From: David Mehler
Date: Thu, 6 Jun 2019 00:41:18 -0400
Subject: Re: to jail or not to jail
To: Julien Cigar
Cc: freebsd-questions
In-Reply-To: <20190603101917.GA76784@home.lan>

Hello,

Thanks for your suggestions. That's way over my head. I don't have zfs
going on this setup. I do have a /16 ipv6 host-address. So what I am
needing help with, and I'm sure these are beginner questions:

1. How do I divide the /64 ipv6 address so that each jail can have an
   ipv6 address as well as an ipv4 address?
2. I'm needing each jail to log to the host machine. I'm wanting to do
   this because I've got fail2ban going on the host and want to ban
   addresses that are hitting on the jails.

Thanks.
Dave.

On 6/3/19, Julien Cigar wrote:
> On Sat, Jun 01, 2019 at 08:30:31PM -0400, David Mehler wrote:
>> Hello,
>
> Hello,
>
>> I've got a newly installed FreeBSD 12 vps. It's going to be running a
>> web server/php hosting multiple sites, with letsencrypt tls
>> certificates for each. It's also going to be running an email server,
>> postfix, dovecot, rspamd, mysql database backend, again with the same
>> letsencrypt tls certificates. Previously I've had all this on one
>> host.
>>
>> What I'm wondering is if I should jail off these services. I've got a
>> zfs setup, still trying to wrap my head around that, and am wondering
>> should I run the database in one jail, the webserver/php in another
>> jail, and the email server in a third jail? If I do this how would I
>> get the tls certificates into each jail? I'm looking for the maximum
>> automation.
>
> I would highly suggest to jail everything, not only for the added
> security, but also for maintainability.
>
> Suggestion:
> - Script everything with some CMS (I highly recommend SaltStack)
> - Use ZFS (and clones) and two datasets per jail: one for the things you
>   deploy with your CMS and one for the "data" (= things generated by
>   the installed applications within the jail), with some nullfs mounts
>   from the HOST into the jails. It will facilitate the updates a lot.
>   At the end the goal is to be able to zfs destroy tank/jails/your_jail
>   and re-create it from scratch with one command.
> - With VIMAGE, tagged VLANs, some orchestration tool (SaltStack), and
>   ZFS snapshots send/receive you can achieve nearly real-time
>   migration.
> - Use HAProxy and SNI, and manage certs from there. At work we have an
>   orchestration script which 1) generates Let's Encrypt certificates in
>   some jail (certbot.lan) and, if it succeeds, 2) rsyncs them to the
>   HAProxy nodes
>
> Julien
>
>> Thanks.
>> Dave.
>
> --
> Julien Cigar
> Belgian Biodiversity Platform (http://www.biodiversity.be)
> PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0
> No trees were killed in the creation of this message.
> However, many electrons were terribly inconvenienced.
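An added example, not code from either poster, that ties Dave's two questions to Julien's two-dataset layout: it emits jail.conf stanzas with one IPv4 and one IPv6 address per jail carved from a /64, nullfs-mounts a host-side "data" dataset into each jail, and builds the host syslogd flags that collect jail logs where fail2ban can read them. The interface, prefixes, dataset mountpoints and hostnames are assumptions; the script only prints configuration text and never calls zfs or jail.

```shell
#!/bin/sh
# Added example, not from the thread. Emits jail.conf stanzas that give each
# jail one IPv4 and one IPv6 address carved from the host's /64, nullfs-mount
# a separate "data" dataset from the host (Julien's two-dataset layout), and
# build the host syslogd flags that collect the jails' logs for fail2ban.
# Interface, prefixes, dataset paths and hostnames below are assumptions.
IFACE="vtnet0"              # host interface carrying the aliases
V4_NET="203.0.113"          # IPv4 network the jail aliases come from
V6_PREFIX="2001:db8:1:2"    # the host's /64 prefix
JAILROOT="/jails"           # mountpoint of each jail's "deploy" dataset
DATAROOT="/tank/jaildata"   # mountpoint of each jail's "data" dataset

# jail_stanza NAME INDEX: one jail.conf block; INDEX becomes the last IPv4
# octet and the last IPv6 group, so the two addresses are easy to match up.
jail_stanza() {
    name=$1; idx=$2
    cat <<EOF
$name {
    path = "$JAILROOT/$name";
    host.hostname = "$name.example.org";
    # /32 alias so it does not clash with the host's own IPv4 address
    ip4.addr = "$IFACE|$V4_NET.$idx/32";
    ip6.addr = "$IFACE|$V6_PREFIX::$idx/64";
    # application data stays on the host; destroying $JAILROOT/$name keeps it
    mount += "$DATAROOT/$name $JAILROOT/$name/data nullfs rw 0 0";
    mount.devfs;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
EOF
}

# syslogd_flags_line NAME...: rc.conf line for the host. -ss keeps syslogd off
# the network; each -l adds a log socket inside a jail root, so jailed daemons
# log straight to the host (run no syslogd in the jails) where fail2ban reads.
syslogd_flags_line() {
    flags="-ss"
    for j in "$@"; do flags="$flags -l $JAILROOT/$j/var/run/log"; done
    printf 'syslogd_flags="%s"\n' "$flags"
}

# Dave's three jails: web, mail, database.
i=10
for j in www mail db; do
    i=$((i + 1))
    jail_stanza "$j" "$i"
done
syslogd_flags_line www mail db
```

The nullfs target directory `/jails/<name>/data` must exist inside the jail root before the jail starts, and the `-l` socket path must exist as a directory (`var/run`) in each jail.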