Date: Tue, 13 Oct 2009 11:37:45 -0400 From: APseudoUtopia <apseudoutopia@gmail.com> To: Dino Vliet <dino_vliet@yahoo.com> Cc: freebsd-questions@freebsd.org Subject: Re: freebsd jail: web and database server config questions Message-ID: <27ade5280910130837t29e9e6e9ibc0e32ffbee0eef3@mail.gmail.com> In-Reply-To: <815964.80537.qm@web51104.mail.re2.yahoo.com> References: <815964.80537.qm@web51104.mail.re2.yahoo.com>
On Tue, Oct 13, 2009 at 9:51 AM, Dino Vliet <dino_vliet@yahoo.com> wrote:
>
> Dear Freebsd people,
>
> To consolidate on resources I have configured a machine to run both a web and database server (powering my database-driven website).
>
> Due to security concerns I'm contemplating introducing a jailed environment on this machine and want to know if this would be feasible. I have a few questions for the freebsd community regarding this approach and hope someone would give me some advice.
>
> Is it advisable/wise/okay/clever to run a webserver on my host system and a database server on my jailed system? The webserver will need to connect to the database system on startup and update the database based on client access.

I would recommend either doing it the other way around (webserver inside the jail) or having both web and db inside separate jails.

> However, if a machine gets compromised, it would rather be the webserver, therefore running the webserver in the jailed environment seems better to me. But how could that be done, if the webserver needs to connect through tcp/ip to the database server running on the host system? I thought that a key feature of a jailed system is that it can't access resources outside the jail.
>

It *may* be possible to set your database software to listen on a unix socket inside the jail dir on the host. For example, if your webserver jail is in /usr/jails/httpd/ on the host, you may be able to have your database listen on a unix socket in, say, /usr/jails/httpd/tmp/. Inside the jail, you can point your web app to use the socket inside /tmp/. I'm not sure if this is possible as I never actually implemented it with my setup, but you can try.
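As an added example (not from the thread), the socket arrangement described above written out for one concrete database: it assumes PostgreSQL running on the host as OS user `postgres`, the jail path /usr/jails/httpd from the message, a web server group `www`, and constructed database/role names `appdb`/`appuser`. It places the socket in a dedicated directory rather than the jail's shared /tmp, since /tmp is writable by every user inside the jail.

```conf
# --- Host side: postgresql.conf (assumed PostgreSQL; added example) ---
# No TCP listener at all: the jail reaches the database only through the socket.
listen_addresses = ''

# Put the socket inside the jail's filesystem tree so the jailed web server can
# open it. A dedicated directory is used instead of the jail's /tmp, because
# /tmp is writable by every user inside the jail.
#   Host view: /usr/jails/httpd/var/run/pgsql/.s.PGSQL.5432
#   Jail view: /var/run/pgsql/.s.PGSQL.5432
unix_socket_directories = '/usr/jails/httpd/var/run/pgsql'

# Only members of the web server's group may connect to the socket.
# (The database OS user must itself belong to group www for this to apply.)
unix_socket_group = 'www'
unix_socket_permissions = 0770

# --- Host side: pg_hba.conf ---
# Accept only socket ("local") connections, for one database and one role,
# with password authentication. With no "host" lines there are no network clients.
# TYPE  DATABASE  USER     METHOD
local   appdb     appuser  scram-sha-256

# --- Host side: create the socket directory before starting the database ---
# (assumed OS user name "postgres"; group www may traverse, nobody else)
#   mkdir -p /usr/jails/httpd/var/run/pgsql
#   chown postgres:www /usr/jails/httpd/var/run/pgsql
#   chmod 750 /usr/jails/httpd/var/run/pgsql

# --- Jail side: the web application's connection settings ---
# The application uses the jail-relative directory; no host or port is configured.
# Example libpq connection string (the application's own config format varies):
#   host=/var/run/pgsql dbname=appdb user=appuser
```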
