Date: Tue, 13 Oct 2009 11:37:45 -0400
From: APseudoUtopia <apseudoutopia@gmail.com>
To: Dino Vliet <dino_vliet@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: freebsd jail: web and database server config questions
Message-ID: <27ade5280910130837t29e9e6e9ibc0e32ffbee0eef3@mail.gmail.com>
In-Reply-To: <815964.80537.qm@web51104.mail.re2.yahoo.com>
References: <815964.80537.qm@web51104.mail.re2.yahoo.com>
On Tue, Oct 13, 2009 at 9:51 AM, Dino Vliet <dino_vliet@yahoo.com> wrote:
>
> Dear FreeBSD people,
>
> To consolidate on resources I have configured a machine to run both a web and database server (powering my database-driven website).
>
> Due to security concerns I'm contemplating introducing a jailed environment on this machine and want to know if this would be feasible. I have a few questions for the FreeBSD community regarding this approach and hope someone would give me some advice.
>
> Is it advisable/wise/okay/clever to run a webserver on my host system and a database server on my jailed system? The webserver will need to connect to the database system on startup and update the database based on client access.

I would recommend either doing it the other way around (webserver inside the jail) or having both web and db inside separate jails.

> However, if a machine gets compromised, it would rather be the webserver; therefore running the webserver in the jailed environment seems better to me. But how could that be done, if the webserver needs to connect through tcp/ip to the database server running on the host system? I thought that a key feature of a jailed system is that it can't access resources outside the jail.

It *may* be possible to set your database software to listen on a unix socket inside the jail dir on the host. For example, if your webserver jail is in /usr/jails/httpd/ on the host, you may be able to have your database listen on a unix socket in, say, /usr/jails/httpd/tmp/. Inside the jail, you can point your web app to use the socket inside /tmp/. I'm not sure if this is possible as I never actually implemented it with my setup, but you can try.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?27ade5280910130837t29e9e6e9ibc0e32ffbee0eef3>
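The socket-in-the-jail-root arrangement suggested in the reply above, as an added example that is not part of the original thread: a stand-in "database" on the host binds a unix-domain socket at a path under the jail's root directory, and a client that sees the jail directory as its root reaches the same socket as /tmp/db.sock. No jail is created; the jail root is a scratch directory and the chroot is modelled by a host_path() translation, so the script runs unprivileged. The paths (/usr/jails/httpd, /tmp/db.sock), the echo "database" and the 0660 socket mode are assumptions chosen for illustration, not anything from the original post.

```python
"""Unix socket shared between host and jail: the host binds the socket at
<jail root>/tmp/db.sock, the jailed client opens /tmp/db.sock.

Added example, not from the original thread. Jail root is a temp dir and
the chroot is simulated by path translation, so this runs without root.
"""
import os
import socket
import stat
import tempfile
import threading

SOCKET_IN_JAIL = "/tmp/db.sock"   # assumed path the web app inside the jail uses


def host_path(jail_root, jail_path):
    """Translate a path as seen from inside the jail to the host-side path
    (what the jail's chroot does for a real jail: /tmp/db.sock in the jail
    is <jail_root>/tmp/db.sock on the host)."""
    return os.path.join(jail_root, jail_path.lstrip("/"))


def start_db_server(sock_path):
    """Bind a unix-domain listener at sock_path (host view) and answer each
    connection with b'ok:' + request. The socket file is chmod'ed to 0660 so
    that only its owner and group may connect; note that some kernels ignore
    the socket file's own mode, so the containing directory's mode is the
    portable access control and should be checked as well."""
    os.makedirs(os.path.dirname(sock_path), exist_ok=True)
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o660)
    srv.settimeout(0.2)          # lets the accept loop notice the stop flag
    srv.listen(4)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                data = conn.recv(4096)
                conn.sendall(b"ok:" + data)

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv, stop, t


def jailed_client_query(jail_root, query):
    """What the web app does from inside the jail: connect to /tmp/db.sock as
    the jail sees it. host_path() stands in for the real chroot."""
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    c.connect(host_path(jail_root, SOCKET_IN_JAIL))
    c.sendall(query)
    reply = c.recv(4096)
    c.close()
    return reply


def socket_mode(sock_path):
    """Permission bits of the socket file, the check to run before relying
    on filesystem permissions to keep other jail users off the socket."""
    return stat.S_IMODE(os.stat(sock_path).st_mode)


def demo():
    """Run server and jailed client against a scratch jail root and report
    the reply, the socket mode and the host-side socket path."""
    with tempfile.TemporaryDirectory() as jail_root:
        sock = host_path(jail_root, SOCKET_IN_JAIL)
        srv, stop, t = start_db_server(sock)
        try:
            reply = jailed_client_query(jail_root, b"SELECT 1")
            mode = socket_mode(sock)
        finally:
            stop.set()
            srv.close()
            t.join(timeout=2)
        return {"reply": reply, "mode": mode, "host_socket": sock}


if __name__ == "__main__":
    print(demo())
```

On a real system the equivalent is pointing the database's socket setting at /usr/jails/httpd/tmp/db.sock and the web app's at /tmp/db.sock. Two caveats when doing it for real: sun_path is limited to about a hundred bytes (104 on FreeBSD), so a deeply nested jail directory can push the host-side path over the limit, and /tmp inside the jail is world-writable, so any process in the jail could remove and replace the socket file; a dedicated directory owned by the database user and readable only by the group the web server runs as is the safer choice.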