Information on Setting up a Jailed Webserver

krad kraduk at googlemail.com
Sat Aug 29 13:26:21 UTC 2009


2009/8/28 Ruben de Groot <mail25 at bzerk.org>

> On Thu, Aug 27, 2009 at 12:28:26PM -0400, APseudoUtopia typed:
> > Two more questions then I should be ready to go with my jail(s).
> >
> > In order to minimize the HDD space of the jail, can I add things in my
> > src.conf such as
> > WITHOUT_BOOT, WITHOUT_ACPI, WITHOUT_PF?
>
> Yes you can. Another option is to use read-only nullfs mounts for e.g.
> /usr, /lib, /sbin, /bin to populate the jail. That will cost you no HDD
> space at all.
> The ezjail port, already mentioned, can more or less automate this.
>
> > I do use pf on the host system, but it isn't needed inside the jail as
> > well, correct?
>
> Rather, it's not possible to use inside a standard (non-vimage) jail.
> There's only one network stack.
>
> > Also, is it possible to compile a port (specifically nginx) inside the
> > host, then simply cp it into the jail and run it? I'd like to do this
> > to avoid installing a compiler into the jail itself.
>
> make package-recursive
>
> Ruben
>
> > Thanks again for the help.
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>


I've not seen all this post so sorry if this has been mentioned before.
Apache has a module called mod_jail; that means (I'm pretty sure) you don't
have to build the full jail environment. I've not looked at it in detail but
it's probably worth looking at before you start hacking around with full
jails.


http://www.freebsdsoftware.org/www/mod_jail.html
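
The read-only nullfs suggestion quoted above, as an added example that is not part of the original thread: one function emits fstab(5) lines that null-mount the named host directories read-only into a jail, and a second audits an fstab for nullfs entries that were left writable. The jail root `/usr/jails/www` and both function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). JAIL_DIRS lists the directories
# named in the quoted reply; the jail root passed in is an assumption.

JAIL_DIRS="/usr /lib /sbin /bin"

# jail_nullfs_fstab <jail-root>
# Print one read-only nullfs fstab line per directory in JAIL_DIRS.
jail_nullfs_fstab() {
    root=${1%/}                       # drop a trailing slash
    case $root in
        /?*) ;;                       # absolute path other than "/"
        *) echo "jail root must be an absolute path" >&2; return 1 ;;
    esac
    for dir in $JAIL_DIRS; do
        printf '%s\t%s%s\tnullfs\tro\t0\t0\n' "$dir" "$root" "$dir"
    done
}

# audit_nullfs_ro
# Read fstab text on stdin. Print the mount point of every nullfs entry
# whose option list lacks "ro"; return non-zero if any were found.
# A writable nullfs mount would let a process inside the jail modify
# the host's own binaries and libraries.
audit_nullfs_ro() {
    awk '
        /^[ \t]*(#|$)/ { next }       # skip comments and blank lines
        $3 == "nullfs" {
            n = split($4, opts, ","); ro = 0
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if (!ro) { print $2; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Stand-alone use: show the generated lines for the assumed jail root.
jail_nullfs_fstab /usr/jails/www
```

The generated lines would go into the fstab file that the jail's startup configuration mounts; piping that file through `audit_nullfs_ro` afterwards confirms none of the shared directories became writable.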

