I'm building out a hosting environment for my customers. I typically use Linux but FreeBSD offers some features of interest to my customers. I've used FreeBSD before (version 9), but my experience is limited.
The hosting architecture I'd like to setup is (focusing on two servers):
Server 1 (frontend):
Nginx or Apache: reverse proxy, SSL, redirecting (from http->https, etc).
Server 2 (backend):
Python-based web applications.
Both servers will be hosted in a public cloud.
I'd like to have a secure, private tunnel between these two server so that proxied traffic is transmitted securely between the front- and back-end servers. With the exception of this tunnel, the frontend server will handle all other encryption activities (SSL certs and whatnot).
Given the specific nature of the environment, do jails make more sense that user-based separation (i.e. just running Nginx or Apache under their user account but not jailed, or running each Python app under its own user instead of jailing them)?
As I learn more about FreeBSD, I'll add additional capabilities like load balancing and failover, Mandatory Access Controls for publicly exposed ports, etc... But the current focus is getting the environment functional and implementing the basic services, and ensuring those things are secure at a high level.
Any feedback or direction on this would be greatly appreciated. I'm open to better or alternate ways of doing this, as well--just looking for input on best practices for this sort of thing on FreeBSD.
The hosting architecture I'd like to setup is (focusing on two servers):
Server 1 (frontend):
Nginx or Apache: reverse proxy, SSL, redirecting (from http->https, etc).
Server 2 (backend):
Python-based web applications.
Both servers will be hosted in a public cloud.
I'd like to have a secure, private tunnel between these two server so that proxied traffic is transmitted securely between the front- and back-end servers. With the exception of this tunnel, the frontend server will handle all other encryption activities (SSL certs and whatnot).
Given the specific nature of the environment, do jails make more sense that user-based separation (i.e. just running Nginx or Apache under their user account but not jailed, or running each Python app under its own user instead of jailing them)?
As I learn more about FreeBSD, I'll add additional capabilities like load balancing and failover, Mandatory Access Controls for publicly exposed ports, etc... But the current focus is getting the environment functional and implementing the basic services, and ensuring those things are secure at a high level.
Any feedback or direction on this would be greatly appreciated. I'm open to better or alternate ways of doing this, as well--just looking for input on best practices for this sort of thing on FreeBSD.