Reverse Proxying and Security section missing
Wouldn't it be nice to add more examples of how to reverse proxy with Nginx and to have another section with an in-depth look at SSL security like here? --T.ask (talk) 11:16, 9 March 2014 (UTC)
systemd fails to start php-fpm with settings in this article
systemd gave error "Failed to get D-Bus connection". To fix, change the following in /etc/php/php-fpm.conf :
;error_log = log/php-fpm.log
error_log = /var/log/php-fpm.log
Not sure if this is confirmed, but seems to be common. Source: Installing Nginx With PHP5
Does anybody with wikiskills want to make the changes? I am new to wiki editing.
- Check Help:Editing and Help:Style, it is a good opportunity to get involved. -- Fengchao (talk) 05:54, 20 March 2013 (UTC)
Running nginx jailed
Wouldn't it be better to use systemd's Group= options in the [Service] section instead of running each
[Unit]
Description=A high performance web server and a reverse proxy server
After=syslog.target network.target

[Service]
Type=forking
RootDirectory=/srv/http
User=http
Group=http
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
ExecStop=/usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit

[Install]
WantedBy=multi-user.target
/run tmpfs should be added to fstab for the service to load on reboot.
- Yes. It has been almost a decade since your comment but systemd's sandboxing features have improved quite a lot. There is a hardened systemd unit already available at https://github.com/stephan13360/systemd-services
- -- NetSysFire (talk) 11:49, 26 September 2022 (UTC)
Bash Script for the Whole Setup
I've created a bash script to run all the steps in the setup described in the main article:
This can be used as is, for 64-bit systems. For 32-bit systems, a few modifications need to be made, esp line 41.
This one-liner should take care of all the libraries, not just the ones in /usr/lib, provided they are all listed as absolute paths:
# ldd /usr/bin/nginx | sed -n 's!.*\(\s\|^\)\(/\S\+\).*!\2!p' | while read -r LIB; do cp "$LIB" "$JAIL$LIB"; done
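A fuller version of that library-copying step, as an added example that is not from the wiki or from any commenter here: it creates the missing directories inside the jail before copying, follows symlinks so the jail gets a real file under the name the loader expects, and copies the binary itself. The jail path and binary are assumptions; the ldd parsing uses a portable sed expression instead of the GNU-only `\s`/`\S` one above.

```shell
#!/bin/sh
# Added example, not code from the wiki or from any commenter above: copy a
# binary and every shared library it links into a chroot jail, creating the
# target directories first so the copy does not fail on a fresh jail.
# Assumes GNU coreutils (cp -L, mkdir -p, dirname) and ldd on the host.

# ldd_paths: read ldd output on stdin and print each absolute path it names.
# Lines without a path (e.g. "linux-vdso.so.1 (0x...)") are skipped.
ldd_paths() {
    sed -n 's!^[^/]*\(/[^[:space:]]*\).*!\1!p'
}

# copy_into_jail JAIL: read absolute paths on stdin and copy each one to the
# same path under JAIL. -L follows symlinks so the jail gets the real file
# under the name the dynamic loader will look for.
copy_into_jail() {
    jail=$1
    while read -r path; do
        mkdir -p "$jail$(dirname "$path")"
        cp -L "$path" "$jail$path"
    done
}

# copy_binary_with_libs JAIL BIN: copy BIN plus everything ldd reports for it.
copy_binary_with_libs() {
    jail=$1 bin=$2
    { ldd "$bin" | ldd_paths; printf '%s\n' "$bin"; } | copy_into_jail "$jail"
}

# Usage (assumed paths): copy_binary_with_libs /srv/http /usr/bin/nginx
```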
I too have made a bash script which automates this tutorial:
I would suggest adding a comment about the tls-ca-bundle.pem file, which should be made available inside the chroot jail. I was running Mantis on an installation described in this wiki and found out that emails had not been working. After making tls-ca-bundle.pem available, everything is working again.
PHP garbage collector (session files removal) in chrooted environment
I noticed session files are not being removed automatically when running nginx from the chrooted configuration. If left unmaintained, /srv/http/tmp will grow in size and in time may even take down the whole server (if /srv does not reside on a separate file system).
Explain about listen owner and user of process
I think it would be better if the article explained that it is necessary to correctly configure listen.owner of the socket and the Unix user/group of the processes. — Agent0 (talk|contribs) 15:01, 29 July 2015 (UTC)
- I changed user another_user; in the /etc/nginx/nginx.conf file. It did not work, because another_user is not the owner of the socket. I have found such entries in /etc/php/php-fpm.conf and I did not completely understand what they are there for:
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = http
group = http

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = http
listen.group = http
listen.mode = 0660
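To make the interaction between the nginx user directive and listen.owner / listen.group / listen.mode concrete, here is an added example (not from the wiki or from the commenter above) that checks whether a given nginx worker user would get read and write access to the php-fpm socket. The socket path, the user names and the use of GNU stat/id are assumptions.

```shell
#!/bin/sh
# Added example, not code from the wiki or from the commenter above: check
# whether the nginx worker user can read and write the php-fpm unix socket
# created under listen.owner / listen.group / listen.mode. Assumes GNU stat
# (-c '%U %G %a') and id (-Gn).

# rw_digit_ok DIGIT: true if one octal permission digit grants read and write.
rw_digit_ok() { [ "$1" = 6 ] || [ "$1" = 7 ]; }

# socket_rw_ok OWNER GROUP MODE USER UGROUPS
# Pure decision logic: OWNER/GROUP/MODE describe the socket (MODE is the octal
# mode as stat prints it, e.g. 660); USER is the nginx worker user and UGROUPS
# its space-separated group names. Returns 0 if USER gets read+write.
socket_rw_ok() {
    owner=$1 group=$2 mode=$(printf '%03d' "$3") user=$4 ugroups=$5
    if [ "$user" = "$owner" ]; then
        rw_digit_ok "$(printf '%s' "$mode" | cut -c1)"; return
    fi
    for g in $ugroups; do
        [ "$g" = "$group" ] && { rw_digit_ok "$(printf '%s' "$mode" | cut -c2)"; return; }
    done
    rw_digit_ok "$(printf '%s' "$mode" | cut -c3)"
}

# check_fpm_socket SOCKET NGINX_USER: read the live socket's metadata and
# report whether the worker user will be able to connect.
check_fpm_socket() {
    sock=$1 nginx_user=$2
    meta=$(stat -c '%U %G %a' "$sock") || return 2
    set -- $meta
    if socket_rw_ok "$1" "$2" "$3" "$nginx_user" "$(id -Gn "$nginx_user")"; then
        echo "ok: $nginx_user can use $sock (owner $1, group $2, mode $3)"
    else
        echo "denied: $nginx_user cannot use $sock (owner $1, group $2, mode $3)"
        echo "fix: set listen.owner/listen.group to match the nginx user directive, or add $nginx_user to group $2"
        return 1
    fi
}

# Usage (assumed socket path): check_fpm_socket /run/php-fpm/php-fpm.sock http
```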
Should the provided configuration examples also include details about IPv6 support? For a basic setup, all that's needed is an IPv6 address, obviously, and "listen 80; listen [::]:80;" instead of just "listen 80;", since we already ship Nginx with IPv6 enabled.
On one side, shouldn't it be the users' duty to search for options related to IPv6 if they want to enable it? On the other side, North America (ARIN) ran out of IPv4 addresses and it will only get worse and worse. Shouldn't we get in front of this and help educate users about how they should enable IPv6 support?
Potential configuration issue
Hi guys, not being an nginx expert nor a PHP expert, I came across this article: https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/
The article states that an nginx configuration similar to the one in the wiki may allow a potential attacker to execute their code on the server. There are a few hints on how to prevent this; would it be within the scope of this wiki article to point out the potential vulnerability?
(for reference here is how to craft such dodgy gif: http://resources.infosecinstitute.com/null-byte-injection-php/)
(here is what nginx advocates here: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#)
php example wrong?
The wiki states (2017-06-26, at 19:33:40):
The example shown below is a copy of a working configuration. Notice that in this example the root path is specified directly under server, and not inside location (as it is in the default config).
--> At the moment, root is specified twice - example or explanation wrong?
- Updated instructions - I agree location shouldn't be set twice.
- Francoism (talk) 20:07, 28 June 2017 (UTC)
worth mentioning uwsgi?
The #CGI_implementation section mentions that fcgiwrap is needed for CGI applications.
To quote the irc bot from #nginx:
fcgiwrap is a dirty hack that's nice if you want a brainless simple and easy way to throw something up really fast but if you want to actually do it right, look at something like uwsgi.
The uwsgi wiki page already contains information on how to configure nginx, it might be worth mentioning it on the nginx page.