Date: Sat, 1 Jun 2019 21:43:30 -0500
From: Kyle Evans <kevans@freebsd.org>
To: David Mehler <dave.mehler@gmail.com>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: to jail or not to jail
Message-ID: <CACNAnaE8XwgqcLksU8MEoWgYZ6qTJMvMNBcOo8bvgkCe7RAhdg@mail.gmail.com>
In-Reply-To: <CAPORhP4pbfCC96PXOeErJgswX_2dh%2BmXcBb1TrH6F0f5oN-wDw@mail.gmail.com>
References: <CAPORhP4pbfCC96PXOeErJgswX_2dh%2BmXcBb1TrH6F0f5oN-wDw@mail.gmail.com>

On Sat, Jun 1, 2019 at 7:30 PM David Mehler <dave.mehler@gmail.com> wrote:
>
> Hello,
>
> I've got a newly installed FreeBSD 12 vps. It's going to be running a
> web server/php hosting multiple sites, with letsencrypt tls
> certificates for each. It's also going to be running an email server,
> postfix, dovecot, rspamd, mysql database backend, again with the same
> letsencrypt tls certificates. Previously I've had all this on one
> host.
>
> What I'm wondering is if I should jail off these services, I've got a
> zfs setup, still trying to wrap my head around that, and am wondering
> should I run the database in one jail, the webserver/php in another
> jail, and the email server in a third jail? If I do this how would I
> get the tls certificates in to each jail, I'm looking for the maximum
> automation.
>

I have a similar setup to this- DB, webserver/php, mail server is a
good separation. My acme setup has a /usr/local/certs on the host that
I've null mounted into the jails that need it, but I haven't quite
worked out logistics for signaling my xmpp jail when webserver jail's
updated the certs. Perhaps a flag file in /usr/local/certs that the
host looks for would be sufficient.

Thanks,

Kyle Evans

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACNAnaE8XwgqcLksU8MEoWgYZ6qTJMvMNBcOo8bvgkCe7RAhdg>
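
One way the flag-file idea from the reply above could look on the jail host, as an added example that is not part of the original message or anyone's actual setup. The flag name `.renewed`, the jail and service names, and the `/jails/xmpp` path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Host-side poller for a renewal flag in the shared cert directory (run from cron).
# Assumed layout: the webserver jail has the directory null-mounted rw and touches
# the flag after renewing; consumer jails get it read-only, e.g. in the jail's fstab:
#   /usr/local/certs  /jails/xmpp/usr/local/certs  nullfs  ro  0  0   (hypothetical path)
CERT_DIR="${CERT_DIR:-/usr/local/certs}"
FLAG_NAME="${FLAG_NAME:-.renewed}"            # hypothetical flag name
# "jail:service" pairs to reload after a renewal (hypothetical names).
CONSUMERS="${CONSUMERS:-xmpp:xmppd mail:postfix mail:dovecot}"

# Reload one service inside one jail; redefine this function for a dry run.
reload_in_jail() {
    jexec "$1" service "$2" reload
}

# Returns 0 if a renewal was processed, 1 if there was nothing to do,
# 2 if at least one reload failed.
process_cert_flag() {
    flag="$CERT_DIR/$FLAG_NAME"
    claimed="$flag.claimed.$$"
    # The flag is written from inside a jail, so treat it as untrusted:
    # only a regular file counts, never a symlink.
    [ -f "$flag" ] && [ ! -L "$flag" ] || return 1
    # Claim the flag with an atomic rename before reloading, so a renewal
    # that lands during the reloads creates a fresh flag for the next run.
    mv "$flag" "$claimed" || return 1
    failed=0
    for pair in $CONSUMERS; do
        jail="${pair%%:*}"
        svc="${pair#*:}"
        reload_in_jail "$jail" "$svc" || failed=2
    done
    rm -f "$claimed"
    return "$failed"
}

# Only act when invoked as "script --run", so sourcing it has no side effects.
if [ "${1:-}" = "--run" ]; then
    process_cert_flag
fi
```

The host never reads the flag's contents and only ever runs the fixed `CONSUMERS` list, so a compromised webserver jail can trigger reloads but cannot choose what the host executes.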