freebsd jail: web and database server config questions

APseudoUtopia apseudoutopia at gmail.com
Tue Oct 13 15:38:06 UTC 2009


On Tue, Oct 13, 2009 at 9:51 AM, Dino Vliet <dino_vliet at yahoo.com> wrote:
>
> Dear Freebsd people,
>
> To consolidate resources I have configured a machine to run both a web and a database server (powering my database-driven website).
>
> Due to security concerns I'm contemplating introducing a jailed environment on this machine and want to know if this would be feasible. I have a few questions for the FreeBSD community regarding this approach and hope someone will give me some advice.
>
> Is it advisable/wise/okay/clever to run a webserver on my host system and a database server on my jailed system? The webserver will need to connect to the database system on startup and update the database based on client access.

I would recommend either doing it the other way around (webserver
inside the jail) or have both web and db inside separate jails.

>
> However, if a machine gets compromised, it would rather be the webserver, therefore running the webserver in the jailed environment seems better to me. But how could that be done, if the webserver needs to connect through TCP/IP to the database server running on the host system? I thought that a key feature of a jailed system is that it can't access resources outside the jail.
>

It *may* be possible to set your database software to listen on a unix
socket inside the jail dir on the host. For example, if your webserver
jail is in /usr/jails/httpd/ on the host, you may be able to have your
database listen on a unix socket in, say, /usr/jails/httpd/tmp/.
Inside the jail, you can point your web app to use the socket inside
/tmp/. I'm not sure if this is possible as I never actually
implemented it with my setup, but you can try.
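The socket-in-the-jail-tree arrangement described above, written out as configuration. This is an added example, not something posted in the thread. It assumes the jail root /usr/jails/httpd from the reply, PostgreSQL as the database (the thread never names one; a MySQL equivalent is sketched at the end), and made-up names webdb and webapp for the database and role. The same host directory is /usr/jails/httpd/tmp on the host and /tmp inside the jail, which is the whole trick: a Unix socket is just a filesystem object, so the jail can connect to it without any TCP path out of the jail.

```ini
# --- Host side: postgresql.conf (assumed location /usr/local/pgsql/data/) ---
# Disable the TCP listener entirely; the Unix socket becomes the only way in.
listen_addresses = ''

# Create the socket inside the jail's root so the jail can see it.
# Host path /usr/jails/httpd/tmp == /tmp inside the jail (jail root assumed).
# PostgreSQL 9.3+ spells this unix_socket_directories; 8.x through 9.2 use the
# singular unix_socket_directory with the same value.
unix_socket_directories = '/usr/jails/httpd/tmp'

# Restrict who may open the socket: owned by the host's postgres group and
# group-accessible only (value is octal). The directory must exist and be
# writable by the postgres user on the host before the server starts.
unix_socket_group = 'postgres'
unix_socket_permissions = 0770

# --- Host side: pg_hba.conf ---
# "local" rules govern Unix-socket connections. A compromised web jail can
# reach this socket, so never use "trust", and prefer a password method over
# peer/ident: uid-to-name mapping between jail and host is not something to
# hang authentication on. Use scram-sha-256 instead of md5 on PostgreSQL 10+.
# TYPE  DATABASE   USER       METHOD
local   webdb      webapp     md5

# --- Jail side: the web application's libpq connection string ---
# A "host" that starts with "/" means "the Unix socket in this directory";
# /tmp here is /usr/jails/httpd/tmp on the host. Names are assumed.
#   host=/tmp port=5432 dbname=webdb user=webapp password=...

# --- MySQL equivalent, if that is the database in use ---
# [mysqld] on the host:
#   skip-networking
#   socket = /usr/jails/httpd/tmp/mysql.sock
# [client] inside the jail:
#   socket = /tmp/mysql.sock
```

Two practical points. First, /tmp is a poor choice of directory for the socket: it is world-writable, so root inside the jail can remove or replace files there, and a jail whose rc.conf sets clear_tmp_enable="YES" will wipe /tmp, socket included, every time the jail starts. A dedicated directory such as /usr/jails/httpd/var/run/pgsql, created on the host, owned by the database user and not world-writable, avoids both problems; then point unix_socket_directories at it and host= at the matching in-jail path. Second, this only replaces the network path; the jailed web application still holds valid database credentials, so the database role it uses should have no more than the privileges the application actually needs.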


More information about the freebsd-questions mailing list