Skip to content

Setting Up Web Isolation with Laravel Forge: A Complete Guide

If you're managing multiple applications on a single server, web isolation is a critical security feature you need to understand. In this tutorial, I'll walk you through setting up a web server with Laravel Forge, deploying a simple application, and implementing web isolation to keep your applications secure.

What You'll Learn

  • Creating a new server in Laravel Forge

  • Deploying a Laravel application

  • Setting up web isolation for enhanced security

  • Configuring the Laravel scheduler

  • Navigating your server via the Forge terminal

Creating Your Server

Let's start by creating a new server in Forge. I'll name mine "web host one" and select the Laravel PHP stack. For this tutorial, I'm using PHP 8.2.

Once you configure your server settings, click "Create Server." You'll immediately see a screen with your Forge credentials—make sure to save these in a secure location as you'll need them later.

What Forge Sets Up Automatically

While your server is being provisioned, Forge is busy installing everything you need for a production-ready Laravel application:

  • Ubuntu as the operating system

  • Nginx as the web server

  • PHP and all necessary libraries

  • Supervisor for process management

  • Firewall with sensible default rules

Once setup is complete, you can explore all these configurations in the Forge dashboard. Under the "Processes" tab, you'll find any running processes. The "Schedule" tab shows that Forge has already set up two scheduled tasks: one to update Composer and another to remove unused packages.

The PHP settings section is particularly useful—you can install or remove PHP versions with just a few clicks. Simply select the version you want and click "Install."

Understanding Forge's Built-in Features

The Observe section lets you monitor your server's health, view logs, and track activities. In the Settings tab, you can customize your server name, time zone, add notes, manage SSH keys, transfer ownership, or even delete the server if needed.

Under Network settings, you'll see that Forge has configured three default firewall rules: SSH connection, HTTP, and HTTPS. These give your server a secure baseline configuration right out of the box.

Deploying Your Application

Now for the fun part—let's deploy an application!

Click "New Site" and select Laravel as your project type. I'm using a test project for this demonstration. Here are my settings:

  • Repository: My test Laravel project

  • Forge Domain: web-server-one

  • Database: Not creating one for this demo

  • Composer Dependencies: Enabled

In the Advanced Settings, I'm disabling zero-downtime deployments and push-to-deploy for now.

Setting Up Web Isolation (Critical!)

Here's where web isolation comes in—this is a crucial security feature. When you enable web isolation, Forge creates a separate PHP-FPM pool for your application with its own dedicated user.

Why is this important? If one application on your server gets compromised, web isolation prevents that breach from affecting your other applications. Each application runs under its own user, creating a security boundary.

For the username, I use the application name to keep things consistent. Pro tip: Use the same naming convention across all your web servers for easier management.

After saving these settings, click "Create Site." Forge will now:

  1. Configure Nginx

  2. Clone your repository

  3. Copy your environment file

  4. Install dependencies

Once the site is created, I typically click "Deploy" to run a full deployment. This ensures Composer dependencies are installed, NPM packages are built, and the deployment script runs properly.

Testing Your Application

Let's visit the site to ensure everything works properly. Perfect! The application is running. In my test app, I can upload images and view scheduler logs.

Enabling the Laravel Scheduler

Since Forge detected this is a Laravel application, setting up the scheduler is incredibly simple:

  1. Go to the Schedule tab

  2. Click "Scheduler"

  3. Confirm you want to create it

  4. Click "Start Laravel Scheduler"

That's it! The scheduler is now running and will execute your scheduled tasks.

Exploring Your Server via Terminal

One of Forge's convenient features is terminal access directly from the console. Click the three dots menu and select "Launch Terminal."

Let me show you what web isolation looks like under the hood:

# View your applications
cd /home
ls

You'll see the Forge default user and the forgeapp user we created for web isolation.

If you navigate to the PHP-FPM configuration directory, you'll find separate configuration files:

cd /etc/php/8.2/fpm/pool.d
ls

You'll see:

  • www.conf - for the default Forge user

  • forgeapp.conf - for your isolated application

Opening the forgeapp.conf file shows the pool name, user, user group, and most importantly, the dedicated socket for this specific application.

Why Web Isolation Matters

Imagine you have a single server running:

  • A WordPress site

  • A Moodle instance

  • Your Laravel application

Without web isolation, if WordPress gets compromised through a plugin vulnerability, the attacker could potentially access your Laravel application or Moodle instance.

With web isolation enabled, each application runs under its own user with its own PHP-FPM pool. A compromise in one application stays contained to that application—your other services remain secure.

Key Takeaways

Setting up web isolation in Laravel Forge is straightforward and provides significant security benefits:

  1. Always enable web isolation when hosting multiple applications on the same server

  2. Use consistent naming conventions for your isolated users across servers

  3. Leverage Forge's automation for tasks like scheduler setup and deployments

  4. Each isolated application gets its own PHP-FPM pool, preventing cross-application compromises

Laravel Forge makes what used to be a complex server configuration process incredibly simple, while still giving you the security features you need for production applications.

Next Steps

Now that you understand web isolation, consider:

  • Setting up SSL certificates for your applications

  • Configuring automated backups

  • Adding monitoring and alerts

  • Creating additional sites with web isolation enabled

Want to see this process in action? Check out the full video tutorial on my channel! https://www.youtube.com/watch?v=MYgneIEg_LE

Published on October 2nd, 2025