Date: 03 Jan 2004 13:13:01 -0500
From: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To: "Chris" <bsdnewbie@coolarrow.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Jails for websites
Message-ID: <44ekugj3yq.fsf@be-well.ilk.org>
In-Reply-To: <200401020729330294.07EE5925@coolarrow.com>
References: <200401020729330294.07EE5925@coolarrow.com>

"Chris" <bsdnewbie@coolarrow.com> writes:

> 5.1

Not generally advised for production use, but I'll assume you've read
the release notes and so forth, and have reasons for using it.

> I have a server with 5 public IP addresses, so I'm thinking I'll set
> it up with one IP for the server (as a host) and the other 4
> assigned to 4 jails. The jails are for websites...
>
> From a security standpoint, wouldn't it be better to run four
> instances of ftpd (one in each jail), as opposed to one instance on
> the host server?

Typically, yes. There may be situations where that's not the case.
If you can use something more secure than FTP, you'll probably be
safer, but that may not be a selling point for your customers.

> And from a security standpoint, should I run apache from the host
> server, where I can configure mod_security the way I want, or just
> run individual apaches inside each jail and let the website owners
> configure it the way they want?

If you take the former option, the jails aren't gaining you as much as
in the latter option. Again, though, it'll mostly come down to the
deal between you and your customers.

> I like the idea of running things inside the jail, and recognize
> that if the webmaster of the site configures it wrong, it's their
> problem not mine, but is the jail secure enough to allow them that
> much access?

Unless you configure it wrong. :-)
Note that as the "owner" of the IP addresses, you will still have to
deal with some complaints.

> I have heard of hosting sites selling "virtual dedicated servers" by
> giving someone root access to a jail, so I'm thinking jails are
> fairly secure. Anyone with experience in this that can give me
> advice?

I don't have that sort of experience, but I know I've seen postings on
this topic on this and other FreeBSD mailing lists.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area:
	resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
	username/password "public"