Re: Nginx as Reverse Proxy for multiple servers binded to proxy using UNIX sockets - how to reached in LAN

September 28, 2018 01:02PM
Hoi Reinis,

I answered inline and applied colors for my (#6633ff) and your (#cc9933) text
for better readability

Thanks a lot for your input



> I have a Synology NAS which runs nginx as the default web server to run all
> their apps. I would like to extend it to meet the following.
>
> > The purpose is that if the user account webapp1 is compromised, it will only
> > affect webapp1's web server.. and repeat this for all
> > accounts/websites/whatever you want to keep separated. This approach uses
> > some more RAM than having a single nginx instance do everything directly.
>
> Besides the question for the optimal setup to realize this

While technically you could run per-user nginx listening on a unix socket and
then make a proxy on top of those, while doable it feels a bit cumbersome
(at least to me).

How do I do it exactly, regardless of whether it is cumbersome? Be it only for
informational purposes, but it makes the entire conversation a bit
easier. Combined with the outcome of the section it could outline all
possible options (incl. pros and cons).

Usually what gets compromised is the (dynamic) backend application
(php/python/perl/lua etc) not the nginx/webserver itself, also nginx by
default doesn't run under root but 'nobody'. root is only needed on startup
for the master process to open 80/443 (ports below 1024) then all the
workers switch to an unprivileged user.

So far I assumed that the worker starts the backend application; the access
to PHP is configured in the server block (my references are What is the
easiest way to enable PHP on nginx?
https://askubuntu.com/questions/134666/what-is-the-easiest-way-to-enable-php-on-nginx
and Serve PHP with PHP-FPM and NGINX
https://www.linode.com/docs/web-servers/nginx/serve-php-php-fpm-and-nginx/
). My googling tells me that the PHP process usually runs with the
permissions of the webserver. So I need to find a way that each
web application (webapp1, webapp2, etc.) calls its PHPs using a unique user
account. When I read nginx + php run with different user id
https://serverfault.com/questions/826378/nginx-php-run-with-different-user-id
and changing php user to run as nginx user
https://stackoverflow.com/questions/21999586/changing-php-user-to-run-as-nginx-user
it must be somehow possible. Could you share more information on how to
achieve that?

One way of doing this would be instead of launching several nginxes just
run the backend processes (like php-fpm, gunicorns etc) under particular
users and let nginx communicate to those via sockets.

I'm not familiar how Synology NAS internally separates different user
processes but it has Docker support
( https://www.synology.com/en-global/dsm/feature/docker) and even Virtual
Machine Manager which technically would be a better user / application
isolation.

Unfortunately, my NAS does not support it

> I'm wondering how I can call the web server locally, within my LAN if I
> call them by the NAS's IP.

It depends on your network topology.

Does the Synology box have only a LAN interface? Then you either need to
configure port forwarding on your router or make a server/device which has
both lan/wan interfaces (DMZ) and then can expose either on tcp level (for
example via iptables) or via http proxy the internal websites/resources
The NAS has only one LAN interface. You suggest a more complex solution than
just simple NAT port forwarding, as explained in Using router and internal
LAN port forwarding device - Advice please :)
https://superuser.com/questions/1218881/using-router-and-internal-lan-port-forwarding-device-advice-please
. I have a simple router, the Zyxel NBG6616
https://www.zyxel.com/support/SupportLandingSR.shtml?c=gb&l=en&kbid=M-01999&md=NBG6616.
It seems that it supports DMZ
https://www.zyxel.com/tr/tr/guidemo/zyw70/h_DMZ.html and if you refer to
a static DHCP table by IP Table then it is supported as well, but it doesn't
look good for the http proxy. I still do not understand how to forward to UNIX
sockets. Do I need custom port entries in the proxy part like NASIP:80001 ->
Wepapp1ViaUNIXSocket NASIP:80002 -> Wepapp1ViaUNIXSocket

I could run a DNS server on the NAS if that simplifies it.

If you make a virtual machine for each user you can then assign a
separate LAN or WAN ip for each instance.

VMs aren't supported, so it isn't an option

But this kind of gets out of the scope of this mailing list.

rr
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
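
The layout suggested in the message above (a single nginx, with each application's PHP backend running under its own account and reached over a Unix socket) can be sketched as follows. This is an added example, not configuration from the thread or from Synology; the account names `webapp1`/`webapp2`, ports 8081/8082, the `/run/php-fpm` socket directory and the `/volume1/web` document root are all assumptions.

```shell
#!/bin/sh
# Added example: write one php-fpm pool and one nginx server block per app.
# Every name, port and path here is an assumption, not a value from the thread.

# gen_app NAME PORT OUTDIR
# NAME is also the dedicated Unix account that app's PHP workers run as.
gen_app() {
    app=$1; port=$2; out=$3
    sock="/run/php-fpm/${app}.sock"      # assumed socket location
    mkdir -p "$out/php-fpm.d" "$out/nginx.d"

    # php-fpm pool: workers run as the app's own user. The socket belongs to
    # the nginx worker user ('nobody' per the thread) with mode 0600, so no
    # other local account, including the other apps, can connect to it.
    cat > "$out/php-fpm.d/${app}.conf" <<EOF
[${app}]
user = ${app}
group = ${app}
listen = ${sock}
listen.owner = ${NGINX_USER:-nobody}
listen.mode = 0600
pm = ondemand
pm.max_children = 4
EOF

    # nginx front end: one LAN-facing port per app, PHP handed only to that
    # app's pool. "\$" keeps nginx variables away from shell expansion.
    cat > "$out/nginx.d/${app}.conf" <<EOF
server {
    listen ${port};
    root /volume1/web/${app};
    index index.php;

    location ~ \.php\$ {
        try_files \$uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass unix:${sock};
    }
}
EOF
}

# Constructed sample: two isolated apps, served on <NAS-IP>:8081 and :8082.
OUT=${OUT:-$(mktemp -d)}
gen_app webapp1 8081 "$OUT"
gen_app webapp2 8082 "$OUT"
echo "configs written to $OUT"
```

The php-fpm master has to be started as root for `user =` and `listen.owner =` to take effect. With this layout a compromised `webapp1` script runs with `webapp1`'s file permissions only and cannot open `webapp2`'s socket.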