Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nginx: forward HTTPS requests to UNIX sockets #126

Closed
wants to merge 1 commit into from
Closed

nginx: forward HTTPS requests to UNIX sockets #126

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
85 changes: 85 additions & 0 deletions ansible/tasks/nginx/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,85 @@
name:
- nginx

- name: Setup stream in nginx.conf
register: nginxconf
copy:
dest: /etc/nginx/nginx.conf
content: |
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {
##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# SSL Settings
##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

##
# Virtual Host Configs
##

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

# Forward :443 to /var/run/nginx/$domain.https.sock
stream {
server {
listen 443;
proxy_protocol on;
proxy_pass unix:/var/run/nginx/$ssl_preread_server_name.https.sock;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is preventing a user from making this socket without "ownership" of the domain? Why should we use this instead of a socket in $HOME? Why would we use /var/run instead of /run?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/run works, I didn't know /run is a common place to hold those files.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well technology, he cannot.
You can only listening a socket by creating it, meaning if the socket file presents, you cannot listen it without removing it. So users won't be able to hijack a socket in most cases.

By putting every domain under same folder, we don't need to regenerate and reload ngnix. This also solves the issue that multiple users trying to bind to same domain name.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The weakness seems to be that they can claim any unclaimed hostname, so they could grab something like admin.hashbang.sh if it wasn't bound already. They could create listeners for whole blocks of hostnames and eat up the namespace.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but I guess you shouldn't use shell server for that purpose if you want a really stable bind. This is the same limitation that current ad-hoc port based http server has. Anyone can grab a port and take it forever.
So I don't think it's a big disadvantage compared to any other approaches, unless we introduce a humans to approve each domain before take the bind.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Someone more clever than me might find a way to bind it to their username?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ping?

ssl_preread on;
}
}


- name: Setup sites-enabled/hashbang-http
register: nginxconf
copy:
Expand Down Expand Up @@ -55,6 +134,12 @@
state: absent
path: /etc/nginx/sites-enabled/default

- name: create sockets directory
file:
path: /var/run/nginx
state: directory
mode: '0777'

- name: Restart nginx
when: nginxconf.changed
service: name=nginx state=restarted enabled=yes
Expand Down