Has anybody located their root website on a filer and mounted it via NFS to their webserver?
I don't believe it would need "root=" permissions. I'm considering this possibility but am curious about the security considerations. I.e., we'd have to open the NFS port through our firewall to the DMZ to allow the NFS mount. How secure is the NFS port in ONTAP?
Thanks
-Bob
On Tue, 18 Mar 2003, Robert Borowicz wrote:
> Has anybody located their root website on a filer and mounted it via NFS to their webserver?
DocumentRoot, yes. ServerRoot, no.
Having content files on the filer works great. We have a directory structure something like this:
    .../www/
      |
      + virtual.host.com/
      |   |
      |   - public_html/
      |   - cgi-bin/
      |   - ...
      + another.virtual.host/
          |
          - blah blah blah
> I don't believe it would need "root=" permissions.
Nope.
--Paul Heinlein heinlein@cse.ogi.edu
The filer should live on your DMZ :) No holes through firewalls to worry about. In fact, it should be on a private VLAN that only your web server(s) can see.
/Brian/
On Tue, 2003-03-18 at 16:09, Robert Borowicz wrote:
> Has anybody located their root website on a filer and mounted it via NFS to their webserver?
> I don't believe it would need "root=" permissions. I'm considering this possibility but am curious about the security considerations. I.e., we'd have to open the NFS port through our firewall to the DMZ to allow the NFS mount. How secure is the NFS port in ONTAP?
> Thanks
> -Bob
On Wed, 19 Mar 2003, Brian Long wrote:
:=The filer should live on your DMZ :) No holes through firewalls to
:=worry about. In fact, it should be on a private VLAN that only your web
:=server(s) can see.
Also, if it is necessary to have boxes inside your firewall access the filer, you can put in another Ethernet card and have an interface on the DMZ and one inside the trusted network. Since the filer doesn't route packets, the practical worry is greatly minimized.
I'd also deny any NFS traffic through the firewall, and any traffic, period, to the filer that doesn't come from inside the DMZ, as well as keeping a very tight lock on the exports file on the filer (including not exporting vol0 to anything inside the DMZ).
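
Added example, not part of the original thread or written by any of its participants: a small audit of a filer exports file against the rules suggested above (no vol0 export to DMZ hosts, no "root=" for the web servers, no unrestricted exports, no unexpected clients). It assumes export lines of the form "path -opt=host1:host2,opt"; the host names, volume paths and sample file are constructed.

```python
# Added example: audit filer exports against the advice in this thread.
# Assumes "path -opt=host1:host2,opt" export lines; all names below are constructed.
ALLOWED_CLIENTS = {"web1", "web2"}  # hypothetical DMZ web servers
ACCESS_OPTS = ("rw", "ro", "access")

SAMPLE_EXPORTS = """\
# constructed sample, not taken from the thread
/vol/vol0        -access=web1:adminhost,root=adminhost
/vol/www         -ro=web1:web2
/vol/www/upload  -rw=web1:web2,root=web1
/vol/scratch     -rw
/vol/logs        -rw=web1:10.9.8.7
"""

def parse_exports(text):
    """Yield (path, {option: [hosts]}) for each non-comment export line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if not fields:
            continue
        optstr = fields[1].strip().lstrip("-") if len(fields) > 1 else ""
        opts = {}
        for item in filter(None, optstr.split(",")):
            name, _, hosts = item.strip().partition("=")
            opts[name] = hosts.split(":") if hosts else []
        yield fields[0], opts

def audit(text, allowed=ALLOWED_CLIENTS):
    """Return (path, finding) pairs for exports that break the thread's rules."""
    findings = []
    for path, opts in parse_exports(text):
        named = {h for k in ACCESS_OPTS + ("root",) for h in opts.get(k, [])}
        # No host list on any access option means every client may mount it.
        is_open = not any(k in opts for k in ACCESS_OPTS) or any(
            opts.get(k) == [] for k in ACCESS_OPTS)
        is_vol0 = path == "/vol/vol0" or path.startswith("/vol/vol0/")
        if is_open:
            findings.append((path, "open-export"))
        if is_vol0 and named & allowed:
            findings.append((path, "vol0-to-dmz"))
        if set(opts.get("root", [])) & allowed:
            findings.append((path, "root-to-dmz"))
        if not is_vol0 and named - allowed:
            findings.append((path, "unexpected-client"))
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_EXPORTS):
        print(f"{finding:18} {path}")
```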