From: Albert Shih
To: APseudoUtopia
Cc: freebsd-questions@freebsd.org
Date: Thu, 27 Aug 2009 21:51:45 +0200
Subject: Re: Information on Setting up a Jailed Webserver

On 26/08/2009 at 22:59:34-0400, APseudoUtopia wrote:
> Hello,
>
> I have a small site which runs PostgreSQL, Nginx, and PHP. I'm looking
> into running nginx inside a jailed host on my server for security
> reasons (e.g., if there is a hole in a php script).
>
> The website root is actually a working copy of my subversion
> repository. I have svnserve running through OpenVPN. My plan would be
> to have svnserve and OpenVPN running on the "main" system, and
> nginx/php running inside a jail.
>
> I was wondering if it would be somehow possible to run a command on
> the main system that updates the svn working copy inside the jail for
> nginx to serve. Would I need to do the "svn up" over tcp/ip from the
> jail to the main system? Or can I somehow update it via
> file://path/to/main/repo? I've never used or set up a jail before, so

IMHO that's a bad idea. Someday you may want to put your website on
another machine, or maybe you want to have two servers to duplicate your
website (just need rsync).

If you want to update your svn repository, you can put something like
this in the hook scripts on your subversion server:

    wget http://your_website/some_where/update_repo > /dev/null

and on your web server (jail or not) you create some script update_repo
with:

    cd /your_web_site_dir
    svn up

You can add some deny in your apache conf to authorize only your svn
server to make the wget.

> Also, how memory-intensive is a jail? I'm willing to run postgresql in

If you have only 32 MB you can have some problems ;-)

I run almost ~20 jail servers on one physical server without any problem.

Regards.

-- 
Albert SHIH
SIO batiment 15
Observatoire de Paris Meudon
5 Place Jules Janssen
92195 Meudon Cedex
Telephone: 01 45 07 76 26/06 86 69 95 71
Local time: Thu 27 Aug 2009 21:44:15 CEST
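
One way to write the update_repo script described in the reply above, as an added example that is not part of the original message: a shell CGI script that re-checks the caller's address in addition to the web server's deny rule and serializes overlapping updates. The address 192.0.2.10, the lock path, and the function and variable names are assumptions made for illustration.

```shell
#!/bin/sh
# update_repo: CGI endpoint requested by the Subversion post-commit hook.
# Assumed values, constructed for this example:
ALLOWED_ADDR="${ALLOWED_ADDR:-192.0.2.10}"   # address of the svn server
WEB_ROOT="${WEB_ROOT:-/your_web_site_dir}"   # working copy the web server serves
SVN_CMD="${SVN_CMD:-svn}"                    # overridable so the logic can be tested
# Lock path inside a directory that only the web server user can write to.
LOCK_DIR="${LOCK_DIR:-/var/run/update_repo/lock}"

# Succeeds only on an exact match with the svn server's address.
is_allowed_client() {
    [ -n "$1" ] && [ "$1" = "$ALLOWED_ADDR" ]
}

# Runs "svn up" under a lock. mkdir is atomic, so overlapping hook calls
# cannot run two updates in the same working copy. A lock left behind by a
# killed run has to be removed by hand.
update_working_copy() {
    mkdir "$LOCK_DIR" 2>/dev/null || return 75
    up_rc=0
    ( cd "$WEB_ROOT" && "$SVN_CMD" up --non-interactive >/dev/null 2>&1 ) || up_rc=$?
    rmdir "$LOCK_DIR"
    return "$up_rc"
}

# Maps a client address to an HTTP status line. Nothing from the request
# (query string, headers, body) reaches the command line.
handle_request() {
    if ! is_allowed_client "$1"; then
        echo "403 Forbidden"
        return 0
    fi
    rc=0
    update_working_copy || rc=$?
    case $rc in
        0)  echo "200 OK" ;;
        75) echo "409 Conflict" ;;
        *)  echo "500 Internal Server Error" ;;
    esac
}

# Act only when started by a CGI-capable web server, which sets these variables.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    status=$(handle_request "${REMOTE_ADDR:-}")
    printf 'Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n' "$status" "$status"
fi
```

When the web server sits behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the address restriction has to be enforced at the proxy instead.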