RE: Jails and loopback interfaces




I recently did something like this. I have a webserver in a jail that
needs to talk to a database, and the webserver is the only thing that
should talk to the database.

My solution was to use 2 jails: one for the webserver, and another for the
database.

Jail 1:
* runs webserver
* binds to real interface with real, routable IP

Jail 2:
* runs database server
* binds to loopback interface, isn't directly reachable from outside the box

Just to clarify that for me: you did set up this layout, or you
tried to set up this? As I read it, I understand that you did!

I tried exactly the same, but currently jails are bound to the specific
IP address assigned to them, so I wonder how the webserver on a real
IP address can communicate with the database bound to the loopback IP?
If you could kindly tell how you solved this issue (we're using 6.1).

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"


