Opened 4 years ago

Closed 4 years ago

#1960 closed enhancement (duplicate)

nginx -t tries to bind to ports

Reported by: Izorkin@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.17.x
Keywords: test configuration
Cc:
uname -a: Linux NixOS-Test 5.6.6-hardened #1-NixOS SMP Tue Apr 21 07:08:17 UTC 2020 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.16.1
built by gcc 9.3.0 (GCC)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --prefix=/nix/store/s35lpssk7v7bw1bad5c54ny8knkwc6hj-nginx-1.16.1 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-threads --with-pcre-jit --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --pid-path=/var/log/nginx/nginx.pid --http-client-body-temp-path=/var/cache/nginx/client_body --http-proxy-temp-path=/var/cache/nginx/proxy --http-fastcgi-temp-path=/var/cache/nginx/fastcgi --http-uwsgi-temp-path=/var/cache/nginx/uwsgi --http-scgi-temp-path=/var/cache/nginx/scgi --with-http_image_filter_module --with-file-aio --add-module=/nix/store/4w2zbpv9ihl36kbpp6w5d1x33gp5ivfh-source --add-module=/nix/store/n14bjnksgk2phl8n69m4yabmds7f0jj2-source --add-module=/nix/store/jsqrk045m09i136mgcfjfai8i05nq14c-source --add-module=/nix/store/vby65xv4ngj8xsxxnhkc24mcwcg5n39v-source --add-module=/nix/store/zs9hil66siqp0myai8d9r4lshmx2qh7a-source --add-module=/nix/store/nnd38k64qk5qlnxbh9bdwndza99r8ycx-source --add-module=/nix/store/ga1064z690d8x3z3szn8jz54daj0j5p1-source

Description

nginx -t tries to bind to ports, which is a questionable thing to do while running as a separate user, and validating configuration before reloading the real server with the new configuration:

webserver # Apr 23 10:20:33 webserver nginx[1094]: 2020/04/23 10:20:33 [emerg] 1094#1094: bind() to 0.0.0.0:80 failed (13: Permission denied)

Maybe this variant of the patch could be used?

diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c
index 3368253..387fe51 100644
--- a/src/core/ngx_connection.c
+++ b/src/core/ngx_connection.c
@@ -612,10 +612,6 @@ ngx_open_listening_sockets(ngx_cycle_t *cycle)
                                   &ls[i].addr_text);
                 }

-                if (err != NGX_EADDRINUSE) {
-                    return NGX_ERROR;
-                }
-
                 if (!ngx_test_config) {
                     failed = 1;
                 }
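
Review bot: Deleting the `err != NGX_EADDRINUSE` check in ngx_open_listening_sockets() is not gated on `ngx_test_config`, so it changes normal startup as well as `nginx -t`: any bind() failure, including the "13: Permission denied" case from the report, no longer returns NGX_ERROR here and instead falls through to the `if (!ngx_test_config) { failed = 1; }` handling that previously only address-in-use errors reached. In test mode it also means no bind() error of any kind fails the test at this point, which hides genuine listener misconfiguration. If the goal is only to stop `nginx -t` failing on a permission error, keep the early return and narrow the exception, for example `if (err != NGX_EADDRINUSE && !(ngx_test_config && err == NGX_EACCES))`, and document the changed behaviour.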

Issue - https://github.com/NixOS/nixpkgs/pull/85820#issuecomment-618318976

Change History (1)

comment:1 by Maxim Dounin, 4 years ago

Resolution: duplicate
Status: new → closed

The nginx -t is expected to test the configuration, and this is what it does, including binding to the ports configured. And "nginx -t" is expected to fail when started under the wrong user if the user does not have enough rights to open the listening sockets requested.

There is no command to do a pure configuration syntax check without doing any configuration testing at the same time, see #1506 for such a feature request. Closing this as a duplicate of #1506.
