Nginx as Reverse Proxy for multiple servers bound to proxy using UNIX sockets - how to reach in LAN

Stefan Müller stefan.mueller.83 at gmail.com
Tue Oct 16 19:23:33 UTC 2018


Hallo Francis,
thank you for the liberating response :).

Unfortunately that raises some questions:

 1. documentation
    Is there any additional document for the -c command? I find only:
     1. http://nginx.org/en/docs/switches.html
     2. https://stackoverflow.com/questions/19910042/locate-the-nginx-conf-file-my-nginx-is-actually-using
    but none of them says that it will start an independent instance of
    nginx.

 2. command line
    I assume that the command line parameters refer to a single
    instance environment. How do I use the command line parameters for a
    specific instance? Is it like this: nginx -V "pid
    /var/run/nginx-user1.pid"?

 3. root and non-root
    only the master / proxy server instance needs root access in order to
    bind to ports <1024 and change its user-id to the one defined in
    the user (https://nginx.org/en/docs/ngx_core_module.html#user)
    directive in the main context of its .conf file.
    The other / backend instances don't have to be started as root as
    they don't need to bind to ports; they communicate via UNIX sockets,
    so all permissions are managed by the user account management.
    That is the same as what you said, isn't it?

 4. all in all there are two layers of isolation
     1. dynamic content providers such as PHP
        each "virtual host" / server{} block has its own PHP pool. So
        the user for pool server{}/user1/ cannot see the pool
        server{}/user2/. If /user1/ gets hacked, the hacker won't get
        immediate access to /user2/ or the nginx master process, correct?
     2. independent instances of nginx.
        In case the master process is breached for whatever reason, the
        hacker cannot see the other servers as long as he doesn't get root
        privileges on the machine and there is the same exploit in the
        other servers, correct?

Stefan

On 16.10.2018 09:56, Francis Daly wrote:
> On Tue, Oct 16, 2018 at 09:20:33AM +0200, Stefan Müller wrote:
>
> Hi there,
>
>> so I wonder, if I need to work with multiple .conf files or shall I put
>> multiple http{} blocks in the general configuration of nginx
>> /etc/nginx/nginx.conf? I assume that Reinis told me indirectly to run
>> multiple instances of nginx, but I haven't understood yet how. There is the
>> master process, properly taking care about the proxy server but how to I
>> start the instance (if I need to work with instances) per /virtual host/?
> In this design, you run multiple instances of nginx. That is: multiple
> individual system processes that are totally independent of each other.
>
> So: nginx-user1.conf includes something like
>
>    http {
>      server {
>        listen unix:/some/path/user1.sock;
>      }
>    }
>
> and refers to log files and tmp files and a pid file that user1 can write,
> and to a document root that user1 can read (if necessary), and you run
> the command "/usr/sbin/nginx -c nginx-user1.conf" as system user user1.
>
> And then you do the same for user2, user3, etc.
>
> And then you have one other "nginx-main.conf" which includes "listen 443
> ssl" and includes proxy_pass to the individual unix:/some/path/userN.sock
> "backend" servers; and you run the command "/usr/sbin/nginx -c
> nginx-main.conf" as user root.
>
>
> Note: the actual file names involved are irrelevant. All that matters
> is that when the nginx binary is run with a "-c" option, it can read
> the named file which contains the config that this instance will use.
>
> If the nginx process starts as user root, it will change itself to run as
> the other configured user-id as soon as it can; if it starts as non-root,
> it will not. In the above design, all of the user-specific backend nginx
> servers run as non-root.
>
>
> And - the term "virtual host" usually refers to different server{} blocks
> within the configuration of a single nginx instance. You (generally) don't
> care about those -- the nginx binary will start the appropriate child
> system-level processes to deal with the configuration that it was given.
>
> If you are running multiple nginx system-level processes, each one has
> its own idea of the virtual hosts from its configuration. With the above
> design, all of the "user" nginx instances have just one server{} block,
> while the "root" nginx instance probably has multiple server{} blocks.
>
>
> Good luck with it,
>
> 	f
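The design Francis describes, written out as one backend config plus the front-end config, as an added example (it is not code from this thread or from the nginx project). Everything path-like is an assumption: /etc/nginx/instances/user1/nginx.conf and /run/nginx-user1/ for the backend, /home/user1/ for its logs, temp files and document root, /run/php-fpm/user1.sock for the per-user php-fpm pool, the certificate files, and the host name user1.example.com.

```nginx
# --- /etc/nginx/instances/user1/nginx.conf  (backend; started as user1, never as root) ---
# Start, test and reload THIS instance, as user1. "-s" finds the master via the
# pid file named in the config given with "-c", so -c selects the instance:
#   nginx -c /etc/nginx/instances/user1/nginx.conf -t
#   nginx -c /etc/nginx/instances/user1/nginx.conf
#   nginx -c /etc/nginx/instances/user1/nginx.conf -s reload
# No "user" directive: started as user1, the master and workers stay user1.
pid        /run/nginx-user1/nginx.pid;
error_log  /home/user1/log/error.log warn;

events { worker_connections 256; }

http {
    access_log /home/user1/log/access.log;
    # Every temp path must be writable by user1; the compiled-in defaults
    # (e.g. under /var/lib/nginx) usually are not, and startup fails on mkdir().
    client_body_temp_path /home/user1/tmp/client_body;
    proxy_temp_path       /home/user1/tmp/proxy;
    fastcgi_temp_path     /home/user1/tmp/fastcgi;
    uwsgi_temp_path       /home/user1/tmp/uwsgi;
    scgi_temp_path        /home/user1/tmp/scgi;

    server {
        # No TCP port at all: only processes that can traverse /run/nginx-user1
        # can connect. Assumed: directory owned user1:www-data, mode 0750.
        listen unix:/run/nginx-user1/user1.sock;
        root   /home/user1/www;
        index  index.php index.html;

        location ~ \.php$ {
            # per-user php-fpm pool on its own socket (assumed path)
            fastcgi_pass   unix:/run/php-fpm/user1.sock;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include        /etc/nginx/fastcgi_params;
        }
    }
}

# --- /etc/nginx/nginx-main.conf  (front end; started as root, workers drop to www-data) ---
#   nginx -c /etc/nginx/nginx-main.conf
user       www-data;
pid        /run/nginx-main.pid;
error_log  /var/log/nginx/error.log warn;

events { worker_connections 1024; }

http {
    server {
        listen 443 ssl;
        server_name user1.example.com;                              # placeholder name
        ssl_certificate     /etc/ssl/certs/user1.example.com.pem;   # assumed paths
        ssl_certificate_key /etc/ssl/private/user1.example.com.key;

        location / {
            # www-data (the worker user) must be able to reach this socket
            proxy_pass http://unix:/run/nginx-user1/user1.sock;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    # one more server{} per user, each proxy_pass-ing to that user's socket
}
```

Two checks worth running after start-up: `ps -o user,pid,cmd -C nginx` should show the user1 master and workers as user1 and only the main master as root; and `ls -l /run/nginx-user1/` should show the socket reachable by www-data but not by user2. nginx chmods the socket file itself to 0666 once it is bound, so the directory mode, not the socket mode, is what keeps other users out. One caveat on the isolation question: if the php-fpm pool and the backend nginx both run as user1, a compromised pool already has everything user1 has, including this instance's config, logs and socket; the boundary is the Unix user, not the process.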