On May 6, 3:32 am, Derick Eisenhardt <[email protected]>
wrote:
> Thanks for all the info so far guys. I really like the idea of having
> nginx be the only server accessible by the web, and then a different
> service running the python side of things that is only accessible to
> the localhost to give an added layer of security...but maybe that's
> negligible, maybe there's really no security benefit there? I just
> know I really like that nginx can run as a very limited user account,
> as while Apache requires you to run it in a chroot jail if you don't
> want it having root access.
Huh? Unless you are using SELinux or similar, for nginx to be able to
accept connections on port 80, it must be started up as root. This is
the same situation as Apache. For Apache, any server child processes
which handle connections do not run as root, instead they have dropped
privileges and run as a special user, usually www, www-data, wwwserv
or similar. I would expect/hope that nginx would also do similar. In
that respect, there shouldn't really be any differences between the
two.
With Apache/mod_wsgi, you can also use its daemon mode and delegate
specific WSGI applications to run in their own process group (like
fastcgi), with mod_wsgi being able to be told to run them as a
different user again, with that user not being restricted to just
being the Apache user. This is done as an inbuilt feature of mod_wsgi
and it isn't necessary to have to fiddle with suexec or similar like
with fastcgi implementations which also perform process management.
I think perhaps your understanding of how Apache works isn't
complete. :-)
Graham
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"TurboGears" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/turbogears?hl=en
-~----------~----~----~----~------~----~------~--~---
