Date: Sun, 02 Jun 2019 07:20:35 +0000
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: "David Mehler" <dave.mehler@gmail.com>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: to jail or not to jail
Message-ID: <47ac2c3b-d6c5-457e-8874-47590a22c6b7@www.fastmail.com>
In-Reply-To: <CAPORhP4pbfCC96PXOeErJgswX_2dh+mXcBb1TrH6F0f5oN-wDw@mail.gmail.com>
References: <CAPORhP4pbfCC96PXOeErJgswX_2dh+mXcBb1TrH6F0f5oN-wDw@mail.gmail.com>
On Sun, 2 Jun 2019, at 00:34, David Mehler wrote:
> Hello,
>
> I've got a newly installed FreeBSD 12 VPS. It's going to be running a
> web server/PHP hosting multiple sites, with Let's Encrypt TLS
> certificates for each. It's also going to be running an email server:
> Postfix, Dovecot, rspamd, MySQL database backend, again with the same
> Let's Encrypt TLS certificates. Previously I've had all this on one
> host.
>
> What I'm wondering is if I should jail off these services. I've got a
> ZFS setup, still trying to wrap my head around that, and am wondering
> should I run the database in one jail, the webserver/PHP in another
> jail, and the email server in a third jail? If I do this, how would I
> get the TLS certificates into each jail? I'm looking for the maximum
> automation.

My approach has been to jail all the things, and run haproxy & do TLS stripping within that. I then redirect traffic into the appropriate app jail based on either HTTP host headers (HTTPS only) or SNI fields (generic TLS-wrapped TCP services).

This gives me one place to open to the internet, with very nice logging and internal stats, and only 1 place to update TLS certificates with Let's Encrypt.

I also look after a few more complicated setups, where we use wildcard ACME-generated certs (DNS-01 auth) and Ansible fiddles with the DNS, then propagates the new certificates to all the cluster nodes that need it. IMO this is the nicest of all the setups, but it is somewhat more complicated.

A+
Dave
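As an added illustration of the layout Dave describes (this is editor-supplied example configuration, not Dave's own config or anything from the FreeBSD project), here is a haproxy.conf for a proxy jail that is the only thing bound to the public address. It terminates TLS with the Let's Encrypt certificates, routes HTTPS by Host header and IMAPS by SNI into separate app jails, and hands the ACME HTTP-01 challenge path to a small responder so renewals never touch the app jails. Everything concrete in it is an assumption for the example: the hostnames example.org / mail.example.org, the jail addresses on an internal 10.0.0.0/24 bridge, the certificate directory /usr/local/etc/ssl/haproxy/ (one PEM per name, full chain followed by private key, which is what haproxy's crt directive expects), and an ACME responder listening on 127.0.0.1:8402.

```haproxy
# Example haproxy.conf for a single "edge" jail in front of app jails.
# Editor-supplied example; all addresses, names and paths are assumptions.

global
    log /var/run/log local0          # FreeBSD syslogd socket
    user www
    group www
    # Refuse pre-1.2 TLS on every "bind ... ssl" line below.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: serve only the ACME challenge, redirect everything else.
frontend http_in
    bind :80
    mode http
    option httplog
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_responder if is_acme
    http-request redirect scheme https code 301 unless is_acme

# HTTPS: TLS ends here. One PEM per hostname in the directory; haproxy
# picks the certificate by SNI automatically.
frontend https_in
    bind :443 ssl crt /usr/local/etc/ssl/haproxy/ alpn h2,http/1.1
    mode http
    option httplog
    option forwardfor                    # app jail sees X-Forwarded-For
    http-request set-header X-Forwarded-Proto https
    acl host_www  req.hdr(host) -i example.org www.example.org
    acl host_mail req.hdr(host) -i mail.example.org
    use_backend web_jail     if host_www
    use_backend webmail_jail if host_mail
    default_backend web_jail

# IMAPS: TLS is terminated here too, so the Dovecot jail needs no
# certificate at all. Routing decision is made on the SNI the client sent.
frontend imaps_in
    bind :993 ssl crt /usr/local/etc/ssl/haproxy/
    mode tcp
    option tcplog
    use_backend imap_jail if { ssl_fc_sni -i mail.example.org }
    default_backend imap_jail

backend web_jail
    mode http
    server web 10.0.0.10:80 check        # assumed: nginx/PHP jail

backend webmail_jail
    mode http
    server webmail 10.0.0.11:80 check    # assumed: webmail jail

backend imap_jail
    mode tcp
    # send-proxy hands Dovecot the real client address via PROXY protocol,
    # so its logging and auth rate limiting see the client, not the proxy.
    server imap 10.0.0.20:143 check send-proxy

backend acme_responder
    mode http
    server acme 127.0.0.1:8402 check     # assumed: ACME HTTP-01 responder
```

Two caveats worth checking before copying this. The plaintext hop from the proxy to 10.0.0.20:143 is only acceptable if that bridge is host-internal and not routable from the VPS's public interface; it is the same trust boundary as running everything on one host. And because of send-proxy, the Dovecot listener must be told to expect the PROXY protocol (Dovecot's inet_listener haproxy = yes together with haproxy_trusted_networks set to the proxy jail's address); without that, Dovecot will reject the connection as garbage. The HTTPS Host-header rule only works because TLS has already been terminated; for a service that must keep end-to-end TLS into the jail, switch that frontend to mode tcp without ssl on the bind line, use tcp-request inspect-delay with req.ssl_sni instead of ssl_fc_sni, and accept that the jail then needs its own copy of the certificate, which is exactly the multi-node distribution problem Dave's Ansible setup solves.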
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47ac2c3b-d6c5-457e-8874-47590a22c6b7>