I have a VPS on DigitalOcean on which I used mfsBSD to reinstall FreeBSD with ZFS/zroot, with PF as my firewall. My plan with this VPS is to run WordPress, a static site and ownCloud, each in its own jail. Currently, I use nginx on the host machine running as a reverse proxy, intercepting HTTPS traffic and directing the unencrypted final bits to the appropriate jails. While this works and the outside world can connect to https://site-example-1.com, https://site-example-2.com etc., because the traffic going from host to jail isn't encrypted, I worry that a compromised jail could intercept the unencrypted traffic of another jail. My jails are currently networked on a lo1 cloned interface with aliases, and when I checked, each jail is able to access the other's running nginx service. Even after changing the jails to different subnets (172.16.1.1 for jail A, 172.16.2.1 for jail B), jail A is able to see jail B's web server. I assume this is because they are all on the same loopback interface.
So, my question is: is there a best practice for isolating jails from being able to talk to one another? Can this be done through NAT via pf rules? Or, is there a better way to forbid jails from knowing another jail exists on the host machine? Or or, is running jails as fully contained web servers a dumb idea altogether?
While I am an enthusiast of FreeBSD and other *nix systems, I am one of those people who know just enough to sometimes break things. I don't have the best understanding of networking or firewalls so any help in this area would be greatly appreciated.
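The jail-to-jail block the question asks about can be expressed in pf by address rather than by NAT. The following pf.conf fragment is an added example, not part of the original post; it takes the two jail addresses from the post and assumes the public interface is vtnet0, the jails sit on the cloned lo1 interface, each jail's nginx listens on plain HTTP port 80, and the host's nginx uses no proxy_bind.

```pf
# Added example pf.conf fragment, not from the original post. Assumptions:
# public interface vtnet0, jail A = 172.16.1.1 and jail B = 172.16.2.1 on the
# cloned lo1 interface, each jail's nginx on plain HTTP port 80 for the host's
# reverse proxy, and no proxy_bind in the host nginx.
ext_if   = "vtnet0"
jail_a   = "172.16.1.1"
jail_b   = "172.16.2.1"
jail_net = "172.16.0.0/16"
table <jails> const { 172.16.1.1, 172.16.2.1 }

# Deliberately no 'set skip on lo0' (or lo1): jail-to-jail packets travel the
# loopback path, and whatever pf skips it can never block.
set block-policy drop

# Outbound NAT so jails can fetch packages through the host's public address.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Default deny; everything below is an explicit exception.
block log all

# A jail may talk to its own address. Connections from the host to a jail
# normally carry the jail's own address as source as well, so these rules
# also cover the host's nginx reverse proxy (assumption: no proxy_bind).
pass quick from $jail_a to $jail_a
pass quick from $jail_b to $jail_b

# Every other jail-to-jail packet is dropped and logged. The log is the
# signal: a jail probing its neighbour shows up on pflog0.
block log quick from <jails> to <jails>

# Jails must not reach the host's own public address either (host SSH etc.).
block log quick from <jails> to ($ext_if)

# Jails may reach the outside world (updates, external APIs), nothing local.
pass quick from <jails> to ! $jail_net

# Host: public web on the proxy, SSH for administration, unrestricted out.
pass in on $ext_if proto tcp from any to ($ext_if) port { 80, 443 }
pass in on $ext_if proto tcp from any to ($ext_if) port 22
pass out on $ext_if from ($ext_if) to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm the isolation from inside jail A with a single `fetch http://172.16.2.1/` while watching `tcpdump -n -e -ttt -i pflog0` on the host: the attempt should appear there as a blocked packet rather than return a page.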