This repository has been archived by the owner on Jun 21, 2018. It is now read-only.

nginx: Add reverse http(s) proxy for users #155

Open: wants to merge 6 commits into base: master
Changes from 1 commit
1 change: 1 addition & 0 deletions .etckeeper
@@ -1004,6 +1004,7 @@ maybe chmod 0644 'nginx/nginx.conf'
maybe chmod 0644 'nginx/scgi_params'
maybe chmod 0755 'nginx/stream.conf.d'
maybe chmod 0644 'nginx/stream.conf.d/sock-https.conf'
maybe chmod 0755 'nginx/symlinks.sh'
maybe chmod 0644 'nginx/uwsgi_params'
maybe chmod 0644 'nginx/win-utf'
maybe chmod 0644 'nova-agent.env'
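Review bot: the new `maybe chmod 0755 'nginx/symlinks.sh'` line is what makes the script executable, and it matters more than usual because this file is later invoked through pam_exec with root privileges during session setup; 0755 is only safe if the file is also recorded as root-owned and stays non-writable by group and others, so check that the matching ownership line for nginx/symlinks.sh (outside this hunk) says root.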
2 changes: 1 addition & 1 deletion nginx/stream.conf.d/sock-https.conf
@@ -11,6 +11,6 @@ stream{
listen 443;
listen [::]:443;

proxy_pass unix:/var/run/nginx/$user_-https.sock;
proxy_pass unix:/run/http/$user_-https.sock;
}
}
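Review bot: `proxy_pass unix:/run/http/$user_-https.sock;` carries forward a variable-name bug from the removed line: nginx reads variable names greedily and an underscore is a valid name character, so `$user_` is the variable named `user_`, not `$user` followed by a literal underscore. If the intended variable is `$user`, write `unix:/run/http/${user}-https.sock`. The new /run/http prefix itself is consistent with the directory from tmpfiles.d/http-socks and with the `${USER}-${proto}.sock` link names created by nginx/symlinks.sh, so the paths line up once the variable is fixed.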
11 changes: 11 additions & 0 deletions nginx/symlinks.sh
@@ -0,0 +1,11 @@
#!/bin/sh -e
USER="${PAM_USER}"
UID=$(id -u "$USER")
XDG_RUNTIME_DIR="/run/user/${UID}"
NGINX_SOCK_DIR="/run/http"

for proto in http https; do
SOCKET_LINK="${NGINX_SOCK_DIR}/${USER}-${proto}.sock"
[ -L "${SOCKET_LINK}" ] || \
ln -s "${XDG_RUNTIME_DIR}/${proto}.sock" "${SOCKET_LINK}"
Member
What are the permissions on the socket going to be?

Member
Ideally, 0700 + the following ACL: g:nginx:rwx, and the default daemon should do that, but users can implement whatever they want.
Truthfully, arbitrary users being able to send stuff to it wouldn't seem like a big deal, given that the socket is (by nature) exposed to the whole Internet anyhow.

done
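Review bot: `UID=$(id -u "$USER")` breaks when /bin/sh is bash, because bash marks UID as a read-only variable and, running in POSIX mode as sh, aborts the non-interactive script on the failed assignment before any link is created; rename it (for example `USER_UID`) and use that in `XDG_RUNTIME_DIR`. Two smaller points: PAM_USER is used unchecked, so an empty value makes `id -u` fail and `-e` exits with nothing but the pam_exec log line to show for it; and the `[ -L "${SOCKET_LINK}" ] ||` guard never replaces a stale link, so a pre-existing symlink pointing elsewhere is kept silently. On the permissions question raised in the thread: the links are created by root inside the root-owned 0755 /run/http, so unprivileged users cannot plant entries there, but the mode of the target socket itself is whatever the user's daemon sets, not something this script controls.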
3 changes: 3 additions & 0 deletions pam.d/common-session-noninteractive
@@ -14,6 +14,9 @@ session required pam_env.so
session required pam_namespace.so unmnt_remnt
session required pam_limits.so

# Setting up HTTP-related symlinks
session optional pam_exec.so log=/dev/log /etc/nginx/symlinks.sh

# Passwd database handling
session sufficient pam_sss.so
session sufficient pam_unix.so
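Review bot: pam_exec runs the command for both open_session and close_session unless told otherwise, so /etc/nginx/symlinks.sh also executes as root every time a session closes; add `type=open_session` to the `session optional pam_exec.so log=/dev/log /etc/nginx/symlinks.sh` line to limit it to session start (harmless today because the script is idempotent, but it halves the root-privileged runs). This also only touches common-session-noninteractive; unless common-session includes this file or gets the same line, interactive logins never get their symlinks. Keeping the module `optional` is right so a script failure cannot block session setup, and `log=/dev/log` at least records that failure.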
2 changes: 2 additions & 0 deletions tmpfiles.d/http-socks
@@ -0,0 +1,2 @@
#Type Path Mode UID GID Age Argument
d /run/http 0755 root root - -
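Review bot: systemd-tmpfiles only reads files whose name ends in .conf, so `tmpfiles.d/http-socks` is ignored and /run/http is never created; rename it to `http-socks.conf`. The entry itself is right: a root-owned 0755 directory lets nginx traverse to the sockets while only root (via symlinks.sh) can add or remove entries.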