thx that gets me closer to the end :).
let's try to summarize it (and add some more info):
- proxy and unix socket,
This allows permission management via user accounts, but it
can get bulky as soon as you set up user accounts for
permission management of each backend application, as they
pose a higher risk, as indicated in the previous email.
For the server you make use of, that is all put in the same http{} block.
Would there be any advantage to use separate http{} blocks
as discussed some while ago in Disallowing
multiple http {} blocks in nginx.conf?
- harden nginx / php communication
php-fpm is the typical tool to communicate with one or more php
interpreters. Nginx just starts php-fpm, which in turn takes
care of the php script interpretation by means of the
interpreter processes. The interpreter processes run within
a so-called pool (of processes).
The good thing is that you can set up multiple pools, each
with its own configuration, running as a different user,
allowing hardening of php script execution.
How do I tell the proxied servers or php-fpm to use a
certain pool for a certain server?
- reach proxied servers within LAN
what you originally described refers to operations described in
- pfSense - Reach webserver by public IP from within LAN
- pfSense - Can't reach internal web server / NAT Reflection, Split DNS
- pfSense - How to NAT a web server
but nothing mentioned there or by you is supported by my
router; at least I can declare a fixed IP for the NAS and set
the NAS as primary DNS server to do:
- Running DNS locally for home network
- How To Configure BIND as a Private Network DNS Server
so the nginx-related question: do I need to add a listener on
NAS_IP:LANPort to proxy the webserver within the LAN?
- (new) how to debug
In /etc/nginx/nginx.conf there is:
    access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_access,nohostname main;
    error_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_error,nohostname error;
so I assume Debug Logging is available, although
$ nginx -V 2>&1 | grep -- '--with-debug'
does not return anything.
How can I debug points 1 to 3 best?
- syno setup is complicated / get new hardware that allows
running linux and dockers.
I know, but I'm still hoping that there will be an ARM
processor for a home server.
I'll get new hardware in the long term, but currently I'm
trying to understand the Syno setup; at least I found, most
likely, all relevant locations to configure nginx and php:
nginx
    /etc/nginx
        /etc/nginx/app.d            symlink to /var/tmp/nginx/app.d
        /etc/nginx/conf.d           symlink to /etc/nginx/conf.d
        /etc/nginx/sites-enabled    symlink to /etc/nginx/sites-enabled
        nginx.conf                  generated by nginx-conf-generator.sh
        ...
    /etc.defaults/nginx
    /etc/init                       symlink to /usr/share/init (pre-start script)
        nginx.conf
    /usr/local/etc/nginx
        /usr/local/etc/nginx/conf.d         empty
        /usr/local/etc/nginx/sites-enabled  empty
    /usr/share/nginx
        /usr/share/nginx/html
            50x.html
            index.html
    /usr/syno/etc/rc.sysv
        nginx-conf-generator.sh
    /usr/syno/share/nginx
        /usr/syno/share/nginx/conf.d        location configs
        *.mustache files                    properly used by nginx-conf-generator.sh
    /var/lib/nginx                  symlink to /var/services/tmp/nginx
    /var/tmp/nginx
        /var/tmp/nginx/app
        /var/tmp/nginx/app.d
        /var/tmp/nginx/conf.d       empty
        /var/tmp/nginx/trusted_proxy
php (php5 is used by phpMyAdmin)
    /etc/php
        php.ini (extension_dir = "/usr/lib/php/modules" & sendmail_path = /usr/bin/ssmtp -t)
    /etc.defaults/php
        php.ini (extension_dir = "/usr/lib/php/modules" & sendmail_path = /usr/bin/ssmtp -t)
    /etc/init                       symlink to /usr/share/init (pre-start script)
        php_timezone_update.conf
        pkgctl-PHP5.6.conf
        pkgctl-PHP7.0.conf
        pkg-php56-fpm.conf
        pkg-php70-fpm.conf
        pkg-WebStation-php56.conf
        pkg-WebStation-php70.conf
        ...
    /lib                            symlink to /usr/lib
    /run/php-fpm
        php*-fpm*
    /usr/lib/php
        /usr/lib/php/modules        (same modules as listed in /etc/php/php.ini)
        /usr/lib/php/phpmailer
        /usr/lib/php/phpoffice
    /usr/local/bin
        /usr/local/bin/feasibilitycheck
        ...
        php70-cgi                   symlink to /var/packages/PHP7.0/target/usr/local/bin/php70-cgi
        php70-fpm                   symlink to /var/packages/PHP7.0/target/usr/local/bin/php70-fpm
        ...
    /usr/local/etc
        /usr/local/etc/php56
            /usr/local/etc/php56/conf.d
            /usr/local/etc/php56/fpm.d
            /usr/local/etc/php56/freetds
            php.ini
            php-fpm.conf            symlink to /volume1/@appstore/PHP5.6//usr/local/etc/php56/php-fpm.conf
        /usr/local/etc/php70
            /usr/local/etc/php70/conf.d
            /usr/local/etc/php70/fpm.d
            /usr/local/etc/php70/freetds    symlink to /volume1/@appstore/PHP7.0//usr/local/etc/php70/freetds
            php.ini
            php-fpm.conf            symlink to /volume1/@appstore/PHP7.0//usr/local/etc/php70/php-fpm.conf
    /usr/local/lib
        /usr/local/lib/php56
            /usr/local/lib/php56/modules    empty
        /usr/local/lib/php70
            /usr/local/lib/php70/modules    empty
    /var/packages
        /var/packages/PHP5.6
            /var/packages/PHP5.6/conf
            /var/packages/PHP5.6/etc        symlink to /usr/syno/etc/packages/PHP5.6
            /var/packages/PHP5.6/scripts
            /var/packages/PHP5.6/target     symlink to /volume1/@appstore/PHP5.6
        /var/packages/PHP7.0
            /var/packages/PHP7.0/conf
            /var/packages/PHP7.0/etc        symlink to /usr/syno/etc/packages/PHP7.0
            /var/packages/PHP7.0/scripts
            /var/packages/PHP7.0/target     symlink to /volume1/@appstore/PHP7.0
php managed by WebStation (Synology's web site hosting package)
    /var/packages/WebStation/target/misc
        /var/packages/WebStation/target/misc/WebStation-php56
            /var/packages/WebStation/target/misc/WebStation-php56/conf.d
                extension.ini
        /var/packages/WebStation/target/misc/WebStation-php56
            /var/packages/WebStation/target/misc/WebStation-php56/conf.d
                extension.ini
        ...
        php56.ini
        php56_fpm.conf
        php70.ini
        php70_fpm.conf
        ...
On 28.09.2018 20:49, Reinis Rozitis wrote:
how do I do it exactly, regardless of whether it is cumbersome?
Well, you configure each individual nginx to listen ( https://nginx.org/en/docs/http/ngx_http_core_module.html#listen ) on a unix socket:
Config on nginx1:
..
events { }
http {
    server {
        listen unix:/some/path/user1.sock;
        ..
    }
}
Config on nginx2:
..
server {
    listen unix:/some/path/user2.sock;
    ...
}
And then on the main server you configure the per-user virtualhosts to be proxied to the particular socket:
server {
    listen 80;
    server_name user1.domain;
    location / {
        proxy_pass http://unix:/some/path/user1.sock;
    }
}
server {
    listen 80;
    server_name user2.domain;
    location / {
        proxy_pass http://unix:/some/path/user2.sock;
    }
}
(obviously it's just a mockup and you need to add everything else like http {} blocks, root paths, SSL certificates (if available) etc)
So far I assumed that the workers start the backend application; the access to php is configured in the server block (my reference is What is the easiest way to enable PHP on nginx? and Serve PHP with PHP-FPM and NGINX). My googling tells me that the PHP process usually runs with the permissions of the webserver.
Not exactly.
nginx and php-fpm (which is the typical way of running php under nginx) are different processes/daemons, each having their own configuration, and communicate via FastCGI (http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html ) over tcp or a unix socket, and both can run under different system users (php-fpm can even manage multiple pools, each under its own user and with different settings).
The guide you linked on linode.com isn't fully correct "The listen.owner and listen.group variables are set to www-data by default, but they need to match the user and group NGINX is running as."
The users don't need to match but the nginx user needs read/write permissions on the socket file (setting the same user just makes the guide simpler and less error prone).
You can always put the nginx and php-fpm user in a group and make the socket file group writable (via listen.mode = 0660 in php-fpm.conf)
Unfortunately, my NAS does not support it
While the Synologies are Linux-based maybe running somewhat complicated setups (user/app isolation) and exposing to WAN are not the best option.
Also it beats the whole idea of DSM being userfriendly centralized GUI tool. A regular pc/server with some native linux distribution (Ubuntu, Debian, Fedora, Opensuse etc) might be a better choice (and imho easier to experiment on) and you can always attach the NAS to the linux box (via NFS, samba/cifs, webdav etc).
rr
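The per-site pool and socket-permission setup Reinis describes above, and the "which pool for which server" and LAN-listener questions from the summary, as an added example that is not code from the thread or from Synology's nginx-conf-generator.sh: a small generator that renders one php-fpm pool per site user (socket group-owned by the nginx account, mode 0660) and the matching nginx server block. The nginx account name (www-data), the socket directory and the document roots are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Synology's
# nginx-conf-generator.sh: render one php-fpm pool per site user plus the
# matching nginx server block. The nginx account and socket dir are assumed.
NGINX_USER="${NGINX_USER:-www-data}"   # account the nginx workers run as (assumed)
SOCK_DIR="${SOCK_DIR:-/run/php-fpm}"   # where the pool sockets live (assumed)

# render_pool <pool_user> <docroot>: php-fpm pool section for one site.
# Workers run as <pool_user>; the socket stays owned by that user but is
# group-owned by the nginx account with mode 0660, so nginx can connect
# without both daemons sharing a user (the group approach Reinis described).
render_pool() {
    pool="$1"; docroot="$2"
    cat <<EOF
[$pool]
user = $pool
group = $pool
listen = $SOCK_DIR/$pool.sock
listen.owner = $pool
listen.group = $NGINX_USER
listen.mode = 0660
pm = ondemand
pm.max_children = 5
; scripts of this pool may only open files below the site root
php_admin_value[open_basedir] = $docroot:/tmp
EOF
}

# render_vhost <pool_user> <server_name> <docroot> [lan_ip:port]
# nginx server block that hands .php requests to that one pool socket.
# The optional extra listen lets LAN clients reach the site via the NAS IP
# when the router does no NAT reflection.
render_vhost() {
    pool="$1"; name="$2"; docroot="$3"; lan="$4"
    printf 'server {\n    listen 80;\n'
    if [ -n "$lan" ]; then printf '    listen %s;\n' "$lan"; fi
    cat <<EOF
    server_name $name;
    root $docroot;
    location ~ \.php\$ {
        try_files \$uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass unix:$SOCK_DIR/$pool.sock;
    }
}
EOF
}
```

Write each pool's output to its own file in the php-fpm pool directory (fpm.d on the Synology layout above) and each vhost into sites-enabled, then add the pool users to the nginx group and reload both daemons.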
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx