Difference between revisions of "Talk:Nginx"

From ArchWiki
(Explain about listen owner and user of process: new section)
(Explain about listen owner and user of process)
Line 72: Line 72:
 
== Explain about listen owner and user of process ==
 
== Explain about listen owner and user of process ==
  
I think that it will be better if in article anybody explained, that it is neсessary to correctly configure listen.owner of socket and Unix user/group of processes. — [[User:Agent0|Agent0]] ([[User_talk:Agent0|talk]]|[[Special:Contributions/Agent0|contribs]]) 15:01, 29 July 2015 (UTC)
+
I think that it will be better if in article anybody explained, that it is necessary to correctly configure listen.owner of socket and Unix user/group of processes. — [[User:Agent0|Agent0]] ([[User_talk:Agent0|talk]]|[[Special:Contributions/Agent0|contribs]]) 15:01, 29 July 2015 (UTC)
 +
 
 +
What exactly do you mean? What did you changed?
 +
 
 +
[[User:Beta990|Beta990]] ([[User talk:Beta990|talk]]) 08:31, 30 July 2015 (UTC)

Revision as of 08:31, 30 July 2015

Reverse Proxying and Security section missing

Wouldn't it be nice to add more examples of how to do reverse proxying with Nginx and to have another section with an in-depth look at SSL security like here [1]? --T.ask (talk) 11:16, 9 March 2014 (UTC)

systemd fails to start php-fpm with settings in this article

systemd gave error "Failed to get D-Bus connection". To fix, change the following in /etc/php/php-fpm.conf :

;error_log = log/php-fpm.log

to

error_log = /var/log/php-fpm.log

Not sure if this is confirmed, but seems to be common. Source: Installing Nginx With PHP5

Does anybody with wikiskills want to make the changes? I am new to wiki editing.

Check Help:Editing and Help:Style, it is a good opportunity to get involved. -- Fengchao (talk) 05:54, 20 March 2013 (UTC)

Running nginx jailed

Wouldn't it be better to use systemd's RootDirectory=, User= and Group= options in the [Service] section instead of running each Exec* with chroot?

/etc/systemd/system/nginx.service
[Unit]
Description=A high performance web server and a reverse proxy server
After=syslog.target network.target

[Service]
Type=forking
RootDirectory=/srv/http
User=http
Group=http
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
ExecStop=/usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit

[Install]
WantedBy=multi-user.target

Also Jail's /tmp and /run tmpfs should be added to fstab for the service to load on reboot.

Bash Script for the Whole Setup

I've created a bash script to run all the steps in the setup described in the main article:

https://gist.github.com/adityamukho/7365731

This can be used as is, for 64-bit systems. For 32-bit systems, a few modifications need to be made, esp line 41.

Copying libraries

This one-liner should take care of all the libraries, not just the ones in /usr/lib, provided they are all listed as absolute paths:

# ldd /usr/bin/nginx | sed -n 's!.*\(\s\|^\)\(/\S\+\).*!\2!p' | while read -r LIB; do cp "$LIB" "$JAIL$LIB"; done

I too have made a bash script which automates this tutorial:

https://github.com/bdusell/make-jailed-nginx/blob/master/make-jailed-nginx
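
A more defensive take on the library-copying one-liner above, as an added example that is not part of the original talk page or of the linked scripts: it creates the target directories, copies the files that symlinks point to, and reports libraries that ldd could not resolve. The function names and the sample ldd output are constructed for illustration; JAIL is assumed to be set as in the article, and library paths are assumed to contain no whitespace.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki page): copy the libraries reported by ldd
# into a chroot jail, keeping their absolute paths under the jail root.

# Constructed sample of ldd output covering the line shapes handled below.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd0a1f2000)
    libcrypt.so.1 => /usr/lib/libcrypt.so.1 (0x00007f1c2a400000)
    libmissing.so.3 => not found
    /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a9d0000)'

# Print every absolute path in ldd output read from stdin, one per line.
# vdso and "not found" lines carry no absolute path and print nothing.
# When the loader line has a path on both sides of "=>", both are printed,
# because the binary asks for the left-hand one by name.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | LC_ALL=C sort -u
}

# Print the names of libraries that ldd could not resolve.
ldd_missing() {
    awk '/=> not found/ { print $1 }'
}

# Read ldd output on stdin and copy each library to "$1/<absolute path>".
# Returns 1 (after copying what it can) if any library was unresolved,
# 2 if a copy failed.
copy_libs_to_jail() {
    local jail=$1 out lib missing
    out=$(cat)
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        # -L copies the file a symlink points to, -p keeps mode and times.
        cp -L -p "$lib" "$jail$lib" || return 2
    done <<EOF
$(printf '%s\n' "$out" | ldd_paths)
EOF
    missing=$(printf '%s\n' "$out" | ldd_missing)
    if [ -n "$missing" ]; then
        printf 'unresolved library: %s\n' $missing >&2
        return 1
    fi
}

# Usage:
#   ldd /usr/bin/nginx | copy_libs_to_jail "$JAIL"
```
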

CA certificates

I would suggest adding a comment about tls-ca-bundle.pem file that should be made available from chroot jail. I was running mantis on installation described in this wiki and found out emails have not been working. After making tls-ca-bundle.pem available everything is working again.

Gregosky (talk) 22:23, 3 February 2015 (UTC)Gregosky

PHP garbage collector (session files removal) in chrooted environment

I noticed session files are not being removed automatically when running nginx from chrooted configuration. If left not maintained /srv/http/tmp will grow in size and in time may even take down whole server (if /srv does not reside within separate file system).

Gregosky (talk) 23:29, 28 April 2015 (UTC)Gregosky

Explain about listen owner and user of process

I think it would be better if somebody explained in the article that it is necessary to correctly configure the listen.owner of the socket and the Unix user/group of the processes. — Agent0 (talk|contribs) 15:01, 29 July 2015 (UTC)

What exactly do you mean? What did you change?

Beta990 (talk) 08:31, 30 July 2015 (UTC)