Hello Reinis and others,

I still don't get it, as the information is not consistent, rather inconsistent. I find plenty of information on running separate PHP-FPM pools with a unique user account for each, but I haven't found anything similar for nginx.

How do I make sure that the entire server is not put at risk if a web app/virtual host is compromised? If I understand the nginx worker processes correctly, a new worker process is started for each .conf file read by the nginx master process by means of include.

If I want to run the virtual host under a unique (and limited) user account to avoid cross-server hacks, the way to get there is to put the .conf of each virtual host in the user folder of each dedicated virtual host user. In addition I put the unique user directive (the virtual host user) in each .conf file of the virtual hosts. Is that assumption correct?

thank you
Stefan
On 12.10.2018 23:59, Stefan Müller wrote:

hello,

mostly all questions are answered:

- local DNS server
  using the DHCP server of the router and running a DNS server on the NAS; all unresolved queries are resolved by means of the router's WAN0 DNS settings
- debug logging
- php isolation
  create a pool per webpage and run them as separate users by creating a php.conf per pool
- nginx
  this is the only one remaining. How can I isolate the servers?

thx a lot
Stefan
On 07.10.2018 21:42, Stefan Müller wrote:

good evening,

in the past we were mailing each other on a daily basis but now it is silent. Is everything alright?
On 03.10.2018 23:02, Stefan Müller wrote:

thank you again for your quick answer, but I'm getting lost.

A typical nginx configuration has only one http {} block. You can look at some examples:

I'm aware of those and other examples. What confuses me is that you say that, but also said in the email before that one:

If you put everything (both the user unix sockets and also the parent proxy server) under the same http{} block then it makes no sense, since a single instance of nginx always runs under the same user (and beats the whole user/app isolation).

so how must the setup be for the whole user/app isolation?
nginx.pid - master process
\_nginx.conf
\_http{} - master server
\_http{} - proxied/app servers
or
nginx.pid - master process
\_nginx1.conf - master server
\_http{} - reverse proxy server
\_nginx2.conf - proxied servers
\_http{} - proxied/app servers
or?
If it is only one nginx.pid, how do I need to configure it to run nginx1.conf and nginx2.conf?

Unless by "router" you mean the same Synology box, you can't proxy unix sockets over TCP; they work only inside a single server/machine.

I mean my fibre router, and I'm aware that unix sockets work only inside a single server/machine. I'll use it only to redirect to the DNS server which will run on the Synology box.

Also you don't need to forward multiple ports, just 80 and 443 (if ssl), and have name-based virtualhosts.

you got me, I was mistaken about that, it got too late last night
On 03.10.2018 02:09, Reinis Rozitis wrote:

so does all go in the same nginx.conf but in different http{} blocks, or do I need one nginx.conf for each, the user unix sockets and also the parent proxy server?

A typical nginx configuration has only one http {} block. You can look at some examples:

https://nginx.org/en/docs/http/request_processing.html
https://nginx.org/en/docs/http/server_names.html
https://www.nginx.com/resources/wiki/start/topics/examples/server_blocks/

You are suggesting to set up virtualhosts which listen on a port to which traffic is forwarded from the router. I don't want to have multiple ports open at the router, so I would like to stick with UNIX sockets and proxy.

Unless by "router" you mean the same Synology box, you can't proxy unix sockets over TCP; they work only inside a single server/machine.

Also you don't need to forward multiple ports, just 80 and 443 (if ssl), and have name-based virtualhosts.

rr
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
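The isolation model the thread circles around, as an added example that is not part of the list discussion and not nginx or PHP-FPM project code: nginx has exactly one `user` directive, valid only in the main context, so every server block in every included .conf runs under that one worker user (the number of workers is set by `worker_processes`, not by the number of included files). The per-site user separation therefore lives in PHP-FPM: one pool per site, running as that site's own account, listening on a unix socket that only the nginx worker user can reach, and a name-based server block on the shared port 80 that hands PHP requests to that site's socket. The script below generates both halves for a constructed list of sites and flags configurations that would undo the separation. The worker user `www-data`, the site names, users, paths and pool settings are all assumptions for the example.

```python
"""Generate per-site nginx server blocks and PHP-FPM pool configs so that each
virtual host's PHP code runs as its own unprivileged user while the single nginx
instance keeps running as one non-root worker user.

All site names, users, paths and the nginx worker user below are constructed
for this example.
"""
from dataclasses import dataclass

# Assumed: the single 'user' directive in nginx.conf (main context only).
NGINX_USER = "www-data"


@dataclass(frozen=True)
class Site:
    name: str     # server_name, e.g. "site1.example"
    user: str     # dedicated unix account for this vhost's PHP-FPM pool
    docroot: str  # web root, owned by `user`, group-readable by nginx

    @property
    def socket(self) -> str:
        # One socket per pool; the name is derived from the pool user.
        return f"/run/php/{self.user}.sock"


def php_fpm_pool(site: Site) -> str:
    """Render the PHP-FPM pool file for one site.

    The PHP worker processes run as the site user. The socket is owned by the
    site user but group-owned by the nginx worker user with mode 0660, so only
    nginx can connect and pool A cannot talk to pool B's socket.
    """
    return "\n".join([
        f"[{site.user}]",
        f"user = {site.user}",
        f"group = {site.user}",
        f"listen = {site.socket}",
        f"listen.owner = {site.user}",
        f"listen.group = {NGINX_USER}",
        "listen.mode = 0660",
        "pm = ondemand",
        "pm.max_children = 5",
        # Defence in depth: the uid separation is what actually stops
        # cross-site reads; open_basedir only narrows what PHP itself will open.
        f"php_admin_value[open_basedir] = {site.docroot}:/tmp",
        "",
    ])


def nginx_server_block(site: Site) -> str:
    """Render a name-based vhost on the shared :80 listener.

    PHP requests go to this site's own pool socket. There is deliberately no
    'user' directive here: it is not valid inside server {} and nginx itself
    stays a single user.
    """
    return "\n".join([
        "server {",
        "    listen 80;",
        f"    server_name {site.name};",
        f"    root {site.docroot};",
        "    index index.php index.html;",
        "    location ~ \\.php$ {",
        "        try_files $uri =404;",
        "        include fastcgi_params;",
        "        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;",
        f"        fastcgi_pass unix:{site.socket};",
        "    }",
        "}",
        "",
    ])


def check_isolation(sites):
    """Return a list of problems that would defeat the per-site separation:
    a pool running as the nginx worker user or root, or two sites sharing a
    user (and therefore a socket) or a document root."""
    problems = []
    seen_users, seen_roots = {}, {}
    for s in sites:
        if s.user in (NGINX_USER, "root"):
            problems.append(f"{s.name}: pool must not run as {s.user}")
        if s.user in seen_users:
            problems.append(f"{s.name}: shares user {s.user} with {seen_users[s.user]}")
        if s.docroot in seen_roots:
            problems.append(f"{s.name}: shares docroot with {seen_roots[s.docroot]}")
        seen_users.setdefault(s.user, s.name)
        seen_roots.setdefault(s.docroot, s.name)
    return problems


def render(sites):
    """Return {path: contents} for the pool and vhost files of every site."""
    files = {}
    for s in sites:
        files[f"/etc/php/fpm/pool.d/{s.user}.conf"] = php_fpm_pool(s)
        files[f"/etc/nginx/sites-enabled/{s.name}.conf"] = nginx_server_block(s)
    return files


# Constructed sample: two sites, two dedicated accounts, two document roots.
SITES = [
    Site("site1.example", "web_site1", "/srv/www/site1"),
    Site("site2.example", "web_site2", "/srv/www/site2"),
]

if __name__ == "__main__":
    for problem in check_isolation(SITES):
        print("PROBLEM:", problem)
    for path, body in render(SITES).items():
        print(f"# {path}\n{body}")
```

The generated files show the split the thread is looking for: nginx stays one process tree under one user, while a compromise of site1's PHP code lands in a process running as `web_site1`, which can neither open `/srv/www/site2` (owned by `web_site2`) nor connect to `web_site2`'s socket (0660, owned by `web_site2:www-data`). Static files in each docroot still need to be group-readable by the nginx worker user, since nginx serves them directly.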