chroot vs virtual machine for web server?

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Sun Jul 11 20:56:29 UTC 2004


On Sun, 11.07.2004 at 21:22, Wayne Stidolph wrote:

> I want to transfer my web serving (small static pages) from an
> internal server to my firewall machine, to cut down on the number of
> computers running in my SOHO; but I'd like to stay reasonably secure
> :) So, I'm thinking I need to run httpd in a chroot, or a user-mode
> virtual machine. But which?

From the information given it is hard to say whether putting your
webserver and content into a "sandbox" would be a bit of overkill. Though
attention to security aspects is never wrong.

As you say you have only static web content, I don't think there is much
need to make your life harder by implementing a chrooted Apache or a
system inside a host system with UML. Is it home hobby hosting or home
office hosting you are doing? If you have no sensitive data on the
border machine and no scripting languages active for the web site, I
would think keeping both eyes on Apache security issues (reading
bugtraq) and keeping the system always up to date is enough to run it
normally.

> I have read about chroot and about UML, but haven't actually set up
> either and am uncertain about the security/performance/maintenance
> tradeoffs between them. I've done some searching for a
> discussion/guidance around anywhere on which way to proceed,
> particularly on FC2, but so far haven't been successful.

For running UML you will need to compile your kernel with support for
it. The Fedora kernel has no support for UML. Comparing chroot and UML,
the former is simpler and the latter more powerful, because it is not
limited to the Apache processes.

Actually I am myself experimenting with UML (trying to apply the SKAS
patch to the FC2 kernel) and am looking forward to seeing how the
performance will be. Meanwhile I have heard something bad about UML in
this respect and was pointed to Linux-VServer http://www.linux-vserver.org.

Here are Apache2 chroot howtos:
1) http://www.haught.org/freebsdapache.php
2) http://www.cgisecurity.com/webservers/apache/chrootapache2-howto.html

> Wayne Stidolph wayne _dot_ stidolph _at_ gmail _dot_ com

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) on Athlon CPU kernel 2.6.6-1.435.2.3 
Serendipity 22:39:24 up 4 days, 4:47, load average: 0.51, 0.66, 0.63 
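The jail-building step behind both of the Apache chroot howtos linked above, as an added shell example that is not part of the original message or of either howto: copy a binary and the shared libraries ldd reports for it into the chroot tree, then audit the tree for the things that undermine a chroot in practice. It assumes a Linux host with ldd, find and cp in PATH, and uses /bin/sh as the jailed binary purely as a stand-in for httpd. One caveat a practitioner would want alongside the howtos: chroot(2) is not a boundary for root. httpd typically starts as root to bind port 80 and then runs its worker children as the unprivileged User/Group from its config, and nothing setuid or world-writable should live inside the tree, which is what the audit function checks.

```shell
#!/bin/sh
# Added example, not from the original post or the linked howtos: populate a
# minimal chroot with one binary plus the shared libraries ldd reports for
# it, then audit the tree for files that would weaken the jail. Assumes a
# Linux host with ldd, find and cp in PATH; the jail directory is the
# caller's choice. /bin/sh stands in for httpd.
set -eu
umask 022   # new directories and files in the jail come out 755/644

# copy_with_deps BIN ROOT
# Copy BIN into ROOT under its original path, then every shared object ldd
# lists for it. ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)"
# or "/lib64/ld-linux-x86-64.so.2 (0x...)", so any field starting with "/"
# is a file we need. Plain cp follows symlinks (the jail gets real files)
# and clears setuid/setgid bits on the copies, which is what we want here.
copy_with_deps() {
    bin=$1
    root=$2
    mkdir -p "$root$(dirname "$bin")"
    cp "$bin" "$root$bin"
    # A statically linked binary makes ldd fail; the pipeline then copies
    # nothing further, which is correct.
    ldd "$bin" 2>/dev/null |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        [ -e "$lib" ] || continue
        mkdir -p "$root$(dirname "$lib")"
        cp "$lib" "$root$lib"
    done
}

# audit_chroot ROOT
# A chroot only confines an unprivileged process: root inside it can break
# out, and a setuid binary inside it is a ready-made escalation path.
# Succeed only if the tree holds no setuid/setgid files and nothing
# world-writable. Symlinks are skipped because their mode bits are
# meaningless.
audit_chroot() {
    root=$1
    bad=$(find "$root" ! -type l \
            \( -perm -4000 -o -perm -2000 -o -perm -002 \) | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ]
}

# Demonstration: jail /bin/sh in a scratch directory, audit it, clean up.
# Actually entering it (chroot "$jail" /bin/sh) needs root; the service
# started that way must switch to an unprivileged user right afterwards.
jail=$(mktemp -d)
copy_with_deps /bin/sh "$jail"
if audit_chroot "$jail"; then
    echo "jail at $jail passed audit"
fi
rm -rf "$jail"
```

The audit is deliberately strict: a static site needs no setuid helpers inside the jail at all, so any hit is a mistake in how the tree was populated rather than something to whitelist.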