id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2470	Add support for the systemd directive OpenFile= for passing UNIX socket FDs to nginx	erik.sjolund@…		"nginx currently supports specifying a UNIX socket path with the **proxy_pass** configuration directive

For example:

{{{
proxy_pass http://unix:/tmp/backend.socket:/uri/;
}}}

(reference: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass)

Instead of specifying a path to the UNIX socket, I would like to pass in a file descriptor for the UNIX socket to nginx via inheritance from the parent process that starts nginx (i.e., **systemd**).

Feature request:
Add support for specifying a UNIX socket via the new systemd directive

{{{
OpenFile=
}}}

(see https://www.freedesktop.org/software/systemd/man/systemd.service.html#OpenFile=) which is available in **systemd 253** (released 15 February 2023).

**systemd** connects to the UNIX socket and lets nginx inherit the file descriptor.

I have not yet investigated how systemd sets the environment variable **LISTEN_FDNAMES**. (I could provide more details later.)

Rationale

This new feature would make it possible to set up a **systemd system service** with the systemd configuration directives **USER=myuser** and **GROUP=myuser** and use nginx to proxy traffic to a UNIX socket that the user ''myuser:myuser'' does not have file permission access to. The reason ''myuser:myuser'' is able to use the UNIX socket is that **systemd** (running as root) has already connected to the socket."	enhancement	new	minor	nginx-1.23.4	nginx-module	1.23.x			erik.sjolund@…		"nginx version: nginx/1.23.3
built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
built with OpenSSL 1.1.1k  25 Mar 2021 (running with OpenSSL 1.1.1n  15 Mar 2022)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.23.3/debian/debuild-base/nginx-1.23.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'"
