

Securing an HTTPS server - cperciva
http://www.daemonology.net/blog/2009-09-28-securing-https.html

======
fsniper
Encapsulating parts in their jails is a good security measure. But this is not
anything related to securing the SSL. It's about securing your system. But
giving a "my CGIs are secure but I can't believe in Apache's security"
thought to your customers is not the correct way, I think. I can't find any
statistics right now but AFAIK security breach sources are mostly not the
servers but user applications running over them.

~~~
cperciva
_But this is not anything related to securing the SSL. It's about securing
your system._

Nonsense. This configuration both keeps other parts of my system safe from
bugs in OpenSSL _and_ keeps the SSL certificate safe from bugs in Apache.

_I can't find any statistics right now but AFAIK security breach sources are
mostly not the servers but user applications running over them._

Quite true, in general. But in my particular case I have far more confidence
in my (very simple) CGI scripts than I have in Apache.
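
One way to realize the separation cperciva describes above (a TLS terminator that alone holds the certificate key, and Apache with its CGI scripts in a second jail that has no route from the outside), written here as an added example rather than the configuration from the linked post; the jail names, addresses, paths and the choice of stunnel as the terminator are all assumptions.

```conf
# /etc/jail.conf on the FreeBSD host (constructed example; names, addresses
# and paths are assumptions, not the configuration from the linked post)
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/jails/$name";
host.hostname = "$name.example.org";

# Jail 1: TLS termination only. This filesystem is the only place the
# certificate's private key exists, so a bug in Apache or a CGI script
# (which live in the www jail) cannot read it.
ssl {
    ip4.addr  = "em0|203.0.113.10";    # public address, listens on 443
    ip4.addr += "lo0|127.0.1.1";       # loopback alias used to reach www
}

# Jail 2: Apache plus the CGI scripts. It has only a loopback alias, so it is
# unreachable from the network except through the ssl jail, and a bug in
# OpenSSL (running in the ssl jail) cannot touch this filesystem.
www {
    ip4.addr = "lo0|127.0.1.2";
}

# /jails/ssl/usr/local/etc/stunnel/stunnel.conf (inside the ssl jail)
cert   = /etc/ssl/server.crt
key    = /etc/ssl/server.key     ; root-owned, mode 0400, present in ssl only
setuid = stunnel                 ; drop root after the key is loaded
setgid = stunnel
[https]
accept  = 203.0.113.10:443       ; TLS from clients
connect = 127.0.1.2:80           ; plaintext to Apache in the www jail

# /jails/www/usr/local/etc/apache22/httpd.conf (inside the www jail)
Listen 127.0.1.2:80              # never bind the public address here
```

After bringing the jails up, confirm that no copy of server.key exists anywhere under /jails/www and that `sockstat -4l` run inside the www jail shows httpd bound only to 127.0.1.2:80.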

~~~
Davertron
I would add that there are more than likely far more people trying to exploit
Apache than are trying to exploit your particular CGI scripts :)

~~~
tptacek
The opposite is true.

------
tptacek
I think this is overkill, and add that a vulnerability that this FreeBSD jail
setup would stop would be page 1 "the Internet is broken" news; hundreds of
millions of dollars of transactions every day rely on there _not_ being system
integrity flaws in OpenSSL.

That doesn't make Colin crazy; it just makes this not general-purpose advice.

~~~
cperciva
_a vulnerability that this FreeBSD jail setup would stop would be page 1 "the
Internet is broken" news_

Not true. There have been potential code execution bugs in OpenSSL which have
received very little attention in the past. One which comes to mind is a 'free
an arbitrary pointer' bug -- in an application like Apache, if you can free
the right pointer, it's not hard to get code execution. (I didn't produce an
exploit for this OpenSSL bug, so it's possible that it was unexploitable for
some reason -- I just saw 'bogus pointer being freed' and said 'wow, this
really needs to be fixed'.)

_That doesn't make Colin crazy_

Thanks, I think.

_it just makes this not general-purpose advice._

This is an easy step to take, and prevents a class of attacks. Why not err on
the side of caution?

------
artificer
Nice setup. I've got a similar one on a server: each daemon runs in its own
jail. Each jail is created from a cloned ZFS "base" jail filesystem, so it
doesn't take any additional space (except each jail's installed packages),
plus there are all the nice ZFS goodies (snapshots, etc.). There is one
package-building jail. Every HTTP request is served from a jail running
Varnish, which serves as a caching front-end to all the other HTTP daemons in
each jail.

