And voila! iMil.net has now migrated to a brand new (well, actually recycled) server, which is incidentally hosted by myself, in my company’s server room.
What's new? On the architecture side, nothing revolutionary: my good old setup, composed of a Debian (squeeze, yeah I don’t like to play) GNU/Linux dom0, which hosts various NetBSD 6.0/amd64 domUs (now SMP!).
The main news is the activation of naxsi, the Web Application Firewall, on the nginx reverse proxy. I don’t like to waste IPv4 public addresses, so the websites I host are all served by an nginx reverse proxy that connects to the domUs’ private IPs. Naxsi’s rules are detailed in this post. Apart from that, the nginx configuration is rather classic; here’s a vhost example:
denied is used by naxsi, it’s a very simple location:
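For readers who want to see the shape of such a setup, here is an added example (not the author's configuration) of a reverse-proxy vhost with naxsi enabled and a /denied location. The server name, the private backend address 10.0.0.10, the file paths and the score thresholds are assumptions.

```nginx
# Added example, not the author's configuration.
# Fragment of nginx.conf for an nginx built with the naxsi module.
http {
    # The naxsi core rule set is loaded once, at http level (path assumed).
    include /etc/nginx/naxsi_core.rules;

    server {
        listen 80;
        listen [::]:80;                     # site reachable over IPv4 and IPv6
        server_name www.example.org;        # placeholder vhost name

        location / {
            SecRulesEnabled;                # turn naxsi on for this location
            # LearningMode;                 # uncomment to log without blocking
            #                               # while whitelists are being built
            DeniedUrl "/denied";            # where blocked requests are sent

            # Block once a request's cumulative score reaches a threshold.
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # Forward clean requests to the domU's private address (assumed).
            proxy_pass http://10.0.0.10:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Target of DeniedUrl: answer blocked requests with a plain 403.
        location /denied {
            return 403;
        }
    }
}
```

Running with LearningMode enabled first and reviewing the naxsi entries in the nginx error log before switching to blocking avoids rejecting legitimate traffic from the backend applications.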
As I said before, NetBSD domUs are running 6.0.1. The main (mine) domU starts the following main services:
- Apache 2.4 + PHP 5.4
- Sendmail 8.14.5 (please shut your mouth on this one unless you know what you’re talking about)
- Dovecot 2.1.12
- MySQL Server 5.1.65
- Asterisk 1.8
- OpenVPN 2.2.2
- Bind 9.9.1-P4
Needless to say, everything, except bind, which is provided in base, was installed in binary form using… pkgin ;) The packages came from pkgsrc-2012Q3, available at packages.netbsdfr.org.
Each service needing a public facing interface is made accessible with iptables -t nat -A PREROUTING from the dom0.
As was already the case, the website is available with both IPv4 and IPv6 IPs, maybe I’ll include some easter eggs for the latter :)
There you go. I hope you’ll continue enjoying my (now displaying faster) posts :)