├── .gitignore ├── LICENSE ├── README.md ├── Vagrantfile ├── nginx.conf ├── tmp └── README.md └── webroot └── index.html /.gitignore: -------------------------------------------------------------------------------- 1 | # Vagrant related. 2 | .vagrant 3 | 4 | # Sublime Text 5 | *sublime-* 6 | 7 | # Nginx cache and log files. 8 | tmp/[a-z]* 9 | 10 | # TODO lists. 11 | TODO* 12 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License 2 | 3 | Copyright (c) 2014 Reason [reason -A- exratione.com] 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Running Nginx Under a Non-Root User 2 | 3 | Sometimes, rarely, you will find yourself needing to run Nginx as a non-root 4 | user without sudo permissions. Figuring out the various settings needed to do 5 | this from scratch can be an annoying process: by default Nginx assumes it has 6 | write access to all sorts of restricted places in a UNIX filesystem, and each 7 | of those is controlled by a different configuration option. 8 | 9 | To run this example, first set up the Vagrant VM. This will install Nginx and 10 | create an `nginx` user with write access to the default `/vagrant` synced 11 | folder: 12 | 13 | ``` 14 | vagrant up 15 | ``` 16 | 17 | Now log in as the default `vagrant` user: 18 | 19 | ``` 20 | vagrant ssh 21 | ``` 22 | 23 | Once logged in switch to the `nginx` user and launch Nginx: 24 | 25 | ``` 26 | sudo su 27 | su - nginx 28 | /usr/sbin/nginx -c /vagrant/nginx.conf 29 | ``` 30 | 31 | You can satisfy yourself that Nginx is running just fine on port 8080 even 32 | though the `nginx` user doesn't have write access to `/var/run`, `/var/log`, and 33 | other restricted locations. 34 | 35 | To stop Nginx: 36 | 37 | ``` 38 | /usr/sbin/nginx -s stop -c /vagrant/nginx.conf 39 | ``` 40 | 41 | The various settings needed for this to work are documented in `nginx.conf`, and 42 | are easy enough to alter for other use cases. 43 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | # -*- mode: ruby -*- 2 | # vi: set ft=ruby : 3 | 4 | # Vagrantfile API/syntax version. Don't touch unless you know what you're doing! 
5 | VAGRANTFILE_API_VERSION = "2" 6 | 7 | Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| 8 | # Every Vagrant virtual environment requires a box to build off of. Here 9 | # we are using 64-bit Ubuntu 12.04. It will be fetched over plain HTTP from the 10 | # box_url below if not already installed (no download checksum is configured here). 11 | config.vm.box = "precise64" 12 | config.vm.box_url = "http://files.vagrantup.com/precise64.box" 13 | 14 | # Create a private network, which allows host-only access to the machine 15 | # using a specific IP. 16 | config.vm.network :private_network, ip: "192.168.35.10" 17 | 18 | # Mount the default synced folder world-writable (dmode=777 / fmode=766) so that the 19 | # provisioned nginx user can write its logs, pidfile and temp files under /vagrant. 20 | config.vm.synced_folder ".", "/vagrant", :mount_options => ["dmode=777", "fmode=766"] 21 | 22 | # Provider-specific configuration so you can fine-tune various 23 | # backing providers for Vagrant. These expose provider-specific options. 24 | # For VirtualBox: 25 | config.vm.provider :virtualbox do |vb| 26 | # Use VBoxManage to customize the VM. For example to change memory: 27 | vb.customize ["modifyvm", :id, "--memory", "512"] 28 | end 29 | 30 | # Install Nginx. 31 | config.vm.provision :shell, :inline => "apt-get update && apt-get -y install nginx" 32 | # Create an unprivileged nginx user (login shell, no home directory) for demonstration purposes. 33 | config.vm.provision :shell, :inline => "useradd nginx --shell /bin/bash --no-create-home" 34 | end 35 | -------------------------------------------------------------------------------- /nginx.conf: -------------------------------------------------------------------------------- 1 | # 2 | # A very simple example configuration showing how to launch Nginx as a non-root 3 | # user without sudo access. 4 | # 5 | # Adjust the paths and other settings for your specific circumstances. They are 6 | # currently configured for use in a Vagrant VM in which the /vagrant folder is 7 | # writable by the non-root user running Nginx. 
8 | # 9 | # Note that as Nginx is not launched as root, it cannot bind to privileged 10 | # ports lower than 1024. 11 | # 12 | # Usage: nginx -c /path/to/this/nginx.conf 13 | # 14 | 15 | # The main-scope error log is written regardless of any server-scope error_log 16 | # definitions, so it has to be set here in the main scope. 17 | # 18 | # Even with this set, Nginx will still try to create the default error file and 19 | # log a non-fatal error when that fails; after that, things work normally. 20 | error_log /vagrant/tmp/error.log; 21 | 22 | # The pidfile will be written to /var/run unless this is set. 23 | pid /vagrant/tmp/nginx.pid; 24 | 25 | worker_processes 1; 26 | 27 | events { 28 | worker_connections 1024; 29 | } 30 | 31 | http { 32 | # Set the temp and cache file paths, which would otherwise default to 33 | # restricted locations writable only by root. 34 | client_body_temp_path /vagrant/tmp/client_body; 35 | fastcgi_temp_path /vagrant/tmp/fastcgi_temp; 36 | proxy_temp_path /vagrant/tmp/proxy_temp; 37 | scgi_temp_path /vagrant/tmp/scgi_temp; 38 | uwsgi_temp_path /vagrant/tmp/uwsgi_temp; 39 | 40 | # sendfile should be turned off in a VirtualBox VM, as it can cause 41 | # data corruption in delivered files. 42 | sendfile off; 43 | 44 | tcp_nopush on; 45 | tcp_nodelay on; 46 | keepalive_timeout 65; 47 | types_hash_max_size 2048; 48 | 49 | include /etc/nginx/mime.types; 50 | index index.html index.htm index.php; 51 | 52 | log_format main '$remote_addr - $remote_user [$time_local] $status ' 53 | '"$request" $body_bytes_sent "$http_referer" ' 54 | '"$http_user_agent" "$http_x_forwarded_for"'; 55 | 56 | default_type application/octet-stream; 57 | 58 | server { 59 | # IPv4. 60 | listen 8080; 61 | # IPv6. 
62 | listen [::]:8080 default ipv6only=on; 63 | 64 | root /vagrant/webroot; 65 | 66 | access_log /vagrant/tmp/access.log; 67 | error_log /vagrant/tmp/error.log; 68 | 69 | location / { 70 | # First attempt to serve the request as a file, then as a directory, then fall 71 | # back to index.html. 72 | try_files $uri $uri/ /index.html; 73 | } 74 | } 75 | } 76 | -------------------------------------------------------------------------------- /tmp/README.md: -------------------------------------------------------------------------------- 1 | Cache, log, and other files from the running Nginx instance are written to this 2 | directory. 3 | -------------------------------------------------------------------------------- /webroot/index.html: -------------------------------------------------------------------------------- 1 | 2 |
3 | 4 |8 | Nothing to see here. 9 |
10 | 11 |