:41] <tomreyn> plongshot: well the primary issue will be that it's not available (via APT) in ubuntu
[22:42] <tomreyn> https://launchpad.net/~ilanddev/+archive/ubuntu/wildfly-15?field.series_filter=bionic may help there if that's an acceptable version