nginx: forward HTTPS requests to UNIX sockets #126
Conversation
| server { | ||
| listen 443; | ||
| proxy_protocol on; | ||
| proxy_pass unix:/var/run/nginx/$ssl_preread_server_name.https.sock; |
There was a problem hiding this comment.
What is preventing a user from making this socket without "ownership" of the domain? Why should we use this instead of a socket in $HOME? Why would we use /var/run instead of /run?
There was a problem hiding this comment.
/run works, I didn't know /run is a common place to hold those files.
There was a problem hiding this comment.
Well technology, he cannot.
You can only listening a socket by creating it, meaning if the socket file presents, you cannot listen it without removing it. So users won't be able to hijack a socket in most cases.
By putting every domain under same folder, we don't need to regenerate and reload ngnix. This also solves the issue that multiple users trying to bind to same domain name.
There was a problem hiding this comment.
The weakness seems to be that they can claim any unclaimed hostname, so they could grab something like admin.hashbang.sh if it wasn't bound already. They could create listeners for whole blocks of hostnames and eat up the namespace.
There was a problem hiding this comment.
Yes, but I guess you shouldn't use shell server for that purpose if you want a really stable bind. This is the same limitation that current ad-hoc port based http server has. Anyone can grab a port and take it forever.
So I don't think it's a big disadvantage compared to any other approaches, unless we introduce a humans to approve each domain before take the bind.
There was a problem hiding this comment.
Someone more clever than me might find a way to bind it to their username?
RyanSquared
changed the title
#105