jails Nginx, Php, Jail ?

Hello from France !

(sorry for my english...)

I need advice from your experience...

Today, I have 2 servers, one with nginx+php, the other with PgSQL, for my private cloud (Moodle, Nextcloud).
For the future, I will re-install them using jails (BastilleBSD).

What is the best choice from this list:
  • a jail for each: Nginx, PHP;
  • a jail with Nginx and PHP;
on the same server (RAM = 16 GB, SSD for the system drive)?

Am I clear?

Many thanks in advance!
 
PHP and NGINX in one jail is absolutely OK (but how you do it remains your final decision).
I tend to run one jail per service, i.e. one jail for nextcloud, one jail for IRC bouncer, one jail for git server, one jail for media server, ...
This way you have a "standalone" unit that can easily be backed up, migrated to different hosts etc. This way, when you create e.g. a snapshot or a backup of a jail, you have a snapshot/backup of everything: webserver, PHP, database, config files, ...

My server at home is running merely five jails. Other servers I'm running run upwards of several dozen jails. Works like a treat. It's much easier to manage than full blown VMs and certainly more resource friendly on the host.

PS: For jail management I use cbsd
I'd like to second this. sysutils/cbsd is amazing!
 
+1 for CBSD jails management.
I have been running Nextcloud for years in a jail. I prefer to use Unit in place of php-fpm as the application server (search for the configuration on the Unit web site) and Nginx as the web server. I installed MariaDB inside the same jail, but the Nextcloud data and MariaDB data are placed in separate ZFS datasets, mounted inside the jail (see the CBSD docs for how to do it). If you prefer to install MariaDB in a separate jail - why not ;)
 
Another question as I walk on....

So if I set up several jails, one per service, do I need an Nginx in front to redirect to each service?
Where should this Nginx go: on the host? In a specific jail?

Thanks in advance!
 
Either way works. I run an nginx in a public jail (accessible from the Internet), configured as a reverse proxy to a set of private service/application jails (not accessible from the Internet).

More jails means more management of base system and add-on package updates/upgrades. Do you have a particular need to run everything from jails (i.e. conflicting package versions), or are you planning it for security's sake?
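The public-proxy-jail to private-service-jail layout this reply describes, as an added example that is not configuration from any poster in the thread (it also matches the front-jail/Nextcloud-jail split asked about further down). The jail addresses, hostname, certificate paths, web root and php-fpm port are assumed placeholders.

```nginx
# File 1 (front jail, the only one with an Internet-facing address):
# /usr/local/etc/nginx/nginx.conf
# Constructed placeholder addresses on the private interface:
#   10.0.0.10 = front jail, 10.0.0.11 = Nextcloud jail.
events { worker_connections 1024; }

http {
    upstream nextcloud_jail {
        server 10.0.0.11:80;                 # reachable only on the private network
    }

    server {
        listen 443 ssl;
        server_name cloud.example.org;       # placeholder hostname
        ssl_certificate     /usr/local/etc/ssl/cloud.crt;   # placeholder path
        ssl_certificate_key /usr/local/etc/ssl/cloud.key;   # placeholder path

        # Nextcloud uploads are large; without this the proxy answers 413.
        client_max_body_size 512m;

        location / {
            proxy_pass http://nextcloud_jail;
            # Forward the original host, client address and scheme so the backend
            # logs the real client and Nextcloud generates https:// links.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

# File 2 (Nextcloud jail): /usr/local/etc/nginx/nginx.conf
# Binds to the private address only and accepts connections solely from the
# front jail, so nothing else can reach it or forge the X-Forwarded-* headers.
events { worker_connections 1024; }

http {
    server {
        listen 10.0.0.11:80;
        server_name cloud.example.org;
        root /usr/local/www/nextcloud;       # assumed install path of the package
        index index.php;

        allow 10.0.0.10;                     # the front jail
        deny  all;

        # Nextcloud's own location / fastcgi rules from its admin manual go here
        # unchanged (php-fpm assumed on 127.0.0.1:9000 inside this jail); the
        # jail split only changes the listen and allow/deny lines above.
    }
}
```

Because the hop between the jails is plain HTTP, Nextcloud's config.php also needs 'overwriteprotocol' => 'https' and 'trusted_proxies' => ['10.0.0.10'], otherwise it builds http:// URLs and treats the front jail as the client for brute-force protection and logging.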
 
> So if I set up several jails, one per service, do I need an Nginx in front to redirect to each service?
> Where should this Nginx go: on the host? In a specific jail?
There are different ways of handling this, but yes, in general you want a reverse proxy. Personally, I use net/haproxy very successfully in different scenarios.
For small setups I just have one jail that is facing the internet running HAProxy, and the other jails are sitting behind that. In larger setups I actually do have a dedicated physical host entirely dedicated to running net/haproxy in front of the hosts that run the various jails.


> Do you have a particular need to run everything from jails (i.e. conflicting package versions), or are you planning it for security's sake?
If I learned one thing: never don't use jails. They are so incredibly lightweight and offer a lot of benefits. Even for scenarios where security doesn't matter (which, honestly, shouldn't be a thing) it's just super nice to have everything encapsulated in one entity that you can easily back up, upgrade, migrate and so on. Jails are basically Docker but without all the problems that Docker has. And yes, you can absolutely have a Linux jail :D
 
Well, back to this work after several attempts...

I can manage to get jails working for a simple HTML + PHP application.

BUT, I am not able to get a Nextcloud jail to work!

Every attempt gives an error:
  • The front jail works and redirects with Nginx to the Nextcloud jail;
  • The Nextcloud jail responds well with the basic Nginx config file and a simple PHP file;
  • But when I set the Nginx config file as it should be for Nextcloud, I can't get anything!
Sorry for my English...
Does anyone have examples?

Many thanks!
 
> I tend to run one jail per service, i.e. one jail for nextcloud, one jail for IRC bouncer, one jail for git server, one jail for media server, ...

On the other hand, I prefer to run a jail per package (nginx & php in one, matrix-element, SVN, MariaDB, postfix & dovecot, etc...), only because if one of the packages has a vulnerability, at least the other jails are not compromised.

All my jails are in ZFS pools with exactly the same setup except the IP and jail names.
Each has its own dedicated network port.
The data for each jail is in different pools mounted inside each jail.
There are also separate backup pools for each jail, again mounted inside each jail.
So there is separation between the basic jails, their data and their backup data.

Daily snapshots of the jail pools and data pools are created and backed up with tar to the backup pool.
This backup pool is then backed up along with the host system to LTO tapes weekly (weekly, monthly, yearly...).

Hope this helps.
 
Maybe off-topic here, but has anyone encountered this one:
Installing the nextcloud-php82 package in a bastille jail with nginx and mariadb, just to get the following:
This version of Nextcloud is not compatible with PHP>=8.2.
You are currently running 8.2.0alpha1.
I mean, the installation of the package included php82 (as the name indicates) and then you get an error saying it doesn't work with PHP 8.2
 
Port is set to build with all available "flavors" of PHP:
Code:
USES=		cpe gettext-runtime php:flavors,web tar:bzip2

If the port itself doesn't actually support one of the PHP flavors it should be excluded.


The ports system itself has no way of knowing what is or isn't supported, it just builds every variant.
 
Thanks for the quick response.
So if I understand you correctly, I could just install PHP8.1 instead of 8.2 and leave the nextcloud install untouched?
 