Jails, webserver and website

Hello, NB question here:
Setting up FreeBSD on a VPS.
Some howtos have Apache running on the host, and the website in a jail. Other howtos have Apache running in a jail.
My question: from a security point of view, is it better to run Apache in its own jail? Would I put my WordPress website in the same jail then, or does the WordPress website, together with PHP and MySQL, go in another jail (separate from the Apache server jail)? Can these two jails 'talk' to each other then?
Thank you / Spasibo (Rus)
 
What is "better"? Separate jails means more work, more configuration and more complex to update; but it can give you better security.
To do separate jails the right way you need to use php-fpm over unix sockets. AFAIK Apache does not support that, but nginx does.
If you really want to go "inherently secure" you need 3 jails:
- web jail with outside IP address and shared fpm socket with php jail
- php jail (maybe without IP address) and 2 shared sockets
- mysql jail (without IP address) with shared mysql socket with php jail
Told you, this takes a lot of config ;)
But your web jail does not have to share filesystems with the other jails, hence the "inherent security": for example, not even root on your webjail can access the mysql credentials.
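
The three-jail layout from the post above, sketched as a `jail.conf`. This is an added example, not the poster's configuration; the jail names, the `/jails` paths, the hostname and the address `203.0.113.10` are assumptions. Each socket lives in its own host directory that is nullfs-mounted into exactly the two jails that need it.

```conf
# /etc/jail.conf (constructed example; names, paths and address are assumptions)

# Defaults applied to every jail below.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/jails/$name";
host.hostname = "$name.example.org";

# Web jail: the only jail with an address reachable from outside.
web {
    ip4.addr = "203.0.113.10";
    ip6 = "disable";
    # Directory that holds only the php-fpm socket, shared with the php jail.
    mount += "/jails/sockets/fpm ${path}/var/run/fpm nullfs rw 0 0";
}

# PHP jail: no IP address, reachable only through the two shared sockets.
php {
    ip4 = "disable";
    ip6 = "disable";
    mount += "/jails/sockets/fpm ${path}/var/run/fpm nullfs rw 0 0";
    mount += "/jails/sockets/mysql ${path}/var/run/mysql nullfs rw 0 0";
}

# MySQL jail: no IP address, its socket is visible to the php jail only.
mysql {
    ip4 = "disable";
    ip6 = "disable";
    mount += "/jails/sockets/mysql ${path}/var/run/mysql nullfs rw 0 0";
}
```

The socket directories must exist on the host and as mount points inside each jail's tree, and php-fpm and MySQL have to be configured to create their sockets there.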
 
Thinking about and reading more, you have a point, aribi.
I think I'll run Apache on the host and run my website in a dedicated jail (WordPress, MySQL and PHP). Another jail will be used for mail and a third for Nextcloud.
 