<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><tt>Hello Reinis and others,</tt></p>
<p><tt>I still don't get it, as the information is not consistent,
rather inconsistent. I find plenty of information on how to
run separate PHP-FPM pools with unique user accounts for each,
but I haven't found anything similar for nginx. <br>
</tt></p>
<p><tt>How do I make sure not to put the entire server at risk if a web
app/virtual host is compromised? If I understand the nginx
worker
processes correctly, a new worker process is started for each </tt><code>.conf
</code><tt> file read by the nginx master process by means of </tt><code><a
href="https://nginx.org/en/docs/ngx_core_module.html#include">include</a></code><tt>.
</tt><br>
</p>
<p><tt> If I want to run the virtual host under a unique (and
limited) user account to avoid cross-server hacks, the way to get
there is to put the </tt><code>.conf </code><tt> of each
virtual host in the user folder of its dedicated virtual host
user. In addition I put the unique </tt><code><a
href="https://nginx.org/en/docs/ngx_core_module.html#user">user</a></code><tt>
directive (the virtual host user) in each </tt><code>.conf </code><tt>
file of the virtual hosts. Is that assumption correct? <br>
</tt></p>
<p><tt>thank you <br>
</tt></p>
<p><tt>Stefan<br>
</tt></p>
<div class="moz-cite-prefix">On 12.10.2018 23:59, Stefan Müller
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:e94e3e8d-0029-eb2c-ee66-77a9c4a443d0@gmail.com">
<p>hello,</p>
<p>almost all questions are answered</p>
<ol>
<li>local DNS Server <br>
using the DHCP server of the router and running a DNS Server on the
NAS, all unresolved queries are resolved by means of the
router's WAN0 DNS settings<br>
</li>
<li>debug logging</li>
<li>php isolation<br>
create a pool per webpage and run
them as separate users by creating a php.conf per pool<br>
</li>
<li><b>nginx</b><br>
this is the only one remaining. How can I isolate the servers?</li>
</ol>
<p>thx a lot</p>
<p>Stefan<br>
</p>
<div class="moz-cite-prefix">On 07.10.2018 21:42, Stefan Müller
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:f00c3c44-32c7-31dc-0423-c79a27ff7f7a@gmail.com">good
evening, <br>
<br>
in the past we were mailing each other on a daily basis but now
it is silent. Is everything alright? <br>
<br>
On 03.10.2018 23:02, Stefan Müller wrote: <br>
<blockquote type="cite"> <br>
thank you again for your quick answer but I'm getting lost <br>
<br>
<br>
<blockquote type="cite">A typical nginx configuration has only
one http {} block. <br>
<br>
You can look at some examples: <br>
</blockquote>
I'm aware of those and other examples. What confuses me is that
you say that but also said in the email before that one: <br>
<br>
<blockquote type="cite">If you put everything (both the user
unix sockets and also the parent proxy server) under the
same http{} block then it makes no sense since a single
instance of nginx always runs under the same user (and beats
the whole user/app isolation). <br>
</blockquote>
<br>
so how must the setup be to get the whole user/app isolation <br>
<br>
nginx.pid - master process <br>
\_nginx.conf <br>
\_http{} - master server <br>
\_http{} - proxied/app servers <br>
<br>
or <br>
<br>
nginx.pid - master process <br>
\_nginx1.conf - master server <br>
\_http{} - reverse proxy server <br>
\_nginx2.conf - proxied servers <br>
\_http{} - proxied/app servers <br>
<br>
or? <br>
<br>
If it is only one nginx.pid, how do I need to configure it to
run nginx1.conf and nginx2.conf? <br>
<br>
<br>
<br>
<blockquote type="cite">Unless by "router" you mean the same
Synology box you can't proxy unix sockets over TCP, they
work only inside a single server/machine. <br>
</blockquote>
I mean my fibre router and I'm aware that unix sockets work
only inside a single server/machine. I'll use it only to
redirect to the DNS Server that will run on the Synology box <br>
<br>
<br>
<blockquote type="cite">Also you don't need to forward
multiple ports, just 80 and 443 (if ssl) and have name-based
virtualhosts. <br>
</blockquote>
<br>
you got me, I had mistaken that, it got too late last night <br>
<br>
<br>
On 03.10.2018 02:09, Reinis Rozitis wrote: <br>
<blockquote type="cite">
<blockquote type="cite">so all goes in the same nginx.conf
but in different http{} block or do I need one nginx.conf
for each, the user unix sockets and also the parent proxy
server? <br>
</blockquote>
A typical nginx configuration has only one http {} block. <br>
<br>
You can look at some examples: <br>
<a class="moz-txt-link-freetext"
href="https://nginx.org/en/docs/http/request_processing.html"
moz-do-not-send="true">https://nginx.org/en/docs/http/request_processing.html</a>
<br>
<a class="moz-txt-link-freetext"
href="https://nginx.org/en/docs/http/server_names.html"
moz-do-not-send="true">https://nginx.org/en/docs/http/server_names.html</a>
<a class="moz-txt-link-freetext"
href="https://www.nginx.com/resources/wiki/start/topics/examples/server_blocks/"
moz-do-not-send="true">https://www.nginx.com/resources/wiki/start/topics/examples/server_blocks/</a><br>
<br>
<br>
<blockquote type="cite">You suggesting to setup virtualhosts
what listen to a port whereto traffic is forwarded from
the router. I don't to have multiple ports open at the
router, so I would like to stick with UNIX Sockets and
proxy. <br>
</blockquote>
Unless by "router" you mean the same Synology box, you can't
proxy unix sockets over TCP; they work only inside a single
server/machine. <br>
<br>
Also you don't need to forward multiple ports, just 80 and
443 (if ssl) and have name-based virtualhosts. <br>
<br>
rr <br>
<br>
_______________________________________________ <br>
nginx mailing list <br>
<a class="moz-txt-link-abbreviated"
href="mailto:nginx@nginx.org" moz-do-not-send="true">nginx@nginx.org</a>
<br>
<a class="moz-txt-link-freetext"
href="http://mailman.nginx.org/mailman/listinfo/nginx"
moz-do-not-send="true">http://mailman.nginx.org/mailman/listinfo/nginx</a>
<br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
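<p>The layout the thread circles around (a front reverse proxy plus one nginx master process per site, joined by unix sockets), written out as an added example; this is not configuration from any of the messages above. Two points from the nginx documentation drive the shape of it: <code>user</code> is a main-context directive that applies to every worker of one master process, and <code>include</code> only reads files, it does not start extra workers, so one master cannot run two virtual hosts as two different users. Per-user isolation therefore needs a separate master (and separate pid file) per site, started with its own config via <code>nginx -c</code>, which is the second tree in the 03.10.2018 message. Host names, users (<code>www-data</code>, <code>app1</code>) and paths under <code>/srv</code> are made up for the example.</p>

```nginx
# --- File 1: /etc/nginx/nginx.conf  (front reverse proxy, master started as root) ---
# Only ports 80/443 are forwarded from the router; name-based server blocks
# route each host name to that site's own nginx instance over a unix socket.
user www-data;
worker_processes auto;
pid /run/nginx-front.pid;
error_log /var/log/nginx/front-error.log;

events { worker_connections 1024; }

http {
    upstream app1 { server unix:/srv/app1/run/nginx.sock; }
    upstream app2 { server unix:/srv/app2/run/nginx.sock; }

    server {
        listen 80;
        server_name app1.example.com;
        location / {
            proxy_pass http://app1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }

    server {
        listen 80;
        server_name app2.example.com;
        location / {
            proxy_pass http://app2;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}

# --- File 2: /srv/app1/nginx.conf  (a second, independent master for app1 only) ---
# Started separately:   nginx -c /srv/app1/nginx.conf
# "user" applies to all workers of this master and is honoured only when the
# master itself is started as root; everything this instance writes stays
# under /srv/app1, so a compromised app1 cannot touch app2's tree.
user app1;
worker_processes 1;
pid /srv/app1/run/nginx.pid;
error_log /srv/app1/log/error.log;

events { worker_connections 256; }

http {
    access_log /srv/app1/log/access.log;
    client_body_temp_path /srv/app1/tmp/client_body;
    proxy_temp_path /srv/app1/tmp/proxy;
    fastcgi_temp_path /srv/app1/tmp/fastcgi;

    server {
        # No TCP port at all: reachable only through the socket the front proxy uses.
        listen unix:/srv/app1/run/nginx.sock;
        root /srv/app1/www;
        index index.php index.html;

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # The per-site PHP-FPM pool from item 3 of the thread, also running as app1.
            fastcgi_pass unix:/srv/app1/run/php-fpm.sock;
        }
    }
}
```

<p>The two files are separate nginx.conf files for two master processes (a single file cannot carry two <code>user</code> or two <code>events</code> blocks); the app2 instance is the same as file 2 with <code>app1</code> replaced. nginx creates a unix listening socket world-accessible, so the access control is the directory: in this example <code>/srv/app1/run</code> would be owned by <code>app1</code> with group <code>www-data</code> and mode 0750, so only the site's own processes and the front proxy's workers can reach either socket. Each instance can be checked on its own with <code>nginx -t -c /srv/app1/nginx.conf</code> before it is started.</p>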
</body>
</html>