From f5a12bdb3384b4a9202c3eb377f032569955fd5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20O=CC=88rnstedt?=
Date: Thu, 15 May 2014 14:51:37 +0200
Subject: [PATCH 1/3] Add super_user option to be able to launch nginx as unprivileged user without complains.

---
 manifests/config.pp | 1 +
 manifests/init.pp | 2 ++
 manifests/params.pp | 3 +++
 templates/conf.d/nginx.conf.erb | 4 +++-
 4 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/manifests/config.pp b/manifests/config.pp
index 8711e4c..5430221 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -49,6 +49,7 @@ class nginx::config(
 $proxy_send_timeout = $nginx::params::nx_proxy_send_timeout,
 $proxy_set_header = $nginx::params::nx_proxy_set_header,
 $server_tokens = $nginx::params::nx_server_tokens,
+ $super_user = $nginx::params::nx_super_user,
 $types_hash_bucket_size = $nginx::params::nx_types_hash_bucket_size,
 $types_hash_max_size = $nginx::params::nx_types_hash_max_size,
 $vhost_purge = $nginx::params::nx_vhost_purge,
diff --git a/manifests/init.pp b/manifests/init.pp
index dd7e78d..9d46ea9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -76,6 +76,7 @@ class nginx (
 $server_tokens = $nginx::params::nx_server_tokens,
 $service_ensure = $nginx::params::nx_service_ensure,
 $service_restart = $nginx::params::nx_service_restart,
+ $super_user = $nginx::params::nx_super_user,
 $vhost_purge = $nginx::params::nx_vhost_purge,
 $worker_connections = $nginx::params::nx_worker_connections,
 $worker_processes = $nginx::params::nx_worker_processes,
@@ -199,6 +200,7 @@ class nginx (
 proxy_send_timeout => $proxy_send_timeout,
 proxy_set_header => $proxy_set_header,
 server_tokens => $server_tokens,
+ super_user => $super_user,
 vhost_purge => $vhost_purge,
 worker_connections => $worker_connections,
 worker_processes => $worker_processes,
diff --git a/manifests/params.pp b/manifests/params.pp
index c3f26d9..5a353c4 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -115,6 +115,9 @@ class nginx::params {
 }
 }
 
+ # Nginx is default launched as root if not change this parameter
+ $nx_super_user = true
+
 # Service restart after Nginx 0.7.53 could also be just
 # "/path/to/nginx/bin -s HUP" Some init scripts do a configtest, some don't.
 # If configtest_enable it's true then service restart will take
diff --git a/templates/conf.d/nginx.conf.erb b/templates/conf.d/nginx.conf.erb
index 0ad6838..e7c00d4 100644
--- a/templates/conf.d/nginx.conf.erb
+++ b/templates/conf.d/nginx.conf.erb
@@ -1,4 +1,6 @@
-user <%= scope.lookupvar('nginx::config::nx_daemon_user') %>;
+<% if @super_user -%>
+user <%= @daemon_user %>;
+<% end -%>
 worker_processes <%= @worker_processes %>;
 worker_rlimit_nofile <%= @worker_rlimit_nofile %>;
 
From cc01a84e3902006ad9a06c138a6b9e1cb42efbc2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20O=CC=88rnstedt?=
Date: Wed, 4 Jun 2014 23:28:04 +0200
Subject: [PATCH 2/3] Validate boolean config option.

---
 manifests/init.pp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/manifests/init.pp b/manifests/init.pp
index 9d46ea9..6761805 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -155,6 +155,7 @@ class nginx (
 validate_hash($nginx_mailhosts)
 validate_bool($manage_repo)
 validate_string($proxy_headers_hash_bucket_size)
+ validate_bool($super_user)
 
 class { 'nginx::package':
 package_name => $package_name,
From 526620183d28cf8261332441c4a4fe98bdc180a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20O=CC=88rnstedt?=
Date: Thu, 5 Jun 2014 00:00:41 +0200
Subject: [PATCH 3/3] Added daemon_user as a parameter.

---
 manifests/config.pp | 5 +++--
 manifests/init.pp | 2 ++
 manifests/resource/vhost.pp | 10 +++++-----
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/manifests/config.pp b/manifests/config.pp
index 5430221..f91b721 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
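Review bot: The name and comment of `$nx_super_user` in this params.pp hunk describe the opposite of what the flag does: `true` makes the template emit the `user` directive, which is exactly what lets a root-started master drop its workers to `$nx_daemon_user`, while `false` only removes that directive and changes nothing about how the service is launched. An operator reading "launched as root if not change this parameter" would set it to `false` on a root-started service and thereby lose the privilege drop to the configured account. Proposed replacement for the comment: `# Emit the "user" directive in nginx.conf so workers run as $nx_daemon_user. Keep true when the service is started as root; set false only when nginx itself is started unprivileged (the directive is then just a warning).` The default of `true` does preserve the previous behaviour, which is the right choice.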
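Review bot: `@daemon_user` is not a variable of `nginx::config` in this commit — the parameter is only added in PATCH 3/3 — so, unless nginx::config already defines a `$daemon_user` not visible here, this patch on its own renders `user ;`, which nginx rejects at config test; fold the `daemon_user` parameter into this commit or reorder the series so each step is deployable. Separately, when `@super_user` is false nothing in the module checks that the service really is started unprivileged; if it is still started as root, dropping the directive makes the workers run as nginx's built-in default user rather than `@daemon_user`, silently. A template comment such as `<%# "user" only matters when the master starts as root; omitted for an unprivileged service -%>` would make that intent visible to the next reader.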
@@ -18,6 +18,7 @@ class nginx::config(
 $client_max_body_size = $nginx::params::nx_client_max_body_size,
 $confd_purge = $nginx::params::nx_confd_purge,
 $conf_template = $nginx::params::nx_conf_template,
+ $daemon_user = $nginx::params::nx_daemon_user,
 $events_use = $nginx::params::nx_events_use,
 $fastcgi_cache_inactive = $nginx::params::nx_fastcgi_cache_inactive,
 $fastcgi_cache_key = $nginx::params::nx_fastcgi_cache_key,
@@ -102,12 +103,12 @@ class nginx::config(
 
 file {$nginx::config::nx_client_body_temp_path:
 ensure => directory,
- owner => $nginx::params::nx_daemon_user,
+ owner => $daemon_user,
 }
 
 file {$nginx::config::nx_proxy_temp_path:
 ensure => directory,
- owner => $nginx::params::nx_daemon_user,
+ owner => $daemon_user,
 }
 
 file { "${nginx::params::nx_conf_dir}/sites-available":
diff --git a/manifests/init.pp b/manifests/init.pp
index 6761805..60df2d5 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -34,6 +34,7 @@ class nginx (
 $confd_purge = $nginx::params::nx_confd_purge,
 $configtest_enable = $nginx::params::nx_configtest_enable,
 $conf_template = $nginx::params::nx_conf_template,
+ $daemon_user = $nginx::params::nx_daemon_user,
 $events_use = $nginx::params::nx_events_use,
 $fastcgi_cache_inactive = $nginx::params::nx_fastcgi_cache_inactive,
 $fastcgi_cache_key = $nginx::params::nx_fastcgi_cache_key,
@@ -170,6 +171,7 @@ class nginx (
 client_max_body_size => $client_max_body_size,
 confd_purge => $confd_purge,
 conf_template => $conf_template,
+ daemon_user => $daemon_user,
 events_use => $events_use,
 fastcgi_cache_inactive => $fastcgi_cache_inactive,
 fastcgi_cache_key => $fastcgi_cache_key,
diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
index ef24e43..0af7594 100644
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
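Review bot: In the second config.pp hunk (`@@ -102,12 +103,12 @@`) the temp directories are now owned by `$daemon_user`, but with `super_user => false` the `user` directive is no longer written, so the uid nginx actually runs as is whatever starts the service and can silently diverge from this owner; since no mode is set on these directories the running process then most likely cannot write its request bodies and proxy buffers, and the failure shows up at runtime instead of at catalog time. The same coupling applies to the cert, key, dhparam and OCSP files in the vhost.pp hunk of this patch. The module cannot see how the service is started, so at least document it on the new parameter: `# Account nginx workers run as; when super_user is false this must be the account that starts the service.` A `warning()` in nginx::config when `$super_user` is false and a non-root service is not otherwise evident would also help operators notice the mismatch.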
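Review bot: `$daemon_user`, added in the init.pp hunk `@@ -34,6 +34,7 @@`, is interpolated verbatim into the `user` directive of nginx.conf and used as a file owner, yet unlike `$super_user` (validated in PATCH 2/3) it gets no validation at all. A value that is not a plain account name — for instance one containing `;` or a newline from an untrusted Hiera source — would be written straight into nginx.conf and alter the configuration, and a non-string would only fail later at the file resource. Add `validate_re($daemon_user, '^[a-zA-Z_][a-zA-Z0-9_-]*$')` next to the existing `validate_bool($super_user)`; that validation block is outside this hunk.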
@@ -504,32 +504,32 @@ define nginx::resource::vhost (
 # Check if the file has been defined before creating the file to
 # avoid the error when using wildcard cert on the multiple vhosts
 ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.crt", {
- owner => $nginx::params::nx_daemon_user,
+ owner => $nginx::config::daemon_user,
 mode => '0444',
 source => $ssl_cert,
 })
 ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.key", {
- owner => $nginx::params::nx_daemon_user,
+ owner => $nginx::config::daemon_user,
 mode => '0440',
 source => $ssl_key,
 })
 if ($ssl_dhparam != undef) {
 ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.dh.pem", {
- owner => $nginx::params::nx_daemon_user,
+ owner => $nginx::config::daemon_user,
 mode => '0440',
 source => $ssl_dhparam,
 })
 }
 if ($ssl_stapling_file != undef) {
 ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.ocsp.resp", {
- owner => $nginx::params::nx_daemon_user,
+ owner => $nginx::config::daemon_user,
 mode => '0440',
 source => $ssl_stapling_file,
 })
 }
 if ($ssl_trusted_cert != undef) {
 ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.trusted.crt", {
- owner => $nginx::params::nx_daemon_user,
+ owner => $nginx::config::daemon_user,
 mode => '0440',
 source => $ssl_trusted_cert,
 })
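Review bot: `$nginx::config::daemon_user` is a parameter of class `nginx::config`, so the five new `owner` lines only get a value if that class has been evaluated before this define is compiled; a vhost declared ahead of `class { 'nginx': }` resolves it to undef with nothing more than a compiler warning, and the private key and the other files are then managed with no owner at all. The replaced `nginx::params::nx_daemon_user` reference had a weaker ordering requirement, assuming `nginx::params` is a plain parameterless class that other classes inherit. Unless the define already requires the nginx class outside this hunk, guard it before these resources with `if !defined(Class['nginx::config']) { fail('nginx::resource::vhost needs class nginx declared first') }` so the mistake fails the catalog instead of leaving `${cert}.key` with a default owner. The define's header and remainder are outside the hunk.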