Recommended multi-server FBSD hosting configuration

I'm building out a hosting environment for my customers. I typically use Linux but FreeBSD offers some features of interest to my customers. I've used FreeBSD before (version 9), but my experience is limited.

The hosting architecture I'd like to set up is (focusing on two servers):

Server 1 (frontend):
Nginx or Apache: reverse proxy, SSL, redirecting (from http->https, etc).

Server 2 (backend):
Python-based web applications.

Both servers will be hosted in a public cloud.

I'd like to have a secure, private tunnel between these two servers so that proxied traffic is transmitted securely between the front- and back-end servers. With the exception of this tunnel, the frontend server will handle all other encryption activities (SSL certs and whatnot).

Given the specific nature of the environment, do jails make more sense than user-based separation (i.e. just running Nginx or Apache under their user account but not jailed, or running each Python app under its own user instead of jailing them)?

As I learn more about FreeBSD, I'll add additional capabilities like load balancing and failover, Mandatory Access Controls for publicly exposed ports, etc... But the current focus is getting the environment functional and implementing the basic services, and ensuring those things are secure at a high level.

Any feedback or direction on this would be greatly appreciated. I'm open to better or alternate ways of doing this, as well--just looking for input on best practices for this sort of thing on FreeBSD.
 
Jails will make things easier to manage and give you better security. I would use them for both your frontend and backend servers and completely segregate all client applications/data from each other.

Say you have 10 customers and one of their websites gets compromised. Without jails, your whole system and all 10 customers are exposed as a result. With jails you can limit the exposure to a single application for a single client.

If you only have 1 public IP, I would have your public-facing nginx in a jail, reverse proxying to your clients' jailed web-servers using virtual hosts. That way your internet exposure is 2 ports on 1 jailed nginx instance.
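
The layout described in the reply above, written out as a jail.conf(5) file for one proxy jail and two customer jails. This is an added example, not part of the original thread or any poster's configuration. The jail names, paths, hostnames, the interface names vtnet0 and lo1, and all addresses are assumptions; lo1 is assumed to be created with cloned_interfaces="lo1" in /etc/rc.conf.

```conf
# /etc/jail.conf -- constructed example; every name and address is a placeholder

# Defaults inherited by every jail below
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;                               # start with a clean environment
mount.devfs;                              # restricted /dev inside the jail
path = "/usr/local/jails/$name";          # one filesystem tree per jail
host.hostname = "$name.example.internal";

# Public-facing reverse proxy: the only jail bound to the public address.
# nginx here listens on 80/443 and terminates TLS for all virtual hosts.
proxy {
    ip4.addr  = "vtnet0|203.0.113.10";    # public IP (documentation range)
    ip4.addr += "lo1|10.10.0.1";          # private side toward customer jails
}

# One jail per customer. Each holds only that customer's application and
# data, and has no address on the public interface.
customer_a {
    ip4.addr = "lo1|10.10.0.11";
}

customer_b {
    ip4.addr = "lo1|10.10.0.12";
}
```

The nginx virtual hosts in the proxy jail would then use proxy_pass to reach 10.10.0.11 and 10.10.0.12. Jails that share the host's network stack can still reach each other's addresses, so a packet filter rule is needed if customer jails must not talk to one another.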
 