Possible nginx security enhancement

Igor Sysoev igor at sysoev.ru
Thu Jul 28 18:22:05 UTC 2011


On Thu, Jul 28, 2011 at 07:59:14PM +0200, Michele Alzetta wrote:
> Hello all,
> 
> I have been using nginx very satisfactorily for a few years by now.
> 
> Recently I noticed I was having problems with my sites, and finally traced
> them back to an nginx problem.
> 
> I use nginx on a gentoo linux system, and when nginx is emerged the
> necessary directories are created in /var/tmp:
> 
> nginx - client
>       - fastcgi
>       - proxy
>       - scgi
>       - uwsgi
> 
> What happens is that, if the /var/tmp/nginx directory is missing, nginx will
> not start at all. However, if subdirectories have been cancelled, nginx
> will start normally, but sites won't work properly (things like uploading
> attachments for squirrelmail or changing theme preferences in drupal, etc.).
> In my case, the /var/tmp/nginx subdirectories had been cancelled (my
> fault).
> 
> I appreciate the fact that nginx checks the conf file before starting or
> restarting - helps avoid a mess when you've edited a file and forgotten
> an extra } somewhere.
> 
> Wouldn't it be good if it also checked for the proper directories to
> exist? Or even created them if they didn't exist?
> 
> /var/tmp is a directory which may be cleaned up periodically to avoid
> useless clutter and this sometimes leads to weird mistakes.
> 
> Just a suggestion.

I do not think that /var/tmp/nginx is a good place for nginx temp files.
nginx may relink temporary files to permanent storage, so these directories
are better:

/var/nginx/fastcgi_cache
           fastcgi_temp
           ...


-- 
Igor Sysoev
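
The check asked for in this thread can be done outside nginx. The script below is an added example, not part of the original messages and not nginx code: it reads configuration text, pulls the directory from each *_temp_path directive, and flags directories that are missing, world-writable, or under /tmp or /var/tmp. The sample config and the optional ROOT argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not nginx code): check the directories named by nginx
# *_temp_path directives. Config text is read on stdin, e.g. `nginx -T`.

# Constructed sample config: one path from the report, one from the reply.
SAMPLE_CONF='client_body_temp_path /var/tmp/nginx/client;   # Gentoo layout
fastcgi_temp_path /var/nginx/fastcgi_temp 1 2;
# scgi_temp_path /var/tmp/nginx/scgi;  (commented out, must be ignored)'

# Print the first argument of every *_temp_path directive, one per line.
list_temp_paths() {
    sed -e 's/#.*//' |
    awk '$1 ~ /^(client_body|proxy|fastcgi|uwsgi|scgi)_temp_path$/ {
             p = $2; sub(/;$/, "", p); print p
         }'
}

# check_temp_paths [ROOT]: report problems, return 1 if any were found.
# ROOT is a hypothetical optional prefix for checking a staged file tree.
# Paths containing whitespace are not handled.
check_temp_paths() {
    root=${1:-}
    rc=0
    for dir in $(list_temp_paths); do
        case "$dir" in
            /tmp/*|/var/tmp/*)
                echo "WARN  $dir: under a directory that periodic cleanup may purge"
                rc=1 ;;
        esac
        if [ ! -d "$root$dir" ]; then
            echo "FAIL  $dir: missing"
            rc=1
        elif [ -n "$(find "$root$dir" -prune -perm -0002)" ]; then
            echo "FAIL  $dir: world-writable"
            rc=1
        fi
    done
    return "$rc"
}

# Usage on a live host:  nginx -T 2>/dev/null | check_temp_paths
```

Run before start or reload, a non-zero exit can block the service from coming up with temp directories that uploads and proxied responses depend on.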


