Nginx as Reverse Proxy for multiple servers binded to proxy using UNIX sockets - how to reached in LAN

Reinis Rozitis r at roze.lv
Thu Sep 27 10:14:29 UTC 2018 

> I have a Synology NAS what runs a nginx as default web server to run all their apps. I would like to extend it to meet the following.
> 
> The purposes is that  if the useraccount webapp1 is compromised, it will only affect webaoos1's web server.. and repeat this for all accounts/websites/whatever you want to keep separated. this approach use some more ram than having a single nginx instance do everything directly.
>
> Besides the question for the optimal setup to realize this


While technically you could run per-user nginx listening on an unix socket and then make a proxy on top of those while doable it feels a bit cumbersome (at least to me).

Usually what gets compromised is the (dynamic) backend application (php/python/perl/lua etc) not the nginx/webserver itself, also nginx by default doesn't run under root but 'nobody'. root is only needed on startup for the master process to open 80/443 (ports below 1024) then all the workers switch to an unprivileged user.

One way of doing this would be instead of launching several nginxes just run the backend processes (like php-fpm, gunicorns etc) under particular users and let nginx communicate to those via sockets.


I'm not familiar how Synology NAS  internally separates different user processes but it has Docker support ( https://www.synology.com/en-global/dsm/feature/docker ) and even Virtual Machine Manager which technically would be a better user / application isolation. 


> I'm wondering how I can call the web server locally, within my LAN if I call them by the NAS's IP.

It depends on your network topology.

Does the Synology box has only LAN interface? Then you either need to configure portforwarding on your router or make a server/device which has both lan/wan interfaces (DMZ) and then can expose either on tcp level (for example via iptables) or via http proxy the internal websites/resources.

If you make a virtual machine for each user you can then assign a separate LAN or WAN ip for each instance.


But this kind of gets out of the scope of this mailing list.   

rr

More information about the nginx mailing list