Date: Tue, 13 Oct 2009 16:44:47 +0100 From: krad <kraduk@googlemail.com> To: APseudoUtopia <apseudoutopia@gmail.com> Cc: Dino Vliet <dino_vliet@yahoo.com>, freebsd-questions@freebsd.org Subject: Re: freebsd jail: web and database server config questions Message-ID: <d36406630910130844k76d30f38m8320c23d249936fb@mail.gmail.com> In-Reply-To: <27ade5280910130837t29e9e6e9ibc0e32ffbee0eef3@mail.gmail.com> References: <815964.80537.qm@web51104.mail.re2.yahoo.com> <27ade5280910130837t29e9e6e9ibc0e32ffbee0eef3@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
2009/10/13 APseudoUtopia <apseudoutopia@gmail.com> > On Tue, Oct 13, 2009 at 9:51 AM, Dino Vliet <dino_vliet@yahoo.com> wrote: > > > > Dear Freebsd people, > > > > To consolditae on resources I have configured a machine to run both a web > and database server (powering my database driven website). > > > > Due to security concerns I'm contemplating on introducing a jailed > environment on this machine and want to know if this would be feasible. I > have a few questions for the freebsd community regarding this approach and > hope someone would give me some advice. > > > > Is it advisable/wise/okay/clever to run a webserver on my host system and > a database server on my jailed system? The webserver will need to connect to > the database system on startup and update the database based on client > access. > > I would recommend either doing it the other way around (webserver > inside the jail) or have both web and db inside separate jails. > > > > > However, if a machine gets compromised, it would rather be the webserver, > therefore running the webserver in the jailed environment seems better to > me. But how could that be done, if the webserver requires to connect through > tcp/ip to the database server running on the host system? I thought that a > key-feature of a jailed system is that it can't access resources outside the > jail. > > > > It *may* be possible to set your database software to listen on a unix > socket inside the jail dir on the host. For example, if your webserver > jail is in /usr/jails/httpd/ on the host, you may be able to have your > database listen on a unix socket in, say, /usr/jails/httpd/tmp/. > Inside the jail, you can point your web app to use the socket inside > /tmp/. I'm not sure if this is possible as I never actually > implemented it with my setup, but you can try. > you can do this but only if the the db is running on the host system. What you are doing then is open a big whole in the security of the system that will potentially let someone attack the host os via apache->mysql. What i have done on some systems is jail the db and apache in separate jails. and have a shared nullfs writable fs between them. Generally I found it better to make the connection go over ip and heavily wrap it. The added advantage of doing it over ip is that it keeps things separate, and it is far easier to migrate one of the jails onto another box in the future if you start running into capacity issues. > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to " > freebsd-questions-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d36406630910130844k76d30f38m8320c23d249936fb>