# webserver jail a local access question



## fred974 (Feb 24, 2014)

Hello,

I have Nginx running inside a FreeBSD jail and everything is good.
Now my problem as that want to have 2 applications (zabbix & phpmyadmin) locally.
I don't want them to be available outside on my LAN.
How can this be achieve knowing that jails do not have a 'localhost'?
Here is what I had in mind.. but it doesn't work as you guessed

```
server {
        listen 82;
        server_name localhost;
        location / {
            root /usr/local/www/zabbix;
            index index.php index.html index.htm;
        }
        location ~ \.php$ {
            root /usr/local/www/zabbix;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /usr/local/www/zabbix$fastcgi_script_name;
            include fastcgi_params;
        }
        location ~ /\.ht {
            deny all;
        }
}
```

How do you guys restrict your web application to your LAN?

Thank you


----------



## SirDice (Feb 24, 2014)

I've spent almost a week trying to configure NGINX to serve two different web applications. Never got it working properly. In the end I just used Apache, that only took me 5 minutes to configure. NGINX is a nice web server but you really shouldn't use it for anything but serving static content.


----------



## fred974 (Feb 24, 2014)

SirDice said:
			
		

> I've spent almost a week trying to configure NGINX to serve two different web applications. Never got it working properly. In the end I just used Apache, that only took me 5 minutes to configure. NGINX is a nice web server but you really shouldn't use it for anything but serving static content.



So even in Apache, how do you get it to work on your LAN when the webserver is in the JAIL?
All my websites us wordpress and it seem OK at the moment..
Why do you think its not good for serving dynamic content?


----------



## SirDice (Feb 24, 2014)

fred974 said:
			
		

> So even in Apache, how do you get it to work on your LAN when the webserver is in the JAIL?


Just add the aliases to your configuration or define two different virtual hosts. It depends on what you want to do. 

If I remember correctly, both ports have instructions for Apache in their pkg-message.



> Why do you think its not good for serving dynamic content?


Because of the convoluted way you have to configure PHP. Besides that, it's marketed as a fast server for static content.


----------



## scottro (Feb 24, 2014)

If I remember correctly, I just had to add 
	
	



```
jail_zabbixjail_parameters="allow.sysvipc=1"
```
 to /etc/rc.conf in FreeBSD-9 and 
	
	



```
allow.sysvipc = 1
```
 in /etc/jail.conf FreeBSD-10 to get zabbix working.  One gives the jail an IP alias.  (I also copy the host's /etc/rc.conf over to the jail's /etc.  

Then, on my LAN, I just go to the jail's IP address, e.g, in my browser go to 192.168.1.55 or whatever.


----------



## fred974 (Feb 24, 2014)

Hi @scottro,
Is that not a major security risk?
My understanding is that enabling sysvipc will  defeats the whole purpose of having a jail since users from the jail will be able to affect processes outside the jailed environment.
Should I not be monitoring all the jails using zabbix ? is it a bad design from my part?


----------



## scottro (Feb 24, 2014)

Yes, it is a security risk. I thought, however, that you meant this would only be available on the LAN.  When we've put zabbix in a jail, it was more to make extra use of a machine--that is, have some relatively insecure things that were only running inside the local network. 
Apologies for not specifically mentioning that in my first post.


----------



## junovitch@ (Feb 24, 2014)

Something like this?


```
location /zabbix {
  root /usr/local/www/zabbix;
...
location /phpmyadmin {
  root /path/to/phpmyadmin;
```

Or multiple server { } blocks using a different server_name in each.  You would have to put those each server_name in your /etc/hosts since you'll only be accessing them from on the local machine itself.


----------



## fred974 (Feb 25, 2014)

I don't think I have explained myself very well..
I have Zabbix + agent installed on my FreeBSD host but the frontend files has been moved to the jail webserver.
I want to access zabbix on my windows computer on the same LAN without using an external domain name.
So I guess I might have to do something with PF to redirect?
Ideally I'll like: http://webjail_IP/zappix


----------



## junovitch@ (Feb 25, 2014)

If the jail is a 127.x.x.x address then yes, you'll need to do a PF redirect.  I haven't done that but I'm sure there is a bunch of info on how to do that around.  From there separate location blocks should let you access it as you mentioned.


----------



## fred974 (Feb 26, 2014)

wrong post


----------

