to create the initial jail for php/apache, create the directory, cd into it, then extract the complete contents of those packages (apache, php, php-apache, etc.) into there. copies of the most recent versions of those packages are in /var/cache/pacman/pkg

besides the usual files that show up in ldd, also need:


limited user httpd process needs write access to (in the chroot):
/dev/null (chmod 666 this node)

note: /dev/null not being writeable will manifest as the server starting successfully with -X (debug mode), but during a normal startup attempt it will log "[crit] (13)Permission denied: apr_proc_detach failed"

note: if you start httpd directly (i.e. "chroot --userspec=user:group . usr/sbin/httpd" instead of using apachectl), the chroot jail does not need to have a shell in it. not having a shell might prevent php commands like system(), which might be a bonus or a detriment...

for perl apache, need to extract all related perl packages into the jail too

include tips about handling redirects and using exceptions to make them happen at the outer layer apache instead of the hidden one. (especially important for "force https" redirects, because the inner server can't tell that the original request came via https.)