├── .gitignore
├── LICENSE
├── README.md
├── Vagrantfile
├── nginx.conf
├── tmp
└── README.md
└── webroot
└── index.html
/.gitignore:
--------------------------------------------------------------------------------
1 | # Vagrant related.
2 | .vagrant
3 |
4 | # Sublime Text
5 | *sublime-*
6 |
7 | # Nginx cache and log files.
8 | tmp/[a-z]*
9 |
10 | # TODO lists.
11 | TODO*
12 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | The MIT License
2 |
3 | Copyright (c) 2014 Reason [reason -A- exratione.com]
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in
13 | all copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21 | THE SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Running Nginx Under a Non-Root User
2 |
3 | Sometimes, rarely, you will find yourself needing to run Nginx as a non-root
4 | user without sudo permissions. Figuring out the various settings needed to do
5 | this from scratch can be an annoying process: by default Nginx assumes it has
6 | write access to all sorts of restricted places in a UNIX filesystem, and each
7 | of those is controlled by a different configuration option.
8 |
9 | To run this example, first set up the Vagrant VM. This will install Nginx and
10 | create an `nginx` user with write access to the default `/vagrant` synced
11 | folder:
12 |
13 | ```
14 | vagrant up
15 | ```
16 |
17 | Now log in as the default `vagrant` user:
18 |
19 | ```
20 | vagrant ssh
21 | ```
22 |
23 | Once logged in switch to the `nginx` user and launch Nginx:
24 |
25 | ```
26 | sudo su
27 | su - nginx
28 | /usr/sbin/nginx -c /vagrant/nginx.conf
29 | ```
30 |
31 | You can satisfy yourself that Nginx is running just fine on port 8080 even
32 | though the `nginx` user doesn't have write access to `/var/run`, `/var/log`, and
33 | other restricted locations.
34 |
35 | To stop Nginx:
36 |
37 | ```
38 | /usr/sbin/nginx -s stop -c /vagrant/nginx.conf
39 | ```
40 |
41 | The various settings needed for this to work are documented in `nginx.conf`, and
42 | are easy enough to alter for other use cases.
43 |
--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
1 | # -*- mode: ruby -*-
2 | # vi: set ft=ruby :
3 |
4 | # Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
5 | VAGRANTFILE_API_VERSION = "2"
6 |
7 | Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
8 | # Every Vagrant virtual environment requires a box to build off of. Here
9 | # we are using 64-bit Ubuntu 12.04. It will be fetched from the remote
10 | # URL if not already installed.
11 | config.vm.box = "precise64"
12 | config.vm.box_url = "http://files.vagrantup.com/precise64.box"
13 |
14 | # Create a private network, which allows host-only access to the machine
15 | # using a specific IP.
16 | config.vm.network :private_network, ip: "192.168.35.10"
17 |
18 | # Mount the default synced folder with lax permissions, so as to allow the
19 | # provisioned nginx user to access it.
20 | config.vm.synced_folder ".", "/vagrant", :mount_options => ["dmode=777", "fmode=766"]
21 |
22 | # Provider-specific configuration so you can fine-tune various
23 | # backing providers for Vagrant. These expose provider-specific options.
24 | # For VirtualBox:
25 | config.vm.provider :virtualbox do |vb|
26 | # Use VBoxManage to customize the VM. For example to change memory:
27 | vb.customize ["modifyvm", :id, "--memory", "512"]
28 | end
29 |
30 | # Install Nginx.
31 | config.vm.provision :shell, :inline => "apt-get update && apt-get -y install nginx"
32 | # Create an nginx user for demonstration purposes.
33 | config.vm.provision :shell, :inline => "useradd nginx --shell /bin/bash --no-create-home"
34 | end
35 |
--------------------------------------------------------------------------------
/nginx.conf:
--------------------------------------------------------------------------------
1 | #
2 | # A very simple example configuration showing how to launch Nginx as a non-root
3 | # user without sudo access.
4 | #
5 | # Adjust the paths and other settings for your specific circumstances. They are
6 | # currently configured for use in a Vagrant VM in which the /vagrant folder is
7 | # writable by the non-root user running Nginx.
8 | #
9 | # Note that as Nginx is not launched as root, it cannot bind to privileged
10 | # ports lower than 1024.
11 | #
12 | # Usage: nginx -c /path/to/this/nginx.conf
13 | #
14 |
15 | # This error log will be written regardless of server scope error_log
16 | # definitions, so we have to set this here in the main scope.
17 | #
18 | # Even doing this, Nginx will still try to create the default error file, and
19 | # log a non-fatal error when it fails. After that things will work, however.
20 | error_log /vagrant/tmp/error.log;
21 |
22 | # The pidfile will be written to /var/run unless this is set.
23 | pid /vagrant/tmp/nginx.pid;
24 |
25 | worker_processes 1;
26 |
27 | events {
28 | worker_connections 1024;
29 | }
30 |
31 | http {
32 | # Set an array of temp and cache file options that will otherwise default to
33 | # restricted locations accessible only to root.
34 | client_body_temp_path /vagrant/tmp/client_body;
35 | fastcgi_temp_path /vagrant/tmp/fastcgi_temp;
36 | proxy_temp_path /vagrant/tmp/proxy_temp;
37 | scgi_temp_path /vagrant/tmp/scgi_temp;
38 | uwsgi_temp_path /vagrant/tmp/uwsgi_temp;
39 |
40 | # This should be turned off in a Virtualbox VM, as it can cause some
41 | # interesting issues with data corruption in delivered files.
42 | sendfile off;
43 |
44 | tcp_nopush on;
45 | tcp_nodelay on;
46 | keepalive_timeout 65;
47 | types_hash_max_size 2048;
48 |
49 | include /etc/nginx/mime.types;
50 | index index.html index.htm index.php;
51 |
52 | log_format main '$remote_addr - $remote_user [$time_local] $status '
53 | '"$request" $body_bytes_sent "$http_referer" '
54 | '"$http_user_agent" "$http_x_forwarded_for"';
55 |
56 | default_type application/octet-stream;
57 |
58 | server {
59 | # IPv4.
60 | listen 8080;
61 | # IPv6.
62 | listen [::]:8080 default ipv6only=on;
63 |
64 | root /vagrant/webroot;
65 |
66 | access_log /vagrant/tmp/access.log;
67 | error_log /vagrant/tmp/error.log;
68 |
69 | location / {
70 | # First attempt to serve request as file, then as directory, then fall
71 | # back to index.html.
72 | try_files $uri $uri/ /index.html;
73 | }
74 | }
75 | }
76 |
--------------------------------------------------------------------------------
/tmp/README.md:
--------------------------------------------------------------------------------
1 | Cache, log, and other files from the running Nginx instance are written to this
2 | directory.
3 |
--------------------------------------------------------------------------------
/webroot/index.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | An Empty Index Page
5 |
6 |
7 |
8 | Nothing to see here.
9 |
10 |
11 |