# Jail strategies for web host?



## Brandwalla (Jul 9, 2009)

I'm upgrading my web server and am intrigued by the capabilities of jails. 

I do 3 things with the server: 1) host paying clients, 2) host my own business-related sites, 3) host student media experiments. As you can imagine, jails are perfect for this situation.

My question, what are good strategies for using jails? Is it better to jail single processes or entire user spaces? 

My thought is this:
1. Build a jail for the paying clients' environment running Apache 1.3 and isolating this from experiments gone awry

2. Build individual environment jails for the affiliate and experimental areas (Apache 2.2 and lighttpd, for example)

3. Build individual jails tuned to serve larger client websites.

4. Put the mail server in its own jail.

Does this make sense? Any comments or pointers?
Thank you for your help,
Bill


----------



## estrabd (Jul 9, 2009)

You should check out http://www.rootbsd.net; I've used them for over a year now, and love it. I have a jail, but I do believe they've moved over to virtualization for new accounts.

Brett


----------



## Brandwalla (Jul 9, 2009)

Thanks, Brett, but my situation requires that I have a dedicated server; that's why I am looking for virtualization strategies.


----------



## vivek (Jul 9, 2009)

Yes, set up a jail for each task and/or paying client. I run it as follows:

```
MySQL       - /jails/mysql
qmail       - /jails/qmail
example.com - /jails/example.com
example.net - /jails/example.net
bind9       - /jails/named
testing     - /jails/testing - for lighttpd / apache and what not..
```

Take a look at ezjail. It saves lots of disk space and automates everything for you: http://www.cyberciti.biz/faq/howto-setup-freebsd-jail-with-ezjail/ and also the FreeBSD jail chapter at http://www.freebsd.org/doc/en/books/handbook/jails.html


----------



## estrabd (Jul 9, 2009)

Brandwalla said:

> Thanks, Brett, but my situation requires I have a dedicated server, that's why I am looking for virtualization strategies.



I am not suggesting you use them, only that they seem to have done what you wish to do.

Cheers,
Brett


----------



## Brandwalla (Jul 10, 2009)

My apologies, Brett. You are right, it's pretty much what I want to do if I can get my head around the structure.


Vivek, are you using the same IP for jails/MySQL, jails/Postfix, etc? If so, how do they talk to one another?

I have 8 IPs to work with. Is my assumption correct that I would create each task bound to the same IP and running only the one process (e.g., MySQL), and a new IP number for each site with a full-blown userland?

In other words:

```
jails/Apache       75.22.33.11
jails/MySQL        75.22.33.11
jails/PHP          75.22.33.11
jails/Postfix      75.22.33.11

jails/example.com  75.22.33.12
jails/example.net  75.22.33.13
```

Or do you lump the tasks together:

```
jails/www  (Apache, PHP, MySQL)    75.22.33.11
jails/mail (Cyrus, Postfix, etc.)  75.22.33.11
```

I've been working with ezjail for about a day; very nice, very powerful.

Thank you again for your time and insight.
Bill


----------



## vivek (Jul 10, 2009)

You can use a single IP and use the pf firewall to redirect traffic between the jails and the host to the Internet using NAT.

You can assign a public IP to each jail, and then there is no need to use NAT. This is easy. Some services such as MySQL can work without a public IP.


----------



## Brandwalla (Jul 10, 2009)

Excellent, thanks for that. I'll give it a try, and I'm sure I'll have a question or two.


----------



## Brandwalla (Jul 31, 2009)

PF users, would you kindly take a look at my rules and see if these make sense? I'm new to PF, so not confident.

What I'm trying to do: run 3+ jailed services that talk to one another and to the outside world.

*Setup*

```
mailjail 10.0.0.15
apachejail 10.0.0.20
dbjail 10.0.0.25
client1 10.0.0.30
```
*ifconfig*

```
defaultrouter="x.x.x.11"
ifconfig_em0="inet x.x.x.12 netmask 255.255.255.248"
ifconfig_em0_alias0="inet x.x.x.13 netmask 255.255.255.255"
ifconfig_em0_alias1="inet x.x.x.14 netmask 255.255.255.255"
ifconfig_em0_alias2="inet x.x.x.15 netmask 255.255.255.255"
ifconfig_em0_alias3="inet x.x.x.16 netmask 255.255.255.255"
```

*My rules*

```
lan="em0"
lan_subnet="10.0.0.0/8"
lan_ip="10.0.0.10"
jailserver_ip="x.x.x.12/29"
nat on $lan inet proto { tcp, udp, icmp } from $jailserver_ip to $lan_subnet -> $lan_ip
```


Any comments or suggestions would be greatly appreciated.
Thanks!
Bill
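For comparison with the rules above, here is a worked pf.conf for the layout Bill describes (mailjail 10.0.0.15, apachejail 10.0.0.20, dbjail 10.0.0.25, client1 10.0.0.30, all behind the single public address x.x.x.12 that vivek's earlier reply suggests NATing). This is an added example, not rules posted by anyone in this thread. It assumes the jail addresses live on a cloned loopback interface lo1 (as wonslung mentions below), uses the nat/rdr syntax FreeBSD's pf had at the time, and keeps the x.x.x.12 placeholder from the post.

```pf
# /etc/pf.conf -- added example for the single-public-IP jail layout.
# Assumptions (not from the thread): jail addresses are configured on a
# cloned lo1, the host's public address x.x.x.12 sits on em0, and only
# web and mail are meant to be reachable from the Internet.
ext_if   = "em0"
ext_ip   = "x.x.x.12"
jail_net = "10.0.0.0/24"

mailjail   = "10.0.0.15"
apachejail = "10.0.0.20"
dbjail     = "10.0.0.25"
client1    = "10.0.0.30"

web_ports  = "{ 80, 443 }"
mail_ports = "{ 25, 143, 993 }"

# Outbound: every jail leaves through the host's one public address.
nat on $ext_if from $jail_net to any -> $ext_ip

# Inbound: publish web and mail on the public address and hand the
# connections to the right jail. Nothing is forwarded to dbjail.
rdr on $ext_if proto tcp from any to $ext_ip port $web_ports  -> $apachejail
rdr on $ext_if proto tcp from any to $ext_ip port $mail_ports -> $mailjail

# Default deny inbound, allow the host and jails to initiate outbound.
block in log all
pass out keep state

# Host-local loopback traffic (127.x) is allowed; lo0 is deliberately
# not skipped, because traffic between addresses the host owns is
# delivered over lo0 and would otherwise bypass the jail-to-jail rules.
pass in quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8

# After rdr the filter sees the jail address, so pass only what was
# redirected above (SYN-only match builds the state table).
pass in on $ext_if proto tcp from any to $apachejail port $web_ports  flags S/SA keep state
pass in on $ext_if proto tcp from any to $mailjail   port $mail_ports flags S/SA keep state

# Jail-to-jail: only the web jail may reach MySQL; web and the client
# jail may submit mail; everything else between jails hits the block.
pass in proto tcp from $apachejail            to $dbjail   port 3306 keep state
pass in proto tcp from { $apachejail, $client1 } to $mailjail port 25   keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` and `pfctl -s rules` show what was actually installed.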


----------



## wonslung (Sep 10, 2009)

Brandwalla said:

> PF users, would you kindly take a look at my rules and see if these make sense? I'm new to PF, so not confident.
> 
> What I'm trying to do: run 3+ jailed services that talk to one another and to the outside world.
> 
> ...



Did these rules work? I remember I tried this a while back and ran into problems... I ended up getting a public IP for each, but now on a new box I find myself with only a single IP.

I have a single interface and I've set up a cloned interface lo1 for the 10.0.0.1/24 subnet.

Thanks


----------

