NGINX Unit Cookbook

by Derek DeJonghe
September 2020
Intermediate to advanced
68 pages
1h 12m
English
O'Reilly Media, Inc.
Chapter 5. Security

Security is everyone’s job. NGINX Unit enables many layers of security configuration. Unit naturally separates applications by spawning separate processes for each one, enabling isolation at the process and memory layer. Each application process can be owned by separate users, enabling security at the file permission layer as well. Each application can also have its own Linux namespace specifications. Next, NGINX Unit has full SSL/TLS support, which enables Unit to serve applications through encrypted HTTPS communication. Finally, the system user accounts that are used to run Unit (the account that the unitd daemon runs as, the control socket owner, and the app-specific user and group accounts) enable fine-tuning access rights. All of these security attributes are demonstrated in this chapter.

5.1 Unix User Permissions

Problem

You need to further isolate your applications by using user permissions.

Solution

Use a different system user for each application so that Unit spawns the processes as separate users with their own permissions:

{
    "applications": {
        "auth-service": {
            "type": "ruby",
            "working_directory": "/var/app/auth/",
            "script": "/var/app/auth/config.ru",
            "user": "auth-app"
        },
        "key-service": {
            "type": "external",
            "working_directory": "/var/app/key/",
            "executable": "bin/key-app",
            "user": "key-app"
        }
    }
}

Discussion

Unit runs each application as a separate process or group of processes, enabling it to run these processes as separate system users. ...
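To check that a configuration actually follows this pattern, the sketch below audits the `applications` object for entries that set no `user`, run as root, or share an account with another application. It is an added example, not code from the book or from NGINX Unit; the `reports` and `legacy` entries and the function name `audit_app_users` are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: the chapter's configuration plus two hypothetical
# applications ("reports", "legacy") that break the isolation pattern.
SAMPLE_CONFIG = """
{
    "applications": {
        "auth-service": {"type": "ruby", "working_directory": "/var/app/auth/",
                         "script": "/var/app/auth/config.ru", "user": "auth-app"},
        "key-service": {"type": "external", "working_directory": "/var/app/key/",
                        "executable": "bin/key-app", "user": "key-app"},
        "reports": {"type": "external", "working_directory": "/var/app/reports/",
                    "executable": "bin/reports", "user": "auth-app"},
        "legacy": {"type": "external", "working_directory": "/var/app/legacy/",
                   "executable": "bin/legacy"}
    }
}
"""

def audit_app_users(config_text):
    """Return sorted (application, finding) pairs for weak user isolation."""
    apps = json.loads(config_text).get("applications", {})
    findings = []
    by_user = defaultdict(list)
    for name, app in apps.items():
        user = app.get("user")
        if user is None:
            # No explicit account: the app falls back to Unit's default user,
            # which every other unconfigured app shares.
            findings.append((name, "no 'user' set"))
            continue
        if user == "root":
            findings.append((name, "runs as root"))
        by_user[user].append(name)
    for user, names in by_user.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(sorted(n for n in names if n != name))
                findings.append((name, f"shares user '{user}' with {others}"))
    return sorted(findings)

if __name__ == "__main__":
    for app, finding in audit_app_users(SAMPLE_CONFIG):
        print(f"{app}: {finding}")
```

The function takes the configuration as JSON text, so it can be run against a saved configuration file before it is applied.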

ISBN: 9781492078555