This article describes how to setup a secure FreeBSD 6 system with Apache and Tomcat. It's just an example, feel free to deviate, if you know what you're doing.
Work in progressBRThis document is work in progress and far from complete. Feedback is welcome at ernst@ernstdehaan.com.
When you successfully completed this guide, you will have the following installed:
- a host system running a production release of FreeBSD, with all networked services in jails
Apache 2.2.x in a jail, with HTTPS enabled, linked with the Tomcat installation
Tomcat 6.10.x in a jail, running inside the native JDK 1.5
Apache and Tomcat connected via [http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html mod_proxy_ajp]
Prerequisites
Base knowledge of FreeBSD system administration is assumed. If you've never compiled and installed a FreeBSD kernel, this article may be hard to follow, since it does not provide all the necessary details. Study the [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ FreeBSD Handbook] first.
Overview
Host versus jails
All services that listen on external network interfaces are contained within jails, except for sshd. Each service has it's own jail:
mailserver at 127.0.0.11 - runs sendmail;
webserver at 127.0.0.20 - contains the Apache httpd, listening on port 8000 for HTTP connections and on port ???? for HTTPS connections;
appserver at 127.0.0.21 - contains the Tomcat web server, listening on port ???? for AJP connections;
Software versions used
The setup described has been tested with the following software versions:
[http://www.freebsd.org/ FreeBSD] 6.2p6 (amd64)
[http://erdgeist.org/arts/software/ezjail/ ezjail] 2.0.1
[http://httpd.apache.org Apache] 2.2.4
[http://tomcat.apache.org/ Tomcat] 6.0.13
[http://www.freebsdfoundation.org/downloads/java.shtml Diablo JDK] 1.5.0.07.01
Configure a host system
If you haven't done so already, setup a FreeBSD 6 system. Use the most recent supported errata fix branch. At the time of writing, this is 6_2_RELENG. See: [http://www.freebsd.org/releng/ FreeBSD Release Engineering].
![/!\](/moin_static1911/modern/img/alert.png "/!\")
Secure configurationBRIf you want your system to be secure, make sure your configuration process is also secure. Consider completing the configuration of the system before allowing any incoming connections. This avoids that your system is compromised while being temporarily misconfigured.
Trim your kernel configuration to the minimum, excluding things like NFS. Test it with [http://www.freebsd.org/cgi/man.cgi?query=nextboot&sektion=8 nextboot(8)].
Prepare for setting up jails
Install Apache
(Keep the modules to a minimum)
Install Tomcat
Connect Apache and Tomcat
Connect Apache to the network
Resources
[http://www.freebsddiary.org/jail-6.php "Jails under FreeBSD 6" - Article at 'The FreeBSD Diary']
[http://www.onlamp.com/lpt/a/6503 "Virtualization with FreeBSD Jails" - ONLamp (O'Reilly) article, discusses FreeBSD 5]
[http://erdgeist.org/arts/software/ezjail/ ezjail homepage]
[http://en.wikipedia.org/wiki/FreeBSD_jail Wikipedia article on FreeBSD jails]
Man pages: [http://www.freebsd.org/cgi/man.cgi?query=jail&sektion=8 jail(8)] [http://www.freebsd.org/cgi/man.cgi?query=jls&sektion=8 jls(8)] [http://www.freebsd.org/cgi/man.cgi?query=jexec&sektion=8 jexec(8)] [http://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5 rc.conf(5)]