Nginx as Reverse Proxy for multiple servers binded to proxy using UNIX sockets - how to reached in LAN

Stefan Mueller stefan.mueller.83 at
Fri Sep 28 17:01:04 UTC 2018

Hoi Reinis,

I aswered inline and applied colors for my (#6633ff) and your (#cc9933) text
for better readability

Thanks a lot for your input


> I have a Synology NAS what runs a nginx as default web server to run all
their apps. I would like to extend it to meet the following. ​> > The
purposes is that if the useraccount webapp1 is compromised, it will only
affect webaoos1's web server.. and repeat this for all
accounts/websites/whatever you want to keep separated. this approach use
some more ram than having a single nginx instance do everything directly. ​>
​> Besides the question for the optimal setup to realize this ​ While
technically you could run per-user nginx listening on an unix socket and
then make a proxy on top of those while doable iit feels a bit cumbersome
(at least to me).

how do I do it eaxtly regardless if it is cumbersome?. Be it only for
informational purpose but it makes the entire conversation a bit
easier. Combined
with the outcome of the section it could outline all possbiel options
(incl. pro and cons).

​ Usually what gets compromised is the (dynamic) backend application
(php/python/perl/lua etc) not the nginx/webserver itself, also nginx by
default doesn't run under root but 'nobody'. root is only needed on startup
for the master process to open 80/443 (ports below 1024) then all the
workers switch to an unprivileged user.

So far I assuemd that the worker start the backend application the access
to php is configured in the server block (my reference is What is the
easiest way to enable PHP on nginx?
and Serve PHP with PHP-FPM and NGINX
). My googling tells my that the PHP process usually runs with the
permissions of the webserver. So I need to find a way that each
webapplication (webapp1, webapp2, etc.) call its PHPs using a unique user
account. When I read nginx + php run with different user id
and changing php user to run as nginx user
it must be somehow possible. Could share mor information how to achive

One way of doing this would be instead of launching several nginxes just
run the backend processes (like php-fpm, gunicorns etc) under particular
users and let nginx communicate to those via sockets. ​ ​ I'm not familiar
how Synology NAS internally separates different user processes but it has
Docker support ( and
even Virtual Machine Manager which technically would be a better user /
application isolation.

Unfortunettely, my NAS does not support it

> I'm wondering how I can call the web server locally, within my LAN if I
call them by the NAS's IP. ​ It depends on your network topology. ​ ​ Does
the Synology box has only LAN interface? Then you either need to configure
portforwarding on your router or make a server/device which has both
lan/wan interfaces (DMZ) and then can expose either on tcp level (for
example via iptables) or via http proxy the internal websites/resources

The NAS has only one LAN interface. You suggest a more complex solution as
just simple NAT port fowarding, as explained in Using router and internal
LAN port forwarding device - Advice please :)
. I have simple router, the Zyxel NBG6616
it seems that is supports DMZ
<> and if your refer to
a static DHCP table by IP Table than it is supported as well but doens't
look good for the http proxy. I still not understand how to forward to UNIX
Sockets. Do I need custom ports entry in the prox part like NASIP:80001 ->
Wepapp1ViaUNIXSocket NASIP:80002 -> Wepapp1ViaUNIXSocket

I could run a DNS server on the NAS if that simplifies it.

​ If you make a virtual machine for each user you can then assign a
separate LAN or WAN ip for each instance.

VMs aren't supported, so it isn't an option

​ ​ But this kind of gets out of the scope of this mailing list. ​ ​ rr
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list