Date: Tue, 12 Aug 2014 11:30:58 +0100
From: Norman Khine <norman@khine.net>
To: Fbsd8 <fbsd8@a1poweruser.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: correctly configuring PF with jailed environments
Message-ID: <CAKgQ7UJ_6YK7aqgvagHBY9FeaQ-QAz_9WyH8eUF_WNHZWLgxtw@mail.gmail.com>
In-Reply-To: <53E75F57.5040907@a1poweruser.com>
References: <CAKgQ7UK%2BCA7fp9vkV=4t5t814PwjQeTDyDhQF_FJOU2zO-=7aw@mail.gmail.com> <53E75F57.5040907@a1poweruser.com>

i am using nginx and here is the nginx.conf file
https://gist.github.com/nkhine/f620f8bdc0fb613b7b59

i am sharing the node application static files using nullfs as:

# cat etc/fstab.www
/usr/jails/basejail /usr/jails/www/basejail nullfs ro 0 0
/usr/jails/app/home/app/node-blade-boiler-template/public /usr/jails/www/var/www nullfs ro 0 0

and then in my nginx.conf i have
https://gist.github.com/nkhine/f620f8bdc0fb613b7b59#file-gistfile1-txt-L122
i have set /var/www as the root for static files. this works

the strange thing is that if you click twice on a link it loads quickly,
but if you click only one time, it just takes time for the page to load.

so i think the issue is with nginx and the proxy

On Sun, Aug 10, 2014 at 1:02 PM, Fbsd8 <fbsd8@a1poweruser.com> wrote:

> Norman Khine wrote:
>
>> hello, i have a web application running 3 jail environments one for Nginx
>> Web server, one for MongoDB/Redis and one for my Node.js application
>>
>> this is my current pf.conf file
>>
>> https://gist.github.com/nkhine/d03ea23a749c47bcc4d0
>>
>> this works, as there is no access to my node app nor any of the dbs from
>> public interfaces.
>>
>> the rules come out as
>>
>> # pfctl -s rules
>> scrub out log on igb0 all random-id min-ttl 15 set-tos 0x1c fragment
>> reassemble
>> scrub in log on igb0 all min-ttl 15 fragment reassemble
>> scrub in all fragment reassemble
>>
>> i find that on my webserver i get timeouts and the html application does
>> not
>>
>> load up quickly!
>>
>> also, are there any improvements i can make to this as to ensure a more
>> secure environment?
>>
>> any advice much appreciated
>>
>>
> I do not see this as a jail or pf problem.
> Look at commenting out any mod_* from the httpd.conf file that the html
> application does not use. Check that the 3 apache jails are not using the
> same service port (80). Do not use the apache default directory location
> for holding your html application files. Disable the pf firewall in rc.conf
> and test if this speeds up apache.
>
>

-- 
%>>> "".join( [ {'*':'@','^':'.'}.get(c,None) or chr(97+(ord(c)-83)%26) for c in ",adym,*)&uzq^zqf" ] )