Operating Systems Solaris Setting up a DMZ webserver using Zones Post 302353409 by in2deep on Tuesday 15th of September 2009 09:39:35 AM
Setting up a DMZ webserver using Zones

I've been looking at various articles about Zones/Containers, from SUN's website, and through numerous Google searches, and although there's a lot of info out there, I've not got a definitive answer for what I'd like to do.....so here we go.....

I'm installing a webserver, which is sitting on a DMZ port, so can be accessed from anywhere on the 'net. I've configured all the filesystems for various user groups, and now have a nicely patched Solaris 10 5/09 system.

What I'd like to do is to drop a couple (or more) of the filesystems into their own non-global zone each, where they'll be running an instance of the web server, and serving a number of users who will be maintaining their own websites within the zone.

I'd ideally like the overall URL to stay the same, with only a port number change to distinguish the website groups from each other, for example:

http://xyz.com:80 (Group 1's sites, zone 1, filesystem 1)
http://xyz.com:81 (Group 2's sites, zone 2, filesystem 2)
http://xyz.com:82 (Group 3's sites, zone 3, filesystem 3)

The global zone will host the main web server, with each zone's web process just running enough to operate its own server.

Users will login to their own zone, and will not be able to login elsewhere (I know this can be done by maintaining /etc/passwd and /etc/shadow files per zone, so a user isn't recognised in the other zones).

My questions are:

1) - Is it feasible / possible to run the above setup, with keeping the URL the same across each zone, and just changing the port each time?

2) - When a user logs in, will they have to login to the global zone, and then use zlogin to connect to their specific non-global zone?

3) - (Similar to (2)) - Can users login directly to their zone from a remote system, or do they have to come in via the global zone?

4) - Does each zone have to have its own IP address? If so, is this internal to the server, or is it external?

At the moment, the global zone has been allocated an IP address for the DMZ. If each zone needs its own unique external address, this could be a problem (limited availability on our network) - better solution would be some form of internal NAT on the server to forward login requests to the relevant zone, if possible???

Quite a lengthy "query", but I've not yet found anything specific to the above setup. I did find something on setting up a similar system using 2 NICs, but I only have the 1.

Thanks in advance....

Last edited by in2deep; 09-15-2009 at 11:21 AM..
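
The per-zone /etc/passwd separation mentioned in the post can be audited from the global zone, where each non-global zone's files are visible under `<zonepath>/root/etc/`. The following is an added example, not part of the original post: it flags login-capable accounts that exist in more than one zone. Zone names, users and the UID threshold are constructed assumptions, and it reads passwd only, not shadow lock status.

```python
# Added example: find accounts that could log in to more than one zone.
# All zone names, users and UIDs below are constructed sample data.
from collections import defaultdict

NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
MIN_HUMAN_UID = 100  # assumption: system accounts sit below this UID


def login_accounts(passwd_text):
    """Return {username: uid} for entries with a human UID and a real shell."""
    accounts = {}
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed entry: skip rather than guess
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid >= MIN_HUMAN_UID and shell not in NOLOGIN_SHELLS:
            accounts[name] = uid
    return accounts


def shared_accounts(zone_passwd):
    """Map each username present in more than one zone to its sorted zone list."""
    seen = defaultdict(set)
    for zone, text in zone_passwd.items():
        for name in login_accounts(text):
            seen[name].add(zone)
    return {name: sorted(zones) for name, zones in seen.items() if len(zones) > 1}


# Constructed sample: contents of <zonepath>/root/etc/passwd for three zones.
SAMPLE = {
    "zone1": "root:x:0:0:Super-User:/:/sbin/sh\n"
             "alice:x:1001:100::/export/home/alice:/bin/ksh\n",
    "zone2": "root:x:0:0:Super-User:/:/sbin/sh\n"
             "bob:x:1002:100::/export/home/bob:/bin/ksh\n"
             "alice:x:1001:100::/export/home/alice:/bin/ksh\n",
    "zone3": "root:x:0:0:Super-User:/:/sbin/sh\n"
             "carol:x:1003:100::/export/home/carol:/bin/false\n",
}

if __name__ == "__main__":
    for user, zones in shared_accounts(SAMPLE).items():
        print(f"{user} can log in to: {', '.join(zones)}")
```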
 
