owner of the control socket

John Gruber john.t.gruber at gmail.com
Fri Aug 23 02:51:24 UTC 2019


Thank you... I wrapped it. A little bash magic goes a long way.

The NGINX Unit eBook states on page 3: "The NGINX Unit control process is
advertised through an API. The API can be configured to be served through a
Unix or TCP socket." I didn't see a unitd option to create the control
socket on a TCP listener. Right now I am fronting Unit with another NGINX
instance and have a route to the unix socket. Is that a typo in the eBook or
did I just miss something?

Thanks again.. loving things so far!

On Thu, Aug 22, 2019 at 3:06 PM Valentin V. Bartenev <vbart at nginx.com>
wrote:

> On Wednesday, 21 August 2019 21:47:21 MSK John Gruber wrote:
> > I'm attempting to proxy_pass secured access to the unit control socket from
> > an nginx instance running as my distro default nginx user. The unit control
> > socket is owned and restricted to 'root' access. Therefore I get a 502
> > error from my requests to the nginx listener. If I chmod the control socket
> > to nginx:nginx (the same user I run unitd and nginx), my proxy_pass secured
> > access works.
> >
> > Can anyone tell me how to get unitd to create the control socket as its
> > configured user and group?
> >
> > For example:
> >
> > unitd --user nginx --group nginx
> >
> > would then create my control socket owned by nginx:nginx?
> [..]
>
> These options specify user and group for unprivileged processes
> and don't affect control socket, which is for security purposes
> managed by root.
>
>
> >
> > I would really rather not wrap a shell script around my instance so that I
> > run chown every time unitd runs.
> >
>
> That's a known problem.  Adding options for changing control socket
> permissions is in our TODO list.
>
>    wbr, Valentin V. Bartenev
>
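
The kind of wrapper discussed in this thread, written out as an added example (not the poster's script and not part of NGINX Unit): it starts unitd, waits for the control socket to appear, and grants access to a group while leaving root as the owner. The socket path, the root:nginx ownership, the 10-second wait and the function names are assumptions.

```shell
#!/bin/sh
# Added example: start unitd, then hand the control socket to one group.
# Paths, names and timings below are assumptions, not Unit defaults.

# Wait up to $2 seconds for $1 to appear as a Unix socket.
wait_for_socket() {
    sock=$1; tries=$2
    while [ "$tries" -gt 0 ]; do
        [ -S "$sock" ] && return 0
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# Set owner:group and mode 0660 on the socket.
# Returns 2 for a symlink or a non-socket, so a planted path is never
# chown'ed by a root-run wrapper; returns 3 if chown/chmod fails.
grant_socket() {
    sock=$1; owner=$2; group=$3
    [ -L "$sock" ] && return 2
    [ -S "$sock" ] || return 2
    chown "$owner:$group" "$sock" || return 3
    chmod 0660 "$sock" || return 3
}

main() {
    sock=${UNIT_CONTROL_SOCK:-/var/run/control.unit.sock}  # assumed path
    unitd --no-daemon --user nginx --group nginx --control "unix:$sock" &
    unit_pid=$!
    # Group access only: the fronting nginx worker runs in group nginx.
    if wait_for_socket "$sock" 10 && grant_socket "$sock" root nginx; then
        wait "$unit_pid"
    else
        echo "control socket not ready; stopping unitd" >&2
        kill "$unit_pid"
        exit 1
    fi
}

# Run as: ./unit-wrapper.sh start   (must be root for chown to succeed)
if [ "${1:-}" = "start" ]; then main; fi
```

Any account that can write to the control socket can reconfigure Unit, so keep the mode at 0660 and the group limited to the account that proxies to it.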