I have 3 different PHP applications (maybe more in the future) I’d like to run on my account, each for a different service (all low-volume stuff for just me or a few friends). I want to keep these applications siloed from each other, so a security breach of one won’t compromise all the data from another (2 of them are applications under active development by a very small team, so I’m not at all confident that they’re bulletproof, security-wise). The easiest solution is to create a different user for each application and turn on Enhanced Security for each user. Once I do that, though, PHP applications won’t work, so I can either turn off Enhanced Security or create a new sub-domain for each user/service. Turning off Enhanced Security is apparently a short-term solution that will be disabled soon, so I don’t think I can consider that a good, long-term option (and even if it wasn’t going away, I need to be really careful about permissions, so it’s a complicated option that will probably require a good deal of long-term maintenance).
Giving each service its own user account and subdomain works really well for siloing, but now I’d like to add SSL to the services. To turn on SSL, though, I need a separate IP address and SSL certificate for each domain, which runs about $45-60/year, per domain. So for 3 services, 2 of which I can get by with a self-signed cert, I’m looking at $150/year on top of my current (shared hosting) charges. Every additional application I decide to run is another $45 or $60 per year to add SSL.
Is there anything I’m missing, or is the answer just, “SSL + siloed applications = expensive?” Is there some way to silo PHP applications from each other but allow them to run on the same domain (I don’t mind paying once to “turn on” SSL, it’s the paying again for each additional application that stretches my pocketbook)? Or is there some other way of doing things I haven’t thought of? Or is the Enhanced Security wiki page wrong and it’s okay, long-term, to use multiple user accounts and remapped subdirectories to run separate PHP applications under one domain (with the caveat that any compromised account, or other users, can access the rest of my data if they figure out the path to the other remapped subdirectories)?