Website architecture

[gpatrick]

     pf
      |  (relayd to nginx)
   nginx
      /\
   pf--pf
    \   /
  web mail dns
    |
  pf--pf
   \   /
    db

The outer pf firewall would use relayd to redirect port 80 traffic to the nginx reverse proxy server. Relayd may also redirect ports 25 and 53 to the first dual pf firewalls for smtp and dns traffic where there will be a mail server handling traffic for multiple domains, and a non-authoritative dns server.

The second dual firewalls will be protecting a database used for handling tables for web content.

The databases will use CARP and pfsync and will be loadbalanced.

There will initially be three domains.

     pf
      |  (relayd to nginx) (smtpd to mail server)
   nginx  mail
      /\
   pf--pf
    \   /
  web dns
    |
  pf--pf
   \   /
    db

Another scenario above is to put the mail server in the same tier as the reverse proxy and relay traffic to the mail server with smtpd.

A third alternative is to eliminate the first set of dual pf/firewalls and only have the outer firewall and the interior pair for the database.

Any recommendations or opinions on the best way to implement this design? Or in what way would you implement this setup for three domains?

 

[arp242]

It is difficult to answer this question. Yes this setup might be appropriate for some situations, but since we next to nothing about your situation and demands ...

Personally, I would be inclined towards a simpler setup for two reasons: 1) I'm a simple guy 2) Less stuff that can go wrong.

But again, we don't know your situation or demands. You are asking us to "design a building for me please" without telling what the building will be used for.