owner of the control socket

Valentin V. Bartenev vbart at nginx.com
Fri Aug 23 11:37:17 UTC 2019


On Friday, 23 August 2019 05:51:24 MSK John Gruber wrote:
> Thank you... I wrapped it. A little bash magic goes a long way.
> 
> The NGINX Unit eBook states on page 3: "The NGINX Unit control process is
> advertised through an API. The API can be configured to be served through a
> Unix or TCP socket." I didn't see a unitd option to create the control
> socket on a TCP listener. Right now I am fronting Unit with another NGINX
> instance and have a route to the unix socket. Is that a typo in the eBook or
> did I just miss something?
[..]

It's as simple as: --control 127.0.0.1:4444

Thank you for the feedback.  I've just asked our technical writer to improve
the documentation on https://unit.nginx.org/installation/#startup to add an
example of IP-address option setting.  I'm not sure though, if we can improve
the ebook.

  wbr, Valentin V. Bartenev



> On Thu, Aug 22, 2019 at 3:06 PM Valentin V. Bartenev <vbart at nginx.com>
> wrote:
> 
> > On Wednesday, 21 August 2019 21:47:21 MSK John Gruber wrote:
> > > I'm attempting to proxy_pass secured access to the unit control socket from
> > > an nginx instance running as my distro default nginx user. The unit control
> > > socket is owned and restricted to 'root' access. Therefore I get a 502
> > > error from my requests to the nginx listener. If I chmod the control socket
> > > to nginx:nginx (the same user I run unitd and nginx), my proxy_pass secured
> > > access works.
> > >
> > > Can anyone tell me how to get unitd to create the control socket as its
> > > configured user and group?
> > >
> > > For example:
> > >
> > > unitd --user nginx --group nginx
> > >
> > > would then create my control socket owned by nginx:nginx?
> > [..]
> >
> > These options specify user and group for unprivileged processes
> > and don't affect control socket, which is for security purposes
> > managed by root.
> >
> >
> > >
> > > I would really rather not wrap a shell script around my instance so that I
> > > run chown every time unitd runs.
> > >
> >
> > That's a known problem.  Adding options for changing control socket
> > permissions is in our TODO list.
> >
> >    wbr, Valentin V. Bartenev
> >
> >
> >
> 
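
The wrapper approach discussed in this thread, as an added example that is not part of the original messages or of the Unit project: after unitd starts, it hands the control socket to a single group with mode 660 rather than opening it wider. The function names and the socket path are assumptions; the `nginx` group and the `--control`, `--user` and `--group` options are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): give one group access to Unit's control
# socket after startup. The socket path and function names are assumptions.

# wait_for_socket PATH TRIES: return 0 once PATH is a Unix socket, 1 on timeout.
wait_for_socket() {
    sock=$1
    tries=$2
    while [ "$tries" -gt 0 ]; do
        [ -S "$sock" ] && return 0
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# grant_group_access PATH GROUP: chgrp + chmod 660, so the owner (root) and one
# group can talk to the API and everyone else is still locked out.
grant_group_access() {
    sock=$1
    group=$2
    # Refuse symlinks: chgrp/chmod would follow them to another file.
    if [ -L "$sock" ]; then
        echo "refusing to touch symlink: $sock" >&2
        return 2
    fi
    # Refuse anything that is not a socket (stale file, wrong path).
    if [ ! -S "$sock" ]; then
        echo "not a Unix socket: $sock" >&2
        return 3
    fi
    chgrp "$group" "$sock" || return 4
    chmod 660 "$sock" || return 5
}

# start_unit PATH GROUP: hypothetical wrapper, run as root from an init script.
start_unit() {
    unitd --control "unix:$1" --user "$2" --group "$2" || return 1
    wait_for_socket "$1" 10 || return 1
    grant_group_access "$1" "$2"
}

# Example call (the path is an assumption; use your distribution's):
#   start_unit /var/run/control.unit.sock nginx
```

Any member of the chosen group can then reconfigure Unit through the API, so the group should contain only the proxy's user.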





