Merge pull request #328 from janorn/run_as_unprivileged
Run as unprivileged user
This commit is contained in:
commit
9c7cf2d182
5 changed files with 20 additions and 8 deletions
|
@ -18,6 +18,7 @@ class nginx::config(
|
||||||
$client_max_body_size = $nginx::params::nx_client_max_body_size,
|
$client_max_body_size = $nginx::params::nx_client_max_body_size,
|
||||||
$confd_purge = $nginx::params::nx_confd_purge,
|
$confd_purge = $nginx::params::nx_confd_purge,
|
||||||
$conf_template = $nginx::params::nx_conf_template,
|
$conf_template = $nginx::params::nx_conf_template,
|
||||||
|
$daemon_user = $nginx::params::nx_daemon_user,
|
||||||
$events_use = $nginx::params::nx_events_use,
|
$events_use = $nginx::params::nx_events_use,
|
||||||
$fastcgi_cache_inactive = $nginx::params::nx_fastcgi_cache_inactive,
|
$fastcgi_cache_inactive = $nginx::params::nx_fastcgi_cache_inactive,
|
||||||
$fastcgi_cache_key = $nginx::params::nx_fastcgi_cache_key,
|
$fastcgi_cache_key = $nginx::params::nx_fastcgi_cache_key,
|
||||||
|
@ -49,6 +50,7 @@ class nginx::config(
|
||||||
$proxy_send_timeout = $nginx::params::nx_proxy_send_timeout,
|
$proxy_send_timeout = $nginx::params::nx_proxy_send_timeout,
|
||||||
$proxy_set_header = $nginx::params::nx_proxy_set_header,
|
$proxy_set_header = $nginx::params::nx_proxy_set_header,
|
||||||
$server_tokens = $nginx::params::nx_server_tokens,
|
$server_tokens = $nginx::params::nx_server_tokens,
|
||||||
|
$super_user = $nginx::params::nx_super_user,
|
||||||
$types_hash_bucket_size = $nginx::params::nx_types_hash_bucket_size,
|
$types_hash_bucket_size = $nginx::params::nx_types_hash_bucket_size,
|
||||||
$types_hash_max_size = $nginx::params::nx_types_hash_max_size,
|
$types_hash_max_size = $nginx::params::nx_types_hash_max_size,
|
||||||
$vhost_purge = $nginx::params::nx_vhost_purge,
|
$vhost_purge = $nginx::params::nx_vhost_purge,
|
||||||
|
@ -101,12 +103,12 @@ class nginx::config(
|
||||||
|
|
||||||
file {$nginx::config::nx_client_body_temp_path:
|
file {$nginx::config::nx_client_body_temp_path:
|
||||||
ensure => directory,
|
ensure => directory,
|
||||||
owner => $nginx::params::nx_daemon_user,
|
owner => $daemon_user,
|
||||||
}
|
}
|
||||||
|
|
||||||
file {$nginx::config::nx_proxy_temp_path:
|
file {$nginx::config::nx_proxy_temp_path:
|
||||||
ensure => directory,
|
ensure => directory,
|
||||||
owner => $nginx::params::nx_daemon_user,
|
owner => $daemon_user,
|
||||||
}
|
}
|
||||||
|
|
||||||
file { "${nginx::params::nx_conf_dir}/sites-available":
|
file { "${nginx::params::nx_conf_dir}/sites-available":
|
||||||
|
|
|
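Review bot: The two temp directories in the -101,12 hunk are now owned by `$daemon_user`, but when `$super_user` is false the template emits no `user` directive, so the workers run as whatever account starts the service, and nothing in this class ties that account to `$daemon_user`; if the two differ nginx cannot write its client-body and proxy temp files. Neither new parameter carries a doc comment in the hunk, so state that contract where the parameter is declared: `# daemon_user - account nginx workers run as; when super_user is false it must be the account the service is started with, because no "user" directive is emitted.` and `# super_user - true: emit a "user" directive for a root-started master; false: run entirely as the starting account`. If the class has a header comment listing parameters (outside this hunk) the same two entries belong there. The class parameter list and the file resources continue outside these hunks.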
@ -34,6 +34,7 @@ class nginx (
|
||||||
$confd_purge = $nginx::params::nx_confd_purge,
|
$confd_purge = $nginx::params::nx_confd_purge,
|
||||||
$configtest_enable = $nginx::params::nx_configtest_enable,
|
$configtest_enable = $nginx::params::nx_configtest_enable,
|
||||||
$conf_template = $nginx::params::nx_conf_template,
|
$conf_template = $nginx::params::nx_conf_template,
|
||||||
|
$daemon_user = $nginx::params::nx_daemon_user,
|
||||||
$events_use = $nginx::params::nx_events_use,
|
$events_use = $nginx::params::nx_events_use,
|
||||||
$fastcgi_cache_inactive = $nginx::params::nx_fastcgi_cache_inactive,
|
$fastcgi_cache_inactive = $nginx::params::nx_fastcgi_cache_inactive,
|
||||||
$fastcgi_cache_key = $nginx::params::nx_fastcgi_cache_key,
|
$fastcgi_cache_key = $nginx::params::nx_fastcgi_cache_key,
|
||||||
|
@ -76,6 +77,7 @@ class nginx (
|
||||||
$server_tokens = $nginx::params::nx_server_tokens,
|
$server_tokens = $nginx::params::nx_server_tokens,
|
||||||
$service_ensure = $nginx::params::nx_service_ensure,
|
$service_ensure = $nginx::params::nx_service_ensure,
|
||||||
$service_restart = $nginx::params::nx_service_restart,
|
$service_restart = $nginx::params::nx_service_restart,
|
||||||
|
$super_user = $nginx::params::nx_super_user,
|
||||||
$vhost_purge = $nginx::params::nx_vhost_purge,
|
$vhost_purge = $nginx::params::nx_vhost_purge,
|
||||||
$worker_connections = $nginx::params::nx_worker_connections,
|
$worker_connections = $nginx::params::nx_worker_connections,
|
||||||
$worker_processes = $nginx::params::nx_worker_processes,
|
$worker_processes = $nginx::params::nx_worker_processes,
|
||||||
|
@ -154,6 +156,7 @@ class nginx (
|
||||||
validate_hash($nginx_mailhosts)
|
validate_hash($nginx_mailhosts)
|
||||||
validate_bool($manage_repo)
|
validate_bool($manage_repo)
|
||||||
validate_string($proxy_headers_hash_bucket_size)
|
validate_string($proxy_headers_hash_bucket_size)
|
||||||
|
validate_bool($super_user)
|
||||||
|
|
||||||
class { 'nginx::package':
|
class { 'nginx::package':
|
||||||
package_name => $package_name,
|
package_name => $package_name,
|
||||||
|
@ -168,6 +171,7 @@ class nginx (
|
||||||
client_max_body_size => $client_max_body_size,
|
client_max_body_size => $client_max_body_size,
|
||||||
confd_purge => $confd_purge,
|
confd_purge => $confd_purge,
|
||||||
conf_template => $conf_template,
|
conf_template => $conf_template,
|
||||||
|
daemon_user => $daemon_user,
|
||||||
events_use => $events_use,
|
events_use => $events_use,
|
||||||
fastcgi_cache_inactive => $fastcgi_cache_inactive,
|
fastcgi_cache_inactive => $fastcgi_cache_inactive,
|
||||||
fastcgi_cache_key => $fastcgi_cache_key,
|
fastcgi_cache_key => $fastcgi_cache_key,
|
||||||
|
@ -199,6 +203,7 @@ class nginx (
|
||||||
proxy_send_timeout => $proxy_send_timeout,
|
proxy_send_timeout => $proxy_send_timeout,
|
||||||
proxy_set_header => $proxy_set_header,
|
proxy_set_header => $proxy_set_header,
|
||||||
server_tokens => $server_tokens,
|
server_tokens => $server_tokens,
|
||||||
|
super_user => $super_user,
|
||||||
vhost_purge => $vhost_purge,
|
vhost_purge => $vhost_purge,
|
||||||
worker_connections => $worker_connections,
|
worker_connections => $worker_connections,
|
||||||
worker_processes => $worker_processes,
|
worker_processes => $worker_processes,
|
||||||
|
|
|
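Review bot: `$daemon_user` is accepted without validation in the -154,6 hunk, while the neighbouring parameters are checked (`validate_string($proxy_headers_hash_bucket_size)`, `validate_bool($manage_repo)`) and the new `$super_user` gets `validate_bool($super_user)`. The value is interpolated verbatim into the `user` directive of the rendered nginx.conf and used as a file `owner` elsewhere in the module, so an undef or non-string value produces an invalid `user ;` line and a failing catalog. Add `validate_string($daemon_user)` next to `validate_bool($super_user)`; a `validate_re` against a username pattern would additionally reject whitespace and punctuation before they reach the generated config. The class body continues outside these hunks.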
@ -115,6 +115,9 @@ class nginx::params {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Nginx is default launched as root if not change this parameter
|
||||||
|
$nx_super_user = true
|
||||||
|
|
||||||
# Service restart after Nginx 0.7.53 could also be just
|
# Service restart after Nginx 0.7.53 could also be just
|
||||||
# "/path/to/nginx/bin -s HUP" Some init scripts do a configtest, some don't.
|
# "/path/to/nginx/bin -s HUP" Some init scripts do a configtest, some don't.
|
||||||
# If configtest_enable it's true then service restart will take
|
# If configtest_enable it's true then service restart will take
|
||||||
|
|
|
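Review bot: The new comment `# Nginx is default launched as root if not change this parameter` does not say what `$nx_super_user` actually switches, which is the one thing a reader of the params class needs. Suggest replacing it with `# true (default): nginx.conf carries a "user" directive naming $nx_daemon_user, for a root-started master.` followed by `# false: no "user" directive is emitted; nginx runs entirely as the account that starts the service, which must then own the temp and cert files.` The default of `true` keeps the previous behaviour, which is worth saying explicitly so nobody flips it expecting a no-op.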
@ -516,32 +516,32 @@ define nginx::resource::vhost (
|
||||||
# Check if the file has been defined before creating the file to
|
# Check if the file has been defined before creating the file to
|
||||||
# avoid the error when using wildcard cert on the multiple vhosts
|
# avoid the error when using wildcard cert on the multiple vhosts
|
||||||
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.crt", {
|
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.crt", {
|
||||||
owner => $nginx::params::nx_daemon_user,
|
owner => $nginx::config::daemon_user,
|
||||||
mode => '0444',
|
mode => '0444',
|
||||||
source => $ssl_cert,
|
source => $ssl_cert,
|
||||||
})
|
})
|
||||||
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.key", {
|
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.key", {
|
||||||
owner => $nginx::params::nx_daemon_user,
|
owner => $nginx::config::daemon_user,
|
||||||
mode => '0440',
|
mode => '0440',
|
||||||
source => $ssl_key,
|
source => $ssl_key,
|
||||||
})
|
})
|
||||||
if ($ssl_dhparam != undef) {
|
if ($ssl_dhparam != undef) {
|
||||||
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.dh.pem", {
|
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.dh.pem", {
|
||||||
owner => $nginx::params::nx_daemon_user,
|
owner => $nginx::config::daemon_user,
|
||||||
mode => '0440',
|
mode => '0440',
|
||||||
source => $ssl_dhparam,
|
source => $ssl_dhparam,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
if ($ssl_stapling_file != undef) {
|
if ($ssl_stapling_file != undef) {
|
||||||
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.ocsp.resp", {
|
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.ocsp.resp", {
|
||||||
owner => $nginx::params::nx_daemon_user,
|
owner => $nginx::config::daemon_user,
|
||||||
mode => '0440',
|
mode => '0440',
|
||||||
source => $ssl_stapling_file,
|
source => $ssl_stapling_file,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
if ($ssl_trusted_cert != undef) {
|
if ($ssl_trusted_cert != undef) {
|
||||||
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.trusted.crt", {
|
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.trusted.crt", {
|
||||||
owner => $nginx::params::nx_daemon_user,
|
owner => $nginx::config::daemon_user,
|
||||||
mode => '0440',
|
mode => '0440',
|
||||||
source => $ssl_trusted_cert,
|
source => $ssl_trusted_cert,
|
||||||
})
|
})
|
||||||
|
|
|
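Review bot: Every TLS file in this hunk, including `${cert}.key`, `${cert}.dh.pem` and the OCSP/trusted material at mode `0440`, is now owned by `$nginx::config::daemon_user`, the worker account, regardless of `super_user`. When `super_user` is true the root-started master is the process that reads the key at startup and reload, so giving ownership to the workers, which handle untrusted traffic, widens who can read the private key without functional gain; consider a selector on the non-public files such as `owner => $nginx::config::super_user ? { true => 'root', default => $nginx::config::daemon_user },` (with 'root' standing for whatever account starts the service), keeping `0440`. No `group` is set on these resources, so the group-read bit in `0440` goes to whatever group the file receives by default; pinning `group` next to the new `owner` makes the effective readers explicit. The define continues outside this hunk.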
@ -1,4 +1,6 @@
|
||||||
user <%= scope.lookupvar('nginx::config::nx_daemon_user') %>;
|
<% if @super_user -%>
|
||||||
|
user <%= @daemon_user %>;
|
||||||
|
<% end -%>
|
||||||
worker_processes <%= @worker_processes %>;
|
worker_processes <%= @worker_processes %>;
|
||||||
worker_rlimit_nofile <%= @worker_rlimit_nofile %>;
|
worker_rlimit_nofile <%= @worker_rlimit_nofile %>;
|
||||||
|
|
||||||
|
|
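Review bot: With `super_user` false the `<% if @super_user -%>` guard drops the `user` directive entirely, but nothing prevents the service from still being started as root; nginx then falls back to its compile-time default worker account rather than `@daemon_user`, and the directories and key files this module chowns to `@daemon_user` no longer match the account that needs them. Make the contract visible in the generated config by adding an `<% else -%>` branch that emits `# no "user" directive: super_user is false, workers run as the account that starts nginx`. The `@super_user` test relies on Ruby truthiness, which is safe only because `validate_bool($super_user)` guards the value in the nginx class; a short template comment noting that dependency would keep it from being silently lost.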