Message-Id: <47ac2c3b-d6c5-457e-8874-47590a22c6b7@www.fastmail.com>
Date: Sun, 02 Jun 2019 07:20:35 +0000
From: "Dave Cottlehuber"
To: "David Mehler"
Cc: freebsd-questions
Subject: Re: to jail or not to jail
On Sun, 2 Jun 2019, at 00:34, David Mehler wrote:
> Hello,
>
> I've got a newly installed FreeBSD 12 VPS. It's going to be running a
> web server/PHP hosting multiple sites, with Let's Encrypt TLS
> certificates for each. It's also going to be running an email server:
> Postfix, Dovecot, rspamd, MySQL database backend, again with the same
> Let's Encrypt TLS certificates. Previously I've had all this on one
> host.
>
> What I'm wondering is whether I should jail off these services. I've got a
> ZFS setup, still trying to wrap my head around that, and am wondering
> whether I should run the database in one jail, the web server/PHP in another
> jail, and the email server in a third jail. If I do this, how would I
> get the TLS certificates into each jail? I'm looking for the maximum
> automation.

My approach has been to jail all the things, and run haproxy & do TLS
stripping within that. I then redirect traffic into the appropriate app
jail based on either HTTP Host headers (HTTPS only) or SNI fields
(generic TLS-wrapped TCP services). This gives me one place to open to
the internet, with very nice logging and internal stats, and only one
place to update TLS certificates with Let's Encrypt.

I also look after a few more complicated setups, where we use wildcard
ACME-generated certs (DNS-01 auth) and Ansible fiddles with the DNS, then
propagates the new certificates to all the cluster nodes that need it.
IMO this is the nicest of all the setups, but it is somewhat more
complicated.

A+
Dave
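The single-entry-point layout described in the reply above (one haproxy jail terminates TLS, routes HTTPS by Host header and TLS-wrapped TCP by SNI, and is the only place that needs the Let's Encrypt certificates), written out as an haproxy configuration. This is an added example, not Dave's own config; the site names, the certificate directory, and the jail addresses on an internal interface (10.0.0.x) are assumptions.

```haproxy
# Assumed FreeBSD path: /usr/local/etc/haproxy.conf
global
    log /var/run/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# HTTPS: TLS ends here. The crt directory holds one combined PEM (fullchain +
# privkey) per site; haproxy picks the cert by SNI, so only this jail is renewed.
frontend https_in
    mode http
    bind :443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    acl host_www  req.hdr(host) -i www.example.org example.org
    acl host_mail req.hdr(host) -i mail.example.org
    use_backend web_jail     if host_www
    use_backend webmail_jail if host_mail
    default_backend web_jail

# Plain HTTP only exists to bounce clients to HTTPS.
frontend http_in
    mode http
    bind :80
    http-request redirect scheme https code 301

# Generic TLS-wrapped TCP (IMAPS here): still terminate TLS at haproxy,
# then choose the jail from the SNI name the client sent.
frontend imaps_in
    mode tcp
    bind :993 ssl crt /usr/local/etc/haproxy/certs/
    use_backend imaps_jail if { ssl_fc_sni -i mail.example.org }

# Backends are jails on an internal interface (addresses assumed). They talk
# plaintext to haproxy only, so the IMAP jail must trust the proxy address.
backend web_jail
    mode http
    server www 10.0.0.10:80 check
backend webmail_jail
    mode http
    server webmail 10.0.0.11:80 check
backend imaps_jail
    mode tcp
    server dovecot 10.0.0.12:143 check
```

After a renewal, only the combined PEM files in the certs directory change and haproxy is reloaded; the app jails never hold private keys.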