
I want to generate a list of IPs which nginx should block. This list should be updated through actions that are made on the webserver. Like adding a new IP or removing one. This means it creates the "firewall.conf" for nginx.

The problem: nginx does not monitor changes in .conf-files, so I need to run "nginx reload". As our hosting company disallows exec(), I'm not able to execute it.

So my question is: Is it possible to reload nginx .conf-files by an HTTP request?

The idea is to call "http://example.org/?secret=key" and this fires "nginx reload".

mgutt
  • Creating a firewall in PHP sounds like a Bad Idea™... You could solve this in several ways, including, but not limited to, using any of the modules that integrate different programming languages into nginx (Lua, Perl, ...), writing your own nginx module... Also you don't really want to "run" "nginx reload" (whatever that means). You just want to send nginx SIGHUP. – Gnarfoz Jul 27 '12 at 09:24
  • A firewall inside PHP is a bad idea, but not if you combine it with nginx. It's much easier to implement filters inside of PHP (hidden forms, bad word filter, filters based on incorrect data in registration forms, etc.). By the way: SIGHUP results in a downtime. This is the reason why I said reload. Look here: http://serverfault.com/a/378585/44086 – mgutt Jul 27 '12 at 12:11
  • I guess I misunderstood what you meant by "generate an IP firewall through PHP". Regarding nginx: "reload" is SIGHUP, and it spawns the new workers first, then shuts down the old. There should be no downtime. http://nginx.org/en/docs/control.html – Gnarfoz Jul 27 '12 at 12:33
  • You probably should be using something like fail2ban instead of this convoluted setup. Of course we don't support shared web hosting here anyway. – Michael Hampton Oct 10 '20 at 18:53

1 Answer

This is surely not possible out of the box. Some ideas as to how you could do it:

  1. If you are able to send signals to the nginx process, you could try to send the HUP signal: posix_kill($pid_of_nginx, SIGHUP). Of course, this requires the POSIX functions in PHP.
  2. Write a program which listens for a reload command on a named pipe and which reacts by reloading nginx. With PHP, you then simply write the necessary command into the named pipe and you are done.
  3. Same as 2. with a program which regularly checks for a specific file at a given location (e.g. /tmp/reload-nginx). In PHP you then create that file and nginx will be reloaded.

EDIT: The "pipe thing" isn't so difficult:

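```bash
#!/bin/bash
pipe=/tmp/mypipe
# Remove the pipe when the script exits
trap 'rm -f "$pipe"' EXIT

# Create the named pipe if it does not exist yet
if [ ! -p "$pipe" ]; then
  mkfifo "$pipe"
fi

# Block until something is written to the pipe, then act on it
while true; do
  if read -r line <"$pipe"; then
    if [ "$line" = "reload" ]; then
      # do the reload here, e.g.:
      nginx -s reload
    fi
  fi
done
```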

Now, `echo reload >/tmp/mypipe` will wake up that script and let you do what you want.

Oliver
  • 1.) `posix_kill` results in a downtime :( 2.) How difficult is it to write an nginx module? – mgutt Jul 27 '12 at 12:28
  • See above, `SIGHUP` is the signal to initiate a reload of the configuration and should not result in downtime. http://nginx.org/en/docs/control.html – Gnarfoz Jul 27 '12 at 12:35
  • @mgutt writing an nginx module is for sure more difficult than implementing all the ideas I have proposed... – Oliver Jul 27 '12 at 13:12
  • Ok thank you. I tried. Apache runs in its own sandbox, so I don't have access to the nginx process. The pipe thing looks difficult. – mgutt Jul 27 '12 at 13:27
  • @mgutt see my edit. – Oliver Jul 27 '12 at 14:06
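
The privileged side of the "watched file" idea (option 3 in the answer), as an added example that is not code from any of the posts above. It goes one step further than the answer by validating what the web application wrote before it becomes nginx configuration. The function names, the request-file layout (one IP per line), the `apply` argument and the IPv4-only restriction are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed layout: the web app writes one
# IPv4 address per line to a request file; root runs this script (e.g. from cron).

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*) return 1 ;;   # empty, or contains anything but digits and dots
  esac
  rest=$1.
  count=0
  while [ -n "$rest" ]; do
    octet=${rest%%.*}
    rest=${rest#*.}
    case $octet in
      ''|????*) return 1 ;;     # empty octet, or more than three digits
    esac
    [ "$octet" -le 255 ] || return 1
    count=$((count + 1))
  done
  [ "$count" -eq 4 ]
}

# Print one "deny <ip>;" line per valid address in file $1, sorted, no duplicates.
# Lines that are not a plain IPv4 address are dropped, so text written by the
# web app cannot add other nginx directives to the generated file.
build_denylist() {
  while IFS= read -r line || [ -n "$line" ]; do
    if valid_ipv4 "$line"; then
      printf 'deny %s;\n' "$line"
    fi
  done <"$1" | LC_ALL=C sort -u
}

# Rebuild conf file $2 from request file $1; reload only if "nginx -t" passes,
# otherwise put the previous file back.
apply_denylist() {
  tmp=$(mktemp "$2.XXXXXX") || return 1
  build_denylist "$1" >"$tmp"
  if [ -f "$2" ]; then cp -p "$2" "$2.bak"; fi
  mv "$tmp" "$2"
  if nginx -t; then
    nginx -s reload
  else
    if [ -f "$2.bak" ]; then mv "$2.bak" "$2"; fi
    return 1
  fi
}

# Usage (paths are placeholders): script.sh apply <request-file> <firewall.conf>
if [ "${1:-}" = "apply" ]; then apply_denylist "$2" "$3"; fi
```
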