
Ok, yesterday I finally got nginx and uWSGI servers running on my PC. I configured the Nginx and uWSGI configuration files, new users, groups and their privileges, and the chroot dir for SSH based on knowledge available on the web. Unfortunately, I do not trust it too much, so I wanted to ask the sysadmins whether I have made a huge mistake somewhere which will one day make me say goodbye to the server.

For the HTTP server I use only the /srv dir, whose structure and privileges are as follows:

drwxr-xr-x 2 root root 4096 2012-02-03 04:16 nginx
    -rw-r--r-- 1 root root 411 2012-02-03 04:25 Site1.conf
    -rw-r--r-- 1 root root 170 2012-02-02 23:59 Site2.conf
drwxrwxr-x 2 root www  4096 2012-02-03 04:25 sockets
    srw-rw---- 1 Site1-www www 0 2012-02-03 04:25 Site1.socket
drwxr-xr-x 2 root root 4096 2012-02-03 04:09 uwsgi
    -rw-r--r-- 1 root root  190 2012-02-03 04:10 DjangoAutoreload.py
    -rw-r--r-- 1 root root 1477 2012-02-03 04:13 Site1.yaml
drwxr-xr-x 5 root root 4096 2012-02-03 03:44 www
    drwxr-xr-x 3 root root 4096 2012-02-03 03:49 Site1
        drwxr-xr-x 11 Site1 www 4096 2012-02-03 03:48 www
            ... all files with Site1 user, sftponly group and rw-r--r--

The /srv/nginx folder contains, in each separate file, the configuration for a new virtual server.
The /srv/sockets folder contains only the socket files which are used by uWSGI and nginx; an example file with privileges already exists.
The /srv/uwsgi folder contains, in each separate file, the configuration for each instance of the uWSGI server.

Now the /srv/www folder. This folder contains subfolders, one for each SFTP user, who has their chroot dir on it. Each of these folders contains a www subfolder, which contains the Django and RoR projects.

Now, here I have my first questions:

  1. Are the privileges of the folders correct?
  2. Nginx works with uid=www gid=www, and each instance of uWSGI works with uid=USER-www and gid=www. Do the socket folder and its files have the correct owner, group and privileges?
    2.1. If the write privilege for the group is set, doesn't this create a security issue?
    2.2. Should each instance of the uWSGI server work with the same uid, or each with a different one?
    2.3. Should the instances of uWSGI work with the same uid as the HTTP server (nginx)?
    2.4. Shouldn't the uWSGI server write the socket file before the privilege drop? Is this a bug?
  3. Are the privileges, owner and group of the /srv/www/Site1/www folder correct?
  4. How do I configure the SSH server so that users who already have a chroot directory at /srv/www/Site1 cannot see or access over SFTP the other, hidden folders in /srv/www/Site1, for example those with logs or stats?

Now, users and groups. For the server's needs I created the following users and groups:

uid=1003(www) gid=1003(www) grupy=1003(www)
uid=1005(Site1) gid=1004(sftponly) grupy=1004(sftponly)
uid=1006(Site1-www) gid=100(users) grupy=100(users),1003(www)

The www user is used by Nginx.
The Site1 user is used only for SFTP access for the customer; it has its chroot directory in /srv/www/USER_NAME and the /www dir in the passwd file.
The Site1-www user is a "technical" user, used only by servers and scripts working for this user, e.g. uWSGI.

Next questions:

  1. Is this configuration of users and groups correct? Doesn't it create any security issues?
  2. Should I use one user for SFTP connections and one for the servers and scripts working for this user (Site1, Site1-www)?

Nginx server configuration. I don't paste all of the config because this isn't a question about whether the server is well configured, but about its security.

The main configuration is in the /etc/nginx folder; I don't make any privilege changes to these files. The server works with the www uid and group.
The configuration of the virtual servers is in the /srv/nginx directory, which is fully imported (include /srv/nginx/*.conf;).
The main logs of the server are in the /var/log/nginx folder, and user logs will be in the /srv/www/USER_NAME/log folder.

  1. Is that configuration "correct", i.e. are the folder and file paths not weird?
  2. Any idea to change anything there, to make it better? :)

Now here is the end. uWSGI configuration:

The configuration of each instance, one or more per customer (in the case of multiple apps the /srv/www/USER_NAME/www/App1..App2 folders are used), is in the /srv/uwsgi folder. All instances of uWSGI work with uid=USER_NAME-www and gid=www.

In the uWSGI configuration I have the following python paths:

chdir: /srv/www/Site1/www
pythonpath: /srv/www/Site/www

  1. I want to jail all uWSGI instances with chroot. In which folder? What should I do to make Django and RoR work correctly?
  2. Is the pythonpath on /srv/www/Site/www in any way limiting the account's capabilities?
  3. Is using one user and one /www folder for multiple projects correct?

And that will be all. Thank you for reading, and I really appreciate any answer. I know that my English is not quite perfect, but I hope that everything was written clearly and understandably. I will answer all questions in the comments, so if there are any inaccuracies I can immediately explain them :)

Galmi
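One check a sysadmin would run on the layout described in the question (ChrootDirectory at /srv/www/Site1, sockets dir root:www 775), as an added example that is not part of the original post: sshd refuses a chrooted login unless every component of the ChrootDirectory path is owned by root and not writable by group or others. The script audits a constructed copy of the /srv tree under a temporary directory, which is owned by the current user rather than root, so that uid is passed as the expected owner; it assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example, not from the original post: audit a ChrootDirectory path the
# way sshd does before it allows a chrooted SFTP login. Every component from
# the filesystem root down to the chroot directory must be owned by root and
# must not be writable by group or others; otherwise the login is refused.
# BASE stands in for "/" so the demo can run on a constructed copy of the
# /srv tree under a temporary directory. Assumes GNU coreutils stat.

# chroot_path_ok BASE RELPATH [OWNER_UID]
# Prints "ok" when every component of BASE/RELPATH passes; otherwise prints
# the first offending component and the reason. OWNER_UID defaults to 0.
chroot_path_ok() {
    base=$1
    rel=$2
    want_uid=${3:-0}
    cur=$base
    old_ifs=$IFS
    IFS=/
    set -- $rel                      # split RELPATH into its components
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        uid=$(stat -c %u "$cur") || { echo "$cur: cannot stat"; return 1; }
        mode=$(stat -c %A "$cur")            # e.g. drwxrwxr-x
        gw=$(printf '%s' "$mode" | cut -c6)  # group write bit
        ow=$(printf '%s' "$mode" | cut -c9)  # other write bit
        if [ "$uid" != "$want_uid" ]; then
            echo "$cur: owned by uid $uid, expected $want_uid"; return 1
        fi
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "$cur: writable by group or others ($mode)"; return 1
        fi
    done
    echo ok
}

# Constructed copy of the layout in the question, with the modes from the
# listing. It is owned by whoever runs the demo, so that uid is passed as the
# expected owner; on the real host the expected owner is root (uid 0).
DEMO=$(mktemp -d)
mkdir -m 755 "$DEMO/www" "$DEMO/www/Site1" "$DEMO/www/Site1/www"
mkdir -m 775 "$DEMO/sockets"
ME=$(id -u)

echo "www/Site1: $(chroot_path_ok "$DEMO" www/Site1 "$ME")"   # ok
echo "sockets:   $(chroot_path_ok "$DEMO" sockets "$ME")"     # group-writable
```

On the real host, call it with the expected owner omitted (uid 0) and with BASE set to an empty string so the walk starts at the filesystem root; the temporary tree is left in place for inspection.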