On Tue, Oct 13, 2009 at 9:51 AM, Dino Vliet <dino_vl...@yahoo.com> wrote:
> Dear Freebsd people,
> To consolditae on resources I have configured a machine to run both a web and 
> database server (powering my database driven website).
> Due to security concerns I'm contemplating on introducing a jailed 
> environment on this machine and want to know if this would be feasible. I 
> have a few questions for the freebsd community regarding this approach and 
> hope someone would give me some advice.
> Is it advisable/wise/okay/clever to run a webserver on my host system and a 
> database server on my jailed system? The webserver will need to connect to 
> the database system on startup and update the database based on client access.

I would recommend either doing it the other way around (webserver
inside the jail) or have both web and db inside separate jails.

> However, if a machine gets compromised, it would rather be the webserver, 
> therefore running the webserver in the jailed environment seems better to me. 
> But how could that be done, if the webserver requires to connect through 
> tcp/ip to the database server running on the host system? I thought that a 
> key-feature of a jailed system is that it can't access resources outside the 
> jail.

It *may* be possible to set your database software to listen on a unix
socket inside the jail dir on the host. For example, if your webserver
jail is in /usr/jails/httpd/ on the host, you may be able to have your
database listen on a unix socket in, say, /usr/jails/httpd/tmp/.
Inside the jail, you can point your web app to use the socket inside
/tmp/. I'm not sure if this is possible as I never actually
implemented it with my setup, but you can try.
freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to