> That if the machine gets exploited, the attacker can't do much with it because
> it isn't allowed to make outbound connections, and incoming connections only
> via the "real" webserver that forwards the request.
Yep, setting up a reverse proxy with nginx or lighttpd can be a solution. All Etch
hosts are already running on VMware ESX, so it's just a matter of setting up this
reverse proxy.

We can upgrade to Lenny, use my PHP4 package, add a reverse proxy in front and use
private address space to communicate with Apache2/PHP4.

OpenVZ will add too much complexity (especially interfaces, etc.) and will also add
memory overhead (loading another libc, etc.). Then you need to monitor both, back up
both, maintain both, etc.

In terms of isolation I prefer VMware, KVM or Xen; then adding mod_security to
Apache2 and grsecurity to the kernel can help circumvent most of the exploits used
to gain root.
Best Regards,
Guy
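As an added illustration of the setup described above (a reverse proxy in front of the legacy Apache2/PHP4 VM, talking to it only over private address space), not a configuration from the original thread: an nginx server block that forwards to a backend on an assumed private address, 10.0.0.10, under an assumed hostname legacy.example.org.

```nginx
# Constructed example: nginx reverse proxy in front of the Etch Apache2/PHP4 VM.
# Assumed addresses: this proxy is the only public-facing host; the backend VM
# sits at 10.0.0.10 on a private vSwitch with no default route to the Internet,
# so the exploited box can neither be reached directly nor call out.
upstream php4_backend {
    server 10.0.0.10:80;          # Apache2/PHP4 binds only to the private address
}

server {
    listen 80;
    server_name legacy.example.org;   # assumed hostname

    # Keep oversized uploads away from the old PHP4 stack.
    client_max_body_size 8m;

    location / {
        proxy_pass http://php4_backend;

        # Preserve the original Host and client address for the backend logs.
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Fail fast if the backend VM is down rather than holding connections.
        proxy_connect_timeout 5s;
        proxy_read_timeout    60s;

        # Serve our own error pages instead of leaking backend (PHP4) error output.
        proxy_intercept_errors on;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/proxy-errors;   # assumed path holding a static 50x.html
        internal;
    }
}
```

On the backend, Apache2 should `Listen 10.0.0.10:80` only, and the VM's firewall should default to dropping outbound traffic, which is what gives the "can't do much with it" property the quoted message asks for.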