Talk:Nginx

From ArchWiki
Latest comment: 26 September 2022 by NetSysFire in topic Running nginx jailed

Reverse Proxying and Security section missing

Wouldn't it be nice to add more examples of how to reverse proxy with Nginx, and another section with an in-depth look at SSL security, like here [1]? --T.ask (talk) 11:16, 9 March 2014 (UTC)

There happens to be an example in the Gitea page on this wiki that demonstrates the config necessary for reverse proxying. Maybe this can be used? --Seodisparate (talk) 06:19, 5 October 2021 (UTC)

systemd fails to start php-fpm with settings in this article

systemd gave the error "Failed to get D-Bus connection". To fix it, change the following in /etc/php/php-fpm.conf:

;error_log = log/php-fpm.log

to

error_log = /var/log/php-fpm.log

Not sure if this is confirmed, but seems to be common. Source: Installing Nginx With PHP5

Does anybody with wikiskills want to make the changes? I am new to wiki editing.

Check Help:Editing and Help:Style, it is a good opportunity to get involved. -- Fengchao (talk) 05:54, 20 March 2013 (UTC)

Running nginx jailed

Wouldn't it be better to use systemd's RootDirectory=, User= and Group= options in the [Service] section instead of running each Exec* with chroot?

/etc/systemd/system/nginx.service
[Unit]
Description=A high performance web server and a reverse proxy server
After=syslog.target network.target

[Service]
Type=forking
RootDirectory=/srv/http
User=http
Group=http
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
ExecStop=/usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit

[Install]
WantedBy=multi-user.target

Also, the jail's /tmp and /run tmpfs entries should be added to fstab for the service to load on reboot.

—This unsigned comment is by Dalvenjia (talk) 20:53, 29 March 2013 (UTC). Please sign your posts with ~~~~!

Yes. It has been almost a decade since your comment but systemd's sandboxing features have improved quite a lot. There is a hardened systemd unit already available at https://github.com/stephan13360/systemd-services
-- NetSysFire (talk) 11:49, 26 September 2022 (UTC)
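As an added example (it is neither the ArchWiki unit nor the stephan13360 one linked above), this nginx.service answers the original question with systemd's namespace sandboxing instead of RootDirectory=: the master keeps only the capabilities it needs to bind ports below 1024, chown its logs and switch workers to the http user from nginx.conf, and sees a read-only system apart from the listed paths. It assumes Arch's /usr/bin/nginx and /var/lib/nginx temp directories, and moves the pid file under /run/nginx.

```ini
[Unit]
Description=nginx with systemd sandboxing (added example)
After=network-online.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
# The pid file lives under a RuntimeDirectory so only /run/nginx, not all
# of /run, has to be writable below ProtectSystem=strict.
RuntimeDirectory=nginx
PIDFile=/run/nginx/nginx.pid
ExecStartPre=/usr/bin/nginx -t -q -g 'pid /run/nginx/nginx.pid;'
ExecStart=/usr/bin/nginx -g 'pid /run/nginx/nginx.pid;'
ExecReload=/usr/bin/nginx -g 'pid /run/nginx/nginx.pid;' -s reload
KillSignal=SIGQUIT
KillMode=mixed

# The master stays root only to bind ports below 1024, chown its log files
# and switch the workers to the user from nginx.conf; every other root
# capability is removed from the bounding set.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN
NoNewPrivileges=yes

# Filesystem: read-only everywhere except the paths nginx must write.
# /var/lib/nginx is where Arch's build keeps its temp directories (assumed).
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ReadWritePaths=/var/log/nginx /var/lib/nginx

# Kernel and process attack surface.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# Remove MemoryDenyWriteExecute if a JIT module such as LuaJIT is loaded.
MemoryDenyWriteExecute=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
```

Check the result with `systemd-analyze security nginx.service` and the journal after a start, reload and stop; if a module breaks, remove the offending directive rather than the whole block.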

Bash Script for the Whole Setup

I've created a bash script to run all the steps in the setup described in the main article:

https://gist.github.com/adityamukho/7365731

This can be used as is for 64-bit systems. For 32-bit systems, a few modifications need to be made, especially line 41.

—This unsigned comment is by Aditya2013 (talk) 03:30, 8 November 2013 (UTC). Please sign your posts with ~~~~!

Copying libraries

This one-liner should take care of all the libraries, not just the ones in /usr/lib, provided they are all listed as absolute paths:

# ldd /usr/bin/nginx | sed -n 's!.*\(\s\|^\)\(/\S\+\).*!\2!p' | while read -r LIB; do cp "$LIB" "$JAIL$LIB"; done

I too have made a bash script which automates this tutorial:

https://github.com/bdusell/make-jailed-nginx/blob/master/make-jailed-nginx

—This unsigned comment is by Bdusell (talk) 09:41, 8 April 2014 (UTC). Please sign your posts with ~~~~!

CA certificates

I would suggest adding a comment about the tls-ca-bundle.pem file, which should be made available from the chroot jail. I was running Mantis on the installation described in this wiki and found out that emails were not working. After making tls-ca-bundle.pem available, everything is working again.

Gregosky (talk) 22:23, 3 February 2015 (UTC)

PHP garbage collector (session files removal) in chrooted environment

I noticed that session files are not being removed automatically when running nginx from the chrooted configuration. If left unmaintained, /srv/http/tmp will grow in size and in time may even take down the whole server (if /srv does not reside on a separate file system).

Gregosky (talk) 23:29, 28 April 2015 (UTC)

Explain about listen owner and user of process

I think it would be better if the article explained that it is necessary to correctly configure the listen.owner of the socket and the Unix user/group of the processes. — Agent0 (talk|contribs) 15:01, 29 July 2015 (UTC)

What exactly do you mean? What did you change? — Beta990 (talk) 08:31, 30 July 2015 (UTC)
I changed user http; to user another_user; in the /etc/nginx/nginx.conf file. It did not work, because another_user is not the owner of the socket. I found these entries in /etc/php/php-fpm.conf and did not completely understand what they are for:
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = http
group = http

and

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
listen.owner = http
listen.group = http
listen.mode = 0660

Because of that, I asked somebody to explain that in the article. — Agent0 (talk|contribs) 12:12, 31 July 2015 (UTC)

IPv6 details

Should the provided configuration examples also include details about IPv6 support? For a basic setup, all that's needed is an IPv6 address, obviously, and "listen 80; listen [::]:80;" instead of just "listen 80;", since we already ship Nginx with IPv6 enabled.

On one side, shouldn't it be the users' duty to search for options related to IPv6 if they want to enable it? On the other side, North America (ARIN) ran out of IPv4 addresses and it will only get worse and worse. Shouldn't we get in front of this and help educate users about how they should enable IPv6 support?

Iwmrby (talk) 18:29, 1 October 2015 (UTC)

Potential configuration issue

Hi guys, being neither an nginx expert nor a PHP expert, I came across this article: https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/

The article states that an nginx configuration similar to the one in the wiki may allow a potential attacker to execute their code on the server. There are a few hints on how to prevent this; would it be within the scope of this wiki article to point out the potential vulnerability?

(For reference, here is how such a dodgy GIF is crafted: http://resources.infosecinstitute.com/null-byte-injection-php/)

(Here is what nginx advocates: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#)

Gregosky (talk) 11:49, 24 August 2016 (UTC)
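As an added example serving both the listen.owner question above and this thread (it is not the wiki's www.conf), here is a php-fpm pool in which the PHP processes run as a constructed user php-app while the socket stays connectable by nginx's http user, and which refuses to execute non-.php paths as PHP. It assumes Arch's /etc/php/php-fpm.d/www.conf and the socket path /run/php-fpm/php-fpm.sock.

```ini
; /etc/php/php-fpm.d/www.conf  (added example, not the wiki's config)
[www]
; Process identity. These are the credentials any PHP code in the pool runs
; with, so they are kept separate from nginx's own user: a compromised
; script can then write its uploads but not nginx's config or logs.
; (php-app is a constructed user; it needs read access to the document root.)
user = php-app
group = php-app

; Socket identity is a different thing from process identity. What matters
; here is the process that connects, and that is the nginx worker, which
; runs as the `user` directive from nginx.conf (http on Arch). This is the
; mismatch behind "user another_user;" in the thread above: the socket was
; still owned by http, so the new nginx user could not open it.
listen = /run/php-fpm/php-fpm.sock
listen.owner = http
listen.group = http
listen.mode = 0660
; Equivalent that leaves ownership alone (overrides the three lines above):
;listen.acl_users = http

; The pitfall from the nealpoole post: with cgi.fix_pathinfo=1, a request
; for /uploads/cat.gif/x.php makes PHP walk back to cat.gif and run it.
; limit_extensions makes php-fpm refuse any script whose extension is not
; listed, independent of what nginx passes in SCRIPT_FILENAME. It is the
; default, but an empty value disables the check, so it is set explicitly.
security.limit_extensions = .php

; Disable the path "fixing" itself. php.ini is the conventional place for
; this; setting it per pool via php_admin_value is assumed to apply here and
; cannot be undone by ini_set() in a script.
php_admin_value[cgi.fix_pathinfo] = 0
```

On the nginx side, the config_pitfalls page linked above pairs this with try_files $uri =404 in the PHP location, so a path that does not exist as a file never reaches php-fpm.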

php example wrong ?

The wiki states (2017-06-26, at 19:33:40):

The example shown below is a copy of a working configuration. Notice that in this example the root path is specified directly under server, and not inside location (as it is in the default config).

--> At the moment, root is specified twice; is the example or the explanation wrong?

Ua4000 (talk) 10:33, 28 June 2017 (UTC)

Updated instructions - I agree location shouldn't be set twice.
Francoism (talk) 20:07, 28 June 2017 (UTC)

Actually, I had a 'not found' error on PHP files until I moved 'root' outside the 'location' section. --Ottoshmidt (talk) 06:56, 22 November 2018 (UTC)

worth mentioning uwsgi ?

The #CGI_implementation section mentions that fcgiwrap is needed for CGI applications.

To quote the irc bot from #nginx:

fcgiwrap is a dirty hack that's nice if you want a brainless simple and easy way to throw something up really fast but if you want to actually do it right, look at something like uwsgi.

The uwsgi wiki page already contains information on how to configure nginx; it might be worth mentioning it on the nginx page.

Xse (talk) 22:22, 17 November 2019 (UTC)