On Tue, Oct 13, 2009 at 9:51 AM, Dino Vliet <dino_vl...@yahoo.com> wrote:
>
> Dear FreeBSD people,
>
> To consolidate on resources I have configured a machine to run both a web and 
> database server (powering my database driven website).
>
> Due to security concerns I'm contemplating introducing a jailed 
> environment on this machine and want to know if this would be feasible. I 
> have a few questions for the FreeBSD community regarding this approach and 
> hope someone would give me some advice.
>
> Is it advisable/wise/okay/clever to run a webserver on my host system and a 
> database server on my jailed system? The webserver will need to connect to 
> the database system on startup and update the database based on client access.

I would recommend either doing it the other way around (webserver
inside the jail) or have both web and db inside separate jails.

>
> However, if a machine gets compromised, it would rather be the webserver, 
> therefore running the webserver in the jailed environment seems better to me. 
> But how could that be done, if the webserver needs to connect through 
> tcp/ip to the database server running on the host system? I thought that a 
> key feature of a jailed system is that it can't access resources outside the 
> jail.
>

It *may* be possible to set your database software to listen on a unix
socket inside the jail dir on the host. For example, if your webserver
jail is in /usr/jails/httpd/ on the host, you may be able to have your
database listen on a unix socket in, say, /usr/jails/httpd/tmp/.
Inside the jail, you can point your web app to use the socket inside
/tmp/. I'm not sure if this is possible as I never actually
implemented it with my setup, but you can try.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
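
The socket layout suggested in the reply above, as an added example that is not part of the original thread: a Python sketch that maps a host-side socket path to the path seen inside the jail and checks the socket before a host daemon is trusted to use it. The socket name `db.sock`, the helper names and the temporary directory standing in for /usr/jails/httpd are assumptions made for illustration.

```python
import os
import socket
import stat
import tempfile

def jail_view(host_path, jail_root):
    """Map a host path to the path a process inside the jail would use."""
    real = os.path.realpath(host_path)   # resolves symlinks planted in the jail
    root = os.path.realpath(jail_root)
    if os.path.commonpath([real, root]) != root:
        raise ValueError(f"{host_path} resolves outside {jail_root}")
    return "/" + os.path.relpath(real, root)

def check_socket(host_path):
    """Return problems with a host-created socket that lives in a jail dir."""
    problems = []
    st = os.lstat(host_path)             # lstat: never follow a symlink here
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("not a unix socket")
    if st.st_mode & stat.S_IRWXO:
        problems.append("socket is accessible to 'other'")
    parent = os.stat(os.path.dirname(host_path)).st_mode
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        problems.append("directory is world-writable without sticky bit")
    return problems

def make_demo_socket(jail_root, mode=0o660):
    """Bind a listening socket at <jail_root>/tmp/db.sock (constructed demo)."""
    sock_dir = os.path.join(jail_root, "tmp")
    os.makedirs(sock_dir, exist_ok=True)
    os.chmod(sock_dir, 0o750)            # demo directory, not a shared /tmp
    path = os.path.join(sock_dir, "db.sock")   # hypothetical socket name
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)                 # owner and group only
    srv.listen(1)
    return srv, path

if __name__ == "__main__":
    root = tempfile.mkdtemp()            # stands in for /usr/jails/httpd
    srv, path = make_demo_socket(root)
    print("host path:", path)
    print("jail path:", jail_view(path, root))
    print("problems :", check_socket(path) or "none")
    srv.close()
```

Because the jail's root user controls the directory contents, the `lstat` and `realpath` checks matter: a host process that blindly creates or opens a file there could be redirected through a symlink.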