Nginx as Reverse Proxy for multiple servers binded to proxy using UNIX sockets - how to reached in LAN

Reinis Rozitis r at roze.lv
Fri Sep 28 18:49:16 UTC 2018


> how do I do it exactly regardless if it is cumbersome?

Well you configure each individual nginx to listen ( https://nginx.org/en/docs/http/ngx_http_core_module.html#listen ) on a unix socket:

Config on nginx1:
# ..
events { }
http {
  server {
    listen unix:/some/path/user1.sock;
    # ..
  }
}

Config on nginx2:
# ..
server {
  listen unix:/some/path/user2.sock;
  # ...
}


And then on the main server you configure the per-user virtualhosts to be proxied to particular socket:

server {
	listen 80;
	server_name     user1.domain;
	location / {
		proxy_pass http://unix:/some/path/user1.sock;
	}
}
server {
	listen 80;
	server_name     user2.domain;
	location / {
		proxy_pass http://unix:/some/path/user2.sock;
	}
}


(obviously it's just a mockup and you need to add everything else like http {} blocks, root paths, SSL certificates (if available) etc)


> So far I assumed that the worker starts the backend application and the access to php is configured in the server block (my reference is What is the easiest way to enable PHP on nginx? and Serve PHP with PHP-FPM and NGINX). My googling tells me that the PHP process usually runs with the permissions of the webserver.

Not exactly.

php-fpm, which is the typical way of running php under nginx, and nginx are different processes/daemons, each having their own configuration, and they communicate via FastCGI ( http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html ) via tcp or unix socket, and both can run under different system users (php-fpm can even manage multiple pools, each under its own user and with different settings).

The guide you linked on linode.com isn't fully correct: "The listen.owner and listen.group variables are set to www-data by default, but they need to match the user and group NGINX is running as."

The users don't need to match, but the nginx user needs read/write permissions on the socket file (setting the same user just makes the guide simpler and less error-prone).
You can always put the nginx and php-fpm users in a group and make the socket file group-writable (via listen.mode = 0660 in php-fpm.conf).


> Unfortunately, my NAS does not support it

While the Synologies are Linux-based, maybe running somewhat complicated setups (user/app isolation) and exposing to WAN are not the best option.

Also it beats the whole idea of DSM being a user-friendly centralized GUI tool. A regular PC/server with some native Linux distribution (Ubuntu, Debian, Fedora, openSUSE etc.) might be a better choice (and imho easier to experiment on), and you can always attach the NAS to the Linux box (via NFS, Samba/CIFS, WebDAV etc.).

rr
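
The socket-permission point in the message above (the proxy user needs write access to the backend socket, the users need not match), as an added example that is not part of the original post: a Python check that tells whether a given uid/group set can connect to a unix socket and flags world-writable sockets. The function names, the user1.sock sample and the uid/gid values are constructed for illustration; ACLs, root and parent-directory permissions are not evaluated.

```python
import os
import socket
import stat
import tempfile


def can_connect(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix permission check: on Linux, connect() to a unix
    socket needs write permission on the socket file."""
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_socket(path, proxy_uid, proxy_gids):
    """Return a list of findings for one backend socket; empty means OK."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return ["not a unix socket"]
    findings = []
    if not can_connect(st.st_mode, st.st_uid, st.st_gid, proxy_uid, proxy_gids):
        findings.append("proxy user cannot connect (needs write permission)")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can connect")
    return findings


def make_demo_socket(mode):
    """Constructed sample: listening socket in a fresh temp dir, then chmod."""
    path = os.path.join(tempfile.mkdtemp(), "user1.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    os.chmod(path, mode)
    return srv, path


if __name__ == "__main__":
    srv, path = make_demo_socket(0o660)   # same mode as listen.mode = 0660
    st = os.stat(path)
    proxy_uid = st.st_uid + 1             # hypothetical proxy uid, not the socket owner
    print("in shared group:", audit_socket(path, proxy_uid, {st.st_gid}))
    print("not in group:   ", audit_socket(path, proxy_uid, {st.st_gid + 1}))
    os.chmod(path, 0o666)
    print("mode 0666:      ", audit_socket(path, proxy_uid, set()))
    srv.close()
```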


