I am trying to set up a set of servers with FreeBSD using Jails, and I am struggling to find a proper solution. I am a bit of a noob, so I think the biggest part of the picture I'm missing is what the heck my options are.
I'll try to make it brief: I imagine a FreeBSD server would have a reverse proxy running on the main host, and a Jail for each Apache/FTP instance I want to create. And probably also a Jail for MySQL for a while. Perhaps also other services would be added in the future.
I'm confident I'm not the first to come up with something like this. However, I am at the moment trying this on virtual machines at DigitalOcean. They provide one public IP and, more importantly, one single private network IP per host, so I can't just start creating Jails, each with their own private IP on said private network.
So, my options as far as I can see:
1 - I have read on one or more posts here that it should be possible for me to just pass traffic to a Jail from the main host, even if that jail only has a "lo1" network interface. Is this really even possible (I have not yet succeeded in finding out how to) and if so, would this be a/the way to go?
2 - I have also read (in the ezjail page of the FreeBSD docs, I think) that a jail could have the same IP address as the host without (too many) problems. Would this be a viable alternative?
3 - My idea (and this might be a far-fetched thing) was to add a tap device to the host (say, with IP 192.168.2.1, which is different from the already assigned local network's subnet), and then add a tap device for each jail and give it an address in the same 192.168.2.0/24 subnet, thereby creating a virtual internal network.
I would then set up a firewall and NAT on the main host that would grant and remove internet access to the jails as needed and, most importantly, a reverse proxy could route HTTP requests and the like into this virtual internal network (I found that for this to work I would have to play with setfib, since the jails and the main host will need to have different default routers, an issue I'll need to read up on if I continue down this avenue).
I think it would then be possible to set firewalls on all jails for added security (would this not be a good idea?), and perhaps even set up SSH tunnels for communicating with other jails to/from other servers, which will quite probably be a requirement in the future if things work out.
Are any of these three options (and especially the latter) sound at all, or am I barking mad? If my idea turns out to be barking mad, what would be a better way to go?
Thanks!
/Alan
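Added example for this thread (not from the post, and not an ezjail or FreeBSD project config): a host-side pf.conf that implements the "private subnet behind the host" design from options 1 and 3 with only one public address. It assumes non-VNET jails whose addresses are aliases on a cloned loopback `lo1` (so they share the host's routing table), an internal subnet of 192.168.2.0/24 as in the post, and an assumed public interface name `vtnet0` and assumed jail addresses `.10` (Apache) and `.20` (MySQL). The point it demonstrates is the defensive shape of such a setup: the jails are never exposed directly, the reverse proxy on the host is the only thing the internet reaches, and outbound jail access is limited to what updates need.

```pf
# /etc/pf.conf on the host. Added example, not from the post or from ezjail.
# Interface name, subnet layout and jail addresses are assumptions.
ext_if   = "vtnet0"            # public interface (assumed name)
jail_if  = "lo1"               # cloned loopback carrying the jail aliases
jail_net = "192.168.2.0/24"    # internal subnet from the post
web_jail = "192.168.2.10"      # Apache/FTP jail (assumed address)
db_jail  = "192.168.2.20"      # MySQL jail (assumed address)

set skip on lo0

# --- Translation rules (pf requires these before the filter rules) ---
# Only DNS, HTTP and HTTPS from the jail subnet are translated to the host's
# public address. Anything else from a jail leaves untranslated and is
# dropped by the filter below, so "internet access" is granted per service.
nat on $ext_if proto { tcp, udp } from $jail_net to any port { 53, 80, 443 } -> ($ext_if)

# No rdr into the jails: the reverse proxy on the host is the only entry
# point. If a jail ever has to be reachable directly, one rdr per port is
# enough, for example (kept commented out on purpose):
# rdr on $ext_if proto tcp from any to ($ext_if) port 8080 -> $web_jail port 80

# --- Filter rules: default deny, log what is dropped ---
block log all

# Jail traffic that the nat rule did not translate must not leak out
block out log quick on $ext_if from $jail_net

# The host itself (and translated jail traffic) may go out
pass out quick keep state

# Host services reachable from outside: SSH and the reverse proxy
pass in on $ext_if proto tcp to ($ext_if) port { 22, 80, 443 } keep state

# Inside the virtual network, only the paths the applications need:
# reverse proxy -> web jail, and web jail -> MySQL jail
pass in on $jail_if proto tcp from $jail_net to $web_jail port 80 keep state
pass in on $jail_if proto tcp from $web_jail to $db_jail port 3306 keep state
```

With this layout the jail addresses are plain aliases, for example `cloned_interfaces="lo1"` and `ifconfig_lo1="inet 192.168.2.1 netmask 255.255.255.0"` in rc.conf on the host, and `ip4.addr = "lo1|192.168.2.10/32";` per jail in jail.conf; `pf_enable="YES"` turns the ruleset on. Because the jails share the host's routing table, the reverse proxy simply connects to 192.168.2.10:80 and the nat rule handles the jails' outbound traffic, so there is no need for separate default routers. Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -sr` plus the `log` keyword on the block rules (read with `tcpdump -n -e -ttt -i pflog0`) show exactly which jail traffic is being dropped, which is what makes this kind of per-jail restriction verifiable rather than assumed.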