Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#1187 closed defect (duplicate)

Can't Restart NginX Due to Socket Permissions

Reported by: vaultwiki@…
Owned by:
Priority: major
Milestone:
Component: nginx-core
Version: 1.11.x
Keywords: listen unix socket restart permissions
Cc:
uname -a: Linux ... 3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18 13:06:36 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx 1.11.6

Description

I use unix sockets to proxy_pass requests to another server block for authentication. The current configuration works for my purposes. However, when restarting NginX, and always when rebooting the server, NginX is not able to start again because the sockets still exist and/or have different permissions than NginX has. I'm not aware of a way to tell NginX what user/group/permissions to give the sockets it creates.

My server blocks look like this:

user webuser webuser;

...

http {

	...

	server {

		listen 80;
		server_name mydomain.com;

		location / {

			proxy_pass http://unix:/home/nginx/.auth/socket:;
			proxy_set_header Host mydomain.com;
			proxy_set_header X-Forwarded-For $remote_addr;
		}
	}

	server {
		listen unix:/home/nginx/.auth/socket;

		...
	}
}


Even though nginx runs as webuser, it requires a more privileged user, such as root, to start it. From my understanding, this is a more secure way to handle it than having webuser able to start and stop nginx directly.

In this case, upon starting, nginx automatically creates /home/nginx/.auth/socket with root:root 0666. And things run normally. Then we tell nginx to stop. However, either nginx doesn't clean the sockets up now, or it no longer has the necessary root:root permission to do so. Subsequently, when nginx starts, it tries to create /home/nginx/.auth/socket, but it already exists. Thus, nginx fails to start.

I am able to start nginx successfully again after I manually remove the troublesome socket from the file system using a more privileged user.

Change History (2)

comment:1 by Maxim Dounin, 4 years ago

Resolution: duplicate
Status: new → closed

Looks like duplicate of #753.

As a workaround, try the following:

  • use configuration reload (HUP signal) instead of restarting nginx;
  • if you want to stop nginx, use TERM/INT signal (fast shutdown) instead of QUIT (graceful shutdown).

comment:2 by vaultwiki@…, 4 years ago

Thank you for the information. It pointed me in the appropriate direction: I modified my systemd files to use TERM instead of QUIT, and restart now works as expected. At the next Linux kernel update, I will see if this resolves the problem during system reboot as well.
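A pre-start check for the failure described in this ticket, as an added example that is not part of the ticket or of nginx: it lists files left at the paths named by `listen unix:` directives, with their owner and mode. The function names and the sample config are constructed for illustration; it reads a single file, does not follow `include`, and is meant to run only while nginx is stopped.

```shell
#!/bin/sh
# Added example, not from the ticket. Run it only while nginx is stopped.

# Print each PATH from "listen unix:PATH ...;" lines of one config file.
# Commented-out lines are skipped; "include" files are not followed.
unix_listen_paths() {
    sed -n 's/^[[:space:]]*listen[[:space:]]\{1,\}unix:\([^;[:space:]]*\).*/\1/p' "$1"
}

# Print owner and mode of every listen path that already exists; return 1
# if any do. bind() fails with EADDRINUSE on an existing path whatever its
# owner or file type, so each hit would block a cold start.
leftover_sockets() {
    found=0
    paths=$(unix_listen_paths "$1")
    while IFS= read -r path; do
        if [ -e "$path" ]; then
            ls -ld -- "$path"
            found=1
        fi
    done <<EOF
$paths
EOF
    return "$found"
}

# Constructed sample: a config shaped like the one in the ticket, with one
# empty file standing in for the socket a graceful stop left behind.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/nginx.conf" <<EOF
http {
    server {
        listen 80;
        location / { proxy_pass http://unix:$dir/auth.sock:; }
    }
    server {
        listen unix:$dir/auth.sock;
        # listen unix:$dir/disabled.sock;
    }
}
EOF
    : > "$dir/auth.sock"
    leftover_sockets "$dir/nginx.conf"; status=$?
    rm -rf "$dir"
    return "$status"
}

if demo; then echo "no leftovers"; else echo "leftover listen path found"; fi
```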
