The BSD Cafe Journal


Serving a simple website from a Jail with Bastille


In this short little howto we will be setting up a simple Jail via Bastille and hosting a static website.

Beware: The article assumes that sudo is configured. You can of course also use doas or switch to root, if you so desire. Some commands need root rights to work – keep that in mind as you go along!

First, we need to install Bastille itself.

$ sudo pkg install -y bastille

After installing, we enable the bastille service.

$ sudo sysrc bastille_enable=YES

And finally we start it.

$ sudo service bastille start

The next step on the list is to actually alter the bastille config to adapt it to our needs. Beware that in this guide I assume that you’ve installed FreeBSD with ZFS – or that you have a ZFS pool on hand that we can leverage. By default FreeBSD calls this pool zroot (which can be altered during the install of FreeBSD). If you do not use ZFS, be sure not to alter the variables below – the default does not leverage ZFS.

Edit the configuration file.

$ sudo vim /usr/local/etc/bastille/bastille.conf
bastille_tzdata="Europe/Berlin"
...
bastille_zfs_enable="YES"
bastille_zfs_zpool="zroot"
...

In my case, as you can see, I’ve adapted the timezone and set up ZFS for the coming Bastille Jails. Be sure to alter the timezone according to your needs.

Next up is creating a loopback interface.

$ sudo sysrc cloned_interfaces+=lo1
$ sudo sysrc ifconfig_lo1_name="bastille0"

Start the newly created interface after creating it.

$ sudo service netif cloneup

Now we can move on to the bootstrap phase. The following command will get the newest release (As of this time) and prepare the environment.

$ sudo bastille bootstrap 14.3-RELEASE update

Alright, with that done we can create our first Jail.

The command given will create a Jail named “web” and give it the IP address of 10.0.23.60. Specifying the interface after the IP address is also important.

Note: Be sure to alter the given address to your own needs!

$ sudo bastille create web 14.3-RELEASE 10.0.23.60/24 vtnet0

So far so good. Check if the Jail is created with the “list” option to bastille.

$ sudo bastille list

If the output shows our newly created Jail called “web” we are good to go.

Now we want to enter our freshly created Jail to continue the setup.

$ sudo bastille console web

First, let’s install pkg and update the repository.

# pkg
# pkg update

Next we’ll install the needed software (webserver) to host our website. We also install an editor – pick the one you prefer (in this example we’ll use vim).

# pkg install -y lighttpd vim

Enable Lighttpd and start it afterwards.

# sysrc lighttpd_enable="YES"
# service lighttpd start

We could now configure Lighttpd to our needs and change quite a few settings. But in the interest of keeping it simple we will use the default configuration for now. If, however, you want to change things, you can always take a look into the configuration directory, which can be found under /usr/local/www/lighttpd (multiple config files).

By default Lighttpd serves the directory /usr/local/www/data (Document Root). This is where we will put the needed files of our little website.

But, the directory “data” is not yet created. So let us just do that.

# cd /usr/local/www/
# mkdir data
# chown www:www data

Make sure the owner is set correctly since Lighttpd will by default leverage the user www and group www.

Final stretch ahead. Let’s cd into the directory and clone a simple website from git – after installing git, of course.

# pkg install -y git-lite
# cd data
# git clone https://github.com/jhx0/bsd-website.git
# mv bsd-website/* .

Our freshly cloned site should now be moved into the data directory.

The only thing left to do is opening your web browser of choice on our client system and navigating to the IP address previously configured.

$ firefox http://10.0.23.60

Finished!

Beware: This is a default setup. There are many ways to improve this!
Look into the configuration of Lighttpd, especially considering security-related alterations.
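
One check worth running on the setup above, as an added example that is not part of the original article: because `mv bsd-website/* .` does not move dot-entries, the cloned repository's .git directory stays under the document root, where Lighttpd will serve it. The script below flags such leftovers and world-writable files; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a document root for files that should not be served.

# audit_docroot DIR: print one finding per line.
# Returns 0 if clean, 1 if there are findings, 2 if DIR is not a directory.
audit_docroot() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "audit_docroot: $root is not a directory" >&2
        return 2
    fi
    findings=$(
        # "mv bsd-website/* ." skips dot-entries, so bsd-website/.git stays
        # inside the document root and is reachable over HTTP.
        find "$root" \( -name .git -o -name .svn -o -name .hg \) -prune -print |
            sed 's/^/VCS-METADATA /'
        # Entries any local user could rewrite (symlinks are skipped: their
        # mode bits mean nothing).
        find "$root" ! -type l -perm -002 -print | sed 's/^/WORLD-WRITABLE /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# make_sample_docroot: build a constructed tree that mirrors the article's
# clone-and-move steps without using the network; prints the tree's path.
make_sample_docroot() {
    umask 022
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bsd-website/.git" "$d/bsd-website/css"
    echo '[core]' > "$d/bsd-website/.git/config"
    echo '<h1>BSD</h1>' > "$d/bsd-website/index.html"
    echo 'body{}' > "$d/bsd-website/css/style.css"
    ( cd "$d" && mv bsd-website/* . )   # same move as in the article
    chmod 666 "$d/css/style.css"        # constructed permission mistake
    echo "$d"
}

sample=$(make_sample_docroot)
audit_docroot "$sample" || true         # reports the leftover .git and the 0666 file
rm -rf "$sample/bsd-website"            # remediation: remove the leftover checkout
chmod 644 "$sample/css/style.css"       # remediation: drop the world-write bit
audit_docroot "$sample" && echo "document root is clean"
rm -rf "$sample"
```

Inside the Jail, the equivalent call would be `audit_docroot /usr/local/www/data`, run after the clone and move steps.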

Have fun everyone.

Stay Open!
