Talk:Nginx

From ArchWiki

Reverse Proxying and Security section missing

Wouldn't it be nice to add more examples of how to reverse proxy with Nginx and to have another section with an in-depth look at SSL security like here [1]? --T.ask (talk) 11:16, 9 March 2014 (UTC)

systemd fails to start php-fpm with settings in this article

systemd gave error "Failed to get D-Bus connection". To fix, change the following in /etc/php/php-fpm.conf :

;error_log = log/php-fpm.log

to

error_log = /var/log/php-fpm.log

Not sure if this is confirmed, but seems to be common. Source: Installing Nginx With PHP5

Does anybody with wikiskills want to make the changes? I am new to wiki editing.

Check Help:Editing and Help:Style, it is a good opportunity to get involved. -- Fengchao (talk) 05:54, 20 March 2013 (UTC)

Running nginx jailed

Wouldn't it be better to use systemd's RootDirectory=, User= and Group= options in the [Service] section instead of running each Exec* with chroot?

/etc/systemd/system/nginx.service
[Unit]
Description=A high performance web server and a reverse proxy server
After=syslog.target network.target

[Service]
Type=forking
RootDirectory=/srv/http
User=http
Group=http
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
ExecStop=/usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit

[Install]
WantedBy=multi-user.target

Also, the jail's /tmp and /run tmpfs should be added to fstab for the service to load on reboot.

Bash Script for the Whole Setup

I've created a bash script to run all the steps in the setup described in the main article:

https://gist.github.com/adityamukho/7365731

This can be used as is for 64-bit systems. For 32-bit systems, a few modifications need to be made, especially on line 41.

Copying libraries

This one-liner should take care of all the libraries, not just the ones in /usr/lib, provided they are all listed as absolute paths:

# ldd /usr/bin/nginx | sed -n 's!.*\(\s\|^\)\(/\S\+\).*!\2!p' | while read -r LIB; do cp "$LIB" "$JAIL$LIB"; done
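The same idea as a pair of POSIX shell functions, added here as an example (not from the wiki page or either of the linked scripts): one parses ldd output for absolute paths, including the dynamic loader line that has no "=>", the other copies each library into the jail and creates the parent directory first, which the one-liner above does not do. The jail path and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: parse ldd output and copy every
# absolute library path into a chroot jail, keeping the same directory layout.

# Print the first absolute path on each ldd output line. Handles both
#   "libc.so.6 => /usr/lib/libc.so.6 (0x...)"   and the loader line
#   "/lib64/ld-linux-x86-64.so.2 (0x...)"        which has no "=>".
# Lines such as "linux-vdso.so.1 (0x...)" carry no path and print nothing.
extract_lib_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Read absolute paths on stdin and copy each into "$1" (the jail root),
# creating the parent directory inside the jail when it does not exist yet.
copy_paths_into_jail() {
    jail=$1
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
    done
}

# Convenience wrapper for a real binary, e.g. jail_libs_of /srv/http /usr/bin/nginx
jail_libs_of() {
    ldd "$2" | extract_lib_paths | copy_paths_into_jail "$1"
}

# Constructed sample of ldd output (addresses and library names are illustrative).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd00000000)
    libcrypt.so.1 => /usr/lib/libcrypt.so.1 (0x00007f0000000000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0000100000)'

# Usage on the sample: prints the two real paths and nothing for the vDSO.
# printf '%s\n' "$SAMPLE_LDD" | extract_lib_paths
```

Splitting on whitespace with awk avoids the GNU-only `\s` and `\|` sed extensions, and the explicit `mkdir -p` matters because `cp` into a jail path whose directory is missing simply fails.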

I too have made a bash script which automates this tutorial:

https://github.com/bdusell/make-jailed-nginx/blob/master/make-jailed-nginx

CA certificates

I would suggest adding a comment about the tls-ca-bundle.pem file, which should be made available inside the chroot jail. I was running Mantis on the installation described in this wiki and found out that emails had not been working. After making tls-ca-bundle.pem available, everything is working again.

Gregosky (talk) 22:23, 3 February 2015 (UTC)

PHP garbage collector (session files removal) in chrooted environment

I noticed that session files are not being removed automatically when running nginx in the chrooted configuration. If left unmaintained, /srv/http/tmp will grow in size and in time may even take down the whole server (if /srv does not reside on a separate file system).

Gregosky (talk) 23:29, 28 April 2015 (UTC)

Explain about listen owner and user of process

I think it would be better if somebody explained in the article that it is necessary to correctly configure the listen.owner of the socket and the Unix user/group of the processes. — Agent0 (talk|contribs) 15:01, 29 July 2015 (UTC)

What exactly do you mean? What did you change? — Beta990 (talk) 08:31, 30 July 2015 (UTC)
I changed user http; to user another_user; in the /etc/nginx/nginx.conf file. It did not work, because another_user is not the owner of the socket. I found these entries in /etc/php/php-fpm.conf and did not completely understand what they are for:
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = http
group = http

and

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
listen.owner = http
listen.group = http
listen.mode = 0660

Because of that, I asked somebody to explain that in the article. — Agent0 (talk|contribs) 12:12, 31 July 2015 (UTC)
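The failure described in this thread comes down to plain file permissions on the socket: php-fpm creates it as listen.owner:listen.group with listen.mode, and the nginx worker user needs both read and write on it. The following POSIX shell script is an added example (not from the wiki page or from php-fpm) that evaluates exactly that, first as a pure function on constructed owner/group/mode values and then against a real socket using GNU coreutils `stat` and `id`; the socket path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: work out whether the user nginx
# runs as can open the php-fpm unix socket, given the socket's
# listen.owner / listen.group / listen.mode. A worker needs both read and
# write permission on the socket to connect to it.

# in_list NEEDLE WORD... : succeed when NEEDLE is one of the WORDs.
in_list() {
    needle=$1; shift
    for word in "$@"; do
        [ "$word" = "$needle" ] && return 0
    done
    return 1
}

# socket_rw_allowed OWNER GROUP MODE USER "GROUP1 GROUP2 ..."
# Succeeds (0) when USER, who belongs to the listed groups, gets read and
# write on a socket owned by OWNER:GROUP with octal MODE; fails (1) otherwise.
# Exactly one class applies, as in the kernel: owner bits if USER is OWNER,
# else group bits if USER is in GROUP, else the "other" bits.
socket_rw_allowed() {
    owner=$1 group=$2 mode=$3 user=$4 user_groups=$5
    perm=$(printf '%s' "$mode" | tail -c 3)   # drop a leading 0 (0660 -> 660)
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$perm" | cut -c1)
    elif in_list "$group" $user_groups; then
        bits=$(printf '%s' "$perm" | cut -c2)
    else
        bits=$(printf '%s' "$perm" | cut -c3)
    fi
    # read is 4 and write is 2, so read+write needs 6 or 7
    [ "$bits" -eq 6 ] || [ "$bits" -eq 7 ]
}

# check_socket_for_user SOCKET USER : the same check against a real socket on
# this host (GNU coreutils stat and id). Assumed usage, socket path is an example:
#   check_socket_for_user /run/php-fpm/php-fpm.sock another_user
check_socket_for_user() {
    sock=$1 user=$2
    info=$(stat -c '%U %G %a' "$sock") || return 2
    set -- $info
    socket_rw_allowed "$1" "$2" "$3" "$user" "$(id -Gn "$user")"
}
```

With listen.owner = http, listen.group = http and listen.mode = 0660, the function shows why `user another_user;` fails: another_user falls into the "other" class and gets 0. The two fixes it also illustrates are adding another_user to the http group (group class, 6) or changing listen.owner to match the nginx user; widening listen.mode to 0666 works too but lets every local account connect to php-fpm.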

IPv6 details

Should the provided configuration examples also include details about IPv6 support? For a basic setup, all that's needed is an IPv6 address, obviously, and "listen 80; listen [::]:80;" instead of just "listen 80;", since we already ship Nginx with IPv6 enabled.

On one side, shouldn't it be the users' duty to search for options related to IPv6 if they want to enable it? On the other side, North America (ARIN) ran out of IPv4 addresses and it will only get worse and worse. Shouldn't we get in front of this and help educate users about how they should enable IPv6 support?

Iwmrby (talk) 18:29, 1 October 2015 (UTC)

Potential configuration issue

Hi guys, not being an nginx expert nor a php expert, I came across this article: https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/

The article states that an nginx configuration similar to the one in the wiki may allow a potential attacker to execute their code on the server. There are a few hints on how to prevent this; would it be within the scope of this wiki article to point out the potential vulnerability?

(for reference, here is how to craft such a dodgy gif: http://resources.infosecinstitute.com/null-byte-injection-php/)

(here is what nginx advocates here: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#)

Gregosky (talk) 11:49, 24 August 2016 (UTC)
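The linked nginx pitfalls page recommends guarding the PHP location with `try_files $uri =404;` so that only requests for files that actually exist reach php-fpm. As an added example (not from the wiki page or the linked articles), the POSIX shell function below audits an nginx config fragment for PHP location blocks that lack that guard, which is a quick way to check a configuration like the one in the main article. The two sample location blocks and the socket path in them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page or the linked articles: audit an
# nginx config fragment for "location ... \.php" blocks that hand requests to
# php-fpm without first checking that the requested file exists. The guard
# looked for is the one the nginx pitfalls page recommends: "try_files $uri =404;"
# inside the PHP location.

# audit_php_locations < nginx.conf
# Prints every PHP location block lacking the guard and exits 1 if any was
# found, 0 when all PHP locations are guarded or there are none.
# Assumes one directive per line and that "#" starts a comment line.
audit_php_locations() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*location[[:space:]]/ && /\.php/ {
            inphp = 1; header = $0; guarded = 0; depth = 0
        }
        inphp {
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")
            if ($0 ~ /try_files[[:space:]]/ && $0 ~ /=404/) guarded = 1
            if (depth == 0 && $0 ~ /\}/) {
                inphp = 0
                if (!guarded) { print "unguarded: " header; bad = 1 }
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: the shape the linked article warns about, no existence check.
WEAK_PHP_LOCATION='location ~ \.php$ {
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    include fastcgi.conf;
}'

# Constructed sample: same block with the guard the pitfalls page recommends.
FIXED_PHP_LOCATION='location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    include fastcgi.conf;
}'

# Usage: printf '%s\n' "$WEAK_PHP_LOCATION" | audit_php_locations
#        audit_php_locations < /etc/nginx/nginx.conf
```

The check only covers the nginx side; the complementary php.ini setting the first linked article discusses, cgi.fix_pathinfo=0, has to be verified separately, and a config that uses `include` for its PHP location must be audited file by file.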