Arch Linux

lichar

Member

Registered: 2015-04-06

Posts: 5

Nginx in chroot and SSL

Hi all,

I have Arch Linux running on a VPS. I managed to install nginx in a chroot environment as described by the documentation. Everything works well for now except SSL.

The problem I have is that nginx now run as http user therefore I need to change the ownership of my ssl key file otherwise nginx can't read it and raise an error. I did install nginx in a chroot for security purposes but now I have my ssl key no longer owned by root and I feel like this is less secure if my server is compromised.  Is that true ?

Thanks in advance,

Charlie

brebs

Member

Registered: 2007-04-03

Posts: 3,742

Re: Nginx in chroot and SSL

Ubuntu have a sensible way of handling this - a group named "ssl-cert".

Put your http user in the ssl-cert group.

Cert key file properties should then be:
* chmod 640
* chown root:ssl-cert

Spider.007

Member

Registered: 2004-06-20

Posts: 1,175

Re: Nginx in chroot and SSL

Ubuntu have a sensible way of handling this - a group named "ssl-cert".

Put your http user in the ssl-cert group.

Cert key file properties should then be:
* chmod 640
* chown root:ssl-cert

How is this better then chgrp-ing to http? @ts; are you sure the chroot caused this? I'm pretty sure nginx reads the private-key as root, before dropping privileges.

brebs

Member

Registered: 2007-04-03

Posts: 3,742

Re: Nginx in chroot and SSL

How is this better then chgrp-ing to http?

When the private key is used by *multiple* server processes, not just a webserver.

E.g.: LDAP server, Jabber server, Mailserver.

lichar

Member

Registered: 2015-04-06

Posts: 5

Re: Nginx in chroot and SSL

Archlinux doesn't come with a ssl-cert group. How should I process ?

@Spider.007 : from Arch nginx documentation under 'Installation in a chroot section' : "Arch comes with an http user and group by default which will run the server."

Last edited by lichar (2015-06-21 01:02:08)

brebs

Member

Registered: 2007-04-03

Posts: 3,742

Re: Nginx in chroot and SSL

groupadd --system ssl-cert

However, to keep things as simple as possible, just stick with the http user and group for now.

Use the chown and chmod commands. E.g.:

chown root:http mycert.key
chmod 640 mycert.key

Spider.007

Member

Registered: 2004-06-20

Posts: 1,175

Re: Nginx in chroot and SSL

[...]

@Spider.007 : from Arch nginx documentation under 'Installation in a chroot section' : "Arch comes with an http user and group by default which will run the server."

But did you keeping the private key owned by root? The documentation is incomplete; have a look at the user that runs the nginx master process (hint; it's not http)

Last edited by Spider.007 (2015-06-21 13:38:31)

lichar

Member

Registered: 2015-04-06

Posts: 5

Re: Nginx in chroot and SSL

@Spider.007 :

 
ps -aux | grep nginx
http     11919  0.0  0.0  23896  1096 ?        Ss   Jun20   0:00 nginx: master process /usr/bin/nginx -g pid /run/nginx.pid; daemon on; master_process on;
http     11920  0.0  0.2  25728  6996 ?        S    Jun20   0:09 nginx: worker process
root     14027  0.0  0.0  73252     0 ?        Ss   Apr09   0:00 nginx: master process /usr/sbin/nginx

I see two master processes. One for root and the other for http. Seems to be a problem here no ?

EDIT
I killed the old nginx process from Apr09. Now I only have one master process and one worker process both run by http user.

If I keep the private key owned by root nginx raise an error when I start/reload it using systemd.

@brebs: I know I can add a group but I thought you were talking about a specific group that has specific "rules".
Eventually I thought that my ssl key is in the chroot (what a surprise ^^) which means that to navigate through that folder a user needs root privileges or be part of http. However why is

 chown root:http 

more secure than changing ownership only to http ?

Last edited by lichar (2015-06-23 18:02:11)

brebs

Member

Registered: 2007-04-03

Posts: 3,742

Re: Nginx in chroot and SSL

... more secure than changing ownership only to http ?

I was just giving you a perfectly reasonable and sensible example.