Merge pull request #328 from janorn/run_as_unprivileged
Run as unprivileged user
9c7cf2d182
5 changed files with 20 additions and 8 deletions
|
@ -18,6 +18,7 @@ class nginx::config(
|
|||
$client_max_body_size = $nginx::params::nx_client_max_body_size,
|
||||
$confd_purge = $nginx::params::nx_confd_purge,
|
||||
$conf_template = $nginx::params::nx_conf_template,
|
||||
$daemon_user = $nginx::params::nx_daemon_user,
|
||||
$events_use = $nginx::params::nx_events_use,
|
||||
$fastcgi_cache_inactive = $nginx::params::nx_fastcgi_cache_inactive,
|
||||
$fastcgi_cache_key = $nginx::params::nx_fastcgi_cache_key,
|
||||
|
@ -49,6 +50,7 @@ class nginx::config(
|
|||
$proxy_send_timeout = $nginx::params::nx_proxy_send_timeout,
|
||||
$proxy_set_header = $nginx::params::nx_proxy_set_header,
|
||||
$server_tokens = $nginx::params::nx_server_tokens,
|
||||
$super_user = $nginx::params::nx_super_user,
|
||||
$types_hash_bucket_size = $nginx::params::nx_types_hash_bucket_size,
|
||||
$types_hash_max_size = $nginx::params::nx_types_hash_max_size,
|
||||
$vhost_purge = $nginx::params::nx_vhost_purge,
|
||||
|
@ -101,12 +103,12 @@ class nginx::config(
|
|||
|
||||
file {$nginx::config::nx_client_body_temp_path:
|
||||
ensure => directory,
|
||||
owner => $nginx::params::nx_daemon_user,
|
||||
owner => $daemon_user,
|
||||
}
|
||||
|
||||
file {$nginx::config::nx_proxy_temp_path:
|
||||
ensure => directory,
|
||||
owner => $nginx::params::nx_daemon_user,
|
||||
owner => $daemon_user,
|
||||
}
|
||||
|
||||
file { "${nginx::params::nx_conf_dir}/sites-available":
|
||||
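Review bot: The two temp directories at `file {$nginx::config::nx_client_body_temp_path:` and `file {$nginx::config::nx_proxy_temp_path:` now take `owner => $daemon_user` but still set no `group` or `mode`, so their permissions stay at whatever the package or the umask left; these directories hold buffered request bodies and proxied upstream responses, so they should be private to the worker user, e.g. add `mode => '0700',` after each `owner` line. Since `$daemon_user` is now a class parameter instead of a fixed params lookup, a caller can pass an account that does not exist on the node, and nothing in this hunk ensures it does; either document that the account must be managed elsewhere or add a `user` resource dependency. Switching the new `$super_user` parameter (visible in the `@@ -49,6 +50,7` hunk) to false implies the nginx master itself runs as `$daemon_user`, which then also needs read access to the configuration directory and write access to the log and pid locations; none of those resources are in this hunk, so please confirm they are adjusted elsewhere in the class.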
|
|
|
@ -34,6 +34,7 @@ class nginx (
|
|||
$confd_purge = $nginx::params::nx_confd_purge,
|
||||
$configtest_enable = $nginx::params::nx_configtest_enable,
|
||||
$conf_template = $nginx::params::nx_conf_template,
|
||||
$daemon_user = $nginx::params::nx_daemon_user,
|
||||
$events_use = $nginx::params::nx_events_use,
|
||||
$fastcgi_cache_inactive = $nginx::params::nx_fastcgi_cache_inactive,
|
||||
$fastcgi_cache_key = $nginx::params::nx_fastcgi_cache_key,
|
||||
|
@ -76,6 +77,7 @@ class nginx (
|
|||
$server_tokens = $nginx::params::nx_server_tokens,
|
||||
$service_ensure = $nginx::params::nx_service_ensure,
|
||||
$service_restart = $nginx::params::nx_service_restart,
|
||||
$super_user = $nginx::params::nx_super_user,
|
||||
$vhost_purge = $nginx::params::nx_vhost_purge,
|
||||
$worker_connections = $nginx::params::nx_worker_connections,
|
||||
$worker_processes = $nginx::params::nx_worker_processes,
|
||||
|
@ -154,6 +156,7 @@ class nginx (
|
|||
validate_hash($nginx_mailhosts)
|
||||
validate_bool($manage_repo)
|
||||
validate_string($proxy_headers_hash_bucket_size)
|
||||
validate_bool($super_user)
|
||||
|
||||
class { 'nginx::package':
|
||||
package_name => $package_name,
|
||||
|
@ -168,6 +171,7 @@ class nginx (
|
|||
client_max_body_size => $client_max_body_size,
|
||||
confd_purge => $confd_purge,
|
||||
conf_template => $conf_template,
|
||||
daemon_user => $daemon_user,
|
||||
events_use => $events_use,
|
||||
fastcgi_cache_inactive => $fastcgi_cache_inactive,
|
||||
fastcgi_cache_key => $fastcgi_cache_key,
|
||||
|
@ -199,6 +203,7 @@ class nginx (
|
|||
proxy_send_timeout => $proxy_send_timeout,
|
||||
proxy_set_header => $proxy_set_header,
|
||||
server_tokens => $server_tokens,
|
||||
super_user => $super_user,
|
||||
vhost_purge => $vhost_purge,
|
||||
worker_connections => $worker_connections,
|
||||
worker_processes => $worker_processes,
|
||||
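Review bot: `validate_bool($super_user)` is added to the validation block, but the companion `$daemon_user` parameter, which ends up in the `user` directive of nginx.conf and as the owner of several files, is not validated at all; add `validate_string($daemon_user)` next to it so an accidental array or hash from Hiera fails at catalog compile time instead of producing a malformed `user` line. It is also worth stating in the class header (outside this hunk) that `super_user => false` only omits the `user` directive and does not by itself make the service start unprivileged; that still has to happen in the init script or unit file, which this module does not appear to manage from what is visible here.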
|
|
|
@ -115,6 +115,9 @@ class nginx::params {
|
|||
}
|
||||
}
|
||||
|
||||
# Nginx is default launched as root if not change this parameter
|
||||
$nx_super_user = true
|
||||
|
||||
# Service restart after Nginx 0.7.53 could also be just
|
||||
# "/path/to/nginx/bin -s HUP" Some init scripts do a configtest, some don't.
|
||||
# If configtest_enable it's true then service restart will take
|
||||
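Review bot: The comment above `$nx_super_user = true` is hard to read and does not say what the flag controls; it does not change which user launches nginx, it only decides whether the `user` directive is written to nginx.conf. Suggest replacing it with `# When true the nginx master is expected to run as root and the 'user' directive drops worker processes to $nx_daemon_user.` followed by `# Set to false when the service itself is started as an unprivileged user: nginx ignores 'user' (with a warning) unless the master runs as root, so the directive is then omitted.` Stating that the default of `true` preserves the previous behaviour also makes clear that the new option is opt-in.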
|
|
|
@ -516,32 +516,32 @@ define nginx::resource::vhost (
|
|||
# Check if the file has been defined before creating the file to
|
||||
# avoid the error when using wildcard cert on the multiple vhosts
|
||||
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.crt", {
|
||||
owner => $nginx::params::nx_daemon_user,
|
||||
owner => $nginx::config::daemon_user,
|
||||
mode => '0444',
|
||||
source => $ssl_cert,
|
||||
})
|
||||
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.key", {
|
||||
owner => $nginx::params::nx_daemon_user,
|
||||
owner => $nginx::config::daemon_user,
|
||||
mode => '0440',
|
||||
source => $ssl_key,
|
||||
})
|
||||
if ($ssl_dhparam != undef) {
|
||||
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.dh.pem", {
|
||||
owner => $nginx::params::nx_daemon_user,
|
||||
owner => $nginx::config::daemon_user,
|
||||
mode => '0440',
|
||||
source => $ssl_dhparam,
|
||||
})
|
||||
}
|
||||
if ($ssl_stapling_file != undef) {
|
||||
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.ocsp.resp", {
|
||||
owner => $nginx::params::nx_daemon_user,
|
||||
owner => $nginx::config::daemon_user,
|
||||
mode => '0440',
|
||||
source => $ssl_stapling_file,
|
||||
})
|
||||
}
|
||||
if ($ssl_trusted_cert != undef) {
|
||||
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.trusted.crt", {
|
||||
owner => $nginx::params::nx_daemon_user,
|
||||
owner => $nginx::config::daemon_user,
|
||||
mode => '0440',
|
||||
source => $ssl_trusted_cert,
|
||||
})
|
||||
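Review bot: Every piece of certificate material in this hunk, including the private key at `${nginx::params::nx_conf_dir}/${cert}.key` with `mode => '0440'`, is owned by `$nginx::config::daemon_user`, i.e. the network-facing worker user, even in the default `super_user => true` layout where, as far as I know, only the root master process needs to read the key at startup and on reload. Ownership by the worker user is only required when the whole server runs unprivileged, so consider making it conditional, e.g. `owner => $nginx::config::super_user ? { true => 'root', default => $nginx::config::daemon_user },`, so a compromised worker in the privileged layout cannot read the key straight from disk. This was already the case with the previous `$nginx::params::nx_daemon_user` lookup, so it is a pre-existing weakness rather than a regression, but none of these resources set `group` either, so group ownership is left to whatever the existing file or the provider default gives. The `nginx::resource::vhost` define begins and ends outside this hunk.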
|
|
|
@ -1,4 +1,6 @@
|
|||
user <%= scope.lookupvar('nginx::config::nx_daemon_user') %>;
|
||||
<% if @super_user -%>
|
||||
user <%= @daemon_user %>;
|
||||
<% end -%>
|
||||
worker_processes <%= @worker_processes %>;
|
||||
worker_rlimit_nofile <%= @worker_rlimit_nofile %>;
|
||||
|
||||
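Review bot: When `@super_user` is false the rendered nginx.conf simply has no `user` line, and nothing in the output tells an operator that nginx is now expected to be started as `@daemon_user`; add an `<% else -%>` branch that emits a comment, e.g. `# 'user' directive omitted: nginx is expected to run as <%= @daemon_user %> (super_user => false)`, so the intent survives into the deployed file. The `<% if @super_user -%>` test relies on a real boolean; init.pp guards it with `validate_bool`, but a string such as `'false'` reaching the template directly would be truthy in Ruby, so this template should not be reused without that check. The pid and error_log paths that an unprivileged master must be able to write are outside this hunk.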
|
|