to jail or not to jail

Dave Cottlehuber dch at
Sun Jun 2 07:20:38 UTC 2019

On Sun, 2 Jun 2019, at 00:34, David Mehler wrote:
> Hello,
> I've got a newly installed FreeBSD 12 vps. It's going to be running a
> web server/php hosting multiple sites, with letsencrypt tls
> certificates for each. It's also going to be running an email server,
> postfix, dovecot, rspamd, mysql database backend, again with the same
> letsencrypt tls certificates. Previously I've had all this on one
> host.
> What I'm wondering is if I should jail off these services, I've got a
> zfs setup, still trying to wrap my head around that, and am wondering
> should I run the database in one jail, the webserver/php in another
> jail, and the email server in a third jail? If I do this how would I
> get the tls certificates in to each jail, I'm looking for the maximum
> automation.

My approach has been to jail all the things, and run haproxy & do TLS
stripping within that. I then redirect traffic into the appropriate app jail
based on either HTTP host headers (HTTPS only) or SNI fields (generic
TLS wrapped TCP services). This gives me one place to open to the
internet, with very nice logging and internal stats, and only 1 place
to update TLS certificates with Let's Encrypt.

I also look after a few more complicated setups, where we use wildcard
ACME generated certs (DNS-01 auth) and ansible fiddles with
the DNS, then propagates the new certificates to all the cluster
nodes that need it. IMO this is the nicest of all the setups, but it
is somewhat more complicated.
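
The single-entry-point layout described in the reply above, sketched as an haproxy configuration. This is an added example, not part of the original post and not the poster's own configuration; the hostnames, jail addresses and certificate directory are constructed placeholders.

```haproxy
# Added example: hostnames, jail addresses and paths are constructed placeholders.
global
    log /var/run/log local0
    # Refuse legacy protocol versions at the one internet-facing listener.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log     global
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# HTTPS: terminate TLS here, then route on the HTTP Host header.
frontend https_in
    mode http
    option httplog
    # A directory argument loads every PEM in it; SNI selects the certificate.
    bind :443 ssl crt /usr/local/etc/haproxy/certs/
    http-request set-header X-Forwarded-Proto https
    use_backend web_site_a if { hdr(host) -i site-a.example.org }
    use_backend web_site_b if { hdr(host) -i site-b.example.org }
    # No default_backend: requests for unknown hosts get a 503 from haproxy.

backend web_site_a
    mode http
    server web_a 10.0.0.11:80 check

backend web_site_b
    mode http
    server web_b 10.0.0.12:80 check

# Generic TLS-wrapped TCP (IMAPS here): terminate TLS, route on the SNI name.
frontend imaps_in
    mode tcp
    option tcplog
    bind :993 ssl crt /usr/local/etc/haproxy/certs/
    use_backend mail_imap if { ssl_fc_sni -i mail.example.org }

backend mail_imap
    mode tcp
    # Plaintext past this point: the mail jail should accept port 143
    # only from the proxy jail's address.
    server mail 10.0.0.21:143 check
```

Running `haproxy -c -f` against the file checks the syntax before a reload. Because traffic between the proxy jail and the app jails is unencrypted, the backend ports should be reachable only on the internal jail network.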

