Setting up a DMZ webserver using Zones

I've been looking at various articles about Zones/Containers, from Sun's website and through numerous Google searches, and although there's a lot of info out there, I've not got a definitive answer for what I'd like to do... so here we go...

I'm installing a webserver, which is sitting on a DMZ port, so it can be accessed from anywhere on the 'net. I've configured all the filesystems for various user groups, and now have a nicely patched Solaris 10 5/09 system.

What I'd like to do is to drop a couple (or more) of the filesystems into their own non-global zone each, where they'll be running an instance of the web server, and serving a number of users who will be maintaining their own websites within the zone.

I'd ideally like the overall URL to stay the same, with only a port number change to distinguish the website groups from each other, for example:

http://xyz.com:80 (Group 1's sites, zone 1, filesystem 1)
http://xyz.com:81 (Group 2's sites, zone 2, filesystem 2)
http://xyz.com:82 (Group 3's sites, zone 3, filesystem 3)

The global zone will host the main web server, with each zone's web process just running enough to operate its own server.

Users will log in to their own zone, and will not be able to log in elsewhere (I know this can be done by maintaining /etc/passwd and /etc/shadow files per zone, so a user isn't recognised in the other zones).

My questions are:

1) - Is it feasible / possible to run the above setup, while keeping the URL the same across each zone and just changing the port each time?

2) - When a user logs in, will they have to log in to the global zone, and then use zlogin to connect to their specific non-global zone?

3) - (Similar to (2)) - Can users log in directly to their zone from a remote system, or do they have to come in via the global zone?

4) - Does each zone have to have its own IP address? If so, is this internal to the server, or is it external?

At the moment, the global zone has been allocated an IP address for the DMZ. If each zone needs its own unique external address, this could be a problem (limited availability on our network) - a better solution would be some form of internal NAT on the server to forward login requests to the relevant zone, if possible?

Quite a lengthy "query", but I've not yet found anything specific to the above setup. I did find something on setting up a similar system using 2 NICs, but I only have the 1.

Thanks in advance....

Not directly, as zones have different IP addresses.

This isn't required and is actually bad practice.

Yes, assuming a service is available for them to log in, likely ssh.

No.

A zone doesn't need to have an IP address, but assuming you want the zone to be reachable from the network, it will need one or more addresses. Zones' IP addresses must be different in the shared-IP model. With exclusive IP, you might have the same IP address on more than one zone, but that would probably be useless.

Both.

It should be. Solaris bundles ipf which supports NAT.
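The layout the reply sketches (each zone with its own address in the shared-IP model, and ipf NAT in the global zone mapping the single DMZ address' ports to the zones) can be expressed as a generated zonecfg script plus ipnat rdr rules. The script below is an added example written for this thread, not code from the original posts; the NIC name bge0, the DMZ address 192.0.2.10, the 10.10.10.0/24 zone network, the zone names and zonepaths are all assumptions, and the `ZONES` table is constructed for the example. It also checks that no two zones claim the same external port, since a duplicate port would make the second rdr rule unreachable.

```shell
#!/bin/sh
# Added example (not from the thread): generate the zonecfg(1M) command file
# and the IPFilter ipnat.conf rdr rules that map http://xyz.com:80/81/82 to
# three shared-IP zones, each with its own private address on the one DMZ NIC.
# Every value below is an assumption: NIC name, addresses, zone names, paths.

NIC="bge0"                 # assumed: the single DMZ interface in the global zone
DMZ_IP="192.0.2.10"        # assumed: routable DMZ address held by the global zone
ZONE_NET="10.10.10"        # assumed: private /24 used for the zones' own addresses

# One line per zone: zone name, external HTTP port, private address, zonepath.
# (Constructed table for the example.)
ZONES="zone1 80 ${ZONE_NET}.1 /zones/zone1
zone2 81 ${ZONE_NET}.2 /zones/zone2
zone3 82 ${ZONE_NET}.3 /zones/zone3"

# Emit the zonecfg script for one shared-IP zone. The zone gets its own
# address on $NIC, so its web server can bind port 80 without clashing with
# the other zones or the global zone. Feed it with: zonecfg -z NAME -f FILE
gen_zonecfg() {
    name=$1; addr=$2; zpath=$3
    cat <<EOF
create
set zonepath=$zpath
set autoboot=true
set ip-type=shared
add net
set address=$addr/24
set physical=$NIC
end
verify
commit
EOF
}

# Emit one ipnat.conf rdr rule: TCP traffic arriving on $NIC for the global
# zone's DMZ address on $ext_port is redirected to the zone's private address
# on port 80. ipf runs in the global zone and covers shared-IP zones.
gen_rdr() {
    ext_port=$1; addr=$2
    printf 'rdr %s %s/32 port %s -> %s port 80 tcp\n' "$NIC" "$DMZ_IP" "$ext_port" "$addr"
}

# Refuse the table if two zones claim the same external port: ipf would
# only ever match the first rdr rule for that port.
check_ports() {
    dups=$(printf '%s\n' "$ZONES" | awk '{print $2}' | sort | uniq -d)
    [ -z "$dups" ]
}

# Print everything to stdout; redirect per zone into real files when used.
render_all() {
    check_ports || { echo "duplicate external port in ZONES" >&2; return 1; }
    printf '%s\n' "$ZONES" | while read -r name port addr zpath; do
        echo "# zonecfg -z $name -f $name.cfg"
        gen_zonecfg "$name" "$addr" "$zpath"
        echo "# /etc/ipf/ipnat.conf entry for $name"
        gen_rdr "$port" "$addr"
        echo
    done
}

render_all
```

After loading the rules with `ipnat -CF -f /etc/ipf/ipnat.conf`, a request to xyz.com:81 reaches zone2's web server listening on its own address, and the public port numbering from the original question survives without any extra external addresses. The same rdr form can map distinct external ports to port 22 on each zone so users log in to their zone directly over ssh, never touching the global zone.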

Hmm, thanks for that. I'll digest it and see what I can come up with.

In reality I've quite a short timespan to get the server up and running, so it may be a case of configuring this server as a single global zone, adding some security, and getting it live. I can then play with zones on a spare box when time permits....

You can still put all three instances in a non-global zone. That would be a first step in virtualizing them.