I need help in understanding Jail+Nginx+Apache solution

G

G_Nerc

Hi all!
Now I have FreeBSD Server which has roles:
- Mail server for company
- MySQL Server
- Apache with name VirtualHosts with 4 sites
- And some other roles

I'm disturbe about sites, which was making by third-party companies and if some of it will hacked, all other roles will be compromised.
So I want to do some security and logical optimisations:
Adds one more server for internal roles (Samba, Backup, Virtualization, Database, etc..) and old server for external roles (WWW server, Mail)
And WWW-server I want to do one site in one jail (as more security level-up, because every site making by various companies, I don't 100% trust to it.), so my idea is:

- Several jails with Apache in its and its onw IP address for every jail
- Nginx will redirect requests based on domain name
- And ssh access in every jail for giving access to site-developers

One problem is: I have no experience in Jails and Nginx, so that my ideas fully teoretical, can You help me in understanding possibility of that solution, and maybe some possible difficulties in that way?

Thanks!
 
Use the sysutils/qjail port to create your jails. Installing apache in a jail is simple as pkg_add -r apache22. Besure your firewall does nat on all private ip addresses you use for your jails. Be sure to read qjail's man howto for a example of how to setup your desired jail network
 
fbsd1 thanks for answer!
Can you say, is my idea about www/nginx on host machine redirect www queries based on its www host address to related JAIL_IP:80 will work?
For example:
I have 3 jails with www/apache22:
JAIL1 [192.168.0.100] and apache inside it serve site http://www.site1.org
JAIL2 [192.168.0.101] and apache inside it serve site http://www.site2.org
JAIL3 [192.168.0.102] and apache inside it serve site http://www.site3.org
And Nginx on host machine (which hosts all 3 jails) redirect incoming queries based on it address to needed JAIL_IP?
Is that possible?
I not work at that moment with JAIL and nginx, but about jail tasks and possibilities I have some knowledge, but about nginx nothing except it speedup www server work.

Sorry for my bad language :)
 
That would be possible, yes. You can use nginx as a reverse proxy to then send the traffic to any jail or even other system.

Security wise, it would be clever to install nginx itself in a jail.

You just have to setup your firewall so that your nginx jail can connect to your apache jail - and you also might want to isolate mysqld (if needed) and whatever each on their own jails...
 
You must log in or register to reply here.
Back
Top