I would place the webserver in a
DMZ
For the most simple DMZ setup you would need a single box with 3 network cards.
With a proper DMZ pf.conf, a static website, and with all unnecessary services like mail, ftp, ssh disabled, there is not much opportunity for somebody to use your www server for serving malware or attacking others.
If you are really paranoia, you even could use a pf.conf for the server allowing only incoming traffic on tcp port 80, outgoing DNS traffic on tcp & udp port 53 and outgoing ntp (udp port 123).