2006/06/02

Need to build a secure (public) download site

I have a fairly simple task in front of me: Provide a place for random internet users to download (via anon. ftp, http and/or https) one of a set of several 300MB files. (Oh yeah, and they have no budget for hardware.)

From this, I add the "usual" Enterprise Systems requirements: It has to be
  • manageable
  • secure
  • reliable
Seems straightforward: We have a Solaris 10 system in the DMZ in the central datacenter, it has enough mirrored disk space (over 20GB free) and it's running an application that's "more important" than this little download site, so reliability isn't a problem. If I create a zone on this server, it will be no less manageable than any of the rest (ok, the other) of the DMZ-based virtualization servers we have deployed.

That just leaves the "secure" requirement. There's lots of "interesting" opportunities there, though...

I think ideally the zone would be a minimally installed zone (with just enough software to make apache and ftpd work) with everything mounted read-only from the global zone, and with a helper zone (only accessible to the LAN-side) having read-write access to the space (accessed via scp), with firewall rules allowing only (anyone->dlserver:80,443, and ftp) and (lan->helper:22). Oh yeah, and with traffic shaping to prevent this from eating too much of our outbound internet feed.
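A sketch of the read-only / read-write split described above, as an added example (not the author's configuration): a small shell function that emits a `zonecfg` command file for each zone, with the same global-zone directory loopback-mounted `ro` into the public zone and `rw` into the helper. The zone names, zonepath, share directory, NIC name and addresses are all assumed placeholders.

```shell
#!/bin/sh
# Added example: generate zonecfg command files for the two zones in the design.
# Every name, path, NIC and address here is an assumed placeholder.

SHARE=/export/downloads   # assumed global-zone directory holding the 300MB files

# gen_zonecfg ZONE MODE ADDRESS
#   MODE "ro" -> public download zone, MODE "rw" -> LAN-side helper zone.
gen_zonecfg() {
    zone=$1
    mode=$2
    addr=$3
    case $mode in
        ro|rw) ;;
        *) echo "gen_zonecfg: mode must be ro or rw" >&2; return 1 ;;
    esac
    # Plain "create" on Solaris 10 yields a sparse-root zone, which already
    # inherits /lib, /platform, /sbin and /usr read-only from the global zone.
    cat <<EOF
create
set zonepath=/zones/$zone
set autoboot=true
add fs
set dir=$SHARE
set special=$SHARE
set type=lofs
add options [$mode,nodevices]
end
add net
set physical=bge0
set address=$addr
end
verify
commit
EOF
}

# Print both command files; each would be applied from the global zone with
#   zonecfg -z <zone> -f <file>
gen_zonecfg dlserver ro 192.0.2.10/24
gen_zonecfg helper rw 10.0.0.10/24
```

Because the public zone only ever sees the share through a read-only lofs mount, a compromised apache or ftpd process there cannot alter the published files; writes are possible only from the helper zone.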

The firewall rules are easy... that's someone else's problem. "They" don't do traffic shaping, however, so I get to figure out the Solaris IPQOS functionality, if I get that far.

So how do you create a minimalist zone? Answers as I find them...

--Joe
