Exploit the security and stability benefits of FreeBSD by running web servers in jails, along with a reverse proxy jail, a database jail and a Redis jail

Published: Jan 1, 2026

This holiday season I read up on FreeBSD jails. I've always wanted to be able to set up secure and stable websites, and jails were the answer.

I used Bastille as the jail tool. There are many out there, and you can even do it without a tool; the FreeBSD Handbook has enough to set them up.

My architecture for version one was a reverse proxy in front of all website jails. Each website jail then had the whole stack: the database, the PHP components and the WordPress website. It took some time to build one, but I quickly realized that running a MySQL database for every website was overkill, as MySQL took a lot of RAM out of my Hetzner VM with 4GB of memory. Having said that, if you need absolute security, you should do it this way. But I found a more efficient method for my small websites.

Version two consisted of a proxy jail that reverse-proxies all websites, one database jail for all website jails to use, and one Redis jail for all website jails to use. This was a much better approach. After a lot of trial and error, I built two scripts: one to set up the base system with whatever websites you have, and a second to just add more websites. Both are Ansible playbooks, and the way I did it was to copy and paste the scripts into the console of the VM over SSH. This creates all required files and you can just run the .sh file.

The script has been designed to run on a freshly spun-up FreeBSD instance. At Hetzner, you first buy a VM and mount a bootable FreeBSD ISO. Then reboot the machine; the reboot boots from the mounted ISO. Install FreeBSD with ZFS, add a user and put them into the wheel group, and shut down the machine. Once the machine is shut down, unmount the ISO and reboot. You can now SSH into the box as your newly added user. Then do a 'su', become root and copy and paste the script below.

The script takes care of pkg update, sets up Bastille properly and then builds the entire foundation. It takes care of setting up all components: gzip and HTTP/2, Redis, certbot, etc. At the end, you can just set up the WordPress sites from your browser.
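The core of the version-two layout is the proxy jail: nginx in one jail terminating TLS and forwarding each hostname to the private address of its website jail, with gzip and HTTP/2 switched on. The script below is an added example, not the author's playbook: it generates one nginx vhost per site from a small inventory. The jail addresses, the output directory and the certbot certificate paths (/etc/letsencrypt/live/<site>/) are assumptions, and `http2 on;` assumes nginx 1.25.1 or newer. Site names are validated as hostnames before they are interpolated, so an inventory entry can never smuggle directives or path components into the generated config.

```shell
#!/bin/sh
# Added example (not from the post): generate nginx reverse-proxy vhosts for
# website jails behind a single proxy jail. Assumptions: jail IPs on a private
# Bastille network, certbot certs under /etc/letsencrypt/live/<site>/.
set -eu

# Accept only plausible hostnames so a site name cannot inject nginx
# directives or path components into the generated file.
valid_site() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# Print one nginx server block: HTTP -> HTTPS redirect, TLS with HTTP/2,
# gzip for text assets, and proxy_pass to the website jail's private address.
gen_vhost() {
    site="$1"; jail_ip="$2"
    valid_site "$site" || { echo "invalid site name: $site" >&2; return 1; }
    cat <<EOF
server {
    listen 80;
    server_name $site;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    http2 on;
    server_name $site;
    ssl_certificate     /etc/letsencrypt/live/$site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$site/privkey.pem;
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml image/svg+xml;
    location / {
        proxy_pass http://$jail_ip;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Read "site ip" pairs from stdin, write <outdir>/<site>.conf for each,
# and print how many files were written.
write_vhosts() {
    outdir="$1"; n=0
    mkdir -p "$outdir"
    while read -r site ip; do
        [ -n "$site" ] || continue
        gen_vhost "$site" "$ip" > "$outdir/$site.conf"
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample inventory; the names and addresses are assumptions.
SITES='example.org 10.17.89.11
blog.example.net 10.17.89.12'

main() {
    printf '%s\n' "$SITES" | write_vhosts "${1:-${TMPDIR:-/tmp}/vhosts.d}"
}

main "$@"
```

Run it with the directory nginx includes vhosts from as the first argument (the path depends on how nginx is configured inside the proxy jail), then reload nginx. Because the website jails only hold plain HTTP behind the proxy, the X-Forwarded-Proto header is what lets WordPress know the public URL is HTTPS.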

Scripts

Some specs

Notes

  1. Install Tailscale and enable Tailscale SSH (the --ssh flag) so you can securely connect to the server without a password. You can then stop the regular SSH daemon from running (yeah, Tailscale doesn't need it). That way, the thousands of bots trying to SSH to your server will have nothing to do, at least on your server. See https://sanjayregmi.com/posts/how-to-install-tailscale-on-freebsd/

  2. Use ZFS snapshots for safety, backup.

  3. Hetzner snapshots are very fast, take about one minute for 20GB of data. Use it - it costs extra but it’s worth it.

  4. Lock the VM against inadvertent deletion. The Hetzner console has this feature, and it's easy to find and set up.

  5. Set up the DragonFly Mail Agent (DMA) on the FreeBSD system so it can alert you via email. It's quick and easy to set up. See https://docs.freebsd.org/en/books/handbook/mail/

  6. Always take ZFS snapshots before a major update. That’s one of the beauties of ZFS.
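Notes 2 and 6 both come down to one habit: a recursive snapshot of the pool before anything risky, named so that the rollback target is obvious, and a way to find the old ones when they start eating space. The script below is an added example and not part of the post. It assumes the pool is called zroot (check yours with `zfs list`); the snapshot list it works on is a constructed sample in the same format as `zfs list -H -t snapshot -o name`.

```shell
#!/bin/sh
# Added example (not from the post): pre-update ZFS snapshot helper.
# Assumption: the pool/dataset to protect is "zroot"; adjust to your layout.
set -eu

# ZFS snapshot names permit only alphanumerics, '_', '-', '.' and ':'.
valid_label() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.:-]+$'
}

# Build "<dataset>@<label>-<stamp>". The timestamp is a parameter so the
# name is reproducible (and testable); a malformed label is rejected.
snap_name() {
    dataset="$1"; label="$2"; stamp="$3"
    valid_label "$label" || { echo "bad snapshot label: $label" >&2; return 1; }
    printf '%s@%s-%s\n' "$dataset" "$label" "$stamp"
}

# Snapshot the dataset recursively (so every jail dataset beneath it is
# captured at the same instant) and print the name for a later
# `zfs rollback -r` if the update goes wrong.
pre_update_snapshot() {
    dataset="$1"
    name=$(snap_name "$dataset" pre-update "$(date +%Y%m%d-%H%M%S)")
    zfs snapshot -r "$name"
    echo "$name"
}

# Given snapshot names on stdin (format of `zfs list -H -t snapshot -o name`),
# print the top-level pre-update snapshots of $1 beyond the newest $2,
# oldest first. Child datasets' snapshots are skipped because destroying the
# top-level one with `zfs destroy -r` removes them together.
stale_snapshots() {
    dataset="$1"; keep="$2"
    awk -v p="$dataset@pre-update-" 'index($0, p) == 1' | sort |
        awk -v keep="$keep" '{ a[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print a[i] }'
}

# Constructed sample of `zfs list -H -t snapshot -o name` output.
SAMPLE_SNAPSHOTS='zroot@pre-update-20251201-090000
zroot/bastille@pre-update-20251201-090000
zroot@pre-update-20251215-090000
zroot@manual-20251220
zroot@pre-update-20260101-120000'

main() {
    if [ $# -gt 0 ]; then
        pre_update_snapshot "$1"
    else
        echo "usage: $0 <dataset>; demo of stale-snapshot selection on sample data:" >&2
        printf '%s\n' "$SAMPLE_SNAPSHOTS" | stale_snapshots zroot 1
    fi
}

main "$@"
```

Run `./pre-update.sh zroot` before `pkg upgrade` or a `bastille update`; to review what could be reclaimed later, feed the real listing through `stale_snapshots`, e.g. `zfs list -H -t snapshot -o name | stale_snapshots zroot 2`, and only then decide what to `zfs destroy -r`.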
