<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div dir="ltr">
<div text="#000000" bgcolor="#FFFFFF">
<p>thx that gets me closer to the end :).</p>
<p>let's try to summarize it (and add some more info):<br>
</p>
<ol>
<li>proxy and unix socket<br>
This allows permission management via user accounts, but it
can get bulky as soon as you set up user accounts for
permission management of each backend application, as they
pose a higher risk, as indicated in the previous email.<br>
For the server you make use of
<ul>
<li>reverse proxy / main server: <tt>location / {
proxy_pass <a class="moz-txt-link-freetext"
href="http://unix:/some/path/user1.sock">http://unix:/some/path/user1.sock</a>; }</tt></li>
<li>proxied servers / individual servers: <tt>listen
unix:/some/path/user1.sock;</tt></li>
</ul>
That is all put in the same http{} block.<br>
Would there be any advantage in using separate http{} blocks,
as discussed a while ago in <a
href="https://forum.nginx.org/read.php?29,243599">Disallowing
multiple http {} blocks in nginx.conf?</a><br>
<br>
</li>
<li>harden nginx / php communication<br>
php-fpm is the typical tool to communicate with one or more PHP
interpreters. Nginx just starts php-fpm, which in turn takes
care of the PHP script interpretation by means of the
interpreter processes. The interpreter processes run within
a so-called pool (of processes).<br>
The good thing is that you can set up multiple pools, each
with its own configuration, running as a different user,
which allows hardening PHP script execution.<br>
How do I tell the proxied servers or php-fpm to use a
certain pool for a certain server?<br>
<br>
</li>
<li>reach proxied servers within LAN<br>
What you originally described refers to operations described
in<br>
<ol>
<li><a
href="https://forum.netgate.com/topic/21237/reach-webserver-by-public-ip-from-within-lan">pfSense
- Reach webserver by public IP from within LAN</a></li>
<li><a
href="https://forum.netgate.com/topic/105405/can-t-reach-internal-web-server">pfSense
- Can't reach internal web server / NAT Reflection,
Split DNS</a></li>
<li><a
href="https://forum.netgate.com/topic/112709/how-to-nat-a-web-server">pfSense
- How to NAT a web server</a></li>
</ol>
but nothing mentioned there or by you is supported by my
router; at least I can declare a fixed IP for the NAS and set
the NAS as primary DNS server to do:<br>
<ol>
<li><a
href="https://superuser.com/questions/45789/running-dns-locally-for-home-network">Running
DNS locally for home network</a></li>
<li><a
href="https://forum.netgate.com/topic/112709/how-to-nat-a-web-server">How
To Configure BIND as a Private Network DNS Server</a></li>
</ol>
So the nginx-related question: do I need to add a listener on
NAS_IP:LANPort to proxy the webserver within the LAN?<br>
<br>
</li>
<li>(new) how to debug<br>
In /etc/nginx/nginx.conf there is:<br>
<pre>access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_access,nohostname main;
error_log  syslog:server=unix:/dev/log,facility=local7,tag=nginx_error,nohostname error;</pre>
so I assume <a
href="https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/">Debug
Logging</a> is available, although <tt>$ nginx -V
2&gt;&amp;1 | grep -- '--with-debug'</tt> does not return
anything.<br>
How can I debug points 1 to 3 best?<br>
<br>
</li>
<li>syno setup is complicated / get new hardware that allows
running Linux and Docker.<br>
I know, but I'm still hoping that there will be an ARM
processor for a home server.<br>
I'll get new hardware in the long term, but currently I'm
trying to understand the Syno setup; at least I found, most
likely, all relevant locations to configure nginx and php:
<br>
<pre>
<b>nginx</b>
  /etc/nginx
    /etc/nginx/app.d                   symlink to /var/tmp/nginx/app.d
    /etc/nginx/conf.d                  symlink to /etc/nginx/conf.d
    /etc/nginx/sites-enabled           symlink to /etc/nginx/sites-enabled
    nginx.conf                         generated by nginx-conf-generator.sh
    ...
  /etc.defaults/nginx
  /etc/init                            symlink to /usr/share/init (pre-start script)
    nginx.conf
  /usr/local/etc/nginx
    /usr/local/etc/nginx/conf.d        empty
    /usr/local/etc/nginx/sites-enabled empty
  /usr/share/nginx
    /usr/share/nginx/html
      50x.html
      index.html
  /usr/syno/etc/rc.sysv
    nginx-conf-generator.sh
  /usr/syno/share/nginx
    /usr/syno/share/nginx/conf.d       location configs
      *.mustache                       files properly used by nginx-conf-generator.sh
  /var/lib/nginx                       symlink to /var/services/tmp/nginx
  /var/tmp/nginx
    /var/tmp/nginx/app
    /var/tmp/nginx/app.d
    /var/tmp/nginx/conf.d              empty
    /var/tmp/nginx/trusted_proxy

<b>php</b> (php5 is used by <a href="https://www.phpmyadmin.net/">phpMyAdmin</a>)
  /etc/php
    php.ini          (extension_dir = "/usr/lib/php/modules" &amp; sendmail_path = /usr/bin/ssmtp -t)
  /etc.defaults/php
    php.ini          (extension_dir = "/usr/lib/php/modules" &amp; sendmail_path = /usr/bin/ssmtp -t)
  /etc/init                            symlink to /usr/share/init (pre-start script)
    php_timezone_update.conf
    pkgctl-PHP5.6.conf
    pkgctl-PHP7.0.conf
    pkg-php56-fpm.conf
    pkg-php70-fpm.conf
    pkg-WebStation-php56.conf
    pkg-WebStation-php70.conf
    ...
  /lib                                 symlink to /usr/lib
  /run/php-fpm
    php*-fpm*
  /usr/lib/php
    /usr/lib/php/modules               (same modules as listed in /etc/php/php.ini)
    /usr/lib/php/phpmailer
    /usr/lib/php/phpoffice
  /usr/local/bin
    /usr/local/bin/feasibilitycheck
    ...
    php70-cgi                          symlink to /var/packages/PHP7.0/target/usr/local/bin/php70-cgi
    php70-fpm                          symlink to /var/packages/PHP7.0/target/usr/local/bin/php70-fpm
    ...
  /usr/local/etc
    /usr/local/etc/php56
      /usr/local/etc/php56/conf.d
      /usr/local/etc/php56/fpm.d
      /usr/local/etc/php56/freetds
      php.ini
      php-fpm.conf                     symlink to /volume1/@appstore/PHP5.6//usr/local/etc/php56/php-fpm.conf
    /usr/local/etc/php70
      /usr/local/etc/php70/conf.d
      /usr/local/etc/php70/fpm.d
      /usr/local/etc/php70/freetds     symlink to /volume1/@appstore/PHP7.0//usr/local/etc/php70/freetds
      php.ini
      php-fpm.conf                     symlink to /volume1/@appstore/PHP7.0//usr/local/etc/php70/php-fpm.conf
  /usr/local/lib
    /usr/local/lib/php56
      /usr/local/lib/php56/modules     empty
    /usr/local/lib/php70
      /usr/local/lib/php70/modules     empty
  /var/packages
    /var/packages/PHP5.6
      /var/packages/PHP5.6/conf
      /var/packages/PHP5.6/etc         symlink to /usr/syno/etc/packages/PHP5.6
      /var/packages/PHP5.6/scripts
      /var/packages/PHP5.6/target      symlink to /volume1/@appstore/PHP5.6
    /var/packages/PHP7.0
      /var/packages/PHP7.0/conf
      /var/packages/PHP7.0/etc         symlink to /usr/syno/etc/packages/PHP7.0
      /var/packages/PHP7.0/scripts
      /var/packages/PHP7.0/target      symlink to /volume1/@appstore/PHP7.0

<b>php managed by WebStation</b> (Synology's web site hosting package)
  /var/packages/WebStation/target/misc
    /var/packages/WebStation/target/misc/WebStation-php56
      /var/packages/WebStation/target/misc/WebStation-php56/conf.d
        extension.ini
    ...
    php56.ini
    php56_fpm.conf
    php70.ini
    php70_fpm.conf
    ...
</pre>
<br>
</li>
</ol>
<p><br>
</p>
<div class="m_4019222260713586108moz-cite-prefix">On 28.09.2018
20:49, Reinis Rozitis wrote:<br>
</div>
<blockquote type="cite">
<blockquote type="cite">
<pre class="m_4019222260713586108moz-quote-pre">how do I do it exactly, regardless of whether it is cumbersome?
</pre>
</blockquote>
<pre class="m_4019222260713586108moz-quote-pre">Well you configure each individual nginx to listen ( <a class="m_4019222260713586108moz-txt-link-freetext" href="https://nginx.org/en/docs/http/ngx_http_core_module.html#listen" target="_blank">https://nginx.org/en/docs/http/ngx_http_core_module.html#listen</a> ) on a unix socket:
Config on nginx1:
..
events { }
http {
server {
listen unix:/some/path/user1.sock;
..
}
}
Config on nginx2:
..
server {
listen unix:/some/path/user2.sock;
...
}
And then on the main server you configure the per-user virtualhosts to be proxied to particular socket:
server {
listen 80;
server_name user1.domain;
location / {
proxy_pass <a class="m_4019222260713586108moz-txt-link-freetext" href="http://unix:/some/path/user1.sock" target="_blank">http://unix:/some/path/user1.sock</a>;
}
}
server {
listen 80;
server_name user2.domain;
location / {
proxy_pass <a class="m_4019222260713586108moz-txt-link-freetext" href="http://unix:/some/path/user2.sock" target="_blank">http://unix:/some/path/user2.sock</a>;
}
}
(obviously it's just a mockup and you need to add everything else like http {} blocks, root paths, SSL certificates (if available) etc)
</pre>
<blockquote type="cite">
<pre class="m_4019222260713586108moz-quote-pre">So far I assumed that the worker starts the backend application; the access to php is configured in the server block (my reference is What is the easiest way to enable PHP on nginx? and Serve PHP with PHP-FPM and NGINX). My googling tells me that the PHP process usually runs with the permissions of the webserver.
</pre>
</blockquote>
<pre class="m_4019222260713586108moz-quote-pre">Not exactly.
nginx and php-fpm (which is the typical way of running php under nginx) are different processes/daemons, each having their own configuration, and they communicate via FastCGI (<a class="m_4019222260713586108moz-txt-link-freetext" href="http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html" target="_blank">http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html</a> ) via tcp or unix socket; both can run under different system users (php-fpm can even manage multiple pools, each under its own user and with different settings).
The guide you linked on <a href="http://linode.com" target="_blank">linode.com</a> isn't fully correct "The listen.owner and listen.group variables are set to www-data by default, but they need to match the user and group NGINX is running as."
The users don't need to match but the nginx user needs read/write permissions on the socket file (setting the same user just makes the guide simpler and less error prone).
You can always put the nginx and php-fpm user in a group and make the socket file group writable (via listen.mode = 0660 in php-fpm.conf)
</pre>
<blockquote type="cite">
<pre class="m_4019222260713586108moz-quote-pre">Unfortunately, my NAS does not support it
</pre>
</blockquote>
<pre class="m_4019222260713586108moz-quote-pre">While the Synologies are Linux-based, maybe running somewhat complicated setups (user/app isolation) and exposing them to the WAN is not the best option.
Also it beats the whole idea of DSM being a user-friendly centralized GUI tool. A regular pc/server with some native linux distribution (Ubuntu, Debian, Fedora, Opensuse etc) might be a better choice (and imho easier to experiment on) and you can always attach the NAS to the linux box (via NFS, samba/cifs, webdav etc).
rr
_______________________________________________
nginx mailing list
<a class="m_4019222260713586108moz-txt-link-abbreviated" href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a>
<a class="m_4019222260713586108moz-txt-link-freetext" href="http://mailman.nginx.org/mailman/listinfo/nginx" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a>
</pre>
</blockquote>
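<p>Added example, not code from this thread or from the nginx or php-fpm projects: it ties the per-user socket layout from the quoted reply to the pool question in point 2 (one php-fpm pool per site user, selected by the matching server block through the pool's own socket) and audits a pool file for settings that would undo that isolation. User names, paths, domains and the nginx user/group are placeholders.</p>

```python
"""Constructed example: one php-fpm pool per site user, selected by nginx through
the pool's own unix socket, plus a small audit of a pool file. Placeholders throughout."""
import re

def fpm_pool(user, nginx_group="www-data", sock_dir="/run/php-fpm", mode="0660"):
    """Pool file for one site user: own uid, own socket, socket group-accessible to nginx only."""
    return "\n".join([
        f"[{user}]",
        f"user = {user}",
        f"group = {user}",
        f"listen = {sock_dir}/{user}.sock",
        f"listen.owner = {user}",
        f"listen.group = {nginx_group}",
        f"listen.mode = {mode}",
        "pm = ondemand",
        "pm.max_children = 5",
        f"php_admin_value[open_basedir] = /srv/{user}:/tmp",  # confine scripts to the site
        "",
    ])

def nginx_vhost(user, domain, sock_dir="/run/php-fpm"):
    """Server block for that user's domain: the fastcgi_pass target is what ties it to the pool."""
    return "\n".join([
        "server {",
        "    listen 80;",
        f"    server_name {domain};",
        f"    root /srv/{user}/www;",
        "    location ~ \\.php$ {",
        "        include fastcgi_params;",
        "        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;",
        f"        fastcgi_pass unix:{sock_dir}/{user}.sock;",
        "    }",
        "}",
        "",
    ])

def audit_pool(pool_text, nginx_user="www-data"):
    """Flag pool settings that undo the per-user isolation the pool is meant to give."""
    findings = []
    kv = dict(re.findall(r"^([\w.]+)\s*=\s*(\S+)", pool_text, re.M))
    mode = kv.get("listen.mode")
    if mode is None:
        findings.append("listen.mode not set explicitly")
    elif int(mode, 8) & 0o007:  # any 'other' bit lets every local user talk to the pool
        findings.append(f"socket is world-accessible (listen.mode = {mode})")
    if kv.get("user") == nginx_user:
        findings.append(f"pool runs as the nginx user {nginx_user}: no isolation")
    return findings
```

The generated pool file goes into php-fpm's pool include directory and the server block into the nginx include directory; audit_pool is the check to run over an existing pool file before exposing the site.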
</div>
</div>
</body>
</html>