RHEL / CentOS Linux: Nginx Chroot Jail Start / Stop / Restart Shell Script

A simple shell script to start / stop / restart a chrooted nginx web server under CentOS / RHEL Linux. You must already have nginx set up in a chroot (jail) so that a potential break-in is confined to a small section of the filesystem, which limits the damage an attacker can do. You can also mount $jail/tmp as a separate filesystem backed by a loopback image file (for example /images/tmpfile.bin) with the noexec, nosuid and nodev options, so that a file an attacker drops into the jail's /tmp cannot be executed from there. Keep in mind that chroot on its own does not confine a process running as root: the nginx master process stays root, so the jail mainly limits what a compromised worker (running as the unprivileged nginx user) can reach.

#!/bin/bash
# Name : nginx.rc  
# URL: https://bash.cyberciti.biz/security/linux-nginx-start-stop-restart-chrooted-jail/
# Purpose: A simple shell script wrapper to chroot nginx in $_newroot under Linux
# ----------------------------------------------------------------------------
# Author: nixCraft - http://www.cyberciti.biz
# Copyright: 2011 nixCraft under GNU GPL v2.0+
# ----------------------------------------------------------------------------
# Last updated: 18/Dec/2012 - Added support for secure /tmp mount
# Last updated: 19/Dec/2012 - Bug fixed in ln 
# Last updated: 10/Mar/2013 - Bug fixed in status()
# ----------------------------------------------------------------------------
 
# jail location - must be up, see how to setup nginx using chroot
# https://www.cyberciti.biz/faq/howto-run-nginx-in-a-chroot-jail/
_newroot="/nginxjail"
 
# RHEL nginx and other binary paths
_nginx="/usr/sbin/nginx"
_chroot="/usr/sbin/chroot"
_killall="/usr/bin/killall"
 
# 0 turn off or # 1 turn on
_securetmp=0
_securetmproot="/path/to/images/nginx_jail_tmp.bin"
 
 
# chroot and mount both need root
[ "$(id -u)" -ne 0 ] && { echo "Error: $0 must be run as root."; exit 1; }

# die if the jail directory is missing
[ ! -d "$_newroot" ] && { echo "Error: jail directory $_newroot not found."; exit 1; }

# mount /tmp securely inside $_newroot
# see http://www.cyberciti.biz/faq/howto-mount-tmp-as-separate-filesystem-with-noexec-nosuid-nodev/
mounttmp(){
	if [ $_securetmp -eq 1 ]
	then
		# check the mountpoint itself; newer util-linux shows /dev/loopN, not the image path, in mount output
		if mountpoint -q "$_newroot/tmp"
		then
			echo "*** Secure root enabled and mounted ***"
		else
			echo "*** Turning on secure /tmp..."
			[ ! -f "$_securetmproot" ] && { echo "Error: image file $_securetmproot not found."; exit 2; }
			# loop-mount the image with noexec,nosuid,nodev as described above
			mount -o loop,noexec,nosuid,nodev,rw "$_securetmproot" "$_newroot/tmp"
			chmod 1777 "$_newroot/tmp"
			rm -rf "$_newroot/var/tmp"
			ln -s ../tmp "$_newroot/var/tmp"
		fi
	fi
}
 
start(){
	echo -en "Starting nginx...\t\t\t"
	"$_chroot" "$_newroot" "$_nginx" && echo -en "[ OK ]" || echo "[ Failed ]"
}
 
stop(){
	echo -en "Stopping nginx...\t\t\t"
	# NOTE: killall signals every process named nginx on the host, not only the jailed one
	"$_killall" "${_nginx##*/}" && echo -en "[ OK ]" || echo "[ Failed ]"
}
 
reload(){
	echo -en "Reloading nginx...\t\t\t"
	"$_chroot" "$_newroot" "$_nginx" -s reload && echo -en "[ OK ]" || echo "[ Failed ]"
}
 
## Fancy status
status(){
	echo 
	pgrep -u ${_nginx##*/} ${_nginx##*/} &>/dev/null
	[ $? -eq 0 ] && echo "*** Nginx running on $(hostname) ***" || echo "*** Nginx not found on $(hostname) ***"
	echo 
	echo "*** PID ***"
	#pgrep -u ${_nginx##*/} ${_nginx##*/}
	ps aux | grep "${_nginx##*/}" | egrep -v 'grep|bash'
	echo
 
	echo "FD stats:"
	# drop the lsof header line so the count is the number of open descriptors
	for p in $(pidof "${_nginx##*/}"); do echo "PID # $p has $(lsof -n -a -p "$p" | tail -n +2 | wc -l) fds open."; done
	echo
 
	echo "Jail dir location:"
	pwdx $(pgrep -u "root" "${_nginx##*/}") | grep --color "$_newroot"
	# /proc/PID/root is the authoritative check that the master is really chrooted
	for p in $(pgrep -u "root" "${_nginx##*/}"); do echo "PID # $p root: $(readlink /proc/$p/root)"; done | grep --color "$_newroot"
	echo 
 
	echo "*** PORT ***"
	# newer RHEL / CentOS ship ss instead of netstat; fall back to netstat where ss is missing
	{ ss -tulpn 2>/dev/null || netstat -tulpn; } | egrep --color ':80|:443'
}
 
## Make sure /tmp is securely mounted inside jail ##
mounttmp
 
## main ##
case "$1" in
        start)
                start 
                ;;
        stop)
                stop 
                ;;
        restart)
                stop 
                # give the old master a moment to release its sockets before binding again
                sleep 1
                start 
                ;;
        reload)
                reload
                ;;
        status)
                status
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|reload|status}"
                ;;
esac
 
# just send \n
echo
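The status() function above prints the process's working directory and listening ports, but it does not verify that the jail is doing what it should. The following is an added example (not part of the nixCraft script or the linked tutorials) of the two checks a practitioner would want after start: that $jail/tmp is a separate mount carrying noexec, nosuid and nodev, and that the nginx master's root directory really is the jail. It assumes the /proc/mounts line format (device, mountpoint, fstype, options, dump, pass) and the /nginxjail path from the script; the mount table it parses is constructed sample data so the checks can be run offline.

```shell
#!/bin/bash
# Post-start checks for a chrooted nginx: verify the jail's /tmp is a separate
# mount with noexec,nosuid,nodev, and that the nginx master's root is the jail.
# Added example; not part of the nginx.rc script above.

# Report whether a /proc/mounts-style line carries every option in the
# comma-separated list $2 (the options are field 4 of the line).
mount_has_opts() {
    local line="$1" required="$2" opts o
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    for o in $(printf '%s\n' "$required" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the line of the mounts text $1 whose mountpoint (field 2) equals $2;
# return 1 when no such mount exists.
find_mount_line() {
    local mounts="$1" mp="$2"
    printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print; found = 1 } END { exit !found }'
}

# Check that $jail/tmp is its own mount with noexec,nosuid,nodev.
# Takes the mounts text as an argument so it can be exercised offline.
check_jail_tmp() {
    local mounts="$1" jail="$2" line
    line=$(find_mount_line "$mounts" "$jail/tmp") || {
        echo "FAIL: $jail/tmp is not a separate mount"
        return 1
    }
    if mount_has_opts "$line" noexec,nosuid,nodev; then
        echo "OK: $jail/tmp mounted with noexec,nosuid,nodev"
        return 0
    fi
    echo "FAIL: $jail/tmp is missing noexec, nosuid or nodev: $line"
    return 1
}

# Check that process $1 has $2 as its root directory (readlink of /proc/PID/root).
# Only meaningful on a live host with a running jailed nginx.
check_proc_root() {
    local pid="$1" jail="$2" root
    root=$(readlink "/proc/$pid/root" 2>/dev/null) || return 1
    [ "$root" = "$jail" ]
}

# Constructed sample /proc/mounts content (not captured from a real host).
SAMPLE_MOUNTS='/dev/mapper/root / xfs rw,relatime,attr2,inode64 0 0
/dev/loop0 /nginxjail/tmp ext4 rw,nosuid,noexec,relatime 0 0
/dev/loop1 /otherjail/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# Offline demonstration: the first jail lacks nodev, the second is fully hardened.
check_jail_tmp "$SAMPLE_MOUNTS" /nginxjail || true
check_jail_tmp "$SAMPLE_MOUNTS" /otherjail || true

# On a live host, run against the real mount table and the jailed master:
#   check_jail_tmp "$(cat /proc/mounts)" /nginxjail
#   check_proc_root "$(pgrep -u root -x nginx)" /nginxjail
```

The mount check reads the options field rather than trusting the image path, because the `mount` output on newer util-linux shows `/dev/loopN` and not the backing file, so a grep for the image name can report "mounted" when nothing is mounted at all. The root check reads `/proc/PID/root`, which is what the kernel actually uses for the process's view of the filesystem; pwdx only shows the working directory.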

How do I use this script?

Download the script:
# cd /tmp
# wget http://bash.cyberciti.biz/dl/593.sh.zip
# unzip 593.sh.zip
# mv 593.sh /etc/rc.d/nginx.jail.rc
# chmod +x /etc/rc.d/nginx.jail.rc

Use it as follows:
# /etc/rc.d/nginx.jail.rc start
# /etc/rc.d/nginx.jail.rc stop
# /etc/rc.d/nginx.jail.rc restart
# /etc/rc.d/nginx.jail.rc status

Sample outputs:

Fig.01 nginx.rc in action
