RHEL / CentOS Linux: Nginx Chroot Jail Start / Stop / Restart Shell Script

by nixCraft on December 19, 2012

A simple shell script to start / stop / restart a chrooted nginx web server under CentOS / RHEL Linux. You must already have the Nginx web server set up in a chroot (jail): that confines the web server to a small section of the filesystem and so minimizes the damage a potential break-in can do. You can also mount $jail/tmp as a separate loop-back filesystem (for example /images/tmpfile.bin) with the noexec, nosuid and nodev options on Linux and similar operating systems, so that nothing dropped into the jail's /tmp can be executed or carry set-uid bits or device nodes.

#!/bin/bash
# Name : nginx.rc
# URL: http://bash.cyberciti.biz/security/linux-nginx-start-stop-restart-chrooted-jail/
# Purpose: A simple shell script wrapper to chroot nginx in $_newroot under Linux
# ----------------------------------------------------------------------------
# Author: nixCraft <www.cyberciti.biz>
# Copyright: 2011 nixCraft under GNU GPL v2.0+
# ----------------------------------------------------------------------------
# Last updated: 18/Dec/2012 - Added support for secure /tmp mount
# Last updated: 19/Dec/2012 - Bug fixed in ln
# Last updated: 10/Mar/2013 - Bug fixed in status()
# ----------------------------------------------------------------------------

# jail location - must be up, see how to setup nginx using chroot
# http://www.cyberciti.biz/faq/howto-run-nginx-in-a-chroot-jail/
_newroot="/nginxjail"

# RHEL nginx and other binary paths
_nginx="/usr/sbin/nginx"
_chroot="/usr/sbin/chroot"
_killall="/usr/bin/killall"

# 0 turn off or # 1 turn on
_securetmp=0
_securetmproot="/path/to/images/nginx_jail_tmp.bin"

# refuse to do anything if the jail directory is not there
[ ! -d "$_newroot" ] && { echo "Error: jail directory $_newroot not found."; exit 1; }

# mount /tmp securely inside $_newroot
# see http://www.cyberciti.biz/faq/howto-mount-tmp-as-separate-filesystem-with-noexec-nosuid-nodev/
mounttmp(){
    if [ "$_securetmp" -eq 1 ]
    then
        if mount | grep -q "$_securetmproot"
        then
            echo "*** Secure root enabled and mounted ***"
        else
            echo "*** Turning on secure /tmp..."
            # the loop-back image file must exist before it can be mounted
            [ ! -f "$_securetmproot" ] && { echo "Error: $_securetmproot not found."; exit 1; }
            # noexec, nosuid and nodev as described in the article
            mount -o loop,noexec,nosuid,nodev,rw "$_securetmproot" "$_newroot/tmp"
            chmod 1777 "$_newroot/tmp"
            # make the jail's /var/tmp point at the same secured /tmp
            rm -rf "$_newroot/var/tmp"
            ln -s ../tmp "$_newroot/var/tmp"
        fi
    fi
}

start(){
    echo -en "Starting nginx...\t\t\t"
    $_chroot "$_newroot" "$_nginx" && echo -en "[ OK ]" || echo "[ Failed ]"
}

stop(){
    echo -en "Stopping nginx...\t\t\t"
    # kill by process name (basename of $_nginx), i.e. "nginx"
    $_killall "${_nginx##*/}" && echo -en "[ OK ]" || echo "[ Failed ]"
}

reload(){
    echo -en "Reloading nginx...\t\t\t"
    $_chroot "$_newroot" "$_nginx" -s reload && echo -en "[ OK ]" || echo "[ Failed ]"
}

## Fancy status
status(){
    echo
    # worker processes run as the "nginx" user on RHEL
    pgrep -u "${_nginx##*/}" "${_nginx##*/}" &>/dev/null
    [ $? -eq 0 ] && echo "*** Nginx running on $(hostname) ***" || echo "*** Nginx not found on $(hostname) ***"
    echo
    echo "*** PID ***"
    #pgrep -u ${_nginx##*/} ${_nginx##*/}
    ps aux | grep "${_nginx##*/}" | egrep -v 'grep|bash'
    echo

    echo "FD stats:"
    for p in $(pidof "${_nginx##*/}"); do echo "PID # $p has $(lsof -n -a -p "$p" | wc -l) fd opened."; done
    echo

    echo "Jail dir location:"
    # the master process runs as root; its cwd should be inside the jail
    _masterpids=$(pgrep -u "root" "${_nginx##*/}")
    [ -n "$_masterpids" ] && pwdx $_masterpids | grep --color "$_newroot"
    echo

    echo "*** PORT ***"
    netstat -tulpn | egrep --color ':80|:443'
}

## Make sure /tmp is securely mounted inside jail ##
mounttmp

## main ##
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    reload)
        reload
        ;;
    status)
        status
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|status}"
        ;;
esac

# just send \n
echo
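The mounttmp() function only checks that the loop-back image shows up in the mount table; it does not confirm that the filesystem really carries the noexec, nosuid and nodev options the article relies on. The following check, an added example and not part of the original nixCraft script, reads a file in /proc/mounts format (pass /proc/mounts on a live system) and reports any of the three options that are missing on the jail's /tmp. The mount table embedded at the bottom is constructed sample data, not a real system's.

```shell
# Added example, not from the original script.
# Usage: check_jail_tmp_opts <mounts_file> <mountpoint>
#   mounts_file : file in /proc/mounts format (use /proc/mounts on a live box)
#   mountpoint  : the jail's tmp directory, e.g. /nginxjail/tmp
# Returns 0 when noexec, nosuid and nodev are all present, 1 when the
# mountpoint is not mounted at all, 2 when one or more options are missing
# (the missing names are printed).
check_jail_tmp_opts() {
    mounts_file="$1"
    mp="$2"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    # take the last matching entry, i.e. the topmost mount on that path
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts_file" | tail -n 1)
    [ -n "$opts" ] || { echo "not mounted: $mp"; return 1; }
    missing=""
    for want in noexec nosuid nodev; do
        # wrap in commas so "nodev" cannot match inside another option name
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing options on $mp:$missing"
        return 2
    fi
    echo "ok: $mp ($opts)"
    return 0
}

# Constructed sample mount table (not from a real host): one jail /tmp
# mounted as the article recommends, one mounted without noexec and nodev.
sample_mounts=$(mktemp)
cat > "$sample_mounts" <<'EOF'
/dev/loop0 /nginxjail/tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
/dev/loop1 /otherjail/tmp ext3 rw,nosuid,relatime 0 0
EOF

check_jail_tmp_opts "$sample_mounts" /nginxjail/tmp
check_jail_tmp_opts "$sample_mounts" /otherjail/tmp
```

On a real host call it as check_jail_tmp_opts /proc/mounts "$_newroot/tmp" after mounttmp has run and treat a non-zero return as a reason not to start nginx.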

How do I use this script?

Download the script:
# cd /tmp
# wget http://bash.cyberciti.biz/dl/593.sh.zip
# unzip 593.sh.zip
# mv 593.sh /etc/rc.d/nginx.jail.rc
# chmod +x /etc/rc.d/nginx.jail.rc

Use it as follows:
# /etc/rc.d/nginx.jail.rc start
# /etc/rc.d/nginx.jail.rc stop
# /etc/rc.d/nginx.jail.rc restart
# /etc/rc.d/nginx.jail.rc status

Sample outputs:

[Fig.01: nginx.rc in action]
