From: Kyle Evans
Date: Sat, 1 Jun 2019 21:43:30 -0500
Subject: Re: to jail or not to jail
To: David Mehler
Cc: freebsd-questions
List-Id: User questions

On Sat, Jun 1, 2019 at 7:30 PM David Mehler wrote:
>
> Hello,
>
> I've got a newly installed FreeBSD 12 VPS. It's going to be running a
> web server/PHP hosting multiple sites, with Let's Encrypt TLS
> certificates for each. It's also going to be running an email server:
> Postfix, Dovecot, rspamd, MySQL database backend, again with the same
> Let's Encrypt TLS certificates. Previously I've had all this on one
> host.
>
> What I'm wondering is if I should jail off these services. I've got a
> ZFS setup, still trying to wrap my head around that, and am wondering
> should I run the database in one jail, the webserver/PHP in another
> jail, and the email server in a third jail? If I do this, how would I
> get the TLS certificates into each jail? I'm looking for the maximum
> automation.
>

I have a similar setup to this: DB, webserver/PHP, mail server is a good
separation. My ACME setup has a /usr/local/certs on the host that I've
null-mounted into the jails that need it, but I haven't quite worked out
the logistics for signaling my XMPP jail when the webserver jail has
updated the certs. Perhaps a flag file in /usr/local/certs that the host
looks for would be sufficient.

Thanks,

Kyle Evans
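One way to implement the flag-file signal sketched in the reply above, as an added example that is not from the thread: a host-side script that checks for a flag file in the null-mounted /usr/local/certs and, when it is newer than the last recorded reload, reloads the consuming services inside their jails with jexec(8). The flag name (.updated), the stamp path, the jail name "mail" and the "jail:service" list are assumptions; the jexec command is overridable so the logic can be exercised without real jails.

```sh
#!/bin/sh
# Host-side certificate-rotation hook (added example, not the
# thread's own code). Assumed layout: the web jail's ACME client
# writes renewed certs into /usr/local/certs (null-mounted read-only
# into the other jails) and then touches /usr/local/certs/.updated.
# Run from cron on the host, e.g. every few minutes: sh cert-hook.sh run

: "${CERT_DIR:=/usr/local/certs}"        # directory shared with jails
: "${STAMP:=/var/db/certs-last-reload}"  # mtime of last reload (assumed)
: "${JEXEC:=jexec}"                      # overridable for dry runs/tests

# needs_reload: 0 when the flag file exists and is newer than the
# stamp recorded by the previous successful reload (or no stamp yet).
needs_reload() {
    flag="$CERT_DIR/.updated"
    [ -f "$flag" ] || return 1
    [ ! -f "$STAMP" ] || [ "$flag" -nt "$STAMP" ]
}

# reload_consumers jail:service ...: reload each service inside its
# jail so it re-reads the cert files; returns 1 if any reload failed.
reload_consumers() {
    rc=0
    for pair in "$@"; do
        jail="${pair%%:*}"
        svc="${pair#*:}"
        "$JEXEC" "$jail" service "$svc" reload || rc=1
    done
    return $rc
}

# run_hook jail:service ...: 0 = reloaded, 2 = nothing to do,
# 1 = a reload failed (stamp left untouched so the next run retries).
run_hook() {
    needs_reload || return 2
    reload_consumers "$@" || return 1
    # Record the flag's mtime as the stamp; a later renewal that
    # touches the flag again will make it newer than this stamp.
    touch -r "$CERT_DIR/.updated" "$STAMP"
}

if [ "${1:-}" = "run" ]; then
    # Add the XMPP jail's service here as another jail:service pair.
    run_hook mail:postfix mail:dovecot
fi
```

Reloads are recorded only after every service reload succeeded, so a failed jexec keeps the flag "pending" for the next cron run instead of silently dropping it.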