Chapter 5. Security

Security is everyone’s job. NGINX Unit enables many layers of security configuration. Unit naturally separates applications by spawning separate processes for each one, enabling isolation at the process and memory layer. Each application process can be owned by a separate user, enabling security at the file permission layer as well. Each application can also have its own Linux namespace specifications. Next, NGINX Unit has full SSL/TLS support, which enables Unit to serve applications over encrypted HTTPS connections. Finally, the system user accounts that are used to run Unit (the account that the unitd daemon runs as, the control socket owner, and the app-specific user and group accounts) allow access rights to be fine-tuned. All of these security attributes are demonstrated in this chapter.

5.1 Unix User Permissions

Problem

You need to further isolate your applications by using user permissions.

Solution

Use a different system user for each application so that Unit spawns the processes as separate users with their own permissions:

{
    "applications": {
        "auth-service": {
            "type": "ruby",
            "working_directory": "/var/app/auth/",
            "script": "/var/app/auth/config.ru",
            "user": "auth-app"
        },
        "key-service": {
            "type": "external",
            "working_directory": "/var/app/key/",
            "executable": "bin/key-app",
            "user": "key-app"
        }
    }
}

Discussion

Unit runs each application as a separate process or group of processes, enabling it to run these processes as separate system users. ...
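A configuration audit that checks the isolation property this recipe relies on, as an added example (not code from the cookbook or from the Unit project). It assumes the input is the JSON document Unit's control API returns under /config, and that an application with no "user" key falls back to the daemon's default unprivileged user, assumed here to be nobody.

```python
"""Audit an NGINX Unit configuration for per-application user isolation.

Added example, not from the NGINX Unit Cookbook. Assumption: an app
without an explicit "user" runs as Unit's build-time default
unprivileged user, taken here to be "nobody".
"""
import json
from collections import defaultdict

DEFAULT_USER = "nobody"  # assumption: Unit's default app user when "user" is absent

# Constructed sample: the recipe's two apps plus three deliberately weak entries.
SAMPLE_CONFIG = json.dumps({
    "applications": {
        "auth-service": {"type": "ruby", "working_directory": "/var/app/auth/",
                         "script": "/var/app/auth/config.ru", "user": "auth-app"},
        "key-service": {"type": "external", "working_directory": "/var/app/key/",
                        "executable": "bin/key-app", "user": "key-app"},
        "legacy-php": {"type": "php", "root": "/var/app/legacy/"},
        "admin-tool": {"type": "python", "path": "/var/app/admin/",
                       "module": "wsgi", "user": "root"},
        "report-tool": {"type": "python", "path": "/var/app/report/",
                        "module": "wsgi", "user": "key-app"},
    }
})


def audit_app_users(config_json):
    """Return a sorted list of (app_name, finding) pairs.

    Findings:
      no-user      -> falls back to DEFAULT_USER, shared with every other such app
      runs-as-root -> the app process would hold full privileges on the host
      shared-user  -> the user is reused by another app, so a compromise of one
                      app reaches the other app's files and processes
    """
    apps = json.loads(config_json).get("applications", {})
    apps_by_user = defaultdict(list)
    findings = []
    for name, app in apps.items():
        user = app.get("user")
        if user is None:
            findings.append((name, "no-user"))
            user = DEFAULT_USER
        elif user == "root":
            findings.append((name, "runs-as-root"))
        apps_by_user[user].append(name)
    for names in apps_by_user.values():
        if len(names) > 1:  # one Unix user backing several apps breaks the isolation
            findings.extend((name, "shared-user") for name in names)
    return sorted(findings)
```

Run it against `curl --unix-socket /var/run/control.unit.sock http://localhost/config` output to confirm every application has its own dedicated account before relying on file permissions for isolation.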

Get NGINX Unit Cookbook now with the O’Reilly learning platform.
