Moving uploaded files through a DMZ

Tags: dmz, file-server, network-share

I'm transitioning a web app (runs on LAMP) from a single host to a configuration with the PHP/Apache app running on a public-facing server in a DMZ. The app connects to MySQL, which is sitting in a private network behind the DMZ. The main criterion I have been given is to keep all user data (in the database or user-uploaded files) out of the DMZ entirely and only allow access to it via an ACL, i.e., segregating the application layer from the data layer, both by network and by authentication/access.

I've got this segregation nicely with MySQL, but I'm not coming up with any good ideas for how to access file storage on the file server from the web server. I've got it running currently on an NFS export mounted on the web server, but that leaves the file server and all its data open to anyone with access to the web server (basically) without authentication.

I realize that any serious solution is probably going to involve significant development time, and I'm prepared to do that. Also prepared to spend some money on an off-the-shelf solution if needed to get the job done right. I feel like I'm missing something blindingly obvious here.

Best Answer

You really can't have it both ways: if you want to access a resource on the file server from the web server, you need to open a firewall hole for it.
There's really no difference between punching the hole for NFS and punching it for MySQL -- if someone breaks into your web server they can get your MySQL database (or at least grab the credentials and access any DB that user can get to). Similarly, if they break into the web server they can access anything the web server is authorized to get to, subject to whatever restrictions you put on the NFS export.

About the best thing you can do in this situation is restrict the NFS export to the minimum practical window of the file server (protecting you from a compromise of the web server), and use strong authentication for the NFS client, via Kerberos for example (protecting you from a collateral breach of the DMZ). There are also a few questions here tagged with which talk about authorization and authentication concerns, security, etc. that can give you a few pointers on this.
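The answer's two recommendations (export the narrowest practical directory to a specific client, and require Kerberos on the NFS side) can be checked mechanically on the file server. The script below is an added example, not code from the original question or answer: a POSIX sh audit of /etc/exports lines that flags wildcard clients, exports that are not Kerberos-only, and no_root_squash. The host name webdmz.example.com, the paths, and the sample exports file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/exports on the file
# server for the properties the answer recommends. All names below are
# constructed for illustration.

# check_export_line LINE
#   Prints one finding per weakness and returns the number of findings
#   (0 means the line is consistent with the recommendations).
check_export_line() {
    set -f                        # no globbing: a client spec like *(rw) must stay literal
    set -- $1                     # field 1 = exported directory, rest = client specs
    dir=$1; shift
    n=0
    case "$dir" in ''|\#*) set +f; return 0 ;; esac   # blank line or comment
    for spec in "$@"; do
        case "$spec" in
            *\(*) host=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
            *)    host=$spec; opts='' ;;              # host with default options
        esac
        # 1. Narrow client: an empty or wildcard host exports to anything that can
        #    reach the file server, not just the one web server in the DMZ.
        case "$host" in
            ''|*\**) echo "$dir: wildcard client '$host'"; n=$((n+1)) ;;
        esac
        # 2. Kerberos only: sec=krb5, krb5i or krb5p must be the sole flavour. The
        #    default (AUTH_SYS), an explicit sec=sys, or a list such as sec=sys:krb5p
        #    trusts whatever uid the client sends, so root on a compromised web
        #    server can read the export as any user.
        case ",$opts," in
            *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) : ;;
            *) echo "$dir -> $host: not Kerberos-only (AUTH_SYS trusts client uids)"; n=$((n+1)) ;;
        esac
        # 3. Root squashing: without it, root on the web server is root on the export.
        case ",$opts," in
            *,no_root_squash,*) echo "$dir -> $host: no_root_squash"; n=$((n+1)) ;;
        esac
    done
    set +f
    return $n
}

# audit_exports FILE: runs check_export_line over every line, returns the total.
audit_exports() {
    total=0
    while IFS= read -r line || [ -n "$line" ]; do
        check_export_line "$line" || total=$((total+$?))
    done < "$1"
    return $total
}

# Constructed sample exports file: the first line leaves the whole tree open to
# any host with AUTH_SYS and no root squashing; the second narrows it to one
# directory, one client (the DMZ web server), Kerberos with privacy, root squashed.
SAMPLE_EXPORTS='# /etc/exports on the file server (constructed sample)
/srv                *(rw,no_root_squash)
/srv/uploads        webdmz.example.com(rw,sec=krb5p,root_squash)'

# Stand-alone demo: audit the sample, or a real exports file given as $1.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_EXPORTS" > "$tmp"
audit_exports "${1:-$tmp}" || echo "findings: $?"
rm -f "$tmp"
```

On the web server the matching mount is `mount -t nfs4 -o sec=krb5p fileserver:/srv/uploads /var/www/uploads` (names assumed); for that to work the client needs an nfs/ host principal in its keytab and rpc.gssd running, which is what turns "anyone who reaches the file server" into "this one authenticated host". Also re-run `exportfs -ra` after editing /etc/exports, since a hardened file that has not been reloaded protects nothing.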