diff --git a/manifests/config.pp b/manifests/config.pp
index 8711e4c..f91b721 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -18,6 +18,7 @@ class nginx::config(
 $client_max_body_size = $nginx::params::nx_client_max_body_size,
 $confd_purge = $nginx::params::nx_confd_purge,
 $conf_template = $nginx::params::nx_conf_template,
+ $daemon_user = $nginx::params::nx_daemon_user,
 $events_use = $nginx::params::nx_events_use,
 $fastcgi_cache_inactive = $nginx::params::nx_fastcgi_cache_inactive,
 $fastcgi_cache_key = $nginx::params::nx_fastcgi_cache_key,
@@ -49,6 +50,7 @@ class nginx::config(
 $proxy_send_timeout = $nginx::params::nx_proxy_send_timeout,
 $proxy_set_header = $nginx::params::nx_proxy_set_header,
 $server_tokens = $nginx::params::nx_server_tokens,
+ $super_user = $nginx::params::nx_super_user,
 $types_hash_bucket_size = $nginx::params::nx_types_hash_bucket_size,
 $types_hash_max_size = $nginx::params::nx_types_hash_max_size,
 $vhost_purge = $nginx::params::nx_vhost_purge,
@@ -101,12 +103,12 @@ class nginx::config(
 file {$nginx::config::nx_client_body_temp_path:
 ensure => directory,
- owner => $nginx::params::nx_daemon_user,
+ owner => $daemon_user,
 }
 file {$nginx::config::nx_proxy_temp_path:
 ensure => directory,
- owner => $nginx::params::nx_daemon_user,
+ owner => $daemon_user,
 }
 file { "${nginx::params::nx_conf_dir}/sites-available":
diff --git a/manifests/init.pp b/manifests/init.pp
index dd7e78d..60df2d5 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -34,6 +34,7 @@ class nginx (
 $confd_purge = $nginx::params::nx_confd_purge,
 $configtest_enable = $nginx::params::nx_configtest_enable,
 $conf_template = $nginx::params::nx_conf_template,
+ $daemon_user = $nginx::params::nx_daemon_user,
 $events_use = $nginx::params::nx_events_use,
 $fastcgi_cache_inactive = $nginx::params::nx_fastcgi_cache_inactive,
 $fastcgi_cache_key = $nginx::params::nx_fastcgi_cache_key,
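Review bot: In manifests/config.pp, hunk `@@ -101,12 +103,12 @@`, both temp-path directories are declared with `ensure => directory` and an `owner` but no `mode`, so their permissions are left to whatever already exists on disk or to the agent's default. Going by their names, these paths hold buffered client request bodies and proxied responses, and now that the owner is a caller-supplied `$daemon_user` it is worth restricting access to that account by adding `mode => '0700',` to both `file` resources. The class body begins and continues outside the hunk, so a resource default for `mode` may already be set there; if so, this can be dropped.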
@@ -76,6 +77,7 @@ class nginx (
 $server_tokens = $nginx::params::nx_server_tokens,
 $service_ensure = $nginx::params::nx_service_ensure,
 $service_restart = $nginx::params::nx_service_restart,
+ $super_user = $nginx::params::nx_super_user,
 $vhost_purge = $nginx::params::nx_vhost_purge,
 $worker_connections = $nginx::params::nx_worker_connections,
 $worker_processes = $nginx::params::nx_worker_processes,
@@ -154,6 +156,7 @@ class nginx (
 validate_hash($nginx_mailhosts)
 validate_bool($manage_repo)
 validate_string($proxy_headers_hash_bucket_size)
+ validate_bool($super_user)
 class { 'nginx::package':
 package_name => $package_name,
@@ -168,6 +171,7 @@ class nginx (
 client_max_body_size => $client_max_body_size,
 confd_purge => $confd_purge,
 conf_template => $conf_template,
+ daemon_user => $daemon_user,
 events_use => $events_use,
 fastcgi_cache_inactive => $fastcgi_cache_inactive,
 fastcgi_cache_key => $fastcgi_cache_key,
@@ -199,6 +203,7 @@ class nginx (
 proxy_send_timeout => $proxy_send_timeout,
 proxy_set_header => $proxy_set_header,
 server_tokens => $server_tokens,
+ super_user => $super_user,
 vhost_purge => $vhost_purge,
 worker_connections => $worker_connections,
 worker_processes => $worker_processes,
diff --git a/manifests/params.pp b/manifests/params.pp
index c3f26d9..5a353c4 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -115,6 +115,9 @@ class nginx::params {
 }
 }
+ # Nginx is default launched as root if not change this parameter
+ $nx_super_user = true
 # Service restart after Nginx 0.7.53 could also be just
 # "/path/to/nginx/bin -s HUP" Some init scripts do a configtest, some don't.
 # If configtest_enable it's true then service restart will take
diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
index eaac8c1..4f56b99 100644
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
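Review bot: In manifests/init.pp, hunk `@@ -154,6 +156,7 @@`, `$super_user` gets a `validate_bool` but the new `$daemon_user` is not validated at all, although the template change in this commit writes it verbatim into `user <%= @daemon_user %>;` and the manifests use it as a file `owner`. A value containing whitespace, `;` or a newline would break or add directives in the generated nginx.conf, so I would add `validate_re($daemon_user, '\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z')` next to the new check, using `\A`/`\z` rather than `^`/`$` so that a multi-line value cannot pass. The `nginx::config` hunks show no validation for either parameter; if that class can be declared on its own, the same checks belong there too, but its body beyond the hunks is not visible here.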
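Review bot: In manifests/params.pp, the comment added above `$nx_super_user` does not say what the flag actually controls. Going by the template change in this commit, it decides whether the `user` directive is written to nginx.conf, so I would reword it to `# Set to false when nginx is started by an unprivileged account; the 'user' directive is then left out of nginx.conf.` It is also worth stating that `daemon_user` is still applied as the file owner in config.pp and vhost.pp when the flag is false, so it presumably has to name the account that launches nginx.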
@@ -516,32 +516,32 @@ define nginx::resource::vhost (
 # Check if the file has been defined before creating the file to
 # avoid the error when using wildcard cert on the multiple vhosts
 ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.crt", {
- owner => $nginx::params::nx_daemon_user,
+ owner => $nginx::config::daemon_user,
 mode => '0444',
 source => $ssl_cert,
 })
 ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.key", {
- owner => $nginx::params::nx_daemon_user,
+ owner => $nginx::config::daemon_user,
 mode => '0440',
 source => $ssl_key,
 })
 if ($ssl_dhparam != undef) {
 ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.dh.pem", {
- owner => $nginx::params::nx_daemon_user,
+ owner => $nginx::config::daemon_user,
 mode => '0440',
 source => $ssl_dhparam,
 })
 }
 if ($ssl_stapling_file != undef) {
 ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.ocsp.resp", {
- owner => $nginx::params::nx_daemon_user,
+ owner => $nginx::config::daemon_user,
 mode => '0440',
 source => $ssl_stapling_file,
 })
 }
 if ($ssl_trusted_cert != undef) {
 ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.trusted.crt", {
- owner => $nginx::params::nx_daemon_user,
+ owner => $nginx::config::daemon_user,
 mode => '0440',
 source => $ssl_trusted_cert,
 })
diff --git a/templates/conf.d/nginx.conf.erb b/templates/conf.d/nginx.conf.erb
index 8d71472..8f1267f 100644
--- a/templates/conf.d/nginx.conf.erb
+++ b/templates/conf.d/nginx.conf.erb
@@ -1,4 +1,6 @@
-user <%= scope.lookupvar('nginx::config::nx_daemon_user') %>;
+<% if @super_user -%>
+user <%= @daemon_user %>;
+<% end -%>
 worker_processes <%= @worker_processes %>;
 worker_rlimit_nofile <%= @worker_rlimit_nofile %>;
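Review bot: In manifests/resource/vhost.pp the private key `${cert}.key` stays owned by the daemon account, now `$nginx::config::daemon_user`, so the unprivileged worker user can read it from disk. When `super_user` is true the nginx master normally starts as root and loads the key before the workers switch to the `user` account, so daemon ownership is only needed when `super_user` is false; consider `owner => $nginx::config::super_user ? { true => 'root', default => $nginx::config::daemon_user },` for the key resource. Separately, these lines read `$nginx::config::daemon_user` from inside a define, which resolves only if `nginx::config` has already been evaluated; otherwise `owner` would be undef and left unmanaged. The define's body extends outside the hunk, so whether that ordering is guaranteed is not visible here.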