Hello everybody, I’m on 6.1 and trying to configure NGINX.
I’m posting this issue here because it may be peculiar to OpenBSD but I know it 
could be more appropriate to post it on an NGINX specific mailing list.
Please let me know if I’m on topic.

I successfully installed NGINX (`$ doas pkg_add nginx`) and managed to set up a 
pure static vhost:


/etc/nginx/nginx.conf:
```
# ...
    server {
      listen 80;
      server_name myapp.com;
      access_log /var/www/apps/my_app/logs/access.log;
      error_log /var/www/apps/my_app/logs/error.log;
      root /var/www/apps/my_app/current;
    }
# ...
```

And it works just fine.

Then I tried to implement a reverse proxy with the `proxy_pass` directive 
toward a local Ruby-based application server (Puma, booting a Ruby app).

If I define a proxy_pass toward a TCP port then the requests correctly reach 
the application server but when I try to migrate the setup into a unix socket 
binding, then I get an error due to NGINX being chrooted.


/etc/nginx/nginx.conf:
```
# ...
    server {
      server_name myapp.com;
      access_log /var/www/apps/my_app/logs/access.log;
      error_log /var/www/apps/my_app/logs/error.log;
      root /var/www/apps/my_app/current;
      location / {
        proxy_pass http://unix:/var/www/apps/my_app/application.socket;
      }
    }
# ...
```

/var/log/nginx/error.log:
```
2017/08/05 23:17:34 [crit] 58554#0: *5 connect() to unix:/var/www/apps/my_app/application.socket failed (2: No such file or directory) while connecting to upstream, client: 192.168.1.3, server: myapp.com, request: "GET / HTTP/1.1", upstream: "http://unix:/var/www/apps/my_app/application.socket:/", host: "myapp.com"
```

```
$ ls -al /var/www
drwxr-xr-x  4 olistik  olistik  512 Aug  3 18:17 apps
drwxr-xr-x  3 www      www      512 Jul 16 22:48 htdocs
drwxr-xr-x  2 root     daemon   512 Apr  1 21:38 run
drwx------  2 www      www      512 Jul 15 20:51 tmp
```

This is how I start the application server:

```
$ bundle exec puma --debug -v -e production -b unix:///var/www/apps/my_app/application.socket -v
Puma starting in single mode...
* Version 3.9.1 (ruby 2.4.1-p111), codename: Private Caller
* Min threads: 0, max threads: 16
* Environment: production
* Listening on unix:///var/www/apps/my_app/application.socket
Use Ctrl-C to stop
```

The only way I found to work around this issue is to disable NGINX chroot:

```
$ doas rcctl enable nginx
$ doas rcctl set nginx flags -u
$ doas rcctl restart nginx
```

But it’s not ideal to lose the isolation chroot gives.

Do you have any suggestions on how to implement a unix socket connection with 
NGINX chroot enabled?

Thanks in advance,
olistik
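
The following is an added example, not part of the original post: a diagnostic for the `connect() ... (2: No such file or directory)` error above that lists each `proxy_pass http://unix:` socket in a config and reports how that path resolves for a chrooted worker. It assumes the chroot directory is passed in by the operator (`/var/www` is assumed here as the package default, which the post does not state); the function names and the `SOCK_TEST` override are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: nginx chroots its
# workers to the directory given as $1 (e.g. /var/www), so a socket path in
# proxy_pass is resolved relative to that directory at connect() time.
# Usage: sh check_sockets.sh /var/www /etc/nginx/nginx.conf

# File test applied to each candidate path; -S (is a socket) by default.
SOCK_TEST=${SOCK_TEST:--S}

# Print the socket path of every "proxy_pass http://unix:PATH[:URI];" in file $1.
upstream_sockets() {
    sed -n 's|^[[:space:]]*proxy_pass[[:space:]]\{1,\}https\{0,1\}://unix:\([^:;]*\).*|\1|p' "$1"
}

# Classify configured path $2 as seen from inside chroot $1.
# Prints "ok", "strip-prefix:<path to configure instead>" or "missing".
check_socket() {
    chroot_dir=${1%/}
    configured=$2
    # What the chrooted worker opens, expressed as a host-side path.
    if [ "$SOCK_TEST" "$chroot_dir$configured" ]; then
        echo ok
        return 0
    fi
    # Host-side path written into the config: the socket exists on the host
    # under the chroot, but the chroot prefix ends up counted twice.
    case $configured in
        "$chroot_dir"/*)
            if [ "$SOCK_TEST" "$configured" ]; then
                inside=${configured#"$chroot_dir"}
                echo "strip-prefix:$inside"
                return 1
            fi ;;
    esac
    echo missing
    return 1
}

# Audit every unix upstream in config $2 against chroot $1; non-zero if any fails.
audit_conf() {
    rc=0
    for sock in $(upstream_sockets "$2"); do
        result=$(check_socket "$1" "$sock") || rc=1
        echo "$sock: $result"
    done
    return "$rc"
}

if [ "$#" -eq 2 ]; then audit_conf "$1" "$2"; fi
```

A `missing` result also covers sockets created outside the chroot directory, which a chrooted worker cannot reach at any path.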
