Multiple Web Services with Jails

[He101]

Hello,

I switched to FreeBSD a week ago on my main server. So far the experience has been great.
Because I'm new to the whole jails theory I'd like to present my plan and possible challenges.

My Setup:

Hostsystem: FreeBSD, 8 Cores, 24GB Ram, Static IP

My idea was to create multiple jails with ezjail to perform the following tasks:

- DNS-Jail: Unbound Nameserver for all other Jails. Managing internal domains.
- Nginx-Jail: Redirecting all Port 80, 443 Traffic
- MySql-Jail: Managing all databases for webserver-jails etc.

Other Services (all in individual Jail): Apache(Wordpress), Teamspeak, Git, ...
Host: Redirecting all Port 80/443 Traffic to Nginx-Jail. Redirecting Ports for other Services. Using PF

Possible problems:
- I heard that I can be quit difficult to run a mysql-server in a jail.
- I'm not sure about the redirecting with nginx. If I redirect incoming-domains like "https://test.com" to internal ips of jails there could be ssl-certificate problems.

Possible solutions:
- Use Unbound to create local domains "test.com" would go to internal-ip x.x.x.x

What do you guys think?

Thanks.

 

[SirDice]

I heard that I can be quit difficult to run a mysql-server in a jail.

It isn't. It runs just fine. No need for extra configurations, just install and run.

I'm not sure about the redirecting with nginx. If I redirect incoming-domains like "https://test.com" to internal ips of jails there could be ssl-certificate problems.

A better solution, in my opinion, is to run net/haproxy on the host and use that to direct traffic to the various jails.

 

[storvi_net]

I don't think that net/haproxy here is the best way.

For all other protocols than HTTP I would say yes - you are very flexible with net/haproxy.
But for HTTP/HTTPS www/nginx would be the way to got.

With NGINX you can go to routes:
- Use NGINX as a reverse-proxy and use a jail for each webpage
- Use NGINX as webserver with vhosts and just put the dynamic stuff (PHP) in several jails for security

In both cases the SSL-Handling must be done on the "first" nginx-instance, because here the client connection is handled. For this the certificates must be placed in this jail.

Regards
Markus

 

[rudelgurke]

https://test.com to internal ips of jails there could be ssl-certificate problems.

Why ? I'm using Nginx and doing SSL offload with Nginx so Apache, Lighty or whatever is "behind" just "speaks" plain HTTP. Though it's also possible to proxy HTTPS through.

Use Unbound to create local domains "test.com" would go to internal-ip x.x.x.x

Well, since the webserver, db server etc. jails aren't allowed - here - to connect anywhere I simply edited /etc/hosts and bypassed DNS lookups.