From owner-freebsd-questions@freebsd.org Mon Jun 3 10:19:34 2019
Date: Mon, 3 Jun 2019 12:19:17 +0200
From: Julien Cigar
To: David Mehler
Cc: freebsd-questions
Subject: Re: to jail or not to jail
Message-ID: <20190603101917.GA76784@home.lan>
User-Agent: Mutt/1.11.4 (2019-03-13)
List-Id: User questions

On Sat, Jun 01, 2019 at 08:30:31PM -0400, David Mehler wrote:
> Hello,

Hello,

>
> I've got a newly installed FreeBSD 12 vps. It's going to be running a
> web server/php hosting multiple sites, with letsencrypt tls
> certificates for each. It's also going to be running an email server,
> postfix, dovecot, rspamd, mysql database backend, again with the same
> letsencrypt tls certificates. Previously I've had all this on one
> host.
>
> What I'm wondering is if I should jail off these services. I've got a
> zfs setup, still trying to wrap my head around that, and am wondering
> should I run the database in one jail, the webserver/php in another
> jail, and the email server in a third jail? If I do this how would I
> get the tls certificates into each jail? I'm looking for the maximum
> automation.
>

I would highly suggest jailing everything, not only for the added
security, but also for maintainability.
Suggestion:

- Script everything with some CMS (I highly recommend SaltStack)

- Use ZFS (and clones) and two datasets per jail: one for the things you
  deploy with your CMS and one for the "data" (= things generated by the
  installed applications within the jail), with some nullfs mounts from
  the HOST into the jails. It will facilitate the updates a lot. At the
  end the goal is to be able to zfs destroy tank/jails/your_jail and
  re-create it from scratch with one command.

- With VIMAGE, tagged VLANs, some orchestration tool (SaltStack), and ZFS
  snapshot send/receive you can achieve nearly real-time migration.

- Use HAProxy and SNI, and manage certs from there. At work we have an
  orchestration script which 1) generates Let's Encrypt certificates in
  some jail (certbot.lan) and, if it succeeds, 2) rsyncs them to the
  HAProxy nodes.

Julien

> Thanks.
> Dave.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0

No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
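The HAProxy-plus-SNI step from the reply above, as an added example that is not code from the post or from Julien's orchestration script: it bundles certbot's per-host output into the one-PEM-per-host layout HAProxy's `crt` directory expects, skips any host whose renewal is incomplete (the "if it succeeds" gate before anything is copied to the HAProxy nodes), and emits a front end that terminates TLS with `strict-sni` and routes each hostname to the jail that serves it. Hostnames, backend names, jail addresses and file contents are constructed; the rsync to the HAProxy nodes is not shown.

```python
import os
import tempfile
from pathlib import Path

def bundle_certs(live_dir: Path, crt_dir: Path) -> list[str]:
    """Join certbot's fullchain.pem + privkey.pem into <host>.pem. Hosts
    missing either file are skipped, so a half-done renewal never ships."""
    ready = []
    for host_dir in sorted(p for p in live_dir.iterdir() if p.is_dir()):
        chain, key = host_dir / "fullchain.pem", host_dir / "privkey.pem"
        if not (chain.is_file() and key.is_file()):
            continue
        out = crt_dir / f"{host_dir.name}.pem"
        # 0600 from creation: the bundle carries the private key
        fd = os.open(out, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(chain.read_text() + key.read_text())
        ready.append(host_dir.name)
    return ready

def haproxy_config(sites: dict, crt_dir: Path, ready: list[str]) -> str:
    """TLS ends at HAProxy; strict-sni means an unknown name gets no
    fallback cert, and ssl_fc_sni picks the jail backend per hostname."""
    front = ["frontend https_in", f"    bind :443 ssl crt {crt_dir} strict-sni",
             "    http-request set-header X-Forwarded-Proto https"]
    back = []
    for host, (backend, addr) in sorted(sites.items()):
        if host not in ready:
            front.append(f"    # {host}: no bundled certificate, not routed")
            continue
        front.append(f"    use_backend {backend} if {{ ssl_fc_sni -i {host} }}")
        back += [f"backend {backend}", f"    server {backend}0 {addr} check"]
    return "\n".join(front + back) + "\n"

def run_demo() -> tuple[list[str], str, int]:
    """Constructed certbot-style tree: www complete, mail missing its key."""
    sites = {"www.example.org": ("web_jail", "10.0.0.11:80"),   # constructed
             "mail.example.org": ("mail_jail", "10.0.0.12:80")}
    root = Path(tempfile.mkdtemp())
    live, crt = root / "live", root / "certs"
    crt.mkdir()
    files = {"www.example.org": ["fullchain.pem", "privkey.pem"],
             "mail.example.org": ["fullchain.pem"]}
    for host, names in files.items():
        (live / host).mkdir(parents=True)
        for name in names:
            (live / host / name).write_text(f"-----BEGIN {name} (constructed)-----\n")
    ready = bundle_certs(live, crt)
    mode = os.stat(crt / "www.example.org.pem").st_mode & 0o777
    return ready, haproxy_config(sites, crt, ready), mode
```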