> I have a Synology NAS which runs nginx as the default web server to run all 
> their apps. I would like to extend it to meet the following.
> 
> The purpose is that if the user account webapp1 is compromised, it will only 
> affect webapp1's web server, and repeat this for all 
> accounts/websites/whatever you want to keep separated. This approach uses some 
> more RAM than having a single nginx instance do everything directly.
>
> Besides the question for the optimal setup to realize this


While technically you could run a per-user nginx listening on a unix socket and 
then put a proxy on top of those, while doable it feels a bit cumbersome (at 
least to me).

Usually what gets compromised is the (dynamic) backend application 
(php/python/perl/lua etc.), not the nginx/webserver itself; also nginx by default 
doesn't run under root but 'nobody'. root is only needed on startup for the 
master process to open 80/443 (ports below 1024), then all the workers switch to 
an unprivileged user.

One way of doing this would be, instead of launching several nginxes, to just run 
the backend processes (like php-fpm, gunicorn etc.) under particular users and 
let nginx communicate with those via sockets.


I'm not familiar with how Synology NAS internally separates different user 
processes, but it has Docker support ( 
https://www.synology.com/en-global/dsm/feature/docker ) and even Virtual 
Machine Manager, which technically would be a better user / application 
isolation.


> I'm wondering how I can call the web server locally, within my LAN, if I call 
> them by the NAS's IP.

It depends on your network topology.

Does the Synology box have only a LAN interface? Then you either need to configure 
port forwarding on your router or make a server/device which has both LAN/WAN 
interfaces (DMZ) and which can then expose the internal websites/resources either 
on the TCP level (for example via iptables) or via an HTTP proxy.

If you make a virtual machine for each user you can then assign a separate LAN 
or WAN IP to each instance.


But this kind of gets out of the scope of this mailing list.

rr

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
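The setup the reply recommends (one nginx, backends such as php-fpm running under per-site users, nginx reaching each backend over its own unix socket) as an added example; this is not code from the original thread or from the nginx or Synology projects. It assumes php-fpm is the backend, that the nginx workers run as 'nobody' as the reply states, and it uses made-up user names, web roots, domains and socket paths; the script only writes the two config files per site into an output directory so it can be reviewed before anything is installed:

```shell
#!/bin/sh
# Added example (not from the original thread): generate a per-site php-fpm
# pool and a matching nginx server block so that each site's PHP code runs
# as its own unprivileged user and nginx talks to it over a unix socket.
# User names, paths, domains and the socket directory are assumptions.

# make_site_configs USER WEBROOT DOMAIN OUTDIR
make_site_configs() {
    user="$1"; webroot="$2"; domain="$3"; outdir="$4"
    sock="/run/php-fpm/${user}.sock"
    mkdir -p "${outdir}/php-fpm.d" "${outdir}/nginx/sites"

    # php-fpm pool: workers run as the site user; the socket is owned by the
    # nginx worker user (assumed 'nobody') and is not reachable by other
    # site users, so a compromised webapp1 cannot talk to webapp2's pool.
    cat > "${outdir}/php-fpm.d/${user}.conf" <<EOF
[${user}]
user = ${user}
group = ${user}
listen = ${sock}
listen.owner = nobody
listen.group = nobody
listen.mode = 0660
pm = ondemand
pm.max_children = 5
php_admin_value[open_basedir] = ${webroot}:/tmp
EOF

    # nginx server block: static files are served by nginx itself, .php
    # requests are handed to this site's pool over its socket only.
    cat > "${outdir}/nginx/sites/${user}.conf" <<EOF
server {
    listen 80;
    server_name ${domain};
    root ${webroot};
    index index.php index.html;

    location / {
        try_files \$uri \$uri/ =404;
    }

    location ~ \.php\$ {
        try_files \$uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass unix:${sock};
    }
}
EOF
}

# check_isolation OUTDIR USER1 USER2: returns 0 when the two sites run as
# distinct users, use distinct sockets, and each nginx block points only at
# its own socket.
check_isolation() {
    outdir="$1"; u1="$2"; u2="$3"
    s1=$(sed -n 's/^listen = //p' "${outdir}/php-fpm.d/${u1}.conf")
    s2=$(sed -n 's/^listen = //p' "${outdir}/php-fpm.d/${u2}.conf")
    [ -n "$s1" ] && [ -n "$s2" ] && [ "$s1" != "$s2" ] || return 1
    grep -q "^user = ${u1}\$" "${outdir}/php-fpm.d/${u1}.conf" || return 1
    grep -q "^user = ${u2}\$" "${outdir}/php-fpm.d/${u2}.conf" || return 1
    grep -q "fastcgi_pass unix:${s1};" "${outdir}/nginx/sites/${u1}.conf" || return 1
    grep -q "fastcgi_pass unix:${s2};" "${outdir}/nginx/sites/${u2}.conf" || return 1
    return 0
}
```

Run `make_site_configs webapp1 /srv/www/webapp1 app1.example /tmp/out` once per site, then validate the generated files with `php-fpm -t` and `nginx -t` before copying them into the real include directories. The nginx master still starts as root to bind port 80, as the reply explains, but each site's PHP worker pool and its socket belong to that site's user, so the blast radius of a compromised backend stays within that user's files and socket.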
