From john.t.gruber at gmail.com Wed Aug 21 18:47:21 2019
From: john.t.gruber at gmail.com (John Gruber)
Date: Wed, 21 Aug 2019 13:47:21 -0500
Subject: owner of the control socket
Message-ID:

I'm attempting to proxy_pass secured access to the unit control socket from
an nginx instance running as my distro default nginx user. The unit control
socket is owned and restricted to 'root' access. Therefore I get a 502
error from my requests to the nginx listener. If I chmod the control socket
to nginx:nginx (the same user I run unitd and nginx), my proxy_pass secured
access works.

Can anyone tell me how to get unitd to create the control socket as its
configured user and group?

For example:

unitd --user nginx --group nginx

would then create my control socket owned by nginx:nginx?

I would really rather not wrap a shell script around my instance so that I
run chown every time unitd runs.

From vbart at nginx.com Thu Aug 22 19:50:20 2019
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Thu, 22 Aug 2019 22:50:20 +0300
Subject: Unit 1.10.0 release
Message-ID: <3845701.mcnl43KuP3@vbart-laptop>

Hi,

I'm glad to announce a new release of NGINX Unit.

This release includes a number of improvements in various language modules
and, finally, basic handling of incoming WebSocket connections, currently
only for Node.js. Next in line to obtain WebSocket support is the Java
module; it's almost ready but requires some polishing.

To handle WebSocket connections in your Node.js app via Unit, use the
server object from the 'unit-http' module instead of the default one:

  var webSocketServer = require('unit-http/websocket').server;

Another interesting and long-awaited feature in this release is the
splitting of PATH_INFO in the PHP module. Now, Unit can properly handle
requests like /app.php/some/path?some=args, which are often used to
implement "user-friendly" URLs in PHP applications.
Changes with Unit 1.10.0                                         22 Aug 2019

    *) Change: matching of cookies in routes made case sensitive.

    *) Change: decreased log level of common errors when clients close
       connections.

    *) Change: removed the Perl module's "--include=" ./configure option.

    *) Feature: built-in WebSocket server implementation for Node.js module.

    *) Feature: splitting PATH_INFO from request URI in PHP module.

    *) Feature: request routing by scheme (HTTP or HTTPS).

    *) Feature: support for multipart requests body in Java module.

    *) Feature: improved API compatibility with Node.js 11.10 or later.

    *) Bugfix: reconfiguration failed if "listeners" or "applications"
       objects were missing.

    *) Bugfix: applying a large configuration might have failed.

Please welcome our new junior developer, Axel Duch. For this release, he
implemented scheme matching in request routing; now, he works to further
extend the request routing capabilities with source and destination address
matching.

In parallel, Tiago Natel de Moura, who also joined the development recently,
has achieved significant progress in the effort to add various process
isolation features to Unit. You can follow his recent work on Linux
namespaces support in the following pull request:

 - https://github.com/nginx/unit/pull/289

See also his email about the feature:

 - https://mailman.nginx.org/pipermail/nginx/2019-August/058321.html

In the meantime, we are about to finish the first round of adding basic
support for serving static media assets and proxying in Unit.

Stay tuned!

  wbr, Valentin V. Bartenev

From vbart at nginx.com Thu Aug 22 20:08:02 2019
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Thu, 22 Aug 2019 23:08:02 +0300
Subject: owner of the control socket
In-Reply-To:
References:
Message-ID: <6835850.XAfyQXM5ja@vbart-laptop>

On Wednesday, 21 August 2019 21:47:21 MSK John Gruber wrote:
> I'm attempting to proxy_pass secured access to the unit control socket from
> an nginx instance running as my distro default nginx user.
> The unit control socket is owned and restricted to 'root' access.
> Therefore I get a 502 error from my requests to the nginx listener. If I
> chmod the control socket to nginx:nginx (the same user I run unitd and
> nginx), my proxy_pass secured access works.
>
> Can anyone tell me how to get unitd to create the control socket as its
> configured user and group?
>
> For example:
>
> unitd --user nginx --group nginx
>
> would then create my control socket owned by nginx:nginx?
[..]

These options specify user and group for unprivileged processes
and don't affect control socket, which is for security purposes
managed by root.

>
> I would really rather not wrap a shell script around my instance so that I
> run chown every time unitd runs.
>

That's a known problem. Adding options for changing control socket
permissions is in our TODO list.

  wbr, Valentin V. Bartenev

From pmuals7 at gmail.com Fri Aug 23 00:13:51 2019
From: pmuals7 at gmail.com (Alen Topcic)
Date: Fri, 23 Aug 2019 02:13:51 +0200
Subject: owner of the control socket
In-Reply-To: <6835850.XAfyQXM5ja@vbart-laptop>
References: <6835850.XAfyQXM5ja@vbart-laptop>
Message-ID:

hello just send a picture

On 22 Aug 2019 at 22:06, "Valentin V. Bartenev" wrote:

> On Wednesday, 21 August 2019 21:47:21 MSK John Gruber wrote:
> > I'm attempting to proxy_pass secured access to the unit control socket from
> > an nginx instance running as my distro default nginx user. The unit control
> > socket is owned and restricted to 'root' access. Therefore I get a 502
> > error from my requests to the nginx listener. If I chmod the control socket
> > to nginx:nginx (the same user I run unitd and nginx), my proxy_pass secured
> > access works.
> >
> > Can anyone tell me how to get unitd to create the control socket as its
> > configured user and group?
> >
> > For example:
> >
> > unitd --user nginx --group nginx
> >
> > would then create my control socket owned by nginx:nginx?
> [..]
>
> These options specify user and group for unprivileged processes
> and don't affect control socket, which is for security purposes
> managed by root.
>
> >
> > I would really rather not wrap a shell script around my instance so that I
> > run chown every time unitd runs.
> >
>
> That's a known problem. Adding options for changing control socket
> permissions is in our TODO list.
>
> wbr, Valentin V. Bartenev
>
> _______________________________________________
> unit mailing list
> unit at nginx.org
> https://mailman.nginx.org/mailman/listinfo/unit
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20190823_020625.jpg
Type: image/jpeg
Size: 667516 bytes
Desc: not available
URL:

From john.t.gruber at gmail.com Fri Aug 23 02:51:24 2019
From: john.t.gruber at gmail.com (John Gruber)
Date: Thu, 22 Aug 2019 21:51:24 -0500
Subject: owner of the control socket
In-Reply-To: <6835850.XAfyQXM5ja@vbart-laptop>
References: <6835850.XAfyQXM5ja@vbart-laptop>
Message-ID:

Thank you... I wrapped it. A little bash magic goes a long way.

The NGINX Unit eBook states on page 3: "The NGINX Unit control process is
advertised through an API. The API can be configured to be served through a
Unix or TCP socket. I didn't see a unitd option to create the control
socket on a TCP listener. Right now I am fronting Unit with another NGINX
instance and have route to the unix socket. Is that a typo in the eBook or
did I just miss something?

Thanks again.. loving things so far!

On Thu, Aug 22, 2019 at 3:06 PM Valentin V. Bartenev wrote:

> On Wednesday, 21 August 2019 21:47:21 MSK John Gruber wrote:
> > I'm attempting to proxy_pass secured access to the unit control socket from
> > an nginx instance running as my distro default nginx user. The unit control
> > socket is owned and restricted to 'root' access.
> > Therefore I get a 502 error from my requests to the nginx listener. If I
> > chmod the control socket to nginx:nginx (the same user I run unitd and
> > nginx), my proxy_pass secured access works.
> >
> > Can anyone tell me how to get unitd to create the control socket as its
> > configured user and group?
> >
> > For example:
> >
> > unitd --user nginx --group nginx
> >
> > would then create my control socket owned by nginx:nginx?
> [..]
>
> These options specify user and group for unprivileged processes
> and don't affect control socket, which is for security purposes
> managed by root.
>
> >
> > I would really rather not wrap a shell script around my instance so that I
> > run chown every time unitd runs.
> >
>
> That's a known problem. Adding options for changing control socket
> permissions is in our TODO list.
>
> wbr, Valentin V. Bartenev

From vbart at nginx.com Fri Aug 23 11:37:17 2019
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Fri, 23 Aug 2019 14:37:17 +0300
Subject: owner of the control socket
In-Reply-To:
References: <6835850.XAfyQXM5ja@vbart-laptop>
Message-ID: <4169300.dMHuJOpqMi@vbart-laptop>

On Friday, 23 August 2019 05:51:24 MSK John Gruber wrote:
> Thank you... I wrapped it. A little bash magic goes a long way.
>
> The NGINX Unit eBook states on page 3: "The NGINX Unit control process is
> advertised through an API. The API can be configured to be served through a
> Unix or TCP socket. I didn't see a unitd option to create the control
> socket on a TCP listener. Right now I am fronting Unit with another NGINX
> instance and have route to the unix socket. Is that a typo in the eBook or
> did I just miss something?
[..]

It's as simple as:

  --control 127.0.0.1:4444

Thank you for the feedback.
I've just asked our technical writer to improve the documentation on
https://unit.nginx.org/installation/#startup to add an example of
IP-address option setting.

I'm not sure though, if we can improve the ebook.

  wbr, Valentin V. Bartenev

> On Thu, Aug 22, 2019 at 3:06 PM Valentin V. Bartenev wrote:
>
> > On Wednesday, 21 August 2019 21:47:21 MSK John Gruber wrote:
> > > I'm attempting to proxy_pass secured access to the unit control socket from
> > > an nginx instance running as my distro default nginx user. The unit control
> > > socket is owned and restricted to 'root' access. Therefore I get a 502
> > > error from my requests to the nginx listener. If I chmod the control socket
> > > to nginx:nginx (the same user I run unitd and nginx), my proxy_pass secured
> > > access works.
> > >
> > > Can anyone tell me how to get unitd to create the control socket as its
> > > configured user and group?
> > >
> > > For example:
> > >
> > > unitd --user nginx --group nginx
> > >
> > > would then create my control socket owned by nginx:nginx?
> > [..]
> >
> > These options specify user and group for unprivileged processes
> > and don't affect control socket, which is for security purposes
> > managed by root.
> >
> > >
> > > I would really rather not wrap a shell script around my instance so that I
> > > run chown every time unitd runs.
> > >
> >
> > That's a known problem. Adding options for changing control socket
> > permissions is in our TODO list.
> >
> > wbr, Valentin V. Bartenev
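
Added example, not part of the thread and not NGINX Unit code: a Python
check of the permission state discussed above. It reports whether the proxy
account can connect to the control socket (the 502 case) and whether a
wrapper's chown/chmod left the socket writable by every local user. The
function names and the command-line usage are assumptions, and the model
follows Linux, where connect() on a Unix socket needs write permission on
the socket file.

```python
import os
import stat
from typing import NamedTuple, Set


class Verdict(NamedTuple):
    proxy_can_connect: bool   # False reproduces the 502 seen through nginx
    world_writable: bool      # True: any local account can reach the control API
    detail: str


def can_connect(mode: int, owner_uid: int, owner_gid: int,
                uid: int, gids: Set[int]) -> bool:
    """Linux model: connect() to a Unix socket needs write permission on it.

    Exactly one permission class is consulted: owner, else group, else other.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_control_socket(path: str, proxy_uid: int,
                         proxy_gids: Set[int]) -> Verdict:
    """Check a control socket against the account the fronting proxy runs as."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix domain socket")
    perms = stat.S_IMODE(st.st_mode)
    return Verdict(
        proxy_can_connect=can_connect(perms, st.st_uid, st.st_gid,
                                      proxy_uid, proxy_gids),
        world_writable=bool(perms & stat.S_IWOTH),
        detail=f"{path} owner={st.st_uid}:{st.st_gid} mode={perms:04o}",
    )


if __name__ == "__main__":
    import pwd
    import sys
    # Assumed usage: python3 audit.py <control socket path> <proxy account>
    sock_path, account = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(account)
    print(audit_control_socket(sock_path, pw.pw_uid,
                               set(os.getgrouplist(account, pw.pw_gid))))
```

The check applies only to a Unix-socket control address; a TCP address such
as the --control 127.0.0.1:4444 from the thread has no file mode to inspect.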