Mailinglist Archive: opensuse (3378 mails)

Re: [SLE] Linux Database and Web server considerations
  • From: Michael Hasenstein <mha@xxxxxxxx>
  • Date: Mon, 29 Apr 2002 15:52:20 -0700
  • Message-id: <3CCDCEA4.5070503@xxxxxxxx>
Alex Daniloff wrote:

> Hello SuSE folkz,
> Is it a good idea to put Firewall, NFS, Database and Web services on
> one Linux box, or should they be separated?

Firewall: ALWAYS separate. Can be an old Pentium with 200 MHz and 16 MB of RAM (still overpowered)!

> The Web server part is a MySQL database driven interface through
> persistent fcgi scripts.
> The MySQL Database server should be able to operate in the long run with up
> to 60GB of critical data.
> The Firewall should keep all unnecessary ports in stealth mode and
> provide masquerading and routing for a small internal network.
> The NFS server should export a publicly shared data directory to the
> internal network.

Recommended setup for someone who has servers to put on the internet:

TWO firewalls. Between the outside one and the inside one you have a small network called "DMZ" (demilitarized zone) where you place your internet servers. Do NOT enable remote accessibility options on the firewall(s); use a serial console instead: the console server is on the internal network, with serial cables to all hosts in the DMZ and to the firewalls, so you can access those machines safely from the inside over the network without creating any traffic anyone might observe and without having to open any login services on the net on those servers.

> I proposed this configuration:
> A separate Linux box provides firewall/masquerading/routing services.
> The second Linux box serves as an NFS, Database and Web server to
> generate less network traffic during database queries.
>
> One co-worker proposed a less costly alternative: to put everything on
> one box.

The two firewalls for a DMZ are VERY cheap (or free): use any computer everyone else would throw out as garbage. Well, not too old; see above for a safe minimum. Routers/firewalls that don't do active filtering (looking at the actual content of the traffic) are incredibly bored and have almost nothing to do, even on a fast internet connection...

> Another one expressed his opinion in favour of separating all services between
> four Linux boxes.

Separate by this category: Whom is it for? External or internal? External services go into the DMZ, internal ones are - internal.

Accessing internal services from an external server, e.g. a database, is yet another (complicated) topic.

> Since we are on a tight budget we can't create a dedicated data center
> for our tasks.
> Could somebody enlighten me as to the advantages and drawbacks of both
> these methods? What is the cheapest variant in this situation?
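The two-firewall DMZ layout described above, as an added example that is not part of the thread: iptables rule sets for the outer and the inner box. Interface names, the DMZ and LAN ranges, the single DMZ web host and the inner firewall's DMZ address are all constructed assumptions; the functions only print the rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not code from the thread. All interfaces and addresses
# are constructed placeholders. Each function prints a rule set; review
# it, then apply on the right box as root with:  outer_rules | sh
EXT_IF=eth0            # outer firewall, internet side
DMZ_IF=eth1            # DMZ side (same name on both boxes)
LAN_IF=eth2            # inner firewall, internal side
DMZ_NET=192.0.2.0/24   # constructed DMZ range
WEB=192.0.2.10         # constructed DMZ web server
INNER_FW=192.0.2.1     # inner firewall's DMZ address (constructed)
LAN_NET=10.0.0.0/24    # constructed internal network
# Shared prefix: default deny, loopback and reply traffic only. No INPUT
# rule opens a login port: management is over the serial console.
base_rules() {
  cat <<EOF
iptables -F; iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}
# Outer firewall: publish only the web port into the DMZ. DMZ servers get
# no outbound NEW rule (a compromised one cannot open connections out);
# only the inner firewall, carrying masqueraded LAN traffic, may.
outer_rules() {
  base_rules
  cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB:80
iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $INNER_FW -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
EOF
}
# Inner firewall: the LAN may initiate toward the DMZ and beyond; nothing
# from the DMZ side may initiate inward (the "external server reaching
# an internal database" case is deliberately absent).
inner_rules() {
  base_rules
  cat <<EOF
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $DMZ_IF -s $LAN_NET -j MASQUERADE
EOF
}
# Audit helpers: rules that would accept a new connection to a firewall
# port, or from the DMZ into the LAN. Both counts must be 0 on both boxes.
count_listeners() { "$1" | grep -c -- '-A INPUT .*--dport' || true; }
count_dmz_to_lan() { "$1" | grep -c -- "-A FORWARD -i $DMZ_IF -o $LAN_IF" || true; }
```

Because the LAN is masqueraded twice (inner box, then outer box), the only address the outer firewall ever lets initiate outward is the inner firewall's own DMZ address.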
