Website Isolation is a security feature that provides domain-level isolation within CageFS. It allows server administrators to isolate individual websites from each other, even when they belong to the same hosting account. This prevents cross-site attacks where a compromised website could access files or data from other websites on the same account.
When Website Isolation is enabled for a domain:
- Each isolated website runs in its own isolated environment
- PHP processes for isolated websites cannot access files from other websites
- Crontab entries are automatically scoped to their respective document roots
- Existing PHP processes are gracefully terminated and restarted in the isolated environment
| Package | Minimum Version |
|---|---|
| cagefs | 7.6.29-1 |
| lve (liblve) | 2.2-1 |
| lve-wrappers | 0.7.13-1 |
| alt-python27-cllib | 3.4.33-1 |
| Handler | Status |
|---|---|
| LSAPI | ✅ Supported (Recommended) |
| CGI | ✅ Supported |
| FPM | 🔜 Coming in future releases |
| FCGI | 🔜 Coming in future releases |
:::tip Warning
Website Isolation currently supports LSAPI and CGI handlers only. FPM and FCGI support is planned for future releases.
:::
| Control Panel | Status |
|---|---|
| cPanel | ✅ Supported |
| Plesk | 🔜 Coming in future releases |
| DirectAdmin | 🔜 Coming in future releases |
| Integration Scripts* | ✅ Supported |
Follow these steps to enable Website Isolation for a domain:

1. Enable the feature server-wide (administrator only, one-time setup):

   ```
   cagefsctl --site-isolation-allow
   ```

2. Enable isolation for a specific domain:

   ```
   cagefsctl --site-isolation-enable example.com
   ```

3. Verify isolation is active:

   ```
   cagefsctl --site-isolation-list
   ```

To disable isolation for a domain:

```
cagefsctl --site-isolation-disable example.com
```
cagefsctl --site-isolation-allow
Enables the Website Isolation feature server-wide. This must be executed by the server administrator before individual domains can be isolated.
Example:
```
# cagefsctl --site-isolation-allow
Website isolation was enabled server-wide.
```
Notes:
- Creates the feature flag at /opt/cloudlinux/flags/enabled-flags.d/website-isolation.flag
- Triggers a CageFS remount to apply necessary mount configurations
- Must be run with root privileges
cagefsctl --site-isolation-deny
Disables the Website Isolation feature server-wide and removes all domain isolation configurations.
Example:
```
# cagefsctl --site-isolation-deny
Website isolation was disabled server-wide.
```
Warning: This command will:
- Disable isolation for all currently isolated domains
- Remove all per-user isolation configurations
- Terminate and restart affected PHP processes
- Clean up token directories and overlay storage
cagefsctl --site-isolation-enable <domain> [<domain2> ...]
Enables Website Isolation for one or more specified domains.
Parameters:
| Parameter | Description |
|---|---|
| `<domain>` | Domain name to isolate (e.g., example.com) |
Example:
```
# cagefsctl --site-isolation-enable example.com
Website isolation was enabled for domain(s),
<example.com>
# cagefsctl --site-isolation-enable site1.com site2.com
Website isolation was enabled for domain(s),
site1.com,site2.com
```
Requirements:
- Website Isolation must be enabled server-wide first
- The domain must exist and be associated with a valid user account
- Must be run with root privileges
:::tip Note
Currently, this command requires root execution. Future releases may allow end users to enable isolation for their own domains.
:::
What happens when isolation is enabled:
- A unique website token directory is created
- Overlay storage directory is configured for the website
- User configuration is updated with the isolated domain
- If this is the first isolated website for the user, CageFS is remounted
- Existing PHP processes for the domain are terminated and restarted in isolation
cagefsctl --site-isolation-disable <domain> [<domain2> ...]
Disables Website Isolation for one or more specified domains.
Parameters:
| Parameter | Description |
|---|---|
| `<domain>` | Domain name to remove from isolation |
Example:
```
# cagefsctl --site-isolation-disable example.com
Website isolation was disabled for domain(s),
<example.com>
```
Requirements:
- Must be run with root privileges
:::tip Note
Currently, this command requires root execution. Future releases may allow end users to disable isolation for their own domains.
:::
What happens when isolation is disabled:
- Domain is removed from the user's isolation configuration
- Mount configuration is regenerated
- PHP processes for the domain are restarted outside of isolation
- Token directories are cleaned up
cagefsctl --site-isolation-list [<username> ...]
Lists all users and domains that have Website Isolation enabled.
Parameters:
| Parameter | Description |
|---|---|
| `<username>` | (Optional) Filter results by specific user(s) |
Example - List all isolated domains:
```
# cagefsctl --site-isolation-list
Domains with enabled website isolation for user john:
example.com
mysite.org
Domains with enabled website isolation for user jane:
shop.example.com
```
Example - List isolated domains for specific user:
```
# cagefsctl --site-isolation-list john
Domains with enabled website isolation for user john:
example.com
mysite.org
```
Output when no domains are isolated:
```
# cagefsctl --site-isolation-list
No users with enabled Website isolation
```
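
The list output shown above can be compared against the domains you expect to be isolated, so that a site left outside isolation is noticed. This is an added example, not CloudLinux code; it assumes the output format in the examples on this page, and the function names `parse_isolation_list` and `unisolated_domains` and the domain `blog.example.com` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: audit which domains are actually isolated.
# Assumes the --site-isolation-list output format shown on this page.

# Constructed sample, copied from the example output above. On a real
# server, feed the functions from: cagefsctl --site-isolation-list
SAMPLE_LIST='Domains with enabled website isolation for user john:
example.com
mysite.org
Domains with enabled website isolation for user jane:
shop.example.com'

# Read list output on stdin and print one "user domain" pair per line.
# The "No users ..." message yields no pairs at all.
parse_isolation_list() {
    awk '
        /^No users with enabled Website isolation/ { exit }
        /^Domains with enabled website isolation for user / {
            user = $NF; sub(/:$/, "", user); next
        }
        # A domain line is a single field; leading whitespace is ignored.
        NF == 1 && user != "" { print user, $1 }
    '
}

# Print each expected domain (arguments) that is absent from the
# list output supplied on stdin. Matching is exact, whole-line.
unisolated_domains() {
    local isolated d
    isolated=$(parse_isolation_list | awk '{ print $2 }')
    for d in "$@"; do
        printf '%s\n' "$isolated" | grep -qxF -- "$d" || printf '%s\n' "$d"
    done
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LIST" | parse_isolation_list
printf '%s\n' "$SAMPLE_LIST" | unisolated_domains example.com blog.example.com
```

Any domain printed by `unisolated_domains` is one to enable with `cagefsctl --site-isolation-enable`.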
cagefsctl --site-isolation-regenerate <username> [<username2> ...]
Regenerates the Website Isolation configuration for specified users. Use this command after manual configuration changes or when troubleshooting isolation issues.
Parameters:
| Parameter | Description |
|---|---|
| `<username>` | Username(s) to regenerate configuration for |
Example:
```
# cagefsctl --site-isolation-regenerate john jane
Regenerated configuration website isolation for users:
john
jane
```
When to use:
- After domain document root changes
- After domain renames or migrations
- When isolation configuration appears out of sync
- As part of troubleshooting steps recommended by support
"Website isolation is not enabled server-wide"
```
# Solution: Enable server-wide first
cagefsctl --site-isolation-allow
```
"Please specify existing domain name and try again"
- Verify the domain exists in the control panel
- Check that the domain is associated with a valid user account
Website Isolation integrates automatically with supported control panels. When domains are:
- Created: No automatic action (isolation must be explicitly enabled)
- Renamed: Isolation configuration is automatically updated
- Deleted: Isolation configuration is automatically cleaned up
- Document root changed: Configuration is regenerated via hooks