freebsd jail: web and database server config questions

krad kraduk at
Tue Oct 13 15:44:49 UTC 2009

2009/10/13 APseudoUtopia <apseudoutopia at>

> On Tue, Oct 13, 2009 at 9:51 AM, Dino Vliet <dino_vliet at> wrote:
> >
> > Dear FreeBSD people,
> >
> > To consolidate on resources I have configured a machine to run both a web
> > and database server (powering my database driven website).
> >
> > Due to security concerns I'm contemplating on introducing a jailed
> > environment on this machine and want to know if this would be feasible. I
> > have a few questions for the freebsd community regarding this approach and
> > hope someone would give me some advice.
> >
> > Is it advisable/wise/okay/clever to run a webserver on my host system and
> > a database server on my jailed system? The webserver will need to connect to
> > the database system on startup and update the database based on client
> > access.
>
> I would recommend either doing it the other way around (webserver
> inside the jail) or have both web and db inside separate jails.
> >
> > However, if a machine gets compromised, it would rather be the webserver,
> > therefore running the webserver in the jailed environment seems better to
> > me. But how could that be done, if the webserver requires to connect through
> > tcp/ip to the database server running on the host system? I thought that a
> > key-feature of a jailed system is that it can't access resources outside the
> > jail.
> >
> It *may* be possible to set your database software to listen on a unix
> socket inside the jail dir on the host. For example, if your webserver
> jail is in /usr/jails/httpd/ on the host, you may be able to have your
> database listen on a unix socket in, say, /usr/jails/httpd/tmp/.
> Inside the jail, you can point your web app to use the socket inside
> /tmp/. I'm not sure if this is possible as I never actually
> implemented it with my setup, but you can try.

You can do this, but only if the db is running on the host system. What
you are doing then is opening a big hole in the security of the system that
will potentially let someone attack the host OS via apache->mysql.

What I have done on some systems is jail the db and apache in separate
jails, and have a shared nullfs writable fs between them. Generally I found
it better to make the connection go over IP and heavily wrap it.

The added advantage of doing it over ip is that it keeps things separate,
and it is far easier to migrate one of the jails onto another box in the
future if you start running into capacity issues.

More information about the freebsd-questions mailing list
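
One way to restrict the IP path between two separate jails, as discussed in the reply above. This is an added example, not configuration from the thread: it assumes pf is the host firewall, and the jail addresses and the MySQL port are constructed values.

```conf
# /etc/pf.conf fragment on the jail host (added example).
# Assumed, constructed values: adjust to the addresses given to each jail.
web_jail = "10.0.0.2"    # address assigned to the Apache jail
db_jail  = "10.0.0.3"    # address assigned to the database jail
db_port  = "3306"        # MySQL default port

# Do not add "set skip on lo0" to this ruleset: traffic between two jails on
# the same host is normally delivered over loopback, and skipping that
# interface would bypass every rule below. The rules name no interface so
# they match wherever the packets appear.

# The web jail may open connections to the database port and nothing else
# on the database jail.
pass  quick inet proto tcp from $web_jail to $db_jail port $db_port flags S/SA keep state
block drop log quick inet from $web_jail to $db_jail

# Nobody else may reach the database port.
block drop log quick inet proto tcp from any to $db_jail port $db_port

# The database jail never needs to initiate connections to the web jail;
# replies to the web jail's connections are covered by the state entry above.
block drop log quick inet from $db_jail to $web_jail
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. The database inside its jail should also listen only on the jail's own address and accept only an account limited to the web application's schema, so the firewall is not the sole control.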