Hi Reinis, I answered inline and applied colors for my (#6633ff) and your (#cc9933) text for better readability.
Thanks a lot for your input.

> > I have a Synology NAS which runs nginx as the default web server to run all their apps. I would like to extend it to meet the following.
> >
> > The purpose is that if the user account webapp1 is compromised, it will only affect webapp1's web server, and repeat this for all accounts/websites/whatever you want to keep separated. This approach uses some more RAM than having a single nginx instance do everything directly.
> >
> > Besides the question for the optimal setup to realize this
>
> While technically you could run a per-user nginx listening on a unix socket and then make a proxy on top of those, while doable it feels a bit cumbersome (at least to me).

How do I do it exactly, regardless of whether it is cumbersome? Be it only for informational purposes, but it makes the entire conversation a bit easier. Combined with the outcome of the section it could outline all possible options (incl. pros and cons).

> Usually what gets compromised is the (dynamic) backend application (php/python/perl/lua etc), not the nginx/webserver itself; also nginx by default doesn't run under root but 'nobody'. root is only needed on startup for the master process to open 80/443 (ports below 1024), then all the workers switch to an unprivileged user.

So far I assumed that the worker starts the backend application; the access to PHP is configured in the server block (my references are What is the easiest way to enable PHP on nginx? <https://askubuntu.com/questions/134666/what-is-the-easiest-way-to-enable-php-on-nginx> and Serve PHP with PHP-FPM and NGINX <https://www.linode.com/docs/web-servers/nginx/serve-php-php-fpm-and-nginx/>). My googling tells me that the PHP process usually runs with the permissions of the web server. So I need to find a way that each web application (webapp1, webapp2, etc.) calls its PHP using a unique user account.

When I read nginx + php run with different user id <https://serverfault.com/questions/826378/nginx-php-run-with-different-user-id> and changing php user to run as nginx user <https://stackoverflow.com/questions/21999586/changing-php-user-to-run-as-nginx-user> it must be somehow possible. Could you share more information on how to achieve that?

> One way of doing this would be, instead of launching several nginxes, to just run the backend processes (like php-fpm, gunicorns etc) under particular users and let nginx communicate to those via sockets. I'm not familiar with how Synology NAS internally separates different user processes, but it has Docker support (https://www.synology.com/en-global/dsm/feature/docker) and even Virtual Machine Manager, which technically would be a better user / application isolation.

Unfortunately, my NAS does not support it.

> > I'm wondering how I can call the web server locally, within my LAN, if I call them by the NAS's IP.
>
> It depends on your network topology. Does the Synology box have only a LAN interface? Then you either need to configure port forwarding on your router or make a server/device which has both lan/wan interfaces (DMZ) and then can expose the internal websites/resources either on tcp level (for example via iptables) or via http proxy.

The NAS has only one LAN interface. You suggest a more complex solution than just simple NAT port forwarding, as explained in Using router and internal LAN port forwarding device - Advice please :) <https://superuser.com/questions/1218881/using-router-and-internal-lan-port-forwarding-device-advice-please>. I have a simple router, the Zyxel NBG6616 <https://www.zyxel.com/support/SupportLandingSR.shtml?c=gb&l=en&kbid=M-01999&md=NBG6616>. It seems that it supports DMZ <https://www.zyxel.com/tr/tr/guidemo/zyw70/h_DMZ.html>, and if you refer to a static DHCP table by IP table then that is supported as well, but it doesn't look good for the http proxy. I still don't understand how to forward to UNIX sockets.

Do I need custom port entries in the proxy part like

NASIP:80001 -> Webapp1ViaUNIXSocket
NASIP:80002 -> Webapp1ViaUNIXSocket

I could run a DNS server on the NAS if that simplifies it.

> If you make a virtual machine for each user you can then assign a separate LAN or WAN ip for each instance.

VMs aren't supported, so it isn't an option.

> But this kind of gets out of the scope of this mailing list.
>
> rr
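As an added example that is not part of this thread (and not Synology's, nginx's or php-fpm's own configuration), the following POSIX shell script renders the "one php-fpm pool per application user" layout Reinis suggests: a single nginx, and for each web application a php-fpm pool that runs as its own unix user and listens on a unix socket only the nginx worker user may connect to. The nginx worker user `http`, the directories /srv/<app>, /etc/php-fpm.d, /etc/nginx/conf.d and /run/php-fpm, the `useradd`/`usermod` tools and the hostnames are all assumptions chosen for this example; the packaged nginx and PHP on a Synology box use their own users and paths, so adjust them before use.

```shell
#!/bin/sh
# Added example, not code from the thread: render per-application php-fpm
# pools and nginx server blocks so that a compromise of webapp1's PHP code
# is confined to the user "webapp1".
# Assumed (constructed) values:
NGINX_USER="http"          # user the nginx worker processes run as
SOCK_DIR="/run/php-fpm"    # directory where each pool creates its socket

# render_pool <app>: php-fpm pool running as user/group <app>.
# The socket is owned by the nginx worker user with mode 0660, so only nginx
# (and root) can hand requests to this pool. open_basedir keeps the PHP
# interpreter inside the app's own tree even if its code is compromised.
render_pool() {
    app="$1"
    cat <<EOF
[$app]
user = $app
group = $app
listen = $SOCK_DIR/$app.sock
listen.owner = $NGINX_USER
listen.group = $NGINX_USER
listen.mode = 0660
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
php_admin_value[open_basedir] = /srv/$app/www:/tmp
php_admin_value[upload_tmp_dir] = /srv/$app/tmp
EOF
}

# render_vhost <app> <hostname>: nginx server block that serves static
# files from the app's directory and forwards *.php to that app's pool only.
render_vhost() {
    app="$1"; host="$2"
    cat <<EOF
server {
    listen 80;
    server_name $host;
    root /srv/$app/www;
    index index.php index.html;

    location / {
        try_files \$uri \$uri/ /index.php\$is_args\$args;
    }

    location ~ \.php\$ {
        # only hand existing files to the interpreter
        try_files \$uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass unix:$SOCK_DIR/$app.sock;
    }
}
EOF
}

# write_app_configs <app> <hostname>: create the unix account, give the
# nginx worker read access to this app only, and write both config files.
# Must run as root; paths and tools are assumptions (see above).
write_app_configs() {
    app="$1"; host="$2"
    id "$app" >/dev/null 2>&1 || \
        useradd --system --home "/srv/$app" --shell /sbin/nologin "$app"
    mkdir -p "/srv/$app/www" "/srv/$app/tmp"
    chown -R "$app:$app" "/srv/$app"
    chmod 750 "/srv/$app"                 # other app users cannot enter
    usermod -a -G "$app" "$NGINX_USER"    # nginx may read (not write) it
    render_pool  "$app"         > "/etc/php-fpm.d/$app.conf"
    render_vhost "$app" "$host" > "/etc/nginx/conf.d/$app.conf"
}

# Example invocation (commented out so the script is safe to source):
# write_app_configs webapp1 webapp1.example.com
# write_app_configs webapp2 webapp2.example.com
# nginx -t && systemctl reload php-fpm nginx
```

The isolation comes from three settings working together: `user`/`group` in the pool so the interpreter runs as the application's own account, the 0660 socket owned by the nginx worker user so no other local account can submit FastCGI requests to the pool, and the 750 home directory so webapp1's PHP cannot read webapp2's files even though one nginx serves both. This is the "backend processes under particular users, nginx talking to them via sockets" option; it needs no extra ports or proxy layer, so the NAT port forwarding on the router stays a single 80/443 rule.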
_______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx