Solved Best practice

fred974

fred974

Hello all,

I have been running a small web server with 4 domains in it at the moment from home..
As some of the websites are now becoming fairly used and the amount of domains hosted are increasing fast, I need to move it all on a small cloud VM somewhere to make sure that I have continuous power and internet feed. (I had power cut at home)

My current setup is

1 x FreeBSD 10 ZFS host
3 x ezjail jails
|--- MySQL jail
|--- Hiawatha web server {hosting 4 domains}
|----OpenSMTPD mail server

My question is around the webserver side..
I am good to carry on having 1 webserver for all the domains OR should I create a new jail for each domain?
In term of security, this will be better in case a website get hacked but I am not sure if its a good use of resources... and if I have one jail per domain, do I just clone the jails?

The VM specs are: 2vCPU/2GB/80GB VM

Thank you all
 
Please keep in mind, that you need a reverse proxy in front of your multiple webserver-jails, if you just have one single IP.
I would stay for the virtual host configuration - I think you can configure PHP and unsecure stuff to use separate users.

I have one nginx with multiple php-instances, all running by different users.

Regards
Markus
 
storvi_net said:
I have one nginx with multiple php-instances, all running by different users.
Click to expand...
Could you please tell me how this is achieve?

I use Hiawatha web server so I don't think I will need a reverse proxy but I will double check
Thank for your reply
 
I have no access to my config at the moment, but see https://www.howtoforge.com/php-fpm-nginx-security-in-shared-hosting-environments-debian-ubuntu for an example-configuration of nginx.

The reverse-proxy is neccessary, if you want to use separate jails and just have one single IP.

I guess your IP ist 1.2.3.4
Your domains are www.domain1.com, www.domain2.com and www.domain3.com
The DNS returns 1.2.3.4 for all of them.

What your webserver does at the moment is to interpret the request and routes the request based on the domain-name to the correct directory.
If you divide the domains into separate jails you probably route the requests to port 80/443 to 1.2.3.4 by using pf /ipfw to one single jail. On this way you can not interpret the domain name - for this the reverse-proxy comes into place.

The reverse-proxy-jail has the IP 1.2.3.4 and routes the requests based on the domain-names to the internal IPs of the jail.

Regards
Markus
 
storvi_net said:
The reverse-proxy-jail has the IP 1.2.3.4 and routes the requests based on the domain-names to the internal IPs of the jail.
Click to expand...

Thank you very much for your explanation.
It really help me understand a fundamental issue that I never though about:)

I use PHP-FPM at the moment. Is that as good as the 2 options you mentioned
 
Something to think about is what are you trying to protect? If you a serving 4 small static websites off one web server, your risk is very low that one would get compromised to begin with. If it does, it comes to what you are trying to protect from the other 3 sites that offsets the extra resources and management overhead from running multiple web servers in different jails. If you are running PHP applications that may not have the best security reputation then your risk may be higher and at that point the extra overhead may be worthwhile.
 
I have 2 Wordpress e-commerce and 2 other standard Wordpress blog site.

I use bough template on all of them so how secure is their PHP. I have no real mean to control it all.

How can I clone an ezjail so I don't have to reinstall all the applications all the time?
 
fred974 said:
I have 2 Wordpress e-commerce and 2 other standard Wordpress blog site.

I use bough template on all of them so how secure is their PHP. I have no real mean to control it all.
Click to expand...

I would probably use jails.

fred974 said:
How can I clone an ezjail so I don't have to reinstall all the applications all the time?
Click to expand...

Most of the basic stuff can be done with "flavour" templates. See the man page with a man ezjail | less -p flavour to see what I am talking about. I've never looked into pre-installing packages part of a flavour.

If the flavour route doesn't work out. you can build a template and use the ezjail-admin archive [U]jailname[/U] and a ezjail-admin create -a [U]archive[/U] to make a new jail from it. See ezjail-admin(8) for more info on it.
 
junovitch , thank you for the great advise here.
Could you please tell me if there ezjail is better than qjail for what I want to achieve here?
I know they are 2 different application but I am trying to make my life easier
 
Discussing the differences between jail helper utilities would be the subject of another thread so the best advice I can offer is to try them out and see which works best for you. I did try what I believe is now in the sysutils/qjail2 port at some point in the past but I've generally stuck with sysutils/ezjail since it does what I need.
 
You must log in or register to reply here.
Back
Top