This article describes how to set up a secure FreeBSD 6 system with Apache and Tomcat. It is just an example; feel free to deviate if you know what you are doing.
Work in progress: This document is work in progress and far from complete. Feedback is welcome at ernst@ernstdehaan.com.
When you have completed this guide successfully, you will have the following:
- a FreeBSD system that is partitioned into a host system and some virtual servers (jails);
- the host system running a production release of FreeBSD, with no networked services except ntpd and sshd;
- [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/sendmail.html sendmail] in a jail, only accepting incoming connections from the same machine;
- [http://httpd.apache.org Apache] 2.2.x in a jail, with HTTPS enabled;
- [http://tomcat.apache.org Tomcat] 6.0.x in a jail, running on the native JDK 1.5;
- Apache and Tomcat connected via [http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html mod_proxy_ajp].
Prerequisites
Basic knowledge of FreeBSD system administration is assumed. If you've never compiled and installed a FreeBSD kernel, this article may be hard to follow, since it does not provide all the necessary details. Study the [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ FreeBSD Handbook] first, especially [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html chapter 8: 'Configuring the FreeBSD kernel'].
Overview
Host versus jails
All services that listen on external network interfaces are contained within jails, except for sshd and ntpd, which run on the host. Each service has its own jail, bound to its own loopback alias:
- mailserver at 127.0.0.11 - runs sendmail;
- webserver at 127.0.0.20 - runs the Apache httpd, listening on port 8000 for HTTP connections and on port ???? for HTTPS connections;
- appserver at 127.0.0.21 - runs the Tomcat servlet container, listening on port ???? for AJP connections.
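A way to verify this split after the setup is done, as an added example that is not part of the original article: the script below parses the output of sockstat -4 -l on the host (FreeBSD column order USER, COMMAND, PID, FD, PROTO, LOCAL ADDRESS, FOREIGN ADDRESS) and reports every listening socket that is neither bound to one of the jail addresses above nor owned by sshd or ntpd. The sockstat output embedded in it is constructed for the example; on a real host pipe the live output into audit_listeners instead.

```shell
#!/bin/sh
# Audit of listening sockets on the jail host. Added example for this
# article, not code from the original page. Reads `sockstat -4 -l` output
# and flags anything that listens outside a jail and is not sshd or ntpd.

JAIL_ADDRS="127.0.0.11 127.0.0.20 127.0.0.21"   # mailserver, webserver, appserver
HOST_DAEMONS="sshd ntpd"                        # the only host services allowed

# audit_listeners: sockstat output on stdin; prints "COMMAND LOCAL_ADDRESS"
# for each finding and returns 1 if there was at least one, 0 otherwise.
audit_listeners() {
    awk -v jails="$JAIL_ADDRS" -v allowed="$HOST_DAEMONS" '
    BEGIN {
        n = split(jails, j, " ");   for (i = 1; i <= n; i++) jail[j[i]] = 1
        n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
        found = 0
    }
    NR == 1 { next }                                   # skip the header line
    {
        cmd = $2; local = $6
        addr = substr(local, 1, match(local, /:[^:]*$/) - 1)   # strip ":port"
        if (addr == "127.0.0.1" || addr in jail) next  # loopback only: harmless
        if (cmd in ok) next                            # permitted host daemon
        print cmd, local
        found = 1
    }
    END { exit found }'
}

# Constructed sample: sshd and ntpd on the host, sendmail and httpd in their
# jails, plus an rpcbind that should not be listening on the host at all.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
root     ntpd       455   20 udp4   *:123                 *:*
root     sendmail   600   3  tcp4   127.0.0.11:25         *:*
www      httpd      700   3  tcp4   127.0.0.20:8000       *:*
root     rpcbind    410   6  tcp4   *:111                 *:*'

# audit_sample: run the audit over the constructed sample. On a real host
# use `sockstat -4 -l | audit_listeners` instead.
audit_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_listeners
}

audit_sample || echo "-> listener(s) on the host outside a jail; move them into a jail or disable them"
```

Jailed daemons that bind to INADDR_ANY show up with the jail's address, because the kernel rewrites wildcard binds inside a jail to the jail's IP, so a socket on `*` or on the host's own address is by definition a host process.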
Software versions used
The setup described has been tested with the following software versions:
- [http://www.freebsd.org/ FreeBSD] 6.2p6 (amd64)
- [http://erdgeist.org/arts/software/ezjail/ ezjail] 2.0.1
- [http://httpd.apache.org Apache] 2.2.4
- [http://tomcat.apache.org/ Tomcat] 6.0.13
- [http://www.freebsdfoundation.org/downloads/java.shtml Diablo JDK] 1.5.0.07.01
Configure a host system
If you haven't done so already, set up a FreeBSD 6 system. Use the most recent supported errata fix branch. At the time of writing, this is RELENG_6_2; see the [http://www.freebsd.org/releng/ FreeBSD Release Engineering] page to determine the current one.
Secure configuration: If you want your system to be secure, make sure the configuration process itself is secure. Complete the configuration of the system before allowing any incoming connections, e.g. configure it while it is physically near your desk and disconnected from the Internet. This prevents the system from being compromised while it is still only partly configured.
Trim your kernel configuration to the minimum, excluding things like NFS. Install the new kernel in its own directory under /boot and boot it once with [http://www.freebsd.org/cgi/man.cgi?query=nextboot&sektion=8 nextboot(8)]; if it turns out to be unusable, the next reboot falls back to the default kernel.
Prepare for setting up jails
Install Apache
(Keep the modules to a minimum)
Install Tomcat
Connect Apache and Tomcat
Connect Apache to the network
Apache listens on the loopback alias 127.0.0.20, which is not reachable from the network. Incoming connections on the external network interface therefore have to be forwarded to that loopback address.
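The forwarding step above, written out for pf as an added example that is not part of the original article. The script generates a minimal pf.conf for the host: the public ports 80 and 443 are redirected to the Apache jail, the host itself only accepts ssh, and a helper lists what the rdr rules point at so you can check that nothing is forwarded to a host service. The external interface name em0 and the HTTPS port 8443 inside the jail are assumptions, since the article does not name the interface and leaves the HTTPS port unspecified.

```shell
#!/bin/sh
# pf ruleset for forwarding external HTTP/HTTPS into the webserver jail.
# Added example for this article, not code from the original page.
# Assumptions: external interface em0 (override with EXT_IF) and HTTPS
# port 8443 inside the jail (placeholder; the article does not specify it).

EXT_IF=${EXT_IF:-em0}
WEBJAIL=127.0.0.20       # Apache jail, a loopback alias on the host
HTTP_PORT=8000           # Apache HTTP port inside the jail (from the article)
HTTPS_PORT=8443          # placeholder: the article leaves this port open

# gen_pf_conf: write the ruleset to the file named in $1.
gen_pf_conf() {
    cat > "$1" <<EOF
# pf.conf for the jail host (generated example)
set skip on lo0
scrub in on $EXT_IF all

# Forward public HTTP/HTTPS to the Apache jail on its loopback address.
# Apache never binds to $EXT_IF; only the translated traffic reaches it.
rdr on $EXT_IF inet proto tcp from any to ($EXT_IF) port 80 -> $WEBJAIL port $HTTP_PORT
rdr on $EXT_IF inet proto tcp from any to ($EXT_IF) port 443 -> $WEBJAIL port $HTTPS_PORT

block in log on $EXT_IF all
pass out on $EXT_IF all keep state

# The host itself only accepts ssh; ntpd, as a client, needs no inbound rule.
pass in on $EXT_IF inet proto tcp from any to ($EXT_IF) port 22 flags S/SA keep state

# Translated web traffic: filter rules see the destination after rdr rewrote it.
pass in on $EXT_IF inet proto tcp from any to $WEBJAIL port { $HTTP_PORT, $HTTPS_PORT } flags S/SA keep state
EOF
}

# rdr_targets: print the distinct "address port" pairs that the rdr rules in
# $1 forward to. Every line must name a jail address, never the host.
rdr_targets() {
    awk '$1 == "rdr" { for (i = 1; i <= NF; i++) if ($i == "->") print $(i+1), $(i+3) }' "$1" | sort -u
}

# Stand-alone run: write the ruleset to $1 (default: a temporary file) and
# show the rdr targets. On the FreeBSD host, `pfctl -nf FILE` checks the
# syntax without loading it.
OUT=${1:-$(mktemp)}
gen_pf_conf "$OUT"
echo "wrote $OUT; rdr targets:"
rdr_targets "$OUT"
```

The jail address has to exist on the host before the rules make sense (ifconfig_lo0_alias0="inet 127.0.0.20 netmask 255.255.255.255" and pf_enable="YES" in rc.conf). Note that set skip on lo0 leaves traffic between the jails unfiltered, including the AJP connection from Apache to Tomcat; drop that line and add explicit pass rules on lo0 if you want to restrict what the jails may talk to.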
Resources
- [http://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/jail.html "The Jail Subsystem" - Chapter 4 in the FreeBSD Architecture Handbook]
- [http://www.freebsddiary.org/jail-6.php "Jails under FreeBSD 6" - Article at 'The FreeBSD Diary']
- [http://www.onlamp.com/lpt/a/6503 "Virtualization with FreeBSD Jails" - ONLamp (O'Reilly) article, discusses FreeBSD 5]
- [http://erdgeist.org/arts/software/ezjail/ ezjail homepage]
- [http://en.wikipedia.org/wiki/FreeBSD_jail Wikipedia article on FreeBSD jails]
- Man pages: [http://www.freebsd.org/cgi/man.cgi?query=jail&sektion=8 jail(8)], [http://www.freebsd.org/cgi/man.cgi?query=jls&sektion=8 jls(8)], [http://www.freebsd.org/cgi/man.cgi?query=jexec&sektion=8 jexec(8)], [http://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5 rc.conf(5)]