From owner-freebsd-questions@FreeBSD.ORG Tue Oct 13 15:38:06 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C3A22106566B for ; Tue, 13 Oct 2009 15:38:06 +0000 (UTC) (envelope-from apseudoutopia@gmail.com) Received: from ey-out-2122.google.com (ey-out-2122.google.com [74.125.78.27]) by mx1.freebsd.org (Postfix) with ESMTP id 57F9F8FC08 for ; Tue, 13 Oct 2009 15:38:06 +0000 (UTC) Received: by ey-out-2122.google.com with SMTP id 9so5139eyd.9 for ; Tue, 13 Oct 2009 08:38:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=L1MmjBNzQGdkKeSthfm+uFMlXnhHKCdtZqw+ayfzyyE=; b=TWmhlb9onfv4F/lY2BetNsbTDa3XkPDfpK9l19WKR9u+ipzNmZJQz9ayrxc/IisJbO QtLV/TB8/tLYMK9033cxa0lGZOssH+tsQmXl4cQnSP2opU0ukjFVprmKvg8xI/sEpIk/ ZMAqzO6TFpIlnvneKQ75sQ4f46MAe95zV0RbQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=WEYlldhZVY29TqPk2zyh1KmS1SHZfLmizKZV32QOE3AWrFPn6o888c/xDr1azkgUKI cZn0OHkGR9QdTg6XVhwWCyJnEcR9H7KZICj+Okkh6p98I/Ea4al5IVKT9Ai592Mar/54 qBEhewDpiRzNppRbu5H+XwPSTuzFuxZyexsGM= MIME-Version: 1.0 Received: by 10.216.89.11 with SMTP id b11mr2557248wef.171.1255448285311; Tue, 13 Oct 2009 08:38:05 -0700 (PDT) In-Reply-To: <815964.80537.qm@web51104.mail.re2.yahoo.com> References: <815964.80537.qm@web51104.mail.re2.yahoo.com> From: APseudoUtopia Date: Tue, 13 Oct 2009 11:37:45 -0400 Message-ID: <27ade5280910130837t29e9e6e9ibc0e32ffbee0eef3@mail.gmail.com> To: Dino Vliet Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-questions@freebsd.org Subject: Re: freebsd jail: web and database server config questions X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Oct 2009 15:38:06 -0000 On Tue, Oct 13, 2009 at 9:51 AM, Dino Vliet wrote: > > Dear Freebsd people, > > To consolditae on resources I have configured a machine to run both a web= and database server (powering my database driven website). > > Due to security concerns I'm contemplating on introducing a jailed enviro= nment on this machine and want to know if this would be feasible. I have a = few questions for the freebsd community regarding this approach and hope so= meone would give me some advice. > > Is it advisable/wise/okay/clever to run a webserver on my host system and= a database server on my jailed system? The webserver will need to connect = to the database system on startup and update the database based on client a= ccess. I would recommend either doing it the other way around (webserver inside the jail) or have both web and db inside separate jails. > > However, if a machine gets compromised, it would rather be the webserver,= therefore running the webserver in the jailed environment seems better to = me. But how could that be done, if the webserver requires to connect throug= h tcp/ip to the database server running on the host system? I thought that = a key-feature of a jailed system is that it can't access resources outside = the jail. > It *may* be possible to set your database software to listen on a unix socket inside the jail dir on the host. For example, if your webserver jail is in /usr/jails/httpd/ on the host, you may be able to have your database listen on a unix socket in, say, /usr/jails/httpd/tmp/. Inside the jail, you can point your web app to use the socket inside /tmp/. I'm not sure if this is possible as I never actually implemented it with my setup, but you can try.