Thanks Ewald- and thanks for the reminders re mod_deflate/mod_gzip :-) Look forward to seeing some more comments from you- if you have time.

Regards
Julian

On 11/28/05, Ewald Wasscher <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > Hi there-
> >
> > I'd like to set up a hobby web-server, and I'd appreciate any
> > thoughts/feedback from this community on what I'm planning- below.
> >
> > The server will be for two domains. I'd like them to be as
> > independent of each other as possible, running on the same machine.
> > I'd like the maintenance to be as straight-forward as possible.
> > There's also a small chance one of the domains may end up on its own
> > hardware one day. The machine will be on the end of a cable modem, in
> > a DMZ, running its own secondary firewall- probably using shorewall.
> >
> > I've looked at chroots, jails, vserver patches, bsd, solaris- with
> > only the latter having any support for managing software installed
> > inside the 'jail'. But I couldn't find an answer to if solaris zones
> > can also manage manually installed software- I'm guessing not (there
> > are no solaris packages for lots of web apps.)
> >
> > Then I read about Xen- and thought that could be reasonable;
> > virtualize the machine, install two instances of the OS; disk is
> > cheap, and although everything will have to be down twice (updates
> > etc), at least I can use the standard package management tools.
> >
> > My thinking is that up-to-date SELinux + hardened gcc + apache +
> > mod_security is enough of a headache that the majority of script
> > kiddies/crackers won't be bothered.
>
> AFAIK the grsecurity patch can't be applied to the current xen-sources,
> so you'll lose quite some of the protection of the hardened gcc without
> pax (grsecurity).
>
> > Anyone who can get through that
> > I'm never going to notice- I know I won't make time to run something
> > like tripwire often enough to be that useful, and even if I did, if
> > someone gets through the above, they're very likely to be smart enough
> > to hide the evidence so I don't notice for a long time (if ever.)
> > Again, this is for a hobby server- one domain for family pics, etc,
> > the other for something like trac for me and some friends to have fun
> > with some hobby development.
> >
> > First question- does the above sound reasonable?
> >
>
> To me it does. Have you thought about using mod_deflate or mod_gzip? It
> will save some of your precious upstream bandwidth.
>
> Now I have to hurry to work, maybe more answers in the evening.
>
> --
> Ewald Wasscher
>
>
> PGP Key Fingerprint: D3FE ED15 03B0 8385 DD5D 95CE F866 9E37 28E8 1D69
>
> --
> [email protected] mailing list
