
#1 2020-10-01 14:40:16

RageBanken
Member
Registered: 2020-09-16
Posts: 24

[CLOSED] Multiple chroot jailed nginx server location practices?

I need to set up two nginx servers running in chroot jails.  One for www and one for lan.  I'm trying to wrap my head around how to adapt the wiki entry away from using the entire /srv/http directory as the chroot - and failing.  Can someone point me at a resource regarding what are the best practices or common ways of doing this kind of setup?  I would like to keep the /srv/http/www and /srv/http/lan directory structure.

Last edited by RageBanken (2020-10-03 13:24:10)


Gate-keeping knowledge is functionally the same as burning books.
Don't have the time or can't admit you don't know?  Zip it.


#2 2020-10-01 15:09:23

solskog
Member
Registered: 2020-09-05
Posts: 246

Re: [CLOSED] Multiple chroot jailed nginx server location practices?

How about using firejail with a separate process tree? Also, if mysql is involved, you need to include that in the jail as well.


#3 2020-10-01 16:35:30

RageBanken
Member
Registered: 2020-09-16
Posts: 24

Re: [CLOSED] Multiple chroot jailed nginx server location practices?

I'm aware of needing to put mysql in the jail as well.  Firejail is a fair recommendation; however, I'm trying to do this without extra software/automation, otherwise I'd just slap docker on here and be done with it.

Would it be fair to say that I should just adapt information from the wiki entry by just moving the entire chroots for these down a level from /srv/http/ to www and lan?

EDIT:  The more I read up on this elsewhere, I am becoming convinced that using chroot for this is a dated and problematic approach.  It seems that using a container is a far more practical and secure option (by all means, correct me if you have a better option) so I'm going to pursue this with systemd-nspawn as it is already included with the base install.  I'm marking this as closed as the original approach/question isn't practical/current.

Last edited by RageBanken (2020-10-03 13:23:14)

